Happy Halloween! What are you scared of?
Cybercriminals are at the top of my “Things that Keep Me Up at Night” list. No joke. Data breaches are a poisonous potion that is feared amongst small and medium-sized businesses (SMBs).
In fact, SMBs are now the number 1 target for cybercrimes.
Why? Because many don’t have the protections in place to mitigate an attack. Being victimized is no longer a question of “if” but “when.”
Like it or not, there’s nothing these hackers enjoy more than the taste of your data. Therefore, it’s imperative that you ensure you’re taking the right precautions.
But where do you start?
You can start by educating yourself.
So, in the spirit of Halloween, my team and I prepared an illustrated guide of common cyber threats. We dressed these threats up in Halloween costumes to help paint a picture of how deadly they can be.
But like all monsters, they can be defeated…
Frankenstein – Brute Force Attack
Doctor Frankenstein’s monster is a classic fictional character who first appeared in Mary Shelley’s 1818 novel, Frankenstein. Shelley describes the monster as 8 feet tall and hideously ugly.
(But the monster is sympathetic!)
Above all else, the monster has superhero strength–much like a brute force attack.
By definition, a brute force attack is an attack that uses automated software to continually try to guess the credentials (like username and password) to gain access to systems, data or accounts.
It’s like someone repeatedly pounding on a locked door until it bursts open.
The thing is, passwords are often the ONLY thing standing between a hacker and your accounts. If your password isn’t strong, it’s not going to withstand the attack.
And if the hacker does get into your system, your data doesn’t stand a chance. So, please don’t go head-to-head with Frankenstein’s monster. Instead, protect your data.
The best protection against a brute force attack:
Make sure your password is strong.
Your passwords should be unique, long, and be a mix of letters, numbers, and symbols. Check out our 10 Rules for Stronger Passwords to see if you’re using a strong password.
Use multi-factor authentication whenever possible.
Multi-factor authentication (MFA) is a form of security authentication that requires a user to present two or more authentication factors. In order for the authentication to be complete, the user must validate each factor.
MFA can be a lot of things. But a common one is when a user first enters a password followed by an SMS code they receive on their phone. For more information on setting up MFA for business accounts, check out this blog.
Consider using a password manager.
Password managers like LastPass and Dashlane are great for managing your passwords and creating new, secure ones. Plus, you won’t have to remember a password for each site, just your master password.
We wrote a beginner’s guide to password managers that breaks down the process and how to make the switch.
Identify where your vulnerable data lives.
Your best protection from a brute force attack is to identify what content is the top priority for protection and put safeguards in place. With a brute force attack, criminals take considerable time to identify the information that will be the most rewarding to compromise.
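Strong passwords and MFA stop a guess from succeeding, but a defender also wants to notice the "pounding on the door" while it is happening. The script below is an added example (not code from the original post): it reads authentication log lines in a constructed format, keeps a sliding window of failed logins per source address, flags a source once the failures in that window reach a threshold, records how many different usernames it tried, and marks the alert as high priority if a successful login from that source follows the burst. The log format, the RFC 5737 test addresses and the thresholds are all assumptions for this example; adapt `parse_line()` to your own system's format.

```python
"""Brute-force login detection over authentication log lines.

Added example, not from the original post. The log line format and the
sample entries below are constructed for this example; real systems (sshd,
web applications, identity providers) each use their own format, so adapt
parse_line() before using this on real data.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta
import re

# Constructed sample log (ISO-8601 UTC timestamps, RFC 5737 test addresses).
# 203.0.113.7 tries four accounts in five seconds and then gets in;
# 198.51.100.4 is a slow, ordinary user who mistypes twice over three minutes.
SAMPLE_LOG = """\
2023-10-31T22:00:01Z auth result=fail user=alice src=203.0.113.7
2023-10-31T22:00:02Z auth result=fail user=alice src=203.0.113.7
2023-10-31T22:00:03Z auth result=fail user=bob src=203.0.113.7
2023-10-31T22:00:04Z auth result=fail user=carol src=203.0.113.7
2023-10-31T22:00:05Z auth result=fail user=dave src=203.0.113.7
2023-10-31T22:00:06Z auth result=ok user=dave src=203.0.113.7
2023-10-31T22:00:10Z auth result=fail user=erin src=198.51.100.4
2023-10-31T22:03:10Z auth result=fail user=erin src=198.51.100.4
2023-10-31T22:06:10Z auth result=ok user=erin src=198.51.100.4
this line is garbage and is ignored
"""

# Assumed log line format for this example.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) auth result=(?P<result>ok|fail) user=(?P<user>\S+) src=(?P<src>\S+)$"
)


def parse_line(line):
    """Parse one log line into (timestamp, result, user, src); None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return ts, m["result"], m["user"], m["src"]


def detect_bruteforce(log_text, threshold=5, window=timedelta(minutes=1)):
    """Return {src: finding} for every source whose failed logins within
    `window` reached `threshold`.

    Each finding records the failure count at the moment of alerting, the
    distinct usernames tried (many usernames from one source is the signature
    of credential stuffing or password spraying), and whether a successful
    login from the same source followed the burst.
    """
    recent = defaultdict(deque)   # src -> timestamps of failures still inside the window
    targets = defaultdict(set)    # src -> usernames that source has tried
    alerts = {}                   # src -> finding dict

    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue  # unparseable lines are skipped, not treated as failures
        ts, result, user, src = parsed

        if result == "fail":
            q = recent[src]
            q.append(ts)
            targets[src].add(user)
            # Slide the window: forget failures older than `window`.
            while q and ts - q[0] > window:
                q.popleft()
            if len(q) >= threshold and src not in alerts:
                alerts[src] = {
                    "first_alert_at": ts,
                    "failures": len(q),
                    "users": sorted(targets[src]),
                    "success_after": False,
                }
        elif result == "ok" and src in alerts:
            # A success after a flagged burst means the guessing may have worked:
            # this is the alert to act on first (reset the credential, check MFA).
            alerts[src]["success_after"] = True

    return alerts


if __name__ == "__main__":
    for src, finding in detect_bruteforce(SAMPLE_LOG).items():
        priority = "HIGH" if finding["success_after"] else "medium"
        print(f"[{priority}] {src}: {finding['failures']} failures, "
              f"users tried={finding['users']}, success after burst={finding['success_after']}")
```

Run as-is, it flags only 203.0.113.7 (five failures across four usernames within one minute, followed by a success); the slow user at 198.51.100.4 never trips the threshold. The threshold and window are the knobs you tune to your own false-positive tolerance; the same logic is what a lockout or rate-limiting rule enforces at the login endpoint itself.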
Haunted Armor – Trojan
Wait, did that piece of armor just move? The haunted armor trope is a familiar face in popular culture, but perhaps the best-known example is the Black Knight episode of Scooby Doo.
In the episode, a villain disguises himself as The Black Knight to scare visitors away from a museum during his art forgery scheme. The villain pretends to be an empty suit of armor and then “comes to life” to scare off visitors.
This act of deception is similar to a trojan attack.
A trojan is software designed to breach the security of a computer system by disguising itself as a common, harmless program.
Trojans look like legitimate programs, just like how a haunted suit of armor looks like wall décor. However, once activated, they both unleash destruction on your network.
The best protection against Trojans:
If you are unsure, don’t click.
Trojans are so named because they are programs that need your permission to run on the computer: only after you start the program or open the document or image does the malicious code actually run. Trojans are made to look safe.
With this in mind, the first and best defense against Trojans is to never open an email attachment or run a program when you aren’t 100 percent certain of its source.
Keep your software up to date.
The main reason for downloading and installing the latest updates is to stay protected against security threats.
Have a functional, up-to-date firewall.
At the bare minimum, your company should have a firewall. Both software and hardware firewalls are excellent at controlling malicious Internet traffic. Also, they can often stop trojans from downloading to your computer in the first place.
Werewolf – Phishing
In folklore, a werewolf is a human with the ability to shapeshift into a wolf under a full moon. Werewolves, in recent years, have been the centerpiece for modern fantasy pop culture.
But when I think of werewolves, I don’t think about Twilight and sparkly vampires. Instead, I think of phishing attacks.
On the surface, the werewolf looks like an ordinary man, but when the full moon hits, it becomes a monster. Similar to how a fake email looks like an ordinary email until you click on one of its links… and then, catastrophe strikes your desktop.
By definition, phishing is the fraudulent practice of sending bogus emails claiming to be from a reputable company in order to trick individuals into revealing personal information, like passwords and credit card numbers.
The best defense against phishing attacks is to block fake emails before they reach your inbox by using a spam filter. But unfortunately, some phishing emails will make it to the inbox even with protection.
How to spot a phishing email:
Who is the real sender?
Make sure the sender’s name in the “From” field matches the address between the brackets. If it’s a legit company, the sender should not be using a public account, like Gmail, Yahoo, etc.
Check the greeting.
Phishing emails will often address the receiver as “valued customer” or something similar. Remember if this email is real, the sender should have your correct information on file.
Use your mouse hover.
Hackers use fake sites to steal your information. Hover over an email link to see the full URL it will direct you to. Do NOT click the link–just hover. If the address isn’t where you’d expect to go, don’t click it.
What do they want?
Legitimate companies will never ask for personal credentials, like PINs and card information, via email. You should be suspicious of all emails and websites requesting your Social Security number, passwords, or other sensitive information.
When in doubt, don’t click.
If you truly do not know whether an email is real or fake, don’t click it.
Zombies – Worms
Zombies had to make our Halloween list. They are a staple of popular culture. But if you have been living under a rock, a zombie is a fictional undead creature created through the reanimation of a human corpse. Zombies feast on basically any living thing–making them quite scary.
One bite from a zombie, and it’s over – you are infected with the zombie virus. Worms, a type of malicious computer program, behave very similarly.
Like the infectious zombie disease, worms have the special power of replicating themselves and spreading malicious code to other computers. However, a worm can replicate itself without any human interaction.
Worms typically use a computer network to replicate themselves, relying on security failures on target computers.
Worms almost always cause at least some harm to the network, even if only consuming bandwidth. Some worms can modify and delete files, and they can even inject additional malicious software onto a computer.
In addition to wreaking havoc on a computer’s resources, worms can also steal data, install backdoors, and allow hackers to gain control over a computer and its system settings.
No one wants worms.
How to protect yourself against worms:
Keep everything up to date.
I know we said this before, but updates are critical to your network’s health.
Since software vulnerabilities are major infection vectors for computer worms, be sure your computer’s operating system and applications are up to date with the latest versions. Install these updates as soon as they’re available because updates often include patches for security flaws.
Watch out for those phishing emails.
Phishing is a popular way for hackers to spread worms, so make sure you are extra cautious when opening unsolicited emails. If you aren’t 100% sure about something, don’t click it.
Antivirus is a must to protect yourself against worms.
Do regular backups.
Regular, periodic backups help you keep your data safe in case the system is infected by any kind of virus or malware. Also, make sure your backup actually restores! Nothing is worse than not being able to access your files in a time of crisis.
Be wary of third-party installs.
Try to avoid freeware download websites–they make great places for worms to hide their ugly heads.
Witch – Spyware
Witches are known for having many types of powers. But for this example, we’re going to project onto witches the power of clairvoyance, which is the power to see into the past, present or future.
In pop culture, in order for witches to achieve clairvoyance, they often need to use a tool – like a crystal ball. With the crystal ball, the witch is able to spy on people without them knowing. Spyware is very similar, only it’s not magic.
Spyware is malicious software whose purpose is to gather information about the user or organization without their knowledge.
Hackers use spyware to collect personal information, like internet surfing habits, user logins, and credit account information. Some spyware can interfere with a user’s control of a computer, just like someone under a witch’s spell.
How to protect yourself against spyware:
Have high-quality antivirus.
Install individual antivirus and anti-spyware software on every computer. New threats are emerging all the time, so you should always download up-to-date definitions from your software provider.
While nothing is a guarantee against infection, antivirus and anti-spyware software can go a long way towards helping protect your organization.
Practice good web safety.
Be cautious when surfing the web and stay away from suspicious websites.
Educate employees and yourself.
An essential part of cybersecurity is educating employees to make smart decisions. For example, what would your staff do if someone emailed and asked for their social security number? Create regular security training sessions for your employees that cover security basics.
Consider enterprise-level tools.
Remember, spyware often goes undetected. Once you establish the basics, you may want to consider investing in 24/7 security monitoring and alerting programs. With security alerts, your cybersecurity team will be able to respond quickly and effectively to threats, breaches, and other events.
Vampires – Spoofing Attack
Again, no sparkling vampires here. Instead, I’m referencing the classic Bram Stoker’s Dracula, where the vampire is exceptionally cunning and calculating.
In the novel, Dracula expertly maneuvers his way around the heroes to get to his victims. This devious and strategic targeting of weaknesses is what spoofing attacks do.
A spoofing attack is a cyber-attack where a malicious party impersonates another user or device in order to launch attacks against the network host, steal data, spread malware or bypass access control.
Both use social engineering and research to collect information on their targets. They search for weak spots and vigilantly look for more openings until they get to their target, where they can do the most damage.
How to protect yourself against spoofing attacks:
Consistently update your network and upgrade to the latest cybersecurity software.
For the billionth time, do NOT skip this step.
Use penetration testing to identify vulnerabilities in your network.
To truly understand your security posture, you must look at everything from every angle. Conducting penetration tests will help you find your weak spots and address them.
Train yourself and employees.
Provide cybersecurity training to employees to broaden knowledge and minimize insider and outsider attacks. In this training, make sure you discuss internet safety and how to identify spoofing emails and websites.
Use spoofing detection software.
There are many programs available that help organizations detect spoofing attacks. These programs work by inspecting and certifying data before it is transmitted and blocking data that appears to be spoofed.
Don’t overlook cybersecurity for your small business. As you can see from today’s examples, to protect against cybercrime, your business needs a multi-tiered approach to security. Having just one layer of protection, like a firewall, is not going to keep all of the monsters out of your network.
Illustrations by Katlyn Wolinski.