Recently, our IT Analyst attended an all-day cybersecurity conference. If you’re interested in keeping your data safe, here are some items of interest. NOTE: These notes are designed for the general public, not just IT professionals.
Universal Security Notes
80% of attacks are currently occurring through email. Phishing for credentials is the prime vector. This is usually done via an email trying to get you to click on a link, which will then ask you to enter your credentials. The link will most frequently take you to a web page that looks identical to a legitimate site. Think password reset for Gmail or Office 365, or a request to “verify” your banking info.
Far too many people continue to reuse usernames and passwords. As an illustration, let’s say that you use same username/password for your home Gmail account and your bank, and your Gmail gets compromised. Once you’re compromised, the hacker can monitor your email account and find out where you bank. The attacker then uses your reused username and password to log on to your bank account, and subsequently drains your bank account. The best way to deal with this is to use a password manager.
Multifactor Authentication is one of the most effective ways to prevent authentication attacks. (This is where you log on to a web site and are sent a text message to your cell phone, or something similar.)
Having personal information leaked in a third-party data breach following a hacking incident drastically increases the odds of being targeted. For example, if you were part of the Target hack, your chance of a subsequent attempt to hack your email went up drastically, because bad actors had information about you that they didn’t have before.
Consider separate email addresses for separate purposes. For example, have one email address for trusted senders (such as close friends, password resets and so forth,) and a separate email address for spammy stuff, such as coupon sites, business promotions, etc. The idea behind this is that mailing lists are often sold from business to business, and the more places that have your email account, the more likely it is that you will be phished.
You can go to https://haveibeenpwned.com to see if your credentials have been compromised in a known data breach. You can type in your email address, and the web site will search that email address against their database of known compromises. If your email address has been compromised, you can look at details of the compromise. If your password for that site was compromised, you should change that password immediately if you haven’t already done so. If you’re reusing that email address and password somewhere else, you should immediately change the password at the other places too. (Refer to the previous comment about reusing passwords.)
When you purchase new computer hardware, IoT items and so forth, you should immediately change the default username and password. This is incredibly important for sensitive network items like your home router, security cameras, or smart devices such as thermostats. If you purchase an electronics device such at a TV or refrigerator and don’t intend to use its internet capabilities, don’t hook it up to the network just because you can.
Keep your internet-connected devices updated. The majority of hacks occur on exploits that were patched long ago. On a similar note, if your device is no longer capable of receiving updates, it’s probably time to retire it or disconnect it from your network.
One of the latest trends in phishing is email chain hijacking. In this scenario, a bad actor will compromise an employee and monitor their sent emails. When the time is right, the bad actor will use the hacked account to do damage. For example, a bad actor compromises the account of a company executive, and then monitors an email chain about a contract negotiation. When the time is right, the bad actor sends an email using the exact email chain, directing the accounting department to pay the contract and wire the funds to the bad actor’s offshore banking account.
Bad actors are slowing down their exploit process. This makes intrusion more difficult to detect, and more damaging when the exploit occurs.
Mobile devices are more difficult to manage than traditional computers, because these devices may not be owned by the company, and because employees are more able to install apps on company-owned devices without authorization. Mobile devices are “blind spots” for the company from a security standpoint.
Bad actors are increasingly attempting to destroy or compromise backups before launching a malware attack. If data cannot be recovered from backup, then payment is the only method of recovery.
Alert fatigue is a growing problem. At the micro level, this can mean that security professionals are receiving too many alerts in a given day. At the macro level, this means that we are hearing about breaches so often that we’re growing numb to it.
Ongoing awareness training is an important tool in reducing risk, because people are always the weakest link. “Naming and shaming” when human failure occurs is counterproductive. The best approach for awareness training is to budget for fun activities and rewarding achievements.
One of the latest buzzwords is Integrated Risk Management. In a nutshell, a lot of risk management is done in a segregated fashion. (For example, IT and finance might perform completely separate risk assessments.) This can lead to holes and/or redundancies in a company’s overall risk management.
Businesses could do a better job of monitoring their external data sharing. For example, an employee intends to share a single SharePoint file with a client, but unintentionally shares an entire folder.
We are operating in a tri-polar world when it comes to privacy governance. The US is generally geared toward business. The EU is generally geared toward citizens. China is generally geared toward the government. Most other countries lean toward one of these three approaches. Software companies that want to develop software for international use need to be aware of all three types of governance, and understand their similarities and differences.
Privacy governance is going to continue increasing in importance, and there is an expected shortfall of privacy experts in the future, similar to how there is a shortage of security experts now. This will be especially prevalent in IoT. Privacy and security will need to be baked in to the code. This will become an additional factor as we move further into Web/Mobile/Cloud work.
4250 River Center Ct NE, Cedar Rapids, IA 52402
Monday Through Friday 8:00 AM – 4:30 PM
Due to COVID-19, building access or business hours may be restricted. Please call before visiting the office.