podcast

Girl Scouts empowering cyber security leaders.

Dave describes a survey of call center security methods. Joe explains a spam campaign raising the specter of a flu pandemic to scare people into enabling macros in an Office document. The catch of the day highlights a Facebook scammer promising a prize-winning windfall. Carole Theriault returns with a story about special badges Girl Scouts can earn for cyber security. 

Links to stories:

Transcript

Violet Apple: [00:00:00] It's about bringing different thinking to the table and taking limits off of girls and off of people to really think differently. Quite frankly, to be able to protect us from cyberattacks.

Dave Bittner: [00:00:13] Hello, everyone. And welcome to the CyberWire's "Hacking Humans" podcast. This is the show where - what, Joe?

Joe Carrigan: [00:00:18] Where each week, we look behind the social engineering scams, phishing schemes and criminal exploits that are making headlines and taking a heavy toll on organizations around the world.

Dave Bittner: [00:00:27] Excellent. I'm Dave Bittner from the CyberWire. And joining me is Joe Carrigan from the Johns Hopkins University Information Security Institute. We've got some fun stories to share this week. And later in the show, Carole Theriault returns. She's got a fun story about Girl Scouts who are earning special badges in cybersecurity.

Joe Carrigan: [00:00:44] Awesome.

Dave Bittner: [00:00:45] But first, a quick word from our sponsors at KnowBe4. Have you ever been to security training? We have. What's it been like for you? If you're like us, ladies and gentlemen, it's the annual compliance drill, a few hours of PowerPoint in the staff break room. Refreshments in the form of sugary donuts and tepid coffee are sometimes provided, but a little bit of your soul seems to die every time the trainer says, next slide. Well, OK, we exaggerate, but you know what we mean. Stay with us. And in a few minutes, we'll hear from our sponsors at KnowBe4, who have a different way of training.

Dave Bittner: [00:01:26] And we are back. Joe, I'm going to kick things off this week. My story is about call centers. Now, interacting with call centers is, I suppose, one of those necessary evils of modern life. I don't think anybody looks forward to having to call into a call center.

Joe Carrigan: [00:01:41] I dread every time I have to call my ISP's customer support.

Dave Bittner: [00:01:45] Your cable company...

Joe Carrigan: [00:01:46] Cable company.

Dave Bittner: [00:01:46] ...Your bank, your health care, all that stuff.

Joe Carrigan: [00:01:50] That's the worst. Health insurance is definitely one of the worst ones to have to call.

Dave Bittner: [00:01:53] All that stuff - it turns out that more and more scammers are taking advantage of call centers as a weak link in the security chain. And there's a group of folks - it's a company called TRUSTID - and they work on security of phone systems. They did a survey of call center professionals, and they wanted to find out what the current state of call center security is and whether the folks who work at call centers and run them - if they feel that the systems they have in place are sufficient. Now, one of the fun things about reading a report like this is that you get to know some of the lingo that particular groups use. For example, do you know what KBA stands for?

Joe Carrigan: [00:02:32] KBA.

Dave Bittner: [00:02:33] KBA.

Joe Carrigan: [00:02:34] No.

Dave Bittner: [00:02:34] I'm sure there's someone in our audience who is yelling it at their...

Joe Carrigan: [00:02:37] Right.

Dave Bittner: [00:02:38] ...At their device right now. It is knowledge-based authentication.

Joe Carrigan: [00:02:41] OK. Knowledge-based authentication - actually, I did know that.

Dave Bittner: [00:02:43] OK. Sure you did.

(LAUGHTER)

Joe Carrigan: [00:02:46] I worked in a KBA system very early on at Hopkins.

Dave Bittner: [00:02:48] OK. So KBA is what 69 percent of call centers use and...

Joe Carrigan: [00:02:54] To authenticate inbound calls.

Dave Bittner: [00:02:55] That's right - to authenticate people. And that's when they ask you about personal information, right?

Joe Carrigan: [00:02:59] Right.

Dave Bittner: [00:02:59] You call in, and they say, before I can talk to you, tell me some bit of information about yourself, depending on...

Joe Carrigan: [00:03:05] Yes. I get that every time I call a credit card company.

Dave Bittner: [00:03:07] Right. Now, the disconnect here is that 40 percent of the survey respondents - these are people who work in the call centers - they had little to no confidence in KBA's ability to authenticate callers accurately. And that's because of the increased availability of all sorts of personal information online...

Joe Carrigan: [00:03:25] Right.

Dave Bittner: [00:03:25] ...Thanks to data breaches.

Joe Carrigan: [00:03:26] Absolutely.

Dave Bittner: [00:03:27] Chances are, if I want to look hard enough, I can probably find most of the things that we tell these folks about ourselves over the phone.

