Security for a worldwide, high-crime neighborhood: The internet

Taylor Armerding
Oct 18, 2021

It might seem counterintuitive to have a separate Cybersecurity Awareness Month (CSAM). After all, every month — practically every day — of the year is choked with newspaper headlines and breathless “breaking-news-as-we-come-on-the-air-tonight!” declarations from TV anchors about criminal cyber attacks enabled by cyber security failures. Anybody who’s unaware of the significance of cyber security has to be living way off the grid.

Still, a month set aside to focus on the topic remains a worthy event because it can bring a bit of balance to what headlines imply is an endless losing battle — reminders that the criminals don’t always win and that there are tools and techniques available to those who use the internet ethically to defeat them.

There’s no such thing as 100% security in the online world, of course, but that’s true of any element of life. The CSAM message aligns with what is preached in keynotes and panel discussions at every security conference: Doing basic “security hygiene” can make you a much more difficult target. And most cyber criminals are looking for easy targets.

CSAM, now in its 18th year, is sponsored by the federal Cybersecurity & Infrastructure Security Agency (CISA) and the National Cyber Security Alliance. As has been the case for a number of years, the overall theme is “Do Your Part #BeCyberSmart.” Since 2011 there have also been weekly themes focused on specific ways to improve cyber security. This year they are: Be Cyber Smart; Phight the Phish; Explore. Experience. Share. (a focus on cyber security careers); and Cybersecurity First.

Effective use of those weekly themes, especially the first and last, can vary considerably for both individuals and organizations depending on the level of risk involved, all the more so now that so many things are connected to the internet, to the point where the Internet of Things (IoT) has been relabeled the Internet of Everything (IoE).

In the physical world, a cable or chain with a combination lock would offer reasonable protection for a bike. For a home, most people want doors with at least a double lock — a key and a deadbolt. A bank, given the value of its assets, would need a sophisticated array of locks, barriers, surveillance cameras and people to guard its assets.

That’s the case with connected devices as well. Strong passwords, multifactor authentication, and encryption offer reasonable protection for smartphones and their multiple apps. But a connected vehicle, smart home security system, or implanted medical device needs more. It’s bad to have your credit card number stolen, but it’s much worse to have your life or safety put in jeopardy.

For businesses, the list of assets to protect is likely long and varied as well. Deirdre Hanford, chief security officer at Synopsys, said it includes “our source code, financial data, employee data, customer data, physical assets — and most importantly, our employees, visitors, interns and contractors. Finally, our reputation and our brand.”

And when it comes to critical infrastructure — traffic controls, water and sewer systems, the power grid, food and fuel supplies — the damage from failures to be cyber smart can be catastrophic. The spikes in fuel and meat prices that followed the ransomware attacks on Colonial Pipeline and JBS Foods are only the most recent reminders of that reality.

So the way to benefit from CSAM is to apply the numerous tips provided by the campaign based on what you do, what you own and the risks associated with them. Joe Jarzombek, director for government and critical infrastructure programs at Synopsys, said the four weekly themes of the national initiative “are broad enough for individual organizations to select specific topics to focus messages most relevant to their employees.”

Keep in mind that these are the basics — the equivalent of locking your door at night. If you don’t do them, you’re almost asking to be compromised. The internet is a worldwide high-crime neighborhood.

The following is a summary of the major items on CISA’s lists that track with the weekly themes of CSAM.

