Weekly Security Roundup #48: Keeping Emotions & Reactions in Check
Cyber criminals are not only techies, but also skilled manipulators
Many attackers rely on their ability to exploit vulnerabilities not only in infrastructure or software, but also in your personality and emotions.
Cyber criminals tap into basic human needs, such as the need to feel secure, to be socially recognized as being or having something special, or to be socially accepted or become part of an exclusive community. They even exploit symbols we blindly trust because we’ve known them forever. There are plenty of emotions and reactions that malicious individuals can play on, and they’re not afraid to do so.
Take the case of this week’s security alert which depicts how Scandinavians are being targeted with malicious emails that appear to come from the post office. Two clicks later, their PC is being encrypted and their data is being held for ransom.
But there’s a way to counteract this type of manipulation: if we choose to educate ourselves on the tactics and tools that cyber criminals use to get to us, we can be better prepared to meet them with an appropriate response, be it in terms of technology or human interaction.
Security is about people, in the end. The people who create the security tools we use, the people who attack, who facilitate attacks and the ones who become victims. That’s why the Weekly Security Roundup is for everyone involved, me and you included.
Security articles of the week
Just in time! Immediately after Mark Zuckerberg’s announcement, cyber criminals of all sorts saw the opportunity to manipulate naive Facebook users with a new scam.
By offering early access to this new “feature”, attackers could gain access to the victim’s Facebook account and start spreading infected links in their friends’ timelines. That’s why it’s vital to be able to tell the real thing apart from cyber attacks, which often prey on users’ desires, ego and the social need to fit in or stand out.
“Once inside Target’s network, there was nothing to stop attackers from gaining direct and complete access to every single cash register in every Target store,” writes Brian Krebs in a long, but important blogpost.
It’s about time we understand that companies should be concerned not only with ensuring stronger cyber defenses inside their organizations, but also with evaluating how their partners and providers are protecting themselves.
The more an industry grows, the bigger a target it becomes for cyber criminals. This applies to the gaming industry as well, which is not spared by cyber attacks. With malware like TeslaCrypt and other threats around, gamers are starting to realize that game makers may not be doing all they can to protect their personal and financial information.
What’s there to do? They can choose to take protection into their own hands and take their cyber security to the next level.
A recent experiment conducted by the Ponemon Institute shows just how easy it is to gather confidential information just by peeking at what others are typing on their smartphones, laptops or other devices. Shoulder surfing may not be new, but bigger screens for mobile devices just make it easier.
The energy and utilities sectors are the second and third most prone to become targets of cyber attacks, and the worst thing is that they are unprepared to defend themselves and mitigate the potential consequences. What’s more, we’re talking about critical infrastructure that, upon being damaged, could endanger lives and economies.
The only field that’s even worse equipped to deal with powerful cyber attacks is the healthcare sector, which “sees 340% more security incidents than the average industry.”
“The UK government has announced a £500,000 fund to help train up higher education students in advanced cybersecurity,” and that’s a great thing!
It matters to be able to train skilled specialists who can improve cyber security in all fields, from software creation to enhanced corporate protection to increasing awareness of information security issues among home users. Any type of training can make a difference.
The OPM breach just keeps “giving”. Confidential information away, that is.
“Now the federal Office of Personnel Management says the number of individuals whose fingerprints were stolen is 5.6 million – up from 1.1 million – and that they can look forward to having those prints misused as criminals get better at exploiting them.”
Even though your fingerprints are not the same as your passwords, they could still become a liability for your personal security.
Cyber security has become a key issue not only for organizations and home users, but for states as well. So while “global spending on information security is set to grow by close to 5% this year to top $75bn, according to the latest figures from analyst Gartner,” cyber attacks are costing increasingly more:
“The total cost of attacks globally is estimated to be more than £200 billion (at least $315bn) over the past 12 months.”
A recent survey shows that “24% of organisations admitted to a data loss caused by employee accidents in the last 12 months.” And it doesn’t stop there.
Human error has consistently been the biggest area of concern for organisations when it comes to data loss. People will always be your weakest link, but having said that, there is a lot that businesses could be doing to prevent it, so we’d expect this figure to be lower.
There are various types of employees that can become significant security risks, such as the disgruntled employee, the negligent user or the nosey worker.
What’s more, Intel found that “among companies experiencing data breaches (and that is to say, a majority), internal actors were responsible for 43% of data loss, half of which was intentional, and half accidental.”
The question of how we can make passwords that are easy to remember for humans but difficult for computers to guess has been around for quite a while, but it doesn’t seem that anyone can come up with a reasonably better solution.
Until we figure out a better solution, all we can do is follow best practices and automate at least some of our password management needs.
Security starts and ends with each one of us, just like many other things in our lives. We’re connected to the Internet and to each other in more ways than we can imagine, so if each of us made a small effort to get better protection, that could create a positive circle that would benefit us all.
With that in mind, you can start here.