Login
Welcome back! In our last article, you cleared out your extraneous digital footprints by removing unnecessary accounts and opting-out of data broker services, and have finished a dedicated review of your online history. In this final section, we will answer the natural question encountered at the end of any journey: What’s next?
Before becoming the series you’ve just read, I presented a version of this many times as a live talk at conferences and training sessions. After the first few talks, I noticed a consistent trend in the feedback when I was approached afterwards: people who said they felt anxious about how their online activity going forward might share more than they want. So I went back and added a final section to the talk, one that we’re going to cover together now: risk acceptance and the value of routine in good security.
Some people think that the goal of good security is to eliminate risk. One of the first lessons you learn in this industry, though, is that eradicating every possible risk is very rarely practical, whether we’re talking about the individual or organizational level. This is because there are few choices one can make with zero possibility of a negative outcome, and because human beings are… human, and even with excellent discipline and good intent the best of us can mess up.
The goal of good security strategy is instead to assess risk and find a healthy balance: to decide what is more or less important and valuable, to determine how damaging the worst-case scenario might be and weigh that against the potential benefits, and figuring out how much you can reasonably do to tip the balance and increase your odds of success.
That’s fairly abstract, so let’s use a couple quick practical examples at both levels:
I don’t know about you, but I grew up as a child of the internet, and the thought of never going online again isn’t one I’m likely to seriously consider. So rather than logging off forever, let’s focus on how we can both stay safe and stay connected. We’ve completed the “3 R’s” of the self-dox process: Review, Restrict, and Remove. But now, a surprise more shocking than the Spanish Inquisition itself: we’re going to add two final steps-Repeat and Refine.
Every good security plan includes a plan for routine follow-up. We know that staying offline forever isn’t practical, so the next best thing is to set up a reminder to go through an easier version of this checklist on a regular schedule. Why is it easier? In this review, you had to look back on your entire life up to the present, and next time you’ll just need to look back from then to… well… now! Depending on how active you are online and how likely you are to be doxxed, this might make sense to do on an annual basis, or split into abbreviated and more frequent quarterly reviews.
There is no one-size-fits-all approach to this review, but here are some typical checks you may want to consider:
Before we move on to our final (final, I promise!) step, let’s talk one more kind of repeating. A wifi repeater is a gadget that can connect to and boost the signal from a wireless network, helping to expand the network’s reach and keep a strong connection. In the same way, by sharing the lessons you’ve learned with your family and friends you will expand the reach of that security knowledge. Not only does that help keep the people you care about safer… but since we’ve seen how information shared about us by others can also be discovered by doxxers, it helps to increase your own safety as well!
My goal in writing this series was to give a straightforward introduction and broadly-useful walkthrough of how to figure out what’s out there about you online. In the beginning of this series, I talked about how the level of risk for doxxing is not the same for everyone. You may want to go significantly further than we’ve covered in this guide if you are:
This can cover a wide range of additional steps like placing a freeze on your credit report, requesting a privacy removal from search engines, or even setting up dedicated secure devices/apps for communication online. The full scope of these additional protections is beyond what we can cover here, but I will again recommend the Self-Doxxing Guide from AccessNow and the Gender and Tech Safety Resource guide linked in the first post of this series as an excellent reference for where else you might want to check.
Thank you for following along with me on this journey, and I hope that you found this guide and the resources shared have been helpful for you. Still have questions, or have you discovered any of the links/tools here are no longer available? Please let me know! Life comes at you fast on the web, and I want to make sure this guide continues to be relevant and helpful for a long time to come. You can drop me a line at zoe@duo.com, or find me on Twitter. Until then, happy trails and stay safe out there!
If you can’t get enough security content and care deeply about making the web safer for everyone, we’d also love to hear from you. Please check out our open positions and how your passion can contribute to keeping people safe online.
We’d love to hear what you think. Ask a Question, Comment Below, and Stay Connected with Cisco Secure on social!
Cisco Secure Social Channels
Welcome back! Previously in our Go Dox Yourself series, we walked through reviewing what information is available about you online, prioritizing those accounts that are most important or still active, and then restricting how much we share through those accounts and who gets to see it. That’s two out of our three steps — maybe good enough for Meatloaf, but not for us! You’re in the home stretch now, and this is the most straightforward-if-slow portion of the process — so let’s dive right in.
In the review step , along with the top accounts that you wrote out in your initial brain dump, we used some email search tricks and the free services NameCheckup.com and NameChk.com to dig up any unused, forgotten, or now obsolete accounts you might have previously registered under your email address or favorite username (or, as us ʼ80s kids used to say, your “handle.”)
We set those old accounts to the side to focus on your active and sensitive data first, but now it’s time to make Marie Kondo proud and clean out the junk drawers of our online life – if it doesn’t still serve you or spark joy, let’s kiss it goodbye!
In a perfect world, this would be as simple as logging in, going to your account settings and clicking a big ol’ “Cancel My Account” button. However, many sites opt to bury the cancelation settings behind a series of smokescreen menus, sometimes even including a half dozen unskippable “are you SURE you want to leave?” and “but we’ll give you a super good deal to stay!” surveys to click through first.
If you find yourself thwarted and your first search of “[Unwanted Service] cancel” doesn’t take you where you need to go, try checking out AccountKiller. This collaborative resource takes submissions of step-by-step deletion instructions and direct links to cancel for a tremendous number of sites, and even includes phone tree options and direct support numbers for canceling offline accounts as well.
The first pass of your delete list might well be longer than a CVS receipt, because these days the average person has 100 password-protected accounts to manage, but don’t worry! You don’t have to sprint to the finish line, and slow progress checking off a few accounts in short sessions over a few weeks will serve you better than a several-hour slog of trying to clear them all at once and burning out.
An important lesson in security is that operating at max capacity isn’t sustainable all the time, and planning for rest and overflow in our personal security planning is no different. Remember that the work you’re doing is cumulative, each small step is one more forward, and every account you clear now is one less that you’ll need to revisit later.
You might notice that we’ve checked off most of the information from our initial brainstorm: emails, usernames, phone numbers, profile pictures… but so far, we haven’t done much with your location history: the cities you lived in and live now, the cities where you worked or went to school, and the city of your birth. Now that we’re going to see how much information on you is available through data brokers and public record sites, these details will be important to have handy.
For the unfamiliar, data brokers are companies which collect and bundle personal information for everything from ad customization to individual investigation. Brokers collect their data through a wide variety of methods, including:
These metrics and details are bundled and sold, either directly through lookup sites like we’ll review in just a moment, or in demographic bundles (for example, “Resilient Renters” or “Living on Loans: Young Urban Single Parents”). If you’ve ever walked through a car dealership window-shopping and suddenly found sponsored content for that car company in your feed, data brokers are the most likely reason.
For this step you should reference the previously-mentioned Personal Data Removal Workbook provided by Michael Bazzell through his company, IntelTechniques. Bazzell has maintained and updated this workbook for many years now, and it is by far the most comprehensive resource for keeping a handle on who is buying and selling your data.
One of the first things you’ll notice on opening the workbook is the sheer volume of businesses out there buying and selling your data: at time of writing, the current edition includes 220 separate brokers. But much like your initial account inventory likely included a select set of important accounts and a longer list of less-relevant ones, there are less than a dozen brokers who dominate most of the market and should be at the top of your list – and fortunately, they’re also at the top of the workbook! These sites are:
Aside from covering most of the market for data and analytics intelligence, these primary sites often act as “feeders” for smaller providers that are either directly affiliated or collect information for their own databases from the largest providers. Which means that as you remove your data from these sites, you’ll not only check off another box on your list, but you may also reduce the number of hits you find for your information on smaller sites as you work your way down.
Congratulations: if you’ve been following along, you’ve just made it through your self-doxxing! Hopefully you’re feeling much better informed and aware of what tracks you’ve left online, and addressed who you do and do not want to have your… addresses. Join us soon for our wrap-up post where we’ll recap with takeaway lessons, as well as good habits and check-ins to keep you safe going forward.
Care about keeping people and their data safe online? Check out our open roles.
We’d love to hear what you think. Ask a Question, Comment Below, and Stay Connected with Cisco Secure on social!
Cisco Secure Social Channels
With passwords and MFA out of the way, let’s next look at connected apps or services that are tied to our priority accounts. When you log into other sites on the web through Facebook, Google, or another social account, as well as when you install social media apps or games, you are sharing information about those accounts with those services. This may be as limited as the email address and username on file, or may include much more information like your friends list, contacts, likes/subscriptions, or more.
A well-known example of this data-harvesting method is the Cambridge Analytica story, where installing a social media app opened up access to much more information than users realized. (Note: as mentioned in the linked article, Facebook added protective measures to limit the amount of data available to app developers, but connected accounts can still present a liability if misused.)
With this in mind, look under the Security or Privacy section of each of your account’s settings, and review where you have either used this account to log into a third-party website or allowed access when installing an app. Here are some handy links to some of the most common services to check:
If you aren’t going to use the app again or don’t want to share any details, remove them. Once you’ve checked your accounts, repeat this process with all the apps installed on your phone.
Just like connecting a social account to a third-party game can share information like your contact info and friend’s list, installing an app on your mobile device can share information including your contacts, camera roll and more. Fortunately, mobile OSes have gotten much better at notifying users before installation on what information is shared, so you should be able to see which apps might be nosier than you’re comfortable with.
Finally — and this is really for the nerds and techies out there — check if you have any API (short for “application programming interface”) keys or browser extensions connected to your accounts. API keys are commonly used to let different apps or services “talk” between one another. They let you use services like Zapier or IFTTT to do things like have your Spotify favorites automatically saved to a Google Sheet, or check Weather Underground to send a daily email with the forecast.
Browser extensions let you customize a web browser and integrate services, like quickly clicking to save an article for review on a “read it later” service like Instapaper. Even if you trust the developer when installing these apps, they may pose a risk later on if they are recovered or taken over by an attacker. These “zombie extensions” rely on a broad install base from a legitimate service which can later be misused to gather information or launch attacks by a malicious developer.
We’ve made great progress already, and taken steps to help defend your accounts from prying eyes going forward – now it’s time to lock down your previous activities on social media. Rather than enumerate every option on every service, I’ll highlight some common tools and privacy settings you’ll want to check:
Before moving on to email, I’ll add another plug for the NYT Social Media Security and Privacy Checklists if you, like me, would rather have a series of boxes to mark off while going through each step above.
Security experts know that you can’t erase the possibility of risk, and it can be counterproductive to build a plan to that expectation. What is realistic and achievable is identifying risk so you know what you’re up against, mitigating risk by following security best practices, and isolating risk where possible so that in the event of an incident, one failure doesn’t have a domino effect affecting other resources. If that seems a bit abstract, let’s take a look at a practical example.
Tech journalist Mat Honan was the unlucky victim of a targeted hack, which resulted in a near-complete lockout from his digital life requiring a Herculean effort to recover. Fortunately for us, Mat documented his experience in the Wired story, “How Apple and Amazon Security Flaws Led to My Epic Hacking,” which offers an excellent summary of exactly the type of domino effect I described. I encourage you to read the full article, but for a CliffsNotes version sufficient for our needs here:
Honan’s article goes into much more detail, including some of the changes made by the services exploited to prevent similar incidents in the future. The key takeaway is that having a couple of emails without strong authentication tied to all his most important accounts, including the recovery of these email accounts themselves, meant that the compromise of his Amazon account quickly snowballed into something much bigger.
