As a regular reader of Tripwire, you are aware that October is National Cyber Security Awareness Month. Way back in 2015, when the world was an entirely different place, I contributed an article that offered some tips for protecting yourself. Those tips are still relevant:
- Password management. This should be very old news, but the majority of the population still does not use a password manager.
- Multi-factor authentication. Fortunately, many online institutions (mostly financial) now force multi-factor in order to transact any business.
- How do you connect? Similar to password management, many folks still do not hesitate to connect to any open Wi-Fi connection. This is still a bad idea.
- Remember the basics. The simple lesson here is to learn to recognize a scam early.
Since that article, other scams have taken a front seat in compromising our security. They are not new, but they seem to be the new “flavor of the day.” Some of the more prevalent scams include:
- Credential theft. This is the one where you are taken to a fraudulent Office 365 (or similar) login page, and if you fill in your username and password, that information is sent to a scammer. The risk here is that if you use that same username and password anywhere else on the internet, those accounts can be taken over by the scammers as well.
- Ransomware – the current scourge of the internet. Again, this is not new, but the social engineering tactics are becoming much craftier, tricking people into clicking a malicious link or navigating to a compromised site.
How can you protect yourself from these top threats? If you are following the steps described earlier, you are in better shape than most, and I applaud you. Here are a couple of other tips:
- If you use a password manager, you are fairly well protected from a phony credential page: the manager knows the true page and will not fill in your credentials on a mimicked site.
- If you want an extra layer of protection from fraudulent sites that use hidden Unicode characters to look like the authentic site, a plug-in such as IDN Safe can help.
- Pay attention to the security awareness training offered by your employer. Even though you may be more security savvy than most, it is always best to review the trainings with a fresh – almost a beginner’s – approach.
Like all training, security awareness training must be practiced, or else it is forgotten. Think about first responders who practice the same drills multiple times. If you ever see first responders during these drills, they treat them very seriously, as if it were the real event. Why do they do this? They treat drills like the real thing to force it to become a habit. Remember, practice makes permanent. Do the same with your security awareness training.
Don’t gloss over or rush through it, even if you have done it a hundred times before. It will make it so much more valuable when you encounter the real thing. Here’s wishing you continued security during National Cyber Security Awareness Month and all other months.
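The IDN lookalike problem mentioned above, as an added example that is not part of the original article nor the IDN Safe plug-in: it decodes punycode (`xn--`) labels to the form a browser would display and reports whether a hostname is plain ASCII, an IDN, or an IDN whose label mixes scripts (the usual homograph tell). The hostnames are constructed for the demo; only the Python standard library is used.

```python
"""Flag internationalized (IDN) hostnames that may be homograph lookalikes.

Browsers render punycode ("xn--") labels in Unicode, so a label of Cyrillic letters can look
identical to a Latin brand. A plug-in like IDN Safe simply warns on every IDN label; this
checker also reports which scripts a label mixes."""
import unicodedata


def decode_host(host: str) -> str:
    """Return the Unicode form of a hostname, decoding any punycode (xn--) labels."""
    # Python's built-in 'idna' codec decodes xn-- labels; plain ASCII labels pass through.
    return ".".join(
        label.encode("ascii").decode("idna") if label.startswith("xn--") else label
        for label in host.lower().split(".")
    )


def scripts_in(label: str) -> set:
    """Collect the script names (LATIN, CYRILLIC, ...) of the letters in one label."""
    # The first word of a character's Unicode name is its script for the alphabets that
    # matter here; digits and hyphens are skipped because they are script-neutral.
    return {unicodedata.name(ch, "UNKNOWN").split()[0] for ch in label if ch.isalpha()}


def assess_host(host: str) -> dict:
    """Classify a hostname as 'ascii', 'idn' (non-ASCII letters) or 'mixed-script-idn'."""
    decoded = decode_host(host)
    labels = decoded.split(".")
    verdict = "ascii"
    if not decoded.isascii():
        verdict = "mixed-script-idn" if any(len(scripts_in(lab)) > 1 for lab in labels) else "idn"
    return {
        "input": host,
        "decoded": decoded,
        "scripts": sorted(set().union(*(scripts_in(lab) for lab in labels))),
        "verdict": verdict,
    }


# Constructed sample hostnames (hypothetical): LOOKALIKE starts with Cyrillic 'е' (U+0435)
# followed by Latin letters; ALL_CYRILLIC spells 'cape' entirely in Cyrillic letters.
LEGIT = "example.com"
LOOKALIKE = "еxample.com"
ALL_CYRILLIC = "саре.com"
# The form a phishing link would carry is punycode; produced here with the same stdlib codec.
LOOKALIKE_PUNYCODE = LOOKALIKE.encode("idna").decode("ascii")

if __name__ == "__main__":
    for host in (LEGIT, LOOKALIKE_PUNYCODE, ALL_CYRILLIC):
        print(assess_host(host))
```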