Scott N. Schober is the President and CEO of Berkeley Varitronics Systems (BVS), a forty-year-old New Jersey-based privately held company and leading provider of advanced, world-class wireless test and security solutions.
Schober also invented BVS’s cell phone detection tools, used to enforce a “no cell phone policy” in prisons and secure government facilities. Scott is a highly sought-after subject expert on the topic of cybersecurity.
Scott shares his story of his own recovery from identity theft, techniques we can all use to protect ourselves, and the challenges that are faced by everyday people in a growing increase of cyberwarfare and cybersecurity attacks.
Check out Scott’s book: Hacked Again
Visit Scott’s website at https://scottschober.com
Thank you for the great lessons in this episode, Scott!
Hello, and good morning, good evening, good afternoon wherever you are.
This is Eric Wright, the host of the DiscoPosse Podcast. You’re in for a really great episode. We talk about cybersecurity, online security, personal security, ransomware, and much more with Scott Schober. Scott is an author. He’s also the founder of Berkeley Varitronics Systems. He’s a well adored voice in the InfoSec and cybersecurity world. He’s been featured all over the place. So it was a real honor to share time with Scott, and it’s a lot of great lessons in here. You hear about his own journey through challenges in having his identity stolen and how he recovered from that.
And he shares a lot of the practices that will allow you to do that really compelling story. Plus, he’s just a very good speaker, definitely somebody who I would love to see on a stage somewhere in his presentation mode. And of course, speaking of ransomware, how do you stop ransomware?
Easy. You use our friends over at Veeam Software in order to make sure that you’re protected for everything across data protection, including ransomware protection, because ransomware is about making sure you protect your assets, whether they’re in the Cloud, whether they’re Cloud-Native, whether they’re On Premises, you are vulnerable. Unless, of course, you use the good practices and the great software at the fine folks at Veeam. So go to vee.am/DiscoPosse, and you can get hooked up with that. And if you want to stop ransomware as well, make sure you try and ease up the in-flight traffic that you do and that’s protecting yourself using things like VPNs.
I’m a user of ExpressVPN. I highly recommend it because it allows me to ensure that wherever I go, my traffic is protected in flight. It’s part of an overall practice, so easy to try. Head on over to tryexpressvpn.com/DiscoPosse and that’s the easiest way to get set up and you get a little bit of a bonus. You get a free month, you get some neat things. Do that head on over to tryexpressvpn.com/DiscoPosse.
And of course, one last thing. If you want to be able to stay up late to be able to fight your ransomware and think about better security practices, then do it by drinking fantastic, devilishly good coffee, like diabolical coffee. So head to diabolicalcoffee.com and you can get set up there.
All right. Anyways, let’s go back to the show. This is Scott Schober. He’s really cool. I enjoyed this. And this is the DiscoPosse Podcast.
Hi, I’m Scott Schober, President and CEO of Berkeley Varitronics, cybersecurity expert and also author. And looking forward to a great conversation with the DiscoPosse Podcast.
Scott, thank you very much for joining today. This is especially enjoyable as I’ve spent a lot more time now in the security and cybersecurity community. Been diving back in, and naturally your name pops up and your content tends to pop up just because you’ve got, number one, you’re a very prolific voice in the community and in the industry, and it’s just super high quality. So you are CEO of an organization. You’ve actually got your own company. You’re an author. So we’ll talk about Berkeley Varitronics. We’ll talk about your book, and this is one that I definitely will recommend.
We’ll make sure we have links as well for folks that want to hear about Hacked Again. And more than anything, you’re just such a great, respectful voice in the community. So thanks for joining. If you don’t mind for folks that are new to you, give a quick little intro and a bio, and then we’ll jump into the challenges that we all face right now.
Yeah, absolutely. I have the honor of running a small company. We’re a wireless security firm. We’re in business 49 years. I’m actually next generation. It was founded by my father. And over the years, we’ve kind of changed what we do as a company. But we’ve always had the unique challenge where people come to us with complex problems and we try to provide a simple solution. Oftentimes it’s tied in with wireless. And that really blossomed for us. In about the mid 1980s, we developed the first wireless test tools, and these were receivers, transmitters and propagation software so you could actually plot out and look what the cellular coverage was and have an idea where in the world to put cell towers.
A lot of the offshoots of that in the 90s and the 2000s were understanding how cell phones work and providing more advanced tools and the offshoots of all that were a lot of security problems and solutions. And a lot of the solutions we came up with was because we understand how bad guys think and the vulnerabilities that are inherent in mobile phones. And hence we launched a bunch of different security tools and products and provide services and expertise and knowledge base. And in the process of doing all of this, the education of it, especially in the past ten years, I found out I had a target on my back, and these were the cyber criminals going after me to basically silence me.
That’s really kind of the genesis of my story, Hacked Again. That was my first book was what happened when I got victimized and targeted by these cyber criminals. And a lot of it is really the mistakes that I made. And it’s kind of embarrassing because here you are as a CEO, running a cybersecurity security company to help with physical security and cybersecurity. And here we are, we’re a victim. We’re getting repeated DDoS attacks, Twitter hack, debit card, credit card. We had $65,000 stolen out of our checking account, became a federal investigation.
So I kind of detail all of my misfortunes and all the things that I’ve learned from the community, and I try to share and give that back so others don’t go down the same path that I’ve gone down and hopefully can learn from some of my mistakes. And in the process of that, it obviously gets a lot of attention in the world of cybersecurity, on the speaking circuit from books. So I launched two other books. As a result of that, I focus a lot in the world of media, TV and radio, and blogging to share and provide tips that people can use to stay safe, whether it be just from a consumer side, a small business Fortune 500 company, but really trying to harness my knowledge base to fight back against cyber criminals.
And that’s kind of become my mission.
Well, if anything, in fact, I’d find that those who’ve been on the other side of it effectively a victim of this situation are the ones that I would most likely have a greater trust in because you’ve actually genuinely experienced it. You’ve understood the recovery process, you’ve really seen the exploit in action. The challenge we often find is you end up with a lot of pundits and experts, right? And I use it as someone who gets asked all the time to do things as an influencer or as whatever.
And I’m like, I can speak about a lot of things, but I can’t speak with truth and conviction about everything. I can read about a thing and then speak about it versus you have lived experience. You have skin in the game in actually going through this. And so I find that just the credibility is so much stronger also that you’re willing to share in the challenges you faced, because that’s also another problem everybody kind of wants to say, oh, I would never. Countless financial advisors who are bordering on bankruptcy, countless bankers who haven’t paid their taxes in nine years.
There are all these people who do a job and yet have sort of fundamental issues in their own handling of the very same thing that they are supposed to be experts in. It’s an odd world in that way that sometimes the voices are the loudest, but not necessarily the most ideal that you would have.
