cyberconIQ’s Cybersecurity Awareness Month
Taking the FEAR out of Cybersecurity
Week 1: Let’s talk about usernames and passwords!
Do you remember how many accounts you’ve registered for in your lifetime? While I may not be able to tell you an exact number my guess is a lot. In the past, even if I couldn’t remember if there was an existing account, I more than likely could tell you exactly what my username and password would be. It is well known by the general public and cybercriminals that when people register for a new account they reuse or make a slight variation to an old password. This is good news for criminals because when one account is hacked, then there is not much effort needed to hack any other accounts.
Reusing passwords, or variations of passwords can be dangerous and cause you to be less cybersafe online. Not only is reusing the same password dangerous but so is sharing your username and password with others. Even those you trust.
Have you ever shared your Netflix or Hulu profile? How many people have access to it? If you shared your login information, then every person who has access to your profile also has a username and password that you’ve probably used in the past on other accounts or maybe current accounts. Even without malicious intent, account sharing can be dangerous, it opens the door for you to be compromised. Once someone has your login credentials your information can no longer be controlled, and it is out of your hands. It is your account, so any actions taken under your login falls to you. The person you shared that information with may have shared with a friend or family member and pretty soon a friend of a friend is in your account and anything can happen.
Here are some suggestions to make you safer online. Enable multi-factor authentication whenever you are able to. Enabling this security measure will notify you through email or text if a new person or device tries to access your account. If you do not recognize the login, change your password. Use long and or complex passwords. Instead of keeping a physical password (sticky notes are a big no) utilize a password manager on your phone. This can ensure all your passwords are stored on a device that only you have access to. Use passwords that are unfamiliar, not a regular password.
In the world of cybersecurity, it is better to be safe rather than sorry. Take the necessary precautions and don’t share your login credentials.
Week 2: Safe website
Malware is crawling all over the internet, and false and unsecured websites are a typical place that cybercriminals tend to hide this malicious software. Here are some simple tips to make sure you're safer online. Make it a priority to check that the website has HTTPS before it's URL. HTTP stands for Hypertext Transfer Protocol, and the S symbolizes that it is, in fact, secured. The function of the HTTPS is to encrypt communications and to prevent criminals from stealing sensitive information. A secure site is particularly crucial if you are planning on doing online shopping or accessing any sensitive data such as your bank. You should also check for a padlock symbol in the URL bar. A padlock will indicate that the website is using a trusted SSL (Secure Sockets Layer) digital certificate. This will encrypt the link between the server and your device. If the padlock symbol is not there, it is not safe to enter passwords or credit card information.
Finally, look for a privacy policy. All legitimate webpages utilize them. Once the policy is found, use the Ctrl-F function to search for keywords such as "third-parties," "data," "store," "retain," and similar terms. The policy will give you a better understanding of what is private and what the company could share about you.
At the end of the day, you have the power to close a malicious webpage. The next time you're browsing the internet, keep these tips in mind to stay cyber safe!
Week 2: Online Purchase/Confidential Information
You can shop for just about anything online, and with COVID-19, people are even more inclined to utilize the convenience of having everyday essentials delivered right to your door. However, if you are not careful, this can lead to you becoming the target of cybercriminals. Keep these tips in the back of your mind the next time you shop!
Do your research. Before entering your card information, look at reviews and not just the ones on the webpage. Search for the vendor and the product online to see what comes up. It is also a good idea to check for any customer service information or the physical location of the vender to verify it is legitimate.
Don't use your debit card. Credit cards are much safer to shop with because there are more customer protections, and it is not a direct link to your bank account. Some card companies also have a notification system that lets you know via text if any purchases are made on your card. If you do not have a credit card, fear not! Utilize a third-party payment service such as PayPal, Venmo or, Google pay. Doing this removes the direct link to your bank account, and you still have the ability to report and file claims.
As frustrating as it may seem, do not store your payment information in your shopping profiles. Because if that company is hacked then there is less sensitive information about you for a criminal to use.
Finally, check your bank and card statements regularly. I suggest minimally checking once a week to be sure no suspicious charges have been made.
Be alert, be aware, and be cyber smart.
Week 2: Shopping
Cybercriminal turned cyberwarrior.
Yes, this really happened!
The year was 2008, and Walker, a young 18-year-old hacker with Asperger's (a mild form of autism), pled guilty to six charges of cyber-crime. He had been homeschooled since he was thirteen, and in his free time, he taught himself about programming and encryption. Walker was responsible for an international hacker network that infiltrated over a million computers and led to the theft of $20 million. Through this, he only made about $32,000 from his efforts. The program he created enabled a cyber-gang to use their botnets, a group of computers infected with malicious software that can be controlled without the owner’s knowledge, to infiltrate computers. Anti-virus software couldn't detect his encrypted malware, and at the time, it was considered one of the most advanced encrypted malware that investigators had encountered. The code he created would disable anti-virus software and prevent it from being updated, causing the computer to be unaware that the anti-virus software was inactive.
However, due to his age, remorse, condition, and lack of criminal intent, the judge dismissed the guilty plea and asked that he instead pay $11,000 in damages. Today he is now working as a cybersecurity consultant for a telecom company in New Zealand.