Joe Carrigan: [00:03:34] I remember one time I was on the phone with somebody, and they asked me to validate all the information. And I said to him, you know, if I had simply rummaged through my trash and found a statement, I could give you everything you just asked me for.

Dave Bittner: [00:03:46] Right. Right.

Joe Carrigan: [00:03:47] This is not a good authentication system.

Dave Bittner: [00:03:48] Well, and it turns out that the call centers hate this kind of authentication because it also slows things down. And people are expensive. So having these folks at the call center - taking the time, they estimate it takes between a minute and a minute and a half, on average, to gather up this information from people. And that takes time, and that costs money. The customers don't like it, either, because who wants to start a relationship with an interrogation?

Joe Carrigan: [00:04:13] Right.

Dave Bittner: [00:04:13] Right. And it also gives everyone a false sense of security.

Joe Carrigan: [00:04:16] And that's my biggest problem with it. That's what irritates me the most about it - is a - it is a false sense of security. I appreciate that they're trying to do something to secure my account, but they're really not doing anything to secure my account.

Dave Bittner: [00:04:26] Yeah. Now, some systems do kind of a prescreening before you even get to a call center person. So this is where the computer answers and says, you know, please enter your phone number, or, please enter your account number.

Joe Carrigan: [00:04:37] Right.

Dave Bittner: [00:04:38] And so that takes away that labor part of the person having to deal with that. They may ask for your account number or your zip code and things like that, but that still falls short because, again, much of that information is available online.

Joe Carrigan: [00:04:51] Sure. I mean, all they're doing is taking the cost off the call center at that point in time.

Dave Bittner: [00:04:54] Right. Right. And also, those systems are limited by what sorts of information is convenient to put in over a telephone.

Joe Carrigan: [00:05:02] Correct.

Dave Bittner: [00:05:02] So you're pretty much limited to numbers.

Joe Carrigan: [00:05:04] Yeah - your last four of your Social Security number, your zip code, your date of birth.

Dave Bittner: [00:05:07] Right. All of those things - probably not much more than a Google search away.

Joe Carrigan: [00:05:10] Right (laughter).

Dave Bittner: [00:05:12] So - now, there are biometric systems. There are some systems that use voiceprint IDs, but the problem with those is they tend to have a long enrollment process.

Joe Carrigan: [00:05:21] Yes.

Dave Bittner: [00:05:21] You have to go through, and you have to read a script. And the other thing is that has to be done ahead of time, or else it's...

Joe Carrigan: [00:05:27] It does.

Dave Bittner: [00:05:27] ...No good.

Joe Carrigan: [00:05:28] Yep.

Dave Bittner: [00:05:28] (Laughter) It can't - you can't do voice ID in the same call that they're going to use voice ID to authenticate you. That doesn't work. And of course, there's multifactor, which we've talked about here plenty of times, so...

Joe Carrigan: [00:05:38] That would be a good one. I would think this would be a great opportunity to enact, like, SMS multifactor, even though we talk about how that being the least secure form of multifactor authentication.

Dave Bittner: [00:05:47] Yeah.

Joe Carrigan: [00:05:47] It is temporal, and it does provide a greater level of security than just asking information that's on my statement, for example.

Dave Bittner: [00:05:54] Right. And now the systems that these folks at TRUSTID are advocating - and to be perfectly clear here, but part of the reason they're advocating is because it is the type of system that they sell.

Joe Carrigan: [00:06:03] OK.

Dave Bittner: [00:06:04] (Laughter) It's kind of like asking a barber if you need a haircut, right?

Joe Carrigan: [00:06:06] Right. That doesn't mean it's invalid. There...

Dave Bittner: [00:06:08] No. No. But just to make sure we all understand...

Joe Carrigan: [00:06:12] Right. Right.

Dave Bittner: [00:06:12] ...That they are...

Joe Carrigan: [00:06:13] Full disclosure.

Dave Bittner: [00:06:13] ...Definitely on one side of this equation. But I thought this was interesting that they have systems that analyze the call itself.

Joe Carrigan: [00:06:19] OK.

Dave Bittner: [00:06:19] So before anybody picks up the call, these systems look at the quality of the call. They can actually analyze some of the acoustics of the call, the route that the call takes to the call center. And they can run it by all of these analysis algorithms that they use to establish if the call is likely to be fraudulent. And if the call doesn't pass a certain number of tests, it'll never even make it to the call center at all.

Joe Carrigan: [00:06:45] Really?

Dave Bittner: [00:06:46] Yeah.

Joe Carrigan: [00:06:47] That's interesting.

Dave Bittner: [00:06:48] The bottom line here from this report is that this is sort of the shape of things to come, that these folks are - they're using a combination of these things.

Joe Carrigan: [00:06:55] Right.

