Cybersecurity 101: We Have Met the Enemy, and It Is Our Own Behavior

Anything you write, photograph, or post can become public.
Your personal information is not private.
Everything on the Internet can live forever.

They’re supposed to connect us and provide useful services to improve our lives, but phones, smart devices, and social media are all too often used to scam, rob, stalk, and otherwise victimize us. In today’s uber-connected world, how can we feel safe without going off the grid and moving to a hut in the Himalayas (where we have to worry about avalanches and dying of exposure)?

We sat down with some cybersecurity experts at The College of Saint Rose to understand what risks we face every day, how hackers operate, and what we can do to protect ourselves and people we care about. We’ll explore various cybersecurity topics in a series of posts. Welcome to Part 1: how our own behavior puts us at risk.

The cybersecurity experts
Zumrut Akcam, Ph.D., assistant professor of computer science
Kimberly Cornell, Ph.D., assistant professor of computer science
Mark Gilder, Ph.D., assistant professor of computer science
Ian MacDonald, Ph.D., professor of computer science, dean of the School of Mathematics and Sciences

What is our biggest cybersecurity risk?
MacDonald: The No. 1 issue in cybersecurity is human behavior. The causes of most company breaches or loss can be traced to employees, current or former. There are industrial psychologists starting consultancies specifically to deal with the human element. The challenge is trying to understand and predict behaviors before they become action.

Disgruntled employees who sabotage systems?
Cornell: Yes, or people making innocent mistakes. Someone will pop a flash drive they’ve found into their computer, just to be helpful and find out who it belongs to. There could easily be a virus on there.
Gilder: If I were to put malware on a 100 USB drives and drop these drives in a parking lot, all I need is one person to plug the drive in to see what’s on there, and I’ve potentially infected the whole organization’s system.

That sounds a little like a phishing scheme.
MacDonald: Phishing is the No. 1 attack mechanism used to victimize people and businesses.

For example, I could go to a school’s website and get a list of all the faculty emails. Then I can pretend to be a student and email all the professors with a message saying “Click here to view my homework assignment,” which is of course something malicious.

It doesn’t matter how ridiculous the email looks – someone will click on it.

It sounds a little like those old email and phone scams, where someone would try to get you to provide your bank account for a wire transfer. Is it true that phishing attempts can be obvious?
Cornell: Many times, there will be spelling errors in the message. Or people will try to make a message look “official,” with lots of different colors and things going on.
Gilder: Many people don’t realize that by downloading an attachment like a Word or Excel document, there is a potential side effect that may be initiated, like running an embedded program or generating a web request somewhere very dangerous.

What are other warning signs of phishing?
Cornell: Be suspicious anytime you’re asked to provide personal information.
MacDonald: No bank, institution, or company will ever send you an email that says, “Click here to update your personal credentials.” You might go to a company’s website and request to reset your password, which might send you an email with a link you’re expecting. But you should never be solicited to “Click here to update your password,” or “Click here to confirm your Social Security number.”

If you’re suspicious of an email, what can you do?
Gilder: Phishing emails typically contain a link that looks like it was designed by the company that supposedly sent the message.
If you hover over the link, you’ll see the URL. One thing that will give it away will be that the URL will be extremely long and cryptic, and you probably won’t even see the initiator’s name in it.
Cornell: Check the sender. Even if the name makes it sound like it’s from someone you know, look at the address. If it says it’s from the school, it may not end in .edu, or there may be some special characters, or it may not be the person you usually hear from. However, be aware that people can also spoof other people’s emails.
Gilder: Don’t set email to automatically download images. If you’re getting images downloaded, that’s going out and contacting a website – which can trigger events. Have your email set up to display only raw text (just getting a preview screen is typically pretty safe).
MacDonald: Also, use common sense and verify offline. If I told you I’m sending you a document this afternoon, you’ll know to expect it. You can ask me if the document you just received is what I sent over. Don’t blindly trust and click on something you’re not reasonably sure about.

Can any old bozo set up a phishing scheme?
MacDonald: It’s surprisingly easy to create your own phishing scheme. You don’t need a lot of resources or even technology. People download toolkits from the dark web to create their own viruses, malware, phishing schemes.

What about weird phone calls?
Cornell: Cybersecurity also goes into social engineering, which has to do with human interaction. You may get a phone call from someone very personable, who apologizes for bothering you – but is also somehow trying to get information from you. They might be trying to figure out default passwords for school sites, or asking you to update your Social Security information.

Another tactic is leaving messages, like “Your account will be shut down if you do not log on,” or “You haven’t paid your taxes and can be prosecuted by the IRS.” If you receive threatening or bullying calls, or calls saying you have to do something within a given timeframe, they’re not legitimate. The IRS isn’t going to send you messages or emails with threats. They have other ways to contact you.
If in doubt, hang up and call back.

You can always screen your calls. Let them go to voicemail.

When in doubt, look it up. Do a search for the number a call came from. Have any complaints been reported for that number?

We keep hearing, “Use common sense.” But it’s not always obvious what “common sense” is.
Gilder: Sometimes the problem is that we’re so busy doing our work, we’ll get an email and click automatically. You have to make sure you’re focused, taking things seriously. Remember: The bad guys are waiting for just one slip-up.
Cornell: People often do things to be helpful or for their own convenience, like propping open doors that should be locked.

I remember seeing a student on the phone with her bank. She was asking them to give her full account information, and she was repeating everything back to them, out loud. On speaker phone. In a crowded hallway.

Are our sloppy habits to blame?
Cornell: One common problem is having answers to security questions that someone could find out from our social media, like your mother’s maiden name, a favorite color. There’s all sorts of information that someone could find out about you. Change your security questions. Make sure they don’t have answers that someone can find on social media.
Gilder: Don’t use the same passwords across sites. This may sound difficult to manage, but there are several password generator/managers that you can use (check out reviews of “best password managers” by reputable publications, such as Consumer Reports, PCMag, or CNET). It’s also possible to come up with your own scheme that uses a fixed portion with a variable portion based on the site name. Make sure to always embed numeric and punctuation characters in your password. This makes it much more difficult to perform brute-force attacks.
Cornell: When coming up with your passwords, don’t use words, which can fall victim to dictionary attacks or guessing attacks. You can use mnemonics. You can pick a theme like a TV show you like, a letter in a character’s name, combine it with a number that’s important to you, and so forth.
All: Change your passwords often.

Top takeaways:
If in doubt, don’t click on it. You don’t know where that USB drive has been. Don’t put it in your computer. Make your passwords difficult to crack, and change them often.

Coming soon:
Part 2: Some simple security measures you can take to prevent attacks and protect yourself.