Personal and Corporate Cybersecurity Tips to Send the Hackers Elsewhere (at least for now)
By Jared Hrabak, Consulting Cybersecurity Engineer, cStor
As the world goes online and continues to deal with the global health crisis, cybercriminals are capitalizing on the opportunity, and identities and privileges are at the top of the ‘hit list.’
According to the FBI, the number of cyber-attacks being reported has skyrocketed to more than 4,000 per day, up more than 400% compared to pre-pandemic numbers. Ransomware attacks are up more than 800%, COVID-19 themed phishing and social engineering attacks are reported at 20,000 to 30,000 per day (according to Microsoft), and Interpol reports that attacks targeted towards major corporations, government and critical infrastructure are increasing at an alarming rate.1
Adapt Enough to Send Cybercrimials Elsewhere
Wow – those numbers are overwhelming! Yes, we’re being forced to change our ways at a rate we never imagined. It’s making everyone’s heads spin. Although it’s already been said in some of our past blogs, I’ll say it again here: embracing change and learning to adjust faster than ever is your biggest challenge right now. At the same time, it’s potentially your best weapon… at least to deter cybercriminals just enough to send them elsewhere, and that might be the name of the game for the foreseeable future.
Latest Cyber Attack Trend
A big part of the latest attacks cStor is seeing through customers and the industry are focused on stealing credentials for both personal and business email. Once your password is compromised, it can then be used to access private networks, other email accounts, systems and applications. So here’s the gist of what some cybercriminals are doing:
- They start by using phishing and social engineering to steal personal and/or business account credentials to use to gain application access.
- Then, they use automation to test the stolen credentials very quickly and validate access across multiple systems.
- Next, they experiment with smaller financial transactions or other actions to stay under the fraud alert and cybersecurity system triggers.
- Finally, they move in for the kill and enlarge the attack to the main target – a bigger account, whether it’s personal or corporate.
In many cases, the hackers use phishing to gain access to corporate email credentials, then use that email to create a set of inbox rules that forwards emails to the hacker’s email. And then they wait… for something juicy to arrive. More access information, sensitive data, financial account information– the list goes on. Rember, this is being done on a massive scale – it’s no wonder that cybersecurity pros are reeling.
Personal and Corporate Security Tips to Stay Ahead
So, here are a few tips to make it a little harder for the attackers, which could be enough to send them elsewhere, to easier targets both on the personal and corporate fronts.
Of course, in this environment these could change, so we’ll keep an eye on things and post a follow-up if needed.
1. Stop using the same password everywhere, and actually change them once in a while. It’s hard to tell people to do this on a personal level, I get it. Your passwords are tied to multiple accounts and it’s a pain to deal with it all. I recommend using a password keeper app to help (more on this below).
2. Use a random password generator to create more difficult passwords. It may feel like a pain, but isn’t protecting your accounts worth a little effort? Figure out a way that works for you to manage more passwords and more difficult passwords with a trusted password keeper app such as LastPass or OnePass. Here’s a helpful article from PCMag that reviews password keeper apps.
3. Stop opting to save your CC# in your browser. Maybe this makes it easier for you to speed checkout next time, but it also puts you at great risk. Many browsers will automatically save your card by default so you have to specifically UNCHECK the option to save it… please do that! If you’re uncertain about this one, my recommendation is to weigh the time it takes you to re-enter a credit card next time against the time and hassle it takes you to find and dispute fraudulent charges on your account. Seems like a simple equation… RIGHT?!
4. Use 2-factor (2FA) or multi-factor security options. Turn on 2FA or MFA to be sent a code via text message, for example, when logging in so the system can verify your identity faster. There are also some great apps where you can use adaptive 2FA all in one place for all of your accounts, such as AUTHY. Here’s a free useful comparison guide to help you compare.
5. Check haveibeenpwnd.com, a legit site to verify if your personal information has been compromised. This is a data breach search website that allows non-technical users to see if their personal information has been compromised.
Truth be told, all of the same personal tips apply to the corporate world, some just need to be tweaked and formalized in a cybersecurity policy document – and to update the policies as the evolving security environment dictates. It’s equally important to communicate and train your employees.
1. MFA is more than a nice to have, it’s a new requirement for privileged accounts. If you haven’t already rolled out MFA yet, you’re probably taking more at risk than you should. This is a great place to start, and companies like Thales offer enterprise-wide, context-based, adaptive MFA. Remember that once a hacker has access to your company, their goal is to quickly pivot to other workstations, so finding a corporate-wide answer that relies less on individual employees using the solution correctly is an important consideration.
2. MFA is not just hardware tokens anymore. I know getting employees to buy into and use a new security protocol is hard enough, let alone doling out hardware – but now it’s a little easier to manage because the good MFA solutions offer you a number of token choices including hardware, mobile apps, SMS, pattern matching, and more. You’ll still need to do the employee education part but overall, it is a great way to go.
3. Define your security process, protocols, and strategy before you buy security tools, not after. Time and again, I see clients trying to retrofit their security policy to work with a tool they’ve already purchased and rolled out. Not only is this painful, but it’s also backward. Consider your entire attack surface, what’s in the cloud, what’s on-premise, mission-critical apps vs. non-critical apps, etc., and start there. THEN, do the homework to find the right tools to fit the bill. Not only will that save you critical time and mitigate your exposure points, but it will also be a more intelligent investment.
So, I’ll end with this: Passwords are like underwear: make them sexy (unique & exotic), change them often, and don’t share them with anyone.
Did I miss anything? Send me your feedback, I’d love to hear from you to update or add on to this. Our goal is to help clients stay ahead of the curve, and bring the expertise you may not have in-house. Together, we can stay vigilant in unique times.