There are technical, physical and administrative security vulnerabilities.
Equifax’s breach exploited a technical vulnerability: a server that had not been patched, which opens the door to hackers who target devices with published but uninstalled updates. What let them into the database was mainly administrative – either a lack of policy when it comes to passwords, or staff not following it – the database user name and password had not been changed from a very well-known default: admin admin.
At CSTC2017, Maximo focused on the greatest vulnerability overall – us. Human nature makes us susceptible to being snookered. Social Engineering is the term for the psychological or situational manipulation that hackers so often use to exploit human vulnerabilities and gain access and information. Phishing, vishing and impersonation often involve distraction and urgency to create a better environment for tricking us – remember, stay calm, the “keys to the kingdom” might be at risk. Starting with only a photo, Maximo demonstrated how your digital footprint leaves behind all kinds of Open Source Intelligence (freely available personal information) that hackers can easily find, allowing them to target people more easily through deception, impersonation and trickery.
Maximo’s take home message:
- THINK before you CLICK
- Hackers love to get programs onto your computer, delivered through links and attachments.
- THINK before you DOWNLOAD
- Antivirus and Security Software helps us by throwing up alerts – but you must read them instead of quickly clicking through them.
- Use a Password Manager: LastPass www.lastpass.com
  - alternative: 1Password: www.1password.com
- Know if your email address has been compromised: www.haveibeenpwned.com
- Use a good Antivirus: https://home.sophos.com/ (free HOME version)
  - alternative: www.avast.com
- Periodically scan for and get rid of malware: www.malwarebytes.com
- Handy key combinations:
  - “Windows+L” = Locks computer – LOCK your computer when you walk away and when it is not in use.
  - “Alt+F4” = Closes the current window
- Sign up for Identity Theft Protection! We don’t have a recommendation, but Maximo and a few others here use AllClearID: https://www.allclearid.com/ It was used by Anthem when they had their breach a few years ago. If you are offered it for free, sign up and consider continuing it, because it’s not getting any better.
- Sign up for email/text alerts on credit cards and bank accounts; it makes monitoring much easier.
- Some interesting reads:
  - “Stuxnet”: https://www.lifewire.com/stuxnet-worm-computer-virus-153570
  - “RAT” (Remote Access Tool): This type of tool is used legitimately all the time to help and support users – but hackers love to get this type of tool installed on your device so they can control it remotely.
- Know what you download. READ before you CLICK.
- Be aware of P2P (peer-to-peer) file sharing, like the old Napster. There are many more now, popular for sharing movies and games.
- Install security software and allow it to do its job.
- Awesome read! “Future Crimes” by Marc Goodman