
Contrast Security champions Cybersecurity Awareness Month


Another year has passed, and once again Contrast is proud to be a Champion for Cybersecurity Awareness Month throughout October, to help in promoting global awareness of online safety and privacy. Co-led by the National Cyber Security Alliance and the Cybersecurity and Infrastructure Security Agency (CISA) of the U.S. Department of Homeland Security, this annual campaign is a global effort between businesses, government agencies, colleges and universities, associations, nonprofit organizations, and individuals and is designed to raise awareness and help everyone stay safe online.

Cybersecurity has become one of the biggest hot topics both inside and outside of technology circles over the last two years. From securing learning devices due to a rise in digital learning during the COVID-19 pandemic to coping with the fallout of high-profile breaches of national infrastructure such as the Colonial Pipeline attack, there is a seemingly endless news cycle dedicated to cybersecurity mishaps and concerns.

With this onslaught of negative news, it can be easy for individuals to feel overwhelmed and powerless in the face of what can seem like insurmountable cyber threats. In actuality, nothing could be further from the truth.

Why security matters more than ever right now

Even security professionals can become complacent when it comes to practicing good online hygiene and maintaining security best practices every day. It is important to remember why these sorts of standards matter when it comes to protecting both yourself and your place of work from exploitation.

With all of the jargon that is typically thrown around in relation to cybersecurity, there is a long-standing misperception that cybersecurity is beyond everyday people and should be left to the professionals. Moreover, there is a prevailing sense among the public that breaches are simply a fact of life and that we should learn to live with them. This just isn't true. Everyone has a role to play in cybersecurity threat prevention, detection and remediation, regardless of their level of technical expertise. Every technology user is part of the first line of defense against cybercrime. Unfortunately, many people aren't familiar with the basic practices that make the biggest difference, or with how easy they are to adopt.

Reviewing the cyber basics

Luckily, there are several steps that we all can take on a daily basis to mitigate risks and stay one step ahead of malefactors. Here are a few quick tips:

Enable multifactor authentication (MFA)

Microsoft reported in 2020 that more than 99.9% of the compromised accounts it investigates were not using MFA. MFA adds a second check that verifies your identity when you log in, so even if an attacker has phished, guessed or cracked your password, the password alone is not enough to get in. That is what makes MFA so effective against credential stuffing and password-cracking tools. If MFA is available, enable it: having it is always better than not. Where you have a choice of factor, prefer an authenticator app or a hardware security key (FIDO2/WebAuthn) over SMS codes, which can be intercepted or redirected through SIM swapping.

You might be wondering about the 2022 breaches at Uber, Okta, Twilio and others, in which attackers got around MFA: in some cases by bombarding a user with push prompts until one was approved, in others by phishing the one-time code along with the password and relaying it to the real site within the code's short validity window. Those attacks target the weakest forms of MFA and the person behind them; phishing-resistant factors such as FIDO2 security keys are not susceptible to either technique. These incidents are the exception rather than the rule, and MFA remains a critical extra layer of authentication on your accounts.
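To make the "second check" concrete, here is an added example, written for this article and not code from the original post, that implements and verifies a TOTP authenticator code per RFC 6238 (which builds on HOTP, RFC 4226). The shared secret and time values are the RFC's published test vector, not any real account's secret. The last function models the relay trick mentioned above: a code captured by a phishing page is only useful if it reaches the real site before the time step (plus a small drift window) expires.

```python
"""TOTP second factor per RFC 6238 (built on HOTP, RFC 4226).

Added example for this article, not code from the original post. The shared
secret and time values are the RFC 6238 Appendix B test vector, not a real
account's secret.
"""
import base64
import hashlib
import hmac
import struct

STEP_SECONDS = 30           # the time step most authenticator apps use
DIGITS = 6                  # length of the displayed code
RFC6238_TEST_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then
    'dynamic truncation' to a 31-bit integer, reduced to `digits` decimal digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    truncated = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(truncated % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = STEP_SECONDS) -> str:
    """RFC 6238 TOTP: HOTP where the counter is the number of elapsed time steps.
    The authenticator app and the server compute this independently from the
    shared secret and the clock; only the 6-digit code is ever transmitted."""
    return hotp(secret, unix_time // step)


def verify_totp(secret: bytes, submitted: str, unix_time: int,
                window: int = 1, step: int = STEP_SECONDS) -> bool:
    """Server-side check. Accepts the code for the current step and `window`
    steps either side to absorb clock drift, and compares in constant time so
    a wrong guess does not leak how many digits matched."""
    current_step = unix_time // step
    return any(
        hmac.compare_digest(hotp(secret, current_step + delta), submitted)
        for delta in range(-window, window + 1)
    )


def provisioning_uri(secret: bytes, account: str, issuer: str) -> str:
    """The otpauth:// URI an authenticator app scans from a QR code. The secret
    is Base32 without padding, as the apps expect."""
    b32 = base64.b32encode(secret).decode("ascii").rstrip("=")
    return (f"otpauth://totp/{issuer}:{account}?secret={b32}"
            f"&issuer={issuer}&digits={DIGITS}&period={STEP_SECONDS}")


def replay_succeeds(secret: bytes, captured_at: int, replayed_at: int,
                    window: int = 1) -> bool:
    """Models a phishing page that captures a victim's code at `captured_at`
    and submits it to the real site at `replayed_at`. Outside the step window
    the server rejects it, which is why these attacks relay codes in real time."""
    stolen_code = totp(secret, captured_at)
    return verify_totp(secret, stolen_code, replayed_at, window=window)


if __name__ == "__main__":
    t = 1111111109                       # RFC 6238 test time; expected code 081804
    print("code now:", totp(RFC6238_TEST_SECRET, t))
    print("replayed 20s later:", replay_succeeds(RFC6238_TEST_SECRET, t, t + 20))
    print("replayed 2 min later:", replay_succeeds(RFC6238_TEST_SECRET, t, t + 120))
    print(provisioning_uri(RFC6238_TEST_SECRET, "alice@example.com", "Example"))
```

Two design points worth noticing: the server never stores or receives the code itself, only the shared secret, so the secret must be protected as carefully as a password hash; and the drift window trades usability against the length of time a stolen code stays valid, so keep it to one step either side.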

Use strong passwords 

This may seem obvious, but strong passphrases and password managers are still too often neglected. The reality is that 62% of data breaches involved compromised credentials, according to the Verizon Data Breach Investigations Report (DBIR). Using a long, unique password for every account keeps one leaked password from unlocking the rest, and a password manager makes that practical by generating and remembering them for you. The National Institute of Standards and Technology (NIST) publishes guidance on password standards in Special Publication 800-63B: favor length over forced complexity rules, check new passwords against lists of breached and commonly used passwords, and don't require periodic changes unless there is evidence of compromise.
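As an added illustration of that guidance, here is a password acceptance check written for this article in the spirit of NIST SP 800-63B section 5.1.1.2, alongside the kind of generator a password manager uses. It is not code from the original post or from NIST, and its blocklist is a small constructed sample standing in for the large breach corpus a real verifier would consult.

```python
"""Password acceptance check in the spirit of NIST SP 800-63B section 5.1.1.2,
plus the kind of generator a password manager uses.

Added example for this article, not code from the original post or from NIST.
The blocklist is a small constructed sample; a real verifier checks against a
large breach corpus (a downloaded list or a k-anonymity lookup service).
"""
import math
import secrets
import string

MIN_LENGTH = 8   # 800-63B minimum for a user-chosen password (longer is better)
# 800-63B also says: accept at least 64 characters, allow spaces and all printing
# characters, and do NOT impose composition rules or scheduled password rotation.

BLOCKLIST = {  # constructed sample of commonly used / previously breached passwords
    "password", "123456", "12345678", "qwerty", "letmein", "iloveyou",
    "admin", "welcome", "monkey", "dragon", "football", "baseball",
}


def _normalize(password: str) -> str:
    """Fold the cheap variations attackers try first ('Password1!' -> 'password')."""
    return password.lower().rstrip(string.digits + string.punctuation + " ")


def _has_run(password: str, min_run: int = 4) -> bool:
    """True if `min_run` consecutive characters are identical ('aaaa') or form an
    ascending/descending sequence ('abcd', '4321')."""
    p = password.lower()
    for start in range(len(p) - min_run + 1):
        chunk = p[start:start + min_run]
        diffs = {ord(b) - ord(a) for a, b in zip(chunk, chunk[1:])}
        if diffs in ({0}, {1}, {-1}):
            return True
    return False


def reject_reasons(password: str, username: str = "", service: str = "") -> list[str]:
    """Return every reason the password should be refused; an empty list means accept."""
    reasons = []
    if len(password) < MIN_LENGTH:
        reasons.append(f"shorter than {MIN_LENGTH} characters")
    if password.lower() in BLOCKLIST or _normalize(password) in BLOCKLIST:
        reasons.append("found in the breached/common-password blocklist")
    lowered = password.lower()
    if username and username.lower() in lowered:
        reasons.append("contains the username")
    if service and service.lower() in lowered:
        reasons.append("contains the service name")
    if _has_run(password):
        reasons.append("contains a run of repeated or sequential characters")
    return reasons


def is_acceptable(password: str, username: str = "", service: str = "") -> bool:
    return not reject_reasons(password, username, service)


def generate_password(length: int = 20,
                      alphabet: str = string.ascii_letters + string.digits + string.punctuation) -> str:
    """What a password manager does: each character drawn uniformly from the
    OS CSPRNG, so the result is unique per site and infeasible to guess."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def entropy_bits(length: int, alphabet_size: int) -> float:
    """Guessing work for a uniformly random password: length * log2(alphabet)."""
    return length * math.log2(alphabet_size)


if __name__ == "__main__":
    for candidate in ["Password123!", "abcd1234xyz", "correct horse battery staple"]:
        print(f"{candidate!r}: {reject_reasons(candidate, username='alice') or 'OK'}")
    pw = generate_password()
    print("generated:", pw, f"({entropy_bits(len(pw), 94):.0f} bits)")
```

Note what the check does not do: it never demands an uppercase letter, a digit or a symbol. A four-word passphrase passes, while "Password123!" fails despite satisfying every traditional composition rule, because the blocklist lookup sees through the trailing digits and punctuation.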

Recognize and report phishing

Phishing, in which a cybercriminal poses as a legitimate party in hopes of getting people to open malicious content or follow malicious links, is the most common form of social engineering, and over 60% of reported breaches involving social engineering in the last year started with phishing. While phishing has gotten more sophisticated, you should still keep an eye out for typos, poor graphics, out-of-character messages, unexpected messages and other suspicious characteristics, as these can be telltale signs of a "phish." If you think you have spotted a phishing attempt, report it so that internal IT teams and service providers can remediate the situation and prevent others from becoming victims.

One of the more common avenues of phishing these days is SMS, also called smishing. Typical smishing messages purport to come from shipping companies, phone providers, Amazon and the like, and contain links that aim to steal credentials or install malware on the mobile device. Don't tap the link; if you think the message might be genuine, open the company's app or type its address yourself. Then forward the offending message to 7726 (it spells SPAM on a phone keypad), the number carriers use to collect spam reports, and let your provider take it from there. You may also want to block any further communication from the number if your mobile device provides that functionality.

Update your software

When a device prompts that it is time to update the software, it may be tempting to click postpone and ignore the message. However, running the latest security software, web browser and operating system is one of the best defenses against online threats. So don't wait: update. Malicious actors take advantage of disclosed vulnerabilities precisely because of the lag between initial disclosure and patching across all affected systems. The faster we keep our software up to date, the shorter that window of exposure is.

For software vendors in particular, shortening Mean Time to Respond/Remediate (MTTR) for application vulnerabilities helps customers reduce their own windows of exposure. Application vulnerabilities simply need to be found and fixed faster. For one major application security vendor, the average MTTR is currently 171 days. To remediate faster, software vendors need to focus on the vulnerabilities that matter and ignore those that don't. Recent research shows that a majority of the findings produced by traditional tools, including 54% of those rated "Critical" and 49% of those rated "Major," turn out to be false positives.

Trust your gut

Common sense is a crucial part of maintaining good online and security hygiene, and an intuitive step to stay safe online is to do some research before downloading anything new to your device, whether web-based applications or mobile apps. Before installing a new application, make sure that it's safe by checking who created it, what the user reviews say, and whether there are any articles published online about its privacy and security features. I also recommend that people listen to their gut when interacting with the web. Our human intuition and ability to question the legitimacy of things can help keep us safe from malicious websites and phishing schemes. If it feels wrong, if it seems too good to be true, or if you receive a download link from someone out of band, question it and do your homework.

‘See yourself in cyber’

It's more than just a catchy theme for this year's Cybersecurity Awareness Month campaign. Everyone has a responsibility to do their part in securing our interconnected world. This year, instead of the weekly themes of past years, Cybersecurity Awareness Month is focused on four key behaviors: enabling MFA, using strong passwords, recognizing and reporting phishing, and updating your software. These four should resonate with every individual and organization alike and provide the basics needed for good security hygiene. Own your role in cybersecurity by starting with them.

For more information about Cybersecurity Awareness Month 2022 and how to participate in a wide variety of activities, visit staysafeonline.org/cybersecurity-awareness-month/. You can also follow and use the official hashtag #BeCyberSmart on social media throughout the month. 


David Lindner, Chief Information Security Officer

David is an experienced application security professional with over 20 years in cybersecurity. In addition to serving as the chief information security officer, David leads the Contrast Labs team that is focused on analyzing threat intelligence to help enterprise clients develop more proactive approaches to their application security programs. Throughout his career, David has worked within multiple disciplines in the security field—from application development, to network architecture design and support, to IT security and consulting, to security training, to application security. Over the past decade, David has specialized in all things related to mobile applications and securing them. He has worked with many clients across industry sectors, including financial, government, automobile, healthcare, and retail. David is an active participant in numerous bug bounty programs.