
PREYING ON CURIOSITY AND ERROR

by: R.D. Gibson

Last year, Bird Box was released on Netflix and created a lot of buzz about its leading lady, Sandra Bullock. It was as if Generation Z had no concept of who Sandra Bullock was and what an amazing actress she is; after all, she has been in the industry longer than a lot of them have been alive.

Social media lit up. “That Lady from Bird Box”. *Gasp* We are talking about the same woman who single-handedly saved the contestants at the Miss United States pageant (“Miss Congeniality”), brought her sister’s boyfriend back from the dead as a witch (“Practical Magic”), roped in seven other amazing women to snatch a necklace at the Met Gala (“Ocean’s 8”), and drove “a really big Pinto” through Los Angeles and helped Keanu Reeves save its passengers from a literal ticking time bomb! She has done almost everything - literally!

But, in the middle of the 90s, Bullock took on the role of Angela Bennett, a computer programmer who has her identity erased after she is given highly-sensitive government-type conspiracy information on - wait for it - a floppy disk. If you have never seen it, there has to be a copy of it somewhere on the information superhighway.

From the film, the world would get just a glimpse at how much the Internet and computers could affect our lives. Fast forward 25 years, and the Internet is literally at our fingertips. Phones, laptops, wireless Internet, screengrabs, screenshots, global messaging, and the transfer of information have changed a lot - exponentially. Shopping, business transactions, and the sharing of information, images, and so much more have given everyone with WiFi and a cellular phone access to other people’s information; and this information can be used for more than just paperwork.

According to Cisco, a leader in information technology, networking, and cybersecurity solutions throughout the world, “Cybersecurity is the practice of protecting systems, networks, and programs from digital attacks.” The website elaborated on cyberattacks, directly mentioning “accessing, changing, or destroying sensitive information; extorting money from users; or interrupting normal business processes.” This just got real.

Raise your hand if you have ever received one of those emails that said, “your information has been compromised, blah, blah, blah”. It isn’t just that someone may have taken your information, but that the company or program you trusted with it had holes in its systems through which someone came in and snagged the information. Even though most of the world is permanently attached to technology, it feels like someone violated that trust.

Ed Cruz stated, “Our information is personal and sacred.” He added, “Access should only be given with explicit permission.” And, cybersecurity goes beyond the ‘strong password suggestions’ we are offered. According to an article on HelpNetSecurity.com, cybersecurity concerns and spending are rising, but so are opportunities for potential breaches. As the article cited from a 2019 report, nearly 1,000 businesses, government agencies, educational institutions, and healthcare providers were impacted by these breaches, and it cost them nearly $7.5B.

For Cruz, one of the most concerning cybersecurity risks deals with social engineering, which he explains “preys on human curiosity and error.” He pointed directly to phishing. Coincidentally, when an email sounds ‘fishy’ and just too good to be true, businesses and individuals alike should be vigilant. “Be skeptical when receiving emails of alarm forcing you to act now,” he stated. He added that phishing or spear phishing attacks happen all too frequently when links are clicked and users are brought to an infected website where malware is being used - without the user even knowing it!

What we thought was meant to help us get information at the drop of a hat has piled on another layer of anxiety for how we interact on the Internet. Another risk users can fall victim to is baiting, which uses external drives like USBs and gets users to open files with malware to do their bidding.

And then there’s ransomware. (Where are they even coming up with these names?) Cruz stated, “Many state Governments have fallen victim to ransomware.” He added that important information is technically held hostage until a ‘ransom’ is paid. It’s also a close relative of the phishing emails. According to the Cybersecurity and Infrastructure Security Agency (CISA), there has been an increase in ransomware incidents around the globe.

Seems atrocious, yes? Even more so, according to the World Economic Forum, “one in four youth in the United States will experience identity theft or fraud by the age of 18.” These kids are on apps like Instagram, YouTube, and TikTok; what more for reputable businesses where a questionable link was clicked via email?

CISA is part of the Department of Homeland Security, having been created by President Donald Trump in 2018. According to its website, its work entails federal network protection, comprehensive cyber protection, infrastructure resilience and field operations, and emergency communications.

Jenna Blas, Public Information Officer from the Guam Homeland Security Office of Civil Defense, said, “It is important, especially in this time of advanced technology when many businesses, including critical infrastructure agencies are reliant on cyber technology to conduct business.” She added, “Without good cyber hygiene, these entities risk the threat of having their cyber data breached, stolen, or shut down or worse, having customer data compromised.”

She commented that, with technological advancements throughout the world, “cybersecurity is an emergent threat”. For Blas and Cruz, the community should remain educated and vigilant about how they use technology and navigate cyberspace. “The cyber adversaries are everywhere, and prey on the uninformed and the complacent,” said Blas.

