Cyber Essentials

Financial Information

A private company's revenue, loss, or even potential sales are confidential information that you shouldn't share with others.

Account Numbers

Bank Accounts

Watch what you post on social media

Be careful about how much personal information you post on social media. The more information you post, the easier you make it for someone to stalk you, steal your identity, or commit other crimes.

Confidential Information

Before we learn about HOW to protect ourselves online, We first need to talk about WHAT to protect and WHY it's important—confidential information that you need to be extra careful about. What information about you is already available? The value of your home: Who lives with you, Your age, Driving record, Education, Occupation, Estimated income, Purchasing habits, Political affiliations. All may be available through a simple search.

Process

Attackers employ numerous tactics to investigate you and the systems you may have access to for potential vulnerabilities. These vulnerabilities once exploited allow them to get a foothold into the system. So how does this happen?

Backup

Backup your important files.If your computer is lost, stolen, or breaks, make sure you always have backups of your important files. Saving your information to the cloud, using a service like Microsoft OneDrive, Google Drive, or Dropbox is a great way to make sure all your important files are backed up.

So now that you're aware just how convincing some phishing emails can be, what can you do to protect yourself against them?

Beware of phishing scams and fake emails. We just saw some examples of how convincing some of the fake emails can be—it's very hard to tell the difference. The accounts you want to be especially careful of are those that have access to your money, such as banking accounts or PayPal. Unsolicited, legitimate emails will almost never ask you to login.Legitimate companies will rarely send you an email that prompts you to log into an account. If you're not sure if an email is genuine, ask the sender (if possible) or a more tech-savvy friend or colleague. Never open attachments in unsolicited or suspicious emails.You probably wouldn't open an unsolicited present from a stranger on the street, so don't open attachments from unsolicited or suspicious emails either, as they often contain malware.

Kill Chain

By taking advantage of holes in their built-in security measures, hackers infiltrate networks and devices. Black hat hackers, who are malicious hackers, use this technique to access private data without authorization

Virus

Computer Virus, which is a program that is designed to copy itself to other computers and eventually execute some kind of code. Sometimes that code can be a practical joke, other times it can be an instruction to delete everything on the computer

Confidential Information

Confidential information is sensitive corporate information that, if exposed, can damage a company, either directly or indirectly. Think about KFC's or Coca-Cola's secret formula. If it was publicly exposed, it could be very advantageous to competitors. Information that is often considered confidential might consist of trade secrets, financial records, contracts and credit cards, strategies, customer lists, plans and pricing, salaries and employment records, physical plant details, designs and prototypes and merger or acquisition plans.

Why you should care

Cybersecurity is becoming more and more important and relevant in many aspects of our daily life. Our screens are constantly filled with news headlines about the latest breach or data leak. A common misconception is that cyber-attacks are purely the result of sophisticated, targeted efforts by cybercriminals or nation-state actors. However, that is far from the truth, as nation-state-level attacks are not that common for the vast majority of organizations. In contrast, a significant percentage of attacks can be attributed to unintended risk choices, competitors' determination, and a small degree of bad luck.

Phase 1: Reconnaissance:

During the Reconnaissance phase, a malicious actor identifies a target and explores vulnerabilities and weaknesses that can be exploited within the network. As part of this process, the attacker may harvest login credentials or gather other information, such as email addresses, user IDs, physical locations, software applications, and operating system details, all of which may be useful in phishing or spoofing attacks. Generally speaking, the more information the attacker is able to gather during the Reconnaissance phase, the more sophisticated and convincing the attack will be and, hence, the higher the likelihood of success. Starts with a phishing email

Phase 2: Weaponization:

During the Weaponization phase, the attacker creates an attack vector (develops a pathway used to gain access to your system), such as remote access malware, ransomware, virus, or worm that can exploit a known vulnerability. During this phase, the attacker may also set up back doors so that they can continue to access the system if their original point of entry is identified and closed by network administrators. This generally occurs when a user clicks on a malicious link.

SSN

Social Security Numbers: Since this information is crucial, hackers will attempt to take it from you by using phony emails, false websites, and other methods. Unless there is a very good reason, a genuine business would virtually never ask you for sensitive information when you provide it online

Adware

Software designed to hijack your web browser to display advertisements on your computer and redirect your search requests to advertising websites to collect marketing data about you.

Keep your confidential information in a secure location.

