Restart Recharge Podcast
We’re coaches at Forward Edge, a K-12 technology company in Ohio. We are a team of former educators who now work as instructional coaches across the region. On our podcast, we’ll share lessons, stories, and tips from our network of coaches and special guests. We’re right there with you - on the ground and in schools every day. Hear personal perspectives on the role of a coach, benefit from our experiences, and learn from our mistakes - wherever you are, we’ve been there, we are there, and we want to help! So press the restart button, recharge your coaching batteries, and leave feeling equipped and inspired to coach fearlessly - with the Restart Recharge Podcast: A Tech Coach Collective!
Restart Recharge Podcast
410 - Digital Danger Zone: Cybersecurity Essentials for Educators and Beyond
In this episode of Restart Recharge, Katie Ritter and Matthaeus Huelse tackle the important topic of cybersecurity in education with Kehlan Rutan, Senior Information Security Officer at Forward Edge. As schools become frequent targets for cyber threats, Kehlan shares his extensive experience in improving cybersecurity for K-12 schools, offering practical strategies to protect digital environments.
We discuss why educational institutions are particularly vulnerable, the tactics cybercriminals use, and essential steps to safeguard your data. Kehlan explains terms like malware, ransomware, and the dark web in an accessible way. He also provides actionable tips on password management, recognizing phishing attempts, and the importance of regular updates.
Whether you're an educator, administrator, or just someone using the internet, this episode has valuable information to help you stay safe online.
Give Kehlan a follow!
Twitter: @Kehlan
Coaches Camp
Professional development designed specifically for instructional coaches, like you!
Join us in Cincinnati - July 29th - 30th
or Virtually - July 22nd - 24th
Edge•U Badges
Edge•U is an anytime, anywhere professional learning platform made for teachers by teachers!
Hey listeners, before we start with today's episode on cybersecurity, I've got an exciting offer that I want to share with you. As we approach the end of the school year, it's the ideal time to think about upgrading your school's tech infrastructure and replacing those old teacher laptops. Forward Edge is offering a fantastic deal on Chromebook Plus devices that are made for the way you teach. Chromebook Plus devices aren't like your students Chromebooks. They're more powerful and built for security and efficiency. With features like verified boot, system sandboxing, and layers of data encryption, your and your students data is always protected. In fact, to date, Chromebooks have not had a successful ransomware attack. Keep listening to today's episode to find out what the heck ransomware is. But that's not all. When you invest in 10 or more Chromebook Plus devices from Forward Edge, you'll get free, hands on training for your teachers to learn all about these powerful teaching devices. It's a limited time offer, so don't miss out. Reach out to us via email at hello@forward-edge.Net to learn more and get your educators set up for success. Stay secure, stay updated, and empower your teaching with Chromebook Plus. Now, let's get into today's episode on cyber security.
Matthaeus Huelse:Calling all Instructional Coaches, Curriculum Specialists, Teachers on Special Assignment, or whatever they call you. I'm Matthaeus Huelse.
Katie Ritter:And I'm Katie Ritter. As Instructional Coaches, we are often responsible for our own professional learning and can sometimes feel pretty isolated in our role.
Matthaeus Huelse:That's why we're here, bridging the gap with a wealth of tips, tricks, and building a community of coaches.
Katie Ritter:So hit the restart button with us.
Matthaeus Huelse:Recharge your coaching batteries.
Katie Ritter:And hopefully you'll leave feeling just a little bit less on your own coaching island.
Matthaeus Huelse:Welcome back again to Restart Recharge everyone. I hope you all got my recent message.
Katie Ritter:What message?
Matthaeus Huelse:You know, the one about getting some gift cards for me because that's really time sensitive, right? Or did you get that one message about how your password got stolen?
Katie Ritter:Yes.
Matthaeus Huelse:I really hope you clicked that link. I mean, rather, I hope you probably, I hope you didn't click that link. So today, if you can tell, is all about cybersecurity. We'll explore why educational institutions are prime targets, discuss the tactics cybercriminals use, and offer tangible strategies to keep your digital environment safe.
Katie Ritter:So our guest today is Kalen Rutan. He is the Senior Information Security Officer here at Forward Edge. Kaelin has 10 years of experience in cyber security, working to advance operational integrity for K 12 schools. He holds his certification in Security Plus in CISSP, and he leads the XPEL Security Operations Center here at Forward Edge. XPEL is X P E L. So welcome first time to the pod here, Kehlan
Matthaeus Huelse:Hey, welcome.
Kehlan Rutan:Hi, thanks for having me.
