Year of Cyber - Social Engineering

The Uncomfortable Truth. Organisations and people are very prominent targets for cyber attackers. Almost every piece of technology you use has vulnerabilities that leave it open to compromise. Potentially hostile foreign intelligence services are actively targeting organisations – more than ever before. So are very capable cyber-criminals, hackers and others who want to compromise our sensitive information and computer systems. They may attack an organisations information / systems directly, or via their people. Anyone at all in an organisation could be targeted. Such is the extent of the threat that no-one should assume they are not a target – especially not if they work with information that is sensitive. And mobile phones, tablets, home computers and other IT devices are extremely vulnerable. They can be protected to a reasonable degree against cyber-criminals, but a determined foreign adversary could easily break into them. And having done so, it is a bit daunting what they could do. What a determined a cyber-attacker could do to your mobile phone or other personal electronic device: • Look at, take copies of, or delete all your information. • Eavesdrop on all your conversations. • Locate your device and you to an accuracy measured in metres. • Track your movements using your location information. • Activate the camera and microphone without you knowing. • Log every button press or lower security levels. • Infect connected systems (a laptop if the phone is connected via USB). • Turn the device on when switched off. All information is valuable and should be protected appropriately. We must give special protection to information that is classified as sensitive. But you can do a lot to protect yourself. Here are some useful tips to keep yourself safe: • Keep your personal information safe by thinking carefully about what you post online and who might be able to see it. • Don’t post sensitive work or personal information online (especially on open sites or social media). • Don’t download files you’re not sure about, open email attachments or click on links from addresses you do not recognise. • Disable Bluetooth, Wi-Fi, and InfraRed, when they are not needed, to prevent anyone connecting to your device without your knowledge. • Control your GPS access by turning off location information or controlling which services and apps access it - don’t leave it enabled all the time, e.g. linked to your Facebook account. • Keep anti-virus software and security patches up to date and switched on. Reporting The advice in this article underscores the necessity of consulting cyber security experts, such as Cybercentry, for addressing any cyber security incidents in both personal and professional contexts. Reporting concerns promptly to the relevant authorities is crucial for a swift response and safeguarding against potential threats.

Online Fraud – Don’t Be Hoodwinked. We’ve mentioned online fraud in previous articles – social media and phishing. But what is cyber fraud and how can you guard against it? This is the tenth theme in the Year of Cyber articles to help you use cyberspace safely at work and at home. Simple points to remember: 1. Don’t disclose personal details unless you know the person you are talking to or have verified their credentials. 2. Check credit card and bank statements to ensure that correct payments have been taken and no fraud has taken place. 3. Don’t assume others will protect your identity. What is Cyber Fraud? According to the Action Fraud website, Fraud is when trickery is used to gain a dishonest advantage, which is often financial, over another person. Fraud can be committed against a person, business, or an organisation. In Britain fraud costs people hundreds of millions of pounds every year and the costliest type of fraud usually occurs online, through online shopping, online banking, and ID theft. The internet has many online products and services which most people use without issue, but there are criminals who take the advantage of the worldwide web’s anonymity to hoodwink you if the opportunity presents itself. We covered social engineering (through social media) and phishing (emails) earlier this year, but other types of online fraud are: • Baiting. Commonly online this is posting video links to humorous, extreme, or lewd content to tempt people to click on the link which leads to phishing, or malware downloads. • Spear Phishing. Emails that appear to originate from legitimate organisations which contain a high degree of personal information or come from a ‘high jacked' account from your friends or colleagues. • Vishing. Telephone calls claiming to be from a trusted organisation, sometimes automated to get you to type in responses on your keypad to capture identity or financial information. • Smishing. A text message containing links to a false website to get you to input information. • Impersonations. Fraudsters impersonate persons of authority to gather information or gain access to secure areas, or harvest information under the guise of campaigning or conducting a survey. What is the risk? Not only might you lose money against something you pay for but don’t receive, but you might also have unexpected payments taken, even amounting to emptying your account. Your information can also be used to commit identity theft, opening accounts in your name, and destroying your credit rating, or to commit further fraud through posting material which appears to come from you. Clearing up the mess can be very costly and time-consuming. So, what can I do? Fraudsters rely on people to be ignorant of