October is National Cybersecurity Awareness Month (NCSAM). The Cybersecurity and Infrastructure Security Agency (CISA) designates this month to bring attention to important cybersecurity topics affecting every American using the Internet. Here is an excerpt from this year’s NCSAM page:
Now in its 17th year, NCSAM continues to raise awareness about the importance of cybersecurity across our Nation, ensuring that all Americans have the resources they need to be safer and more secure online.
CISA and the National Cyber Security Alliance (NCSA) are proud to announce this year’s theme:
Do your part. #BeCyberSmart.
The four topics CISA outlined for this year are 1) If You Connect It, Protect It, 2) Securing Devices at Home and Work, 3) Securing Internet-Connected Devices in Healthcare, and 4) The Future of Connected Devices. You can follow these posts here:
- If You Connect It, Protect It (week 1, week of October 5)
- Securing Devices at Home and Work (week 2, week of October 12)
- Securing Internet-Connected Devices in Healthcare (week 3, week of October 19)
- The Future of Connected Devices (week 4, week of October 26)
We’ve compiled important information from various CISA resources below. Here are three things you need to know to do your part:
Protect Your Information
One of the best things you can do to protect your devices is to keep them updated to the newest available version of their software. Whether it is your phone, computer, tablet, or another device, the newest software update will always have the most secure and reliable protection in place. Staying on older versions gives malicious actors more time to find exploits for those versions, and if your devices still run them, attackers are more likely to be able to access your information.
Another important habit is changing your passwords. Change your device’s default password as soon as possible; this includes devices like your modem or router. If your home Internet network is not password-protected, anyone could access all of your traffic, data, and personal information. Further, use a different password for each of your online accounts. If you use the same password for all your social media accounts and one of them is compromised, all of your accounts are compromised. This becomes even more worrying if a service has access to banking or credit card information, social security or driver’s license numbers, etc. Keep a record of your passwords somewhere you will be able to access if you ever forget one!
A final way to protect your devices is to manage app permissions carefully – especially on your phone. Many apps will ask for a list of permissions when you first install them. You should be wary of applications that you aren’t familiar with, and don’t allow apps to access more information than they need. An example would be a weather application asking for access to your contacts; there are hardly any practical reasons a weather application needs to know the names and numbers of everyone saved in your phone.
Secure Your Devices
Due to the coronavirus pandemic, this year has introduced a slew of new hurdles in how people work, learn, and socialize with each other. Since many people are now working from home, home and work networks interact more often than ever before, putting both at a much higher risk of being compromised. The following quote was taken from an interview with Dr. Julie Haney of the National Institute of Standards and Technology (NIST), lead for the NIST Usable Cybersecurity Program.
Please discuss NIST’s resources for telework/remote work. What are some important steps people can take to ensure their devices are safe while working at home?
NIST has some great security resources for both teleworkers and organizations supporting telework. For teleworkers, there are some informative articles on the Cybersecurity Insights Blog with tips on telework security and protecting privacy during virtual meetings. For organizations supporting telework, NIST has issued a new draft revision of Special Publication 800-46 Guide to Enterprise Telework, Remote Access, and Bring Your Own Device (BYOD) Security that contains information on security considerations and recommendations when implementing remote access solutions.
In a nutshell, first, make sure you understand your organization’s telework policies and procedures. If your organization provides a VPN (virtual private network) for connecting into your work network, use that for stronger protection. If not, consider finding and using a reputable VPN (there are numerous available online) when conducting work-related activities. If you’re using a computer issued by your organization, hopefully it’s already configured securely and updated regularly, which can go a long way. However, if accessing work from your own computer, be sure to implement some basic security measures like using strong authentication (for example, passwords, PINs, or fingerprint or facial recognition), installing an anti-virus program on your Microsoft Windows computer (and keeping it updated!), and keeping up with the latest updates for your operating system and applications, especially those that fix security issues (enabling automatic updates if possible really helps). When using a wireless connection (Wi-Fi) on your home network, be sure to use WPA2/WPA3 for stronger protection and set a Wi-Fi password that is not easily guessable.
Other devices on your home network should be secured similarly so that they don’t become a jumping-off point for bad actors to attack your network or telework device. You also need to stay vigilant when it comes to email and be careful not to click on potentially dangerous attachments or links that try to steal your personal information or install malicious programs on your computer.
There’s also the added complexity and potential security risks of all the other “smart” connected devices we have, whether that be our fitness trackers, voice-controlled assistants like Amazon Alexa or Google Home, or smart cameras. Unfortunately, some of these don’t have the basic security settings that your mobile devices and computers may have. Be sure to set a strong password or other type of authentication on the smartphone companion apps for these devices and immediately install updates if you’re notified to do so. Consider what your devices can do and how that might affect your work from a security perspective if someone with bad intent should gain access to the devices. For example, I certainly wouldn’t recommend having a smart camera pointed at your work monitor! If you’re a bit more technology-savvy, consider segmenting your home network so that these connected devices are in their own subnet with limited access to other devices on your home network (like your work and personal computers) that may contain more sensitive information.
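The segmentation Dr. Haney suggests at the end of her answer can be expressed as a small firewall ruleset on the home router. The following nftables ruleset is an added illustration, not from NIST or the interview; it assumes the router uses eth0 for the Internet uplink, eth1 for the trusted LAN (192.168.1.0/24, where work and personal computers live) and eth2 for the IoT subnet (192.168.20.0/24). Interface names and address ranges are assumptions to adjust for your own setup.

```nftables
# Home network segmentation: IoT devices get Internet access but may not
# initiate connections to the trusted LAN or to the router's admin services.
# Assumed interfaces: eth0 = Internet uplink, eth1 = trusted LAN, eth2 = IoT subnet.
table inet home_segmentation {
    chain forward {
        type filter hook forward priority 0; policy drop;

        # Replies to connections that were already allowed (e.g. a laptop on the
        # trusted LAN viewing a camera stream it opened itself)
        ct state established,related accept

        # Trusted LAN may reach IoT devices for management and streams
        iifname "eth1" oifname "eth2" accept

        # Trusted LAN may reach the Internet
        iifname "eth1" oifname "eth0" accept

        # IoT devices may never initiate connections to the trusted LAN
        # (192.168.1.0/24 is the assumed trusted range)
        iifname "eth2" ip daddr 192.168.1.0/24 drop

        # IoT devices may reach the Internet for cloud services and updates
        iifname "eth2" oifname "eth0" accept

        # Anything else from the IoT subnet is logged (rate-limited) and then
        # dropped by the chain policy, which gives visibility into misbehaving devices
        iifname "eth2" limit rate 10/minute log prefix "iot-blocked: "
    }

    chain input {
        type filter hook input priority 0; policy drop;

        ct state established,related accept
        iifname "lo" accept

        # IoT devices only get DNS and DHCP from the router itself
        iifname "eth2" udp dport { 53, 67 } accept
        iifname "eth2" tcp dport 53 accept

        # Only the trusted LAN may reach the router's own services (admin UI, SSH)
        iifname "eth1" accept
    }
}
```

Load it with `nft -f <file>` on the router and confirm with a test from an IoT device that a connection to a trusted-LAN address fails while Internet access still works.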
Vulnerable New Devices
Millions of devices are purchased every year, especially around the holidays. As the holiday season quickly approaches, it’s important to keep in mind how a new device could put your home or work networks at risk. To make sure your new device is secure, CISA recommends that you:
- Use strong passwords. Passwords are a common form of authentication and are often the only barrier between you and your personal information. Some internet-enabled devices are configured with default passwords to simplify setup. These default passwords are easily found online, so they don’t provide any protection. Choose strong passwords to help secure your device. See Choosing and Protecting Passwords for more information.
- Use multi-factor authentication when available. Many manufacturers offer users the option to protect accounts with multi-factor authentication (MFA). MFA adds another layer of security and can significantly reduce the impact of a password compromise because the malicious cyber actor needs the other factor—often the user’s mobile phone—for authentication. See Supplementing Passwords for more information.
- Evaluate your security settings. Most devices offer a variety of features that you can tailor to meet your needs and requirements. Enabling certain features to increase convenience or functionality may leave you more at risk. It is important to examine the settings, particularly security settings, and select options that meet your needs without putting you at increased risk. If you install a patch or a new version of software, or if you become aware of something that might affect your device, reevaluate your settings to make sure they are still appropriate. See Good Security Habits for more information.
- Ensure you have up-to-date software. When manufacturers become aware of vulnerabilities in their products, they often issue patches to fix the problem. Patches are software updates that fix a particular issue or vulnerability within your device’s software. Make sure to apply relevant patches as soon as possible to protect your devices. See Understanding Patches for more information.
- Connect carefully. Once your device is connected to the internet, it’s also connected to millions of other computers, which could allow attackers access to your device. Consider whether continuous connectivity to the internet is needed. See Securing Your Home Network for more information.
Using COVID to Target Victims
In March 2020, ransomware attacks increased 148% over baseline levels from February 2020. Researchers found attacks spiked on days with significant news about COVID-19.
Scammers have leveraged the coronavirus pandemic as a means to take advantage of unsuspecting victims. Fraudulent emails claiming that the victims were exposed to someone with the coronavirus have been especially effective in gaining access to medical and financial information. These emails look official, often appearing to be sent from a real hospital.
On March 20th, the FBI released a Public Service Announcement highlighting the sharp increase in Internet scammers using the pandemic as a means of obtaining your private information. The FBI warned the public to “be on the lookout for fake emails from the U.S. Centers for Disease Control and Preparedness (CDC) claiming to offer information on the virus, including links and attachments.” They also warned the public to be cautious of “anyone selling products that claimed to prevent, treat, diagnose, or cure COVID-19.”
Further reading can be found here.
References:
- https://www.naco.org/articles/cybersecurity-awareness-if-you-connect-it-protect-it
- https://www.nist.gov/blogs/cybersecurity-insights/cybersecurity-awareness-month-securing-devices-home-and-work
- https://www.cisa.gov/national-cyber-security-awareness-month
- https://us-cert.cisa.gov/ncas/current-activity/2018/12/28/Securing-New-Devices
- https://www.asisonline.org/security-management-magazine/articles/2020/06/how-cyber-criminals-use-coronavirus-scams-to-target-victims/