National Cybersecurity Awareness Month: 4 Simple Steps to Staying Secure

Making the most of technology safely and securely can seem overwhelming and confusing. However, regardless of what technology you are using or how you are using it, here are four simple steps that will help you stay secure.

1. You: First and foremost, technology alone cannot fully protect you; you are your best defense. Attackers have learned that the easiest way to get what they want is to target you rather than your computer or other devices. If they want your password, credit card, or control of your computer, they’ll attempt to trick you into giving it to them, often by creating a sense of urgency. For example, they might call you pretending to be Microsoft tech support and claim that your computer is infected, when in reality they are just cyber criminals who want you to give them access to your computer. Or perhaps they send you an email warning that your package could not be delivered and pressuring you into clicking a link to confirm your mailing address, when in reality they are tricking you into visiting a malicious website that will hack into your computer. Ultimately, the greatest defense against attackers is you. By using common sense, you can spot and stop many attacks.

2. Passphrases: Modern computing speeds have made the old, eight-character password outdated and vulnerable. When a site asks you to create a password, create a strong and unique passphrase instead. A passphrase is a type of password that uses a series of words that is easy to remember, such as "bee honey bourbon rain". The longer your passphrase is, the stronger it is. A unique passphrase means using a different one for each device or online account. This way, if one passphrase is compromised, all of your other accounts and devices are still safe. Can’t remember all those passphrases? Use a password manager, which is a specialized program that securely stores all your passphrases in an encrypted format (and offers lots of other great features as well).

Finally, enable two-step verification (also called two-factor or multi-factor authentication). It uses your password but also adds a second step, such as entering a code sent to your smartphone or from an app that generates the code for you. Enabling two-step verification is probably the most important step you can take to protect your online accounts, and it’s much easier than you may think.

3. Updating: Make sure each of your computers, mobile devices, programs, and apps is running the latest version of its software. Cyber attackers are constantly looking for new vulnerabilities in the software your devices use. When they discover vulnerabilities, they use special programs to exploit them and hack into the devices you are using. Meanwhile, the companies that created the software for these devices are hard at work fixing the vulnerabilities by releasing updates. By ensuring your computers and mobile devices install these updates promptly, you make it much harder for someone to hack you. To stay current, simply enable automatic updating whenever possible. This rule applies to almost any technology connected to a network, including internet-connected TVs, baby monitors, security cameras, home routers, gaming consoles, and even your car.

4. Backups and recovery: No matter how careful you are, you still may be hacked. If that is the case, often the only way to restore all of your personal information is from backup. Make sure you make regular backups of any important information and verify that you can restore your data from them. Most operating systems and mobile devices support automatic backups, either to external drives or to the cloud.

h/t SANS Ouch!

How the World’s First Digital Circuit Breaker Could Completely Change Our Powered World

This week the world’s first and only digital circuit breaker was certified for commercial use. The technology, invented by Atom Power, has been listed by Underwriters Laboratories (UL), the global standard for consumer safety. This new breaker makes power easier to manage and 3000 times faster than the fastest mechanical breaker, marking the most r…

Getting Scammed Through Social Media

Many of us have received phishing email, either at work or home. These emails look legitimate, such as from your bank, your boss, or your favorite online store, but are really an attack, attempting to pressure or trick you into taking an action you should not take, such as opening an infected email attachment, sharing your password, or transferring money. The challenge is, the more savvy we become at spotting and stopping these email attacks, the more cyber criminals try other ways of contacting and scamming us.

Attempts to scam or fool you can happen over almost any form of communication you use—from Skype, WhatsApp, and Slack to Twitter, Facebook, Snapchat, Instagram, and even gaming apps. Communication over these platforms or channels can feel more informal or trustworthy, which is precisely why attackers are using them to fool others. In addition, with today’s technologies, it has become much easier for any attacker anywhere in the world to pretend to be anything or anyone they want. It is important to remember that any communications that come your way might not be what they seem and that people are not always who they appear to be.

Here are the most common clues that a message you just received or a post you just read may be an attack:

Urgency: The message has a sense of urgency that demands “immediate action” before something bad happens, like threatening to close your account or send you to jail. The attacker wants to rush you into making a mistake.

Pressure: The message pressures you to bypass or ignore policies or procedures at work.

Curiosity: The message invokes a strong sense of curiosity or promises something that is too good to be true. No, you did not just win the lottery.

Sensitive: The message includes a request for highly sensitive information, such as your credit card number or password, or any information that you’re just not comfortable sharing.

Official: The message says it comes from an official organization, but has poor grammar or spelling. Most government organizations will not use social media for official communications directly with you. If you are not sure if the message is legitimate, call the organization back, but use a trusted phone number, such as one from their website.

Impersonation: You receive a message from a friend or co-worker, but the tone or wording just does not sound like them. If you are suspicious, call the sender on the phone to verify they sent the message. It is easy for a cyber attacker to create messages that appear to be from someone you know. In some cases, they can take over one of your friends’ accounts and then pretend to be your friend and reach out to you. Be particularly aware of text messages, Twitter, and other short message formats, where it is more difficult to get a sense of the sender’s personality.

You are the best defense against scams, cons, and attacks like these. If a post or message seems odd or suspicious, simply ignore or delete it. If it is from someone you personally know, call the person on the phone to confirm if they really sent it.

h/t SANS Ouch!

Mexico City residents carry fake iPhones to turn over to muggers

An increase in armed muggings has caused a spike in sales of dummy smartphones that at first glance look real. (You can buy one from Amazon for around $20.) Apparently they were first sold as display items to electronics stores wanting to protect their real inventory from smash-and-grabs. From the…

Elon Musk’s Boring Company Secures $48.6 Million Contract in Las Vegas Despite Embarrassing Demonstration in L.A.

The city of Las Vegas has approved a $48.6 million contract for Elon Musk’s Boring Company to build an underground transit line that’s scheduled to be completed by January 2021, just in time for the Consume…