technology and what it can do, so the best defence is to really get to know the capabilities of your mobile device, smart phone, or tablet. Set up the security settings correctly and change default passwords and settings. Be suspicious of phone calls you weren’t expecting, especially from banks or people asking for your financial information – your banks website will tell you what information it will ask you for. It takes two people to terminate a phone call so ring back on a different line or call someone you know and trust first. Be suspicious of any emails you weren’t expecting from banks, credit card companies or other official organisations - especially if they ask for personal information or bank details. Don’t reply to unsolicited emails from companies you don’t recognise. Think about the ‘jigsaw’ effect and your online footprint - can a fraudster piece together information about you by searching across different social media and open-source channels to find an ‘in’? Fraudsters also set up false social media profiles to elicit information from their intended victims, be careful of friend requests, especially friends of friends (a common tactic to gain credibility). Always research any new online retailer you want to shop with or organisation you want to deal with. Look for trusted recommendations, privacy policy, returns policy, company address and telephone contact details. Make sure the website has a padlock symbol in the browser window frame and starts with https:// - the ‘s’ stands for ‘secure’. Always log out of sites into which you have logged in or registered details. Closing your browser is not enough to ensure privacy. As with most types of fraud, if something doesn’t feel quite right, it probably isn’t. If you feel you have been a victim of fraud then contact your bank, building society etc. as soon as possible so that changes can be put in place and transactions stopped. Reporting The advice in this article underscores the necessity of consulting cyber security experts, such as Cybercentry, for addressing any cyber security incidents in both personal and professional contexts. Reporting concerns promptly to the relevant authorities is crucial for a swift response and safeguarding against potential threats.

USB Use – Keep It Clean. The Year of Cyber, we are running a series of articles to help you use cyberspace safely at work and at home. This month we look at USB use – not just USB storage devices but anything else you can plug into a computer’s USB socket. Two simple instructions to remember are: 1. Don’t plug anything into the USB ports of organisational systems, not even to charge them. Only use officially procured devices on systems as this will reduce the risk of data loss and spreading malware. 2. If you find any unaccounted-for USB devices in your workplace you should hand them to your Information Security Officer. What is a USB device? USB stands for Universal Serial Bus – basically it is a standard defining the connection which allows devices to be plugged into the USB socket on a computer. These devices can be memory storage devices (often called USB drives, flash drives or memory sticks) or other devices (such as mobile phones, cameras, and music players) which can transfer data or receive power. What is the Risk? USB drives can hold large amounts of data and are small enough to be easily lost or stolen. While they have been used to remove data from organisations, they are also often used to spread malicious software (also known as malware – worms, viruses etc). Unfortunately, they are difficult to virus-scan properly, so it is difficult to know that they are safe unless they are from a trusted source. Only officially procured USB devices are permitted on organisational systems, to reduce the risk of both data loss and spreading malware. It’s a good idea to be careful at home, too. ‘Free’ USB sticks from exhibitions or other sources might come with unwanted ‘gifts’ of malware. It is not just USB memory sticks that are a problem. Any device with a USB connector can be used to spread malware, even if you are only connecting the device to recharge it. Just inserting the device into the USB socket will start it working. Even the most unlikely-sounding device may present a danger – such as a charger for e-cigarettes. It is also not just computers that can be affected. In one incident a contractor unknowingly used an infected USB on his work laptop. The virus was discovered once the USB was used on the contractor’s internal network and, specifically, on equipment that was used to update software on vehicles. Due to the way in which the software was updated, there was a real concern that the virus could have spread on to the vehicles themselves. An incident like this could have a very serious effect. Sanctions There have been cases where USB devices (such as mobile phones and MP3 players) have been plugged into organisational systems and have been confiscated, even destroyed. The individuals responsible have also been subject to disciplinary action. Given the risk that these devices might pose to an organisation it is sensible to look after these systems – and we are all responsible for maintaining the security of our working environment, including an organisation’s networks and systems. Reporting The advice in this article underscores the necessity of consulting cyber security experts, such as Cybercentry, for addressing any cyber security incidents in both personal and professional contexts. Reporting concerns promptly to the relevant authorities is crucial for a swift response and safeguarding against potential threats.