Dave Bittner: [00:06:55] So we can expect using automated things like this that check the call out for authenticity, combined with this knowledge-based information, but also multifactor and maybe even easier types of biometrics. You know, if you have...

Joe Carrigan: [00:07:09] Right.

Dave Bittner: [00:07:09] For example, more and more of our mobile phones have biometric systems for authenticating us.

Joe Carrigan: [00:07:15] They do. They have fingerprints.

Dave Bittner: [00:07:16] Right - fingerprints, Face ID, things like that. So if they can integrate into those sorts of things, something that you're already carrying around with you...

Joe Carrigan: [00:07:23] Right.

Dave Bittner: [00:07:23] ...Well, that'll enhance the security.

Joe Carrigan: [00:07:25] Yeah, this is what they fancily call defense in depth, but I like to call the belt and suspenders approach.

Dave Bittner: [00:07:30] OK (laughter). Right. In England, I think they call it belts and braces.

Joe Carrigan: [00:07:34] Belts and braces, right.

Dave Bittner: [00:07:35] Yeah, kind of like...

Joe Carrigan: [00:07:35] Suspenders hold up socks.

Dave Bittner: [00:07:37] Yeah. (Laughter) That's right. Yeah. So not a whole lot to be done here, but I just thought it was an interesting look into what the problem is in a certain sector and the types of things that they're using to try to make us a little bit safer.

Joe Carrigan: [00:07:49] Yeah. I think this is interesting. I would like to see a demo of this product. And the good part about this is that this will happen behind the scenes and will happen very quickly, I think.

Dave Bittner: [00:07:58] Right.

Joe Carrigan: [00:07:59] And it's not an impediment to either me as a customer or the call center operator, as well.

Dave Bittner: [00:08:05] Right.

Joe Carrigan: [00:08:05] I mean, it is an increase in their expenses, but it makes things much more convenient. And if you can weed out these fraudulent calls as they're coming in and they don't even wind up bothering anybody on your end, all the better.

Dave Bittner: [00:08:15] Yeah, it's a win for everybody. So what do you have for us this week, Joe?

Joe Carrigan: [00:08:18] So this week, my story comes from Lawrence Abrams over at Bleeping Computer, which - I love the name of that website.

Dave Bittner: [00:08:23] (Laughter) OK.

Joe Carrigan: [00:08:25] But it's great. There's a spam campaign going around right now that looks like it's coming from the Centers for Disease Control and Prevention. And the message reads like this

Dave Bittner: [00:09:34] OK.

Joe Carrigan: [00:09:35] There is an attached Word document, and it's called flu pandemic warning...

Dave Bittner: [00:09:38] Right.

Joe Carrigan: [00:09:39] ...That states you need to enable editing and enable content in order to properly view it. And if you open the Word document - don't open it - but when you open a Word document, Microsoft Word protects you by not enabling any of the content.

Dave Bittner: [00:09:51] Right.

Joe Carrigan: [00:09:51] And all it says in big...

Dave Bittner: [00:09:52] The macros.

Joe Carrigan: [00:09:53] Right. It doesn't enable macros or editing. It just shows you the document. And it says in big words, urgent notice. And that's it. It doesn't say anything else. So that's supposed to lead you to believe that you have to enable editing and then enable the content so that the content will display.

Dave Bittner: [00:10:09] Right.

Joe Carrigan: [00:10:09] But guess what happens if you enable editing and you enable the content.

Dave Bittner: [00:10:14] Guy, oh, gosh. What could it be? What could it be?

Joe Carrigan: [00:10:18] Ransomware, Dave.

Dave Bittner: [00:10:19] (Laughter) Yes. Yes, indeed.

Joe Carrigan: [00:10:20] The file contains a malicious macro that downloads and executes the GandCrab ransomware.

Dave Bittner: [00:10:27] OK. Yep.

Joe Carrigan: [00:10:28] Couple things to note here...

Dave Bittner: [00:10:29] Yeah.

Joe Carrigan: [00:10:29] ...That - first off, aside from the terrible English, which I had a really hard time stumbling through while reading this...

Dave Bittner: [00:10:35] Yes.

Joe Carrigan: [00:10:35] ...It is Centers for Disease Control, like Johns Hopkins.

Dave Bittner: [00:10:43] (Laughter) I had the feeling that's a correction you make fairly often in your career.

Joe Carrigan: [00:10:46] I do make that correction fairly often.

Dave Bittner: [00:10:48] OK.

Joe Carrigan: [00:10:49] We actually sell shirts somewhere that say Johns with, like, seven S's after them.

Dave Bittner: [00:10:53] I - OK. I see.

Joe Carrigan: [00:10:53] I got to get one of those shirts.

Dave Bittner: [00:10:54] Yeah. All right.

