Users are considered the weakest link in IT risk management. Yes, it’s true…we are towing around the weakest link with us. We are too careless and quick-to-click. So, how do the bad guys find ways to take advantage of these facts? They are crafty, skillful and make use of social engineering (psychological tricks) to manipulate us into falling for their spam email, which, when it comes from a cybercriminal, is called a phishing email or phishing attempt. This is an attempt that prompts you to click a link within the email or to open an attachment.
Review the following 7 Cardinal Sins and make sure you don’t fall into their trap.
1. Using Public WiFi Unprotected
It’s called the Man-in-the-Middle attack. Yes, literally. Think about your last business trip. Your limousine drops you off at your hotel; you check in, go up to your room and fire up the laptop, which connects to the hotel’s Wi-Fi network. At the same time, someone sitting in the hotel lobby has infiltrated the hotel’s Wi-Fi router. You want to check your bank balance. The bad guy is watching every web site you connect to and copying down your login credentials. Next time you check your balance, there’s nothing there. This local bad guy has a very inexpensive and easily obtainable Wi-Fi router exploit kit. Never connect to a sensitive domain, like your bank, or to your company’s corporate network through public Wi-Fi without first connecting through an encrypted VPN (virtual private network).
2. Taking the Bait
One of the most powerful, yet simplest, ways to begin gaining access to your personal information is to get you to fall for a malicious email. A Verizon Data Breach Report out last week states that 23% of phishing recipients open the malicious messages and 11% open attachments. According to Verizon, it takes only 82 seconds from when a phishing campaign is created and launched to when people start biting.
3. Falling Prey to Phony Phone Calls
Just as with email phishing, often the easiest way for attackers to obtain your login credentials is simply to ask for them. They’ll initiate a phone call to your home or office and pose as an IT professional working for your company, or as a vendor of yours or of your company’s. Once they’ve achieved a small amount of trust, they’ll direct you to go to a specific website. Once there, the site will begin downloading a piece of software called a ‘Trojan’ that, when embedded in your PC, will ‘phone home’ like E.T. That ‘Trojan’ will communicate secretly with the software’s creator and ask for additional instructions, which activate a specific set of instructions deep within the inner workings of your PC, or simply download ransomware.
4. Keeping Systems Unpatched
Verizon’s latest update to their cyber security report showed that an astonishing percentage of breaches come from a few already known, common network vulnerabilities. Many of these vulnerabilities have been known for years. And it’s not just the network software that hasn’t been updated or patched: devices on the network, e.g., copiers, phone systems, workstations, etc., are all susceptible to infiltration. Use Qualys or Nessus to scan your networks and devices for out-of-date operating systems, software, drivers and applications.
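Scanning is only half the job; someone has to turn the report into a patch list. As an added example (not part of the article, and not Tenable’s own tooling), this Python script reads a Nessus `.nessus` v2 export, keeps the findings at or above a chosen severity per host, and pulls out the ones whose plugin name points at out-of-date or unsupported software. The sample report, its hosts and plugin IDs are constructed; the script assumes the standard `ReportHost`/`ReportItem` layout of a `.nessus` file.

```python
import xml.etree.ElementTree as ET

# Constructed stand-in for a .nessus v2 export; only the attributes this
# script reads are included, and hosts, plugin IDs and names are made up.
SAMPLE_NESSUS = """<NessusClientData_v2><Report name="office-scan">
 <ReportHost name="10.0.0.21">
  <ReportItem port="445" protocol="tcp" severity="4" pluginID="900001"
    pluginName="Microsoft Windows 7 Unsupported Installation Detection"/>
  <ReportItem port="0" protocol="tcp" severity="3" pluginID="900002"
    pluginName="Adobe Reader &lt; 11.0.10 Multiple Vulnerabilities"/>
 </ReportHost>
 <ReportHost name="10.0.0.50">
  <ReportItem port="9100" protocol="tcp" severity="2" pluginID="900003"
    pluginName="Printer Firmware Outdated"/>
  <ReportItem port="80" protocol="tcp" severity="0" pluginID="900004"
    pluginName="HTTP Server Type and Version"/>
 </ReportHost>
</Report></NessusClientData_v2>"""

SEVERITY = {0: "Info", 1: "Low", 2: "Medium", 3: "High", 4: "Critical"}
# Plugin-name fragments that usually mean "out of date" rather than
# "misconfigured"; tune the list to the plugin families you actually see.
OUTDATED_HINTS = ("unsupported", "outdated", "end of life", " < ", "obsolete")

def parse_nessus(xml_text, min_severity=2):
    """Map each host to its findings at or above min_severity, highest
    severity first, as (severity, plugin name, port/protocol) tuples."""
    findings = {}
    for host in ET.fromstring(xml_text).iter("ReportHost"):
        items = []
        for item in host.findall("ReportItem"):
            sev = int(item.get("severity", "0"))
            if sev >= min_severity:
                items.append((sev, item.get("pluginName", ""),
                              f"{item.get('port')}/{item.get('protocol')}"))
        if items:                       # skip hosts with nothing actionable
            findings[host.get("name")] = sorted(items, reverse=True)
    return findings

def outdated_software(findings):
    """Pull out the findings that point at unpatched or end-of-life software,
    keeping host and severity so each can be handed to its patch owner."""
    return [(host, SEVERITY[sev], name, where)
            for host, items in findings.items()
            for sev, name, where in items
            if any(h in name.lower() for h in OUTDATED_HINTS)]
```

Point `parse_nessus` at the text of a real export and the printer, copier and phone-system findings the article mentions show up alongside the workstations, sorted so the critical ones are handled first.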
5. Using Weak Passwords
How do we maintain a level of usability and still have a high degree of security? It’s a balancing act. The Sony hack and the pile of information that was released illustrate that many in corporate America place no value on cyber security. Sony employees had distressingly weak passwords like “password” or “12345.” This allowed the thieves quick access to the email server and eventually all the network drives and servers. If remembering a tricky password with all the recommended features, e.g., upper and lower case letters, numbers and symbols, is too challenging, then consider using a password vault.
6. Going TMI On Social Media
You’ve heard the expression Too Much Information. Sharing so much of ourselves assists the cybercriminal. Knowing our birthdays, home address, nicknames, pets’ names… allows them to guess our financial institution’s password reset question and/or our password itself. Along with that, it could provide enough information that a cybercriminal could craft a very convincing and effective spear-phishing email message. Spear-phishing is a term used to denote a message that is specifically created for a particular person. For example, they could copy a LinkedIn logo and paste it into a message inviting you to connect with them on that social media site. When you click the link that invites you to find out who has sent the invitation, malware is instantly downloaded to your PC.
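The tell in the LinkedIn lure above, and in the mass phishing of sin 2, is that the logo and the wording belong to one brand while the link goes somewhere else. As an added example (not from the article), this Python check parses an HTML message body, gathers each link’s visible text and any pasted logo’s alt text, and flags links that invoke a known brand while pointing at a domain that brand does not own. The `BRAND_DOMAINS` table and the sample message are constructed; extend the table with the vendors your own users hear from.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Brands whose name or logo a lure commonly borrows, mapped to the domains a
# genuine message from that brand would link to (constructed; extend it).
BRAND_DOMAINS = {"linkedin": {"linkedin.com"}, "dropbox": {"dropbox.com"}}

# Constructed HTML body of a fake "see who sent the invitation" lure.
SAMPLE_EMAIL = """<p>You have a new invitation waiting.</p>
<a href="http://invitations-review.example.net/i/7f3a">
  <img src="cid:logo" alt="LinkedIn"> See who sent you an invitation</a>
<p><a href="https://www.linkedin.com/help/">LinkedIn Help Center</a></p>"""

class _LinkCollector(HTMLParser):
    """Gather (href, visible text + image alt text) for every <a> element."""
    def __init__(self):
        super().__init__()
        self.links, self._cur = [], None
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "a":
            self._cur = [a.get("href") or "", ""]
        elif tag == "img" and self._cur is not None:   # the pasted logo
            self._cur[1] += " " + (a.get("alt") or "")
    def handle_data(self, data):
        if self._cur is not None:
            self._cur[1] += " " + data
    def handle_endtag(self, tag):
        if tag == "a" and self._cur is not None:
            self.links.append(tuple(self._cur))
            self._cur = None

def suspicious_links(html_body):
    """Return (href, reason) for each link whose anchor text or logo invokes
    a brand in BRAND_DOMAINS while the href resolves to another domain."""
    p = _LinkCollector(); p.feed(html_body)
    flagged = []
    for href, text in p.links:
        host = (urlparse(href).hostname or "").lower()
        if not host:          # "#" anchors, mailto: and the like carry no host
            continue
        dom = ".".join(host.split(".")[-2:])   # crude registrable-domain guess
        for brand, allowed in BRAND_DOMAINS.items():
            if brand in text.lower() and dom not in allowed:
                flagged.append((href, f"shows {brand} but links to {dom}"))
    return flagged
```

The two-label domain guess is a simplification that misfires on suffixes like `.co.uk`; a production filter would use the public suffix list.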
7. Going Off The IT Grid
I performed a security scan of the desktop PCs for an oil services firm recently. It was surprising to find so many user-installed applications and cloud-based storage accounts, think Dropbox. Because so many corporate users bring their own devices to work, it has fostered a culture of ‘any app that I think I need to do my job is permissible on my company-supplied PC.’ The more freedom users have to install what they want, when they want, on their business systems and to move data to non-sanctioned cloud resources, the more risk they incur for the organization. Corporate IT managers must find a way to allow users the freedom to get their jobs done while still imposing data governance and audit controls over the processes.