We’re going to learn from that painful lesson, and do some segmentation on our email channels based on the priority and how public we want that account to be. (“Segmentation” is an industry term that can be mostly boiled down to “don’t put all your eggs in one basket”, and keep critical or vulnerable resources separate from each other.) I would suggest setting up a few different emails, listed here from least- to most-public:
For all of the above, of course, we’ll create strong passwords and set up 2FA. And speaking of 2FA, you can use the same split-channel approach we followed for email to set up a dedicated verification number (using a VOIP service or something like Google Voice) when sending a passcode by SMS is the only option supported. Keeping these recovery numbers separate from your main phone number reduces the risk of them being leaked, sold, or captured in an unrelated breach.
Good news: We’re almost done with doxxing ourselves! In the next section, we’ll sweep out those unused accounts to avoid leaving data-filled loose ends and take a look at how data brokers profit off of your personal information and what you can do to opt-out.
You’ve made it this far so maybe you’re passionate like we are about developing innovative ways to make security accessible. We’d love for you to join our mission.
We’d love to hear what you think. Ask a Question, Comment Below, and Stay Connected with Cisco Secure on social!
Cisco Secure Social Channels
Just a few years ago when the topic of supporting offsite workers arose, some of the key conversation topics were related to purchase, logistics, deployment, maintenance and similar issues. The discussions back then were more like “special cases” vs. today’s environment where supporting workers offsite (now known as the hybrid workforce) has become a critical mainstream topic.
Now with the bulk of many organization’s workers off-premise, the topic of security and the ability of a security vendor to help support an organization’s hybrid workers has risen to the top of the selection criteria. In a soon to be released Cisco endpoint survey, it’s not surprising that the ability of a security vendor to make supporting the hybrid workforce easier and more efficient was the key motivating factor when organizations choose security solutions.
Today, when prospects and existing customers look at Cisco’s ability to support hybrid workers with our advanced security solution set and open platform, it’s quite clear that we can deliver on that promise. But, yes, good tools make it easier and more efficient, but the reality is that running a SOC or any security group, large or small, still takes a lot of work. Most organizations not only rely on advanced security tools but utilize a set of best practices to provide clarity of roles, efficiency of operation, and for the more prepared, have tested these best practices to prove to themselves that they are prepared for what’s next.
Knowing that not all organizations have this degree of security maturity and preparedness, we gathered a couple of subject matter experts together to discuss 5 areas of time-tested best practices that, besides the advanced tools offered by Cisco and others, can help your SOC (or small security team) yield actionable insights and guide you faster, and with more confidence, toward the outcomes you want.
In this webinar you will hear practical advice from Cisco technical marketing and a representative from our award winning Talos Threat Intelligence group, the same group who have created and are maintaining breach defense in partnership with Fortune 500 Security Operating Centers (SOC) around the globe.
You can expect to hear our 5 Best Practices recommendations on the following topics;
Check out our webinar to find out how you can become more security resilient and be better prepared for what’s next.
We’d love to hear what you think. Ask a Question, Comment Below, and Stay Connected with Cisco Secure on social!
Cisco Secure Social Channels
Scott Heider is a manager within the Cisco Security Visibility and Incident Command team that reports to the company’s Security & Trust Organization. Primarily tasked with helping to keep the integration of an acquired company’s solutions as efficient as possible, Heider and his team are typically brought into the process after a public announcement of the acquisition has already been made. This blog is the final in a series focused on M&A cybersecurity, following Dan Burke’s post on Making Merger and Acquisition Cybersecurity More Manageable.
Mergers and acquisitions (M&A) are complicated. Many factors are involved, ensuring cybersecurity across the entire ecosystem as an organization integrates a newly acquired company’s products and solutions—and personnel—into its workstreams.
Through decades of acquisitions, Cisco has gained expertise and experience to make its M&A efforts seamless and successful. This success is in large part to a variety of internal teams that keep cybersecurity top of mind throughout the implementation and integration process.
“Priority one for the team,” says Heider, “is to balance the enablement of business innovation with the protection of Cisco’s information and systems. Because Cisco is now the ultimate responsible party of that acquisition, we make sure that the acquisition adheres to a minimum level of security policy standards and guidelines.”
The team looks at the acquired company’s security posture and then partners with the company to educate and influence them to take necessary actions to achieve Cisco’s security baseline.
That process starts with assessing the acquired company’s infrastructure to identify and rate attack surfaces and threats. Heider asks questions that help identify issues around what he calls the four pillars of security, monitoring, and incident response:
The infrastructure that Heider’s team evaluates isn’t just the company’s servers and data center infrastructure. It can also include the systems the acquisition rents data center space to or public cloud infrastructure. Those considerations further complicate security and must be assessed for threats and vulnerabilities.
Once Heider’s team is activated, they partner with the acquired company and meet with them regularly to suggest areas where that acquisition can improve its security posture and reduce the overall risk to Cisco.
Identifying and addressing risk is critical for both sides of the table, however, not just for Cisco. “A lot of acquisitions don’t realize that when Cisco acquires a company, that organization suddenly has a bigger target on its back,” says Heider. “Threat actors will often look at who Cisco is acquiring, and they might know that that company’s security posture isn’t adequate—because a lot of times these acquisitions are just focused on their go-to-market strategy.”
Those security vulnerabilities can become easy entry points for threat actors to gain access to Cisco’s systems and data. That’s why Heider works so closely with acquisitions to gain visibility into the company’s environment to reduce those security threats. Some companies are more focused on security than others, and it’s up to Heider’s team to figure out what each acquisition needs.
“The acquisition might not have an established forensics program, for instance, and that’s where Cisco can come in and help out,” Heider says. “They might not have tools like Stealthwatch or NetFlow monitoring, or Firepower for IDS/IPS operations.”
When Heider’s team can bring in their established toolset and experienced personnel, “that’s where the relationship between my team and that acquisition grows because they see we can provide things that they just never thought about, or that they don’t have at their disposal,” he says.
One of the most important factors in a successful acquisition, according to Heider, is to develop a true partnership with the acquired company and work with the new personnel to reduce risk as efficiently as possible—but without major disruption.
Cisco acquires companies to expand its solution offerings to customers, so disrupting an acquisition’s infrastructure or workflow would only slow down its integration. “We don’t want to disrupt that acquisition’s processes. We don’t want to disrupt their people. We don’t want to disrupt the technology,” says Heider. “What we want to do is be a complement to that acquisition, – that approach is an evolution, not a revolution.”
The focus on evolution can sometimes result in a long process, but along the way, the teams come to trust each other and work together. “They know their environment better than we do. They often know what works—so we try to learn from them. And that’s where constant discussion, constant partnership with them helps them know that we are not a threat, we’re an ally,” says Heider. “My team can’t be everywhere. And that’s where we need these acquisitions to be the eyes and ears of specific areas of Cisco’s infrastructure.”
Training is another way Heider, and his team help acquisitions get up to speed on Cisco’s security standards. “Training is one of the top priorities within our commitments to both Cisco and the industry,” Heider says. “That includes training in Cisco technologies, but also making sure that these individuals are able to connect with other security professionals at conferences and other industry events.”
When asked what advice he has for enterprises that want to maintain security while acquiring other companies, Heider has a few recommendations.
Having the right security agents and clear visibility into endpoints is critical. As is inputting the data logs of those endpoints into a security event and incident management (SEIM) system. That way, explains Heider, you have visibility into your endpoints and can run plays against those logs to identify security threats. “We’ll reach out to the asset owner and say they might have malware on their system—which is something nobody wants to hear,” says Heider. “But that’s what the job entails.”
Often, end users don’t know that they’re clicking on something that could have malware on it. Heider says user education is almost as important as visibility into endpoints. “Cisco really believes in training our users to be custodians of security, because they’re safeguarding our assets and our customers’ data as well.”
End users should be educated about practices such as creating strong passwords and not reusing passwords across different applications. Multi-factor authentication is a good practice, and end users should become familiar with the guidelines around it.
Updating software and systems is a never-ending job, but it’s crucial for keeping infrastructure operating. Sometimes, updating a system can weaken security and create vulnerabilities. Enterprises must maintain a balance between enabling business innovation and keeping systems and data secure. Patching systems can be challenging but neglecting the task can also allow threat actors into a vulnerable system.
Heider says public cloud operations can be beneficial because you’re transferring ownership liability operations to a third party, like Amazon Web Services or Google Cloud platform. “The only caveat,” he says, “is to make sure you understand that environment before you go and put your customer’s data on it. You might make one false click and expose your certificates to the Internet.”
Heider says that while a big part of his job is helping acquisitions uplevel their security domain to meet baseline security requirements, there’s always the goal to do even better. “We don’t want to be just that baseline,” he says. His team has learned from acquisitions in the past and taken some of those functionalities and technologies back to the product groups to make improvements across Cisco’s solutions portfolio.
“We’re customer zero – Cisco is Cisco’s premier customer,” says Heider, “because we will take a product or technology into our environment, identify any gaps, and then circle back to product engineering to improve upon it for us and our customers.”
Managing Cybersecurity Risk in M&A
Demonstrating Trust and Transparency in Mergers and Acquisitions
When It Comes to M&A, Security Is a Journey
Making Merger and Acquisition Cybersecurity More Manageable
We’d love to hear what you think. Ask a Question, Comment Below, and Stay Connected with Cisco Secure on social!
Cisco Secure Social Channels
In the first step of our doxxing research, we collected a list of our online footprint, digging out the most important accounts that you want to protect and obsolete or forgotten accounts you no longer use. Because the most recent and relevant data is likely to live in the accounts you use regularly, our next step will be to review the full scope of what’s visible from these accounts and to set more intentional boundaries on what is shared.
It’s important to note here that the goal isn’t to eliminate every trace of yourself from the internet and never go online again. That’s not realistic for the vast majority of people in our connected world (and I don’t know about you, but even if it was I wouldn’t want to!) And whether it’s planning for an individual or a giant organization, security built to an impossible standard is destined to fail. Instead, we are shifting you from default to intentional sharing, and improving visibility and control over what you do want to share.
Before making changes to the settings and permissions for each of these accounts, we’re going to make sure that access to the account itself is secure. You can start with your email accounts (especially any that you use as a recovery email for forgotten passwords, or use for financial, medical, or other sensitive communications). This shouldn’t take very long for each site, and involves a few straightforward steps:
The best way to prevent a breached password from exposing another account to attack is to use a unique password for for every website you visit. And while you may have heard previous advice on strong passwords (along the lines of “eight or more characters, with a mix of upper/lower case letters, numbers, and special characters”), more recent standards emphasize the importance of longer passwords. For a great explanation of why longer passwords work better than shorter, multi-character type passwords, check out this excellent XKCD strip:
A password manager will make this process much easier, as most have the ability to generate unique passwords and allow you to tailor their length and complexity. While we’re on the topic of what makes a good password, make sure that the password to access your password manager is both long and memorable.
You don’t want to save or auto-fill that password because it acts as the “keys to the kingdom” for everything else, so I recommend following a process like the one outlined in the comic above, or another mnemonic device, to help you remember that password. Once you’ve reset the password, check for a “log out of active devices” option to make sure the new password is used.
MFA uses two or more “factors” verifying something you know, something you have, or something you are. A password is an example of “something you know”, and here are a few of the most common methods used for an additional layer of security:
If you want to know more about the different ways you can log in with strong authentication and how they vary in effectiveness, check out the Google Security Team blog post “Understanding the Root Cause of Account Takeover.”
Before we move on from passwords and 2FA, I want to highlight a second step to log in that doesn’t meet the standard of strong authentication: password questions. These are usually either a secondary prompt after entering username and password, or used to verify your identity before sending a password reset link. The problem is that many of the most commonly-used questions rely on semi-public information and, like passcodes, are entered on the same device used to log in.
