Cybersecurity Without Insanity in 3 articles, 2 numbers and 1 thing to think about.
This week: Happy New Year. I know I’ve been talking a lot this week (here, here, and here) about how it’s not so happy for LastPass users, so I will not linger too much on that carnage. Instead, let’s talk about what Ukraine’s Cyber Police, the UK’s NCSC, and Ireland’s DPC have been up to while we’ve been eating too much chocolate.
To listen to Cyber 3-2-1: All episodes are accessible from https://www.codeinmotion.ie/podcast or wherever you get your podcasts.
1. Naked Security recently reported on a raid by the Ukraine Cyber Police on a call centre with 37 staff, which had been running banking scams targeting customers in Kazakhstan. Apparently, this particular operation had defrauded 18,000 people. The Naked Security article is worth a read, because it also describes the common ways that these types of crooks fool people into believing that they are calling from their bank, so that they perform actions that later turn out to be detrimental (e.g. revealing their bank account login details; transferring money to the crooks’ account). One interesting angle is that you should be suspicious if the call centre staff seem to be “more prompt and more helpful than you’ve experienced in a long time when calling a real support line”!
2. The UK’s National Cyber Security Centre (NCSC) recently released ‘Exercise in a Box’, an online tool which is described as helping “test and practise [your] response to a cyber attack”. The facility is completely free and, unfortunately for someone like me, it is designed so non-techies can use it to assess their preparedness through desk-based exercises. There are a number of exercises included, such as a “ransomware attack delivered by phishing email”, “mobile phone theft and response”, and “insider threat leading to a data breach”. It’s certainly worth a look when you’re planning the next social event at work! Who wouldn’t want to go to a “Ransomware and Pizza Party”?
3. Ireland’s data protection regulator, the DPC, recently published its Five Steps to Secure Cloud-based Environments. It includes the usual suspects (e.g. Multi-Factor Authentication; Regular reviews of user accounts; Appropriate staff training). It also recommends that where a business is relying on an external IT provider to manage these cloud environments on their behalf, the business should seek assurances from the provider that “the security controls which have been implemented meet an organisation’s specific security requirements” and they should “proactively engage and conduct regular security reviews [..] to ensure the security controls in place are up-to-date and are effective”. Unfortunately, many businesses do not know what “effective security” looks like, and they assume the IT provider knows what to do. Unfortunately, in my experience, many IT providers don’t know either. Even worse, they don’t know that they don’t know. If you need someone to help you with this type of security review or guidance, you know where I am.
7.7% – According to a recent report by Acronis, a security solutions provider, 7.7% of the 750,000 endpoints (e.g. Windows PCs) monitored by Acronis security software tried to access a malicious website in Q3 2022. If this is an accurate reflection of every country and every organisation, it means that, on average, at least 1 in every 20 of your staff members has tried to access a malicious website within the last 3 months. Are you sure your staff are better than the average, or are you sure there is effective security in place that would prevent one of your staff members from getting to the malicious site?
€64 million – €64 million was laundered through Ireland by a crime gang that was formed in West Africa in the 1970s but switched its activities to online frauds in more recent years. The money was laundered through the bank accounts of Irish residents who were recruited through social media, and through people who flew into Ireland to open Irish bank accounts using fake documentation. This is according to the Gardaí, Ireland’s police force, and was recently reported in The Journal.
ONE THING TO THINK ABOUT
Despite this carnage, you should still regard a password manager as a good thing to use, for all the reasons I mention here.
But when using a password manager, remember the following:
- Make sure your master password is long and unique.
- Make sure your password manager is also protected with MFA.
- Don’t store everything in your password manager – Focus on the information that you tend to need at short notice (e.g. passwords). You can leave a photo of your grandad’s treasure map at home in the attic.
- Don’t store all required information in your password manager – For very high value accounts, a password hint may be enough for you but a serious barrier to a crook if they ever gain access to your password vault.
- Don’t store MFA bypass codes / emergency access codes in the password manager, as these could be used by the bad guys to circumvent MFA on your other accounts.
- And finally, don’t use LastPass!
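The first point above is the one that matters most if an encrypted vault is ever stolen: the thief has all the time in the world to guess the master password offline, and only its length, character mix and the key-derivation work factor stand in the way. The script below is an added illustration of that point, not code from the newsletter or from any password manager. It uses a crude length-times-pool-size entropy estimate (an optimistic upper bound) and assumed, clearly labelled figures for attacker hash throughput and KDF iteration count; the names `charset_size`, `entropy_bits`, `years_to_exhaust` and `master_password_problems` are all my own, and the "previously used" list is constructed for the example.

```python
import math
import string

# Constructed placeholder figures, not measurements of any real product or cracking rig.
RAW_HASHES_PER_SECOND = 1e10   # assumed raw hash throughput of an attacker's hardware
KDF_ITERATIONS = 100_000       # assumed PBKDF2-style iteration count protecting the vault key


def charset_size(password: str) -> int:
    """Size of the smallest standard character pool that covers every character used."""
    size = 0
    if any(c in string.ascii_lowercase for c in password):
        size += 26
    if any(c in string.ascii_uppercase for c in password):
        size += 26
    if any(c in string.digits for c in password):
        size += 10
    if any(c in string.punctuation for c in password):
        size += len(string.punctuation)   # the 32 ASCII symbols
    if any(c.isspace() for c in password):
        size += 1                         # space, as used in multi-word passphrases
    return size


def entropy_bits(password: str) -> float:
    """Upper-bound entropy: length x log2(pool size).

    Real passwords built from dictionary words or keyboard patterns are weaker
    than this figure, so treat it as optimistic."""
    if not password:
        return 0.0
    return len(password) * math.log2(charset_size(password))


def years_to_exhaust(password: str,
                     raw_hashes_per_second: float = RAW_HASHES_PER_SECOND,
                     kdf_iterations: int = KDF_ITERATIONS) -> float:
    """Years needed to try every password in the pool, given that each guess
    costs kdf_iterations hash operations (this is what the KDF buys you)."""
    guesses_per_second = raw_hashes_per_second / kdf_iterations
    seconds = 2 ** entropy_bits(password) / guesses_per_second
    return seconds / (365.25 * 24 * 3600)


def master_password_problems(password: str, previously_used,
                             min_length: int = 16, min_bits: float = 80.0) -> list:
    """Reasons a candidate master password falls short of 'long and unique';
    an empty list means it passes these (assumed) thresholds."""
    problems = []
    if len(password) < min_length:
        problems.append(f"shorter than {min_length} characters")
    if entropy_bits(password) < min_bits:
        problems.append(f"below {min_bits:.0f} bits of estimated entropy")
    if password in previously_used:
        problems.append("reused from another account (not unique)")
    return problems


if __name__ == "__main__":
    # Constructed sample of passwords the user already uses elsewhere.
    reused = {"Passw0rd!", "summer2022"}
    for candidate in ("Passw0rd!", "correct horse battery staple runs"):
        print(f"{candidate!r}: {entropy_bits(candidate):.1f} bits, "
              f"about {years_to_exhaust(candidate):.3g} years to exhaust, "
              f"problems={master_password_problems(candidate, reused)}")
```

The interesting comparison is between the two candidates: a nine-character password with every character class still falls well short of the 80-bit line, while a plain lowercase passphrase of five words sails past it purely on length. Raising the KDF iteration count helps linearly; adding characters helps exponentially.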