The Cybersecurity and Infrastructure Security Agency (CISA) officially kicked off Cybersecurity Awareness Month on October 1st. According to CISA Director Jen Easterly, it is “important that everyone take a moment this month to implement common-sense steps like multi-factor authentication to keep themselves secure online. So much of our daily routines exist on digital platforms, and we need everyone to do their part to combat the growing threats our nation faces in cyberspace.” CISA’s announcement was made the day after the President’s proclamation designating October as the month for all Americans to increase their awareness of cybersecurity, and for the public and private sectors to work together to increase the cybersecurity of the nation. CISA and the National Cyber Security Alliance (NCSA) are participating in public outreach to encourage Americans to improve their cybersecurity and stay safe online. CISA urges everyone to implement four things to keep themselves cyber safe: turn on multi-factor authentication (MFA); use strong passwords, ideally generated and stored by a password manager; update your software and turn on automatic updates; and think before you click on a potential phishing email. Overviews and insights into all four of these practices can be found on our blog, and especially in our first article about cyber hygiene. Note that MFA is often referred to as 2FA when only two factors are used for authentication, and that phishing is a social engineering tactic.
The adoption of MFA is one of the five best cybersecurity practices listed within the President’s Improving the Nation’s Cybersecurity Executive Order, and for good reason. In June, we discussed the importance of MFA and how the lack of it can make ransomware attacks easier. As reported by William Turton and Kartikay Mehrotra of Bloomberg, the Colonial Pipeline ransomware attack was facilitated by the lack of MFA.
MFA is a great failsafe in the event that your username and password have been stolen, or someone was able to guess them. Brute force password attacks try many candidate passwords in succession in the hope of finding the right one; these attacks often use lists of common or easy-to-guess passwords, such as “qwerty”, “12345”, “starwars”, or “password”. A strong, complex password is your first line of defense. However, since complex passwords are difficult to create and remember, it is often recommended to use a password manager to generate and store them.
Humans are the weakest link in cybersecurity, and humans write software, which means that software is bound to include vulnerabilities due to mistakes and oversights. Regular installation of security patches and updates that fix these vulnerabilities is necessary to ensure that bad actors cannot exploit them to attack your systems. The infamous WannaCry ransomware worm exploited a series of Windows vulnerabilities that Microsoft released patches for around two months prior to the cyberattack. WannaCry did widespread damage because many people did not apply the security patches, even though they were available for months.
At the end of our first article about cyber hygiene, we listed some facts about phishing emails. Phishing emails often manipulate victims by exploiting a sense of urgency or fear and/or by impersonating coworkers, partners, supervisors, or authority figures. Oftentimes, they can be spotted by carefully checking the sender address and verifying that it is not the real address used by the party being impersonated. Basic phishing emails are sent out to multiple people to maximize the chances of catching a victim. Spear phishing takes things a step further. Whereas normal phishing emails use generalized language, spear phishing emails are targeted towards specific individuals, and may use the recipient’s name, the name of their supervisor, along with other personal details to seem as legitimate as possible.
Having been recognized for providing excellent services to Federal clients, SD Solutions embraces collaboration between the public sector and the private sector. We are happy to celebrate Cybersecurity Awareness Month and encourage everyone to take the steps needed to stay safe online. Do your part, and #BeCyberSmart.