Another common practice is leveraging common social media quizzes/questionnaires that people post on their social media account. If you’ve seen your friends post their “stage name” by taking the name of their first pet and the street they grew up on, you may notice that’s a combination of two pretty common password questions! While not a very targeted or precise method of attack, the casual sharing of these surveys can have consequences beyond their momentary diversion.
One of the first widely-publicized doxxings happened when Paris Hilton’s contact list, notes, and photos were accessed by resetting her password using the password question, “what is your favorite pet’s name?”. Because Hilton had previously discussed her beloved chihuahua, Tinkerbell, the attacker was able to use this information to access the account.
Sometimes, though, you’ll be required to use these password questions, and in those cases I’ve got a simple rule to keep you safe: lie! That’s right, you won’t be punished if you fib when entering the answers to your password questions so that the answers can’t be researched, and most password managers also include a secure note field that will let you save your questions and answers in case you need to recall them later.
We’d love to hear what you think. Ask a Question, Comment Below, and Stay Connected with Cisco Secure on social!
Cisco Secure Social Channels
Dan Burke is the director of strategy, risk, and compliance for AppDynamics, a company acquired by Cisco in 2017. Burke and his team are a vital part of the Cisco acquisition process in helping acquired companies adhere to a higher level of cybersecurity. This blog is the fourth in a series focused on M&A cybersecurity, following Shiva Persaud’s post on When It Comes to M&A, Security Is a Journey.
Part of the secret to Cisco’s success is its ability to acquire companies that strengthen its technology portfolio and securely integrate them into the larger organization. From the outside, that process might appear seamless—consider Webex or Duo Security, for instance—but a fruitful acquisition takes tremendous work by multiple cross-functional teams, mainly to ensure the acquired company’s solutions and products meet Cisco’s rigorous security requirements.
“My team is responsible for aligning new acquisitions to Cisco controls to maintain our compliance with SOC2 and FedRAMP, as well as other required certifications,” says Burke.
When Cisco acquires a new company, it conducts an assessment and produces a security readiness plan (SRP) document. The SRP details the identified weaknesses and risks within that company and what they need to fix to meet Cisco standards.
“In the past, my team wouldn’t find out about an acquisition until they received a completed SRP. The downside of this approach was that the assessments and negotiations had been done without input from our group of experts, and target dates for resolution had already been decided on,” shares Burke.
“We needed to be involved in the process before the SRP was created to understand all risks and compliance issues in advance. Now we have a partnership with the Cisco Security and Trust M&A team and know about an acquisition months before we can start working to address risks and other issues—before the SRP is completed and the due dates have been assigned,” Burke adds.
“Another issue resolved in this process change is that Cisco can gain earlier access to the people in the acquired company who know the security risks of their solutions. During acquisitions, people will often leave the company, taking with them their institutional knowledge, resulting in Cisco having to start from scratch to identify and assess the risks and determine how best to resolve them as quickly as possible,” says Burke. “It could be vulnerabilities in physical infrastructure or software code or both. It could be that the company isn’t scanning often enough, or they don’t have SOC 2 or FedRAMP certification yet—or they’re not using Cisco’s tools.”
“Third-party vendors and suppliers can also present an issue,” he adds. “One of the biggest risk areas of any company is outside vendors who have access to a company’s data. It’s vital to identify who these vendors are and understand the level of access they have to data and applications. The earlier we know all these things, the more time we must devise solutions to solve them.”
“Now that I’m in the process earlier, I can build a relationship with the people who have the security knowledge—before they leave. If I can understand their mindset and how all these issues came about, I can help them assimilate more easily into the bigger Cisco family,” says Burke.
The additional benefits of bringing teams in earlier are reduced risk and compliance requirements can be met earlier. It also provides a smoother transition for the company being acquired and ensures they meet the security requirements that customers expect when using their technology solutions.
“Without that early involvement, we might treat a low-risk issue as high risk, or vice versa. The misclassification of risk is extremely dangerous. If you’re treating something as high risk, that’s low risk, and you’re wasting people’s time and money. But if something’s high risk and you’re treating it as low risk, then you’re in danger of harming your company,” Burke shares.
“The key is to involve their risk, compliance, and security professionals from the beginning. I think other companies keep the M&A process so closely guarded, to their detriment. I understand the need for privacy and to make sure deals are confidential but bringing us in earlier was an advantage for the M&A team and us,” Burke adds.
When asked what he thinks makes Cisco successful in M&A, Burke says, “Cisco does an excellent job of assimilating everyone into the larger organization. I have worked at other companies where they kept their acquisitions separate, which means you have people operating separately with different controls for different companies. That’s not only a financial burden but also a compliance headache.”
“That’s why Cisco tries to drive all its acquisitions through our main programs and controls. It makes life easier for everyone in terms of compliance. With Cisco, you have that security confidence knowing that all these companies are brought up to their already very high standards, and you can rely on the fact that they don’t treat them separately. And when an acquisition has vulnerabilities, we identify them, set out a remediation path, and manage the process until those risks are resolved,” Burke concludes.
Managing Cybersecurity Risk in M&A
Demonstrating Trust and Transparency in Mergers and Acquisitions
When It Comes to M&A, Security Is a Journey
We’d love to hear what you think. Ask a Question, Comment Below, and Stay Connected with Cisco Secure on social!
Cisco Secure Social Channels
Technology has typically had a reputation for being exciting and inventive. Unfortunately, this hasn’t always been the case for security. But times have changed. We are now recognizing the crucial role security plays in any groundbreaking technology. Without strong defenses, even the most visionary app is likely to crash and burn. So it’s imperative that big security players like Cisco stay on top of what’s next.
I am thrilled to announce that in November, we will be launching our new video series, “NEXT” by Cisco Secure. In the series, my esteemed co-host TK Keanini and I will interview some of the brightest new minds in tech to find out more about the future of the industry and how we can best secure it. Watch the series preview below!
As the CTO of Cisco Secure, TK has over 25 years of networking and security expertise, as well as a penchant for driving technical innovation. As for me, I’m a cybersecurity specialist of 10 years with an obsession for communication and empathy. Together, TK and I will bring new cyber pioneers to the forefront and highlight the criticality of digital protection and privacy for everyone.
Whether we’re discussing Web3, the metaverse, or next-generation healthcare, we’ll learn and laugh a lot. Through simple conversations about complex topics, we’re building a bridge between leading-edge tech and how Cisco is helping to safeguard what’s on the horizon.
And what better time to preview this series than during Cybersecurity Awareness Month? A time when we focus on the reality that security belongs to everyone — not just the threat hunter, or the product engineer, or the incident responder — but everyone.
We all have a responsibility to protect the world’s data and infrastructure, and should all have a seat at the table for important security conversations. We hope you’ll join us as we dive into what’s making waves out there, and how we can keep it safe.
Follow our Cisco Secure social channels to catch our first episode in November, when we will speak with Michael Ebel, CEO of Atmosfy. Atmosfy is revolutionizing restaurant reviews by incorporating engaging live video that inspires others and supports local businesses. TK and I will chat with Michael about the origin of Atmosfy, and how the company keeps its content authentic and organization resilient.
In the meantime, explore our other Cybersecurity Awareness Month resources.
Who do you want to hear from next? Tell us your ideas for future guests in the comments.
We’d love to hear what you think. Ask a Question, Comment Below, and Stay Connected with Cisco Secure on social!
Cisco Secure Social Channels
Sharing is caring… but on the internet, sharing can also be tricky! When we post something, we have to look at the forest and not just the trees. Doxxers usually start with one or two pieces of relatively innocent or public information, but by connecting the dots between those pieces they can build a frighteningly detailed picture of an individual.
Seemingly innocuous details can be pieced together into a much more personal profile when collected and leveraged to learn more. As one example, your wish list/wedding registry makes it easy for friends and family to get you gifts that you actually want, but could also be used to find out products/services you’re interested in as pretext (setting the scene) of a conversation or phishing email trying to gather more. You may have Google Alerts set up for your name (a great idea!), but this may not flag text in scanned documents such as school yearbooks, newspapers and other digitized paper records available online.
If the above sounds scary – don’t panic! Your first step in this auto-dox is going to be brainstorming as much personally identifying information (PII) shared online as possible. I suggest doing this either in a secure note or longhand. The goal is to write down all of the accounts/addresses/phone numbers that come to mind, as these are some of the top things that attackers will try to gather in their search. Start your list here:
Email addresses are an especially juicy target for someone trying to locate you, because most people only use one personal and maaaybe a second school or work email account. Those accounts are tied to all our other online identities and often double as our username for logging in.
When you finish this process, you will likely have dozens or even hundreds of “breadcrumbs” between your account list and search results. Read through your list again, and we’re going to sort it into three categories:
Great job! You’ve already got a much better idea of what people can learn about you than most folks ever do, and are well on your way to cleaning up your online footprint. In our next step, we’ll start locking down everything that you want to keep!
P.S. If you’re enjoying this process and value keeping people safe online, please check out our open roles at Cisco Secure.
We’d love to hear what you think. Ask a Question, Comment Below, and Stay Connected with Cisco Secure on social!
Cisco Secure Social Channels
It is never too late to start a career in cybersecurity — this may sound cliché, but it holds a lot of truth. If you are passionate about the topic and are ready to put in the work to acquire the skills and knowledge needed, anyone, regardless of educational background, can break into cybersecurity.
At the age of 26, I started a four-year bachelor’s degree in digital forensics. I got introduced to the field by chance after working in data analytics for a few years and taking a college class on criminology. The program that I signed up for was mostly remote, with 80% independent preparation and bi-monthly on-site weekends at the university. I quickly realized that this model of education works great for me — I could read the materials provided by the program at my own pace and use as much external materials to supplement my understanding as needed. While the program was designed for working professionals and classes were spread out over four years, instead of the usual three years for a bachelor’s degree in Germany, it required a lot of discipline to complete the coursework while having a full-time job. Along the way, I learned several things about combining the responsibilities of adult life and achieving the study goals I had set for myself.
Below, I will outline a few recommendations to follow if you would like to break into the security field as an adult learner.
Use visual support to communicate your goals and timeline to others. This makes it easy for them to understand where you stand and why you might pass on the dinner invitation for next weekend.
Small reminders like the one above can help you stay motivated and focused.
One of the first events that I attended as a student was an information day by the German research institute Fraunhofer Institute for Secure Information Technology (SIT). Public institutions like this one tend to offer more affordable events and discount rates for students.
Appreciate the small steps forward and be gentle to your mental health.
We’d love to hear what you think. Ask a Question, Comment Below, and Stay Connected with Cisco Secure on social!
Cisco Secure Social Channels
Shiva Persaud is the director of security engineering for Cisco. His team is responsible for the Cisco Secure Development Lifecycle (CSDL), a set of practices based on a “secure-by-design” philosophy developed to ensure that security and compliance are top-of-mind in every step of a solution’s lifecycle. This blog is the third in a series focused on M&A cybersecurity, following Jason Button’s post on Demonstrating Trust and Transparency in Mergers and Acquisitions.
One of the most important considerations when Cisco acquires a company, is ensuring that the security posture of the acquisition’s solutions and infrastructure meets the enterprise’s security standards. That can be a tricky proposition and certainly doesn’t happen overnight. In fact, at Cisco, it only comes about thanks to the efforts of a multitude of people working hard behind the scenes.
“The consistent message is that no matter where a product is in its security journey, from inception to end-of-life activities, there’s still a lot of work that can happen to lead to a better security outcome,” says Persaud.
While Persaud and his team work within Cisco on all the company’s products and solutions, they also play a critical role in maintaining security standards in Cisco’s mergers and acquisitions (M&A) work.
