The Cybersecurity and Infrastructure Security Agency (CISA) has set this year’s theme as making cybersecurity easier for the end user. By identifying and expanding on four fundamental pillars of online security, 2023’s Cybersecurity Awareness Month aims to guide end users toward safe practices online.
Two of our regulars, Dan Lohrmann, Field Chief Information Security Officer (CISO) for Public Sector at Presidio, and Dave Trader, Field CISO at Presidio, join us again to discuss the importance of building a strong foundation for cybersecurity through the four pillars associated with this year’s theme.
Creating a strong foundation for cybersecurity
The theme serves a higher purpose: reinforcing the basics of online safety so that the wider conversation can build on them. When discussing cybersecurity, it is important to understand that basic online safety principles, such as proper password management and software maintenance, must be in place before any in-depth conversation can succeed.
“I like the messaging of the theme and the premise of back to basics. There is a lot of support behind ensuring we can secure our systems personally and professionally. I just think no one knows where to take that next step,” Dave says.
With a complete, thorough understanding of the basics, discussions can move further into deeper conversations.
“We cannot have high-speed, deep conversations if the fundamentals of cybersecurity are not in place. I see us returning to this conversation quite often because we continue to miss the smaller stuff,” Dave says.
Cyber adversaries capitalize on small mistakes and turn them into big wins for the bad guys. Dave compares it to making sure every window and door in your home is locked each night. Ensuring basic online safety precautions are in place is a tedious process, but it must be done with vigor and intentionality to build positive outcomes for the good guys.
The four pillars of basic cybersecurity
“Hackers, like water or a hand grenade, will follow the path of least resistance,” Dave says.
The four pillars of basic cybersecurity discussed under this year’s theme are the core areas. They are the low-hanging fruit that cyber adversaries target most frequently and use to create massive problems for unsuspecting individuals and even some of the largest enterprises.
Using strong passwords and a password manager
At the dawn of the internet, many individuals created a password based on something simple, such as the name of a pet. Since then, every password for every account they have ever held has been some derivative of that first one.
When a hacker gains access to one of those passwords, it will eventually be used to build a profile of the individual on the dark web. Once cyber adversaries have ready access to one derivative, they can use a password cracking tool, such as a rainbow-table cracker, and gain access to all of the individual’s other accounts in less than ten seconds.
The crucial first step is changing the password to the central hub of all of your accounts: your email account. A password manager, such as 1Password or Keeper, can create extremely unique passwords containing 48 complex characters.
If that shared element across your passwords does not exist, the bad actors cannot use one compromised password to access your other accounts.
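As an added illustration of the derivative-password problem described above (example code, not from the podcast or from Presidio): a defender-side policy check that flags a new password as a variant of one already known to be reused or breached, beside a manager-style random password that shares nothing with any other. The normalization rules, the leet-substitution table and the 0.8 similarity threshold are assumptions chosen for this example.

```python
import re
import secrets
import string
from difflib import SequenceMatcher

# Common "leet" substitutions people use to vary a base password (constructed table)
LEET = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a",
                      "5": "s", "7": "t", "@": "a", "$": "s"})


def normalize(pw: str) -> str:
    """Reduce a password to its base word: lowercase, strip the numeric/symbol
    prefix and suffix (Fluffy -> Fluffy1 -> Fluffy2023! drift), undo leet."""
    base = pw.lower()
    base = re.sub(r"^[^a-z]+", "", base)   # drop leading digits/symbols
    base = re.sub(r"[^a-z]+$", "", base)   # drop trailing digits/symbols
    return base.translate(LEET)


def is_derivative(candidate: str, known: str, threshold: float = 0.8) -> bool:
    """True if candidate looks like a variant of an already-known password."""
    a, b = normalize(candidate), normalize(known)
    if not a or not b:
        return False
    if a == b:
        return True
    # Containment only counts for bases long enough to be meaningful
    if min(len(a), len(b)) >= 4 and (a in b or b in a):
        return True
    return SequenceMatcher(None, a, b).ratio() >= threshold


def derivative_of_any(candidate: str, known_passwords) -> bool:
    """Policy check: reject a new password derived from any known one."""
    return any(is_derivative(candidate, k) for k in known_passwords)


def generate_password(length: int = 48) -> str:
    """Manager-style random password with no relationship to any other password."""
    alphabet = string.ascii_letters + string.digits + string.punctuation
    return "".join(secrets.choice(alphabet) for _ in range(length))


if __name__ == "__main__":
    breached = ["Fluffy1", "hunter2"]          # constructed sample of known passwords
    for pw in ["Fluffy2023!", "F1uffy99", "Tr0ub4dor&3", generate_password()]:
        print(f"{pw[:20]:<20} derivative={derivative_of_any(pw, breached)}")
```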
Turning on multi-factor authentication (MFA)
Multi-factor authentication tools are a hacker’s worst nightmare. By requiring multiple forms of authentication, they make it much harder to gain access to an account by guessing a password or even by already having access to one account.
MFA applications, such as Cisco’s Duo, offer an even deeper layer of protection compared to a standard SMS text MFA.
Updating your software
Many enterprises and individuals do not keep their software up to date, meaning any patches released since the last update are not in place to protect them.
The bad actors prey upon this. Often, older malware strains from years prior are still extremely effective, solely because hackers can rest assured that the majority of systems are not up to date with the latest fixes.
“It is still the same theme in the world. Hackers do not have to be the best in the world, they just have to be better than their neighbor,” Dan says.
Recognizing and reporting phishing attacks
In the old days, even the best phishing attempt was an unexpected email full of misspellings and erroneous sender information, alluding to the recipient winning a lucrative prize and encouraging them to click a suspicious link.
Those days are over. AI and Deep Fakes are giving bad actors new leverage.
“This is like phishing on steroids. They are using voice credentials they harvest on the deep web. People are getting calls from familiar-sounding individuals with extreme threats, such as demanding ransom payments for the release of their granddaughter who was kidnapped,” Dan says.
While previous phishing attempts were much easier to spot, many people still fell for them. With Deep Fakes and AI empowering the bad actors, it is becoming nearly impossible to distinguish real from scam. Performing due diligence before providing any additional information, and ensuring protective measures are in place, are crucial when dealing with potential phishing attacks.
Most importantly, reporting the potential scams and phishing attempts you encounter is the only way to stop the hacking organizations behind them.
Interested in learning more? Listen to our full conversation with Dave and Dan where we take a deep dive into adhering to basic cybersecurity principles, the added risks from AI and Deep Fakes, the hack experienced by MGM and Caesars Palace and more. Listen on Apple Podcasts, Spotify, or your favorite podcast player.