October 2017 marks the 14th National Cybersecurity Awareness Month (NCSAM). The National Cyber Security Alliance (@NatlCyberSecAlliance) is once again hosting a series of Twitter chats every Thursday in October using the hashtag #ChatSTC (moderated by @STOPTHNKCONNECT), and ESET researchers are again participating. We've gathered our own thoughts on each week's topics for this short series of blogs, which will be published twice a week, but we encourage you to check out the chats on Twitter and other events, and to take advantage of the commentary and advice offered by other players in the security industry.
We also encourage you to check out a page put up by ESET offering lots of free cybersecurity resources to help you become more #CyberAware.
You may notice that in some instances we've expanded our commentary here beyond the 140-character limit imposed by Twitter. However, I haven't edited out any textspeak/twitterspeak abbreviations.
Simple Steps to Online Safety: Thursday, Oct. 5, 2017, 3:00-4:00 p.m. EDT/12:00-1:00 p.m. PDT
Twitter Q&A
Q1: What role does the everyday internet user play in making the internet a safer place?
Bruce P. Burrell: Unfortunately, everyday users usually make the 'Net less safe. Unless they are educated and well-armored technically, by using top-quality antivirus software and keeping it current. And keeping their OSes and apps patched. Of course, if indeed they are well-educated about computer security, it's more likely that they will do these things, but education is a major component and one that is not easy to enforce among the population of the Internet as a whole. I mean, it's hard even in a corporate environment. Even with the free training ESET offers (which, of course, is great, but it doesn't make one a security maven), how would we manage to make sure everyone takes the course and also masters all the concepts? And if they did, how would we enforce their getting new training to refresh, and to cover new attack vectors?
Aryeh Goretsky: Users are the front-line troops + first line of defense.
David Harley: End users are often the weakest link. (That usually includes non-technical management.) Education, realistic policies, and access to good support are critical in making them part of the security process.
Lysa Myers: Every1 needs to be part of keeping us all safe. Being aware of our digital surroundings, we can make crime less profitable.
Q2: What does it mean to you to Stop. Think. Connect?
Bruce P. Burrell: Well, it probably doesn’t matter what it means to me, but to the end user it should mean "Think before you act." Of course, it helps a lot to know what to think….
Aryeh Goretsky: To me, it's the digital version of "look both ways before crossing the street."
David Harley: Frankly, not much. It's just saying 'think before you decide to click'. What's important, as Bruce suggests, is knowing what to look for before you decide whether to click.
Lysa Myers: There are a lot of potential hazards online; we have the power to mitigate those risks with awareness.
Q3: How does ID theft work, and what is the value of our personal information for identity thieves?
Bruce P. Burrell: How does it work? The attackers get the victims' PII (Personally Identifiable Information) by whatever means. Dumpster diving, phishing (electronic or over the phone/in person), compromising the victims' computers or breaking into an external source that contains the PII. And that breaking in could be physical, though here we tend to think of it as computer-based.
As for the value? Depends on what it is. Could be used to get health care benefits for someone other than the insured. Could be the ability to transfer funds from victims' bank accounts. Could be the attackers getting tax refunds due to the victims. Could be access to email accounts, then used to send spam or malware. [Maybe it's a mild stretch to consider the password to an email account to be PII, but close enough.]
Aryeh Goretsky: It means impersonating someone to get loans, bank accounts+credit cards, tax refunds, etc. Losses can be in the tens to hundreds of 1000s of dollars for an individual, which they are on the hook for until ID fraud is proved.
Lysa Myers: ID theft is something more far-reaching than payment card theft; uses medical or gov’t ID to create fraudulent acts.
The second part of this Twitter chat will be coming out later this week, so please check back on WeLiveSecurity.com for the latest in our blog series on all things related to cybersecurity.