In a warshipping attack, a victim organization receives a...
In This Article
The following article was originally published in Issue 16 of our sister magazine Concealment. It appears here in its entirety with permission. For more articles on guns, training, and gear, go to RECOILweb.com.
Illustration by Joe Oesterle
You’re busy. It’s a Friday, and you’ve set lunch as your deadline to get out of town for the weekend. A friend has just called, so you’re a bit distracted as you open your laptop, click on email, and start cleaning out junk. There’s one email in your inbox from a business associate who you’ve worked with previously. You open that one quickly and see he’d like you to take a look at a contract. You click on a link and nothing happens. Odd. Hmm. Well, take a sip of coffee and move on.
And, oh, by the way, you’ve just given nefarious Russian hackers a way into the electric grid of the entire western United States.
That’s essentially what happened in 2017 when, according to the Wall Street Journal, Russian hackers targeted the U.S. electric system by infiltrating the computers of hundreds of contractors and subcontractors who worked with utility companies. The Russians focused on small targets, like family owned construction companies, and worked their way into the electrical grid from there. The small-timers had no cause to believe their computers would be the focus of high-level, concerted hacking efforts by hostile nation states.
A version of that apocryphal anecdote is what James Goepel, CEO of Fathom Cyber, a cyber security company in southeastern Pennsylvania, often uses to help deliver a warning to potential clients. In this connected, online world nobody is really safe from security or privacy invasions. Nobody.
“Every day I hear stories about how even baby monitors are being hacked,” Goepel, who also teaches cybersecurity classes at Drexel University says. “The thing is,” he continued, “taking your own safety measures, practicing good cyber hygiene, isn’t really that hard.”
Before diving too deeply into best practices for good cyber hygiene, it’s important to draw a distinction between the two similar, yet often unrelated, types of issues that us inhabitants of the connected world face daily.
First, there are security issues. Russian hackers using a mom-and-pop construction company’s computer as backdoor into the U.S. electric grid is a security issue. Then, there are privacy issues, where companies or political operatives gather as much demographic information about you as possible — even tracking where you are at any given time — and use that information to influence your decisions: from what you eat, what brand of shoes you buy, or who you vote for.
It’s possible, of course, for a privacy issue to become a security issue. Your online identity, for instance, could be copied and manipulated and then used as part of a security attack. But, experts say, there are easy steps that can combat both security and privacy issues.
“Cyber security can seem like one of these huge, complex issues that feels really hard to get your head around,” says Benjamin Dynkin, cofounder and CEO of the Long Island-based Atlas Cybersecurity company. “Cyber security is shaping conversations from national politics all the way to local chambers of commerce, but it doesn’t always get filtered down to the average person.”
But it’s the average person, as illustrated in the Russian electric grid story that Goepel often uses, who is often most at risk. Every day we do things we shouldn’t. We use public Wi-Fi. We leave our computers open and connected on the table at Starbucks when we walk to the counter to pick up our order. We buy cheap, internet-connected surveillance cameras to deter home invasions. We use the same passwords.
“It may seem insurmountable,” says Dynkin, “but if you have the basics in place, it’s actually pretty easy to practice good cyber hygiene.”
For the average connected American, cyber security issues can manifest themselves through three types of devices: computers, phones, and connected devices. Let’s take care of the easiest, least vulnerable device first: your phone.
“A cell phone isn’t particularly easy to hack and extract secure data,” says Tyler Robinson, managing director of network operations for NISOS, a Virginia-based cyber security firm comprised mostly of former three-letter-agency employees. NISOS works almost exclusively for Fortune 100 companies, identifying security threats and accessing risks. “I’m not saying that phones are not a risk; they really are a device where a lot of the identity issues arise — apps that track your whereabouts for instance. But because they are made by companies like Apple or Samsung who have a vested in interest in security, they are fairly secure and complex.”
Still, cyber experts say, the easiest way to make sure you phone is safe and secure is to make sure the operating system updates and patches that you’re often reminded to install are updated.
Additionally, many apps use your location to track consumer behavior. Experts say simply shutting off location services on many seemingly benign apps will help combat some identity issues.
“Very few apps actually need to track you,” says Jeff Nathan, a cyber security expert in the Midwest. “If you download a product, an app, and you don’t pay for it, then you and your information are the ultimate product. You don’t know what happens to your location data when you give it away to a third party.”
