USask’s CISO, Jon Coller

AMA (Ask Me Anything) with USask’s Chief Information Security Officer

For 2021’s Cybersecurity Month, ICT offered an informative and interactive virtual discussion where attendees could bring forward cybersecurity questions to USask’s CISO, Jon Coller. Here are some of the questions and responses from that session.

Is it true that my phone is listening to my conversations?

Generally, your phone or smart devices aren't really listening to your conversations all the time. Most devices include an audio chip which listens for keywords or phrases and then tells your phone to start listening. Until that keyword is triggered, none of the audio is processed by other systems, which means your phone is not listening and sending everything it hears to Google, Apple, or Facebook. 

At the same time, individual apps can request access to your microphone, often for calls, meetings, or video functionality. Once the app has permissions, it could theoretically use your audio for other purposes. 

To combat this, Apple added privacy dots to the status bar, which let you know when the microphone or camera is in use. This is like the LED indicator on your webcam, which lets you know whether your camera is live. 


How often should I change my password?

In a perfect world where you have created a secure password that is never reused and is never exposed, you should not have to change your password. At the same time, if you have any indication that your password was exposed then you should change it ASAP. 

Instead of worrying about the age of your passwords, I would recommend focusing on the security and uniqueness of your passwords. 

 

How do I create a secure password that I can remember? 

I would recommend against trying to remember your passwords, which can lead to password reuse or passwords with a common theme. If any of those sites has a security breach, you would have a problem wherever that single password was used. 

Instead, I would recommend remembering only a couple of passwords, and using a password manager to generate and store all your other unique passwords.  


What should I look for when spotting a phishing email?

The best advice when it comes to phishing is to hover over any links in the email. Do this to safely read the URL and deduce if an email is legitimate or not.

Hackers are increasingly sophisticated and can copy legitimate notification emails from real vendors. Without checking the URL there is really no way to tell whether the email is from Apple, Amazon, or UPS or a look-alike trying to steal your data and money. 
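The hover-and-read-the-URL advice above can be automated for anyone triaging reported emails. The following Python script is an added example, not code from the session or from USask ICT: it parses a constructed HTML message, compares the domain shown in each link's visible text with the domain the href actually points to, and reports the mismatches. The "last two labels" rule for the registrable domain is a simplification (no public-suffix list), and the sample message is invented.

```python
"""Flag links whose visible text claims one domain while the href points
elsewhere. Added example; the sample message below is constructed."""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed HTML email body, not a real message. The second link is the
# deceptive one: the text shows an Apple URL, the href does not go there.
SAMPLE_EMAIL = """
<p>Your package is waiting. <a href="https://ups.com/track?id=1">Track it</a></p>
<p>Sign in to review activity:
   <a href="http://login-appleid.example-bad.test/verify">https://appleid.apple.com</a></p>
<p>Manage orders at <a href="https://www.amazon.com/orders">amazon.com</a></p>
"""


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in the document."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            # Collapse whitespace so multi-line link text compares cleanly.
            self.links.append((self._href, " ".join("".join(self._text).split())))
            self._href = None


def registrable_domain(host):
    """Last two DNS labels, e.g. www.amazon.com -> amazon.com.
    Simplification (assumption): no public-suffix list, so co.uk-style
    suffixes are not handled."""
    labels = (host or "").lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else labels[0]


def looks_like_url(text):
    """Visible text that a reader would take for an address or domain."""
    t = text.lower()
    return t.startswith(("http://", "https://")) or ("." in t and " " not in t)


def suspicious_links(html):
    """Return links whose displayed domain differs from the real target domain."""
    collector = LinkCollector()
    collector.feed(html)
    findings = []
    for href, text in collector.links:
        if not looks_like_url(text):
            continue  # text like "Track it" makes no domain claim to check
        shown = text if "://" in text else "https://" + text
        displayed = registrable_domain(urlparse(shown).hostname)
        actual = registrable_domain(urlparse(href).hostname)
        if displayed != actual:
            findings.append({"text": text, "href": href,
                             "displayed": displayed, "actual": actual})
    return findings


if __name__ == "__main__":
    for f in suspicious_links(SAMPLE_EMAIL):
        print(f"DECEPTIVE: shows {f['displayed']!r} but goes to {f['actual']!r} ({f['href']})")
```

Links whose text is ordinary words ("Track it") are skipped, because they make no claim to check; the user still has to hover and read those. The check only catches the case where the visible text itself impersonates a known address.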

   

Why should I use MFA? 

MFA adds another layer of protection to your account, in addition to your username and password. A scammer will also need access to your other method of authentication, like your phone. This significantly raises the bar for attackers to get access to your account, money, and data. 

A recent Google study found that enabling MFA defeated 100% of automated bots, 99% of commodity phishing attacks, and over 70% of sophisticated or targeted attacks. 
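As an added example, not from the session and not a description of USask's own MFA system, here is the time-based one-time password scheme (TOTP, RFC 6238) that most authenticator apps use as the "other method of authentication", written in Python with only the standard library. The service and the app share a secret at enrolment; each side derives the current six-digit code from that secret and the current 30-second time step, so a password stolen by phishing does not by itself produce a valid code. Allowing one step of clock skew in the verifier is a common choice assumed here, not a requirement of the RFC; the test secret is the one the RFC uses for its vectors.

```python
"""TOTP (RFC 6238) second factor in pure standard-library Python.
Added example: illustrates the mechanism, not USask's MFA deployment."""
import base64
import hashlib
import hmac
import secrets
import struct
import time


def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """HMAC-based one-time password (RFC 4226) for one counter value."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                       # dynamic truncation
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(key: bytes, for_time=None, step: int = 30, digits: int = 6) -> str:
    """Code for the 30-second time step containing for_time (default: now)."""
    if for_time is None:
        for_time = time.time()
    return hotp(key, int(for_time) // step, digits)


def verify_totp(key: bytes, submitted: str, now=None, step: int = 30, skew: int = 1) -> bool:
    """Accept the current step plus `skew` steps either side (assumed tolerance
    for clock drift); constant-time compare avoids leaking partial matches."""
    if now is None:
        now = time.time()
    current = int(now) // step
    return any(hmac.compare_digest(hotp(key, c), submitted)
               for c in range(current - skew, current + skew + 1))


def new_secret() -> bytes:
    """Fresh 160-bit shared secret, as provisioned when MFA is enrolled."""
    return secrets.token_bytes(20)


def provisioning_base32(key: bytes) -> str:
    """Base32 form that authenticator apps accept (usually shown as a QR code)."""
    return base64.b32encode(key).decode().rstrip("=")


# RFC 6238 test secret (ASCII digits), used to check against the RFC's vectors.
RFC_TEST_KEY = b"12345678901234567890"

if __name__ == "__main__":
    key = new_secret()
    print("enrol this secret in the app:", provisioning_base32(key))
    code = totp(key)
    print("current code:", code, "accepted:", verify_totp(key, code))
```

A real deployment also has to store the shared secret as carefully as a password hash and reject a code that has already been used in the current step; those details are outside this example.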

 

How does the ICT Security team predict (and prepare for) emerging/potential threats to USask IT architecture?

The security team actively monitors the industry for new vulnerabilities, attack techniques, and advances in mitigations. We also regularly read and follow up on breach reports at other institutions, to try and understand the root causes, and whether we have adequate protection here. 


How does USask protect our digital information from cyberattacks? 

The university takes the security of our data seriously. This means implementing technical controls like patching, firewalls, and system hardening, detective controls like monitoring logs and systems for signs of attack, and controls to secure our people from attack. We offer training, articles, phishing simulations, and seminars like this one where we try and improve the awareness of our community. 

 

How do you balance user stress and trust with phishing simulations? Has staff morale been considered?  

This is a tricky balance and I understand the frustration. We use phishing simulations not to punish or have a “gotcha” moment, but to legitimately help our community identify phishing emails. Our community is constantly bombarded with spam, scams, and phishing messages. Some are low quality and easy to spot, but there are also perfect recreations of common vendor emails.  

Phishing simulations give you a safe space to make mistakes and learn from them without risk of real consequence. If you make a mistake with a real phishing message, they will steal from you and try to scam your friends, family, and coworkers too. I have spoken with people who lost money due to successful phishing campaigns and I would rather they be tricked by our simulation to learn to protect themselves. 

 

If I was interested in working in the field of cybersecurity, how or where should I start? 

There are some great programs out there for training, from individual computer science courses to complete graduate-level programs. There are also programs at many technical schools like Saskatchewan Polytechnic, SAIT, or NAIT. 

In many cases cybersecurity is a specialty that you might transition into after some time in IT. It is extremely important to have a strong understanding of IT fundamentals to provide advice and guidance. All members of my team had time in other IT roles, including support, system administration, software development, and IT project management before making the move into IT security.  

I started my career in software development and IT operations before getting a master's degree in IT Security and then moving into a full-time IT security role.  

There are also many people who have followed non-traditional paths into the industry, so if it is something you are interested in and have a passion for, I would recommend doing some research to see if it is a fit for you.  

 

How can our devices be used to spy on us and what can we do about it? 

There are two ways our devices are used against us. First, the apps we download are often used to build a detailed analysis of our habits and patterns. This is intentional and is how some free apps make money. 

Protect yourself by asking if you need that app or if there is an alternative. Also, read the permissions prompts carefully. In most cases you can choose not to grant apps permission to your camera, contacts, location, or other sensitive data, or only allow when the app is in use.  

The other way devices can be used against you is when you are targeted for spying. This can happen either by an abusive partner or parent installing spyware on your device, or by repressive regimes using exploits to gain access to your devices. 

If you think someone might have installed spyware to track your device or usage, there are resources online to help detect it and reset your phone. Protect yourself by keeping a secure password on your device, but you should seek help from the police, friends, and family if you feel unsafe. 

There have been several stories recently about NSO Group and Pegasus malware targeting journalists and researchers. If you think you might be a target for repressive regimes, protect yourself by patching regularly, resetting your phone regularly, and limiting the exposure of your phone number and instant messaging IDs, and limiting the email addresses synchronized on your phone.  


How can you protect yourself from hacking attacks and how efficient is anti-virus software? 

The best ways to protect yourself against attack are: 

  1. Keeping your systems up to date 
  2. Not running as an administrator day to day. Running as an administrator allows hackers and malware to make major changes to your system, which makes it harder to detect, including turning off your antivirus 
  3. Only downloading software from trustworthy sources and keeping an eye out for ads or pop-ups claiming to be legitimate updates 
  4. Never enabling macros or active content in office documents 
  5. If you are staff or faculty, use a managed device. We make sure all these things are done for you, so you do not have to be a security expert to keep your laptop secure. 

I strongly recommend antivirus (AV) software, but it is not sufficient to catch and detect all cyber-attacks. From my experience, monitoring AV alerts is an effective way to detect an ongoing attack, but it requires active monitoring to know that you have caught everything. 

Malware is often a multi-stage weapon, with several independent parts which are downloaded in stages. When we do forensics on compromised systems and compare them against antivirus logs, we often see the first stages being missed because they are uniquely packed or encrypted, with later components being detected and blocked. Unfortunately, those first stages can retry repeatedly and download alternate versions which may evade antivirus or might even try to turn off security features if you are running as an administrator. 

Because of this I see AV more like a smoke alarm. It can tell you something bad is happening, but if you ignore it or do not follow up, bad things can still happen.  
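The "smoke alarm" view above implies that AV alerts have to be read over time rather than one at a time. The following Python snippet is an added example and not the ICT team's tooling: it parses a constructed, simplified alert log and flags any host that accumulates several blocked or quarantined detections within a short window, which is the pattern described above where a missed first stage keeps retrying while later stages keep getting caught. The log format, field names, window and threshold are all assumptions.

```python
"""Triage antivirus alerts over time: several detections on one host within a
short window suggest an ongoing attack (a missed stage retrying), not a
one-off. Added example; the log format, window and threshold are assumptions."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed, simplified alert log (not any real product's format).
SAMPLE_AV_LOG = r"""
2021-10-05T09:01:12 host=LAB-PC-07 action=blocked threat=Trojan.Downloader.Gen path=C:\Users\a\AppData\Local\Temp\stage2.dll
2021-10-05T09:03:40 host=LAB-PC-07 action=blocked threat=Trojan.Downloader.Gen path=C:\Users\a\AppData\Local\Temp\stage2b.dll
2021-10-05T09:05:02 host=LAB-PC-07 action=blocked threat=Trojan.Agent path=C:\Users\a\AppData\Local\Temp\upd.exe
2021-10-05T11:22:09 host=HR-LAPTOP-3 action=quarantined threat=PUA.Adware path=C:\Users\b\Downloads\setup.exe
2021-10-05T14:10:00 host=LAB-PC-07 action=blocked threat=Trojan.Agent path=C:\Users\a\AppData\Local\Temp\x.exe
"""


def parse_line(line):
    """'<iso timestamp> key=value ...' -> dict (values contain no spaces here)."""
    stamp, *fields = line.split()
    event = {"time": datetime.fromisoformat(stamp)}
    for field in fields:
        key, _, value = field.partition("=")
        event[key] = value
    return event


def parse_log(text):
    """Parse every non-blank line of the log into an event dict."""
    return [parse_line(line) for line in text.splitlines() if line.strip()]


def find_repeat_offenders(events, window=timedelta(minutes=15), threshold=3):
    """Hosts with >= threshold detections inside any span of length `window`.
    Sliding window over time-sorted events per host; one finding per host."""
    by_host = defaultdict(list)
    for ev in events:
        by_host[ev["host"]].append(ev)
    findings = []
    for host, evs in by_host.items():
        evs.sort(key=lambda e: e["time"])
        start = 0
        for end in range(len(evs)):
            # Advance the window start until the span fits inside `window`.
            while evs[end]["time"] - evs[start]["time"] > window:
                start += 1
            if end - start + 1 >= threshold:
                burst = evs[start:end + 1]
                findings.append({
                    "host": host,
                    "count": len(burst),
                    "first": burst[0]["time"],
                    "last": burst[-1]["time"],
                    "threats": sorted({e["threat"] for e in burst}),
                })
                break
    return findings


if __name__ == "__main__":
    for f in find_repeat_offenders(parse_log(SAMPLE_AV_LOG)):
        print(f"{f['host']}: {f['count']} detections between {f['first']:%H:%M} "
              f"and {f['last']:%H:%M}: {', '.join(f['threats'])} -> investigate; "
              "the blocked stage may be a symptom of an earlier one that was missed")
```

A single quarantined adware installer on HR-LAPTOP-3 is a cleanup task; three blocks in four minutes on LAB-PC-07, with the same temp directory and a changing file name, is the alarm going off repeatedly and is worth pulling the host for forensics even though every alert on it says "blocked".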

 

Should we keep our camera covered unless we are using it?  

This is a personal choice, but it depends on where your camera is located and the consequences if it were abused. My laptop camera is in my office, so I do not cover my camera, but if it were in my house, I would make a different choice.  

You should also think about the other cameras in your life, such as the ones on your phone or tablets and what might be seen either accidentally or maliciously.