One industry expert was heard to say that, looking at all the high-profile security attacks, he wonders how many of those incidents were actual brute-force attacks by “cyber militia or hacktivists” and how many were really carried out through social engineering.
Internet or IT security has had high visibility among many of us recently, whether because of the corporate requirement to implement two-factor authentication or because of high-profile hacking incidents such as those at Sony and JPMorgan and the infamous attack on iCloud.
Computer attackers can be categorized along two dimensions: skill and focus. Most attacks are both low-skill and low-focus. These low-end attacks include the millions of random spam emails and the thousands of scans of our corporate network every day. With this type of attack, the attackers simply hope to get lucky: that a “port” was unintentionally left open, or that somewhere along the way someone will fall for the ruse.
Another type of attacker is “low focus, but highly skilled.” This is a more serious type of attack, using techniques such as “zero-day” vulnerabilities (zero-day vulnerabilities are those malware or viruses which have just been released and have not yet been recognized by antivirus or security programs). This is the type of attack which affected both JPMorgan and Target.
But the most serious type of attacker is “high skill and high focus,” sometimes called a “targeted attack.” These attacks are carried out by highly skilled people who have a specific target; a good example was the Sony attack.
Statistics show that data loss from cyber attacks is achieved primarily through social engineering, not brute-force attacks on a data center. So the rest of this article focuses on your role in helping to protect corporate data.
Phishing
The most prevalent attack on the individual is what we call phishing.
Phishing (pronounced “fishing”) is a kind of identity theft that uses fraudulent websites and false emails, in which perpetrators attempt to steal your personal data – most commonly passwords and credit card information.
Criminals gain this information by sending you links to sites that look like sites you trust, such as your online banking provider or social networks, and steal your data as you enter it.
Here are some tips to keep in mind:
A. Don’t submit, go direct. Be very wary of emails asking for confidential information – especially information of a financial nature. Legitimate organizations will never request sensitive information via email; instead, they ask you to log in to their site and provide the information there.
B. Don’t panic. Phishers like to use scare tactics, and may threaten to disable an account, charge you fees or delay services until you update certain information. If your bank or credit card company sends a warning message saying that your account has been compromised and you need to click through an emailed link to “verify your account information,” DON’T. Banks and credit card companies don’t communicate that way.
C. Don’t click. Never use links in an email to connect to a website unless you are absolutely sure they are authentic. Instead, open a new browser window and type the URL directly into the address bar. A phishing website will often look identical to the original, so check the address bar to confirm that you are actually on the site you intended to visit.
D. Don’t try to “win” anything. Seriously! Phishing is done with more than emails. Contests are big: “Win a free iPad!” or “Get a $500 Gift Card!” The come-ons are all over the web. All you have to supposedly do to get this awesome gift is click on a link that is likely to take you to a toxic site.
E. Get security. Your corporate laptop should have antivirus software installed on it. Additionally, you can install a browser add-on like Web of Trust (it’s free) which automatically blocks known toxic or dangerous websites.
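To make tip C concrete, here is a small Python checker, added for this article and not part of the original, that applies the same “look at the address bar” reasoning to a link: it accepts only HTTPS links whose real hostname is the trusted domain or a subdomain of it, and explains common lookalike tricks otherwise. The trusted domain examplebank.com and the sample links are constructed, not real sites.

```python
from urllib.parse import urlsplit

# Constructed sample links (not from the original article); examplebank.com is hypothetical.
SAMPLE_LINKS = [
    "https://www.examplebank.com/login",
    "http://www.examplebank.com/login",
    "https://www.examplebank.com.secure-login.example/",
    "https://www.examplebank.com@phish.example/",
    "https://www.xn--examplbank-9vd.com/",
]


def check_link(url: str, trusted_domain: str) -> str:
    """Return "ok" when url points at trusted_domain (or a subdomain of it) over HTTPS,
    otherwise a short reason describing what in the address bar should worry you."""
    parts = urlsplit(url.strip())
    host = (parts.hostname or "").rstrip(".")  # .hostname drops userinfo/port and lowercases
    trusted = trusted_domain.lower().rstrip(".")
    if parts.scheme != "https":
        return "not https"
    if not host:
        return "no hostname"
    if "@" in parts.netloc:
        # The browser ignores everything before "@"; the real host is what follows it.
        return "userinfo trick: the real host is " + host
    labels = host.split(".")
    if any(ord(ch) > 127 for ch in host) or any(label.startswith("xn--") for label in labels):
        # Non-ASCII or punycode labels can render like a familiar name (homograph lookalikes).
        return "lookalike (non-ASCII/punycode) host: " + host
    if host == trusted or host.endswith("." + trusted):
        return "ok"
    if trusted in host:
        # e.g. examplebank.com.secure-login.example: the familiar name is only a prefix.
        return "trusted name embedded in another domain: " + host
    return "unexpected host: " + host


if __name__ == "__main__":
    for link in SAMPLE_LINKS:
        print(f"{link:55} -> {check_link(link, 'examplebank.com')}")
```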
Password
Aside from phishing attacks, where you are tricked into sharing or voluntarily giving away your password, here are some basic tips on creating and using passwords.
1. Do not use a common password amongst websites.
Let’s face it: on a daily basis you probably have to remember anywhere from 3 to 8+ passwords to access your laptop, your email, Success Factors, Oracle, Facebook, Twitter, and so much more. So there is a very strong tendency to reuse passwords. DON’T!
Once one of those websites is compromised, hackers tend to try the same password on other websites as well. Effectively, the security of all your accounts depends on the weakest link.
2. Remember the Underwear Meme
The saying goes like this: Passwords are like underwear. You should change them often (okay, maybe not every day). Don’t share them. Don’t leave them out for others to see (no sticky notes!).
a. Use strong passwords
To create a strong password, use a string of text that mixes numbers, lowercase and uppercase letters, and special characters. It should be at least eight characters long, preferably many more. A lot more. The characters should be random, and should not form words, alphabetical sequences, or patterns from your keyboard layout.
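As an added illustration of the rules above (example code written for this edit, not from the original article), the Python checker below tests a candidate password against each rule: length, character-class mix, keyboard-row and alphabetical runs, and a tiny constructed common-word list, plus a naive entropy estimate. The 50-bit threshold and the word list are assumptions; the minimum length of eight comes from the article.

```python
import math
import string
from typing import List

KEYBOARD_ROWS = ("qwertyuiop", "asdfghjkl", "zxcvbnm", "1234567890")
ALPHABET = string.ascii_lowercase
# Tiny constructed word list; a real check would use a large breached-password list.
COMMON_WORDS = {"password", "welcome", "letmein", "qwerty", "monkey"}
MIN_LENGTH = 8   # the article's rule
MIN_BITS = 50    # assumed threshold for the naive entropy estimate below


def has_run(pw: str, sequence: str, length: int = 4) -> bool:
    """True if any window of `length` characters in pw appears, forwards or backwards, in sequence."""
    low = pw.lower()
    for i in range(len(low) - length + 1):
        window = low[i:i + length]
        if window in sequence or window in sequence[::-1]:
            return True
    return False


def check_password(pw: str) -> List[str]:
    """Return the list of rules the password breaks; an empty list means it passes every check."""
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    classes = (string.ascii_lowercase, string.ascii_uppercase, string.digits, string.punctuation)
    used = [c for c in classes if any(ch in c for ch in pw)]
    if len(used) < len(classes):
        problems.append("does not mix lowercase, uppercase, digits and special characters")
    if any(has_run(pw, row) for row in KEYBOARD_ROWS):
        problems.append("contains a keyboard-layout pattern")
    if has_run(pw, ALPHABET):
        problems.append("contains an alphabetical run")
    if any(word in pw.lower() for word in COMMON_WORDS):
        problems.append("built from a common word")
    # Naive entropy: log2(pool size) per character. This is an upper bound, since
    # patterns and dictionary words make the real guessing effort far smaller.
    pool = sum(len(c) for c in used)
    bits = len(pw) * math.log2(pool) if pool else 0.0
    if bits < MIN_BITS:
        problems.append(f"estimated strength only {bits:.0f} bits (want {MIN_BITS}+)")
    return problems


if __name__ == "__main__":
    for candidate in ("Kr0yw3^.", "Password1!", "qwerty12", "abcdEFG1!"):  # constructed samples
        print(candidate, "->", check_password(candidate) or ["ok"])
```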
b. Multiple sites
Our first tip on passwords was not to use the same password for different sites. We then showed you one way of strengthening your password. But it’s still madness to try to remember individual passwords for multiple sites.
One more trick is to append a part of the site name to your strong password, at the beginning or at the end. For example, if I use the strong password Kr0yw3^. as my base, my Facebook password could be Kr0yw3^.FB and my Twitter password Kr0yw3^.TWTR.
c. Don’t write it down
Well, at least that’s the best practice. But even I am challenged to remember all of these. If you must write it down, here are some final tips:
· If you have to write it down, don’t write “password”, “pwd” or “pword” beside it.
· Or write down an extra character which only YOU know is not really part of the password. Conversely, you can leave it one character short, as long as you remember what that last character is.
These tips and tricks are not the only solutions, and neither are they meant to be 100% foolproof. But they definitely cut down the security risk tremendously.
Privacy is not for the passive. Everyone’s security consciousness is our best weapon.
I.T. FUN FACTS
When we used to run our own anti-spam filter, we would reject as much as 95% of incoming mail as junk or spam; the tons of email you get is only 5% of the total email we receive daily. Today this is handled automatically for us by Google. We literally have thousands of people scanning our network every day, checking whether we have left a window or backdoor open so that they can infiltrate our network.
•••
Ever wonder what the difference between ‘phishing’ and ‘spearphishing’ is? What about ‘whaling’?
Phishing attacks are generally exploratory attacks aimed at a broad audience. Spearphishing is a targeted version of phishing that usually focuses on a specific company, combines tactics such as sender impersonation and personalization, and is much more sophisticated. Whaling is very similar to spearphishing, but is a more specific form of attack that targets corporate upper management with the intent of obtaining confidential company information.