Transcript:

021: Preventing Hackers From Obtaining Patient Information with Jeff Evenson – Part 1


[INTRODUCTION]

 

Ronda Nelson: Hello, everyone, and welcome to The Clinical Entrepreneur Podcast. My name is Ronda Nelson and I am your host for today. I’ve got my friend, Jeff Evenson, with me and we are going to talk about all things nerdy and tech. Jeff is the guy to do it. The reason why I absolutely love having Jeff in my corner and now in yours, is because we are going to talk about all things as it has to do with securing your patient information from spying eyes that do not need to be looking. So, Jeff, welcome. Thank you for joining me on the podcast.

 

[INTERVIEW]

 

Jeff Evenson: Thanks for having me. I appreciate coming on.

 

Ronda Nelson: We’ve had some great conversations before now and Jeff has been a great asset. He has helped me a lot. Before we get started, I want to give you a little bit of background on Jeff and why he’s amazing. He was a cryptologist in the Navy for 20 years. He has a Bachelor’s in Computer and Information Sciences, a Master’s in Health Arts and Sciences, and after 20 years in the Navy, he went into the private sector. He worked in telecommunications and is now working in the finance sector doing crypto-science security business, but fortunate for us, he’s also a healthcare practitioner. So, he’s certified in RT, he does Reiki. He lives in our world, as far as the alternative medicine world, but he’s also got a handle on the security side and knows how to apply that in a practical sense, as it has to do with our clinical practice. We are going to do two interviews, so, next week will be part two. Today I want to start talking about security as it comes in. We all have routers in our offices or our homes, and the router is the gateway between the internet and our computer. Is that right, Jeff?

 

Jeff Evenson: Yes.

 

Ronda Nelson: Okay. So, talk to us about the internet security risks that happen at the point of the router.

 

Jeff Evenson: A lot of people’s internet provider will show up at their location and install a modem. It’s called a modem because it’ll take the signal off their wire, which is the internet, and turn it into the internet signal that your computers can understand. The interesting part is that a lot of times the modem (or router) has default passwords on it.

 

Ronda Nelson: Yeah. Mine did. It was fasteasy77 or something like that. It was really simple and it was easy for me because I could remember it. I’m like, “Oh, I can log in with my password right here.”

 

Jeff Evenson: Yeah, what’s interesting is so can everybody else. If you have a hacker that wants to get into your business or figure out what’s going on, they can start running little programs against your router. It’ll tell them what kind of router it is just by how the router responds to it. And they can look that up and go, “Oh, they’re running an NVG443B router,” for example.

 

Ronda Nelson: Really?

 

Jeff Evenson: Yeah. They know exactly what it is and they can google that to see what is the default password for this kind of router.

 

Ronda Nelson: No way.

 

Jeff Evenson: They’re out there. Every default password you think of is on the internet already.

 

Ronda Nelson: I could go look them up right now if I knew my router and I could go look up my easyfast77 or whatever the heck the password is? I can go look that up?

 

Jeff Evenson: A lot of times, yes, you can. A lot of times the default, they’re going to try the first one, the easy ones first, and it might be the user code might be admin and the password, the default password, might be admin.

 

Ronda Nelson: That’s secure. Nice.

 

Jeff Evenson: Right. Internet companies don’t care. They just want to deploy the box, make sure your internet is working, and then leave because they’ve gotten all the customers to do the same.

 

Ronda Nelson: Right. They’re not interested in security. They’re interested in taking my money.

 

Jeff Evenson: They want your money, get you on the internet, and that’s it.

 

Ronda Nelson: So, now what? Now I’ve got this password that somebody could look up and they can go access my modem/router and then really, they could log in. Would they then have full access to my computer?

 

Jeff Evenson: Once they know what the address is and how to get into your router, then they can use your router as a jump-off point to the inside of your network.

 

Ronda Nelson: Oh, I don’t like that. That’s a bad idea.

 

Jeff Evenson: So, there are things you can do to get in there and change the settings a little bit to prevent that from happening.

