Article written by contributing author Kyle Debruhl
I like to think that in the future, in addition to health checkups, teeth cleaning and physicals, we’ll also sometimes step into a professional’s office and have our personal security assessed. Instead of a stout woman with pursed lips and beady eyes critiquing our eating habits, she’ll instead assess the length of our passwords, the glibness of our Facebook pages and whether our software is up to date. And most of us will leave with a great, big to-do list.
For many of us looking to protect ourselves and our home computers from unauthorized access, it’s easy to look at the current state of cyber security and agonize over our own digital safety. But rather than worrying about a database break-in at some company, average end users should be far more concerned about the safety issues we can control. Most of the security risks in our digital lives have nothing to do with our operating system, the software on it or even our anti-virus programs; instead, the greatest threat to our digital security is often ourselves.
Most commonly, when people say they’ve been “hacked” they mean there has been some sort of unauthorized access to their digital accounts. Their Gmail has begun spurting out a salvo of spam to their contacts, their Twitter page has been taken over and their Amazon account no longer exists. Believe it or not, these instances of unauthorized access are fairly easy to perform on an unsuspecting victim, and these attacks mostly fall under the category of social engineering (a tactic used to obtain basic information from people in a subtle way or via links) or exploit our own laziness. Hackers take advantage of human error; these attacks are based entirely on mistakes that you or your account provider have made. Your accounts are linked, your passwords aren’t strong enough, and the people in charge of security on the other end are lax. Hackers have perfected a few techniques that take advantage of the fact that each of your accounts requires different security information, and they find most of that information about you online.
While the idea of someone having unfettered access to your accounts can seem like a pretty scary concept, it’s also fairly easy to foil these infiltrations. One of the first and easiest methods of foiling access seekers is signing up for two-step verification from your email provider. Many providers offer this service in order to afford their users better security and more protection, and it can often stop an unauthorized access attempt dead in its tracks. Another place where end users are often vulnerable is their choice of passwords. Using the same password for each account can lead to a world of trouble if one of them is compromised. The best piece of advice for any end user is to keep unique, multifaceted (e.g. using letters, numbers and punctuation) passwords for each account and never share them online.
According to Dustin Tatgenhorst, Director of IT for Axosoft, another handy step to prevent an account from getting compromised can be to lie on password reminder questions. Most of the information that’s simple enough for you to use in a password reminder is also simple enough to glean from your (probably) robust internet presence. Simple, yet outlandish lies on these types of security questions can be easily remembered by you without being easily guessed by an attacker. For example, when asked for your “mother’s maiden name” as a password recovery question, make your answer something outlandish like “platypus” and use that as your answer instead of the real thing. Just make sure you remember your false information or else you may get locked out of an account for good.
While hacking is certainly nefarious in its own right, it’s still not quite the sleaziest trap you’ll fall into online. Phishing is the act of soliciting personal information by impersonating a friendly entity, and it tends to rely on link baiting in order to lead you to a malicious website and ultimately steal money, passwords or personal information. While phishing was originally a general technique to obtain information under false pretenses online, it has become much more sophisticated over time. Spear-phishing is different from its ancestors in that an email from a spear-phisher will target a specific user with a specific agenda. A classic example might say something like “We had to bump the meeting, click here for directions” or “Problems verifying your account info, click here to resubmit.” From there the malicious link could lead you anywhere and ask you to do anything, from entering important information to downloading a “patch” or “map.” Phishing often relies on creating a stressful cue and then sitting back as you click anything and everything.
Fortunately, phishing requires action on your part, and with a little common sense it can be mostly avoided. The important thing to remember is that if something seems sketchy, don’t click it. The best thing to do in these cases is to simply call or text the other party and double check for yourself. If they didn’t send the email, then you might want to let them know that they’ve been a victim of phishing themselves. Remember, in cases of spear-phishing the attempts are much more targeted and are often being actively monitored by the phisher, and it’s important not to engage: don’t forward, unsubscribe or click on any links, just delete it.
It’s not just links in emails that can be a problem. It’s important to make sure that you’re watching what you click on regardless of where you are online. Various browser hijackers have been known to generate fake links and ads where there are none and when clicked will take the user to phishing sites. Be safe and pay attention to where the links appear and where they go. One simple technique is to hover your mouse over a link to display the real URL; the link is typically displayed in the browser status bar. If you identify a false link on the page you may need to disable an extension or uninstall malicious software from your system.
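The hover check above compares the text you see with the address the link really goes to. As an added example (not code from the original article), this script automates that comparison over a constructed list of anchors; in a browser the same function could be fed the page's own links, but the sample anchors and every host name in it are made up for illustration.

```javascript
// Added example, not from the original article: flag links whose visible
// text names one web host while the href actually points somewhere else.
// In a browser the input would come from document.querySelectorAll("a");
// here the anchors are constructed inline so the check runs offline in Node.

function hostOf(value) {
  // Accept bare domains ("www.example.com") as well as full URLs.
  try {
    const withScheme = value.includes("://") ? value : "http://" + value;
    return new URL(withScheme).hostname.toLowerCase();
  } catch (e) {
    return null; // not a parseable address at all
  }
}

function looksLikeUrl(text) {
  // Only text that itself reads like an address can be compared to the href;
  // "click here for directions" gives the reader nothing to verify.
  return /^(https?:\/\/)?[a-z0-9-]+(\.[a-z0-9-]+)+(\/\S*)?$/i.test(text.trim());
}

function findDeceptiveLinks(anchors) {
  const flagged = [];
  for (const a of anchors) {
    if (!looksLikeUrl(a.text)) continue;
    const shown = hostOf(a.text);
    const real = hostOf(a.href);
    // Comparing whole host names also catches look-alike subdomains such as
    // "www.example.com.something.invalid", which is not www.example.com.
    if (shown && real && shown !== real) {
      flagged.push({ text: a.text, href: a.href, shownHost: shown, realHost: real });
    }
  }
  return flagged;
}

// Constructed sample anchors (hypothetical hosts, not real sites).
const sampleAnchors = [
  { text: "https://www.example.com/login", href: "https://www.example.com/login" },
  { text: "www.example.com", href: "http://example-com.invalid/resubmit" },
  { text: "www.example.com", href: "https://www.example.com.login-portal.invalid/" },
  { text: "click here for directions", href: "http://example.invalid/map" },
];

console.log(findDeceptiveLinks(sampleAnchors));
```

Links whose text is just words are skipped rather than flagged, which is exactly why the article's advice to hover and read the status bar still applies to them.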
The digital world can seem scary when you don’t understand the risks that are out there and how to circumvent them. But while there are definitely thieves aplenty online, most of their techniques rely on negligence and laziness on the part of the end user. Understanding and minimizing your security risks takes a little research and a bit of preparation, but in the end it’s totally worth it to save your identity and wallet.
Have you had your security breached in the past? Please share your story below and check back next week for our guide on keeping your business safe from DDoS techniques and other larger scale attacks.
Cyber Security I – How To Protect Yourself From "Phisherman"
1 thought on “Cyber Security I – How To Protect Yourself From "Phisherman"”
Great information and advice. Another important security practice to guard against is spear phishing. I’ve seen many instances where culprits have targeted various employees by making a very specific and direct attack, saying that we need to install an Outlook Update [hah: I use Thunderbird for OS X], reset our CRM password, or other very specific requests.
We’ve minimized nearly all of these threats by enforcing strict SPF email authentication rules on our domain and the various web-based vendors that we use to thwart potential new threats.
Again, I totally agree with your point — a majority of security issues start and end with users, not code. What good is a million-dollar RFID security system if I can just follow someone else into a building? 😉