Following the Equifax breach in early September, in which 143 million records were stolen, The New York Times updated their interactive tool for individuals to comprehend how much of their data has been exposed across a range of breaches. Just a few weeks later, they updated it again following the announcement that the 2013 Yahoo breach impacted three billion accounts. Given the extent of the data theft, individuals may feel hopeless since, across these breaches, the majority of personally identifiable information (PII) is available somewhere.
Now is not the time to abandon good security habits. Targeted attacks continue unabated on high profile individuals, such as political candidates and executives, often to inflict reputational damage and steal data. But the vulnerabilities extend beyond high profile individuals and exist throughout organization charts and production supply chains. Cobalt Gypsy infiltrates corporate networks through employees. Target was successfully compromised through an HVAC company. If an attacker is determined to access a network, they will likely figure it out. But there are many steps individuals can and should take to make it harder and ideally deter an attacker, while also limiting collateral damage should an attack succeed. To kick-off national cybersecurity awareness month, below are some background and tips that are relevant for everyone, from candidates running for office to parents wanting to protect their kids online.
It’s All Social
It is true that attackers are increasingly finding innovative technical means to compromise a network, but the most prominent initial attack vector remains phishing. Phishing refers to when attackers disguise themselves and seek to dupe targets in order to access sensitive data or information. This occurs largely through electronic modes of communication, frequently emails. Phishing attempts reflect a range of creative malfeasance to achieve a variety of objectives. Attackers may impersonate colleagues to solicit sensitive information or access credentials as the springboard to broader access. An attacker may convince a target to download what appears to be a document or spreadsheet, but in reality contains malicious software, such as ransomware and spyware. Ransomware, wherein data is encrypted and inaccessible until a fee is paid (and maybe not even then), has rapidly increased over the last two years and often gains entry through phishing. Also, while spyware is most commonly associated with nation-state attacks on NGOs and journalists largely in authoritarian countries, spyware is also a prominent tool in domestic abuse and bullying. Finally, long gone are the days of blatantly obvious phishing emails. Today’s attacks leverage the variety of online information available, and are increasingly difficult to differentiate from legitimate emails. Recently, authentic G20 invitations were manipulated with a backdoor Trojan for espionage purposes.
In addition, social media is also a popular means for compromise, with similar objectives of gaining sensitive data, acquiring credentials, and compromising machines. These socially engineered attacks target victims through popular social media platforms such as LinkedIn, Facebook, and Instagram, and often manipulate the victim to download a document or spreadsheet. For example, the Iranian affiliated group, Cobalt Gypsy, created a fake persona named Mia Ash. She connected with employees of energy, technology, defense, and finance companies generally through LinkedIn, and then expanded the relationship through Facebook, WhatsApp, and email. The fake persona eventually convinces the target to download a spreadsheet with malicious software, enabling access to the corporate network. In other cases, fake personas pose as recruiters and convince potential job applicants to download malicious software hidden within false job descriptions. The opposite also occurs, wherein fake job applications containing ransomware are sent to HR departments. In short, social media platforms are a prime attack vector for both gathering information to be used in future attacks, or as the mode of compromise.
What to Do?
There is no way to protect 100% across the variety of social and digital attack vectors, but there are several minimal to no cost steps that can greatly protect your data and your identity.
Password considerations: This usually tops most lists, but 123456 remained the most popular password of 2016. Strong passwords changed frequently without reuse across sites is recommended. When you do change passwords, do so directly through the secure website. Do not change them through an email received, as password reset emails are generally fraudulent. Run two-factor authentication, such as Google offers for gmail, everywhere it is offered. This means that when you log in, another point of verification is required, often through a text message to your phone. It also is a good idea to provide fake answers for password recovery. Keep in mind how much information is easily accessible via social media, and this begins to make sense. Finally, given how hard it is to keep up with all your passwords, a password manager can greatly help.
Security best practices: There are a variety of security actions individuals can take that require minimal cost. Keeping patches up to date is especially helpful in preventing widespread attacks like NotPetya. Running basic anti-virus software, such as Windows Defender which is built into Windows 8, is also helpful. Virtual Private Networks (VPNs) also help obfuscate your online activity, but be sure to research first as their capabilities vary. VPNs are especially useful for people who travel and rely on external networks. In general, however, it is best to avoid public Wi-Fi if at all possible. Thanks to products such as the WiFi Pineapple, both nation-states and criminal actors can easily create fake Wi-Fi accounts or gain access through public Wi-Fi. In addition to VPNs, there are also mobile hotspot devices to help avoid connecting to public Wi-Fi if you don’t want to tether to a known device. Security keys based on universal second factor provide another layer of authentication. And only keeping bluetooth on while in use, and downloading apps from known sources are a few additional, easy steps to limit your risk. Finally, back-up all data (but don’t lose the backup device!) and opt for https sites, which as of early 2017 comprised over half the internet.
Protecting your social data: As the examples for phishing demonstrate, social media is increasingly a source for data collection, reconnaissance, and infiltration for attackers. Avoid providing personally identifiable information, such as your birthday or mother’s maiden name, which makes it easier for attackers. Similarly, be protective of your social networks, accepting invitations only from known and trusted people. Even if someone is connected with people you know, that should not serve as validation of legitimacy. Reiterating the previous point in password management, enable two-factor authentication across all of your social media and don’t reuse passwords across accounts. Moreover, choose messaging apps with encryption and leverage those for more sensitive communications. These steps don’t just pertain to work email, but personal correspondence as well. Remember that the hacks of both Hillary Clinton campaign chairman, John Podesta, and then-CIA director John Brennan were personal accounts. If you feel you have received a suspicious email or suspect a fraudulent profile on either account, report it to your security officer if one exists. Many social media outlets also provide easy means for submitting phishing attempts. This helps organizations better understand and protect you against attacks. Finally, particularly for high profile individuals, ensure correspondence passes the front page headline test. That is, don’t write anything in communication that if hacked, would make the front page news (e.g, Sony breach).
Remember, there is no perfect security, but there is better, resilient security. Too often, attacks are avoidable. A few low cost steps can make it harder for attackers, and help you protect your data and privacy.