Defense Against the Digital Dark Arts: Cybersecurity Lessons
In this class, we study the Digital Dark Arts.
They "are many, varied, ever-changing, and [seemingly] eternal. Fighting them is like fighting a many-headed monster, which, each time a neck is severed, sprouts a head even fiercer and cleverer than before. You are fighting that which is unfixed, mutating, indestructible."
Today, should you choose to pay attention and follow the lessons of the illustrious Mistress Minerva, you might just learn a thing or two that'll put you head (and shoulders) above the rest.
First things first, let's review our syllabus.
Intellectus Securitatis Minae: Understanding Security Threats
Class is in session.
You are here learning to defend yourselves against that which cannot easily be seen.
Dark creatures abound on the Internet. As we progress through our lessons, we'll seek to identify and uncover them — all the while discovering what incantations and ingredients best keep their dastardly deeds at bay.
These shadowy cybernauts seek to prey on us by accessing and damaging computers and networks. They revel in their ill-begotten spoils — in your business, personal, financial, or even medical information. And once they have it in hand, the damage has been done — no matter whether they're holding it for ransom or auctioning it off to another digital shade.
The average attack costs small to medium businesses $18,000. In the U.S. alone, 40% of cyberattacks swindle their victims to the cool tune of $25,000+, an 80% increase over last year.
And do not be so naive as to think that all a cyberattack could cost you is money. As the professional sector is so often the target, both your reputation and customer base are at stake.
In 2021, Norton discovered that 53% of mu—, I mean, adults, are more worried than ever about being a victim of cybercrime. Despite this, as of March 2022, 51% of SMBs have no protections against cyberattacks.
As these shadows hone their prowess in performing feats of the darkest digital arts, so too shall we learn to combat them.
Contra Mendaces Defende: Defend Against Phishing
Remember this well: At their cores, cyber attackers are liars.
They'll feed you sweet words, send you messages appearing to be from positions of authority, and offer deals too good to be true, all in attempts to ensnare you.
Their goal? To compromise you. To access your accounts and gain mastery over your assets.
But how can they achieve such things without specific personal information, like usernames and passwords?
There's one vulnerability these silver-tongued, digital serpents know is always exploitable: You.
These are known as social engineering attacks.
Social engineering attacks skirt cybersecurity tools by way of human loopholes.
Last year, the average cost of phishing attacks reached $4.24 million dollars. And that cost comprises a variety of things, like:
- Stolen funds/direct monetary loss
- Damage to brand and reputation
- Compliance fines and penalties
- Loss of customers
- Loss of revenue
- Cost of response and remediation
- Legal fees
- and others.
Do be careful — there are many forms of social engineering attacks. Below, we'll learn how to identify them.
A Compendium of Social Engineering Attacks:
Phishing – Here, digital dark artists use illusion to befuddle, confuse, and fish for your information.
They'll send emails appearing to be from a legitimate company asking you to update your payment method. Or you'll receive a text from an unknown number asking that you confirm your next doctor's appointment by clicking a link. Perhaps they'll disguise malware or viruses as an unassuming attachment, lulling you into a false sense of security so that you'll click "Download," and infect your device.
Phishing attacks are the handiwork of opportunistic cybercriminals — they have no specific target.
Phishing is alleged to have been created by a Nigerian prince, though this cannot be confirmed.
- Spear Phishing – Like phishing, but with an intended target, either an individual or a larger organization.
- Angler Phishing – Fake customer service accounts on social media pose as legitimate business accounts in hopes that you divulge your login information to said service.
- Whaling – A form of spear phishing targetting a high-profile person.
- High-profile targets often equate to larger payouts, so these are especially enticing to those practicing the digital dark arts.
- Smishing – Phishing attempts communicated via SMS/Text.
- Vishing – Phishing attempts communicated via telephone.
In this scenario, a phisher calls a business or leaves a voicemail pretending they're someone they're not. They want their target, the person receiving the call, to divulge sensitive information.
Baiting – Online Baiting Example: A pop-up or landing page claims that you've won an incredible amount of money! All you have to do is click a link to claim it. That link is chock-full of malware, unbeknownst to the target.
