National Cybersecurity Awareness Month 2022
Cyber security is the application of technologies, processes, practices and controls to protect systems, networks, programs, devices and data from cyber-attacks.
Cybersecurity is the protection of internet-connected systems such as hardware, software and data from cyberthreats.
National Cybersecurity Awareness Month (November) is designated for raising awareness about the importance of cybersecurity across the Kingdom of Eswatini.
The theme for this year (2022) is:
A secure Cyberspace for All #Be Cybersmart
Passwords provide the first line of defence against unauthorized access to your computer and personal information. The stronger your password, the more protected your computer will be from hackers and malicious software. You should maintain strong passwords for all accounts on your computer.
There are a number of methods criminals can employ to crack passwords, including:
- Intercepting them as they are transmitted over the network.
- Brute force – automated guessing of millions of passwords.
- Physically stealing them, for example when they are written down close to a device.
- Searching IT infrastructure for stored password information.
- Manual guessing based on easily accessible personal information (e.g. name, date of birth).
- Shoulder surfing – observing people typing in their passwords in public places.
- Social engineering – tricking people into handing over passwords.
- Key-logging malware which records passwords as they are entered.
Passwords that are easily cracked tend to include:
- Your actual name or username.
- Place names
- Family members’ or pets’ names / birthdays.
- Single dictionary words
- Personal information such as your date or place of birth.
- Favourite sports teams or other things relevant to your interests.
- Numerical or keyboard sequences (e.g. qwerty, 12345).
Tips for creating strong passwords.
- Use a unique password for each of your important accounts (i.e. email and online banking). Do not use the same password across multiple accounts.
- Your password should be at least 8 characters long. It should consist of lowercase and uppercase letters, numbers and symbols. A long password will offer more protection than a short password if it is properly constructed.
- Do not use personal information such as your name, age, date of birth, child’s name, pet’s name, or favourite colour/song when constructing your password.
- Avoid consecutive keyboard combinations (i.e. qwerty or asdfg).
- Look around and make sure no one is watching while you enter your password. If somebody is, politely ask them to look away.
- Always log off/sign out if you leave your device for the day – it just takes a few seconds to do and it’ll help ensure that no one uses your system for malicious purposes.
- Avoid entering passwords on computers you don’t control – they may have malicious software installed to purposely steal your password.
- Avoid entering passwords when connected to unsecured Wi-Fi connections (like at an airport or coffee shop) – hackers can intercept your passwords and data over unsecured connections.
- Never tell your password to anyone.
- Change your passwords regularly and avoid using the same password over and over again.
- Never write down your passwords on a sticky note and hide it underneath your workstation or telephone. Somebody will find it.
- Always select “never” when your Internet browser asks for your permission to remember your passwords.
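The checks described in the two lists above (minimum length, mixed character types, personal information, keyboard or numerical sequences, single dictionary words) can be automated. The following is an added example, not part of the original page; the function names, the four-character sequence threshold and the tiny word list are assumptions made for illustration.

```python
import re

# Keyboard rows and runs used to spot sequences such as "qwerty" or "12345".
SEQUENCES = ("qwertyuiop", "asdfghjkl", "zxcvbnm", "0123456789",
             "abcdefghijklmnopqrstuvwxyz")
# Constructed sample list; a real check would load a full dictionary.
SAMPLE_WORDS = {"password", "welcome", "football", "sunshine", "mbabane"}


def has_sequence(pw, run=4):
    """True if pw contains `run` consecutive characters of a known
    sequence, typed forwards or backwards (threshold is an assumption)."""
    low = pw.lower()
    for seq in SEQUENCES:
        for s in (seq, seq[::-1]):
            for i in range(len(s) - run + 1):
                if s[i:i + run] in low:
                    return True
    return False


def password_issues(pw, personal_info=()):
    """Return the reasons pw fails the guidance above (empty list = none found)."""
    issues = []
    if len(pw) < 8:
        issues.append("shorter than 8 characters")
    classes = {
        "lowercase letter": r"[a-z]",
        "uppercase letter": r"[A-Z]",
        "number": r"[0-9]",
        "symbol": r"[^A-Za-z0-9]",
    }
    for name, pattern in classes.items():
        if not re.search(pattern, pw):
            issues.append(f"no {name}")
    low = pw.lower()
    # Names, birthdays, pets, teams: anything an acquaintance could guess.
    for item in personal_info:
        if len(item) >= 3 and item.lower() in low:
            issues.append(f"contains personal information ({item!r})")
    if has_sequence(pw):
        issues.append("contains a keyboard or numerical sequence")
    # Strip digits/symbols from both ends: "Password1!" is still one word.
    core = re.sub(r"^[^a-z]+|[^a-z]+$", "", low)
    if core in SAMPLE_WORDS:
        issues.append("single dictionary word")
    return issues


if __name__ == "__main__":
    # Constructed sample passwords.
    for candidate in ("qwerty", "Password1!", "Mz7!kRp#2vLq"):
        print(candidate, "->", password_issues(candidate) or "no issues found")
```

An empty result only means none of these specific weaknesses was found; it does not show that the password is unique across accounts.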
Multi-factor authentication is sometimes called two-factor authentication or two-step verification, and it is often abbreviated to MFA.
MFA is a cybersecurity measure for an account that requires anyone logging in to prove their identity multiple ways. Typically, you will enter your username, password, and then prove your identity some other way, like with a fingerprint or by responding to a text message.
MFA makes it extremely hard for hackers to access your online accounts, even if they know your password.
We recommend that you implement MFA for any account that permits it, especially any account associated with work, school, email, banking, and social media.
How does MFA work?
When you turn MFA on for an account or device, your log-in process will require a bit more verification.
You will be asked for your username and password.
If these are correct, you will then be prompted to prove your identity another way.
You might be able to set up your smartphone, for example, to use a facial scan as verification. Other online accounts might send your phone number or email address a one-time use code that you must enter within a certain frame of time. Some accounts will require you to approve access with a standalone authenticator app like Duo or Google Authenticator.
The three categories of multi-factor authentication methods
A multi-factor authentication method is typically categorized in one of three ways:
- Something you know—PIN, password or answer to a security question
- Something you have—OTP, token, trusted device, smart card or badge
- Something you are—face, fingerprint, retinal scan or other biometric
Forms of MFA
- Inputting an extra PIN (personal identification number) as well as your password
- The answer to an extra security question like “What town did you go to high school in?”
- A code sent to your email or texted to your device that you must enter within a short span of time
- Biometric identifiers like facial recognition or fingerprint scan
- A standalone app that requires you to approve each attempt to access an account
- An additional code either emailed to an account or texted to a mobile number
- A secure token – a separate piece of physical hardware, like a key fob, that verifies a person’s identity with a database or system
What type of accounts offer MFA?
Not every account and device offers MFA, but it is becoming more common every day. You might already have it set up for your devices, for example if you use Face ID or a fingerprint scan to unlock your phone or laptop. MFA is now often found in many workplaces and universities, too.
Here are some types of accounts that often offer MFA. Check to see if you can turn MFA on:
- Social media
- Online stores
MFA adds an entire layer of security on your important accounts beyond your password. Your data is precious and important – multiplying its protection is a great idea. Let’s use MFA everywhere!
What is ransomware?
Ransomware is a type of malware that encrypts files and even entire computer systems, then demands a ransom payment in exchange for returning access. Ransomware uses encryption to block access to infected files or computer systems, making them unusable to the victims. Ransomware attacks target all kinds of files, from personal to business-critical. After a ransomware attack, the hackers or cybercriminals behind it will contact victims with their demands, promising to unlock their computer or decrypt their files after a ransom is paid. Ransomware attacks may not begin immediately. Some ransomware is designed to lie dormant on your device to keep you from identifying its source. For example, the AIDS Trojan strain did not activate until the 90th reboot of the computers it infected.
How ransomware infects your device
- Exploit kits: Malicious actors develop exploit kits to take advantage of vulnerabilities in applications, networks, or devices. This type of ransomware can infect any network-connected device running outdated software. Keep your systems and apps updated to shield your hardware and files from attacks.
- Phishing: In a phishing attack, cybercriminals will impersonate trusted contacts or organizations and send you an email with a seemingly legitimate attachment or link. This type of social engineering attack often includes a fake order form, receipt, or invoice.
- Malvertising: Attackers can distribute malware by embedding it in fake online ads in a practice known as malvertising. Even the most trustworthy sites can be compromised with malvertising. While some malvertising ads only install ransomware onto your device after you click, others will download the ransomware as soon as they load on the webpage — without requiring a click. An ad blocker, such as the one in Avast Secure Browser, can protect you against these malicious ads.
- Drive-by downloads: Attackers can prime websites with malware so that when you visit, the site automatically and secretly downloads the malware onto your device. If you’re using outdated browsers and apps, you’re especially vulnerable to this technique, but a free antivirus app can help.
Preventing a Ransomware Attack
The best way to protect your devices is to keep ransomware from infecting them in the first place. By practicing smart internet habits and using a reliable ransomware prevention tool, you’ll be a much tougher target for cyber attackers to hit.
Keep your software updated. Making sure your OS and apps get new updates as soon as they’re released will plug security holes and prevent hackers from using exploits to deploy ransomware.
Back up your system regularly. Ransomware gains its power from blocking access to important files. If you have the files backed up safely elsewhere, you’ll never have to pay a ransom. Perform regular backups of your system and files — cloud services and physical storage are both viable options, and you should use both if you can. If your device lets you set an automatic backup schedule, do that as well.
Use an ad blocker. Load up your browser with one of the best ad blockers to shield yourself from malvertising and drive-by downloads: two ad-related ways ransomware can make its way into your system.
Be skeptical. Be wary of strange links sent in emails or on other messaging platforms. Even if the link comes from someone you know, they could have been hacked. Learn the signs of unsafe websites and avoid visiting them.
Use an antivirus. Ransomware can hurt you only if it can reach you. Employ a robust cybersecurity app that blocks malware and viruses before they can get anywhere near you.
Why Software Updates Matter
Our computers, tablets and phones are great devices to have. But for all the benefit they bring us, they also leave us exposed to cyber threats. Our devices contain a ton of information about our online activities, personal data and even our banking and financial information.
That’s why we need to keep them safe from cyber threats.
If you protect your devices, you protect yourself. And one of the best – and easiest – ways to protect your device is to regularly update your software.
How software updates can help protect you
Because your operating system manages all the functionality on your computer, it can be a vulnerable target for hackers. Operating systems have many built-in functions to help prevent attacks.
The problem is, though, that cyber threats are constantly changing. That’s why operating system providers regularly offer operating system updates: To keep on top of changing threats from cyber criminals.
If you don’t update your OS, you leave yourself vulnerable to losing the information on your device or compromising access to key accounts. That can cost you your identity, your information and even money.
So, how can you protect yourself? Software updates.
Tricks for remembering to update your software
Understanding the importance of software updates is one thing. Actually doing them? Another matter entirely.
Here are a few tricks you can use to remember to update your software.
- Enable automatic updates
Most operating systems – for both mobile devices and personal computers – come with a feature that allows you to automatically download and install updates.
This is the simplest way to ensure that your computers and other devices are constantly up-to-date.
The only trick? Taking the time to enable the automatic updates in the first place!
Once you do that, your operating system will automatically update key cyber security fixes as soon as they’re available.
- Open your device at off hours
The worst time to update your software is when you’re trying to get something done. We get reminders when we open up a computer or laptop, but chances are we opened it to complete a particular task.
Software updates frequently require your device to be unavailable for a period of time, and it will then likely have to restart. That makes it tough to set aside time out of your work or personal time to allow for these to be completed.
Thankfully, there are some solutions to help you download updates at off hours.
- Set a timer during an off-period to remind yourself to update your device: This ensures you don’t need your computer or phone during the time you’ve set aside for software updates.
- Check for software updates before bed: This will allow you to start any software updates so they happen while you sleep.
- Take a quick work break
We all need to take a break some time, right?
The next time you get prompted with a software update request when you open up your device in the morning but don’t have time to do it right away, set yourself a reminder for later. That way, when that mid-morning coffee break rolls around, all you need to do is enable the update.
Software updates are about a lot more than just getting the latest features for your device or computer. They include important fixes that allow you to keep yourself – and your device – safe from cyber threats.
Ensure you’re staying cyber secure by ensuring your operating system is always up-to-date.
Physical Security Awareness
Physical security is an important aspect of protecting your organization’s networks, hardware, and data. However, physical security is often overlooked when cybersecurity policies are written, and oftentimes sub-par security measures will be installed, opening the organization to the risk of a malicious intruder.
WHAT DOES PHYSICAL SECURITY HAVE TO DO WITH CYBERSECURITY?
Cyber criminals have been known to breach an organization by infiltrating the physical perimeter and plugging in an infected piece of hardware, or by downloading malicious software directly to systems. These attacks should not be taken lightly, and often indicate a serious risk of insider threats within the organization. Many times, the attacker has performed reconnaissance on the organization and has already mapped out most of the vulnerabilities within the attack surface. Once an attacker has physical access to your networks they can perform several attacks that could be devastating to the organization.
COMMON PHYSICAL THREAT VECTORS
An attacker employs Social Engineering to disguise themselves as an employee, maintenance worker, or authoritative figure to gain access to unauthorized areas.
An attacker plants an infected USB drive into common areas of the organization. The attacker can leave it in a lobby, parking lot, or other organizational watering hole hoping someone will plug in the device. Once plugged in, the device will begin secretly downloading malicious software onto the infected system.
An attacker deploys their own infected hardware by connecting the device straight into the network. The device is often in an inconspicuous spot and is usually small and unassuming.
An attacker breaches a server room and installs a device onto the system, allowing the attacker remote access directly to the server.
An attacker targets an internet drop line and intercepts communications, allowing them to collect critical business data. They can also use these drop lines to disrupt services.
An insider threat leverages their privileges and escalates their security credentials to gain unauthorized access to restricted areas.
HOW CAN I PROTECT MY ORGANIZATION FROM PHYSICAL SECURITY THREATS?
Secure your organization’s equipment, paper files, data storage devices, and hardware by limiting physical access to authorized personnel only. Store data, devices, and files in a locked room and keep an active inventory of all information assets being protected. Perform regular inventory checks to ensure there are no unexpected anomalies that could impact your information security, such as missing assets or additional devices.
Ensure that you are training your employees to practice safe data usage, including:
- remembering to lock doors or cabinets;
- logging out of systems, applications, and networks when away from the computer or not in use;
- never plugging in unfamiliar devices;
- shredding documents promptly and regularly when no longer needed;
- properly erasing data (the “delete” key does not permanently erase data);
- and never leaving sensitive files/devices unattended.
Implement strong password policies by requiring complex passwords (such as pass-phrases), utilizing multi-factor authentication, and limiting login attempts to unlock devices.
Ensure all hardware and communications are encrypted at all times.
Enforce strong Physical Information Security Controls
PHYSICAL INFORMATION SECURITY CONTROLS
- Access Control
- Security Staff
- Proper Lighting Inside and Outside the Building
- Picture IDs
- Video Surveillance
- Intrusion Alarms
- Employee and Management Training
- Equipment Documentation
HOW DO I KNOW IF MY PHYSICAL SECURITY IS PROTECTED?
The most effective way to ensure your critical infrastructure is protected is to implement regular physical penetration tests and continue to improve your physical security according to the results of your pen test. Additionally, be certain you are constantly auditing and documenting the physical devices within your organization. If any piece of critical hardware goes missing, or you discover an undocumented device, it could indicate that an attacker may already have gained access to your systems. Keep track of all physical security controls that exist within your organization and consult with your information security team to determine any gaps that may exist in your critical infrastructure.
ATM fraud is described as a fraudulent activity where the criminal uses the ATM card of another person to withdraw money instantly from that account. This is done by using the PIN. The other type of ATM fraud is stealing from the machine in the ATM by breaking in.
TIPS TO AVOID BECOMING A VICTIM OF ATM FRAUD
- Perform an A.T.M. Inspection
Before swiping their card, consumers should examine A.T.M.’s for tell-tale signs of skimmers. Visible glue marks around the reader or PIN pad are a sign of tampering.
- Perform an A.T.M. Area Inspection
Consumers should look around the A.T.M. area to see if anything looks out of the ordinary. For instance, are there brochures near the keypad, possibly hiding a miniature camera? Legitimate security cameras for banks will be clearly visible, while miniature cameras are very small and can easily be hidden.
- Cover Your PIN
When you type in your PIN, use your other hand to shield the keypad to block it from hidden cameras. This will also help protect your information from “shoulder surfers,” thieves who stand off to the side and try to record your PIN.
- Know Which A.T.M.’s to Pay Special Attention To
A.T.M.’s in heavily trafficked areas like malls, airports and gas stations can have skimmers attached and may go unnoticed for a long period of time because there usually isn’t anyone nearby monitoring the machines.
- Know When to Use Your Credit Card
In situations where your card goes out of your line of sight (like at a restaurant or hotel), use a credit card rather than a debit card. Many times, you are afforded protections through your credit card company that are not available with your debit card.
- Don’t accept help from strangers.
- Never divulge your PIN to anyone.
- Use ATMs in well-lit areas and where you feel the most comfortable.
- Don’t be distracted when using an ATM. If you’re disturbed, cancel the transaction immediately and report the incident using your bank’s stop-card toll-free number.
- Be aware of your surroundings and avoid using the ATM where individuals are loitering.