Battle Buddy Podcast

View Original

Cyber Threats

Keith McKeever

Lori Jackson may have not served but as a DOD cyber compliance professional and as someone who has worked with the Corps of Engineers she is well aware of the variety of cyber threats facing everyone and every company.  Lori explains what is going on in the cyber world in terms of current threats to be on the lookout for. 

Battle Buddy Podcast Guest Links:

https://www.whiteravensecurity.com

https://www.linkedin.com/in/ljackson7/

Battle Buddy Podcast Links:

https://linktr.ee/battlebuddypodcast 

Your browser doesn't support HTML5 audio

EP 64: Cyber Threats

Transcript from Episode 64 with Lori Jackson:


Keith McKeever 0:02

Welcome to the battle buddy podcast with Keith McKeever. Welcome back to the bottom money podcast. I have Laurie with me and she is going to talk about some cybersecurity threats. Before we get her up here on stage, I just want to say make sure you hit the Like, subscribe follow button, but most importantly, battle buddies. Make sure you're sharing this, and any other podcast episodes that you listen to the find valuable. Make sure you're sharing them with your battle buddies out there. That's where all the impact is sharing to the people who might need that message. So without further ado, we've got more Jackson, welcome to the show. Thanks, Keith. Yeah, I'm glad to have you on here. Because I'm, I wouldn't call myself a super tech nerd. But I'm kind of a tech nerd. So I kind of get the whole cybersecurity threats. It's the world that we live in these days. It's just something we didn't have to deal with 2530 years ago, at least to this point. So I appreciate you coming on here to kind of enlighten us a little bit about some of the things that are going on. And you have an interesting story. You did not serve, but you have we get the wording right. facility related control systems for the Corps of Engineers and some other government work that you've done. So tell us a little bit about that, and a little bit about your story.

Lori Jackson 1:15

Sure. Thanks, Keith. I'm so glad to be with you today and really excited to talk about cybersecurity. Yeah, so my story is I went to school for computer engineering. So I've always kind of been in that geek spot, just like you started out supporting it. And, you know, helping folks eons ago with their email and learning how to use the printer and those kinds of things. So I've paid my dues and moved up through the ranks, but my entire career has been in the defense space. So I have been supporting Department of Defense, my entire career. Like you mentioned, the Corps of Engineers, that's one of the clients that I have routinely engaged with, throughout my, my time. And more recently, you mentioned the facility related control systems. So we've been providing the cybersecurity design for some of those buildings that are being designed or renovated on different bases throughout the country, you know, to protect the fire alarm from getting compromised, to protecting the HVAC so that the temperature doesn't get hyped up, you know, from an adversary that's not even nearby. So you think about all of our systems nowadays are much more connected than they were, you know, even five years ago. And so cybersecurity has become a key component in architecture and engineering design on our, our bases, work for the Corps of Engineers, like you mentioned, and also for the Navy. So we've been really excited doing that. But I spent, you know, my entire career working in defense. And then more recently, prior to the pandemic, I started my own company, white Raven security. And with white Raven, we do the facility control system design, but we've also been providing small businesses with support in all manner of cybersecurity, whether it's DoD contractors who have compliance needs, or if it's training, you know, because your first line of defense is, quite honestly, your people. And if they don't know what to look for, then you know, you could be susceptible to an attack. And so we work with companies to make sure that their employees are being trained properly, we help them develop policies and procedures, setting up their actual security program. So a lot of the companies we work with, they're kind of new to the space, and they don't want to go out of business, because the more more and more we see attacks on small businesses than any other sector of the economy, because small businesses aren't always equipped with the tools that they need to protect their environments. And so we've been supporting those companies and helping them feel more confident in their protections and pointing out, you know, ways that maybe they can improve.