Katie Ritter:Yeah, so super excited. And our listeners might be like, what the heck? This is a bit of a turn of events from our normal coaching topics. But if I can give some quick background on the conversation that Matthaeus and I had in planning this episode. So. We based on the intro if you didn't know, Forward Edge actually has a cyber security division. It is recently rebranded and known as Xpel. And we have been doing cyber security for, I don't know how many years now, Kaelin, you, you know better than me and look, being in researching even longer than that. But as a part of that solution, our coaching team will sometimes partner with your cybersecurity engineers to actually lead educator focused training. It's kind of where the whole like social engineering, cybersecurity training came from with large input from you and Dustin Bingham from a technical standpoint. And then our team kind of helped come in to translate that to educators and teachers. And so we have been doing this training now in, in kind of partnership with our districts who have our cybersecurity solution. And I have just really, really, I most recently actually led the training myself out in Nevada for a group of teachers and it, it's just always shocking to me. I've, I think I have kind of taken for granted the knowledge I've gained of how to be vigilant and safe. And it's really a training that a lot of times people walk in the room and, and it's one of those compliance trainings that like hurts our team when we have to lead. Like, teachers have to be there, so they walk in the room a little grumbly and like not wanting, like, you know, no offense to you, Kehlan, but like most of our audience isn't like, woo, cyber security.
Matthaeus Huelse:So It's not the sexiest topic, really, it's not.
Katie Ritter:But then they leave, like, Oh my gosh, I need to tell everyone I know about these tips and about this information. So as we were kind of thinking, you know, we're going into the summer, people aren't actively doing coaching in the summer. So instead of having like a coaching focused episode, we thought that this might just be a really great topic to share with essentially not just educators, but. Anyone who lives in 2024 and has a single online account. So that's kind of, for our listeners, that's like some background info for why we're taking a bit of a turn. So Kaelin, kind of diving into our first question here. You know, you being like, the everyday person. Now we hear about cyber security, cyber breaches all of the time particularly targeting education institutions. So will you just talk to us, like, why are schools a focus of cyber threats?
Kehlan Rutan:Yeah, sure. So, obviously you get the low hanging fruit with, with lack of resources that are in these schools, both from a. Personnel standpoint, as well as a monetary standpoint, you know, they, they just don't either have the time or controls in place for them to be able to, defend a school district properly. And the bad guys have found that out. You know, we see a lot of attacks that are initially used in other sectors, and then when those sectors are properly defending those attacks, then they'll scale down to education because there's education has yet to defend against this thing. So like we see a lot of malware that may have started in financial or banking, and then all of a sudden we're seeing it in K 12 also. So you got that low hanging fruit piece. But also, you know, there's a lot of things that school districts have that bad guys could want. You know, you have, even though their budgets are really tight, they also have, they have, you know, large outstanding balances on, in their bank accounts. As well as you have that whole PII piece, which is, you know, personally identifying information. You have access to a lot of students and kids that may not need to use a credit card until, you know, after they're 18. So that gives the bad guys that amount of time to be able to use that identity and recycle through that before they are ever even found out.
Katie Ritter:Jeez, super scary. So a couple of things just to clarify cause again, I don't want to take for granted that like you've been educating us here at Forward Edge for a long time. One, what, and I know it's personal, identifiable information, but like what falls under that for someone who that might be a new term? What are we talking about the information that they're taking?
Kehlan Rutan:That could be anything that, can be tied back to you. So a name, obviously an email address a computer name, a username, a, an IP address you know, which is that, that number that is applied to every web address or device that is accessing the internet. You know, anything that can be directly tied to an individual is considered PII.
Katie Ritter:And big one probably in this context is also like social security number. So when I think about you said like, you know, we can take this information from students and they're not going to be applying for credit cards, right? Or loans or whatever it may be. They're, they're doing that with the social security numbers that they're taking. And, and then explain just like Super high level how would you explain malware versus ransomware versus another term that we may need to know, like, to one of your
Kehlan Rutan:for sure. So malware stands for malicious software, and it is basically the overarching term that ransomware and adware and all of these other things fall underneath. So malware is, you know, the umbrella term. And really that's when we talk about, , things that we are seeing in other financials. We generally use that umbrella term because within that can be several different things. So ransomware is something that. is intentionally locking and, encoding your files so that you cannot access them. That way they can be ransomed for their access. So, you know, if, if ransomware gets on your computer, it makes all of your files unreadable and unusable. And there will generally be a message that pops up on your screen that says here is a Bitcoin address or a number to call so You can pay us and then we'll unlock your files. And then whether they actually do or don't, that's entirely up to them, but that's that, that's that piece of what the ransomware is
Katie Ritter:Okay, and I'm just going to double down on one more super scary thing. So what are some of these criminals doing, like, when I think of, Not monetary, right? I mean, that one seems obvious to me, but like, if I am a cyber criminal and I get all of these students employees social security number, what am I then doing with them beyond just maybe applying for a credit card just for myself? Like, what is also taking place that I don't think people are aware of?
