Halloween marks the end of National Cybersecurity Awareness Month. The scary stuff, unfortunately, continues beyond the 31st.
The world’s communication networks give cyber-criminals a conduit to steal corporate and state secrets, as well as defraud businesses and individuals. Those bad actors only need to get past some locked doors.
“Oftentimes, for a malicious actor, it’s more a matter of trying several doors, and seeing which one is least secure,” said local cybersecurity expert Darren Bennett.
Bennett works as chief information security officer (CISO) for the City of San Diego, and previously worked for the FBI. He worked hundreds of cases for his previous employer. In the vast majority, he said, the actors who broke into a system didn’t use cutting-edge vulnerabilities. “They found a system that was not patched.”
Patching is important, he said. “It’s a fundamental step in protecting yourself and ensuring good cyber hygiene.”
Software patches are new bits of computer code that seal up vulnerabilities. Keeping software up to date by applying such patches can keep a company or an individual out of trouble.
The hacker might be compared to a person walking through a neighborhood, trying doorknobs to see if anything is unlocked. If, Bennett said, your neighbor has good security and you leave your door wide open ….
“In the world of IT, you ideally want to have perfect security. You want to make yourself a difficult target,” Bennett said.
Vulnerabilities by the Thousand
For the sixth year in a row, the National Institute of Standards and Technology (NIST) tallied more than 10,000 software vulnerabilities reported to the agency. The count in 2021 was slightly more than 20,000, with 4,074 of those deemed high-risk. The agency reported 13,166 vulnerabilities so far in 2022, with 3,243 of those high-risk vulnerabilities. NIST is part of the U.S. Department of Commerce.
Patching is an ongoing process as new vulnerabilities are uncovered every day.
If business owners have not yet taken stock of their computers and other internet-connected devices, the time to do so is now, said Tony Anscombe, chief security evangelist of ESET, which has its North American headquarters in San Diego’s Little Italy neighborhood.
Most people think this applies to laptops, servers or their phones, but it applies to anything connected to the internet, including autos, cameras, appliances and printers.
The good news, Anscombe said, is that many products can be set to download software updates automatically.
ESET markets a suite of antivirus and digital security software. It is the top provider of cybersecurity solutions in Europe, based on units sold. Clients include businesses, enterprises, governments and consumers.
Patch management is one of four cybersecurity best practices that the National Cybersecurity Alliance is putting in the spotlight this fall. The alliance consists of federal agencies and big businesses.
The alliance is also reminding businesses to use strong passwords and multifactor authentication.
Recognizing and reporting phishing is also very important.
Baiting the Hook
Phishing is an attempt to fool a person into doing something that compromises computer security — such as clicking on a link that will infect the computer with malware.
More than 90% of cyberattacks begin with phishing, according to CISA, the Cybersecurity & Infrastructure Security Agency, which is part of the U.S. Department of Homeland Security.
One way to foil bad actors is to keep an attitude of vigilance and skepticism while dealing with email.
A vague greeting, bad grammar, misspellings or a sense of urgency are all good clues that an email could be a phishing attempt.
Keeping a skeptical attitude may not be as easy as it sounds, said both Anscombe and Bennett.
“All of us are so busy,” Bennett said. “We race through email. We see something interesting, we click.”
Many experts suggest pausing before clicking on a link.
A victim will fall for a phishing email, Anscombe said, if the circumstances are right: if the email looks authentic, if it has an element of urgency about it, and if it resonates with the victim at that particular moment in time. Consider, he said, a person who gets a phony notice about a package shipment, when in real life, that person is expecting a package.
Fake package-delivery emails are a timely scam.
The May-August 2022 period saw a six-fold increase in detections of shipping-themed phishing lures versus the January-to-April 2022 period, according to the latest ESET Threat Report. These emails often involved fake DHL and United States Post Office requests to verify shipping addresses.
If a person gets an email from a delivery company that could possibly be a fraud, Anscombe says don’t follow a link embedded into the message. Rather, visit the official website of the delivery company.
“Check by not clicking,” he said.
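The clues listed above (a generic greeting, urgency, misspellings) and Anscombe's "check by not clicking" advice can be turned into a simple triage script that a help desk could run over a reported message. The following is an added example written for this page; it is not code from the article, ESET or the National Cybersecurity Alliance. The two sample emails, the keyword lists and the "last two labels" domain heuristic are all constructed assumptions; real tooling would use a public-suffix list and far larger indicator sets. The only thing the script does with a link is compare where it points against what it displays, which is exactly the mismatch a user is supposed to avoid by typing the delivery company's address themselves.

```python
"""Phishing-clue scorer over constructed sample emails (added example, not the article's code)."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed indicator lists; a production tool would maintain much larger ones.
GENERIC_GREETINGS = ("dear customer", "dear user", "dear valued customer", "dear account holder")
URGENCY_TERMS = ("immediately", "within 24 hours", "urgent", "act now", "will be suspended", "final notice")
COMMON_MISSPELLINGS = ("recieve", "adress", "verifiy", "acount", "sheduled")
DOMAIN_RE = re.compile(r"(?:[a-z0-9-]+\.)+[a-z]{2,}")


class LinkExtractor(HTMLParser):
    """Collect (href, visible label) pairs from <a> tags in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._label = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._label = []

    def handle_data(self, data):
        if self._href is not None:
            self._label.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._label).strip()))
            self._href = None


def registrable_domain(host):
    """Naive 'last two labels' approximation (assumption: no public-suffix list available offline)."""
    labels = (host or "").lower().strip(".").split(".")
    return ".".join(labels[-2:])


def strip_tags(html):
    return re.sub(r"<[^>]+>", " ", html)


def score_message(sender, body_html):
    """Return (score, reasons); each reason is one of the clues from the article."""
    reasons = []
    text = " ".join(strip_tags(body_html).split()).lower()
    if any(text.startswith(g) for g in GENERIC_GREETINGS):
        reasons.append("generic greeting")
    urgency = [t for t in URGENCY_TERMS if t in text]
    if urgency:
        reasons.append("urgency: " + ", ".join(urgency))
    typos = [w for w in COMMON_MISSPELLINGS if re.search(r"\b" + w + r"\b", text)]
    if typos:
        reasons.append("misspellings: " + ", ".join(typos))
    sender_domain = registrable_domain(sender.rsplit("@", 1)[-1].strip(">"))
    parser = LinkExtractor()
    parser.feed(body_html)
    for href, label in parser.links:
        target = registrable_domain(urlparse(href).hostname or "")
        shown = DOMAIN_RE.search(label.lower())  # does the visible text look like a URL?
        if shown and registrable_domain(shown.group(0)) != target:
            reasons.append(f"link text shows {shown.group(0)} but points to {target}")
        elif target and target != sender_domain:
            reasons.append(f"link to {target} does not match sender domain {sender_domain}")
    return len(reasons), reasons


# Constructed samples: a shipping-themed lure and an ordinary internal note.
PHISH_SENDER = "DHL Delivery <noreply@dhl-parcel-verify.example>"
PHISH_BODY = """<p>Dear Customer,</p><p>Your package could not be delivered. Please verifiy your
shipping adress within 24 hours or the parcel will be returned.</p>
<p><a href="http://dhl-parcel-verify.example/track">https://www.dhl.com/track</a></p>"""
LEGIT_SENDER = "Jane Smith <jane@example.com>"
LEGIT_BODY = """<p>Hi Darren,</p><p>Slides from Tuesday's meeting are on the shared drive:
<a href="https://drive.example.com/slides">drive.example.com/slides</a></p>"""

if __name__ == "__main__":
    for name, sender, body in (("phish", PHISH_SENDER, PHISH_BODY), ("legit", LEGIT_SENDER, LEGIT_BODY)):
        score, reasons = score_message(sender, body)
        print(f"{name}: score={score}", *reasons, sep="\n  ")
```

The score is a count of independent clues, not a probability; the point of the link check is that a message can pass every wording test and still deserve a report if the visible address and the real destination disagree.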
A hacker can craft a phishing message that aligns with a victim’s plans. “An experienced hacker can easily learn of those plans by monitoring the victim’s social media such as LinkedIn, Facebook or Twitter,” said Bennett, the city CISO.
If a phishing email arrives at the office, the National Cybersecurity Alliance recommends reporting the attempt to an IT manager or security officer as soon as possible.
Anscombe said reporting phishing attempts should be encouraged, even rewarded. “This is not about calling out bad behavior. It should be a positive experience.” He said he heard of one organization in the Netherlands that awards a box of chocolates to the first person who spots a previously unreported phishing tactic.
Resources Are a Click Away
- To learn more about internet safety, visit the National Cybersecurity Alliance at staysafeonline.org.
- Information on Cybersecurity Awareness Month, which is valuable 12 months out of the year, is at https://staysafeonline.org/programs/cybersecurity-awareness-month/
- ESET offers resources at welivesecurity.com.
- The San Diego Cyber Lab, developed by the city of San Diego Cyber Team and regional partners, is a collective resource for training, education and information sharing. Visit https://www.sandiego.gov/cyber-lab
- CCOE, the Cyber Center of Excellence, is at sdccoe.org.
The latter is a hub for San Diego’s rich cybersecurity community. CCOE is a nonprofit organization that mobilizes businesses, academia and government to grow the regional cyber economy and create a more secure digital community for all.