Offline Baiting Example: Occasionally, our dark artists leave the Internet and enter the physical world. They may leave a non-descript USB stick strategically abandoned in a high-traffic cafeteria of a large business, knowing someone will be curious and plug it into their computer to find out more. But that USB stick is rife with malware — Avada Kedavra your network.
Mind your curiosity. Nefarious cybernauts know that humans are prone to wonder, and use it to their advantage.
Occurs either online or off.
Piggybacking (A.K.A. Tailgating) – Another form of in-person social engineering. In these scenarios, a scammer attempts to enter a secured premise immediately behind someone who has access.
To prevent it, don't let anyone into restricted areas after you. Ensure they have ID and make them use it to enter the premises, just as you had to do.
These dark artists do not have your best interests at heart. They anticipate that you'll be "too nice" to say anything to stop them, thereby giving them access.
Business Email Compromise
On 2021, the FBI received almost 20,000 reports of business email compromise.
These attacks range from cyber scammers spoofing emails posing as employees or other trusted persons requesting sensitive information in their emails, to full account compromise. That's when a hacker gains access to a legitimate account, instead of just spoofing one to look like it.
Quid Pro Quo
Fake tech support scams fall firmly into this camp. Someone calls or messages saying that your device is infected, or that you're eligible for a software upgrade. All you have to do is give them your credentials and they'll ensure you're taken care of. Do not fall for their lies.
Fear is a big motivator. Cyber attackers create pop-ups that appear in your browser saying something to the effect of, "Your system/device has been infected! Click here to fix."
Don't click, never click. Doing so will ensure your device becomes infected. It's a self-fulfilling prophecy.
With only a cursory glance, perhaps you won't realize these are naught but lies.
Use your powers of logic and observation. Ask yourself, "Is this too good to be true?" or "Does this message make sense?" and "Why would this person be asking that information of me?" if it seems out of character.
Sweet messages, deals simply too-good-to-be-true, and indiscriminate vagueries are all meant to pique your interest and ensnare you. If you engage positively with these villainous prompts — clicking their links or answering their texts — you lose.
Too much protection isn't a thing.
In addition to reviewing everything with a critical eye, you can use the following tools to keep your website and business email secure.
Lingua Occulta Notitia: Cryptology
How does information remain secure when it's communicated over the Internet?
To answer that, we'll need to take a step back and understand what happens when you traverse the interwebs.
Whenever you use your computer or smartphone to visit a website you're quite literally "docking into the Internet," as a boat would dock at a port. Once docked, you're then able to communicate information to and from others who are also docked. All ports are numbered differently to indicate their use and properties. These ports are called TCP, or Transmission Control Protocol Ports.
SSL, or Secure Sockets Layer, is a technology that keeps internet connections secure. It encrypts and protects sensitive information and data as it's sent between two systems (like your browser and another website or two servers). SSL stops cyber shadows and bots from reading or changing the information being sent between the systems (like credit card information during an e-commerce transaction.)
Can data be transferred from one server to another without SSL? Sure can. But why dance with the devil and take the chance of exposing your information?
So, how can you tell if your connection to a website is secure?
Look at the URL in the address bar in your browser. You'll see that the URL starts with one of two things: it's either HTTP or HTTPS. The HTTPS indicates a secure connection (and it uses port number 443.) HTTP, is an unsecure internet protocol, (and uses port number 80.)
Are you a website owner? It is your responsibility to secure your digital domain, both for you and your site visitors. Do so by purchasing and using SSL on your site.
Advantages to using SSL:
Faster web page loading – HTTPS loads pages faster than HTTP. Who waits around for a webpage to load nowadays when there's always a competitor around the digital corner whose site might be faster?
SEO Improvement – Your site is likely to rank higher in search results if you use HTTPS instead of HTTP.
Stop hackers and bad actors in their tracks – SSL encrypts the data transferred back and forth between two systems. Even if these bad people and bots could somehow see the data being transferred, they won't know what it says.
Maintain PCI Compliance – PCI Compliance stands for Payment Card Industry Compliance. This is required by all credit card companies when making transactions online to further secure and protect against data and identity theft.
Part of the PCI Compliance guidelines is that your site must use HTTPS, which means your SSL certificate needs to be configured on your site before you can accept payments via credit card for purchases.
