WHAT WILL PREVENT YOUR BUSINESS EMAIL FROM BEING COMPROMISED?
We have talked a lot about the dangers of phishing emails. For those who may not know, these are malicious emails that are used by hackers and scam artists. In fact, they are one of the most common ways in which businesses and individuals get hacked every day. Thankfully, there is some good news to tell! Phishing emails and the like are actually not that hard to defeat. Let’s go over a few simple tips that, if followed, can greatly reduce the risk. There is no way to completely remove the risk of email hacking, but we can bring it down to a tiny minimum.
1. EMPLOYEE EDUCATION: LOOK BEFORE YOU CLICK
This is where we should begin because this is where many hacking attacks begin. The malicious actor will create an email that looks like something normal and legitimate. For instance, they might make it look like a message from Paypal, advising you to log in and check something on your account. Unfortunately, the link will take you to a fake page. This fake page will also be disguised as the real thing and will prompt you to enter the desired information.
Obviously, once the hapless victim enters that information, it’s game over. The hacker will use a keylogger (a program that records every stroke of the keyboard) to capture all that login information. Some of the more sophisticated ones can even simulate multi-factor authentication, allowing them to capture that info as well.
The first thing you need to do is educate your employees and make sure they are aware of this threat. They should never click on embedded links from an email, and attachments aren’t really any better. Before you respond to an email, you need to look at several things. If you hover over the link with your mouse, it will tell you exactly where that link goes. One close look should be enough to tell you if it’s going to a legitimate site. For instance, in our hypothetical Paypal scam, you would not click on the link because you can see that it isn’t going to take you to paypal.com.
USE A SANDBOX ENVIRONMENT FOR TESTING
The advice given in the previous section may seem too simple for some people. Such people are probably wondering: “What about the cases where things aren’t so obvious?” Certainly, there are some cases in which it might be hard to tell a fake email from a real one. If you run into one of these difficult cases, your best solution is a sandbox environment.
A sandbox environment is a virtual system existing within your physical system. For instance, some people use it to run more than one operating system on the same computer. It takes hard drive space and converts it into “virtual memory,” which does the same thing as RAM without having a physical presence. These environments make the best testing grounds for suspicious programs, attachments, or links.
To do this, you would start by opening up a virtualization program (like Sandboxie, Virtualbox, or something similar). You can either select a pre-configured OS or load one from a disk, but we would recommend using an OS that is pre-configured to be exactly the same as your real one. That way, you can eliminate another variable and get a surer conclusion.
Once everything is loaded up, you just open the browser, go to your email, and open the suspicious link/attachment. This is followed by a complete diagnostic of the system, including viral scans and other security sweeps. If the file is contaminated or corrupt, you simply delete the virtual system, taking the contamination down in the bargain. The loss of this virtual system doesn’t matter because you can easily make another one within minutes. Of course, it is very important to make sure that your virtual system is properly isolated from your physical one.
BEWARE OF UNSOLICITED IT CALLS
Boobytrapped links are not the only way in which hackers can steal your information. Many cybercriminals will choose to forego the email phishing and concentrate on “social engineering.” This is a term that hackers and cybersecurity people use to describe the act of tricking a user with an elaborate deception.
One good example of a social engineering hack would be the phenomenon known as “vishing,” which is basically like email phishing. The difference is that vishing uses vocal communication rather than an email or text message. The cybersecurity section of the DHS recently issued an alert about these kinds of scams.
Most of the time, these malicious criminals will stalk a person on social media, learning as much as possible about their personality and habits. Then, they use that information to contact that person (usually by phone) and gain their trust. In most cases, they will pretend to be members of your company’s IT department and will try to trick you into clicking a tracker link or entering your private info.
For this reason, you need to make sure that your employees can recognize a legitimate IT call. Here’s one way to get it done: Whenever your IT people call an employee, they should give an identification code. The employee should then be able to call or message the IT department and verify that the caller is legitimate. Obviously, that ID code should be changed on a daily basis and should never be posted online.
MAKE YOUR EMPLOYEES USE STRONG PASSWORDS
As we have already explained, hackers will sometimes use very complex and elaborate methods to ensnare their victims. However, they don’t always have to do that. If you use a weak password, they can use a “brute force” attack to bypass your security and obtain your username/password in minutes. In the end, the only way to defeat this method is by using strong passwords.