 

Ronda Nelson: Okay, Jeff. I need you to break this down and give me the “dummy” version, like the fifth-grade version of what I need to do to go change that password because I don’t have a clue.

 

Jeff Evenson: Okay, hopefully, it’ll be easy for you. The internet provider should give you a sheet that tells you how to log into the router from your computer and how to get into the management screen of your router. A lot of times, it’ll be as simple as opening up any web browser, whether it’s Internet Explorer, Microsoft Edge, or Google Chrome, it’ll instruct you to put an address into the browser, and then it’ll take you right to the login page of the router.

 

Ronda Nelson: So, it’s kind of like I’m going in the back door sort of.

 

Jeff Evenson: Yep. Hopefully, it’s not a revolving door.

 

Ronda Nelson: Let’s hope not.

 

Jeff Evenson: Once you’re in, you’ll know you’re there because it’ll have a login page and it’ll ask you for the username and password. What was it again?

 

Ronda Nelson: Easyfastshoes777. I don’t even remember, but it was really easy.

 

Jeff Evenson: Yep. So, you’ll type that information in and you have to make sure they give that too. Sometimes they’ll come in so fast and they hope that you won’t ask for that information because they don’t want you to change the settings in there. They don’t want you to change the default passwords and things like that because then it makes it harder for them to manage remotely.

 

Ronda Nelson: If we don’t have a password or we don’t have anything, then what do we do?

 

Jeff Evenson: You’ll need to call the internet service provider and ask them how to log in, or you can go to the internet service provider’s website and look for that information to see if they have documents posted on how to log in. Once you have those steps, you may still need to contact them for the username and password or you can just Google that information for the default.

Once you log in, you’ll see the settings page. It’ll show you all kinds of things like the IP address, DNS settings, domain name, service settings, etcetera. You’re going to look for the page with the admin settings.

 

Ronda Nelson: Okay, look for admin settings. Got it.

 

Jeff Evenson: You’ll know you’re on the right page for admin settings when it gives you the option to change your password.

 

Ronda Nelson: Okay. Got it.

 

Jeff Evenson: That’s what you’re looking for. That’s the golden nugget page. It’ll probably ask you what your default password is or for your old password. Put that in.

 

Ronda Nelson: Old password. Right.

 

Jeff Evenson: Enter that in there and then enter the new password, but when you enter the new password, don’t change it from easy777 to summertime2020 or summerfromhell2020. Those are easy passwords also. You want to go complex. For password complexity, you want to make it at least 14 characters long and use a sentence if it helps you remember the password.

 

Ronda Nelson: Right. One wrong type with the shift key and then your password’s blown and you’re like, “I can’t do it. It’s too many lowercase, uppercase, numbers, symbol.” What do you mean by a sentence? Give me an example. Just disclaimer, don’t use this sentence because…

 

Jeff Evenson: Don’t use the sentence.

 

Ronda Nelson: Yes.

 

Jeff Evenson: That’s a good point. So, the example I give is to come up with a sentence that maybe only you’re going to know, something you won’t forget. So if you know something about me, you know that I like to camp but you don’t know necessarily where I like to camp or how I like to camp. So, I might come up with a password that says, “I like to go tent camping in Ely Minnesota.”

 

Ronda Nelson: Oh, there are no symbols in that.

 

Jeff Evenson: No. So, then go back and change a couple of the letters like change an “E” to a number “3.” Or an “A” to an “@.” Okay. And then put an exclamation point at the end of it.

 

Ronda Nelson: Or some other symbol or whatever you want, you’re done.

 

Jeff Evenson: Yeah, and you have a sentence.

 

Ronda Nelson: Okay, fair.

 

Jeff Evenson: You can keep the spaces in there or take them out whatever is easier for you to remember but write it down. You could also use LastPass so you don’t have to worry about remembering it six months later when you go, “Oh, I want to go into my router and change something.”

