Sharing the Power of Cybersecurity Awareness

Every October, Cybersecurity Awareness Month is a friendly reminder for Bishop Fox that our passion for improving digital privacy is what inspires our work. However, protecting our clients' digital footprints is not the only security that matters to us - it extends equally to our families, friends, and communities. As offensive security professionals, we often field questions (and intrigue) from those closest to us about various types of dangerous activities in cyberspace, but these frequently equate to inquiries about suspicious links in email or SMS, for example.

While advice like “don’t click the link!” to avoid those threats is useful, it doesn’t equate to a strategic or comprehensive plan to stay safe and private in the virtual world. We’ve compiled helpful tips and tricks that we recommend to the most important people in our lives that often don’t have the same technical prowess that we do. These recommendations enforce stronger personal boundaries in cyberspace without the need for deep technical expertise. Preventing our loved ones from recklessly navigating the internet is a battle that we will gladly continue to fight to protect and defend against unseen cyber threats.

“We need to make security easier and more obtainable for everyone, so that my mom and dad are secure no matter what they are doing on the computer.” – Steve Ragan, Team Leader/Story Teller/Editor at Cisco

Protect Passwords Like Your Life Depends on It

Imagine if you regularly left a house key outside your front door in plain sight when you aren’t home. Well, failing to protect your online passwords is essentially the same thing – giving unwanted visitors an open invitation to steal from you. Here are a few easy recommendations that we share with our family and friends to make password management less daunting: 

If a virtual password manager is too tricky, simply write down your passwords and keep them in a safe place. There is no wrong or right answer to securing passwords BUT do something instead of nothing or repeatedly using the same password. And an important note: Please don’t log into your bank accounts, healthcare accounts, 401K, email, and food delivery service with the same password.

“I got my parents a book to write down their passwords. I told them as long as the book is in a safe location, write down your passwords in it. I would much rather they write down passwords than use ‘mysonsteve25’ as their password for everything online.” – Steve Ragan, Team Leader/Story Teller/Editor at Cisco

Change your passwords regularly. Block off a little bit of time, just like you would for any other household chore, to update passwords for your important accounts.

Use a checklist to make sure you are proactively protecting passwords.

Making complex passwords is not always as easy as it seems, but there are approachable ways to simplify the process! To make your passwords more complex, think of a familiar phrase, song lyric, or favorite sports team that mean something to you. Use parts of those words to make a seemingly random password. If you want to get really fancy (and we recommend this) swap out a few letters for numbers and symbols but start with a familiar phrase that doesn’t contain personal information like your birthday or name, for example. Aim for eight characters or more for each password.

Is Biometrics an option? If it is, take it! There is less of a chance that your fingerprint can be replicated compared to a password. Also, biometrics reduces the need for passwords in some scenarios.

Strengthen password usage with Two-Factor Authentication (2FA). It acts as a barrier against threat actors trying to impersonate you because only you should be able to receive a temporary code to authenticate your login request. Once 2FA is set up, it is generally easy to use, but don’t be afraid to ask for help from a trusted confidante to keep private information like email, PII, or financial info better protected. 

Know Your Digital Worth

Financial crime is a real threat to just about anyone with an online presence these days, especially with the sharp rise in online purchasing fueled by shelter-in-place restrictions during the height of the COVID-19 pandemic. Many people acutely increased their digital footprint with online purchases of new types of goods and services, like grocery or food delivery, that were previously in-person only activities. While financial crime has become a pervasive and prevalent modern phenomenon, understanding your digital worth from a threat actor’s point of view is one way to protect yourself without a heavy technical lift.

Think about your online purchasing activity. Do you use debit cards or credit cards for online purchases – if so, how many? Every time that you add a card to a website, you are expanding your digital worth and opportunity to be exploited. Instead, choose a single credit card, instead of a debit card, for online purchases to keep a layer in between your purchase and your bank account. It is very common (and newsworthy) these days for credit card numbers to be stolen in data breaches and sold on the Dark Web; however, criminals can also brute force card numbers to get to the same end game. The bottom line is that using fewer card numbers online removes potential opportunities from cybercriminals to commit financial crimes against innocent victims.

Many retail sites prompt you to store your credit card information for your future purchases. This can be tempting because of the convenience factor, but this could put your financial information at unnecessary risk down the road.

Check your bank account and/or credit card statements on a regular basis. Many financial institutions have robust fraud programs and procedures in place, but taking five minutes to review your activity may be worth its weight in gold if you discover and report any fraudulent activity on your own. This is information that you already have access to and doesn’t require technical know-how or copious amounts of time; use it to your advantage. It also doesn’t hurt to check your credit report at least once a year to ensure fraudulent activity is not taking place right under you.

Don’t Be a Social Butterfly

Being a social butterfly in cyberspace may seem tempting at times, especially with the prevalence of social media, but it is always safer to keep personal information private while interacting online, especially when you don’t know your exact audience. Any information that you put into cyberspace can remain there forever, so it is best to think twice before you type. You wouldn’t share valuable personal information with strangers on the street, so follow the same guidance online.

A great example of this is avoiding the trivia games where it asks for your personal information during holidays like Valentine’s Day in which you list the name of your spouse/loved one, how long you’ve been dating, your wedding anniversary date, etc. This type of engagement reveals a lot of personal information without you thinking twice about it, as it comes off as an innocent game.

Reduce Your Digital Footprint

It is very common these days for an average household to have multiple devices running concurrently – tablets, laptops, smartphones, desktop computers, gaming systems, etc. But how many devices do you really need at one time? One low-tech way to maintain a safer virtual environment is to simply consider reducing your digital footprint in a few different ways.

Assess how many devices you need and their purpose. Perhaps you can get by with fewer devices and hence less potential attack surface. If you can’t cut down on the number of devices, make sure to power down those that you aren’t regularly using. This may interrupt an opportunity for attackers to exploit and take advantage of your information.

Consider how often you require protocols like Bluetooth or Wi-Fi to connect to the internet. Cutting down on these connection protocols, especially public Wi-Fi, is an easy way to prevent hackers and criminals from using your network or accessing your devices without your knowledge.

Maybe you can’t reduce your footprint, but you may be able to segment your activity. For example, segmenting work and personal business on different designated devices is a way to have more control over your footprint and know where your virtual activity originates from; i.e. your work computer is for work; don’t use it to log in to personal bank accounts. Check out our DIY network segmentation guide for additional ideas.

Making Personal Cybersecurity Simple

Improving cybersecurity habits doesn’t have to be complicated. Cybersecurity Awareness Month is an important reminder that one of our biggest assets as offensive security professionals is being able to share our knowledge with those people that are most important to us and improving their digital security postures. Don’t forget to check in on your families, friends, and communities during Cybersecurity Awareness Month to evaluate their cybersecurity needs!