No scary alerts – If you're using HTTP then chances are your site visitors are receiving notices telling them your website isn't secure when they land on it. Frankly, this looks bad. It causes them to lose confidence in your site and odds are good they won't be back.
Secure Possessiones Tuas: Protect Your Properties
Do you seek the formula for digital security? Followed correctly, the adherent of these steps will be lucky in all their online endeavors...
Custodi Domum Digitalis Tuam: Guard Your Digital HomeCyber attackers can't cross your online thresholds if you follow these steps.
- Use strong passwords.
- Install an SSL certificate.
- Use a reputable host.
- Perform regular malware scans.
- Backup your site.
- Keep WordPress plugins or other site plugins and web apps up to date.
- Perform regular site audits and tests.
Learn what makes for a strong password right here.
People are evermore distrustful of "HTTP" in their browsers and for good reason. They want to know you're doing what you can to protect their information. Your SSL port indicates there's a secure, encrypted connection keeping their data safe from prying eyes.
A reputable host has a proven history of maintaining their customers' security and is capable of helping you address threats and malware should they occur.
Who has the time to manually monitor their online security? SiteLock Security protects your website from malware, viruses, hackers, and spam. It scans your site for these malicious things, automatically removing any it finds, and alerts you when something doesn't look quite right.
Why? Backing up your website is the only guarantee you have that your site can be completely restored if you experience an egregious issue.
Human error (inadvertently deleting files), malicious cyber hackers, or outdated and unprotected themes and plugins can all introduce risk to your site.
The digital dark arts are ever-evolving. To stay ahead of them, keep your plugins up to date. Not doing so leaves your site vulnerable and open to attack. Not just that, but they can affect your site experience, causing issues for legitimate visitors.
As people, we're constantly striving to improve ourselves. Why should that be any different for our websites and other digital properties? — Do they not represent us?
Protegas Fama: Protect Your Brand
Digital dark artists understand the power of a name. It's why they're gunning for yours.
Your name is irrevocably yours — it's part and parcel of your brand — that special thing that makes you, you. It comprises every public-facing facet of yourself, and inversely, what people think of you.
Your personal brand CANNOT survive lies and deception.
This is why cybercriminals will always target it in addition to your digital properties, like your site and social media.
If they capture your name, they control your narrative.
How might they do this? The possibilities are legion.
- Counterfeit websites. If a customer lands on a fraudulent site and suffers real-world harm (malware on their device, compromised sensitive information) they will always associate it with your name. Would you want to continue doing business with someone if their name alone caused you memories of traumatic events? Probably not.
- Copyright piracy. Cyber shadows don't like honest work. They'll illegally reproduce and disseminate your copyrighted materials, hurting your bottom line.
- Trademark infringement.
To convince others that they are who they say they are, hackers have no qualms about using trademarks in unauthorized manners.
- Patent theft. A patent is representative of a great deal of work. Whatever your patent, behind it lies hours of ideation, creation, iteration, and finalization.
A digital dark artist will take the easy route. They'll do whatever they can to make, use, and sell your products without obtaining a license.
- Impersonation on social media. Social media is a fantastic tool for building your brand and connecting with your audience. Until someone else does it for you and deceives your unwitting audience into revealing their private information.
To protect your brand, follow these steps:
- Acquire misspellings of your domain. Cyber hackers purchase variations of domain names in hopes of catching traffic that was intended for your site.
- Purchase alternate domains/TLDs. Depending on your business, you might not want your brand name associated with a .sexy or .xxx domain name. Register those domains before someone else does and uses them to your detriment.
- Focus on the aesthetics and elements of your brand to reinforce trust. Increase trust in your customers' inboxes by using a professional email address that matches your domain name. It helps them know they aren't about to open a spam message and have their system infected with malware.
Refer to this Branding and Website Design Checklist to ensure your brand is cohesive no matter where you are online — your site, social media, and more.
Abundans cautela non nocet: Abundant caution does no harm
It does not do to dwell on a false sense of security and forget the dangers that lurk about the Internet seeking your ruin.
Man the boundaries of your site, social media, and email accounts. Do your duty to protect yourself and your customers.