Cyber Self-Defense Is Not Complicated

A.J. Nash
Vice President of Intelligence   ZeroFOX

Whether it be texts that include personal content not meant for public consumption, emails, hard drives, cloud storage containing sensitive business information, or the endless supply of finance transaction data that most of us pass across the Internet daily, few people in the modern world are immune to the threat of a cyber-attack. Hence, the importance of cyber self-defense.

The most common avenue of attack for cyber actors continues to be phishing. Phishing enables cybercriminals to gain the access needed for a ransomware attack, cyber extortion, or the theft of personally identifiable information (PII) which is used to steal money or identities. 

While the threat of compromise may be daunting to many who do not see themselves as very technical, even those with limited knowledge can employ a few simple techniques and tools to greatly reduce the potential for being compromised. Before we talk solutions, let us briefly examine the common threats most of us face and nearly all of us can minimize through simple cyber self-defense.

4 Common Threats Faced in Cyberspace

  • Phishing: Someone poses as a legitimate institution or individual in an email or text to lure victims into providing sensitive data such as PII, banking and credit card details, and passwords.

  • Ransomware: Malware that prevents or limits users from accessing their system, either by locking the system’s screen or by locking the users’ files until a ransom is paid.

  • Theft of PII: The theft of data that may include a Social Security number, date of birth, driver’s license number, bank account and financial information, as well as a passport number. All this data can be assembled into a full financial record file (AKA, “fullz”) for identity theft. These reportedly sell for as little as $8/each on cybercriminal markets across the Dark Web.

  • Cyber Extortion/Blackmail: A crime in which a threat actor demands payment to prevent the release of potentially embarrassing or damaging information. In most cases involving individual victims (not companies), a threat actor pretends to have compromised a victim’s computer or an account tied to something embarrassing. By quoting credentials usually gathered from a previously published breach, the threat actor quotes those credentials as “evidence” of access to the more embarrassing data. Because people commonly use the same credentials for multiple accounts, this bluff often works, leading to the victim being forced to provide more embarrassing content for extortion, pay money, or both.

Cyber Self-Defense practices: Safely Using Wi-Fi and Bluetooth

Wireless connectivity to the Internet and other devices is one of the most convenient inventions in recent memory. Unfortunately, these technologies also come with risks many users fail to recognize or mitigate. Thankfully, it only takes a few simple changes to greatly reduce the risk of personal compromise and practice cyber self-defense.

  1. Keep Wi-Fi and Bluetooth features turned off on mobile phones and laptops until ready to use.

  2. Do not pass sensitive data over a Bluetooth connection unless it is encrypted.

  3. Do not connect to wireless networks or devices you do not know and trust unless.. While this may mean higher costs or slower service through a mobile data provider, that is less costly than data loss.

  4. If you are forced to use a publicly available or shared wireless network, use a Virtual Private Network (VPN) application. This widely available and easy to use technology creates a secure tunnel within the Internet traffic and encrypts data from end-to-end, including masking that data from the Internet Service Provider (ISP).

cyber self-defense practices: Securing Text, Audio, Video, and Email

According to a 2019 study, texting is a more popular form of communication than both emails and phone calls. The overwhelming use of this technology naturally creates a false sense of trust and security that can result in the exchange of sensitive, or potentially embarrassing information that can be compromised and used for extortion purposes. 

The best and easiest way to secure against this threat is to move to a secure texting application. The key features to look for in one of these applications is end-to-end encryption that ensures not even the provider can decrypt the messages being exchanged. Also, make sure the feature to encrypt audio and video conversations is included. With free and effective applications that provide this level of security in communications to anyone, there is no excuse to be texting or calling unencrypted.

Turning to email, the recommendation of encryption will remain one of the easiest and most effective security solutions. Just as with text and audio, there are several effective and free applications for encrypting emails that ensure the contents of an email cannot be compromised, even if the host network or email provider is.

Passwords and Multi-Factor Authentication (MFA)
The greatest weakness in most user’s security is bad and recycled passwords. Simple passwords can often be hacked in no more than a few hours. Worse yet, most people use the same credentials (username and password) for multiple websites or applications. This means that, if one account is compromised, the threat actor is likely to gain access to additional accounts by using the same credentials.

While strong passwords with as few as 9-12 characters can be remarkably secure (see chart above), most users remain unwilling to create or memorize more than one such password. There are two viable and easy to implement solutions for password insecurity.

  • Password managers generate and store passwords that are virtually impossible to hack and empower clients to stop re-using the same passwords across several platforms or accounts. Instead, a user needs only to memorize one “master password” to gain access to their password manager. Several password manager applications are on the market today for little or no cost.

  • Multi-Factor Authentication software requires users to prove their identity in two or more ways before granting access to accounts, sensitive information, systems, or applications. This process ensures that, even if a password is compromised – through a large data breach, for instance – a threat actor still cannot access a potential victim’s account. Instead, the threat actor is challenged to supply the MFA code and denied access when they cannot. There are several respected and free MFA options on the market today, including offerings by Google, Microsoft, and those integrated into some password managers.

CYBER SELF-DEFENSE, IT IS NOT COMPLICATED

Whether you are technical or not, committing to cyber self-defense is an increasingly effective way to minimize the risks that certainly lurk. With all the free tools offered and all the techniques to put into action, there is no reason you should not be the protector of your information. Cyber self-defense is not complicated. 


A.J. Nash

Tags: , , , , , , ,