Yeah, I think you make a great point. And I always joke around with my wife, and there’s kind of an old adage, you always say that the electrician’s house always has electrical problems and things like that, and there is some truth to it, and it can be embarrassing. And I’m the first guilty of it, especially when I look back and was targeted and hacked. But as I talked to other cybersecurity practitioners and some of these guys, I learn a ton of things about. But yet I see they themselves are lax in cybersecurity often, and they’ll send me a password by email and say, Well, I trust you. It’s okay.
And I’m like, no, stop, please don’t text or email that or they’re not using multifactor authentication or whatever it is. So we, as a community in cybersecurity sometimes are not setting the best example for others. And I’m hoping that we can over time, break that trend. And most of the things that I tend to talk about are not items that are big spends or super complex and technical. And I think that’s kind of a misunderstanding industry people hear cybersecurity. And at least years ago, when I first started talking about it, people would look at you, deer in the headlights.
What in the world is this guy talking about? Acronyms and this word and that word. Now it’s become a little bit more mainstay. And people understand if they hear ransomware, they hear phishing attack, they hear multifactor authentication. It resonates with them. They get it. Maybe they don’t practice it or utilize best practices, but they get the sense of those terms because every day you turn the news on, we hear about these things. Cyber attack, ransomware attack. It happened with phishing, it happened these credentials were lost.
So it’s become kind of the norm. And hence the reason why I wrote my second book, Cybersecurity Is Everybody’s Business. I kind of had to pivot from understanding from a technical standpoint. Here’s what it is with a CEO wireless security company compromised. But now when I talk about cybersecurity, it does affect my grandmother. It affects my kids, my family, my business colleagues. It affects everybody, and we have to do something about it, or we will be victimized. And hopefully that resonates through some of the pages there and the stories and things that I share because I think it is important for each person to take control of their own security, just like you want to secure your home, secure your car.
You want to have some type of strong cybersecurity stance just so you can fight back and not be victimized because the cyber criminals are winning. That’s the part that bothers me so much, despite the effort of what I’m trying to do and a lot of other great people out there men and women, countless hours trying to fight back and defend people and define good security practices and make things simple. In a sense, I feel like we’re losing. And it’s not just on the personal level, but even as a global level.
Look at what’s happening in the United States with countless ransomware attacks, especially that seems to be an area that now the government is stepping up, which is good. You’ve got the Biden administration now talking to tech companies, and these are the guys that really are embedding security into their products, especially the IoT type of products and mobile phones and things like that. Hopefully this will start to make a difference and resonate through the community or through the United States and get us all safer. And that’s important.
The interesting thing is sort of the adage of we have to be right all the time, and the intruder only has to be right once. We are basically holding up a shield and hoping it doesn’t fail. And at best, it’s a shield that we borrowed. We cannot be experts. They, this proverbial sort of The Royal They. This is all they want to succeed at is just trying and trying and trying until a small way of breaching that armor, it’s a small data breach. And we have this real unfortunate problem that I agree with you.
I love that the government is moving towards at least raising it because it has an incredible impact that they’re there. The downside is often the first step will be to somehow legislate it away. And that is very much not the way. And in fact, sometimes can hobble real true technology organizations and companies and groups that, like many of us are doing, is trying to fight, trying to create ways in which to hold off these breaches, hold off these attacks. And we get sometimes hamstrung by the very same legislation that is designed to protect the rest of the greater good that it’s like, oh, now you’re on the wrong side of some code by law violation or something or another, right?
Yeah. There is truth to that. And I think to some degree that adage, it is pointed and it makes sense. And then I often also think about the counter. And if we look at cybersecurity and I have to say nothing is 100% secure. I think that, I always put that out on the table. So when people are unrealistic, it kind of balances it out. However, when you look at the government and some of their failures or misgivings of the past endless breaches that have happened from pretty much every agency throughout the government, it doesn’t mean going forward.
It will be constant failure, because if they start implementing these best practices and you’ve got private and public working together, communicating, sharing vulnerabilities, sharing weaknesses, then you can start actually blocking them, stopping them and working together. So there’s kind of that silver lining I look at when that communication is there the sharing of information. It doesn’t matter that we don’t have to get it right every single time. But when we do is start implementing best practices and don’t just throw our hands up because I hear that all the time.
When I present at these security trade shows often, a lot of times I’ll interact with the audience and I’ll hear a little bit sense of why bother. I don’t have anything that’s that valuable to steal. They’re going to get it anyway. The government can’t secure it. No company can keep my information secure.
So why bother?
And that’s not a good way to approach cybersecurity, but rather, if each person takes some personal responsibility, do what they can. And it starts at the simplest level. Sometimes it doesn’t mean you have to go out and spend a ton of money, but creating a strong password. This is something I’ve talked past ten years until my eyes are blue. And yet people look at you and say, yeah, very important yet then you question them or quiz them. Well, how many characters is your password? Six characters.
Well, why is it six? I can’t remember more than six or eight characters. And is it a common name? Well, yeah.
Do you use it across multiple logins? Well, yeah, because that way it’s easier to remember. So right away, they start to break down their security. And these are things that we control. So if you don’t reuse the same password across multiple websites, that just takes you to another level, because guess what? More than 50% of all people still reuse the same password across multiple websites. But when we start looking at odds and these security breaches, we wonder, why does it keep happening? Because of us. People are the problem.
Human weakness, and we’re complacent. We’re lax in cybersecurity. I always ask people and challenge them and say, do you use multifactor authentication? And most people say, oh, yeah. Do you use Gmail? Well, yeah. Do you use multifactor authentication there? Well, no, I have nothing private there to share. And I’m like, well, yes, you do, because before you know it, you’re sending a password, a Social Security number, bank account information. At some point you will. Do you think that that email is truly encrypted private, and Google never reads any of the content of it?
Well, they do. Because you’re paying nothing for it, when you pay nothing for it, what are you doing? You’re trading your privacy. So they’re not going to write Scott Schober bank account number. However, that metadata, data about me will make that correlation. And that’s where it’s really powerful. And we have to realize these companies are selling us as the product, and we have to use caution. So when we do use multifactor authentication, encryption, are cautious about what we share through our email, which is the most common way.
It’ll give us a much better cybersecurity posture.
Yeah, a lot of people sort of take that approach that, well, I used to fax this stuff, and it literally sits on someone’s desk on the other side. But you knew whose desk it was, right. Even if you didn’t know, at least you knew it went to a physical building, and they had a responsibility to shred it. Gmail. Not only did they not shred it, but they’re using it to design other things. They can sell to you via selling your information and meta-information. As you said, they’re not taking the content of your email and directly giving it away.