 

Ronda Nelson: Yeah. So, the new password on the router can be simple by making it a long sentence, like what you said, “I love tent camping in Ely.” If you’re going to use a service like LastPass, which we’re going to talk about next week when we get to that episode. We’re going to dive into that a little bit more but you would use it in LastPass, which stores it so you don’t have to remember. Where do we store the admin login?

 

Jeff Evenson: If you store that information into your password manager, that address will get stored with it.

 

Ronda Nelson: It’ll save? Okay, got it.

 

Jeff Evenson: Or if the service provider that you’re working with was nice enough to leave you a sheet of paper with how to log in, you can write your new password on there and put it in a file in your file cabinet, somewhere where you’re not going to lose it or somewhere that not everybody in your office would have access to it.

 

Ronda Nelson: Just so it’s secure. Okay. That makes a lot of sense. Now, we’ve got the router-modem secure. So, now we’ve at least eliminated that risk, or we’ve minimized it by creating a complex password, 14 characters or longer with something you can remember and switch out some of the characters. We have an “A” is an “@” or an “E” is a “3” or something like that, whatever you can remember, right?

 

Jeff Evenson: Yeah. Upper, lowercase.

 

Ronda Nelson: Yep. You want a little bit of mixture. The second thing that I want to ask you is from a router standpoint. Is it better that we keep the ones that we get when they come out or are they inherently a little bit riskier?

 

Jeff Evenson: That’s a great question because the providers now are coming out with more capable devices. Back in the day when the internet used to come to the house, you just had to have a modem, and then you’d have your Wi-Fi on it. Now, most of the providers are giving you modems with Wi-Fi and other network ports added to it.

 

Ronda Nelson: It’s built-in. It holds one unit.

 

Jeff Evenson: It’s all built-in.

 

Ronda Nelson: Yeah, right.

 

Jeff Evenson: And so, I still find, and maybe I’m paranoid when it comes to the internet and my provider, but they’re just not as secure. Because I know that they gave that device to me and they know all the settings that are on it and they can control it remotely and all that kind of stuff. So with the router I got from my provider, it had Wi-Fi. It also could serve up to guests Wi-Fi and whatnot. So, I went in there and I disabled all of those functions.

 

Ronda Nelson: You turned off the Wi-Fi?

 

Jeff Evenson: I turned off the Wi-Fi because I wanted to put my own Wi-Fi router in place, one that I had complete control over, and some people think, “Oh my god, that’s just way too scary.”

 

Ronda Nelson: You’re doing a great job explaining it for us simpletons over here.

 

Jeff Evenson: I would invite everyone to go ahead and get your own equipment as much as you can. I disabled all the Wi-Fi on the internet provider because I want my own. When you put on your own, they’re really good about explaining and giving you the actual directions on how to manage that device.

 

Ronda Nelson: When you take it out of the box?

 

Jeff Evenson: When you take it out of the box because they want people to keep buying their products so they have to tell you how to use it. If I were to buy them new, they’re close to $500 apiece.

 

Ronda Nelson: Oh, wow.

 

Jeff Evenson: I managed to find them on the Amazon refurbished program for $170 apiece.

 

Ronda Nelson: Nice savings. Good job.

 

Jeff Evenson: And they’re refurbished. Refurbished means somebody returned it because they didn’t like it. They got to clean it up and all that but they test all this stuff before they send it back out. So, they’re saying you can find deals like that.

 

Ronda Nelson: That’s a great tip. I’ll make sure in the show notes that we’ve got a few options for all of my listeners to check out and make their decision. If you have an IT person working with you, make sure to chat with them and ask for their recommendation. If you have someone that you are working with that knows your system, knows how you’re set up, knows all your stuff, don’t be afraid to ask these kinds of questions. But today, I want to ask you how to keep track of computers. We’ve got routers and all other kinds of equipment that you have in your office and then we have all the software that goes with that equipment. I know from our past conversations, you’ve talked about how important it is that we take an assessment or inventory of all of that. How would you recommend we do that and why is it important? And how do we go about doing that?

 

Jeff Evenson: Great question. When you look at all of the technology that you have in your office, computers are internet aware, you have printers that are now internet aware.

