Cyber Crime Part 3: How you’re making yourself an easy target

Your safety is your own concern and, online just as offline, your actions have a direct bearing on your wellbeing. It’s not up to others to protect you; you need to take responsibility for your own security.

According to Verizon’s 2013 Data Breach Investigations Report, 75% of victims were the targets of opportunistic attacks and 78% of initial intrusions were rated as being of low difficulty, proving that we are making it too easy for hackers to steal our information.

The National Audit Office (NAO)’s UK Cyber Security Strategy Landscape Review states that 80% of 2011’s 44 million cyber attacks could have been prevented by ‘basic hygiene’. That’s 35.2 million entirely preventable attacks. So what is meant by ‘basic hygiene’?

  • Email. An email account is a valuable target for a criminal. Consider how much personal information you will have sent and received over the years: how many password reset emails and ecommerce order confirmations, how many social media notifications and online billing accounts have gone through your inbox. Do you archive that information so that it’s readily available when you need to check it? What if someone else had access to all of it? How many of your accounts could be compromised? Combine that with all the other information available about you online and a criminal can easily pose as you to commit fraud, send phishing emails to gain further information from others, and break into numerous other accounts. A single breach can have a vast knock-on effect. Is your email account secure?
  • Passwords. Widely quoted research by Mark Burnett, the author of Perfect Passwords, found that 8.5% of passwords are ‘password’ or ‘123456’. You may protest that you wouldn’t be foolish enough to be that obviously insecure, but how would you react if you were to learn that 40% of all sampled passwords featured in a list of the 100 most common passwords? How about if you were told that 91% of passwords were in the top 1000? If cyber criminals can hack 91% of passwords in only 1000 attempts (something that would take a rudimentary computer program seconds, if that), they’re not exactly struggling to gain access to information. Have a look at the list yourself and see if you recognise anything. Further research shows that birthdates and pet names remain popular choices, and that password re-use across sites is rife. If your password on a single site can be hacked in fewer than 1000 attempts, and you re-use that password on multiple sites, then you urgently need to reconsider your password security. You’re leaving yourself wide open to attack.
  • Social Media. How much information do you give away on social media sites? Are your profiles on Facebook, Twitter and the like available to all? Have you checked your privacy settings recently? If your other passwords are weak, and you’ve got your birthdate and pet’s name listed online, you could be enabling identity theft.
  • Mobile security. Do you use a smartphone or tablet? Are you permanently signed in to all your personal and work email accounts, your apps, social media and file sharing accounts? (That’s normally the default setting.) Does the device itself have a password lock? Do you back up onto your home computer, and have you enabled settings to wipe the phone if the password is entered incorrectly a certain number of times? Some 10,000 mobile phones are stolen in London alone every month. 700,000 handsets were stolen in the UK last year. If you lose your smartphone, what are you losing with it? A lot of mobile phone theft may be low-level criminal activity committed by opportunistic thieves looking to make a quick profit (the current resale value of a mobile phone is between £10 and £60; eBay is full of them), but think where the phones go when sold on, and what happens to the information on them. It’s not just your phone bill you need to worry about: a criminal will instantly have access to your online banking, your social media and other linked accounts, your contacts, and your personal and work email accounts.
  • Pharming and phishing. With access to your email accounts, even for a relatively short time, criminals can send pharming emails purporting to be from you and spread malware which they can use to take control of your website, or can send phishing or spear-phishing emails to dupe others into revealing sensitive information which they can also abuse. If you received an email from a friend or colleague asking you for information or offering you a link to click, you wouldn’t think twice about it. You certainly wouldn’t automatically assume that they had been hacked, would you? Even where the technical security systems themselves are strong, people are often the weakest link in the chain, and ‘hacking the human’ is a well-known tactic.
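The Passwords item above describes three habits that make a password an easy target: picking one from the most-common list, building it from a birthdate or pet name that is already published on social media, and re-using it across sites. The following screen, added here as an illustration and not part of the original post, checks a set of credentials for all three. The common-password list and the sample credentials are constructed stand-ins, not the real top-1000 list.

```python
import re
from collections import defaultdict

# Constructed stand-in for a "most common passwords" list (not the real list);
# a real screen would load the full top-1000 or larger list from a file.
COMMON_PASSWORDS = {
    "password", "123456", "12345678", "qwerty", "abc123", "letmein",
    "monkey", "dragon", "111111", "iloveyou", "football", "welcome",
}

def birthdate_tokens(birthdate):
    """Fragments of a dd/mm/yyyy date that commonly end up inside passwords."""
    m = re.fullmatch(r"(\d{2})/(\d{2})/(\d{4})", birthdate)
    if not m:
        return set()
    day, month, year = m.groups()
    return {year, day + month, day + month + year, day + month + year[2:]}

def password_weaknesses(pw, common=COMMON_PASSWORDS, pet=None, birthdate=None):
    """Return the reasons a password is an easy target (empty list if none found)."""
    lowered = pw.lower()
    reasons = []
    if lowered in common:
        reasons.append("in common-password list")
    if pet and pet.lower() in lowered:
        reasons.append("contains pet name")
    if birthdate and any(tok in lowered for tok in birthdate_tokens(birthdate)):
        reasons.append("contains birthdate fragment")
    return reasons

def reused_passwords(credentials):
    """Map each password used on more than one site to the sites sharing it."""
    by_pw = defaultdict(list)
    for site, pw in credentials.items():
        by_pw[pw].append(site)
    return {pw: sorted(sites) for pw, sites in by_pw.items() if len(sites) > 1}

if __name__ == "__main__":
    # Constructed sample: one person's passwords across sites, plus the pet name
    # and birthdate they have published on a social media profile.
    creds = {"bank": "rex1985", "email": "rex1985", "shop": "rex1985",
             "forum": "Tangerine-Lampshade-42"}
    for site, pw in creds.items():
        found = password_weaknesses(pw, pet="Rex", birthdate="14/03/1985")
        print(site, found or "no obvious weakness")
    print("re-used across sites:", reused_passwords(creds))
```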

Phishing doesn’t require carefully honed skills, either: there are numerous books on social engineering and multiple toolkits available online that will write phishing emails for you. Many are even used by legitimate information security companies to test for weaknesses in clients’ information security systems. Phishing has certainly come a long way since the so-called 419 scams which asked you to send your bank details to Nigeria on trust.

Cyber Health Check

Assess the state of your vulnerability to attack with IT Governance’s Cyber Health Check, a two-day service that combines on-site consultancy with remote vulnerability assessments to assess your cyber risk exposure. The four-step approach will identify your actual cyber risks, audit the effectiveness of your responses to those risks, analyse your real risk exposure and then create a prioritised action plan for managing those risks in line with your business objectives.

Read Cyber Crime Part 4: What information do hackers actually target?