But they’re developing metadata about you as a persona to then sell to subscribers, vendors, et cetera. And there’s a reason why you get amazingly targeted advertisements. When you go to a website you’re like, oh, that’s funny. I was just looking up something about Subway sandwiches and also I’m getting ad for Subway, or I’m getting ad for Jersey Mike’s because they are buying competitive positioning against advertisement. And you’re like, how did they know so much? Well, you said or wrote it somewhere. Most likely or did a quick Google search.
We literally call it a Google search, right? Like at that point, you know, it by trade name.
And it’s true in so many other ways to your point. We’re so accustomed to what we call it a Google search. And I use Google. It’s great search engine. However, I also used DuckDuckGo. And there I can do searches. Not as good as Google. Honestly, they’re not as good, but they’re pretty good, but it gives a level of anonymity and privacy because again, they’re bouncing around the IP address. It’s encrypted and probably more important, they’re not selling my information, and hence other companies pushing ads toward me.
It really does is it allows me to control my digital footprint. I talk about that often each of us has a digital footprint. The more we put out on social media. The reason for social media. So we can be social. Talk about the trip we went on, share pictures of the kids or whatever else the case may be. But sometimes we’re too social on social media, and we’re giving little tells about our private lives that people can put together a picture of us and perform identity theft, hacking into computers.
All of those things are combination of things socially engineered, where they pick up a phone and garnish a little bit of information from the secretary, maybe someone in our house innocently slipped something. And next thing you know, they use all that to get into a computer network. That’s how a lot of these big breaches happen. Third party access, weak passwords, socially engineered phishing attacks. There’s lots of different ways. All the culmination of all of those together are effective means until they can get into that network, and then the game starts and they can really start accumulating stolen personal information and use it to their advantage.
And of course, that all ends up on the marketplace, the dark web, the underbelly of the internet, where they can sell these things and they can do it effectively, make money, stay anonymous and grow the criminal empire.
You can tell when you’re sitting next to a security person, when you hear them, and they ask the question, like, what’s your mother’s maiden name? Metal four underscore underscore star, even the security questions. This is one of the challenges I often tell people. I’m like you want a basic to transpose the real thing. You don’t want to always use your actual mother’s maiden name. You want to have a key phrase that you may use and maybe add an identifier to the particular service. There’s different ways you can approach it.
Scott, maybe if you want to talk about ways that we can protect ourselves, especially around those challenge phrases because they feel it’s secure automatically, but they can still be pretty lax about it.
Yeah. And I think that unfortunately, the concept of security challenge questions when it initially came out was really good. The negative side is probably the specific questions are not unique enough to us to make it a true authenticator or another level of security, because really, security is achieved in layers, and that’s really the intent of it. I always use the analogy. We secure our homes. We don’t just have a simple doorknob lock that we turn, we have a deadbolt, we have an alarm, we have camera, we have those fake stickers that the place is patrolled, so on and so forth to do what, to deter the thief, to move to the next house where the window is half open and they’re going to go rob that house.
Same thing in cybersecurity. We want to have these levels of security. So when a security challenge question comes up, what high school did you attend? Anybody can do a simple Google search and see. Scott Schober attended Edison High School, and that’s probably the answer he would use. I actually claim that it would be safer to use password 1234 as my high school that I attended, as opposed to the actual high school I attended. I know that sounds counterintuitive, but guess what? Somebody trying to hack into my account would not put password 1234 in there.
They’d be trying all the different high schools if they looked. Oh, he grew up in Edison. He probably went to Edison High or this high school or this high school, and they would guess it. Case in point, similar to this, a couple of years ago, I was presenting at a, this was a government security conference down in the Virginia area, and I had a keynote there. And also Kevin Mitnick, the world’s most famous hacker had a keynote. He actually invited me up on stage and he wanted to perform identity theft on somebody.
So he picked me out of this crowd of 400, 500 people. I was a little embarrassed and a little nervous going up on stage thinking, oh, gosh, what’s he going to do here? So I just said, Kevin, please go easy on me. I’ve read his books. I certainly follow him. He’s a great guy. He’s done some amazing things, good and bad, but any event. To start off, he simply looked at my badge and said, Scott Schober got on his computer, entered it in, pulled up information. He said a couple of simple questions because you just got to answer yes or no Scott.
Do you live at this residence? Yes.
Do you have another house here? Yes. Are you this old?
Yes.
Is that your mother’s maiden name? Yes. Now I’m getting scared and he goes, okay, the final thing, I got to get your Social Security number pulled it up. Is that your Social Security number? I said, yes, that cost me one dollar. I got nervous. I said, oh, gosh. And then he goes the final piece to perform identity theft on Scott Schober, his date of birth and he goes, does a search and pulls up a screen. All said about 20 or so different entries for different dates of birth.
He goes, is that your date of birth? I said, no. Is your date of birth on the screen at all? I said yes. And one instance is correct, I’m not telling you what it is. And he kind of laughed. And he says, “You’re ruining my routine here”. I said one trick that I’ve always done is every site that I sign up for. I use a different date of birth, so I get different throughout the year, different reminders, Congratulations or happy birthday on all these different dates.
But that is used actually as something that I can control, and it helps keep me secure. So if somebody was going to do identity theft or say, take credit out in my name, they call the issuing bank, there’s a stolen credit card, this and that. And at some point the bank says, what is your date of birth? And the cyber criminal responds with the wrong date. Guess what? Conversation over phone hangs up. Security is in my control, and not all of us can do that. So simple things we can do that will help keep our cybersecurity posture much, much more secure.
Now, obviously, I have my credit frozen. I recommend that for everybody. Do it with the three major credit monitoring agencies. They talk between one another. Is it a pain? Yes.
And there’s always that trade off between security and convenience. If it’s not convenient, it’s probably more secure. And that’s what I do in all my cases when creating a password, when freezing credit or dethawing credit. Making cybersecurity decisions. I balance that. How secure is it versus how convenient it is? And I always try to err on the side of security. And that seems to help to keep me secure for the most of the time. However, that being said, as I mentioned, Eric, nothing is 100% secure. Despite my best efforts, I’m constantly targeted.
I have been hacked. I still receive repeated attacks. It’s just I got to keep up in my game and doing a better job to fight back. And we all do.
This is the challenge we face. As you said, it’s an opportunity crime like bicycle theft is purely about convenience of the availability of a crime. It is very rarely do they want to go out of their way to break into your garage to steal your bicycle. What they want to do is they wait by a place where a lot of students go for lunch. They are likely to forget their lock. They ride up, they lean it against the wall, they walk into the restaurant, they come back out three minutes later, no bicycle.
