InfoSec Advisory with Del ADEN:
October is Cybersecurity Awareness Month — your best opportunity to jumpstart security awareness at your organization and highlight the importance for every employee to adopt secure habits. From this month going forward, each and every one of us needs to do our part to make sure that our online lives are kept safe and secure. That’s what Cybersecurity Awareness Month – observed in October – is all about!
Here at Delta3 International, we specialize in Cybersecurity, Digital Transformation and Business Continuity. As such, we provide services, solutions, and corporate training and education that support and empower ALL of your employees and improve your organization's security posture this October and beyond.
Theme for Cybersecurity Awareness Month
The theme for 2020 is ‘Do Your Part. #BeCyberSmart’, which encourages individuals and organizations to own their role in protecting their part of cyberspace. The line between our online and offline lives has all but disappeared. This network of connections creates both opportunities and challenges for individuals and organizations across the globe; consequently, our advice is: If you connect it, protect it.
Leading with a Security-first Mindset – Know Your Attackers!
As organizations continue to shift to a remote work business model, the rush to deploy digital and cloud solutions has created new and heightened cyber risk concerns. Protecting these digital connections needs to stay top of mind for leaders looking to help their organizations adapt to these changes while continuing to innovate. No matter what kind of password attack is used, the attacker's end goal is the same: to “spoof” your identity by using your compromised password to authenticate as you.
In honour of National Cybersecurity Awareness Month, it is important that we are all aware of some of the most common methods attackers use to steal or compromise passwords and gain unauthorized access to your corporate data and confidential information.
Attack Type #1: Credential Stuffing
Credential stuffing occurs when an attacker already holds username and password combinations, commonly obtained from earlier data breaches, and replays them against other sites. Because many people reuse the same password everywhere, attackers send automated login requests containing these combinations to try to authenticate as you.
If successful, attackers can steal your sensitive data, make changes to your account, or even impersonate you. To combat credential stuffing, never reuse passwords across sites, and monitor your credentials to verify that they haven't been exposed in a data breach. If your passwords are ever compromised, change them immediately, and enable multi-factor authentication wherever it is offered so that a leaked password alone is not enough to log in.
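The “monitor your credentials” advice above is usually implemented with a k-anonymity range lookup: the client hashes the password with SHA-1, sends only the first five hex characters to the breach service, and compares the returned suffixes locally, so the password never leaves the device. The following is an added example written for this article, not code from the original page or from Delta3; the range responses in SAMPLE_RANGES are constructed with hypothetical counts so it runs offline, and the hibp_range() function (which uses the real Have I Been Pwned Pwned Passwords range endpoint) is provided but not called.

```python
import hashlib
import urllib.request

# Constructed excerpt of k-anonymity "range" responses (hypothetical counts,
# not real breach data) so the example runs offline. Keys are the first five
# hex characters of a SHA-1 password hash; each value is the body the service
# returns for that range: one "SUFFIX:COUNT" line per breached password whose
# hash starts with the prefix. Only the five-character prefix ever leaves the
# client, so the service never learns the password or even its full hash.
SAMPLE_RANGES = {
    "5BAA6": (
        "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493\r\n"   # SHA-1 of "password"
        "1E4C9B93F3F0682250B6CF8331B7EE68FD9:2\r\n"         # near-miss suffix
    ),
    "7C4A8": "D09CA3762AF61E59520943DC26494F8941B:37359195\r\n",  # SHA-1 of "123456"
}


def split_hash(password: str) -> tuple:
    """Return (5-char prefix, 35-char suffix) of the uppercase SHA-1 hex digest."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def offline_range(prefix: str) -> str:
    """Stand-in for the network call that answers from the constructed sample."""
    return SAMPLE_RANGES.get(prefix, "")


def hibp_range(prefix: str) -> str:
    """Live lookup against the Have I Been Pwned Pwned Passwords range API
    (GET https://api.pwnedpasswords.com/range/<prefix>). Not called here;
    pass it as lookup= to breach_count() to query the real corpus."""
    req = urllib.request.Request(
        f"https://api.pwnedpasswords.com/range/{prefix}",
        headers={"User-Agent": "breach-check-example"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def breach_count(password: str, lookup=offline_range) -> int:
    """Number of times the password was seen in breach corpora (0 = never)."""
    prefix, suffix = split_hash(password)
    for line in lookup(prefix).splitlines():
        found_suffix, sep, count = line.strip().partition(":")
        if sep and found_suffix.upper() == suffix:
            return int(count)
    return 0


def password_allowed(password: str, lookup=offline_range) -> bool:
    """Policy check for a signup or reset form: refuse anything already
    breached, since those are exactly the values a stuffing list contains."""
    return breach_count(password, lookup) == 0


if __name__ == "__main__":
    for pw in ("password", "123456", "correct horse battery staple"):
        print(f"{pw!r}: seen {breach_count(pw)} times, allowed={password_allowed(pw)}")
```

Running the same check at signup and at password reset stops users from choosing a value that is already in the attackers' lists; it complements, rather than replaces, multi-factor authentication and rate limiting on the login endpoint.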
Attack Type #2: Password Cracking
There are several password cracking techniques that attackers use to “guess” passwords to systems and accounts. The three most common we see are brute force attacks, dictionary attacks, and rainbow table attacks. In a dictionary attack, the attacker works through a list of common words, previously leaked passwords and combinations of them, trying each one as the password.
A brute force attack goes a step further than a dictionary attack: the attacker tries every combination of letters, numbers, and special characters up to some length until the right password is found. Setting up resources to automate brute force attacks is easy and inexpensive, and attackers usually end up with large databases of credentials because so many users choose weak passwords.
A rainbow table attack uses a precomputed table of hashes of common passwords and dictionary words to recover a password from its stolen hash without computing anything at attack time. It only works against hashes stored without a per-user salt, which is why password databases should salt every entry and use a deliberately slow hashing function. Weak passwords can take seconds to crack with the right tools, making it incredibly important to use strong, unique passwords across all sites.
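To make the salt-and-slow-hash point concrete, the following added example (written for this article, not code from the original page) contrasts a precomputed lookup table against unsalted SHA-256 hashes with the same wordlist run against salted PBKDF2-HMAC-SHA256 hashes. The WORDLIST and the “stolen” hashes are constructed; the iteration count in the demo is kept low so it finishes quickly, and the 600_000 figure mentioned in the comment is a suggested production value, not something the article specifies.

```python
import hashlib
import secrets

# Constructed stand-in for a cracking wordlist (hypothetical entries).
WORDLIST = ["123456", "password", "qwerty", "letmein", "welcome1", "Summer2020!"]


def unsalted_sha256(password: str) -> str:
    """How a badly designed system stores passwords: one fixed hash per value."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def build_lookup_table(words):
    """Precompute hash -> plaintext once and reuse it against every dump of
    unsalted hashes. A rainbow table compresses this with hash chains, but the
    effect is the same: recovering a password becomes a lookup, not a guess."""
    return {unsalted_sha256(w): w for w in words}


def crack_unsalted(stolen_hashes, table):
    """Every stolen unsalted hash that is in the table is recovered instantly."""
    return {h: table[h] for h in stolen_hashes if h in table}


def hash_password(password, iterations, salt=None):
    """Store 'salt$key' using PBKDF2-HMAC-SHA256. The random per-user salt makes
    any precomputed table useless, and the iteration count makes each guess cost
    the attacker as much as it costs a legitimate login (600_000 is a
    reasonable production value; demos below use far fewer to run quickly)."""
    if salt is None:
        salt = secrets.token_bytes(16)
    key = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return salt.hex() + "$" + key.hex()


def verify_password(password, stored, iterations):
    salt_hex, key_hex = stored.split("$", 1)
    key = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                              bytes.fromhex(salt_hex), iterations)
    return secrets.compare_digest(key.hex(), key_hex)


def crack_salted(stored_by_user, words, iterations):
    """Against salted hashes the table is worthless: each guess must be recomputed
    per user with that user's salt. Returns (recovered, number of PBKDF2 runs)."""
    recovered, work = {}, 0
    for user, stored in stored_by_user.items():
        for w in words:
            work += 1
            if verify_password(w, stored, iterations):
                recovered[user] = w
                break
    return recovered, work


if __name__ == "__main__":
    table = build_lookup_table(WORDLIST)
    # Constructed "stolen" dump of unsalted SHA-256 hashes: one weak, one strong.
    dump = [unsalted_sha256("letmein"), unsalted_sha256("Tr0ub4dor&3x")]
    print("unsalted dump cracked:", crack_unsalted(dump, table))
    iters = 20_000  # low for the demo; use a much higher count in production
    vault = {"alice": hash_password("letmein", iters),
             "bob": hash_password("Tr0ub4dor&3x", iters)}
    print("salted vault cracked, work:", crack_salted(vault, WORDLIST, iters))
```

The weak password still falls to the salted attack, which is the article's point about choosing strong passwords: salting and slow hashing only raise the cost per guess, while a password that is not in any wordlist is what keeps the guess count out of reach.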
Attack Type #3: Shoulder Surfing
Shoulder surfing occurs when a malicious bystander observes the sensitive information you type on your keyboard or view on your screen by looking over your shoulder. This can occur anywhere, whether in an office space, in a coffee shop, on an airplane, etc. Be aware of your surroundings when authenticating to sites or resources and ensure no one is watching you. Privacy screens that block screen visibility from the side are a worthwhile protection if you frequently work in public spaces.
Attack Type #4: Social Engineering
Social engineering targets the weakest link in security: humans. These attacks are incredibly common and often fairly successful. Social engineering is primarily a psychological attack, tricking a person into performing an action they would not otherwise take by exploiting social trust. For example, an attacker might talk their way into a corporate physical facility.
Once inside, they could approach an employee and say they're troubleshooting a problem with a very specific service and that their credentials aren't working. To combat social engineering attacks, continuous security awareness training for your employees is very important, so that they never provide sensitive information or passwords to strangers, regardless of who they claim to be.
Attack Type #5: Phishing
While often considered a subcategory of social engineering, phishing is so prevalent that it deserves its own “attack” category. Phishing occurs when an attacker crafts an email to look like it is coming from a legitimate source in order to trick the victim into clicking a link or supplying sensitive information like passwords, social security numbers, bank account information, and more. To combat phishing attacks, your employees should be trained to verify the source of any email they receive, to treat links in unexpected emails with suspicion, and to reach sensitive sites by typing the address or using a saved bookmark rather than clicking through from the message.
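“Verify the source of any email” can be partly automated on the receiving side. The following added example (written for this article, not code from the original page or from Delta3) reads the Authentication-Results header that the receiving mail server adds, checks the sender domain against a trusted list, and flags links whose visible text points at a different host than the real href. Both sample messages, the domains in them and the examp1e-secure.com lookalike are constructed for the example. Note the caveat built into the code: a passing SPF or DKIM result only proves the mail genuinely came from the domain shown, so a lookalike domain the attacker registered will pass both, which is why the trusted-domain comparison comes first.

```python
import email
import re
from email import policy
from urllib.parse import urlparse

# Constructed sample messages (hypothetical senders, domains and headers), not
# real mail. The first is a lookalike-domain phish; the second is the genuine
# notice it imitates.
RAW_PHISH = b"""\
Authentication-Results: mx.example.org; spf=pass smtp.mailfrom=examp1e-secure.com; dkim=pass header.d=examp1e-secure.com
From: "Example IT Support" <it-support@examp1e-secure.com>
To: jane@example.org
Subject: Action required: your password expires today
Content-Type: text/html; charset="utf-8"

<html><body><p>Reset it now:
<a href="https://examp1e-secure.com/reset">https://example.org/reset</a></p></body></html>
"""

RAW_LEGIT = b"""\
Authentication-Results: mx.example.org; spf=pass smtp.mailfrom=example.org; dkim=pass header.d=example.org
From: "Example IT Support" <it-support@example.org>
To: jane@example.org
Subject: Password expiry reminder
Content-Type: text/html; charset="utf-8"

<html><body><p>Reset it at <a href="https://example.org/reset">https://example.org/reset</a></p></body></html>
"""


def parse_auth_results(header: str) -> dict:
    """Pull the spf/dkim/dmarc verdicts and the DKIM signing domain out of the
    receiving server's Authentication-Results header."""
    results = {m.group(1): m.group(2).lower()
               for m in re.finditer(r"\b(spf|dkim|dmarc)=(\w+)", header)}
    m = re.search(r"header\.d=([\w.-]+)", header)
    if m:
        results["dkim_domain"] = m.group(1).lower()
    return results


def link_mismatches(html: str) -> list:
    """Anchors whose visible text is a URL on a different host than the real href."""
    found = []
    for href, text in re.findall(r'<a\s+[^>]*href="([^"]+)"[^>]*>(.*?)</a>', html, re.I | re.S):
        shown = re.sub(r"<[^>]+>", "", text).strip()
        if shown.lower().startswith(("http://", "https://")):
            if urlparse(shown).hostname != urlparse(href).hostname:
                found.append((shown, href))
    return found


def assess(raw: bytes, trusted_domains: set) -> list:
    """Return a list of findings; an empty list means every check passed."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    from_domain = msg["From"].addresses[0].domain.lower()
    # SPF/DKIM only prove the mail really came from the domain in From:; they
    # say nothing about whether that domain is the one you expect, so the
    # sender domain is compared with a trusted list first.
    if from_domain not in trusted_domains:
        findings.append(f"untrusted-sender-domain:{from_domain}")
    auth = parse_auth_results(str(msg["Authentication-Results"] or ""))
    for mech in ("spf", "dkim"):
        if auth.get(mech) != "pass":
            findings.append(f"{mech}-not-pass")
    if auth.get("dkim") == "pass" and auth.get("dkim_domain", from_domain) != from_domain:
        findings.append(f"dkim-signed-by-other-domain:{auth['dkim_domain']}")
    body = msg.get_body(preferencelist=("html", "plain"))
    html = body.get_content() if body is not None else ""
    for shown, href in link_mismatches(html):
        findings.append(f"link-mismatch:{shown}->{href}")
    return findings


if __name__ == "__main__":
    for name, raw in (("phish", RAW_PHISH), ("legit", RAW_LEGIT)):
        print(name, assess(raw, {"example.org"}))
```

A mail gateway or a user-facing “report phish” button can run the same checks; the output is a list of reasons that a trained employee can understand, which reinforces the awareness training rather than replacing it.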
Attack Type #6: Wireless Sniffing
An attacker using tools to examine network traffic can “sniff” the network to capture and read the packets being sent. Wireless sniffing captures data passing between an unsuspecting user's computer and the server it is talking to; on an open Wi-Fi network, every nearby device can receive those frames. If traffic to a site isn't protected by TLS (HTTPS), an attacker with these tools can obtain your passwords just by capturing the packets.
Use a VPN when accessing sites on public Wi-Fi so that an attacker cannot easily capture and read your data. Ensure that your own website serves every page, and especially its login forms, over HTTPS with a valid TLS certificate, and redirects plain HTTP, to keep your visitors' data, including passwords, safe in transit.
Attack Type #7: Man-in-the-Middle Attack
A man-in-the-middle attack occurs when an attacker inserts themselves between you and the server: to you they pose as the server, to the server they pose as you, and they read (or alter) all the traffic before forwarding it to the legitimate destination. Your best protection is to ensure the site you are visiting is trusted and that its TLS certificate is valid, and never to click through a browser certificate warning, because that warning is often the only visible sign that someone is intercepting the connection.
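The certificate advice in this section and the previous one is about what the client does, not just what the server has installed: a client that ignores verification errors hands the session to the interceptor even when the real site has a perfectly good certificate. The following added example (written for this article, not code from the original page or from Delta3) shows the verifying TLS client configuration beside the insecure one that many scripts use to “make the error go away”, plus a login helper that refuses to send a password over cleartext HTTP or with verification disabled. The host name login.example.com is a placeholder; post_login() opens a network connection and is not exercised offline.

```python
import http.client
import ssl
from urllib.parse import urlencode, urlsplit


def verifying_context() -> ssl.SSLContext:
    """What a client must use to defeat a man-in-the-middle: a certificate is
    required, checked against the platform trust store, and its name must match
    the host being contacted. create_default_context() sets all of that up."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def insecure_context() -> ssl.SSLContext:
    """The usual 'fix' for certificate errors that silently hands the session to
    an interceptor: any certificate, including one the attacker minted a second
    ago, is accepted without complaint."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False      # must be cleared before verify_mode can be CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def resists_mitm(ctx: ssl.SSLContext) -> bool:
    """True only if the context both requires a certificate and checks its name."""
    return ctx.verify_mode == ssl.CERT_REQUIRED and bool(ctx.check_hostname)


def credentials_exposed_to_sniffer(url: str) -> bool:
    """Plain http:// puts the password on the wire in cleartext, readable by anyone
    sniffing the same open Wi-Fi; https:// hides it from a passive observer."""
    return urlsplit(url).scheme.lower() != "https"


def post_login(url: str, username: str, password: str, ctx: ssl.SSLContext) -> int:
    """Submit a login form only over verified HTTPS; returns the HTTP status code.
    Both refusals happen before any connection is opened."""
    if credentials_exposed_to_sniffer(url):
        raise ValueError("refusing to send a password over cleartext HTTP")
    if not resists_mitm(ctx):
        raise ValueError("refusing to send a password with certificate verification disabled")
    parts = urlsplit(url)
    conn = http.client.HTTPSConnection(parts.hostname, parts.port or 443,
                                       context=ctx, timeout=10)
    body = urlencode({"username": username, "password": password})
    conn.request("POST", parts.path or "/", body=body,
                 headers={"Content-Type": "application/x-www-form-urlencoded"})
    status = conn.getresponse().status
    conn.close()
    return status


if __name__ == "__main__":
    # Placeholder host; both calls fail fast without touching the network.
    for url, ctx in (("http://login.example.com/", verifying_context()),
                     ("https://login.example.com/", insecure_context())):
        try:
            post_login(url, "jane", "hunter2", ctx)
        except ValueError as err:
            print(f"{url}: {err}")
```

The same two settings have direct counterparts in a browser: a site served over HTTP is the first case, and clicking “proceed anyway” on a certificate warning is the second.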
The line between our online and offline lives has all but disappeared. In these tech-fuelled times, our homes, societal well-being, economic prosperity and nation's security all depend on the internet.
As stated earlier, the overarching theme for Cybersecurity Awareness Month 2020 is “Do Your Part. #BeCyberSmart.” The theme empowers individuals and organizations to own their role in protecting their part of cyberspace, with a particular emphasis on the key message for 2020: “If you connect it, protect it.” If everyone does their part – implementing stronger security practices, raising community awareness, educating vulnerable audiences or training employees – our interconnected world will be safer and more resilient for everyone.
About the Author
Del Aden is a UK-based Enterprise Security Architect and Solution Consultant with expertise in Digital Transformation, Cyber Security, Data Governance and Business Continuity, building and running Digital Transformation programs, Security Strategy and Strategic Consulting engagements. Del is also an astute speaker, a trainer and a technology journalist. Contact: [email protected] | WhatsApp: +44 7973 623 624 | Web: www.delta3.co