Treat it like treasure, information security awareness event
"Treat it like treasure" was the main event of the 2016 Information Security Awareness week (3-7 October), organised by the University of Edinburgh. Speakers gave their own perspectives on some of today’s most common information security treats and how to combat them, and answered a number of questions from an engaged audience. I enjoyed the presentations and, after the event, I had the opportunity to talk to Dr Kami Vaniea (Lecturer of Cyber Security) and Alistair Fenimore (University Chief Information Security Officer) about matters related to data protection.
The first presentation was delivered by Detective Inspector Eamonn Keane from Police Scotland’s Specialist Crime Division. He described the current cyber threat landscape in Scotland and explained that cybercrime has caused significant business disruption and damage to revenues and reputation in the UK. He mentioned that recent victims of cybercrime include: Yahoo, Talktalk, Dropbox and Verizon.
The second speaker was Rafe Pilling, Principal Consultant at SecureWorks. He encouraged the audience to think of data as a “commodity” and reminded all that users’ personal data is being sold by cyber criminals in anonymous networks on the internet (such as the darknet). He also stressed that there has been a shift from some other forms of threats towards Ransomware because it is lucrative and relatively easy to deploy.
Rafe Pilling's security recommendations:
- Make sure you do regular data backups (If you are hit by Ransonware, you will have a copy of your files)
- If an email or website looks suspicious, don’t open or access it
- Create strong and unique passwords for each site you visit
- Keep your core email password safe (If it is hacked, password recovery mechanisms can be used to gain access to your other accounts)
- Do not save login credentials in web browsers
- Keep software up-to-date (software updates often include security features or fixes for vulnerabilities)
- Reject LinkedIn connection requests from people you don’t know
- Visit: www.getsafeonline.org for further advice.
Dr Kami Vaniea presented her ideas in a slightly different way. She had a few computer screenshots displayed in the auditorium screen and asked the audience about information security and privacy - to which she got a mixed response.
For example:
1. Where does the link https://facebook.mobile.com/ take you?
The link above goes to “mobile.com” which is owned by AT&T, not Facebook.
Like postal addresses, links are read right to left:
To spot a fake URL, check the information between the first double slashes "https://" and the first single slash "/" as in http://facebook.mobile.com /login.com. Read the link from right to left. This link goes to mobile.com.
2. Does Google know what you have typed before you click enter?
Yes. When you start to type in a search query, Google will begin to guess what you are looking for. Most search engines send text to their servers as you write it.
Pretty much everything is recorded.
3. Can we trust that the "from" information provided in an email is trustworthy?
No. Nothing on an email can be trusted, except for the actual URL generated by the local computer.
If there is a link on the email, hover your cursor over it (but do NOT click on it!) to reveal the real location of the link.
Dr Vaniea emphasised that a common misconception is that reading web pages, PDF documents and emails is like reading a physical paper. Users are normally not aware that code is actually being downloaded in the user's computer when they perform these actions. Even reputable websites can be at risk. This is because websites are built dynamically out of many other websites, which may have been compromised.
Kami Vaniea's security recommendations:
- Install an Anti-Virus / Check for updates regularly
- Connect to a VPN service when using free Wi-Fi (AnchorFree)
- Do not connect to any suspicious Wi-Fi hotspot
- Create strong passwords, write it down and keep it safe (Yes, this is fine).
- Memorise the most important passwords and keep all the other ones on a password manager such as LastPass, 1Password or KeePass.
- Use two-factor authentication such as YubiKey.
- Install Ad-Blockers to reduce the amount of content loaded when you visit a website
The last presenter was Detective Sergeant Adrian Ure from Police Scotland. He stressed that there are significant differences between traditional crime and cybercrime, which brings the police new challenges. We no longer see as many bank robberies as in the 70’s but cyber-attacks are much more common. Crime is also borderless. For example, designs for 3D-printed guns may be sent to another country over the internet, downloaded and printed.
Adrian Ure's security recommendations:
- Make sure your home Wi-Fi is set with a strong password
- Switch off location services if you don’t need it
- Choose restricted privacy settings on social media sites
- Be aware of spoofed friends requests
- Do not review on social media that your house is unattended (travelling information, social check-in)
- Be careful when using dating websites and online dating apps, such as Tinder.
- Review user privileges for staff members in your company
- Report any security breach incident to the police
Mr Ure finished his presentation on a positive note, saying that social media has also played a role in helping the police to solve crimes, such as the Boston Marathon Bombing, and that Pokemon Go has been used to lure and catch criminals. He also stated that anonymous networks have known legitimate uses.
Here are further recommendations drawn from the question-and-answer session, and my chat with Kami and Alistair:
- Free anti-virus may be sufficient, however, paying for it may help the software development community and may bring some extra benefits for users
- Do not send passwords by email. While encryption protects data in transit, it does not protect users from end-point compromise (like someone having access to your computer or email account)
- Be aware of social engineering techniques, such as seemingly lost USB flash drives
- Save files to secure network drives rather than keeping them in your computer
- Some computer viruses survive hard disk reformatting. Contact security experts, if necessary
- Report any security incidents at the University of Edinburgh to the Records Management team
Conclusions
Cybercrime is a growing threat for both companies and individuals. While there is no bulletproof solution, the majority of attacks can be stopped with good cyber hygiene. The important thing is to be aware of threats and spend some time making sure that you and your devices are secure.