Cybersecurity Awareness Month
Cyber awareness matters every single day in today's threat landscape, but Cybersecurity Awareness Month each October provides a platform to engage a wider audience with direct messages and actionable advice on reducing online risk.
CISA's 2023 theme, "Secure Our World", encourages everyone to adopt four key practices to protect their accounts and networks, whether in a personal or a professional setting.
Those four keys for Cybersecurity Awareness Month in 2023 are:
- Use Strong Passwords
- Turn on Multi-Factor Authentication
- Recognize and Report Phishing
- Update Software
SecuLore has long promoted strong password awareness, with policies and lessons on how harmful poorly constructed passwords can be. We have also explored multiple ways to deploy and strengthen multi-factor authentication. We know that phishing remains the top attack method used by cyber threat actors, and keeping software patched with the latest vetted update is always crucial.
Use Strong Passwords
The best way to ensure that your organization uses strong passwords is a strong password policy. Some organizations have moved away from that, however, with policies that produce complicated passwords nobody can remember. A password manager can help, but some of those tools have themselves been breached, so protect the manager's master password and vault with multi-factor authentication.
Why are strong passwords key? A cyber criminal who cracks even one password to one account in your organization can undermine the cyber resiliency of your entire network. One compromised account is a foothold for moving laterally and escalating privileges, and attackers routinely try a handful of common passwords against every account they can enumerate (password spraying), so a single weak password anywhere is enough. That is why strong passwords and strong password policies are critical.
(Learn more about creating cyber resiliency by downloading our free on-demand webinar – Creating Cyber Resiliency: Policies, Procedures and Planning)
According to Verizon's Data Breach Investigations Report (2021 edition), 81% of incidents impacting US and Canadian public-sector agencies involved credentials.
Estimated Time It Takes To Crack A Password
You should also be aware of the impact AI is having on password cracking.
Rapid growth in artificial intelligence has made it easier to crack passwords. Our free webinar Artificial Intelligence: AI and the Cyber Threat Frontier includes a chart showing how fast an AI-assisted cracker can recover a password depending on its length and the mix of letters, numbers, and symbols it uses.
What Should Go Into Constructing A Strong Password?
- Password Length
  - 8 is too short! Go for a minimum of 12, preferably 14+
- Complexity
  - Mix upper case, lower case, numbers, and symbols, but in a way you can remember
- Randomness
  - Predictability undoes length and complexity: crackers try dictionary words and common patterns long before they brute-force anything
- Freshness
  - Be prepared if your agency forces periodic password changes
- Be creative
  - Use a genuinely different password each time; don't "tweak" the old one (Summer2023! to Summer2024! is not a new password)
- Lock out users after three failed login attempts
  - But not forever; a ten-minute lockout is enough to stop guessing without punishing a typo
What SHOULD you avoid when creating a password, and what advice should you include in a password policy?
- Avoid consecutive keyboard combinations
  - qwerty or asdfg
  - 123456
- Avoid names & birthdays (PII)
  - Kids, spouse, pets, or other relatives
  - These can often be found easily on social media
  - The same rules apply to security questions
  - If an attacker can answer your security questions, they can reset your password, gaining access and locking you out. A password reset you did not request is evidence that you may have been compromised.
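The password guidance above, and the crack-time question raised under "Estimated Time It Takes To Crack A Password", as a worked example in Python. This is an added example, not SecuLore's code or policy engine: the 12-character minimum, the three-failure lockout and the ten-minute duration come from the text, while the 10^10 guesses-per-second cracking rate, the keyboard-row tables and the "tweak" heuristic are assumptions made for illustration. The sample passwords are constructed.

```python
import re
import string

MIN_LENGTH = 12          # guidance above: 8 is too short, 12 is the minimum
MAX_FAILURES = 3         # lock out after three failed attempts...
LOCK_SECONDS = 10 * 60   # ...for ten minutes, not forever
GUESS_RATE = 1e10        # assumed offline cracking speed (guesses/second); not a figure from the page
KEYBOARD_ROWS = ("qwertyuiop", "asdfghjkl", "zxcvbnm", "1234567890")


def keyboard_run(pw, n=4):
    """True if pw contains n or more adjacent keys from one keyboard row, forwards or backwards."""
    low = pw.lower()
    for row in KEYBOARD_ROWS:
        for seq in (row, row[::-1]):
            if any(seq[i:i + n] in low for i in range(len(seq) - n + 1)):
                return True
    return False


def char_classes(pw):
    """The character classes the password uses, mapped to the size of each alphabet."""
    tests = {"lower": (str.islower, 26), "upper": (str.isupper, 26), "digit": (str.isdigit, 10),
             "symbol": (lambda c: c in string.punctuation, 32)}
    return {name: size for name, (test, size) in tests.items() if any(test(c) for c in pw)}


def crack_seconds(pw, rate=GUESS_RATE):
    """Seconds to exhaust the keyspace implied by length and character classes (pure brute force;
    dictionary and pattern attacks finish much sooner on predictable passwords)."""
    return sum(char_classes(pw).values()) ** len(pw) / rate


def is_tweak(new, old):
    """Catch 'Summer2023!' -> 'Summer2024!' edits: same letters once digits and symbols are
    stripped, or same length differing in at most two positions."""
    if not old:
        return False
    letters = lambda s: re.sub(r"[^a-z]", "", s.lower())
    if letters(new) and letters(new) == letters(old):
        return True
    return len(new) == len(old) and sum(a != b for a, b in zip(new, old)) <= 2


def check_password(pw, personal_terms=(), previous=None):
    """Return the list of policy findings for a candidate password (empty list = acceptable)."""
    findings = []
    if len(pw) < MIN_LENGTH:
        findings.append(f"too short: {len(pw)} < {MIN_LENGTH}")
    if len(char_classes(pw)) < 3:
        findings.append("low complexity: mix upper, lower, digits and symbols")
    if keyboard_run(pw):
        findings.append("keyboard sequence (qwerty, asdfg, 123456 ...)")
    for term in personal_terms:          # names, birth years, pet names: the PII found on social media
        if len(term) >= 3 and term.lower() in pw.lower():
            findings.append(f"contains personal information: {term}")
    if is_tweak(pw, previous):
        findings.append("tweak of the previous password")
    if crack_seconds(pw) < 365 * 86400:
        findings.append(f"brute-forceable in under a year at {GUESS_RATE:.0e} guesses/s")
    return findings


class LockoutTracker:
    """Three consecutive failures lock an account for LOCK_SECONDS; the lock then expires on its own.
    Timestamps are plain Unix seconds so the logic can be exercised without a real clock."""

    def __init__(self):
        self.failures = {}
        self.locked_until = {}

    def is_locked(self, user, now):
        until = self.locked_until.get(user)
        if until is not None and now < until:
            return True
        if until is not None:            # lock has expired: clear it and reset the failure counter
            del self.locked_until[user]
            self.failures.pop(user, None)
        return False

    def record_failure(self, user, now):
        """Register a failed login; returns True if the account is (now) locked."""
        if self.is_locked(user, now):
            return True
        self.failures[user] = self.failures.get(user, 0) + 1
        if self.failures[user] >= MAX_FAILURES:
            self.locked_until[user] = now + LOCK_SECONDS
            return True
        return False

    def record_success(self, user):
        self.failures.pop(user, None)


if __name__ == "__main__":
    for pw in ("password", "Qwerty123456!", "correct-Horse9battery-Staple"):
        print(f"{pw!r}: {check_password(pw) or 'OK'}")
```

Note that the crack-time estimate only bounds a blind brute force; a password built from a dictionary word, a keyboard row or a tweaked previous password falls far sooner, which is why the other checks run before it.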
Learn more about password policies in our free webinar – Practical Principles for PSAPS
Strong passwords are your first line of defense against cyber threats. Don’t settle for weak combinations.
Turn On Multi-Factor Authentication
On the subject of strong passwords, multi-factor authentication is the best answer to the growing ability of cyber criminals, and of AI-assisted tools, to crack passwords: a cracked or phished password on its own is no longer enough to log in.
Two-Factor Authentication Example:
- Enter Password
- Enter the one-time passcode sent by text or email to your phone
A code delivered by SMS or email is the weakest form of second factor (it can be relayed by a phishing page in real time or intercepted through SIM swapping), so where a service offers an authenticator app or a hardware security key, use that instead.
Using more factors of authentication increases security. Multi-factor authentication can combine any of:
- What you carry (something you have)
  - Keys
  - ID card
  - Phone
- Who you are (something you are)
  - Retinal scan
  - Fingerprint
- What you know
  - Passwords
(This is also covered in our free webinar, Creating Cyber Resiliency: Policies, Procedures and Planning)
Where should you use MFA?
- On accounts with your financial info like banks and online stores
- On accounts with personal info, like social media and healthcare apps
- On accounts with info you use for work
Multi-factor authentication adds a second barrier that an attacker must also defeat, making your accounts far harder to take over.
Recognize And Report Phishing
Phishing is still the attack vector cyber criminal organizations use most, because it is the easiest: social engineering is the lowest-effort way to gain access to an organization's network.
How Prevalent Is Phishing?
- 90% of all cyber attacks begin with phishing (CISA)
- Extortion of 33 million records due to phishing is predicted in 2023 (GetAstra)
- There are now nearly 75 times as many phishing sites as other malware sites on the internet (Google Safe Browsing)
- Phishing attacks were up 61% year over year for May through October 2022 (CNBC)
- The FBI's Internet Crime Complaint Center (IC3), in its most recent Internet Crime Report, found that phishing, including vishing, smishing and pharming, is the most prevalent threat in the US, with 323,972 victims, a 34% increase over the prior year
6 Most Common Phishing Attacks
- Deceptive Phishing
  - Email from a recognized sender, or impersonating a legitimate entity, to harvest personal data or login credentials
- Spear Phishing
  - A customized attack on a specific person, built from information (often harvested from social media) about people and topics the target is familiar with, to get them to click a malicious link and give up data or credentials
- Whaling
  - Spear phishing aimed at executives: gaining access to a CEO's email to authorize financial transfers, or to steal data for sale on the dark web
- Vishing
  - Uses a phone call, with caller-ID spoofing to mimic a trusted entity, to steal sensitive data or funds
- Smishing
  - Uses text messages to get the target to click on malicious links
- Pharming
  - Targets a DNS server and changes the IP address associated with a domain name, so that users typing the correct name are redirected to a malicious website of the attacker's choosing
(Learn more about different types of phishing attacks in our free webinar – Don’t Take the Bait: Phiting the Phish)
Train To Recognize And Report Phishing Attempts
Awareness training makes you up to 40% safer against phishing scams and attacks.
Training to recognize and report phishing attempts is more important than ever because of the impact AI is having on phishing. Cyber criminals have used ChatGPT-style tools, and built their own large language models, to write far more realistic phishing emails.
What does training to recognize phishing scams look like?
Set up a training course that teaches everyone in your organization to spot the signs of a phishing email, and remind them to report what they find.
A very basic phishing training tip that everyone should follow is the "3 Second Rule": take a moment to think before you click on a link or an attachment in an email. Is it urgent? Were you expecting it? Who is it really from? Those are things worth a few seconds of thought before clicking a link in any email.
AI Used To Write Phishing Emails
Artificial intelligence is probably having a bigger impact on phishing than on password cracking. That makes training to spot phishing emails more important, because AI can make the language in these emails nearly indistinguishable from legitimate mail. Spelling errors, grammar mistakes and odd phrasing used to be reliable signs of a phishing email; AI has cleaned most of that up, so the technical tells (the sender's real address, where a link actually points, an unexpected reply-to address) matter more than ever.
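The technical indicators that survive AI-polished wording, as an added Python example that is not SecuLore's code: it parses a raw email and reports sender-domain lookalikes, display-name impersonation, a Reply-To that leads elsewhere, link text that disagrees with the link target, and pressure language. The trusted domain, the urgency phrases and both sample messages are constructed for illustration (example.com and example.net are reserved documentation domains); the two-label "registered domain" rule is a deliberate simplification that does not handle suffixes such as co.uk.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

TRUSTED = {"example.com"}          # assumption: the organization's own domain(s)
URGENCY = ("urgent", "immediately", "within 24 hours", "account will be suspended", "verify now")
ANCHOR = re.compile(r'<a\s[^>]*?href=["\']([^"\']+)["\'][^>]*>(.*?)</a>', re.I | re.S)
HOSTLIKE = re.compile(r"^(https?://)?[\w-]+(\.[\w-]+)+(/\S*)?$", re.I)   # link text that is itself a URL


def levenshtein(a, b):
    """Edit distance, used to spot one-character lookalikes such as examp1e.com."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registered_domain(host):
    """Last two labels of a host name (simplification: no public-suffix list)."""
    return ".".join(host.lower().strip(".").split(".")[-2:])


def lookalike(host, trusted=TRUSTED):
    """Suspicious if the registered domain is a near miss of a trusted one (examp1e.com) or a
    trusted domain is buried as a subdomain of something else (example.com.login-portal.net)."""
    host = host.lower()
    reg = registered_domain(host)
    if reg in trusted:
        return False
    return any(levenshtein(reg, t) <= 2 or host.startswith(t + ".") or ("." + t + ".") in host
               for t in trusted)


def body_text(msg):
    """Concatenate the text/plain and text/html parts of a message."""
    parts = msg.walk() if msg.is_multipart() else [msg]
    return "\n".join(p.get_payload(decode=True).decode("utf-8", "replace")
                     for p in parts if p.get_content_type() in ("text/plain", "text/html"))


def analyze(raw, trusted=TRUSTED):
    """Return the list of technical phishing indicators found in one RFC 5322 message."""
    msg = message_from_string(raw)
    findings = []
    name, addr = parseaddr(msg.get("From", ""))
    from_host = addr.rsplit("@", 1)[-1] if "@" in addr else ""
    if from_host and registered_domain(from_host) not in trusted:
        if any(t.split(".")[0] in name.lower() for t in trusted):   # brand in the display name only
            findings.append(f"display name '{name}' but sender domain is {from_host}")
        if lookalike(from_host, trusted):
            findings.append(f"lookalike sender domain: {from_host}")
    _, reply = parseaddr(msg.get("Reply-To", ""))
    if "@" in reply and registered_domain(reply.rsplit("@", 1)[-1]) != registered_domain(from_host):
        findings.append(f"Reply-To goes to a different domain: {reply}")
    body = body_text(msg)
    for href, inner in ANCHOR.findall(body):
        href_host = (urlparse(href).hostname or "").lower()
        text = re.sub(r"<[^>]+>", "", inner).strip()
        if HOSTLIKE.match(text):
            text_host = (urlparse(text if "://" in text else "http://" + text).hostname or "").lower()
            if text_host != href_host:
                findings.append(f"link shows {text_host} but goes to {href_host}")
        if href_host and lookalike(href_host, trusted):
            findings.append(f"link to lookalike domain: {href_host}")
    haystack = (msg.get("Subject", "") + "\n" + body).lower()
    hits = [u for u in URGENCY if u in haystack]
    if hits:
        findings.append("pressure language: " + ", ".join(hits))
    return findings


# Constructed sample messages (not real mail): one phish, one legitimate notice.
SAMPLE_PHISH = """\
From: "Example IT Helpdesk" <helpdesk@examp1e.com>
Reply-To: recovery@mail-recovery.net
To: staff@example.com
Subject: Urgent: your password expires today
Content-Type: text/html

<p>Your password expires in 24 hours. Verify now or your account will be suspended.</p>
<p><a href="https://examp1e.com/reset">https://example.com/reset</a></p>
"""

SAMPLE_LEGIT = """\
From: "Example IT Helpdesk" <helpdesk@example.com>
To: staff@example.com
Subject: October patch window
Content-Type: text/html

<p>Workstations will reboot Saturday at 02:00 after updates are applied.</p>
<p><a href="https://intranet.example.com/patching">intranet.example.com/patching</a></p>
"""

if __name__ == "__main__":
    for label, raw in (("phish", SAMPLE_PHISH), ("legit", SAMPLE_LEGIT)):
        print(label, analyze(raw) or "no indicators")
```

None of these checks depend on the quality of the prose, which is the point: a message written by a language model still has to come from somewhere and link to somewhere, and those facts are in the headers and the HTML rather than the wording. A mail gateway would add SPF, DKIM and DMARC results and a URL reputation lookup on top of this.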
Social Engineering And Phishing
The main tool cyber criminals use in phishing attempts is you. They are counting on poor cyber awareness habits, such as clicking links without thinking, but information that is relevant to you is their best weapon, and we make it easier to find than ever. Cyber criminals use familiarity, curiosity, and fear to manipulate a target's behavior and gain access to critical systems, data, and infrastructure.
Update Software
Any device or application connected to your network carries risk. Installing updates for the software and applications you use is important, above all to patch security flaws.
One of the biggest lessons learned from the 2022 cyber attacks is to keep software patched with the latest vetted update and to verify that every system is actually up to date.
Log4Shell (CVE-2021-44228, in Apache Log4j 2) was one of the most devastating software flaws of the past several years. Applying patches immediately by upgrading to a fixed Log4j release, and then checking again because the first fixes were incomplete, was among the most important steps in limiting further and future damage from exploitation of the vulnerability.
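A practical check for the Log4Shell lesson above, as an added Python example that is not SecuLore's code: it walks a directory tree, finds Log4j 2 core jars by their embedded Maven pom.properties, reads the version and reports whether each jar still needs action. The 2.17.1 "patched" floor is an assumption for this example (the 2.x release generally treated as the fully patched baseline); the sample jars it builds in a temporary directory are constructed stand-ins holding a few bytes, not real Log4j archives, and nested jars inside .war files are not unpacked.

```python
import os
import re
import tempfile
import zipfile

POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
SAFE_VERSION = (2, 17, 1)   # assumed "fully patched" floor for the 2.x line; set to your own baseline


def parse_version(text):
    """'2.14.1' -> (2, 14, 1); '2.0-beta9' -> (2, 0, 0); missing parts are padded with zeros."""
    nums = [int(n) for n in re.findall(r"\d+", text.split("-")[0])]
    return tuple((nums + [0, 0, 0])[:3])


def classify(version, jndi_present):
    """Turn what was found inside a jar into an action."""
    if version is None:
        return "unknown"          # no pom.properties: inspect the archive by hand
    if parse_version(version) >= SAFE_VERSION:
        return "patched"
    return "VULNERABLE" if jndi_present else "mitigated"   # class deleted = interim workaround only


def inspect_jar(path):
    """Read the Log4j version and JndiLookup presence from one archive.
    Returns None for files that are not zips or carry no Log4j core markers."""
    try:
        with zipfile.ZipFile(path) as z:
            names = set(z.namelist())
            if POM_PROPS not in names and JNDI_CLASS not in names:
                return None
            version = None
            if POM_PROPS in names:
                lines = z.read(POM_PROPS).decode("utf-8", "replace").splitlines()
                props = dict(line.split("=", 1) for line in lines if "=" in line)
                version = props.get("version", "").strip() or None
            jndi = JNDI_CLASS in names
    except (zipfile.BadZipFile, OSError):
        return None
    return {"path": path, "version": version, "jndi_lookup_present": jndi,
            "status": classify(version, jndi)}


def scan(root):
    """Walk a directory tree and report every archive that carries Log4j 2 core markers."""
    results = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name.lower().endswith((".jar", ".war", ".ear", ".zip")):
                info = inspect_jar(os.path.join(dirpath, name))
                if info:
                    results.append(info)
    return results


def make_sample_tree():
    """Constructed fixture: fake jars in a temp dir (a few bytes per entry, not real Log4j bytecode)."""
    root = tempfile.mkdtemp(prefix="log4j-scan-")
    fixtures = [("app/lib/log4j-core-2.14.1.jar", "2.14.1", True),    # unpatched, class present
                ("svc/lib/log4j-core-2.17.1.jar", "2.17.1", True),    # patched release
                ("old/lib/log4j-core-2.11.2.jar", "2.11.2", False),   # JndiLookup.class deleted
                ("misc/other.jar", None, False)]                      # unrelated jar, must be ignored
    for rel, version, jndi in fixtures:
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with zipfile.ZipFile(path, "w") as z:
            z.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
            if version:
                z.writestr(POM_PROPS, f"version={version}\nartifactId=log4j-core\n")
            if jndi:
                z.writestr(JNDI_CLASS, b"\xca\xfe\xba\xbe")   # placeholder bytes, not a real class
    return root


if __name__ == "__main__":
    import sys
    for r in scan(sys.argv[1] if len(sys.argv) > 1 else make_sample_tree()):
        print(f"{r['status']:<10} {r['version'] or '?':<8} jndi={r['jndi_lookup_present']!s:<5} {r['path']}")
```

Apache's documented interim mitigation for hosts that could not upgrade immediately was deleting the class from the jar (`zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class`), which is why a jar with the class removed is reported as "mitigated" rather than "patched": it still needs the upgrade, and the inventory is only complete once the scan also covers archives bundled inside other archives.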
Cybersecurity awareness and building cyber resiliency is a team effort and it takes buy-in from your entire organization to help keep your network ready to fight and respond to inevitable cyber threats.
Take advantage of SecuLore’s free cybersecurity resources, from our webinars, blogs, and cyber alerts, as well as our cyber attack database to help you stay up to date on the latest cyber threats and news that impacts your area and industry.
Contact SecuLore today to get help finding cybersecurity solutions, including training for phishing and other best cyber awareness practices for your entire organization, finding network vulnerabilities with actionable solutions to address them, and our 24/7/365 human monitored SOC team to respond to cyber incidents.
Stay cyber-safe,