Home and Remote Working – Are you being careful? Many of us work from home, or other locations, either regularly or occasionally. It can help maintain a good work / life balance, but are there any specific cyber risks we should be aware of? And it’s not just home – what about other remote locations, such as public transport or hotels? This is the ninth in the Year of Cyber articles to help you use cyberspace safely at work and at home. Simple points to remember: 1. We are all responsible for protecting work and home assets, and information is one of our key assets. Report any concerns immediately. 2. Be alert to your surroundings – can anyone overlook or eavesdrop on what you are doing? 3. Take the minimum you need and keep access tokens and passwords separate from devices. Home working or remote working? Remote working is any kind of work done outside your normal place of work – whether you are accessing, storing, processing or simply discussing organisational information. Home working is a specific type of remote working, where you work regularly or occasionally from your home, either because of personal circumstances or because (for occasional home working) you need to concentrate on a specific piece of work. Both remote and home working can offer flexibility to support work / life balance – which helps both individuals and organisations. Organisations encourage flexible working, and provide IT equipment to support it, including laptops and smart phones. Some services and networks, such as organisational portals can also be accessed remotely from personal devices. What is the Risk? Whenever you are working outside the office, there is always a risk that you will be overlooked or overheard. Even small pieces of information can be pieced together and can be useful for an adversary – and working on a document, or talking on the phone, about something which is obviously related to work is often enough to pique the interest of those around you. Even when you are in your own home, overlooking and eavesdropping can be an issue. There have been instances where information has been passed to others by family members who have seen documents or information on a laptop and not appreciated the sensitivity, sometimes with serious repercussions. And what about workmen and other visitors to your house - often they are the reason you may be at home in the first place. Personal devices (smart phones, tablets, laptops etc) and online accounts do not have the same level of protection as those provided by an organisation (although even these cannot guarantee total security), and so should not usually be used for organisational work, except for services specifically designed for use with them. And remember that any organisational information on your personal devices is also subject to release in line with Freedom of Information and Data Protection legislation. There is also an increased risk of malware from imported files, and from equipment being linked to our networks. Last year there was an incident where a contractor picked up a virus from his home PC and spread it using his laptop as he visited different sites. While organisational systems are well-protected against malware, no system can guarantee complete protection against everything, so we all need to be careful. And of course, there is always the risk of leaving something behind – dropping or forgetting documents or devices when you leave the train, café or wherever – or of equipment being damaged or stolen. So, it’s a good idea to check you have everything before you leave a remote location. So, what can I do? Remember that you are personally responsible for securely handling any assets entrusted to you – this includes information. Try not to draw attention to the fact that you are working on organisational information and be alert to anyone showing undue interest in your work – report any concerns immediately to your line manager or Information Security Officer, including loss or possible compromise of equipment or information. Take the minimum of information you need and keep papers and screens out of view from others – use a laptop privacy screen if appropriate – and lock them away, if possible, when not in use. Keep access tokens (e.g security ‘dongles’) and passwords separate from devices, and shut down unattended devices, rather than leaving on standby so that the encryption on them is enabled. Take care that you are not being watched as you type your password in – the normal rules about avoiding being overlooked apply. Use Organisation-provided equipment where possible, but if you must use your personal device then make sure it is patched and uses anti-virus software and firewalls, and is password protected. Remember that email over the Internet is like sending a postcard in the ordinary mail – anyone can read it during its journey. Get Safe Online has good advice to help you protect your personal equipment. Sanctions We are all responsible for maintaining the security of our working environment, including an organisation’s networks and systems. If you put sensitive organisational information at risk, whether at work or through outside activities, you should expect action to be taken against you. Reporting The advice in this article underscores the necessity of consulting cyber security experts, such as Cybercentry, for addressing any cyber security incidents in both personal and professional contexts. Reporting concerns promptly to the relevant authorities is crucial for a swift response and safeguarding against potential threats.