 

Ronda Nelson: Yeah.

 

Jeff Evenson: My HP printer right behind me, I subscribe to their service. It tells me every month when I’m getting low on ink or the ink shows up in the mailbox because I’m due to get low. I permit that device to talk back to Hewlett Packard, and tell them, “Hey, I’m out of ink.” So, you have to be aware of these things. Those are called the Internet of Things, IoT devices.

 

Ronda Nelson: IoT, the Internet of Things. That doesn’t make any sense to me that term, but I believe you.

 

Jeff Evenson: I know, it doesn’t. I don’t know who came up with that phrase. I could probably figure it out.

 

Ronda Nelson: IoT. Okay.

 

Jeff Evenson: You know, the Roomba vacuums are now internet aware.

 

Ronda Nelson: Well, and some refrigerators even.

 

Jeff Evenson: What’s interesting, there was a hacking story about some of the Roombas, they have these robot vacuums that have webcams on so you can watch them. These hackers figured out how to hack into it and control the camera and take over the steerage of the robot vacuum and steer it around and watch people.

 

Ronda Nelson: Okay. So, how do we make sure that our vacuum cleaners don’t get hijacked?

 

Jeff Evenson: Take control of your router and the traffic going in and out. It goes back to being aware of all of the hardware in your office environment or your business, especially if it’s internet aware. If it can talk to the internet, whether it’s by wire or by Wi-Fi, you want to know where the hardware is, how old it is, and what software is running on it.

 

Ronda Nelson: Okay. So, I just write that out on a spreadsheet or something?

 

Jeff Evenson: Yes. The easiest way to do it is to create an Excel or Google spreadsheet. Write down what you have: Intel computer, AMD computer, Windows, Macintosh, iPads, they’re all internet aware. Write down the make, model, serial number, when you bought it, and what are the hardware specifics? How much memory does it have? Is it running an Intel processor?

 

Ronda Nelson: Oh, got it. Okay. So, like a Mac, it runs iOS, and Windows would run Intel or whatever the processor is, so, we wouldn’t have that information. It would be part of the information on the computer.

 

Jeff Evenson: Yeah. You may see some computer incident that makes the world or national news, and they disclose a vulnerability that was discovered and is affecting every Intel computer out there for a certain type of hardware. This is why it’s important to know what kind of hardware you have.

 

Ronda Nelson: So, you go back to your sheet and go, “Okay. That’s mine,” then you need to beef up your security or do something different or reach out to an IT guy and say, “How do I protect myself?”

 

Jeff Evenson: Right. It’s no different than getting a recall notice on your car.

 

Ronda Nelson: Oh, yeah. Okay. Got that.

 

Jeff Evenson: That’s a vulnerability. That’s a risk vulnerability if you don’t get the recall fixed, you risk exposure to your family, but without knowing what computers you have, how would you know? And how would you know how to fix it? So, you have to be aware of what we call it in the security world, we call that understanding what your risk surface is. How big is your risk surface? My risk surface is the 10 computers in my business.

 

Ronda Nelson: Once we have all of the documentation for the hardware to everything that can talk to the internet, whether hardwire or Wi-Fi, then you recommend making a list of the software programs we’re running as well. Is that right?

 

Jeff Evenson: Absolutely. Especially if you’re running Microsoft patches, they deploy patches on their system every month. They have a “Patch Tuesday” every month.

 

Ronda Nelson: What you’re saying is that we need to make sure that our software is always updated as often as possible. I have mine set on auto-update. Is that okay? Is that good?

 

Jeff Evenson: That is okay. If you fall into the bucket of I don’t have time or I’m not tech-savvy with some of this stuff, I would always encourage people to turn on the automatic updates. Sometimes you have to google how to do that or if you’re installing for the first time, it’ll ask you in the install process if you want to turn on automatic updates. Select “yes” if you might forget about it, don’t have time, etc. At least, then, the automatic updates will update the critical vulnerabilities that are identified every month. I also recommend searching your desktop every couple of months by typing “check for updates” in the search bar.