Connected devices, things like Nest thermostats, Ring doorbells, solar power monitors, video baby monitors, lights you can control with your phone, all pose huge security risks. They give hackers easy, often unsecured, access to your internet connection.
“I’m really concerned about this growing internet of things,” Dynkin says. “Computers are the easiest target for criminals; we know the playbook for hacking them. But connected devices don’t have the same security awareness around them.” Cyber security experts note that the cheaper a connected device is, a $49, off-brand video camera you buy from Amazon for instance, the higher the chance there’s virtually no security features built into the device.
“I’m a big computer geek,” says Goepel, “but I don’t put any of that stuff in my home.”
Hands down, the biggest threats to cyber security are computers. The U.S. Census Bureau estimates almost 90 percent of American homes own computers. That means 90 percent of American homes pose security risks to both the homeowners themselves and the largest institutions in our society to whom consumers are connected — banks, schools, hospitals, electric companies, and the like.
But cyber experts agree there are several easy steps to minimize the threat your computer poses.
First, be vigilant in updating your software. As Jeff Nathan says, “All the nagging stuff you put off in your life, don’t put off your computer nagging at you to update your software. Unless you’re traveling out of the country, of course. If that’s the case, wait until you get back home and then update it.”
Second, use a password manager. LastPass, for instance, is a free password manager that stores encrypted passwords online. “The guidelines used to be you had to change passwords every 60 to 90 days,” said Dynkin. “Now you only have to change them if there’s a chance they’ve been compromised.”
Third, don’t click on links in emails that even look slightly suspicious. “Phishing is generally one of the biggest threats to security there is,” says Goepel. “Be really, really careful on clicking on any links in emails or even Facebook messages. Confirm the person sending it to you is actually sending it to you for a real reason.”
And finally, and this is difficult for most of us, stay off public Wi-Fi. Every cyber security expert interviewed for this story implored computer users to use a VPN (Virtual Private Network). A VPN extends your private connection to the internet, so every bit of data that travels between your devices and the internet is channeled through the VPN. A VPN encrypts your data, making it off limits to identity thieves, hackers, your ISP, the government, law enforcement, or hostile nation states. VPN apps and programs are ubiquitous and easy to install.
“I would treat the entire internet as hostile,” says Nathan. “If you keep that in the back of your mind every time you log in, you’ll be a lot better off.”
Clay Miller is the chief technology officer for SyncDog, a company that develop mobile security systems. Miller says that the gravitation toward convenience usually leaves security considerations as a mere afterthought when looking for connectivity and access. Below are seemingly innocuous activities that can expose us to potential risks. Don’t do these.
Using public wi-fi
By now, most people know that using public Wi-Fi is risky, but sometimes it’s just easier to connect to the free Wi-Fi in the coffee shop than thinking about security. Public Wi-Fi networks are an abyss of possible risks. Public network hardware may be compromised or have out-of-date security protocols. Man-in-the-middle attacks are a definite possibility along with other dangers.
Car RF car keys too close to the car when inside buildings
Recently, Mercedes-Benz S-Class owners have fallen victim to a unique attack, where a thief snuck onto their driveway and used a signal booster to amplify the RFID key signal from inside the house and was able access and start the vehicle.
Public charging stations
Anytime a device is plugged into a USB port, there’s a potential of data transfer or even potentially device rooting.
Leaving your phone unattended
It seems simple, but leaving your phone unlocked and unattended can lead to someone compromising your information. Given enough time, they may root your device, install keyloggers or other malware, or simply copy your private information for later use.
Not setting passwords on devices
It may be faster to not use PINs or other security features to unlock a mobile device, but it’s significantly riskier. An unlocked phone is vulnerable to anyone with physical access to it, and especially vulnerable if stolen.
Not using complex passwords
Many apps and websites require complex passwords, but many do not. It may be hard to remember, but it’s always best to have passwords of at least 10 characters or more, mix uppercase and lowercase letters, and use special characters.
Emailing or texting passwords to each other
Email and SMS are insecure platforms and shouldn’t be used for sharing data such as passwords, social security numbers, etc.
Too many public details on social media
Be careful how many personal details are available from your social media profiles. Information like your high school, favorite movies, and mother’s maiden name are common password reset questions. That makes it easier for someone to hijack your accounts.
Passwords in notepad on the phone
Complex passwords are hard to remember. It may seem convenient to use a notepad application on your computer or mobile device to save them for easy copy/paste access, but that exposing passwords to an insecure platform allows others to access them as easily as you do. The best place for storing passwords is inside your head.