Brute force programs work by making many failed guesses, learning a little bit from each one. After a while, they can decipher the whole phrase, but it’s not always practical for people to hack you in this way. If your password is sufficiently strong, it could take months or even years for a brute-force program to decipher. That doesn’t prevent hackers from using social-engineering-type methods, but at least we can defeat the brute-force programs with ease.
So, what constitutes a strong password? Well, it should be 19-20 characters long, should have both uppercase and lowercase letters, and should contain some numbers and symbols along with its letters. In addition, some people choose to invent new words that do not exist in any language. If you have the creativity to do this, it is the best way to defeat brute-force attacks. Those programs can only search for known words, so using a random nonsense word like “Xoxylpixylkaflop” is really going to confuse them…and that’s a good thing!
For a password to be strong, it must also be unique. If you are using the same passwords for multiple sites/accounts, you should stop doing that immediately. Hackers know that people don’t like remembering large numbers of passwords and that they will often re-use the same ones. Thus, all they have to do is compromise one of those accounts, and they have access to everything. Not all computer systems are equally secure, and you often don’t know how secure they are until it’s too late. Thus, to be on the safe side, you should never use the same password twice.
EMPLOY STRONG ENCRYPTION
No primer on email security would be complete without a few words on encryption. In spite of how old this method is, it has proven to be one of the most effective ways of securing a computer or network against intrusion. The structure of encryption is such that it is theoretically impossible to break.
Encryption might also be described as “data jumbling” because that’s how it works. Behind the shiny veneer of your operating system, all the data on your computer actually consists of 1’s and 0’s. This basic form of data, known as binary code, is the very basis of all computer science. The code acts as a set of instructions that tell the computer what to do…so, what happens when you mix all those numbers into a jumbled mess?
The answer is simple: You get a computer that won’t boot up or do anything. Now, here’s the clever part: The computer can only decrypt (i.e., reconstruct) the data by using an encryption key. However, that encryption key is not stored anywhere on the computer. Instead, it is generated from the password. That means your computer is simply not capable of accessing that information without your password.
There are three ways in which you can deploy network encryption. First, you should be using a browser add-on called “HTTPS Everywhere.” It will take advantage of the internet’s native encryption protocols, using them wherever possible. Second, you should acquire a good VPN service. A VPN uses encryption like a wall and uses those walls to create a “tunnel” between you and the rest of the internet.
For a third option, you should use an encrypted email service (Protonmail is a popular one). This will add an extra layer of protection to your emails, and we have already seen that emails are a common route of attack. As long as you don’t give anyone your password, and as long as your password is strong, these encryptions are very unlikely to be cracked. You can also do full-disk encryption on machines that contain sensitive data (Encrypting the whole hard drive), as this is very effective against physical intrusion.
HARDEN YOUR ROUTER
Once your computers are protected, you need to think about other avenues of attack. One of these is your router, which acts as a gateway between you and the rest of the internet. Thus, if someone can infect the gateway, they don’t even need to hack your personal machine. At the very least, they will be able to learn more about your setup and plan their attack more precisely.
All networks have an SSID (service set identifier), which basically functions like a username. Most of the time, your router will already have an SSID from the manufacturer, so you want to change that immediately. This will make it so that an intruder is not able to figure out the make and model of your router. You might also need to update the router’s firmware, and that isn’t always an easy task.
USE MULTI-FACTOR AUTHENTICATION WHEREVER POSSIBLE
Although this one isn’t all that effective, it is another layer of security that can prevent an intruder from gaining illicit access. In case you aren’t familiar with the term, this is an identification process that requires you to confirm your identity in more than one way. For instance, you might use email verification combined with phone verification. Temporary access codes are sent to your email address and/or phone number so that the user can verify receipt of those messages.
That authentication process might be a little bit annoying, but it is absolutely necessary. Without it, most accounts can be hacked by using a simple trick. Here’s how it works: They start by finding out your username. Once they have that, they can go to a login page and request a password reset. The system will not know that they are an illegitimate user. If they are then able to gain access to your email account, they will be able to reset your passwords and gain access to every account you have.
When it comes to protecting your business emails, you can and should go to extremes. Email hacking represents the single easiest way for your company to suffer a data breach, and we could give you examples of that fact all day long. However, one simple internet search will be enough to show you just how many unfortunate companies have fallen prey to these scams. Still, we hope that you will not be one of them. If you follow the advice given in this article, you will be harder to hack than 90+% of the world’s population, so read well and learn well. If you need any further information, you can contact PCH Technologies at (856) 754-7500.