Phishing – would you spot it? Don’t be a victim. Trials conducted suggest that we are not as good at spotting phishing as we think we are. In a survey nearly 90% thought they could spot a phishing email leaving around 10% not sure. However, in a recent exercise 20% failed to spot an obvious one - clicking on the links which could have potentially downloaded malicious software. The cyber hero is an employee, who thought the email looked suspicious and forwarded it to IT Department - all within the first minute. Would you have fallen for the emails? The concern for organisations is that with one in five taken in by this simple phishing email it implies that more carefully crafted are likely to get through. The bottom line: we all need to be more vigilant. Social engineers will try to manipulate us to get what they want. Phishing is one of those ways – and it presents a serious threat to organisations as well as to us in our personal lives. This is the seventh in the Year of Cyber articles to help you use cyberspace safely at work and at home. Simple points to remember: 1. If you think an email is suspicious, at work forward it as an attachment to your IT Department or at home forward it to report@phishing.gov.uk and delete from your Inbox using Shift-Del (so it won’t be in your Deleted Items). If you think you have opened something by mistake, then report it at once. Never reply to spam email. 2. If unsure, don’t click on any links or open attachments. Use Favourites for websites you visit often. 3. Never reply to spam email. Would you have fallen for this? We recently sampled several personnel to get a view of how vulnerable we might be to a phishing attack. While most staff are confident that they would spot a phishing email, the trial showed how easily many are taken in – although being summer holidays a lot of emails were probably unopened. What is phishing? Email is great for communicating, but it can be used to send junk mail (spam) or malicious phishing emails which entice you to give away information or download malware. Social engineers will construct an email carefully to encourage you to act on it. This might be about a parcel delivery or invoice that you weren’t expecting, or perhaps an offer of a discount, or something about a system upgrade inviting you to enter your details. There might also be a degree of urgency – suggesting that if you don’t respond now then your account will be closed, or you will lose a discount. The common thread is to get you to open an attachment (which may contain malware which will then infect your system) or click on a link (which may infect your system with malware, or may ask you to enter your details, including passwords). Unfortunately, phishing attacks can be very well crafted, which can make them hard to spot, and may include logos to make you think they are from legitimate sources (such as HMRC, banks, parcel delivery firms). Or they might use a slight variant of a name – one colleague spotted that an email was from “paypai” rather than “paypal”, which isn’t immediately obvious from a quick glance. Phishing can also be very carefully targeted (“spear-phishing”) using information about you gained from social media or even business cards. What is the Risk? If you enter information on a link in a phishing website, you are giving the information away to whoever owns that website. So, if you enter your bank login and password then the phisher can pretend to be you and empty your account or use the information you have provided for identity theft. Even if you don’t enter any information, simply by visiting the website linked in the email or opening an attachment may result in malware being downloaded on to your device – and in the case of a network this may mean other users are affected, and that the malware can access any information on that network. The risk is serious. There have been some very well-crafted phishing attacks which have targeted employees, as well as more general phishing campaigns. And anyone can be a target – everyone really is in the front line in cyberspace. Remember that no system can ever be completely secure – anti-virus and spam checkers can’t identify everything. Most phishing emails achieve success quickly: the recent trial conducted by the Year of Cyber resulted in several clicks within a minute of the email being sent – too soon for any external reporting to identify the risk. So, what can I do? If you think an email is suspicious, at work forward it as an attachment to your IT Department or at home forward it to report@phishing.gov.uk and delete from your Inbox using Shift-Del (so it won’t be in your Deleted Items). If you think you have opened something by mistake, then report it at once. Never reply to spam email. Were you expecting the email? If it was unexpected and you haven’t ordered anything, treat it as suspicious. If you know the sender, contact them to check it is real. If it is about a system upgrade, have you seen anything about this on the Internet? Does the email ask you to disclose information? Are any links what you would expect? Are they to external websites? Could they be misleading in some way? A common ruse is to put the purported sender somewhere within a website address, so it looks plausible but not quite right. Alternatively, hovering over an address with your cursor might show that what you see in the email is not the same as the actual address it will take you to. Avoid clicking on links in emails - use Favourites for websites you visit often. If it sounds too good to be true, then it probably is. Are you being asked for more information than you would expect to get that discount? Don’t make purchases or charity donations in response to unsolicited spam emails – they can be scams. Never reply to spam email – that confirms that your email account is live and may result in you getting more spam in the future. Don’t enter organisational usernames or passwords on external websites and take care with the information you give out on social media or at events. Remember that you are personally responsible for securely handling any assets entrusted to you – this includes information. If you have any concerns or think you may have been the target of a phishing email, then report any concerns immediately to your line manager or Information Security Officer, including loss or possible compromise of information. Get Safe Online has good advice to help you protect yourself against phishing. Reporting The advice in this article underscores the necessity of consulting cyber security experts, such as Cybercentry, for addressing any cyber security incidents in both personal and professional contexts. Reporting concerns promptly to the relevant authorities is crucial for a swift response and safeguarding against potential threats.

