October means baseball playoffs and National Cybersecurity Awareness Month. Governments, businesses, and individuals should be actively promoting and implementing security practices every day, but it’s still a good idea to focus more time on security. Hence, cybersecurity awareness month.
This is the 13th year the United States is observing National Cybersecurity Awareness Month (NCSAM). NCSAM is sponsored by the nonprofit 501(c)(3) organization National Cybersecurity Alliance and the Department of Homeland Security’s National Cybersecurity Division.
This year there are five themes, one for each week of the month:
Week 1: Simple Steps to Online Safety
There will always be someone trying to circumvent security controls to steal something of value from individuals, so you must learn to be vigilant. Many compromises start with a person answering, or clicking a link in, a spam or phishing email. The security systems that try to block these attacks do not stop every message, so the final judgement on whether an email is legitimate is up to the individual.
Some things to keep in mind:
- If you don’t recognize the sender, feel free to ignore and delete the message. If it is really important, the sender will try again by phone, text message, or a real letter in the mail.
- If the message is urgent in nature, demanding that you “act now” because something bad is about to happen, such as your electricity being shut off, the IRS auditing you, or your bank account being hacked, stop and think about your recent activity with that organization. Call its customer service line using a number you already have (from a statement, the back of your card, or the organization’s own website), not a number taken from the message, and verify that the account in question is in order. Do not reply to the email: a reply tells the attacker that your address is live and that you read the message. As for the threat of an IRS audit, the IRS will almost always contact you first by mail through the United States Postal Service, not by email.
This is only scratching the surface of protecting yourself online. You may also want to learn more about protecting yourself when shopping online, or how to prepare for ransomware. Check out StaySafeOnline.org’s Online Safety Basics for more information.
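The checks above (a sender you do not recognize or whose Reply-To goes somewhere else, “act now” pressure, and links that do not go where their text says) can be applied mechanically before a human makes the call. The script below is an added example written for this post, not code from the original article or from any vendor product; the sample messages, domains and the list of urgency phrases are constructed for the example, and it is a heuristic triage, not a verdict.

```python
"""Heuristic phishing triage for a single email message (added example)."""
import email
import email.utils
import re
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Phrases typical of the "act now" pressure described above (assumed list).
URGENCY_PHRASES = (
    "act now", "immediately", "within 24 hours", "account has been",
    "will be suspended", "will be shut off", "verify your account",
)
_DOMAIN_IN_TEXT = re.compile(r"[\w-]+(?:\.[\w-]+)+")


def domain_of(header_value: str) -> str:
    """Domain of the address in a From/Reply-To header, lowercased ('' if none)."""
    _, addr = email.utils.parseaddr(header_value)
    return addr.rpartition("@")[2].lower()


class _LinkCollector(HTMLParser):
    """Collect (href, visible anchor text) pairs from an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _under(host: str, domain: str) -> bool:
    return host == domain or host.endswith("." + domain)


def triage(raw_message: str) -> dict:
    """Parse one RFC 5322 message; return the sender domain and a list of findings."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    findings = []

    from_dom = domain_of(msg.get("From", ""))
    reply_dom = domain_of(msg.get("Reply-To", ""))
    if reply_dom and reply_dom != from_dom:
        findings.append(f"Reply-To domain {reply_dom} differs from From domain {from_dom}")

    body = msg.get_body(preferencelist=("html", "plain"))
    text = body.get_content() if body is not None else ""
    lowered = text.lower()
    hits = [p for p in URGENCY_PHRASES if p in lowered]
    if hits:
        findings.append("urgency language: " + ", ".join(hits))

    if body is not None and body.get_content_type() == "text/html":
        collector = _LinkCollector()
        collector.feed(text)
        for href, anchor in collector.links:
            host = (urlparse(href).hostname or "").lower()
            shown = _DOMAIN_IN_TEXT.search(anchor.lower())
            # Anchor text that looks like a domain while the link goes elsewhere.
            if shown and host and not _under(host, shown.group(0)):
                findings.append(f"link text shows {shown.group(0)} but goes to {host}")
            # Link host outside the sender's own domain.
            if host and from_dom and not _under(host, from_dom):
                findings.append(f"link host {host} is not under sender domain {from_dom}")

    return {"from_domain": from_dom, "findings": findings,
            "suspicious": len(findings) >= 2}


# Constructed sample: a credential phish dressed up as a bank alert.
PHISH_SAMPLE = """\
From: "First Example Bank" <alerts@mail-notify.example.net>
Reply-To: support@account-verify.example.org
To: customer@example.com
Subject: Your account has been locked
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Your account has been locked due to unusual activity.</p>
<p>Act now to avoid suspension:
<a href="http://login.account-verify.example.org/restore">https://www.firstexamplebank.example.com/login</a></p>
</body></html>
"""

# Constructed sample: a routine newsletter with nothing to flag.
BENIGN_SAMPLE = """\
From: newsletter@example.com
To: customer@example.com
Subject: October newsletter
Content-Type: text/plain; charset="utf-8"

Here is this month's update. No action is needed on your part.
"""

if __name__ == "__main__":
    for name, sample in (("phish", PHISH_SAMPLE), ("benign", BENIGN_SAMPLE)):
        result = triage(sample)
        print(name, "suspicious" if result["suspicious"] else "clean")
        for finding in result["findings"]:
            print("  -", finding)
```

The “link text shows X but goes to Y” check is the one that catches most of what a reader cannot see without hovering over the link; the Reply-To and sender-domain checks are weaker on their own, since legitimate bulk mail often uses a separate sending domain, which is why the script requires two findings before it calls a message suspicious.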
Week 2: Cybersecurity in the Workplace is Everyone’s Business
Many organizations offer security awareness training to their employees. When a spam or phishing message does get past the filters and into a user’s inbox, you want that person to know how to recognize it, report it, and delete it.
Often organizations start by testing users with an automated phishing-simulation tool. The tool sends employees an emulated phishing message and records whether they click the link or enter their username and password on the landing page. An employee who falls for the message is immediately shown a message or web page explaining that this was a test and how they can do better.
It is far less effective to withhold that immediate feedback and have someone in management follow up with the employee about the failed test later. Another common failure is to run the test before anyone has been trained on phishing and spam, and then wonder why the initial results are so poor. The goal is not to train people to pass a test; it is to educate them about what they are looking for. The best approach is to provide the initial training in person. That gives employees time to ask questions and interact with each other, and during these sessions people will often share times they were duped by a spam or phishing message themselves. During that training:
- Tell employees they will be tested at random, to reinforce what they learned.
- Be upfront that some fellow employees will still fall for the phish, and that this is how everyone gets better.
- Let them know the test phishes will be challenging, because real malicious actors will not go easy on them either.
When providing security awareness training to employees, make it about them. Apart from the specific policies and standards employees are expected to follow as part of the organization, everything else in the training applies to their personal life as much as their professional one.
Week 3: Today’s Predictions for Tomorrow’s Internet
IoT devices are cheap and easy to use; most are plug in and go. They are built on stripped-down or proprietary operating systems that have never been tested for security. A full operating system takes up a lot of space, so IoT manufacturers remove services that are not strictly required to fit the firmware on the chip, and those are often the very services that provide security (logging, update mechanisms, and the like). When a flaw is found, a malicious actor can hide in these devices and collect information about your organization.
Mitigating the risk of IoT devices is no different from mitigating the risk of any other device on your organization’s network: restrict each device to the systems it is permitted to reach on the internal network, and allow it to connect only to the Internet services it actually needs. If the vendor offers patches and updates, apply them under your organization’s patch management policy. Under your vendor management program, IoT vendors should be subject to the same restrictions and rules as any other vendor.
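The “only what it needs” rule above is easiest to keep honest when the permitted destinations are written down once and then used both to enforce the policy and to check what the devices are actually doing. The script below is an added example written for this post, not code from the original article or from any product: it keeps a per-device-class allowlist, checks constructed netflow-style records against it, and renders the same allowlist as nftables rules for a forward chain with a drop policy. The IoT segment (10.20.0.0/24), the device inventory, the vendor endpoints and the flow records are all assumptions made for the example.

```python
"""Egress allowlist for an IoT network segment: check and enforce (added example)."""
import csv
import io
from ipaddress import ip_address, ip_network

IOT_SEGMENT = ip_network("10.20.0.0/24")          # assumed IoT VLAN
RESOLVER_NTP = "10.20.0.1"                         # assumed local DNS/NTP relay

# Permitted (destination, protocol, port) per device class. Anything else
# leaving the segment is a violation, including hosts on the corporate LAN.
ALLOWLIST = {
    "camera": [
        (RESOLVER_NTP, "udp", 53),
        (RESOLVER_NTP, "udp", 123),
        ("203.0.113.10", "tcp", 443),     # assumed vendor cloud endpoint
    ],
    "thermostat": [
        (RESOLVER_NTP, "udp", 53),
        (RESOLVER_NTP, "udp", 123),
        ("203.0.113.0/28", "tcp", 8883),  # assumed vendor MQTT-over-TLS range
    ],
}

# Device inventory: which class lives at which address (assumed).
DEVICE_CLASS = {
    "10.20.0.11": "camera",
    "10.20.0.12": "camera",
    "10.20.0.20": "thermostat",
}

# Constructed flow records in a netflow-like CSV layout.
FLOWS = """\
src,dst,proto,dport,bytes
10.20.0.11,10.20.0.1,udp,53,120
10.20.0.11,203.0.113.10,tcp,443,84000
10.20.0.12,198.51.100.77,tcp,4444,2100000
10.20.0.20,10.10.5.40,tcp,445,5200
10.20.0.20,203.0.113.14,tcp,8883,900
10.20.0.99,203.0.113.10,tcp,443,300
"""


def is_allowed(device_class: str, dst: str, proto: str, dport: int) -> bool:
    """True if the allowlist for this device class covers the destination."""
    for target, allowed_proto, allowed_port in ALLOWLIST.get(device_class, ()):
        if (ip_address(dst) in ip_network(target)
                and proto == allowed_proto and dport == allowed_port):
            return True
    return False


def check_flows(flow_csv: str) -> list:
    """Return (src, dst, proto, dport, reason) for every flow that breaks policy."""
    violations = []
    for row in csv.DictReader(io.StringIO(flow_csv)):
        src, dst, proto, dport = row["src"], row["dst"], row["proto"], int(row["dport"])
        if ip_address(src) not in IOT_SEGMENT:
            continue                      # only the IoT segment is policed here
        device_class = DEVICE_CLASS.get(src)
        if device_class is None:
            reason = "address not in the IoT inventory"
        elif not is_allowed(device_class, dst, proto, dport):
            reason = f"{device_class} is not permitted to reach {dst} {proto}/{dport}"
        else:
            continue
        violations.append((src, dst, proto, dport, reason))
    return violations


def nft_rules() -> list:
    """Render the allowlist as nftables rules for a forward chain whose policy
    is drop; traffic from the segment that matches nothing is logged, then dropped."""
    rules = []
    for src, device_class in DEVICE_CLASS.items():
        for target, proto, port in ALLOWLIST[device_class]:
            rules.append(f"ip saddr {src} ip daddr {target} {proto} dport {port} accept")
    rules.append(f'ip saddr {IOT_SEGMENT} log prefix "iot-egress-denied " drop')
    return rules


if __name__ == "__main__":
    for violation in check_flows(FLOWS):
        print("VIOLATION", *violation)
    print("\n".join(nft_rules()))
```

On the constructed records the script reports three violations: a camera talking to an unknown Internet host on port 4444 with two megabytes outbound, a thermostat reaching SMB on the corporate LAN, and an address on the IoT segment that is not in the inventory at all. The first two are exactly the “malicious actor hiding in the device” case; the third is the device someone plugged in without telling anyone.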
Week 4: The Internet Wants YOU: Consider a Career in Cybersecurity
Cybersecurity can be a daunting field to enter, but there is a wide range of positions to choose from. One of the best perks of having a skill in cybersecurity or information technology is that you are not limited to one industry. Your skillset can be applied anywhere, whether medical, insurance, finance, manufacturing, education, or energy.
Learning security is challenging for some and easier for others, and the security curriculum must be continuously updated because the threats keep changing. Hopefully the curriculum and interest in the field will evolve together.
Week 5: Protecting Critical Infrastructure from Cyber Threats
Think about the latest hurricane, Maria, which hit Puerto Rico. Most of the island is without power, and it is expected to take months to restore service. Without power there is no refrigeration, and commerce and communications are limited. This is an example of what could happen if the power grid were taken down by malicious actors.
Protecting energy companies from cyber threats is nothing new; it has been a hot topic for over a decade. The Industrial Control Systems (ICS) that run the energy industry are being connected to the utilities’ computer networks at a rapid pace. These systems provide a wealth of information that a utility can use to save energy, predict and prevent failures, or automate tasks that used to be done by a person. They were connected to the utility’s network for those benefits, but security was sometimes an afterthought. Now utilities are trying to protect these networks while still using all of the information the ICS generates.
While there are a variety of technologies out there that try to protect us from cybersecurity threats, the final responsibility falls to you. You must take the time to understand which threats apply to you. Ask yourself: what do you have of value that someone would want? No matter how many security controls your bank, employer, or government put in place, malicious actors will always be trying to bypass them. The best thing you and your organization can do is to be prepared to handle the incidents that do occur. The better prepared you are, the less painful the incident will be.