INTRO
As an Information Security Professional, cyber security hygiene has been drilled in from day one. So much so that best practices have been brought over into personal daily life, which can only be a benefit right? Often, speaking to family and friends I pick up on areas for concern, so this week’s blog will focus on some of the key factors that both individuals and companies alike can take to help secure day to day operations.
Not sure where to start? At DigiF9 we combine highly skilled and dedicated software developers with experienced information security professionals to help safeguard your company operations. Get in touch today at sales@digif9.co.uk to let us know how we can help take your company to the next level.
WHY SECURITY IS ESSENTIAL
Having worked in the cyber security field for several years now, the need to secure accounts has always existed, but with the COVID-19 pandemic forcing more companies and individuals to go digital, the need has never been greater. In fact, over 20% of organisations have reported that they faced a security breach as a result of employees working remotely.
Often the prevailing thought is that a company or person is not important or big enough, or rich enough to be of interest to an attacker. The problem is that attackers are motivated by different means, some go for direct financial gain, others seek to obtain sensitive data and use for nefarious purposes, and others just wish to cause reputational damage and harm. As soon as your website is live, there are automated scans happening trying to find a quick and easy way in. The key point is that no one is exempt from being targeted, and all individuals should as a minimum follow basic security hygiene.
STRONG & UNIQUE PASSWORDS
Sorry, please choose a more complicated password.
Lets start off with the most common one thrown out there – we all know about it but ultimately it is always viewed as a hassle. How can I possibly remember that password? Most of the time, people choose a password that they are familiar with, have used before and has some relevance to them – maybe a family member or pet’s name, favourite band, or sports team.
The problem here is that if you can easily remember your password and it has some obvious relevance, chances are an attacker can piece this together. When attempting to brute force into an account, essentially trying different combinations of passwords to try and guess the correct information, attackers will use commonly used passwords, such as ‘Password123’. Not only this but they will also use variations and substitutions, such as ‘P@ssw0rd123’.
Following on from this, reused passwords are another area to be wary of. Once an account has been compromised, and exists on a leaked database of password combinations, attackers will attempt to use these credentials across multiple systems, to see if this password has been reused. The moral of the story here – take notice of that banner when you create a password warning you not to reuse passwords! Do not make it easy for the attacker.
MINIMISING LOGINS
How am I going to remember all of these complicated unique passwords?
This is the first question I get asked after advising on password security. Admittedly, some people have a powerful memory that can remember this sort of information with ease but lets think practically for a second here. There are two big options here – minimising logins and password managers.
Lets start with minimising logins. Often when you go to sign up for a new account you will be offered the chance to set up an account using your email or link an existing account. The most common are Google and Facebook, which offer Federated Identity. Essentially this allows you to create an account with this new service without actually creating login details – it ties to your existing login with that previous system.
This does not expose your Google or Facebook data to this new provider either – it just means that the new service logins you in by verifying your login details with the existing provider – limiting the amount of login details that you need to remember. Therefore, when you update your Google credentials, it will mean that all of your linked accounts will have their password updated too. A new feature in Apple’s iOS allows you to create an account through Apple, tying it to your AppleID in similar fashion.
PASSWORD MANAGERS
But what about services that don’t offer this?
Right, option two – password managers. These do exactly what they say on the tin – they manage all your passwords for you, so you only have to remember one password. Better still you can store other information in them, such as credit card details, secure notes, and other content that you want to keep private. There are a number of services in this space, personally I use NordPass and LastPass professionally, which offer similar benefits to each other. Not only do they store all of the information I need but offer robust security features that are discussed in this article, including multi-factor authentication, suspicious login flagging and dark web monitoring. When your email address or credit card details are exposed on the dark web, these solutions will flag it, alerting you to update your password details and secure your accounts. In fact, data breaches exposed 36 billion records alone in the first half of 2020!
MULTI-FACTOR AUTHENTICATION (MFA)
MFA is such a hassle.
Probably the statement I hear most in relation to this domain, admittedly I have my moments here too where I get frustrated by that extra step, but as with all areas of security, you will only know the true value when it goes wrong for you, by which point it is too late.
MFA adds a second layer of authentication to your account when you go to login, meaning that if your password is ever exposed or cracked, a second piece of information is required to get into the account. This can range from;
- Something You Have
A physical object you need to verify identity, such as a USB drive, bank card or key.
- Something You Know
Certain knowledge only known to the user, such as a PIN number, or security question.
- Something You Are
Something about the user’s characteristics, such as fingerprint or biometrics.
- Somewhere You Are
A key location such as your personal or professional address that you can only sign in from.