Hahn, J. (2020, April 17). The Stories Behind 15 of the Most Dangerous Hackers Ever. Retrieved September 24, 2020, from https://www.complex.com/pop-culture/2015/02/the-most-dangerous-hackers-and-groups/owen-walker
Martin T. Biegelman, C. (n.d.). Fraud Magazine. Retrieved September 24, 2020, from https://www.fraud-magazine.com/article.aspx?id=412
Teen hacker turns cyber-crime consultant. (2009, March 26). Retrieved September 24, 2020, from http://www.nbcnews.com/id/29875907/ns/technology_and_science-security/t/teen-hacker-turns-cyber-crime-consultant/
Week 2: IoT
First, let's begin with what is IoT (Internet of Things)? Essentially it is a network of physical objects that have the ability to gather and share electronic information. So, when you think IoT, imagine smart devices ranging from a Fitbit to industrial machinery. Nowadays, just about any device could be considered "smart," so how do you protect yourself from items that are not only constantly around you but necessary and vital to your job/life. Here are some tips that may help you better protect you and your devices.
Change your passwords, and don't leave it at its factory settings. Instead of using a single word, use a phrase you would remember and change out some letters for numbers and symbols. This way, it's easier for you to remember and harder for a hacker to guess.
Many smart devices are accompanied by a mobile application. Many of these apps could be running in the background or using default permissions you may not have approved. This allows them to gather personal information without your knowledge. Only download apps from trusted sources and always check the permissions on an application. If you are not comfortable with the permissions they allow, it is best not to download it.
Secure your network. You will hear this suggestion throughout the month, but it is vital. It is an excellent baseline of defense. However, do not forget about it once it is established. Make sure to update your network continually, and if you are worried about forgetting, then enable automatic updates during low use time. You are the security officer for your home.
Week 2: Use Multifactor Identification (Apply to personal lives and not to organization)
What is Multifactor Identification?
You are probably most familiar with it when logging into your bank account. Once past the initial username and password login, the bank will typically ask to send you a code via text or email from the information linked to your account.
It is essentially another layer of verification utilizing something you know, have, or are. In order to gain access, your credentials must come from two of the three categories.
The category of something you know includes usernames, passwords, and pin numbers. The category of something you have could consist of a verification text, call, or email. The category of something you are includes fingerprint, vocal, or facial recognition.
If given the option to enable Multifactor Identification, take the initiative and do so to protect your information and identity.
Week 3: Check for System Updates
Stop disregarding those little pop-ups asking you to install your software updates. We all get them! Even though they are a bit disrupting, they are critical to your computer’s safety and wellbeing. Software updates typically have both vulnerability fixes and bug fixes.
While browsing the internet, you are at the mercy of your computers' current protective measures. These fixes can aid in keeping malicious software out of your computer. It is like locking the door to your house, it won't keep everything out, but you’re not leaving an open invitation for a nefarious person to access your home.
These system updates don’t always have to be tedious. An anti-virus program can be set to automatically install, and if available, you can even schedule the updates in low use hours. We recommend scheduling automatic updates for your operating system, security software, and browsers whenever they are available.
The Importance of General Software Updates and Patches. (n.d.). Retrieved October 02, 2020, from https://wp.umaryland.edu/the-importance-of-general-software-updates-and-patches/
IT at Yale. (n.d.). Retrieved October 02, 2020, from https://cybersecurity.yale.edu/patchyourdevices
Week 3: Unsecure Public Wi-Fi
There are two types of public Wi-Fi networks: secured and unsecured. A secured network requires a user to agree to legal terms, register an account, or type in a password before being allowed access to the network. A secure network can also supply some encryption for your Wi-Fi connection. An unsecured network can be connected to without any type of security features like a password, encryption or a login page.
You should always use public Wi-Fi with caution, especially an unsecured network. Let us look at some dos and don’ts, according to Norton, when it comes to public Wi-Fi:
Do not: Shop online when using public Wi-Fi. Shopping does not seem like it involves sensitive data, but making purchases online requires personal information that could include bank account information.
Do not: Access personal bank accounts, or sensitive personal data, on unsecured public networks.
Do: Turn off automatic connectivity. Most smartphones, laptops, and tablets have automatic connectivity settings, which allow you to connect from one hotspot to the next. While this may be convenient, it can also connect your device to networks you would not ordinarily use.
Do: Check your Bluetooth connectivity. Leaving Bluetooth on while in public places can pose a huge risk to your cybersecurity. It allows various devices to communicate with each other, and a hacker can look for open Bluetooth signals to gain access to your devices. Keep this function locked down when you leave your home or office.
Do: Think about using a virtual private network (VPN) solution to ensure your privacy is protected when using public Wi-Fi. VPN services can encrypt all the data you send and receive while using public Wi-Fi. Securing your information from other users should be a top priority. An example of a VPN service is Norton Secure VPN.
Norton. (2020, July 06). The Do's and Don'ts of Using Public Wi-Fi. Retrieved September 30, 2020, from https://us.norton.com/internetsecurity-wifi-the-dos-and-donts-of-using-public-wi-fi.html
Week 3: Wait, This Really Happened?!?
If you were a gifted hacker, would you join the forces of good or evil? If your Kevin Poulsen why not both. By day he worked as a security expert and programmer for SRI international. A technology company with government contracts. But by night, he donned his pseudonym “Dark Dante” and gained access to government secrets and a Porsche.