Be cyber smart

  • Cyber secure at work: Cyber attacks that target businesses using stolen logins and passwords increased sharply in 2020. Criminals can exploit organizational vulnerabilities like failure to install software patches, or human error such as clicking malicious links to gain access to systems. At the organizational level, given that every business is either a software company or a company that uses software, the way to harden defenses is to build and maintain trust in software. That requires multiple automated testing tools, keeping track of the software you buy or use for free (open source), and keeping it all up to date. The good news is that there are plenty of tools to help do that. But of course, you have to use them. Jarzombek said software developers should “use testing tools that have security domain knowledge under the hood to identify and remediate weaknesses and vulnerabilities in software. They should understand that a key aspect of software assurance is the verification of software, so they should use the NIST [National Institute of Standards and Technology]-developed Guidelines on Minimum Standards for Developer Verification of Software and use key technologies for software assurance.” Organizations that buy cyber assets “should focus on more effective cyber supply chain risk management, especially exercising due diligence with a ‘lens of cyber security’ — use the Vendor Supply Chain Risk Management (SCRM) Template,” he said. On the individual front, workers need training in how to spot and avoid social engineering attacks — scam emails, texts, or calls that are seeking your personally identifiable information (PII) or hoping to plant malware on your device or system.
  • Multifactor authentication: This ought to be a standard security practice at home, at the office, or on the road. Many banking and financial institutions already require it. It combines something you know — a password, passphrase, or PIN; something you have — a token, smart card, or a verification text, call, or email; and something you are — a biometric such as a fingerprint, face, or voice.
  • Travel: Before you hit the road, update everything — your devices, applications, browser, operating system, and networks. Also back up your data, connect only to entities or people you trust, and enable multifactor authentication.
  • Online privacy: Some of the best ways to protect PII are to use strong, complex passwords (a password manager can help with that) and multifactor authentication, keep your software up to date, and never reply to, or click a link in, a text or email from someone you don’t know. Finally, don’t put PII on social media — ever. Remember that every picture and status update shares information about you with the world.
  • Protect your digital home: Another convenience with a caveat: It’s great to control your thermostats, door locks, coffee machines, and smoke alarms with your phone or laptop. But doing it safely means, at the start, securing your Wi-Fi by changing the default password and username. Then apply the same tips cited earlier for online privacy.

Phight the phish

  • Identity theft and internet scams: Among the alarming statistics on the CISA website are that the average cost of a data breach for U.S. companies in 2020 was $8.84 million; that 7% to 10% of the U.S. population are victims of identity fraud each year; and that 47% of people living in the U.S. were victims of identity theft. Among the most effective scams of the past year were those related to COVID economic payments, or imposters claiming to be from Social Security and seeking your Social Security number or other PII. The ways to make yourself a more difficult target include rigorous passwords and multifactor authentication.
  • Phishing: This is the big one, because the best technology in the world can’t trump human error. The 2020 Verizon Data Breach Investigations Report found that phishing attacks account for more than 80% of reported security incidents and data breaches. According to Synopsys, the four most common types of phishing are:

URL links: They prompt you to click on a URL that directs you to a website asking for your credentials or to download malware.

Credentials: This encourages you to enter your login usernames and passwords under the pretext of accessing a legitimate-looking website.

Attachments: This tries to get you to download an infected attachment or file that contains a URL. When you click the link in the attachment, you are then prompted to enter your credentials or download malicious files.

Business email compromise: This seeks to trick an employee through social engineering into giving information or taking action under false pretenses.

In general, phishing emails that say you’ve failed to pay a bill, that there is an unauthorized transaction on your account, or that your identity couldn’t be verified may appear to come from a real financial institution, e-commerce site, government agency, or any other service, business, or individual.

Paul Ducklin, principal research scientist at Sophos, wrote earlier this month on the Sophos blog Naked Security that scammers “may pretend to be your ISP today, they may masquerade as Apple iTunes tomorrow, and yesterday they might have said they were a courier company trying to deliver your latest online order.”

In short, they have a list of ways to tempt users that grows longer every day. “And you only have to make one mistake for the crooks to win,” he wrote, concluding with a slogan to keep in mind: If in doubt, don’t give it out.

Explore. Experience. Share.

  • Cyber career profile: As CISA puts it, “career awareness is an important piece in solving the cyber workforce shortage.” The agency provides free resources at CYBER.ORG on careers ranging from pen testing to cyber security forensics, including the skills, degrees, and certifications needed, expected salaries, and job growth.
  • Cyber security workforce training guide: The guide is for current and future federal, state, local, tribal, and territorial staff looking to expand their cyber security skills and career options.

Cyber security first

  • Cyber security starts with you: Every time you’re online and accept friend requests, shop, go to your bank’s website, watch a video, play a game, or use the internet in any other of hundreds of ways, you also make security choices. So be aware of the phishing, identity theft, and malware threats listed above. Teach your children how to be safe online and regulate their use. And trust your instincts. If something sounds too good to be true, it probably is. Remember that the best technology in the world can’t protect you from yourself. “Being cyber smart doesn’t mean being a cyber security expert,” Jarzombek said. “It simply means keeping cyber security in the forefront of decisions that affect the development, buying, and use of connected cyber assets.”


Taylor Armerding

I’m a security advocate at the Synopsys Software Integrity Group. I write mainly about software security, data security and privacy.