Keep the Smithsonian Cyber Safe

10 Security Awareness Best Practices tips

As we begin a new year, it’s important to refresh your memory when it comes to security awareness best practices. From phishing prevention and password protection to newer threats like IoT and mobile malware, we are walking you through 10 easy ways to keep yourself and your organization secure in the new year.

[Image: Hooded figure with background of streaming code]

1) Check Emails for Signs of Phishing

Phishing is a technique used by cybercriminals to acquire your personal information (such as credit card numbers or login credentials) by sending an email that is designed to look just like it came from a legitimate source but is intended to trick you into clicking on a malicious link or downloading an attachment potentially laced with malware.

Phishers often create fake email addresses that look like they belong to legitimate senders. Although the sender’s name may be visible, the actual email address is often hidden. In a Netflix phishing email, for example, the visible alias might be “Netflix Support,” but the hidden email address is “no-reply-support-team_._@qwfdt.com.” The goal is for the recipient to trust that the sender’s name is legitimate and not double-check the email address. With many users checking email on their mobile device, where the address is often collapsed out of view, this can be an easy way to trick someone with their guard down.

When you receive an email, check the sender’s name and actual address, the subject line, and where each link really points (hover over it before clicking), and be cautious of any link you were not expecting. Learn more about the framework of a phishing email here.
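The two tells described above, a display name that does not match the real sending domain and a link whose visible text points somewhere other than its real destination, can be checked mechanically. The following is an added example (not part of the original article or any Smithsonian tooling) that parses a message’s From header and HTML links and reports both mismatches. The brand-to-domain table and the sample message are constructed for the demonstration; the sample mimics the “Netflix Support” address quoted above.

```python
"""Flag two classic phishing tells in an email: a display name that does
not match the sender's address domain, and links whose visible text names
one site while the href actually goes to another.  Added example; the
sample message and the TRUSTED_DOMAINS table below are constructed."""
import email
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hypothetical brand -> expected sending domain table for the example.
TRUSTED_DOMAINS = {"netflix": "netflix.com", "smithsonian": "si.edu"}


def registrable_domain(host: str) -> str:
    """Crude eTLD+1: the last two labels of a hostname (enough for the demo)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def check_sender(from_header: str) -> list[str]:
    """Return findings about the From: header (empty list means nothing odd)."""
    display, addr = parseaddr(from_header)
    if "@" not in addr:
        return ["From header has no parseable address"]
    sender_domain = registrable_domain(addr.split("@", 1)[1])
    findings = []
    for brand, domain in TRUSTED_DOMAINS.items():
        if brand in display.lower() and sender_domain != domain:
            findings.append(
                f'display name "{display}" mentions {brand} but address domain is {sender_domain}'
            )
    return findings


class _LinkCollector(HTMLParser):
    """Collect (visible text, href) pairs for every <a> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None


def check_links(html_body: str) -> list[str]:
    """Flag links whose visible text looks like a URL for one domain while the
    href goes to a different one (what hovering over the link would reveal)."""
    parser = _LinkCollector()
    parser.feed(html_body)
    findings = []
    for text, href in parser.links:
        real_host = urlparse(href).hostname or ""
        shown = text if "://" in text else "http://" + text
        shown_host = urlparse(shown).hostname or ""
        if "." in shown_host and registrable_domain(shown_host) != registrable_domain(real_host):
            findings.append(f'link text "{text}" but href goes to {real_host}')
    return findings


def analyse(raw_message: str) -> list[str]:
    """Run both checks over a raw RFC 822 message and return all findings."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    findings = check_sender(str(msg["From"] or ""))
    body = msg.get_body(preferencelist=("html",))
    if body is not None:
        findings += check_links(body.get_content())
    return findings


# Constructed sample message modelled on the Netflix example in the article.
SAMPLE = """\
From: Netflix Support <no-reply-support-team_._@qwfdt.com>
To: someone@example.org
Subject: Your account is on hold
Content-Type: text/html; charset="utf-8"

<html><body><p>Please visit <a href="http://login.qwfdt.com/verify">www.netflix.com/account</a>
to restore access.</p></body></html>
"""

if __name__ == "__main__":
    for finding in analyse(SAMPLE):
        print("WARNING:", finding)
```

Running the block prints one warning for the sender and one for the link. The domain comparison is deliberately simple (last two labels), so a production version would use a public-suffix list and a maintained brand table rather than the two hypothetical entries here.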

2) Be Cautious of Vishing Calls

Vishing is the fraudulent practice of extracting sensitive information over the phone. Vishing scams can be carried out through direct phone calls, voicemails or even emails that ask you to call a number. Attackers often use VoIP (Voice over IP), a technology that allows calls to be placed over the Internet instead of a regular phone line; with it, caller IDs can be spoofed, making the call seem even more legitimate.

It’s crucial to remain vigilant and aware that the many emails you receive every day may include those that are trying to phish you. Cyber criminals who use vishing and other phishing methods employ tactics to catch you off-guard. Don’t fall for those that play to your emotions, like the example above, in which the email message is trying to scare you into taking quick action without thinking.

It’s also very important that you never give out your sensitive information to anyone who calls you directly. Only consider providing sensitive information over the phone if you’ve called your bank yourself, using the phone number listed on the back of your card or on the company’s website. This includes credit card information, social security number, account numbers, PINs, or any other information that could open the door for hackers.

Like phishers, vishers often use scare tactics to get you to hand over your sensitive information. Always be cautious of any phone call that uses threatening language to get your attention.

3) Know the Signs of SMiShing

SMiShing occurs when a cybercriminal sends a text (SMS) message to an individual requesting their personal information. The technique mirrors phishing attempts that occur via email, but people tend to trust a text message more than an email, which is what makes it effective.

Your first clue is receiving a text message from a number you don’t recognize. If you receive a text of this nature, read it carefully. These text messages could range from a simple link to a website or could be asking for specific personal information. They could ask you to verify your information for some reason or they could state you’ve won a contest that you never entered. Regardless of the message, no company or service would ever ask for personal information over a text.

Here are some steps you can take to avoid being SMiShed: don’t reply to the text message, call the business to verify any changes, check the phone number, do your research, look at the time of the text, and don’t store your banking information on your phone.

4) Use a Strong Password

When creating a strong password, it’s important to remember to use as many characters as possible while also using a mix of letters, numbers, and special characters. Once you’ve determined your strong password, never write it down or share it with anyone – that includes your web browser.

Do not reuse passwords – when you need to change a password, create an all-new one. It can be helpful to use password management software to help you manage multiple strong passwords.

Change your password immediately if you think one of your accounts has been hacked. (If this happens at work, report the incident immediately.) Using two-factor authentication whenever possible can help prevent your password from being compromised.
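The password advice in this section (use as many characters as possible, mix letters, numbers and special characters, and never reuse an old password) is the kind of rule an account system can enforce at password-change time. The following is an added example, not code from the article or from the Smithsonian, showing a policy check plus a reuse check against a history of salted PBKDF2 hashes, so that previous passwords are never kept in the clear. The 12-character minimum and the sample password history are assumptions made for the example; the article itself gives no number.

```python
"""Added example: enforce the article's password advice (length, character
mix, no reuse) against a history of salted hashes.  MIN_LENGTH is an
assumption for the example; the article only says 'as many as possible'."""
import hashlib
import hmac
import os
import string
from typing import Optional

MIN_LENGTH = 12          # assumed minimum; the article gives no number
PBKDF2_ROUNDS = 200_000  # PBKDF2-HMAC-SHA256 work factor for history entries


def policy_problems(password: str) -> list[str]:
    """Return the rules the candidate password breaks (empty list = passes)."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    classes = {
        "lowercase letters": any(c.islower() for c in password),
        "uppercase letters": any(c.isupper() for c in password),
        "numbers": any(c.isdigit() for c in password),
        "special characters": any(c in string.punctuation for c in password),
    }
    for name, present in classes.items():
        if not present:
            problems.append(f"missing {name}")
    return problems


def hash_for_history(password: str, salt: Optional[bytes] = None) -> tuple[bytes, bytes]:
    """Salted PBKDF2 hash suitable for storing in a password-history table.
    A fresh random salt is drawn when none is supplied."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt, digest


def was_used_before(password: str, history: list[tuple[bytes, bytes]]) -> bool:
    """True if the candidate matches any (salt, digest) pair in the history.
    Each entry is re-derived with its own salt and compared in constant time."""
    for salt, digest in history:
        _, candidate = hash_for_history(password, salt)
        if hmac.compare_digest(candidate, digest):
            return True
    return False


def validate_new_password(password: str, history: list[tuple[bytes, bytes]]) -> list[str]:
    """Combine the policy check and the reuse check; an empty list means accept."""
    problems = policy_problems(password)
    if was_used_before(password, history):
        problems.append("reused a previous password; create an all-new one")
    return problems


if __name__ == "__main__":
    # Constructed history of two earlier passwords, kept only as salted hashes.
    history = [hash_for_history("Old-Password-2019!"), hash_for_history("Torch#Reader42")]
    for candidate in ["short1!", "Old-Password-2019!", "Correct Horse Battery 9 Staples!"]:
        print(candidate, "->", validate_new_password(candidate, history) or "OK")
```

Because the history holds only salted hashes, the reuse check can detect an identical old password but not a near-variant of one; that limitation is the price of not storing old passwords in recoverable form, and is why the article’s advice to create an all-new password each time still matters.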

5) Practice Social Media Safety 

Although social media can be a great way to connect with friends and family, it can also be an easy way for cyber-criminals to acquire personal information about you to use when trying to hack your accounts. It’s important to remember to avoid posting any identity information or personal details that might allow a hacker to guess your security questions or passwords.

Social platforms can also be an easy way for cyber-criminals to share phishing links with unsuspecting users. Be cautious of any “social media deals” or promotions that include links and look too good to be true. In addition to infected links, scammers will try to acquire your credit card information through fake websites.

6) Update Devices to Prevent Ransomware

Ransomware is malware that finds its way into your system, blocks access to your files and data, and demands payment in order to restore your access. The cybercriminal responsible for the ransomware infecting your computer has encrypted your files, often renaming them with new file extensions, and is essentially holding your data or network hostage until you pay the requested fee.

To reduce your exposure to a ransomware attack, don’t leave any devices (computers and printers included) on 24/7. Turn them on only when needed and disconnect them from the internet (and even the power source) when not in use. But first and foremost: UPDATE! UPDATE! UPDATE! This goes for mobile devices, IoT devices, computers, routers, printers, all software, and all apps! Don’t forget to update your operating systems. If you are on an old version that is no longer serviced by its provider (e.g. Windows XP, Android 5 and below, or iOS 9 and below), then it’s time to invest in an upgrade.

7) Practice Mobile Security

With your wallet as their golden ticket, cyber criminals are churning out mobile banking malware as their top-selling app on the dark web. These banking malware strains can steal payment data, credentials and funds from victims’ bank accounts, and make fraudulent purchases with victims’ credit card information. Fake apps and malicious links with this malware pre-embedded are spreading across every part of the cyber landscape. Be wary of clicking on links that show up in text messages, social media feeds, advertisement pop-ups, email, and gaming platforms. Download apps from trusted sources only. Check the app reviews for anything suspicious like “too many ads,” “runs the battery down,” and “always freezes up my app or device.” Don’t fall for the fake app trap.

8) Ensure the Devices in Your Home Are Secure

IoT (Internet of Things) devices can add a significant amount of convenience to our lives. However, securing these devices and this new technology is still a major hurdle, and by bringing them home unsecured we are opening our homes up to invasion. It is very easy for cyber criminals to gain access to our networks through these weak devices. With one attack, they can burn your house down by gaining control of your smart oven. With the same attack multiplied throughout your whole neighborhood of smart appliances, they can cause a mass fire or shut down the power grid by overloading the systems.

Check Point Software Technologies recommends “a more holistic approach to IoT security, with a combination of traditional and new controls to protect these ever-growing networks across all industry and business sectors.” One thing is for sure: security needs to be baked into the design of these devices rather than slapped on as an afterthought. Just as we recall vehicles with safety defects, IoT devices without proper security features should be recalled and taken off the market. Regulations need to be put in place.

For the consumer: take advantage of technological conveniences, but weigh the risks first. If possible, segregate your IoT devices onto their own network (for example, a separate Wi-Fi network or guest network) so that your computer and mobile devices are not sharing the same network as your smart home gadgets.

9) Use Cloud Security to Protect Your Company’s Data

Better cloud security starts with good planning and continues with ongoing education and training. Security practices should become second nature in a data-conscious company, and a company should be willing to update its policies to cope with new threats. The precise implementation of better cloud security varies depending on your company’s needs, but there are 5 key elements that every company should integrate into its security practices when dealing with the cloud: encrypting data, managing access, testing the cloud environment, creating security policies, and educating employees.

10) Be Aware of In-Person Social Engineering

While phishing has become the most common form of social engineering, there are still many other forms that can be a danger to any organization. As we have become more and more vigilant against clicking on malicious links in suspicious emails, some social engineers have gone back to the classic person-to-person approach.

The basic social engineering strategy is to prey on vulnerabilities in human nature, such as trust, fear, politeness, and helpfulness, rather than technical vulnerabilities in computer programs. Social engineers have done their research and are experts in manipulation. For example, an attacker may try to build rapport with you by finding common interests and then ask you for a “favor,” or an attacker may call you pretending to be an executive in order to exploit your tendency to comply with authority figures.

Social engineers are clever impostors, but they can be easily thwarted when you know how to spot them. Always maintain a healthy sense of skepticism when dealing with unknown individuals, especially if they ask for sensitive information.

Posted: 8 January 2020
About the Author:

The Torch relies on contributions from the entire Smithsonian community.