As a young kid growing up in the 80s, Poulsen was fascinated with the avenue’s computers opened for him. He enjoyed testing the limits and seeing what he could get away with. In his early years, he hacked the pentagon ARPANET, the foundation of the internet, and stole sensitive military and government documents. Poulsen was only caught because he logged in under his actual name. Since he was underage at the time, he was never officially charged.
He learned from his past mistake and adopted the name “Darke Dante” for his black hat hacker activities. However, those days came to an end when he missed the payment on a storage locker. When this locker was then opened, some strange electronic equipment was discovered, along with payphones, and printouts, including the Soviet embassy's unpublished number, was found within. The authorities were contacted, and Poulsen’s possessions were taken, causing him to run and hide. He enjoyed the game that being on the run created. He would call the authorities searching for him and mock them for letting him get away. When they attempted to trace the call, it would circle back to within their own facilities.
He spent a total of seventeen months on the run. He was only apprehended when store clerks recognized him from an episode of Unsolved Mysteries. The clerks grabbed and held him until the authorities could come to pick him up. While being arrested, he began begging to remove his contact lenses and retrieve his glasses. An FBI agent complied but not before he searched the bag. Hidden within the case for Poulsen glasses was a handcuff key.
Although he was a high-profile hacker, His most well know scam is when he jammed the phone lines of a radio station to win a Porsche 944 S2 Cabriolet. By jamming the lines, he made it so that it was guaranteed he would be the required 102nd caller to win the car. He also did not just pull this off once. He and his accomplices ran this scam on multiple radio stations, winning two Porsches, two trips to Hawaii, and 22 thousand dollars in cash.
Now Poulsen is a journalist and appears to have left his criminal past behind. He handles writing a script that was able to search for Myspace’s membership database for registered sex offenders. This script found a total of 744 sex offenders who had Myspace profiles. The question remains, has he really left his black hat hacker days behind him?
Jeff, Britt, Manojkumar, Chanita, Fozzie, [Larks], . . . Anonymous. (2020, September 07). Kevin Poulsen. Retrieved October 02, 2020, from https://unsolved.com/gallery/kevin-poulsen/
Kevin Poulsen. (2019, March 23). Retrieved October 02, 2020, from https://www.hackerscrackersandthieves.com/kevin-poulsen/
The Last Hacker: He Called Himself Dark Dante. His Compulsion Led Him to Secret Files and, Eventually, the Bar of Justice. (1993, September 12). Retrieved October 02, 2020, from https://www.latimes.com/archives/la-xpm-1993-09-12-tm-34163-story.html
Week 3: Deepfake
Deepfakes are images and videos created using software to appear real and from a legitimate source that are then used to spread misinformation. A fantastic example of a deepfake that did no harm was when one of the earliest deepfake developers, DerpFake, recreated the final scene from Star Wars: Rogue One. He used deepfake technology to recreate the scene with a young Princess Leia. He was able to perfectly mimic Carrie Fisher’s acting so thoroughly that Star Wars fans wish his technology could have been used in the film rather than the CGI that was released. However, pleasing a fandom is not the only purpose of deepfakes. Deepfakes are used in global politics to discredit electoral candidates and push falsehoods on the public.
The software can transfer not only the appearance of an individual but also their facial movements and voices. Neural-network structures called an “autoencoder” are used to make deepfakes successful. They can learn efficient data coding without being supervised. It encodes the image that it wishes to project and then reconstructs it over another image. Typically, deepfakes can be figured out because the reconstructed image is not as detailed as the original. However, this technology is ever-improving.
Deepfakes can be difficult to detect. Even with the technology developed to decode deepfakes, the best way to continue combat it is to think critically and do your own research. Do not believe everything that comes across your internet feed.
Dickson, B. (2020, March 04). What Is a Deepfake? Retrieved October 02, 2020, from https://www.pcmag.com/news/what-is-a-deepfake
Read, C., & Scott Ikeda·February 22, 2. (2019, May 28). Deepfakes and Cybersecurity: How Much of a Threat Are They? Retrieved October 02, 2020, from https://www.cpomagazine.com/cyber-security/deepfakes-and-cybersecurity-how-much-of-a-threat-are-they/
Sahelirc. (2019, December 18). Automated hacking, deepfakes are going to be major cybersecurity threats in 2020. Retrieved October 02, 2020, from https://www.cnbc.com/2019/12/18/automated-hacking-deepfakes-top-cybersecurity-threats-in-2020.html
Week 3: Keep Business and personal life separate
The majority of professionals are working in busy, fast-paced environments and multitasking between personal and business life. Using mobile devices for business and personal reasons could not only put you at risk for company checking but also leave you open to security and privacy threats.
BYOD or “Bring Your Own Device” is something some companies encourage. BYOD allows you to use your own mobile phone or tablet for work. This also means that your company could have the right to remotely wipe your device when you leave the said company.
Here are some things to keep in mind if you are using BYOD. First, continually backing up your data. There are also apps you can download that separate your work and personal life. Divide is an example of an app that allows you to enjoy privacy on your personal device as well as accomplish your business tasks on the go. Another consideration is to separate your primary hard drive into two partitions: one for work and one for personal use. If you feel some pressure, as an alternative, you could purchase a second phone or tablet specifically for business purposes. Having a second device not only keeps your data private, but it can keep you focused on work throughout the day, since your personal life won’t exist on your work device.