A confidential location isn't an unprotected Microsoft Word document or a Post-it note on your monitor. Make sure you save your passwords and confidential information in a secured location, both online and physically. Consider using a password manager.

Imagine if your computer is stolen

A good exercise is to imagine what it would mean if your device was stolen—stolen, not lost. If someone found or stole your computer, what kinds of things could they find?

Sites

A lock icon will usually appear in your web browser, in front of the site address, to indicate you're using HTTPS, meaning the site is secure.

Email & Phishing

It's easy to overlook email security. For most of us, it just exists on our computer or smartphone, and it works—until it doesn't. If your email account is breached, it will have long-reaching consequences for your online accounts, social media accounts, and, worst of all, even your bank accounts. Not to mention the time it takes to restore and recover all those accounts or wait for your bank to recover and return stolen funds. Everyone has probably seen a fake email before, but you probably don't appreciate how good some of the fake emails are. Let's talk about fake emails and phishing...

Human intelligence and behavior is the best defense against cyber attacks

Knowing how you're vulnerable online is the best way to prevent the costly consequences of being hacked.

Mail 3

Last one; look carefully at this email.

Examples

Let's look at some example of passwords: Bad Here are some insecure passwords. These words all have at least 8 characters, and they have strong syllables, which make them a little easier to remember.So why aren't these passwords secure? [Optional audience feedback]They're all in lowercase and they don't include any numbers or special symbols. Better These passwords are better, because they include either upper and lowercase letters or a number. How can we make these passwords even more secure? BestThese passwords are even better, now they include both upper and lowercase letters, AND a number, AND a special character.

Mail 1

Let's look carefully at this email. Do you think it's real or fake?

How to Prevent Malware

So how can you prevent your computer from being infected with malware? Install antivirus/malware software. Make sure your computer has good, up-to-date antivirus software installed; this is probably the most important part in protecting you from malware. Keep your antivirus software up to date. New viruses are released every day, so make sure you keep your antivirus software up-to-date with the latest definitions and updates. Run regularly scheduled antivirus scans. It's a good idea to run a quick antivirus scan daily and a longer, more thorough one weekly; most antivirus software can be setup to run scans on an automatic schedule. Keep your operating system and software up to date. Hackers keep finding exploits in most operating systems and software companies are constantly updating their software to close these vulnerabilities. It can be a little annoying and time-consuming to update your software, but it helps protect you from malware.

How to keep this information secure?

So how do we make sure to keep both our personal and work information safe? Mostly through common sense:

Text 1

Look carefully at this email. Do you think it's real or fake?

When to use HTTP

Make sure the website you are on is using HTTPS if you are: Signing in; sending your user name & password. Most legitimate websites will use HTTPS for their login pages. Older or more "homemade" sites might not use HTTPS, and ask you to provide your password in the open. Make sure you never enter your password or important information unless you know the site is secure. Making purchases; sending your credit card. Your credit card number is something a hacker would love to get their hands on. Make sure you only enter your credit card or banking information on trusted, secure sites. Sending or working with confidential information. If you need to upload any important files to a website, make sure that site is using HTTPS.

Mail 2

The email is just informational, it's just about a new bank policy. It's not asking you to login in or do anything. If you hover over the links in an email, your email program will usually display their destination URL. Notice the URL here is indeed the official Wells Fargo website.

Intro

The modern cybersecurity environment is a quickly changing, hostile environment full of cutting-edge threats and ever-smarter threat actors. Our goal here today isto share information on steps you can take to reduce your attack surface and your risk of becoming a victim of an attack.

Second place passwords should be required

The second place where you need to require a password is when your computer resumes from sleep or after a screensaver. Requiring a password after resuming from sleep will also protect the information on your computer if you're away from it for a few hours.

Where should passwords be used?

There are 2 important places where you should require a password on your computer. The first is a login password. Even if someone steals your computer, if it requires a password to login, it becomes difficult to access your computer's information. By default, PCs and Macs are set up to require login passwords.

What constitutes 2FA

There are 3 recognized factors for authentication: Something you know, or a password. This is almost always one of the two requirements for two-factor authentication. Something you have, like a mobile phone or a hardware token. Something you are; a biometric scan of your fingerprint or Apple's Face ID. Two-factor authentication uses two of these three options.