Keith McKeever 3:59

Make sense. When I was in I was Air Force Security Forces. So we were tasked with law enforcement, security, airbase defense, all that fun stuff. But of course, I got out 10 years ago, and when you say like Internet of Things, and cybersecurity for buildings, you know, the last unit I was at, we had a fairly new building. And I don't remember any kind of tech controls in that. And so it's kind of weird for me to think about like, okay, I get that, because we were always secure and about, concerned about physical security, you know, the fence, the gate, the the alarm systems, the camera, like, all those different things. But it's, it makes perfect sense, you know, just in this new world that we're in these days where cyber attacks can happen from anywhere that the DoD would be, obviously a really prime target. And when I was doing we always talked about hard targets versus soft targets, you always want to be the hard target. Nobody wants to attack the hard target. They're always going to take the opportunity to tack the soft ones that are unprepared. And so I think that's where it's Part of the value in this conversation is, is, is the small business owners, a lot of veteran entrepreneurs out there, yes, who are probably really unprotected. I'm probably guilty of it myself. So I'm not throwing stones here like I, I'm probably guilty of it too. Like we all have areas, we could probably improve on that. So he's a valuable conversation to have. Yes, I agree. So the training that you provide, can you elaborate a little bit more on what, what you do, and then we'll kind of dive into kind of what some of the threats and stuff that that are happening out there.

Lori Jackson 5:33

Yeah, so we have a lunch and learn format for cybersecurity, because if you start putting people in really long drawn out cybersecurity sessions, you know, that they're just going to check out. And so our program kind of focuses on, you know, Lunch and Learn, makes it short and brief gives you, you know, some some takeaways, so you can refer back, oh, she told me about XYZ, and so you have like a cheat sheet, you can go back to, and, and what we like to do is do these kind of frequently, like, on a monthly basis, because the top of mind is important with cybersecurity, because they're, the adversaries are not going to sleep, they're expecting us to let down our guard and be too tired to do X, Y, or Z, whatever those protections are. And so having that training at top of mind is always a good idea. The other thing that we like to do is tied into your personal life, you know, who doesn't want to protect their children, or protect their parents or their families, you know, from cyber attacks. So if there's a way in your business, that you can train your employees, that gives them that buy in, that it also could be carried over to their families, they might be more eager to protect your company, as well. And so we try to make it, you know, somewhat personal and give folks a chance to ask questions that are specific to their particular situation. Because if somebody's going to protect themselves at home, and they're trying to figure out how to do that the best way that they can that's obviously going to carry over to their their work life as well.

Keith McKeever 7:07

Absolutely. I love that you said it was, you know, kind of bite sized lunchtime, because, you know, I kind of jokingly put my head down. But yeah, I sat there for like, an hour, two hours of like a computer based training, I'll just be like, okay, all right, time to wake up. Right? It's cyber stuff. So everybody has a different level of ability. So I like the fact that, you know, small lunchtime, you can digest just a little bit, and then maybe go back and take action on that. And then, you know, come back to the next section, because that's a that's a tough topic.

Lori Jackson 7:39

Well, you know, I've been in trainings before where they get into the technical weeds. And, you know, for folks, like you're talking about that may not have that same level of knowledge, as maybe you know, one guy in the room, you're gonna lose them. And so you have to bring it down to a level where everybody can be engaged in it. Otherwise, it's not very effective.

Keith McKeever 8:00

Absolutely. Likewise, Oh, hold on. Let's just back out a little bit. Right, bring it back to, to reality for for the 99% of people in there. So. So with the DoD compliance stuff, what cmmc is what I have in my notes, can you explain what that is and what you do for the DoD compliance stuff?