The most common types of MFA are text messages, and app codes generated from an app such as Microsoft Authenticator or Google Authenticator. Just think that extra few seconds to login to your account could make all the difference when it comes to security.
LOGGING & ALERTS
Alert! Something isn’t right!
Ensuring that your contact details are kept up to date is an essential way to ensure that you are warned when suspicious activity occurs on your accounts. New sign-ins, failed password attempts and sign ins from new locations are all examples of alerts that you should keep an eye on for your accounts, providing that the system supports it.
When you are notified, you should immediately login to your account and view the activity. Majority of systems will provide information about logins, such as a device name and location that the login came from as well as the time of login or attempted login. You can then verify if this was you, or someone else, and in the event it wasn’t you, change your password to secure your account. And make sure you have MFA enabled to add a second layer of protection!
ANTI-VIRUS & UPDATES
You have an important update that needs to be applied -> (SKIP)
We’ve all been there, right in the middle of an important task, a thrilling series or podcast and that pesky update box comes on the screen. Or an Anti-Virus alert saying the system needs a reboot. Either way, it’s a pain and we hit skip thinking that you will come back to it later.
Both anti-virus and updates work against known vulnerabilities with systems – providing protection for the device that they are on. But they can only do so much, and work against vulnerabilities their developers know about – meaning that they are constantly updated in response to new issues being discovered. So, the longer you choose to ignore an update or an anti-virus scan, the longer your device is unprotected against the latest known threats. Personally, I use Malwarebytes across all of my devices for anti-virus security. Admittedly I got a free premium subscription through my bank, but it does a good job across up to 10 devices, as well as through a browser plugin, blocking annoying ads, tracking software and malicious pop ups. These are must haves when it comes to device security.
PHISHING
No fishing here.
Phishing has been one of the largest growing attack vectors for some time in the cyber space – primarily because of the ease in which fake domains can be created and content copied, and attacks launched. The most common ones I receive on a near daily basis include fake Amazon and eBay orders, package deliveries from UPS and DPD, and requests to change my bank passwords. And these don’t just come through on email either, a growing trend has seen attackers target users over text messages, with fake messages coming from PayPal and other financial transaction warnings.
Whilst there are a number of tricks and techniques to use to spot phishing emails, the most effective way to ensure that you do not fall victim to a phishing scam is to make the following spot checks on emails and texts you receive;
- What request is being made?
Often a phishing message will be requesting you to take urgent action and click a link, update a password, or give them information – legitimate companies will never ask you to provide sensitive information over email or text message.
- Who is the target of the email?
Often phishing emails are sent out in bulk (think of a fishing net) to see what gets brought back. This involves the user of placeholders such as
“Dear <user>”
If you carefully read the email, you will likely find that it is addressed to your email address or a generic field, rather than your full name. However, more targeted attacks will likely include an accurate name.
- Where has the email come from?
A key step here is to inspect the email or phone number. Often attackers will use similar domains to try and deceive a user, such as “google-secure.com” instead of “google.com” or a misspelling like “micoosoft.com” instead of “microsoft.com”.
- Where is it trying to send you?
Hovering over a link but not clicking will show you where the intended link is trying to take you to, which will often be a separate domain and an obvious dodgy flag. You can also copy the link and use a link checker such as URLScan or PhishTank to see if it is what you believe it to be.
The safest method is to always login to the account separately and confirm if there are any notifications, messages, or alerts inside. If the company have legitimately contacted you, then there will also be a record inside your account.
PRIVACY SETTINGS
How did you know about that? It’s on your social media account…
Social media accounts are powerful facilitators of social content sharing, which is a fantastic feature for your intended audience, but are you oversharing? By making social media profiles completely public, you can provide an attacker with a wealth of information to use against you. If they are planning a phishing or social engineering attack, where they attempt to gain your trust using targeted information, an open social media account can help them do just that.
Here, they could potentially identify key people you contact, locations and activities that you do on a regular basis and use these as a means of deception. Ensure that you regularly visit and update your privacy settings for social media accounts to ensure that you are content with the information that you are displaying to the world.
CONCLUSION
This was by no means an exhaustive list, but several key areas that you can target in the immediate term to help secure your accounts. Never make the mistake of assuming that you aren’t interesting or rich enough to be targeted by an attacker, as different attackers have different motivations, and often things like phishing are done to a wide random audience to see what they can catch.
Looking for some advice about how you can improve your cyber security? Contact sales@digif9.co.uk today and lean on our years of experience toiling in the cyber security sector.
Don’t be another statistic.
