Recognizing Cybersecurity Awareness Month, McCrary Institute expert weighs in on new threats, means of protection

Why should people take cyber security seriously? Simple. We're surrounded by computer systems where connectivity is everywhere… automobiles, smart appliances, smart TVs, hand-held devices, even vacuum cleaners.

“A new device with a blinking light might be capable of Internet connectivity,” said Marc Sachs, deputy director for research at Auburn University’s McCrary Institute for Cyber and Critical Infrastructure Security. “I'm not trying to say connectivity is bad, but it’s like giving your child keys to your car back when they were just riding their bicycle up and down the sidewalk. Now, they are on the highway with everybody else. It’s the connectivity piece that introduces the problem.”

The problem is cyber criminals… common thieves, or state-sponsored specialists. This, the 20^th anniversary of Cybersecurity Awareness Month, is a collaborative effort between government and industry to enhance cybersecurity awareness, encourage actions by the public to reduce online risk and generate discussion on cyber threats on a national and global scale.

Sachs, a former White House National Security Council director for communication infrastructure protection and U.S. Department of Homeland Security cyber program director, took time to answer a few questions about cyber security, how threats have evolved and how we can protect ourselves.

How are cyber criminals targeting individuals and/or organizations differently now than they were a year or two ago?

Marc Sachs: The criminal community changes its tactics along with the way their victims change their interests or habits. A few years ago, the big change for all of us was COVID. Most people, if possible, worked from home and criminals took immediate advantage of that. One was how phishing and spam began to take on a COVID fear factor. Traps like, “click here to learn more” or “watch this video about Dr. Fauci,” or “click here to get a five pack of face masks.” Another was the fact that working from home made it much easier for criminals to gain access to corporate information, because you don't have the business infrastructure at home, the firewalls and other things that can protect you like you did at the office.

“Now that we're post-COVID, you've seen them change tactics again. The new thing that’s happened is with ChatGPT. What a great tool for them to create realistic phishing emails. They’ll download a bunch of emails from you, or from somebody in charge of a company. They will learn “here's the way this individual writes an email,” and use an AI tool to create one with the same voice or style that imitates you. They'll send it as a phishing message with no spelling errors, no grammar mistakes and other things that you would normally look for. It just shows how the criminal world adapts to changes in technology. Next year, I expect phishing emails that are election related. They will mimic the major candidates and play on fears of the electorate.

What measures can be taken to protect ourselves?

Marc Sachs: I’m sure you're familiar with the username/password approach, authenticating yourself into a website, bank or other online resource. Many banking sites and others are now enforcing what they call multi- factor authentication. That’s when you log in and it says, “I'm going to send a text message to your phone, and you need to type back in the six digits.” We would highly recommend that multi-factor authentication be turned on for all e-commerce sites and social media. People tend to reuse their username and password across many sites. If a hacker can compromise one site, they will repeat that username/password on other sites to see if they can get lucky. The attacker is not going to have your cell phone. They're not going to have the ability to receive a text message for authentication.

Another factor is bio-metric, such as facial recognition and finger recognition. Yet another factor emerging is where you are. You might work this out with your bank where your app works only if you’re in a specific ZIP code. Using GPS, it’ll figure out if you're physically within your ZIP code area and you can access your bank only if you’re within that area.

Can we be attacked remotely, via hand-held devices, and how to we protect ourselves?

Marc Sachs: There are several ways. Normally, it’s not the device that’s getting hacked. It’s the mind of the user of that device. We trust it like a little puppy dog or pet, and you think it's never going to lie. For example, you receive a text message from your boss, perhaps the president of the corporation. This might read, “Hello, I’m in a meeting right now and can’t talk, but this is urgent. Please purchase some gift cards for me as I’m presenting them to a dignitary. You will be repaid.” So, you purchase $500 in gift cards and never see that money again. That’s a very popular scam. People trust their phones because they (people) are good, they're vulnerable and because they want to help, particularly if it’s the president of a corporation or the CEO that’s paying attention to them.

A new scam that’s emerging involves QR codes. QR codes are popular and they're being used by the good guys as well as the bad guys. The criminal community will put QR codes in bus stops, train stations or airport terminals and make false advertisements using the QR code for victims to fall into their trap. What they’re doing is using them as pointers to malicious web sites, where they can inject malicious codes or malware into your phone. Be careful with unfamiliar QR codes, especially in public area advertisements.

What about smart devices in the home?

Marc Sachs: Any computer system is vulnerable if it's connected. If it's not connected, it's not exposed to online criminal behavior. If you have a smart home with devices connected to the internet, you’ve introduced what we call an attack surface. It’s not just your laptop, or cell phone, but now your TV, microwave oven, doorbell, cameras, all the things you have connected, are now available for the criminal world to attack. The same thing applies to your connected car. It applies to water systems, overhead traffic lights that you see on the highway and hospitals that are connected. Even farm equipment that's connected.

How do we protect ourselves? Begin by allowing these devices to have access to only the minimum amount of resources needed. Some connected devices come with apps, like your Roomba robotic vacuum cleaner. Some apps want to do things like connect to your camera or connect to your microphone. A vacuum cleaner probably doesn’t need access to your camera. Look at the app’s permissions and give that device and the app that goes with the device the bare number of permissions it needs to get the job done.