Simply put, Persaud’s team is tasked with identifying the security risks posed by an acquisition’s technology and helping teams mitigate those risks.
“It starts with a risk assessment where we ask ourselves what an attacker would do to compromise this specific technology,” says Persaud. “What are the industry best practices for securing this type of technology? What do our customers expect this technology to provide from a security perspective? And once we have those risks enumerated, we prioritize them to decide which is the most important to take care of first.”
To anticipate where a hacker might find vulnerabilities and the actions they might take, the CSDL team must put themselves in that attack mindset. Fortunately for Persaud, his interest in computer security started as early as middle school. “It just kind of grew from there,” he says. “For many folks I’ve worked with and hired over the years, it’s a similar situation.”
That lifelong interest and experience work to the team’s advantage. They take a risk-based approach to security, in which they identify all the issues that need to be fixed and then rate them based on the likelihood of occurrence and seriousness of the results of an attack. Those ratings inform their decisions on which issues to fix first.
“We come up with ways to go mitigate those risks and co-author a plan called the Security Readiness Plan, or SRP,” Persaud says. “Then we partner with teams to take that plan and execute it over time.”
In alignment with CSDL’s continuous approach to security throughout a solution’s lifecycle, Persaud says that “security is a journey, so the workflow to finish the secure development lifecycle never ends.”
While initial onboarding of an acquired company—including completion of the initial risk assessment and the SRP—typically ends within several months of the acquisition. Persaud adds, “The work continues as the technology is integrated into a larger tech stack or as it’s modified and sold as a standalone offering to our customers.” As the solution or technology evolves and begins to include new features and functionalities, the CSDL work continues to make sure those features are secure as well.
That work can have its obstacles. Persaud says that one of the primary challenges his team deals with is cutting through the flurry of activity and bids for the acquisition’s attention that come pouring in from all sides. It’s a crazy time for both Cisco and the acquisition, with many important tasks at the top of everyone’s to-do lists. “Not just in the security realm,” says Persaud,” but in many other areas, too. So being able to get the acquisition to focus on security in a meaningful way in the context of everything else that’s happening is a major challenge.”
Another challenge is dealing with acquisitions that might not have much security expertise on their original team. That means they’re not able to give Persaud’s team much help in determining where security risks lie and how serious they are—so Cisco’s engineers have a lot more investigative work to do.
When asked what advice he would give to organizations that want to maintain a good security posture when acquiring another company, Persaud names three key factors.
To succeed in M&A security, it’s critical that the organization’s board of directors, CEO, and all subsequent levels of management support and be committed to meeting a high level of security standards and outcomes. The remaining management of the acquisition also needs to be on board with the security commitment, and both organizations should make sure that all employees recognize that commitment and support. If management support is not there, the work ultimately won’t get done. It can be difficult and time-consuming and without companywide recognition of its key importance, it won’t get prioritized, and it will get lost in the myriad of other things that all the teams have to do.
The issue of security can get really complicated, very quickly. Persaud says it’s smart to find industry standards and best practices that already exist and are available to everyone, “so you’re not reinventing the wheel—or more concerning, reinventing the wheel poorly.”
Where to look for those industry standards will vary, depending on the technology stack that needs to be secured. “If you are interested in securing a web application,” says Persaud, “then starting with the OWASP Top Ten list is a good place to start. If you are selling a cloud offer or cloud service, then look at the Cloud Security Alliance’s Cloud Controls Matrix (CCM) or the Cisco Cloud Controls Framework.”
One way to think of it, Persaud says, is that there are a variety of security frameworks certain customers will need a company to adhere to before they can use their solutions. Think frameworks like FedRAMP, SOC-2, Common Criteria, or FIPS.
“You can align your product security work to those frameworks as a baseline and then build on top of them to make technology more resilient.” It’s a great place to start.
It’s essential that an organization be very clear on what it wants to accomplish when it comes to ensuring security of an acquisition’s solutions and infrastructure. This will help it avoid “trying to boil the whole ocean,” says Persaud.
Persaud and his team talk about working up to security fitness the way a runner would start with a 5K and work up to an Ironman competition. “You take progressive steps towards improving,” he says. “You’re very explicit about what milestones of improvement you’ll encounter on your journey of good security.”
Persaud says Cisco is uniquely positioned to help organizations maintain security standards when acquiring other companies. He points to three critical differentiators.
“The level of visibility and support that we have for security at Cisco, starts with our board of directors and our CEO, and then throughout the organization,” says Persaud. “This is a very special and unique situation that allows us to do a lot of impactful work from a security perspective,”
Cisco has long been adamant about security that’s built in from the ground up and not bolted on as an afterthought. It’s the reason the CSDL exists, as well as the Cisco Security & Trust Organization and the many, many teams that work every day to infuse security and privacy awareness into every product, service, and solution—including the technology and infrastructure of newly acquired companies.
Once Persaud’s team has identified and assessed the security risks of an acquisition, his and other teams go about helping the acquisition address and mitigate those risks. Cisco provides a set of common building blocks or tools that teams can use to improve the security posture of an acquisition.
“We have secure libraries that teams can integrate into their code base to help them do certain things securely, so that the individual teams don’t have to implement that security functionality from scratch,” says Persaud. “And Cisco produces certain pieces of hardware that can be leveraged across our product lines, such as secure boot and secure storage.”
“Cisco’s operations stack also has various services acquisitions can use,” says Persaud. “An example of this comes from our Security Vulnerability and Incident Command team (SVIC). They provide logging capabilities that cloud offers at Cisco can leverage to do centralized logging, and then monitor those logs. SVIC also offers a security vulnerability scanning service so individual teams don’t have to do it independently.”
Another critical building block is Persaud’s team and their expertise. They act as a valuable resource that teams can consult when they want to build a new feature securely or improve the security of an existing feature.
Persaud concludes, “Cisco has an extremely strong and active security community where teams can ask questions, gain insights, give guidance, troubleshoot issues, share ideas and technology, and discuss emerging security topics. The community is committed to helping others instead of competing against each other. Members have the mindset of enriching the overall approach to security at Cisco and learning from any source they can to make things continually better.
Managing Cybersecurity Risk in M&A
Demonstrating Trust and Transparency in Mergers and Acquisitions
We’d love to hear what you think. Ask a Question, Comment Below, and Stay Connected with Cisco Secure on social!
Cisco Secure Social Channels
Whether or not you’ve heard the term “doxxing” before, you’re probably familiar with the problem it names: collecting personal information about someone online to track down and reveal their real-life identity. The motivations for doxxing are many, and mostly malicious: for some doxxers, the goal in tracking someone is identity theft. For others, it’s part of a pattern of stalking or online harassment to intimidate, silence or punish their victim – and overwhelmingly, victims are youth and young adults, women, and LGBTQ+ people. The truth is, most of us have information online that we don’t realize can put us at risk, and that’s why I’ve written this series: to inform readers about how doxxing happens, and how you can protect yourself from this very real and growing problem by doxxing yourself.
In computer security, we talk about the idea of a “security mindset”: understanding how someone with bad intentions would cause harm, and being able to think like they would to find weak spots. In this series, you will learn by doing. By understanding the tools and methods used by those with ill intent, you’ll be better prepared to keep yourself safe and your information secure.
Your mission, should you choose to accept it, is to follow along and find out everything the internet knows about… you!
This series will provide simple steps for you to follow as you begin your investigation. Along the way, as you get familiar with the tools and tactics of internet sleuths, you’ll get a better idea of your current internet footprint as well as know what tracks you leave in the future. Our process will be split into three main sections:
Information is power. And in the case of doxxing, most people don’t realize how much of their power they’re giving up! My goal in this series is to demystify the methods used for doxxing, so in the spirit of “showing my work,” here are some of the best resources and collected checklists I referenced when planning these exercises, along with how to best use each:
If this looks like a whole lot of homework… don’t worry! We’ll cover most of the core tools and tips mentioned in these resources through the course of this series, and we’ll revisit these links at the end of the series when you’ve gotten more context on what they cover. In the next article, we’ll take on the review step of our process, getting a holistic inventory of what personal information is currently available online so you can prioritize the most important fixes. See you soon!
We’d love to hear what you think. Ask a Question, Comment Below, and Stay Connected with Cisco Secure on social!
Cisco Secure Social Channels
Happy Cybersecurity Awareness Month!
Every October, the National Cybersecurity Alliance selects a theme around which to publish extensive awareness resources and practical tips to help you improve your cybersecurity.1 This year’s theme is “It’s easy to stay safe online.” With the number of cyberthreats and breaches dominating the headlines, it can seem like a Herculean task to cover all your bases; however, with just four easy habits, you can actually protect yourself against a large percentage of these threats!
Don’t be scared of hackers, phishers, or cybercriminals this month. Leave that to the ghosts, ghouls, and your upcoming holiday social calendar.
Multifactor authentication (MFA) is an excellent way to frustrate cybercriminals attempting to break into your online accounts. MFA means that you need more than a username and password to log in, such as a one-time code sent to by email, text, or through an authentication app or a face or fingerprint scan. This adds an extra layer of security, because a thief would have to have access to your device, your email, or be able to trick a biometric reader to get into your online account.
Most online sites offer the option to turn on MFA. While it may add an extra few seconds to the login process, it’s well worth it. Username and password combinations can be up for sale on the dark web following a breach. With these in hand, a cybercriminal could then help themselves to your online bank account, online medical records, and possibly your identity. When an account is secured with MFA, a criminal may quickly move on to another target that’s easier to crack.
Most sites won’t even let you proceed with creating an account if you don’t have a strong enough password. A strong password is one with a mix of capital and lowercase letters, numbers, and special characters. What also makes for an excellent password is one that’s unique. Reusing passwords can be just as risky as using “password123” or your pet’s name plus your birthday as a password. A reused password can put all your online accounts at risk, due to a practice called credential stuffing. Credential stuffing is a tactic where a cybercriminal attempts to input a stolen username and password combination in dozens of random websites and to see which doors it opens.
Remembering a different password for each of your online accounts is almost an impossible task. Luckily, password managers make it so you only have to remember one password ever again! Password managers, like the one available in McAfee+. safeguard all your passwords in one secure desktop extension or cellphone app that you can use anywhere. McAfee+ is secured with one of the most secure encryption algorithms available, and multifactor authentication is always standard.
It’s best to create passwords or passphrases that have a secret meaning that only you know. Stay away from using significant dates, names, or places, because those are easier to guess. You can also leave it up to your password manager to randomly generate a password for you. The resulting unintelligible jumble of numbers, letters, and symbols is virtually impossible for anyone to guess.
Software update notifications always seem ping on the outskirts of your desktop and mobile device at the most inconvenient times. What’s more inconvenient though is having your device hacked. Another easy tip to improve your cybersecurity is to update your device software whenever upgrades are available. Most software updates include security patches that smart teams have created to foil cybercriminals. The more outdated your apps or operating system is, the more time criminals have had to work out ways to infiltrate them.
Consider enabling automatic updates on all your devices. Many major updates occur in the early hours of the morning, meaning that you’ll never know your devices were offline. You’ll just wake up to new, secure software!
You’ve likely already experienced a phishing attempt, whether you were aware of it or not. Phishing is a common tactic used to eke personal details from unsuspecting or trusting people. Phishers often initiate contact through texts, emails, or social media direct messages, and they aim to get enough information to hack into your online accounts or to impersonate you.
Luckily, it’s usually easy to identify a phisher. Here are a few tell-tale signs for be on the lookout for:
Never engage with a phishing attempt. Do not forward the message or respond to them and never click on any links included in their message. The links could direct to malicious sites that could infect your device with malware or spyware.
