By: Shannon McMurtrey
As I sit down to write this column, we are in the middle of the 12th annual Cyber Security Awareness Month. Established in October 2004 by the National Cyber Security Division with the Department of Homeland Security and the National Cyber Security Alliance, this month is intended to help all of us step back and consider what steps we can take to be more secure online. With that theme in mind, I want to share some best practices we can follow to increase safety online for ourselves, our families and the businesses we work for.
I want to start with our kids. Parents today face a wider range of threats from online adversaries than at any time in our history. Not only do we have to worry about bullying on the playground, now we also need to be aware of bullying online. Prohibiting kids from playing games online might work while they are very young, but as they get older, it becomes imperative that we teach our kids about the risks they face online and help them to develop good judgment. This comes from a good relationship with our kids, where we establish trust and open lines of face-to-face communication. If we can do a good job of that when they are young, they will be less likely to run into trouble when they are older.
All of us could probably use a reminder to put down our phones and spend more time playing games with our kids and grandkids. Help them know what is and is not OK and how to report offensive behavior. Oftentimes kids may be interacting with adults while they are online and not even realize it. We have to teach them that just because a social profile says that the person on the other end is a boy or girl their same age, that is not always the case.
Speaking of interacting with others online, how safe are your habits in that area? Do you really know all of the people on your Facebook friends list? One of the most common attacks leveraged against companies today is called “spear-phishing.” The name originated from “phishing” attacks. A “phishing” attack is one of those emails you get that is often riddled with spelling errors, bad grammar and obvious mistakes promising that if you click on their link, you will win a million dollars. While those may be easy to avoid, “spear-phishing” emails are more problematic. Those emails are directed toward top-level executives in companies or people who may have access to information that the bad guys want – and they are very convincing.
The first step in a spear-phishing campaign is reconnaissance. The goal of this stage is to learn as much about the victim as possible so that an email can be crafted in such a way that it sounds legitimate and makes it more likely that someone will click on it. Facebook is a fantastic weapon in this attack. The spear-phisher creates a fake profile on Facebook and sends out a friend request to their potential victim. The victim will very often accept the friend request without knowing the person at all. Once that request has been accepted, the spear-phisher is free to browse all of their target’s postings, learn about the potential victim’s hobbies, friends, interests, etc. and then go to work writing the perfect email. So think twice the next time you receive that friend request from someone you don’t really recognize. While you are at it, go through and clean up your friends list. Stay safe online and think twice before accepting my friend request!
Shannon McMurtrey, Ph.D., is director of Missouri State University’s master’s program in cybersecurity, as well as program director for the master’s in computer information systems in the department of computer information systems. Email: email@example.com.
This article appeared in the January 30th, 2016 edition of the News-Leader and can be accessed online here.