“Again? I just took my security awareness training! Why am I taking it again? It’s just more of the same stuff. I don’t have time to keep doing this.”
How many times have I heard that litany of questions and statements, sometimes, as you can imagine, accompanied by a string of epithets? The simple answer is that awareness training works.
There is a human element to cybersecurity that is often overlooked in light of the technological threat to systems and data from bad actors. Security awareness training is integral to mitigating the risks associated with the human element. SANS Institute’s Lance Spitzner, training director for the Securing the Human program, said recently, "Computers have become much more secure over the past 15 years, but humans have not. The human really has become the weakest link."
Humans, users and customers alike, are the hack of choice, and social engineering is the tool of choice. Each of us is on the front line of network defense because our work and personal data are a coveted prize to criminal scammers and adversaries, whether we are enterprise system administrators, executives, or everyday users. As a result, we should expect to be targeted by bad actors using social engineering tools at work and at home every day.
What is social engineering? US-CERT defines it this way: "In a social engineering attack, an attacker uses human interaction (social skills) to obtain or compromise information about an organization or its computer systems."
The complexity and callousness of some of the recent attacks and tactics used by cybercriminals demonstrate how vulnerable all of us are online. Our personal privacy is less and less private. Personal photos, login credentials, financial data and even health information are prime targets for scammers and hacks.
Many scams still rely on poor security habits to succeed. However, we have also seen how poor website security can expose customer data. It doesn’t matter how strong a password may be if the website is vulnerable to a data breach.
Other attacks made use of sophisticated social engineering to bypass the two-factor authentication systems designed to safeguard users. How many of you reading this right now use Gmail for your personal email? By going through a legitimate password-reset process and posing as Google via SMS (text messaging), scammers were able to exploit the public’s trust in Google’s reputable brand to gain access to email accounts, according to the Symantec Internet Security Threat Report, published in April 2016.
Knowing some of the details of Gmail’s user agreement might have caused some of the victims to be suspicious of the text message, according to Symantec.
“How do I reduce my susceptibility to this and other social engineering hacking attempts? It appears hopeless, and what’s the use? Nothing’s private anymore and they’ve probably hacked into everyone’s data already,” users may say. That’s like saying, “I’m going to get the flu anyway, so why take the flu shot?” Remember, just as with your health, taking risks with cybersecurity is not acceptable. We should reject the misconception that true data protection and privacy no longer exist. Our data and our privacy are precious and should be protected carefully.
For us in the Department of the Navy (DON), this means cybersecurity is not just about employing the right kind of technology; it also requires good digital hygiene on the part of everyone, both at home and in the office. Education and greater awareness of cybersecurity issues will help everyone become more digitally healthy.
By being aware of just how many risks you face, you can reduce them, and learn how to recognize symptoms and diagnose “digital diseases” before they put your data, whether at work or at home, at risk. The DON Cybersecurity Awareness Training provides the initial inoculation but must be bolstered by continual cybersecurity education and vigilance.
Here are some specific things we can all do:
• Do not open attachments unless they are expected and come from a known and trusted source, and do not execute software that is downloaded from the internet (if such actions are permitted) unless from a trusted source or the download has been scanned for malware.
• Be cautious when clicking on URLs in emails or social media programs, even when coming from trusted sources and friends.
• Use web browser URL-reputation plugins that display the reputation of websites in search results.
• Be aware of and practice safe social media conduct. Offers that look too good to be true usually are, and hot topics are prime bait for scams. Not all links lead to real login pages.
• For your personal accounts, enable two-step authentication on any website or app that offers it.
• Employ password discipline. Use a different password for every email account, application and login, especially for work-related sites and services.
• Use common sense. Having antivirus and security software doesn’t mean it is OK to visit malicious or questionable websites.
• Raise the alarm if you see anything suspicious.
As ever, basic common sense and the introduction of good security habits can go a long way to keeping our data safe.
Visit the DON CIO website, www.doncio.navy.mil/, for more information about protecting your personal and DON electronic devices and online accounts.