2FA

There's another problem with passwords. That is that a good password is only secure if the sites where you use them is secure. Unfortunately, there is no guarantee that any site is completely secure and there have been many breaches of high-profile sites over the years. Two-factor authentication is one of the best ways for us to keep our accounts safe. It adds an extra layer of security to passwords by requiring another point or "factor" for authentication. Fortunately, most accounts now have this option and make it available. Let's look at what this additional factor is.

Inside Company Information

This could be information about new products, policies, or marketing strategies. Many companies will protect this kind of information by having their employees sign a non-disclosure agreement.

Mail 4

This email is a very clever fake. It's asking you to log into your PayPal account. But, look at the website where the link sends you. The site contains the word PayPal, but it's not the official PayPal site; it's an impostor that would steal your PayPal credentials if you tried logging into it. A legitimate website will almost never send you an email that prompts you to log into your account.

95% of cybersecurity breaches are due to human error.

This is a particularly crucial point, as the majority of data breaches are entirely avoidable because they are brought on by human error rather than technical flaws.

Software Installation

So how do you safely install software? Don't install personal software on company computers. If you have a company computer, your company has probably already installed all the software you need and they probably have a policy against installing personal software on company equipment. Have up-to-date antivirus software. This is probably the most important tip to safely install software—if you have good, up-to-date antivirus software it should detect any malware installation and block it. Make sure the software comes from a reliable source. Reliable sources include software in the Microsoft and Apple App stores that have been vetted. A reliable source isn't a pop-up window in your browser that tells you to install something. Be careful when you install new software; decline any additional software you don't want. When you're installing software, pay close attention to all the options. Make sure you're only installing the software you want; decline or unselect any additional software that you don't want to install.

Spyware

Spyware is a kind of stealth program that secretly runs on your computer and monitors all your activities, like what you're typing, and then sends that information to someone.

What access is possible if your computer is stolen?

The computer itself; although the information saved on a computer is often even more valuable. Credentials to log into all your sites. If you use a password manager to make it easier to log into all your sites, you've just made it easier for the person who found your computer to log into those sites too. Information about your financial accounts. If someone has your account number and transaction details, it's fairly easy for them to gain access to your financial accounts. Email and message history, which could include very confidential information. Files and projects you've been working on, even if these aren't confidential, it could be a lot of your work that gets lost.

Client Information

Who a company's clients are: especially their contact information: is also sensitive.

Phase 5: Installation

Immediately following the Exploitation phase, the malware or other attack vector will be installed on the victim's system. This is a turning point in the attack lifecycle, as the threat actor has entered the system and can now assume control.

Email Security Tips

Email: We all receive dozens of emails daily, mostly from people we know and trust and some from strangers or companies. We also get some attachments with our emails, like files we can open, download, or simply look at. Some of them can be handy, but watch out! Some are bad news and can mess up our computers. Don't open email attachments from unknown or suspicious senders. If you're unsure, trash suspicious messages or mark them as spam. Better be safe than sorry. You should also not open email attachments with unusual file extensions or names. For example, an email with a file called "invoice.exe" is most likely not a real invoice; it's malware, as ".exe" means it's an executable file. Just delete it and move on. Additionally, use antivirus software and keep it updated, as it can scan email attachments and block or remove any malware found. And lastly, use a safe attachments feature if your email provider offers one. This can check email attachments in a virtual environment before they're delivered to you and prevent any malicious ones from reaching your inbox. So now that you're aware just how convincing some phishing emails can be, what can you do to protect yourself against them?

Never send confidential information through email.

Emails aren't secure, plus they can be forwarded on to others.

Text 2

Fake emails can sometimes appear to come from a person you know and some viruses can use your email account to send fake emails to all your contacts. The attached project file is likely a malware that would infect your computer, if you opened it. Even if an email comes from someone you know, notice how vague the message is. Were you expecting Julie to send you a project file?

What constitutes a secure password

Fortunately, password security is one of the easiest things we can get it right? Use at least 12 digits. Compound words or words, like windmill and football, are easier to remember and they also meet the 8-digit character requirement of most systems. However, many websites are now starting to require as many as 12 digits. Use a combination of both upper and lowercase letters. Since passwords are case-sensitive using a mix of capital and lowercase letters makes a password much harder to hack. Include both a number and a special symbol. Make sure your passwords include both a number, like the number 3, and a symbol, like an exclamation point (!). Don't use the same password for all your accounts. This one is easier to say than it is to put into practice, because of the number of websites that we log into. However, the reason this is a good practice is that if a site gets hacked it only compromises one of your passwords. Luckily a password manager can help you manage multiple sites and passwords. Change your passwords every 3 to 6 months. This will help in the event that someone gains access to one of your accounts, they can only use it until you change it.

