You are the target

Network Connection: Securing the Human

By Philip Baczewski, executive director, University IT

Oct. 15, 2018—Most cybersecurity experts agree that the number one vulnerability leading to IT system and data breaches is the people who use or are responsible for managing those systems. It's not a coincidence that UNT's mandated employee security training is entitled "Securing the Human." As more of our business and communications occur on computer networks, it is unfortunately natural that some will attempt to gain an advantage (monetary or otherwise) by breaching those networks and the systems they connect. The easiest path is via social engineering — that is, tricking humans into divulging information that would and should normally remain private.

October marks National Cyber Security Awareness Month with weekly themes around protecting online resources. This marks the 15th such observance, and it seems that cybersecurity grows more critical every year. Our awareness of cybersecurity issues is also expanding, and perhaps we are getting better at keeping our internet doors locked. But we still have a ways to go. Reports are that those under the age of 45 are more likely to fall for scams (hooray for us skeptical baby boomers). It seems that phone scams are getting increasingly sophisticated in prying important access information from our vulnerable brains. And, unfortunately, clever phishing emails are still likely to cause some people to give up their login information before they realize they've been fooled.

Face IT

It's bad enough that we are constantly being socially engineered out of our login info, but it compounds matters when organizations we trust enable large-scale breaches of personal information. Facebook has a particularly bad track record right now. They previously allowed Cambridge Analytica to harvest users' personal profiles for political activity in support of Donald Trump's presidential election campaign. More recently comes the notice that bugs in Facebook's software may have allowed access to as many as 90 million users' profile information. Affected were those who stayed logged into Facebook or other online apps and services authenticated via their Facebook account.

On the heels of the Facebook issue comes word that Google's social networking platform, Google+, could have exposed its users' personal data. Google+ has never rivaled Facebook, so the exposure was limited to "only" 500,000 users. The Google issue was also due to a bug in software used by other programs interacting with the Google+ platform (known as an application programming interface or API). These breaches of personal information are particularly bad because they can lead to targeted attacks (spear phishing) that use your own information to fool you into thinking that communication is coming from a trusted source.

Hard Lessons

On the heels of this news about the social media compromises comes word that certain computer server hardware used for streaming online media may have included an additional hardware chip inserted at manufacture time in China. The additional chip reportedly would allow attackers to gain illicit access to the affected servers. Amazon and Apple have been named as affected companies but have denied the report, as has the U.S. Department of Homeland Security. But a further report indicates that a "major U.S. telecommunications company" may also have been utilizing the affected hardware. As of this writing, the validity of these reports is still unclear.

There have not been indications of security breaches due to altered hardware, yet if these reports are true, it could have a chilling effect on the trust placed in computer hardware manufacturing, much of which is done in Asia. Targeting the servers that transmit information and services to us over the internet is serious enough, but many of the personal devices we use on a daily basis are manufactured outside of the United States. Lenovo, the PC brand that was originally owned by IBM (i.e., the IBM PC) and sold to China, has a history of questionable software installed on its computers sold in the U.S. Products from companies like Lenovo, Huawei, and ZTE have raised the suspicion of the U.S. Government as a "cyberespionage risk."

Be Very Afraid?

Perhaps a Facebook account is now the scariest Halloween costume you can think of. It certainly seems that our information and identity are under attack from multiple directions. Have our carefree days of browsing the internet and liking social media posts turned into a constant struggle against dark forces? The real world is a dangerous place, yet most of us still venture out into it. With a bit of attention and care, we can mitigate any online risk just as we do in the physical world.

Just be Safe

Hopefully, you don't ride in an automobile without using a safety belt. So, what you need for the online world is an internet safety belt. This will come in the form of a few recommendations you can follow to stay safe—thanks in part to UC Berkeley.

  • Be aware that you are a target
    If you are using any networked services, you have a responsibility to be sure you are doing all you can to protect against unauthorized access. In other words, be vigilant.

  • Use virus and malware protection
    UNT provides anti-virus software for all employees and students. Many computers have an option to bundle anti-virus software with the purchase. Many cellular providers offer such protection for mobile devices. Install and keep your anti-virus program up to date.

  • Back up your data
    Windows and Mac OS both now include built-in backup capability. Even if you can't back up your whole computer, copy critical files to an external storage device so you'll have them in case you need to recover or reinstall your computer OS.

  • Practice good password management
    Create good passwords. Long password phrases with numbers and punctuation included are the best choices. Use different passwords for different systems. The more special the system, the more unique the password should be. In other words, don't use your pool game password for your banking access as well. It's also advisable to avoid using Facebook or Google for login access to third-party systems. Not only are multiple services compromised when that one password is compromised, but Google and Facebook track your activity and can tell when you are playing pool or accessing any other game or service using your Facebook or Google authentication.

  • Be skeptical
    Phishing and other kinds of scams usually create a sense of urgency to propel you to follow a link to a bogus login site or open a document that has a malware payload. If an email message or login site seems out of character, be suspicious and investigate before clicking on any links or providing your username and password. Use known login addresses that you have bookmarked or can easily type rather than relying on links in emails or on websites.

  • Look before you click
    Before following a link provided in an email or on a website, you can hover your pointer over it and most applications (browser and email) will show you the actual destination URL. Also, be suspicious of search results. Note what is sponsored content and what is content that directly matches your query. Notice also where the link is taking you before you click on it by looking at the URL. If the last part is ".ru" or ".ro" (rather than the usual ".com", ".org", ".edu", etc.) or some other unknown domain, you might not want to follow that link. The domain space has been greatly expanded in the last 10 years, so you may run across some unfamiliar but legitimate sources. But if you see that a URL ends in a two-letter country code, you might ask yourself if it is likely that what you are requesting would be hosted in that country. Remember that you can always search for the top-level domain (TLD, the end part of a URL address) to learn more about it.

  • Keep your software up to date
    Often, older versions of browsers and other programs that access the internet have vulnerabilities that have been fixed in the latest version. Hackers can take advantage of those vulnerabilities to compromise your computer. Likewise, for devices such as routers and webcams, check and update the firmware (internal programs that make those devices work). Usually, the administrative interface will allow for such an update.

  • Don't leave your computer or device unattended
    Just as you wouldn't (shouldn't!) leave your car keys in the ignition, you should not leave access to your computer available when you are not using it. Use a password-protected screen on your desktop and laptop computers. Use the screen lock on your mobile devices and keep them within reach when they are not in use.

  • Keep up to date on best computer security practices
    Technology changes and with it our knowledge about its use needs to be continually updated. You might want to subscribe to a computer security news feed if you use an online news reader. Or you may find a reliable site that offers news on IT security. For example, SANS, a long-standing IT security information and training organization, offers a Security Awareness Tip of the Day.
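
The "Look before you click" check from the list above can also be automated for an HTML email. The following is an added example, not part of the original column: it compares the host a link displays with the host it actually points to and notes country-code or unfamiliar TLDs. The sample message, its domains, and the FAMILIAR_TLDS set are constructed assumptions.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

FAMILIAR_TLDS = {"com", "org", "edu", "gov", "net"}  # assumption: adjust to your own habits

class LinkCollector(HTMLParser):  # gathers (visible text, href) for every <a> element
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = (dict(attrs).get("href") or "").strip(), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None

def host(value):
    try:  # accept both full URLs and bare "www.example.com/path" text
        return (urlsplit(value if "://" in value else "//" + value).hostname or "").lower()
    except ValueError:
        return ""

def review_link(text, href):
    """Return the reasons (possibly none) to pause before following a link."""
    if not href.lower().startswith(("http://", "https://")):
        return []  # mailto:, page anchors, etc. are out of scope here
    dest, reasons = host(href), []
    # Heuristic: link text that is one token containing a dot is treated as a URL.
    shown = host(text) if "." in text and len(text.split()) == 1 else ""
    if shown and shown != dest:
        reasons.append(f"text shows {shown} but link goes to {dest}")
    tld = dest.rsplit(".", 1)[-1]
    if len(tld) == 2 and tld.isalpha():
        reasons.append(f"country-code TLD .{tld}")
    elif tld not in FAMILIAR_TLDS:
        reasons.append(f"unfamiliar TLD .{tld}")
    return reasons

def review_message(html):
    collector = LinkCollector()
    collector.feed(html)
    return [(t, h, review_link(t, h)) for t, h in collector.links]

SAMPLE = """<p><a href="https://portal.example.org.signin-check.ro/login">https://portal.example.org/login</a>
<a href="https://www.example.com/news">Read the newsletter</a>
<a href="http://files.example.xyz/doc">Download the document</a></p>"""  # constructed message

if __name__ == "__main__":
    print(*review_message(SAMPLE), sep="\n")
```

A flagged link is a prompt to investigate, not proof of a scam; as noted above, unfamiliar TLDs can be legitimate.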

Backups, passwords, and software require ongoing but occasional management. I think the most important traits to maintain on a daily basis are to be skeptical and observant. The more you are aware of your activity, the better you can avoid potential pitfalls. This is similar to looking up from your smartphone before you start crossing the street. We were all taught to look both ways before crossing, and when we do we have a much better chance of survival. A bit of vigilance will also go a long way toward protecting us online.

Editor's Note: Please note that information in each edition of Benchmarks Online is likely to change or degrade over time, especially the links to various websites. For current information on a specific topic, search the UNT website, UNT's UIT Help Desk or the world wide web. Email your questions and comments to the UNT University Information Technology Department or call 940-565-2324.