FortiGuard Labs Perspectives
Many people forget how easy it is for cybercriminals to gain access to their data when the appropriate cyber hygiene steps are not taken. Breach fatigue is a reality, but cybercriminals are relentless in their pursuit of all kinds of sensitive information, including usernames and passwords. These passwords, especially if used on multiple sites, can lead to several of your online accounts being compromised. Exposed passwords are an easy target for cybercriminals and put both your critical data and corporate networks at risk. This is just another reminder of the constant risk we face every day as cybercriminals continue their cyberattack campaigns.
Aamir Lakhani and Jonas Walker of Fortinet’s FortiGuard Labs discuss cyber hygiene as hybrid work and learning become the norm and as many organizations start to bring workers or students back in person. Securing information online while working or learning across multiple devices, and more frequently on the go, will not be the same as it was pre-pandemic. It is a good time to review some fundamentals. Here are some tips for good cyber hygiene.
Cyber hygiene involves a series of practices and precautions that keep employees and their devices safe, especially with a hybrid work model. With distributed networks, IoT everywhere, the adoption of multi-cloud infrastructures, and a growing reliance on SaaS applications, it can be a challenge to keep up.
Jonas - Still a very important question that still needs attention. Many people will reuse one password for different applications or come up with variations and similar patterns – for example by changing the number at the end of their password from 1 to 2 – of that password when they need to update it. The pattern may have changed, but the password is essentially still the same. They're not really unique, and in my opinion, this is a big problem as data breaches continue and reusable passwords are something that is quite easy for attackers to abuse since they don't need to have any security details and they can just use credentials to log in to the systems. The keyboard layout is a great indicator of how common these patterns can be. Very often, if a website asks for a password with a special character or number, that special character is very likely going to be an exclamation mark, because it is right above the 1 key. Attackers are well aware of these common patterns and they can use technology to correlate these kinds of data to figure out what kind of structures people are using. This is a great example of machine learning technologies being used by attackers these days.
Aamir - Let’s not forget, there are millions of passwords that have been leaked, some of which are very, very old passwords. These passwords are being used over and over again by people on new sites. Sometimes they change a number or add or remove something from it, substitute a zero with an O, and so on. There are programs and tools that attackers use that look for these common substitutions and find easy access points. The programs can create new password lists, and from those hundreds of millions of passwords, they can generate millions more new passwords with combinations and try them automatically until they get a hit. I always encourage people to use unique usernames for each site. Some sites require you to use an email address for a username, but it is wise to create a new email address if possible in this situation. Personally, I create unique email addresses so I can identify if a site is selling my data.
Jonas - I'm a big fan of password managers. These password managers make life very convenient because whenever we sign up for a different platform, it will automatically generate a new unique password, and store it in its forms.
Aamir - Two-factor or multi-factor authentication is often implemented in these password managers, but it can provide users with a false sense of security at times. Many people will use multi-factor authentication with text or SMS verification, but those are not always as secure as some may think and this is when cyber hygiene can help prevent potential threats. These days most mobile phone operating systems provide pop-ups that ask “are you sure you want to share SMS data with this application” or “are you sure these are the permissions you want to give to these apps” in the terms and agreements, but not everyone is reading these. They usually just click "yes" and provide the application with more data than they originally planned to. Now, all apps don't necessarily need all permissions, but they may want them for a variety of reasons, such as data mining for advertisements. Malicious apps will ask for the ability to access your SMS messages and steal the codes sent when going through the multi-factor authentication process. Users really should consider what permissions they are giving the apps they download and what is being done with the information shared.
Jonas - Bringing remote work devices back to the corporate network needs to be very carefully handled because if you have breached devices outside your network and now you bring them in as an internal employee, this can be very critical if cyber hygiene is not taken into consideration. Keep in mind that home networks have been heavily under attack while people were working from home the last 18 months. Bringing these devices inside the corporate network might be something for attackers to leverage. Cybercriminals are always anticipating the next move and I have no doubt that they have thought about this already. That said, educating employees and providing training is essential as more devices access the corporate network.
Aamir - I agree, training employees and providing guidance on how to become cyber aware is essential for this shift in working and learning. Phishing attacks for example will remain common and as abundant as they have always been, but there are many other tactics cybercriminals will use to try to access the network. Training and security awareness is a big deal for safely returning to work. Sometimes knowing how to filter incoming email can be a really easy way to avoid phishing attacks. I recommend having two boxes, one for internal email and one for external, and using digital signatures to easily identify the trustworthiness of an email that might be posing as an executive or a coworker.