Social Media Safety Tips

Here are a few basic social media safety tips: Adjust your privacy settings. Privacy and security settings exist for a reason. Make sure you understand and use these settings, as they control who sees what you post. Know and manage your friends.Some people like to connect with as many people as possible; just remember there is a big difference between a friend—someone you know, and an online follower—someone you don't know.If you want to be an influencer, consider using a separate open profile or account for your work, and another private profile to interact with your friends. Otherwise, make sure you really know your social media security settings and that your posts are reaching the right group of people. Keep personal information personal. The more personal information you post online, the easier you make it for someone to cause trouble for you. Be mindful of your online reputation. Everyone has seen how a tweet—even if it was posted years ago—can hurt people's reputations or even cost them their jobs. It's a good idea to review your old posts to make sure there aren't any you would regret people finding.

Agenda

Here you see the items that we are going to discuss Confidential Information [3 min] Choose a Password [4 min] Two-Factor Authentication [2 min] Malware, Viruses, and Spyware [3min] Safely Install Software [2 min] Email and Phishing [6 min] Browse Securely [3 min] Social Media [3 min] Protect Your Computer's Data [4 min]

How Effective is this?

How good are the "lures" or fake emails? A recent study showed that 80% of Americans could not distinguish fake and legitimate emails. Let's take a look at some examples of both real and fake emails; see if you can spot the difference.

Phase 6: Command and Control

In Command & Control, the attacker is able to use the malware previously installed to assume remote control of a device or identity within the target network. In this stage, the attacker may also work to move laterally throughout the network, expanding their access and establishing more points of entry for the future.

Phase 3: Delivery

In the Delivery step, the intruder launches the attack. The specific steps taken will depend on the type of attack they intend to carry out. For example, the attacker may send email attachments or a malicious link to spur user activity to advance the plan. This activity may be combined with social engineering techniques to increase the effectiveness of the campaign. If a connection is made, a malicious website launches an exploit

Phase 4: Exploitation

In the Exploitation phase, the malicious code, delivered in the previous phase, is executed within the victim's system. Connection is confirmed, and malicious websites begin sending malware.

Phase 7: Actions on Objective

In this stage, the attacker takes steps to carry out their intended goals, which may include data theft, destruction, encryption, or exfiltration. If the attack is successful, systems are breached and data is stolen

Most Used Password The Problems with passwords

It is estimated that passwords are responsible for more than 80% of data breaches. In a well-intentioned effort to strengthen passwords, businesses adopted password policies restrictions to increase complexity and make passwords more challenging to decipher. An unfortunate a by product of these policies is that passwords also became much more difficult for users to remember. Resulting in: More passwords are written down More passwords being reused Predictable complexity, such as adding a 1 or ! at the end of your chosen password. Can you guess what the most commonly-used password was in 2020? According to Nordpass, this was the most popular password across 30 countries, with nearly 5 million hits 123456The second most commonly-used password in 2020 was 123456 with with 1.5 million hits Obviously, these are not very good passwords, so let's look at how you can choose a secure password.

Malware

Malware is short for malicious software that either harms your device or tries to steal its data. Some examples of malware include...Email: We all receive dozens of emails daily, mostly from people we know and trust and some from strangers or companies. We also get some attachments with our emails, like files we can open, download, or simply look at. Some of them can be handy, but watch out! Some are bad news and can mess up our computers. Don't open email attachments from unknown or suspicious senders. If you're unsure, trash suspicious messages or mark them as spam. Better be safe than sorry. You should also not open email attachments with unusual file extensions or names. For example, an email with a file called "invoice.exe" is most likely not a real invoice; it's malware, as ".exe" means it's an executable file. Just delete it and move on. Additionally, use antivirus software and keep it updated, as it can scan email attachments and block or remove any malware found. And lastly, use a safe attachments feature if your email provider offers one. This can check email attachments in a virtual environment before they're delivered to you and prevent any malicious ones from reaching your inbox.