Lori Jackson 8:20

Yeah, so the Department of Defense deals in a lot of data, as you're aware of you do projects that you know, there's, there's, there's all kinds of information that you create for the government or that they give you and there's a certain classification of that data that's called controlled unclassified information. So it doesn't fall under what you're probably familiar with is the top secret, or the TSS, ci, it's not under that umbrella. It is something that is not for public release, but it should be controlled. And so for US department of defense contracts that deal in the controlled unclassified information, you have to show that your computer systems and processes and and you know, your people are all meeting a certain type of requirement. And that requirement is an NIST document. NIST is a National Institute of Standards and Technology that's under the Department of Commerce, and they provide guidance documents for a whole manner of of topics, but one of them is in cybersecurity. And so the main document that they provide us NIST 801 71, so any company that's dealing with controlled unclassified information likely has a default clause, that means that tells them they need to meet NIST 801 71. Now, up until now, even that clause just by signing that contract, you state that you're meeting, NIST 801 71, but what a lot of companies have come to realize is it's a large effort to meet those requirements. And so your your more entry interested in signing that contract getting that project started. And perhaps you haven't gone through all the steps to meet that particular guidance document from NIST. So where we have the cmmc, come in the cmmc is the Cybersecurity Maturity Model certification. And that is the third party assessment piece to NIST 801 71, where the government has said, Okay, a lot of folks are just signing, they're doing it, and they're not doing it. So this is going to be our verification. So we're going to have these third party companies come to you at your expense, and make sure you are meeting all of those controls. And it's not something you can do over a weekend, it is a document that has 110 controls, and each of those controls has a certain number of assessment criteria that you would need to address in order to meet them. And it's not just your firewall, it's not just antivirus software, although those, those are things that are in the requirements, but it's also, you know, personnel training. So do you do background checks before you allow certain individuals to access the government's controlled unclassified information? Yeah, and so it's a whole company approach to security, it's not necessarily just, you know, the IT department has to do a flip a bunch of switches. And so that's where the CME cmmc has come in, is to make sure that companies are doing these things to help protect that data that the government wants to be protected. You were talking about hard targets, there's a section in the NIST 801 71, that's on physical protection. So you got to be able to lock your doors and, you know, monitor for intruders. I mean, things that, you know, kind of common sense, but in

Keith McKeever 11:51

the standard 1015 years ago for securing data. Now, you got this other aspect to deal with.

Lori Jackson 11:57

Right, exactly. And so, you know, it seems like it's going to be straightforward. And so a lot of companies that have just been like, I'll do it when it's actually a rule that I have to implement. But some companies are already under that requirement, the NIST 801 71, even though cmmc hasn't come out yet, as a, you know, forcing you to show on paper, you've done it. And to prove it, there are an increase of assessments by dip CAC, which is the defense industrial base, cybersecurity assessment. Center. I always get that with all these government acronyms. Oh, my goodness, yeah. But that that piece in that piece is under DCMA. And they're starting to get requests to come in and do a government assessment of organizations that are supposed to be meeting these requirements, even before cmmc comes out. So we've been helping companies to assess their systems, assess their policies, see if what they're doing for security is going to meet the requirements requirements. And then at that point, if we find holes, then we can help, you know, fill those holes.

Keith McKeever 13:07

And I would imagine, pretty much any, any company that has a government contract is going to have some sort of documents at least, and things that they have to secure. So let's ever go

Lori Jackson 13:17

Oh, yeah, well, in just the change in the last couple of years, you know, there are other arms of the government that are looking at the same requirements, because you know, our adversaries. I mean, if you look at what's going on in Europe, and with Ukraine, I mean, part of that engagement is in cyberspace. So more of our threats are not necessarily on the ground. They're in the air that we can't see surrounding our systems. And so I would imagine that a lot of defense contractors, if not DHS, in the future, and others are going to start requiring some level of cybersecurity, you know, hygiene, and proof that you're doing those things to protect their data.

Keith McKeever 14:04

Yeah, be good. Anybody who's paying attention to this really needs to, no matter what government contract you have, you might want to be the first. If nobody else is really doing it in your space, you might be wanting to be the one of the first that will

Lori Jackson 14:17

be a differentiator

Keith McKeever 14:19

on it. You can go back and say, Guess what, you know, hey, here's my, here's my papers. I'm good to go. I'm certified. I'm, I'm already. And I imagine that the companies that you see that are doing this well, as you were kind of explaining that, I'm willing to bet that almost almost all of them probably have one person whose position is for compliance on

Lori Jackson 14:42

this. And it's not even a job like, you

Keith McKeever 14:46

know, somebody's got that responsibility. Right,

Lori Jackson 14:49

exactly. In most of the situations that I've encountered, it's somebody who's doing four different things. And so well, right but you know, It is it is, you know, cybersecurity and these requirements for NIST 801 71 are so in depth and complex, that it really could be arguably a full time job for one person, and then to have the support of management and human resources and, and other areas of the company because like I said, it's, it's not an IT solution. So it's not like, you know, you put it to the IT department to figure it out. I mean, it is a whole company, approach to security.

Keith McKeever 15:30

Absolutely. Look at his organization, you know, if the, if the leadership is buying into it, and IT departments doing what they need to do, and HR is hiring the right people, not people, you know, crazy felonies are questionable paths. Right, what happens? I don't know, I don't know how that happens. That just takes me back to my time in that. It was amazing how many moving companies, maybe this is a good note, for those that are still serving the moving companies that contract and come on base to move your personal goods. Almost like clockwork, every single one that would come through the base, would have somebody in there with an outstanding warrant. And you still have people coming on base, trying to come on base and move your personal belongings. So people companies don't always check. Yeah. So you know, if you're a business owner out there, you might want to start double checking that.

Lori Jackson 16:20

Right. Right. Right. And, you know, it starts with your contracts, you know, those documents are long and arduous to go through. But it's worth, you know, doing a search for, you know, those those key words basic cyber hygiene, or cybersecurity or NIST 801 71. Because if if they're hidden down in there, and you don't see them, it can have ramifications. There is a new memo that just came out from the Department of Defense in the past month, it talks about how they're planning to enforce this in the interim. And, you know, there's a new DOJ initiative to, for whistleblowers to come forward to put you know, in situations where companies are claiming they meet the requirements, but they're not. So the government is starting to take note because they're losing their data to our adversaries. I'll just give one real quick story that came from Katie Arrington, who was kind of a big pusher of the cmmc. She worked in the Department of Defense during the last administration. And so she was out trying to push these requirements and help and encouraging folks to, to start taking note and start improving their security. And she would always talk about the the plane that China developed over the course of a very short amount of time that we had already spent 20 or so years developing. And the reason that they were able to do it so fast, is because they came into our systems at a low level subcontractor stole the plans, they didn't do any of the work, and their plane looks practically identical to ours. And so that's the kind of thing that we need to keep protected is that information, it's like little puzzle pieces. So you think, Well, I'm only designing the screw for this one particular, you know, weapon system. However, what our adversaries are able to do is they take that piece of information from you about the screw, and then another piece of information from another company. And they start to put together the puzzle to build the bigger picture. And that's what we need to protect is not allowing them to do that. Because it puts us at a disadvantage. If our adversaries can do just as well as we can, then there's no longer that advantage that we have.

Keith McKeever 18:40

Absolutely, you know, it's it's really not much different than back in the day a spy walks into an office and works there for four or five years. And all of a sudden, one day, there's the plans for this new plane sitting right there on the table. There goes,

Lori Jackson 18:54

yeah, and they don't need to be physically present anymore. Yeah,

Keith McKeever 18:58

I don't want to go back to the I don't know, if you're, I like Johnny Cash. And he's got a song, I can't remember the name of it, but where he like bills this car over like a 10 year period. And then he puts it together and it's like 15 different cars. And it's this ugly thing, but kind of the same thing. Just take a little bit here a little bit there. And the next thing, you know, you kind of put that puzzle together. Right, right. Yeah. Because there's more than that. I can't imagine how many contractors are involved in the design plans for, you know, the F 22. You know what I mean? I'm sure there's hundreds of companies that are that are putting these pieces together. You know, and you don't always have to have all the pieces. You could have 85% of the pieces. Pressed. Exactly. Yep. So these these standards, when does the government have anything come out exactly when these are supposed to start and how that's playing out?

Lori Jackson 19:50

Well, like I mentioned, the NIST 801 71 Is is in practice right now, but the cmmc That's the new piece. That's the verification piece. Ece, and that is expected to come out in March of next year. So we're less than a year out now. And so you know, I've worked with some companies for more than a year to try and build their security program. So it's not a small lift. So you don't want to wait until January to get started on this, you know, it's good to go ahead and get a baseline, because we're going to start to see the cnmc requirements, they say, in summer next year. And so, you know, it could prevent you from bidding on a new contract, if you haven't been doing your, your groundwork in your foundation of going through NIST 801 71. And preparing your systems for that assessment, because a third party assessor is going to come in, and you know, it's going to be up to them whether or not you get that certification, whether or not you're going to be able to bid on that contract. And so it's important to go ahead and get started on those now.

Keith McKeever 20:54

Awesome. Well, you know, one of the goals of my podcast here is to educate, also inspire people into action. So anybody once again listening to this, or watching this, no matter what it is, you might want to get started on it. Because as you were saying that I was thinking, oh, a year or less, that's like crunch time, you're playing catch up at this point. So I'm glad you, you know, told us about that, so people can get on it. So. So what, what kind of bringing this more into a personal space? What kind of cyber attacks are kind of the mainstream thing that you're seeing out there against personal people or businesses?

Lori Jackson 21:31

Right? Well, you know, I'm sure you've probably heard about phishing and social engineering, those kinds of things, those have not gone away, if anything, what we've seen recently is how much more sophisticated those attacks are becoming, you know, before you could look at the spelling of words, or the, the grammar of an email, and, and know that, you know, that's, that's probably not really my bank, because they, they, they typically will proofread. But anymore. Nowadays, those phishing attacks are getting more sophisticated social engineering, especially around things like the pandemic, and any other like social activity, you can expect an increase in social engineering attacks, you know, more and more, we're on social media. And, you know, someone could target your, your activity online and try and, and attack you social, like social engineering, and all that requires is a telephone. So that's not even a very sophisticated attack. But those have been increasing as well. Something else we see for business owners is business email compromise, that has been increasing a lot lately. And that's where, like, let's say, for instance, you have an invoice that you need to pay, and that vendor, they contact you, and they say, Hey, we've changed our banking information. So send the next payment here. Well, unbeknownst to the business, that vendor is an imposter. And so now you have paid an adversary, a criminal, what you should have been paying your vendor legitimately. And so now you're out that money, and your vendor still needs to get paid. So that's

Keith McKeever 23:20

where I'm at. I'm a realtor been doing that for almost 10 years. Yes. And that's something over probably last four years, we've been disclosing we are local association created a form to have that conversation specifically with all hopefully all agents are doing it. But all buyers and sellers, because there was a situation where it was a couple 100,000 was wired to the wrong account. And I always have to have the conversation with it was sellers kind of look at me confused, like what doesn't matter to me, I'm getting the money. The the title company or the attorney is just going to wire it to my bank, right, that's usually not intercepted. They already know those information. I was like, because you want to know that there's a risk that your buyer gets taken advantage of. If you're expecting cash offer on your property, and boom, 200,000 or 500,000 is gone. They're not getting it back. The likelihood is slim. So I always tell people trust but verify. When you get the wiring instructions, or you get something that looks fishy pick up the phone and call or physically go into the place if you happen to happen to be a local business or something, you know, and call and be like, hey, is this right? You know, why am I getting billed? An extra $500 on the deliveries for last week or something, you know, trust but verify.

Lori Jackson 24:37

Right? It will and you know you think about you you want to find the best in people you want to be able to trust people. But any more nowadays in cyberspace, we have to put ourselves in the shoes of an adversary. And like you said verify, you know online unless you are absolutely certain of who you're talking to because you've been able to verify it outside of that that band of being on the internet. Like You know, with a text message or something, yeah, you you can't really trust anybody that you encounter, because it's so easy to impersonate nowadays, a legitimate person. And that'll that'll go into some of my suggest we're

Keith McKeever 25:13

gonna look at the TV. I don't know if you've seen on TV catfished. You know, that's just dating and people faking who they are. Oh, yeah, that's totally faking people. I mean, that's, that's called going down a different path. But same basic thing can happen to any business and other things.

Lori Jackson 25:29

Oh, yeah. And it's heartbreaking to hear some of the stories. And so, you know, that's, that's something that I'm glad we're talking about this and you're getting this out to folks is because, you know, you don't want your family to become a victim to something like this. You don't, you don't want to face those, those difficult challenges of changing all your bank accounts of, you know, freezing your credit. And I mean, it's just a whole lot. But you know, at the end of the day, I always try and encourage folks to put yourself in the position of the bad guy. We don't want to be that. But in order to protect ourselves, and to think, What is the worst that could happen? It gives you kind of that that pause to say, Oh, that's right, maybe, maybe let just Let me confirm. So if somebody calls you out of the blue, and it's like, Hey, it's your bank and your car has been stolen? Can you verify the number? That should cause you to pause and say, I didn't, I didn't call you give me you know, let me give me your name. And you go outside of that, look up the number yourself and call them back.

Keith McKeever 26:34

calling you to tell you Oh, we got you know.

Lori Jackson 26:38

Yeah. Yeah, yeah. So trust, but verify, I think is, is good advice.

Keith McKeever 26:45

Another thing is don't believe the emails and the voicemails and text messages about your business has been pre approved for a $500,000 loan. I get those every day. And it's like, that's funny. I never applied for one.

Lori Jackson 26:58

With the text messages, and this happens around the holidays a lot. I tell folks, if it sounds too good to be true, this is one of those situations where it's definitely too good to be true. You know, so watch out for any sensational, you know, fear mongering or something like that, you know, or, or, like, if you don't get this last item, you know, that like, do it quick. If it's, yeah, just

Keith McKeever 27:23

be able to go to Walgreens or CVS and get the I don't care. Just get the American Express gift cards. Numbers, like I get it all the time. I I don't know what it is about the real estate industry. But they will. They will pretend to be my managing broker. And I can't I just I just left it off small office. There's like 12 people in there. And it will try and spoof her all the time. Like, I really need to do me a favor. I'm in a meeting right now. Like, at eight o'clock at night, you ain't no conference call meeting like I'm, yeah, you may be out with clients, but you ain't out there. Because it was like clockwork, you know, and I'm in a large company now with like, 10,000 agents, and I got one the other day from the CEO. I was like, the CEO doesn't have my phone

Lori Jackson 28:09

number. That's not useful. Yeah. Yeah.

Keith McKeever 28:13

You gotta you gotta just, you gotta be really careful with those things. I mean, I see him on my email all the time. All kinds of things. And I'm like, I'm not open to that. Right? If it is legit, and I don't open it. Somebody's gonna call me because they'll have my phone number. Right? And it'd be like, Why didn't you open that email? Oh, okay. Send it to me again. If it comes to the next five minutes, I know it's legit.

Lori Jackson 28:35

Yeah, so verification, that's a good verify. Yep.

Keith McKeever 28:39

So what what would you say are maybe the top five tips or so then to to not be come a victim?

Lori Jackson 28:48

You know, we've talked about a few things. But, you know, one, one in particular is passwords. You know, think about what password you're using, or what sites are using the same password on multiple websites. Because if you are than that, if one side is compromised, then your other accounts where you've used that same password has also been compromised. So do not reuse passwords would be my first recommendation. My second recommendation is don't use personal information in your passwords, makes it easy to remember, right? But if you're on in social media, you're you know, somebody has developed a file on you and they know your birthday. They know your kids names. They know your pet's names. So don't use personal information in your passwords. And so then you're probably thinking, well, how the heck am I going to remember all my passwords? So my third recommendation is look at a password manager. You can, there are free password managers out there where you can have a long complex password for every single one of your sites and you never have to remember a single One, the only thing you have to remember is your master password for the entire database where your passwords are stored. And then the password manager protects all of those. And so you're not using the same password on multiple sites. And you're using a long complex password that's not likely to be guessed, or in a brute force attack where a computer is trying all the different combinations of letters and numbers to get your password. So Password Manager. The other thing that I recommend, I guess is number four is multi factor authentication. Anytime you can turn it on, turn it on, you know, there's some debate in the IT space in the cybersecurity space about, you know, how secure is your SMS versus the the authenticator app on your phone. But the bottom line is that most people don't do multi factor authentication. So any one that you can turn on is going to increase your security to a new level. So it's, it's true, it really is, and you'll find it a lot. I think with like parents, you know, an older generation, it's harder for them to understand that concept, because they're so used to because, you know, they didn't grow up with computers. So they've become accustomed to typing in their password. Well, for that short amount of time, from the time that we, you know, we started working on computers until now, that's just the way that we did it. And so, you know, you and I, we might not, we might find it pretty easy to set up a password manager and start using it. But for older, the older generations, it's a lot harder to do because they are not seeing that I have to type it in. But with a password manager, you don't even have to type it in it plugs it in for you. So that's a really big one that that I like to push.

Keith McKeever 31:53

Yeah, the two factor thing is I tried to set it up on everything I can, I will admit, sometimes it's a real pain in the butt like, Okay, do I want an email, or I want a text? I get so many texts says it is like, it's so annoying, but it's like, you know what? I can go delete the text after after I've authenticated. Nobody Well, my text messages.