Kehlan Rutan:Generally when a bad guy is done with the information he has obtained, whether it be, you know, going out and initially either applying ransomware to a school district and getting that ransomware that ransom back. Or if they don't pay whatever and then, you know, applying for credit cards or whatever, then they will just take that data dump of that cybersecurity breach and either sell it or they will just generally, dump that information for anyone to use on the internet so that that way now you have people who may not be as, technically inclined to be able to hack a district to still be able to use that information that has been posted on either the dark web or we're actually currently seeing a huge uptick in telegram and bad guys just being able to, you know, at that point, it's more accessible than the dark web because generally not everybody knows how to access the dark web but everyone knows how to download an app. And search, you know, so it is becoming even more and more,
Katie Ritter:So you don't even have to be tech savvy to be a cyber criminal anymore.
Kehlan Rutan:correct. It, and, and now, and now with AI, , that expands it tenfold.
Matthaeus Huelse:Oh yeah. You can definitely use AI to do all kinds of coding and scripting for you. That gets dangerous fast.
Katie Ritter:Yeah. What is the dark web? My last question before Matthaeus jumps in.
Matthaeus Huelse:You
Kehlan Rutan:so You you, know, your, your website, all of the websites that, you know, end with either com or org or edu. The net, those are the ones that are generally recognizable at the end . Any dark web address ends with onion. And normal browsers cannot process those URLs or those website addresses. It requires a TOR browser, and then you gain access to it. So the what makes the dark web dark is that it is, , from a high level standpoint. Websites and traffic pass through. They don't just travel from your computer directly to the server, where that website is hosted, like the normal web, it passes through what's called nodes, which makes everything more, way more difficult to trace. And you are a lot more anonymous using the dark web, which spurs online Illegal activity, but it also has its good uses as well. You know, people who are in countries that could be oppressive and want to communicate or people who are whistleblowers and want to talk to journalists. And there's a lot of Discussions around why anonymity is either good or bad. But you know, there's definitely it's use cases as well. Not every website that you go to in the dark or on the dark web is for illegal activity,
Katie Ritter:Okay, that helps me because I always thought it was just, you know, kidneys and passwords and social security numbers being pulled on the dark web.
Matthaeus Huelse:Yeah, I didn't even know that. I thought I knew they had like a Wikipedia version of it on there too, but I didn't know that it was used for, you know, like the other purposes of like journalists communicating. That was fascinating. I
Kehlan Rutan:most. Most websites on the dark web are for legitimate uses. Facebook even has a onion website address. You can, you can access Facebook through the dark web. And it, so it is, it's, and that allows it, and that's a personal project for a Facebook engineer, but it gives people in China access to Facebook who wouldn't normally have access to it because of, you know, the great firewall of China. So it is, it is. Used for a lot of legitimate purposes.
Matthaeus Huelse:I could go down the rabbit hole with the dark web even further with you, but I, I would rather start talking a little bit about some of the technicalities. So like, we talked a little bit about what happens when hackers get access to your information, but how do they do it? You mentioned malware and we mentioned ransomware, but what is, you know, how do they actually get to us? How do they get that information? What do we need to be
Kehlan Rutan:So Verizon uses sends a report every year that I read. It's really, it's really good. They do a threat Intel report along with a lot of companies, but I, and I read a lot of them you know, generally in my free time, because that's what kind of nerd I am, but the Verizon report still put out.
Katie Ritter:We need nerds like you Kehlan.
Matthaeus Huelse:Absolutely.
Katie Ritter:Otherwise we'd be out here clicking everything.
Kehlan Rutan:So the, you know, Verizon report still puts. Email compromises as 80 percent of the way that bad guys get into this was enterprise focused, but so, but I would assume that it is across all industries and verticals that, you know, most of it is through email. That number I assume is going to go up because we are seeing phishing campaigns from bad guys being harder and harder to detect. Because of AI. So, previously before LLMs or large language models , you had people who were, English speaking as their secondary language, crafting these emails. So you could potentially look for misspelled words or grammatical errors or something like that to, Pick out a phishing email , as I'm sure you guys are aware, LLMs are really good at speaking English. So that is no longer a thing.
Katie Ritter:I didn't even think of
Kehlan Rutan:Yeah. So, so grammatical errors and those things like, you know, those Nigerian Prince emails with all of their, with all the grammatical errors are just not being seen anymore because of , AI, which is a way that the bad guys are using it. In addition to that, we're seeing a huge uptick in more complicated malware. So generally the, cybersecurity term for you, APT, which is Advanced Persistent Threat. These are the cream of the crop when it comes to bad guys. These are generally your nation state actors, and they are. The most sophisticated. Their malware was the ones that would be able to bypass your EDR or your, your, your local protections on your computer, which is, you know, your antivirus and all those things. So their malware would be able to slip through that. We are seeing. Again, with the birth of AI, people are able to write way more sophisticated malware, and we're seeing a lot of that malware being able to fly under the radar a lot more often. So that's another way. And then we're also seeing an uptick in Vulnerabilities being able to be exploited. So like, you know, school districts have several different websites or different servers that may access the internet or may be open to the internet. We're seeing, you know, those, the vulnerabilities in devices and servers being able to be exploited. Being a much more common thing than what it used to be.