Joe Carrigan: [00:10:55] But it's the same thing for Centers for Disease Control and Prevention, not center. I saw this, and I'm like, this is supposed to scare me? Twenty thousand deaths from the flu - that seems like an average flu season.

Dave Bittner: [00:11:04] OK.

Joe Carrigan: [00:11:05] Right. And I looked it up, and there's an NPR article. Yeah, that's about an average flu season. It's not a bad flu season for 20,000 people to die from the flu. That happens just about every year. The worst flu season we had was from 2003 to 2004 where close to 50,000 people died. And there was one back in the '80s where only, like - less than 4,000 people died.

Dave Bittner: [00:11:24] And wasn't there that one back in, like - wasn't, like, the 1917 - there was a really bad one where a lot of people...

Joe Carrigan: [00:11:29] Yeah, there was a really bad one back then that...

Dave Bittner: [00:11:31] Yeah.

Joe Carrigan: [00:11:31] ...Killed a lot of people. But I...

Dave Bittner: [00:11:32] A high percentage of people, but...

Joe Carrigan: [00:11:33] I don't think we kept accurate records for the - back then.

Dave Bittner: [00:11:35] In the modern era.

Joe Carrigan: [00:11:36] In the modern era - this is modern era times...

Dave Bittner: [00:11:38] Yeah.

Joe Carrigan: [00:11:38] ...Since the CDC has started keeping records, I guess.

Dave Bittner: [00:11:41] Right. But you can see what they're going for here. They're...

Joe Carrigan: [00:11:43] Right. They're going to scare you.

Dave Bittner: [00:11:44] Yeah.

Joe Carrigan: [00:11:44] They're trying to scare you. They're going, 20,000 people have already died. Well, that sounds like a lot of people.

Dave Bittner: [00:11:48] And you want to protect your family.

Joe Carrigan: [00:11:49] You want to protect yourself. You want to protect your family. So they say, hey, here are some instructions. Why don't you go out and look at these instructions and keep you safe? And in the course of doing that, you have just infected your computer with ransomware, and now you have to either restore from backup or pay a ransom. I don't even know if GandCrab works. Does it - I have - I'm not familiar with the strain.

Dave Bittner: [00:12:07] I think GandCrab is a - sort of one of those ransomware as a service types of things, where...

Joe Carrigan: [00:12:12] OK. So it's like...

Dave Bittner: [00:12:12] ...Anybody can buy it and spin it up and use it. I don't recall offhand if you get your files back. I mean, two sides to this, right. First of all, don't ever do anything that enables...

Joe Carrigan: [00:12:21] Macros.

Dave Bittner: [00:12:22] ...Word macros.

Joe Carrigan: [00:12:22] Never do that. There's no reason to do it at all.

Dave Bittner: [00:12:25] It amazes me that that's still a functioning feature since what percentage of the use of that feature in Word is for good and not evil?

Joe Carrigan: [00:12:33] Right.

Dave Bittner: [00:12:33] Probably extraordinarily low. I don't know. Maybe I'm all wet on this. Yeah (laughter).

Joe Carrigan: [00:12:36] On Word documents, I would say you're probably correct. Maybe on Excel documents, it might be a little bit higher.

Dave Bittner: [00:12:40] Yeah. Yeah.

Joe Carrigan: [00:12:41] But Word documents - I have never professionally developed a Word document that had a macro in it for some business purpose.

Dave Bittner: [00:12:47] Yeah. And the other thing here is protection against ransomware - have regular backups.

Joe Carrigan: [00:12:52] Have regular backups - offline backups.

Dave Bittner: [00:12:54] Yep.

Joe Carrigan: [00:12:55] Then disconnect it from your computer.

Dave Bittner: [00:12:56] Remember, when it comes to backups, one is none.

Joe Carrigan: [00:12:59] That's correct.

Dave Bittner: [00:12:59] Yeah. So have more than one in more than one place...

Joe Carrigan: [00:13:02] Yep.

Dave Bittner: [00:13:02] ...If it's important to you. All right, Joe. That's a good story. It is time to move on to our Catch of the Day.

Joe Carrigan: [00:13:08] My favorite part of the show.

(SOUNDBITE OF REELING IN FISHING LINE)

Dave Bittner: [00:13:13] Our Catch of the Day this week comes from a listener who got contacted on Facebook Messenger. And he sensed pretty quickly that there was something up, and he decided to string this scammer along. So this comes from someone who claims to be named Anne - the scammer, that is. So let's go ahead and read this. I will be Anne, and you can play the part of our loyal listener.

Joe Carrigan: [00:13:34] OK.

Dave Bittner: [00:13:34] Here it goes. Anne says, I was wondering if you've heard anything from the Publisher Clearing House, PCH.

Joe Carrigan: [00:13:41] No. Who is PCH?

