Have you ever clicked a link on a website or social media platform that crashed your computer? Has an adware attack seized up your laptop? If those things sound familiar, it may be time for a “crash” course in cyber security.
What is cyber security?
Cyber security refers to processes, procedures and software applications that protect computers, networks, data and devices from malicious attacks. It goes far beyond safeguarding your home devices from viruses and malware, although that’s a significant part of cyber security.
Businesses and government agencies also use cyber security to protect sensitive data—such as personally identifiable information or state secrets—from being hacked by bad actors. According to the Department of Homeland Security, the definition of cyber security also includes ensuring the integrity, confidentiality and availability of protected information.
Cyberattacks are a huge problem and one of the reasons the demand for cyber security experts is growing much faster than most other professions. Cyberattacks are projected to cause $6 trillion in damage in 2021, according to Cybersecurity Ventures.
Dave Hatter, a cyber security consultant with Intrust IT, said everyone should be concerned about cyberattacks. “Just look at recent headlines and you see some really crazy things. A Florida city just sent hundreds of thousands of dollars to hackers in a ransomware attack. If you’re a Florida taxpayer, it affects you. Companies are going out of business from cyberattack losses—this is something that affects everyone.”
Cybercriminals pocketed about $1.5 trillion in profits in 2018—and that’s a conservative figure. The FBI’s Internet Crime Complaint Center believes that only about 10% of cybercrimes are ever reported.
Hatter said the problem will get worse. “The average person doesn’t understand that we are all targets because so much data has leaked in these massive data breaches,” he said. The numbers are shocking: In the first six months of 2019, there were 3,800 data breaches. Since 2013, nearly 15 billion data records have been exposed—everything from Social Security and credit card numbers to account login credentials.
Chelsea Brown, CEO and founder of Digital Mom Talk, said cyber security is everyone’s job in today’s digital world. “These are the skills that protect us from dangerous places online. Parents don’t realize that many of the problems and issues they face with their children online can be prevented by learning simple cyber security practices.”
What are the most common cyber security threats?
Cyber threats take many different forms, but the CIA organizes them into three different categories:
- Confidentiality: This means keeping your personal information private. Data theft is an example of an attack on confidentiality.
- Integrity: This refers to malware, viruses and other attacks that compromise your operating systems, apps and devices.
- Availability: Ransomware is a classic availability attack. The criminal denies you access to your data until you pay a fee. Businesses are often threatened with data deletion or denial of service attacks, another form of availability attack.
When it comes to specific cyberthreats, these are some of the most common and damaging:
Malware is malicious software created to steal data or damage networks and devices. It takes many different forms—viruses, trojans, spyware, adware and botnets—and it can be very difficult to defend against. Not only are malware programs masters of disguise, they can actually evolve and change their code “signature” every 15 to 20 seconds, making them extremely difficult to detect and block.
You can infect your device with malware by downloading MP3 or video files, installing an app, or clicking links in emails or text messages.
Cybercriminals can buy hacking kits on the dark web for about a dollar, and there are apps and tools available on sites like Amazon to help budding hackers set up shop. Hatter said these tools and automations make it cheap and easy for criminals to launch malware attacks, especially in the app market.
“In one month, Google took 25 apps off the market because they had malware, but not before millions of people had downloaded them,” Hatter said. “These app developers are writing hundreds of thousands of lines of code, and a criminal only has to find one hole or vulnerability to exploit it.”
Policing the hackers before their apps hit the market is easier said than done. There are more than 20 million registered iOS developers in the App Store alone; users downloaded 194 billion iOS apps in 2018.
During a phishing attack, a hacker sends an email or text message that appears to be from a legitimate business. If you click the link in the message, one of two things happens: You either download malware onto your device or you’re directed to a form to collect your personal information, which the hacker then steals. By some estimates, nearly $18,000 is lost every minute to phishing attacks. That’s more than $9 billion a year.
Phishing relies on social engineering tactics as opposed to exploiting vulnerabilities in software or devices. During a social engineering attack, the hacker appeals to your emotions—they try to scare you, alarm you or bait you with promises for free stuff.
These attacks often involve spoofing, where the hacker impersonates an official business or someone you know. Spoofing attacks can be very convincing. Facebook and Google, two of the most tech-savvy companies on the planet, were caught up in a $100 million spoofing scam. Is it any wonder average consumers get fooled?
Man-in-the-middle attacks are the digital equivalent of eavesdropping. During these attacks, a hacker gets between you and the business you’re communicating with and intercepts your personal data.
Wi-Fi eavesdropping is one of the most common types of man-in-the-middle attacks. It works like this: A hacker sets up near a business with public Wi-Fi—coffee shops are popular choices—and creates a fake connection with a legitimate-sounding name very similar to the business’s connection name. You connect to the fake network and fire up your tablet or laptop to shop, read email or check your bank balance. The hacker intercepts your communications and steals your login credentials.