Social Media – Don’t Be An Easy Target: Think Before You Post. Social media applications enable us to share information and exchange ideas online, and to keep in touch with friends and family. They are also used increasingly by organisations for informing the public and other stakeholders about their work and as in-house collaboration tools. This is the seventh in the Year of Cyber articles to help you use cyberspace safely at work and at home. It’s the longest article so far, but this reflects the place social media has in many of our lives and the real benefits it can bring – and the risks if we don’t think before we click. Simple points to remember: 1. Follow the same high standards of conduct and behaviour online as would be expected in the workplace. 2. Think before you share online – could you be giving away information which could impact on personal security? 3. Be careful about contact and friend requests – are you sure who they are? What is Social Media? Social media takes a variety of forms which allow you to share information, images, and videos. You will probably think of Facebook, X, YouTube, LinkedIn and maybe even Instagram when we talk about social media, but it also includes forums such as Mumsnet - these sites cannot be accessed from an organisations system. All these offer external routes to share something you think is useful with connections or the wider world. Organisations are increasingly adopting social media internally, to keep individuals in touch with the professional communities of practice or interest relevant to them. But this article focuses on external social media, both general and sites focused specifically on the audience. What is the Risk? The success of social media in bringing people together also creates risks. It’s a fair bet that hostile actors can access all the main social media networks and will be actively searching for information posted by people connected with organisations. Social media sites also attract unscrupulous people who are more than happy to circulate embarrassing or personal information about you. And there are also criminals who will try to use information gleaned from social media sites to con you, steal your money/identity, or attack your computer. So, the bottom line is - Think about what you are posting. Is it sensitive? Could it be useful to an adversary? Could it be misinterpreted? Would you want your line manager or your close family seeing it? It is very difficult to remove information once posted. Get Safe Online advises against disclosing personal information in your profile or posts – such as phone numbers, pictures of your home or workplace, your address or birthday. These could be used for identity theft or abuse like cyberstalking or bullying, and do you really want to advertise where your empty house is when you go on holiday? The risks can be more serious as inadvertent posting can give away organisational information. Examples include information relating to a planned rollouts being found online, despite the details being SECRET, and inappropriate images which could cause serious reputational damage both to the individual and to organisation, as well as breaches noted in the Press. Even tiny bits of information, innocuous on their own, can be assembled into a detailed intelligence picture by a capable adversary – so don’t give them your piece of the jigsaw. Who are you sharing with? It’s said that on the Internet nobody knows you are a dog – are you sure that friend request is really from the person it claims to be? Information posted on social media can also be valuable to those creating phishing attacks by giving away information on your interests or places you visit – they can then target you with emails tailored to your interests or to travel details, and the more tailored a phishing email is, the more likely it is to succeed in getting you to give away further information or unintentionally download malware. This can affect you at home at a personal level and at work as a way for an attacker to gain entry to organisational systems. This is a real problem – a recent study into personnel use of social media found evidence of risky online behaviours, including bypassing official protocols, and discovering alternative ways of connecting and communicating through social media using different mobile devices. With 80% of personnel who responded to the study using Facebook, these behaviours, and the different levels of understanding of the significance of social media present a real risk to organisations. So, what can I do? You wouldn’t invite a total stranger you have just encountered on the street to have free run of your house, so why do it online? Putting sensible bounds on who can see your information will help to keep you safe in the same way as closing the windows and locking your door – you can’t stop a really determined thief or attacker, but don’t make it too easy for the casual thief. Think before you share. Use your common sense: think about what you are posting, who you are sharing it with and whether it could be misinterpreted or misused. Just because colleagues use a site, or it is focused on professional connections (such as LinkedIn), that doesn’t mean it is secure – so be particularly careful about giving away clearance and sensitive career information. When accessing social media from overseas, anything you post could potentially be intercepted by hackers. Check your settings. Make sure your privacy settings are set to ensure only your friends can see your social media pages – check the safety pages on the social media site to find out how. And check these settings regularly. Be aware of what your family and friends post about you and highlight the need for good practice to them. Remember – what goes online stays online – it can be very hard to remove. Sanctions We are all responsible for maintaining the security of our working environment, including an organisation’s networks and systems. Action is taken against people who put this at risk, including through inappropriate posting on social media sites. Reporting The advice in this article underscores the necessity of consulting cyber security experts, such as Cybercentry, for addressing any cyber security incidents in both personal and professional contexts. Reporting concerns promptly to the relevant authorities is crucial for a swift response and safeguarding against potential threats. Facebook: Privacy and Safety Instagram: Privacy and Safety LinkedIn: Privacy and Safety X: Privacy and Safety YouTube: Privacy and Safety Snapchat: Privacy and Safety

