Be a Cybersecurity Advocate in Your Organization

If you’re of a certain age, you remember Toothopolis and the Cavity Creeps courtesy of a series of commercials for Crest Gel. The animated city walls of Toothopolis were, of course, comprised of tall, perfect, gleaming white teeth. The Cavity Creeps arrived underwater alongside ominous music and were depicted as muscular villains brandishing pickaxes and chipping away at the tooth city walls screaming “DECAY!”

Hackers are rarely as obvious as Cavity Creeps, but a strong parallel exists regarding your organization’s IT security and city walls. Preventing intrusion is the primary goal.  Detecting intrusion is next. Detecting attempts at intrusion, paramount.

What small steps can you and others undertake to keep the city walls gleaming and strong, even if you’re not an official IT person centered on security? Even if you haven’t thought much about cyberattacks and their consequences?

Chris Hadnagy, owner of Social-Engineer LLC and author of Human Hacking: Win Friend, Influence People and Leave Them Feeling Better For Having Met You spoke on November 5^th Joplin, MO Tech Summit regarding the rising costs of cybercrime and how to bolster your organization’s security to ensure no easy attacks. Listing here a few of the most vital:

• Never reuse passwords. Each of us accesses a vast number of websites, and each website should be accessed by its own password. Remembering all of these passwords and what they belong to is impossible, so that leads to a best practice of using Password Management software.  The password you use to secure your other passwords on a password management system can and should be the most enigmatic but rememberable phrase you can muster. One such system Chris mentioned is LastPass.
• Embrace multi-factor authentication.  Password + text-to-phone code authentication is a great example of multi-factor authentication and augments security to a far greater level than a mere password alone. If a site offers multi-factor authentication, then always opt to use it.  Applications are more secure than text-based multi-factor authentication. Research Duo, Authenticate, and Authy to learn more. The advice here is to add layers of security without adding layers of complexity to your day-to-day workflow.
• Keep your virus checker installed, working, and up to date – at home and in the office. Notify IT staff if it expires.  Virus checkers are amazing at keeping that tooth wall solid and shiny…against known attacks. Keep your devices – phones, tablets, laptops, and desktops – patched with operating systems up to date.
• Most importantly – and the actions that most make cybersecurity advocates out of regular people: report and discuss with IT staff, colleagues, and friends the strange contacts and persuasion attempts that you encounter via emails, texts, and phone calls you receive. 

Because rhymes catch your attention, you may know these as phishing, smishing, and vishing attacks. The more information circulating about specific attempts and types of attempts, the less power each may have over time.

We all know to beware of email as a breach point into a device or network and to beware especially attachments that look odd. The 11^th commandment may well be “Thou shalt not click unexpected links and attachments.”

I encountered a recent phishing email at work that originated from a trusted email address asking me to check payment status of an invoice. I had previously paid an invoice to this organization, though I did not recognize the sender’s name. Spider sense tingle one. Here’s the full path I took to validate whether I was dealing with a real email that required my attention. (The answer is no; it was a definite phishing attempt).

1. Review the request – is it something that might be valid.  (Yes)
2. Who’s the request from?  Is this person shown as the email’s sender with the organization he or she claims to represent (Yes)
3. Is the email address itself valid for the organization? Is it in the same format as other email addresses for the organization, such as [firstname].[lastname]@[domain].com?  (Yes)
4. Stop if anything before this is a no. But, for more investigation, review the details of the request asked in the email with a discerning eye. In this case, I was supposed to click a link to review an invoice.
   1. Is the from email originating from a domain (the name part of the email – typically after the @) that corresponds to the organization sending the email. (Yes)
   2. Is the message written in English you would expect from the organization?  Grammatically correct and phrased English? Keep in mind, though, that nefarious actors are getting more sophisticated with spell and grammar check tools, so don’t use this approach to be less concerned about phishing, only as something that might indicate an issue.  (No – this email was definitely weird in its language use).
   3. If the sender is a known contact, call that person and ask about the email. (No)
   4. If there’s a link in the email, with your IT staff’s blessing, as you’ve engaged the IT team by now, hover your mouse over the link but do not click.  What’s the URL domain contained in the link?  If it doesn’t match the domain name of the email, be wary. (Definite non match)
   5. Mini geek challenge: What do the email headers say? This is worth researching if you’re interested. Google “review email headers” and add your email client name in the search.  Within an individual email’s headers, you can find:
      • Received from (tech details)
      • Sender IP address
      • From email address
      • To email address
      • Subject
      • Date
      • Other goodies if you want to dig deeper and learn what they mean, like details regarding whether this email was sent from a list.

There are many more investigative tactics. Usually the answer of “is this suspicious?” is found before the more detailed investigation of an email header review. 

Err on the side of caution and report strange emails to IT and supply all of the information you’ve gleaned in your early “I’ve clicked nothing” analysis.

A culture of discussion regarding attempts to break into your organization is something each individual can foster. Publicly celebrating detection of bad actors before they can attack can help.

Cybersecurity isn’t my specialty area of IT, but as a citizen in the digital world, I recognize the need to regularly practice cyber hygiene. We are the IT staff of our homes, so here’s another a good “read more” recommendation: https://us.norton.com/internetsecurity-how-to-good-cyber-hygiene.html originating from Norton, one of the long-standing antivirus software providers. It gets bonus points for its teeth reference.

For home, monthly or quarterly review – a personal audit of your Internet connected practices and addressing where they fall short can earn you a cyberadvocacy “way to go.”

Back to work – your company’s IT staff works hard on defense against known and unknown threats – keeping your network secure and building and enforcing policies on how to bolster the organization’s approach to cyber safety. It can’t protect against all human-centered “please open the door” attacks. These simple practices above help provide awareness to the human vulnerability.  If these resonate, share them with your colleagues and friends in other organizations.  Embrace the first level – the human level – of cybersecurity advocacy.

For follow-up reading:

1. For everyone: https://www.social-engineer.com/, especially news and updates. Check out Chris’ book, too! Human Hacking: Win Friend, Influence People and Leave Them Feeling Better For Having Met You
2. For IT: https://www.nist.gov/publications/cybersecurity-advocates-discovering-characteristics-and-skills-emergent-role