Matthaeus Huelse:So from a teacher perspective or really like anyone's, right. So we talked about malware. How does it get on my computer? Like what, what did I do? What happened to the, how did it end up there? Like, where's my mistake?
Katie Ritter:When we got the email, like what's happening?
Matthaeus Huelse:How did my email get compromised?
Kehlan Rutan:So generally when you click on a link that you shouldn't have you will either be taken to a website or if it has an attachment in that email that maybe you download or you open up, there are things that can run in the background without you ever knowing. As soon as some form of interaction happens that to a malicious email, Then in the background, it could be installing that malware. It can be , stealing your credentials or installing a key logger, which is, you know, malware that is recording every one of your keystrokes and sending it to a server. You know, it could be doing a bunch of different stuff. And all you see is a normal interaction, that, you know, you would click on a link or download and open up a PDF and say, that doesn't make sense and close it, but you didn't realize that that PDF had embedded malware..
Matthaeus Huelse:Oh, so even downloading the attachment. So downloading the attachment, careful. Clicking on the link, careful. Anything else? Am I forgetting something? Can I just open the email? Is that already dangerous?
Kehlan Rutan:Is fine. Opening the email. The worst case that could happen by opening an email is just letting the person who sent it know that you're opening emails. So
Matthaeus Huelse:oh, send request. Send receipts like
Kehlan Rutan:Yeah. Send receipts or what we call them. There's tracking pixels, which is a send receipt. So basically what people don't understand or don't know is that there's maybe a, a tiny dot in that email that is embedded with some code. And as soon as you open it up, that dot will send a ping to a server and that if you're receiving a ping, then, you know, that, you know, an interaction happened, which means you open to that. That's generally how send receipts work is through tracking pixels, which is kind of interesting.
Matthaeus Huelse:Okay. So I know that at least
Katie Ritter:If you're like me, everyone's like, not opening any more emails again today.
Matthaeus Huelse:Terrified.
Kehlan Rutan:Generally opening emails is, is 100 percent fine. Generally, actually from our end users and, you know, You guys, we would prefer that you open it and then report it. You know, teachers or educators have some form of way of, you know, reporting security incidences, that's, that's a huge help , for your security or your IT team. Generally, you know, we always, embrace people who forward things and say, Hey, is this legitimate? You know, that's way better than just. Archiving it, because if you just archive it now, if it's your personal email, obviously that you can only just archive it, but you know, if you're able to report it to an it team there, able to take that from address or whatever and add it to their block list. If it is legitimate.
Matthaeus Huelse:So I recently got an email. I'm going to expose myself. I, I got an email recently. It looked really legitimate. It said, Hey it was an email from Google that said, your password has been stolen. Click here to reset it. Yeah, I clicked on it. I'm pretty sure.
Katie Ritter:Is this cyber anonymous?
Matthaeus Huelse:I am pretty sure that I am pretty good about these things, but that got me. It was fast. It was quick. It looked so legitimate. I had no idea. And all of a sudden I clicked on it. What do we do next? I'm pretty sure it was, it was one of the like training emails. Pretty sure. I hope the email account is still safe. But I
Katie Ritter:Right, Kehlan right?
Kehlan Rutan:that was one that I personally crafted. Yes.
Matthaeus Huelse:Oh man, that was a good one. Well done, then. You're a good hacker, I guess. But my course What do I do? I clicked on it, legit, non legit, whether it was training or not. What do I do?
Katie Ritter:Yeah, like if that had been a real cyber attacker and Matthaeus had clicked on it I know you've also taught us, Kehlan sometimes the link itself isn't malicious, but then it's that next website, right? Where you're entering to change, you know, or entering your current password. Now they have your password and it's the website itself that's collecting the info. So like, let's say something like that legitimately did happen. I think that's where you're going, right? Like what would the next step be?
Kehlan Rutan:You know, contact your IT team and, or for you guys, it would be contact me or our cybersecurity team, you know, so it would be, because even though, And every TC or tech coordinator I've talked to feels the same way. We would never want end users to feel like it's a gotcha, right? We want them to be able to, if you see something, Potentially malicious, or, you know, that you're just not real sure about. Always report it regardless of how far you went into the engagement. If you went to that next website and you entered in your password, and then all of a sudden, if it's good, then that's when you'll get the web. Infograph that says, Hey, this was a phishing campaign. Here's some things you could have caught it. But if it was a bad guy, then basically what, how the attack chain generally works is if once, as soon as you enter in that username and password, it will either route you to the legitimate website. So it'll look like you will need to sign in again. So generally, those are the two, interactions that we've seen that are actually malicious. And so if something doesn't look right, like, Hey, I just entered in my username and password. Why do I have to do it again? For sure, reach out to your IT team and your security team so that that way they can send up, send you a password reset or, or investigate further on your actual device to make sure that nothing's compromised.