Lucas, S. (n.d.). The Pros and Cons of a Bring Your Own Device (BYOD) to Work Policy. Retrieved September 30, 2020, from https://www.thebalancecareers.com/bring-your-own-device-byod-job-policy-4139870
Murphy, D. (2018, March 30). How to Separate Your Work and Personal Life on Your Devices. Retrieved September 30, 2020, from https://lifehacker.com/how-to-separate-your-work-and-personal-life-on-your-dev-1824208389
Week 4: Install Anti-malware Software
What is malware?
Malware is software specifically designed to do harm to your computer, server, and network. This can include but is not limited to viruses, worms, Trojan horses, ransomware, spyware, adware, rogue software, and scareware.
What exactly does anti-malware do?
Anti-malware software is a safety net for the everyday person. It offers a line of protection from becoming a victim of threats like identity theft, it can help prevent your data from being corrupted, and it saves both time and money by preventing most threats before they strike.
How does anti-malware work?
Anti-malware programs typically contain malware protection along with sandboxing technology. Sandboxing technology will isolate suspicious files. It will then hold that file in a contained environment “sandbox” to analyze further. If the file is deemed threatening, it will then be removed while non-threatening files will be allowed through; however, the files will be consistently monitored. Another technique of anti-malware technology is behavior monitoring. It will look at each file individually and assess if its behavior is suspicious without comparing it to any known threats. If the behavior is suspicious, then it will be flagged. This technique allows it to look at each file individually without comparing it to any known threats.
Malware Removal.
Ideally, anti-malware software will prevent malware from installing altogether. However, when malware is identified, it will attempt to remove it from the computer to prevent the computer from infection. Identifying and removing malware seems like a long process but, in reality, it is done in a matter of seconds.
What are the pros of installing anti-malware software?
You are protected from hackers trying to gain access to your computer using malware. Your privacy is protected from software that steals personal information from installing on your computer. Your files are not only secured, but your data is protected if malware does install on the device. Anti-malware will also keep your software up to date, and most will remind you when it is time to do so.
Why is anti-malware software important?
Especially today, with more people working from home, it is important to protect yourself. Technology is changing, and you never know when hackers could access your computer. Most technology can remain undetected until the malware does a major change, and installing this software could detect it before that occurs. It will prevent computer infections such as worms, bugs, and viruses; and is designed to protect your computer at all times.
Security Tip (ST04-005). (n.d.). Retrieved October 12, 2020, from https://us-cert.cisa.gov/ncas/tips/ST04-005
What is Anti Malware?: How Anti Malware Software Works? (2018, November 30). Retrieved October 12, 2020, from https://enterprise.comodo.com/what-is-anti-malware.php
What Is the Importance of Antivirus Software & Why Use It? (2017, October 26). Retrieved October 12, 2020, from https://computer-fixperts.com/security/importance-antivirus-software/
Week 4: Passphrase/Fingerprint
Have you kept track of your digital footprint? Most people have not and the reality of that is most have been exposed to phishing scams, data breaches, and the sale of personal data. Anti-malware software is fantastic and should be installed but there are even more basic steps to protect your safety. Passwords, or better yet, passphrases.
A passphrase is a better alternative to a complex password. Most passwords are a combination of letters, symbols, and numbers, typically from an easy to remember piece of information like a word, name, or date. No matter how complex you make the word, it is still guessable. A passphrase, on the other hand, is a full sentence that the hacker needs to guess. Adding complexity to this as well makes it nearly impossible for hackers to access using computation, algorithms and even brute-force trial and error approaches.
When building a secure passphrase, it is important to take two things into consideration, the length and complexity. However, in the end, the length is more important than complexity. You could use the title of your favorite book or an inside joke. So long as it is not easily guessed by anyone but you, it will be effective. Then add some punctuation and capitalization differences to secure it further. By doing this, you have made it nearly impossible to gain entry to anyone but those intended.
As mentioned earlier in the month, two-factor authentication is also important to keeping your data safe. Fingerprints and the new face id technology are a great example of this. It adds an extra layer of protection and should always be taken advantage of. Check out Oct 9th of cyberconIQ’s cybersecurity awareness month for more in-depth information on multifactor authentication.
Palmer, D. (2017, September 26). Face, fingerprint, passwords, or PIN: What's the best way to keep your smartphone secure? Retrieved October 12, 2020, from https://www.zdnet.com/article/face-fingerprint-passwords-or-pin-whats-the-best-way-to-keep-your-smartphone-secure/
Wetherill, J. (2018, August 02). Council Post: Cybersecurity 101: Practical Tips To Protect Your Personal Data. Retrieved October 12, 2020, from https://www.forbes.com/sites/forbestechcouncil/2018/08/02/cybersecurity-101-practical-tips-to-protect-your-personal-data/
Winder, D. (2020, February 23). The FBI Wants You To Stop Using Passwords And Do This Instead. Retrieved October 12, 2020, from https://www.forbes.com/sites/daveywinder/2020/02/22/the-fbi-wants-you-to-stop-using-passwords-and-do-this-instead/
Week 4: Wait This Really Happened?!?!