Especially even if it’s on the dark web. All this stuff like you said, they have to do it in bulk. It’s a systemized approach to the hack. So if your mother’s maiden name is password123. Even though, like I said, it sounds insecure, it’s not, because no one’s mother’s maiden name would be password123. So it will fail on a systemized hack. And unless they really want you in particular very badly, and they’re individualizing the attack, which. Let’s talk about that.
Scott, especially once you’ve been breached. Unfortunately, you go on a short list that often also gets shared, that hey, we have one. And they can show how you were exploited and then ultimately, at that point, then they begin to go a bit deeper. So talk about your own experiences there.
Yeah, a fair amount of security. The way I implement it, I call it security by obscurity, making it a little bit more challenging. In other words, I don’t do things that the normal person does. And again, I can’t recommend this for everybody, but I often will put it out there so people can just reflect upon it and think about it and make the personal choices that work for them to help them stay more secure in the world of this crazy cybersecurity. So since I’ve had my debit card compromised and reissued a million times, I don’t use a debit card.
It’s inconvenient. It’s a pain, but I try to find that balance. I don’t have an Amazon account, but if I want to buy something for Amazon, I have other people that have an Amazon account that I will just pay them cash, reimburse them. So I do some things, too. I call it staying off the grid a little bit to keep it a little bit more secure. And I try to mix up my digital footprint, as we were mentioning before, using multiple search engines. I’d like to put in random things that have absolutely nothing to do with my interest or my desire every once in a while to throw curves out there.
And why? Because I always like to keep myself in check. And when you see a crazy ad pop up on your smartphone because you did a search on Google last week for a kayak. Now you’re getting pitched with kayak ads. You make that connection and say, yes, it’s still happening. So I even do things. And this is maybe the next level. I balance it on paranoia, maybe a little bit, just because of the things I went through. Yes, I shred documents. Maybe to a fault. I use a micro cross cut shredder that’s going to obliterate a 2000+ piece as the same as NSA groups will use to really make sure it’s impossible to take this confetti and put it back together.
I use when transporting files via computer to another computer. If I’m using it on a USB stick, I’ll actually use an encrypted stick. They’re cheap, they’re effective. They can have one that holds three terabytes. Works between Mac and PC. You don’t have to put a driver on there. You have a unique code that only you know, you enter it to lock and unlock the stick.
AES 256-bit encryption is on there. Somebody else tries it if I drop or the stick is stolen, it does a mission impossible and erases it. You can implement things like that. That’s about $60 for a base stick with enough memory on it to hold lots of documents. I’m controlling my cybersecurity. Do I use anti malware virus scanners, anti key loggers? Yes, I do. In reality, they only stop about 10% to 15% of the threats coming in because the threats continually evolve and there’s zero day threats. You can’t stop everything.
I patch all my software as quick as I can. iOS. I’m careful not to use a lot of different sites that I surf. I have different computers for different things, especially because I go out on the tour and go on the dark web. I’ll use a VPN to make sure my information is encrypted. Traffic is bounced around, so law enforcement doesn’t knock on my door and lock me up. Not that I’m doing anything bad. I do it more for research a lot of times finding stolen credit cards, identity and things like that.
I’ve even worked with several different media outlets. When we find that information, we’ll actually work together and report that to the authorities, number one and to the individuals that were compromised so they can take some solace that there is something they can do about it. And that’s important. Another tip I recommend a lot of people don’t do this that I think is very important. The dark web, I’ve mentioned that a few times. That’s where all this information, stolen credit cards, debit cards, bank account, passwords. That all ends up on the dark web in volumes that cyber criminals are selling.
They’re using cryptocurrency Bitcoin digital money, basically, so they can remain anonymous. And the dark web things are encrypted. The IP traffic is bounced around, so you don’t know where the criminals working from and the sites are not indexed. So it’s really hard to find the criminals. So when you think about those types of things, we have to be aware of it. And what I do is every month I scan my email addresses. I have about four email accounts that I primarily use. I send them to a company. It’s called Cyberlytics.
I am on the board of advisers there. They got a great product and they have an engine that basically crawls and is in the dark web looking. So if it sees my email account and it’s correlated to any of these breaches, it will alert me. And why is it so important? When you know right away that your email, your possible personal login, credentials to a particular site, say LinkedIn is compromised and you see the date of that breach, how many were affected and that you’re part of it.
Guess what? I go on to LinkedIn and I change my password and I think that’s a more effective approach, being proactive as opposed to what many people have recommended. Change your password every three months. Statistically, actually, when you change your password every three months, it doesn’t actually make you any stronger. From a cybersecurity perspective, I argue and counter and say, actually, it creates a situation where it actually may be worse. It gives another opportunity where somebody could intercept that password where it’s being stored. You have to write it down, record it, put it in a password manager.
Again, another opportunity for somebody to hack in there, be it the conduit wireless, through the Internet, email reception part of a breach. Who knows? So just because you’re changing your password more frequently doesn’t make it more secure, but rather make a really long, strong password. Both characters or more will take a long time to compromise. And if it’s so obscure, you can’t remember it. My rule of thumb is that’s a good password. I write it down in a physical black book. And again, layers of security as I was talking about, Eric, lock the book in a safe, in a locked office, in a locked building with an alarm with cameras, layers of security.
Unlikely my little black book is going to be compromised. I also use keychain passwords for less secure accounts, but I need convenience when I’m traveling and then also, I’ll use a password manager. I personally use Dashlane. Great product. Good balance between security and convenience. It’s not too hard, it’s affordable, but it’s secure one password to remember your information. Your password list is encrypted, and hopefully it does never get compromised and someone can hack it and get your master password. So don’t ever write that down on a sticky note or leave that lying around because that’s the golden key to basically everything you own.
So you got to again balance and manage your security. And I always say, separate your really strong passwords, bank accounts, stock portfolios for US government login sites that’s kept near and dear to me, where I control that. Other ones that are more common and useful when I travel to speak or different events and things, they’re on a password manager. So again, I can control it. And I’m controlling the device that it’s on, and that device is secured and encrypted and backed up, which is very important.
So again, we need to unfortunately, spend a lot of time keeping our stuff secure.
There’s small things even to, like you said, the master password. Quite often. The issue we have is that somebody says, hey, I’m trying to protect my passwords. I’m going to use a master password that I definitely won’t forget, which is ultimately one of their actual passwords, which is probably floating about the dark web. And my suggestion to folks is often take a complex pass phrase. And like you said, don’t write it down, don’t put it in a spot, but put it in three spots or even two spots.
And you can even email part of it to yourself. And then in another area, get the other half. I used to do this in an organization that I was at. We had the top level root password for active directory as an example. I would have three different people create the password. I would create the first six characters. The next person would create the next six. Then the third person would create their six. We would each put our six characters into an envelope and then do this for three instances and then put them in different locations.
