The Biggest Security Risk: REVEALED!

I have already talked about a number of ways corporate and personal information can be compromised by bringing to light a few of the security risks involved. Well, now I’m going to reveal what the absolute, without-a-doubt biggest risk you will face personally and professionally is… IT’S YOU! Okay, it’s me too; I am my own biggest risk as well. I wouldn’t exclude myself from this category. We are our own worst enemies. I have gotten better as I have grown more aware of the risks out there. To be honest, I have become more aware of risks by just talking to other people and having them casually mention something that I consider a huge risk. My earlier blog “Something You Probably Never Thought About Regarding Your ID Badge” was inspired by an off-the-cuff comment someone made about leaving their ID badge in their car while it was at the garage. Most people don’t realize how big a target they are, much less how much they compromise their own security. I’d like to take this opportunity to mention that when I say people compromise their own security, I mean all phases of their security: personal, professional, and cyber security. They are all interwoven in some aspects, because you could inadvertently compromise your own personal cyber security and do damage in your professional life as well.

The Human Element

We have all kinds of technology to provide us with security and protection from hackers, scammers, corporate spies and so on, but all the technology in the world cannot prevent the biggest risk: the human element. Security will always be compromised by the human element through incompetence, inattentiveness, or complacency. The technical aspect of security vulnerabilities can be fixed, patched, or updated to prevent the vulnerabilities from becoming a problem. Humans will always be vulnerable. We often overestimate our abilities, fail to pay attention when it matters, and many times we are unaware of the risks our security is under.

The Incompetent Ones

I’m not trying to offend anyone when I say there are people that are incompetent. I mean it in the true form of the word: lacking ability. There are still some people who lack the ability to perform even simple actions on a computer. These people are generally also the ones that know nothing about social engineering tactics and often fall prey to those schemes. Everyone knows at least one of these people. I know several, and don’t get me wrong, they are nice people, but it’s scary to me that they compromise their own security as well as their workplace’s. I don’t want to pat my own back here, but I have been helping a few of them by teaching them some of the basics. They don’t need to be experts in cyberspace or know what all the latest social engineering tricks are, but in my opinion they need the basics and not much more. That is, unless they want to learn more; then learn away!

The Inattentive Ones

These people range in knowledge between novice and expert. We are all at times the inattentive ones because sometimes it’s easier to do things the easy way and not really pay attention to what we are doing. I’m sure we have all done things haphazardly just to get them done and over with, not really caring about the process or the end result. This can also be seen as being lazy. Being lazy on a rainy day when you have nothing to do is a great break from the hustle and bustle of everyday life, but it’s not so great when laziness compromises your security. Being lazy about your personal security could leave you open to being attacked or robbed. Inattentiveness to red flags is what hackers and social engineers count on to get our personal information. They want us to not pay attention so they can get what they want.

The Complacent Ones

These people are a bit of a hybrid of the incompetent ones and the inattentive ones. They are unaware of their incompetence as well as the dangers that their security faces. These are generally the people that know just a little bit about computers. They know just enough to be dangerous, as I always say. They way overestimate their abilities and unknowingly risk their security because of their lack of ability. They think that because they do have some knowledge they are safe from getting attacked. They feel that it couldn’t happen to them. I feel I’m fairly competent, but I know I am still vulnerable to attack if I don’t pay attention. What makes them so dangerous is the fact that they are unaware of the dangers out there, satisfied with that, and have no desire to change. These people pose a danger to others as well because, as I have said before, one wrong click could have wide-ranging effects. They are also the ones who don’t want to change because they are satisfied with the way things are. They are the people that use the same password for everything or do not change the passwords and PINs to their important accounts regularly because they are content with things the way they are.

The risk that all of these different types of people pose to themselves and others can be mitigated by just paying attention and being aware of what is going on around you. It’s easy to forgo the little extra time it takes to make sure we know what we are agreeing to or clicking on. It’s also easy to forgo the extra security measures that will provide us better protection. But the benefits of paying attention, taking extra time, and putting in place that extra measure of security will far outweigh the convenience of getting it done faster. If you or someone you know is one of the incompetent ones, please either take the time to get some knowledge or ask someone who knows what they are doing to help you. If you are one of the inattentive ones, please pay attention. It really is as simple as that. Just take a few extra seconds to make sure you know what you are doing and what is going on around you. If you are one of the complacent ones, take the time to learn what you want to know, stop being satisfied with the way things are, and make things better for you.

Stay Secure!

Security Risk Myths


Despite the fact that we are assured constantly by companies that we are safe using their web sites, email accounts, banking, or electronic purchasing, hackers are growing more sophisticated and creative in their techniques. We are bombarded with ads saying something to the effect of “Our product will keep you safe on the internet,” which in some cases is misleading and can provide us with a false sense of security. Several myths that we are safe have been perpetuated, and they can be dispelled to a point.

I am not a target

I touched on the topic of being a target in my post “Social Engineers Are Not Friendly Train Conductors.” Anyone can be a target for any reason, personally or professionally. Personally you might not have a pot to pee in or a window to throw it out of, as my Mum is fond of saying about being broke, but you have a name and a social security number. With those two items alone you are now a target, congratulations! Even with a poor credit score, someone somewhere will be willing to give a criminal who has stolen your identity a line of credit or the ability to purchase in your name and stick you with the bill. Professionally you can be a target simply because you work at a certain place. Regardless of whether you work with the highest level of secure information or no secure information at all, you can still be a target, congratulations! I recently read an article that said that some very bad malware was found in software that ran important machines at a very big energy provider and had gone undetected for over a year. That malware was traced back to one employee that clicked a bad link in an email. While we have no way of knowing if that one employee was targeted because of where they worked, it is not entirely out of the realm of possibility. It’s actually more likely that many employees at that facility were targeted, but only one employee clicked the bad link. That’s all it takes sometimes – a careless click of a link in an email or on a website. An associate of mine clicked on a link that led to his laptop being hijacked by a ransomware program. All he did was click one bad link. He was eventually able to fix it, but it was distressing for him.

I stay away from sketchy sites

Another myth that often provides a false sense of security is the thought process that as long as you visit “reputable” sites you are safe. Staying away from sketchy sites is a good idea, but that won’t necessarily prevent you from getting attacked. Reputable search engines and high volume shopping web sites can harbor malware more frequently than counterfeit or sketchy sites. This can be upwards of 20 times more likely – just one click on a bad link. Here’s a scary item – you are over 180 times more likely to get malware from a search engine or a shopping site than you are from a porn site. My theory is (and this is just my own personal thought process) that hackers know that we are leery of sketchy sites. That’s why they target “reputable” sites: because they know they are more frequently used. That speaks to our false sense of security. If you are a hacker looking for that one in a million person to click your bad link, why would you only connect it to sites with a low volume of visitors? Why not hitch it to a high volume site with millions of visitors?

My anti-virus program and my firewall will keep me safe

This is one of the biggest providers of a false sense of security. Even big retailers and financial institutions get targeted, and I’m sure they have much, much better anti-virus programs and firewalls than we do. Don’t get me wrong, these tools are great and they do provide a good measure of security, but using them does not mean you are completely protected and you will not get attacked. There are many levels of protection and in some cases it’s a “you get what you pay for” type of deal. While I don’t think the average person needs to go out and purchase anti-virus software and firewall programs that would protect top secret level information, I do think you need to research what you are purchasing or getting for free. Look at the level of protection and what it will keep out of your system. Also gauge the level of security you want. If you don’t have any secure or personal information on a certain device and you do not connect it with any other device or link it to a system, then it would be reasonable to not get the highest level of security for that device. The same associate that I mentioned earlier didn’t want to pay for anti-virus software, so he was trying all the free ones. He got what he paid for – his computer had multiple viruses on it. He spent much more money on getting the viruses off his computer than he would have if he had bought good anti-virus software in the first place. This isn’t to say that all free or cheap ones do not work, but just know what you’re getting.

I guess the lesson behind this post, if there even is one, is that you need to keep alert at all times. Pay attention to the sites you are going to as well as where a search engine is directing you. If the shopping site redirects you to somewhere off their site, be suspicious of that. Hackers are counting on you being their 1 in a million. There are many more myths out there, but I will save them for another blog!

Stay Secure!

Black Friday And Holiday Shopping Tips

With Thanksgiving upon us and Black Friday a day away I’d like to kick off the holiday shopping season with a few tips for keeping you safe. At the risk of sounding redundant because there are so many articles out there, I still feel these tips are important enough to repeat.

Always be aware of not only your surroundings, but the people surrounding you. Most retail associates are trained to be aware of suspicious people and suspicious activities, but they cannot see everything and they are more focused on their store merchandise and not yours. It is so easy to get distracted when you are busy trying to find the right color or size or even just browsing through a rack or table. A distracted shopper is a targeted shopper. Thieves want you to be distracted because they work best when you aren’t paying attention to them. You can also get distracted and set down your other packages, cell phone, purse or wallet and they could be gone in a flash. I recently saw a 10-second video that a local news station did a news story on where a woman in a grocery store had her purse stolen out of her cart. She had left it in the child seat of the cart, which I can’t stress strongly enough, DO NOT ever do that! The lady was distracted by an accomplice and the thief walked right up behind her, grabbed the purse, and calmly walked away. Like I said, the video was about 10 seconds long with the majority of it being the accomplice’s distraction and the thief’s approach behind her. They were looking for a person like this – a distracted shopper.

You can also lose track of the people you are with, which is especially bad if you have children with you. Shopping in pairs or a small group is a very good idea for a number of security and safety reasons. Having a shopping buddy means you are not alone, which sticks with the old adage that there is safety in numbers. Multiple sets of eyes can not only spot a great sale, but they can also spot suspicious behavior. A thief is less likely to target a group because their chances of getting caught increase with the addition of more people paying attention. You can combine and share carrying the bags and packages so you are not trying to carry more than you can handle.

If you are planning on using cash to pay for your holiday purchases, please DO NOT flash the cash. Keep it in a small wallet or change purse in your front pocket and be careful of how you take it out and who is watching you. This is another reason to be aware of your surroundings. I remember years ago when I was working as a server in a restaurant, I was in a grocery store and I pulled out a huge wad of cash to pay for my purchase. The cashier gave me a funny look so I explained to her that I was a server and this was my tip money. A woman standing two or three people behind me yelled up that I shouldn’t be waving that much cash around. I replied that it was mostly singles thinking that she was weird. I had no idea at the time I had just placed a big bull’s eye on my back. I had no problems, but I could have.

Ladies – these tips are aimed at you. Do not carry a purse with you unless it’s necessary. If you must, keep it small with a long strap that you can put over your head to go across your chest. If the purse has outside pockets, do not keep anything in them and keep them facing your body. If you have your purse on your shoulder or arm, you are not only a good target for a purse snatcher, but you are more likely to set it down if you become distracted. I live in Western New York where it is now fairly cold. I put my purse, when I do carry one when I’m shopping, over my head across my chest, and then I put my jacket on. I always carry a small purse so it isn’t too much of an inconvenience. Also do not wear a lot of nice or expensive jewelry. Do not make yourself the five-finger discount store for a thief while you are out shopping for great sales.

Try to avoid putting your bags and packages down on the ground or the top of your car while you are fumbling around for your keys. Have your keys in your hand already and be aware of your surroundings when you are making your way back to your car. Also in regards to your car, do not leave bags or packages in view; that is just an invitation for your car to get broken into. Lock them in the trunk if you can. If, however, you have a hatchback or some other type of vehicle where you can see in like I do, this becomes a little more difficult. I keep either a blanket or an extra jacket in the back seat of the car and throw that over the bags. If I am making large or expensive purchases, I always make the extra trip home to unload before going anywhere else. I would rather waste gas and time than lose all my purchases to a thief because they could see everything I had in my car.

One final category of tips deals with the use of credit/debit cards. I generally will get a prepaid card with a set amount on it to prevent a catastrophic loss if the card gets stolen or lost. It also prevents overspending, but that is an entirely different subject. A prepaid credit/debit card comes with all the convenience of your regular cards, but also with a reduced risk of loss because it is not attached to your personal credit or checking accounts. A single card is much easier to carry securely than an entire wallet or purse. If you are using a card that requires a PIN, cover the hand you are entering the PIN with using your other hand or a wallet. Again, be aware of your surroundings; I can’t stress that strongly enough. If you feel someone is a little too close to you, move closer to the machine to put your PIN in. Shield your hand with not only your other hand, but also your body. Shoulder surfing is an effective social engineering technique that works any time of the year.

In closing this blog, if you take anything away from it, I hope it is to always be aware of your surroundings. Pretty much everything I mentioned comes back to being aware of your surroundings and the people that are around you. These tips apply year round, but seem to come into play more during the holiday shopping season.

Have a wonderful holiday season and as always Stay Secure!

Social Engineers Are Not Friendly Train Conductors

Social engineers may not drive a train, but they will be very friendly to you until they get what they want from you. What they want can vary from access to your building or a restricted area to stealing sensitive information regarding a project or proprietary company secrets. These are just a few of the reasons a social engineer might target you; there are many more based on where you work and what you do. Even if these reasons do not seem to apply to you, you have more usable information than you might think. A corporate spy looking for information about a certain project may target someone farther away from the project and use social engineering techniques on them. They may strike up a conversation with you and steer it towards what they want to find out about. For example, even though you may not be working on a particular project or are just working on a low level of it, a crafty social engineer will count on you being friendly and chatty about work. You could say something that you think is harmless, such as being ticked off that your boss or the project manager leaves at the same time every day while you have to stay later, or that your friend who works on that project said that she got yelled at for leaving her computer unlocked or files out when her boss does the same thing all the time. In these two examples, you just told the corporate spy that an office is left unattended at a certain time or that computers are left unsecured and files are left out in the open. It’s all right to be friendly, just watch the “over share.” I know it’s hard to not talk about work because it is such a big part of all of our lives, but just be careful how friendly you are and with whom. This also applies to friends (or people who you think are your friends) within the company. One small slip to a friend in another department and now two departments know about a situation, and so on and so on. Don’t be afraid to sound like a jerk and tell people you can’t talk about that topic.

Since the social engineer is counting on you to be friendly and polite, an effective technique that they might use to gain entry to your building or sensitive area is pretending they have misplaced their ID badge. ID badge security is a subject I approached in an earlier blog, but I didn’t really touch on this aspect of it. If someone is hanging out around a secure door and asks you to get them in because they forgot their badge, please be a jerk and don’t let them in. Follow your building’s or company’s security policy on forgotten badges. Even if you recognize the person as an employee, don’t let them in; make them follow the policy. It’s not your fault or your problem that they forgot their badge. You may feel bad about making them go out of their way to gain proper entry into the building, but think of how much worse you would feel if you were the one to let in a thief or, even worse, someone who hurts or kills someone. The reason I mention not to let someone in even if you know them to be an employee is because chances are you wouldn’t know the current status of their employment. They could have been fired very recently and are trying to get back into the building to seek revenge on the person they feel is responsible or to steal sensitive information or property. They are counting on you being friendly. Be a jerk – don’t let anyone in without proper identification.

Another example of a social engineering technique that relies on you being friendly and polite is a tech person saying they need to do upgrades on your computer that you know nothing about. The social engineer that uses this technique is counting on you not being a jerk by checking up on the legitimacy of the upgrade. They are hoping that you will figure you just missed the email and let them at your computer. Even if the tech gives you a sob story, be a jerk and check it out before you let them anywhere near your computer. Even if you don’t have sensitive information on that particular machine, malware, worms, viruses, key logging software, or back doors can be loaded onto your machine to seek out other machines or servers that may have more sensitive information on them.

I guess you could say that the lessons behind this blog are to be friendly, but not too friendly. Being too friendly could cost a lot more than you could ever imagine. Watch the “over share.” Oversharing is rarely a good thing. Just think of all the Facebook and Twitter posts that you have read that have had way too much information in them. A social engineer is counting on you to overshare. But above all else – it’s okay to be a jerk sometimes! Think of it this way: would you rather be seen as an occasional jerk because you followed policy, or the person responsible for the theft of sensitive information, property, assets, or, even worse, the loss of a life?

Stay Secure!


Passwords: Weak vs. Strong

This blog post was inspired by a short news article that I found slightly amusing. The article was about a notorious hacker that made the FBI’s most wanted list. While serving a 10-year prison sentence, he said that he didn’t know how the FBI was able to break through his encryption program to gather the evidence that led to his incarceration, but he wondered if it could have been related to his weak password. He used his cat’s name as part of his password; it was chewy123. I sat back and thought to myself, why would he use such a weak password? He of all people, a notorious hacker, should know the value of a strong, complex password. I then followed a link to another news story on the same site that said weak passwords were not always such a bad thing. That got me to thinking about weak vs. strong passwords. The second article mentioned a study that had been done, and it concluded that internet users may be better off using memorable or recycled passwords on low importance accounts because they were easier to remember. Banking, investment, medical, or any account with sensitive information should have a very strong or complex password. Some sites actually have requirements in order for a password to be acceptable. They may require a certain number of characters that include uppercase, lowercase, numbers or special characters.

The thought process behind this is that users are more likely to remember unique, complex passwords if they are only used on high value accounts. While I tend to agree with that theory, I learned while preparing my Bachelor’s thesis on cyber security that most people picked one password and used it for all their accounts. I must admit that I was once guilty of that same thing, but I have long since retired that password forever. One hacked or guessed password and all of your accounts, low or high importance, are now compromised. Even with a complex or strong password, we still tend to use familiar terms. It is far easier to remember something that means something to us than it is to remember a generic string of letters or numbers.

My biggest problem with using a recycled or memorable password on low importance accounts is: what constitutes a low importance account? Maybe I’m just overthinking this a bit (I probably am, because I usually do), but even if I deemed one account a low importance account, it will invariably lead to a more important account. I have forgotten my password to what could be considered a low importance account and have had the password sent to me in an email. Therefore, if I was like the majority of people and I used the same password for all of my accounts, a hacker would now have access to all my accounts by having requested the password to a low importance account. Even if the hacker didn’t know the password to my email account, I have seen forgotten password requests that have the option to use a different email account because you no longer have access to the original account. Granted, there are generally security questions that have to be answered, but the questions are fairly standard and, with a little bit of research on social media sites, the answers could be guessed.

A different article I read on passwords mentioned that hackers cracked a database with millions of passwords. It was found after the database was published that about one out of ten passwords contained a name or a name, year combination. Even more interesting was the frequency of the use of the words “incorrect” and “password” as the password to accounts. Computer scientists have been studying this data breach for some time now and they found that male names were up to four times more likely to show up in passwords than female names. Some of the passwords with names started with “I love”. Once again, it could be fairly easy to guess passwords like that with a little bit of social media research.

I have read that a passphrase is a more secure option when selecting a password. I agree with that to a certain extent because more than one word is harder to guess, but if you use a passphrase such as the one I mentioned in the previous paragraph, “I love” and then a name, it is easier to guess. My suggestion is to create a password from a phrase by using the first letter of the words. You can also substitute special characters for letters or use Roman numerals instead of numbers. Using this method you can still use things that mean something to you and that you will remember, but it will be much harder to guess. Using this method will also make your password harder to compromise in a dictionary attack, which is an attack that uses the words in a dictionary to guess passwords. I personally use made up words that would take a lot to be guessed. Basically I think it is best to use common sense when selecting passwords, regardless of the importance of the account. If you feel it would be easy to guess, then it probably would be easy for a hacker to guess.
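Here is the phrase-to-password method from this post, plus the kind of site password requirements mentioned at the start of it, worked through in code. This is an added example and not code from the original post: the substitution table, the 12-character minimum, and the tiny wordlist standing in for a cracker's dictionary are all my own constructed choices, and the wordlist is far smaller than anything a real dictionary attack would use.

```python
import re

# Constructed substitution table (my own choice): letter -> look-alike character.
SUBSTITUTIONS = {"a": "@", "s": "$", "o": "0", "i": "!", "e": "3"}

# Constructed stand-in for a cracking wordlist, seeded with the examples the post
# mentions (a pet's name, "password", "incorrect", "I love" + name).
WORDLIST = {"chewy", "password", "incorrect", "iloveyou", "iloveyou1", "letmein"}

ROMAN = [(1000, "M"), (900, "CM"), (500, "D"), (400, "CD"), (100, "C"), (90, "XC"),
         (50, "L"), (40, "XL"), (10, "X"), (9, "IX"), (5, "V"), (4, "IV"), (1, "I")]


def to_roman(n):
    """Standard Roman numeral for a positive integer; 0 is returned as '0'."""
    if n == 0:
        return "0"
    out = ""
    for value, symbol in ROMAN:
        while n >= value:
            out += symbol
            n -= value
    return out


def derive_password(phrase, roman=True, substitute=True):
    """Post's method: first letter of each word (case kept), numbers as Roman
    numerals, then a few special-character substitutions."""
    tokens = re.findall(r"[A-Za-z0-9']+", phrase)
    parts = []
    for tok in tokens:
        if tok.isdigit():
            parts.append(to_roman(int(tok)) if roman else tok)
        else:
            parts.append(tok[0])
    pw = "".join(parts)
    if substitute:
        pw = "".join(SUBSTITUTIONS.get(ch, ch) for ch in pw)
    return pw


def policy_failures(pw, min_len=12):
    """Which rules a site like the ones the post describes would reject.
    Returns an empty list when the password passes. min_len is an assumption."""
    failures = []
    if len(pw) < min_len:
        failures.append("shorter than %d characters" % min_len)
    if not re.search(r"[A-Z]", pw):
        failures.append("no uppercase letter")
    if not re.search(r"[a-z]", pw):
        failures.append("no lowercase letter")
    if not re.search(r"[0-9]", pw) and not re.search(r"[^A-Za-z0-9]", pw):
        failures.append("no digit or special character")
    return failures


def looks_like_dictionary_word(pw, wordlist=WORDLIST):
    """A basic dictionary-attack rule: compare case-insensitively and also
    with trailing digits stripped, so 'chewy123' still matches 'chewy'."""
    lowered = pw.lower()
    core = re.sub(r"\d+$", "", lowered)
    return lowered in wordlist or core in wordlist


if __name__ == "__main__":
    phrase = "My cat Chewy eats 3 meals a day and sleeps 2 hours"  # constructed phrase
    derived = derive_password(phrase)
    for candidate in ("chewy123", derived):
        print(candidate, policy_failures(candidate) or "passes policy",
              "dictionary hit" if looks_like_dictionary_word(candidate) else "not in wordlist")
```

The derived password is still easy to reconstruct for its owner from the phrase, but neither it nor its lowercase form appears in the wordlist, which is the whole point of the method; the cat-name password fails both the policy check and the dictionary check.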

Stay Secure!