
Humanizing Cybersecurity: Embrace Essential Fundamentals

Be cautious about your friends' digital security, too. While you may have cybersecurity measures in place, your friends might not. So, don't let them fall for online scams!

Be alert to potential scams even with your robust cybersecurity, as friends should warn each other against falling victim to fraud.

Focusing on Humanizing Cybersecurity Amid Global Threats

October marks the midway point of Cybersecurity Awareness Month, an initiative by the US government aimed at increasing cybersecurity awareness among the public. While the initiative has received mixed reactions, the importance of staying vigilant against cyber threats remains crucial.

In the words of the Cybersecurity and Infrastructure Security Agency (CISA), "cyber threats on a global scale" are not limited to advanced persistent threats (APTs) from nation-state attackers or state-sponsored actors as one might assume from mainstream news.

The term "state-sponsored actors" refers to cybercriminals who operate with the support or protection of a country's government. These actors can avoid investigation or prosecution, allowing them to keep and even flaunt their ill-gotten gains.

Exposing the True Global Risks

Almost all cybercrime operates on a global scale, transcending international borders. Even in countries with stringent censorship or network restrictions, cybercriminals can easily target victims outside their country. Conversely, cybercriminals outside the country can just as easily harm victims within it.

Cloud services make it effortless for anyone to establish an online presence – a web server or blogging site, for instance – almost anywhere in the world. These services often come with a custom domain name and an automatic HTTPS certificate to lend an air of safety.

In many cases, hosted websites are available for a limited period free of charge to attract new subscribers, and cybercriminals can take advantage of this to operate scam campaigns. By creating a convincing imitation of well-known sites like webmail services, file-sharing utilities, or payroll systems, they can trick users into entering their login details, leading to account takeovers and data breaches.

Consequences of Compromised Accounts

Cybercriminals who gain access to accounts have various avenues to exploit them:

  1. Account Takeover: By heading straight for the account settings or user profile, the criminals may lock the legitimate user out, allowing them to control the account until the user regains access. Recovering a stolen account can take days, weeks, or even months.
  2. Account Settings Modification: In a business email compromise (BEC) attack, cybercriminals set up hidden mail processing and forwarding rules to engage in industrial espionage. For example, they might divert emails mentioning accounts payable or receivable, monitoring when the company expects funds to be paid in or out.
  3. Credential Stuffing: By trying the same password across multiple accounts, cybercriminals can gain control of all the user's accounts if they shared the same password.
  4. Selling Access Credentials: Initial access brokers (IABs) buy, sell, or trade access details on underground forums, where buyers can request access to specific targets and sellers can offer cracked accounts.
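
The hidden forwarding rules described in item 2 can be looked for from the defender's side. The following is an added example, not code from the original article: it audits an exported list of mailbox rules and flags those that forward mail outside the organisation, match finance wording, or delete the original message. The record fields, the ORG_DOMAINS and FINANCE_TERMS values, and the sample rules are all constructed assumptions.

```python
# Added example: audit exported mailbox rules for BEC-style forwarding.
# Field names and sample records are constructed for illustration only.
ORG_DOMAINS = {"example.com"}  # assumption: domains the organisation owns
FINANCE_TERMS = {"invoice", "payment", "payable", "receivable", "remittance"}

SAMPLE_RULES = [  # constructed sample export, not real data
    {"mailbox": "ap@example.com", "name": ".",
     "forward_to": ["ap.archive@example.net"],
     "keywords": ["accounts payable", "invoice"], "delete_after": True},
    {"mailbox": "cfo@example.com", "name": "Board papers",
     "forward_to": ["assistant@example.com"],
     "keywords": ["board"], "delete_after": False},
    {"mailbox": "hr@example.com", "name": "Newsletters",
     "forward_to": [], "keywords": ["newsletter"], "delete_after": False},
    {"mailbox": "ar@example.com", "name": "sync",
     "forward_to": ["ledger@EXAMPLE.COM.mail-relay.example.org"],
     "keywords": ["Receivable"], "delete_after": False},
]

def domain_of(address):
    """Return the lower-cased domain part of an address ('' if malformed)."""
    return address.rpartition("@")[2].strip().lower() if "@" in address else ""

def is_external(address):
    """Internal means an exact match or a true subdomain of an owned domain,
    so lookalikes that merely contain the owned name do not pass."""
    dom = domain_of(address)
    return not any(dom == d or dom.endswith("." + d) for d in ORG_DOMAINS)

def audit_rule(rule):
    """Return the reasons a rule deserves review (empty list if none)."""
    reasons = []
    external = [a for a in rule.get("forward_to", []) if is_external(a)]
    if not external:
        return reasons  # purely internal rules are out of scope here
    reasons.append("forwards outside the organisation: " + ", ".join(external))
    words = " ".join(rule.get("keywords", [])).lower()
    hits = sorted(t for t in FINANCE_TERMS if t in words)
    if hits:
        reasons.append("matches finance terms: " + ", ".join(hits))
    if rule.get("delete_after"):
        reasons.append("deletes the original after forwarding")
    return reasons

def audit(rules):
    """Map (mailbox, rule name) -> reasons, for rules with any finding."""
    return {(r["mailbox"], r["name"]): f for r in rules if (f := audit_rule(r))}

if __name__ == "__main__":
    for key, findings in audit(SAMPLE_RULES).items():
        print(key, findings)
```
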

Easing the Path for Cybercriminals

Starting as a cybercriminal who phishes for passwords and sells them online requires minimal technical skills. Ready-to-go web servers, domain names, and security certificates can be purchased in a matter of minutes for a few dollars. Open-source tools hosted on platforms like GitHub almost completely automate the process of creating a realistic yet harmful copy of a legitimate site.

Initial access brokers do not simply sell passwords but also traffic in 'attack directories' containing lists of unpatched servers with exploitable vulnerabilities. Many open-source tools make it simple for even novice attackers to scan the internet for vulnerable servers, automatically recording and updating lists of these targets.

Some attacks are highly targeted, with attackers choosing specific organizations to infiltrate, while others are more indiscriminate, focusing on vulnerable networks in a given category and moving through their list opportunistically. Regardless of the tactic, the underlying message is that simple precautions – phishing awareness, strong passwords, and software updates – remain crucial in keeping personal and business information secure.

Why not use Cybersecurity Awareness Month as a reminder to focus on the basics? Let us strive for a cybersecurity culture where we all prioritize getting the essentials right. CISA's social media tiles offer a useful starting point:

  1. Unique, long, random passwords: Forget artificial complexity rules and create passwords that are truly hard to guess.
  2. Phishing awareness: If an email looks suspicious, treat it as phishing and report it. To improve cybersecurity practices across the board, let's reject even those emails that might be legitimate but seem too close to phishing.
  3. Software updates: Stop delaying updates and learn to roll back updates that do not work as expected to improve your ability to respond to unexpected outages.
  4. Become a cybersecurity champion: If you have cybersecurity covered in your personal life, don't forget to share information and encourage others to stay safe online.

Let us work together to build a culture where we consistently Prioritize the Basics. Why not consider using Cybersecurity Awareness Month as a rallying cry to achieve this goal in the coming year?

Consider how our platform can support you in implementing cybersecurity measures tailored to human needs. Don't let your security strategy be dictated by tools that may not suit your IT team, colleagues, or customers.

  1. Embracing technology can significantly enhance cybersecurity education and self-development, as tools like automated phishing simulations, password managers, and security training modules can help individuals learn to identify and avoid cyber threats more effectively.
  2. To ensure the successful implementation of cybersecurity measures, it's essential to prioritize education and self-development by fostering a culture of continuous learning and adaptation, utilizing the resources provided during Cybersecurity Awareness Month as a stepping stone towards a safer digital future.