Dave Bittner: [00:13:43] I was enable to get some cash from them, but I saw your name among the winner list when they came to deliver my winning money. Did you actually get yours?

Joe Carrigan: [00:13:51] I don't think so. Maybe Betsy did. Nope.

Dave Bittner: [00:13:54] If truly you haven't got yours, I think you need to be contact their claiming agent now to see if you are eligible. Do you need their contact?

Joe Carrigan: [00:14:03] If you have it.

Dave Bittner: [00:14:04] All right. I'm going to send them you email address now, OK?

Joe Carrigan: [00:14:09] And he sends a thumbs up emoji.

Dave Bittner: [00:14:11] And then Anne sends the email address, which is a Gmail account.

Joe Carrigan: [00:14:15] Right. That's not pch.com. Whatevs (ph).

Dave Bittner: [00:14:19] That's they claiming agent text email. Text them right now that you are ready to claim your winning money.

Joe Carrigan: [00:14:24] What info do they need?

Dave Bittner: [00:14:26] Mind you, you don't have to pay for it nor pay it back. All I was told to do is to get some amount of - wait for it - gift cards for the approving and installation of informations into their system. That's all.

Joe Carrigan: [00:14:38] Huh. I think you were having too many conversations at once and getting your scams mixed up (laughter).

Dave Bittner: [00:14:45] And not long after that, the conversation ended, and the account was deleted by Facebook. So Facebook got...

Joe Carrigan: [00:14:52] OK.

Dave Bittner: [00:14:52] ...Caught on quickly. I suppose it was probably reported by...

Joe Carrigan: [00:14:56] Yeah.

Dave Bittner: [00:14:56] ...A bunch of people...

Joe Carrigan: [00:14:57] Yeah. Many people.

Dave Bittner: [00:14:59] Yeah. All right. Well, that's a fun one. Thanks to our listener for sending that in. That is our Catch of the Day. Coming up next, we've got Carole Theriault. She's back with a story about the Girl Scouts. They're earning special badges in cybersecurity.

Dave Bittner: [00:15:14] And now back to that question we asked earlier about training. Our sponsors at KnowBe4 want to spring you from that break room with new-school security awareness training. They've got the world's largest security awareness training library, and its content is always fresh. KnowBe4 delivers interactive, engaging training on demand. It's done through the browser and supplemented with frequent simulated social engineering attacks by email, phone and text. Pick your categories to suit your business. Operate internationally? KnowBe4 delivers convincing, real-world, proven templates in 24 languages. And wherever you are, be sure to stay on top of the latest news and information to protect your organization with KnowBe4's weekly Cyberheist News. We read it, and we think you'll find it valuable, too. Sign up for Cyberheist News at knowbe4.com/news. That's knowbe4.com/news.

Dave Bittner: [00:16:14] And we are back. Joe, it's good to welcome back to the show Carole Theriault. She's got a story this week about the Girl Scouts. They've been earning special badges in cybersecurity.

Carole Theriault: [00:16:24] I have something a little different for you guys today. So when I heard via the webisphere (ph) that the Girl Scouts of America would be offering cybersecurity badges as part of their science, technology, engineering and math program, I was thrilled. And I wanted to learn more about it.

Carole Theriault: [00:16:42] Violet Apple, CEO of Girl Scouts for Central Maryland, was kind enough to give me an insider's glimpse on how they came to introduce a cyber program into the Girl Scouts, what was involved and most importantly, how the scouts are reacting to it. So lots of interesting tidbits. Plus, Violet was just lovely to speak with. She's full of warmth, charisma, energy and vision for the Girl Scouts. She's so good, I'm going to let her introduce herself.

Violet Apple: [00:17:07] Hi. I'm Violet Apple, and I'm the CEO for Girl Scouts of Central Maryland. I've spent my entire career with Girl Scouts, starting in Pennsylvania, moved to Boston. And now I'm here in Maryland. When I first got the job, it was kind of almost right out of college. And I got to see these incredible opportunities that girls were having in Girl Scouting. And I had been a Girl Scout, but I had not gone all the way through.

Violet Apple: [00:17:33] I also saw an opportunity to bring the program to an audience that wasn't really getting a lot of Girl Scout program at that time, which was back in the '80s and that were, you know, girls of color - African-American, Latino girls. We didn't have as many girls in the council, and I was hired specifically to help bring that population into the Girl Scout world. When I saw the opportunities, I - I never stepped away from it. And I didn't expect this. I didn't expect to be here this many years later. (Laughter) But it's been a rich career, very, very rich in terms of the work that I've been able to do and how rewarding it has been.

Carole Theriault: [00:18:11] I bet you've seen a lot of changes in the Girl Scouts, especially with this kind of new chapter on technology.