Before you delete the message, block the sender, mark the message as junk, and report the phisher. Reporting can go a long way toward hopefully preventing the phisher from targeting someone else.
The best complement to your newfound excellent cyberhabits is a toolbelt of excellent services to patch any holes in your defense. McAfee+ includes all the services you need to boost your peace of mind about your online identity and privacy. You can surf public Wi-Fis safely with its secure VPN, protect your device with antivirus software, scan risky sites for your personally identifiable information, and more!
This October, make a commitment to improving your cybersecurity with the guidance of the National Cybersecurity Alliance and McAfee.
1National Cybersecurity Alliance, “Cybersecurity Awareness Month”
The post 4 Easy Things You Can Do Today to Improve Your Cybersecurity appeared first on McAfee Blog.
With “See Yourself in Cyber” as the theme for this year’s Cybersecurity Awareness Month, the focus is on you with a look at several quick ways you can quickly get safer online.
Now in its 21st year, Cybersecurity Awareness Month marks a long-standing collaboration between the U.S. government and private industry. It’s aim, empower people to protect themselves from digital forms of crime. And that stands as a good reminder. Phishing attacks, malware, and the other threats we regularly talk about in our blog are indeed forms of crime. And where there’s crime, there’s a person behind it.
It can be easy to lose sight of that, particularly as the crook on the other end of the attack is hiding behind a computer. Cybercrime can feel anonymous that way, yet it’s anything but. Whether a single bad actor or as part of a large crime organization, people power cybercrime.
Yet just as you secure your home to prevent yourself from becoming a victim of a criminal, you can also secure your digital life to prevent yourself from becoming a victim of cybercriminal.
You have plenty of places where you can start, and they’re all good ones. Even a handful of the simplest measures can significantly decrease your risk. Better yet, several take far less time to put into place than you might think, while yet more work automatically once you implement them—making them a sort of “set it and forget it” security measure.
With that, this five-step list can get you going:
Strong, unique passwords offer another primary line of defense. Yet with all the accounts we have floating around, juggling dozens of strong and unique passwords can feel like a task—thus the temptation to use (and re-use) simpler passwords. Hackers love this because one password can be the key to several accounts. Instead, try a password manager that can create those passwords for you and safely store them as well. Comprehensive security software will include one, and McAfee also offers a free service with True Key.
Updates do all kinds of great things for gaming, streaming, and chatting apps, like add more features and functionality over time. Updates do something else—they make those apps more secure. Hackers will hammer away at apps to find or create vulnerabilities, which can steal personal info or compromise the device itself. Updates will often include security improvements, in addition to performance improvements.
For your computers and laptops:
For your smartphones:
For your smartphone apps:
Often overlooked is the humble browser. Yet if you think about it, the browser is one of the apps we use most often. Particularly on our desktops. It takes us shopping, to shows, the bank, and even work. Hackers realize that, which is why they love targeting browsers. Whether it’s through vulnerabilities in the code that runs the browser, injecting malicious code into a browser session, or any one of several other attack vectors, hackers will try to find a way to compromise computers via the browser.
One of the best ways to keep your browser safe is to keep it updated. By updating your browser, you’ll get the latest in features and functionality in addition to security fixes that can prevent attacks from hackers. It’s a straightforward process, and this article will show you can set your browser to automatically update.
Whether they come by way of an email, text, direct message, or as bogus ads on social media and in search, phishing attacks remain popular with cybercriminals. Across their various forms, the intent remains the same—to steal personal or account information by posing as a well-known company, organization, or even someone the victim knows. And depending on the information that gets stolen, it can result in a drained bank account, a hijacked social media profile, or any number of different identity crimes. What makes some phishing attacks so effective is how some hackers can make the phishing emails and sites they use look like the real thing, so learning how to spot phishing attacks has become a valuable skill nowadays. Additionally, comprehensive online protection software will include web protection that can spot bogus links and sites and warn you away from them, even if they look legit.
Some signs of a phishing attack include:
Email addresses that slightly alter the address of a trusted brand name so it looks close at first glance.
Again, this can take a sharp eye to spot. When you get emails like these, take a moment to scrutinize them and certainly don’t click on any links.
Another way you can fight back against crooks who phish is to report them. Check out ReportFraud.ftc.gov, which shares reports of phishing and other fraud with law enforcement. Taken together with other reports, your information can aid an investigation and help bring charges on a cybercriminal or an organized ring.
Chances are you’re using multi-factor authentication (MFA) on a few of your accounts already, like with your bank or financial institutions. MFA provides an additional layer of protection that makes it much more difficult for a hacker or bad actor to compromise your accounts even if they know your password and username. It’s quite common nowadays, where an online account will ask you to use an email or a text to your smartphone to as part of your logon process. If you have MFA as an option when logging into your accounts, strongly consider using it.
This list can get you started, and you can take even more steps now that you’re rolling. Keep dropping by our blog for more ways you can make yourself safer, such as on social media, your smartphone, in app stores, and more. Visit us any time!
The post See Yourself in Cyber – Five Quick Ways You Can Quickly Get Safer Online appeared first on McAfee Blog.
Like most things in life, online privacy is a 2-way street. As consumers, we expect the companies we deal with online to manage and safeguard our data to a super professional level however we also have a role to play here too. So, this Privacy Awareness Week (PAW), let’s focus on what we can do to ensure our personal information is kept as secure, and private as possible.
There’s nothing like a dedicated ‘week’ to renew our focus and in my opinion, this year’s PAW does just that. This year’s theme is – The Foundation of Trust – we all have a role to play, a great reminder of how it’s up to all of us to ensure we manage online privacy. There’s no doubt that managing our privacy is low on the to-do list for many. And I get it – we’re all strapped for time, and we don’t ever think privacy breaches will affect us. Well, my friends, I’m here to tell you that privacy breaches do happen. Identity theft is a reality of living life online. In fact, in 2020/21, nearly 155,000 Aussies had their identities stolen and they were the cases that were reported. But the good news is that if you take a proactive approach, you can minimise the risk of this ever happening.
Believe it or not, most of your privacy action plan involves small steps that are, I promise, relatively painless. The most important thing here is that you need to commit to doing them. The last thing you want is to spend months dealing with the fallout from having your identity stolen. It’s exhausting, stressful, and absolutely worth avoiding.
Without further ado, here’s your action plan:
Strong and complex passwords are essential to keeping your online information tight. Ideally, a password should have between 8-10 characters and be a combination of letters – both lower and uppercase, numbers and symbols. Each online account should also have its own password too – which is a very overwhelming concept! Consider using a password manager such as McAfee’s TrueKey to help generate and manage passwords.
Ensure all the family checks their social media accounts to ensure they are set to private. This will mean that only their chosen friends can see their private information. Each social media platform will have its own ‘help’ page which provides specific steps on how to do this.
If you are serious about your online privacy, then you need to use public Wi-Fi sparingly. Unsecured public Wi-Fi is a very risky business. Anything you share could easily find its way into the hands of cybercriminals. So, avoid sharing any sensitive or personal information while using public Wi-Fi. If you travel regularly, consider investing in a VPN. A VPN (Virtual Private Network) encrypts your activity which means your login details and other sensitive information is protected. A great insurance policy!
Adding an additional layer of security to protect yourself when accessing your online accounts is another great way of guarding your online privacy. Turn on two-factor authentication for Google, Dropbox, Facebook and whatever other site offers it. For those new to this option, this means that in addition to your password, you will need to provide another form of identification to ensure you are who you say you are. Most commonly, this is a code sent to your mobile phone or generated by a smartphone app.
Most web surfers rely on Google for their searching but why not use a search engine that doesn’t collect and store the information? And there are loads of more ‘privacy focussed’ options to choose from. Check out DuckDuckGo, that doesn’t profile users or track or sell your information to third parties.
Comprehensive security protection software is an easy way to help firm up your online privacy too as it does a great job of keeping malicious software (malware) at bay. Malware can wreak absolute havoc: from installing pop ups to scanning for personal information. And if you’re likely to click dodgy links (we’re all human after all), then this is a no brainer! Super-duper security software will also guard you against viruses and online threats, direct you away from risky websites and dangerous downloads and protect your smartphones and tablets too, it can also back up your files. McAfee’s LiveSafe protection software comes with a 100% guarantee to protect you against viruses.
So, this Privacy Awareness week, please take the time to ensure you are doing all you can to nail your online privacy. And of course, please get your kids involved too. Do your research and find some stories of ‘real life’ people who have had their identity stolen to share around the dinner table because identity theft can absolutely happen to anyone!
Till next time,
Stay Safe!
Alex
The post Are You Playing A Role In Protecting Your Online Privacy? appeared first on McAfee Blog.
We hope you’ve enjoyed Cyber Awareness month. This year’s theme asked us all to do our part to stay safer online. The idea is that if we each take steps to secure our lives online, then together we all contribute to creating a safer, more secure internet. Of course, it’s our job to help you #BeCyberSmart. With that in mind, we’ve pulled together all the safety tips we featured in October. From family security to protecting your latest smart home gadgets, they’re all here and organized by theme. So take a look below and let’s all do our part today, tomorrow, and in the year to come!
10 quick tips for keeping the whole family safe
Online security for senior citizens
A quick list of tips for protecting kids on apps and social networking
How to protect baby’s first digital footprints
Millennials are major targets for identity theft. Check out this quick guide for protecting identity online
Ways for online gamers to #BeCyberSmart.
#Phishing is a common #scam that pops up in emails, DMs, and texts where crooks try and get you to click sketchy links. Learn how to spot them.
Securing your mobile phone.
Protecting your #socialmedia accounts from hacks and attacks.
Keeping the whole family safer
Spotting fake news and misinformation
https://www.mcafee.com/blogs/consumer/spot-fake-news-and-misinformation-in-your-social-media-feed
How to avoid oversharing online.
https://www.mcafee.com/blogs/consumer/family-safety/is-this-tmi
Managing your personal photos online safely.
Interested in starting a podcast? Here are some tips to get you started.
https://www.mcafee.com/blogs/consumer/entertainment-fromhome-how-to-start-your-own-podcast
Check out some tips for keeping your family safe when you hit the road with your phones, tablets, and laptops
Have smart home devices like a doorbell or smart lightbulbs? See how you can enjoy it all safely
Staying safe while banking online
App scams aimed at kids
https://www.mcafee.com/blogs/consumer/family-safety/9-tips-to-help-kids-avoid-popular-app-scams
Take a look at some of the ways you can improve your privacy
Using payment apps safely
Protecting kids from identity theft
Let’s talk online shopping and ways you can score some great deals safely during a time of year when hackers break out some of their oldest (yet effective) tricks
Thanks for celebrating Cyber Awareness month with us this October. More importantly, we hope you’re able to take the tips above and not only make your life safer but also the lives of friends and family as well. After all, we all need to do our part to #BeCyberSmart and protected online.
The post Do your part and #BeCyberSmart with these online safety tips appeared first on McAfee Blog.
When it comes to crime, what do people worry about most? Having their car stolen? A break-in while they’re not at home? Good answers, but not the top answer by a long shot. In this U.S.-based survey, hacker-related crime weighed in at 72%, with a home burglary at 35% and auto theft at 34%, indicating that people’s concerns about cybercrime are very much front and center.
The good news is that plenty of cybercrime can be prevented, or at least made less likely, provided you protect yourself online, much in the same way you take steps to protect your car or home. And that’s the focus of this year’s Cybersecurity Awareness Month. With the theme of “Do Your Part. #BeCyberSmart,” it reminds us of how we can take charge of our own safety—the ways we can look out for ourselves and others as we enjoy our time online.
