One of the most appalling practices in the current world of online hacking and phishing is the constant attacks on our elderly friends and family because the attackers know they are easy targets. Unfortunately, I don’t see technology becoming any easier for anyone, especially the elderly, so if they are going to continue using technology for things like shopping, paying bills and handling various elements of their health and property, see if you can get them to abide by some simple but critical rules when they get into unfamiliar situations. This may mean more calls to you on trivial things, but if you are like me, I’d rather that then getting the, “I’ve been hacked,” call.
Rule Number One: “Never trust popups on your devices that warn you about something scary and ask you to call a number.” None of the legitimate malware protection software on the market will do this. This is nearly always a scam. If they get something like this on their computer, tell them to take a picture of it and then just power off the device, manually if it won’t shutdown normally, and physically by unplugging the cord if that doesn’t seem to be working. These fake popups are meant to be frightening, disorienting and sometimes incredibly annoying. If the popup comes back after powering up their device (and it may, as many are designed to do just this) it may require some additional, technical expertise to get rid of it. For actual tech savvy users, it’s a quick fix, but it may be hard to explain over the phone if the recipient is flustered or otherwise frightened. If you can’t go yourself, it may require a visit from a local technician.
Rule Number Two: “Don’t “google” the contact number or email for important services.” All of the popular search services offer ad results at the top of actual search results that are often hard to distinguish from the legitimate information you were seeking. Bad actors are paying for ads that pretend to provide support for various commonplace companies. They will answer the phone as that service, including pretending to be Microsoft, Amazon, Apple, or Google in order to trick callers into giving them access to their devices. If your loved one is fond of using the phone in this manner, provide them with a printed list of known-good numbers for their most used services like their banks, pharmacies, etc, as well as including lines like “FACEBOOK: NO NUMBER TO CALL-DO NOT TRY” as a reminder that certain services are never available via phone.
Rule Number Three: “Always call someone you trust about anything on which you are uncertain.” Our loved ones often will refuse to call us because they don’t want to be a bother. Frequent calls may seem like a nuisance, but they pale in comparison to the absolute disaster you will both have to handle if they get hacked. I’d rather have dozens of calls of “Is this OK?” than the single, “I may have done something bad.” Reinforce their caution with approval, and if you have the time, perhaps explore with the caller what clued them into making the call. If it boils down to them just applying the above 3 rules, then score one for the good guys!
Image by Fernando Arcos from Pixabay
If there’s one thing I can state with certainty in 2024, technology is not getting easier. Just about every aspect of our lives, personal and professional, is getting automated, appified and otherwise “wired up” like we were living in a 90’s cyberpunk novel. Many aspects of those landscapes were eerily prescient (hello mega corporations), but there is one trope that you might not have considered yourself to be a part of: “hacking” your own technology to fix a problem or change an outcome. Let’s be clear, when I say “hacking” I’m referring to the more genteel, non-criminal activity of solving a technical need or problem via unconventional and/or creative methodology and materials. At a certain point, lots of people started using the term ironically (or in self-deprecation) when they managed to solve technical issues on their own, sometimes without even understanding how it was done.
Hang on, Neo. You don’t know Kung Fu yet.
Internet purists will lambast me if I don’t post the usual disclaimer, “In order to truly hack something, you need have a full understanding of how that thing works.” In the day and age of YouTube videos on just about anything and everything, it’s possible to find an endless supply of “How to hack (a thing)” and a lot of them are quite good. But many of them are not, so how do you sort out the bad from the good? Well, you can either work for 30+ years as a technology consultant, or you can at least try to get some basics under your belt, at least as far as hacking personal technology is concerned. I’m only going to outline the topics – there isn’t enough space nor attention span to spell it out in full. Not all of these areas of study are compelling – some are hella boring, but these are things that I believe everyone should know at least a minimal amount about in order to be competent, productive person.
- Know how your internet works – do you know the difference between a modem, router, firewall and access point? Wired and wireless? What’s an SSID? Do I have guest WIFI? How do I “reboot” my router? Is Bluetooth the same as WiFi? What’s bandwidth and why is it important (or not)?
- Know the parts of your computer and peripherals – is that USB-C port or a Thunderbolt port? What’s a function key? Is that a power button or a reset button? Is my printer wireless or wired? Whats the difference between “sleep” and “shutdown”? How do I change my ink cartridge? Does my phone have a sim card? Is there a warranty on my device? How would I go about getting it repaired?
- Know who provides your technology – whats the brand or manufacturer of your smartphone? Model? Who provides your email? How do I contact technical support for this bit of software? Do you know who your internet provider is, and what they are supposed to be delivering to you for your monthly internet bill? Is this software free, or do I pay for it? Do I even own this software?