One goes to Iron Mountain, one goes to the opposing office, and one goes in a secured file cabinet. And when I first implemented this practice, people are like, this is a little crazy. I’m like, no, you can at any point in time. If I leave, you can recover a password. And if I leave, I don’t have the password. It’s ideal. So none of us have the complete understanding of the way to get in. Yet we all know how in a pinch we could collectively come together and get it effectively.
It’s like turning the two keys at the identical time in order to unlock the nuclear codes and such. But I had a greater responsibility to that corporation. But then I took those practices, and I kind of use that for my own. I’m a fan of Dashlane myself and the other one as well, and I won’t mention the name but people can click on the links below if they watch the YouTube. One of the supporters of the podcast is a VPN. I won’t say just because I don’t want to be like, Scott Schober supports this. Well, like, no.
So lots of VPN products are out there and people say like, well, I don’t look up things on the Internet that people, I wouldn’t be comfortable with people seeing. I’m like, that’s not the point. It’s other things that go in transit with it, it’s other man in the middle attacks for just simple password. Simple.
You log in the email wherever you go, you go to Starbucks. So I have it on my phone and I have it on my laptop. And like you said, it seems like a hurdle. But once you do it two, three times, you just know. On my phone, it’s always on. As soon as it initiates the network, it’s automatically on the background. So I don’t have to be as concerned. Like you said, I love this layered approach. And in practice, when we do it, I think that starts to allay the fears.
Like I said, the same way that people know what ransomware is. If you, three years ago said, ransomware is a thing, people will be like, they just look at you strangely.
You’re going to take my child. Wait a minute.
Exactly. I’ve seen that Liam Neeson thing. Is that what you’re talking? That Liam Neeson movie? I searched about 17 Liam Neeson movies. But if we introduce these practices, it’s actually not terribly complex to do. And then it becomes part of your, you think harder about the next time you write a password somewhere. You think maybe I should be thinking about how I manage this and it becomes pervasive to other secure things. Like you said emailing. How many times do you do this right? They sent, a bank sends you a DocuSign, and then. Well, not a bank.
But somebody could send you a DocuSign to sign a job form, and then they ask you to email back your PDF unencrypted with your Social Security on it. Like, why did you make me DocuSign the thing?
Wait a second.
That’s supposed to be secured and marked and protected. But yet then you asked me for an incredibly powerful piece of information about my life over unencrypted email.
Yeah, and that’s why I tend to like to kind of work in the realm of that security by obscurity by doing things maybe a little bit unorthodox and different. So if someone is targeting me, it’s not going to be that clear what direction I’m going. And I like your analogy there about kind of dividing the password up and keeping it secure and having a way that you could still gain access to it. And then if you do leave the company, it doesn’t go with you. That’s a good balance.
That’s a brilliant example of why it’s so important to just think these things out, and I often encourage it till it becomes habit forming. Some people, you wash your car once a month. We need to do cybersecurity things that we make sure we follow that habit. Maybe you do a data backup. It should really be daily. But if you’re not doing anything once a month is better than nothing at all, especially if you’re a victim of ransomware attack. So implementing systems where you could be disciplined to follow structure that works for you so you can maintain it.
If it’s too complex. I’ve learned quickly people don’t do it. People are lazy, and that seems to happen again and again. I’m always comparing complacency with cybersecurity and trying to help people realize once you are a victim and hacked and compromised, it could be anything. It could be DDoS attacks. It could be your social media account, your credit card, or debit, your checking account. Once you go through the pain process of it, and it happens again and again and again. You say, I’m never going to go through this again.
You don’t want to go through a federal investigation when $65,000 is taken out of your checking account. It is not fun. It is time consuming. And if you’re running a business like myself, it’s taking away from that. So your whole sole focus is to get that money back and secure it. So it doesn’t happen again. And people don’t sometimes realize they hear it and say, oh, that’s a shame. Well, you were targeted that’s what you get. But you can prevent that. And then you can implement certain things to prevent it from happening again.
Like in that particular case, I sat down with my bank and understood through the investigation, who got the money, how much they got, which accounts they got it for, what it went for. I asked those questions and they’re required by law to tell me under a federal investigation. So it’s interesting understanding. And then how it happened through the bank, how they had access to my account. Somebody impersonated a teller, in a sense and digitally, how they can manipulate and take that money out from a wire transfer.
What did I do in response? I said, Well, from now on, no wire transfers can go out of our bank account unless I’m there in person signing for it and proof of my ID. So suddenly it puts up again, not convenient, but secured. Never had it happen since then. So sometimes you have to look at your personal situation and put in some security layers to make sure it stays secure. So you don’t fall victim to the cyber criminals, and they’ll just move on to the next target.
It’s not that they’re going to give up. They’re lazy. They will move on to the next person that has a password with a sticky note on their computer that doesn’t have a secure account that shares passwords, that doesn’t use multifactor, whatever the case may be. So I encourage everybody to do those things, but just realize once you start doing that, you’re not going to be targeted and victimized, they’re just moving to the next target. It’s a numbers game.
They prey on the fact that humans by nature, as you mentioned. Right.
And we know this, unfortunately. We don’t like friction. We don’t like additional rigor and processes. And yet when we are the victim of a breach or victim of anything. Right.
I know a lot of people that give up drinking every Saturday morning, but then they take it up very effectively on the next Friday night. So when you’re on the direct impact, other side of a personal breach or a fearful thing, and usually they think it’s some complex thing, like somebody with a balaclava and a mask over their face, sitting in a data center and like, no, it’s floating out there. It’s a list. It’s very easy. You get a text message and look, I get them all the time.
And it’s kind of funny because I know what it is. I know this is a phishing expedition, right? I know I get the email, but sometimes they’re good, and even I want to like, I’m going to make sure this is very well done. I want to just triple check how well this was made because they pick a bank that you’re a member of or a cellular phone company that you have an account with. And if you don’t know, it’s just very easy to, oh, the first thing that hits you is, oh, my goodness.
This thing says I’ve been breached. I need to change my password right away. And I used to test this with people all the time. In the Kevin Mitnick style, when I was at one organization, I would pick up the phone somewhere in the office, and I would say, hey, this is Pete from the help desk. I just need to double check if you shared your mainframe password with anybody recently, and they’d be like, no. Okay. I just need you to confirm what it is right now because we’ve seen it, and it looks like it may have been compromised, and they’d be like, and of course, you would use almost always something very simple.
But even if it wasn’t because they are now in fear that they are at risk. They say, it’s Pete from the help desk. It’s Monday123 or whatever they give to me. I’m like, okay, thankfully, that’s not what it is. So you shouldn’t have any problem. If you get any weird issues, then just change your password and phone us at the help desk again. But they just see internal number. They save them from the help desk. I’m in fear that my account could be a problem.
