What I learned about cybersecurity that you should know, too

What I learned about cybersecurity that you should know, too
illustration by ruth macapagal

I finished high school without the internet. Access to it wasn’t widely available back then. Email wasn’t really a thing yet (this was before everyone started using Hotmail, Yahoo, Edsamail and Yehey) but we were already concerned about malware—or what we commonly referred to as virus. Back then, we were wary about it getting into our computers from using infected diskettes to access the many files stored in them—around five documents, max. We protected our computers by using an antivirus scanner. Those were simpler times.

Nowadays, with the accessibility of high-speed internet, protecting your computer data is much more challenging because your computer can be attacked remotely.

Exciting course

I have been taking cybersecurity classes in a college in California. There, we’ve been taught different ways to protect computer data against threats on an enterprise level. It’s been an exciting course which taught us the basics, like learning the parts of a computer by disassembling and reassembling its central processing unit, and also more complex lessons like studying the different ways of hacking a computer.

One of the concepts that was ingrained in us in class when it comes to protecting computers is layered security. Simply put, it’s placing several and varied security checks to deter or at least delay intrusion and prevent compromising your computer data. On an enterprise level, this includes using physical barriers, IDs, security personnel, staff training, alarms and a ton of computer programs such as antivirus, firewalls, intrusion detection system, encryption, etc. We even had a lesson about cryptography, which I thought would shed some light on cryptocurrency but sadly did not.

Since I don’t work in the information technology (IT) field, I just applied what I learned to our personal devices at home. These are some of the simple things I did to add some layers of security to our gadgets. You can do the same.

Protect access to your Wi-Fi. I learned how to hide a Wi-Fi’s network name (SSID) and so I hid ours. Now it doesn’t show up on devices as an option for an internet connection. If you don’t want to risk unauthorized users from guessing your Wi-Fi password, this won’t even give them that chance.

Make it hard for unauthorized users to log into your laptop. I placed several stops before anyone can log into my laptop. I have set up a firmware/Bios (basic input/output system) password so that when my laptop switches on, it would immediately require a password, even before booting up.

I also enabled Windows’ Secure Logon which requires the user to press the Ctrl+Alt+Delete keys simultaneously to be able to reach the login page. Pressing these three keys bring up the authentic login page of Windows, preventing the user from entering his/her credentials on a spoofed login page.

I then added a warning page for unauthorized users. If you get this far in your attempt to access my laptop, I hope my warning that unauthorized users can be detected by my computer, untrue as it may be, will scare you from proceeding further.

Strengthen your passwords. We all know by now that it’s not a safe practice to use one password for all your accounts. We also know how hard it is to memorize multiple passwords, especially if you must change it every so often, as may be required, like for online bank accounts.

There’s a solution for this: a password manager.

I use the Last Pass app as my password manager. It can be used for free on one device and you have the option to pay a fee if you want it running on multiple devices.

Last Pass has a secure password generator so there’s no need for you to come up with one hundred unique passwords. Once you have your login details saved in the password manager, the app can auto-fill the login details on accounts you would like to log into.

I started changing the passwords of my bank accounts first, as those were the most crucial ones for me. Then I worked my way to my emails, social media accounts, etc. Currently, I already have 45 unique login details stored in my password manager.

Protect data on your phone when using public charging stations. When you use a data cable to plug your phone into a public charging station, you’re putting the contents of your phone at risk of being accessed by unauthorized users. A simple way to prevent this is to use a USB data blocker, also known as a USB condom. With this small device, no data transfers are permitted to and from the phone and the charging station. You’re able to charge your phone without risking getting it infected with malware that hackers may use to access your data.

Update your software. This is probably the simplest yet one of the most important things you should do. Do not ignore software updates as software or apps are not released perfect. Vulnerabilities that can be exploited may be discovered by programmers or even users later. These vulnerabilities are fixed or patched by software updates. Install it as soon as there’s an alert to do so, to lessen the window of opportunity for exploitation.

The effectiveness of security features in place, however, will come to naught if you get tricked into giving out your access information or credentials to unauthorized persons who have malicious intent.

In cybersecurity, humans are considered to be the weakest link. Social engineering or “hacking the human” is getting information from someone or tricking someone to do something with the purpose of gaining information that will allow access to computer data.

There are different ways social engineering is achieved. One of the most common ways is by pretending to be someone else then and then sweet talking or intimidating a prospect into giving out information.

If you have watched the series “Homeland,” Carrie Mathison, the lead character played by Claire Danes, was a master of disguising herself to extract information from different people. She, however, was one of the good guys working for the Central Intelligence Agency.

Intimidation uses the sense of urgency or authority or both to obtain the desired information or action. There was a time when budol-budol was very rampant in Manila and scammers targeted kasambahays or the elderly. They would call to inform their victim that somebody from their household, often the head of the family, got into an accident. The scammer will tell them they need money for hospital expenses and would then instruct the victim to retrieve money or other valuables from wherever they are stored in the house and have them bring the cash or jewelry where the caller and the supposedly injured household member are. You already know what happens next.

Avoiding scammers

Like many other things, scammers have gone online and have evolved their social engineering strategies. They now reach prospective victims by email (phishing) or SMS (smishing). The scammer poses as a coworker, friend or a reputable company and requests for restricted information or tricks victims into clicking links. The link will then download and execute malware that may be used to penetrate and extract information from the compromised computer.

Commonly used themes in subject lines of phishing emails are financial security alerts, company announcements, order updates, tracking updates and rewards or winnings.

I was a victim of this when I was just new at the company I’m working in. We have a very secure email system, one that we can only access using company computers, so I let my guard down, which was very wrong. I received an email with a subject line about training schedules and there was a link inside it that I clicked. A notification then popped up—it said that I failed the phishing test. My professors would be ashamed of me.

Phishing emails, ideally, should not be opened at all. This is however challenging as we do not want to overlook legitimate emails. What we can do then is to proceed with caution. When you open a suspicious email, examine the email address of the sender. If you know the sender, check again: does the email address belong to the sender? If it’s from a company or organization, does it come from their official email address? When there’s a link provided in the email, and you have a serious fear of missing out, you may hover on the link first before clicking it, to see the actual website address the link the leads to. You might be seeing a legitimate looking link like www.yourbank.com but embedded in it is a different web address. Remember, hover to discover.

There are also manual ways of getting sensitive information like dumpster diving (retrieving documents from trash), shoulder surfing (discreetly eavesdropping over someone’s shoulder while they key in their login credentials) and tailgating (gaining entry access to badge- or ID-restricted areas by going in after somebody who has authorized access). If we are not mindful and vigilant, we might be unknowingly exposing sensitive information to unauthorized people.

Cybersecurity awareness is important in preventing the compromise of computer data. Consequences of our wrong moves, carelessness or inaction may not be limited only to our personal data. It may cause data leaks and breaches in organizations we are connected to. To demonstrate this, you can check your email address on the website Haveibeenpwned.com and see if your email has been compromised by companies or websites you’ve transacted with or logged into.

At the rate technology is developing, we cannot afford to be ignorant of how cybersecurity crimes are perpetuated. We cannot just rely on our IT people to protect our personal and organization’s computer data. We must do our share. Locks can restrict who will have access to your house, but it will also allow passage to anyone with the right keys. —CONTRIBUTED

Read more...