- Understand where your data “lives” – is it on your computer’s internal storage? How do you navigate your device’s internal storage to find things? Is your data in the cloud? Which cloud provider? How do you get access to that data from something that is not your computer or phone? Can you? Is your data backed up? Is it encrypted? Should it be? Who owns my social media posts? Is my private information searchable on the internet?
We are well past dismissing this type of knowledge as something only “nerds and geeks” need to know. Whether we like it or not, we should start thinking about this type of technology savvy on the same level of importance as understanding how road traffic works, managing personal finances and differentiating fact from fiction. Failure to grasp the basic concepts of technology will just add more struggle on top of the regular uphill battle we face everyday.
Image by Bruno /Germany from Pixabay
Depending on how long you’ve been using computers, you may well remember a time when, “Have you tried turning off and back on,” was the first thing you heard when trying to troubleshoot any issue. In the 90’s and into the 00’s this was the go-to first step of tech support. And then we entered what some of you might call the golden age of business computing ushered in by Windows 7, somewhat tarnished by Windows 8, and then, with Windows 10, an era that even I can look back on as a bastion of stability when compared to what we have now.
What the heck happened?
Two words: Internet and Cybercrime. I know, I know, both of those things have been around for a lot longer than Windows 10 and even Windows 7, but up until maybe 2012 or 2013, technology companies like Symantec, McAfee and Microsoft had the upper hand in that war. In 2013, with the arrival of the widely successful CryptoLocker-powered attacks, criminals understood what sort of money was at stake and poured all of their resources into cybercrime infrastructure that has evolved into a never-ending escalating battle of security breaches, software updates and increasingly complicated security rituals. All the while, technology itself has permeated every facet of our lives, resulting in things that we would have considered absurd 10 years ago, such as doorbells that require a two-factor login. Everything requires a password because everything is connected to the internet, and because of the ongoing arms race in cybersecurity, everything around us is constantly being updated in this frantic race with no finish line anywhere in sight. Long story short: expect to reboot your devices frequently going forward. There was a time when I could say, “Hey, reboot your computer every other week and you will be fine.” Nowadays, that guidance is, “Reboot your computer at least every 3 days, if not daily.” Microsoft Windows is being updated weekly, as are the major office productivity apps like Office and Acrobat, and not all of their updates are well tested – resulting in more crashing and rebooting until someone notices and issues yet another update to fix the previous update. If it feels excessive, it’s because it is excessive, but for the moment, we don’t have much choice. Right now, cybercrime has the edge, and it’s running everyone ragged.
It’s hard to be witty about something you despise with every ounce of your soul, so I’m not going to even try. Do whatever it takes to make sure your less savvy family members know how to identify and ignore the absolute deluge of scam emails and phone calls people have been getting this year. You can help by pointing out the patterns they use, which will hopefully lead them to recognize the patterns and the methods these criminals will use to scam them. At minimum, it will help instill a healthy skepticism which is an essential foundation for being secure in today’s internet-soaked society.
What to watch for
A very common scenario involves the target receiving an email letting them know either that the moderately expensive product they ordered or subscribed to is in danger of not being delivered because of a payment issue. They are hoping that their target is actually a user of this product and will call to make sure the purchase isn’t in jeopardy, or call to cancel, thinking either they forgot to cancel it previously, or somehow mistakenly ordered it (also not difficult to do for real, unfortunately – another despicable marketing tact used by every major technology platform).
It is distinctly possible that you might actually receive a legitimate email from any of the scapegoat products scammers are using, but where they will differ will be in how they attempt to solve “the problem”. The scammers top priority is to get their target on the phone and their primary objectives are fairly obvious – they want access to your PC, or they attempt to get various payment methods identified to make sure your “purchase” is completed. Most obvious is when they insist on getting access to a payment platform that is tied directly to a bank account, whether it be Venmo, Gazelle or your bank’s actual mobile app. As a rule of thumb, unless the person on the other end of the line is someone you know and trust, you should never grant someone access to your PC, or even consent to installing software on your computer or phone. Full stop, no exceptions. If there is ever any doubt or suspicion, stop what you are doing and get a second opinion from a trusted expert.
If you or they have received an email from a recognized brand but are unsure of whether it is a legitimate notification and don’t have ready access to an IT or security professional, pick up the phone and call a known, good phone number for the company, or at minimum, go to the brand’s website typing in the website address directly into the URL field. DO NOT USE SEARCH UNLESS YOU KNOW HOW TO SPOT THE DIFFERENCE BETWEEN ADVERTISEMENTS AND SEARCH RESULTS. Teach yourself and everyone around you how to go directly to a website by typing in the actual website address. Searching for “(famous brand) Support” can lead to various fake websites built expressly to trick people into calling them instead of the actual company. Hackers pay to push these fake sites to what appears to be the top search result, but they are in fact relying on the various search engine advertising page placements to trick people into thinking they picking the top search result.