I’m going to help them help me. And it worked every time Scott, that’s the scary part. I’m like this easy to do. But human nature was very easy to exploit.
I say it in a weird way. The beauty of social engineering. Since we’re creatures of habit, we’re trusting individuals. When we hear familiar terms and acronyms, especially in a particular space, we will divulge information very innocently. I look back a couple of years ago, we had a vulnerability assessment, done a penetration test at our company after we were hacked and compromised. And it’s interesting going over some of the stuff with the company. I thought, Jeez, we were hacked. Compromise, we take all these great stances and do this and that we’re 100% secure.
We’re going to get through this flying colors. There were still little areas that we were too close to that were identified. And one thing that they brought up, and I said, I’m curious when you guys go into other companies, typical company. How do you get in what’s your most effective way? And they said, well, for example, when they do a lot of work for law firms because they have a lot of personal information. They say, first thing we do is we don’t even go in the company.
We don’t even try to hack. We don’t even do anything. The first thing we do is pull up in the parking lot with some of our wireless tools, and we try to do a Wi-Fi hack, a lot of free tools. And there’s some that are very low cost you can buy. And oftentimes we start with a simple phone call. We spoof the number, we pretend we’re another law firm. We call the receptionist and tell her and say, oh, I’m so glad you got there. Hey, we’ve got this really important proposal.
We got to send it over right away to whatever the senior lawyer is there, Mr. Smith, but we don’t want to tell him we’re a little bit late. We’re so sorry, but this is important to him. Could you just give us the password for your Wi-Fi network so we could email it right over? This is really important. And you’re talking fast and you’re moving through it. And next thing you know, they’re like, he needs a password. Well, I know what that is. It’s password123 or whatever it is on a sticky note on the desk.
They innocently give it to him, even though that has no connection with emailing them this fictitious proposal. Now they’ve got the password to get into the Wi-Fi network, plant malware, work laterally, start gathering up personal information so that they can go to the CEO and say, hey, look, not only we get in compromises information, here’s the weak spot and how we got in sometimes we don’t realize it, but people innocently will give information to just somebody. That sounds very convincing. And that’s a huge caution. What’s the way to counter that?
It’s really just with security awareness training companies like KnowBe4 and many other companies educating people, having that formal process, making somebody an example or sharing some of these silly stories help them just to think and stop before they give out information. We’ve been targeted with them. One employee came up not too long ago and said, Scott, I got this strange email you’re giving gift cards out to all employees. And I heard about it by accident through this person. Are you really doing that? And am I really supposed to give them?
No, stop. Thank you for reporting. Even in security companies, it doesn’t matter. The company we can all easily give in if there’s certain things that sound very credible. And that’s to me when you got to stop right away, pause and say, Hold on, let me investigate it. Make a phone call, text, email, knock on someone’s door and say, hey, do you want to confirm this? And especially if they’re targeting an older population, seniors, the elderly are more prone to being targeted for things like that. Scams on the phone.
Email phishing attacks sounds too good to be true. It’s probably too good to be true. It’s not real. So we want to really pause and have a trusted individual where we could ask the question and just validate it to see if it’s a scam or not.
When a bank phones me or when I phone a bank or when they phone me, especially. And they say, hey, we just need to confirm your identity. And I say, okay, give me a number that I can phone back to get you. And I will do that. And they say, Well, it’s a collective bank. We can’t do that. I’m like, I have no way to confirm your identity, and they’re like, but you’re the one we need to confirm. I’m like, no, you see, that’s the interesting thing.
I know who I am, and I don’t know who you are. So if we can’t meet in the middle on this, no one’s getting confirmed today, and we’ll meet at another time. And it’s funny the resistance they have because they’re like, this is just in the same way that it’s irritating for me to have multifactor and write a password and multi parts and separate it. But it’s what I have to do. It’s what I’ve set. And in the same way, like you said, it goes beyond just raw technology.
This is not about hacking the Wi-Fi and breaking down keys and doing this stuff that we see sort of the Hugh Jackman Swordfish spinning around on a chair with 14 monitors and breaking into the mainframe, which I always laughed. It’s always the mainframe. But the truth is, technologists like yourself, like all your smartest engineers on your team, they’re fantastically good at what they do in the technology space. But if they get an email from what looks like their bank, ask them to fill out a W138 A, and it needs their social.
The bank teller knows as little about encryption key as you do about a W138 being not even a real form, right? The same way those lawyers, if you tell them, hey, you’ve got whatever some judgment thing coming up, you try and use their lingo at them. They will immediately say, hang up the phone. This is a fake call, but you tell them I need to get the Wi-Fi password because we haven’t been able to email you. They’re like, this is a thing I don’t know about, but it’s critical to my business.
Let me get you that password, and it’s very easy. Like I said, it’s just natural human behavior. I’m enthralled by the ability to exploit it, but frightened at the same time. It’s such a weird dichotomy of knowing that you can do it. But then knowing that there’s just so much we have to do to protect against it.
Yeah, it reminds me of a colleague in the space, a slightly parallel space. Frank Abagnale Jr. You’re probably familiar with the movie. A lot of people have seen that. I think it was Leonardo DiCaprio or whatever is the main character. And Tom Hanks in there, too. Loved the movie, but I had the privilege of going down to a security event. I won’t mention the company, but at this event he was the keynote speaker there, and he talked for a good hour plus, and afterward I got to go up and meet him and chat a little bit, and we exchanged contact information.
In fact, he was nice enough to write some praise about my second book, Cybersecurity Is Everybody’s Business. But I learned a lot from him from the standpoint of social engineering, not just from that movie, but understanding how it works from the mindset and understanding kind of who your target victim is going to be and understanding the key phrases, the word, the look and the feel and a sense of urgency. When you give a sense of urgency and authority to anything, you can breach right through. And nine out of ten people will let you through that secure spot.
We’ll trust you because we’re trusting individuals, and that’s good to say that. And I like that value and quality in people. But from the pessimist in the world of cybersecurity, that’s not a good thing. I always tell people trust nobody, unfortunately. Even those that are closest to you because those are the ones that are going to give little tells about how you can be compromised. And it’s a shame the world we live in right now is filled with cyber criminals, but they’re using that to their advantage.
So let’s not make it any easier for them, so they can socially engineer information out. Double check everything I often say with phone scams. If somebody calls up as you mentioned there and they claim they’re the bank fraud department and questioning transactions, you say, hold on a second. What’s your name and phone number in case we get disconnected, that’s a fair question to ask. What did you find out? Nine out of ten times. Click phone hangs up. Guess what? It’s a scammer. That tells you right there.
