
NEVER CLICK AND TELL

Although data breaches of confidential personal information typically raise the most concern among consumers, social media users often forget how much personal information they themselves provide to strangers.

Billions of users are now connected on social media and criminals are there, too, lurking for information they can use to their advantage. Cybersecurity experts say it’s more important than ever to limit the information you make publicly available, no matter how insignificant it may seem.

Social media photos can reveal both valuables and insecure entry points into your home or office that make burglaries easier to plan.

Sharing about your current location or an upcoming or in-progress vacation broadcasts an unoccupied home, putting property at risk of physical theft.

Too much detail in your social media profile can reveal answers to password reset questions, making account credentials easy to crack.

And those popular social media quizzes? Cybercriminals often use your publicized answers to carry out social engineering attempts.

Before you “click and tell,” think like a criminal. How could the information you’re sharing be useful to someone who wants to steal your identity, gain access to your accounts or otherwise harm you, your family or your employer?

While it’s not too late to remove information that’s too revealing, remember that even the information “deleted” from social media sites can live on forever via screen captures, cached pages and data backups.

Rather than working to remove sensitive information after the fact, consider not sharing it in the first place so it doesn’t get into the wrong hands.

Copyright © 2019, Optiv Security Inc. All rights reserved. Only for internal commercial and/or educational use by Optiv customer.


STRANGER THINGS: Update Privacy Settings

Would you want a stranger to know your physical location? What about your phone number, your children’s names, or sites you access regularly? If privacy settings on your devices, social media or search history are too broad, that’s exactly what can happen. Use the tips below to review your privacy settings.

DEVICES

Lock Up! Device theft happens. Protect information on devices, even if they are stolen or compromised, with a screen lock and a strong PIN, pattern or biometric method to gain access.

Where Are You? Review which apps use your location and disable the setting for those that aren’t necessary.

Permission Denied. Monitor and restrict permissions requested by apps when they seem excessive.

SOCIAL MEDIA

Lost and Found. Can strangers find your social media profiles when searching by name, email address or phone number? Check the discoverability settings for your profile to reduce exposure.

Public Post? When you post, who can see your content? Limit your audience by sharing only with legitimate connections.

Safe Selfies. Do you carefully review photo and video posts for details that are unintentionally revealed in images?

SEARCH HISTORY

History Lesson. Many users don’t realize that popular search engines track user search histories to enable relevant advertising and results. Review your search history settings to see if you’re being tracked.

Shared Space. Many search engines share search histories and advertising profiles with partners. Opt out if you can.

Local Results. Search engines can use location data to improve relevance. Consider privacy when allowing this access.

KEEP TABS ON YOUR APPS: Best Practices

Your device’s operating system is the backbone of its functionality, but apps enable you to interact with components, features and services. Unfortunately, malicious apps can also enable cybercriminals to interact with your device - often without your knowledge.

To protect your device and the information stored within, follow the PRO rule when considering whether to install apps: place, reputation, and outside connections.

PLACE

Obtain apps only from reputable sources.

Official app stores like the Apple App Store, Google Play and the Amazon Appstore incorporate standards that apps must meet in order to be offered in these marketplaces.

While this does not mean all apps from these retailers are safe, it does reduce risk by allowing you to review relevant details to scrutinize the safety of an app and by providing an avenue to report any malicious activity.

Never install apps from unknown sources or apps that cannot be properly researched.

REPUTATION

Ensure apps have a positive reputation before installing them on your devices. Examine and research the publisher and permissions for any signs that raise suspicions. Check the ratings and read reviews from other users for reports of unusual behaviors or performance issues like battery drain or high data usage.

OUTSIDE CONNECTIONS

If an app offers the ability to log in using existing credentials from other services like social media, a Google account or your Apple ID, be wary.

Connecting accounts across services is risky. If one account is compromised, others using the same credentials will follow. Instead, create a unique login for each app or service.


SHAKE UP YOUR PASSPHRASE PROTOCOL: Strong, Unique Passwords

Password, passphrase, keyword, login credential - no matter what you call it, it’s the first line of defense against unauthorized access to your accounts, so yours should be as strong and unique as possible.

Every account or service should have its own unique, complex password. Using the same password across multiple accounts invites disaster. If credentials are compromised for one account, it’s easy for a cybercriminal to gain access to any other account using the same password.

While most accounts have minimum requirements for password creation, such as number of characters and types of characters, don’t opt for the bare minimum. It’s not the safest option.

Shorter passwords are easier to crack by both computer algorithms and human attackers, so increased length reduces the chance that your password can be guessed.

It’s all in the math: a password made up of eight letters, numbers and special characters can have 645 trillion possible combinations. Adding just one additional character to the length increases the number of possible combinations to 45 quadrillion.

If you use the same password strategy in all your accounts, a cyberattacker could quickly recognize the pattern. For example, some users think it’s safe to use the same password if they add an account identifier like “Amazon.C00ki3s4Evr” for an Amazon account and “Gmail.C00ki3s4Evr” for a Gmail account.

Shake up your strategy for each account to ensure there’s no logical pattern to be found.
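The password math and the reuse pattern described above, as an added example that is not part of the Optiv newsletter. The alphabet of 71 symbols is an assumption, chosen because it reproduces the 645 trillion and 45 quadrillion figures; `reused_patterns`, `VAULT` and the "bank" passphrase are illustrative names and values.

```python
from itertools import combinations

ALPHABET = 71  # assumption: symbol count that reproduces the page's two figures


def keyspace(length, alphabet=ALPHABET):
    """Number of possible passwords of exactly `length` symbols."""
    return alphabet ** length


def longest_common_substring(a, b):
    """Dynamic-programming longest common substring (case-sensitive)."""
    best_len, best_end = 0, 0
    prev = [0] * (len(b) + 1)
    for i in range(1, len(a) + 1):
        cur = [0] * (len(b) + 1)
        for j in range(1, len(b) + 1):
            if a[i - 1] == b[j - 1]:
                cur[j] = prev[j - 1] + 1
                if cur[j] > best_len:
                    best_len, best_end = cur[j], i
        prev = cur
    return a[best_end - best_len:best_end]


def reused_patterns(passwords, min_len=6):
    """Flag account pairs whose passwords share a core of min_len+ characters.

    Returns (account_a, account_b, shared_core, unknown_left) tuples, where
    unknown_left is how many characters of account_b's password remain
    unknown to someone who already holds account_a's password.
    """
    findings = []
    for (acct_a, pw_a), (acct_b, pw_b) in combinations(passwords.items(), 2):
        core = longest_common_substring(pw_a, pw_b)
        if len(core) >= min_len:
            findings.append((acct_a, acct_b, core, len(pw_b) - len(core)))
    return findings


# The two passwords quoted on the page plus one constructed, unrelated passphrase.
VAULT = {
    "amazon": "Amazon.C00ki3s4Evr",
    "gmail": "Gmail.C00ki3s4Evr",
    "bank": "plum-Radio7!tango",  # constructed sample
}

if __name__ == "__main__":
    print(f"8 characters: {keyspace(8):,} combinations")
    print(f"9 characters: {keyspace(9):,} combinations")
    for a, b, core, left in reused_patterns(VAULT):
        print(f"{a}/{b} share {core!r}; only {left} characters differ "
              f"({keyspace(left):,} guesses instead of {keyspace(len(VAULT[b])):,})")
```

For the Gmail password, the 17-character keyspace collapses to the 5 characters outside the shared core, and those 5 are the service name itself.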

Still using the same password you did a decade ago? You’re overdue for an update. Passwords should be changed regularly and you should avoid using the same password again for at least a year.

In addition, if any of your accounts are compromised, you should immediately change passwords for all accounts to limit the risk of additional compromise. Even if accounts don’t share a common password, it’s possible a cybercriminal may have your credentials for other accounts or services.

Creating a Password

Unique passwords can be created easily:

Start with a long, memorable phrase: I brake for turtles

Replace some letters with numbers and symbols: !brake4turtles

Change some characters to uppercase: !BRAKE4turtles

REINFORCE YOUR CREDENTIALS: Multi-Factor Authentication

A strong and secure password is one step toward limiting access to your accounts. But any password, no matter how strong, can be compromised when data breaches, malware, human error or phishing attempts expose credentials.

Adding an extra layer of security by enabling multi-factor authentication can limit access to your accounts, even if someone does get their hands on your password.

Multi-factor authentication helps to confirm you’re the individual attempting to log in by using a combination of at least two types of verification in addition to your username: something you know, something you have and something you are.

If your password (something you know) is compromised, anyone attempting to log in to an account with multi-factor authentication enabled must also be able to access and verify the additional factor or factors (something you have or something you are) before access is granted.

If the additional factors cannot be confirmed, the login is denied.

Many of your existing accounts likely offer a multi-factor authentication method. Check the settings in your accounts and enable multi-factor authentication as soon as possible to protect your accounts and information.

Some services can also notify you if someone attempts and fails to access your accounts. Enabling this option can alert you to possible nefarious activity.

SOMETHING YOU KNOW:

• Password

• PIN

SOMETHING YOU HAVE:

• Authentication code delivered by text message, email, phone call or token device

• Login verification request from a mobile application linked to your account

• USB device plugged into the device attempting to access the account

SOMETHING YOU ARE:

• Fingerprint scan

• Facial recognition

• Retina scan

• Voice recognition


SHOP SAFE ONLINE: Five Tips for Finding Deals Without the Steals

Shopping online is convenient and quick. Without leaving the comfort of your home or office, you can order groceries for the week, purchase a new wardrobe, and send a gift to friends and family across the country.

Sales completed online are quickly outpacing those conducted in physical stores and online buyers can now purchase almost anything and have it delivered to their front door, sometimes the same day.

This level of convenience is not without risks, however, and cybercriminals are pouncing. Theft of your personal and financial information is an ever-present threat, so be sure you know how to be a smart online shopper.

The five tips below highlight simple steps you can take to make your online shopping experience safer.

BRAND

Shop with reputable retailers. Unfamiliar shopping sites may be nothing more than a fake retailer set up to steal information.

BUYER BEWARE

Found a deal that’s too good to be true? That’s probably because it is. An unreasonably high discount should raise suspicion.

CONNECTION CHECK

Never shop online when connected to public WiFi. Your information can be intercepted. Use a private, secure connection instead.

SECURE SITE?

Check the web address of the site. If it doesn’t start with “https://” it is not a secure site and information exchanged is not encrypted.

FRAUD PROTECTION

Use a payment method that offers liability protection for fraudulent purchases or transactions. Most credit cards offer this feature.

PLAYING HARD TO GET: How to Spot and Avoid Phishing Emails

Phishing emails are false messages used to bait unsuspecting recipients to divulge information or download malicious files that wreak havoc on a device.

Most phishing emails appear to come from someone other than the actual sender and many seem authentic. This dangerous disguise is one of the most common methods used by cybercriminals to obtain sensitive data.

Understanding some of the basic characteristics of phishing emails can help you recognize and respond appropriately when a phishing attempt lands in your inbox.

Review all emails carefully, even those that appear to come from a known contact. Cybercriminals can easily “spoof” someone from your contact list.

For tips regarding general characteristics to watch for, compare the sample email on the left and the characteristics below.


Characteristic #1 - Unusual Senders & Recipients

Check the senders and other recipients for anything strange. Is the sender’s address unfamiliar or does it contain misspellings? Do any other recipients seem normal for the type of message sent?

Characteristic #2 - Generic Greetings

Does the sender greet you by name? Generic greetings like “Dear Customer”, “Dear Client” or “Dear User” should be a red flag, but beware that some phishing emails may still address you by name.

Characteristic #3 - Errors & Unusual Language

Frequent misspellings, unusual wording and grammatical errors are common in phishing emails. Messages containing this characteristic should be approached with caution and reviewed carefully.

Characteristic #4 - Unusual Links & Attachments

Do not click links or open attachments in suspicious messages. If the message appears to be related to a real service, navigate directly to its legitimate site to log in. Attachments may contain malware.

Characteristic #5 - Generic Signature

Phishing emails often contain a generic signature like “Administrator”, “Customer Service Team” or “IT”. If the signature seems generic or suspicious, check the message for other signs of phishing.

These characteristics are meant to serve as a general guide. Some phishing emails may contain none of these characteristics.
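One way to turn characteristics #1, #2, #4 and #5 into a mailbox-side check, as an added example that is not Optiv's code. `KNOWN_DOMAINS`, the helper names and both sample messages are constructed for illustration; characteristic #3 (language errors) is left out because it needs a dictionary or language model.

```python
import re
from email.message import EmailMessage
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

GENERIC_GREETINGS = ("dear customer", "dear client", "dear user")      # from the page
GENERIC_SIGNATURES = ("administrator", "customer service team", "it")  # from the page
KNOWN_DOMAINS = {"example.com"}  # assumption: domains this mailbox expects mail from

class BodyParser(HTMLParser):
    """Collects visible text lines and (href, link text) pairs from an HTML body."""
    def __init__(self):
        super().__init__()
        self.lines, self.links, self._href = [], [], None
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
    def handle_endtag(self, tag):
        if tag == "a":
            self._href = None
    def handle_data(self, data):
        if data.strip():
            self.lines.append(data.strip())
            if self._href is not None:
                self.links.append((self._href, data.strip()))

def host(url):
    """Hostname of a URL, or of a bare domain such as 'example.com/login'."""
    return (urlparse(url if "://" in url else "//" + url).hostname or "").lower()

def phishing_indicators(msg, known_domains=KNOWN_DOMAINS):
    """Return the sorted characteristic numbers (1, 2, 4, 5) that fire for msg."""
    hits = set()
    sender = parseaddr(str(msg["From"]))[1].rpartition("@")[2].lower()
    reply_to = parseaddr(str(msg.get("Reply-To", "")))[1].rpartition("@")[2].lower()
    if sender not in known_domains or (reply_to and reply_to != sender):
        hits.add(1)  # unfamiliar sender, or replies routed somewhere else
    parser = BodyParser()
    parser.feed(msg.get_body(preferencelist=("html", "plain")).get_content())
    parser.close()
    if parser.lines and parser.lines[0].lower().startswith(GENERIC_GREETINGS):
        hits.add(2)  # generic greeting
    for href, text in parser.links:
        # Link text that names one site while the href points at another.
        if re.match(r"(https?://)?[\w-]+(\.[\w-]+)+", text) and host(text) != host(href):
            hits.add(4)
    if list(msg.iter_attachments()):
        hits.add(4)  # attachment present
    if parser.lines and parser.lines[-1].lower().strip(" .,-") in GENERIC_SIGNATURES:
        hits.add(5)  # generic signature
    return sorted(hits)

def sample(sender, greeting, href, signature, attach=False):
    """Build a constructed test message; every value is illustrative."""
    msg = EmailMessage()
    msg["From"], msg["To"], msg["Subject"] = sender, "user@example.com", "Account notice"
    msg.set_content(f"<p>{greeting}</p><p>Sign in at "
                    f'<a href="{href}">https://example.com/login</a></p>'
                    f"<p>{signature}</p>", subtype="html")
    if attach:
        msg.add_attachment(b"constructed", maintype="application",
                           subtype="octet-stream", filename="invoice.bin")
    return msg

SUSPICIOUS = sample("Support <help@examp1e.test>", "Dear Customer,",
                    "http://login.invalid/verify", "Customer Service Team", attach=True)
BENIGN = sample("Dana <dana@example.com>", "Hi Sam,",
                "https://example.com/login", "Dana")
```

An empty result only means none of these four heuristics fired; it is not a verdict that the message is safe.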


DON’T HESITATE, UPDATE: Strengthen the Security of Your Devices

Clicking “Later” or “Dismiss” when a device or software prompts you to update to the latest version is a precarious practice. It may seem harmless to put off an update until tomorrow or continue using an outdated operating system, but doing so greatly increases the chance of a successful cyberattack.

Updates are not merely suggestions intended to annoy users. They serve a very important purpose: repairing known bugs and vulnerabilities that cyberattackers can use to access your device and steal information or install malicious software.

Developers are constantly looking for security holes within their software. Once a risk has been discovered, these same developers correct the problems identified and push out updates. If you don’t update the software, you remain vulnerable and cyberattackers will know which specific vulnerabilities to exploit in the outdated software.

When it comes to antivirus, antimalware and other system security components, updates also increase your protection against general threats to your system as a whole. Updates to security software often include new virus definitions and malware identifiers used to identify and defend against the latest threats.

If you use a browser to access the internet, browser updates can help protect and alert you about newly-discovered malicious sites, dangerous plug-ins or unsafe extensions.

Running outdated software puts your device and information at risk of exposure or damage. Doing so on work devices also threatens your organization’s data.

Whenever a device or piece of software prompts you to update, do not ignore the notification. Instead, immediately save your work, install the update and restart your device. Most updates will not be completely effective until you restart.

You can also take a more proactive approach by manually checking for updates on a regular basis rather than waiting for a prompt. Some updates may not provide a notification, so this method will keep you one step ahead.

STAY GUARDED, YOU’RE A TARGET: WiFi Safety

Is there a cybersecurity threat in the air around you? Surprisingly, yes. With today’s wireless technology, the days of computers and devices being cord-bound are nearly gone and wireless signals now carry the majority of our communications.

With WiFi access points at home, at work and in the community, today’s technology is almost always just one quick connection away from the internet.

Unfortunately, this means that criminals are also one quick connection away from our devices and information.

Unsecure wireless connections - those that do not require a password or PIN to gain access - are located in people’s homes, offices and businesses.

A favorite trick of cybercriminals is to join these poorly-secured connections to quietly monitor activity and steal data moving across the network.

If you connect to an open and unsecured wireless network, anyone with the right program and skills can intercept almost anything you are sending or receiving over the connection.

When your home WiFi network is not adequately protected, anyone within the signal’s reach can join and use your network to secretly connect to and monitor other devices within your home or carry out illegal or malicious activities that could be tied to you.

In public areas like airports, hotels and coffee shops, cybercriminals often set up fake WiFi networks to lure in unwitting connectors. Once you’re connected, these criminals monitor and steal the information you’re sharing on the connection or prompt you to download malicious software.

Limiting connections to those you can control and secure with a strong password reduces the risk of this type of exposure.

If you must use a WiFi connection outside of your control, ensure it is a legitimate connection and limit its use to activities that don’t involve exchanging any personal information.

Using a virtual private network (VPN) when connecting to a public network can also help to protect your information. This type of connection encrypts data sent and received so it cannot be so easily intercepted.

WiFi Best Practices

• Avoid connecting to a WiFi network you do not own or control, like those in public spaces such as airports, coffee shops and businesses.

• If you must connect to a public WiFi network, ensure it is legitimate and properly secured. Limit any activities that exchange personal information.

• If possible, use a virtual private network (VPN) while connected to a public WiFi network to encrypt the connection.

• Protect your home WiFi network with a unique, secure password. Never use the default password on the router.

• If you have guests in your home, implement a separate guest WiFi network with an equally strong password.


IF YOU COLLECT IT, PROTECT IT: Data Privacy

No matter your job, there’s a strong possibility that you collect or interact with some sort of customer or employee data. As such, it is your responsibility to protect and maintain that data as if it were your own.

When data is compromised, the consequences are costly and far-reaching for everyone involved.

Identity theft, insurance fraud, brand damage, financial losses and phishing and social engineering attacks affect both organizations and their customers when information is not properly protected.

Cybercriminals will use whatever means necessary to obtain sensitive information and use it to cause personal harm and harm to the organization, so it’s important for you to understand how to properly store, handle and dispose of the data you collect and use.

Be mindful of how you handle both hard copies and electronic data. Store hard copies and drives in locked file cabinets or drawers. Only print to a secure printer when a hard copy is truly needed and retrieve your printed documents immediately.

Make sure to use only approved secure file transfer technologies and encrypt data when sending sensitive items.

Back up data regularly. Archive old data as read-only and store it according to the data retention policy of your company.

When sensitive information is no longer in use or needed, always properly remove the data to eliminate further access to it.

Data found on computer hard drives, flash drives, mobile devices and other technology can all be used by a cyberattacker if it is not removed prior to sale or disposal. Ensure data is removed from all areas of the device including archives, copies, back-ups and downloads.

Even deleted files can be easily accessed if not removed completely. Work with your internal support team to ensure proper removal of this data.

Physical documents that are no longer needed should be disposed of by shredding them in a shredder that renders them incapable of being reassembled.