Violet Apple: [00:18:17] Yeah, it's interesting. I have - our focus now is much more, I would say, laser-focused than when I first came into the organization, particularly around technology. But interestingly enough, STEM has - like, when we talk about technology - science, technology, engineering and math - has been a part of the Girl Scout program for a very long time. But I think right now what I'm seeing is really a different level of collaboration with experts in the field, and that's what makes it really exciting.

Violet Apple: [00:18:52] Juliette Gordon Low started the Girl Scouts on March 12 in 1912. When she started the program, she really thought about giving girls these very interesting and different opportunities than what they were used to traditionally. So when you start thinking back to way back then, I would say almost, like, a year after the Girl Scouts started - maybe around 1913 - badges were already introduced around learning about being an electrician and flyer badges and things like that.

Violet Apple: [00:19:22] So when you think about some level of science and that kind of thing, it goes way back. It started back then, and I think badges have always been a way to really introduce girls to a number of different topics.

Carole Theriault: [00:19:35] It makes sense. It's a natural progression that you guys would be looking to partner with cybersecurity and, you know, cyber awareness for girls.

Violet Apple: [00:19:44] A lot of the cyber badges came about with - I'm going to give her a lot of credit - our new CEO nationally, Sylvia Acevedo. Sylvia, by profession, is a rocket science. So she got her start, her early start in Girl Scouts. That's where her interests around science came. And so she has been so focused on the importance of STEM in a girl's life.

Violet Apple: [00:20:07] And so I want to go back and talk a little bit about why that is, and it's - it's really twofold. When we look at the workforce in the future, probably right now, a little over a quarter of the workforce is made up of women in the STEM fields - maybe, let's say around 29 percent. The jobs that are emerging right now, we are looking at, in some areas, 85 percent of the jobs will have some kind of a STEM focus. The Girl Scouts has always been a pipeline, you know, for leadership and for the workforce. And so we have to really think about this a little bit differently in terms of how we're preparing girls for the future.

Violet Apple: [00:20:43] This is an economic imperative as I look at it. But Sylvia had great contacts, and she really worked with a number of companies around the country to really start talking about how we elevate and give girls these really interesting and unique experiences, using their content and using their expertise to elevate the badges. And so cybersecurity, as we know, is one of the biggest and fastest emerging fields. And so she worked with companies like Raytheon - when I say she, the national organization worked with companies like Raytheon to begin to develop these badges and programs.

Carole Theriault: [00:21:22] And so can you tell us a few of the badges that the girls can focus on and what work maybe they have to do to get them, just to give an example of the kind of things they're looking at?

Violet Apple: [00:21:31] So we have, like, think like an engineer badge. We have badges that are cybersecurity around safe - safeguard badges. The interesting piece about these badges is they start at the Daisy level, which is kindergarten and first grade, and go all the way through, which is our ambassador level, which is 12th grade. The badges focused on, like, looking at networks or thinking about binary codes and coding. And they're - they're amazing. It's - it's a wide variety of badges. And these are new badges. So this is, like, from a cybersecurity standpoint, we're just introducing those badges. But we've had other STEM badges as well.

Carole Theriault: [00:22:15] Now that Violet had given me this overview of how the whole cybersecurity program worked, I wanted to know how the girls were taking to learning about cybersecurity.

Violet Apple: [00:22:26] The badges have just been introduced this year, and we did a kickoff with - I'm going to, you know - nationally, we have a national partnership with Raytheon. They do amazing work. We did a kickoff, and part of that kickoff was they just wanted to test out some of the activities on about 10 girls.

Violet Apple: [00:22:47] So we had about eight - eight or nine girls who went to their innovation center, gave them these activities to do. And one of them was an escape room, which is very popular right now. And I was a little nervous for the girls. The girls rose to - rose to the occasion. But they were using it because we're going to use components of what they did in a national cyber challenge.

Violet Apple: [00:23:13] What was fascinating was to watch seven or eight girls who didn't know each other at all until they walked into that room - none of them knew each other. They were a random pick. They came together, and you had to watch the dynamic of how they began to work together. It's about bringing different thinking to the table and taking limits off of girls and off of people to really think differently, quite frankly, to be able to protect us from cyberattacks.

Violet Apple: [00:23:41] These girls were amazing. They gave them so much time. I think it was initially 45 minutes and an hour, and then they had to limit it to 45 minutes. They did it in less than 30 minutes working together beautifully.

Carole Theriault: [00:23:55] Brilliant.

Violet Apple: [00:23:55] It worked just as it was supposed to. And that really made an impression on me because it said to me, you know, you can bring girls from different backgrounds, different races, just - and given a task and given a challenge where they had to write code, there was no one leading them. They gave them a folder and said, go at it. Go to it.

