Cybersecurity: Why every employee is a target, and what you can do about it

As of late you've probably been hearing about various types of cyber attacks and the methods used to execute them relating to the ever mounting number of security and data breaches at large organizations.  Advanced Persistent Threats (APTs), spear phishing, and whaling are just some of the more sophisticated ways threat agents are launching attacks by specifically targeting employees and vendors to gain access to corporate and government networks.

Social media sites like Facebook and LinkedIn offer a wealth of information which is used to select and target individuals for social engineering, phishing, and malware attacks.  From information in your profile such as your job title, department, and company, attackers can extrapolate the type and extent of your access to data and systems within their target organization, and begin launching attacks against YOU.  Examples include emailing or in-app messaging of a job with a description attachment, that you might be interested in, which executes malware or the message might contain links to articles in your field which direct you to a website attempting to execute malware. .

Zero-day vulnerabilities, which are as yet unknown and do not have a patch, have always been a risk, however the attacks have become increasingly more sophisticated. You may have noticed web browsers on your home computers complaining about Adobe Flash needing to be updated frequently over the past couple of months. This was due to recent zero-day vulnerabilities in the Adobe software.  In an effort to compromise government and U.S. financial services employees, attackers compromised advertising servers used by Forbes.com to serve up malicious advertisements.  The malicious advertisements were then displayed on Forbes.com which exploited Adobe Flash and Internet Explorer of visitors to the site1.  The end result of this targeted attack was malware installed on home, work, and government workstations which sent data back to the attackers.

Threat agents are not only attacking the front door but targeting those who have the keys and stealing them.

What you can do about it.

1. Limit public information on social media and be cautious of who you let in your social media network.  Use privacy settings to limit the information for people you don’t know but wish to network with.  If settings are unavailable, limit the information provided on your job and responsibilities.

2. Think before you click. Links and attachments in email, on social media, and advertising are often the way computers become compromised. If it looks suspicious, even if you know the source, it’s best to delete it.

3. Passwords, we're stuck with them until there's a better and more secure method of authentication.  I’m sure you’ve heard this before, make passwords long, complex, and change them regularly.  Use two-factor authentication if available.   Also, use different passwords, especially between work and personal accounts in the event one is compromised.

4. Keep software updated.  Having the latest updates to your anti-virus software, operating system, and web browser is one of the best defenses against viruses and malware.  Use the option to have these automatically update.

5. Using public Wi-Fi is like talking on the phone in the middle of a crowd, assume everyone can hear your conversation.  Limit the type of usage and if you must use it, be sure to use secure VPN.

6. BYOD, a convenience and security risk. Using your personal device for work means what you do at home or on other networks can put your corporate network at risk.  The best thing to do is keep your work and personal devices separate.

These measures will not only protect your organization but also yourself from identity theft and fraud.

1 http://arstechnica.com/security/2015/02/pwned-in-7-seconds-hackers-use-flash-and-ie-to-target-forbes-visitors/
Photo by Gianni Dominici  / CC BY