We regularly see the bad people getting into people's “stuff”. While there are tons of ways they can attempt to get in, a handful of popular and common attacks definitely stand out.
They tend to go through seasons: a few types of attacks get very popular because they work and the bad guys get in. Eventually, people (the victims) catch on and those methods stop working, so the bad guys find new and clever ways in, and those become popular for a while. So here are the ones we see a lot of currently.
Passwords are the keys to the kingdom. Once they have your password they can just walk past all the other defenses because, for all intents and purposes, at that point they may as well be you. There is soooo much they can do to you at that point. Worse, they can often pose as you to trick your friends, family, and clients by sending an email or logging in as you. It's horrible.
There are tons of ways to get passwords. They can guess using dictionary attacks or by cycling through every possible combination. They can get them off the Dark Web from websites and databases that have been hacked. They can trick users. One way or another, they are constantly getting them. So what to do?
There are a few simple things you can do that dramatically improve your safety in this area. The simplest is to use unique passwords for Every, Single, Site. These unique passwords should be long (think 10 characters or longer) and complex, using uppercase, lowercase, symbols, and numbers. But how to remember all these unique and complex passwords? There are a few amazing and helpful password tracking apps (password managers) out there that even go so far as to fill in the passwords for you!
Why unique on every site? Here is a common example. LinkedIn had their password database stolen (true story!). Let's say your LinkedIn password is the same one you use other places. Probably not the worst thing ever if someone got your LinkedIn password, but if it's the same as your bank's password or investment account, they could empty out all of your money! And it's NOT the bank's fault. You may NEVER get that money back again. Even your entire life's savings!
Do you use the same passwords on more than one site?
Another way to dramatically protect sites with passwords is to use something called Two-Factor Authentication or 2FA. Sometimes it is called Multi-Factor Authentication or MFA. This involves something you know (a password) plus something you have (a randomly generated code or your cell phone) or something you are (your fingerprint, eye scan, etc.).
So if you log into a site that offers 2FA as an option, you enter your password AND something else. They may text a code to your phone, or have an app you open that shows you a random number to enter.
So even if the bad guys HAVE your password, it is not enough. Even if they have the password and the last code used, it's not enough, as the code usually changes every 10 seconds or so.
Tons of sites and services work with 2FA. Facebook, many email systems, banks, sensitive programs, investment accounts, etc.
Are you protecting your email, bank account and other sensitive systems with 2FA? It’s easy and kinda fun!
Another popular attack is through Remote Desktop connections. This is often what people use to work from home.
The bad guys often know how to scan for remote desktop availability on a company's network. It's like looking for a back door or window on a house. Easy to find. Once they find one, they look for ways to open that door/window and often find a way in.
There are ways to improve the security of these connections. Or better yet, they can be hidden! There are ways to put these connections behind a barrier inside the office network to greatly increase security.
The key thing to know and to ask is, are staff remoting into the office to work? What method are they using? Could it be more secure?
Q: What is THE weakest part of all of your computer security systems?
A: The person in front of the keyboard!
The easiest and best way to get into a network is to trick someone. If you can get them to click something or give up some information, you're in! And it is shockingly easy to con most people. Even people who are otherwise sharp and street savvy.
The best way to fix this is through (1) training and teaching what to look for and when to be on alert, and (2) testing by phishing your staff with real but harmless phishing attempts.
There are a bunch of tricks and tips to spot a fake email. We even did a series of posts recently on InfoStream's Facebook page (you DID like our FB page, right?) with samples and what the secret giveaway is. Ways to check the link, check the sender, and other goodies.
Even with training and preaching safety, people either ignore this advice or THINK they already know it… until they get burned and fall for it. So an amazing fix for that is to phish your own staff! There are services that will send a convincing fake phishing email to everyone in your firm and track who fell for it and who didn't. Almost like a game. When we have done this, it gets everyone talking! About security, no less! Fool them once… and it's MUCH harder the next time.
So there you have it. The three hottest attacks we see causing damage right now: Passwords, Remote Desktop and Phishing. It's EASY to make a huge improvement in these areas. The bad guys are always on the lookout for the easiest targets. It doesn't take much to make a big difference and save yourself from a painful and expensive situation.
If you have any questions or would like some advice or help, let us know!