Throughout October, we’re participating in Cybersecurity Month here on our blogs and across our social media channels, posting a host of ways that you can help keep cybercrooks away from your digital doorstep. Each week, we’ll tackle a different aspect of online protection:
Maybe it comes as no surprise to hear it, yet one recent study shows the average person spends nearly eight hours a day online. With that, we’re taking this week to focus on the family, how they spend their time online and how they can be safer when they do.
Whether they come by email, text, or DM, phishing attacks account for the most common types of reported cybercrime, according to the FBI Internet Crime Complaint Center. This week, we’ll show you how you can indeed fight the phish!
This sentiment sums up the best of the internet in so many ways. Getting out there, discovering, catching up with friends online. Our focus this week is helping you enjoy it all without any of the bad apples out there spoiling your fun.
We wrap it up with a look at some of the top priorities so everyone in the family can #BeCyberSmart—online banking, app scams, privacy, identity theft, and more—along with plenty of straightforward tips that can help you stay safer.
We hope our posts throughout Cybersecurity Awareness Month help you get a little sharper and feel a little safer so you can enjoy your time online, free from hassles or headaches. Look for more from us throughout October!
The post Cybersecurity Awareness Month: Taking Charge of Your Safety Online appeared first on McAfee Blog.
The COVID-19 pandemic flipped the world on its head in so many ways. Offices and schools stood empty while living rooms were transformed into classrooms and workspaces. Misinformation ran rampant and made people unsure of what to believe. Cybercriminals took advantage of the confusion and new way of daily life, giving rise to many COVID-19 scams.
Luckily, when armed with the facts, you can sidestep scams and keep your personal information safe from cybercriminals. Here’s a list of the top 10 COVID-19 scams you should keep an eye on plus tips on how to avoid each and help you navigate the current landscape and the future with confidence.
Finally getting your COVID-19 vaccine is an exciting occasion. Many people’s first reaction to exciting news is to share it with their extended networks on social media. There was a trend going around where people were posting pictures of their vaccination cards. Little did they know, vaccination cards hold a trove of valuable information (name, birth dates, vaccination location, and dates) that can be used to create counterfeit vaccination cards.
Additionally, the information on vaccination cards can be paired together with other details from your social media profile to steal your identity. Consider altering the privacy settings on your social media profiles so it is only visible to people you know. If you’d like additional peace of mind that your identity is safe, McAfee Identity Theft Protection Plus provides up to $1 million in identity theft insurance and restoration assistance.
Some of the false claims about COVID-19 circulating on social media are outrageous, such as 5G aiding the spread of the virus and eating garlic as a preventive measure. Cybercriminals might not have been the origin of false claims, but they certainly benefit from the chaos created by misinformation. They capitalize on commonly held fears by swooping in with cure-alls that swindle money from concerned people.
Be a source of truth for your social media following. The Centers for Disease Control and Prevention, the National Health Service, and the World Health Organization can be trusted for up-to-date resources concerning COVID-19, the vaccine, and how to remain healthy.
To firmly and quickly debunk this myth right now: There are no COVID-19 miracle cures. The best way to protect your and your loved one’s health is to receive a CDC-approved vaccination from a medical institution. Any homemade online treatment claiming to cure the disease is a hoax to steal money. Also, healing potions purchased online could be hazardous to your health, as in the case of one fraudulent operation in Florida. A Florida family sold a bleach solution that swindled $1 million and left many people hospitalized.
For the latest news about COVID-19 treatment, preventive measures, and the vaccine, refer to the CDC or WHO.
Various stimulus check scams were swirling around in early 2021. Scammers impersonating government workers contacted citizens by phone, text, and email asking them to verify personal information or to pay fees to receive their checks.
As with other IRS scams, the best way to avoid them is to know how the IRS typically communicates. The IRS will never ask for private personal information over email or over the phone. Never share your Social Security Number over email or the phone. The IRS only gets in touch with people through postal mail or in person.
A new COVID-19 phishing scam is on the rise: proof of vaccination scam. Cybercriminals are sending phishing emails posing as healthcare institutions asking for urgent confirmation of vaccine status. The emails ask for full names, birth dates, Social Security Numbers, and photos of vaccine cards. This scam is dangerous, not only because it asks for sensitive information, but because the request is a believable one. Employers and various other institutions are on the fence about asking people for their vaccine status, and people are unsure to whom they should divulge this information.
Like with other phishing scams, pay close attention to the message and how it’s written. Does it convey urgency and penalties for ignoring it? Phishing emails often use language that causes readers to panic and give up their information quickly without taking the time to determine if the message is real or not. Also, does the email or text have typos and is it poorly written? Never click on links or respond to suspicious emails. Instead, contact the supposed sender through the phone number or email address listed on their official website.
Video conferencing popularity soared as businesses and schools conducted work and learning online. Cybercriminals capitalized on the surge by forcing their way into video conferencing software and spying on meetings and classrooms.
The key to protecting the privacy of your teleconference calls is to always have the most up-to-date software installed. Software upgrades often include security patches. One way to ensure you always have the latest, most secure version installed is to enable automatic updates. Also, be careful about what you share over teleconference. Just in case a cybercriminal is eavesdropping, never say aloud or instant message your Social Security Number or other sensitive personal information. Finally, follow your workplace’s IT team’s cybersecurity policies and use only your company-issued device for work purposes. Company-issued devices often have additional security protections to keep your personal and company information safe from prying eyes.
Unfortunately, many people lost their jobs during the pandemic. Cybercriminals, aware that people without jobs were likely to jump on an employment opportunity due to economic uncertainty, flooded job boards with fake employment ads and sent fraudulent job offer emails. These job scams turned out to be phishing attempts to extract personal and banking details. In some cases, the scammers asked job seekers to wire money for pre-employment training.
If you receive a job offer, make sure that it is for a company you actually applied to. Even though companies are looking to hire people quickly, a reputable institution likely won’t offer a job without interviewing candidates first. Most interviews are happening online, so request a video conference to make sure that the person on the other end of the line is real and has honest intentions. Research the interviewer on professional networking sites to make sure they are who they say they are.
Similar to job scams, the urgency of the real estate market during the pandemic may make people act more impulsively than they would under normal circumstances. The rental and housing markets have been extremely competitive, which is causing people to put deposits down for residences that weren’t even real. Since home tours were moved online due to social distancing requirements, buyers and renters were OK with making a decision based on pictures.
Real estate scams play up the urgency of acting quickly. In their hurry to claim a real estate gem, homebuyers and renters may overlook the most glaring red flag of real estate scams during the pandemic: not viewing the property in person. Additionally, never share your banking information or wire money to someone you have never met in person or cannot verify the accredited real estate agency for which they work.
When a cybercriminal poses as a legitimate organization, it’s more difficult to determine what information to trust. For example, criminals circulated a scam impersonating the CDC that downloaded malware onto users’ devices.
A great tip to thwart cybercriminals hiding behind the name of a credible organization is to always hover your cursor over links in emails and texts. If a link redirects to a URL that looks suspicious, immediately delete the message. A suspicious URL could contain a typo, a variant spelling of the organization its impersonating, or be a string of jumbled letters and numbers. Emails that claim to be from official organizations will often have the organization’s logo somewhere on the message. Check the clarity of the logo and compare it to the organization’s official site. If the logo is blurry or the coloring seems off, that’s a sign that the message is fake.
COVID-19 led to a boom in e-commerce. Shopping that was normally conducted in person moved online, and a pile of packages on the front stoop was a common occurrence. There was a fake delivery notice scam where cybercriminals posed as UPS and Amazon to phish for personal details in order to release a hold on deliveries.
One final phishing avoidance tip is: Consider what the message is asking. Has UPS ever asked for your Social Security Number before? If they had it, what would they use it for? And there’s no reason for Amazon to have your banking information. Don’t let the urgency of the scammer’s message stress you out. A quick phone call with the delivery service in question should solve the problem.
The post Top 10 COVID-19 Scams: How to Stay Protected appeared first on McAfee Blog.
October is Cybersecurity Awareness Month, which is led by the U.S. government’s Cybersecurity and Infrastructure Security Agency (CISA) in conjunction with the National Cyber Security Alliance (NCSA)—a national non-profit focused on cybersecurity education & awareness. McAfee is pleased to announce that we’re a proud participant.
Imagine it’s 20 years ago and someone at a dinner party predicts that one day you could pop down to the appliance store and buy an internet-connected fridge. Your year 2000 self might have shook that off and then then asked, “Why would someone ever do that?”
Yet here we are.
Today, so much is getting connected. Our appliances, security systems, and even our coffeemakers too. So far this month, we’ve talked about protecting these connected things and securing these new digital frontiers as Internet of Things (IoT) devices transform not only our homes, but businesses and communities as well.
To wrap up Cybersecurity Awareness Month, let’s take a look ahead at how the next wave of connected devices could take shape by taking a look at the network that billions of them will find themselves on: 5G networks.
You’ve no doubt seen plenty of commercials from the big mobile carriers as they tout the rollout of their new, more powerful 5G networks. And more powerful they are. For starters, 5G is expected to operate roughly 10 times faster than the 4G LTE networks many of us enjoy now—with the potential to get yet faster than that over time.
While mention of faster speeds continues to be the top selling point in ads and the like, 5G offers another pair of big benefits: greater bandwidth and lower latency. Taken together, that means 5G networks can host more devices than before and with a near-instantaneous response time.
The implication of these advances is that billions and billions of new devices will connect to mobile networks directly, at terrific speeds, rather than to Wi-Fi networks. Of those, many billions will be IoT devices. And that means more than just phones.
What will those devices look like?
One answer is plenty more of what we’re already starting to see today—such as commercial and industrial devices that track fleet vehicles, open locks on tractor trailer deliveries based on location, monitor heating and air conditioning systems, oversee supply chains. We’ll also see more devices that manage traffic, meter utilities, and connect devices used in healthcare, energy, and agriculture. That’s in addition to the ones we’ll own ourselves, like wearables and even IoT tech in our cars.
All together, we’ll add about 15 billion new IoT devices to the 26 billion IoT devices already in play today for a total of an expected 41 billion IoT devices in 2025.
Citing those examples of IoT applications underscores the critical need for safety and security in the new 5G networks. This is a network we will count on in numerous ways. Businesses will trust their operations to the IoT devices that operate on it. Cities will run their infrastructure on 5G IoT devices. And we, as people, will use 5G networks for everything from entertainment to healthcare. Not only will IoT devices themselves need protection, yet the networks will need to be hardened for protection as well. And you can be certain that increased network security, and security in general, is a part of our future forecast.
The GSMA, an industry group representing more than 750 operators in the mobile space, calls out the inherent need for security for 5G networks in their 5G Reference Guide for Operators. In their words, “New threats will be developed as attackers are provided live service environment to develop their techniques. 5G is the first generation that recognizes this threat and has security at its foundation.” When you consider the multitude of devices and the multitude of applications that will find their way onto 5G, a “square one” emphasis on security makes absolute sense. It’s a must.
While standards and architectures are taking shape and in their first stages of implementation, we can expect operators to put even more stringent defenses in place, like improved encryption, ways of authenticating devices to ensure they’re not malicious, creating secure “slices” of the network, and more, which can all improve security.
Another consideration for security beyond the oncoming flood of emerging devices and services that’ll find their way onto 5G networks is the sheer volume of traffic and data they’ll generate. One estimate puts that figure of 5G traffic at 79.4 zettabytes (ZB) of data in 2025. (What’s a zettabyte? Imagine a 10 followed by 21 zeroes.) This will call for an evolution in security that makes further use of machine learning and AI to curb a similarly increased volume of threats—with technologies much like you see in our McAfee security products today.
