Staying Safe And Secure Online
THIS GUIDE IS WRITTEN TO ALLOW YOU TO CUT & PASTE INFORMATION INTO YOUR OWN COMMUNICATIONS WITH YOUR STAFF.
Staying safe and secure online!
This is a general guide based around staying secure online. We have also written a guide to secure passwords which is available here.
Social engineering is undoubtedly on the rise, and is one of the most widespread and successful ways in which criminals gain access to secure systems and sensitive information. Because doing it effectively requires minimal technical skill, the threat is very real. Chances are your network has already been the target of an attempted social engineering attack.
Attacks vary from bulk phishing emails with little sophistication through to highly targeted, multi layered attacks which use a range of social engineering techniques.
Social engineering mimics normal human behavioural traits, and therefore there are only limited technical solutions to guard against it. As a result, the best defence is to educate yourself and your users on the techniques used by social engineers, and to raise awareness of how both humans and computer systems can be manipulated to create a false level of trust.
Social engineering preys on common aspects of human psychology such as curiosity, courtesy, gullibility, greed, thoughtlessness, shyness and apathy. Individuals are manipulated using one or many of these traits in order to induce them to carry out specific actions or divulge sensitive information that can be of use to an attacker. These techniques are commonly used to deliver malicious software (malware), but in some cases they only form part of an attack, as an enabler to gain additional information, commit fraud or obtain access to secure systems. Social engineering techniques range from indiscriminate wide-scale attacks, which are crude and can normally be easily identified, through to sophisticated multi-layered tailored attacks which can be almost indistinguishable from genuine interactions.
The most common social engineering technique is phishing. Unique phishing attacks in 2014 topped 120,000 (source: https://docs.apwg.org/reports/APWG_Global_Phishing_Report_1H_2014.pdf). Phishing is the fraudulent attempt to steal personal or sensitive information by masquerading as a well-known or trusted contact. Whilst email phishing is the most common, phishing attacks can also be conducted via phone calls, text messages and fax, as well as other methods of communication, including social media.
Common things to watch for in an email are:
- Messages are unsolicited (i.e. the victim did nothing to initiate the action)
- Messages are vague, not addressed to the target by name and beyond purporting to be from a known organisation, contain little other specific or accurate information to build trust
- May be from an organisation with which the target has no dealings
- Contain poor spelling and grammar, typos or use odd phrases
- Are too good to be true or make unrealistic threats, often with a sense of urgency
- Are sent from an email address that, whilst perhaps similar, does not match ones used officially by an organisation
- Contain incorrect or poor versions of an organisation’s logo, and may contain web links to sites that, whilst perhaps similar, are not ones used by that organisation
- Contain links whose visible text shows a valid location but which in reality direct the user elsewhere. You can often see the real destination if you hover over the link first.
Phishing has become so common in the modern age that it is almost second nature to be able to spot the ‘usual ones’ – we’ve all received the email from the 3rd in line to the Nigerian throne who just needs to use our bank account to keep a few billion nairas safe while they try to locate the dead king. However, these attack attempts are becoming much more sophisticated and harder to spot now, to the point where the victim may end up at an exact replica of a legitimate website that encourages them to enter sensitive information. Sophisticated attackers will limit the target audience and increase the precision of their messages, increasing the appeal of the message and apparent legitimacy. This precision targeted form of phishing is called spear phishing.
A spear phishing attack may target individuals within a particular business sector, who work in the same company, in the same department, or who share some other common attribute. A spear phishing email may even target just one specific individual if they are seen to be of sufficient value to the attacker. Whilst this decreases the number of potential victims, it is also likely to result in a higher proportion falling for their attack. Some spear phishing attacks can still be crude, and still remain easy to spot as they contain some of the indicators listed above. Others can appear legitimate and are extremely difficult to identify as malicious.
The blog article referred to above offers a perfect example of how spear phishing can be used to penetrate a network, and this particular case is one that was experienced first hand here at activereach.
Out Of Eden is a legitimate company with which a customer of ours had done business in the past, so genuine emails had gone back and forth between the two companies before. The attackers had mocked up an email and sender to target other companies within the industry. To all intents and purposes the email looked genuine. However, it was malicious: the attached “invoice”, which came in the form of a Word document, contained a macro that downloaded malicious code from elsewhere on the Internet. The malware delivered was Dridex (https://blog.trendmicro.com/trendlabs-security-intelligence/banking-trojan-dridex-uses-macros-for-infection/), which, as well as attempting to capture banking information, also attempts to propagate by email. Within minutes their entire email system had been brought to a halt, as the infected client on their network was sending out hundreds upon hundreds of spurious emails to everyone in its contact list. As well as slowing access to the internal MS Exchange server, this also caused significant levels of traffic on their outbound 50Mb internet circuit.
Layer 1 Baiting
Another form of social engineering is layer 1 baiting, where an attacker uses physical (layer 1) devices to gain access to or infect machines. A USB drive or a disc can find its way into the hands of a victim very easily: it may be left unattended in a communal area, sent anonymously via internal or external post, or even handed out at a trade fair or conference. The drive or disc may be labelled with something alluring, such as important confidential information that would be advantageous to the victim. All that is required is some sort of auto-run feature on the drive or disc, and as soon as it is accessed the machine could be compromised with malware or controlled by the attacker.
Staying safe and secure online can be a tricky business. The number one way to improve your online safety is experience. Over time, and by making the common mistakes we all do, you will improve your knowledge on what is safe and what isn’t. In this document we will try and give you some handy hints that should steer you in the right direction.
There are a number of key things to look out for when you are browsing the Internet and using email that will help keep you safe.
- Always keep your operating system and browser software up to date with the latest updates released online. It may seem annoying and time consuming, but this will help protect you from the latest vulnerabilities and backdoors that have been discovered for the software you are using, and help keep performance optimised.
- Whenever there is a clickable link within your browser or an email you have received, make sure that the link is actually taking you where you want to go. It is very easy for people with malicious intent to guide you into a trap unless you are careful. When browsing, hover over the link with your mouse and look along the bottom of the screen – this should tell you exactly where it is taking you. Similarly for email, hover over a link and the destination should appear in a little box. If you can’t determine where the link is taking you, and the source is doubtful, then don’t click – find the destination yourself by using Google. The same applies for clickable graphics within a webpage, another easy way to be caught out – always hover and make sure you are not being taken anywhere you don’t want to go. This goes for macros that are contained within documents or spreadsheets also – make sure the default settings do not activate macros automatically, and have users check before running them.
- Be wary of websites that are trying to refer you to another website, especially when browsing social networking. The website you are currently using might be safe, but this additional site may not be. If you are logged into a website with your personal information, all it takes is a couple of clicks in the wrong direction and your information is open to someone else. The link may promise discounts, or extra content, or some fantastical viral video of a man eating his own shoes that is a “MUST SEE”. If in doubt, make a note of the website where it is trying to take you and Google it to see if it has a reputation. Googling “is xxxxxx.com safe?” should display enough results to help you make your mind up.
- Another thing to be acutely aware of when using social networking is the privacy settings of whatever site you are using, and the golden rule that what goes online, stays online. Familiarise yourself with the privacy settings and functions, and make sure you are happy that what you are uploading is only visible to the group of people you are comfortable with. Don’t upload anything publicly that you wouldn’t want to be discovered by a potential or current employer – job interviewers can and will Google you before you have even sat in front of them.
- Remember: if something seems too good to be true, it probably is, and is best left avoided.
- Maintain some virus and malware protection on your machine. There are a plethora of good products on the market for solely these purposes, and you might find that your business machine is already protected. However a good free piece of software to use is Avast Free Antivirus, which runs in the background and is not too intrusive. Spybot and MalwareBytes are another couple of good pieces of software that you can run every few days or weeks to scan your machine and keep it clean. Again, if you are going to use them, keep them up to date.
- Always be wary when attempting to download files from the Internet. Make sure that the type of file you are trying to download is the actual type of file that you have received. It’s always a good idea to have file extensions switched on within your operating system – a lot of modern operating systems have this disabled by default. If you are having trouble enabling this, a quick Google should help you. The file extension is usually 3 letters long and sits after the full stop in a filename. Those 3 letters at the end are very important and tell your machine what to do with the file. For instance a .doc or .docx file is usually a Microsoft Word file, a .txt file is plain text, a .mp3 file is a sound clip encoded using the MP3 codec, and so on. Always be wary of files that have a .exe, .bat, .dll or .com extension – these files are runnable programs and will attempt to install or change something on your machine. If you have tried to download a text file, for instance, but when you look at the file it has a .exe extension at the end, this is clearly not a text file and could harm your machine. Be on the lookout for files that have a double extension also, so you might have a file that has .txt.exe at the end. Always avoid these – there are very few legitimate reasons for a file to have a double extension.
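Two of the checks above (hovering over a link to compare the address it shows with where it really goes, and looking at an attachment's extension) can also be applied automatically, for example in a mail-filtering rule or a training exercise. The following Python script is an added example written for this guide, not activereach's own tooling; the email body and filenames are constructed samples.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse
EXECUTABLE_EXTS = {"exe", "bat", "dll", "com"}   # extensions the guide calls runnable programs
# Visible link text that looks like a web address; only then does the hover check apply.
SHOWN_URL = re.compile(r"(?:https?://)?([A-Za-z0-9.-]+\.[A-Za-z]{2,})(?::\d+)?(?:[/?#]\S*)?")

class _Anchors(HTMLParser):
    """Collect (href, visible text) pairs from an HTML email body."""
    def __init__(self):
        super().__init__()
        self.links, self._cur = [], None
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._cur = [dict(attrs).get("href") or "", ""]
    def handle_data(self, data):
        if self._cur is not None:
            self._cur[1] += data
    def handle_endtag(self, tag):
        if tag == "a" and self._cur is not None:
            self.links.append(tuple(self._cur))
            self._cur = None

def _same_site(shown, actual):
    return shown == actual or actual.endswith("." + shown) or shown.endswith("." + actual)

def mismatched_links(html_body):
    """(shown host, real host) pairs where the link text shows one address but the
    href goes elsewhere. Text such as 'Click here' is not an address and is skipped."""
    parser = _Anchors()
    parser.feed(html_body)
    found = []
    for href, text in parser.links:
        m = SHOWN_URL.fullmatch(text.strip())
        actual = urlparse(href.strip()).hostname      # hostname ignores user@host tricks
        if m and actual and not _same_site(m.group(1).lower(), actual.lower()):
            found.append((m.group(1).lower(), actual.lower()))
    return found

def attachment_flags(filename):
    """Reasons the guide gives to distrust a filename: a runnable extension and/or a
    double extension such as notes.txt.exe (archive.tar.gz is also flagged, for review)."""
    name = filename.lower().replace("\\", "/").rsplit("/", 1)[-1]
    exts = [p for p in name.split(".")[1:] if p]
    return ((["executable"] if exts and exts[-1] in EXECUTABLE_EXTS else [])
            + (["double-extension"] if len(exts) > 1 else []))

SAMPLE_BODY = (  # constructed sample message, not a real email: shown address hides another host
    '<p>Your invoice is attached.</p>'
    '<a href="http://www.yourbank-example.com.secure-login.example.net/">'
    'www.yourbank-example.com</a> <a href="https://www.yourbank-example.com/help">Contact us</a>')
```

Running `mismatched_links(SAMPLE_BODY)` reports the first link only, and `attachment_flags("Invoice.txt.exe")` reports both an executable and a double extension.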
- Be careful of fake downloads or updates whilst browsing websites. You might get a message popup that looks legitimate that is saying you have to upgrade or update your software to continue using the website. Always be careful and always make sure not to click on anything you are not 100% sure about. If you are unsure, exit the website and visit the vendor website for that software and check for updates manually.
- Be careful of pop ups in general. They are frequently malicious, and at the very least want to redirect to their website to buy something you don’t need. Be wary of pop ups that look to imitate genuine vendors. Adobe Flash is a common plugin used by everyone. It is also a common imitation that comes up, especially if you are using streaming websites. The website may suggest to you that you can’t view the content unless you download and install their own player. Always avoid this – if you can’t view the content on the website, go elsewhere.
- Avoid installing toolbars and browser add-ons that are suggested to you during install processes. When you are installing a new piece of software, don’t be scared – always choose the “custom” installation. This will enable you to determine exactly what is being installed on your machine and what is being tacked on to your browsing experience. A lot of the time, you will find that the “custom” installation just involves a couple of extra tick boxes for useless toolbars or annoying malware that can be very difficult to get rid of.
- Lastly, and this may be considered controversial in some circles, try to avoid using Microsoft Internet Explorer if you can. This is the most common browser that is bundled with almost every single PC or laptop in the world, which means it is the most common target for hackers and virus authors. There are plenty of very good alternatives out there. activereach recommends using Mozilla Firefox, which you can get here: https://www.mozilla.org/en-GB/firefox/new/ or Google Chrome.
Watch this video also for some online safety tips.