Think and verify. How can each of us defend ourselves against the most common cyber attacks?
Even one ill-considered action can cause a lot of trouble. It doesn't have to be financial fraud, where tens of thousands of crowns suddenly disappear from your account. It can also lead to a loss of identity and with it a loss of reputation and credibility. The number of cyber-attacks targeting businesses and individuals continues to grow, only the strategies and vulnerabilities change. What approach can each of us take to ensure a higher level of cybersecurity?
1. Trust but verify? Stick to a zero-trust strategy
Zero-trust, or the zero-trust principle, is a cybersecurity framework that a number of organizations adopted during the pandemic and the shift to remote work. According to it, no actor in an online environment can be trusted until it has been verified. It is a holistic, strategic approach to security that ensures that everyone and every device granted access is who they say they are.
This same approach should not only work at the organizational level, but should be adopted by everyone. The simple rule here is not to disclose vital information about yourself, such as your ID, credit card number, home address, etc., to anyone. And if we do want to share information, it's a good idea to keep it to the minimum necessary.
An example of a cyberattack where the level of information provided matters might be an email that asks the recipient to provide medical information - for example, a statement from a medical record. In this case, it is important to verify who is making the request and for what purpose.
2. A celebrity on the internet? Every piece of information about you can be a clue to hackers
Everyone should behave in cyberspace as if their entire life were a public affair. Why? Whether it's sharing our location or simply giving our name, with every piece of information we reveal about ourselves on social media or elsewhere on the web, we increase the amount of information that hackers can work with for social engineering. Even just our mere presence on social media increases the likelihood that a hacker will more easily guess and crack our password.
The same applies to vishing, i.e. scam calls over the phone, where an impostor pretends to be someone else and tries to convince the person called that they really are who they claim to be. So think about the information you give out, and also about what the caller knows: if someone calls you under the identity of a service or company you actually use, make sure they know your context and the information you have actually given that organisation.
At the same time, many of us think we are not an interesting target for hackers and so underestimate the basic rules for securing private devices. But if you work for a company, for example, the opposite is true. In the modern age of BYOD (Bring Your Own Device), it is necessary to be vigilant in our private lives as well, because a private email account, phone or computer gives an attacker an opportunity to infiltrate a business system. Such attacks have become very widespread, especially during the pandemic.
3. Different channel, different level of security
The key then is to provide information in a secure way. Whether we're buying or selling something online, we always need to verify that we're working with the right app or website, or using a verified and secure payment method.
Therefore, in the case of payment transactions, it is more secure to use mainstream payment methods such as Google Pay or Apple Pay, which are well-known channels with a high level of security. At the same time, it is important to verify the apps through which we buy or sell, for example through Google reviews, certificate verification or by consulting discussion forums. Payment transactions should not require entering the card number directly in the app. Ideally, the process redirects to a payment gateway, through which it is easier to identify the merchant and reclaim money if something goes wrong. Reputable organizations, before performing an action that involves providing sensitive data, usually require logging into their own sites, which they control from a cybersecurity perspective.
When using credit cards, one can also protect oneself by using single-use cards or secondary cards that have a set limit for charges. For unverified channels, it is also advisable to use payments through another account where you have limited funds.
4. And the passwords again. If you can't remember them, use an advanced password manager
The basic rules for strong and secure passwords are still the same. Never use the same password twice and focus on its strength. And if you can't remember all your passwords, using a password manager is strongly recommended.
Current versions of password managers already have a number of advanced features: they can check which of your passwords appear in known leaks on the web, show how many passwords you reuse, flag weak passwords and recommend stronger ones. Of course, they also generate passwords automatically. In addition, some more advanced password managers keep track of the age of each password, monitor security incidents and alert you when a platform where you have an account has been compromised, so that you know to change that password.
A weak password can be cracked by brute force:
- An eight-character password with upper and lower case letters and numbers can be cracked in tens of minutes
- The minimum recommendation for a secure password is 12 or more characters using upper and lower case letters, numbers and a special symbol
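The three checks a password manager performs on a vault (keyspace/brute-force estimate, reuse, presence in a known leak) can be reproduced in a few dozen lines. The following Python audit is an added example written for this article, not code from any password manager or from the author; the vault, the leak list and the guess rate of 1e11 guesses per second (roughly one GPU rig against a fast, unsalted hash, which is what makes the eight-character figure above come out at about 36 minutes) are constructed assumptions. The leak lookup mimics the k-anonymity range query that real breach-check services use: only the first five hex characters of the SHA-1 hash would leave the client.

```python
import hashlib
from collections import Counter

# Character-class sizes used for the keyspace estimate (33 printable ASCII symbols assumed).
LOWER, UPPER, DIGITS, SYMBOLS = 26, 26, 10, 33
SECONDS_PER_YEAR = 365.25 * 24 * 3600
# Assumed attacker speed: ~1e11 guesses/s, i.e. a GPU rig against a fast unsalted hash.
DEFAULT_GUESSES_PER_SECOND = 1e11


def alphabet_size(password: str) -> int:
    """Size of the smallest character set a brute-force attacker must cover."""
    size = 0
    if any(c.islower() for c in password):
        size += LOWER
    if any(c.isupper() for c in password):
        size += UPPER
    if any(c.isdigit() for c in password):
        size += DIGITS
    if any(not c.isalnum() for c in password):
        size += SYMBOLS
    return size


def brute_force_seconds(password: str, guesses_per_second: float = DEFAULT_GUESSES_PER_SECOND) -> float:
    """Worst-case time to exhaust the keyspace for this length and character mix."""
    return alphabet_size(password) ** len(password) / guesses_per_second


def human_time(seconds: float) -> str:
    if seconds < 3600:
        return f"{seconds / 60:.0f} minutes"
    if seconds < SECONDS_PER_YEAR:
        return f"{seconds / 86400:.1f} days"
    return f"{seconds / SECONDS_PER_YEAR:.0f} years"


def find_reuse(vault: dict) -> dict:
    """Map every password used on more than one site to the sorted list of those sites."""
    counts = Counter(vault.values())
    return {pw: sorted(site for site, p in vault.items() if p == pw)
            for pw, n in counts.items() if n > 1}


def build_breach_index(leaked_passwords) -> dict:
    """Index a leak as {5-char SHA-1 prefix: {35-char suffixes}}, as served by k-anonymity APIs."""
    index = {}
    for pw in leaked_passwords:
        digest = hashlib.sha1(pw.encode("utf-8")).hexdigest().upper()
        index.setdefault(digest[:5], set()).add(digest[5:])
    return index


def is_leaked(password: str, breach_index: dict) -> bool:
    """Client side of the range query: send the prefix, compare the suffix locally."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[5:] in breach_index.get(digest[:5], set())


def audit(vault: dict, breach_index: dict, min_length: int = 12, min_years: float = 100.0) -> dict:
    """Return {site: [findings]}; an empty list means the password passed every check."""
    reused = find_reuse(vault)
    report = {}
    for site, pw in vault.items():
        findings = []
        if len(pw) < min_length:
            findings.append(f"shorter than {min_length} characters")
        seconds = brute_force_seconds(pw)
        if seconds / SECONDS_PER_YEAR < min_years:
            findings.append(f"keyspace exhausted in about {human_time(seconds)}")
        if pw in reused:
            findings.append("reused on: " + ", ".join(s for s in reused[pw] if s != site))
        if is_leaked(pw, breach_index):
            findings.append("appears in a known leak")
        report[site] = findings
    return report


# Constructed sample vault and constructed leak list (not real data).
VAULT = {
    "mail.example": "Summer2021",
    "shop.example": "Summer2021",
    "bank.example": "Tr0ub4dor&3xample!",
}
LEAK_INDEX = build_breach_index(["Summer2021", "Password1", "letmein"])

if __name__ == "__main__":
    for site, findings in audit(VAULT, LEAK_INDEX).items():
        print(site, "->", findings or "ok")
```

With the constructed vault, the two sites sharing "Summer2021" are reported as reused, short, brute-forceable and leaked, while the 18-character bank password passes every check. Change `DEFAULT_GUESSES_PER_SECOND` to see how strongly the estimate depends on the hash the target uses: a slow, salted hash lowers the rate by several orders of magnitude.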
5. Use more complex forms of authentication
Multi-factor authentication (MFA) should be used wherever possible. However, this is also evolving, so for example, checking via SMS is no longer a completely secure variant of multi-factor authentication. If an app or service allows it, it's a good idea to use mobile tokens to log in. Another current trend is so-called step-up/adaptive authentication, which automatically assesses security risks in systems and selects the required level of authentication accordingly.
The systems and applications themselves then find out, for example, where you are logging in from, what region, what IP address, what device, etc. - and set the complexity of authentication themselves based on this.
In the context of payment transactions, systems with step-up/adaptive authentication can then evaluate, for example, a situation where a payment request is made from Ethiopia while you are in the Czech Republic, and provide more stringent identity verification, without which the payment cannot take place. Some financial institutions (e.g. Revolut) work with this prevention principle and can recognize when the owner's card is located somewhere other than their phone - and automatically block the payment in such a situation.
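To make the step-up/adaptive idea concrete, here is a small rule-based risk engine in Python. It is an added example for this article, not code from Revolut or any other institution: the signals (known device, request country versus home country, a known-bad IP range, payment amount), the score thresholds and the "card and phone in different countries" rule are constructed assumptions chosen to mirror the situations the text describes.

```python
from dataclasses import dataclass


@dataclass
class UserProfile:
    home_country: str
    phone_country: str      # last country reported by the user's phone (assumed signal)
    known_devices: set


@dataclass
class Request:
    kind: str               # "login" or "payment"
    country: str
    ip: str
    device_id: str
    amount: float = 0.0


# Constructed example: an address prefix treated as known-bad (documentation range, not real intel).
BAD_IP_PREFIXES = ("198.51.100.",)

# Authentication levels, weakest to strongest.
LEVELS = ("password", "otp", "hardware_token", "block")


def risk_score(user: UserProfile, req: Request):
    """Add up risk points from each signal and keep the reasons for audit logging."""
    score, reasons = 0, []
    if req.device_id not in user.known_devices:
        score += 2
        reasons.append("unknown device")
    if req.country != user.home_country:
        score += 2
        reasons.append(f"request from {req.country}, home country is {user.home_country}")
    if req.ip.startswith(BAD_IP_PREFIXES):
        score += 3
        reasons.append("IP address in a known-bad range")
    if req.kind == "payment" and req.amount >= 1000:
        score += 1
        reasons.append("high-value payment")
    return score, reasons


def required_auth(user: UserProfile, req: Request):
    """Map the risk score to the authentication the request must pass.

    A card used in a country other than the one the user's phone reports is blocked outright,
    modelled on the behaviour the article attributes to Revolut.
    """
    if req.kind == "payment" and req.country != user.phone_country:
        return "block", ["card and phone are in different countries"]
    score, reasons = risk_score(user, req)
    if score == 0:
        return "password", reasons
    if score <= 2:
        return "otp", reasons
    if score <= 4:
        return "hardware_token", reasons
    return "block", reasons


# Constructed user: lives in the Czech Republic, phone is there, one enrolled device.
USER = UserProfile(home_country="CZ", phone_country="CZ", known_devices={"phone-abc"})

if __name__ == "__main__":
    cases = [
        Request("login", "CZ", "203.0.113.7", "phone-abc"),
        Request("login", "CZ", "203.0.113.7", "laptop-new"),
        Request("login", "DE", "203.0.113.7", "laptop-new"),
        Request("login", "DE", "198.51.100.9", "laptop-new"),
        Request("payment", "ET", "203.0.113.7", "phone-abc", amount=40.0),
    ]
    for req in cases:
        print(req.kind, req.country, req.device_id, "->", required_auth(USER, req))
```

The point of the structure is that the decision and its reasons are produced together: the same reasons that drive the step-up are what an analyst later needs in the log to tell a travelling customer from a stolen card.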
6. Cookies and cookies again. Use a sandbox to move safely in cyberspace
When it comes to collecting personal data and consenting to it, the vast majority of reputable websites nowadays default to only the necessary cookies, which the user approves on entering the website. Many websites, however, have it the other way around and force the user to manually opt out of additional cookies, which many users skip, preferring simply to approve them.
The solution to this situation is not just browsing the site in anonymous (incognito) mode. Nowadays it is possible to use sandbox solutions, which are gradually appearing on mobile phones as well. Sandboxing is a secure way to run untrusted or only partially trusted code. It is a disposable environment identical to our own, isolated from the rest of the system, which can be started and shut down quickly. In Windows 10/11, Windows Sandbox behaves like a freshly installed system in a window; when you close it, the sandbox and everything in it is discarded.
7. A smart device, but a big danger. Verify vendors and isolate the network for IoT
If you have various IoT (Internet of Things) devices in your home, always verify their vendors - just like apps. You should be sure you are relying on reputable technology. That's because the risk with smart homes and IoT, in general, is the absolute invasion of your privacy - from surveillance of your home via a home camera, eavesdropping, or even unlocking an electronic lock.
When acquiring smart devices, even a smart bulb that you can control via a mobile app, think about network connectivity and ideally use these tools on an isolated network. Quality routers allow you to isolate networks using VLANs and then configure firewall rules for communication between those networks. It is advisable to reach out to professionals for such a configuration.
If you are unsure about the security of the device, have it verified. A prerequisite for smart technology is a good quality and well-secured mobile phone with a verified system - it is the center of our lives today and almost nothing can be done without a mobile phone.
Basic techniques and settings to help protect it include:
- Protecting the phone with a PIN, fingerprint or facial recognition
- Protecting data by encrypting stored data
- Securing wireless technologies such as Wi-Fi, Bluetooth or NFC
- Checking installed apps and updates
- Using security applications (anti-virus systems, DLP, MDM)
- Detecting unwanted access to the phone's operating system
- Regular updates of the operating system
- Data backup