Randy Linco, an InfoSec recruiter and trainer, Certified Ethical Hacker, and consultant, stated, “Information is currency on the dark web. How much is your identity worth?” He elaborated on how people online are working overtime gathering information on anyone and anything. Linco pulls in several pop culture references, from TV shows like NCIS and Black Mirror to Hollywood blockbusters like The Social Network and Swordfish. And victims fall anywhere on the spectrum of vulnerability - from company CEOs and bosses to average, everyday salarymen and women.

Linco talked about how compromised credit cards and social security number information are not at the forefront of cybersecurity issues, but “our social-media driven lives put us at risk.” He added, “It's not a matter of whether or not we're willing to ‘accept’ the risk - it's whether or not we have an idea of the so-called "attack surface" and what can be used against us. It's not always apparent and not always

More pointedly, he cited information from Allaboutcookies.org while talking about cookies used on popular social media sites, like Facebook. Cookies collect bits and pieces of users’ personal information, like email addresses, passwords, friends, types of posts, and ‘likes’. This can also be used to build an identity about users based on their online behavior. In addition to cookies, cybersecurity can always boomerang its way around plain old data breaches. But, according to Linco, it takes a conscious effort every day to make sure we know what we’re up against and the consequences.

From the common, everyday websurfer to larger businesses, working with cybersecurity requires “understanding the risks and putting together a realistic, consistent, and scalable security education and training plan…” With literally almost every bit of information on devices, it isn’t difficult to navigate our way to educating ourselves and taking a minute or five to read up on protecting our information - heck, some of them are video tutorials on YouTube.

The Guam Homeland Security Office advised businesses to practice several “simple steps” to improve cybersecurity. These include using and regularly updating anti-virus and anti-spyware software, securing Internet connections with firewalls, establishing and implementing security practices to protect sensitive information, investing in data loss prevention software, and training employees on ‘cyber hygiene’, among others.

Cruz simply advised to stop when something is suspicious, question everything that comes up on a screen, and look at the legitimacy of emails or any communication.

Sometimes it’s taking a step back from what we’re already doing and examining how we can make it better. Linco said, “Ease up on the paranoia and FUD (Fear, Uncertainty, and Doubt) and open up conversations based on what we're actually seeing.” It’s also important to talk about real-world concepts and incidents. He pointed to very common cybersecurity red flags, including catfishing, having unknown or unfamiliar information come up on a credit report, having computers slow down because of malware and adware, and accounts opening up in your name, just to name a few. Incidents like these require a broader conversation with professionals and offer an opportunity to learn how to take preventative measures rather than reactive ones when it could be too late.

With how much information the general public actually puts out there, it doesn’t seem too difficult for someone to take that information and share it. It requires users, businesses, government agencies, and even young children to get a little education about what it is they’re working with, and how they can protect their information.

Earlier this year, another film from the 90s called Hackers popped back up. It was one of Angelina Jolie’s first features; a cult classic. It was about a group of pre-millennium, high school computer geniuses who began working on a way to bring down a corporation for its extortion practices. Through all of the keyboard clacking and “who has the better, more elaborately designed laptop” competitions, it shed some light on just what anyone with an Internet connection could literally do at that time with a plain old connection to a landline; imagine what it is like now.

Some Basic Tips

1. Keep Your Software Up to Date
   • Turn on automatic system updates for your device
   • Make sure your desktop web browser uses automatic security updates
   • Keep your web browser plugins like Flash, Java, etc. updated

2. Use Anti-Virus Protection & Firewall

3. Use Strong Passwords & Use a Password Management Tool
   • Drop the complex mixture of upper case, symbols, and numbers. Instead, make it a phrase that you can remember like “!L!k3Chocolat3!c3cr3amW!thNoNuts”.
   • Don’t use the same password twice.
   • The password should contain at least one lowercase letter, one uppercase letter, one number, and four symbols but not the following &%#@_.
   • Never leave a password hint out in the open or make it publicly available for hackers to see
   • Reset your password if you forget it.

4. Use Two-Factor or Multi-Factor Authentication

5. Learn about Phishing Scams – be very suspicious of emails, phone calls, and flyers
   • Don’t open email from people you don’t know
   • Hover over a link to discover where it directs to
   • Be suspicious of the emails sent to you in general – look and see where it came from and if there are grammatical errors
   • Malicious links can come from friends who have been infected too.

6. Protect Your Sensitive Personal Identifiable Information (PII)

7. Use Your Mobile Devices Securely
   • Create a Difficult Mobile Passcode – Not Your Birthdate or Bank PIN
   • Install Apps from Trusted Sources
   • Keep Your Device Updated – Hackers Use Vulnerabilities in Unpatched Older Operating Systems
   • Avoid sending PII or sensitive information over text message or email

8. Don’t Use Public WiFi

9. Review Your Accounts & Credit Reports Often for Changes