Hatter said you should never use public Wi-Fi unless you connect through a VPN. “If you need to connect in public, use the hot spot on your phone,” he said. “Your hotspot uses your cellphone network, so it’s very hard to hack, and it’s very difficult for hackers to ‘evil twin’ the hot spot on your phone.”
Social media attacks
Social media is emerging as one of the fastest-growing vectors for cybercrime; it generates over $3.25 billion a year for the cybercriminal underworld. When you consider that 95% of working-age adults are on Facebook and the average person spends about three hours a day on social media, it’s easy to see why it’s become a gold mine for hackers.
Hatter always expects the worst when he sees “the next cool thing” on social media. “These quizzes like ‘What Disney princess are you?’ or the apps that show you what you’ll look like in 20 years—they’re bad news,” he said. The hackers design these quizzes to include questions similar to the security questions you use with your bank or shopping accounts. When you let the app access your Facebook profile and you provide answers to questions such as the name of your first pet or fourth-grade teacher, a criminal has all the information he needs to hack your accounts.
Free game apps are another source of attack by cybercriminals because they can be used to launch malware on your phone or computer.
“The thing you need to remember,” Hatter said, “is that nothing is free. If you’re not paying for the app, the payoff is your data. You’re the product, not the customer. These apps are not free because the developer is nice—these apps are thinly veiled malware.”
Of course, not all free apps are chock-full of data-stealing code, but Hatter said you need to do your homework. “If they collect your data, they are sharing it. You need to know who they’re sharing it with and what they’re doing to protect your data once they get it.”
What are best practices for cyber security?
Hatter said your best defense against cybercrime is to make yourself a hard target. “Imagine you and I are neighbors,” he said. “I have lots of exterior lighting, no shrubs around my windows, obvious signs of my security system and two big, barking dogs. Your house is dark, overgrown with shrubs and your deadbolt is broken. A criminal will go to your house because I’m a hard target.”
He puts cyber security protection into four “buckets”: credential management, operating system integrity, virus protection and personal education. He recommends the following steps to “harden” your devices and minimize your risk of becoming a victim.
Use unique logins and strong passwords, and don’t use the same credentials for multiple accounts. “An eight-character password is easy for a hacker to crack, but a 40-character one is much harder,” he said.
If you have a hard time remembering all your login credentials, try a password manager. These tools create strong usernames and passwords and organize and store them so you can quickly plug them into the sites you visit.
Take advantage of two-factor authentication with every site that offers it. “Google said two-factor authentication will block over 99% of attacks,” said Hatter. “Some hackers can get around it, but it’s almost impossible. It’s really the safest thing.”
Operating system integrity
All connected devices have an operating system—computers, laptops, phones, tablets, even smart TVs and doorbells. Developers release patches and updates to enhance performance and address new cyberthreats as they become known. Installing them gives you the most up-to-date protection against cyberthreats.
The Department of Homeland Security offers these tips for managing your upgrades and patches:
- Install updates as soon as they are available, and enable automatic updates to keep your devices protected. Hackers will test and attack known vulnerabilities long after updates are released, so it’s important to protect yourself as soon as possible.
- Never download patches and updates from public Wi-Fi networks unless you use a VPN. If your device is set to automatically update, disable the feature if you are traveling or using an unsecure network.
- Only download updates from trusted vendor sites; never click an email link or attachment to download your updates.
Antivirus software searches for, detects and removes malicious software and viruses. Antivirus software looks at everything your device interacts with—software, apps, websites, files—and flags or blocks suspicious behavior. It even blocks spam email.
A device without virus protection can be infected as soon as it connects to the internet. There are more than 60,000 new versions of malware created every single day. It’s not enough to just protect your desktop or laptop computer. Hatter recommends installing virus protection on your phones and tablets, too.
“There are free antivirus programs that do a good job, and free is better than nothing,” Hatter said. “But if you’re not scanning your devices regularly, you’re just asking for trouble.”
Hatter said it’s everyone’s responsibility to learn about cyberthreats and how to protect yourself. “Bad guys prey on ignorance and people’s unwillingness to pay attention to cyber security. You need to be very skeptical of things you see online and on social media,” he said.
You can lower your risk by following these cybersafety tips:
- Never click links in emails or text messages from people you don’t know. An email search can help you decide if it’s safe to open emails from unknown senders.
- Research any free apps before you download them to your phone or device. Check the developer’s data protection policies so you know what you’re getting into.
- Avoid social media quizzes, and don’t give unknown applications access to your profile.
- Be extremely careful about sharing any personally identifiable information online. Update your privacy settings on the social media platforms you use.
- Consider using a VPN when you’re not on your home or work network.
“Cybercrime is big business,” Hatter said, “and a lot of it is automated. We have crimeware as a service now—hackers can rent the tools they need to do cyberattacks. We’ve even seen ransomware perpetrators who have help desks to show victims how to pay their ransom in bitcoin!”
Because of changing technology, Hatter said it’s difficult to completely protect yourself from becoming a victim. But you can take steps to become a hard target.