In the first article of this three-part series, we’re going to explore whether having cyber security really matters (spoiler alert: it does).
When it comes to believing the legitimacy of cyber-security threats, I’m probably one of the worst culprits. I float through life convincing myself that no one is interested in what I’m doing online. Since I have historically viewed hackers as bad guys in basements trolling the internet, I can’t imagine that they’d be concerned with my minuscule bank account and 200 Facebook friends. Why would they target me? Bottom line, I pretty much assume as far as cyber schemes go, I’m living under the radar.
In the wake of the Equifax attack, I attempted to confirm this theory with our support team, and found that I could literally not have been more wrong (yes, telling you this may be embarrassing, but that’s how dedicated I am to sharing cyber safety with you). Turns out that cyber threats are much more than a man with a yellow legal pad trying to guess one variable at a time in my passwords. It’s actually a highly sophisticated, thought-out process. Thankfully, our support team is on their game and takes such good care of us (and our customers) that it’s not something I have ever needed to worry about before. But just the same, I wanted to be informed, so I asked them to put together some info for me to better understand how online attacks work, and here’s what I got from Alex:
The most common ways to “crack” a password are either through brute force or password phishing. In brute force attacks, hackers generate username and password wordlists that can contain anywhere from 10 to 1 trillion username and password combinations. Then a script or code is run on the target portal, dashboard, email, etc. until a single or multiple matches are found. The key to brute force attacks is time. Think of it like this:
If we have a house with a lock on it, then a hacker comes up with his huge keyring full of different keys and tries them one at a time. Given time, he will go through every key in hopes of finding just one that will work on the lock. The hacker doesn’t care how long it takes as long as one works.
Phishing attempts work a bit differently. These types of attacks are usually more widespread in attempts to recover as many credentials as possible. Hackers duplicate a common email, portal, or login in an attempt to get people to input their username, password, or credit card information. This is very successful, especially when paired with a global tool like Google Drive. You receive a document from a colleague, but it turns out to be a hacker asking you to put your username and passwords into a Google Sheet. Let’s use our house example one last time.
If we have a house with a security system on it, a hacker knows the key won’t work and if he tries to break in (brute force attack) he will get caught. Instead, he is going to monitor the house and see when the maintenance company comes and does the work. He notices the maintenance company shows up at 11am every other Tuesday, so he decides to show up that same Tuesday before the normal person (about 10:30am). He uses the excuse that he is new to the company that takes care of their maintenance and wanted to be early. The homeowner gives him the password and he is now in.
When we apply this same concept to emails, portals, and dashboards, it becomes increasingly important to know what URL you are on, who sent this email (is it legit?), and to check for any glaring issues in spelling/grammar.
Convinced now? I know I am. Stay tuned for our next article about how to create a super secure password–coming soon!