“Siri/Alexa/Cortana/Google, play Neko Case I Wish I Was the Moon.”
We’ve all gotten increasingly comfy with the idea of connected devices in our homes, like our smart assistants. Just in 2018, Juniper Research estimated that there’d be some 8 billion digital voice assistants globally by 2023, thanks in large part to things like smart TVs and other devices for the home. Expect to see more IoT devices like those available for use in and around your house.
What shape and form might they take? Aside from the voice-activated variety, plenty of IoT devices will help us automate our homes more and more. For example, you might have smart sensors in your garden that can tell when your tomatoes are thirsty and activate your soaker hoses for a drink—or other smart sensors placed near your water heater that will text you when they detect a leak.
Beyond that, we’re already purchasing connected lights and smart thermostats, yet how about connecting these things all together to create presets for your home? Imagine a setting called “Movie Night,” where just a simple voice command draws the shades, lowers the lights, turns on the gas fireplace, and fires up the popcorn maker. All you need to do is get your slippers.
Next, add in a degree of household AI, which can learn your preferences and habits. Aspects of your home may run themselves and predict things for you, like the fact that you like your coffee piping hot at 5:30am on Tuesdays. Your connected coffeemaker will have it ready for you.
These scenarios were once purely of the George Jetson variety (remember him?), yet more and more people will get to indulge in these comforts and conveniences as the technology becomes more pervasive and affordable.
One point of consideration with any emerging technology like the IoT on 5G is access.
This year drove home a hard reality: access to high-speed internet, whether via mobile device or a home network is no longer a luxury. It’s a utility. Like running water. We need it to work. We need it to study. We need it to bank, shop, and simply get things done.
Yet people in underserved and rural communities in the U.S. still have no access to broadband internet in their homes. Nearly 6 in 10 of U.S. parents with lower incomes say their child may face digital obstacles in schoolwork because of reduced access to devices and quality internet service. And I’ve heard anecdotes from educators about kids taking classes online who have to pull into their school’s parking lot to get proper Wi-Fi, simply because they don’t have a quality connection at home.
The point is this: as these IoT innovations continue to knit their way into our lives and the way the world works, we can’t forget that there’s still a digital divide that will take years of effort, investment, and development before that gap gets closed. And I see us closing that gap in partnership, as people and communities, businesses and governments, all stand to benefit when access to technology increases.
So as we look to the future, my hope is that we all come to see high-speed internet connections for what they are—an absolute essential—and take the steps needed to deliver on it. That’s an advance I’d truly embrace.
To stay updated on all things McAfee and for more resources on staying secure from home, follow @McAfee_Home on Twitter, listen to our podcast Hackable?, and ‘Like’ us on Facebook.
The post 5G and the IoT: A Look Ahead at What’s Next for Your Home and Community appeared first on McAfee Blogs.
These days, work and home mean practically the same thing. Our house is now an office space or a classroom, so that means a lot of our day-to-day happens online. We check emails, attend virtual meetings, help our children distance learn, use social media platforms to check in on our friends and family – our entire lives are digital! This increase in connectivity could mean more exposure to threats – but it doesn’t have to. That’s why this National Cybersecurity Awareness Month (NCSAM) you should learn what it means to be cyber smart.
In our third blog for this NCSAM this year, we examine what that entails. Let’s dive in.
Stay Secure While Working Remote
According to Stanford research, almost twice as many employees work from home than at the office in the U.S. in response to the COVID-19 pandemic. And this new work-from-home economy is probably only going to expand in the future. Your pets and children will continue to make surprise guest appearances on work calls, or you may continue your new job hunt from the kitchen table. But as you work on juggling your work life and personal life at home base, this doesn’t mean that you should have to juggle security threats too.
The new WFH landscape has also brought about increased risk from . Unlike corporate offices – which usually have IT staff responsible for making any necessary network security updates and patches – users’ home network security is in their own hands. This means users must ensure that their Wi-Fi connections are private and locked with a complex password or employ the help of a VPN to prevent hackers from infiltrating your work.
Be Cybersmart While Distance Learning
Work isn’t the only element of consumers’ lives that’s recently changed – school is also being conducted out of many students’ homes as they adapt to distance learning. As a result, parents are now both professionals and teachers, coaching students through new online learning obstacles. But as more students continue their curriculum from home and online activity increases, so does the possibility of exposure to inappropriate content or other threats.
For instance, the transition to distance learning has led to an increase in online students to lose valuable time meant to be spent on their education.
To help ensure that learning from home goes as smoothly as possible, parents must stay updated on the threats that could be lurking around the corner of their children’s online classrooms. Take the time to secure all the devices that power your kids’ learning with a comprehensive security solution.
Of course, everyone needs to find a balance between work, school, and play! These days, that means scavenging the internet for new content to help keep entertained at home. In fact, according to Nielson, there was an 85% increase in American streaming rates in the first three weeks of March this year compared to March 2019 reports. However, causing users to turn to other less secure alternatives such as illegal downloads and links to “free” content riddled with malware. This could open consumers up to a whole host of threats.
Users looking to stream the latest TV show or movie should be cautious and only access entertainment content directly from a reliable source. The safest thing to do is to subscribe to a streaming site that offers the content or download the movie from credible websites, instead of downloading a “free” version from a website that could contain malware.
We all need to be cybersmart and aware of the threats that come with our lifestyle changes. By following these pointers, you can block threats from impacting your new day-to-day and ensure security is one less thing to worry about. When looking ahead to the future, incorporate the aforementioned pointers into your digital life so that you are prepared to take on whatever the evolving security landscape brings – now that’s being cybersmart!
Stay Updated
To stay updated on all things McAfee and on top of the latest consumer and mobile security threats, look out for our other National Cybersecurity Awareness Month blogs, follow @McAfee_Home on Twitter, listen to our podcast Hackable?, and ‘Like’ us on Facebook.
The post Stay Connected and Protected During Work, School, and Play appeared first on McAfee Blogs.
October is Cybersecurity Awareness Month, which is led by the U.S. government’s Cybersecurity and Infrastructure Security Agency (CISA) in conjunction with the National Cyber Security Alliance (NCSA)—a national non-profit focused on cybersecurity education & awareness. McAfee is pleased to announce that we’re a proud participant.
We live in a day and age when even lightbulbs can be hacked.
Perhaps you’ve caught the stories in the news: various devices like home cameras, smart appliances, and other Internet of Things (IoT) devices falling prey to hackers and attacks, such as when the Mirai botnet took out large swathes of the internet in 2016. As posted by Statista, estimates project that the world will have nearly 40 billion IoT devices in the next five years and upwards of 50 billion by 2030. That’s in homes and businesses alike, ranging anywhere from digital assistants, smart watches, medical devices, thermostats, vehicle fleet management devices, smart locks, and yes, even the humble lightbulb—and like our computers, laptops, smartphones, and tablets, they all need to be protected.
The reason is simple: your network is only as safe as the weakest device that’s on it. And we’re putting so much more on our networks than ever before. In effect, that means our homes have more targets for hackers than ever before as well. In the hands of a dedicated crook, one poorly protected device can open the door to your entire network—much like a thief stealing a bike by prying open the weak link in a chain lock. Therefore, so goes the saying, “If You Connect It, Protect It.”
What’s challenging is that our IoT devices don’t always lend themselves to the same sort of protections like our computers, laptops, and phones do. For example, you can’t actually install security software directly on them. However, there are things you can do to protect those devices, and the network they’re on too.
Just because that new smart device that’s caught your eye can connect to the internet doesn’t mean that it’s secure. Before you purchase, read up on reviews and comments from other customers. Look for news articles about the device manufacturer too. The fact of the matter is that some IoT device manufacturers are much better at baking security protocols into their devices than others, so look into their track record to see if you can uncover any issues with their products or security practices. Information such as this can help you make an even more informed choice.
One issue with many IoT devices is that they often come with a default username and password. This could mean that your device, and thousands of others just like it, all share the same credentials, which makes it painfully easy for a hacker to gain access to them as those default usernames and passwords are often published online.
When you purchase an IoT device, set a fresh password using a strong method of password creation. And keep those passwords safe. Instead of keeping them on a notebook or on sticky notes, consider using a password manager. It acts as a database for all your passwords and stores new codes as you create them. As always, don’t store them in an unprotected file on your computer, which can be subject to a hack or data loss.
Our banks, many of the online shopping sites we use, and numerous other accounts use two-factor authentication to make sure that we’re logging in we really are who we say we are. In short, a username and password combo is an example of one-factor authentication. The second factor in the mix is something you, and only you, own, like your mobile phone. Thus when you log in and get a prompt to enter a security code that’s sent to your mobile phone, you’re taking advantage of two-factor authentication. If your IoT device supports two-factor authentication as part of the login procedure, put it to use and get that extra layer of security.
Your router acts as the internet’s gateway into your home. From there, it works as a hub that connects all of your devices—computers, tablets, and phones, along with your IoT devices as well. That means it’s vital to keep your router secure. A quick word about routers: you typically access them via a browser window and a specific address that’s usually printed somewhere on your router. If you’re renting your router or you’ve purchased it through your internet provider, they should have help documentation that can guide you through this the process. Likewise, if you purchased your own, your manual should provide the guidance you need.
As we mentioned above, the first thing to do is change the default password and name of your router if you haven’t done so already. Again, use a strong method of password creation. Also, change the name of your router. When you choose a new one, go with name that doesn’t give away your address or identity. Something unique and even fun like “Pizza Lovers” or “The Internet Warehouse” are options that mask your identity and are memorable for you too. While you’re making that change, you can also check that your router is using an encryption method, like WPA2, which will keep your signal secure. If you’re unsure, reach out to your internet provider or check the documentation that came with your router.
Just as you can offer your guests secure access that’s separate from your own devices, creating an additional network on your router allows you to keep your computers and smartphones separate from IoT devices. This way, if an IoT device is compromised, a hacker will still have difficulty accessing your other devices, like computers and smartphones, along with the data and info that you have stored on them. You may also want to consider investing in an advanced internet router that has built-in protection and can secure and monitor any device that connects to your network.
Another line of defense that can hamper hackers is using a VPN, which allows you to send and receive data while encrypting your information so others can’t read it. When your data traffic is scrambled that way, it’s shielded from prying eyes, which helps protect your network and the devices you have connected to it.
As with our computers, laptops, phones, tablets, and apps, make sure you have the latest software updates for your IoT devices. The reasons here are the same: one, they’ll make sure you’re getting the latest functionality from your device; and two, updates often contain security upgrades. If there’s a setting that lets you receive automatic updates, enable it so that you always have the latest.
You’ve probably seen that you can control a lot of your connected things with your smartphone. We’re using them to set the temperature, turn our lights on and off, and even see who’s at the front door. With that, it seems like we can add the label “universal remote control” our smartphones—so protecting our phones has become yet more important. Whether you’re an Android owner or iOS owner, get security software installed on your phone so you can protect all the things it accesses and controls—in addition to you and the phone as well.
And of course, let’s not forget our computers and laptops. While we’ve been primarily talking about IoT devices here, it’s a good reminder that computers and laptops need protection too. Using a strong suite of security software like McAfee® Total Protection, can help defend your entire family from the latest threats and malware, make it safer to browse, and look out for your privacy too.
We’re connecting our homes and ourselves with IoT devices at an tremendous rate—now at an average of 10 connected devices in our homes in the U.S. Gone by are the days when all we had was a computer or phone or two to look after. Now, even when we’re not in front of a laptop or have a smartphone in our hand, we’re still online, nearly all the time. Take this week to make sure that what you’ve connected is protected. Even that little lightbulb.
