fnC - 101 Series - The Known-Unknowns of Cybersecurity

Publish Date : 27-02-2024
Tags :
Author : Open-CISO

Knowing the Known-Unknowns of Cybersecurity is a Good Start

Cybersecurity is no longer a concern for the IT team alone. Each of us should understand how critical the sensitive data and information we own is, and the potential threats to it. In today's ever-changing world of technology, internet security has become a major global concern, and staying safe online while protecting your identity and data is one of the toughest jobs one can imagine. Cybersecurity is an open, ongoing war between bad actors and defenders, and we should be more focused on it today than we were a decade ago. We are surrounded by digital tools, and with the release of each new technology, service and electronic device, hackers get a whole new set of opportunities to crack and exploit it to gain unauthorized access, resulting in undiscovered vulnerabilities and sophisticated attacks.

A report from Gartner has projected that businesses will be spending a whopping $170.4 billion on security by 2022. If we set state-sponsored attacks aside for a moment, ransom is the first and only motivation for hackers to exploit or launch attacks on an organization's network infrastructure. It is a digital age in which a considerable percentage of the global population lives on and depends on the internet for survival, success and significance, at both a personal and a business level. Presently there are [4.66 billion netizens](https://www.statista.com/statistics/617136/digital-population-worldwide/), about 59.5% of the global population. With this insight, prioritizing a safe and secure life online is not just an option but a must. Whether you want to shop online, socialize or search for new information, you need to protect your private information from threat actors.

What is Cybersecurity Awareness?

Cybersecurity awareness is a thought-provoking term, process or program aimed at giving people from all backgrounds the basic cybersecurity skills to recognize cyber threats, prevent attacks and act immediately if anything seems suspicious. The main purpose of a cyber awareness program is simply to educate people about the importance of privacy, data and cybersecurity. People need to know what they are protecting and how valuable that information or data is. Unless they understand the importance and criticality of the data and information they own, it will be difficult for them to practice cybersecurity and adopt it in their daily lives.

Cybersecurity is a shared responsibility

An individual or a single team cannot protect and defend an organization from bad actors. It is everybody's responsibility, and each of us has a role to play. According to studies, 80% of cyber-attacks are triggered by human error, so it is people that organizations should focus on first; everything else comes later. Cybersecurity is part of our daily lives, and we need to wake up now. If you are not concerned about your privacy and data, it is time to get paranoid if you want to be safe on the internet. Just as we take physical security seriously, we need to practice cybersecurity and apply it in our lives.

Cyber Awareness forms The Human Firewall

In any organization, people are the first line of defense and also the weakest link. Small enterprises and large corporations alike spend huge budgets on security measures like next-generation firewalls, email security, WAF, antivirus and other security software. But the biggest risk is the people. If they are unaware of the dynamic threats on the internet and of the catastrophic damage those threats can do to the privacy and data of individuals and organizations, there is no point in having a budget for cybersecurity alone. Whether technical or non-technical, it is people who first interact with emails, messages, links and other content, so they must possess at least basic cybersecurity knowledge. Whether you are a working professional, a student or a housewife, you need to educate yourself and the people around you. By teaching people basic cybersecurity skills and methods to defend against and prevent attacks, we eliminate the first potential vulnerability and make the human firewall one of the strongest security measures.

Cybersecurity begins with categorizing assets and information; which controls and regulations apply depends on how an organization processes the data. The types of personal information form the crux and so end up being the crown jewels that hackers go after.

Types of Private Information

- Personally Identifiable Information (PII): This is information that, on its own or when coupled with other relevant details, can identify you. PII may include direct identifiers, such as your passport number, which uniquely identifies you, or quasi-identifiers, such as your race, which, when combined with other details like your date of birth, can reconstruct your exact identity.

  - Sensitive PII: Your personally identifiable information can be either sensitive or non-sensitive. Companies that share such data use anonymization techniques to mask or encrypt the PII, so that it cannot easily be tied to an individual while the company still achieves its objectives. Sensitive PII includes:
    - Full name
    - Driver's license
    - Social Security Number (SSN)
    - Mailing address
    - Medical records
    - Financial details

  - Non-sensitive PII: This can be accessed from public or corporate directories or downloaded from the internet. You cannot use this information alone to identify an individual; however, while it is not sensitive, it is linkable with other details about a person. Examples include:
    - Gender
    - Race
    - Zip code
    - Place of birth
    - Date of birth
    - Religion

- Personal Health Information (PHI): This refers to your health record and history and is protected by the Health Insurance Portability and Accountability Act (HIPAA). Lab tests, COVID-19 results or records describing a procedure all fall under PHI. PHI is therefore also called Protected Health Information and includes medical indicators such as:
  - Test results
  - Diagnoses
  - Procedure descriptions
  - Family medical history

- Personal Financial Information (PFI): This includes all the details you make available to a financial institution and that cannot be made public. PFI may include:
  - Your full name
  - Contact addresses
  - Credit card number
  - Bank account number
  - Social security number

As long as you have a bank account, you are obliged to keep all information associated with that account secure. Internet banking has given cybercriminals more opportunities to gain access to people's bank accounts. Many people have lost vast amounts of money to them, and the World Economic Forum has noted that fraud and financial crime is a trillion-dollar industry.

- Personal Special Information (PSI): PSI is the set of information about your religious beliefs and philosophical stance, ethnicity, the associations or unions you belong to, political affiliation, sexual information, biometric information, genetic information and criminal record. This is sensitive information about you that should be kept private to avoid the controversy it can bring.
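An added Python example (not the article's own code) of the masking the Sensitive PII item mentions: it scans free text for the sensitive identifiers above that have a recognisable format (SSN, a 16-digit payment card number validated with the Luhn checksum, an e-mail address) and masks them before the text is shared or logged. The support-ticket text and the "keep the last four characters" masking rule are constructed assumptions.

```python
import re
from dataclasses import dataclass

# Formats with enough structure to detect reliably; names, addresses and
# medical details need context-aware tooling and are out of scope here.
SSN_RE = re.compile(r"(?<![\w-])\d{3}-\d{2}-\d{4}(?![\w-])")
CARD_RE = re.compile(r"(?<![\w-])\d{4}(?:[ -]?\d{4}){3}(?![\w-])")  # 16-digit PANs
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum carried by payment card numbers; rejects random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


@dataclass
class Finding:
    kind: str
    start: int
    end: int
    masked: str


def mask_tail(value: str, keep: int = 4) -> str:
    """Keep only the last `keep` characters, as card statements do."""
    return re.sub(r"[A-Za-z0-9]", "*", value[:-keep]) + value[-keep:]


def scan(text: str) -> list[Finding]:
    """Locate sensitive identifiers; offsets refer to the original text."""
    found = []
    for m in SSN_RE.finditer(text):
        found.append(Finding("ssn", m.start(), m.end(), mask_tail(m.group())))
    for m in CARD_RE.finditer(text):
        if luhn_ok(re.sub(r"\D", "", m.group())):  # drop look-alike digit runs
            found.append(Finding("card", m.start(), m.end(), mask_tail(m.group())))
    for m in EMAIL_RE.finditer(text):
        local, domain = m.group().split("@", 1)
        found.append(Finding("email", m.start(), m.end(), local[0] + "***@" + domain))
    return sorted(found, key=lambda f: f.start)


def redact(text: str) -> str:
    """Return the text with every finding replaced by its masked form."""
    for f in reversed(scan(text)):  # right-to-left keeps earlier offsets valid
        text = text[:f.start] + f.masked + text[f.end:]
    return text


# Constructed sample: a support ticket that should never be pasted into chat as-is.
SAMPLE = ("Ticket 4471: customer Jane Doe, SSN 123-45-6789, card 4111 1111 1111 1111,\n"
          "order ref 1234 5678 9012 3456, contact jane.doe@example.com.")

if __name__ == "__main__":
    for f in scan(SAMPLE):
        print(f"{f.kind:5} at {f.start}-{f.end}: {f.masked}")
    print(redact(SAMPLE))
```

The order reference in the sample has the shape of a card number but fails the Luhn check, so it is left untouched; that is the difference between pattern matching and classification.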

Importance of Protecting Your Private Information

Knowing the reason for an action helps you do what is needed to prevent unpleasant occurrences or to get the best out of it. You might be wondering why you have to protect your private information. You don't have to look far; here is why it is essential:

- Prevent identity theft: Protecting your private information means safeguarding it from cybercriminals who can steal your identity and impersonate you. Their illegal actions could ruin your reputation and land you in trouble. For example, in 2020 some of the most influential people in the world, such as Joe Biden, Barack Obama and Elon Musk, were victims of identity theft on Twitter, and the cybercriminals made $121,000 from it.
- Protect your personal or business brand: If a cybercriminal uses your identity to commit a crime, your details could end up in the state's criminal records, and no organization would want to employ or do business with you because of that record.
- Protect your bank accounts from unauthorized withdrawals, purchases and transfers: Should cybercriminals get hold of your financial information, they can wipe out everything you have worked for within seconds. Protect your financial information if you don't want someone else to deprive you of your life savings.
- Protect yourself from harassment, threats and bullying: Granting public access to your private information invites cyberbullying, which can affect your mental health.
- Protect yourself from burglary: Keep your home address private. This reduces the risk of your home being burgled.

How to protect your Private information?

Now that you know why you should secure your private information, you are probably curious about how. There are intelligent and straightforward ways to do it; for example, the following techniques can be used to secure your information.
  - Be careful about whom, and which platforms, you submit your personal information to. Only submit your information on secure and trusted websites. They usually show a trust indicator, commonly a padlock icon or an "s" after "http" in the website's address, which indicates that the connection is protected by TLS (historically called Secure Sockets Layer, SSL) encryption.
  - When filling in an online form, do not reveal more details about yourself than necessary.
  - Encrypt your sensitive data to prevent unauthorized users from gaining access to it.
  - Do not share your financial information (such as a credit card number) or social security number over the phone or by email. If you must, first confirm that the request is genuine.
  - Be careful when connecting to public hotspots; connect only to hotspots you trust. This helps stop others from accessing your private information.
  - Erase all information about you from an old phone before discarding it.
  - Use strong passwords of 10-12 characters, including uppercase and lowercase letters, numbers and symbols.
  - Enable two-factor authentication to confirm your identity when logging into your bank or email accounts.
  - Do not log into your banking app over an unsecured Wi-Fi connection, so that others cannot intercept your information.
  - Make online purchases from trusted e-commerce sites only.
  - Have a dedicated email address for all your social media activities.
  - Block third-party and ad-tracking cookies.
  - Read a website's policy agreement before agreeing to it.
  - Do not share sensitive information about yourself on social media platforms.
  - Think twice before revealing confidential information about yourself in public.
  - Use a VPN when visiting untrusted websites.

Your private information is your existence on record; it says a lot about you because it encompasses everything about you. Keeping it private and secure should therefore be taken seriously to avoid leaks, reputation damage and loss.

Is Cyber Awareness Knowledge and Training necessary for Organizations and ordinary people?

Why is cybersecurity such a big deal today? Because it is a global issue whose severity and frequency are increasing at a tremendous rate. We are at war, and the open internet is the battleground. We cannot always rely on specific tools and technologies like traditional anti-virus and firewalls: technology evolves every day, and so do cybercriminals and their methods. Next-generation firewalls, anti-virus software, data analytics and NOC/SOC teams are all great, but all of them can be undone by a single click. If end users are unaware of well-known threats and attack methods, they are probably just a click away from a severe data breach. This can be prevented with basic cybersecurity education and training. Everyone, from individuals to large enterprises running critical infrastructure, should organize cyber awareness training or cyber awareness information-exchange programs at least once a year. These programs keep people up to date on the latest threat landscape, vulnerabilities and prevention methods.

Why is Cybersecurity Awareness critical for people from all backgrounds?

The time of purely conventional warfare is over: powerful states no longer fight only with weapons and missiles; in the modern era they fight digitally, and we call it cyberwar. There was a time when countries would send spies into an enemy's nuclear facilities to steal data and other crucial information, but that is no longer the case, because surveillance systems with motion sensors, high-tech cameras and physical security can detect any human activity or presence at the site. Instead, crafted and customized cyberspies, that is botnets and malicious programs, are launched to target and damage the enemy's systems. These programs are designed and developed by teams of experts to get into the target network and gain all the crucial data.

These attack methods save the attackers cost, effort and time. Let's take an example. ABC company is an ad agency with 30-50 employees. It has physical security, a network firewall and antivirus software, so the company considers itself secure from outside threats, as the firewall blocks unwanted traffic. The CEO finds a USB drive on the road and is curious to check it out. He brings it to his office and plugs it into his laptop. The USB drive carried malware, which is now installed on the system and collecting data from across the network infrastructure; the malware is controlled by a remote command-and-control server.

The company has no idea it has been breached and continues to believe nothing has happened. Such breaches go undetected for months, and in some cases for years. Evidence shows that many cyber-attacks estimated to have cost millions could have been avoided with better employee training and the early implementation of management protocols and policies. What we need to understand is that all of this could have been prevented simply by offering basic cyber awareness training and educating the people inside the company.

How should you deliver Cyber Awareness Education?

You simply cannot teach people everything about cybersecurity, but you can teach them the basics, because it all starts with the basics. Instead of overwhelming yourself and the people around you with every aspect of threats and cybersecurity, present them with a simplified but comprehensive approach that covers the key concepts, the greatest risks and the main concerns of cybersecurity awareness. Start with overviews of the most common threats, such as phishing and malware, password policies, social engineering and email protection.

- Stop clicking: The most common trigger for an attack is users who are unaware of malicious links on the web and in emails and click on them, trusting them to be legitimate. When a user clicks such a link, it takes them to a fake website or page where they are asked to log in with their credentials. In the background the bad actors capture those credentials, and the user has no idea they have been exposed. To avoid this, users must be trained to inspect links and recognize the risk of an attack. Even if a link seems to come from a trusted source, users should inform the security team or the network admin before clicking it. Phishing links and messages are the most popular tactic cybercriminals use to win users' trust.

- Use strong passwords and passphrases: Using strong passwords is good, but using long passphrases instead is even better. Short passwords can easily be cracked by bad actors, whereas a long passphrase offers far stronger protection. Password length matters more than complexity and is considered the best security practice. A typical strong password is at least 12 characters long, with a combination of lowercase and uppercase letters, numbers and special symbols; the longer it is, the stronger it is. Never reuse a password: using the same password for multiple accounts and platforms puts all your data at higher risk. Cybercriminals know this; they only need to get into one of your accounts, and after that your bank account, email and social media accounts are on the verge of being hacked. You have opened the back door for the bad actors. Use a different password for every account. Yes, we know: we are human, we tend to forget even important things, and that is the usual excuse for reusing passwords. Instead, use a password manager, free or paid. To further enhance security, enable two-factor authentication on your accounts on the various platforms.

- Phishing links and messages: Yes, you are thinking along the right lines; it is similar to catching fish in the real world by offering them food and luring them into a trap. Phishing works the same way: you receive an email with an attachment or hyperlinks, actually a fraudulent message crafted to look as if it came from a trusted source, such as a loved one or the bank where you hold an account. It makes an urgent request, for example to change your password, and is used to gain access to the victim's account and personal information, resulting in data theft and financial loss. People trust even when they should not. Unlike spam, phishing messages persuade us to take some action. If any message or link you receive by mail or text seems suspicious and you are not sure what to do, inform and consult your IT or security team, and only then take any action.

- Ensure software is up to date: The least we can expect from ordinary people with little or no cybersecurity knowledge is to keep the software and applications they use up to date. Vulnerabilities in applications and software are another key factor leading to data breaches. Updates can be set to install automatically so users do not have to roll out each new update by hand every time. Doing so adds another layer of protection against cyber threats.

- Use a VPN: The COVID-19 pandemic forced people to work from home and while travelling, which means users access important files and sensitive data on office resources remotely. Accessing them over an insecure public network opens the front door to bad actors and invites severe cyber attacks. A VPN can protect a company against these threats: it establishes a secure, encrypted tunnel between the user and the office resources, and all traffic passes through that tunnel only. VPNs use standard encryption and authentication algorithms such as 3DES, AES, SHA, SHA-256 and MD5 (of these, 3DES and MD5 are legacy choices, and new deployments should prefer AES and SHA-256). Users should be convinced and motivated to use the VPN service, and educated about its benefits and how it protects them from cybercriminals.

- Learn how to recognize potential threats and attacks: Security professionals can easily spot a malicious email or threat; people from other backgrounds cannot, and they should be taught what to look for when trying to spot an attack. Common signals are incorrect grammar, urgency, spelling mistakes, wrong addresses and other scare tactics. Another good practice is reading the mail or message properly and in detail. Ask yourself whether you bought anything online, applied for that job, or were expecting anything like what the mail or attachment mentions. These are common self-evaluation techniques that users should be aware of.
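The signals the last three items describe (a link whose visible text and real target differ, urgency and scare tactics, a wrong or mismatched sender address, a page without the HTTPS padlock), turned into a small triage script. This is an added Python example, not code from the article; the sample message, the urgency word list and the "two or more signals means report it" threshold are constructed assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Assumed list of urgency phrases; a real deployment would tune it from reported samples.
URGENCY = ("urgent", "immediately", "within 24 hours", "suspended",
           "verify your account", "act now")
ANCHOR_RE = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
TAG_RE = re.compile(r"<[^>]+>")


def site(url: str) -> str:
    """Last two labels of a URL's host; crude on purpose, no public-suffix list (assumption)."""
    host = (urlparse(url).hostname or "").lower()
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def phishing_signals(raw: str) -> list[str]:
    """Return one human-readable line per signal found in a raw RFC 822 message."""
    msg = message_from_string(raw)
    signals: list[str] = []
    _, from_addr = parseaddr(msg.get("From", ""))
    from_site = from_addr.rpartition("@")[2].lower()
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    reply_site = reply_addr.rpartition("@")[2].lower()
    if reply_site and reply_site != from_site:  # replies go somewhere else than the sender
        signals.append(f"Reply-To domain {reply_site} differs from sender {from_site}")
    body = msg.get_payload() if not msg.is_multipart() else ""
    text = (msg.get("Subject", "") + " " + TAG_RE.sub(" ", body)).lower()
    hits = [w for w in URGENCY if w in text]
    if hits:
        signals.append("urgency language: " + ", ".join(hits))
    for href, inner in ANCHOR_RE.findall(body):
        shown = TAG_RE.sub("", inner).strip()
        if "://" in shown and site(shown) != site(href):  # text says one site, link goes to another
            signals.append(f"link text shows {site(shown)} but points to {site(href)}")
        if urlparse(href).scheme != "https":
            signals.append(f"link to {site(href)} is not HTTPS")
    return signals


def assess(raw: str) -> tuple[list[str], str]:
    """Two or more independent signals: do not click, report it to the security team."""
    signals = phishing_signals(raw)
    return signals, ("report" if len(signals) >= 2 else "low")


# Constructed sample using reserved .example names; nothing here is a real domain.
SAMPLE = """\
From: Bank Security <alerts@bank-login.example>
Reply-To: support@recovery.example
Subject: Urgent: your account will be suspended
Content-Type: text/html

<p>Dear customer, verify your account immediately or it will be suspended within 24 hours.</p>
<p><a href="http://bank-login.example/verify">https://www.bank.example/login</a></p>
"""

if __name__ == "__main__":
    found, verdict = assess(SAMPLE)
    print(verdict, *found, sep="\n  ")
```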
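The password rules from the passphrase item above, and the shorter password and two-factor tips in the earlier list, as an added Python example that is not part of the article: it checks a secret against the page's policy (at least 12 characters, mixed classes, length over complexity), estimates strength in bits, and groups accounts that reuse the same password. The 20-character passphrase threshold, the 10^10 guesses per second cracking rate, the diceware wordlist size of 7776 and the sample strings are assumptions.

```python
import hashlib
import math
import string

MIN_LENGTH = 12            # the page's minimum for a strong password
PASSPHRASE_LENGTH = 20     # assumption: from here on, length alone is accepted
GUESSES_PER_SECOND = 1e10  # assumption: offline cracking rate used for estimates

CLASSES = {
    "lower": set(string.ascii_lowercase),
    "upper": set(string.ascii_uppercase),
    "digit": set(string.digits),
    "symbol": set(string.punctuation + " "),
}


def classes_used(secret: str) -> set[str]:
    return {name for name, chars in CLASSES.items() if any(c in chars for c in secret)}


def policy_failures(secret: str) -> list[str]:
    """Rules the secret breaks; an empty list means it passes the policy."""
    failures = []
    if len(secret) < MIN_LENGTH:
        failures.append(f"shorter than {MIN_LENGTH} characters")
    # Length beats complexity: a long passphrase passes without mixed classes.
    if len(secret) < PASSPHRASE_LENGTH and len(classes_used(secret)) < 3:
        failures.append("uses fewer than three character classes")
    return failures


def entropy_bits(secret: str) -> float:
    """Upper bound assuming every character was drawn uniformly from the pool
    of classes present; human-chosen strings are weaker than this."""
    pool = sum(len(CLASSES[name]) for name in classes_used(secret))
    return len(secret) * math.log2(pool) if pool else 0.0


def passphrase_bits(words: int, wordlist_size: int = 7776) -> float:
    """Entropy of `words` words picked at random from a wordlist (7776 = diceware)."""
    return words * math.log2(wordlist_size)


def crack_seconds(bits: float) -> float:
    """Expected time to guess a secret of the given strength (half the keyspace)."""
    return 2 ** (bits - 1) / GUESSES_PER_SECOND


def reused_passwords(accounts: dict[str, str]) -> dict[str, list[str]]:
    """Group accounts sharing a secret, keyed by a SHA-256 digest prefix so the
    report never echoes the secrets themselves."""
    groups: dict[str, list[str]] = {}
    for account, secret in accounts.items():
        groups.setdefault(hashlib.sha256(secret.encode()).hexdigest()[:12], []).append(account)
    return {digest: names for digest, names in groups.items() if len(names) > 1}


if __name__ == "__main__":
    for s in ("P@ssw0rd", "Tr0ub4dor&3", "blue-kettle-orbit-meadow"):  # constructed samples
        bits = entropy_bits(s)
        print(f"{s!r}: {bits:.1f} bits, ~{crack_seconds(bits) / 86400:.1f} days, "
              f"fails: {policy_failures(s) or 'none'}")
    print(f"four random diceware words: {passphrase_bits(4):.1f} bits")
    print(reused_passwords({"bank": "Tr0ub4dor&3", "email": "Tr0ub4dor&3", "shop": "other"}))
```

The lowercase 24-character passphrase scores far higher than the 8-character mixed-class password, which is the "length over complexity" point in numbers.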

Never hesitate to invest in cyber self-defense education and awareness for yourself and the people in your company if cybersecurity is a serious concern for you. The world around us is changing every second, and so is technology. Whether you realize it or not, technology is reshaping our businesses and lives, and cybersecurity is its greatest challenge. This is the final wake-up call and the time to act. Secure and protect yourself and your company by learning next-generation cyber self-defense skills, and stay on the leading edge of this digital era by showing that you know how to identify and defend against these cyber attacks.

Securing your information is securing You Digitally