COVID-19 has brought along a new set of challenges. People have been made to rely on e-commerce now more than ever. Cybercriminals have kept up with this new development and new threats have been found. Most begin with a simple email. For example, in the United Kingdom, NCSC’s (the UK’s National Cyber Security Center) allows for the reporting of suspicious emails and from this we can gain a better understanding of the methods used in new phishing scams. Some scams are easy to recognize such as the request for $250 in iTunes gift card for “essential lockdown supplies”, but others can be harder to spot. It is important to remember that if an email seems suspicious then do not open it.
Since COVID-19, the demand for certain products has exceeded the inventory and has created some chaos for online retailers. This chaos opens avenues for counterfeiters, opportunistic people like hackers. Some shoppers have no choice but to rely on ecommerce for products and counterfeiters are well aware of this fact. Retailers, such as Amazon, have banned over a million products that make a claim to protect against or completely cure COVID-19. In addition, there have been millions of knockoff face masks that have been taken off the market. Counterfeiters have been selling face masks, lab coats, and even gas masks on platforms such as Facebook, Craigslist, Etsy, and Amazon.
With so many counterfeits on the market it is important to understand how to spot fake products or stores. A key point is price. A great rule of thumb is if it is too good to be true then it probably is. Counterfeits are typically cheaper and made from poor-quality materials that do not comply with safety standards. If you are still unsure then contact the seller and ask questions about the product and their policies. Most importantly, you need to perform your own research before purchasing a product. A good way to do this is by checking out online reviews by looking at the number of reviews, dates, and if photos are attached. You could also buy from a company you are familiar with and have purchased from before rather than third-party sellers.
You are in charge of your own wallet. If you are unsure of a product or a company and cannot find the right answers then maybe it best to play it safe and do not enter your payment information.
Bowden, J. (2020, April 02). Man accused of smuggling fake coronavirus 'miracle cure' into US. Retrieved October 12, 2020, from https://thehill.com/homenews/news/490857-man-accused-of-smuggling-fake-coronavirus-miracle-cure-into-us
Coronavirus: UK forces hundreds of scam Covid-19 shops offline. (2020, April 20). Retrieved October 12, 2020, from https://www.bbc.com/news/technology-52361618
How to Spot a Fake Online Store in 5 Easy Steps. (2020, July 22). Retrieved October 12, 2020, from https://clark.com/scams-rip-offs/how-to-spot-a-fake-online-store/
Miracle cures? UK investigators go after fake coronavirus medicines. (2020, April 03). Retrieved October 12, 2020, from https://www.reuters.com/article/us-health-coronavirus-britain-fake-idUSKBN21L3DH
Nardi, C. (2020, March 25). Beware of COVID-19 scams - like free masks from the 'Red Cross' or fake test kits. Retrieved October 12, 2020, from https://nationalpost.com/news/beware-of-covid-19-scams-fraudsters-offer-free-masks-from-the-red-cross-or-fake-test-kits
Schwab, K. (2020, May 01). Counterfeiting is a billion-dollar problem. COVID-19 has made it far worse. Retrieved October 12, 2020, from https://www.fastcompany.com/90500123/counterfeiting-is-a-billion-dollar-problem-covid-19-has-made-it-far-worse
Week 4: Physical Security
Cybersecurity should be a business’s priority, and while software, firewalls, and security appliances. are great, what about your physical cybersecurity. It is a topic that is not often talked about in this context, but it is just as important as the software you install. Every organization should consider every possible way someone could compromise them. In our experience, most employees are not clear on what constitutes physical security. You may think that you are being kind by holding the door for someone when in reality it is call tailgating and could lead to a security breach. Other examples of a physical security breach entail losing physical equipment such as computers or flash drives, throwing away old files, burglary, shoulder surfing and obviously holding a door for someone to a locked facility.
Here are some tips for physical security from a cybersecurity point of view.
Keep track of all devices. Our lives have become increasingly more mobile and with that the possibility of lost or stolen devices also increases. In the case a device is lost you should know your contingency plan and who to contact immediately. If your organization uses mobile device management, then leverage this to locate or wipe your device.
When disposing of old files, anything that is thrown away can legally be obtained. Dumpster diving is a practice among cybercriminals because it is a legal way to obtain sensitive information. A simple solution is, do not throw away items that have sensitive information. Shredding is an easy way to protect your company and destroy these documents.
This may seem obvious but is still crucial to physical security. Lock it up! Computer windows are not the only ones in need of protection. Secure all your windows and doors in your office space and at home. A simple walk through your office could cause a security risk due to the presence of sensitive information and company technology. Ensure all windows and doors are locked and secured before exiting the premises. If your office has a window that people can walk by and look in, then make sure no sensitive information is left lying around or open on the computer. Be aware of all angles and the visibility of the everyday passerby. Try to limit who has access to the premises.
For additional security to your office space add video surveillance. Even the presence of a security camera can deter potential threats and if the threat happens to get through then you can potentially identify the perpetrator.
In regards to cybersecurity it is vital not to forget the importance of physical security. When taken into consideration this can potentially save you time, money, and stress in the long run.