Malicious Websites – What to look out for? We all use a range of websites every day, whether finding information for work or checking the news, shopping, or banking at home. Most of these are perfectly trustworthy, but what about those that aren’t? Simple points to remember: 1. Avoid clicking on links in emails unless you are certain the message is genuine. Use Favourites for websites you visit often and use reputable organisations wherever possible. 2. Don’t enter sensitive information unless you’re sure you are on the right website – and that it is secure. 3. Keep your anti-virus up to date at home so that it can help reduce the risk of downloading malware. What do you mean by a malicious website? Most of the people we know are trustworthy. But unfortunately, we’ve all met some people who aren’t – the sort who seem nice to your face and then say something else behind your back, or those who would trick or even steal from you. And that’s pretty much the same with websites – most are fine, but some are out to trick and steal from us. A malicious website looks like any other but is either a tool for getting information from you directly (your bank login details, for example) or for putting some malicious software (malware) on your system to steal your information or take your system over for someone else’s use (often to send spam). A common way of encouraging you to go to a malicious website is through a link in a phishing email, so never click on a link unless you are certain it is correct – it’s far better to type links into your browser to ensure you are going where you want to (or use your usual search engine or Favourites). What is the Risk? Malicious websites will either capture your details (and use these for social engineering, identity theft or fraud) or will install malware on your system without you knowing. The malware might be a keystroke logger (which reports back everything you type) or might start searching your system, or the whole of the network you are using, and send interesting files to an adversary. The consequences could be very severe. While some networks will block access to many sites which are potentially dangerous, it can’t identify all malicious websites, as more are springing up all the time and new malware is constantly being developed, no system can guarantee to protect against everything. So, it’s up to all of us to be vigilant – to think before we click. Alerts are raised when users view inappropriate content on some networks and recognised malicious software attempts to download on to the user’s computer. Networks blocks access to many of the websites which typically contain malware, such as gambling and pornography websites which will download as users click images and links. But it’s not only inappropriate sites which can host malware – in November 2013, the popular humour site cracked.com was compromised with a malicious JavaScript insert that would force a download of a malicious document. Fortunately, some networks were protected in this case by several technical measures, but these can’t always be relied on 100% as the threats become ever more sophisticated. At home, the consequences of identity theft or fraud can be serious, and an attacker might take over your system to send spam or commit further fraud and attacks. As noted above, it’s best to avoid high risk sites like gambling and pornography sites. Also beware of scams, like bogus charity sites – often set up during well publicised disasters like famines and earthquakes) – Get Safe Online has excellent advice on donating safely to charities online to help you ensure your money goes to the charity you want to give it to, not to fraudsters who might use your information for identity theft, and the bogus website itself may host malware. So, what can I do? To check the links in emails, hover over the hyperlink to check the actual address (shown when you hover over) is the same as the hyperlink shown in the text. It is generally good practice to avoid clicking on email links and instead type links into your browser or use your usual search engine – or use your Favourites for websites you visit often. And avoid entering personal or other sensitive information into websites unless they are secure (address shows “https:” rather than “http:”). Use your common sense. Does the website look strange in any way? Is the URL spelt correctly and what you expect it to be? If you right-click a hyperlink and select “Properties” you will see the real destination of any hyperlinks on the site – are these what you would expect? Is it offering you something that seems too good to be true? (If so then it probably is.) Is it asking for more information than you would expect to have to give? Finally, don’t click on pop-up messages, even if they are telling you your computer may have a virus – this is a common ruse used by malware authors to get you to reveal your credit card numbers or even to download malware. Sanctions We are all responsible for maintaining the security of our working environment, including work’s networks and systems. Action is taken against people who put this at risk, including through inappropriate web browsing – and where that browsing is also illegal it can lead to prosecution. Reporting The advice in this article underscores the necessity of consulting cyber security experts, such as Cybercentry, for addressing any cyber security incidents in both personal and professional contexts. Reporting concerns promptly to the relevant authorities is crucial for a swift response and safeguarding against potential threats.

