Security Best Practices: Tricks Attackers Use
In my last post, Security Training: Why Learning Security Best Practices is in Everyone’s Best Interest, I detailed the importance of security training, including the necessity of being taught to “think before clicking” on malicious links and how a security breach can have horrifying effects on your organization’s productivity. In case your organization chooses to forgo the formal training, this post details some potential threats and what they look like and covers basic security terminology that will come in handy when protecting your devices. Receiving formal security training is crucial. If, however, you choose not to, knowing what to be wary of will better equip you to think before clicking to safeguard your personal devices as well as your organization’s.
Tools to arm yourself can be found on securingthehuman.org, an informational website created by SANS, a security information and education organization. This site has several helpful guides that address security best practices and how best to teach, implement, and consistently utilize them. A useful place to start is understanding some basic security-related terms.
With these terms and their definitions in your arsenal, it will be easier to begin to detect and watch out for potential threats to your devices.
In Peer to Peer Magazine, Douglas Brush, the Director of the Information Security Governance practice at Kraft Kennedy in New York, details the different types of attackers and attacks you might face.
Brush divides attackers into two groups, interior and exterior threats. Interior threats are those that come from the employees within the organization or contractors and vendors that have easy access to company data and confidential information. Exterior threats are those that come from outside office personnel, like hackers and malicious groups. Brush describes the ways attackers can infiltrate an organization:
1. Reconnaissance: the actions an attacker takes to “case the joint.” This information gathering can be done by reviewing your own website, social media platforms, databases such as Public Access to Court Electronic Records (PACER), database lookups using Whois.net, and domain name system (DNS) records, and advanced tools to mine and correlate data.
2. Scanning: Scanning techniques use networks and networking technology to identify connected IT assets. The most common form of scanning uses tools to probe TCP/IP networks to map computers, routers and servers, identify the devices’ operating systems, and discover open ports and services.
3. Exploitation: an active attempt by an attacker to get a toehold in a system or network. This can come in the form of a phishing email, a USB flash drive or a compromised host with a known vulnerability.
4. Maintaining a Presence: Attackers who get in want to stay and be unnoticed. After a successful initial exploitation, an attacker scans an environment for new targets, harvests credentials, escalates privileges, and pivots to new systems to exploit.
5. Exfiltration: In most common breaches, attackers are attempting to remove data from its environment. This is called exfiltration. Exfiltration can be done by insider threats with USB flash drives, cloud storage platforms such as webmail or cloud storage, or even something as simple as printing confidential documents and walking out the door.
Being aware that there is a variety of threats is helpful when understanding the very real danger of a security breach. As Brush states, “It’s not a matter of whether you will experience a data breach; it is a matter of when you will experience one.”
Here are some examples of phishing emails so you can better avoid becoming a victim of one.
- If you receive an email from “IT Support” saying that your mailbox has exceeded its quota limit and you need to confirm your email or password in order to save your messages, be suspicious. Call or email your actual IT Support team and verify if this is true. If they tell you they didn’t send it, do not enter your password or click on any links.
- Similarly, if you receive a generic email from a “Package Delivery Specialist,” telling you that you need to verify your email and password to ensure your package is delivered, be wary. If your package cannot be delivered, the shipping company will contact you with descriptive detail as to why the delivery failed. You can even check the delivery status of a package online, through shipping confirmation emails, emails confirming your purchase, or online at USPS, FEDEX, or UPS.com. Do not enter your personal password or login information into generic and vague emails.
- Always check to see who the email is from. If you receive a message from a corporation but the email address is from a Gmail or Hotmail account, you should be suspicious, as organizations will use their company account or address to send messages. Check to whom the email is addressed and who is CC’ed. If there are hundreds of addresses that you don’t recognize, or if the same message is addressed to your entire organization, delete the message immediately.
- If an email is addressed to you as “Dear Customer,” but is sent from what could be a trusted source, be wary. If your bank, company, or client is trying to get a hold of you, they will use your proper name and title.
- Be wary of spelling or grammatical errors. Emails from actual businesses or banks would not send a message that has not been edited.
- Be suspicious of any email that requires “immediate action.” This is usually a ploy to create panic through urgency.
- Be cautious of links included in a vague email. If you do not trust the source, hover your cursor over the link, and it will show where the link is actually directed to. Once you see where the link will take you, you can use your own discretion before clicking.
- Be careful of any attachment in an email that you are not expecting.
- If an email seems too good to be true, it is.
- If an email sent from a friend or colleague seems overly vague or suspicious, call them to verify that they did in fact send you a message.
With these in mind, you are ready to face the scary inevitability that you and/or your organization will experience a security breach. If you are mindful of these introductory key points of security best practices, you have already begun to proactively defend yourself against attackers.