Physical Security. (2019, May 10). Retrieved October 12, 2020, from https://www.ftc.gov/tips-advice/business-center/small-businesses/cybersecurity/physical-security
White, S. (2018, December 12). 10 Things You Should Do to Ensure Physical Cybersecurity. Retrieved October 12, 2020, from https://www.agileit.com/news/ensure-physical-cybersecurity/
Week 4: Strengthen Your Passwords
Passwords can be a pain to remember, but they are necessary for your online protection. However, passwords are able to be compromised.
Here are some helpful tips to give you the best password protection. Try using a longer passphrase. Passphrases are more challenging to guess than a password and can have more variations. Do not include personal information such as a portion of your name or your pet’s name in your password. This is easy to guess and easily attainable due to social media. Replace letters in your passphrase with symbols or numbers. Use phonetic replacements like PH instead of F or even misspellings such as luv instead of love. Do not reuse passwords this just opens more avenues of attack for cybercriminals. By switching it up if one account gets hacked, then access cannot be obtained to your other accounts.
If you cannot think of a good passphrase, there are password generators that are available online. Wolfram Alpha knowledge engine is a great example. Look online to see what you can find as well. Several online companies when you register for an account have already included a password generator feature in their process. I encourage you to use this whenever possible. At the end of the day you can easily recover your password if you forget it, but data once stolen is not so easily recoverable.
Lightner, R. (2011, September 09). How to improve your password strength. Retrieved October 12, 2020, from https://www.cnet.com/how-to/how-to-improve-your-password-strength/
Stahl, A. (2019, May 02). 4 Simple Ways to Strengthen Your Passwords. Retrieved October 12, 2020, from https://www.kelsercorp.com/blog/4-ways-to-strengthen-your-passwords
Vigo, J. (2019, May 02). 6 ways to strengthen your password. Retrieved October 12, 2020, from https://www.techrepublic.com/article/6-ways-to-strengthen-your-password/
Week 5: Ransomware
Ransomware is malicious software that is used to lock and encrypt a victim's computer or data. A ransom is then demanded to restore access. These files could be documents, photos, and financial information. While the files are still on your computer, there is malware in place that has encrypted these files, causing the data to be inaccessible. Often there is a set time frame in place before the locked files are deleted to create a sense of urgency for the victim, making them more likely to comply with the ransom.
When ransomware was created and introduced, it initially targeted regular everyday people who would not expect their own files and images to be held for ransom. However, cybercriminals have since realized the full potential of ransomware and are focused more on attacking businesses. When targeted against companies, it can halt productivity, which will result in lost data and revenue. This may cause businesses to quickly pay off the ransom rather than lose more money from the halted business.
There are several target groups that victims of ransomware can be categorized into.
Groups that have smaller security teams. Universities tend to fall into this category because they have lots of files with personal information but less security in place.
Groups that can and will pay quickly. These include government agencies, banks, medical facilities, and similar organizations. They need immediate access to their files and would be more willing to pay a ransom quickly.
Firms that contain sensitive data. This includes law firms and similar organizations. These could be targeted because cybercriminals may rely on legal controversies that could become an issue if the data were leaked.
Businesses make up the last group. For cybercriminals looking for a more massive payout, they will look at targeting large corporate organizations.
How can ransomware infect a computer?
There are many ways ransomware can infect a computer, but the most common method is a malicious phishing message. This method is where an unsolicited email delivers malware using attachments such as PDFs and Word documents to trick people into clicking on them and therefore downloading the malicious ransomware software. These emails can appear legitimate, as if the emails are from a trusted institution or a friend. Once you take the bait from the phishing email, the software will then steal files or lock up the computer to scare users into paying a sum of money to regain access to their files.
How do you protect yourself against ransomware?
One of the best ways to protect against ransomware is to stay educated on what to look for in a malicious email since we know that is a primary delivery method. You should also download security products to run scans and remove any known threats. In this instance, you may not get your files back, but the threat could be removed. In the case of screen-locking ransomware, which makes you unable to use your computer screen, you may need a full system restore that will return the system to the state that it was at the time of the last backup.
What is the best way to respond to ransomware?
Fighting back against ransomware is complicated because even if you pay the ransom, there is no guarantee that you will regain access to your files. Because of this, most suggestions are not to pay the ransom when responding to ransomware attacks.
If you are a ransomware victim, you should do some quick research on where to file a report. In the U.S that would be with the FBI's internet crime complaint center (IC3) and also contact the local FBI field office.
Here are some dos and don'ts when dealing with ransomware.
Do educate yourself on how to spot malicious messages that may deliver malicious software to your computer.
Do use security software: This will help to protect your data. To be effective, it must do more than just antiviral features.
Do keep the security software up to date: Ransomware continues to evolve, so having up to date internet security software is essential in protecting you against cyberattacks.
Do update the operating system and additional software: Software updates will typically include patches for new security vulnerabilities that could be exploited by ransomware attacks.
Do back up important data onto an external hard drive. The main leverage cybercriminals have over their victims is their ability to control or remove important data. If the victim has backup copies, then the cybercriminal loses the advantage. This backup will also allow you to restore files once the infection is cleaned up. These backups must be protected or stored offline, so the cybercriminal cannot access them.
Do use cloud services. This can help mitigate ransomware infection since the cloud will keep previous versions of files. It will allow you to open an unencrypted form of the file.
