This October, GroupSense is celebrating Cybersecurity Awareness Month (CSAM). As a CSAM champion, it’s our duty to pass on lessons learned and practical advice that will make you and your organization more secure. This year, Stay Safe Online, CISA, and CSAM champions are exploring four key behaviors:
- Enabling multi-factor authentication
- Using strong passwords and a password manager
- Updating software
- Recognizing and reporting phishing
To better understand the impact of these behaviors, we spoke with four of our intelligence analysts. Check out their stories, advice, and expertise below.
Multi-Factor Authentication
Sean Jones, senior intelligence analyst
Multi-factor authentication is a way of providing a user access to a service or resource. This authentication requires a user to provide more than one piece of information, such as a username and password. Another type of information needed may include what the user has, such as a token. The token may be a cell phone with special authentication software or a USB security key.
The system may also require something the user is, including biometric data such as retina or fingerprint information. Additionally, MFA may ask where a person is. This information could include a GPS location or specific workstations on the network.
Multi-factor authentication provides more protection than a username and password alone. This form of authentication does not stop dictionary attacks, which use a dictionary file to enter as many passwords as possible, or credential stuffing attacks, in which attackers use maliciously obtained credential pairs to try breaking into a system. It does, however, assist in defeating attacks by requiring extra information during authentication that an attacker would not have.
Using Strong Passwords
Robert Roccio, threat intelligence analyst
Weak passwords make you and your organization an easy target.
Recall the joke about the two friends and the bear? It goes something like this:
Two friends are in the woods. They spot a bear running at them. One friend opens his backpack, takes out his running shoes, changes out of his hiking boots, and starts stretching.
“Are you crazy?” the other friend shouts, looking over his shoulder as the bear closes in. “You can’t outrun a bear!”
“I don’t have to outrun the bear,” said the other. “I only have to outrun you.”
Passwords work in much the same way. Threat actors want easy targets and there are few things easier than guessing your dog’s name or your child’s birthday. Weak passwords make you the slowest friend in the woods.
Technical security solutions can not compensate for weak passwords.
Would you pay to install an expensive security system with smart locks on your house only to leave the front door wide open? When your passwords are weak, all the technical security and software solutions in the world won’t stop threat actors from walking through your digital front door. Strong passwords are often your first line of defense and they can ensure that your other weak points are never tested in earnest.
Consider using a password manager.
The unfortunate reality is that making passwords secure by creating complex passwords and never reusing passwords also makes them difficult and inconvenient for users. A partial solution to this tradeoff is a password manager. Password management solutions make it easy and convenient for users to follow best practices for keeping their own and their organization’s data secure. Many also include features like shared logins that can benefit security and productivity in other ways. I would recommend LastPass or Dashlane.
Updating Software
Carmen Deng, junior threat intelligence analyst
Patch management is important for your organization's cyber hygiene because it can address vulnerabilities in your software, greatly reducing the cyber risk for your organization. In 2017, Equifax faced a big data breach after they neglected to patch a flaw in their software. They lost over $500 million and put approximately 140 million customers’ data at risk. The negative consequences that follow are not worth putting patch management to the side. Unfortunately, it can be easy to neglect update notifications. As can be seen, delaying update notifications can make the job easier for threat actors to potentially exploit these software vulnerabilities. Threat actors will continue to become more sophisticated, and it is up to each of us to be responsible and stay many steps ahead of them.
Humans will always be the weakest link in security, so taking these steps to protect your organization will make a big impact:
- Always stay up-to-date with the latest version of your software.
- If possible, enable automatic software updates to reduce the chances of delaying or forgetting about updates.
- Do not use software that reached its end of life.
Recognizing and Reporting Phishing
Samira Pakmehr, senior threat intelligence analyst
Phishing has far-reaching effects on an organization’s data, including impacting the confidentiality, integrity, and availability of both organizational or client information. Unfortunately, it’s also a cheap and easy method for threat actors looking to get your data. Phishing typically acts as the entry point for malware, ransomware, and data breaches.
Once threat actors gain access to your accounts through phishing, they can get ahold of financial information and PII (personally identifiable information) like social security numbers. The potential financial and reputational losses associated with phishing attacks can be far more expensive than implementing a phishing awareness program. With attacks increasing by 6% from Q1-Q2 of 2022, it’s in your organization’s best interest to start educating employees on recognizing and reporting phishing.
Our team has seen an increase in phishing attempts on our clients’ new employees. Threat actors exploit public LinkedIn job updates, likely leading to a recent attempt to conduct fraudulent background checks requesting PII like social security numbers and direct deposit information from a GroupSense client. Without security training, new and existing employees are at risk of exposing your organization.
I would recommend implementing phishing training that includes training modules, simulated phishing campaigns, phishing reporting mechanisms and filters, and more targeted training for users with elevated privileges or more vulnerable departments and users. Phishing training reduces susceptibility to attacks by 75%.
Together, we can decrease the number of cyber attacks on our organizations. Implementing these cybersecurity behaviors benefits us all. If you’d like guidance on strengthening your organization’s cybersecurity posture, contact us today.