The Myth of Security by Anonymity

It is comforting to think of cyber threats as always targeting specific people or companies.  That allows us to believe that if we are small enough, are not involved in high-profile matters, or are outside of a big city that we are at a reduced risk for cyber attacks.  Unfortunately, this is a false sense of security.

Imagine you are visiting Disney World.  You parked your car in the Mickey lot and headed in to enjoy the park.  Unknown to you, there are people wandering the lot, pulling on door handles to see if cars are unlocked.  If one is found, they look through it and take whatever they perceive as being valuable.  It is not worth the risk of smashing windows – that would get noticed.  You become a victim not because of the type of car or what could be seen in it, but because the door was unlocked and it was easy to snoop around.

And so it is with many cyber threats out there today.  Sure there are highly specific and sophisticated threats.  We have written about some common scams (here and here) and wire fraud (here and here) in the past.

However, many times it is a crime of opportunity.  By being able to detect that your network has a vulnerability – be it a machine that has not been updated, a weak/missing password, etc. – the “bad guys” are able to take a look inside your system and take information.  Most times it is not even a human doing this, but merely a computer program or a “bot” that is automatically sweeping up information.

Another example is clicking on an ad on a website or on a phishing email.  Both actions can lead to viruses, malware, and ransomware being downloaded on your system.  Most of the time you will not even realize something happened.  This can even happen without clicking on an ad as was the case in 2015-2016 when a vulnerability in Flash and Silverlight allowed ransomware to be installed in legitimate video ads on legitimate websites, and that ransomware would download automatically on a user’s computer when the video auto-played.

Finally, you would not pick up a toothbrush off the street and use it right away, would you?  The same thought process should be applied to external media devices (jump drives/thumb drives/SD cards/memory sticks/etc.).  If it is not yours, do not stick it in your computer!  For a high-profile example, look no further than Iran in 2007.  USB sticks containing a virus were planted in the parking lot of a government facility, when someone plugged one in to see what was on it, a virus infected their systems which caused the destruction of 984 uranium enriching centrifuges. 

But wait, there is some good news as well!

Protecting yourself from these crimes of opportunity can be easy, and many times cost very little or nothing at all!

• Ensure all computers, servers, devices are updated and patched.
• Add an adblocker extension to your web browser.
• Disable pop-ups on your web browser.
• Educate employees not to plug unknown removable media into work computers.
  • Even known media can be a threat if it is used on other outside computers.
• Consider disabling the removable media drives on your work machines.
• Use a dedicated computer for all banking activities to reduce the risk of compromise.
• If you have Wi-Fi at work, have a strong password and do not allow anyone else on it. If guests need access, you can create a separate guest network that does not allow access to your internal systems (it should also have a good password).
• Change passwords on all connected devices (printers, copiers, routers, etc.).
• Use a business-level email service with upgraded security features, do not use free email services for work.
• Do not share passwords.
• Consider the risks and benefits of a password vault that randomly generates passwords.
• Use multi-factor authentication where available.

 If you missed last week's post on encryption, check it out here. 

Next week we’ll take a look at common internal threats and tips to reduce your risk.