When you bring to mind someone “hacking” a computer, one of the images that likely comes up is a screen of complex code designed to crack through your security technology. While there is a technological element to every security incident, the issue usually starts with a simple mistake made by one person. Hackers understand that it is far easier to trick a person into providing a password, executing malicious software, or entering information into a fake website than to crack an encrypted network — and hackers prey on the fact that you think “nobody is targeting me.”
Below are some guidelines to help keep you and your technology safe on the network.
General Best Practices
Let’s start with some general guidelines on things you should never do with regards to your computer or your online accounts.
First, never share your personal information with any individual or website unless you are certain you know with whom you are dealing. Hackers often will call their target (you) pretending to be a service desk technician or someone you would trust. The hacker then asks you to provide personal information such as passwords, login IDs, computer names, etc., all of which can be used to compromise your accounts. The best thing to do in this case, unless you are expecting someone from your IT department to call you, is to politely end the conversation and call the service desk back on a number provided to you by your company. Note that this type of attack also applies to websites. Technology exists for hackers to quickly set up “spoofed” websites, or websites designed to look and act the same as legitimate sites with which you are familiar. In effect this is the same approach as pretending to be a legitimate IT employee; however, here the hacker entices you to enter information (username and password) into a bogus site in an attempt to steal the information. Be wary of links to sites that are sent to you through untrusted sources or email. If you encounter a site that doesn’t quite look right or isn’t responding the way you expect it to, don’t use the site. Try to access the site through a familiar link instead.
Second, whether or not you have a Bring-Your-Own-Device (“BYOD”) program at work, chances are you will at some point be using a mobile device to conduct business. Don’t assume that your mobile phone is invulnerable to being compromised. (Every networked device — Apple, Microsoft, Android, Linux, etc. — can be compromised.) Mobile hacking is one of the fastest growing areas for exploiting individuals and companies. This is largely because people do not typically have security programs — such as anti-virus software — on their mobile device. Additionally, people often connect their mobile devices to public networks, like those available at coffee shops, hotels, etc. — these networks are not secure. Your best defense against having your mobile device hacked is to install a decent security app and be sure to turn off the Wi-Fi, Bluetooth, and Hotspot settings when they are not in use. Also, try to only install apps from companies you recognize. Further, mobile banking and purchasing apps make life easy, but if you don’t have security software — or if you are conducting a larger transaction — you may want to do it on your computer.
Next, if your computer’s security software pops up a security warning, pay attention to it. Oftentimes we are in a hurry and tend to click through these types of warnings, but that is a mistake. The warning is there for a purpose, whether it is a flag indicating that a website is potentially dangerous or a notice that your computer has detected malware. When you see a warning it is best to stop what you are doing, close down any open websites, and call your help desk. You may also want to scan the computer with your security software. However, be careful of “security warnings” that pop up from websites. If the warning does not look like the warnings you are used to, and does not indicate the name of your security software, it may be a malicious attempt to compromise your computer.
Finally, don’t plug USB drives into your computer unless you know where they came from and where they have been. Rogue USB drives are a method by which hackers get malicious programs onto your computer. The drive may contain an enticing file that, when clicked, loads a virus onto your computer, or in some cases the drive may load the malware simply by being plugged into your USB port. So, if you find a USB drive lying around, it is best to turn it in to IT or throw it away.
Vulnerabilities in Email
Email is the most common avenue by which hackers attempt to compromise your computer; email is ubiquitous, cheap, simple, and effective. Email attacks generally take one of the following approaches and often combine more than one approach.
Spam and scam emails are designed to trick you into: starting a dialogue with an attacker, entering personal information, clicking on a link, or downloading a file. Each of these actions is dangerous. An attacker who begins a dialogue with you over email is likely using a technique known as “social engineering.” The attacker is attempting to build your trust with the intent of using that trust against you to get compromising information in the future. The attack may come in the form of asking you to send or enter personal information via email or website. Next, clicking on links and downloading files from untrusted sources are never good ideas. It is possible for an attacker to send a link that, when clicked, will automatically download and execute malware on your computer. And if you download an untrusted file from an email and open it (regardless of the file type — .doc, .pdf, .xlsx), you may well be doing the attacker’s job for them. These files can easily be disguised malware such as trojans, worms, or viruses.
In conjunction with scam and spam emails, hackers often use a technique known as phishing. This is where a hacker sends an email that appears to be for a legitimate business purpose and may appear to come from a client or a business associate. The end goal is the same as with spam and scam emails — to trick you into providing information or executing a malicious program. Sophisticated hackers may also use a technique known as spear phishing. In a spear phishing attack, the hacker gets to know you first by researching your public profile — such as your Facebook page, company bio, or LinkedIn account — and then tailors the attack specifically for you. By using your own publicly available information, the attacker is more likely to be able to build your trust and ultimately trick you.
To avoid email scams, be mindful of the email address from which the email is sent. Often attackers will send the email from an address that resembles one you are familiar with but is slightly different. Also, look for unusual email formatting or language: Is there usually a signature at the bottom of this person’s emails, and is it missing? Is the grammar of the email poor? Is the sender using words or sentence structure in a way they normally would not? Do you recognize the company from which the email is being sent? If you “know” the person who presumably sent the email, you can call them and ask if it came from them. If you don’t know the sender but are suspicious, contact IT.
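The “slightly different address” check above can be automated for your own address book. The following is an added example (not code from the original article) that takes an email From header, compares the address against a constructed list of known contacts, and flags near-matches such as a swapped letter, “rn” in place of “m”, or a mixed-script look-alike character. The contact names and addresses are made up for the example, and the 0.85 similarity threshold is an assumption you would tune for your own address book.

```python
import unicodedata
from difflib import SequenceMatcher
from email.utils import parseaddr

# Constructed address book: display name -> the address this person actually uses.
KNOWN_CONTACTS = {
    "Jane Doe": "jane.doe@example.com",
    "Accounts Payable": "accounts@example-bank.com",
}


def normalize(addr: str) -> str:
    """Lower-case and apply Unicode NFKC folding so that width/compatibility
    variants compare equal. Note: NFKC does NOT fold a Cyrillic 'е' into a
    Latin 'e'; that case is caught by the similarity check below instead."""
    return unicodedata.normalize("NFKC", addr.strip().lower())


def similarity(a: str, b: str) -> float:
    """Ratio in [0, 1]; one substituted character in a 20-character address
    scores about 0.95, so look-alikes land well above the threshold."""
    return SequenceMatcher(None, a, b).ratio()


def assess_from_header(from_header: str, contacts=KNOWN_CONTACTS, threshold: float = 0.85):
    """Return (verdict, reason) where verdict is 'known', 'suspicious' or 'unknown'.

    'suspicious' is raised when the display name belongs to a known contact but
    the address does not, or when the address closely resembles a known one."""
    display_name, raw_addr = parseaddr(from_header)
    addr = normalize(raw_addr)
    known_addrs = {normalize(a) for a in contacts.values()}

    if addr in known_addrs:
        return ("known", "address matches the address book")

    # Display-name impersonation: a familiar name on an unfamiliar address.
    for name, real_addr in contacts.items():
        if display_name.strip().lower() == name.lower():
            return ("suspicious", f"display name '{name}' but address is not {real_addr}")

    # Look-alike address: small edit distance from a known address.
    closest, score = max(((k, similarity(addr, k)) for k in known_addrs), key=lambda t: t[1])
    if score >= threshold:
        return ("suspicious", f"address resembles {closest} (similarity {score:.2f})")

    return ("unknown", "sender not in address book")


if __name__ == "__main__":
    # Constructed sample headers exercising each branch.
    for header in [
        "Jane Doe <jane.doe@example.com>",
        "Jane Doe <jane.doe@examp1e.com>",
        "jane.doe@exarnple.com",
        "jane.doe@\u0435xample.com",  # Cyrillic 'е' in place of Latin 'e'
        "Newsletter <newsletter@somewhere.org>",
    ]:
        verdict, reason = assess_from_header(header)
        print(f"{verdict:10s} {header!r}: {reason}")
```

A mail filter or a user-facing warning banner would call `assess_from_header` on each inbound message and treat “suspicious” as a prompt to verify by phone, exactly as the paragraph advises; “unknown” is merely a sender you have not corresponded with before.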
Securing your Online Accounts
Today most websites have password policies which require you to use special characters, numbers, capitals, etc. when creating a password. These policies are all designed to thwart password cracking attempts by hackers. However, simply following the password policy isn’t always enough. Here, hackers prey on the fact that you will likely use natural language passwords because they are easier to remember — like MyPassword. Natural language passwords take seconds to crack using publicly available password cracking technology — and “My1Password!” isn’t much more difficult to crack than the former. When creating a password, it is best to stick with something you can remember but also something that cannot be found in a dictionary or on your Facebook profile (your birthdate, for example).
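To show why “My1Password!” satisfies a typical policy yet is no stronger than “MyPassword”, here is an added example (not from the original article) of a password check that first applies a conventional complexity policy and then strips the digits and symbols, undoes common substitutions such as 0 for o and $ for s, and asks whether what remains is just dictionary words or personal facts. The word list and the “personal facts” set are tiny constructed samples; a real check would use a full dictionary plus a breached-password list.

```python
import re

# Constructed mini dictionary; a real deployment would load a large wordlist.
WORDLIST = {"my", "password", "welcome", "summer", "company", "secret"}

# Constructed "things an attacker can read off your public profile" (pet, surname, city...).
PERSONAL_FACTS = {"jane", "doe", "fido", "boston"}

# Common digit/symbol-for-letter substitutions, undone before the dictionary check.
LEET = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a",
                      "5": "s", "7": "t", "@": "a", "$": "s", "!": "i"})


def meets_policy(pw: str) -> bool:
    """The usual 'length 8, upper, lower, digit, special' policy."""
    return (len(pw) >= 8
            and re.search(r"[A-Z]", pw) is not None
            and re.search(r"[a-z]", pw) is not None
            and re.search(r"[0-9]", pw) is not None
            and re.search(r"[^A-Za-z0-9]", pw) is not None)


def segment(letters: str, wordlist):
    """Split `letters` entirely into wordlist words (longest match first).
    Returns the list of words, or None if some part is not a dictionary word."""
    if letters == "":
        return []
    for i in range(len(letters), 0, -1):
        head = letters[:i]
        if head in wordlist:
            rest = segment(letters[i:], wordlist)
            if rest is not None:
                return [head] + rest
    return None


def dictionary_basis(pw: str, wordlist=None):
    """Return the dictionary words the password reduces to, or None if it does
    not reduce to dictionary words under either normalization."""
    if wordlist is None:
        wordlist = WORDLIST | PERSONAL_FACTS
    candidates = [
        re.sub(r"[^a-z]", "", pw.lower()),                  # drop digits/symbols
        re.sub(r"[^a-z]", "", pw.translate(LEET).lower()),  # undo leet, then drop
    ]
    for letters in candidates:
        if letters:
            words = segment(letters, wordlist)
            if words is not None:
                return words
    return None


def assess(pw: str) -> str:
    """Human-readable verdict combining the policy check and the dictionary check."""
    policy = "meets policy" if meets_policy(pw) else "fails policy"
    basis = dictionary_basis(pw)
    if basis is not None:
        return f"{policy}; but reduces to dictionary words {basis}"
    return f"{policy}; not dictionary-based"


if __name__ == "__main__":
    # Constructed sample passwords.
    for pw in ["MyPassword", "My1Password!", "P4$$w0rd", "Fido2019!", "xq7#Lm!pz-Rv"]:
        print(f"{pw!r}: {assess(pw)}")
```

The point the output makes is the paragraph’s: the policy is satisfied by “My1Password!” and “Fido2019!”, yet both collapse to one or two words an attacker would try within seconds, while a password that is not built from words passes the second check.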
In addition to solid password protection, be mindful that the site you are accessing has a valid “digital certificate.” Invariably you have seen a pop-up while traversing the internet that said something like “Warning, this site has an expired digital certificate.” And most certainly you simply clicked “okay” and went about your way. Sometimes this is fine, but other times it can be an indicator that you are on a spoofed or illegitimate website. When you are accessing any type of website that requires you to log in, make sure it says “https:” in the navigation bar prior to the web address, not just “http:.” HTTPS is a sign that you are sending your information over an encrypted connection to the site. Also, if you are accessing an https site and you get that security certificate pop-up, it is probably best to navigate away.
Conducting Business Over the Internet
All of the above guidelines apply to conducting business over the internet; however, there are a few additional business-specific pointers to keep you safe. For example, public Wi-Fi is never secure, but that goes double when you are conducting business or attempting a financial transaction. Your company may offer a secure channel to access your email or network, such as VPN or Citrix. If you must use public Wi-Fi, be sure to connect using the secure channel. These channels provide a “secure wrapper” around communications with your work network that makes it much harder for attackers to get access to your information. Also, regardless of whether you are on a home, work, or private network, if you are conducting a financial transaction — such as a wire transfer — it will benefit you to be overly cautious. When sending wire instructions, be sure to password protect the document containing the instructions rather than including account and routing numbers in the body of an email or in an unsecured Word document. Most major document software (MS Word, Adobe PDF, etc.) includes a password protection option out of the box, available in the File menu. Additionally, secure messaging apps, such as Signal, are available for both Android and iPhone and allow for encrypted communication. Alternatively, consider faxing the instructions or simply dictating them over the phone. Finally, if you are the sender, it is always best to call the intended recipient to be sure the correct transaction went through.
Always remember, hackers count on you making simple mistakes. Following the guidelines above will go a long way to keeping you and your technology safe.