Are You Cyber Savvy?

Tuesday, October 25, 2011

Joel Harding


Most people lack computer user education, plain and simple.

Most people turn on their computer, sigh when they have to enter their password (if they have one at all) and start using their computer to read email, cruise through their favorite website, do some online shopping and perhaps banking.

They might watch videos, read some humorous things and share them, perhaps use other ways to have a shared experience online or stay all to themselves. They might have a virus checker, a security suite of sorts, but many don't. Every three years or so they have to buy a new computer because their older computer is just 'so slow'…

Much of this ignores what cybersecurity professionals advise you to do. October is National Cyber Security Awareness Month, and here are a few things we could all use.

DHS protects civilian government networks and critical infrastructure. DHS also runs US-CERT, the United States Computer Emergency Readiness Team, which is supposed to be the national Computer Emergency Response Team. They watch out for everybody not covered by NSA and US Cyber Command, that is, everyone outside the military and the intelligence community.

DHS is working with the National Cyber Security Alliance, which has an excellent website for home users. They also publish a fairly comprehensive checklist covering the wide variety of devices many of us have in our homes. These are all websites that I recommend you visit to learn a few things.

I have a few pet peeves I’d like to share with you. If you are really computer savvy you can stop here, otherwise enjoy a few words of wisdom, please?

The first is about spear phishing. Please, it's spelled correctly. When you receive an email from what appears to be a friend and it contains a link and a short message that seems strangely out of character, freeze.

More than likely this is someone pretending to be your friend; this is known as spoofing. Everything, including the name and address of the sender, can look correct, because the From: line of an email is just text the sender types in and ordinary mail clients display it without checking it. It takes an experienced user only a few seconds to put your name, or your friend's name, on a message, and there is little you can do to stop them.

If you dig into the message headers (the Received: lines, the Return-Path, and any Authentication-Results line recording SPF or DKIM checks) you'll see it's not really from your friend, but most people never look. What is happening is that the link may take you to a website hosting malicious code that installs a virus or other malware on your computer, sometimes without you authorizing anything (a drive-by download).

This is a very common attack today. The lesson to learn here is never click a link in any email unless you know and truly trust the sender, and then only if the message seems totally legitimate.
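The following is an added example, not code from the original post: it shows the header and link checks described above applied to a constructed spoofed message and a constructed legitimate one. The domains, addresses and header values are placeholders made up for the demonstration; the registrable-domain comparison is a deliberate simplification (it does not handle suffixes like co.uk).

```python
"""Added example: spotting a spoofed 'friend' email from its headers and links.
The two messages below are constructed for this demonstration; every domain,
address and authentication result in them is a placeholder (assumption)."""
import re
from email import policy
from email.parser import BytesParser
from urllib.parse import urlparse

# Constructed spoofed message: From: claims a friend at example.com, but the
# envelope sender, SPF result and the link target all point elsewhere.
SPOOFED_MESSAGE = b"""\
Return-Path: <bounce@mail.example.net>
Received: from mail.example.net (mail.example.net [192.0.2.10])
\tby mx.example.org with ESMTP id abc123
Authentication-Results: mx.example.org; spf=fail smtp.mailfrom=mail.example.net; dkim=none
From: Alice Friend <alice@example.com>
To: Bob <bob@example.org>
Subject: check this out!!
Content-Type: text/html; charset="utf-8"

<html><body>
<p>hey you have to see this <a href="http://example.net/login">www.example.com/photos</a></p>
</body></html>
"""

# Constructed legitimate message from the same friend: headers and link agree.
LEGIT_MESSAGE = b"""\
Return-Path: <alice@example.com>
Authentication-Results: mx.example.org; spf=pass smtp.mailfrom=example.com; dkim=pass header.d=example.com
From: Alice Friend <alice@example.com>
To: Bob <bob@example.org>
Subject: photos from the trip
Content-Type: text/html; charset="utf-8"

<html><body><p>Album: <a href="https://www.example.com/photos/123">www.example.com/photos/123</a></p></body></html>
"""

LINK_RE = re.compile(r'<a\s+[^>]*href=["\']([^"\']+)["\'][^>]*>(.*?)</a>', re.I | re.S)


def domain_of_address(value: str) -> str:
    """Lower-cased domain part of an address such as 'Name <user@host>'."""
    m = re.search(r"@([A-Za-z0-9.-]+)", value or "")
    return m.group(1).lower() if m else ""


def same_registrable(host_a: str, host_b: str) -> bool:
    """Compare the last two DNS labels. Simplification: ignores public
    suffixes such as co.uk (assumption made for this example)."""
    reg = lambda h: ".".join(h.lower().split(".")[-2:])
    return reg(host_a) == reg(host_b)


def mismatched_links(html: str) -> list:
    """(href, visible text) pairs whose visible text looks like a URL or
    hostname on a different domain than the one the link really goes to."""
    out = []
    for href, text in LINK_RE.findall(html):
        text = re.sub(r"<[^>]+>", "", text).strip()
        shown = text if "://" in text else "http://" + text
        shown_host = urlparse(shown).hostname or ""
        target_host = urlparse(href).hostname or ""
        if shown_host and target_host and not same_registrable(shown_host, target_host):
            out.append((href, text))
    return out


def analyze_message(raw: bytes) -> dict:
    """Return the claimed From: domain and a list of human-readable findings."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    from_domain = domain_of_address(str(msg.get("From", "")))
    envelope_domain = domain_of_address(str(msg.get("Return-Path", "")))
    auth = str(msg.get("Authentication-Results", "")).lower()
    findings = []
    # Envelope sender (who the mail server actually accepted it from) vs. From:
    if envelope_domain and not same_registrable(envelope_domain, from_domain):
        findings.append(f"envelope sender {envelope_domain} does not match From domain {from_domain}")
    if "spf=pass" not in auth:
        findings.append("SPF did not pass for the claimed sender")
    if "dkim=pass" not in auth:
        findings.append("no valid DKIM signature")
    body = msg.get_body(preferencelist=("html",))
    html = body.get_content() if body else ""
    for href, text in mismatched_links(html):
        findings.append(f"link text shows {text} but points to {href}")
    return {"from_domain": from_domain, "findings": findings}


if __name__ == "__main__":
    for name, raw in (("spoofed", SPOOFED_MESSAGE), ("legit", LEGIT_MESSAGE)):
        result = analyze_message(raw)
        print(name, result["from_domain"], result["findings"] or "no findings")
```

The checks are only as good as the receiving mail server's Authentication-Results line, which the server adds after the message has left the sender's control; the From: and Return-Path lines, by contrast, are whatever the sender chose to write.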

The last point I'd like to make is about social engineering. Technically spear phishing is a form of social engineering, but bear with me. The former king of social engineering was Kevin Mitnick, who went to jail for five years for being the excellent hacker he is.

But what really set him apart from mere mortals was social engineering combined with his hacking. He did his research: he would study, he would probe, and then he would do whatever it took to get a password, a free account, root access, or entry to a facility where he could physically touch the system he was trying to break into.

He dug through dumpsters for names, phone numbers, account information and the kind of details only an insider would know. He might call you on the phone posing as IT support and have you assist him, gaining access to a trusted system while fooling you completely.

His book, "The Art of Deception: Controlling the Human Element of Security", is excellent. Through its case studies it shows how social engineers talk their way into a wide variety of computer networks and how effective the technique is. Please don't get lured into a trap, whether online, on the phone or in person, without confirming someone's identity.

Whenever anyone calls me on the phone and asks me for any information, I ask for their phone number and I call them back. Sorry, no phone number, no information. I also don't trust caller ID; it can be spoofed as well.

Please, browse through these sites, add to your expertise and don’t forget: It’s all of our responsibilities to protect our computers.

Cross-posted from To Inform is to Influence
