National Cyber Security Awareness Month: Targeted Attacks
Written by Christopher Abbey, DCSD IT Security Analyst
Knowing that the topic of security can hit some really dark and scary places, in this article we really want to shine a light on your role, your responsibilities and the information you work with day to day. These powers combined will not make you a blue, earth-saving superhero, but they will make you a potential target for criminals.
A phrase that has been floating around business and marketing circles goes like this: “Data is the new oil.” Meaning data is no longer simply the small bits of information we generate; it is a commodity that is actively taken, refined and sold to the highest bidder, every day. That means criminals are financially compelled to take advantage of the systems and tools we interact with daily to collect or steal files, emails, social media, banking and other account information. However, there are steps we can take to minimize our digital leaks and protect sensitive information.
In the digital information age, criminals still rely on some tried and true tactics to separate you from your information and possibly your money. Whether it’s a phone call notifying you of the Bahamas cruise you just won, or your bank notifying you that your account is overdrawn, the caller just needs a few pieces of information to take care of the issue. In statistics shared by Social-engineer.org, “it is a vector used in over 66% of all attacks by hackers, hacktivists and nation states”.
Simply put, when it comes to pulling data, social engineering is the most widely used means because it is cheap to implement and has a high success rate. In this case, a healthy amount of skepticism is the best medicine for these types of tactics. Be protective of your information, and if it doesn’t sound or feel right, it might not be.
Give a Man a Phish
Obviously the header is a play on the old saying, “Give a man a fish and you feed him for a day…”; however, in this case you may be feeding the sharks instead. Phishing is the term for a digital form of social engineering in which criminals use a variety of digital platforms (email, social media, websites, instant messenger and SMS texts) to solicit information or even to change or take advantage of your behavior online. This tactic, like social engineering in general, is easy to implement and usually pretty effective! As we identified above, a healthy amount of skepticism and an understanding of the techniques criminals use will go a long way in protecting your data.
Conversations, Phone Calls and Emails...Oh My!
It can be overwhelming to think about how many ways you can be at risk. However, there are a few ways for you to decipher the legitimacy of a message and spot these phishing attempts. The website SANS Securing the Human has also shared a great visual on ways you can identify some of the concepts below.
Legitimate communications will never ask for sensitive information (like socials, passwords, bank accounts).
At no point in our adult lives have banks, or corporate service providers like PayPal or eBay, ever asked you for a password or account information (they already have all of it). Be aware that criminals often use tactics like threats or situations requiring urgency on your part. Their intent is to strike fear or tension into your mind to hopefully cause a lapse of judgement.
Look for grammar mistakes, general greetings and hover over links sent to you.
Typically phishing attempts originate from outside our country, and often from countries where English is not the first language. Look for misspellings or mistakes (images that look off, a different font, etc.) in these emails as a sure sign that you are being phished. In addition to these checks, on a PC or Mac simply hovering over a link will show, either under the link or at the bottom of your screen, the real URL they are sending you to.
When in doubt, check it out!
Check with your bank or other establishments using communication channels like official customer service lines, websites and legitimate email addresses. Don’t click the links, don’t provide your information and don’t fall for these tricks.
Finally, report the Phish!
Google has made it really easy for you to report spam and phishing attempts. Just to the right of the Reply button is a small down arrow; clicking it gives you a list of options that includes Report Phishing. Doing this will allow Google to filter out these types of messages in the future.
Spear-Phishing and Drive-By Downloads
In some extreme cases, criminals may specifically target a group, a school or an individual as potential prey. This concept of a focused attack is called spear-phishing. While general phishing activity casts a wide “net” of potential targets, spear-phishing targets a much smaller, more direct population. The criminal has done their research and has narrowed the focus to a target, possibly one individual.
Using some of the same tactics above, criminals may use spoofed addresses or accounts of vendors, friends and even family, exploiting the trust built within those relationships to pull information or even direct you to websites loaded with malicious software, or malware, set on infecting your device. This tactic of getting a user to click through to a malicious site is called a “drive-by download attack”. The website itself may not seem malicious; however, the payload delivered to your browser or computer may have some ill effects. Things like keyloggers (software that tracks your keystrokes), backdoors (software that allows hackers to peer into your machine) and Trojans (software built to mislead and propagate further attacks) could be installed without you even knowing.
Thanks for the Paranoia
Understandably, you may be second-guessing every email from family and friends. You may even think about cutting off all communications with the outside world! Before you do that, be assured that there are steps we can take to protect you and your devices from these types of attacks.
Strong “keys to the kingdom”
Just like any secure home, the strength of the lock on your front door is extremely important. The same goes for your accounts online: creating a strong password is key to ensuring social engineers and phishers do not use the information you share against you. That means if you really love the Broncos, having a password like Broncos123! is not a good idea. In a great image shared by Ars Technica, the use of passphrases (a sequence of words) is shown to be a great way to create memorable yet strong passwords. Going a step beyond, you could also set up Two Factor Authentication (instructions below).
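To make the passphrase advice concrete, here is a small Python example, added for this article and not taken from the original or from Ars Technica, that generates a passphrase from a word list with a cryptographically secure random choice and estimates how many bits of guessing work a random passphrase gives compared with a “favorite word plus digits plus symbol” password. The tiny word list and the sizes used in the pattern model (dictionary of 100,000 words, 1,000 three-digit suffixes, 32 symbols) are assumptions chosen for illustration; a real generator should draw from a published list such as the EFF long word list of 7,776 words.

```python
import math
import secrets

# Constructed, deliberately tiny word list for the demo. Use a published
# list (e.g. the EFF long list, 7,776 words) for real passphrases.
WORDS = ["canyon", "lantern", "orbit", "velvet", "pepper", "glacier", "maple", "signal"]


def generate_passphrase(n_words, wordlist=WORDS, sep="-"):
    """Pick n_words uniformly at random using the OS CSPRNG, never random.choice."""
    return sep.join(secrets.choice(wordlist) for _ in range(n_words))


def passphrase_entropy_bits(n_words, list_size):
    """Entropy of n_words chosen independently from a list of list_size words."""
    return n_words * math.log2(list_size)


def pattern_entropy_bits(dictionary_size=100_000, digit_runs=1_000, symbols=32):
    """Crude model (assumed sizes) of a Word+digits+symbol password like Broncos123!:
    a guesser tries every dictionary word x every 3-digit suffix x one trailing symbol."""
    return math.log2(dictionary_size * digit_runs * symbols)


def expected_crack_seconds(bits, guesses_per_second):
    """Expected time to hit the password after searching half the keyspace."""
    return (2 ** bits) / 2 / guesses_per_second


def compare(guesses_per_second=1e10):
    """Return (pattern_bits, passphrase_bits) for a 4-word EFF-style passphrase."""
    pattern = pattern_entropy_bits()
    phrase = passphrase_entropy_bits(4, 7776)
    return pattern, phrase


if __name__ == "__main__":
    rate = 1e10  # assumed offline guessing rate for illustration
    pattern, phrase = compare(rate)
    print(f"example passphrase: {generate_passphrase(4)}")
    print(f"Word+digits+symbol: {pattern:.1f} bits, "
          f"~{expected_crack_seconds(pattern, rate):.0f} s at {rate:.0e} guesses/s")
    print(f"4 random words:     {phrase:.1f} bits, "
          f"~{expected_crack_seconds(phrase, rate) / 86400:.0f} days at {rate:.0e} guesses/s")
```

The point the numbers make is that a pattern a guesser can model (a team name, a few digits, a symbol) is worth only about 32 bits of work, while four words picked at random from a 7,776-word list are worth about 52 bits, roughly a million times more, and are still something you can remember. The strength comes from the words being chosen at random, not from the words themselves, so a favorite quote or song lyric does not get the same credit.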
The best offense is a good defense!
A phrase commonly associated with sports or military warfare is also true when it comes to our devices. Each device running its own software, or operating system, requires patching and other tools to keep it running smoothly. Keeping your Mac, PC or mobile device up to date with current patches and versions is important. Utilizing tools like antivirus (here are some free options) will allow your software to work toward notifying you of and eliminating potential threats online.
Oftentimes we make mistakes, and we fall victim to attacks. Honestly, some of these emails are getting really sophisticated and harder and harder to spot. Don’t fret (too much), and know that there are ways to minimize the impact.
DCSD Employees: Contact the Information Technology Service Desk (ITSC)
Opening a ticket with our staff at the ITSC is a great way to get help minimizing the impact of a phish. Share as much information as possible so we can best support you and minimize the impact of this type of an attack. Head to helpdesk.dcsdk12.org to start the process.
DCSD Employees: Use our Self Service Portal to change your password and update your security questions.
Changing your password, especially in cases where you are being specifically targeted and may or may not have fallen victim, is a way to keep criminals out of your account and devices, minimizing the information stolen. Head to selfservice.dcsdk12.org to change your security questions, personal information and password.
Add additional layers of security to your work and personal accounts (Two Factor Authentication).
Two Factor Authentication (2FA) is the act of combining something you know (a password) with something you have (a mobile device). This additional layer protects you from hackers attempting to access your accounts remotely by enforcing a rule that you must also enter a special code sent to you by text message or generated by a special app on your phone. Google, Facebook, Twitter and most banks currently support 2FA, and you can (and should) set it up on your work and personal accounts today. https://www.google.com/landing/2step/
Contact your banks, credit companies, stores to notify them of the attack on your information.
Similar to when you lose your credit card, purse or wallet, it is important to let law enforcement and your financial institutions know that you have potentially shared your financial account data with a criminal. Most institutions have a fraud department and can monitor and adjust your accounts to stop any transfer or theft of funds from your accounts.
If you have shared information like Socials, or other sensitive personal information
Identity theft is a huge issue, so much so that the government has created a resource site for combating the effects of this horrible situation. Visit IdentityTheft.gov to view these steps.
There are a ton of great resources available that discuss everything from home security all the way to ways you can secure your family online.
StaySafeOnline: Protect your Personal Information Online: Offers information from cyberbullying all the way to the data privacy laws, statutes and governance that school districts are required to be aligned with, like the Family Educational Rights and Privacy Act (FERPA).
Microsoft’s YouthSpark Online Safety for Families: This site provides a variety of resources on ways families can plan and implement changes at their home to protect their data and devices from attack.
Douglas County Sheriff’s Department Internet Safety Page: This site is our local Sheriff’s page on Internet safety, with a few things families can do to protect their information. Another great resource is their Cyber Tip line.
Wombat Security Free Security Awareness Training Resources: Resources from a company built out of programs between the Department of Defense and Carnegie Mellon University; these resources are focused on reducing the risk of being phished, hacked and more.