So simple things you can be proactive. Put the onus on them to give you a little bit of information. They’re not giving you anything proprietary or confidential. My name is John Smith. I’m with the Bank X-Y-Z fraud department. I could be reached at this extension. Okay, you jot it down. It’s probably more likely the bank if that’s the case, if they’re divulging some information and now you have something you can check and verify. I’ll go on Google and do a quick check, go on LinkedIn, throw their name up and say, oh, they do work at Bank X-Y-Z.
Okay, the number is not spoofed. Okay, this is legitimate. I did make this transaction. So you start to go through the process before you divulge anything that’s personal or private.
And I guess it’s probably apropos. I’m going to take your question. I’m going to give it to you, Scott, because I love to hear your take. What keeps you up at night? We’ve talked about a lot of things, and I love your content, especially Evan Kirstel was one of the ones the episodes I like. Evan’s a great guy. I really appreciate his content in general, as a good human. But what’s top of mind in your concerns these days?
Well, I do have so many one that kind of concerns me because I have gone down this path as everybody else is. I constantly go back to the world of IoT. I love innovation. I love technology. I love wireless, love cybersecurity, but I’m kind of at crossroads a little bit, because as I embrace new IoT, the latest camera, the latest watch, the latest iPhone, you name it and bring that into my home and to my car. I’m adding all these additional conduits for hackers to target myself, my company, my family.
So I’m always trying to think of ways. How do I prevent this from becoming a conduit from a hacker getting into my world? And it’s hard because with IoT products in general, they don’t bake the security in in the beginning because they’re focused on cost. Keep the cost down, not going to worry about firmware upgrades later. Make it secure when a vulnerability is discovered a year later in my Nest Thermostat or my Wyze camera or whatever else. So it’s hard to stay on top of those things and keep it secure.
So that’s kind of toward the top of my list. These IoT things. I have probably another ten items that follow, and I have some paranoia with some of the new smart cars of all 50 plus automobile manufacturers globally. They all put cellular modems in there.
Right.
A cellular modem is a great conduit to download malware into a car. And the average new car off the lot has over 100 ECUs in it. Engine control units that could then be used if they could commandeer and take over.
That scares me to death when you’re realizing that there’s the capability to do that. And only because I know researchers and I’ve talked to them, interviewed them and heard how they’ve actually manipulated or found back doors to some of these very secure smart vehicles. Those type of things are the things I think that keep me up at night. I don’t think I can solve them all. Some of the tools and technology that we do develop within my company is putting a dent in it, and I’m proud of that.
And I’m excited with that. And when it changes people’s lives, I’ll share a really brief story because I’m always very proud of this. This happened earlier this year. We develop one tool it’s used for hunting down cell phones not tied directly to cybersecurity, but security and really life and safety more toward. And we still sell these around the globe for various things, getting contraband cell phones out of prison, securing government facilities. But more recently, search and rescue because everybody carries a phone on us. We’re glued to our phone while in France earlier this year, French Alps at the base of it, there was a terrible avalanche.
Family escaped from it except the father. He got trapped and he was pinned up against a tree, had enough airspace to breathe for a while and had his mobile phone on. So he was safe, partially injured, but he had 2.5 meters of snow on top of him. They sent out a rescue team, 130 people in the village with sticks and calling and trying to find them in the ground. They searched for two and a half hours and couldn’t find him. They sent out search dogs to sniff.
Snow pack was too thick. They couldn’t pick the scent up through that deep thing. They walked right past the guy, through the whole area that was under avalanche. Somebody had the smarts to pull our tool out and said, hey, I got one of these Wolfhound-PRO used for search and rescue. Let’s try it, lit it up and right away. Boom signal. Pick up the guy’s phone, hunted it down with a direction finding antenna, called everyone back. The guy’s over here, dig, dig. They dug him. Miraculously, they found the guy, saved his life.
And it was a wonderful story. So sometimes when you hear about technology being used for good to stop the problems and tragedies that happen in life, it makes you feel good. Same thing about skimmers technology. We were talking about that earlier. A couple of years ago, I started investigating and reading articles. Brian Krebs does a great job, a reporter talking about a lot of the skimmers and how they get into gas pumps and ATMs. So I really took it on as a passion and started doing research.
And one thing I came across was all these problems are reported on and talked about, but nobody seems to have a solution for it. I sat there and said, this is frustrating. There’s got to be something. So we started developing and getting the engineer team involved here and did a lot of trial and error and research and different tests and things and then getting educated with National Weights and Measurements group, local law enforcement, Secret Service, FBI and kind of brainstorming all that together. And I came up with a couple of different solutions we developed that are now we’re selling as tools.
And one of them is a simple tool called a Skim Scan. It’s a few hundred dollars. You slide it down the neck of a point of sale terminal that reads your debit card or credit card. And we simply look, if there’s a second read head in there. Green light, red light. Simple beeps and let you know, second head in there. Stop. Don’t use that ATM machine because there’s a skimmer in there. Same thing with a gas pump. So as I start to learn and investigate, I find out not just the vulnerabilities and weaknesses, but how to counter them with tools, sometimes, that are effective.
Same thing in the world of gas pumps. As I got educated on this, I realized how easy it is to be a cyber criminal. You buy a Bluetooth skimmer for very little price. You go on eBay, and then there’s six keys to open up a generic lock on the millions of gas pumps throughout the United States. You take the simple Bluetooth skimmer, plug it into the top of where the point of sale terminal is. You lock the machine 20 seconds. You’re in business.
Now, every time somebody pulls up to the pump and inserts their card. A second read head reads off that information, stores it in a buffer. Bluetooth set to be within 75 foot proximity to the cyber criminal. Now they go home and hundreds of credit cards each day from each gas pump. At each gas station, they burn them, they sell them on dark web and so on and so forth. They’re in business. So when you understand the inner workings of these cyber criminal gangs, you quickly learn why it is a multi billion dollar industry stealing credit cards.
And instantly we go to the gas pump and put our card and we buy $50. A gas transaction goes through. We move on. We never think about guess what? That’s where the credit card was compromised. Most people I talk to and this is funny. They say, Well, Scott, no, you don’t know what you’re talking about. I’ve got a chip and pin card. Look, it’s secure. And I usually counter that and say, okay, when you go shopping and you stick your chip and pin in front of the terminal, it is more secure than just a mag stripe alone.
I agree with you there. However, how often do you enter a pin in? And out of a room of 100 people, one or two people say, I do at Walmart or Target, I enter an actual pin as another layer of security. But guess what? Most people don’t. And just about all our cards still have the mag stripe on them. So when you put a mag stripe into anything and there’s a second read head, they got the CVV data. They got the golden key to compromise our information.
