October is National Cybersecurity Awareness Month!
This is CISA’s 17th year of National Cybersecurity Awareness Month (NCSAM). In efforts to raise awareness about the importance of cybersecurity across our Nation, Intellectual Point has many great resources to offer. We are here for you and want to help support you are safer and more secure online.
CISA and the National Cyber Security Alliance (NCSA) are proud to announce this year’s theme:
“Do Your Part. #BeCyberSmart.”
This theme encourages individuals and organizations to own their role in protecting their part of cyberspace, stressing personal accountability and the importance of taking proactive steps to enhance cybersecurity.
NCSAM emphasizes “If You Connect It, Protect It.” Throughout October, CISA and NCSA will focus on the following areas in our promotions and outreach:
- October 1 and 2: Official NCSAM Kick-off
- Week of October 5 (Week 1): If You Connect It, Protect It
- Week of October 12 (Week 2): Securing Devices at Home and Work
- Week of October 19 (Week 3): Securing Internet-Connected Devices in Healthcare
- Week of October 26 (Week 4): The Future of Connected Devices
Use NCSAM’s hashtag #BeCyberSmart before and during October to promote your involvement in raising cybersecurity awareness.
Here are the main topics to be aware of to #BeCyberSmart
1. Cybercrime – any crime which is committed electronically. This can include identity theft, child sexual abuse materials, financial theft, intellectual property violations, malware, and malicious social engineering.
The Marriott Data Breach impacted the data of more than 5.2 million hotel guests who used their company’s loyalty application. Hackers obtained login credentials of two accounts of Marriott employees who had access to customer information regarding the loyalty scheme of the hotel chain. They used the information to siphon off the data approximately a month before the breach was discovered. According to the Marriot, hackers might have obtained credentials of their employees either by credential stuffing or phishing.
2. Malware – any software intended to damage, disable, or give someone unauthorized access to your computer of other internet-connected device. Some examples are ransomware, adware, botnets, rootkits, spyware, viruses, and worms.
Fear in relation to the Coronavirus (COVID-19) has been widely exploited by cybercriminals. CovidLock ransomware is an example. This type of ransomware infects victims via malicious files promising to offer more information about the disease. The problem is that, once installed, CovidLock encrypts data from Android devices and denies data access to victims. To be granted access, you must pay a ransom of USD 100 per device.
3. Ransomware – is malware designed to make date or hardware inaccessible to the victim until a ransom is paid. Some examples are Cryptolocker, winlock, crytowall, reventon ransomware, bad rabbit, crysis, and wannacry.
One of Fortune 500 companies, Magellan Health was struck by a ransomware attack and data breach in April 2020. The healthcare giant confirmed by stating that about 365,000 patients were affected in the sophisticated cyberattack. According to the investigation, the attack was launched with a fully planned process where hackers first installed malware to steal employee login credentials. Then they leveraged a phishing scheme to gain access to systems of Magellan after sending out a phishing email and impersonating as their client before deploying ransomware attack.
4. Bots – are a type of program used for automating tasks on the internet. Not all bots are bad. When you use a search engine, these results are made possible by the help of bots “crawling” the internet and indexing content. Chatbots like Siri and Alexa are another common type of “good” bot. Malicious bots can gather passwords, log keystrokes, obtain financial information, hijack social media accounts, use your email to send spam, and open back doors on the infected device.
3ve was the “mother” to three distinct yet interconnected sub-operations, each of which perpetrated ad fraud and were able to skillfully evade detection. A months long investigation led by White Ops, Google and law enforcement that began in early 2017 resulted in an unprecedented take down in the Fall of 2018. 3ve’s demise was historic in that it was the first time several individuals were arrested and indicted for ad fraud, subsequently altering the risk-reward ratio for would be fraudsters.
5. Physical Cyber Attacks – use hardware, external storage devices, or other physical attack vectors to infect, damage, or otherwise compromise digital systems. This can include USB Storage devices, CD/DVD, and Internet of Things. Anything connected to the internet is potentially vulnerable, from e-scooters to laptops to cargo ships.
Verizon’s 2018 Data Breach Investigations Report found that more than one in 10 data breaches in the previous year had a physical component.
6. Social Engineering – cybercriminals can take advantage of you by using information commonly available through social media platforms, location sharing, and in-person conversations. Examples are phishing, pretexting, baiting, quid pro quo, tailgating, inside job, and swatting.
Twitter took the whole internet by storm when it was hit by one of the most brazen online attacks in history! The social media platform suffered a breach where the hackers verified Twitter accounts of high profile US personalities like Barack Obama, Elon Musk, Joseph R. Biden Jr., Bill Gates, and many more. Reportedly, the Twitter breach well-coordinated scam made attackers swindle $121,000 in Bitcoin through nearly 300 transactions.
7. Phishing – fake messages from a seemingly trusted or reputable source designed to convince you to reveal information, give unauthorized access to a system, clink on a link, or commit to a financial transaction. Examples are emails, text messages, phone calls, social media messages and posts, and suspicious hyperlinks.
Hackers targeted the World Health Organization (WHO) in another attempted data breach. In this phishing incident, attackers created a fake website to imitate a login screen used by WHO employees. The attack to steal employee passwords was unsuccessful the website was exposed as fraudulent right after it went live on March 13.
8. Swatting – an attack centered around location sharing in which bad actors call the police claiming the victim has committed a crime like a bomb threat, armed intruder, or other violent incident. Your location is embedded as metadata in every picture you take with your phone. Turn location services off when you aren’t using them to make it more difficult for bad actors to view this information.
Federal prosecutors have charged three men with carrying out a deadly hoax known as “swatting,” in which perpetrators call or message a target’s local 911 operators claiming a fake hostage situation or a bomb threat in progress at the target’s address — with the expectation that local police may respond to the scene with deadly force. While only one of the three men is accused of making the phony call to police that got an innocent man shot and killed, investigators say the other two men’s efforts to taunt and deceive one another ultimately helped point the gun.
9. Other Avenues of Attack – some of the other vulnerabilities are internet of everything, any device connected to your network, information collection, remote access, bluetooth, and open ports. Examples are smart devices, mobile phone, thermostat, vehicles, gaming consoles, printers, medical equipment, and industrial systems.
Ring devices took a very big hit on security flaws . In one case a hacker taunted a child in Mississippi, in another someone hurled racist insults at a Florida family. Motherboard found hackers have made dedicated software for more swiftly gaining access to Ring cameras by churning through previously compromised email addresses and passwords, and that some hackers were live-streaming the Ring abuse on their own so-called podcast dubbed “NulledCast.” Ring lacked basic security features, making it easy for hackers to turn the company’s camera against its customers.
Another BIG topic is PASSWORDS!
Password or credential stuffing is a cyberattack that tries “stuffing” already comprised username and passwords from one site into another site in hopes that the user uses the same login information across platforms.
- Use different passwords on different systems and accounts
- Use the longest password allowed
- Use a mix of uppercase and lowercase letter, numbers, and symbols
- Reset your password every few months
- Use a password manager
One big example of this is when more than half a million Zoom account credentials, usernames and passwords were made available in dark web crime forums. Some were given away for free while others were sold for as low as a penny each.
See our calendar of classes to learn how to defend these attacks. Schedule