Who are you? Passwords – the key to your identity. Passwords are commonly used to prove your identity to your computer and to a host of other applications. That means that getting them right – both memorable and secure – is important. This is the forth in the Year of Cyber articles to help you use cyberspace safely at work and at home. Simple points to remember: 1. Use strong passwords (using 3 random words). 2. Protect passwords - never share them or leave them where they can be found. 3. Frequently changed passwords often lead to weaker, reused passwords, compromising security. What is a password? Okay – I know you already know the answer - passwords are those strings of letters and numbers that we must use to log on to our computers, and on to a host of other applications at work, and banking and social media at home. But what are passwords? Passwords are the most usual way to provide your identity on a computer system – the technical term is authentication. As humans, we recognise our friends – so effectively seeing their face or hearing their voice is often enough for us to know who someone is. But if you don’t know who someone is, you might ask for proof – possibly their passport or their security pass, depending on the circumstances. Basically, your username is your means of saying “it’s me” to the computer, and the password is your proof that “this really is me” (like your passport). If you think about a password this way you can see why they are important, even though they might sometimes seem a nuisance. Why so many passwords? Think for a moment about your house, your car or bicycle, the locker you use at the gym, possibly even a desk or cupboard at work. They all have keys - different keys. Some, like your house, have complex locks and keys that are hard to break, others don’t – it depends on the impact of someone else getting the key. Passwords are the same – some need to be secure, others less so. It depends on what the password is protecting and the impact of someone “breaking in”. You wouldn’t have the same key for your house, car, and desk, as anyone who got one of your keys could then open all of them. It’s the same with having different passwords for different applications. That said, it is frustrating to have to log on separately to different services at work and at home, so a single sign-on solution to support Identity and Access Management (IdAM), should be used. What is the Risk? If you use weak passwords, or the same passwords for different applications, it makes it easy for people to impersonate you. Depending on the system and application, they might be able to access sensitive information (emails or staff reports, perhaps), send emails in your name or access your bank account. Good passwords, that you keep secure, can help to protect you against fraud and identity theft. Passwords also need to be something that can’t be easily guessed. So, anything about you, as well as ordinary dictionary words, are out, unless you can combine them in more secure ways. Criminals can easily run searches of dictionary words, and of common phrases (including celebrity names, films, and TV programmes) and even foreign words. Anything that might be easily known about you (including from your social media profiles) is also easy for them to find. So, you might love your dog, or be a committed football fan, but “Rover”, “GoldenLabrador” and “ManchesterUtd” would not be very good passwords. But there’s a balance – good passwords don’t have to be impossible to remember. Misuse really does happen. In one example, an employee received a warning after leaving their user login and password details in an unlocked desk while they went away, and the login had then been used by another person to access inappropriate websites. Only evidence that the employee had not been in the country at the time of the breach prevented further action being taken against them. So, what can I do? System Administrators enforce good passwords by offering consonant-vowel-consonant triplets with numbers. If you need to write them down in full then remember that they must be marked at the highest classification level allowed on the relevant system and kept in an appropriate secure cupboard. A better idea, if you need a written record, is to write them in a private ‘code’ others would be unable to guess and protect this suitably. Alternatively, think of ways to remember them by making the triplets into words to tell a story – e.g “yog” could suggest yoghurt, or a youthful old granny! (This is the same technique of creating a story used by those performing memory feats.) Make Them Hard to Guess. New guidance from the National Cyber Security Centre (NCSC) is to use three random words, although you can use numbers and special characters if you wish. Avoid words or anything that might be associated with you. So, a proud dog owner might want to consider something more complex, perhaps an image of a Rover chasing a ginger cat down Oxford Street, and take the first 3 letters of "chasing", "ginger" and "oxford" to give "chaginoxf" Never share passwords – if someone has a legitimate reason to do something, they should have an account set up to allow them to do it. Giving them your password is like giving them the keys to your house when you aren’t there. If you need to give a colleague access to an email account, then do it through proper mailbox delegation. Also, helpdesk staff never need access to your password, so be very suspicious of anyone who requests it. Take care that you are not being watched as you type your password in – the normal rules about avoiding being overlooked apply. Reconsidering frequent password changes is advised, as it may lead to weaker security practices. Emphasis is now on strong, unique passwords and multifactor authentication (MFA) to counteract sophisticated cyber security threats, moving away from routine password resets unless a compromise is detected. And don’t leave them where they can be found – so not on sticky notes under the keyboard, or in your notebook. Get Safe Online has good advice on protecting your passwords at home – including making sure you don’t use administrator accounts on your home PC for routine access, which will help to protect you from the effects of malicious software. Sanctions We are all responsible for maintaining the security of our working environment, including an organisation’s networks and systems. Action is taken against people who put this at risk, including through password misuse. Reporting The advice in this article underscores the necessity of consulting cyber security experts, such as Cybercentry, for addressing any cyber security incidents in both personal and professional contexts. Reporting concerns promptly to the relevant authorities is crucial for a swift response and safeguarding against potential threats.