Lori Jackson 32:14

Yeah. But if you think about it, if your bank account is compromised, and you get locked out, well, you're gonna have to get in the car and go down to the bank to prove who you are. And that's going to take some time. And then they're going to have to spin up your account again, which was going to require them to call somebody. So that short amount of time that it takes to put in those six digits from your from a text message or from the authenticator app is really in the grand scheme of things. Not a lot of time. Because you don't want to be in that situation where you're having to go and reset all your accounts, and wait for the bank to reimburse you for the money that was lost. I mean, it's it's a headache.

Keith McKeever 32:55

Absolutely. Well, that's one of the kind of goes into the kind of crosses both worlds really, but like the whole gas pump thing, and the readers that they put on. That's why I use a credit card all the time to set up my debit card. Because I'm like least if I got to shut it off, it's one phone call to my credit card company. Right? Yeah. And then I saw I put on my credit card, just yeah, maybe some pizza cases every now and then only Midwestern. Probably get that one. But like, That's it, then then pay it off. But at least I know, I've got another layer of security there through the credit card company versus of having access to, you know, the different accounts and my personal accounts. So Right. Right, yeah. Yeah, that's, that's just some good advice there. Now, let's switch to kids. What should the parents out there that are listening to this? What should they do to help take precautions to protect their kids or conversations with their kids? What should they be doing?

Lori Jackson 33:53

Well, you know, this really hits close to home because I have three all under the age of 14. And so I it is a world out there. It is a scary world out there. And you know, a couple of my suggestions for kids is one you've got to know what your kids are doing. You know it's really hard for us with our day to day jobs and are the responsibilities to have to go and learn okay, what is Roblox? I don't I don't get it. But you really need to understand what it is that your kids are doing online. You need to have some knowledge about what is Roblox what is the lingo you know, and robust blogs just comes to mind because I have voice but you know, anything that that kids are into? It is you need to know about it. You need to you don't have to become an expert, but you need to be able to understand okay, what it is that they're doing. The other

Keith McKeever 34:53

goes off you maybe at least recognize it and could do something right

Lori Jackson 34:56

or there's this you know, something that comes up in the news. and you're like, oh, yeah, that's my kid place that you can investigate further. My other recommendation is know your kids passwords, do not allow them to have their own passwords, they must share their passwords with you. And here's the thing, it's not because you don't trust them. It's a because we don't trust the other people on the internet. And B, kids are notorious for forgetting their passwords. So you having the, the password as well, not only gives you the access to their account to be able to go in and make sure they're not, you know, exposed to something they shouldn't be. But you know, you can be, well, if you lose your password, you can't get back into Roblox. So don't you want me to have that as well. It just, it just makes sense. And that's it, that's a deal breaker in our house, you know, I have to know all the passwords, otherwise, you don't get to use the device. So you kind of have to draw a line in the sand. And just, you know, you're the one that's supposed to protect them. So as much as we can do to do that is important. And then the other thing is a lot of devices nowadays, have built in control, like time limitations, limitations on who they can text, we use Apple. And so that's a built in feature for families. And so any any way that you're not, I don't like to advocate like spying, like those kinds of apps, that spy on what your kids are doing. But where you can put limitations I think is important. You know, time limitations. They don't need to be on there all day long. And they don't do all night long. Exactly. I mean, there needs to be a cut off. No good thing happens on the internet after 8pm. I mean, we know we're adults. We know this,

Keith McKeever 36:53

I do the same thing. And I'll point it out, we use Android. So I've got family link. I think it's a Google product. That could be wrong. But it allows me to do that same thing to with my oldest seizoen. It's kind of phone. But I can set the timeframes throughout the day I can set like, I don't know, what is the set at off top my head like 7am to 9pm. So after that, it won't let him do anything but make an emergency call. Right? There might be settings in there for who he can text. But in order to download an app, he has to request it life and I have to approve it right through our phones. Which piece of advice to parents out there, don't leave your phone sitting around if they know the password to it.

Lori Jackson 37:34

Because they'll let them know the password. And they'll just get on it.

Keith McKeever 37:37

And then they'll approve that video game download or whatever program it is that's happening in my house. And then, ironically, talking about passwords earlier, I won't say what program but my youngest, I got an email yesterday that a password of mine was changed. And I'm like, well, that's weird, you know, nobody would have gone in there and change this particular password. And, of course, they've got access to all kinds of devices. But he finally admitted to it today that he went in there and changed it. He wanted to download something. And so he knew the password and went in and changed it. And I'm like, you know, I get emails about that right? Oops. Lesson learned? Yeah, you know, you learn some was apparent? Oh, yeah.