To stay updated on all things McAfee and for more resources on staying secure from home, follow @McAfee_Home on Twitter, listen to our podcast Hackable?, and ‘Like’ us on Facebook.
The post Cybersecurity Awareness Month: If You Connect It, Protect It appeared first on McAfee Blogs.
October is Cybersecurity Awareness Month, which is led by the National Cyber Security Alliance (NCSA)—a national non-profit focused on cybersecurity education & awareness in conjunction with the U.S. government’s Cybersecurity and Infrastructure Security Agency (CISA). McAfee is pleased to announce that we’re a proud participant.
If there’s ever a year to observe Cybersecurity Awareness Month, this is it.
As millions worked, schooled, and simply entertained themselves at home (and continue to do so) this year, internet usage increased by up to 70%. Not surprisingly, cybercriminals followed. Looking at our threat dashboard statistics for the year so far, you’ll see:
And that doesn’t account for the millions of other online scams, ransomware, malicious sites, and malware out there in general—of which COVID-19-themed attacks are just a small percentage.
With such a high reliance on the internet right now, 2020 is an excellent year to observe Cybersecurity Awareness Month, along with its focus on what we can do collectively to stay safer together in light of today’s threats.
Unified under the hashtag #BeCyberSmart, Cybersecurity Awareness Month calls on individuals and organizations alike to take charge of protecting their slice of cyberspace. The aim, above making ourselves safer, is to make everyone safer by having us do our part to make the internet safer for all. In the words of the organizers, “If everyone does their part – implementing stronger security practices, raising community awareness, educating vulnerable audiences or training employees, our interconnected world will be safer and more resilient for everyone.”
Throughout October, we’re participating as well. Here in our blogs and across our broad and ongoing efforts to boost everyone’s awareness and expertise in cybersecurity and simply staying safe online, we’ll be supporting one key theme each week:
If you’ve kept up with our blogs, this is a theme you’ll know well. The idea behind “If you connect it, protect it” is that the line between our lives online and offline gets blurrier every day. For starters, the average person worldwide spends nearly 7 hours a day online thanks in large part to mobile devices and the time we spend actively connected on our computers. However, we’re also connecting our homes with Internet of Things (IoT) devices—all for an average of 10 connected devices in our homes in the U.S. So even when we don’t have a device in our hand, we’re still connected.
With this increasing number of connections comes an increasing number of opportunities—and challenges. During this weel, we’ll take a look at how internet-connected devices have impacted our lives and how you can take steps that reduce your risk.
As we shared at the open of this article, this year saw a major disruption in the way we work, learn, and socialize online. There’s no question that our reliance on the internet, a safe internet, is greater than before. And that calls for a fresh look at the way people and businesses look at security.
This week of Cybersecurity Awareness Month will focus on steps users and organizations can take to protect internet connected devices for both personal and professional use, all in light of a whole new set of potential vulnerabilities that are taking root.
Earlier this year, one of our articles on telemedicine reported that 39% of North Americans and Europeans consulted a doctor or health care provider online for the first time in 2020. stand as just one example of the many ways that the healthcare industry has embraced connected care. Another noteworthy example comes in the form of internet-connected medical devices, which are found inside care facilities and even worn by patients as they go about their day.
As this trend in medicine has introduced numerous benefits, such as digital health records, patient wellness apps, and more timely care, it’s also exposed the industry to vulnerabilities that cyber criminals regularly attempt to exploit. Here we’ll explore this topic and share what steps both can take do their part and #BeCyberSmart.
The growing trend of homeowners and businesses alike connecting all manner of things across the Internet of Things (IoT) continues. In our homes, we have smart assistants, smart security systems, smart door locks, and numerous other home IoT devices that all need to be protected. Businesses manage their fleets, optimize their supply chain, and run their HVAC systems with IoT devices, which also beg protection too as hackers employ new avenues of attack, such as GPS spoofing. And these are just a fraction of the applications that we can mention as the world races toward a predicted 50 billion IoT devices by 2030.
As part of Cybersecurity Awareness Month, we’ll look at the future of connected devices and how both people and businesses can protect themselves, their operations, and others.
As Cybersecurity Awareness Month ramps up, it presents an opportunity for each of us to take a look at our habits and to get a refresher on things we can do right now to keep ourselves, and our internet, a safer place. This brief list should give you a great start, along with a catalog of articles on identity theft, family safety, mobile & IoT security, and our regularly updated consumer threat notices.
Given the dozens of accounts you need to protect—from your social media accounts to your financial accounts—coming up with strong passwords can take both time and effort. Rather than keeping them on scraps of paper or in a notebook (and absolutely not on an unprotected file on your computer), consider using a password manager. It acts as a database for all your passwords and stores new codes as you create them. With just a single password, you can access all the tools your password manager offers.
Phishing scams like these are an old standard. If you receive an email or text from an unknown person or party that asks you to download software, share personal information, or take some kind of action, don’t click on anything. This will steer you clear of any scams or malicious content.
However, more sophisticated phishing attacks can look like they’re actually coming from a legitimate organization. Instead of clicking on a link within the email or text, it’s best to go straight to the organization’s website or contact customer service. Also, you can hover over the link and get a link preview. If the URL looks suspicious, delete the message and move on.
Avoid hackers infiltrating your network by using a VPN, which allows you to send and receive data while encrypting – or scrambling – your information so others can’t read it. By helping to protect your network, VPNs also prevent hackers from accessing other devices (work or personal) connected to your Wi-Fi.
In addition, use a robust security software like McAfee® Total Protection, which helps to defend your entire family from the latest threats and malware while providing safe web browsing.
At a time where data breaches occur and our identity is at risk of being stolen, checking your credit is a habit to get into. Aside from checking your existing accounts for false charges, checking your credit can spot if a fraudulent account has been opened in your name.
It’s a relatively straightforward process. In the U.S., the Fair Credit Reporting Act (FCRA) requires credit reporting agencies to provide you with a free credit check at least once every 12 months. Get your free credit report here from the U.S. Federal Trade Commission (FTC). Other nations provide similar services, such as the free credit reports for UK customers.
To track malicious pandemic-related campaigns, McAfee Advanced Programs Group (APG) has published a COVID-19 Threat Dashboard, which includes top threats leveraging the pandemic, most targeted verticals and countries, and most utilized threat types and volume over time. The dashboard is updated daily at 4pm ET.
To stay updated on all things McAfee and for more resources on staying secure from home, follow @McAfee_Home on Twitter, listen to our podcast Hackable?, and ‘Like’ us on Facebook.
The post Cybersecurity Awareness Month Helps Us All be #BeCyberSmart appeared first on McAfee Blogs.
Introduction Building and maintaining a brand is an important part of a successful business. Having a recognized brand confers recognition, and if done well, provides a way of developing trust between customers and company. Brand trust and loyalty go hand-in-hand. Research has shown that 80% of US customers look at the trustworthiness of a brand […]
The post Brand impersonation attacks targeting SMB organizations appeared first on Infosec Resources.
Multi-factor authentication (MFA) is one of the most popular authentication security solutions available to organizations today. It really comes as no surprise, as the multi-factor authentication benefits of enhanced security go beyond the basic password security measures by forcing the user to authenticate with another method that (presumably) only the legitimate user has access to. […]
The post How to avoid getting locked out of your own account with multi-factor authentication appeared first on Infosec Resources.
Introduction Confidentiality is a fundamental information security principle. According to ISO 27001, it is defined as ensuring that information is not made available or disclosed to unauthorized individuals, entities or processes. There are several security controls designed specifically to enforce confidentiality requirements, but one of the oldest and best known is the use of passwords. […]
The post How to find weak passwords in your organization’s Active Directory appeared first on Infosec Resources.
Introduction CAPTCHA seems to be everywhere we look. These sloppy characters are on blogs, ticket websites, shopping portals — you name it. Those cars you need to spot in a block of images before you can access a website? That’s CAPTCHA too. CAPTCHA was invented to help sites distinguish human users from bots and automated […]
The post How hackers use CAPTCHA to evade automated detection appeared first on Infosec Resources.
Working from home? How do you keep your employees cyber-safe and cyber-secure? How do you protect your reputation, profit, and cash flow when you depend on your IT infrastructure as never before?
The National Cyber Security Alliance is hosting a series of webinars for small business owners, and we’re proud to support this effort with guest speakers to share our threat intelligence and security expertise.
The topics will help small companies deal with the challenges of COVID-19. The agenda is at https://staysafeonline.org/event_category/cybersecure-my-business/.
Here’s a quick overview of each session and why it might benefit your organization to tune in.
Telework Cybersecurity Best Practices – April 7: Many small business owners rely on face-to-face meetings with their teams. But, social distancing and work-from-home directives interrupt that way of doing things. In this session, we’ll discuss how to adjust your business to deal with a remote workforce. For some managers, not seeing every member of the team can be unsettling. We’ll talk about ways to overcome that barrier. For many organizations, using remote tools can put an extra burden on your IT gear and staff. We’ll talk about alternatives to lighten that load. And for most organizations, the new way of working can expose new and different information security vulnerabilities. We’ll offer some good practices to reduce your exposure.
Guest speakers from Trend Micro will be Greg Young and Ed Cabrera.
Spring has Sprung! Time for a Digital Spring Cleaning – April 14: One way to cut down on IT resource use is to get rid of unnecessary stuff. This webcast will suggest tactics to reduce the burden on your infrastructure. You will learn about cleaning up your storage, getting off unnecessary email lists, improving your – and your customers’ – privacy, and lowering your attack profile by getting rid of stale applications and services.
E-Commerce Security During COVID-19 – April 21, 2020: Businesses that rely on foot traffic are pivoting to on-line offerings. Restaurants support demand with delivery or curbside pick-up, which both put a strain on your IT resources. Unfortunately, the bad guys are exploiting weaknesses in on-line ordering and payment systems. We’ll talk about measures small businesses should consider to protect their reputation, cash flow, and profits during this transition.
Guest speakers from Trend Micro will be myself and Mitchel Chang.
How to Avoid COVID-19 Scams – May 5, 2020: Bad guys are trying to make money off Covid-19 worries. In this session, Lesley Fair, a Senior Attorney with the Bureau of Consumer Protection at the Federal Trade Commission talks about different kinds of scams and what to do about them, hopefully before anyone gets conned, and what steps you can take if you think you might have gotten stung. Ths session will be repeated on May 26.
Guest speakers from Trend Micro will be myself and Jon Clay.
What Are Phishing, Vishing and Smishing? How Can I Protect My Small Business From These Threats? – May 12, 2020: This session will discuss attacks that can arrive through email, messages, and video chats. Small businesses are targets as well as big firms and the public at large – the bad guys are going anywhere they can to make a (dishonest) buck. You’ll help your employees and customers protect themselves with some good advice, practices, and tools.
Mitchel Chang will be a guest panelist.
How to Avoid COVID-19 Scams – May 26, 2020: A second session of the May 5 discussion. This time Jon Clay and Myla Pilao will be guest speakers from Trend Micro.
Telework Cybersecurity Best Practices – June 9, 2020: A second session of the April 7 event. Greg and Ed will give a repeat performance attendees.
Each session starts at 2:00 PM Eastern time. NCSA will record each session, but you should register to listen in and ask questions live. While the information is tuned to meet the needs of small businesses, individuals at larger organizations, and the general public, will find good ideas and helpful hints an tips to stay safe and cope with this challenging time. We hope to see you soon.
What do you think? Let me know in the comments below or @WilliamMalikTM
The post NCSA Small Business Webinar Series appeared first on .
FreshRSS 