Sunday, February 28, 2021

Cybersecurity speak: Is it all geek to you?


When IT folks like me start talking about cybersecurity we often throw around a lot of terms we just assume everyone is already familiar with. I mean in this day and age, who could possibly NOT know what phishing, ransomware, smishing, vishing, spear-phishing or even malware is?

Yet according to a 2020 report from the e-mail security firm, Proofpoint, quite a few non-IT people don’t.

So before I start telling you how you can better defend yourself against online threats, I’d like to spend some time defining the terms we IT folks often use to make sure everyone understands what I’m talking about from here on out. 

MALWARE

Let’s start with the most generic term, malware.

As the name implies, malware is any program or application that does bad things to your device (mal = malicious or bad; ware = an abbreviated form of software). It's not just something that can get installed on your computer or laptop: malware can infect your cell phone, tablet, smart TV or any other internet-connected device. And contrary to what you might have heard, users of Apple devices are not immune to malware either; they are targeted just like those running Microsoft or Android-based software.

The writers of this bad software go where the users are and will target their programs to take advantage of the most popular platforms. So if iPhones are the most popular type of cell phones, you can bet that cyber crooks are working on ways to exploit these devices.

To get users to download these bad programs, criminals will often disguise the software as something desirable: a "free" or heavily discounted version of a legitimate program like Microsoft Office or Adobe Photoshop, a game, or a pirated copy of a popular TV show, movie or album.

RANSOMWARE 

Ransomware is a particularly nasty subset of malware that seeks out a user's data and encrypts it so it cannot be opened by any program until the user pays a cyber criminal a fee for the key to unlock it. What makes this type of malware so insidious is that it not only affects the device it's downloaded on, but can also spread to other devices on the same network, including shared drives and any backup disk that is left plugged in.

Ransoms can be as "small" as $100 or range into the millions. Payment is usually demanded in bitcoin, a type of virtual currency that is pseudonymous and therefore hard to tie to a real person, and there is no guarantee that even if you pay the ransom, the hostage taker will give you the key to unlock your data.

Most people have probably heard about the recent ransomware attacks on big hospitals and municipal governments, but do not let that fool you into thinking that cybercriminals only target big institutions with deep pockets.

They don’t.

You are just as vulnerable to this type of attack as they are, because this type of infection is often spread through bogus e-mails in which the sender tries to get you to open an infected attachment or click on a link to a website that will download the malware to your device.

PHISHING

SOURCE: Jeffrey L. Price, 2020
Unlike malware, the goal of phishing (pronounced "fishing") isn't necessarily to put malicious software on your computer or lock up your data. It's to trick you into willingly revealing your sensitive information to an attacker. (That said, a phishing e-mail is also the most common way malware and ransomware get delivered, so the two often go together.) Attackers do this by impersonating someone you know or an institution you trust, not only to get you to reveal your usernames, passwords and/or financial information, but also to trick you into sending money to some fake account they control. Phishers also use these attacks to gather other background information on you, such as your birthdate, social security number, previous employers and salary, so they can use it to open fake credit accounts in your name.

These attacks usually come in the form of e-mails, but have been branching out to other types of electronic communication as well.

SPEAR-PHISHING

Spear-phishing is a phishing attack in which the cyber crook directly targets a specific person or company, using information specific to that victim, rather than sending out a generic-sounding message aimed at everyone on the Internet. It is designed to make the victim think they are communicating with a known or trusted colleague. An example is a fake e-mail purporting to be from a company's chief financial officer, directing a junior staff accountant to transfer money to some new or unknown account.

SMISHING

While phishing attacks generally take place over e-mail, smishing happens through text messages (SMS). So instead of getting an e-mail from someone masquerading as a trusted friend, colleague or institution, the fake message arrives as a text. It often asks you to click on a link that takes you to a fake website, which then asks you for things like a username and password.
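The two tells that phishing and smishing messages share, a sender whose name says one thing while the address says another, and a link whose visible text names a trusted site while its real destination is somewhere else, can be checked mechanically. The script below is an added example, not part of the original post: it runs those checks over a constructed sample message. The brand ("Example Bank", example-bank.com), the sample headers and the helper names are all assumptions made for this example, and the registrable-domain helper is a deliberate simplification.

```python
import re
from email.utils import parseaddr
from urllib.parse import urlparse

# Hypothetical brand the attacker is imitating (an assumption for this example).
BRAND_NAME = "Example Bank"
BRAND_DOMAIN = "example-bank.com"

# Constructed sample message, not a real phish.
SAMPLE_FROM = '"Example Bank Security" <alerts@mail-notify-center.net>'
SAMPLE_BODY = """
<p>Your account has been locked. Verify your identity now:</p>
<a href="http://example-bank.com.verify-login.net/reset">https://www.example-bank.com/login</a>
<p>Questions? See our <a href="https://example-bank.com/help">help page</a>.</p>
"""

LINK_RE = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
DOMAIN_IN_TEXT_RE = re.compile(r"\b([a-z0-9-]+(?:\.[a-z0-9-]+)+)\b", re.I)


def registrable_domain(host: str) -> str:
    """Crude last-two-labels approximation of the registrable domain.
    A real filter would use the public-suffix list so that e.g. co.uk works."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def sender_findings(from_header: str) -> list:
    """Flag a display name that claims the brand while the address is elsewhere."""
    display_name, address = parseaddr(from_header)
    domain = address.rsplit("@", 1)[-1].lower() if "@" in address else ""
    if BRAND_NAME.lower() in display_name.lower() and registrable_domain(domain) != BRAND_DOMAIN:
        return [f"display name '{display_name}' but address is @{domain}"]
    return []


def link_findings(body_html: str) -> list:
    """Flag links whose visible text names one site but whose href goes to
    another, and hosts that bury the brand name inside an unrelated domain."""
    findings = []
    brand_label = BRAND_DOMAIN.split(".")[0]
    for href, inner_html in LINK_RE.findall(body_html):
        href_host = urlparse(href).hostname or ""
        visible = re.sub(r"<[^>]+>", "", inner_html)  # strip tags inside the anchor
        shown = DOMAIN_IN_TEXT_RE.search(visible)
        if shown and registrable_domain(shown.group(1)) != registrable_domain(href_host):
            findings.append(f"link text shows {shown.group(1)} but points to {href_host}")
        if brand_label in href_host and registrable_domain(href_host) != BRAND_DOMAIN:
            findings.append(f"look-alike host {href_host} is not {BRAND_DOMAIN}")
    return findings


def analyze(from_header: str, body_html: str) -> list:
    """Combine sender and link checks into one list of warnings."""
    return sender_findings(from_header) + link_findings(body_html)


if __name__ == "__main__":
    for finding in analyze(SAMPLE_FROM, SAMPLE_BODY):
        print("WARNING:", finding)
```

On the sample message the first link is flagged twice (the text claims www.example-bank.com while the href goes to verify-login.net, and the host hides the brand name under an unrelated domain), the sender is flagged once, and the genuine help-page link passes. Mail gateways apply the same idea with far larger lists of brands and suffixes; for a person the lesson is the same: hover over the link and read the address, not the label.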

VISHING

While the term vishing (voice phishing) may be new, this type of attack has been around for a long time. It's just a fake phone call from someone claiming to be from a company you do business with or a government agency, demanding money or information. An example is a recorded call from "the IRS" saying you are behind on your taxes and will be audited unless you call a certain number. (The real IRS opens a case by mail, not with a robocall.)

SOCIAL ENGINEERING

The one thing almost all these different types of "ishing" attacks have in common is that the attackers are trying to fool you into thinking they are someone you already know or someone you can/should trust. In the pre-internet days, we would have called these people con men or con artists, because their game is exactly the same as that of their online counterparts. Only instead of trying to talk you out of your money face-to-face by putting on some great performance and pretending to be someone they aren't, they substitute e-mail (phishing), texts (smishing) and phone calls (vishing) for in-person contact. But that's not the only way social engineers ply their trade. Many hang out on social media sites trying to lure you into revealing information that could be used to impersonate you, by creating quizzes to see which celebrity you are most like, or by buddying up to you while claiming to be some half-remembered high school acquaintance or a friend of an old friend you haven't talked to for a while.

AGE DOESN’T MATTER

SOURCE: Proofpoint 2020 State of the Phish report
While it's easy to believe that social engineers and other online fraudsters only target less tech-savvy and older folks, you'd be dead wrong. "Digital natives" (the generation that has never known a world without all this technology) aren't immune from falling victim to cybercrime. In fact, they appear even more clueless about the dangers lurking out there in cyberspace than their older counterparts.

Maybe it’s because they just take this always-connected world for granted. Or maybe it’s a case of familiarity breeding contempt.  Maybe it’s even a failure by us older folks to teach them the little we know about keeping safe online. 

Whatever the cause, Proofpoint’s “2020 State of the Phish” report showed “Baby boomers outperformed everyone in their recognition of phishing and ransomware terminology. Millennials had the best recognition of only one term: smishing.”

The report showed that only 47 percent of adults between the ages of 18 and 22 correctly identified what phishing was, compared to 65 percent of adults aged 39-54 and 66 percent of those 55 and over. Older adults also scored about 20 percent better than younger ones in knowing what ransomware was.
Some of this isn't really that surprising, as other studies have shown that people between 18 and 22 prefer texting to e-mail. However, that is still no excuse for not knowing that the same scams you might see in a text can and do affect other online communications as well.

So next time you see a member of the Instagram-generation dissing an older colleague for not understanding the latest tech with one of their “OK Boomer” memes, remind them of this: Old-timers may not be as adept at using the latest tech as they are, but we older folk are better at something even more important – identifying cyberscams. (Then tell them to get off your virtual lawn before you ask them for the millionth time what a ‘hashtag’ is!)

2FA/MFA

We’ve talked a lot about jargon we tech-types use to describe the types of attacks you might see out there in cyberspace, but what about other jargon we use to describe defensive measures? Aren’t there things called firewalls? DMZs? E-mail protection gateways? VPNs? IP addresses? 
Yes, and while they are important, I'd argue they aren't as important to the average person as 2FA or MFA.

These acronyms stand for Two-Factor Authentication and Multi-Factor Authentication. They require you to prove who you are by providing two (or more) different kinds of evidence before you can log in to a website or application: something you know (a password), something you have (your phone or a security key), or something you are (a fingerprint or your face).

Think of this as having to provide both your ticket and driver’s license before boarding a bus or airplane. Or having to provide your birth certificate, passport, and a current utility bill in order to renew your driver’s license.

In the online world, the most familiar form of 2FA/MFA works by sending a temporary code by text message, e-mail or phone call to a secondary device or account you own. Without entering this one-time code on the website or in the program, you won't be able to log in, even though you've entered the correct password. Stronger variants generate the code inside an authenticator app on your phone, or use a physical security key, so there is nothing in transit for a crook to intercept; a code sent by text can be stolen by someone who talks your carrier into moving your phone number to their SIM card, so pick an app or key where the site offers one.

The idea is that while a cyber crook might have figured out your username and password, they won't have access to that second piece of information or device (often your cell phone), and thus will be unable to impersonate you.

Like everything else in life, this is not foolproof, but the more hurdles you make cybercriminals jump over, the more likely they are to abandon the attack on you in favor of easier targets. So if you are not using 2FA/MFA now, you should start.

Immediately.

Look, these days we all carry a cell phone, and while having to grab it, find the code and enter it every time you log in someplace may seem like a giant inconvenience, the extra 30 seconds it takes will seem like nothing compared to trying to get your Facebook account back after some hacker has stolen it from you.

Ultimately this is what cybersecurity is all about: taking a little time now to prevent a lot of headaches later. And now that you understand some of the jargon we IT folk use, I hope you'll come back next month when we start discussing how to actually spot and defend yourself against these types of attacks.

Until then, stay safe out there! 
