14 Oct Cybersecurity Awareness Month, October 2022
Stay cyber aware, stay cyber safe
Cybersecurity Awareness Month relates to an initiative by the US Congress to dedicate the month of October to raising awareness about looming cyber-threats, and about ways to safeguard from them. The purpose of this globally adopted institution is to make the general public more cybersec-savvy, and more educated in the ways of cyber hygiene.
Specifically, Cybersecurity Awareness Month aims to help keep individuals, and more importantly children, safe from online abuse, identity theft, and personal information leakage. For corporations, it aims to foster the notion that businesses are part of the solution to cyber-threats, given their vast social responsibility. Lastly, Cybersecurity Awareness Month promotes cybersecurity as a professional specialty for young aspiring talents.
In light of this year’s Cybersecurity Awareness Month, here are a few cyber-threats of which everyone must be aware, as well as recommendations to minimize your exposure to them.
Social engineering refers to the manipulation of someone’s perception of reality so that they believe falsehoods and act on them to the benefit of the manipulator. A threat actor may use social engineering methods to deceive users or members of staff. This deception generally aims to grant the threat actor access to sensitive data, or to deliver a payload of malicious code onto a network. Sometimes social engineering even aims to gain physical access to secure premises.
A threat actor can appear as a government agent, or an employee of a third-party contractor of your organization, or even an interviewer for a dream job. Once they gain your trust, they can manipulate you into granting them access credentials or into downloading their malware, or even handing them your personal information, which they can then use for identity theft.
Phishing emails are the most common method of social engineering. They tend to deceive you into thinking they are from a legitimate sender so that you click on a malicious link, or download an attached payload of malware. Phishing can be especially convincing when the threat actors know your identity and other details, so they can address you by name to appear authentic. This personalized approach is called spear phishing, and it takes a keen eye for detail to spot such messages. If the wording is convincing enough, phishing can bypass even the strongest cyber defenses.
Voice Phishing or “Vishing”
Voice phishing works the same way as email phishing, but through the telephone. This can be even more convincing, as threat actors tend to take the role of a support engineer or a banker who calls to inform you of a supposed problem with your account. They then ask you to verify your identity by providing them with your personal details. In recent cases, threat actors called pretending to be from Microsoft technical support. The caller claimed there was a problem with the victim’s Microsoft account, and that they needed to act quickly to save it. All the victim had to do was to give the caller their access credentials to the organizational network so that the problem would be “fixed”. It helps to keep in mind that no legitimate support engineer would ever ask for credentials, especially not over the phone.
In general, social engineers, through phishing and other malicious techniques, use fake identities and false pretenses to deceive you, or a member of your staff. If you are not careful, you may inadvertently grant them access to your premises, network, valuable information, or to the controls of a sensitive operation. In the end, however, it is the individual responsibility of us all to stay informed, aware and vigilant of evolving social engineering tactics.
Ransomware is a form of malware that encrypts sensitive data, vital to an organization’s operations. If it manages to encrypt the right data, ransomware can render part, or the entirety, of the organization’s operations inert. Because this deprivation of information can bring a business to a standstill, threat actors use ransomware as a way to blackmail organizations. After a ransomware attack succeeds in encrypting key data, threat actors then demand ransom from the respective organization in exchange for the encryption key. With numerous examples of successful ransomware attacks against some of the largest organizations in the world, ransomware is a destructive threat with severe costs in damages and fines, not to mention irreparable reputation loss.
Extortionware is a category of malware that involves the theft of sensitive information, followed by the threat to release that information to the public unless the threat actors’ demands are met. Recent examples include the theft of a large software company’s source code by a cybercriminal group, who then blackmailed the company for ransom. Other common examples of extortionware include the theft of private information about individuals’ personal lives, carried out by infecting their personal devices.
Cybersecurity Awareness Month teaches us that organizations, as well as private individuals, must stay informed, educated and vigilant, if they are to be cyber safe in a constantly expanding threat landscape.
Here are a few simple practices to minimize your digital risk:
- With most cyberattacks involving some sort of email, you should be aware of the telltale signs of a phishing attempt against you. Check the sender’s email address, and see whether it comes from an unfamiliar or suspicious domain. Are the email’s date and time outside working hours? Does the subject line project exaggerated urgency? Is the topic relevant to you, or is it something generic that could apply to almost anyone? Most importantly, is the email urging you to take action, like downloading an attachment, clicking on a provided link, or doing anything else?
- Sophisticated phishing emails can seem extremely personalized, and directed at you personally. However, when an email urges you to download an attachment or use a link, it’s a good idea to double-check it with whoever is involved. Before you open such an email, follow a link in its body or download its attachment, you can call or email someone from the organization that the email claims to originate from. A good thing to remember about email: if it’s too good to be true, it probably isn’t. If it’s as urgent as it sounds, then it shouldn’t come by email.
- It is also a good idea to use multi-factor authentication for your corporate credentials, and even for your personal online accounts. Even if a threat actor manages to steal your credentials, they won’t get far if they also need to approve the login on a different device.
- Finally, you need a good antivirus solution for your devices, as well as firewalls and email filters. You can go over and above with a tried-and-tested VPN service to avoid Man-in-the-Middle attacks that can intercept information shared online.
- Speaking of sharing personal information, it is also good practice to limit the information you share publicly online. This is because anyone can steal your identity and pretend to be you online. They can also blackmail you with your own private information, or use it to manipulate you into falling for their social engineering tactics. So, keep your private information sharing for face-to-face interactions.
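As an added example, not part of the original article, the phishing checklist in the list above can be turned into a simple screening script for plain-text emails; the known sender domains, the working-hours window, the keyword patterns and the two sample messages are assumptions to adapt to your own organisation.

```python
import re
from email import message_from_string
from email.utils import parseaddr, parsedate_to_datetime

# Assumption: domains this organisation recognises as legitimate senders.
KNOWN_DOMAINS = {"example.com", "partner.example.org"}
WORK_HOURS = range(8, 18)  # 08:00-17:59 in the sender's own time zone (assumed)
URGENCY = re.compile(r"\b(urgent|immediately|act now|final notice|suspended)\b", re.I)
ACTION = re.compile(r"\b(click (here|the link)|download|verify your (account|identity)|reset your password)\b", re.I)

def phishing_signals(raw_email: str) -> dict:
    """Check one plain-text (non-multipart) email for the telltale signs listed above."""
    msg = message_from_string(raw_email)
    _, addr = parseaddr(msg.get("From", ""))
    domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    try:
        sent = parsedate_to_datetime(msg["Date"])
        off_hours = sent.weekday() >= 5 or sent.hour not in WORK_HOURS
    except (TypeError, ValueError):
        off_hours = True  # a missing or malformed Date header is itself a warning sign
    body = "" if msg.is_multipart() else msg.get_payload()
    return {
        "unknown_sender_domain": domain not in KNOWN_DOMAINS,
        "outside_working_hours": off_hours,
        "urgent_subject": bool(URGENCY.search(msg.get("Subject", ""))),
        "generic_greeting": bool(re.match(r"\s*dear (user|customer|sir|madam)", body, re.I)),
        "call_to_action": bool(ACTION.search(body)) or "http" in body.lower(),
    }

def assess(raw_email: str) -> dict:
    """Map the number of warning signs to the advice given in the list above."""
    signals = phishing_signals(raw_email)
    score = sum(signals.values())
    verdict = "likely phishing" if score >= 3 else "verify out of band" if score else "no obvious warning signs"
    return {"score": score, "verdict": verdict, "signals": signals}

# Constructed sample messages, not real mail.
PHISH = """From: IT Support <helpdesk@example-secure-login.net>
To: alice@example.com
Date: Sun, 09 Oct 2022 02:14:00 +0000
Subject: URGENT: your account will be suspended

Dear user, click here to verify your account: http://example-secure-login.net/verify
"""
LEGIT = """From: Bob <bob@example.com>
To: alice@example.com
Date: Tue, 11 Oct 2022 10:30:00 +0200
Subject: Notes from this morning's meeting

Hi Alice, the notes we discussed are in the shared folder. No action needed.
"""
```

Running `assess(PHISH)` flags all five signals, while `assess(LEGIT)` reports none; a score of one or two is where the advice to verify out of band applies.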