Based on Verizon’s 2024 Data Breach Investigations Report, “68% of breaches involved a non-malicious human element, like a person falling victim to a social engineering attack or making an error”. In other words, most breaches involve a person being deceived or making a mistake, which is exactly what security awareness is meant to reduce.
Security awareness is built by training people to recognize common threats and risky habits, such as phishing, weak or reused passwords, social engineering, and malware. In this blog post, we will cover five of the most common security awareness topics, and how to avoid becoming a victim.
Phishing is the impersonation of a trusted party, such as a bank, a vendor, or a colleague, in an attempt to trick a user into handing over sensitive information or credentials. In the information security field we call the person behind it a malicious actor. The malicious actor may send out an eMail to a user pretending to be from a third-party vendor, but behind the scenes the actor is trying to harvest login credentials or personally identifiable information (PII), such as credit card, social security, or passport numbers, and addresses.
Years ago — long before I became an IT professional — I received an eMail from what looked like my bank, urgently telling me to confirm my account details. The eMail looked legitimate, until I noticed something odd about the sender’s address, so I called my bank and they confirmed that this was a scam.
Ever since that incident, I have always double-checked the sender’s address on eMails I receive, and have never clicked a fishy-looking URL. There are other forms of phishing attacks to be aware of. Have you ever received a spam call or text? These types of phishing attacks are called vishing and smishing, respectively.
Vishing is a form of phishing where the malicious actor calls their intended victim in an attempt to deceive them, while smishing uses text messages to establish communication with the target. I know that these two terms might sound ridiculous to some, but you can just ask the fine folks at Cisco about it, and they’ll set you straight.
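As an added example (this is not code from the original post or from CETSE), here is a small Python script, standard library only, that parses a raw eMail and flags three of the tells described above: a display name that names a different domain than the address the mail was actually sent from, a Reply-To header pointing somewhere else, and a link whose visible text claims one site while its href goes to another. The two sample messages are constructed for the demo and use reserved example domains. Keep in mind that the From header itself can be forged, so these are warning signs to act on (call the bank on the number printed on your card, as in the story above), not proof either way.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse


def _domain(address):
    """Lower-cased domain part of an e-mail address ('' if there is none)."""
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""


class _LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs for every <a> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _html_bodies(msg):
    """Yield every text/html part of the message, decoded to str."""
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            payload = part.get_payload(decode=True)
            if payload:
                yield payload.decode(part.get_content_charset() or "utf-8", "replace")


def phishing_indicators(raw_message):
    """Return a list of (indicator, detail) pairs found in a raw RFC 5322 message."""
    msg = message_from_string(raw_message)
    findings = []
    display_name, from_addr = parseaddr(msg.get("From", ""))
    from_domain = _domain(from_addr)

    # 1. Display-name spoofing: the name the user sees names a different
    #    domain than the address the mail really came from.
    shown = re.search(r"[\w.+-]+@([\w.-]+\.\w+)", display_name)
    if shown and shown.group(1).lower() != from_domain:
        findings.append(("display-name-spoof",
                         f"{shown.group(1)} shown, sent from {from_domain}"))

    # 2. Reply-To routes the victim's answer to a different domain.
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    if reply_addr and _domain(reply_addr) != from_domain:
        findings.append(("reply-to-mismatch", f"replies go to {_domain(reply_addr)}"))

    # 3. Link text claims one host while the href points at another.
    for body in _html_bodies(msg):
        collector = _LinkCollector()
        collector.feed(body)
        for href, text in collector.links:
            actual = (urlparse(href).hostname or "").lower()
            claimed = re.search(r"https?://([^/\s]+)", text)
            if claimed and claimed.group(1).lower() != actual:
                findings.append(("link-mismatch",
                                 f"text says {claimed.group(1)}, href goes to {actual}"))
    return findings


# Constructed sample (not a real mail) showing all three tells.
SUSPICIOUS_MAIL = """\
From: "security@mybank.example" <alerts@mybank-verify.example>
Reply-To: helpdesk@mail-secure.example
To: customer@example.org
Subject: Urgent: confirm your account details
Content-Type: text/html; charset=utf-8

<html><body><p>Your account will be locked. Confirm here:
<a href="http://198.51.100.7/login">https://www.mybank.example/login</a></p></body></html>
"""

# Constructed sample that should produce no findings.
LEGITIMATE_MAIL = """\
From: "My Bank Alerts" <alerts@mybank.example>
To: customer@example.org
Subject: Your monthly statement is ready
Content-Type: text/html; charset=utf-8

<html><body><p>Log in at <a href="https://www.mybank.example/">https://www.mybank.example/</a>.</p></body></html>
"""

if __name__ == "__main__":
    for code, detail in phishing_indicators(SUSPICIOUS_MAIL):
        print(f"{code}: {detail}")
```

Run against the first sample it reports all three indicators; the second sample comes back clean. A mail client shows you only the display name and the link text, which is exactly why the address and the real destination deserve a second look.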
Password security is another common issue, so let’s discuss two of the most important password best practices:
A. Make sure your passwords are at least 12 characters long, with a mix of letters, numbers, and special symbols.
B. Use a unique password for each of your accounts.
When combined, these are, perhaps, the most effective steps an average user can take to keep malicious actors out of their accounts: a password stolen from one site can no longer be used to open all the others. Yes, it is not uncommon for users to struggle when attempting to recall a lengthy password (it can happen to the best of us), but you can simply use a password manager, like the aptly named pass, to generate and keep track of them.
Finally, users should change a password immediately if there is any sign it may have been exposed, such as a breach notification or an unexpected login alert, and remember to never, ever, share their account information with anyone.
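Added example, not code from the original post: a Python snippet that checks a password against rules A and B above and generates passwords the way a password manager does, using the secrets module (the operating system’s cryptographically secure random source) rather than random. The 12-character minimum and the letter/number/symbol mix are the rules stated above; the particular symbol set and the sample vault are assumptions for the demo.

```python
import secrets
import string

# Character classes a password must mix, per rule A above.
CLASSES = {
    "lower": string.ascii_lowercase,
    "upper": string.ascii_uppercase,
    "digit": string.digits,
    # Symbol set is an assumption for this example; any printable set works.
    "symbol": "!@#$%^&*()-_=+[]{};:,.?",
}
MIN_LENGTH = 12


def classes_present(password):
    """Return the set of character classes that occur in the password."""
    return {name for name, chars in CLASSES.items() if any(c in chars for c in password)}


def meets_policy(password, min_length=MIN_LENGTH):
    """Rule A: at least min_length characters mixing letters, numbers and symbols."""
    present = classes_present(password)
    has_letters = bool(present & {"lower", "upper"})
    return len(password) >= min_length and has_letters and {"digit", "symbol"} <= present


def generate_password(length=16):
    """Generate a random password that satisfies meets_policy().

    secrets.choice draws from the OS CSPRNG; the random module is
    predictable and must never be used for anything secret.
    """
    if length < MIN_LENGTH:
        raise ValueError(f"length must be at least {MIN_LENGTH}")
    alphabet = "".join(CLASSES.values())
    while True:  # rejection sampling keeps the accepted passwords uniform
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if meets_policy(candidate, length):
            return candidate


def reused_passwords(vault):
    """Rule B check: given {account: password}, list the account groups sharing one."""
    by_password = {}
    for account, password in vault.items():
        by_password.setdefault(password, []).append(account)
    return [sorted(accounts) for accounts in by_password.values() if len(accounts) > 1]


if __name__ == "__main__":
    print(generate_password())
    # Constructed sample vault: two accounts share a password.
    print(reused_passwords({"bank": "Winter2024!!", "webmail": "Winter2024!!", "shop": generate_password()}))
```

Note the caveat the test below makes explicit: meets_policy accepts "Password123!", which satisfies every composition rule and appears in every cracking wordlist. Composition rules catch short and single-class passwords; only unique, randomly generated passwords from a manager give you the strength the rules are aiming at.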
Safe internet and social media habits are crucial to security awareness. People tend to share too much personal information on social media. For example, people will post their location and vacation dates, and upload photos that still carry their embedded metadata, including the exact time and GPS coordinates of where they were taken, which makes it trivial to track someone and build a profile of their actions and habits.
Steps you can take toward being a safer user are to not give away personal information on social media, and to log out of all accounts before walking away from your computer, especially if you are using a public device. If you are using a personal or work device, make sure you not only log out of all accounts, but lock your computer before leaving your device unattended as well.
More savvy users can also use a tool like ExifCleaner to strip that metadata from their photos before uploading them to a public platform. Cultivating these habits is essential to keeping your information guarded from prying eyes.
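For readers curious about what a tool like ExifCleaner does under the hood, here is an added Python example (standard library only; it is not ExifCleaner’s code and not from the original post) that walks the segment structure of a JPEG file and drops the APPn and COM segments that carry EXIF, XMP, ICC and IPTC metadata, copying the compressed image data through untouched. The sample file is a constructed marker sequence with a JFIF header, an EXIF block and a comment, not a real photograph.

```python
import struct

# JPEG marker codes (the byte that follows 0xFF).
SOI, EOI, SOS, COM = 0xD8, 0xD9, 0xDA, 0xFE
APP0, APP1, APP2, APP13, APP14 = 0xE0, 0xE1, 0xE2, 0xED, 0xEE
# Markers that carry no length field.
_STANDALONE = {0x01} | set(range(0xD0, 0xD8))


def header_segments(data):
    """Yield (offset, marker, payload) for every segment up to and including SOS."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG: missing SOI marker")
    pos = 2
    while pos + 4 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError(f"expected 0xFF marker prefix at offset {pos}")
        marker = data[pos + 1]
        if marker == 0xFF:          # fill byte before a marker
            pos += 1
            continue
        if marker in _STANDALONE:   # TEM / RSTn: two bytes, no payload
            pos += 2
            continue
        length = struct.unpack(">H", data[pos + 2:pos + 4])[0]
        if length < 2:
            raise ValueError(f"bad segment length at offset {pos}")
        yield pos, marker, data[pos + 4:pos + 2 + length]
        if marker == SOS:           # entropy-coded scan follows; stop parsing here
            return
        pos += 2 + length
    raise ValueError("no SOS marker found before end of data")


def metadata_segments(data):
    """Names of the metadata-bearing segments present, in file order."""
    found = []
    for _, marker, payload in header_segments(data):
        if marker == APP1 and payload.startswith(b"Exif\x00\x00"):
            found.append("EXIF")
        elif marker == APP1 and payload.startswith(b"http://ns.adobe.com/xap/1.0/"):
            found.append("XMP")
        elif marker == APP2 and payload.startswith(b"ICC_PROFILE"):
            found.append("ICC")
        elif marker == APP13 and payload.startswith(b"Photoshop 3.0"):
            found.append("IPTC")
        elif marker == COM:
            found.append("COM")
    return found


def strip_metadata(data, keep=(APP0, APP14)):
    """Return (cleaned_bytes, removed_markers) with APPn/COM segments removed.

    APP0 (JFIF) and APP14 (Adobe colour transform) are kept because decoders
    rely on them; everything from SOS onward is copied verbatim.
    """
    out = bytearray(data[:2])
    removed = []
    for offset, marker, payload in header_segments(data):
        if marker == SOS:
            out += data[offset:]
            return bytes(out), removed
        is_app = APP0 <= marker <= 0xEF
        if (is_app and marker not in keep) or marker == COM:
            removed.append(marker)
            continue
        out += data[offset:offset + 4 + len(payload)]


def _segment(marker, payload):
    return b"\xff" + bytes([marker]) + struct.pack(">H", len(payload) + 2) + payload


# Constructed minimal JPEG: a structurally valid marker sequence, not a decodable
# image. The COM text and EXIF block stand in for what a camera would write.
SAMPLE_JPEG = (
    b"\xff\xd8"
    + _segment(APP0, b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00")
    + _segment(APP1, b"Exif\x00\x00MM\x00\x2a\x00\x00\x00\x08" + bytes(16))
    + _segment(COM, b"Taken at 51.5007N 0.1246W")
    + _segment(0xDB, b"\x00" + bytes(64))        # DQT: quantisation table
    + _segment(SOS, b"\x01\x01\x00\x00\x3f\x00")
    + b"\x12\x34\x56"                            # stub scan data
    + b"\xff\xd9"
)

if __name__ == "__main__":
    print("before:", metadata_segments(SAMPLE_JPEG))
    cleaned, removed = strip_metadata(SAMPLE_JPEG)
    print("after: ", metadata_segments(cleaned), "removed markers:", [hex(m) for m in removed])
```

Because the scan data is copied byte for byte, the image itself is not re-encoded and loses no quality; only the side segments go. Running it on the cleaned output a second time removes nothing, which is a convenient way to confirm a photo is clean before you post it.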
Social engineering involves manipulating an unsuspecting user in order to steal sensitive information and gain access to computer systems or accounts. Aside from phishing, some other examples of social engineering are shoulder surfing, tailgating, and piggybacking.
Shoulder surfing is the act of watching over a user’s shoulder to capture their login credentials or other bits of sensitive information without their knowledge. Tailgating is gaining access to a secure area by following closely behind an authorized person as they pass through a barrier. Piggybacking is similar to tailgating, except that the authorized person knowingly lets the malicious actor in, having been deceived into granting permission.
The malicious actor often manipulates a target to gain their trust in these social engineering attacks. Such methods show that, sometimes, the weakest link in cyber security is not your firewall, or any other component of your network’s infrastructure, but the friendly guy holding a door open for you.
Social engineering is so common because we have an inborn tendency to trust those who show us kindness. Beware of these tactics, and remember to be cautious about where you access personal accounts, and who is acting suspiciously around you.
Malware, a portmanteau of malicious software, is any software designed to compromise computers or entire networks. Malware can be used for many purposes, such as stealing data, corrupting devices, or disrupting network services. Some common types of malware are viruses, spyware, and ransomware.
Malware can be spread through phishing attacks, removable drives, and common mistakes like installing software from an untrusted source without vetting it. There are signs that indicate malware may have affected your device, and some to look out for are:
A. Extremely slow computer performance / high resource usage
B. Pop-up ads (especially outside of the web browser)
C. Frequent cases of applications crashing or hanging
D. The default search engine in your browser unexpectedly changing
E. Filenames changing or files becoming inaccessible at random
Make sure to protect yourself from malware by learning to recognize it. Stay vigilant. Do not indiscriminately click on links in eMails, be cautious when opening attachments you receive, and keep your software updated.
More experienced users can configure their firewall to deny most or all incoming connections, and less experienced users should look into anti-malware or anti-virus software for increased protection. These are just a few examples of the proactive measures you can take.
There you have it! 5 of the most common security awareness topics. Remember to help safeguard the security, and privacy, of your colleagues, students, friends and family, by doing your best to educate them on these topics.
Make it fun! You can even send out simulated phishing eMails to test their awareness level. Listen to their feedback to get a better understanding of what they learned, and how your efforts can improve.
Reach out to learn more about security awareness, or to schedule a Security Awareness Training Session with CETSE!