Be Aware of Common Threat Categories
Spam—unsolicited messages sent to your email address or phone—is a major problem. Besides the fact that the billions of spam messages transmitted daily consume a fortune in network bandwidth, they also carry thousands of varieties of dangerous malware and just plain waste our time.
Your first line of defense against spam is to make sure your email service’s spam filter is active. Your next step: educate yourself about the ways spammers use social engineering as part of their strategy.
Spoofing involves email messages that misrepresent the sender’s address and identity. You probably wouldn’t respond to an email from [email protected], but if he presented himself as [email protected], you might reconsider. At the least, recognize that email and web addresses can be faked. Organizations using DomainKeys Identified Mail (DKIM) to confirm the actual source of each email message can be effective in the fight against spoofing.
Phishing attacks, which are often packaged with spoofed emails, involve criminals claiming to represent legitimate organizations like banks. A phishing email might contain a link to a website that looks like it belongs to, perhaps, your bank, but doesn’t. When you enter your credentials to log in, those credentials are captured by the website backend and then used to authenticate to the actual banking or service site using your identity. I don’t have to tell you how that can end.
Always carefully read the actual web address you’re following before clicking—or at the least, before providing authentication details. Spelling counts: gmall.com is not the same as gmail.com. Consider using multifactor authentication (MFA) for all your account logins. That way, besides protecting you from the unauthorized use of your passwords, you should ideally notice when you’re not prompted for the secondary authentication method and back away.
In general, be deeply suspicious of desperate requests for help and unsolicited job offers. Scammers often pretend to be relatives or close friends who have gotten into trouble while traveling and require a quick wire transfer. Job offers can sometimes mask attempts to access your bank account or launder fake checks written against legitimate businesses.
It’s a nasty and dangerous world out there. Think carefully. Ask questions. Seek a second opinion. Always remember this wise rule: “If it’s too good to be true, it probably isn’t.” And remember, the widow of Nigeria’s former defense minister does not want you to keep $34 million safe for her in your bank account. Really.
Summary
You are responsible for digital interactions and operations taking place using your accounts or on accounts administrated by you. You should work to prevent harm from resulting from any of that activity.
Understanding how criminals—and careless administrators—can put your data at risk is critical to learning how to protect yourself and the users you’re responsible for.
Before engaging in online activity, always try to think through the possible short- and long-term consequences. Is what you’re about to do likely to cause you or others harm?
Reading the privacy policy documents associated with the platforms and services you use can help you understand the threat environment you’ll be using.
Always examine the context of online information: is it part of a reliable website or associated with a well-known institution?
Be aware of the kinds of threats you’re likely to face as you go about your life on the internet. Only by understanding what can go wrong can you hope to protect yourself and the people who rely on you.
Back to the Basics
Understand common online attack behaviors, including cyberstalking, cybermobbing, and doxxing. Cyberstalking involves persistently pursuing an individual’s online and private identity in a threatening way. Cybermobbing is the cooperation of the owners of large numbers of online social media accounts to harass an individual with whom they don’t agree. Doxxers research and then publicize private information about an individual they want to harm.
Understand the kinds of personal data that are the most sensitive and vulnerable to abuse. Your browser history, social media account activities, online ecommerce transaction information, and health records are all categories of personal data that require special attention and protection.
Understand the regulatory requirements for which you and your infrastructure are responsible. Businesses operating in the European Union must conform to the policies of the General Data Protection Regulation (GDPR). The Payment Card Industry Data Security Standards (PCI-DSS), and the US government’s Health Insurance Portability and Accountability Act (HIPAA) are also important standards.
Be familiar with common kinds of digital “social engineering” attacks. Spam describes unsolicited email messages sent with the goal of getting you to respond, usually by purchasing a product of doubtful value. Spoofing misrepresents the origin and sender of the email. Phishing attacks try to get you to interact with a web resource that’s made to look like an actual legitimate site.
Review Questions
You can find the answers in the Appendix.
1 What best describes doxxing?Falsely and illegally directing law enforcement authorities toward a nonexistent crimePublicizing a target’s personal contact and location information without authorizationPersistent and unwanted monitoring and harassing of a targetA coordinated social media attack against an individual involving large numbers of attackers
2 What best describes cybermobbing?Publicizing a target’s personal contact and location information without authorizationFalsely and illegally directing law enforcement authorities toward a nonexistent crimeA coordinated social media attack against an individual involving large numbers of attackersPersistent and unwanted monitoring and harassing of a target
3 As an employer, which of the following are most likely to present legal liabilities for you and your organization? (Choose two.)Threatening comments posted by your employees on your organization’s websiteThreatening comments posted by your employees on their own social media accountsCriminal activity (like cyberstalking) launched by an employee using public resourcesCriminal activity (like cyberstalking) launched using your organization’s website resources (like a technical support forum)
4 Which of the following types of data should generally be considered personal and private? (Choose two.)The browser history on a user’s personal computerOld social media postsA consumer’s purchasing history with an online storeOfficial records of criminal trial proceedings
5 What elements are likely to be included in your “browser history”? (Choose two.)Transcripts of recent text message conversationsPasswords you’ve used for online application authenticationInformation about your computer and software profileInformation about the state of a past website session
6 Why should you be conscious and concerned about any of your personal data that the owners of online services and applications might control? (Choose two.)Because you could be prevented from accessing such information on your ownBecause it might be stolen by third parties and mined for information that might prove damaging to youBecause it might be sold to third parties or used by the services themselves in ways that infringe on your rightsBecause your information might change and updating remote