Violet Apple: [00:24:13] So it was interesting to watch how they took to it. And they did. And so I think that girls are loving this, and we have - we had more girls interested in doing this than what we had spaces available. So I'm looking forward to the challenge next October.

Carole Theriault: [00:24:28] The thing also that I love about this program is I spend a lot of my time trying to educate people on how to be secure online. And so not only is this going to benefit the country that these girls are learning these skills eventually, but it also helps protect them now on their phones or on their computers, right?

Violet Apple: [00:24:48] We had to tell girls they had to put their phones away, which is hard. But the engineers that were there, many of whom were female engineers, talked about working in the company and really helping girls to understand how your digital footprint is left with everything that you post.

Violet Apple: [00:25:06] I think they gave girls a little bit of a different insight than parents or someone who comes and says, well, you shouldn't do that. It's going to come back. And they really kind of helped them to understand the impact of their digital footprint and how it can have an impact on your future. So girls - I say young people - think differently about their personal information and putting it out there online. And so what I like about the cybersecurity badges and in particular in this area is it's helping them to understand the vulnerability of your personal information out in the public realm.

Carole Theriault: [00:25:43] Absolutely. But what I like, too, is that it's also giving them the skills so they don't have to approach that world with fear or trepidation.

Violet Apple: [00:25:50] Absolutely.

Carole Theriault: [00:25:51] They'll have the skill set to be able to go, this feels a bit dodgy. I don't like this. I'm going to back away now before I put any of my information in.

Violet Apple: [00:25:57] And they're pretty - you know, (laughter), they're pretty fearless, I think. And that's what - so you're trying to instill a little bit of fear in them. But, no, they really...

Carole Theriault: [00:26:06] (Laughter).

Violet Apple: [00:26:06] ...You know, they come at technology so differently, and they think about it from a very different perspective than I do. I'm old to technology, but they're, like, connected to their phones. But I do think this ability to impact them in this way and for them to just give thought to it will help them along the way, particularly in their futures.

Carole Theriault: [00:26:28] Is the Girl Scouts always looking for new girls? If there's a girl out there who's listening to this and thinks, that sounds fun, what steps would they take to get involved?

Violet Apple: [00:26:36] So if a girl was interested in Girl Scouts, I mean, they - and particularly if they have a phone, they could go to just girlscouts.org. Or if they're in my council, mine is gscm.org. And the first thing you'll see is how to join. So that would be one way. You can pick up the phone, the old-fashioned way, and actually call the office. And from there, you know, there's different ways to participate.

Violet Apple: [00:26:59] So I encourage girls, if you hear something that you're interested in, you don't always have to be in a troop. Troops are a great way to get a very rich Girl Scout program. But we have girls who come in, they want to go to maybe a science-type camp that's being offered, or they want to participate in the programs we have, like a wonderful STEM festival that happens every year. It's incredible. And then we have STEM programs that happen throughout the year. And you can just come in and be a member and participate in those kinds of activities. So all they have to do is go to girlscouts.org, look for a way to join. It will direct them to their local area. Or if you're in my council, go to Girl Scouts of Central Maryland, or that's gscm.org, and they can join from there.

Carole Theriault: [00:27:45] You know, I wish there was the adults scouts out there. I could use with some of these skills (laughter).

Violet Apple: [00:27:51] You know, and I'm glad that you said that because that is a really - that's a great opportunity for our adults to actually learn with our girls. One of the things we do with our STEM festival and with our programming is, some of our programming, we invite parents to be part of it. Because in order for a girl to be supported after she gets excited about science, she needs to her parents or her parent to help her along the way. Parents are the biggest influencers of careers in the future for children. And so I think adults getting involved, even if you're a little - you know, like, I'm not a science-type person. You can help to lead a robotics team and learn with girls, and it's an amazing opportunity, I think, for adults, as well.

Carole Theriault: [00:28:36] Violet, it's been such a pleasure speaking with you.

Violet Apple: [00:28:39] Thank you. This has been fun. I could talk about this, as you can see, all day. I know we don't have all day, but I could talk about my love for the Girl Scouts and the work that we're doing for girls every day and creating this wonderful environment where they can thrive, I could do that all day and in my sleep.

Carole Theriault: [00:28:55] (Laughter).

Violet Apple: [00:28:56] Thank you so much. Stay in touch.

Carole Theriault: [00:28:59] Now, I just love the sound of all this. Not only do these girls get to meet some pretty talented cyber folks on their journey of filling their badge requirements, but they're learning some key skills on staying safe online. That's a total win-win in my book.

Dave Bittner: [00:29:14] Wow. That's some good stuff going on there.

Joe Carrigan: [00:29:17] That is fantastic. Merry-land (ph).

(LAUGHTER)

Dave Bittner: [00:29:21] Yeah. I know. Carol, you know, she's Canadian, living in the U.K.