On Windows computers, it is located in the lower-left corner. I believe you can do this on Macs as well.

 

Ronda Nelson: Besides the auto-update?

 

Jeff Evenson: Besides the auto-update. What happens is, it may find a whole list of optional updates. It won’t affect the security of your computer at all, but it may improve the functionality of your computer. The automatic updates don’t usually pick up the optional updates.

 

Ronda Nelson: So by a manual check for updates, it’ll pick up those random ones that might be out there that you’d want to add. If it’s up and says “update,” I don’t know what that means. Should we just always say opt into the updates? Do you then update the software log? You talked about creating an Excel sheet. Do you ever have space there where you input the last time it was updated? Or do you just let it ride knowing it’s on auto-update?

 

Jeff Evenson: You can do it either way, however you want to track that. Use your setup reminders on your phone to pop up once a month saying, “Hey, check your auto-updates or check for updates on your computers.” When these pop up, please do not ignore them. I always resist the urge to just immediately click on something that pops up on the screen telling you to update. Take time. You could save yourself countless hours and money in recovery services if you had just taken the time to read the notice, and let it click in your brain, “What is that telling me? Oh, I have that on my software list. Yep. That’s good to go.”

 

Ronda Nelson: Okay, I see. Well, Jeff, this has been a little overwhelming but you did a great job making it simple for my fifth-grade mind. Thank you so much for hanging out with me today and we’re going to dive in a little bit more very soon. It’s been awesome.

 

Jeff Evenson: You’re welcome. I love coming here and talking about security. Especially with other like-minded people.

 

Ronda Nelson: Yes. We are all in the same boat and you get to be the leader guy because you’re smarter than the rest of us on that. We’ll default to you.

 

Jeff Evenson: Thank you.

 

Ronda Nelson: Thanks, Jeff. Take care.

 

[CLOSING]

 

Ronda Nelson: Well, my friend, that was some amazing information that our friend, Jeff, had for us. I didn’t have any idea about some of those tidbits he shared with us. Just to recap, we first talked about the importance of maintaining security. The connection comes into our home or office and that’s where those hackers can get in and hijack that password, especially for using the one that came factory preset with the router. Guilty as charged. I have used that before. So, since this podcast, I’ve gone through and completely changed all of the passwords on our routers in all of our clinics and our home. I’m feeling quite a bit more secure. They’re pretty long passwords, but I’m very happy about the security level. You may want to think about doing that for yourself. We also talked about the importance of always having your computer updates set to “auto-update.” We want to keep that software going and updated so that we don’t miss any vulnerabilities and leave open holes for those hackers to get in. Remember that term Jeff was talking about where he said IoT, Internet of Things? That is seriously a weird term. But that’s okay, I can go with it but it’s true. Our devices are connected everywhere. We’ve got smart doorbells, we have these outside security systems, washers, dryers, refrigerators, sound in our houses, and cars that can turn lights on and off.

 

It’s a little bit scary that we can control things that way because I always think if I control it, that means someone else can hack in and control it like the Roomba vacuum. Who would have thought that a vacuum cleaner could get hijacked and then used to prowl on people? We want to avoid as much of that as possible. The takeaway is, keep your computer safe and keep your hardware and software documented. In the show notes, we have a resource for you that you can use to fill out the hardware that you have as well as your software, and it allows you to put in the date when you updated it. You may want to assign it to someone inside your organization or a spouse who might be a little bit more “techie” or even a kid to make sure that everything is always up-to-date and you know exactly where you stand. Then when you get those random emails or pop-ups and you don’t recognize them, remember Jeff saying, “I always wait a minute before I accept anything,” and that is very sage advice.

 

So, my friend, thank you for hanging out with me. Jeff and I will be back next week with another conversation to talk about how to organize all of your passwords. It’s definitely an episode you do not want to miss. I look forward to being with you next week. Take care. Have a great week. Bye, my friend.

 

[END]

 
