Cyber safety tips from CUE Experts
Posted on: Oct 19, 2022
According to reports, cybercriminals worldwide scam people and companies out of billions of dollars each year. As many of you may remember, MacEwan University was defrauded of $11.8 million in 2017 when cybercriminals requested that banking information be changed and staff failed to call the vendor to verify the validity of the request.
Individual mistakes play a major role in these hacks, and for Cybersecurity Awareness Month we want the CUE community to be mindful and to create a security-aware culture. Human behavior flaws are thought to be behind 99% of breaches.
There are many ways to outsmart the scammers and social engineers in our midst.
We spoke with three experts about tips, tricks, and what to look out for:
- Eslam AbdAllah, Assistant Professor, Master of Information Systems Security Management (MISSM)
- Shawn Thompson, instructor at the MISSM/MISSAM program
- Brechin Piper, current CUE MISSM student, and former Signal Officer and Information Systems Security Officer at Canadian Armed Forces Base Edmonton
5 steps to protecting your digital life
1. Hack proof your passwords
Nobody wants to remember 40 passwords; isn’t it so much easier to use the same password for multiple accounts?
Shawn says, “Social media sites are far easier for cybercriminals to hack into than a bank, but once they’ve obtained your credentials from one of the many data breaches that have occurred, they might try it out on your bank or other accounts you use, and they’re in.” The key is to have each account protected with a unique password – adding or changing one letter or number does not make it unique.
“A lot of people think that just changing a number slightly each year will help prevent attacks,” says Brechin. “Let’s say you have chosen Mom2021, Dad2021 and Kid2021 for your family’s passwords one year, then the following year you changed it to Mom2022, Dad2022 and Kid2022. Well, that just made my life easier as an attacker. If I can get a hold of your previous passwords, I can easily guess your current one.”
Shawn and Brechin say never to use predictable entries like qwerty, abc123 or 123456 – they are always among the top hacked passwords.
“There was a time when Game of Thrones was at its height and everyone was using Game of Thrones passwords – that year, the word ‘Dragon’ was one of the most used passwords,” says Shawn.
Brechin added, “The first year after it premiered some of the worst data leaks occurred, and character names like Drogo and Quaithe were common. The same thing occurred when Star Wars released its newest trilogy. Skywalker and other new names were very popular in leaks.”
Lengthy passwords are ideal, says Shawn: “If you can remember a favorite lyric to a song, use that. The longer a password, like a phrase or lyric, the harder it is for cybercriminals to discover it.” A passphrase of at least 24 characters is much more secure than the typical 8-character complex password many sites demand.
If you can make the password complex with special characters like “?” and “!”, even better, but Shawn stresses that the length of a password is just as important to consider.
Changing passwords can be a time-consuming endeavor. When asked if this was important, Shawn reassured us that if we do all of the above, making sure our passwords are long, unique, and different for each use, we may not need to change them very often.
The key is “Your password for your bank should only be used for your bank!” Shawn recommends.
It can be easy to forget passwords if you have to remember them all. That is why storing your passwords in a password manager (available for Apple, Android, etc.) helps: you will just need to remember one password to unlock the vault.
Also remember to check for alerts and change your password right away, says Brechin, “If my randomly generated Gmail password for Concordia ended up on the dark web, I would get an alert saying, ‘Your password has been compromised’ – change your password as soon as possible.”
It goes without saying, but don’t tell someone your password when asked. “It might seem obvious but that is exactly what people did on Jimmy Kimmel Live,” Shawn mentioned.
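To make the two points above concrete (a password that is only a minor change from an old one is not a new password, and length matters more than complexity), here is an added Python example of a password-change check. It is not CUE’s code or any of the experts’ own; the minimum length, the similarity threshold and the short common-password list are assumptions chosen for the example, and the sample passwords in the usage block are constructed.

```python
"""Password-change checks (added example, not CUE's code).

Flags a new password that reuses or only slightly varies a previous one
(Mom2021 -> Mom2022) and enforces a length minimum rather than a
complexity rule.  MIN_LENGTH, SIMILARITY_THRESHOLD and COMMON_PASSWORDS
are assumptions chosen for this example.
"""
import difflib
import re

MIN_LENGTH = 16               # assumption: favours passphrases over 8-character "complex" passwords
SIMILARITY_THRESHOLD = 0.8    # assumption: difflib ratio at or above this counts as "the same password"
COMMON_PASSWORDS = {"qwerty", "abc123", "123456", "password", "dragon"}  # tiny list for illustration


def stem(password: str) -> str:
    """Lower-case and drop a trailing run of digits so that 'Mom2021' and
    'Mom2022' both reduce to the stem 'mom'."""
    return re.sub(r"\d+$", "", password.lower())


def similarity(a: str, b: str) -> float:
    """Ratio in [0, 1] from difflib; 1.0 means identical strings."""
    return difflib.SequenceMatcher(None, a, b).ratio()


def check_new_password(new: str, previous: list) -> list:
    """Return the list of policy violations; an empty list means accepted."""
    problems = []
    if len(new) < MIN_LENGTH:
        problems.append(f"too short: {len(new)} < {MIN_LENGTH} characters")
    if new.lower() in COMMON_PASSWORDS:
        problems.append("appears on common-password lists")
    for old in previous:
        if new == old:
            problems.append("reuses a previous password")
            break
        # Same stem (only the year changed) or a near-identical string: not really new.
        if (stem(new) and stem(new) == stem(old)) or similarity(new, old) >= SIMILARITY_THRESHOLD:
            problems.append("only a minor change from a previous password")
            break
    return problems


if __name__ == "__main__":
    # constructed sample values
    history = ["Mom2021", "Kid2021"]
    for candidate in ["Mom2022", "we will, we will rock you!"]:
        print(candidate, "->", check_new_password(candidate, history) or "accepted")
```

Running the block shows that Mom2022 is rejected both for length and for being a minor edit of Mom2021, while a 26-character lyric-style passphrase with no special characters passes.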
2. Add the extra steps to deter hackers with MFA
Two-factor or two-step verification, also called Multi-Factor Authentication (MFA), is a measure that requires you to prove your identity in multiple ways before logging in. You may need to enter a code delivered by text to your phone, or provide a face ID or your fingerprint, for example.
Yes, those extra steps can sometimes be time consuming, but that extra minute or two could be the difference between a hacker and your account – even if they were sneaky enough to find your password.
If you’ve ever filed taxes you will have noticed that sites like the Canada Revenue Agency use MFA, where you can add extra security questions, like “Who was your favorite teacher at school?”
The MISSM program at CUE helps businesses set up apps that require MFA and provide an extra layer of resistance to unauthorized users.
It is advised that businesses, universities, and institutions dealing with people’s credit card information use MFA.
3. Don’t take the bait when criminals go phishing
Phishing is the use of fake emails, social media accounts or messages with the goal of leading you to a link or download that carries malware.
Clicking on a link that is not safe can lead to you handing over your personal information, or to malware being installed on your computer.
The emails can be incredibly deceptive, says Shawn, “Criminals can find out your work colleagues name, and act as though they are emailing you from within the company. All of a sudden they’re asking you for details, and many people will provide that information to someone they know and trust.”
Brechin says that within the federal government, staff regularly give out credit card information to pay for things, and one person could easily receive five or more bills a day asking for payment.
“Getting an email saying, ‘You have an overdue bill,’ is not out of the ordinary,” says Brechin. So how do we figure out which ones are legitimate? Brechin recounts three steps:
Step 1: Don’t panic.
Step 2: Talk to a friend.
Step 3: If a friend doesn’t say ‘oh yeah, that’s totally legit’ but instead says ‘hmm, that’s weird’, pick up the phone and call the vendor – not at the number in the email, but at the number you personally looked up online from the real vendor.
Another important tip is to check that the sender address of an email matches the company it claims to be from. A minor misspelling might not be caught: @concrdia.ab.ca, for example – it is not easy to notice that missing “o”.
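The missing-letter domain above is exactly the kind of thing a mail filter can catch mechanically. Here is an added Python example (not CUE’s code) that pulls the domain out of a sender address and reports whether it is a trusted domain, a near-miss of one, or simply external. It assumes concordia.ab.ca is the organisation’s own domain and that two edits or fewer counts as a look-alike; the sample addresses in the usage block are constructed.

```python
"""Look-alike sender-domain check (added example, not CUE's code).

Extracts the domain from a From: address and reports whether it is a
trusted domain, a near-miss of one (e.g. concrdia.ab.ca), or simply
external.  TRUSTED_DOMAINS and MAX_EDITS are assumptions for the example;
the sample addresses in the usage block are constructed.
"""
import re

TRUSTED_DOMAINS = {"concordia.ab.ca"}   # assumption: the organisation's own domain(s)
MAX_EDITS = 2                            # assumption: this many edits or fewer = look-alike


def levenshtein(a: str, b: str) -> int:
    """Edit distance with insert, delete and substitute each costing 1."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # delete ca
                           cur[j - 1] + 1,              # insert cb
                           prev[j - 1] + (ca != cb)))   # substitute (free if equal)
        prev = cur
    return prev[-1]


def sender_domain(address: str):
    """Return the lower-cased domain of 'Name <user@host>' or 'user@host', or None."""
    m = re.search(r"@([A-Za-z0-9.-]+)>?\s*$", address.strip())
    return m.group(1).lower().rstrip(".") if m else None


def classify_sender(address: str):
    """Return (verdict, domain); verdict is trusted, lookalike, external or invalid."""
    domain = sender_domain(address)
    if domain is None:
        return ("invalid", None)
    for trusted in TRUSTED_DOMAINS:
        # exact match or a subdomain of a trusted domain
        if domain == trusted or domain.endswith("." + trusted):
            return ("trusted", domain)
    for trusted in TRUSTED_DOMAINS:
        if levenshtein(domain, trusted) <= MAX_EDITS:
            return ("lookalike", domain)
    return ("external", domain)


if __name__ == "__main__":
    samples = [  # constructed examples
        "IT Helpdesk <helpdesk@concordia.ab.ca>",
        "IT Helpdesk <helpdesk@concrdia.ab.ca>",
        "billing@example.net",
    ]
    for s in samples:
        print(f"{s!r:45} -> {classify_sender(s)}")
```

A "lookalike" verdict is worth a warning banner or a quarantine rule; an "external" verdict is normal mail and is not by itself suspicious.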
If you get a scam email like this, report it to CUE’s Helpdesk support team as soon as possible. Clicking on any link in it, even one that says “unsubscribe”, could be a major risk. Delete, block, and report it… but do not click!
Be careful of any message that asks you to urgently click on a link, or offers you something that is too good to be true.
“If someone’s trying to scam you or extort you, there’s a couple telltale signs and one of them is the pressure to act now.” – Brechin.
“If you get a call claiming to be from Canada Revenue Agency and they said your taxes are overdue and want your credit card number before the end of the call, beware. CRA never puts pressure on you to hand over your credit card that minute, and will never say they’re sending police over to arrest you,” Brechin warned.
If there is a terrible consequence for you not complying with their demand, it could be a scam. “A power company is not going to cut off your power unless they have made multiple contacts to warn you,” says Brechin.
There are three levels of phishing sophistication, says Brechin:
- Phishing – emailing many people, hoping one person will pay the shortfall, in an opportunistic attack.
- Spear phishing – more targeted contact, perhaps using a target’s name or inside information about them found on the internet.
- Whaling – often targeting someone like the CFO of a big company. “A lot more effort goes into targeting that specific person. And it’s a lot easier to fall for because there might be a whole team of cybercriminals analyzing your company, making a convincing email and hoping you make a bank account change, or whatever it may be.” says Brechin.
This level of targeted phishing is paying off for criminals says Brechin:
“If you look at cybercrime as a country, it would have the third largest GDP in the world after the United States and China.”
One of the best ways to combat phishing emails is to report it as spam, then delete it. “Google, Yahoo and Microsoft have very sophisticated checks in place, so marking it as spam will be very helpful for these companies to flag phishing campaigns.”
4. Be quick to update your software
Updates to your computer and phone can be put off due to the “I’m not ready yet” mentality. But many of these updates fix gaps in security where cybercriminals can find a way in. Updates are how software companies try to stay one step ahead of hackers, who do not take days off from finding loopholes in operating systems to take advantage of.
Have a new device? Check out the getcybersafe.ca new device checklist.
5. Don’t use removable media you found lying around
Brechin also stressed the importance of using only your own USB sticks, hard drives, and CDs. “A common attack is leaving a USB stick on someone’s desk, in a hallway, or a parking lot, hoping that someone will pick it up and insert it into their computer.”
“They may just be doing the good samaritan thing by plugging it in just to see who owns it, or they intend to keep it for themselves,” Brechin explained. “But either way, they’re getting what they want, embedding malware they can use to exploit you.”
Even the brightest security-aware people have fallen for this trick. Brechin referenced Stuxnet and conferences like DEF CON, one of the oldest continuously running hacker conventions.
“At the DEF CON conference they left USB sticks all over the place with non-malicious software. At the end of the conference they flashed up on the screen ‘Hey, we’re all really smart, but 45 people still plugged in the USB stick they found on the floor.’” – Brechin
“Having people make these mistakes in a safe environment is a great way of educating people,” says Brechin.
Graduate from CUE as a highly skilled cybersecurity expert:
CUE excels at teaching cybersecurity within the Master of Information Systems Security Management program – the only master’s in western Canada with both a cybersecurity and a business focus.
“There is a very high demand for students graduating from the program,” says Eslam. “In fact, there is currently a shortage of qualified professionals in this area. There is a growing reliance of businesses in all sectors who need reliable cybersecurity.”
“Students at CUE will learn governance, risk management, disaster recovery planning, and other areas all with the outcome of identifying and mitigating risks for senior management and on financial resources. Many students are even involved in creating apps that have a security component,” says Eslam.
Brechin and other students speak very highly of the course, saying that what sets the course apart is that they can go into a boardroom and explain to business managers the needs of cybersecurity for their business.
“It’s a really good mix of hands-on technical work, with higher level management practices,” says Brechin.
“Many of the courses teach you about governance and how to write good policy. I don’t think there’s anyone who is not being challenged by at least half of the courses. It gives you well rounded exposure to both sides – the management side and how to employ the technical aspects.” – Brechin
Shawn says many students will graduate and quickly move up the ladder due to the quality of teaching at CUE. “One student went for an entry-level position at a bank, and within two years was in management making six figures,” says Shawn.
Our graduates are employed in cybersecurity-related jobs across most Canadian industries, at employers including KPMG, Deloitte, Fortinet, Sophos, Arctic Wolf, Palo Alto, RBC, Scotiabank, and many others.
What the program offers is “professionalizing the field of cybersecurity,” Brechin explains. “We may be nerdy IT people but we still need to know what the business is doing and what they need. It’s hard to justify the newest shiny IT thing if you can’t link it to something that makes money or turns a profit – students at Concordia learn to link it to a business outcome.”
Brechin is proud to describe himself as a “nerd translator.” “I have to translate some very nerdy and super technical terms in an operational and business focussed way,” he says. “So I find that where I’m happiest is actually being a bridge between those two teams. I am not fully a techy nerd or a C-level exec, and I wouldn’t be happy being just one of those, but I’m happy having my foot in both those worlds.”