The threat of being targeted online is unfortunately becoming ever more prevalent, as our ‘digital footprint’ grows larger. We have to accept that we will never be 100% safe whilst online, but there are many steps we can take to limit our exposure and decrease our vulnerability.
Digital footprint
In order to operate the devices we use to access the Internet we transmit additional information prior to, during, and after we send and receive our data. Nefarious sources are able to identify the devices and networks we communicate on as well as the software and hardware being used. Collectively, this information is commonly referred to as your digital footprint – and the bigger your footprint, the larger your individual ‘attack surface’. Criminals will always come up with more elaborate ways of extracting data from us, through means such as malware, fake websites, phishing e-mails and more.
We make digital connections that leak data every day. Sometimes this is unavoidable, but what you do online and the tenuous connections you make can increase your personal attack surface. Everything you do online leaves a trail. Social media sites also hold a vast amount of personal minutiae. The more information you share online, the greater the risk of it becoming attractive to cyber criminals.
What happens online stays online!
The data we place online can easily be harvested and added to the data that others place online about us. Facebook has been ‘top dog’ in the social network for many years, with the most recent statistics showing 1.39 billion active users per month, posting, liking, uploading, and sharing information. This offers a great deal of potential for advertisers, but also to fraudsters – so it’s imperative that we understand how sites like this operate and how to enjoy them without giving too much away.
It’s not always people you have to think about either. What apps have access to your account? What access do companies you’ve “liked” have to your data? We suggest you review your search privacy, particularly that which allows search engines and advertisers to scour your profile.
Apps & your Privacy
WhatsApp is a great messenger app, owned by Facebook. However it is widely acknowledged that it has become the target of cyber criminals due to its popularity. When installed on an Android device, WhatsApp needs access to other data and services on your phone that you may consider private. The app automatically uses your address book to add people you know, which in itself is not an issue, but it can share your contacts automatically.
Why does the app ask for your phone number – to subscribe on premium services or to send you spam? One thing is certain: the majority of social media services aim to collect information that can be used for marketing and advertising purposes. When misused, this results in you receiving SPAM.
People, processes and technology
World-leading security technologist Bruce Schneier popularised the above phrase as a way of getting people to understand that Information Security is more than just relying on IT security systems. In many cases, security breaches start off by attacking the human who sits behind the IT systems. If the cyber criminals or fraudsters can get staff to divulge information over the phone, click on a phishing link in an email or visit a malicious website, the bad guys win!
If it can happen to them…
On November 22nd 2014, Sony Pictures Entertainment (SPE) discovered it had been the victim of one of the worst corporate hacks in history – nearly all aspects of Sony’s internal system had been compromised, meaning the repercussions could last years. Sony acknowledged the security breach to staff as a “brazen attack,” comprised of ‘malicious criminal acts’. The group #GOP (Guardians of Peace) claimed responsibility for the attack, prompting an FBI investigation.
In August 2015, hackers reportedly swamped Carphone Warehouse with junk traffic as a smokescreen, before breaking into its systems and stealing the personal details of 2.4m customers. Up to 90,000 customers may also have had their encrypted credit card details accessed. Customers with accounts at OneStopPhoneShop.com, e2save.com and mobiles.co.uk are all understood to have been potentially affected by the data breach. Notwithstanding the recent Talk Talk breach with 4m customers impacted, with a very similar attack.
The Threats
Some of the most common threats today are software attacks, theft of intellectual property, identity theft, and information extortion. Phishing attacks are a common example of a low cost attack, and the theft of intellectual property is an extensive issue for organisations. Theft of equipment or information is becoming more prevalent today due to the fact that many devices are mobile. Mobile phones are prone to theft and have also become far more desirable as the amount of data and device capability increases.
Sabotage usually consists of the destruction or disablement of an organisation’s website or services in an attempt to cause loss of confidence to its customers. Information extortion, or Ransomware, consists of theft of a company’s property or personal information as an attempt to receive a payment in exchange for returning it. It has become apparent that in this digital age, many attacks are pitted against the IT systems we use.
Staying Safe
Overall, the best way to prevent being targeted online is to take the ‘detect, deter, defend’ approach. Detect the potential threats by being aware of where they come from; use this awareness to deter from being in a vulnerable position; and defend your digital footprint.[su_box title=”Richard Beck, Head of Cyber Security at QA” style=”noise” box_color=”#336588″]
Richard Beck is Head of Cyber Security at QA, responsible for the entire Cyber Security portfolio. He works with customers to build effective and successful security training solutions tailored for business needs. Richard has over 10 years’ experience in senior Information Security roles. Prior to QA, Richard was Head of Information Security for four years at Arqiva, who underpin 20% of the UK’s Critical National Infrastructure. Richard also held Security and Technical Management posts at CPP, GEC, Pearson and the Royal Air Force. Richard sits on the IBM European Board of Security Advisors and previously chaired the Communication Industry Personnel Security Information Exchange (CPNI).[/su_box]
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.