Everyone’s at risk for a cyber security attack

By: 
KATIE DUNN
Staff Reporter

In our modern world, most people have digital personal information that hackers would love to get their hands on.

At the Colville Tech Expo, keynote speaker Paul Carugati, Director of Information Security at Ecova, addressed the importance of cyber security in a talk titled Cyber Self Defense and introduced self-defense tactics anyone can apply.

Carugati has over 15 years of IT and information security experience. He works at Ecova, a sustainability and energy management company.

Having worked in cyber security for years, Carugati is used to encountering security breaches, but he said the methods have changed over the last 15 years.

Impact

Thousands of businesses and their data are breached each year.

According to a Wall Street Journal article, the cost to a U.S. company of a single lost or stolen digital record containing sensitive or confidential information reached $221 this year, up two percent over last year.

“This is no longer just an enterprise or a company grade threat,” noted Carugati. “This is a risk to everyone because we all have our digital footprint.”

Most people have an email account and use some social media platform, such as Facebook, Instagram or Twitter. People bank and shop online, a trend that’s not going away.

“This is a threat that’s constantly increasing and is affecting each of us individually.”

Carugati said in the last 10 years there’s been a dramatic increase in cyber attacks, no longer just targeting companies and corporations.

The technology industry used to rely on separate internal and external networks, with only the external one connected to the Internet, according to Carugati.

Now the lines between the two are blurred, with devices like phones that are used for both work and personal life.

More people access personal social media while at work than ever before.

Carugati said as this continues to happen, the potential for attack increases and “we become more of a risk to our organization.”

Cyber security used to rely heavily on technology for protection, such as firewalls and antivirus programs, but that is no longer as effective on its own. Carugati stressed that these tools are still important, but cyber criminals no longer just attack the technology; they attack the individual.

Carugati said most companies fail to educate their employees on cyber security. Instead, they rely on the latest firewall for protection. Employees are not taught what signs to look for and fall for scams.

For the sake of cyber security, Carugati said everyone on the Internet needs the skills to spot modern security attacks.

Phishing

Social engineering is the most common methodology for today’s cyber attack landscape, according to Carugati.

In social engineering, con artists take advantage of a person’s good nature.

There are numerous ways of attack, but Carugati chose to focus on the most common ones at the Expo.

The first common type of attack is phishing.

Phishing is a fraudulent email that usually carries a malicious attachment or link which, when opened or clicked, infects the computer.

Carugati said these types of emails will always try to get the receiver to take some sort of action, usually clicking a link or opening an attachment.

The emails are disguised to gain a person’s trust. Methods include using important-looking email addresses, adding business logos and claiming to be from an authoritative source.

The emails also give urgency to the message, prompting the receiver to act quickly, according to Carugati.

To protect against these types of emails, Carugati said people should first ask themselves whether they were expecting an email from the sender.

Carugati said don’t base trust on an email address alone because “an email address can be masqueraded.”

“That’s why you need layered defense,” elaborated Carugati. “You can’t rely on one telltale indicator, you have to look at a number of things to determine if it’s legitimate or fraudulent.”

Before clicking, he advises people to hover over the link to see its true destination. Often the real destination looks fishy and does not go to the website the link text claims.

When it comes to attachments, Carugati said keep an eye on the document type, and don’t just look at the icon.

Rich Text Format files (.rtf), a legacy format dating from the late 1980s, are a frequent carrier of attacks, according to Carugati.

Macro-enabled Word documents (.docm) are another dangerous file type. They carry embedded macros, small programs meant to automate repetitive tasks in Word, and a malicious macro gives an attacker a way to run code on the computer through the application once the user allows it.

“Most people aren’t going to know that,” Carugati noted.

Other signs of a possible phish are high-pressure topics, irrelevant subject matter, and bad grammar and spelling.
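The checks above can be made mechanical. What follows is an added example in Python, not code from the article or from Carugati’s talk: it parses a constructed sample email (the sender, hosts and file name are made up) and looks for the indicators the talk describes, the hover test on a link, the attachment extension rather than its icon, a Reply-To that points somewhere other than the sender, and urgency wording. The list of risky extensions beyond .rtf and .docm is this example’s own assumption.

```python
"""Layered phishing-indicator check over a raw email message.

Added example (not code from the article or the speaker). It automates the manual
checks above: compare where a link says it goes with where it really goes, judge an
attachment by its extension rather than its icon, notice a Reply-To that differs
from the sender, and notice urgency wording. No single indicator decides.
"""
import os
import re
from email import message_from_string, policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# .rtf and .docm are named in the article; the rest are other commonly abused
# script, macro and executable types (an assumption of this example).
RISKY_EXTENSIONS = {".rtf", ".docm", ".xlsm", ".pptm", ".js", ".vbs", ".hta",
                    ".exe", ".scr", ".lnk", ".iso"}
URGENCY = re.compile(r"\b(urgent|immediately|act now|within 24 hours|suspend\w*)\b", re.I)
DOMAIN_LIKE = re.compile(r"^(https?://)?[\w.-]+\.[a-z]{2,}(/|$)", re.I)

# Constructed sample message: the sender, hosts and file name are made up.
SAMPLE_PHISH = """\
From: "Payroll Dept" <payroll@example-payroll.com>
Reply-To: collect@mail-drop.example.net
Subject: URGENT: confirm your account within 24 hours
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html

<p>Your mailbox will be suspended. Please act immediately:
<a href="http://login.example-secure.net/owa">https://outlook.office.com/login</a></p>
--b1
Content-Type: application/msword
Content-Disposition: attachment; filename="Invoice_March.docm"

ZmFrZQ==
--b1--
"""


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs: what a hover reveals versus what is shown."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def site_of(s):
    """Last two DNS labels of a URL, host or address domain (rough registrable domain)."""
    if "://" not in s:
        s = "http://" + s.strip()
    host = (urlparse(s).hostname or "").lower()
    return ".".join(host.split(".")[-2:])


def phishing_indicators(raw_message):
    """Return the independent indicators found; each one alone is only a warning sign."""
    msg = message_from_string(raw_message, policy=policy.default)
    hits = []
    _, from_addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    if reply_addr and site_of(reply_addr.split("@")[-1]) != site_of(from_addr.split("@")[-1]):
        hits.append(f"Reply-To {reply_addr} does not match From {from_addr}")
    text = msg.get("Subject", "")
    body = msg.get_body(preferencelist=("html", "plain"))
    if body is not None:
        content = body.get_content()
        text += " " + content
        if body.get_content_type() == "text/html":
            collector = _LinkCollector()
            collector.feed(content)
            for href, shown in collector.links:
                # The hover check: the visible text names one site, the href goes elsewhere.
                if DOMAIN_LIKE.match(shown) and site_of(shown) != site_of(href):
                    hits.append(f"link shows {shown} but goes to {href}")
    if URGENCY.search(text):
        hits.append("urgency wording in subject or body")
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        ext = os.path.splitext(name)[1].lower()  # judge by the extension, not the icon
        if ext in RISKY_EXTENSIONS:
            hits.append(f"risky attachment type {ext}: {name}")
    return hits


def verdict(raw_message):
    """Layered decision: one indicator means look closer, two or more means probable phish."""
    hits = phishing_indicators(raw_message)
    return ("probable phish" if len(hits) >= 2 else "review" if hits else "clean"), hits
```

Run on the sample, `verdict(SAMPLE_PHISH)` reports four independent indicators and a probable phish; a plain note from a colleague with no links or attachments reports none. The point of the layering is the threshold: a lone urgent subject line or a lone Reply-To mismatch is common in legitimate mail, so a single hit only asks for a closer look.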

A different type of social engineering attack that builds on phishing is credential theft.

Credential theft

Where phishing uses links and attachments to infect a computer, credential theft targets a person’s username and password.

All it takes is one username and password, maybe for an account to something of small importance, to gain access to copious amounts of personal data.

Carugati says given human nature “we all use the same username and password everywhere.”

Most people will use the same information for all accounts: Facebook, Netflix, Amazon et al.

The attacker will then use that information “across the board” to gain access to all accounts.

Credential theft emails are trickier than pure phishing ones because instead of having a person click on a malicious attachment or link, they trick the person into signing in to what looks like a familiar account, according to Carugati.

Con artists are capable of recreating the appearance of a familiar website, like Outlook or Office 365. The fake website can be identical to the real one except for one thing, the URL (Uniform Resource Locator) in the address bar. But most people don’t check the URL before typing in their information.

Carugati said in some of the attacks he’s seen, after typing in email information, the fake website will actually log the user into the real one, making the scam harder to detect.

Carugati warns everyone to: think twice before they click, never reply to the sender, look at attachment file types and not to forward the message to someone else.

“If you do end up clicking the link or opening the attachment it’s not the end of the world,” said Carugati. “Stay calm and don’t panic.”

If at work, he told people to report it to the security or IT department. If at home, he said to run antivirus and anti-malware tools and to keep an eye out for abnormal computer behavior.

To protect against this type of scam, two-step verification is recommended: besides the password, the login requires a second proof, such as entering a code sent to the user’s phone or supplying an additional password.

It also helps to use a different username and password for every account and to change passwords several times a year. (Current guidance from NIST, SP 800-63B, puts the weight on unique passwords and on changing a password as soon as it may have been exposed, rather than on a fixed schedule.)
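The second verification step, as an added example that is not part of the article or Carugati’s talk: a Python implementation of the time-based one-time code that authenticator apps produce (RFC 6238), together with the server-side check. It assumes a 30-second step and six digits, tolerates one step of clock drift between phone and server, and refuses a code that has already been accepted, so a code stolen by a fake login page cannot be reused after the victim has logged in. The secret is the RFC’s own test value.

```python
"""Server-side check of a time-based one-time code (RFC 6238).

Added example, not code from the article or the speaker; it shows the
authenticator-app form of the 'code on your phone' second factor. Edge cases
covered: a phone clock slightly off from the server's, and a stolen code being
replayed after the legitimate login.
"""
import hashlib
import hmac
import struct

STEP = 30      # seconds each code is valid for
DIGITS = 6
WINDOW = 1     # accept one step early or late to tolerate clock drift


def hotp(secret: bytes, counter: int) -> str:
    """RFC 4226 HMAC-based one-time password, the building block of TOTP."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                       # dynamic truncation
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** DIGITS).zfill(DIGITS)


def totp(secret: bytes, now: int) -> str:
    """Code the user's app shows at Unix time `now`."""
    return hotp(secret, now // STEP)


class SecondFactor:
    """Verifier for one user; remembers the last accepted step so codes cannot be replayed."""

    def __init__(self, secret: bytes):
        self.secret = secret
        self.last_step = -1

    def verify(self, code: str, now: int) -> bool:
        step = now // STEP
        for candidate in range(step - WINDOW, step + WINDOW + 1):
            if candidate <= self.last_step:
                continue        # already used, or older than a code already accepted
            if hmac.compare_digest(hotp(self.secret, candidate), code):
                self.last_step = candidate
                return True
        return False


if __name__ == "__main__":
    # RFC 6238 test secret; at T=59 the six-digit code is 287082.
    secret = b"12345678901234567890"
    user = SecondFactor(secret)
    print(user.verify(totp(secret, 59), 59), user.verify(totp(secret, 59), 59))  # True False
```

Two details matter in practice: the comparison uses `hmac.compare_digest` so a wrong guess takes the same time as a right one, and the replay check is per user and must survive restarts (a database column, not memory) or a captured code stays valid for the rest of its window.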

A third type of security breach Carugati addressed at the Tech Expo was ransomware.

Ransomware

Ransomware is a type of malicious software designed to block access to a computer system until a sum of money is paid, according to Microsoft Malware Protection Center.

Carugati said ransomware is usually installed on a computer through phishing.

There are different types of ransomware, but all of them prevent a person from using their computer normally.

“It’s a very upfront in your face infection,” Carugati noted.

The malware will encrypt all of a person’s files and afterward notify the owner.

Carugati explained that encryption is one of the most effective ways to secure data, because reading an encrypted file requires the secret key or password. Ransomware turns that property against the victim: only the attacker holds the key.

The attacker will make a demand, usually for a sum of money, and threaten to destroy the key, leaving the files permanently unreadable, if the demand is not met.

“They are literally holding your data ransom,” Carugati said.

On a personal level it’s family photos, financial data, computer game save files. But for a corporation the threat escalates.

Protecting against ransomware is tricky because most traditional security methods won’t catch it, according to Carugati.

He said the best protection against ransomware is having good data backups. Those backups need to be kept disconnected from the computer; a backup drive that stays plugged in gets encrypted along with everything else.

“You never pay the ransom,” said Carugati, adding that it’s likely an attacker will strike more than once if they know their victim will pay.

Carugati said a victim of this type of attack should call a professional and restore their computer to recent backup data.
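A backup is only useful if it is known to be intact before the restore. The following is an added example in Python, not code from the article or from Carugati’s talk and not a substitute for a real backup tool: it records a SHA-256 manifest when the backup is taken and later reports every file that is missing or whose content no longer matches, which is what a ransomware infection looks like from the outside. The scenario in `demo()` is constructed in a temporary directory.

```python
"""Backup integrity manifest with a restore check.

Added example, not code from the article. A manifest of SHA-256 hashes is
written when the backup is taken; verify() then lists every file that is
missing or whose content changed. Store the manifest with the backup, away
from the machine being protected, or it can be altered along with the data.
"""
import hashlib
import os
import secrets
import shutil
import tempfile


def file_hash(path):
    """SHA-256 of a file, read in chunks so large photos and databases fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root):
    """Map each file under root (by relative path) to its SHA-256 at backup time."""
    manifest = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            manifest[os.path.relpath(full, root)] = file_hash(full)
    return manifest


def verify(root, manifest):
    """Return the relative paths that are missing or no longer match the manifest."""
    bad = []
    for rel, digest in sorted(manifest.items()):
        full = os.path.join(root, rel)
        if not os.path.isfile(full) or file_hash(full) != digest:
            bad.append(rel)
    return bad


def demo():
    """Constructed scenario: three files are backed up, then one is overwritten the
    way ransomware would (random bytes in place of the content) and one is deleted."""
    root = tempfile.mkdtemp()
    files = {"photos/a.jpg": b"jpeg bytes", "notes.txt": b"family budget", "save.dat": b"game"}
    for rel, content in files.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as f:
            f.write(content)
    manifest = build_manifest(root)
    with open(os.path.join(root, "notes.txt"), "wb") as f:
        f.write(secrets.token_bytes(32))       # simulated encryption: content replaced
    os.remove(os.path.join(root, "save.dat"))  # simulated deletion
    damaged = verify(root, manifest)
    shutil.rmtree(root)
    return damaged
```

`demo()` returns the two damaged paths and leaves the untouched photo out of the list. The same `verify()` call, run against the backup copy rather than the live disk, is the restore test: if the backup itself fails it, there is nothing to restore from and the only remaining option is the one Carugati rules out.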

The final method Carugati introduced was Business Email Compromise (BEC).

BEC

According to the FBI, BEC is a sophisticated scam targeting businesses working with foreign suppliers and/or businesses that regularly perform wire transfer payments.

Although delivered with the same phishing techniques, these emails contain no malware; the messages themselves are technically harmless, according to Carugati.

The danger comes in the email’s message.

Usually the attacker impersonates the CEO or a manager, sending an employee a spoofed email that mimics a legitimate one and requests a wire transfer to an account the attacker controls.

The FBI has identified most targets for this type of scam are individuals responsible for handling wire transfers.

Employees are put under pressure from the fake CEO and some, not all, will fall for it.

But as Carugati points out, it only takes one person in a company to fall for this scam for the damage to be done.

The FBI reported in June that in the last couple of years, worldwide companies have lost over $3.1 billion to this type of scam.

Among its recommendations, the FBI urges companies to avoid free web-based email accounts for business correspondence.

Carugati said in all these scenarios, it’s best to never act under duress. It’s also important to be suspicious of any requests for action to be taken quickly.

Carugati added that it never hurts to verify a money transfer request out of band, for instance by phoning the requester at a number already on file rather than one given in the email.

“These are the most common forms of social engineering that we’ve seen in awhile,” said Carugati. “These are the ones you’re going to see either at home or work, so it’s important to pay attention and know what to look for.”

As seen in the Statesman-Examiner
