This year for Cybersecurity Awareness Month, we organised an interactive webinar featuring Patrick Wake, FDM’s Group Head of Information Security. He used an informative presentation to touch on some key aspects of staying safe online. From choosing strong usernames and passwords to guarding against phishing attacks and installing multi-factor authentication, he provided a comprehensive overview of the most common cyber threats and how to stay safe online.
He began with a set of interesting statistics from the security industry:
- 87% of UK businesses have enabled multi-factor authentication
- Phishing and social engineering attacks make up 83% of the attack vectors seen across UK companies
- 75% of companies had a policy in place to ensure employees have strong passwords
- 39% of organisations had a policy in place to update software within 14 days
Given the high volume of phishing attacks, Patrick used example emails to show the various methods of phishing that hackers can use to steal your data.
As an example he used DocuSign, a service commonly used for signing e-documents. One of the first red flags of a fraudulent DocuSign email is an opening address of ‘Dear Recipient’ instead of the person’s name; the genuine sender may also include a message customised for you. The other, even more obvious sign of a fraudulent email is misspelling, for example docsign.net instead of ‘DocuSign’.
At the bottom of a genuine DocuSign email there is a code that you can use to access your documents directly on docusign.com, a different domain from the .net address used in Patrick’s example.
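The two red flags above, a generic greeting and a misspelt sender domain, can be checked automatically. The following is an added example, not code from the webinar: it parses a constructed message and reports both flags. The allowlist of legitimate sender domains is an assumption, and the sample messages are constructed.

```python
import email
from email import policy
from email.utils import parseaddr

# Assumption: the vendor's legitimate sender domain; the webinar only names docusign.com.
KNOWN_BRAND_DOMAINS = {"docusign.com"}
GENERIC_GREETINGS = ("dear recipient", "dear customer", "dear user")

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: how many single-character edits turn a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def sender_domain(raw: bytes) -> str:
    msg = email.message_from_bytes(raw, policy=policy.default)
    _, addr = parseaddr(str(msg["From"] or ""))
    return addr.rpartition("@")[2].lower()

def phishing_flags(raw: bytes) -> list:
    """Return the red flags from the webinar that this message triggers."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    flags = []
    domain = sender_domain(raw)
    if domain not in KNOWN_BRAND_DOMAINS:
        brand = domain.split(".")[0]            # "docsign" from "docsign.net"
        for known in KNOWN_BRAND_DOMAINS:
            if 0 < edit_distance(brand, known.split(".")[0]) <= 2:
                flags.append(f"lookalike sender domain {domain} (near {known})")
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content().lower().lstrip() if body else ""
    if text.startswith(GENERIC_GREETINGS):
        flags.append("generic greeting instead of the recipient's name")
    return flags

# Constructed sample messages (not from the webinar), modelled on the docsign.net example.
PHISH = b"""From: DocuSign <noreply@docsign.net>
To: patrick@example.com
Subject: Document ready for signature

Dear Recipient,

Please review and sign your document at http://docsign.net/sign
"""
GENUINE = b"""From: DocuSign <notifications@docusign.com>
To: patrick@example.com
Subject: Document ready for signature

Hi Patrick,

Your access code for docusign.com is below.
"""
```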
Patrick’s advice is never to enable macros on Microsoft Office documents. An enabled macro can run code in the background on your machine and download and install malware.
What do I do when I get phished?
‘Don’t do nothing’. Speak to the person next to you.
At FDM we have a reporting button with a fish logo for reporting phishing attempts. Clicking it notifies the internal IT department, who can investigate further and, if the email is malicious, remove it from every member of staff’s mailbox, which is what protects the wider business.
What to do on your own devices?
In webmail there is a report button at the top of the page; clicking it opens a drop-down with options such as scam or phishing. If enough people report a sender, Microsoft or Google will put rules in place that either remove the email address or block any emails coming from it.
How secure is your password?
We need to consider how common a password is and where else you’re using it. Using a tool called aircrack-ng, it’s possible to break into a Wi-Fi network: it’s a matter of capturing the right traffic as it leaves someone’s house or a café, simply by listening to the airwaves. Patrick demonstrated this with a list of 9.8 million passwords. At 3000 attempts a second, it would take about 55 minutes to go through all 9.8 million.
This is a dictionary attack: it tries a list of pre-written candidate passwords, so if your password isn’t on the list it won’t be found this way. However, a penetration tester or an attacker wouldn’t be using a laptop that tests just 3000 passwords per second against a list of 9.8 million. Their lists are more likely in the range of 200 million entries, and their tools can work through hundreds of thousands of candidates per second.
This is why it’s important to make sure your password is unique and not something easily associated with you, like your child’s name or date of birth.
What happens when we have common passwords?
Patrick spoke of the dangers of using the same passwords, or trivial variations of one password, across multiple platforms: Patrick1 for Facebook, Patrick2 for Netflix and Patrick3 for a banking app. If a social media platform is hacked, as Facebook was in 2012, and you’re still using the same credentials as you were back then, it is very likely that your username and password are on the internet.
He cited Pastebin, a website used as a virtual dumping ground where people can paste text for convenience, but which can just as easily be used by hackers to show off that they managed to hack into a site and to gain credibility with other hackers.
Websites like haveibeenpwned.com maintain a database of breached data, including material from the deep web, and let you check in advance whether your account has been compromised.
Patrick mentioned Example@gmail.com in his presentation, an address people give out to avoid receiving spam and marketing emails. The address email@example.com appears in 211 breaches.
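The password lists and breach databases above raise the question of how to check whether your own password is already on such a list without disclosing it. The following is an added example, not from the webinar, of the k-anonymity range scheme used by haveibeenpwned.com’s Pwned Passwords service: only the first five hex characters of the password’s SHA-1 are sent, and the rest is matched locally. The network call is replaced here by a constructed offline stand-in with made-up counts.

```python
import hashlib
from typing import Callable, Dict

def sha1_hex(password: str) -> str:
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()

def parse_range_response(body: str) -> Dict[str, int]:
    """Parse 'SUFFIX:COUNT' lines (the format the range endpoint returns) into a dict."""
    counts: Dict[str, int] = {}
    for line in body.splitlines():
        suffix, sep, count = line.strip().partition(":")
        if sep:
            counts[suffix.upper()] = int(count)
    return counts

def breach_count(password: str, fetch_range: Callable[[str], str]) -> int:
    """How many times `password` appears in the breach corpus. Only the first five hex
    characters of its SHA-1 are sent (k-anonymity); the remaining 35 are matched locally,
    so neither the password nor its full hash ever leaves the machine."""
    digest = sha1_hex(password)
    prefix, suffix = digest[:5], digest[5:]
    return parse_range_response(fetch_range(prefix)).get(suffix, 0)

# Constructed offline stand-in for the network call; the counts are made up. A real client
# would GET https://api.pwnedpasswords.com/range/<prefix> and return the response body.
_CONSTRUCTED_CORPUS = {"password": 3861493, "Patrick1": 1200}

def fake_fetch_range(prefix: str) -> str:
    lines = [f"{sha1_hex(pw)[5:]}:{n}" for pw, n in _CONSTRUCTED_CORPUS.items()
             if sha1_hex(pw)[:5] == prefix]
    lines.append("0" * 35 + ":1")   # an unrelated suffix; real responses hold hundreds
    return "\r\n".join(lines)

def verdict(password: str, fetch_range: Callable[[str], str] = fake_fetch_range) -> str:
    n = breach_count(password, fetch_range)
    return f"seen {n} times in breaches, do not use" if n else "not in the breach corpus"
```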
Multi-factor authentication, or MFA, means not relying on a single method to log into an account. Patrick cited five factors, at least two of which must be combined for a login to count as multi-factor authentication. The five are:
- Something you have
- Something you do
- Something you know
- Somewhere you are
- Something you are (biometrics)
Note that a username and a password are two items of the same factor, ‘something you know’. For MFA you need a mix of two different factors. For example, when unlocking your phone you may use a PIN code (something you know) and a biometric such as facial recognition or a thumbprint (something you are).
When logging into Office 365 you have MFA through a mobile device, with a choice of text message or email message. Beyond that there is ‘something you do’: many academic institutions track the way people type and write, which lets them check that the person behind the keyboard is who they think it is.
‘Somewhere you are’ uses location: if you are in your local office, do you need the text message at all? Equally, if you’re working remotely, local laws may mandate that you can’t log into specific systems from certain locations.
How to set up MFA
You can do this in the admin area of your personal Gmail or Office 365. When you next log in you’ll go through the setup and can choose whether you want it as a text message, an app, a notification, or manually typing in the code.
It’s important that the device that performs the MFA is not the same device you log in from. If you do everything from your phone and that phone has a weak PIN code, an attacker who gets past it has access to everything. So try to spread things across different devices.
Download and install an authenticator app from your app store. It will ask for camera access so it can scan the QR code shown in the browser of the laptop or device you’re logging in from. Once that’s done, the authenticator app will display a one-time password (OTP), which you enter when logging into the website.
However, MFA isn’t infallible either; its weaknesses are mostly human related. The most common is MFA spamming. When logging onto a system you get a notification saying someone is trying to log into your account, and if it’s you, you click Accept. But if a pop-up asking ‘do you want to log in?’ appears when you haven’t started a login, for instance while you’re writing an email, never click Accept: doing so grants access to your account. Remember to click Deny.
Even when you get a flood of MFA requests, don’t click Accept just to make them go away. Instead, speak to a member of IT or contact the security team about this attack vector.
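From the defender’s side, a burst of unapproved push prompts is visible in sign-in logs. The following is an added example, not from the webinar, that runs a sliding-window count over constructed sample log lines and also records whether an approval followed the burst; the log format, field names and thresholds are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample push-MFA log lines (not real data): timestamp, user, prompt result.
SAMPLE_LOG = """\
2023-10-05T09:00:01Z alice push_denied
2023-10-05T09:00:40Z alice push_denied
2023-10-05T09:01:15Z alice push_timeout
2023-10-05T09:02:02Z alice push_denied
2023-10-05T09:02:50Z alice push_denied
2023-10-05T09:03:30Z alice push_approved
2023-10-05T09:10:00Z bob push_approved
2023-10-05T11:00:00Z bob push_denied
"""

def parse_line(line: str):
    ts, user, result = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, result

def fatigue_alerts(log_text: str, threshold: int = 3,
                   window: timedelta = timedelta(minutes=5)) -> dict:
    """Flag users who received `threshold` or more push prompts they did not approve
    (denied or timed out) inside a sliding `window`. An approval shortly after such a
    burst is the outcome the webinar warns about: someone clicking Accept to make it stop."""
    by_user = defaultdict(list)
    for line in log_text.strip().splitlines():
        ts, user, result = parse_line(line)
        by_user[user].append((ts, result))
    alerts = {}
    for user, events in by_user.items():
        events.sort()
        unapproved = [ts for ts, r in events if r != "push_approved"]
        start = 0
        for end, ts in enumerate(unapproved):
            while ts - unapproved[start] > window:     # slide the window forward
                start += 1
            burst = end - start + 1
            if burst >= threshold:
                approved = any(r == "push_approved" and ts <= ta <= ts + window
                               for ta, r in events)
                prev = alerts.get(user, {"burst": 0, "approved_after_burst": False})
                alerts[user] = {"burst": max(prev["burst"], burst),
                                "approved_after_burst": prev["approved_after_burst"] or approved}
    return alerts
```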
Patrick also spoke at length about the importance of keeping your devices up to date, not just the OS but everything else installed on them. A robust antivirus product is also key, especially if you use lots of different websites.
If you’re choosing free antivirus, remember it’s free for a reason. Read the fine print: they might be selling your data to potential buyers.
It’s a common perception that all ‘cyber stuff’ is the IT department’s sole domain. But this simply isn’t true. We all have a part to play in protecting the safety and privacy of our business and personal data.
Cyber crime can’t be avoided altogether, but by educating ourselves and taking the right steps we can mitigate the risks and any potential financial and reputational damage.