October 11, 2019
Cybersecurity Awareness Month

The Fun, Friendly Ways You’re Opening Yourself Up to Cybersecurity Threats

Corey Williams – Idaptive
Corey Williams Vice President, Marketing

October is National Cybersecurity Awareness Month, which is a great time to consider the seemingly innocuous ways you’re making yourself – and your organization – vulnerable to attack.

The term “cybersecurity threat” conjures up images of shadowy hackers probing at firewalls and digging through code to find flaws and unchecked pathways into your data. But what if the biggest threat to your cybersecurity was you? And, unwittingly, your end-users?

As October is National Cybersecurity Awareness Month, it is the ideal time to recognize the myriad of ways you are making yourself vulnerable without even realizing it. Games, trivia questions, even simple status updates can be a goldmine of potentially exploitable data for anyone inclined to be searching for it. Here are some ways you can challenge yourself, and your users, to approach their digital life more cautiously, and protect their data more thoroughly.

Fun & Games

Frequent Twitter users have no doubt had experience with crowdsourced ice breaker questions that, on the surface, seem little more than playful attempts to share in some communal nostalgia. Questions like: What was the first car you owned? Does anyone remember their first phone number? What were the top 3 movies that came out while you were in high school?

They may seem harmless, but you’re giving away more information about yourself than you may realize. Seemingly innocuous questions about early car ownership, for example, like “what kind of car did you learn to drive stick on?” or “what kind of car were you driving in high school?” are potential mother lodes of information, as journalist and investigative reporter Brian Krebs wrote on his Krebs On Security site. “I hope this is painfully obvious,” says Krebs, “but for many people the answer will be the same as to the question, ‘What was the make and model of your first car?’, which is one of several secret questions most commonly used by banks and other companies to let customers reset their passwords or gain access to the account without knowing the password.”

Other questions might seem less obvious but could provide malicious actors with useful context to make better assumptions about your identity. Giving away your first phone number could help someone pinpoint a prior address or at least city, which is often used as an identity test. Giving away the dates of popular movies (or, say, first concerts) sets a pretty narrow window for your high school years and, consequently, makes it easier to assess your age. If someone were motivated enough, they could start to piece together enough details to overcome some basic security protocols.

Status Updates

There is no way wishing your mother a Happy Birthday on Facebook could result in anything harmful, could it? While the goal of National Cybersecurity Awareness Month isn’t to make people paranoid or obsessive, it should at least cause you to think a bit more about your social habits. And, yes, we’re sorry to say it, but that “Happy Birthday” to Mom could be a problem.

Once again, you have to think like a motivated hacker. What details are you giving away when you wish Mom well on her birthday? For one, you are giving away her date of birth, clearly. But what if your mother goes by her maiden name? Now someone has her DOB and her maiden name, both elements that can be used in identity authentication processes.

Our love of documenting every significant (and insignificant) event in our lives is making it easier for hackers to access data and, in some extreme cases, even social engineer their way into physical spaces. A hacker named Snow (real name: Stephanie Carruthers) who tests out security flaws for IBM recently wrote an editorial for Fast Company about how social media addiction has both obvious security risks (including how location data on Instagram or Twitter posts makes your every move trackable) and more subtle ones:

“The first thing you may be surprised to know is that 75% of the time, the information I’m finding is coming from interns or new hires. Younger generations entering the workforce today have grown up on social media, and internships or new jobs are exciting updates to share. Add in the fact that companies often delay security training for new hires until weeks or months after they’ve started, and you’ve got a recipe for disaster. Knowing this weak point, along with some handy hashtags, allows me to find tons of information I need within just a few hours. Take a look for yourself on your favorite social apps for posts tagged with #firstday, #newjob, or #intern + [#companyname].”

Carruthers goes on to add that a quick photo of you and your new workmates may include background information that can be used in phishing attempts (a flyer for a corporate softball league may inspire a hacker to send a team email asking for info), and a proud photo of your new security badge and headshot makes it easy for someone to mock up their own version at home.

Even a site like LinkedIn, which is usually free of personal content, can be more revealing than you want it to be. Too much information about previous employers can, for example, reveal locations where you’ve lived, and when. All details that can begin to paint a pretty thorough, and convincing, digital portrait of your identity.

So, is it safer to avoid social media altogether? Yes. But it’s also not realistic. Social media is too ingrained in the fabric of our society, and in both our personal and professional lives, to be completely abandoned. Being more conscious of the potential dangers (as remote as they could be) and more selective in the type of information you post freely goes a long way towards strengthening your overall digital security. Take these measures to protect yourself and reinforce this with your end-users.

Awareness is step one. #BeCyberAware

Corey Williams is the Vice President of Marketing & Strategy and lead evangelist for Idaptive, leading all marketing functions, as well as market development and strategy. Corey served as the Senior Director of Products and Marketing for more than a decade at Centrify where he was the visionary behind, and the first product manager of, the set of products that were ultimately spun out of Centrify to become Idaptive, including leading SaaS services for Single Sign-on (SSO), Adaptive Multi-factor Authentication (MFA), endpoint and mobile context, and User Behavior and Risk Analytics (UBA).

 While at Centrify, Corey defined and brought to market seven net-new product offerings directly contributing to the growth of the existing customer base from less than 400 customers to over 5000 customers. He also led efforts with major industry analysts that directly resulted in Centrify being named as a leader in all of the major analyst reports including the Gartner Magic Quadrant and Critical Capabilities reports for Access Management, Worldwide; Forrester IDaaS Wave; KuppingerCole Cloud MFA Leadership Compass; and Network World Clear Choice Winner for Single Sign-on Solutions.

Corey is a frequent speaker and commentator on IT Security and IT Management. He has authored several publications, including “Zero Trust Security for Dummies”, a leading guide for enterprise managers.

Prior to Centrify, Corey led products and marketing for SpikeSource (acquired by Black Duck Software), Syndera (acquired by Tibco), and Journee Software (acquired by Initiate Systems). Earlier in his career, he managed pre- and post-sales consulting for Active Software (acquired by webMethods). 

Corey holds degrees in Mathematics (BS) and Computer Science (BS) from New Mexico State University, as well as an MS in Engineering and an MBA from San Jose State University. 

CHAMELEON-LIKE SUPERPOWER

If Corey could have any chameleon-like superpower, it would be the chameleon's tongue, which is ridiculously fast. Some of the world's smallest chameleons have the world's fastest tongues. In automotive terms, the tongue could go from 0 to 60 miles per hour in a hundredth of a second! “I would be able to complete webinars in 4.5 seconds instead of 45 minutes!”