Location Services – What are you telling them? Mobile devices and social media are great for finding restaurants and other facilities near you, and there are apps which help record your fitness activities, as well as the value of sharing photos with family and friends online. But are you sharing more than you intend to? This is the third in the Year of Cyber articles to help you use cyberspace safely at work and at home. Simple points to remember: 1. Think about what you are posting online and review your privacy and security settings regularly. 2. Follow the rules for wherever you are – such as not using mobile devices. 3. We are all responsible for protecting all work and home assets, including information. Report any concerns about information you find online immediately. What are location services? In short, anything with location data attached to it – so obviously apps which show directions from where you are, but also digital photographs, fitness and online dating apps, some aspects of social media and even mobile games. And the list goes on… Mobile devices “know” where they are by using Global Positioning Services (GPS) – that’s great for apps which help you find your way around, but there can be a downside if you don’t think about what you are posting and where you are checking in. Photographs from mobile devices like smart phones, for example, include metadata which describes where and when a photograph was taken and even what device it was taken with. It’s the digital equivalent of the captions we used to put in photograph albums or write on the back of the print (e.g “London Bridge, 17 August 2023”) – except that it’s automatic, so you don’t need to do anything, and more precise, so it records exactly where you were when you took the picture. Fitness apps like Strava and MapMyRun will track your progress in training, identifying where and when you have cycled or run, and how you have performed against previous rides or runs – and how you have performed against others. And of course, there is the option of “checking in” at wherever you are to help your friends know where to find you. All these are examples of what is called “geotagging” – attaching location data to what you are doing. What is the Risk? Publicly announcing where you are presents obvious risks to personal security. While you may be happy for your friends to know, unless your social media profiles are protected then anyone can see it, and you could be cyberstalked. And when you check in to that restaurant in Leeds or post the photos you took on the beach in Blackpool earlier today (and the metadata will give the date), then you might be unintentionally telling a thief that you aren’t at home (and are unlikely to be tonight). Pattern of life information can also be gleaned from checking in and fitness apps if you visit the same bar every Thursday evening or run the same route every Tuesday lunchtime – and if your run starts and ends at a work location then anyone (including those with ill intent) would probably be right in guessing you have a connection with the company. There have been recent occasions when information on Strava.com not only showed routes starting and ending at companies, but also linked to personnel profiles and even to a running club which listed its members (with photographs). This presents a clear risk to personal security. So, what can I do? Think about what you are posting, including what you might be giving away inadvertently. Review your privacy and security settings for all sites and online apps and don’t link everything back to a single social media profile (e.g your Facebook page). Don’t assume that others want their details made public – this might be colleagues, club members or even family – and don’t check them in or post their details without permission. Turn off the GPS facility on your device when you don’t need it. Consider where you might be giving away pattern of life information that could put you or your colleagues at risk. Keep to any rules about not using mobiles devices or cameras at specific locations – the rules are there for a reason. Remember that you are personally responsible for securely handling any assets, including information, entrusted to you. So, think about the potential impact of information about work and home assets, including images and location data. Get Safe Online has good advice to help you protect yourself against cyberstalking and an informative blog about keeping safe on social networking and with location services. Reporting The advice in this article underscores the necessity of consulting cyber security experts, such as Cybercentry, for addressing any cyber security incidents in both personal and professional contexts. Reporting concerns promptly to the relevant authorities is crucial for a swift response and safeguarding against potential threats.