Staying safe online: Observing good digital hygiene

Published: Oct 09, 2017
Author: Amy Ayers

Online safety is more important than ever. Almost half of the world's population are using the internet. And they’re not just using it to access general information, but also to conduct their sensitive business online—including financial, health, personal and business transactions.

We’re also seeing the rise of Internet of Things (IoT) technology. Today’s connected devices contain a wealth of sensitive data, making them a tempting target for cyberattacks. Combined with the increasing use of the internet for social media, web browsing, and business transactions, this has created many opportunities for cybercriminals seeking to compromise devices and steal data.

A quick query of VERIS (Vocabulary for Event Recording and Information Sharing) for 2016 revealed that 23% of data breaches were associated with banking Trojan viruses that started as a result of social engineering attacks against customers. In terms of malicious software, the top two vectors for malware installation were email (via attachment, link or auto-execution) at 73%, and website drive-by at 6%.

Although this information is based on data breaches targeting businesses, it helps to illustrate an important point. Cybercriminals have been very successful at infecting computer systems by introducing malware through email and websites—the two services most people use on a daily basis.

Maintaining digital hygiene at home

Good digital hygiene is important both at home and at work. A single compromised device could result in a threat actor gaining information that could help them access other devices or accounts. This means that a compromised home device could lead to an attack on business assets. Files may be stolen, re-used passwords cracked, or home email accounts hacked—giving the attacker what they need to gain access to the victim’s corporate network.

The attack could be as simple as accessing the victim’s corporate email with the same password they’ve used for their personal email. A more complex scheme could involve blackmailing an employee with personal photos or information stolen from their home system.

It’s also important to maintain good digital hygiene at home because poor security habits may carry over into the workplace. There’s a risk that employees could bring this relaxed attitude to work, or even forget about security best practices because they’re not using them at home.

A lesson from the 2017 Data Breach Digest

The importance of staying safe online is illustrated by a real-life scenario featured in the 2017 Data Breach Digest (DBD), called “Mobile Assault—the Secret Squirrel.”

In this incident, a traveling Chief Security Officer (CSO) reported that his laptop and cellphone were displaying odd behavior after his return from an overseas trip. The organization had issued him with a temporary travel laptop and phone to minimize the impact from any compromise. Although strict policies were in place, the CSO reported leaving the devices in his room when hitting the gym and connecting to public Wi-Fi.

Verizon analyzed the devices looking for known malicious indicators of compromise (IoCs). Several IoCs were identified on each system, including Windows Registry changes, scheduled tasks with known malware names, and malicious domains. An in-depth examination revealed that these two infections were likely unrelated and opportunistic, rather than targeted threats.

An application had been installed on the smartphone to avoid overseas call charges, and this application was vulnerable to code injection attacks when connected to the public Wi-Fi. The malware on the laptop was determined to be the result of a drive-by download from a malicious advertisement displayed on a webpage.

This organization was well prepared, and by providing dedicated travel devices had prevented this minor incident from becoming a major one. But improved digital hygiene might have prevented this incident all together.

Recommendations for staying safe online

There are many threats to online safety—at home, in the workplace and while travelling. These include social engineering, website malware, malicious emails, social networking scams, cyber harassment, and hacked accounts or devices. It’s imperative that all internet users understand these threats and practice good digital hygiene on a daily basis. Below are some tips for staying safe online.

Email security

  • Never provide information by email, phone, text or any other method to an unknown person. Always verify the requestor's identity before passing on information.
  • Carefully evaluate domain names and email addresses for misspelling (for example, “@Verizon” not “@Ver1zon”).
  • Double-check embedded links by hovering over them, so you know what they are pointing to.
  • Only open attachments from known senders, and if they’re expected.
  • Always check the “reply to” address before you reply.
  • Virus scan all email attachments, even those sent by known persons.
  • Educate yourself on current scams. Keep in mind that Microsoft won’t call you because your computer is infected. And it’s fairly safe to assume that no-one has left you a million dollars.
  • Be wary of any email concerning a recent disaster or asking for donations.

Web browsing security

  • Be careful where you browse. Just because a link appears in Google, or was sent by a friend, does not mean it is safe. If you need to access an unknown site, do some research first.
  • Check your web browser settings for proper security, including third-party cookies, web history and add-on settings.
  • Don’t store passwords in web browsers.
  • Don’t install untrusted or unknown plug-ins.
  • Even known safe sites are prone to compromise, so always virus-scan downloaded files.
  • Keep your anti-virus up to date, and don’t be fooled by fake anti-virus pop-ups.

Social media security

  • Don’t accept friend requests from people you don’t know.
  • Harassment is harassment, whether it’s face-to-face or online. Always report it.
  • Be careful what you post online. Understand your account security settings and who can read your posts.
  • Don’t share personal information that can be used against you.
  • Never put anything in writing you would not want the whole world to read. Remember, social network sites can be hacked and your private messages could be made public.

Home security

  • Use WPA2 encryption on wireless networks.
  • Change default router names and passwords.
  • Don’t broadcast your Service Set Identifier (SSID).
  • Create a guest network for visitors (but still use a strong password).
  • Use the Access Control List (ACL) function to prevent rogue connections.
  • Encourage employees to use their online security training at home, along with anyone who may be using their home network.

Device security

  • Keep all systems up to date with security patches.
  • Keep virus scanners up to date and never disable them.
  • Be aware of suspicious system behavior.
  • Don’t plug in unknown USB devices, accept devices from strangers or share storage devices with friends.
  • Keep personal USB storage devices encrypted. Securely wipe and physically destroy old devices.
  • Avoid connecting to public Wi-Fi. If using it is necessary, do not conduct sensitive transactions.

Keep physical security in mind

  • Be constantly aware of your devices and your surroundings; never leave a device unattended in public.
  • Encrypt and protect all of your devices with strong passwords.
  • Never be so engrossed in looking at your mobile device while in public that you do not notice your surroundings, such as physical hazards or potential thieves.

More about Data Breaches

Would you like to know more about data breaches?

2017 Data Breach Investigations Report

Get the 2017 Data Breach Investigations Report (DBIR). It’s our foremost publication on security, and one of the industry’s most respected sources of information.

http://www.verizonenterprise.com/verizon-insights-lab/dbir/2017/

2017 Data Breach Digest

Read the 2017 Data Breach Digest (DBD) for the story of Verizon’s most intriguing cybercrime investigations. Learn about the attacker’s tactics, the victim’s mistakes and the scramble to limit the damage.

http://www.verizonenterprise.com/verizon-insights-lab/data-breach-digest/2017/

About the author

Amy Ayers holds a Master’s Degree in Cybersecurity, Intelligence and Forensics and is a Certified GIAC Forensic Analyst. Amy is a Senior Security Consultant working as part of the VTRAC (Verizon Threat Research Advisory Center) Investigative Response Team. As part of the VTRAC IR Team, Amy responds to cybersecurity incidents, including data breach and PCI incidents, provides incident response training along with tabletop simulation exercises and performs incident response capability assessments.