
4th July 2019 | Mansfield Thomas | Head of Security and Fraud Prevention

Cyber Awareness 102: Password Hygiene

Just as people learned to check in both directions before crossing a street or to check the weather before leaving their homes, so too must modern information technology users learn and assimilate cyber awareness into their daily routine.

Developing Cyber Awareness

Whether surfing the web at home or checking emails at work, users of today’s cyberspace cannot afford to remain ignorant to the perils of cybercrime. Fortunately, securing one’s digital assets simply requires learning good cybersecurity habits, maintaining cyber awareness, and integrating modern technologies. 

Password Hygiene

Probably one of the simplest steps users can take to keep their accounts and data more secure is to practice good password hygiene. Using longer passwords that contain letters, numbers, and symbols, and which are not recognized words, can go a long way in preventing successful brute-force and dictionary attacks. An exponential relationship exists here: the more characters a password contains, the greater the number of possible permutations of the password, which in turn increases the amount of time required to test all of them. Additionally, users should never use the same password for multiple accounts. While it is convenient and an easy habit to fall into, using the same password for multiple accounts runs the risk of compromising all of a user’s accounts should just one of them become compromised. Fortunately, a variety of tools exist to assist with user credential management.
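The following is an added example, not code from the article or its author, that makes the paragraph's points concrete: it computes the keyspace (alphabet size raised to the password length) and the corresponding bit strength, flags passwords built from recognized words, and reports password reuse across accounts the way a password manager's audit feature would. The word list and the assumed guess rate are constructed for illustration.

```python
import math
import string

# Constructed mini-dictionary (assumption): a real audit would check against
# a large wordlist or a breach corpus rather than a handful of words.
COMMON_WORDS = {"password", "welcome", "letmein", "qwerty", "summer", "dragon", "monkey"}


def charset_size(password: str) -> int:
    """Size of the smallest standard alphabet covering every character class used."""
    size = 0
    if any(c in string.ascii_lowercase for c in password):
        size += 26
    if any(c in string.ascii_uppercase for c in password):
        size += 26
    if any(c in string.digits for c in password):
        size += 10
    if any(c in string.punctuation for c in password):
        size += len(string.punctuation)  # the 32 printable ASCII symbols
    return size


def keyspace(password: str) -> int:
    """Candidates a brute-force attack must cover: alphabet ** length.

    Adding one character multiplies the keyspace by the alphabet size, which is
    the exponential relationship the article describes."""
    return charset_size(password) ** len(password)


def entropy_bits(password: str) -> float:
    """Same quantity expressed in bits: length * log2(alphabet)."""
    return len(password) * math.log2(charset_size(password)) if password else 0.0


def contains_common_word(password: str) -> bool:
    """Dictionary-attack indicator: any recognized word embedded in the password."""
    lowered = password.lower()
    return any(word in lowered for word in COMMON_WORDS)


def assess(password: str, guesses_per_second: float = 1e10) -> dict:
    """Summarise strength. The guess rate is a constructed figure for illustration."""
    bits = entropy_bits(password)
    dictionary_hit = contains_common_word(password)
    seconds = keyspace(password) / guesses_per_second if password else 0.0
    weak = dictionary_hit or bits < 60  # 60-bit threshold is an assumption
    return {
        "length": len(password),
        "alphabet": charset_size(password),
        "bits": round(bits, 1),
        "seconds_to_exhaust": seconds,
        "dictionary_hit": dictionary_hit,
        "verdict": "weak" if weak else "strong",
    }


def reused_passwords(vault: dict) -> list:
    """Return groups of accounts sharing one password.

    `vault` maps account name -> password, as a password manager's own audit
    would see it (constructed input); passwords themselves are not echoed back."""
    by_password = {}
    for account, pw in vault.items():
        by_password.setdefault(pw, []).append(account)
    return [sorted(accounts) for accounts in by_password.values() if len(accounts) > 1]


if __name__ == "__main__":
    for candidate in ("password", "Vx9#mQ2!pL7$wZ4r"):
        print(candidate, assess(candidate))
    print(reused_passwords({"mail": "hunter2", "bank": "hunter2", "forum": "zq81!Lm"}))
```

Lengthening a lowercase-only password by a single character multiplies the keyspace by 26; adding a second character class multiplies the per-character alphabet, which is why both length and variety matter, and why a long password that is still a dictionary word gets a weak verdict regardless of its arithmetic strength.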

Phishing

As previously mentioned, there exists a huge user susceptibility to phishing and social engineering attacks and as such, users must learn to look for the key indicators of these types of attacks in order to stop them before they compromise themselves and their networks. To catch these types of attacks, users must first assume the correct mindset, which is a guarded one that questions anything which is not 100% normal. While it is understood that some users can receive hundreds of emails a day in the course of their duties, any deviation from what might normally be received, content-wise, or by sender, during a normal day or week, should arouse suspicion and trigger a series of checks by the user. 

A user can first look at the sender of a suspicious email by checking the header of the email carefully. Cybercriminals will often attempt to spoof the sender address or create addresses very similar to what the user expects to see by slightly altering a domain name or account name, but careful inspection of the sender’s address can reveal these forgeries. A few examples of sender address forgery are listed below:

Proper sender address: joseph.smith@fakecompany.com

Email address forgeries: joseph.smith@fakecomqany.com or joseph.smith@fakecompny.com 

Proper sender address: customerservice@AnotherFakeCompany.com

Email address forgeries: customerservice@4notherFakeCompany.com or customerservice@AnotherFakeCompanys.com 
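As an added example (not from the article), the check a mail gateway or a cautious user could apply to the sender addresses listed above: parse the address out of the From: header, compare its domain with an allowlist of domains the recipient legitimately corresponds with, and flag domains within a small edit distance as lookalikes. The allowlist and the distance threshold are assumptions for illustration.

```python
from email.utils import parseaddr

# Constructed allowlist (assumption): domains this mailbox normally receives
# mail from. In practice populate it from the address book or gateway policy.
EXPECTED_DOMAINS = {"fakecompany.com", "anotherfakecompany.com"}


def levenshtein(a: str, b: str) -> int:
    """Edit distance: fewest single-character insertions, deletions, substitutions."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete ca
                           cur[j - 1] + 1,         # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def sender_domain(from_header: str) -> str:
    """Extract the lowercased domain from a From: header (with or without a display name)."""
    _name, addr = parseaddr(from_header)
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def classify_sender(from_header: str, expected=EXPECTED_DOMAINS, max_distance: int = 2) -> dict:
    """Verdicts: 'expected' (on the allowlist), 'lookalike' (within max_distance
    edits of an expected domain, e.g. one swapped or dropped letter), 'unknown'."""
    domain = sender_domain(from_header)
    result = {"domain": domain, "closest": None, "distance": None}
    if domain in expected:
        result["verdict"] = "expected"
        return result
    closest = min(expected, key=lambda d: levenshtein(domain, d))
    distance = levenshtein(domain, closest)
    result.update(closest=closest, distance=distance)
    result["verdict"] = "lookalike" if distance <= max_distance else "unknown"
    return result


if __name__ == "__main__":
    # The article's own forgery examples, run through the check.
    for header in ("joseph.smith@fakecompany.com",
                   "joseph.smith@fakecomqany.com",
                   "joseph.smith@fakecompny.com",
                   "Customer Service <customerservice@4notherFakeCompany.com>",
                   "customerservice@AnotherFakeCompanys.com"):
        print(header, "->", classify_sender(header))
```

Each of the forged addresses in the article sits exactly one edit away from the legitimate domain, which is why a distance threshold of one or two catches them; an address at an unrelated domain scores far higher and is reported as unknown rather than as a lookalike, so it still warrants the other checks described below.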

In other cases, the cybercriminals may have already compromised another user on the domain and be using the account to send attacks from a legitimate account using the compromised account’s address book to target individuals or departments. In this case, the targeted users will need to look for other indicators such as links or attachment file types.

For emails containing hyperlinks, whether they consist of the full URL, are shortened using a variety of techniques, or do not appear as URLs at all but simply as “click here” links, hovering the mouse cursor over the link displays the actual linked website. So, while at first glance a link might appear as if it would direct a user to a legitimate website, the user can quickly check whether the link would instead redirect them to a website forgery or to a webpage other than the one indicated. On mobile devices, where users cannot hover a mouse cursor, touching and holding on the link will usually display the actual URL as well as a list of options for the user.

Finally, and perhaps most importantly, users should be wary when receiving emails with attachments, especially when the emails are unexpected. While most electronic mailing services filter out the majority of attachments containing malicious software, there are still several key indicators a user should always check for before downloading or opening an attachment. Firstly, if unsure of the legitimacy of an attachment, the user should contact the sender, if known, to confirm the attachment was sent from them. Where not possible, the user should then check the attachment’s file type by looking at the filename extension. A filename extension is an identifier found at the end of a filename to denote the type of file. For example, a Microsoft Word document might have a filename of “Example.doc” where “.doc” identifies the file type as a Word document. While the total number of file types in existence is unknown, and too many exist for any user to be aware of all of them, there are still certain types of files that should never be opened. Files such as executables (.exe), batch files (.bat), PowerShell scripts (.ps1) and many other types of files should never be opened. These are files which, when opened, are designed to execute specific functions on a user’s device and while most emailing services filter out attachments containing these filetypes, cybercriminals constantly find ways to defeat these filters. One common practice involves sending Word documents or Excel spreadsheets containing macros, or a series of commands and instructions grouped together as a single command to accomplish a task automatically. These files can be identified by their .docm and .xlsm extensions and when opened, will either download and execute a malware payload or execute a payload already embedded in the file. It is of note that not all files containing macros are malicious as macros are commonly used in accounting and other types of work. 
Users must also be careful when checking the file type, as cybercriminals will attempt to confuse users by including incorrect filetypes in file names or by using file icons that don’t match the types. For example, a file might be named “SampleDocument.doc.exe” or “ExampleFile.xls.ps1”, but users must pay attention to the actual filetype extensions, which are respectively .exe and .ps1. The case with icons is much the same, as it is incredibly simple to assign any icon to any file. For example, an executable file can be given a Word document icon or a batch file could be given an Excel icon. These are very simple and low-tech tricks, but if a user is unaware or does not check the actual filetype, they are just as effective as a more complex attack.
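The two remaining indicators the article names, links whose visible text does not match where they actually point, and attachments whose real extension is hidden behind a document-looking one, can both be checked automatically. The following added example (not the article's code) does the equivalent of hovering over every link in an HTML email body, then classifies attachment filenames by their actual (last) extension. The extension lists extend the three the article names (.exe, .bat, .ps1) with other common script and installer types and are an assumption to tune to local policy; the sample HTML is constructed.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# The article names .exe, .bat and .ps1; the rest are added here as further
# common script/installer types (assumption: adjust to local policy).
NEVER_OPEN = {".exe", ".bat", ".ps1", ".cmd", ".scr", ".vbs", ".js", ".msi", ".hta"}
# Macro-enabled Office formats are not always malicious, so they get "review".
MACRO_ENABLED = {".docm", ".xlsm", ".pptm"}
DOCUMENT_LIKE = {".doc", ".docx", ".xls", ".xlsx", ".ppt", ".pptx", ".pdf", ".txt"}


def extensions(filename: str) -> list:
    """Every dotted suffix, lowercased: 'SampleDocument.doc.exe' -> ['.doc', '.exe']."""
    parts = filename.strip().split(".")
    return ["." + p.lower() for p in parts[1:]] if len(parts) > 1 else []


def classify_attachment(filename: str) -> dict:
    """Judge a filename by its actual extension, the last one, not the first."""
    exts = extensions(filename)
    actual = exts[-1] if exts else ""
    if actual in NEVER_OPEN:
        reason = "executable or script attachment"
        if len(exts) > 1 and exts[-2] in DOCUMENT_LIKE:
            reason += f" disguised with a {exts[-2]} double extension"
        return {"verdict": "block", "actual_extension": actual, "reason": reason}
    if actual in MACRO_ENABLED:
        return {"verdict": "review", "actual_extension": actual,
                "reason": "macro-enabled document; confirm with the sender"}
    return {"verdict": "allow", "actual_extension": actual,
            "reason": "no filename-based indicator"}


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs, i.e. what the cursor hover would reveal."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


URL_LIKE = re.compile(r"^(https?://)?[\w.-]+\.[a-z]{2,}(/|$)", re.I)


def host_of(url: str) -> str:
    """Hostname of a URL or bare domain, lowercased."""
    parsed = urlparse(url if "://" in url else "http://" + url)
    return (parsed.hostname or "").lower()


def mismatched_links(html: str) -> list:
    """Links whose visible text is itself a URL/domain but whose target host differs.
    'click here' links are not flagged by text alone; inspect their actual host too."""
    collector = LinkCollector()
    collector.feed(html)
    return [{"shown": text, "actual": href}
            for href, text in collector.links
            if URL_LIKE.match(text) and host_of(text) != host_of(href)]


# Constructed sample email body: the first link shows one domain but points at a lookalike.
SAMPLE_HTML = ('<p>Please reset at <a href="http://fakecomqany.com/reset">'
               'https://fakecompany.com/reset</a> or '
               '<a href="https://fakecompany.com/help">click here</a>.</p>')

if __name__ == "__main__":
    print(mismatched_links(SAMPLE_HTML))
    for name in ("Example.doc", "SampleDocument.doc.exe", "ExampleFile.xls.ps1", "Report.docm"):
        print(name, "->", classify_attachment(name))
```

The filename check deliberately reads the last extension only, which is exactly the detail the article says users overlook; a gateway would normally apply this to the declared filename of every attachment part before delivery.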

Guarding Personally Identifiable Information

Another major step the current, connected user can take is to carefully guard any personal information they choose to place online. Social media especially can be an excellent source of intelligence when targeting individuals for spear phishing attacks or other forms of social engineering. A more simple example might include attackers reviewing an individual’s social media profiles for the answers to common password reset security questions such as “What is your pet’s name?” or “What is your mother’s maiden name?” In other instances, attackers might use the information obtained from the targeting process to more effectively pose as someone entrusted by the targeted individual. Likewise, companies too can be targeted based on what social media presence they maintain and information they publish on those platforms. In the modern cyberscape, one of the largest cyber risks to a company is the advanced persistent threat, or APT. As the name implies, APTs are attacks that occur over a longer period of time, usually by a team of cybercriminals working in unison, using a wide variety of techniques to covertly penetrate and compromise a network. A major portion of laying the groundwork for these types of attacks involves researching the targeted individual or organisation in order to identify employees more susceptible to social engineering, employees with elevated user privileges, employees that are likely to process sensitive information, and any other gaps in a security strategy. As such, both individuals and companies should frequently review their security and privacy settings across any social media platforms they use in order to limit what information is visible to the general public. 

Trojan Horses

Much as a user can be tricked into opening email attachments bearing intriguing filenames, so too can they be compromised via storage devices such as CDs/DVDs, USB thumb drives, and various other forms of digital media storage. In a 2016 study conducted by Google, the University of Illinois Urbana-Champaign, and the University of Michigan, it was found that of 297 thumb drives dropped across a university campus, 290 were picked up and 135 of those were plugged into a computer.1 It seems obvious that, much as one wouldn’t invite an unknown person into their home, so too should users not plug unknown peripherals or digital media into their computers or mobile devices, as they then run the risk of infecting their systems. While “hacking” via hardware may sound a bit Hollywood, it is actually not that far-fetched. As recently as last year a series of eight Eastern European banks had millions of dollars stolen when cybercriminals were able to physically infiltrate the banks and plug laptops, Raspberry Pi boards, and USB thumb drives into the banks’ systems.2

Multi-Factor Authentication

Lastly, where possible, users should always opt to use dual-factor (2FA) or multi-factor authentication (MFA). Banks have used 2FA for decades with the advent of the bank card (e.g. card + PIN), and nowadays many systems and websites offer the option to require users not only to log in with credentials, but also via a second or third means of authentication such as a one-time password (OTP) fob or mobile device application. By requiring additional methods of user authentication to access an account or system, users are adding additional layers of security to the asset they are trying to protect, thus making it that much more difficult for criminals, cyber or otherwise, to access the asset. As mentioned in a previous article,3 biometrics is a rapidly expanding field and is being increasingly employed as it offers a means of individual authentication that is linked to users’ physiological features and thus is very difficult to fool.
