The pandemic moved a big chunk of work-related activity online, which widens the ways in which our private data can be exposed and exploited. So, to find out what to do in these situations and to mark the European Cybersecurity Month, we spoke with Nicușor Nedelcu, IT Security Engineer and Ethical Hacker at CGM, in our Group Information Security Department.
Here are some mistakes that, according to Nicușor, make it easier for hackers to get your data or, in the worst case, gain control over your PC. You can never be 100% safe, but there are things we can do to keep our data, PC and network safe.
1. Surely it cannot happen to me! – Everything you read about hackers' techniques and attacks can, in the right context, happen to you too. So make sure you take all the measures to protect your data and your PC from any external, unauthorized access.
2. Insecure and publicly kept passwords – „The most common mistake people make is using the name of a pet or loved one, a street address or similar term that an attacker can quickly find out, as a password. Secure passwords contain letters (both upper and lower case), numbers and special characters. Passwords should also be changed at regular intervals. Common practice, still a bad idea: Writing the password onto a piece of paper and sticking it to the memo board behind your desk. If you then use your webcam in the public domain, you could just as well share your password on Twitter.” (Source here)
3. Using the same password for different purposes – In an effort to keep things simple, many users set the same password for different accounts. An alternative to this practice is to use a password manager.
4. Phishing and Spear phishing – Even though (almost) everyone has heard of phishing, it is still the most common type of cybercrime. An initial attack often involves a phishing email. These emails make a user open an attachment or click on a link, which then loads and activates malware. Many phishing mails come in as spam and can be easily identified. „According to the FBI, phishing was the most common type of cybercrime in 2020”. (Source here, and also some interesting statistics).
Spear phishing – The attacker addresses a specific person and makes his intention appear legitimate, sometimes even reinforced by a friendly telephone call. The malware can be hidden in an application letter to Human Resources or in an invoice to the procurement department. For this the cyber-criminal needs the skills to communicate and appear credible. He also has to forge the email's sender ID to make his claim believable (source here).
5. Software is not up-to-date – Always keep your software up to date! Updates fix a lot of issues, and among them are security issues. Even when your anti-virus fails to detect suspicious activity, up-to-date software can still detect and intercept it.
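What points 2 and 3 boil down to in code, as an added example that is not part of the original article: a password is checked against the character-class rules from the quote above, a fresh random password is drawn from the operating system's CSPRNG the way a password manager would do it, and a vault is scanned for the same password reused across accounts. The 12-character minimum, the special-character set and the sample vault are assumptions for this example.

```python
import secrets
import string

# Assumed policy for this example (not from the article): at least 12 characters
# and all four character classes named in the quote above.
MIN_LENGTH = 12
SPECIAL = "!@#$%^&*()-_=+[]{};:,.?/"


def policy_failures(password: str) -> list[str]:
    """Return the rules the password breaks; an empty list means it passes."""
    failures = []
    if len(password) < MIN_LENGTH:
        failures.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.islower() for c in password):
        failures.append("no lower-case letter")
    if not any(c.isupper() for c in password):
        failures.append("no upper-case letter")
    if not any(c.isdigit() for c in password):
        failures.append("no digit")
    if not any(c in SPECIAL for c in password):
        failures.append("no special character")
    return failures


def generate_password(length: int = 16) -> str:
    """Draw a password from the OS CSPRNG (secrets), retrying until it passes the policy.

    A password manager does the same thing for every account: a fresh random
    value that nobody can derive from a pet's name or a street address.
    """
    if length < 4:
        raise ValueError("length must allow one character of each class")
    alphabet = string.ascii_letters + string.digits + SPECIAL
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if not policy_failures(candidate):
            return candidate


def reused_passwords(vault: dict[str, str]) -> list[list[str]]:
    """Group the accounts of an {account: password} mapping that share one password."""
    by_password: dict[str, list[str]] = {}
    for account, password in vault.items():
        by_password.setdefault(password, []).append(account)
    return [accounts for accounts in by_password.values() if len(accounts) > 1]


if __name__ == "__main__":
    # Constructed sample values, not real credentials.
    print(policy_failures("fluffy2020"))          # pet name plus year fails three rules
    print(policy_failures(generate_password()))   # []
    print(reused_passwords({"mail": "Hunter2!Hunter2!",
                            "bank": "Hunter2!Hunter2!",
                            "forum": generate_password()}))
```

Note that `policy_failures` only enforces the stated character-class rules; a dictionary word with a digit and a symbol appended still passes it, which is why generating the password instead of composing it by hand is the safer habit.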
6. Attack on day zero: a security gap that's closed too late – „Even if administrators are working carefully and quickly patch all software gaps, they can still be too late to keep out hackers. There can be months between the first discovery of a vulnerability in the software design and the release of the respective patch. One reason is that software companies often wait a while before going public with information until they have designed a matching patch. They know that the bad guys are eagerly screening all announcements to move quickly once a fault has been announced, before users have an opportunity to patch it. The worst-case scenario is for a hole in the system to become public before a patch has been designed. But the danger isn't over once there's a patch, since users and admins aren't always fast enough to install it before the attack hits. That was the case with the ransomware "WannaCry," for example.” (Source here)
7. Not using 2FA – Two-factor authentication asks you to prove who you are by more than one means before you log in to a system or account (for example via a text message: before logging in, you are asked for an authentication code that was previously sent via SMS, or generated by an authentication app). Statistics say that „99.9% of all accounts hacked are those that don't bother to use 2FA.” (Source here)
8. You can also take a look at the Open Web Application Security Project® (OWASP) Top 10 Web Application Security Risks for 2021.
You will find out more about Nicușor and his colleagues in the White Hacking Team in the following months. Until then, check the Romanian website on Online Security, look at the official European Cybersecurity Month website and enjoy this Cybersecurity Quiz.