We posted a little about this a couple days ago. It really is easier than you think to become a trusted user to unsuspecting victims. If you didn’t see it, you can see it now.
So if it’s so easy to do then what’s the point, right? If people really want your information then they are going to get it, and they can do it as simply as that. And as we have mentioned before, this can be overwhelming. But we can’t allow it to be. We can’t make it easy and we can’t just give in and accept it.
We know how they attack, and we just saw how a sample attack goes down. So let’s use that.
- Adopt enhanced security measures. Change your passwords. Don’t use the same passwords for multiple sites or devices. Use passphrases, not codes. Change them every 60-90 days. Use two-factor authentication in as many sites/places as you can. It’s becoming more and more common, so if you don’t have it, ask about it.
- Identify your critical information and have different levels of security. Not everything is critical and not everything needs to be protected – find out what is the most important and implement additional security measures. Need help understanding this? Check out our prior post.
- Change things up. The military uses Random Access Measures. As the name implies, these are security measures implemented randomly to break up the monotony of your day-to-day security posture. The intended result – throw off operational planning and surveillance. When an attacker is doing their research they spend days observing all your actions, also known as footprinting. This tactic is designed to identify vulnerabilities, and the time and place for their attack. By implementing RAM, there is always the chance that the attack is disrupted or fails because something that wasn’t planned for happened. For example, your receptionist now implements 100% identification checks prior to entry, or security personnel are visible in and around your location, or you switch network security measures. Change it up; do something unexpected; throw off the attacker’s window. If they see it happen one day, they may decide that the randomness of your measures is enough to not risk an attack.
- Learn about social engineering. Studies have varied, but most agree that the overwhelming majority of attacks are a result of human error or human ignorance. Social engineers take advantage of our emotions and natural propensity to want to help. They use this to gain access and they will employ any number of tools to do it. Educate yourself and those in your company. Try this link. Or this one. Even this.
- Review your policies. If you don’t have policies then start working on them.
- Be Alert and Aware. Security has to be a mindset; a state of mind. It’s not convenient and you can’t relax. Read, listen, and learn about new attacks. Trust but verify. This mantra is very simple. We should trust others, but we have to verify and follow our own instincts. If it doesn’t sound right then maybe it’s not. If you don’t know someone, then don’t just take them at their word; make them prove it. If you have security policies, default to those.
Security should not scare you. It needs to be a commitment to protecting you and your company.