Lori Jackson 38:18

Well, you know, the last thing that I recommend for parents is is talking, just talk about it, ask them what they're looking at online, have those dialogues. Because in the event that something happens online, like bullying, cyber bullying, or something like that, you want your child to feel comfortable enough to come and talk to you about it. And so you having some knowledge of how, how everything works. In that space, you have some knowledge about Roblox, they've encountered an issue. They need to feel comfortable to come and talk to you about it. I think that is is probably one of the most important things when it comes to parenting a child in a digital age.

Keith McKeever 39:02

You know, I couldn't agree more with that. Because we always try to tell my kids like, they'll talk about stuff. And so you do realize like, we like your mom and I are so old, but yet so young, that we've seen everything go from floppy disks. To today, we have seen the complete evolution of personal computers, cell phones being introduced to a snake on all up to smartphones, everything they do today, like we're going to generation has seen a lot of that stuff we know exactly, exactly. We saw AOL instant messengers into weird conversations into creeps that were on there. We know internet does know. You know, you know, going through that, which is weird, but you gotta have you have to have the Open dialog and kind of show him that, you know what, what's going on there?

Lori Jackson 39:52

Well, and it also you can you can tap into your own experience and you can you know, point out things were like, you know, I'm Just thinking of an instance where, you know, my friend told me that such and such, you know, happened. And it's a situation where you can say, What did you know that anyone can post on the internet, you can't always believe everything that you read. And so there's, there's situations where that that back and forth dialogue can, you know, tap into your own experience. And you know, not necessarily scare them into not using it at all, but at least to make them aware, because the the future, their future, they need to be digital citizens, first and foremost, and they're gonna learn that by doing but also by us being that guiding light for them.

Keith McKeever 40:43

I didn't realize that, well. I'll say 10 years ago, there was a whole lot of user created content like there is today. I know pedia right? You know, I just finished college here. This last December, right? That was beaten into our heads. Remember that information on Wikipedia may be true the truth, but it may not be because at least at one point in time anyway, it was partially user created. But you think about now like YouTube, and all these other video apps? Yeah, there's a real person, you can see that real person on there. But they may not be 100%, the experts, you have to do that like trucking, verifying, what are their credentials? Right? Who is this person speaking? If they just come on here and start talking about something they don't? You know, they could be blowing smoke out of there. You know what?

Lori Jackson 41:31

Right, exactly. Those are just great ways to engage in discussion with the children, because they're going to learn it some way or another. So it may as well be you that's having those discussions.

Keith McKeever 41:43

Because not everything you read on Google is the truth. Just like you read in the news is not always the truth. YouTube, you know, someone that's been, you know, a cyber citizen, it's just the world we live in these days. Right? To adapt to it. Right. Yeah. So well, Laurie, I appreciate you coming on the podcast. This has been a fascinating conversation and valuable to literally anybody in the audience, whether they're going for a government contract, or small business owner, or just a parent, with some kids who are starting to discover devices, which seems to happen younger and younger every day. But, you know, there's a lot of good information in here for people to take some action on, or at least think about, you know, be more aware of so I appreciate that.

Lori Jackson 42:30

Yeah, absolutely. My pleasure.

Keith McKeever 42:32

And for anybody watching, you're listening, I've had a scrolling across the bottom, white Raven security.com. I made sure to include HTTPS, which means it's secure enough about Yeah, and information, but our contact information will be in the show notes as well. So if you want to reach out to or learn more about these classes, consultations, whatever the case may be all her contact information be

Lori Jackson 42:56

there. Thanks so much, Keith. It was really a great to talk to you.

Keith McKeever 43:00

Absolutely. You take it easy.

Lori Jackson 43:02

All right, you too.

Keith McKeever 43:05

There you go. Folks, remember can go check out my website battle buddy podcast.net trying to always keep a new information and resources available there. If you happen to be struggling right now, remember, the National Suicide Hotline number is now 988. Press one or the same old text numbers there, which is 838255