Always Use some form of MFA

Most major sites, like Amazon, Facebook, and Google, all use two-factor authentication—it's even required for some of them. Two-factor authentication takes a little more time to verify a text message, but the additional security this provides is totally worth it.

Browse Securely

Next we're going to talk about how to make sure you're browsing the web securely... https://www.makeuseof.com/common-sources-of-malware/?utm_source=MUO-NL-RP&utm_medium=newsletter&[email protected]

Malware/Viruses/Worms

Now let's talk about malware, computer viruses, and spyware...

Protect Your Data

Now we're going to talk about how to safeguard your computer's data...

Safely Install SW

One of the most common ways malware gets on computers is when users inadvertently install it, without realizing it. Malware can trick you into installing what you think is a fun or useful app, when it's secretly installing adware or spyware. Software downloads are a significant source of malware. You might want to download software from a particular search engine, but you don't know whether what you're adding to your machine is legit or actually harmful malware. In most cases, you might be downloading the right software. However, that software might be packed with so much malicious content that it will affect the legitimate software and your entire computer system. Perhaps the most disturbing aspect is that this malicious software can appear at the top of your targeted searches, which may lure you into believing that the software site is legitimate. To avoid malware from software downloads, simply don't download anything from shady sites that say they have free or cracked software versions. They're usually full of nasty malware that can ruin your devices. Stick to the legit sites or the ones you know are safe. Always scan downloaded files with a reliable antivirus or anti-malware software before opening them. Malwarebytes is one of the best tools to use in this case. Read the terms and conditions and uncheck any unwanted options before installing the software. Some software might try to install additional programs or change your browser settings. Be careful and opt out of any offers or features you don't need or want.

Protected Health Information (PHI)

PHI includes, but is not limited to, any past, present or future information about a person's health status, medical diagnoses, health care provided and payment for medical services.

Personally Identifiable Information (PII)

PII is considered sensitive when it can uniquely identify an individual. Things like your Social Security number, driver's license number, passport number, full credit card number, financial account numbers, birthdate and birthplace, and citizen or immigration status are considered PII.

Passwords Matter

Passwords Matter: They represent, after all, the keys to our digital kingdoms, which today can include social media, online banking, ride-sharing, and streaming services. And when you consider that often-times these platforms have our credit card details and personal data stored within their platforms. You begin to understand why they are also popular with cyber-criminals. Consider that once a cyber-criminal gets access to these credentials, they can sell the information on the dark web or use it to commit fraud. It was estimated that the fraudulent payment card transactions in 2021 exceed 32bn and its expected to continue to rise year over year. Unfortunately, we make this easier by choosing poor passwords. https://nordpass.com/most-common-passwords-list/ Let's talk about how to choose a secure password. As the slide depicts; an easy to remember password is easy to hack.

The "S" in HTTP

The Internet uses a protocol called HTTP to transfer information between your computer and the websites you visit. HTTP stands for Hypertext Transfer Protocol; you really don't need to remember what HTTP stands for, but the S at the end of HTTP is important—it stands for Secure. So...HTTP: (no S) is an open site. The information you send to this type of website—including your password—is sent in the open. Someone could monitor and intercept that information. HTTPS: (S at the end) is a secure site. The information you send—again, including your password—is encrypted so it's safe.

Use extreme caution when providing confidential information to a website.

Unless you're completing a secure financial application, a legitimate website will never ask you for information like your social security number.

Social Media

We could do an entire course on social media safety alone; we're just going to touch on this subject and go over some common sense basics.

Phishing

When you fish (spelled with an F) you throw out a line with a fake lure, hoping that a fish will bite and you can reel it in. When hackers phish (spelled with an P) they throw out thousands of fake emails, hoping that a few unsuspecting people will do what the email tells them, and they can reel in their passwords or confidential information. So for starters don't click on every link you see. Phishing attempts are all too common nowadays. Black-hat hackers mainly send emails, creating a sense of urgency and trick users into giving out their sensitive information. This is usually done by prompting them to change their password because their account has allegedly been compromised or that they need to log in because they got paid. It is vital to always check the sender's address even when it appears legitimate. This can be done by taking a look at the properties of the email. Another useful strategy is always checking for spelling mistakes, and if there are any, someone is probably trying to hack your account. Still, keep in mind that the latest virus threats and phishing attempts are getting more subtle and refined.