11/10/2022 by Safepath
Norwegian security month
Safepath takes Cyber Security seriously.
The security month is part of the EU's information security agency ENISA's annual European campaign called Cyber Security Awareness Month. This year's campaign is about "ransomware" and "phishing", and how to avoid these types of attacks.
Safepath takes everyone's safety and security seriously, internally and with customers and partners. In August 2022, we employed Rolf Rødahl in the position of Cyber security supervisor with the executive responsibility for cyber and information security in Safepath.
Why is security important for Safepath?
All businesses and individuals want to protect their own and other people's values, whether it is in the form of a life, money or perhaps even a valued photo album. We practice fire safety, use seat belts in our cars and lock the bike. However, we also need to remember similar security measures when we use the internet, in order to protect our values there too! In October, Safepath and other businesses will put an extra spotlight on cyber security and how to protect your own, the company's and other people's values on the internet.
What is Cyber Security?
Cyber security is a collective term for data security and information security and refers to the security we apply when we use our computer, tablet or mobile phone. But cyber security can’t be limited to this “definition” because more and more of what we buy and use in our daily lives can be controlled by an app or is somehow connected to the internet.
None of us will ever reach a point where we are totally secure; we will never be good enough, and security is never easy. This is something we need to realize before it is too late. Security and cyber security are about protecting yourself against something that might happen, and therefore it is often difficult to see the value of these types of countermeasures until you suddenly need them. By then it is usually too late.
How can a cyber-attack affect you and your business?
If we really simplify a cyber-attack, it can be divided into two phases: an initial attack, followed by a subsequent attack. The initial attack is intended to gain access to your devices, user accounts, passwords or other data. It can use several different attack techniques, such as phishing, "spear phishing", "hacking", "brute force" or a "watering hole", to name a few. Simply put, an attacker needs a way into your systems and often tries to use social manipulation, such as pretending to be someone else, or other known or less known vulnerabilities, to carry out the initial attack. This initial phase alone can be harmful and give an attacker access to much of your data, but often the attacker will follow it up with a subsequent attack that can be disastrous for you and/or your business. The intention of the subsequent attack is to carry out harmful actions such as encrypting, retrieving or deleting your files. The subsequent attack can come in the form of techniques such as a ransomware virus, which will potentially make your company's data inaccessible until a ransom is paid. This will possibly have greater consequences than if a random attack were to happen to you as a private individual.
Phishing is, as we have previously discussed, a method of launching an attack against you or your business. The word comes from fishing and can be visually explained by imagining fish being caught in a fishing net. A typical phishing attack would involve an attacker sending out thousands of emails containing malware or attempting to obtain usernames and passwords. The attacker then hopes, as the fisherman does, that as many fish as possible end up in the net. Out of the thousand emails, the attacker would usually be more than satisfied if one person falls into the net. This method of initial attack is very widespread, and thousands of random and targeted attacks are carried out every day. It is difficult to say with certainty who is behind such attacks, due to the large number of attacks every day. Phishing is a highly effective method used by organized crime, intelligence agencies and investigators, as well as bored teenagers. The attacker often wants you to trust him or her as someone you know, or as an acquaintance you may have a natural trust in, such as Apple, Microsoft, Facebook, FedEx, PayPal, DnB or the Norwegian postal service, to name a few. The attacker then sends out an email or text message (usually to thousands at once) and asks you to click on a link to, for example, cancel an order from Apple, even if you haven't ordered anything. What the attacker wants is for you to go to the attached link and either fill in your username and password, or for something to be downloaded onto your computer, tablet or mobile phone. If the attacker succeeds, and a file is downloaded or a username and password have been entered, it can be said with a high degree of certainty that the attacker has access either to your entire system or, for example, to your Apple ID.
Ransomware is a type of malicious software that an attacker can use to lock/encrypt, steal or delete all or part of the content on the infected device (mobile or computer). The purpose of this type of attack is to prevent you and your business from using the IT (or OT) systems, so that your business feels pressured to pay the ransom to get out of the situation. You must obtain the "key" to unlock the content, or the content itself, from the attacker. Unfortunately, the problem is that they usually want to be paid to do this. In addition, an attacker can threaten to publish sensitive information such as personal data or photos online if the ransom is not paid.
Ransomware is a growing problem. The authorities constantly warn businesses and private individuals to expect such attacks, especially at times when the business is extra vulnerable, for example at weekends or on public holidays, when there is usually a reduced level of preparedness.
How do I protect myself and my business on the internet?
So how do you protect yourself against phishing, ransomware, initial attacks, subsequent attacks and the whole rest of the jungle of threats you can encounter on the internet? As previously mentioned, the attacker must use a chosen method to gain access to your computer equipment. If you manage to minimize the chance that the initial attack will succeed, by using password hygiene, software- and hardware updates, antivirus, network monitoring, etc., you are already well on your way to increased security. Increased knowledge regarding cyber security is also one of the most effective and important measures to increase safety. Below we have listed some specific tips on how to avoid attacks and how to react if an accident occurs:
Keep apps, programs, computers, tablets and mobiles up to date
All the tech giants are more than interested in keeping you as a customer for their hardware and software. Therefore, they will do everything in their power to ensure that their products don’t contain "vulnerabilities" that can be exploited by an attacker as a way into your mobile or machine. Updates to the products are therefore sent out regularly. But these updates will only work if the person controlling the machine or mobile updates their device or software. If you are an administrator for servers or several computers, you should establish automatic, forced updating.
Take control over your user accounts and enforce strong passwords
Do you have any idea how many different places you have registered a user account? Many user accounts were created several years ago and haven't been used since. If such an "unimportant" account on a forum or an online store is attacked and breached, it may not qualify as a crisis for you, but if you think one step further, it can quickly get worse. For example, the attacker can gain access to your username (email), password and address, to name a few things. If you have the same username and password in several places, those accounts are also at risk because of the information exposed from the unimportant account. Maybe you even have the same password on your e-mail account?
We truly recommend that everyone has good "password hygiene". This simply means that you should have strong passwords, preferably over 12 characters, with upper- and lower-case letters, numbers and special characters, and that you don't use the same password for more than one account. Many people find it difficult to come up with such passwords, so it is recommended that you combine words that have no connection, for example "Båt Papirark Drinkingbottle". Perhaps most cases of this type of account breach are harmless on their own, but if an attacker takes control over several at the same time, they can piece together personal information, addresses, payment and card details, etc., which exposes you to ID theft, for instance. If your account can use "multi-factor authentication", this is also highly recommended. In Safepath, all employees use a "password vault" to create and store usernames and passwords. In this way, we have control over which accounts we have, both as a company and as private persons. The password vault creates good passwords and simplifies the login process.
If you want to learn more about passwords, we recommend reading the Nasjonal sikkerhetsmyndighet’s password advice: https://nsm.no/aktuelt/passordrad-for-personer-og-virksomheter
Don't put all your eggs in one basket
An old expression, but it holds up very well. Before anything else, start a backup of your and your company's most valued files. If there is a lot to back up, you will want to store these backups or files in several places that are not connected via the internet. The reason for this is that you want to prevent the information from disappearing for good due to a ransomware virus spreading to both your system and your backups at the same time. You can do this by using cloud backup, or even by storing the most important and most sensitive things without internet access on an external hard drive or memory stick. This will ensure that you have access to this data in the event of an extensive cyber-attack.
Stop, think, click
Ask yourself: was I expecting this email or SMS? Does the sender or phone number seem unknown? Does the sender trigger emotions such as stress and fear? Does the sender want you to click on links or even enter personal information? If so, it might be a good idea to take a minute and look over the content again before possibly clicking. Also, never forget that it is OK to ask for help.
Another problem you see is links that are sent back and forth. Did you know that it is possible to shorten links? YouTube and Google do this automatically when you choose to copy a URL. For example, https://www.youtube.com/watch?v=6O1Hf_gkD9c is the same link as https://youtu.be/6O1Hf_gkD9c. It is often more difficult to determine whether a shortened link is safe or not. There are therefore two things you can do to get a better overview of where the link leads you. The first is simply to hover over the hyperlink. The full URL behind the link will then become visible, either at the bottom left of the screen or next to your mouse pointer, depending on which program you are using.
The second trick is to copy the shortened link and paste it into the search field of the site "unshorten.me", a free service that expands these types of links for you.
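A shortened link is just an HTTP redirect, and the two tricks above both come down to finding the final address before clicking. The following Python is an added example, not Safepath's or unshorten.me's code: it follows the redirect chain hop by hop with HEAD requests (so no page body is ever downloaded), caps the number of hops and stops on loops. The shortener list beyond youtu.be and the redirect table standing in for the network are constructed assumptions.

```python
import urllib.error
import urllib.request
from urllib.parse import urljoin, urlparse

# Shortener hosts: youtu.be is the page's example; the others are assumed common ones.
SHORTENER_HOSTS = {"youtu.be", "bit.ly", "t.co", "tinyurl.com"}

def is_shortened(url):
    """True if the host is a known shortener, so the link should be expanded before trusting it."""
    return (urlparse(url).hostname or "").lower() in SHORTENER_HOSTS

def expand_url(url, fetch_location, max_hops=5):
    """Follow the redirect chain behind a shortened link and return every hop.
    fetch_location(url) returns a redirect's Location header, or None if the
    response is not a redirect; the hop cap and loop check stop redirect loops."""
    chain = [url]
    for _ in range(max_hops):
        nxt = fetch_location(chain[-1])
        if nxt is None:
            return chain
        nxt = urljoin(chain[-1], nxt)  # a Location header may be relative
        if nxt in chain:
            raise ValueError("redirect loop at " + nxt)
        chain.append(nxt)
    raise ValueError("more than %d redirects" % max_hops)

def final_host(chain):
    """Hostname of the last hop: where the link really takes you."""
    return (urlparse(chain[-1]).hostname or "").lower()

class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Make urllib report a redirect instead of silently following it."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None

def http_location(url, timeout=5):
    """Live fetcher for expand_url: a HEAD request, so no page body is downloaded."""
    opener = urllib.request.build_opener(_NoRedirect)
    req = urllib.request.Request(url, method="HEAD")
    try:
        with opener.open(req, timeout=timeout):
            return None  # 2xx: this is the final destination
    except urllib.error.HTTPError as err:
        if err.code in (301, 302, 303, 307, 308):
            return err.headers.get("Location")
        raise

# Constructed redirect table standing in for the network, built from the page's example link.
SAMPLE_REDIRECTS = {"https://youtu.be/6O1Hf_gkD9c": "https://www.youtube.com/watch?v=6O1Hf_gkD9c"}
```

Offline, `expand_url("https://youtu.be/6O1Hf_gkD9c", SAMPLE_REDIRECTS.get)` returns both hops; against the live network, pass `http_location` as the fetcher instead.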
At Safepath, we work every day to ensure our customers' safety and preparedness in all domains. We therefore put a lot of effort into maintaining our systems, taking care of our data and minimizing any potential downtime if an incident occurs. In October 2022, we will conduct internal courses to improve our employees' knowledge level in cyber security, in addition to putting an extra spotlight on cyber.
Safepath can help you and your company master cyber security. Get in touch with us, and we will find a way to raise awareness and security in the cyber universe for your business.