Threat Intelligence Blog

Posted December 13, 2018

Hackers are making a list, checking it twice, and they’re going to find out if you’ve been naughty or nice… with your cyber habits. Around the holidays we reflect on our actions from the past year wondering if we’ll end up on the Naughty or Nice list, and cybercriminals are evaluating the same thing. However in their case, they are looking for those of us who haven’t secured our data, networks, and other confidential/sensitive information, so they can exploit these security vulnerabilities.

When it comes to good cyber hygiene habits, we often put off the basics like updating our passwords or patching our systems because it isn’t convenient – and that’s how the bad guys get you. Taking a couple of minutes out of your day to keep up with your online security may seem like a pain, but it is the best way to make sure you’re staying safe and will pay off in the long run.

This holiday season keep yourself and your organization from being an easy target for cybercriminals. To help you determine how secure you are, we put together a cheat sheet of good and bad cyber habits.  See if your cyber actions – or inaction – made the Cyber Naughty and Nice list!

The Nice List:

1. Leverage online privacy settings

Social media is a great way to share your thoughts, important events, and pictures. But there is such a thing as sharing too much. Though we post online to share things with friends, family, and people with similar interests, do you know exactly what you are sharing?

Unless your privacy is on the highest setting, strangers can see your personal posts, making it easier to determine your location and other personal information that could help them develop a targeted a phishing campaign against your, or learn something like your mother’s maiden name to crack a privacy question.

2.  Download from trusted sources

Downloading files is something we all do every day and often don’t think twice about. At work, we download word documents, PDFs, and other files. Even at home we frequently download music, videos, and games. How can we make sure that we are downloading the files we think we are downloading?

  • Ensure that you have updated all antivirus and antispyware software and your firewall is running before starting your download.
  • Download executable files (.exe) with extreme caution. These are files used in programs to run your computer. However, they are commonly used in viruses.
  • Be wary about downloading anything, as people can call their files anything they like.

 

3. Turn off your geolocation on social media

Making headlines recently was a string of celebrity home burglaries that weren’t as random as they appeared to be. Rihanna, Robert Woods, and Yasiel Puig were all targeted based on their social media postings, touring, or travel schedules.

When posting on social media some platforms automatically include your location or it can be an option. Always think twice before posting with your location, it can make it a lot easier for people to commit crimes like stalking or burglary if they know exactly where you are and when you are not at home.

 

4. Verify who you are talking to online

We might not always be talking to who we think we are, whether on social media, a networking site, or even email. An increasing number of attack methods are utilizing emotional connections/information found online to target unsuspecting victims.

Angler Phishing is a newer method taking social media by storm. The attack targets people reaching out for customer support on social media by engaging with them using a fake customer service account. Cybercriminals try to coax potential victims into giving them their account credentials or other personal data. To make sure you don’t fall for this scam, take these steps before giving away sensitive information to a customer support accounts:

  • Go to the official company website and reach out to their support from there. Also look for an official social media account that you can reach out to for support.
  • Look for account verification before engaging with a support account, verified accounts use a blue badge with a check mark to identify they are verified.

Business Email Compromise (BEC) is another exploit of which to be weary. In a BEC scam, the attacker gains access to a corporate email account and spoofs the owner’s identity to defraud the company or its employees, customers, or partners for sensitive information or money. These emails can be difficult to spot, so what are some ways you can “spot the spoof”?

  • Create intrusion detection system rules that flag e-mails with extensions that are similar to company e-mail. For example, legitimate e-mail of abc_company.com would flag fraudulent e-mail of abc-company.com.
  • Create an e-mail rule to flag e-mail communications where the “reply” e-mail address is different from the “from” e-mail address shown.
  • Color code virtual correspondence so e-mails from employee/internal accounts are one color and e-mails from non-employee/external accounts are another.

The Naughty List:

1. Re-using/Weak passwords

A survey found that 55% of IT leaders have reused the same password throughout their work and personal life. Using the same password for multiple accounts might make it easy to remember your credentials, but if a cybercriminal gets one password then he/she now has access to multiple of your accounts. Having a separate password for all of your accounts helps to ward off hackers and keeps your accounts safe.

The longer your password is the better. Instead of using just one word as your password, consider using a passphrase. A passphrase consists of multiple words strung together along with symbols, numbers, and upper and lowercase letters. To help you keep track of all of your passwords, consider using a password manager.

 

2. Using public WiFi for secure transactions

When using public WiFi you have no direct control over its security. To avoid hackers and cybercriminal getting your personal information wait until you are on a secure WiFi network. If you really need to use public WiFi, always use a VPN to help secure your information.

 

3. Installing applications from unverified sources

Downloading apps from unverified sources can open up a big bag of malware on your device, and likely turn your device into a bot. Before downloading an app, make sure you read reviews and inspect the vendor or developer that created it.

Applications should not have permissions that are not necessary to perform. An application with a long list of permissions might not be exactly what you think it is, and you should think twice before downloading it.

Examples of legitimate permissions an app might ask for:

  • Contacts
  • Location
  • Calendars
  • Microphone
  • Camera
  • Cellular Data

 

4. Ignoring software updates

WannaCry ransomware infected 200,000 unpatched Windows machines in May 2017. The patch needed to prevent WannaCry from infecting machines was available two months before the attack began, in March 2017.

Updating your computer’s software always seems to pop up at the wrong time but it is essential to your network security. Many hackers exploit unpatched software to gain access to computers and other devices.

How to keep your software secure and up-to-date:

  • Set up automatic updates if available for your computer operating system, browser, and applications.
  • Pay attention to software installation messages. Always make sure to pay close attention to the message boxes before clicking ‘OK’, ‘Next’, or ‘I Agree’.
  • Use antivirus software and antispyware. Equip all of your personal and organization’s devices with these, and remember to update software regularly.

 

Even if some of your habits fall on the naughty list it is never too late to turn it around. Practicing safe cyber hygiene not only helps keep your secure, but also your organization. Employees are the first line of defense against cyber attacks and they should be armed with the right knowledge, tools, and tactics. The best gift you can give your your organization this holiday season is ensuring your employees have the knowledge needed to get on the nice list because Santa isn’t the only one watching.

Additional Posts

Millennium Alliance Transformational CISO West

Join The Millennium Alliance in partnership with its Advisory Board, as they launch ...

Tips to Big Data Use in Cybersecurity Operations

The term Big Data is often misused or used to represent many different concepts depending on who ...