Happy Cybersecurity Awareness Month everyone! This year’s campaign theme, “See Yourself in Cyber,” focuses on the human element of cybersecurity – specifically, what we can do to stay safe online and what we, as cybersecurity professionals, can do to improve our industry.
I particularly like this year’s theme because the human element has been, and continues to be, the “Achilles Heel” in our efforts to protect and defend our organizations from cyber-attacks. There is only so much that can be done from a technology standpoint to take the human element out of the equation. This point is not lost on cyber criminals. They continue to successfully exploit the human element to gain access to our networks and systems through Phishing and Social Engineering attacks; unpatched vulnerabilities in systems; and weak, reused, and poorly protected passwords. To back this up, recent reports identified that in 2021, 65% of cyber attackers leveraged spear phishing emails as their primary attack vector and 90% of all cyber-attacks started with someone clicking on a phishing link.
The key point here is that the cyber sharks are circling our families, friends, customers, and employees and we need to do what we can to help protect them from attack. Luckily, there are lots of things that we can do to protect them and to better arm them with the tools and knowledge they need to stay safe online – in both their personal and work lives.
Think Before You Click: Recognize and Report Phishing
As mentioned above, one of the primary avenues of attack for cyber criminals is Phishing. Phishing attacks trick end users into providing sensitive information over the phone, opening a malicious e-mail, or visiting a compromised website. We need to continue our efforts to educate our family, friends, and employees on the dangers of Phishing and we need to take steps to actively protect them against it. My anti-Phishing guidance includes:
- Be wary of phone calls requesting confidential information. It’s easy for an unauthorized person to call and pretend to be an employee of your organization or a business partner. If you are unsure if a caller is legitimate, hang up and call them back using the contact information you have for them or that you can obtain from an independent source.
- Be careful what you post on public sites and in social media. Be sure to enable privacy settings on social media sites to restrict access to any personal or sensitive information you have posted there. Attackers can use this personal information to masquerade as you and to create more believable Phishing e-mails containing personal details about your family, friends, and co-workers.
- Never click on links in an e-mail or text message from an unknown or untrusted source. Cyber attackers often use authentic looking links to trick you into visiting malicious sites and downloading malware that can be used to compromise your end system, steal data, and damage networks.
- Never open e-mail attachments from an unknown or untrusted source. Cyber criminals can embed a malicious executable file in an attachment (e.g., a word or PDF document) that is launched when you open the attachment.
- If anything about an e-mail or text message looks “phishy”, handle it properly. Mark the message as “junk,” block the sender’s e-mail addresses and phone numbers, and report the Phishing attempt to your corporate security team for analysis.
As cybersecurity professionals, we can also help to protect our employees by keeping their devices up to date with the latest software patches and by installing and maintaining anti-virus, endpoint detection and response, firewalls, and email filters on their end devices and accounts to minimize the amount of spam, junk mail, and Phishing e-mails that arrive in their inboxes. Multi-Factor Authentication (MFA) (discussed below) is also a very effective tool in blocking Phishing campaigns from succeeding – although attackers have adapted by tailoring their Phishing campaigns to specifically bypass MFA.
Use Strong Passwords and Enable Multi-Factor Authentication
While Phishing can be used to trick you into disclosing your password and logon details, attackers can also attempt to guess or steal your password and use it to gain access to your account. We make this easier for attackers if we use trivial, easily guessed passwords, reuse the same password across multiple accounts, or are sloppy in protecting our passwords. If you discover that one of your passwords is exposed through a data breach, you should assume that attackers will try to use the breached password, and variants of the breached passwords, on your other accounts to see if you have reused passwords. Here are my recommended best practices for passwords.
- Use hard-to-guess passwords. A password should have a minimum of 8 characters (I prefer at least 12) using 2 or more of the following: uppercase letters, lowercase letters, numbers and special characters. To make it easy for you to remember but hard for an attacker to guess, create a passphrase. For example, pick a phrase that is meaningful to you, such as “Charleston, SC is a great place to visit”. Using that phrase as your guide, you might use CSCiaGR8p2v! for your password. Where available, and particularly for your more sensitive accounts, use 2 Factor Authentication (2FA) to augment the security of your password.
- Use different passwords for different accounts. If one password becomes compromised, your other accounts are not compromised. I would suggest using a password manager to store and manage your passwords. This eliminates the need to remember and/or write down your passwords. It’s also important that you do not share your passwords with others or display them in public areas. It is ultimately your responsibility to safeguard your passwords!
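The rules above (minimum length, two or more character classes, no reuse across accounts, and the warning that attackers will try breached passwords and their variants) are concrete enough to enforce in code. The following is an added example, not code from the original post or from Fidelis, of a policy check that applies exactly those rules. The breached-password list is a constructed placeholder; a real deployment would consult a breach corpus or a breach-lookup service instead. The variant check is an assumption about how attackers derive guesses (lowercasing and stripping trailing digits and punctuation), chosen to illustrate the point, not a published algorithm.

```python
import re

# Constructed placeholder for passwords known to be exposed in breaches.
# A real check would use a breach corpus or a breach-lookup service.
KNOWN_BREACHED = {"password", "letmein", "summer", "charleston"}

CLASS_PATTERNS = {
    "upper": re.compile(r"[A-Z]"),
    "lower": re.compile(r"[a-z]"),
    "digit": re.compile(r"[0-9]"),
    "special": re.compile(r"[^A-Za-z0-9]"),
}


def character_classes(password):
    """Return the set of character classes (upper, lower, digit, special) present in the password."""
    return {name for name, pattern in CLASS_PATTERNS.items() if pattern.search(password)}


def normalize_variant(password):
    """Reduce a password to the base form a variant guess would start from.

    Assumed attacker behaviour for this example: try the breached password
    lowercased and with common trailing digits/punctuation appended or removed.
    """
    base = password.strip().lower()
    return re.sub(r"[0-9!@#$%^&*.?]+$", "", base)


def check_password(password, min_length=8, min_classes=2,
                   breached=KNOWN_BREACHED, previously_used=()):
    """Return a list of policy problems; an empty list means the password passes."""
    problems = []
    if len(password) < min_length:
        problems.append(f"shorter than {min_length} characters")
    classes = character_classes(password)
    if len(classes) < min_classes:
        problems.append(f"uses only {len(classes)} of 4 character classes (need {min_classes})")
    base = normalize_variant(password)
    if password.lower() in breached or base in breached:
        problems.append("matches a known breached password or a trivial variant of one")
    for old in previously_used:
        if normalize_variant(old) == base:
            problems.append("is a variant of a password already used on another account")
            break
    return problems


if __name__ == "__main__":
    # The passphrase-derived password from the post passes every rule.
    print("CSCiaGR8p2v!", check_password("CSCiaGR8p2v!"))
    # Length and classes look fine, but this is a trivial variant of a breached password.
    print("Summer2021!", check_password("Summer2021!"))
    # Reusing last year's password with the year bumped is still reuse.
    print("Tr0ub4dor&3", check_password("Tr0ub4dor&3", previously_used=["tr0ub4dor&2"]))
```

Note that “Summer2021!” satisfies the length and character-class rules yet is still rejected: complexity rules alone do not catch a breached word with a year and a symbol bolted on, which is why the post pairs them with the advice about breaches and reuse.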
More Tips for Better Cyber Safety
A few other things that we can all do to stay safe online include:
- Back up your computer and mobile phone regularly using a cloud-based backup service or a removable hard drive (that is disconnected from your device unless you are performing a backup). At a minimum, ensure you have a backup copy of your important documents, files, and photos. This allows you to recover your important information if you are struck by a Ransomware attack.
- Never leave your laptop or mobile phone unattended in public places and lock your screen when your device is not in use. Enable passwords, PINs, and/or biometric authentication features on your computer and mobile phone. This helps protect your data from unauthorized access and use should your device be lost or stolen. If your device supports remote erase (e.g., Find my iPhone), ensure that this feature is enabled and configured ahead of time so that you can erase your device if it is lost or stolen.
- Remember that Public Wi-Fi is a shared service and is not as secure as your home network. Avoid performing sensitive activities while on Public Wi-Fi (e.g., mobile banking) or use a VPN service to protect your sensitive communications while using Public Wi-Fi.
- Secure your home network. This is especially important now that we are all working from home and using our home networks to access our corporate networks.
- Change the default passwords on all your home network devices – routers, Wi-Fi access points, security cameras, game consoles, internet connected appliances, etc. Most consumer products are sold with a default password set by the manufacturer, and the default password will be the first one tried by an attacker. Change these default passwords to a hard-to-guess password.
- Update the firmware on all home network devices. Attacks against home networking devices are constantly evolving, and vendors make updates available on their websites to mitigate those attacks. Visit the vendor’s website for your devices to download and install the latest software and firmware.
Hopefully this is useful information that can be shared with your families, friends, and employees to allow them to be better protected online.
Stay Up to Date with Threat Geek
Enjoying Cybersecurity Awareness Month? Want to continue receiving timely and relevant information related to cybersecurity? Be sure to subscribe to the Fidelis Cybersecurity Threat Geek blog and follow us on LinkedIn!