Do you use ChatGPT? Then be careful what you discuss with bots.

While cybersecurity experts were pointing to possible impending security issues with chatbots such as ChatGPT, malicious actors took an unexpected route. Instead of hacking directly into these platforms, they have started stealing users’ credentials on a massive scale, right under their noses, and selling them on the darknet. Because storing the communication history with the chatbot is enabled by default, this puts users at considerable risk.

Group-IB, a global cybersecurity company based in Singapore, reports that it has identified 101,134 compromised ChatGPT credentials in the logs of info-stealing malware popular with malicious actors over the past year. “This major leak raises serious concerns about the security of information stored within generative artificial intelligence tools, such as ChatGPT, and highlights the potential risks associated with their use,” said Petr Kocmich, Global Cyber Security Delivery Manager at Soitron.

Weaponized info-stealing malware

Most of the attacks were attributed to the Raccoon, Vidar and RedLine malware families. They work just like any other common malware: they steal information from the target computer after the user, often unknowingly, has downloaded and installed the malware disguised as a desired application or file. This type of malware is easy to use and is sold as a subscription-based service, which makes it a popular choice among attackers, often even amateurs.

Once activated, it collects credentials stored in browsers, bank card details, cryptocurrency wallets, cookies, and browsing history, and sends them to the attacker. Since ChatGPT stores all of a user’s conversations by default, stolen login credentials allow those conversations to be read by anyone with access to the account.

Therefore, users should not enter any personal information that can identify them, such as full name, address, date of birth or birth number. Under no circumstances should they enter any credentials (usernames and passwords), financial information (account or credit card numbers), or health information. They should also keep work information confidential, i.e. not discuss any company information. “Users are often unaware that their ChatGPT accounts actually contain a large amount of sensitive information that is desirable to cyber criminals,” warns Kocmich. That is why he suggests disabling the chat history feature unless it is absolutely necessary. The more data an account contains, the more attractive it is to cybercriminals. Kocmich therefore recommends carefully considering what information to discuss with cloud chatbots and other services.

The solution is to take precautions

The risk is similar to what would happen if attackers were able to breach the protection of the ChatGPT system itself and compromise it. If attackers gain access to the chat history, they can find sensitive information such as credentials to corporate networks or personal data; in short, everything the victim has ever entered into ChatGPT.

“In response to this security threat it is recommended, in addition to considering disabling the chat history storage, that users change their passwords regularly and use security measures such as two-factor authentication,” says Kocmich. In general, these recommendations should be applied to all Internet services and especially where unauthorised access can cause damage.

Vigilance must come first

This incident demonstrates the urgent need to improve security practices in an online world that increasingly relies on artificial intelligence and digital interactions. With cybercriminals developing novel tactics, public awareness of cyber risks and how to mitigate them is becoming increasingly important. “Regardless of the tools and techniques you use, be constantly vigilant and apply known security principles and best practices to avoid becoming an easy target,” Kocmich concludes.

Scammers no longer need to be skilled in image editing. AI can create fake nudes from social media photos in minutes

Artificial intelligence (AI) is being extensively used to create fake explicit photos and videos. Unlike in the past, when doing so required talent and advanced image-editing skills, today fake nudes can be generated automatically in a few moments. These are then used for both bullying and sextortion. The US Federal Bureau of Investigation (FBI) has issued a warning about this cyberthreat. It can happen to anyone, including celebrities and successful businesspeople as well as ordinary citizens.

In sextortion schemes, scammers usually try to extract money or other benefits from the victim by threatening to publish falsified compromising material. As the FBI points out, a particularly disturbing aspect of this threat is that scammers often use innocent photos and videos that people share on their social media profiles. They take an image of the victim’s face and using AI-enabled deepfake technology they generate pornographic material.

Victims report that criminals take their benign social media posts (photos, videos, etc.) and edit them using AI content generators. This isn’t a new type of attack; what has changed is that professional photo-editing tools such as Photoshop are no longer necessary. Today, criminals don’t need any image-editing skills, experience, or hours of tedious manual work to produce such fakes. All they need is a few photos and AI.

With the emergence of ChatGPT in November 2022, AI tools have become generally available and easily accessible to everybody, which has transformed this type of attack.

Rising number of victims subject to the new trend of deepfake fraud

The FBI is receiving more and more complaints from victims whose photos or videos have been edited into explicit material. This material is then circulated publicly on social media or pornographic websites to harass and extort the victims. “Advances in generative content creation technologies and the easy availability of personal photos online provide a new opportunity for criminals seeking and targeting their victims,” says Petr Kocmich, Global Cyber Security Delivery Manager at Soitron.

Extortionists most often demand money from victims and threaten to share the photos and videos with the victim’s family members and friends on social media unless the victim pays. Alternatively, they demand real sexually explicit images or videos from the victim. This new trend of deepfake scams is becoming more and more widespread, not only in sextortion but also, for example, in scams involving video calls.

How to protect yourself from online extortion and sexual abuse

No one is completely safe from these extortion techniques unless they remove all their images from the internet. Even then, they may not be entirely safe, as someone may secretly photograph or film them in real life and then exploit the footage for sextortion or other fraudulent purposes. With deepfake technology becoming increasingly advanced and accessible, it is essential that governments and legislative bodies take appropriate measures to protect their citizens. Some jurisdictions already have laws that penalise the creation of fake images without the consent of the person depicted. The UK, for example, plans to take action against the dissemination of such material as part of the forthcoming Online Safety Bill.

“If you become a victim of sextortion, we recommend keeping calm. Definitely do not pay anyone, as this will not guarantee the removal of explicit material from the internet. Contact the Czech Police instead. As a precaution, we recommend observing standard social network safety practices, such as refusing friend requests from strangers and using all available privacy settings,” advises Kocmich.

The first AI-generated nude deepfake photos and videos began circulating online in 2017, when users on forums such as Reddit tested the potential of AI to create sexually explicit content of female celebrities. While there have been attempts to stop the spread of such content, online tools and websites for creating deepfake nude photos are still easily accessible to anyone.

The NIS2 Directive can increase the security level of organizations in the Czech Republic

The European NIS2 (Network and Information Security Directive 2) can make things more difficult for Czech organizations, but it can also help them solve their cybersecurity problems. This is particularly true for organizations that have not addressed this serious threat so far, or that could not justify the budget for sufficiently qualified staff.

The NIS2 Directive aims to make the EU’s digital infrastructure more resilient to cyber attacks and improve coordination and incident response capabilities. “Many entities in the Czech Republic and elsewhere are not taking these matters seriously enough. This is due to the fact that there is a shortage of IT experts – let alone cybersecurity experts – on the market. Since the entities affected by the new directive will be obliged to ensure that their IT networks and information systems are sufficiently protected against cyber threats, this problem may become even worse,” says Petr Kocmich, Global Cyber Security Delivery Manager at Soitron.

What the directive changes

The entities concerned must implement measures to prevent cyber attacks and threats, such as performing regular software updates, securing network devices, and protecting against phishing attacks. In addition, they must prepare contingency plans for cyber incidents and establish mechanisms to deal with them quickly and effectively.

Major incidents must be reported within twenty-four hours of the entity becoming aware of them, and cooperation with national security authorities will be required. Any company that fails to comply with these requirements may be subject to fines and other sanctions.

Two birds with one stone

It would be great if the NIS2 Directive could help end the shortage of cybersecurity experts; however, this is unlikely, and at first glance it might even seem to exacerbate the problem. Having said that, the new regulation is an excellent opportunity to make organizations more secure. External cybersecurity service providers can help, as they have the capabilities that organizations lack. “Specialized companies focus on providing these services and can help entities implement security measures and risk management as a complete package, i.e. a turnkey service or a solution delivery including support and compliance with the NIS2 Directive,” says Kocmich.


Specialized companies can help organizations solve both problems: ensuring compliance with the new requirements and improving the previously incomplete security of their IT infrastructure and information systems. However, even if organizations use the services of such providers, the responsibility remains theirs.

They should choose their service provider cautiously and ensure that it is sufficiently qualified, experienced, and certified. It is also important to make sure that tasks are properly assigned and that the contractor’s performance is monitored. To make the model efficient and effective, roles and responsibilities should be clearly defined in the contract between the organization and the cybersecurity service provider. It should be understood that the quality of the service delivered often reflects the quality and management capabilities of the provider.

Who the NIS2 Directive applies to and from when

The directive will mean greater obligations for companies in the Czech Republic in relation to network and information system cybersecurity and protection. However, it will also improve protection and resilience against cyber threats and cooperation between European countries. Last but not least, meeting the requirements of the NIS2 Directive can help organizations gain the trust of their customers and partners, who will be more satisfied with the protection of their data and information. Overall, the directive could help entities to improve their security practices and minimize risks.

The NIS2 Directive applies to electricity producers, healthcare providers, electronic communications services, and over sixty other services categorized into eighteen sectors. In the Czech Republic, the directive will start to apply on 16 October 2024 and will cover up to 15,000 entities – these are medium and large companies with over fifty employees and companies with an annual turnover of over CZK 250 million. Although the NIS2 Directive will only apply to organizations that meet the defined criteria, and others are not directly obliged to comply with the requirements, it is worth considering using it as a recommendation for improving general cybersecurity in other companies.

Opportunities for other entities

“It is estimated that up to 70% of domestic organizations have a problem with their cybersecurity. Smaller and medium-sized enterprises in particular do not have sufficiently secure IT systems and do not comply with basic security measures,” says Kocmich. Common problems include overly permissive user access rights, a lack of two- or multi-factor authentication combined with weak passwords (including those of administrators), poorly managed and decentralized user identities, outdated and unpatched hardware and software containing vulnerabilities, missing network segmentation, weak or missing email and Internet access protection, inadequate perimeter protection, low visibility into network traffic, low or missing endpoint security, a lack of central log management, and inadequate employee training. “Cybersecurity is a big issue for many companies in the country. They can become easy targets for attackers. The NIS2 Directive should help raise awareness and protection against cyber threats,” adds Kocmich.

For more information on obligations under the NIS2 Directive, see the dedicated website (http://nis2.nukib.cz) of the National Cyber and Information Security Bureau (NCISB).

The effect of misconfigurations on business

International and Czech organizations continue to move their IT systems and data to the cloud. However, moving to the cloud is not just about migrating data. It also changes how system administrators access systems, and this often brings new challenges and configuration procedures. During the migration, it is easy for something to be left unattended, left unset, or configured contrary to best practices. The result is “misconfigurations”. Because of them, companies are unnecessarily exposed to more attacks than before and cannot adequately defend themselves.

Both cloud and on-premise solutions offer clear benefits and address specific challenges and needs of organizations. However, taking an existing, fully local IT infrastructure and moving it to the cloud without making the necessary changes (the so-called “Lift & Shift” approach) is a common mistake. Both on-premise and cloud environments have their pros and cons, which is why customers often use hybrid environments. The usual reasons for this are legal requirements (due to data sensitivity and where the data may be physically stored), the architecture, and the complexity of legacy applications that can be made cloud-compatible only with disproportionate investment and effort, or not at all.

Forcing it is not acceptable

Migrating to the cloud can help organizations reduce IT costs (if cloud resources are used appropriately) and have more computing power. More importantly, they can have more scalable performance available at any time, increase storage flexibility, and simplify and accelerate the deployment of systems and applications, while accessing data and systems from anywhere, anytime, 365 days a year.

However, as far as cyber security is concerned, deploying the cloud can increase the likelihood of an organization being attacked by malicious actors. If the “let’s go to the cloud” decision is made, it should be taken with due responsibility. First and foremost, it is important to understand that security in the cloud is a shared responsibility between the cloud service provider and the customer, so the cloud is never a panacea. We can talk about choosing the right model (IaaS/PaaS/SaaS), but if we want to relieve the in-house IT/SEC team, the right way is the PaaS or SaaS model, where most of the responsibility falls on the cloud service provider. In addition, moving to the cloud should be seen as an opportunity to move to a modern and secure corporate infrastructure. At the same time, we must not forget to involve the security department, which should be a fundamental and integral part of any such project.

Unfortunately, many cloud migrations amount to forcing the existing system into the cloud in its current form. Instead, companies should ideally start using native cloud resources, which often requires replacing existing monolithic applications. Otherwise, they gain nothing by simply moving their systems and data to the cloud, and it will most likely cost them more than their original on-premise solution.


Misconfiguration playing the main part

Today’s on-premise solutions are relatively well equipped with security monitoring and auditing tools based on established and proven standards, but this is not necessarily true after a migration to the cloud. Cloud misconfigurations are vulnerabilities waiting to be noticed by attackers. They are gateways through which it is possible to infiltrate the cloud infrastructure and, thanks to the interconnection and hybrid mode, also move laterally into the existing on-premise infrastructure. This allows attackers to exfiltrate data, including access credentials, telemetry data of machines in the OT environment, health records, and personal data, and then, for example, deploy ransomware.

According to experts, an average enterprise has hundreds of misconfigurations every year, and its IT department is unaware of the vast majority of them. All misconfigurations are the result of human error combined with the absence of cloud configuration health-check tools (e.g. Cloud Security Posture Management, CSPM).

The impact of cloud misconfiguration on system security

When migrating systems, what often happens is that services which had only been available internally within the on-premise solution are exposed to the public internet after the migration, without any filtering or blocking of external network traffic. Many companies suffer from this, including critical infrastructure operators. It may therefore happen that a console for controlling industrial control systems becomes publicly available online. We recently detected an ICS console of a production and assembly line control system available online without any authentication required. We also often see services containing exploitable vulnerabilities without any additional protection: the protection may have been deployed in the on-premise solution but was never implemented in the cloud (e.g. a missing Web Application Firewall). Quite common are services with default credentials, services used for the remote management of customers’ internal systems, and even freely accessible sensitive data.

This is why there are dozens to hundreds of incidents per month, as seen in the statistics of our monitoring centre. Security misconfigurations become easy targets for attackers, who know that they are present in almost every enterprise. This neglect can have disastrous consequences. It helps attackers to reconnoitre and infiltrate customer environments, create persistent remote access, take control of systems, and exfiltrate data and login credentials, which are then disclosed or sold for use in further attacks. Alternatively, it opens the door to lateral ransomware attacks or to cryptojacking, in which cloud computing resources are hijacked to mine cryptocurrency.

Steps to minimize the risks of misconfigurations

Configuration management, and especially monitoring, requires a multifaceted approach.

Organizations should implement well-established security practices, such as regular Cloud Security Posture Management assessments, to help detect a range of security defects and misconfigurations. It is important to follow the Least-Privilege principle and to continuously monitor and audit cloud systems.

Maintaining sufficient visibility of cloud assets should be a priority, just as it is in on-premise solutions. Strong identity and access management helps scale permissions to ensure the right level of access to cloud services.

Identifying and preventing misconfigurations during cloud migration helps enterprises eliminate major security issues. Specialized companies can help by guiding the organization through the entire process and setting everything up correctly.
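To make the kind of CSPM check described above concrete, here is an added example (not Soitron’s code or any real CSPM product) that runs a handful of posture rules over a constructed cloud inventory. The inventory schema is invented for illustration; the rules mirror the misconfigurations discussed in this section: services open to the whole internet on management ports, services reachable without authentication, default credentials, a missing WAF, publicly readable storage, and wildcard permissions that violate least privilege.

```python
"""Minimal CSPM-style posture checks over a constructed cloud inventory.

Added example, not a real CSPM product. The inventory schema is invented;
a real tool would read the same attributes from the provider's API.
"""
import ipaddress
import json
from dataclasses import dataclass

# Management and data-store ports that should never be open to 0.0.0.0/0.
# 502 (Modbus) is included because of the ICS console case described above.
ADMIN_PORTS = {22, 23, 445, 502, 1433, 3306, 3389, 5432, 5900, 8080, 9200}

# Constructed sample inventory in the invented schema (a provider export
# would carry the same information in its own format).
SAMPLE_INVENTORY = json.dumps({"resources": [
    {"id": "vm-ics-console", "type": "vm", "public_ip": True,
     "ingress": [{"cidr": "0.0.0.0/0", "port": 8080}],
     "auth_required": False, "default_credentials": True},
    {"id": "web-portal", "type": "vm", "public_ip": True, "waf": False,
     "ingress": [{"cidr": "0.0.0.0/0", "port": 443}], "auth_required": True},
    {"id": "db-internal", "type": "vm", "public_ip": False,
     "ingress": [{"cidr": "10.0.0.0/8", "port": 5432}], "auth_required": True},
    {"id": "backups", "type": "bucket", "public_read": True,
     "contains_sensitive": True},
    {"id": "svc-admin", "type": "identity", "permissions": ["*"]},
]})


@dataclass(frozen=True)
class Finding:
    resource: str
    severity: str  # "critical" or "high"
    rule: str


def _internet_wide(cidr: str) -> bool:
    """True for 0.0.0.0/0 or ::/0, i.e. no source filtering at all."""
    return ipaddress.ip_network(cidr, strict=False).prefixlen == 0


def check_resource(r: dict) -> list[Finding]:
    """Apply every posture rule to one resource and return its findings."""
    rid, out = r["id"], []
    open_ports = [i["port"] for i in r.get("ingress", []) if _internet_wide(i["cidr"])]
    for port in open_ports:
        if port in ADMIN_PORTS:
            out.append(Finding(rid, "critical", f"port {port} open to the whole internet"))
    if r.get("public_ip") and r.get("auth_required") is False:
        out.append(Finding(rid, "critical", "reachable from the internet without authentication"))
    if r.get("default_credentials"):
        out.append(Finding(rid, "critical", "default credentials still in use"))
    if open_ports and r.get("waf") is False:
        out.append(Finding(rid, "high", "internet-facing service without a WAF"))
    if r.get("type") == "bucket" and r.get("public_read"):
        sev = "critical" if r.get("contains_sensitive") else "high"
        out.append(Finding(rid, sev, "storage is publicly readable"))
    if r.get("type") == "identity" and "*" in r.get("permissions", []):
        out.append(Finding(rid, "high", "wildcard permissions violate least privilege"))
    return out


def assess(inventory_json: str) -> list[Finding]:
    """Run the checks over a whole inventory export."""
    inv = json.loads(inventory_json)
    return [f for res in inv["resources"] for f in check_resource(res)]


def summarize(findings: list[Finding]) -> dict[str, int]:
    """Count findings per severity, which is what a posture dashboard reports."""
    counts = {"critical": 0, "high": 0}
    for f in findings:
        counts[f.severity] += 1
    return counts


if __name__ == "__main__":
    results = assess(SAMPLE_INVENTORY)
    for f in results:
        print(f"[{f.severity:8}] {f.resource}: {f.rule}")
    print(summarize(results))
```

Running it against the sample inventory reports four critical and two high findings; the internal database with a private-range ingress rule produces none, which is the point of continuous posture checks rather than one-off reviews.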

A secure home office

Many employers offer home office as one of their benefits. During the COVID-19 pandemic, however, working from home became a day-to-day reality for many people. Although this type of work brings many benefits to both employees and employers, it also carries inherent risk, and cyber security turns out to be one of the main threats.

For hackers, computers and other devices outside the protected corporate network are usually an easier target. There are several reasons for this, which this article explains. We also offer measures that will make it much harder for hackers to do what they please, so that you can better protect your devices from malicious attacks.

What are the main risks we should focus on?

  • An unsecured home network and Wi-Fi – Many employees working from home use their home network to connect to the internet and to their employer’s network. Hackers can attack an insufficiently secured network and gain access to network devices, sensitive business data, and even your personal data.
  • Email attacks – Many attackers send phishing emails to gain access to sensitive data, services, and devices. They usually try to win the employee’s trust and thus lower their guard when checking the legitimacy of an email message and what it asks them to do (such as open an attached file, click on a link, or enter sensitive information).
  • Use of private devices for work – Many employees use their personal devices for work and vice versa. It is also not uncommon for employees to copy business data to their personal devices to work on it. In the event of a successful attack or a loss of their device, they expose (often sensitive) business data – and therefore their employer – to risk.

How to protect yourself

Secure your home network – We recommend the following:

  • never use the default passwords on your home router or other network devices
  • use a WPA2 or WPA3 encryption protocol to secure your Wi-Fi
  • turn off WPS on your router
  • disable remote administrator access to the router from the internet (WAN)
  • if you are a tech-savvy person, you can set network access only to predefined devices based on their MAC address

Beware of phishing – When receiving emails, check the actual sender address (not just the displayed name) and pay attention to grammatical or factual errors in the text and to suspicious attachments or links. If you need to share sensitive data, use email encryption. Email encryption technology is usually chosen and provided by your employer.
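The checks above (actual sender versus displayed name, mismatched reply addresses, deceptive links, risky attachments) can be expressed as simple header and body inspection. The following is an added example, not part of the original article or any Soitron tool; the trusted domain `example.com` and the sample message are constructed for illustration.

```python
"""Header and link checks behind the "check the actual sender" advice.

Added example, not Soitron's code. The trusted domain and the sample
message are constructed for illustration only.
"""
import re
from email import policy
from email.message import EmailMessage
from email.parser import Parser
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: the employer's real mail domain, used as the reference point.
TRUSTED_DOMAIN = "example.com"
# Extensions that commonly carry executable content or macros.
RISKY_EXTENSIONS = (".exe", ".js", ".vbs", ".scr", ".docm", ".xlsm", ".iso", ".lnk")
HOST_RE = re.compile(r"\b[\w-]+(\.[\w-]+)+\b")


def _domain(addr_header: str) -> str:
    """Domain part of the real address behind a header, lower-cased."""
    _, addr = parseaddr(addr_header or "")
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def _host(url_or_host: str) -> str:
    """Hostname of a URL or bare host, lower-cased."""
    if "://" not in url_or_host:
        url_or_host = "http://" + url_or_host
    return (urlparse(url_or_host).hostname or "").lower()


class _Anchors(HTMLParser):
    """Collect (href, visible text) pairs from an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def analyse(raw: str) -> list[str]:
    """Return short findings for a raw RFC 5322 message; empty means clean."""
    msg = Parser(policy=policy.default).parsestr(raw)
    findings = []
    from_dom = _domain(msg["From"])
    display_name, _ = parseaddr(msg["From"] or "")
    # Display name claims the trusted brand, but the real address is elsewhere.
    if from_dom != TRUSTED_DOMAIN and TRUSTED_DOMAIN.split(".")[0] in display_name.lower():
        findings.append(f"display name impersonates {TRUSTED_DOMAIN} but sender is {from_dom}")
    # Replies or bounces routed to a different domain than the visible sender.
    for hdr in ("Reply-To", "Return-Path"):
        dom = _domain(msg[hdr]) if msg[hdr] else ""
        if dom and dom != from_dom:
            findings.append(f"{hdr} domain {dom} differs from From domain {from_dom}")
    for part in msg.walk():
        fname = part.get_filename()
        if fname and fname.lower().endswith(RISKY_EXTENSIONS):
            findings.append(f"risky attachment {fname}")
        if part.get_content_type() == "text/html":
            anchors = _Anchors()
            anchors.feed(part.get_content())
            # Link text that looks like a host but leads somewhere else.
            for href, text in anchors.links:
                if HOST_RE.search(text) and _host(text) != _host(href):
                    findings.append(f"link text {text!r} points to {_host(href)}")
    return findings


def sample_message() -> str:
    """Constructed phishing-style message that triggers every check."""
    m = EmailMessage()
    m["From"] = "Example IT Support <support@example-helpdesk.net>"
    m["To"] = "employee@example.com"
    m["Reply-To"] = "helpdesk@mailbox-relay.org"
    m["Subject"] = "Urgent: password expires today"
    m.set_content('<p>Sign in at\n<a href="http://example.com.verify-login.org/">'
                  'https://portal.example.com</a>\nto keep access.</p>\n', subtype="html")
    m.add_attachment(b"PK\x03\x04", maintype="application",
                     subtype="octet-stream", filename="policy.docm")
    return m.as_string()


if __name__ == "__main__":
    for line in analyse(sample_message()):
        print("-", line)
```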

Use multi-factor authentication – Multi-factor authentication means that a combination of “different factors” is required to log in – i.e. a combination of something you know (such as a login, password, or PIN), something you possess (such as a phone or a card), and something that is a part of you (such as your voice or a fingerprint). Even though this is somewhat less convenient, this type of security is a very effective protection against attacks. Use it wherever possible or where it makes sense.

Use strong passwords – We have written an article about passwords, but here is a summary of the basic tips.

  • Create passwords that combine special characters, numbers, and uppercase and lowercase letters.
  • Do not use a single password for multiple accounts.
  • Use a password manager.

Use secure applications to communicate – Instead of SMS or social networks, use secure applications to communicate with your colleagues and clients. The same applies to video conferencing applications. A suitable technology should usually be chosen and provided by your employer. If this is not the case, try to reach out to them. After all, this is also in your employer’s interest.

Encrypt your data – Encryption transforms information into a form that can only be read by those who know the encryption key or the password, i.e. company staff and other authorized people. As a result, an attacker will not be able to make sense of the information even if they gain access to the data. This applies to all data: what you transmit (send and receive) as well as what you store on your devices.

Use antivirus software – Your employer usually provides an antivirus solution to protect your device. If you use your personal device for work, you need to protect it yourself. Keep your antivirus software up to date.

Don’t let your family use your business computer – Remember that your business device contains sensitive data, and if it is compromised it can become a gateway for hackers into your employer’s network.

Respect company policies – Report any unusual behaviour of your business devices to the IT department and follow the basic cyber hygiene rules, such as keeping your operating system, antivirus software, and web browser updated and regularly scanning your device for malware. Common security rules include measures such as:

  • using a corporate VPN to securely connect to an employer’s protected network
  • only using software approved by your employer
  • not using your business device to visit unknown or suspicious websites
  • not using business devices for personal purposes

Use the data store provided by your company – All documents or data you work with should be stored safely. Often this is a cloud or centralized repository kept by your employer. As a result, the company can better manage data access, protection (encryption), and backup. At the same time, this reduces the likelihood of employees copying files to their personal devices.

Set up an automatic screen lock – Set your screen to lock automatically. This is another simple way to protect your company’s data.

Advice for employers

  • Only allow employees to connect to your corporate network through a VPN.
  • Introduce a password policy so that your employees use strong and secure passwords.
  • Implement multi-factor authentication to access your company’s most sensitive data (or wherever it makes sense).
  • Set inactive connection timeouts for applications working with sensitive company data. Employees do not always log out on their own.
  • Only allow employees access to the data they need to perform their work.
  • Use encryption on all corporate devices.
  • Make sure all your web applications use HTTPS.
  • Use all available instruments to secure employee communication (email, messaging, and video conferencing).
  • Monitor your suppliers and service providers.
  • Create and provide employees with a secure centralized data repository.
  • Create a set of corporate security policies and rules for employees and make sure that employees become familiar with them.
  • Train your employees on cybersecurity regularly.

Cyber security dictionary

Cyber risk is increasing; cyber attackers are becoming more aggressive and are inventing new ways to reach their goals. What methods do they use to get closer to you and your data? How can you become more aware of what awaits you in the cybersecurity world? We created this cybersecurity dictionary to help you better understand attackers’ behaviour, so you won’t get fooled (anymore). Read more about cybersecurity terminology in our growing dictionary.

Botnet

is a network of malware-infected devices (computers, smartphones, IoT devices) that is remotely controlled by an attacker. Infected devices working together as a botnet perform malicious tasks, such as DDoS attacks or sending spam emails. Botnets can also be leased to third parties (other hackers).

Exploit

can be explained as a special program, a piece of code or a sequence of commands. It takes advantage of a vulnerability or bug in software or hardware with the aim of taking control, gaining privileged access or disrupting the service completely. It is therefore important for developers to identify software or app bugs and vulnerabilities and patch them before they can be misused. Exploits that are unknown to everyone except the people who developed them are called “zero-day” exploits, and they are dangerous because there is no defence against them yet. Users should always keep their software and apps updated to protect against all known bugs and vulnerabilities.

Honeypot

is a security mechanism (usually a server) that aims to attract potential attacks and record them for further analysis. It is a kind of trap that lures attackers and fools them into thinking it is a legitimate target. Since a honeypot has no other function, almost any interaction with it is a signal of suspicious activity. Honeypots are usually used to obtain information about attackers, their behaviour, methods or tools. Understanding attackers’ behaviour helps to find better and more effective ways to defend against them.

Malware

is an abbreviation for malicious software. It is any software intentionally designed to damage computers, servers or networks. Malware is an umbrella term for different types of malicious software, such as viruses, worms, trojan horses, spyware, adware or ransomware.

Phishing

is a type of attack in which attackers try to lure confidential information from users through messages. Their goal is to collect usernames, passwords or credit card information and then use it to rob the user, gain unauthorized access to devices, networks, information or other people, install malware or steal the user’s identity. Phishing often starts with a fraudulent email that appears to be legitimate. This fools the victim into clicking on a malicious link or opening an infected attachment. Be careful when you receive an email from an unknown or suspicious-looking address that contains many grammatical or factual errors. Don’t click on links or suspicious attachments, and always think before you click.

Ransomware

encrypts or blocks the user’s data and then blackmails them, demanding a ransom to make the data available again. The threat of publishing the obtained data is often part of this attack.

Smishing

is basically a type of phishing that uses fraudulent SMS or text messages. The term smishing is a combination of the words SMS and phishing. As people become more aware of phishing and email scams are being filtered out, attackers are moving to a different device: mobile phones.

Spam

is an unsolicited bulk message, mostly an email distributing advertising. Spam itself is more annoying than dangerous, but be careful, because spam campaigns may contain elements of phishing or smishing, or spread malicious links and attachments.

Spyware

is malicious software that collects information about a user or organization in order to send it to another entity or to cause harm. It may cause a breach of privacy by sharing the obtained data, or a security threat to the device. This behaviour can be present in malware, but also in legitimate software. For instance, some websites use spyware-like practices to track users’ activity.

Social engineering

is the psychological manipulation of people into performing certain actions in order to obtain confidential information or unauthorized access to a system or device. It does not require any technical skills, as attackers rely on human error. Well-known types of social engineering are phishing, vishing, smishing and spam.

Tabnabbing

is a type of phishing attack designed to obtain a user’s login details for popular websites and services. Do you keep multiple tabs open and return to them later? Then you may easily become a target of this attack. Tabnabbing causes the browser to navigate the user to a fake page after the tab has been left unattended. The page often imitates a well-known Internet service and looks almost identical to the legitimate one, so the user does not hesitate to log in. Tabnabbing is harder to avoid, as it does not rely on human error.

Trojan horse

is a type of malware that disguises its true intent and pretends to be a useful and safe file. Trojans are spread by some form of social engineering: they may be hidden in an email attachment, or obtained by clicking on a fake advertisement on social media or anywhere else on the web. Ransomware attacks are also often carried out using trojan horses.

Vishing

is a type of phishing carried out via phone calls, using social engineering methods. The term vishing is a combination of the words voice and phishing. The attacker tries to convince the victim that they represent a reputable company or person (the police, a bank, a telecommunications company or a new colleague). After gaining the victim’s trust, the attacker asks for credentials or other confidential information. Vishing is quite popular because it is more difficult to track.

Virus (worm)

is a type of malware that spreads through the network by making copies of itself from one computer to another. It slows down the infected device, makes the system unstable and destroys data.

Whaling

is a targeted phishing attack on a high-ranking, important person in the company structure (a “big fish” or “whale”). Unlike ordinary phishing, it is more targeted, thoughtful and better prepared. The goal is to extract confidential information or to manipulate the victim into performing certain actions (e.g., a money transfer).

5 tips on how to secure your account

SORRY, BUT YOUR PASSWORD MUST CONTAIN…

Creating a password doesn’t sound like a difficult task, but sometimes it is. We often make fun of websites asking us to use strong passwords: use a longer password, use at least one numerical character, at least one symbol, one upper-case character, and so on. But there is a reason for it. Weak passwords play a huge role in any hack. If you have been using your date of birth or your dog’s name as the password to your bank account since you were 18, let us tell you this is not safe.

PASSWORD HABITS THAT MAY PUT YOU AT RISK

Managing passwords is not only important for individuals; the responsibility falls on businesses too. Without proper password habits, your employees might put your company at risk. Your systems may be secure and complex, but attackers may choose a different method: waiting for your employee to make a mistake. Educate all your employees at all levels, from the bottom to the top, help them build good password habits, and make them think before they click. Creating a culture of cybersecurity awareness in your company can save you a lot of headaches. Cyber-aware, educated employees can be your first line of defense.

BACK TO BASICS

Some of these tips may seem obvious, but practice makes perfect.

1. Make your passwords strong

As we mentioned earlier, weak passwords are easy to crack. Ask yourself a question: if a hacker were trying to gain access to your account, how quickly would she or he be able to guess your password? Do you use personal, easily accessible information about yourself in your password (your date of birth, your wife’s name, etc.)? Do you use popular strings like "qwerty", "password" or "1234"? Make your password more unpredictable, don’t follow a pattern, and use randomly generated passwords instead. It is recommended that your passwords be 15-20 characters long. Shorter passwords can be cracked by brute-forcing.
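The checks in this tip (length of at least 15, no popular strings, no obvious patterns) and the brute-force argument can be turned into a small tool. The following is an added example, not code from the original article: it grades a password against those criteria, estimates how long exhausting its keyspace would take at an assumed guess rate, and generates random passwords that pass. The guess rate, the three-character-class rule and the sequential-run check are assumptions made for this example.

```python
import secrets
import string

# Criteria from the tips above: at least 15 characters, no popular strings
# ("qwerty", "password", "1234"), no obvious patterns. Guess rate and the
# three-class rule are assumptions made for this example.
MIN_LENGTH = 15
COMMON_STRINGS = ("password", "qwerty", "1234")
ALPHABET = string.ascii_letters + string.digits + string.punctuation
# (name, membership test, class size) used for both the class count and the entropy estimate
CLASSES = (("lower", str.islower, 26), ("upper", str.isupper, 26),
           ("digit", str.isdigit, 10), ("symbol", string.punctuation.__contains__, 32))

def has_sequential_run(pw, run=4):
    """True if `run` adjacent characters step by exactly +1 or -1 (e.g. 'abcd', '4321')."""
    for i in range(len(pw) - run + 1):
        diffs = {ord(pw[j + 1]) - ord(pw[j]) for j in range(i, i + run - 1)}
        if diffs == {1} or diffs == {-1}:
            return True
    return False

def char_classes(pw):
    """Character classes the password uses, mapped to their sizes."""
    return {name: size for name, test, size in CLASSES if any(test(c) for c in pw)}

def brute_force_years(pw, guesses_per_second=1e10):
    """Years to exhaust the keyspace of a random password with this length and class mix."""
    keyspace = sum(char_classes(pw).values()) ** len(pw)
    return keyspace / guesses_per_second / (365 * 24 * 3600)

def check_password(pw):
    """Return the problems found; an empty list means the password passes every check."""
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    for s in COMMON_STRINGS:
        if s in pw.lower():
            problems.append(f"contains popular string '{s}'")
    if has_sequential_run(pw):
        problems.append("contains a sequential run such as 'abcd' or '4321'")
    if len(char_classes(pw)) < 3:
        problems.append("uses fewer than three character classes")
    return problems

def generate_password(length=20):
    """Random password from the OS CSPRNG, re-drawn until it passes check_password."""
    while True:
        pw = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if not check_password(pw):
            return pw
```

The keyspace estimate is an upper bound for random passwords only; real attackers try dictionaries and patterns first, which is exactly why the popular-string and sequential-run checks come before the arithmetic.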

2. Store your passwords in a password manager

Worried that you won’t be able to remember all those strong and unique passwords? Then a password manager might come in handy. A password manager stores all your passwords in one place and uses encryption to protect your data. Maybe now you are wondering whether it is safe to hand your passwords over to another third-party app and store them all there. Well, there are some risks too, as nothing online is 100% safe, but it is one of the best options available today. Just be sure to choose a trusted password manager. You can try KeePass. Secure the app with a strong password and back it up regularly.

3. Change your passwords often

Many people use the same password for years. It is recommended to change your passwords a few times a year; the frequency also depends on what the password is used for and how strong it is. Be sure to change your password after a password leak, when someone has tried to access your account, or when you have logged in from public Wi-Fi. Check whether your email or phone has been breached.

4. Create a unique password for each account

Using the same password for every account increases the vulnerability of all of them. Never use the same password for multiple accounts. Don’t make it easier for attackers to gain access to all your accounts by cracking your only password.

5. Two-factor authentication (2FA) is your best friend

Even though you may find it annoying to confirm each and every login or transaction, it is strongly recommended that you do so. Many apps and websites give you the option to enable 2FA; when they do, take advantage of it. It is an extra layer of protection that makes it harder for attackers to get into your personal account. The most common forms are an SMS or notification with a unique passcode, or the use of biometric data (which may also be risky, but let’s talk about that next time).

The safer internet may be dangerous: encryption is to blame

STANISLAV SMOLÁR

With commonly used computer network protection tools, organizations are either unable to view encrypted communication or can only achieve the desired visibility with great difficulty and at a disproportionately high cost. A better way is to integrate some new components into the existing essential security technology.

Today, data encryption is an integral part of Internet communication, allowing us to shop or perform banking transactions online safely. Without encryption, anyone could view the transferred data and easily obtain, for instance, passwords or personal data. Nowadays, almost all website operators are gradually moving to security certificates.

Measurements by the Soitron Security Sensor system show that at least 60% of the communication in today’s organizations is encrypted. Typically, however, it is around 80%, which corresponds to the global estimate that 80% of all Internet traffic was encrypted in 2019. For comparison, two years earlier less than half of the Internet was encrypted.

Blinded administrators

With more and more websites and services being encrypted, the encryption methods are also changing and new, improved protocols for protecting the network communication are emerging (e.g., CAA, DANE, TLS 1.3, eSNI, and DoT).

The newer and more modern protocols are designed to protect data against any inspection, even if for legitimate purposes. If we also take into account the significant increase in the network capacity and thus also the volume of data transmitted, we realize that today companies and public organizations face a tsunami of strongly encrypted communication.

Inspecting encrypted traffic also often significantly degrades the quality of the encryption itself. For instance, the study “The Security Impact of HTTPS Interception” found that only one of the twelve devices tested received a satisfactory rating.

What does it mean for IT departments?

In short, it means new challenges in administering IT and securing it against cyber threats. Older security tools that were not designed to inspect encrypted communication do not give administrators the necessary operational visibility, which opens new possibilities for hackers to spread malicious code or send instructions to malware that has already infiltrated the network.

In addition, some applications (especially mobile ones) reject even legitimate inspection of security certificates within organizations. Attackers now successfully exploit the weakened ability of immature security solutions to scrutinize encrypted communication.

According to the cloud service provider Zscaler, the number of phishing attacks hidden in encrypted communications increased by 400% year-on-year last year. In general, encrypted traffic was exploited to spread malware in about half of all cyber-attacks. There is no reason to believe that this proportion will decrease in the future.

An inspection with no reading

The good news is that there are ways to make seemingly invisible, well-encrypted communication at least partially transparent. A number of security technology vendors have come up with solutions based on Encrypted Traffic Analytics (ETA), which are able to identify potential threats concealed in encrypted data with great accuracy and without compromising user convenience.

They are not trying to crack the encryption and “read” the entire content of the communication; something like that would be technically difficult and not acceptable in terms of privacy protection. The purpose of technologies for gaining visibility into an encrypted environment is to detect any abnormal behaviour based on, for example, behavioural analyses of network communication and alert you to any suspicious communication. An advantage is that this approach also helps to identify unknown threats that have not yet been described. There are no signatures available, and we know nothing about them.
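The behavioural approach described above can be illustrated without decrypting anything. The following is an added example, not code from the article or from any ETA vendor: it looks only at flow metadata (source, destination, start time, byte count) and flags connection series whose timing and size are unusually regular, the kind of pattern that malware checking in for instructions tends to produce. The flow records, the addresses (from documentation ranges) and the thresholds are all constructed for this example.

```python
import statistics
from collections import defaultdict

# Constructed flow records: (source, destination, start time in seconds, bytes sent).
# Only this metadata is used; the payloads are encrypted and are never decrypted.
FLOWS = [
    # A host contacting the same server every ~60 s with near-identical sizes.
    ("10.0.0.5", "203.0.113.9", 0.0, 512), ("10.0.0.5", "203.0.113.9", 60.2, 520),
    ("10.0.0.5", "203.0.113.9", 119.9, 515), ("10.0.0.5", "203.0.113.9", 180.1, 518),
    ("10.0.0.5", "203.0.113.9", 240.0, 514), ("10.0.0.5", "203.0.113.9", 299.8, 511),
    # Ordinary browsing: irregular timing and sizes.
    ("10.0.0.7", "198.51.100.2", 3.0, 2400), ("10.0.0.7", "198.51.100.2", 9.5, 31000),
    ("10.0.0.7", "198.51.100.2", 45.0, 900), ("10.0.0.7", "198.51.100.2", 200.0, 15000),
    ("10.0.0.7", "198.51.100.2", 212.0, 4100), ("10.0.0.7", "198.51.100.2", 600.0, 750),
]

def coefficient_of_variation(values):
    """Standard deviation relative to the mean; near zero means very regular values."""
    mean = statistics.mean(values)
    return float("inf") if mean == 0 else statistics.pstdev(values) / mean

def beacon_score(starts, sizes):
    """Regularity of a connection series in time and in size (lower is more regular)."""
    gaps = [b - a for a, b in zip(starts, starts[1:])]
    return coefficient_of_variation(gaps), coefficient_of_variation(sizes)

def find_beacons(flows, min_flows=5, max_cv=0.1):
    """Flag (src, dst) pairs whose connections are both periodic and uniform in size.
    min_flows and max_cv are tuning assumptions; real data needs baselining per network."""
    by_pair = defaultdict(list)
    for src, dst, start, nbytes in flows:
        by_pair[(src, dst)].append((start, nbytes))
    suspicious = []
    for (src, dst), recs in by_pair.items():
        if len(recs) < min_flows:
            continue  # too few samples to judge regularity
        recs.sort()
        starts = [s for s, _ in recs]
        sizes = [n for _, n in recs]
        cv_gap, cv_size = beacon_score(starts, sizes)
        if cv_gap <= max_cv and cv_size <= max_cv:
            period = (starts[-1] - starts[0]) / (len(starts) - 1)
            suspicious.append({"src": src, "dst": dst, "count": len(recs),
                               "period_s": round(period, 1)})
    return suspicious

if __name__ == "__main__":
    for hit in find_beacons(FLOWS):
        print(f"possible beacon: {hit['src']} -> {hit['dst']} every {hit['period_s']} s")
```

Because the detector needs no signature for the server or the payload, it also surfaces traffic to destinations nobody has described yet; the price is that legitimate periodic clients (update checkers, monitoring agents) must be baselined and allow-listed.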

With the share of the encrypted Internet traffic approaching 100% in the next few years, the cracks in existing security architectures will only grow. This does not mean that IT departments have to throw away and replace their existing resources. Rather, sooner or later, they will need to add new tools which are able to identify threats in their data traffic which would otherwise be invisible to the naked eye. The sooner they do this, the fewer threats they expose themselves to.

Stanislav Smolár

Security Business Unit Manager

stanislav.smolar@soitron.com