So just because there’s a perceived security measure on their chip and pin, which again, it is more secure, but it’s not fully implemented. Instead, what we have in the United States, I call it chip and signature, right? Because what are we still doing? We stick it in. It makes the connection secure. Encrypted this and that, and we sign for it. I could sign Mickey Mouse and guess what transaction goes through. Nobody’s validating that signature. That’s a problem. Yet look over in Europe and other countries, ten years ago, they were properly implementing chip and pin credit cards.
We are not. Still slow. Why are we doing it now? It’s because of the legislation. It’s because of the rules, the point of sale terminals. It shifts the liability down to the actual processor of it if they don’t upgrade the chip and pin. And that’s why we have it now. So for all the wrong reasons, it was implemented and it really started the conversation in 2013 with who? Target. Irony of it is Target was the first to actually test chip and pin technology. They were also the first to abandon it years back. Why?
Because it took a little bit longer to check out at the lines. So again, they chose convenience over security. And then they were the first major data breach as a result. So it’s kind of funny when we look back full scale. And in hindsight, we learn a lot of things about security and the importance of using layers of security and not being so focused on speed because you may pay in the end and the result of a data breach, it costs you for years and a lot of money, a lot of time and a lot of rebuilding of your brand.
Yeah. If it’s inconvenient to use a chip and pin, how inconvenient is it to reopen bank accounts and cancel every credit card and reinitiate every auto pay every bill pay. My favorite thing of this one to pull the thread on that story, too, is I’m Canadian. And so we’ve had chip and pin for eons, and it’s been kind of natural prior to that, though, when it was just purely signature card.
I actually went into a place one time and I got a brand new card, and so I go and the cashier says, oh, sorry, we can’t take this because it’s not a signature. You need to sign it. And I said, you can’t take it because you can’t validate the signature that you’re going to watch me do. And then I’m going to sign the second piece of paper the same way. And that’s validating what exactly. So what I would actually write on my signature section of the card was ‘Show ID’.
Yeah, that’s what I do on mine, too. Show photo ID.
And they would get really weirded out. They’re like, this isn’t the signature. You’re right, because you have to validate by my photo ID. I worked at a police station when I was younger, so I learned about a lot of things of how easy it was to. And I worked in retail. And so I knew sort of the regulatory boundaries they’re under in and little tips and tricks. But this is great.
I tell you, Scott, thank you. It’s been a real pleasure. You are a pleasure to chat with, and it’s really great. You’re prolific in so many ways. So of course you do daily radio. You’ve got three books. You’re a CEO of a company. You’re a keynote speaker. Hopefully, the world opens up a bit more. We can see you on a stage again soon. But if you want to actually give a shout out as well for your radio spots, because I’ll have a link as well. But just let people know what it is you do around that.
Yeah, absolutely. I’m on Cybercrime Radio. It’s 24/7, 365 days a year, constant updates in the world of cybersecurity security. And I do several different segments. But one of the main ones I do every morning is really just the headlines. I take one story that kind of stands out, and I simply break it down and just kind of give a short minute and a half blurb about what the headline is, and it can be anything from ransomware, crypto, cyber attacks and I slip in there little tips and stats here and there also so people can stay safe. And it’s really enjoyable and it’s fast paced and you can even listen to it in the background on your computer if you do Internet radio and things like that.
But it’s Cybercrime Radio. So I’m a host of that segment and I do about two or three other segments as well. So throughout the week you’re going to constantly hear my voice sharing different tips, knowledge, headlines, you name it. Anything in the world of cybersecurity.
That’s great, and especially for folks that are getting into it. And I find this is, there’s a lot of people that are obviously leaning into the industry. It’s a burgeoning area of technology, lots of employment opportunities and learning opportunities. So I wanted to call it out. It’s a great place for folks to get in and make it a part of the routine and sort of introduce the nomenclature and start to get tapped into what’s going on, and it, hopefully, will lead them to ultimately get into.
Like I said, maybe we can see them at a BSides or other things around. There’s lots of great community events. And actually, if you don’t mind, Scott, I’ll add one more question, what’s a great place for people to go or if they wanted to get started in the world of InfoSec and cybersecurity, what are some sort of freely available or community accessible resources that you’d recommend?
Tons and tons of, if I may encourage people if you want to just meet individuals, get a knowledge base. The headline Cybercrime Magazine, part of that on their CSO and chief media commentator. But there’s tons of information that you could download videos to watch radio segments that you can hear. It’s a really good educational part. I’m a part of a whole bunch of other shows. Also, I do a monthly show on Computer America where I spend 1 hour dissecting different cybersecurity breaches and discuss that. It’s over video so you can look back at past episodes, that’s Computer America.
I think there’s so many endless sites and a lot of the events I’m associated with FutureCon, SecureWorld. You name it. RSA, Black Hat. I go to those events, so hopefully our paths will cross somewhere we can meet in person somewhere. Great sources to learn things, and even some of the smaller shows like you mentioned. BSides, ShowMeCon. I’ve been to shows like that and I’ll do presentations there. I really enjoy it. Next week I have one out in Iowa. It’s called CornCon.
It’s a little strange name, but interesting. They do a lot of hacking events, their education for children starting at a young age. I think that’s really important, the math and science aspect that young ones early on learn that and especially for women. Women are really needed in the field of cybersecurity because we got a lot of great, brilliant women doing cybersecurity stuff, but it’s only a tiny portion of it. So I always shout out there and say, women, if you’re interested, looking for a great career that you really needed, you can do well financially, but especially the challenge.
Think about cybersecurity. There’s so many great niches there where you can actually lend a hand and actually make a huge difference in keeping this world safer.
Yeah, that’s a great point. And especially now, I think we’ve learned and we’re beginning to act better as a community. The technology community has not always been very welcoming, still challenging for folks, especially women, folks from underrepresented communities. But there’s so much that we’re doing to make that better, and we just have to keep on it. So as you said, great opportunity. Scott, thank you very much. And for folks that want to reach out directly to you, what’s the best way they can get in contact?
They can certainly check out the stuff we’re doing in my company. It’s simply our website, dvsystems.com or my name scottschober.com. In there, there’s tips that you can download for free. I have white papers there, information about books, speaking appearances, interviews, you name it, feel free to peruse that, and hopefully it’s helpful in keeping you safe and feel free to reach out to me. There’s a fill out form there. I do actually respond. It’s not a robot that responds. I actually respond in person and get tons of requests for advice on products, recommendations, good versus bad in the world of cybersecurity.
And I’m happy to share anything there at no cost. If I can be encouraging to people, I just put that out there. I’m used as a resource for many people and companies around the globe.
Excellent. Well, thank you very much. It’s been a real pleasure to share time.
Thank you so much, Eric. Stay safe, everyone.