The digital world is a space where millions of people connect globally, billion-dollar transactions are completed in seconds, and countless interactions take place between individuals from all walks of life.
Five decades ago, before the advent of the internet, the world moved at a snail's pace; it is also beyond doubt that the level of cybercrime was low.
We cannot deny that improvements in online technologies have brought cybersecurity challenges that barely existed before. Continuous sensitisation about cybersecurity risks may seem like an over-flogged topic, but its significance cannot be overemphasised.
According to a February 2018 report by the Center for Strategic and International Studies, cybercrime costs almost $600bn worldwide, about 0.8% of global GDP. Some of us may think we have reached a level where it is impossible to fall victim, but our personally identifiable information (PII) may be compromised without our knowing.
Also, the rise of open-source intelligence (OSINT) techniques means that whatever is publicly available about you can be collected just as easily by good and bad actors alike. For example, a company recruiting over social media can contact you via your email address or phone number because they are publicly available, while a black-hat hacker may use the same details to contact you and extract more PII for fraudulent purposes. While it is beneficial to connect with other users over the internet and social media, it is more important to take the necessary precautions in our online activities.
Below are some techniques cyber criminals use to harvest personal information for malicious purposes:
Data Scraping
Have you ever received spoofed emails or calls from unknown persons trying to phish your data? Chances are your data was scraped from your social media profiles; this does not necessarily mean you were careless with your personal data.
Data scraping is the automated extraction of data from websites, typically without the knowledge or explicit permission of the individuals whose data is collected.
The scraped fields may include email address, phone number, date of birth, current city, employer, and spouse or partner details. In 2019, attackers abused a flaw in Facebook's contact-importer feature to look up the phone number linked to accounts at scale; the resulting dataset, covering 533 million users in more than 100 countries, was posted publicly in 2021. Another data scrape was discovered in mid-2021 when threat actors offered the personal data from 700 million LinkedIn user profiles on the RaidForums underground market.
Information obtained from such scrapes can then be used for targeted phishing, for password guessing and credential stuffing, and as the first step of a ransomware intrusion. While we may not be primarily responsible for our data being scraped, we cannot deny the impact if attackers mount a successful attack with the personal information obtained.
Unsecured Website
Data protection regulations such as the GDPR and the NDPR set out the requirement to protect user data. Yet some websites collect personal information such as your computer's or phone's technical configuration, previously visited sites, IP address, and location.
Cookies are also used to collect information about the user visiting the website; they are tied to your browser and can be traced back to you. Moreover, a website without a valid TLS certificate (still commonly called an SSL certificate) serves its pages over an unencrypted connection, which exposes the user to a man-in-the-middle attack in which a third party can read or alter the traffic.
There are also open-source tools which attackers use to collect data from unsecured websites. The quickest way to spot an unencrypted connection is to check the URL: it will start with http:// instead of https://, and browsers such as Chrome will flag the page as "Not secure". One caveat: https:// only tells you that the connection is encrypted, not that the site is trustworthy; phishing sites routinely obtain valid certificates, so check the domain name carefully as well. Before entering sensitive information such as email addresses, credit card details, usernames, and passwords, it is best to do this quick check.
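The quick check described above, carried a little further than the http/https test, as an added example that is not part of the original article: it parses a URL the way a browser does and flags the common tricks that make a link look safer than it is (plain HTTP, a brand name placed before an "@", a bare IP address, a punycode look-alike host, or a brand used as a subdomain of an unrelated domain). The domains evil.example and the small KNOWN_BRANDS table are constructed for illustration, and the "last two labels" rule for the registered domain is a simplification that is wrong for suffixes such as .co.uk. The tls_certificate_ok helper performs the certificate verification a browser does before showing the padlock and needs network access; the URL analysis runs offline.

```python
"""Quick checks on a URL before entering sensitive data on the page it points to.

Added example for this article; not the author's code. KNOWN_BRANDS is an
illustrative list, and the registered-domain logic treats the last two labels as
the registered domain, which is a simplification (wrong for .co.uk and similar).
"""
import ipaddress
import socket
import ssl
from urllib.parse import urlsplit

# Illustrative brands and the registered domain that legitimately serves them.
KNOWN_BRANDS = {
    "paypal": "paypal.com",
    "facebook": "facebook.com",
    "linkedin": "linkedin.com",
}


def _is_ip_literal(host: str) -> bool:
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def inspect_url(url: str, brands: dict = KNOWN_BRANDS) -> list:
    """Return a list of warning codes for the URL (empty list = nothing odd).

    plain_http           the page is served over unencrypted HTTP
    has_userinfo         'https://paypal.com@evil.example/' trick: the part before
                         '@' is credentials, the real host is what follows it
    ip_host              the host is a bare IP address rather than a domain name
    punycode_host        an internationalised (xn--) label that can mimic Latin letters
    deceptive_subdomain  a known brand name appears as a subdomain of an unrelated domain
    """
    parts = urlsplit(url.strip())
    host = parts.hostname or ""          # lower-cased, userinfo and port removed
    labels = host.split(".")
    registered = ".".join(labels[-2:])   # simplification, see module docstring
    warnings = []
    if parts.scheme.lower() == "http":
        warnings.append("plain_http")
    if parts.username is not None:
        warnings.append("has_userinfo")
    if _is_ip_literal(host):
        warnings.append("ip_host")
    if any(label.startswith("xn--") for label in labels):
        warnings.append("punycode_host")
    for brand, legit_domain in brands.items():
        # Brand text in a subdomain label while the registered domain is someone else's.
        if registered != legit_domain and any(brand in label for label in labels[:-2]):
            warnings.append("deceptive_subdomain")
            break
    return warnings


def tls_certificate_ok(host: str, port: int = 443, timeout: float = 5.0) -> tuple:
    """Connect to host:port and verify its certificate chain and hostname (needs network).

    Returns (True, 'ok') or (False, reason). An expired, self-signed or
    mismatched certificate fails here, just as it would in the browser.
    """
    context = ssl.create_default_context()  # system CA store, hostname check enabled
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with context.wrap_socket(sock, server_hostname=host) as tls:
                tls.getpeercert()
        return True, "ok"
    except ssl.SSLCertVerificationError as exc:
        return False, f"certificate verification failed: {exc.verify_message}"
    except (ssl.SSLError, OSError) as exc:
        return False, f"connection or TLS error: {exc}"


if __name__ == "__main__":
    for sample in [
        "http://example.com/login",
        "https://paypal.com@evil.example/signin",
        "https://paypal.com.evil.example/signin",
        "https://192.0.2.10/",
        "https://www.xn--80ak6aa92e.com/",
        "https://www.example.com/account",
    ]:
        print(sample, "->", inspect_url(sample) or ["no warnings"])
```

An empty list is not a clean bill of health; it only means none of these particular tricks is present. The real defence remains reading the registered domain yourself and, for anything involving payment or login, typing the address you know rather than following a link.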
Malware
While surfing the web, you may have come across an advertisement for software available for free download, or received a crafty email from the supposed Chief Financial Officer of your organisation with an attachment.
Both scenarios are examples of how malware is delivered to our computers.
Files that look legitimate can be deliberately infected with malware, which comes in many forms, including spyware, trojans, worms, rootkits, and bots.
There have been many successful attacks that used malware to compromise systems and assets, for example the AET attack (Amsterdam, 2012) and the USB attack (London, 2011). It has been reported that malware accounts for about two thirds of the world's data breaches, as attackers develop malicious code and tactics to gain unauthorised access to data stored on people's computers and mobile devices.
It is therefore imperative for users to protect the sensitive information on their systems by steering clear of malware.
Are there remedies?
Having considered some causes of data leakage and breaches, below are a few tips for protecting personally identifiable information, both your own and that of the organisation you work for:
1) To limit the damage from a data scrape, leave out personal information that is not explicitly required on your social media profiles, e.g. phone numbers, employer, official email address, and date of birth. This reduces the material an attacker can use to spoof or phish you.
2) Use a unique, strong password for each social media account, enable multi-factor authentication where it is offered, and change the password immediately when you notice any suspicious activity.
3) Use free online services to check whether your email address or phone number has appeared in a known breach. You can do a quick check on haveibeenpwned.com; Social Recon and Goolag Scanner are other tools used for this purpose.
4) As an administrator, ensure that your website is served over HTTPS with a valid, current TLS certificate (free certificates are available from Let's Encrypt) and that plain HTTP requests are redirected to HTTPS.
5) There are free open-source intelligence (OSINT) applications that can be used to assess the exposure of a website if you are unsure about the safety of your information, e.g. SpiderFoot, Screaming Frog, Shodan, and Paliscope.
6) Provide constant training and awareness for employees about cybersecurity and the need for data protection.
7) Tighten your network security with a firewall to block unauthorised access from outside your network.
8) Ensure appropriate security measures have been implemented to protect data, including encryption both in transit and in storage.
9) Install reputable anti-virus software and apply updates and patches regularly, to the anti-virus itself as well as to the operating system and applications.
10) Also configure your anti-virus software to scan downloads automatically before files are stored on your computer.
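Tip 3 above recommends checking whether your credentials have already appeared in a breach. The following added example (not the author's code, nor code published by Have I Been Pwned) shows how such a check can be done for a password without ever sending the password, or even its full hash, to the service: HIBP's public Pwned Passwords range API takes only the first five hex characters of the SHA-1 hash and returns every known suffix sharing that prefix, so the match is made locally (k-anonymity). The endpoint URL, the request headers and the SUFFIX:COUNT response format are HIBP's documented public API; SAMPLE_RANGE_RESPONSE is constructed here so the logic runs offline, and its counts are made up.

```python
"""Check a password against Have I Been Pwned's Pwned Passwords range API without
sending the password (or even its full hash) to the service.

Added example for tip 3 in this article; not the author's code or HIBP's own code.
The endpoint and response format are HIBP's documented public API;
SAMPLE_RANGE_RESPONSE is constructed for offline use and its counts are made up.
"""
import hashlib
import urllib.request

PWNED_RANGE_URL = "https://api.pwnedpasswords.com/range/"

# Constructed sample of a range response: one 'SUFFIX:COUNT' per line. The second
# suffix completes the SHA-1 of the string "password"; the third shows the zero-count
# dummy entries the API adds when padding is requested.
SAMPLE_RANGE_RESPONSE = (
    "003D68EB55068C33ACE09247EE4C639306B:3\r\n"
    "1E4C9B93F3F0682250B6CF8331B7EE68FD8:9545824\r\n"
    "1E4C9B93F3F0682250B6CF8331B7EE68FE0:0\r\n"
)


def sha1_prefix_suffix(password: str) -> tuple:
    """Split the upper-case hex SHA-1 of the password into the 5-character prefix
    that is sent to the API and the 35-character suffix that never leaves the machine."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def count_in_range_response(suffix: str, body: str) -> int:
    """Return the breach count for our suffix in a range response, 0 if absent."""
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        got_suffix, _, count = line.partition(":")
        if got_suffix.upper() == suffix.upper():
            return int(count)
    return 0


def fetch_range(prefix: str, timeout: float = 10.0) -> str:
    """Fetch all suffixes sharing our prefix (needs network). HIBP rejects requests
    without a User-Agent; Add-Padding makes responses a similar size so an observer
    on the wire cannot infer how popular a prefix is from the response length."""
    req = urllib.request.Request(
        PWNED_RANGE_URL + prefix,
        headers={"User-Agent": "pii-hygiene-check", "Add-Padding": "true"},
    )
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read().decode("utf-8")


def pwned_count(password: str, fetch=fetch_range) -> int:
    """Number of times the password appears in known breaches (0 = not found).
    `fetch` is injectable so the matching logic can be exercised offline."""
    prefix, suffix = sha1_prefix_suffix(password)
    return count_in_range_response(suffix, fetch(prefix))


if __name__ == "__main__":
    # Offline demonstration against the constructed response above.
    offline = lambda prefix: SAMPLE_RANGE_RESPONSE
    print("password ->", pwned_count("password", fetch=offline))
    print("Tr0ub4dor&3-unique-xyz ->", pwned_count("Tr0ub4dor&3-unique-xyz", fetch=offline))
```

Call pwned_count with the default fetch to query the live service; any non-zero count means the password has been seen in a breach and should be replaced, regardless of how strong it looks. The lookup of an email address against known breaches on the same site is a separate, key-protected API and is most easily done through the website itself.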
In conclusion, continuous awareness and security consciousness are essential in our everyday cyber-life. In the words of Mark Bouchard (CISSP), a hacker with persistence only has to be successful once, whereas your defence has to be successful every time.
Adedeji Adeboye ACA, ACIB, CISA, CCSP (IS Auditor, Development Bank of Nig. PLC)