Matthaeus Huelse:Should I initiate a password reset myself?
Kehlan Rutan:No, cause it came from me. So I didn't, I didn't get any,
Matthaeus Huelse:Well, okay, know I'm not interested in my case, but anyway, well done. I
Kehlan Rutan:you're talking about from an engineer, right?
Katie Ritter:I did it on my personal Gmail, right? Like then I'd probably want to just go ahead and reset my
Kehlan Rutan:Yeah. Yeah, absolutely. That would be the recommended route to just make sure that everything's good to double check. Also in personal Gmail, I don't know, I was assuming that you're comfortable with it. You can go into your account settings and see if there are any devices logged in that you do not recognize. Is it also a good way to say, to make sure, and I generally recommend doing that anyway, at least, you know, every, every so often, you know, just to make sure that there aren't any outdated devices or devices in other countries that you're like, wait a minute, I've never been to, you know, Nigeria or whatever. So it's good to check up on that anyway.
Katie Ritter:And I have a couple other questions. So I know you're seeing email is like 80 percent of where these things are happening. I do want to touch on just a couple of other things that we've seen just to make people aware.
Matthaeus Huelse:Before you do that, Katie.
Katie Ritter:Oh, caught me.
Matthaeus Huelse:I know. You know what's coming next. We're going to take a really quick break for our sponsors, and then we will be right back.
Coaches Camp Promo:Calling all instructional coaches! Join Forward Edge for Coaches Camp in summer of 2024. Coaches Camp is packed with high quality professional development exclusively for you. Attendees will work with like minded coaches on creating strategies for building teacher relationships, executing coaching cycles, and building a culture of coaching and tech integration within their school district. There are two opportunities to attend Coaches Camp in the summer of 2024. You can either join us virtually July 22nd through 24th. Or come to Cincinnati on July 29th and 30th. Please visit forward edge. net slash coach camp to reserve your spot today.
EdgeU Badges Promo:Looking for a program that reaches all teachers and learning new tools to integrate in their lessons? EduBadges is the answer! Edu is an anytime, anywhere badging program that is designed to take bite sized tools for instruction and teach teachers how to use them. Edu has received the ISTE Seal of Alignment for educator standards, and each badge in our expanding library is aligned to the ISTE standards and the SAMR model. Learn more about the program that teachers call addicting at forward edge. net backslash EduBadges.
Katie Ritter:All right, Matthaeus, thanks for breaking us to our sponsors. We are back with Kehlan talking all things cyber security to keep you safe in your schools, and also just keep Generally is a safe, vigilant person with any online account you know, operating in society today. So we, we started right before the break, Caitlin, talking about some other ways besides email or even within the context of email, some things to look out for that isn't just like your fake, Amazon delivery or fake reset your Google password. But I know like here we've also seen, and I'm sure everyone, as soon as I say this, you're going to be like, Oh yeah, this has happened to me too, but text messages on our phone. And I know like we have employees who frequently will get a text claiming to be our CEO. And back to your like joke at the beginning, Matthaeus, Like, can you go buy gift cards, scratch it off, send me the thing, we'll reimburse you. This is an emergency, I need it for a customer event, right? And they use like the, the pressure of the boss or a person in charge in a school setting. It could be like your superintendent, your principal's name. And they're spoofing these things and just the context. I, I wonder if you can just speak to that, Kehlan, of like this context of some other areas that. Phishing attempts might be coming in addition to email and then also like how they're creating these like really highly targeted Messages and if that's even still relevant or if they've moved on
Kehlan Rutan:Yeah, no, it is absolutely relevant. And, you know, so I kind of bristle at our industry's love for anything -"ishing", you know, so the text messages is"smishing" now we're seeing a lot of QR codes it's "quishing" you know, it's all of these different things that are, ishing because I don't know why, but it's basically,
Katie Ritter:Some of these are cringe-ishing
Matthaeus Huelse:Yeah, honestly, as a non-native I'm pretty confused. A non-native
Kehlan Rutan:So, yeah, so it is still relevant. We're obviously, just like you said, you know, we're seeing those text messages come through and it is, you know, easy to look on LinkedIn, look at a company or a school, see who is a prominent individual who is employed there and start sending out text messages from a number at claiming to be that individual. You know, you can just do some , real quick, lookups on LinkedIn and other social media. So it, it is still very relevant. We are seeing an increase in QR codes now also. So there is, that's another attack vector or another way. It's all considered social engineering, right? So it's phishing campaigns, it's text messages. It's QR codes, it's voice, you know, now, again, with. The birth of AI, you know, you need three seconds of someone talking and you can create a phone call and sound like that superintendent, that CEO, that person of authority and say whatever it is that you want them to say or want them to do for you to change a password or whatever the case may be. And now you're in. So we're seeing it's still all under that umbrella of social engineering and it is. That's what holds that 80 percent mark, not just emails. It's all social engineering.
