I’ve been fortunate to have spent the better part of the last 25 years in cybersecurity. I say fortunate because in our increasingly complex digital world, I’ve had a front seat to the ways in which technology has enabled businesses and people to achieve great things. I’ve also been witness, however, to how technology has changed the ways in which criminals carry out crimes. Being on the front lines has enabled me to better understand the risks inherent with technology and to build the defenses necessary to mitigate them.
Hackers, which is a broadly used term to describe many kinds of cyber criminals, employ a myriad of tactics to steal information and money from a wide range of victims. They use technology as well as social engineering to trick or deceive people and businesses into revealing information they would otherwise protect. While technology is employed to facilitate their campaigns, it’s the social aspect which is in many ways the key to their success.
Hackers have learned that they can get people to give up valuable information by triggering emotional reactions to events. There is a cyclical nature to what they do. Phishing emails, which many will be familiar with, are simply emails that contain links and attachments that contain viruses. The trick to getting a person to open one is based, in large part, on the messaging. During the Christmas holiday we see numerous phishing attacks using fake delivery notifications, fake credit card alerts, and fake online greeting card themes. Over the years these attacks have become very well crafted; long gone are the Nigerian Prince scams loaded with spelling errors.
The Covid-19 pandemic has become another event that has been abused by hackers to conduct their crimes. Hackers are using a number of campaigns designed to try to get people to give up information, download viruses or pay them sums of money to regain control of their computers. In recent weeks I have investigated hacks involving fake Covid-19 information emails, compromised Covid-19 websites and a string of stimulus-related phishing attacks. I have also had a number of issues surrounding the use of remote technologies including Zoom meetings.
The good news is, many of the news stories about hacking and the damage hackers cause can actually be greatly reduced if people just took some basic precautions. The challenge with technology is that the default settings of many of the digital services we use favor convenience over security. It’s possible to make many of these services very secure; it means, however, that each person will need to give up some of those conveniences for better protection. Let me start with the basics.
Passwords: Cybersecurity professionals have been going on for ages about passwords. Yes, they’re a pain. Yes, we all have too many. And yes, it’s hard to remember them all. But there is a solution: a password manager. Apple, LastPass, 1Password; there are plenty of tools out there that will not only help you manage your passwords but will actually create extraordinarily complex ones for you automatically. The catch: you need to create a really complex password to unlock the manager and access the sites it stores passwords for. Is it worth it? Sure, I’d rather spend an extra minute unlocking my password vault than an entire day changing the passwords to all my accounts.
Two Factor Authentication: A password alone, even a really good one, can still be compromised; the solution is to incorporate Two Factor Authentication. Two Factor Authentication adds another aspect to your login process. Services like Amazon, PayPal, and Google Mail all offer you the ability to turn on Two Factor Authentication. Using Two Factor Authentication makes it exponentially more difficult to break into your accounts. Even if you gave up your password to your Gmail account via a phishing email, the hacker would still need that second factor, and that can be a major difference. Check out twofactorauth.org for a list and instructions on how to set it up on your favorite internet services.
Be Careful When You Click: As I said in the beginning, phishing is the primary way hackers dupe people into giving up valuable information about themselves, downloading viruses and visiting malicious links that try to steal passwords and install malware. With Covid-19 there have been a number of phishing campaigns that use fake municipal information to lure you into clicking a malware link, as well as fake emails pretending to come from the government about stimulus payments. In general, if you receive an email, be cautious when clicking on links and attachments; they may be malicious.
Use Antivirus and Web Filters: Antivirus isn’t perfect, but it provides a great layer of defense. There are many good options out there, from Windows Defender to McAfee, Sophos and Intego. There are pluses and minuses to them all, but you should have something. For Web Filtering I am a big fan of OpenDNS, available at opendns.com. It will filter your connections to the internet and prevent access to a host of bad websites. There is a free version as well as a paid version that provides additional features.
Install Software Updates: The terms virus and malware are nothing more than fancy words for bad software. A virus isn’t anything more than a piece of software designed to do bad things. Like regular programs, or Apps as the hip kids say, a virus needs some conditions to work. In some cases, a virus relies on a weakness or vulnerability on your computer in order to work successfully. When operating system providers, like Apple, or Microsoft or Google, become aware of this, they release a software update. Unless you have automatic updates turned on, which I recommend, it’s up to you to do it. If you have an iPhone with a little red circle on the settings app it means there is an update, and I would suggest you perform the update. I would liken it to a recall by your car company. If you got a note in the mail saying there was a recall on your vehicle because of faulty brakes, would you have them fixed? When your computer tells you there is an update available, take a few minutes and do the update.
Search for security best practice with the tools you use. Zoom took a lot of heat recently for a host of “security” weaknesses. Now while there were some issues with their service, many of the issues you probably heard about in the news, like Zoom bombing, were avoidable. Think back to what I said earlier, software/solution providers often offer services with default settings that favor convenience over security. Zoom bombing was avoidable if people just took some simple precautions. Get into the habit of doing a Google or Bing search for “security best practices for….” with each new service you use. This will help you find those settings you may want to turn on to reduce the risk of your online experience being a bad one.
As many of us adapt to using more online services for work, family, school, and entertainment, it’s important to remember that the internet is both a wonderful tool and a powerful weapon. Being vigilant about how we use those tools can be the difference between a great online experience, a productive work day and the continuance of our children’s education, and countless hours trying to re-establish our identities. Covid-19 is just another opportunity for hackers to try and take advantage of people, but with some due care, each of us can make sure that they fail.
If you have any cyber security questions, feel free to contact me at email@example.com.
Photo at top: Chris Lucca of Easton, a cybersecurity professional, offers tips to keep data safe in an increasingly digital environment.