Former FBI special agent and cybercrime expert Chris Tarbell lives and works in New York City, and he notices the way people guard their space and their privacy on the street.
If a marketer approaches them to hand out a coupon or flyer, people will look straight ahead and keep walking. If only they were so discerning about their digital safety.
“On the internet, people will download free apps on their phones and then bring that phone into their home and plug it into their computer all the time,” Tarbell said.
If the app is malicious, hackers may gain access to the phone. Plugging the phone into the computer may put a whole network at risk.
Tarbell, who once was called the “Eliot Ness of online crime” by Newsweek, provided cybersecurity tips to an audience at the AICPA spring Council meeting Sunday in New Orleans. During an interview before Council, he said individuals and organizations need to make sure they and their organizations don’t become easy marks for hackers.
He said it’s not necessary for everyone in an organization to have expertise about firewall settings in routers. But he said everyone can educate themselves on prevention and be vigilant for signs of cyber breaches.
“Be a little security-conscious, and don’t allow yourself to be victimized,” Tarbell said.
Tarbell, who’s now a director in Berkeley Research Group’s cybersecurity and investigations practice, is best known as the agent who led the tracking and arrest of the notorious hacker Sabu and Dread Pirate Roberts of dark web drug trafficking site Silk Road. Here are some of his tips for improving cybersecurity.
Combat insider threats
A common insider threat comes from someone who works for an organization for eight to 10 years and then decides to leave for other employment, Tarbell said. These people sometimes take files when they leave because they feel a mistaken sense of ownership.
“We pay them a salary,” Tarbell said. “We pay them to do work. And because we don’t monitor our logs and our access controls, they take our files with them. They think they’re their files.”
Tarbell has seen this occur with partners in a law firm. He said partners who plan to move to another firm will access other partners’ case files right before leaving. Although IT personnel may detect this, they may hesitate to bring it to anyone’s attention because of a partner’s high position in the firm.
But Tarbell said it’s important to speak up in these situations. He also said that although IT and management have the tools available to monitor what employees are doing on their network, those tools often are not used.
“Often no one is using the tools available to them to look at what [employees] are doing,” Tarbell said. “Simple, Active Directory rules will limit digital access for employees. Once in a while check up on your employees and see what files they are attempting to access.”
Insider threats are not limited to employees with malicious intent. Employees who just don’t know any better may introduce malware by inserting thumb drives from home into a system or clicking on malicious links in emails.
Employee training is necessary to reduce the threat that these mistakes pose, Tarbell said.
Compartmentalize
One principle of cybersecurity can be compared with the construction of an ocean liner, Tarbell said. The hull is built so that if one hole gets pierced and a section gets flooded, the whole ship won’t go down.
Having different networks for different functions can protect organizations in the same way by preventing an intruder from getting access to all sensitive files. This works at home as well as at the office, Tarbell said.
“We’re starting to put a lot more devices onto our network at home,” Tarbell said. “Doorbells. Thermostats. Cameras inside the home. That doesn’t need to be on the same wireless network that your kids use to watch Netflix. Segment it off.”
Consider log files
When a system is hacked, log files allow management to look back and figure out where the hacker went, what access they achieved, and whether they are still in the system.
Organizations need to make smart decisions on whether log files are a worthwhile expenditure, Tarbell said.
“A victim only learns how powerful log files are when they are a victim,” Tarbell said. “Before that they are just a nuisance, taking up space and … money.”
Manage passwords and patches
Passwords should not be stored in places that are easy for hackers to find, Tarbell said.
“A lot of people store passwords on their phone in notepad. That’s a horrible decision,” he said. “Or they keep a file on their desktop. That’s a horrible decision.”
Choosing strong passwords and storing them in a safe place is essential for security, he said, and two-factor authentication is a better solution than a single password for systems.
“Not only do you need to know the user name and the password, but you have to have a specialized token that goes along with that password,” Tarbell said. “You need to have two forms of identification in order to get into the account. I would never do online banking if it didn’t have two-factor identification. I would switch banks immediately.”
It’s important to upgrade smartphones and other technology with the appropriate software updates and patches, Tarbell said. When a software update is made available, hackers can decipher the vulnerability in the previous software. Then they hunt for users who haven’t updated.
Learn from others
News reports today often include information about the latest breach suffered by a high-profile organization. Cybercriminals are so persistent that it’s impossible to guarantee that any system is safe from hackers.
But those news reports may also include details about how a hacker operated. Paying attention can help you recognize your own vulnerabilities.
“Learn from other people in your industry,” Tarbell said. “Learn from others on the news. If they talk about someone that got hacked into, learn from the mistakes they made, and don’t be a victim and repeat those same mistakes.”
—Ken Tysiac (ktysiac@aicpa.org) is a JofA editorial director.
