October is Cybersecurity Awareness Month. So, here’s your annual reminder of the four ways to keep yourself cyber safe both at work and at home:
And yes, Lt. Cmdr. Michael Cook can feel your eyes glazing over, too. Cook works for CGCyber’s Cybersecurity Operations Center (CSOC), where he spends all day, every day helping keep the Coast Guard network safe from intrusion. “It’s like when everybody clicks through the annual cyber challenge,” he says. “They think none of this will ever happen to them and get complacent. They don’t realize how much of their personal information is already out there.”
To counter this, Cook offered a behind-the-scenes look on why it’s so important to use these simple safeguards and what can happen if you don’t.
Why do I have to keep changing to stronger passwords?
Unfortunately, a vast amount of password information from users is now available out there due to data spills. In fact, for the past six months, Cook says, there’s been an attack going on where bad actors are using stolen passwords from the dark web to try to log into Coast Guard systems.
“We’ve seen thousands of attempts to get into our system using Coast Guard email addresses,” he says. “We see them trying, so our policies block it. But it shows that the adversary is trying to get in. And just because they can’t get into the Coast Guard doesn’t mean they can’t get into your personal network.”
But aren’t members good about protecting passwords?
Not always. This week alone, Cook’s department received 2,100 alerts that members were sending passwords around the Coast Guard. Some were in Outlook email messages; others were posted in a Word document, or Teams chat. “If an adversary were to get into our system, they could see that and take advantage of it to hack into our network,” he says. “And on your home network you’re not going to have DoD-level protection.” Cooks says he gets calls constantly from members whose personal computer or routers at home have been attacked.
How am I supposed to remember all these new passwords?
Cook recommends using a password manager. “That’s a secure way to do it,” he says. “Then you don’t have to worry about it. I use KeePass – which is approved by the Coast Guard. KeePass will generate a password and then store it. KeePass itself is protected by a long password that is secure.” To get KeePass for your workstation, go to USCG Storefront and type in KeePass to request it.
Do I really need to update my software again?
If you think you’re being asked to update your software more often, both at work, and on your personal computer, you’re right. “The reason for all the patches is that the adversaries are finding security holes, constantly,” Cook says. “If your computer is not patched correctly and malware executes, an adversary could get a foothold.”
At the Coast Guard, security tools would block this. Over the last week, for example, 11 Coast Guard users accessed phishing sites, and three downloaded malwares to their computer, but Cook’s team was able to step with incident management, do forensics, and prevent any damage. Even if you have solid anti-virus software, your home computer likely doesn’t enjoy that level of protection.
What about phishing?
Those fake emails that land in your inbox, aren’t tapering off, they’re gaining steam and getting more sophisticated. Phishing emails remain the #1 way adversaries try to gain access to information. Don’t open what you don’t recognize.
At the Coast Guard, you should also report it. About six months ago, a Report Phishing button was added on Microsoft Outlook to allow members to turn these bad actors in. “This goes directly to us,” Cook says. “So, we can act on it and block the domain.” Last week alone, his team received 85 phishing reports.
If you’re not sure the message is phishing attempt, but it looks suspicious in general, there’s also a Report Message button to send that one for review, too.
Why do I need multi-factor authentication?
Multi-factor authentication (MFA) is a multi-step login process that requires more than a password. If you work at the Coast Guard, your CAC essentially provides MFA. But you should also get in the habit of setting up MFA whenever it is offered.
Why? Because it adds another layer of protection. From Cook’s viewpoint, you should just assume that your information or passwords are out there even if you haven’t been hacked. “Just because it hasn’t happened yet doesn’t mean it won’t,” he says. “And wouldn’t you rather have MFA as a check on that, so you get a text or a phone call or before someone tries to get in? This will make it harder for a bad actor to access your stuff.”
-USCG-
Resources:
In the news: