Staying Safe Online: The Connect4 Cyber Security Survival Guide

Today I’m publishing a guide that I hope will help improve your personal online security. This guide focuses on the basics – how to reduce the life-altering risks we face as we navigate the internet.

This is a Cyber Security survival guide. I’m going to start by giving you a clear picture of the current state of Cyber Security. Then I’m going to prioritize what you should be protecting. I’m going to focus on the biggest risks and I will explain how to reduce the risk for each category.

If you find this useful, please go ahead and share it extensively.

Current State of Cyber Security

Would you believe it if I told you that there is roughly a two-in-three chance that your data has already been stolen, and that it will be stolen again and again? Unfortunately, it doesn’t matter whether you use strong passwords and two-factor authentication, whether you are young or old, or which websites and businesses you deal with. At various points in your life your data will be stolen, and in all likelihood it will be stolen repeatedly.

Today, 64% of Americans have already had their data stolen through data breaches. That is almost two out of three people.

In the past three years we saw the first data breach of more than 1 billion user accounts, the Yahoo breach. That breach affected roughly 1 in 7 people on the planet. In the United States, the OPM breach exposed the background-investigation records of federal employees and contractors holding security clearances, including their fingerprints and personal data. Even our intelligence services can’t protect highly confidential personnel data.

Data has been stolen from private companies, intelligence agencies and the military. Even cyber security companies have had their data stolen.

How Data Is Stolen

Even if you use a strong password, two-factor authentication and other security best practices, your data will still be stolen, because some of the companies whose services you use will fail to protect their own networks and systems. Your security depends on theirs.

How to Prioritize What to Protect

If data breaches are the new normal and if you accept the premise that they are inevitable and unavoidable, the problem we need to solve in our personal and business lives becomes “How do I reduce the risk and the impact of a breach?”

It’s helpful to start this conversation by prioritizing what we need to protect. I’m focusing on the really important, high-level things. This is my prioritized list, so it’s possible your list would be in a different order.

  1. Information about us that could help criminals target us in the real world.
  2. Our financial means – savings accounts, ability to borrow, and our assets.
  3. Sensitive personal information – medical records, tax data and other private data.
  4. Our ability to earn an income through our reputation and our ability to provide products or services to people.

Preventing Criminals from Targeting Us in the Real World

In most developed countries it is rare to hear of individuals being targeted in the real world through information they have ‘leaked’ into the cyber realm. But in developing countries where there is a greater disparity of wealth, or if you happen to be a superstar or athlete in a developed country, it is worth taking these precautions:

  • Never show high value items (like jewelry or cars) online.
  • Share your location in general terms, and if you want to share a specific location, do it after you have left that location.
  • Don’t share information that may indicate when or how much you’ve been paid.
  • Consider making social profiles only available to people you have approved.
  • If you work for someone or some entity with access to highly confidential information, avoid disclosing who your employer is and what your job title is. This includes public websites like LinkedIn.

Protecting Your Financial Means

I’m not concerned with credit card fraud in this section. That risk typically falls on the card issuer or the merchant, and fraudulent transactions can be reversed. Instead, I’m focused on the kind of risk that can have a permanent impact on your financial well-being.

If an attacker is able to authorize a wire transfer from your savings account, they can empty your bank account and the funds may never be recoverable. This risk applies to savings accounts, checking accounts and investments like brokerage accounts and money market accounts.

If they are able to borrow in your name, it can permanently damage your credit score and your ability to borrow money to buy a home, for example.

I suggest taking the following steps to reduce the risk of large scale financial fraud:

  1. Make a list of your savings and investment accounts. Audit each account to determine how you prove your identity when transferring funds, and get a clear idea of what an attacker would need to do to commit fraud on each account.
  2. Implement any additional security provided by your banks or brokerages:
    1. Callback to a predetermined phone number before a transfer is executed.
    2. Authorization from multiple parties prior to transferring funds.
    3. Two-factor or hardware-based authentication.
    4. Limits on transaction size when you are not present in person.
    5. Real-time alerts.
  3. Monitor account statements weekly. Make this a routine.
  4. Place a credit freeze on your credit report if you are in the U.S. This restricts access to your credit report and makes it difficult for thieves to open accounts in your name.
  5. Place a fraud alert on your credit report – also if you are in the U.S. This forces businesses to verify your identity before issuing credit. An initial fraud alert lasted 90 days when this guide was written; since 2018 it lasts one year, and it can be renewed.

In all of the cases above, if you are able to choose a password, choose one that is long and complex (more than 12 characters, mixing uppercase, lowercase, numbers and other characters), make it unique to that account, and use a password manager to store it.

Protecting Your Sensitive Information

Sensitive data that you need to protect includes your medical data, tax data, and social security number. There are two surprisingly easy ways of protecting this information.

First, try to avoid creating data about yourself. If it doesn’t exist, you don’t need to protect it. You will frequently find forms that ask for your social security number or equivalent. Most of the forms don’t actually require it. Don’t provide it if it’s not required.

Second, the best way to protect data is to delete it. Once again, if it doesn’t exist, it doesn’t need to be protected. Don’t hoard sensitive data. When you do need to store and protect your sensitive data, encrypt it and use strong device passwords.

Protecting Your Ability to Earn an Income and Protecting Your Reputation

Most of us rely on some type of IT infrastructure to earn a living. Whether you are an architect, photographer or computer programmer, it is important that you secure the systems you use. Here are a few tips to secure your own systems and the services you use:

  • If you have a WordPress website, make sure that you have a malware scanner and firewall in place, and serve the site over HTTPS (TLS) rather than plain HTTP.
  • Use a password manager like LastPass to store and generate long, complex passwords that are different for each system you access.
  • Secure your phones, tablets, laptops and PCs with full-disk encryption where it is available, and use complex passwords or passcodes for device access.
  • Avoid putting sensitive data on a system unless you genuinely need it there; data that was never copied to a system doesn’t have to be protected on it.
  • Enable two-factor authentication on every system or service that offers it.
  • Keep backup drives in a secure place and destroy sensitive data that you don’t need. Never simply throw backup devices in the trash: either use secure wiping software or physically destroy them with a large hammer.

Protecting Your Online Reputation

If you use social media, never simply ‘Share’ or retweet someone else’s post until you have fully read it, understood it and also understand any context around it. If you accidentally share something that is highly controversial without fully understanding what you’re sharing, you may find your professional reputation severely damaged.

Secure any social media accounts that you own. If your account is hacked, it may be used for spam which could damage your online reputation.

Secure any websites that you own. If your website is hacked, it will damage your search engine ranking and infuriate your customers if their data is stolen. This can have a severe impact on your reputation. If you use WordPress, install Wordfence which will help prevent a hack.

When installing apps on your smartphone, avoid apps that are aggressively viral. Some apps gain access to your contacts list and can SMS, private message or email your contacts a message from you that suggests they also sign up for the service.

Cyber Security – Will Our Risk Decrease If We Have Fewer Devices?

This is a good question, but I don’t think it’s primarily a cyber security question. There is definitely a correlation between the number of devices you have to manage and your potential risk, and there may be a cost saving in giving people one laptop instead of multiple devices, since fewer machines need to be serviced. But I think your actual cyber security risk goes up when you give people mobile devices: laptops get used on untrusted networks and in unsafe places, and that versatility might actually increase your security problems.

The real answer is the educational one. If people make the right choices, then cyber security risks can be minimized.

Here are the most common weaknesses to address when you create an action plan to strengthen your company’s defenses against hackers:

1) Failure to cover cyber security basics – software and operating system updates

2) Not understanding what generates corporate cyber security risks

3) Lack of a cyber security policy

As part of their cyber security policies, companies should:

  • identify risks related to cyber security
  • establish cyber security governance
  • develop policies, procedures and oversight processes
  • protect company networks and information
  • identify and address risks associated with remote access to client information and funds transfer requests
  • define and handle risks associated with vendors and other third parties
  • be able to detect unauthorized activity.

4) Confusing compliance with cyber security

5) The human factor – the weakest link

6) Bring Your Own Device (BYOD) Policy and the Cloud

7) Funding, talent and resource constraints

Think of this security layer as the immune system of your company that needs funding and talent to ensure that you don’t experience severe losses as a consequence of cyber-attacks. A good approach would be to set reasonable expectations towards this objective and allocate the resources you can afford.

8) No information security training

Employee training and awareness is essential when covering your bases in terms of information security.

A look at the file types most often used to deliver malware and trigger attacks that lead to data leakage tells you what actionable advice to include in your employees’ cyber security training.

9) Lack of a recovery plan

Being prepared for an attack means having a thorough plan both for preventing it and for minimizing the damage if it takes place.

10) Constantly evolving risks

Polymorphic malware is harmful, destructive or intrusive software (a virus, worm, Trojan or spyware) that constantly changes its own code, making it difficult to detect with signature-based anti-malware programs. That is why your company may need an extra layer of protection on top of the antivirus solution.

The first line of defense should be a product that acts proactively: one that identifies malware, blocks access to attacker-controlled servers, stops data leakage, and also keeps your systems protected by patching the applications most often exploited when out of date, such as Flash and Java.

Ten Tips For Spotting Phishing Emails

Every day millions of phishing emails are sent to unsuspecting victims all over the world. I know, because five or six land in my own spam folder every day. While some of these messages are so outlandish that it’s obvious they are fraud, others can be more convincing. So how do you tell the difference between legitimate emails and phishing emails? Unfortunately there is no single way, but this post provides ten tips for spotting phishing emails.

#1 URLs contain a misleading domain name

People who launch phishing scams often rely on victims who don’t know much about technology or how DNS domain names are structured. The last part of a domain name is the most telling, because the hierarchy is read from right to left. For example, info.gabeseiden.com is a child domain of gabeseiden.com, because gabeseiden.com appears at the end of the full name (on the right-hand side). Conversely, gabeseiden.com.maliciousdomain.com clearly did not originate from gabeseiden.com, because the reference to gabeseiden.com is on the left side of the name and the domain that was actually registered is maliciousdomain.com.

This happens all the time, especially when the phisher uses a trusted name like Microsoft, Apple or even the IRS. The resulting domain name looks something like this: Microsoft.maliciousdomainname.com.

#2 The message is poorly written with grammar and spelling mistakes

Whenever a company sends out a message on behalf of the company as a whole, the message is usually reviewed for spelling, grammar, and legality. So if a message is filled with poor grammar or spelling mistakes, it probably didn’t come from a major corporation’s legal department.

#3 The message asks for personal information

This is usually a major red flag. No matter how official an email message looks, it’s always a bad sign if the email asks for personal information. Your bank or credit card company already knows your account number and Social Security number and has no reason to ask you to email them.

#4 The message contains a mismatched URL

One of the first things to check in a suspicious email is any embedded URL. The URL in a phishing message will often appear perfectly valid, but if you hover your mouse over the link, most mail clients (Outlook included) show the address it actually points to. If that address differs from the one displayed in the text, the message is probably fraudulent or malicious.
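
The two domain checks above (tip #1 and tip #4) can be run automatically against every link in a message body. The Python below is an added example written for this post, not code from the original; it assumes a hand-made list of impersonated brands and uses a tiny stand-in for the Public Suffix List (a real tool would load the full list), and the sample HTML message is constructed for the example.

```python
"""Flag suspicious links in an HTML email body (tips #1 and #4)."""
from html.parser import HTMLParser
from typing import Dict, List, Optional, Tuple
from urllib.parse import urlparse

# Assumed list of brands a phisher is likely to impersonate.
WATCHED_BRANDS = ("microsoft", "apple", "irs", "paypal", "ebay")

# Tiny stand-in for the Public Suffix List; a real tool would load the full list.
TWO_LEVEL_SUFFIXES = {"co.uk", "com.au", "co.jp"}


def registrable_domain(host: str) -> str:
    """The part of a hostname that was actually registered (tip #1: read from the right).

    info.gabeseiden.com                 -> gabeseiden.com
    gabeseiden.com.maliciousdomain.com  -> maliciousdomain.com
    """
    labels = host.lower().rstrip(".").split(".")
    if len(labels) < 2:
        return host.lower()
    if len(labels) >= 3 and ".".join(labels[-2:]) in TWO_LEVEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def host_of(url_or_text: str) -> str:
    """Hostname from a URL, or from bare link text such as 'www.paypal.com/signin'."""
    text = url_or_text.strip()
    if "://" not in text:
        text = "http://" + text
    return (urlparse(text).hostname or "").lower()


def brand_misplaced(host: str) -> Optional[str]:
    """Tip #1: a watched brand used as a label to the LEFT of the registrable domain."""
    owner = registrable_domain(host).split(".")[0]
    for label in host.lower().rstrip(".").split("."):
        for brand in WATCHED_BRANDS:
            # Compare whole labels (and hyphen-separated parts) so 'first' does not match 'irs'.
            if brand in label.split("-") and brand != owner:
                return brand
    return None


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> in the message body."""

    def __init__(self) -> None:
        super().__init__()
        self.links: List[Tuple[str, str]] = []
        self._href: Optional[str] = None
        self._text: List[str] = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def suspicious_links(html: str) -> List[Dict]:
    """One finding per link that trips tip #1 (misplaced brand) or tip #4 (text != target)."""
    collector = _LinkCollector()
    collector.feed(html)
    findings = []
    for href, text in collector.links:
        href_host = host_of(href)
        reasons = []
        brand = brand_misplaced(href_host)
        if brand:
            reasons.append(f"'{brand}' sits left of the real domain {registrable_domain(href_host)}")
        # Tip #4 only applies when the visible text itself looks like a URL or hostname.
        text_host = host_of(text) if text and " " not in text and "." in text.strip(".") else ""
        if text_host and registrable_domain(text_host) != registrable_domain(href_host):
            reasons.append(f"text shows {text_host} but the link goes to {href_host}")
        if reasons:
            findings.append({"href": href, "text": text, "reasons": reasons})
    return findings


# Constructed sample message for the example; not a real email.
SAMPLE_EMAIL = """
<p>Your account has been limited. Please verify at
<a href="https://www.paypal.com/signin">https://www.paypal.com/signin</a>,
<a href="http://microsoft.maliciousdomain.com/login">Microsoft account</a> or
<a href="http://account-verify.example.net/x">https://www.paypal.com/</a>.</p>
"""

if __name__ == "__main__":
    for finding in suspicious_links(SAMPLE_EMAIL):
        print(finding["href"], "->", "; ".join(finding["reasons"]))
```

The comparison for tip #4 is made on the registrable domain rather than the whole hostname, so www.paypal.com and paypal.com count as the same owner, while a link whose text shows paypal.com but whose target sits under example.net is reported. The first link in the sample is legitimate and produces no finding; the other two trip tip #1 and tip #4 respectively.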

#5 The message looks too good to be true

If you receive a message from someone unknown to you who is making big promises, the message is probably a scam.

#6 You’re asked to send money to cover expenses

You might not get hit up for cash in the initial message. But sooner or later, phishing criminals will ask for money to cover expenses, taxes, fees, or something similar. If that happens, you can bet that it’s a scam.

#7 You didn’t initiate the action

If you get an email congratulating you on winning the lottery, but you never bought a ticket, you can bet that it’s a scam. If you didn’t do something to initiate the action, it is probably a scam.

#8 The message makes unrealistic threats

Most phishing scams try to trick people into giving up cash or sensitive information by promising instant money. However, some phishing scams use intimidation to scare victims into giving up information. If a message makes unrealistic threats, it’s probably a scam. Let me give you an example.

I once received an email from what looked like the IRS. Everything looked legitimate except for one thing. The letter said my account had been compromised and that if I did not submit a form (which asked for my social security number) along with two picture IDs, my assets would be seized.

I knew this was a scam because the IRS doesn’t send out emails like this. The IRS sends out its threats via snail mail.

#9 The message appears to be from a government agency

Government agencies in the U.S. don’t normally use email as an initial point of contact.

#10 Something is fishy

If you receive a message that seems suspicious, it’s usually in your best interest to avoid acting on the message. On the off chance that it’s a real message, usually the real person will find another way to contact you.

How to stay ahead of cyber criminals

It’s no secret that cyber attacks are becoming increasingly sophisticated, stealthy and, as a result, commonplace. We have seen high-profile security breaches at Target, JP Morgan, Home Depot and the US Government. Attackers can infiltrate practically any “secure” environment and move around undetected for months at a time while they work out the best way (for them) to carry out their attack. So the question for us is: how do we stay ahead of cyber criminals?

This is ultimately a cat and mouse game and it’s clear that the cyber criminals play the cat in this game. As cyber attackers become increasingly aware of cyber security measures, both large and small organizations must be on the defense and continuously learn about potential warning signs. Here are a few helpful tips to help you stay ahead of cyber attacks and reduce the risk of data breaches.

Constant Change

There’s one thing that cyber criminals and the rest of us have in common – none of us like change. We want to keep systems and processes static because it makes life and work easier. Attackers love static systems and processes because it makes it easier for them to study their subjects, learn the ins and outs, and figure out exactly how they can compromise your data. If you want to make it difficult for sophisticated cyber attackers, create a culture that thrives on change.

Monitor for Usage of Irrelevant Information

Cyber criminals do their homework before launching an attack. Sometimes their data is misinformed or incomplete. You should monitor for activity that doesn’t make sense for your organization.

A typical example of an irrelevant information scenario is the “former employee” situation. In this case, an attacker targets a specific user from your list of employees, not knowing that the person no longer works for your organization. Because the employee no longer works for you, that employee should not be taking actions within the company’s network and the network shouldn’t be contacting them. Spotting this suspicious activity can help you prevent data breaches.
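
A concrete way to watch for the former-employee scenario is to join authentication logs against your offboarding roster, so that any login attempt for a departed account, successful or not, raises an alert. The Python below is an added example for this post, not code from the original: the sshd-style log format, the roster and the log lines are all constructed for illustration, and the usernames and IP addresses are not real.

```python
"""Detect authentication activity for accounts that should no longer exist."""
import re
from collections import defaultdict
from datetime import datetime, timezone

# Constructed offboarding roster (assumed format): username -> last working day, UTC.
FORMER_EMPLOYEES = {
    "jdoe": datetime(2017, 3, 31, tzinfo=timezone.utc),
    "asmith": datetime(2016, 11, 15, tzinfo=timezone.utc),
}

# Constructed sample auth log lines in an sshd-like format; not real data.
SAMPLE_LOG = """\
2017-05-02T08:14:03Z vpn1 sshd[1201]: Accepted password for bwayne from 10.0.4.12 port 51022
2017-05-02T08:15:41Z vpn1 sshd[1207]: Failed password for jdoe from 203.0.113.9 port 40211
2017-05-02T08:15:44Z vpn1 sshd[1207]: Failed password for jdoe from 203.0.113.9 port 40211
2017-05-02T08:16:02Z vpn1 sshd[1209]: Accepted password for jdoe from 203.0.113.9 port 40219
2017-05-02T09:01:10Z vpn1 sshd[1300]: Failed password for invalid user asmith from 198.51.100.7 port 33001
2017-03-30T17:20:00Z vpn1 sshd[0900]: Accepted password for jdoe from 10.0.4.20 port 50001
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>\S+) port \d+$"
)


def parse_line(line):
    """Parse one log line into a dict, or return None for lines that don't match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return rec


def former_employee_activity(log_text, roster=FORMER_EMPLOYEES):
    """Group post-departure auth events by (user, source IP).

    Returns {(user, src): {"failed": n, "accepted": n, "first": ts, "last": ts}}.
    Events dated on or before the user's last day are normal and ignored.
    """
    hits = defaultdict(lambda: {"failed": 0, "accepted": 0, "first": None, "last": None})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["user"] not in roster:
            continue
        if rec["ts"] <= roster[rec["user"]]:
            continue  # still employed at the time
        summary = hits[(rec["user"], rec["src"])]
        summary["failed" if rec["result"] == "Failed" else "accepted"] += 1
        summary["first"] = rec["ts"] if summary["first"] is None else min(summary["first"], rec["ts"])
        summary["last"] = rec["ts"] if summary["last"] is None else max(summary["last"], rec["ts"])
    return dict(hits)


def severity(summary):
    """A successful login on a departed account means an orphaned credential is live
    (critical); failed attempts alone mean someone is working from a stale list (high)."""
    return "critical" if summary["accepted"] else "high"


if __name__ == "__main__":
    for (user, src), s in former_employee_activity(SAMPLE_LOG).items():
        print(f"[{severity(s)}] {user} from {src}: {s['failed']} failed, "
              f"{s['accepted']} accepted, {s['first']:%Y-%m-%d %H:%M} .. {s['last']:%H:%M}")
```

On the sample data the login for bwayne is ignored (not on the roster), the March login for jdoe is ignored (before the last day), and two alerts come out: a critical one for jdoe, whose old password still works from 203.0.113.9, and a high one for asmith, whose account no longer exists but is still being tried. The same join works against any authentication source once you have a parser for it; the roster is the part worth keeping current.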

Avoid Alarm Fatigue

Security appliances are more sensitive than ever to better detect potential threats, but the sharp increase in alerts leaves security teams running ragged.

It is impossible to launch a full-scale investigation every time your security appliances send a notification. Instead, you must monitor your organization for signs of alarm fatigue and resolve them as soon as possible. If you stop monitoring for serious notifications, you are sure to miss the real issues as they come up.

Invest in Cyber Security Education

Human error is consistently reported as a leading cause of data loss. Cyber security training and education teaches employees the importance of changing passwords and watching for suspicious activity, which cuts down on the number of human errors.

One major part of training employees for better cyber security is preparing them for phishing schemes. In phishing attacks, cyber criminals send out seemingly legitimate emails, mimicking companies like PayPal or eBay, in an attempt to lure readers into clicking a fake link. While the link seems real and the landing page is set up with real logos, the site is built to funnel sensitive data to the criminals. The email might mention an issue with the user’s account and lead them to a site that requests PINs, credit card data and more. These can be tough to spot, but there are warning signs to look out for.

All of the security solutions in the world can’t protect your network if your workforce is willingly (but unknowingly) giving cyber criminals access to it. Creating a truly secure workforce requires ongoing education and training.