Matthaeus Huelse:Has there been a large uptick of these AI kind of phishing attempts where they do create a quick video or quick audio, or is this just something we hear and it's just, you know, scare tactics?
Kehlan Rutan:So, yeah. We've seen with our customers internally, we have seen a few, so with the voice calls, they are people can't report those to us, but we are able, you know, our customers reach out and say, how do we even block this? Right. And you know, how can we stop these calls from happening? And unfortunately, our answer right now is unless, unless schools own phones, which not, there's, None of our customers do, you know, it's, it's all comes to security awareness training and training for the staff and talking to their end users to be aware, you know, that your, your superintendent should never be asking, you know, a teacher for a password change or gift card. Right.
Katie Ritter:So for security awareness training, everyone who's listening, send this out to your staff to help start. And then I also, I want to kind of pivot a little bit, Kehlan and so like now I'm ready to just basically turn my computer off and my phone off and never use it again. Technology or email again.
Matthaeus Huelse:Sufficiently scared right now.
Katie Ritter:And we know that we can't do that, right? I mean, that's just not the society that we operate in. It's not the education experience our students deserve to not learn some of these skills and how to be vigilant and the opportunities that technology opens doors for them. So like just turning off the computer and not using technology anymore is really just not an option. But what are their strategies? that you can can share with us, and I know sometimes it's like hard to explain verbally, but explaining verbally some quick strategies that people could be aware of to double check, to, to kind of self check, is this fishing, is this safe?
Kehlan Rutan:Absolutely. There's a, there's a lot that can be done from a , End user standpoint to investigate an email or a phone call, you know, a lot of these things, they kind of prey on urgency. They, you know, they, Hey, hurry up and do this quick before you think about it and realize I'm fake, right? So, you know, if you, just ask yourself, if you stop, take a minute and ask yourself, should this be happening or is this legitimate? Then you can. weed out a lot of that. But you know, everything's in capitalized letters, everything's urgent, Hey, do this quick, whatever. And if you just take a beat and think about it, then you're able to weed out a lot of that information. Also, if you're on your computer, you can hover over links. If you're sending, if Matthaeus, if you would have hovered over that link for password check you would have seen that it wouldn't have gone straight to Google. I made it close. So it would, it was like something, you know, Google password check dot org or something like that, that doesn't actually, isn't owned by Google, but you would have been able to see that this isn't going to an actual Google address..
Katie Ritter:And I'm going to pause you right there because this is something that when we're leading the training, so many people do not know how to do this. So by hovering over a link, you just like move your trackpad or your mouse and don't, and literally hover it, the icon over the link. You don't click on it. And then in the bottom left corner, usually, or right there over the mouse, depending on your browser, the, a preview of the link will show up. Can you also explain, because I know I'm usually running around checking email from my phone, how would I hover a link on my phone?
Kehlan Rutan:if you just long press on a link, it will pop up in both Android and iOS. I, I, believe.
Katie Ritter:Yeah. And for iPhone,
Kehlan Rutan:yeah. so if you just long press on a link, it'll pop up that preview of where you're about to go. So then you can do that for emails as well.
Katie Ritter:Yeah. That has been probably the biggest tip that I have learned that has saved me from so many things and that I find sharing with teachers that that is a huge strategy for them as well. What about Like passwords themselves. So let's say Matthaeus goes, that was a malicious link. He enters his current password. And like many of us, we have the same password for everything. So maybe he changes his Google password, but he has the same password for every single account he owns. Like what, what are some password best practices like right now, as of the recording of this episode?
Kehlan Rutan:number one would be to not do that. To, to not have
Katie Ritter:But it's such a pain in the behind, Kehlan!
Matthaeus Huelse:I would like a listener to know that that's not what I do, for the record.
Katie Ritter:I'm speaking for a friend.
Matthaeus Huelse:Of course.
Kehlan Rutan:Generally, I recommend, you know, password managers. There's a lot of free options out there. Google has one in the Chrome browser that's built in. I generally, I generally don't recommend the browser if you're going to go look for one, but it is better than nothing for sure to have that stored. But you know, generally there's, there's a lot of good different password managers out there and they're super easy to just auto fill, you know, you, when you go to during the account creation process or the password reset process, you can just have it auto fill. Click on save. And then when you go back to that website, it just auto fills in the username and password. So not using the same website password for multiple websites, like kind of how we spoke about earlier about how the bad guys are now just doing dumps of data. Those passwords, if you're using them for, let's say you don't use it for Google, but you use it for some math tools website and that math tools website gets compromised. And now. Guess what? Your Google is probably at risk now for being compromised because you use the same password for multiple different locations and your social media and possibly your bank account and everything else. So, you know, the more, the more you use a, a password, the more you are at risk at just getting your whole life upended because of an attack that, you know, some website isn't as necessarily secure as it should be. So that. For sure.
Katie Ritter:So I should take that little message that google Chrome or my iPhone tells me this password has been shown in a data breach. Do you want to change it? I should take that seriously.
Kehlan Rutan:absolutely. You should always say yes. And then wherever else you use that password. Also, from a, password best practices standpoint, there's been a kind of a shift in the cybersecurity industry where they prioritize length over complexity. So, something that is, you know, 16 characters or even 20 characters. Generally what I do if, if I don't have a random password generator on hand is I will pick three or four items on my desk and just combine them. You know, it, I may do something that's, you know, keyboard, mouse. Deck of cards, like, and then just have that huge password and, you know, maybe capitalize the first letter or change something to a special, but the need for it to be all special, some lower, some upper, there's websites still have those requirements, but from a cybersecurity, Crackability, I guess, you know, which is like bad guys being able to, you know, brute force an account to try to get it to open or guess the password. Longer passwords are way harder on those brute force programs than something that is smaller but complex.
Katie Ritter:Okay.
Matthaeus Huelse:So what if I use kind of like a, a system. What if I say, Oh, for every password, I want to use the first or something letter of that, and then I'm going to put a number in that I maybe repeat. If there's some variation, but rather than remembering a word, I remember like a pattern. Would that be something or that get me in trouble
Kehlan Rutan:As long as that pattern is long and it doesn't necessarily pertain to you. So if it's like all of my kids first name combined, that's going to be guessed pretty quickly just because of the nature of social media, right? Especially if someone is actively, like, attacking, if, you know, if someone who's listening to this is a person. in administration or who has LinkedIn and someone is, we call that spear phishing, which is like very intently going after a certain individual, which happens a lot that way they can gain access rather than, you know, the spray and pray type mentality of we're sending phishing campaigns to everybody and hoping someone clicks. Then, you know, I would recommend not doing anything that pertains to you doing like several. Phrases or patterns that can't be tied back to you individually, but that definitely works. And then the variation on that, I would, the variation on passwords, as long as those passwords aren't known to be compromised is safe within reason. But as soon as that compromised password, as soon as that password is compromised in any variation, all variations are then should be considered compromised,
Katie Ritter:You're killing me, kehlan
Matthaeus Huelse:so then
Katie Ritter:ring light, microphone, spit protector, 24 exclamation mark it is.
Matthaeus Huelse:I have the one, one more question I have. So I guess. Is two factor authentication then my silver bullet to do all this? Should I just put two factor authentication on everything and then just, Oh, I'm good. I got two f whatever.
Kehlan Rutan:It, it is not a silver bullet. It does not protect you.
Katie Ritter:And let's explain what that is just quickly before, in case anyone listening doesn't know what two factor
Kehlan Rutan:Yeah. So MFA or 2FA is. any second form of authentication. So authentications can happen by something, you know, something you have, something you are. And if you put in a password, which is something, you know, And then you put in a, you know, code from an authentication app or like, you know, Google Authenticator, then that's something you have, right? So that, that's multiple forms of authentication. So MFA isn't considered MFA if it's just two passwords, because that's two things, you know, if the things that you are, know are now compromised, then you, both of those passwords can be assumed to be bad. So yeah.
Katie Ritter:So like a password and a security question.
Kehlan Rutan:a password and then a you know, thumbprint or something like that, or UB Key or, you know, we're seeing MFA bypass attacks. Not, I wouldn't say often but they happen. So, it is not a silver bullet, but it does make things way more secure with that said, if you have a password that's compromised, I would still recommend going and changing it because, you know, MFA attacks do happen or MFA completely bypassing an MFA, setup is, is possible.
Katie Ritter:Okay. Now I do have to bring us back before we move into our next question, because you really broke my heart when you said that about the QR codes. And I feel like there was a lot of like shattered dreams here, listening to the pod, because we love our QR codes for us, which is especially like, Quick scan this, like, fill out my feedback. Quick scan this, sign up, right? Like we use QR codes everywhere. So what, like, what can we do in place
Kehlan Rutan:I don't, I don't think that there's anything to do in place of it. It's just for the end user to understand that context is extremely important. Obviously, if you're looking at a presentation and you're sitting in front of the presenter , if you're showing something and there's a company that you trust that has a QR code on a slide and they scan that, that's, that's fine. I don't know if you guys were if, if that's the case. You remember, but it was either the last Super Bowl or the Super Bowl before had the QR code during a commercial break. And it, it actually, so many people scanned it that it brought down the server of that actual company., but any bad actor could have phone, anything out there on a commercial, you know, any state, funded actor who had the money to buy a time slot and Superbowl, then, you know, how many users would have been compromised because the users didn't have any idea. End users didn't have any idea of where that QR code was going to send them. So context being context aware is extremely important, but, As far as what you could do outside of that, I would just make sure that you can still look at the from address. If you're getting a QR code sent to you, making sure that it is coming from it. If you're not expecting one, always reach back out and say, Hey, is this legitimate or did you mean to send this to me or whatever, just ask a question and then get a confirmation back, you know, so there's still some things that you can do to help mitigate from those QR code phishing campaigns.
Katie Ritter:So we shouldn't like totally feel the need to abandon QR codes. It's just more about being aware of practicing those safe habits.
Kehlan Rutan:say the same thing with the rest of technology, right? I don't think people should abandon email as much, you know, sometimes in my mornings, I wish people would abandon email, but you know, it's, it's a matter of just saying,
Katie Ritter:Can we email back that just says, thanks, please don't email me. Thanks. I know you appreciate whatever I just said. Don't email me back. Thanks.
Kehlan Rutan:sure. Yeah. So, I mean, it's, it just goes with the, you know, everything else to where it, you just need to be aware and make sure that the context is important and you're expecting it.
Matthaeus Huelse:This has been great. We've learned so much. I feel like helpful, still a little scared of the internet now, but I'm sure it'll pass. We always end our episodes with our top three tips. So what are your top three tips to stay cyber vigilant?
Kehlan Rutan:Yeah, so you know, password hygiene is probably the most, I would say the top, using different passwords for different websites, making sure that they are long and making sure that if you do have one or you know that one is compromised, you change it everywhere. It is, it is basic. Like if you have a compromised password, it is using a password that is public information out there. The second one would be phishing campaigns and social engineering. Just knowing what you are clicking on before you click on it or downloading before you download it, that would be number two. Number three is when you get those notifications to update your device or your browser, to do it. And not to just let it sit and fester, I would recommend, you know, just updating your devices and software so that that way, you know, those updates happen because generally there's been a vulnerability found and a bad guy could completely bypass your email and, you know, just access your device because of a vulnerability or you didn't update your Chrome browser or something like that. So, so that would be passwords. Social engineering and updates.
Matthaeus Huelse:That's great.
Katie Ritter:Thank you. Yeah,
Matthaeus Huelse:also not me looking at my browser right now when it says new Chrome available.
Katie Ritter:Yeah.
Matthaeus Huelse:Okay, gonna do that. I know, I'm like,
Katie Ritter:you're killing us all here, Kehlan
Matthaeus Huelse:we are now all sufficiently scared of the internet, but I think you gave us some great advice and some great tips to to stay safe out there. Thank you so much for
Kehlan Rutan:Yeah, I appreciate it. Not a problem.
Matthaeus Huelse:my gosh, I'm way too fast. I would like to ask you, do you want to brag about anything? How people get in touch with you
Kehlan Rutan:So, XPELCyber.com is our website. Go there and you can reach out. I believe there's a QR code that is not malicious that you could scan and it'll reach out to an email that you could ask for more information.
Katie Ritter:And expel is just X. P E L. It is not E X.
Kehlan Rutan:Also, I have a Twitter account at Kehlan, K E H L A N where I post some cyber it's, they're more technical posts, but you can definitely reach out and look for more information there as well.
Katie Ritter:Shut up! Your name on Twitter is just your first name. No numbers, no letters, no, underscores.
Kehlan Rutan:benefit for one, being an early adopter for Twitter, at Twitter, and two, you know, being able to have a unique name. So,
Katie Ritter:Oh my gosh. Lucky you.
Matthaeus Huelse:I didn't get the first name with just Matthaeus either. So I'm jealous. That's, that's pretty good.
Katie Ritter:Awesome. Well, thanks Kehlan this has been a treat, a scary treat. But again, really just very important information for people to be aware of and hope that our listeners will share it. Maybe just with, with us. Family members who could benefit, but also for sure your educator, friends and colleagues so that we can all keep ourselves, our colleagues and our students safe.
Matthaeus Huelse:Yeah. Scary indeed. Do you want to come back for Halloween episodes?
Kehlan Rutan:Let's do it.
Matthaeus Huelse:All right. Thanks everybody. Thanks listeners.
Kehlan Rutan:Thank you.
Matthaeus Huelse:Thanks for spending time with us today. If you found this episode helpful, please share it with an educator friend.
Katie Ritter:And connect with us on social media at rrcoachcast to let us know what you thought of the episode and what topics you want us to discuss next.
Matthaeus Huelse:New episodes drop every other Tuesday. Be sure to subscribe to Restart Recharge wherever you listen to podcasts.
Katie Ritter:So press the restart button,
Matthaeus Huelse:recharge your coaching batteries, and leave feeling equipped and inspired to coach fearlessly with the Restart Recharge podcast,
Katie Ritter:a Tech Coach Collective.
