As National Cybersecurity Awareness Month wraps up for the 17th year, cybercrime has reached epidemic levels, especially with so many people working from home in environments that are typically much less secure than a corporate environment, and no individual or organization is too small or insignificant to be a target. Cyberattacks are increasing in frequency, impact, and cost, and sadly show no signs of slowing down because many are automated, criminals are raking in vast sums of money, and they are difficult to track down and prosecute. A study by Dr. Michael McGuire put value of the cybercrime economy at $1.5 trillion!.
Sadly, there are some widespread misconceptions about cybersecurity that must be dispelled:
• My personal data (or the data I have access to) has no value to anyone else: All data is valuable to someone and the bad guys, sometimes called “Black Hat” hackers, are constantly at work to get it. From identity theft, to fraud, to marketing, there is wide array of ways that your data is valuable, and you need to protect it.
Dave Hatter
• Cybersecurity is a technology-only issue: While there are important technological solutions that will help you defend against cyberattacks (more on that later), no technology is fool-proof and many attacks rely on social engineering and deception that allow hackers to bypass even the best technological solutions. Education and awareness in conjunction with technology are key to defeating the Black Hats.
• Strong cybersecurity requires a huge financial investment: There are many good solutions that can be implemented at little or no cost, and a little education will go a very long way.
• All hackers are technology wizards: Some certainly are, but many are using free or low-cost hacking tools and platforms that are readily available on the Internet to launch automated attacks. And many vulnerabilities are the result of human error.
• I need 100% bulletproof security: It’s nearly impossible and very expensive to be impervious to attacks. For most people, you merely need to improve your cybersecurity posture and make yourself a harder target so that hackers will move on to a softer target. This is not as difficult and expensive as you might think.
• New software and devices are secure when purchased: Many devices are rushed to market with security as an afterthought. The software they contain may have millions of lines of code that contain flaws and bugs, after all it’s written by humans and despite the best intentions, we make mistakes. Black Hats know they only need to find one flaw while the White Hats (the good guys) must try to find and fix ALL the flaws. Any device may be full of security issues out of the box and configuring it correctly and updating the software on it regularly is critical.
Here are some concrete steps you can take harden your systems and protect yourself, your family and your organization for very little cost.
• Ensure that you have anti-virus/anti-malware software on your devices, ensure that its virus definitions are updated regularly and schedule regular scans of your devices. There are many excellent low-cost and free options. If you’re a Windows user, Windows Defender is free and competitive with most of today’s quality options. Check this guide to compare products, click here.
• Install software updates regularly, on ALL your devices. All reputable vendors regularly release software updates for their products and it’s critical that you install them regularly. This includes the firmware in your devices, their operating systems (Windows, Android, iOS) and the software on the devices. For example, ensure that you keep your web browser (Chrome, Firefox) updated. In many cases, these updates can be automated, for help, Google “automatic updates for ” and fill in the blank for your situation. This is one of the most important things you can do. Don’t forget your “smart” Internet of Things (IoT) devices like TV’s, doorbells, lights, toasters, baby monitors, cameras, etc. Bad guys can use the Shodan search engine to find and compromise your devices if they are not updated.
• Use a strong, unique password for each account. While this sounds painful, password manager tools can provide a secure vault to store very strong, unique passwords for each site and will make easy for you to use these passwords while making it very hard for hackers to crack them. At Intrust-IT we recommend LastPass, but you can check out other good password manager software here.
Image from Two Factor Auth
• Enable Multi-factor Authentication everywhere you can. Multi-factor Authentication (MFA), sometimes called Two-factor Authentication (2FA) or Two-Step verification is a very powerful way to protect your accounts. Even if your password is breached an attacker requires an additional code to login. This code is typically sent to you via text message and is only valid for a short period of time. While MFA is not failsafe, both Microsoft and Google have recently said that enabling MFA will stop nearly 99% of all automated attacks. If you do nothing else, enable MFA on every account you can! This web site can help you get started.
• Use a Virtual Private Network (VPN). VPN software encrypts data before it goes out on the Internet which makes it difficult for hackers to access and can provide some level of privacy and anonymity. While I generally recommend not using free Public Wi-Fi in any case, a VPN is a must if you do, and generally a good thing even when accessing the Internet from a trusted network. This guide can help you select a quality VPN.
• Carefully vet any software/app prior to installing it on any of your devices. I know it’s hard to believe, but most developers don’t build software out of the goodness of their hearts to give to you free. If you’re not paying with money, you’re paying with data, you’re not the customer, you are the product. Many apps are nothing more than thinly-veiled malware. Only install what you need and vet it first. Many of the sites I’ve posted above have great guides where their editors and experts vet the software. If you no longer need software, remove it.
• Backup your data. Device failures, human error, and malware such as ransomware can be devasting when critical data is lost forever. A good, secure backup can be the difference between disaster and recovery. Be sure to consider the sensitivity of any data that you back up and secure it appropriately with strong passwords and encryption. There are many excellent low-cost options, here’s a good starting point.
• Secure your mobile devices. Keep sensitive data off your mobile devices. Secure them with a strong, unique password. Enable encryption. Don’t install any apps you don’t actually need and disable any services you don’t need. Enable remote wipe so that if the device is lost or stolen, you can erase it.
• Be skeptical. Just because you’re paranoid doesn’t mean that they’re not out to get you, they are! Think twice before you click a link in an email, text message, instant message or even a voicemail. This is especially true for anything you did not expect and even more so if it’s related
to your finances. When in doubt, reach out to the organization in question by calling them on the phone or going to their website from information that you lookup, NOT by using any links or information in their message, they are easy to spoof.
• Stay educated. The bad guys are constantly coming up with new attacks and you must remain vigilant. Here are some excellent resources to help you understand the fast changing cybersecurity landscape:
https://www.microsoft.com/security/blog/
www.ftc.gov/tips- advice/business-center/small-businesses/cybersecurity and
https://www.fbi.gov/investigate/cyber
You can also follow me on Twitter (@DaveHatter) where I share a steady stream of timely cybersecurity information that will help you, your family and your organization be more secure.
While the list above is not exhaustive, for little cost and a little work, you will make yourself a much harder target and most bad guys will move along to the next soft target they find. Stay safe and healthy out there.
Dave Hatter (CISSP, CCSP, CSSLP, Security+) is a cybersecurity consultant at Intrust IT and an adjunct Instructor at Cincinnati State. He provides a Tech Friday sebment on 55KRC, live at 6:30 a.m., and will be writing a regular tech column for the NKyTribune. He can be reached at davehatterlt@gmail.com.
