
Why is Cyberhygiene So Hard?

This blog comprises show notes for my CoolTimeLife podcast entitled Why is Cyberhygiene So Hard?

Just a couple of days ago, I received a text from my 75-year old mother. It read literally as follows: “I just received a message from Netflix saying an error had occurred during my last payment. Please verify you [sic] payment method by following this link. I followed the link, but it is asking for information regarding my credit card. Do you think this is a scam?”

She followed up with a second text where she highlighted the fact she noticed the grammatical error of “you” instead of “your.”

Of course, I texted her back immediately and told her this was a scam. “You didn’t click on anything did you?” I asked.

“Yes,” she replied, “but I only entered my email address and password. Was that OK?”

And so, I spent the next hour on the phone showing her how to change her Netflix password, and admonishing her once again about the danger of clicking on these types of messages.

Why does this continue to happen? Why are people still being seduced by stories of millions of dollars belonging to a Nigerian prince that needs to be parked in your bank account? Why do people click on badly written notifications of frozen bank accounts, missed courier shipments or job applications? Why is the most common password in use still PASSWORD123?

It’s because criminals are getting progressively more sophisticated while honest people generally are not.

Bad guys relentlessly focus on devising new ways to steal. That’s their primary occupation in many cases. But ordinary people have other pressing matters to attend to. Emails. Meetings. Groceries. The Kids. Phishing is a distraction crime, and people have too many things occupying their minds. It’s still easy for the phishing emails to slip through no matter how badly they are spelled.

In the case of my aged mother, there is also the notion of trust. She comes from a generation in which there was some degree of trust based on a common and more localized culture. In the 1960s and 1970s, before voice mail and robocalls, it was likely that anyone who called your home phone had a direct relationship with you. To answer it was a common courtesy, a habit that is now exploited by scammers every day.

Some of them don’t even need you to answer the phone. Do you get mysterious hang-up calls from distant countries like Albania or Chad? These calls are intended to get you to call back, curious as to who the caller might be, and as soon as you do so, an elaborate long-distance chargeback scam kicks in.

Online, the key issue is data. Hackers will do anything to get in, because once they do they have access to data of all types.

A lot of end users dismiss the threat, or remain blissfully unaware that a threat even exists. Let’s look at both of those for a moment.

First, dismissing the threat. “My company is too small to get hacked,” you might say. Or “I’m just a junior employee, I don’t have anything of value.” There appears to be no motivation to get strict on password management or cyberhygiene when the stakes seem so low.

But they are not low. They are incredibly high.

Every company and person is connected to every other company and person through the internet. As a criminal, I could easily pair up a common password, like Password123, with low-tech approaches such as researching your mother’s maiden name on Facebook to correctly answer a challenge question. Or, if I were more sophisticated, I could use brute-force attacks like credential stuffing to overwhelm a company’s IT defenses. Software-based attacks often take place once something has been allowed into the system, through a phishing email or an infected USB drive.

Every additional piece of data that an organization can collect from you – a home address here, a challenge question answer there, a medical record – all pull together to form a stronger and stronger collection of pieces of data about you, and also about people connected to you, which is basically anyone and everyone.

Humans should never dismiss a small indiscretion as being insignificant. For example, re-using a password that you used on a different account a couple of years ago might mean nothing to your busy, distracted mind, but data is data. Someone out there is busy hammering away at your accounts with every piece of data about you they have been able to obtain, and just like inheriting a collection of unlabeled door keys, if you try every one of them, the odds are, one will connect.

Complacency. Ignorance. Optimism. These are dangerous things to have when all of your security is at stake.

Even though you personally are obviously not a hospital or a nuclear power plant, a simple infected document inadvertently sent to an HVAC contractor – a contract for some work at your house, for example – can easily infect the contractor’s own systems. If this contractor’s next job is working on the HVAC system at a nuclear power plant, the infection propagates. Yes, these large places have extensive IT and cybersecurity resources, but it’s always a cat-and-mouse game, as frequent data breach stories in the news will attest.

When was the last time you changed the password on your home Wi-Fi router? Do you know how much your home assistant software, your phone, or your new big screen TV are listening to you? Do you know how easy it is for hackers to gain access to your new smart doorbell or nannycam – not only to steal data but to listen in and, in some cases, communicate with family members?

Password Manager

What brand of password manager are you using? Most people will look blankly at you when you ask them that question. To me that’s like someone saying, “What’s Ebola?” Basically, as the expression goes, if you’re not part of the solution, you are part of the problem. And yes, Ebola can happen anywhere.

So, a lot of gloom and doom here? No, not really. So much of this is eminently preventable. Criminals might be everywhere, but they are also very lazy. They want the easiest way to break into something, and basically, you are it.

One of the easiest ways to stop being that easy way in is to ensure the sanctity of your passwords by using two strong tools: a password manager and Two Factor Authentication.

A password manager is a software app, like LastPass or Sticky Password, that generates passwords for you. These are long strings of characters, numbers and symbols that you could not possibly memorize and that bad actors could not possibly guess. Every time you log on to a website that requires a log-on, the app will help you generate a password or replace the existing one. It will never create duplicates. Where do these passwords get stored? Not on your computer, and not on the servers of the app itself. Not even in transit on the wires of the internet. The password only reappears when you, as a logged-in user of the password manager, go and visit a page where a password is needed. The password manager sends an encrypted message to an encrypted file on your computer, and only then will the actual password reconstitute itself from its encrypted state. It’s a little like alchemy and is more involved than the way I describe it here, except to confirm that your passwords do not actually get stored anywhere. They get scrambled, like scrambled eggs, and will only reappear when your circumstances allow it.
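As an added example (not code from this post or from any password-manager product), the following stdlib Python shows the mechanism behind the "scrambling" described above: the master password is turned into keys by a deliberately slow derivation and is never stored, and what the vault writes to disk is only ciphertext plus an integrity tag, so a wrong master password or a tampered file yields nothing. The HMAC-based counter-mode stream cipher is a stand-in for the authenticated encryption (AES-GCM or similar) a real product uses; the function names and sample entries are constructed.

```python
import hashlib
import hmac
import json
import os
import secrets
import string

PBKDF2_ITERATIONS = 600_000  # slow on purpose: every guess at the master password costs this much work


def generate_password(length=24):
    """Random password from a 94-character alphabet; never reused because it is never memorized."""
    alphabet = string.ascii_letters + string.digits + string.punctuation
    return "".join(secrets.choice(alphabet) for _ in range(length))


def _derive_keys(master_password, salt):
    # The master password is never written anywhere; only keys derived from it are used, in memory.
    material = hashlib.pbkdf2_hmac("sha256", master_password.encode(), salt, PBKDF2_ITERATIONS, dklen=64)
    return material[:32], material[32:]  # (encryption key, authentication key)


def _keystream_xor(key, nonce, data):
    # HMAC-SHA256 in counter mode as a stand-in stream cipher; a real vault uses AES-GCM or similar.
    out = bytearray()
    for block, start in enumerate(range(0, len(data), 32)):
        keystream = hmac.new(key, nonce + block.to_bytes(4, "big"), "sha256").digest()
        out.extend(a ^ b for a, b in zip(data[start:start + 32], keystream))
    return bytes(out)


def seal_vault(master_password, entries):
    """Return the on-disk blob: salt | nonce | ciphertext | tag. No plaintext password appears in it."""
    salt, nonce = os.urandom(16), os.urandom(16)
    enc_key, mac_key = _derive_keys(master_password, salt)
    ciphertext = _keystream_xor(enc_key, nonce, json.dumps(entries).encode())
    tag = hmac.new(mac_key, salt + nonce + ciphertext, "sha256").digest()  # encrypt-then-MAC
    return salt + nonce + ciphertext + tag


def open_vault(master_password, blob):
    """Reconstitute the entries, or return None if the master password is wrong or the blob was tampered with."""
    salt, nonce, ciphertext, tag = blob[:16], blob[16:32], blob[32:-32], blob[-32:]
    enc_key, mac_key = _derive_keys(master_password, salt)
    expected = hmac.new(mac_key, salt + nonce + ciphertext, "sha256").digest()
    if not hmac.compare_digest(tag, expected):
        return None
    return json.loads(_keystream_xor(enc_key, nonce, ciphertext))
```

The integrity check runs before any decryption, so a wrong master password is indistinguishable from a corrupted file, and neither leaks partial plaintext.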

The point here, as with much of what I write and speak about, is that the technology and techniques for effective cybersecurity exist. But it’s people that get in the way. Yes, it’s a hassle having to change your password every two weeks, but there’s a reason why that has to happen, and an app like LastPass makes it easy and effortless, and much more secure.

The same applies to Two Factor Authentication, or even Multi Factor Authentication. This technique is becoming just as vital as password management software, since it broadens your defenses by an order of magnitude. In short, Two Factor Authentication, called 2FA for short, requires a second password sent to a second physical device that only you have. In most cases, that is your phone.

Whenever you are given the opportunity to use 2FA, take it. Yes, the few seconds of delay required waiting for the passcode to appear on your phone is worth it. It’s like putting a deadbolt on your door.

Why is Cyberhygiene so hard?

Cyberhygiene is hard because it demands two things of you: time and comprehension. In an age of instant satisfaction, a delay of mere seconds can be enough to make an online consumer abandon a shopping cart, or happily ignore the warnings and log on to public WiFi unprotected. Or click “accept” on every cookies warning that every website now presents. I mean, have you ever read the terms of those things? Of course not.

Secondly, learning how to create secure passwords has a perceptual barrier. It appears difficult, so it is passed by.

It is easy to assume that as an individual you are too small, too insignificant to be of interest to a cybercriminal. But you would be wrong on two counts. Firstly, your personal data, including name, address, social security number and everything else, can be used by thieves to open credit card accounts, buy houses, or create fake identities to be used in an infinite number of ways. Second, you, I and everyone else are connected to everyone else in a global game of six degrees of separation, meaning we all become conduits to security breaches and crime at even the largest and highest levels.

If you want to boil it down to three simple rules, I would propose these three.

  1. Use a password manager for everything that you connect to, including home devices.
  2. Never answer the phone unless you know who it is. Phone scammers need you to answer.
  3. Never click on any link that comes to you through email, even if it looks legit. If it’s something that might be a real transaction, go to the source directly – log in to your account through the website and password you have on hand, but never through the email itself.

Cyberhygiene is both a learned physical skill and a mindset, and both are vital to your existence both on and offline. Just like stopping off to get gas for your car, it’s something you have to do in order to keep going.

If you have a comment about the show, or a question you would like answered in a future episode, please let me know. You can drop me a line through the contact form at steveprentice.com, and you can follow me on Twitter @stevenprentice (spell out) and on LinkedIn – just search for CoolTimeLife – no spaces, just one word. If you like what you hear, please subscribe and leave a review.

The theme music for the CoolTimeLife was obtained through PodCastThemes.com.

Until next time, I’m Steve Prentice. Thanks for listening.

This is the transcript of the CoolTimeLife podcast entitled Why is Cyberhygiene So Hard? If you would like to listen to it, you can check it out at our podcast site here. If you would like to review other podcasts in this series, visit my podcast page at stevenprentice.com/podcast.html