Basic Cyber Hygiene, Part 1
Humans are the weakest link in security, and this saying is often repeated for good reason: the majority of cybersecurity incidents involve human error at some level. The COVID-19 lockdowns have resulted in more employees working from home than ever before, which means more employees rely on information technology for their work and are therefore more exposed to cyber threats. It is important to train employees to practice good cyber hygiene. Cyber hygiene consists of the best practices that users can follow to improve their security online. Employees who follow these practices are less susceptible to the tricks employed by cybercriminals. This article is one part of a series that summarizes the practices of good cyber hygiene.
The following is a list of some of the best practices for cybersecurity:
Make strong passwords
The most straightforward way to access a computer, a private network, or an account on a website is to enter a username and a password. People without technical expertise can still break into a victim’s account if they have enough information about them. Cybercriminals who lack that information can turn to a variety of password cracking tools. Once a cybercriminal discovers a correct username and password combination, they can log in as that user for further reconnaissance or sell the credentials on the black market. They can also use the compromised account to plant a backdoor that gives them access to the network later on, when they can do further damage. In many ways, strong passwords are the first line of defense. All employees should follow these best practices for usernames and passwords:
- Never keep the default usernames and passwords provided by hardware and software. Many routers and Internet of Things (IoT) devices have default username and password combinations, and many people forget to change them. As a result, cybercriminals have an easier time hacking them.
- Never re-use the same password for everything. When a cybercriminal discovers a successful username and password combination, they will try to use it on other websites. This is known as credential stuffing.
- Never use passwords that are commonly used or otherwise easy to guess, like “password”, “qwerty”, “12345”, “starwars”, etc. Cybercriminals can perform dictionary attacks that try every password in a list of common passwords.
- Never use a single dictionary word as a password, as these are vulnerable to the aforementioned dictionary attacks.
- Similarly, never use passwords that contain information that can be discovered on social media. Cybercriminals often conduct cyber reconnaissance to find potential username and password combinations.
- Use long passwords, or better still, passphrases. Cybercriminals can perform brute-force attacks that try every possible password, and the shorter a password is, the sooner such an attack finds it.
- Consider using a password manager capable of generating strong passwords.
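The rules in the list above can be enforced at the point where a password is chosen. The following is an added example, not code from the article: a small checker that applies each rule (default credential pairs, common passwords, single dictionary words even after "leet" substitutions such as P@ssw0rd, personal details, and a minimum length). The word lists are tiny constructed samples, and the 12-character minimum is an assumed policy value; the article only says "long".

```python
import re

# Constructed sample lists for illustration only. A real deployment would load a
# large breached-password list and a full dictionary instead.
COMMON_PASSWORDS = {"password", "qwerty", "12345", "123456", "starwars", "letmein"}
DEFAULT_CREDENTIALS = {("admin", "admin"), ("admin", "password"), ("root", "root")}
DICTIONARY = {"password", "summer", "dragon", "welcome", "starwars", "company"}
# Common substitutions attackers' dictionary rules already undo: @->a, 0->o, 1->l, ...
LEET = str.maketrans("@01!$357", "aoliseft")
MIN_LENGTH = 12  # assumed policy value; the article only says "long"


def normalize(password: str) -> str:
    """Strip trailing digits/symbols and undo leet substitutions, so that
    'P@ssw0rd1!' is compared against the dictionary as 'password'."""
    core = re.sub(r"[\d\W_]+$", "", password)
    return core.translate(LEET).lower()


def check_password(username: str, password: str, personal_info=()) -> list:
    """Return the list of rules the password violates (empty list = acceptable).

    personal_info: strings a cybercriminal could find on social media
    (pet name, birth year, ...) that must not appear in the password."""
    problems = []
    if (username.lower(), password.lower()) in DEFAULT_CREDENTIALS:
        problems.append("default credential pair")
    if password.lower() in COMMON_PASSWORDS:
        problems.append("commonly used password")
    if normalize(password) in DICTIONARY:
        problems.append("single dictionary word (after undoing substitutions)")
    for fact in personal_info:
        if fact and fact.lower() in password.lower():
            problems.append(f"contains personal info '{fact}'")
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    return problems


if __name__ == "__main__":
    for user, pw, info in [("admin", "admin", ()), ("bob", "P@ssw0rd1!", ()),
                           ("dave", "Rex2014Birthday!", ("Rex", "2014")),
                           ("carol", "correct horse battery staple", ("Rex", "1987"))]:
        print(f"{user}: {check_password(user, pw, info) or 'OK'}")
```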
Two-Factor Authentication (2FA) is an extra step in the authentication process that increases security. 2FA relies on two things: something the user knows, like a password, and something the user has, like a smartphone or a hardware token. 2FA is an excellent safeguard in the event that a cybercriminal obtains your username and password: even with both, they cannot log in without your 2FA device. Some companies and institutions require users to set up 2FA for this reason.
Update software regularly
A vulnerability is a flaw within software, firmware, or even hardware. Cybercriminals can use such a flaw to compromise either a specific application or an entire system. Viruses, ransomware, and other forms of malware often exploit a specific vulnerability within an operating system or an application. The developers of the affected software release security patches that fix vulnerabilities. These patches are typically included in software updates, which should be applied as soon as possible. If the vulnerability is within a hardware device, the device should not be exposed to the internet.
Beware of social engineering
There are typically two ways a cybercriminal can break into a network: by exploiting a vulnerability or by social engineering. Social engineering is the act of trying to trick someone into revealing sensitive data or doing something to give someone else unauthorized access. Cybercriminals can directly use social engineering to get things like login credentials or even credit card numbers. They might also conduct reconnaissance and use information that is freely available on the internet in order to launch future attacks. In the age of social media, people share all sorts of sensitive details about their lives—where they were born, their favorite color, the name of their favorite pet, etc.—that can be used to crack passwords or security questions. One should always be mindful of the information they share on the internet.
Phishing is arguably the most common social engineering attack. Cybercriminals disguise malicious emails as legitimate ones from employers or IT staff. These emails ask the recipients to click on a link, download something, or reply with information, and doing so helps the cybercriminals steal data or find a way into your network or cloud environment. Phishing emails may contain malware attachments or links to websites that automatically download malware onto visiting computers. Cybercriminals may also send a link to a webpage that asks for information and appears legitimate but is actually fake, so that everything entered into it is sent to the cybercriminals. They then use the sensitive information given to them to try to log into an account or to trick other users. In addition to sending malicious emails, cybercriminals may conduct voice phishing, calling employees while impersonating coworkers or IT staff. A real-world example of this was analyzed in a previous article about social engineering. Employees should be wary of phishing scams and other forms of social engineering. Here are some key facts about phishing:
- According to Coveware, phishing emails were the #1 means of spreading ransomware in Q4 of 2020.
- Phishing emails can be identified by incorrect sender addresses. Sometimes these addresses look similar to the real ones. For example, if your company’s website is “yourcompany.com”, a phishing email might be sent from an address at a look-alike domain that uses a ‘0’ in place of the ‘o’.
- Similarly, links in phishing emails may lead to websites with domain names that look similar to the real ones but contain typos.
- Sometimes, phishing emails may contain Microsoft Office files or PDFs that contain malicious code. People fall for these attacks because they trust these types of files.
- Scammers often try to create a sense of urgency to scare victims into giving up information or clicking on links.
- Scammers may also try to impersonate people with authority, such as CEOs and supervisors. One tell is language in the body of the message that the named person would not normally use.
- If you suspect that an email is a phishing email and the sender claims to be someone you work with, call your coworker or contact them through another medium to verify that they sent it.
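The look-alike addresses and domains described above can be screened automatically. The following is an added example, not code from the article: it classifies a sender domain or link host against a trusted domain, recognizing a legitimate subdomain, a homoglyph swap (‘0’ for ‘o’, ‘1’ for ‘l’, ‘rn’ for ‘m’), a one- or two-character typo, and a domain that merely embeds the company name. The homoglyph table and the sample email are constructed for illustration; "yourcompany.com" is the article's placeholder domain.

```python
from urllib.parse import urlparse

# Constructed subset of visually confusable substitutions (fake -> intended).
HOMOGLYPHS = {"0": "o", "1": "l", "rn": "m", "vv": "w"}


def normalize_domain(domain: str) -> str:
    """Lower-case and undo homoglyph substitutions so look-alikes compare equal."""
    d = domain.lower().rstrip(".")
    for fake, real in HOMOGLYPHS.items():
        d = d.replace(fake, real)
    return d


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance (insertions, deletions, substitutions)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_domain(domain: str, trusted: str) -> str:
    d = domain.lower().rstrip(".")
    if d == trusted or d.endswith("." + trusted):
        return "legitimate"            # the real domain or one of its subdomains
    normalized = normalize_domain(d)
    if normalized == trusted:
        return "homoglyph look-alike"  # e.g. '0' swapped in for 'o'
    if edit_distance(normalized, trusted) <= 2:
        return "typo look-alike"       # e.g. missing letter or wrong TLD
    if trusted.split(".")[0] in normalized:
        return "embedded brand"        # e.g. yourcompany.com.evil.example
    return "unrelated"


def scan_email(sender: str, links: list, trusted: str) -> list:
    """Return (item, verdict) for the sender and every link host that is not legitimate."""
    findings = []
    sender_verdict = classify_domain(sender.rsplit("@", 1)[1], trusted)
    if sender_verdict != "legitimate":
        findings.append((sender, sender_verdict))
    for url in links:
        host = urlparse(url).hostname or ""
        verdict = classify_domain(host, trusted)
        if verdict != "legitimate":
            findings.append((url, verdict))
    return findings
```

Sender and link checks only catch look-alikes of the domains you list as trusted; a mail gateway would still rely on SPF, DKIM and DMARC for the exact-match spoofing case.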