
Cybersecurity: Where does it begin? Where does it end?

Mitchell Feather, Vice-President, Creative Associates


It seems like every day brings news of more cyber threats and breaches, which seems to leave you with more questions than answers. Has my information been stolen? How should I respond? What can I do to protect myself? What can I do to detect and avoid threats?

Companies may take measures to protect – or share – your information. Regardless of new technologies, tools, patches, laws, and regulations, there is one unwavering fact: Cybersecurity begins with you – and ends with you. What you do or don’t do is critical and that cannot be overemphasized. When it comes down to it, you control what you do or don’t do to protect yourself, your money, and your information. And you cannot delegate that responsibility.

Protect Your Tools and Toys: The first thing you should do, if you haven’t already, is to ensure that you have installed the appropriate software and that the appropriate settings have been enabled (or disabled) to protect your computers, smartphones, tablets, etc.

You should have antivirus/antimalware software/apps installed on all of your devices. There are a number of very good products to choose from such as Sophos, McAfee, and Malwarebytes. Even though it might be tempting to install just free versions of some of these, you should look at the paid versions. They generally offer more features that can enhance your security and peace of mind.  

One thing that you must NOT do is respond to pop-up alerts that warn you that your device has been infected and recommend that you click on a link or button to install software to protect your computer or device. If you click on that link or button, you will probably achieve just the opposite and infect your device. More about this later.

Sometimes, while browsing websites, you may end up on a malicious web page that results in your computer or device becoming infected. This is why a utility like McAfee’s WebAdvisor can be very helpful, and it is a free download which offers a number of protections. If you are looking for similar utilities, be careful with what you find in your search results. Some malicious threat actors have paid ads for product names that sound very legitimate but, in reality, are carefully thought-out schemes that are designed to trick you into installing malicious software.

Plan For the Worst: Sometimes, no matter how hard you try, bad things still seem to happen, such as lost or stolen smartphones or computers or ransomware infections. This is one of the reasons you should always make backups of your devices – and keep the backups current. Procedures vary depending on the type of device. For Windows and Apple computers, you can back up to hard drives you have physically connected to your computer, or you can back up to a number of cloud services. For Android and Apple devices, there are settings on the devices to allow for automatic backups to Google or iCloud, respectively. Whether you are backing up to a USB-connected hard drive or to a cloud storage service, you want to make a practice of disconnecting it from the computer after you make the backup. Some variants of ransomware are “smart” enough to not only access all of your computer’s files, but they will also seek out any backups you may have and gain access to those as well.

Now, Assume the Worst: It is not unrealistic to assume that your personal and/or financial information has already been compromised by one or more of the many breaches that have occurred last year or prior. This means that you should be monitoring your financial assets.

You are entitled to a free copy of your credit report from Equifax, Experian, and TransUnion every 12 months. Nobody says that you have to take them all at once. Spread them out so you are getting a copy of your credit report every 4 months and review them carefully for signs of unusual activity or identity theft. You can order the free reports from annualcreditreport.com. That same website can also help explain what you should be looking for when you review your credit report. And do not think somebody is too young or too old to bother with this task. If somebody has a Social Security number, then their credit reports should be monitored.

Also, many banks now offer free credit score monitoring for their credit card customers. Depending on the bank, the information they offer will vary. But, generally, they will tell you if your credit score has moved up or down and provide some insight as to why it changed.

Talking About Credit Cards and Banks: Most banks offer notification options, so you can be kept informed regarding any activity. Some banks will allow you to set an alert so that you can be notified if there is any credit card charge activity, even as small as a few cents. This may seem a little extreme, but some fraudsters will run extremely small charges to test if credit card numbers are still valid while maintaining a low profile.

If you have not already, you should take other steps to secure your credit card and online banking accounts. Specifically, you should find out whether your online banking websites offer two factor authentication. If they offer two factor authentication, also known as 2FA, I strongly recommend you implement it. This advice extends beyond just online banking. You should implement 2FA for any of your online services that offer it: banks, brokerage accounts, telephone company, gas/water/electric utilities, email, Google, Facebook, etc. What if your bank does not offer two factor authentication? You may want to consider changing banks. You can find a list of banks, as well as other businesses and services, which support 2FA at https://twofactorauth.org.

Two factor authentication is based on two pieces of information rather than just a password. These factors can be various combinations of things like something you know (e.g., passwords or PINs), something you have (e.g., ATM card, smartphone), or something you are (e.g., fingerprint, voice print, or facial recognition). For greater security, we sometimes use more than 2 factors. This is referred to as multi-factor authentication, or MFA. This is an area that is always changing in an effort to create methods that are more secure but also easier for you to use. Currently, the most common 2FA implementations you will find include sending you a security code by text message (SMS), by telephone call, or by email. Be careful if you access any of your online sites from a smartphone and you have the security code sent to the same smartphone. If your smartphone gets lost or stolen, you may find yourself or your accounts a little vulnerable.

Many online websites also take advantage of security questions (e.g., In what town was your elementary school?, where did you meet your spouse?, etc.). I strongly advise you to lie when you answer these questions. Use answers that are totally irrelevant (e.g., What is your favorite color? Answer: “Outer Mongolia”) and meaningless to you or somebody else. Nobody says you have to tell the truth. All you have to do is remember your answers. And do not use the same questions or answers among different websites.

Let’s Pass on Passwords: Probably as far back as you can remember, you’ve been saddled with the task of creating and remembering passwords to access all sorts of information. Some of you used easily-remembered personal details like your anniversary date, your spouse’s name, your pet’s name, your mother’s maiden name, etc. Some of you may have just used easily remembered words such as your favorite food or flower. Some of you still use “password12345” or “qwerty” as your password. Even worse, many of you use the same password for many of your online login passwords.

There are serious security risks associated with these practices: If you use personal information as a password, a threat actor can figure out that password just by researching your personally identifiable information. Common words as passwords are also easily determined by threat actors by use of tools called password crackers, which use large dictionaries.

You are better protected by using complicated collections of letters, numbers and symbols, such as “P^MP2F7~HRnZ)LU”. You can also better protect yourself by using passphrases instead of passwords, complete with spaces when allowed. Additionally, replace some letters with numbers and symbols. You can go with lyrics to a song, poetry lines, etc. As an example, consider the lyrics of Over the Rainbow: Start with “Somewhere over the rainbow Way up high.” Replacing letters with numbers and/or symbols, this can become “50meWh3r3ov3rther@!nb0w#wAyupHi!”. Or you can take just the initial characters of each word and put those together and similarly swap out some letters. This can become: “50TrWuH!” Just use your imagination: the more complicated it is, the safer you are.
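As an added illustration of the password advice above (this is example code written for this page, not part of the original post), the script below mimics what a password cracker does with a dictionary: it strips the digits and symbols people tack onto the ends of a word, undoes the common letter-for-symbol swaps, and looks the result up in a word list. The word list, the swap table, the "personal details", and the mangling-rule count are all constructed for the example. It also gives a rough upper-bound estimate of the search space for a random-looking string such as “P^MP2F7~HRnZ)LU” or the initials-based “50TrWuH!”.

```python
"""Constructed example: why single words (even with character swaps) and
personal details make weak passwords, with a crude search-space estimate."""
import math
import re

# Constructed stand-in for the multi-million-entry lists that password
# crackers load; membership is what matters here, not size.
COMMON_WORDS = {"password", "qwerty", "letmein", "rainbow", "sunshine", "welcome"}

# Constructed "personal details" of the kind the post warns against
# (a pet's name, a maiden name, an anniversary as MMDD).
PERSONAL_FACTS = ["rex", "smith", "0614"]

# Letter-for-symbol swaps that a cracker's mangling rules reverse before lookup.
LEET_MAP = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a",
                          "5": "s", "7": "t", "@": "a", "$": "s", "!": "i"})
# Digits and symbols commonly padded onto the ends of a word.
PADDING = "0123456789!@#$%^&*()_+-=.,?~"
# Assumed number of mangling variants a cracker tries per dictionary word.
MANGLING_RULES = 8


def normalize(candidate: str) -> str:
    """Strip end padding and undo swaps, the way a cracker's rules would."""
    return candidate.strip(PADDING).lower().translate(LEET_MAP)


def dictionary_hit(candidate: str) -> bool:
    """True if the candidate is just a word-list entry in disguise."""
    return normalize(candidate) in COMMON_WORDS


def personal_hit(candidate: str, facts=PERSONAL_FACTS) -> bool:
    """True if a known personal detail appears in the candidate."""
    lowered = candidate.lower()
    core = normalize(candidate)
    return any(f in lowered or f in core for f in facts)


def estimate_bits(candidate: str) -> float:
    """Upper-bound size of the search space a cracker faces, in bits."""
    if not candidate:
        return 0.0
    if dictionary_hit(candidate):
        # Word list times a handful of mangling rules: a tiny space.
        return math.log2(len(COMMON_WORDS) * MANGLING_RULES)
    pool = 0
    if re.search(r"[a-z]", candidate):
        pool += 26
    if re.search(r"[A-Z]", candidate):
        pool += 26
    if re.search(r"[0-9]", candidate):
        pool += 10
    if re.search(r"[^A-Za-z0-9]", candidate):
        pool += 33  # printable ASCII symbols
    # Assumes each character was chosen uniformly at random, so this
    # flatters a passphrase built from a well-known song lyric.
    return len(candidate) * math.log2(pool)


def assess(candidate: str) -> str:
    """One-line verdict combining the three checks."""
    if personal_hit(candidate):
        return "weak: contains a personal detail"
    if dictionary_hit(candidate):
        return "weak: dictionary word (letter swaps do not help)"
    return "strong" if estimate_bits(candidate) >= 60 else "moderate"


if __name__ == "__main__":
    for pw in ["password12345", "p@ssw0rd", "Rex2010!", "50TrWuH!",
               "P^MP2F7~HRnZ)LU", "50meWh3r3ov3rther@!nb0w#wAyupHi!"]:
        print(f"{pw:36s} {estimate_bits(pw):6.1f} bits  {assess(pw)}")
```

Run it as-is to see that “p@ssw0rd” collapses back to “password” and scores only a few bits, that a pet name with a year appended is caught, and that the short initials string “50TrWuH!” lands in the middle while the long passphrase and the random string score highest. The bit estimate is deliberately generous; its purpose is to show the gap between a mangled dictionary word and a genuinely long, mixed string, not to certify any particular password.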

Remember not to use the same password or passphrase with more than one account. And change your passwords regularly. Also, if you get notified or read that any service that you use has been breached or compromised in any way, immediately change that password/passphrase.

Also, it is very important to remember to change the default passwords on any software service to which you subscribe or any hardware that you purchase. This is especially true for any internet routers, switches, wireless cameras, televisions, appliances, etc. The FBI and other agencies have released alerts warning about threat actors from foreign countries that are trying to penetrate these devices.

You Expect Me To Remember This?: You have now decided to follow all of my advice about passwords. Remembering all of these passwords may prove to be more than challenging. Fortunately, there are some very good password managers available to you. Some are available for free; some you have to pay for. Two of the better password managers are Dashlane and LastPass.

Rein In Your Privacy: Now that we’ve covered the basics, let’s turn attention to keeping your information more private and less at risk. You should review and adjust some of your web browser settings. Additionally, you should review and adjust your privacy settings on your social media sites and other online accounts.

Check your web browser settings for privacy and security settings. There, you will find a number of options that would be useful to you. With Chrome, for example, you will find settings like “Protect you and your device from dangerous sites” and “Send a ‘Do Not Track’ request…”. I recommend enabling both of them. You will also find settings like “Automatically send usage statistics…” I recommend that you seriously consider whether or not you want to share this private information with Google.

You will also find a section to enable or disable the capability to Autofill information when you need to fill out online forms. I strongly recommend that you disable this functionality. Among the many reasons is the possibility that a threat actor can set up a web page to secretly retrieve all the fields of information that you have stored in the autofill feature. You should also NEVER store credit card information in a web browser’s autofill feature.

With your online accounts like Google and Facebook, you will see features like privacy checkup and security checkup. You should perform these checkups and appropriately limit which features are enabled and what information you are allowing to be tracked. In the case of Google, as an example, this may include actual recording of your voice. You can – and should – purge any of this tracking information that you do not wish to be shared and/or stored. Also check your social media settings such that you only share information and files as you desire.

Time To Be Diligent: Now that you have addressed many of your hardware, software, and account settings tasks, you come to the never-ending task: Be Diligent! The greatest risk to you is social engineering. Threat actors are always trying to take advantage of you by getting you to lower your guard, causing you to panic, taking advantage of your trusting nature, etc. All it takes is one click on a link or opening one attachment to cause all kinds of problems for yourself and possibly others. These social engineering attempts, also known as phishing, can appear as very legitimate-looking emails or websites. It might appear as a PDF attachment in an email, a DocuSign email, a link to a Dropbox document, an alleged invoice, or a multitude of others.

The rule is a simple one: if you are sent an attachment or an email telling you to click on a link and you do not recognize the source, do NOT open it nor click on the link. If you recognize the sender of the email but you are not expecting the attachment, call the sender by telephone and ask him/her if he/she really sent you the attachment or link. Do NOT just reply to the email and ask if it is legitimate because you may not be sending the email to the individual that you think you are sending it to.

There are many websites that you can visit to learn more about phishing or where you can take phishing quizzes. A good starting point is www.phishing.org.

Don’t Be Proud or Shy: Some phishing attacks are so realistic and so well done that trained professionals can sometimes be fooled. So do not be embarrassed if you are not sure what to do or you are afraid your device or your information may have been compromised. Ask someone you trust for help. Or file a complaint with agencies like the Internet Crime Complaint Center (www.ic3.gov) or the Federal Trade Commission (www.ftc.gov). If you really don’t know where to turn, you can always reach out to your local police department for assistance. If they cannot help you, they can help steer you to appropriate individuals for help.


©2018 by The LBC Group, Inc. All rights reserved