My general cyber suggestions!
Whether you work from home or play at home, you have to be aware of cybersecurity. Ninety-six percent of all targeted cyber attacks start with attempts to expose your personal information.
You should try to keep your personal information — name, social security number, driver’s license number, email, address, phone number, place of work, position — as private as possible.
If your data is exposed to a level that you are comfortable with (you trade off some privacy for convenience), hackers can still try to get your info through “social engineering,” getting users to release personal or business data or perform actions that they will only later realize are harmful.
A piece of data you disclose may seem inconsequential by itself, but this data can later be pieced together into an attack. Whether working from home or the office, know these attacks and recommended security practices.
Email Security
Ninety-seven percent of people cannot distinguish a real email from their bank from a sophisticated “phishing” (malicious) email. These emails may carry your bank’s or credit card company’s logo and ask you to log in to your account or respond to an alert by clicking a link in the email.
Common subject lines for other malicious emails reference healthcare products, dating apps and invites, adult products, and stock picks. If only .001% of users clicked on links in these emails, a spammer could make over $270,000 from one email sent out to millions of users.
But mobile users open 34% of phishing emails, and twelve percent of these targeted users click on the malicious link or attachment. These users are on the go, but should notice spam when they see it.
Clicking on email links can install malware (malicious software); trojans, spyware, ransomware, and other compromises are common.
The number of phishing emails that contain some form of ransomware has risen to 97.25% since 2016. (Ransomware is particularly nasty: after the victim clicks on an email link, attackers gain access to a network, encrypt the computers’ files, and demand a ransom to unlock the files.
Sometimes the ransom is demanded again after it has been paid; in other cases bad actors threaten to publish the files or sensitive data. Recent ransomware hits include the Texas-New York pipeline this month.)
Email Best Practices
– Double-check for unusual sender email addresses, dates, or language problems before opening an email.
– Do not open attachments or click any links from people you don’t know.
– Do not click if “tech support” sends you an email saying you need to reset your password by clicking “here,” even if the email uses your correct name and appears to come from someone in IT support whose name you recognize.
This could be another type of phishing attack, and 95% of all attacks on enterprise networks are caused by successful spear phishing.
– Do not respond to suspicious emails.
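As an added example (not code from the original post), here is a small Python checker that applies the practices above to a constructed sample email: it flags a Reply-To domain that differs from the From domain, a sender that uses a bank’s name on a domain that is not the bank’s, link text that shows one site while the link points to another, and “act now”/“reset your password” wording. The TRUSTED list and the sample message are assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse
# Brands you actually bank with and their real domains (assumed list; edit it).
TRUSTED = {"chase": "chase.com"}
URGENCY = ("act now", "reset your password", "verify your account", "suspended")
LINK_RE = re.compile(r'<a\s+[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)

def domain_of(header):
    """Lowercase domain of the address in a From/Reply-To header ('' if none)."""
    addr = parseaddr(header)[1]
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else ""

def phishing_indicators(raw):
    """Return the red flags found in one raw single-part message (empty = none)."""
    msg = message_from_string(raw)
    flags = []
    name = parseaddr(msg.get("From", ""))[0].lower()
    from_dom, reply_dom = domain_of(msg.get("From", "")), domain_of(msg.get("Reply-To", ""))
    if reply_dom and reply_dom != from_dom:  # replies silently go somewhere else
        flags.append(f"Reply-To domain {reply_dom} differs from From domain {from_dom}")
    for brand, real in TRUSTED.items():  # brand name used on a non-brand domain
        if brand in name + from_dom and from_dom != real and not from_dom.endswith("." + real):
            flags.append(f"sender claims to be {brand} but domain is {from_dom}, not {real}")
    body = msg.get_payload(decode=True).decode("utf-8", "replace")
    for href, text in LINK_RE.findall(body):  # link text shows one site, href goes to another
        href_dom = urlparse(href).hostname or ""
        shown = re.sub(r"<[^>]+>", "", text).strip().lower()
        shown_dom = urlparse(shown if "://" in shown else "http://" + shown).hostname or ""
        if "." in shown_dom and shown_dom != href_dom:
            flags.append(f"link text shows {shown_dom} but points to {href_dom}")
    hits = [p for p in URGENCY if p in (msg.get("Subject", "") + body).lower()]
    if hits:  # pressure to act and credential-reset wording
        flags.append("urgency/credential language: " + ", ".join(hits))
    return flags

# Constructed sample: a fake bank alert of the kind the post describes.
SAMPLE = """\
From: "Chase Bank Alerts" <alerts@chase-secure-login.com>
Reply-To: verify@mail-verify-center.net
Subject: Act now: unusual sign-in on your account
Content-Type: text/html

<p>Please reset your password at <a href="http://chase-secure-login.com/verify">www.chase.com</a>.</p>
"""
if __name__ == "__main__":
    for flag in phishing_indicators(SAMPLE):
        print("RED FLAG:", flag)
```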
Mobile Security
However, mobile users are not only vulnerable to email phishing. Eighty-one percent of all mobile attacks on iOS and Android devices are due to app vulnerabilities, instant messaging, and texts.
Hackers now communicate over local networks and the Internet and do not need physical access to the device.
User beware: eighty-nine percent of mobile vulnerabilities can be exploited only by users downloading malicious apps. Apps that are free can work as advertised, but can also send your data to the hacker’s server.
By far the most common issue with mobile devices is insecure data storage: users generally keep passwords, financial information, personal data, and correspondence in an unsafe manner.
Practice: You should not store your credit card, banking, or other personal information on your smartphone or tablet. Spyware – software that transmits your online behavior, personal data, or location – can also be downloaded along with apps without your knowledge.
Some apps could ask for broad permissions before use. Make sure you are OK with each of these permissions.
Other Attacks
Smishing: Cybercriminals also use texting to trick people to download malware, click on malicious links, or disclose sensitive information.
Practice: Anything that asks for your personal or financial information through a text is suspect; no matter how legitimate it looks, financial institutions and merchants will never contact you to make important changes like updating your account or to ask you to enter your account PIN or other data.
Watch out for “act now” wording, which pushes people to act rashly, and look out for suspicious numbers like “8000.” These numbers are used by scammers to hide their actual phone numbers.
Your devices, like Amazon Echo (Alexa), Google Home, smart light bulbs, cameras, thermostats, and appliances, can be exploited to expose physical information like the geolocation of your network, can act as entry points to your larger home network, or can be used as bots in larger attack campaigns on the Internet.
Practice: Create harder passwords, change default passwords, turn off/disable any unneeded features, only use legitimate applications from your device’s vendor, and update the device’s firmware and applications.
“Tech support” calls you and uses your real name, asking for details about another employee, or for you to perform some task on your computer.
Practice: Tell tech support you will call them back or ask them to come to your desk.
“Your bank” calls you and asks you to call to speak with a representative or you get a text message alert from the bank with a phone number to call.
The recorded voice says to enter your social security number or account number to be connected with a representative.
Practice: Do not click, do not call.
A fired employee may have sabotaged or created a vulnerability in a shared app to become active after a set time.
Practice: Contact security and your supervisor about any unusual behaviors.
At the Starbucks, a malicious user can intercept your browsing or communications. You may even see a network named “Starbucks Pro” or some such harmless-looking name.
That user may “record” your transactions (like a bank login) and use your session later to access your accounts. If you’re doing banking or other sensitive work, switch to mobile data and turn off your device’s wifi.
Practice: Do not connect.
Outside your house, a malicious user is driving by, scanning your home office network for openings.
Practice: Make sure your home router is set up with WPA2 AES security and a strong passphrase, and change your default admin password. Disabling the SSID broadcast (hiding the name of your network) is not considered a strong measure by itself.
Outside your house, a malicious user may have also told the world about your wireless network with chalk marks on your sidewalk. Be alert.
As you are walking in a parking lot, or even outside your house, you find an old-looking USB flash drive on the sidewalk.
Practice: Do not plug that in.
Your phone is getting unwanted pop-up messages, or your data may be stolen, through Bluetooth.
Practice: Disable Bluetooth when not in use.
Someone may have plugged a USB hardware device (dongle) into your USB port without your knowledge. This “keylogger” records all your keystrokes.
Practice: Occasionally check your physical computer ports at work or home.
At work, a colleague has set up his own wifi router without anyone knowing, a “rogue access point.” Perhaps he just wants to have his own network (against company policy), but he could be doing something malicious.
Practice: Do not connect, alert management.
Also beware of:
– Walking into work, another person rushes up behind you and asks that you hold the door open for them (maybe they “lost their badge”). You’ve just been “tailgated.”
– At work or a public place, someone is peering over your shoulder to get your data. “Shoulder surfing.”
– In line at the register, someone bumps you from behind. They’ve just tapped their phone against yours, accessing it using NFC, the protocol for some short-range electronic transactions.
– A waiter swipes your card in a device, a “skimmer,” and records your card for later use.
– Some men are jumping into the company dumpster and pulling out old desktop calendars, sticky notes, company procedural manuals and handbooks (“dumpster diving”).
– Two men are walking confidently through the corporate building and walk into the CFO’s office when he is out of town. When asked, they say they are with building services or IT.
They dump the office trash into a receptacle they are carrying or they make a call to IT from the office to ask for help logging in. They act like they belong, but are targeting an important person at the company.
– Phone tactics for dropping your guard: making you laugh, having a sensible reason for the action, portraying confidence, maybe even displaying anger and asking to speak to your supervisor (though they never call back), but then evading or diverting if asked specific questions.
Conclusion
In addition to the aforementioned measures, a comprehensive antivirus and malware detection software should help. Happy computing!
***
Tech Kahunas is a San Diego Managed IT Services provider which provides IT support and services like 24/7 monitoring, data backup and restore, and malware protection.
Tech Kahunas will help you Defend Your Island. Set up a free 30-minute Strategy Session with us now.