Don't pay the ransom. You may, or you may not get your files back. If you pay the ransom, then the cybercriminal could ask you to pay more and continuing to receive money from you while never releasing your data.
Don't automatically open attachments in emails: Emails are the most common methods of delivering malware. Phishing scams can look like they are from a legitimate source and release malware onto your system once opened.
Remember, when it comes to ransomware, the best offense is a good defense. Learn to recognize the signs of phishing and smishing and have preventative measures in place.
NortonOnline. (n.d.). Ransomware is malicious software that can take over your computer or mobile device, holding your precious data hostage and demanding cash. Retrieved October 19, 2020, from https://us.norton.com/internetsecurity-malware-ransomware-5-dos-and-donts.html
Ransomware - What Is It & How To Remove It. (n.d.). Retrieved October 19, 2020, from https://www.malwarebytes.com/ransomware/
Ransomware. (2020, April 03). Retrieved October 19, 2020, from https://www.fbi.gov/scams-and-safety/common-scams-and-crimes/ransomware
Week 5: Smishing
Phishing emails are so popular that most email clients believe they have an excellent phishing filter that can catch a lot of junk mail before you even have to view them in your inbox. So now, scammers have turned to another medium.
Smishing is the SMS (short message service) version of a phishing scam. Just rather than receiving a scam email, you will receive a scam text message. This is relatively new and is still something a lot of people have never encountered. Scammers expect people to be less skeptical and careful from SMS than they would be on an email.
There are typically three categories that smishing attacks fall under.
- Attempts to trick you into revealing your credentials. Smishers could try to convince you to give a username and password combo and other confidential information to log into your online accounts. Smishing for banking credentials is most commonly seen. It is often successful because banks do, in fact, have services that text you about suspicious activity on your account. Another factor is that many Smishers use SMS spoofing techniques to either disguise the phone number or use short code, a short digit sequence used to address messages in SMS and can be used in abbreviated dialing a text message appears to come from.
- Attempts to trick you into downloading malware. This attack is similar to that of email phishing but in a now mobile travel version. These scams are rarer when seen in text because smartphones make it more difficult to install apps. iPhones and Androids only allow signed and verified apps from app stores to operate, but it is still possible to sidelong apps. These apps will act as a Trojan horse that can harvest sensitive information from the phone.
- Attempts to trick you into sending someone money. This type of smishing is more of a con artist than anything else, but it is a real concern. These are the typically Nigerian princes trying to get money stashed in overseas bank accounts. They will do some work to get you to trust them, such as using friends' names or even government grants, such as our recent stimulus checks. These approaches will attack a victim's greed or generosity. Some will ask for money for false fundraising purposes.
To recognize a smishing message, you must check the source of the text message. Reverse search the phone number online or even double-check the information they are asking for. For instance, if they ask about a delivery preference and you haven't ordered anything, it is a smishing scam. If you have ordered something, then don't click the link sent in the message. Go to the source such as amazon and look at your tracking number directly. The same goes for if you get a "fraud" alert from your bank. Do not click the link in the message. Go directly to your bank's webpage and check it directly. Do not send sensitive information in response to a strange text. If someone asks for information from a "new number," it is good to call the old number or message them on another platform to verify this information. Be wary of offers that seem too good to be true, unnatural, or ungrammatical language, don't click embedded links or download apps directly from a text message, and the IRS and social security administration don't communicate via text.
At the end of the day, smishing is all about fact-checking directly from the source itself. Always take it one step further and verify the information before taking any action.
Fruhlinger, J. (2020, May 01). What is smishing? How phishing via text message works. Retrieved October 19, 2020, from https://www.csoonline.com/article/3538831/what-is-smishing-how-phishing-via-text-message-works.html
Hoffman, C. (2020, January 24). What Is Smishing, and How Do You Protect Yourself? Retrieved October 19, 2020, from https://www.howtogeek.com/526115/what-is-smishing-and-how-do-you-protect-yourself/
What Is Smishing? (n.d.). Retrieved October 19, 2020, from https://us.norton.com/internetsecurity-emerging-threats-what-is-smishing.html
Week 5: Wait This Really Happened!?!?
A young student, Demirkapi, used hacking to expose vulnerabilities on Blackboard and Follett, common systems used for schools. Out of teenage boredom and an ambition to learn more about cybersecurity he began digging into technology and exploring computers. He later took a more typical approach for a young hacker. He found he could add group resources to the school's account that would be available to all users and would trigger a push notification with a message "hello from Bill Demirkapi:) "to thousands of parents, teachers, and students.
He saw hacking as a way to figure out how things would work, see if he could then break them, and then see if he could make the system behave in a way that he wanted. In his mind, he was not trying to steal information. Still, he wanted to bring awareness to the vulnerabilities of a system his school used that did house private student information, including his own. When he began poking around these systems, he found he could gain access to millions of student records from test grades, medical records, and lunch menus.