Joe Carrigan: [00:29:25] Right.

Dave Bittner: [00:29:25] We have to cut her some slack. I mean, it's not like we ever butcher any words, or names or accents on - you or I, right?

Joe Carrigan: [00:29:31] Sure. I do that every single time.

Dave Bittner: [00:29:33] (Laughter).

Joe Carrigan: [00:29:34] I'm also not going to let that stop me from pointing it out (laughter) when other people do it.

Dave Bittner: [00:29:37] Yeah. Yeah. Well...

Joe Carrigan: [00:29:38] I'm a jerk that way.

Dave Bittner: [00:29:38] Maybe someday she'll have to visit us here in lovely merry-land.

Joe Carrigan: [00:29:41] Right.

Dave Bittner: [00:29:42] So back to the Girl Scouts...

Joe Carrigan: [00:29:43] Yes.

Dave Bittner: [00:29:44] How cool is it that the head of the Girl Scouts is an actual rocket scientist?

Joe Carrigan: [00:29:48] Yes.

Dave Bittner: [00:29:49] I love it.

Joe Carrigan: [00:29:50] Sylvia Acevedo. She worked on Voyager 2...

Dave Bittner: [00:29:52] Wow.

Joe Carrigan: [00:29:53] ...And wrote programs for processing the data it sent back.

Dave Bittner: [00:29:56] Yeah.

Joe Carrigan: [00:29:57] Worked at the NASA Jet Propulsion Laboratory.

Dave Bittner: [00:29:59] Very cool.

Joe Carrigan: [00:30:00] That is fantastic. Something that Violet Apple said here was very important, that 89 percent of the jobs in the future will involve some kind of STEM component. OK? We are beyond the point where you can say, I'm not good with computers, I'm not good with math, I'm not good with engineer - you're going to have to have that, and our education system is going to have to change to promote that kind of education.

Dave Bittner: [00:30:21] Yeah. And these sorts of programs can help folks get a leg up, I suppose.

Joe Carrigan: [00:30:25] I would agree.

Dave Bittner: [00:30:25] Yeah.

Joe Carrigan: [00:30:26] It is great that they're starting with the cybersecurity training in kindergarten. That's fantastic. In my opinion, you cannot start this kind of training too early. You cannot start this kind of cognizance, this kind of thought process. When I have gone out into high schools and talked to students about careers in cybersecurity, I think that is actually too late, that at that point time, they're not looking at the careers if they're not already prepared for it. I think the latest you can talk to a kid about gearing their career towards this is middle school. And that's just my opinion. There's no evidence behind it. I'm just saying that out loud. Usually by the time a kid is in high school, they're already thinking along their career path.

Dave Bittner: [00:31:03] Yeah. That's interesting. Like, you couldn't take up baseball as a junior in high school and expect to be a pro. Is that kind of what you're getting at?

Joe Carrigan: [00:31:10] Yeah. That's kind of what I'm getting at.

Dave Bittner: [00:31:11] Yeah. OK. Thanks to Carole Theriault for something a little different. But I'm really glad we got to hear that.

Joe Carrigan: [00:31:18] Yeah. That was a good interview.

Dave Bittner: [00:31:19] Yeah. And that is our podcast.

Dave Bittner: [00:31:21] We want to thank our sponsor, KnowBe4. Their new-school security awareness training will help you keep your people on their toes with security at the top of their mind. Stay current about the state of social engineering by subscribing to their Cyberheist News at knowbe4.com/news. Think of KnowBe4 for your security training.

Dave Bittner: [00:31:39] We want to thank the Johns Hopkins University Information Security Institute for their participation. You can learn more about them at isi.jhu.edu.

Dave Bittner: [00:31:49] The "Hacking Humans" podcast is proudly produced in Maryland at the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our coordinating producer is Jennifer Eiben, our editor is John Petrik, our technical editor is Chris Russell, our staff writer is Tim Nodar, executive editor is Peter Kilpe. I'm Dave Bittner.

Joe Carrigan: [00:32:08] And I'm Joe Carrigan.

Dave Bittner: [00:32:09] Thanks for listening.

Copyright © 2019 CyberWire, Inc. All rights reserved. Transcripts are created by the CyberWire Editorial staff. Accuracy may vary. Transcripts can be updated or revised in the future. The authoritative record of this program is the audio record.

Supported by:
KnowBe4 Logo
KnowBe4

KnowBe4 is the world’s largest security awareness training and simulated phishing platform that helps you manage the ongoing problem of social engineering. Their new school security awareness training platform is user-friendly and intuitive. It was built to scale for busy IT pros that have 16 other fires to put out. Learn more at KnowBe4.com.

Subscribe to the CyberWire
Subscribe to the CyberWire Podcast: RSS Stitcher Google Play Music
Follow the CyberWire