After three years of after-school hacking, Demirkapi presented his findings. In both Blackboard and Follett, he found severe bugs that would allow a malicious hacker to gain deep access to student data. He found 5 million vulnerable records for both students and teachers. He pointed out that if a bored 16-year-old kid motivated only by his curiosity could easily access these records, imagine what a hacker with malicious intent could do. Demirkapi stated that he had access to pretty much any data the school stored in their systems. He stated, "this is software that not enough people pay attention to or put the correct security measure in place." Because he was not sure how to contact Blackboard or Follet, Demirkapi took this course of action to let the companies know of their vulnerabilities. In his opinion, a customer complaint rather than a "kid" pointing out the system flaws would be well-received. Although he was suspended for two days, Dermirkapi claims that he would have done the same thing had he been a faculty member and a student presented these findings to him. Hacking does not have to be a large-scale attack to gain money or fame. It can sometimes be a curious young kid who is bored and is looking for a better way to protect people from the internet.
Greenberg, A. (n.d.). Teen Hacker Finds Bugs in School Software That Exposed Millions of Records. Retrieved October 19, 2020, from https://www.wired.com/story/teen-hacker-school-software-blackboard-follett/
Young, J. (2019, September 25). A Bored Student Hacked His School's Systems. Will the Edtech Industry Pay Attention? - EdSurge News. Retrieved October 19, 2020, from https://www.edsurge.com/news/2019-09-10-a-bored-student-hacked-his-school-s-systems-will-the-edtech-industry-pay-attention
Week 5: BEC
BEC stands for Business Email Compromise. It is a form of cyberattack that exploits the fact that many people rely on email to conduct business. This type of attack can include receiving an email from a higher-up within a company ordering you to process an invoice, change the recipient of a payment, or provide sensitive documents, typically with a sense of urgency deterring you from checking the source.
BEC's consist of a spoof of an email account or website. This type of email will have a slight variation of a legitimate address to appear authentic. Scammers will often use spear-phishing emails, which are messages that look like they are from a trusted sender to trick people into revealing confidential information. Once the confidential information is revealed, the information will allow criminals to access company accounts, calendars, and data needed to carry out BEC schemes. BEC's can also use malware software to infiltrate companies and access legitimate email threads about billing and invoices.
Here are some points to keep in mind to spot BEC's.
The messages are typically brief and bypass standard policies and procedures for your company. The sender may state they are traveling, or it came from a mobile device. The email comes from Gmail, Hotmail, other personal accounts rather than a business account.
Here are some tips to prevent a BEC:
- Don't click on anything from an unsolicited email or text message asking to update or verify account information.
- Carefully examine the email address check the URL and spelling used. Typically, scammers will use slight spelling differences and hope you overlook it.
- Never open an email attachment from a questionable or unknown email address
- Fact-checking is your friend! It may take extra time to verify everything, especially when it contains personal or sensitive information. However, it is better to take the additional few minutes to fact check than to be a cyberattack victim.
AARP | Comments: 0, & Aarp. (n.d.). How to Spot a Business Email Compromise Scam. Retrieved October 19, 2020, from https://www.aarp.org/money/scams-fraud/info-2019/business-email-compromise.html
Business Email Compromise. (2020, April 17). Retrieved October 19, 2020, from https://www.fbi.gov/scams-and-safety/common-scams-and-crimes/business-email-compromise
Business Email Compromise: What it is, and how to stop it: Microsoft On The Issues. (2020, July 23). Retrieved October 19, 2020, from https://news.microsoft.com/on-the-issues/2020/07/23/business-email-compromise-cybercrime-phishing/
Week 5: Social Media
Social media is a part of our everyday lives, and cybercriminals are aware of it. In fact, social media is a wonderful place to find information and answers to security questions such as where you went to school, your pet's name, or even your mother's maiden name.
Here are some precautions you can take to make yourself safer while using social media:
- Never click and tell. Limit the information you make available on social media. Seemingly random information about you can be used against you by cybercriminals.
- If you go on trips, do not post about them until you have returned.
- Disable location services that allow anyone to see where you are at any given time.
- Speak up if you feel uncomfortable with the amount of information a friend has posted about you and understand if a friend comes to you with a similar concern.
- Report suspicious activity or harassment on social media.
- Remember, there is no such thing as a delete button on the internet, so be sure to share it with care. Keep your privacy setting updated.
- Connect only with people you trust and do not accept unknown friend requests.
Social media is known as a place where people let their guard down. It's something to scroll through on lunch breaks or before or after school/work. The atmosphere is casual, and some information can slip through the cracks, which brings its own set of risks along with it.
To keep yourself safe, be pragmatic, and understand that social media will always be attractive to cybercriminals. Educate yourself and your employees on how much information should be available on social media. Utilize the privacy settings that are available on social media sites.
(n.d.). Retrieved October 19, 2020, from https://www.ecpi.edu/blog/cyber-security-for-social-media-what-information-is-at-stake
Business Home. (n.d.). Retrieved October 19, 2020, from https://www.mcafee.com/enterprise/en-us/security-awareness/cybersecurity/cybercriminal-social-media.html
Social Media Cybersecurity. (2019, October 29). Retrieved October 19, 2020, from https://www.commerce.gov/news/blog/2019/10/social-media-cybersecurity
Terrill, C. (2017, April 28). What You Need To Know Now About Cybersecurity And Social Media. Retrieved October 19, 2020, from https://www.forbes.com/sites/christieterrill/2017/04/28/what-you-need-to-know-now-about-cybersecurity-and-social-media/