Criminals are counting on everyone being overwhelmed and rushed. They are hoping you will call the number or click the link they have conveniently provided to you. They will catch you in a moment of weakness and that mistake may end up being very costly. Go slow. Verify carefully. Be sceptical. Ask for advice from someone you trust and know personally.
Image by kewl from Pixabay
Most of you know that I do not recommend using certain “freemail” accounts for any aspect of your professional lives. In short, many of them are poorly supported, barely secured and frequently targeted by cybercriminals because of these elements and because of who uses them. The ones that are being heavily targeted now are mostly legacy accounts that were established by old ISP companies that have since merged, sold or otherwise transformed into another company. Examples include sbcglobal.net, att.net, roadrunner.net, aol.com, yahoo.com, earthlink.net, etc, but they all share a common aspect: responsibility for maintaining the services that power these emails has been passed from company to company like a red-headed stepchild and the services are clearly suffering from neglect.
I’ve had this email for years! I can’t change this email!!
Invariably, we’re going to have this conversation, with you or perhaps with an elder member of your family. And yes, for some folks, changing an email address that you’ve had for 10+ years is going to be a huge pain. There are alternatives to completely abandoning the account, but there is still going to be some work to keep it, you and your loved ones safe. It depends highly on the email service, but most of them have made token efforts to upgrade their security and accessibility. Log into the account, look for account settings, specifically security to see if any of the following are available:
- First and foremost, if they offer multi-factor/2-factor authentication, set it up and use it. This is a no-brainer, and just about everyone has a cell phone.
- Set up a backup email account – most email services offer the ability to set another email account as a way to rescue or recover a forgotten password.
- Even if they can’t do 2-factor, some freemail services let you attach a cellphone for recovery purposes. Support personnel (if/when you can actually reach them) can use the cellphone to verify you are the proper owner of the account when you are in the process of attempting to recover access.
- Check to see if the password to secure this account has been compromised using this website: https://haveibeenpwned.com/Passwords. Even if it hasn’t, if it’s an easy to guess password, change it and write it down if it’s not one you or they are going to easily remember.
In the end, these are only stop-gap measures. Some email domains are currently on their 4th or 5th handoff, and at a certain point they are likely going to end up with the lowest bidder – something you never want for a critical technology service like email. Your eye should be on transitioning to a more sustainable platform like Gmail or Outlook.com.
Photo by Christin Hume on Unsplash
Traditionally I like my year-end messages to be hopeful, but as I am someone who does not mince words when it comes to your technology, I don’t come to you at the close of 2022 with a message of optimism. If anything, I want to congratulate you for surviving this year with your sanity and health intact, if not your technology security. Accomplishing all three is something to be commended, and I am sad to report that not all of our clients were as successful, including a client and good friend who passed unexpectedly this year. This post is dedicated to him, and to everyone who fought the good fight this year, either against cyberattacks, Covid and everything between.
“Don’t take security for granted.”
This is my year-end message for you: If there is one trend I can clearly point to in this past year (and in years previous), is that you are the first and last line of defense in the war for your technology security. You are the first and last line of defense in maintaining your privacy. We here at C2 Technology are willing and able to throw ourselves in front of as many attacks as we can, but we can’t be with you in every moment, everywhere you touch technology, nor should you want us there. In almost nearly all cases of hacks that we have worked through this year, and numerous others I have read about, breaches and compromises have occurred because attackers are very successful at exploiting human, not technology, weaknesses.
One thing that I know for sure is that you can count on even more cybersecurity attacks in every aspect of your personal and business technology. There is big money in compromising your security – organized crime has moved, full-scale, into funding, staffing and managing highly effective fraud call centers and hit-squads whose primary objective is to trick you into giving them access to your stuff and then cleaning house. On top of this, there is no singular magic bullet, app, governing body nor enforcement agency that can protect you. Let me reiterate – there is no perfect, monolithic solution C2 or any other organization can provide to you to keep you perfectly safe. As with cold weather, layers are better than just a single, bulky jacket. Your best defense will be a collection of services, software and best practices. Your configuration of those layers will vary based on personal or organizational need, but everyone should at minimum be considering the following:
- Constant vigilance is the key. You should assume that you are under constant cyberthreat and act accordingly. As much as it feels distasteful say this given the current political climate, you should consider yourself on cyber-wartime footing with no armistice or ceasefire in your near future. You may have heard me jokingly compare this vigilance with paranoia, but my gallows humor may have done you a disservice in making light of this situation. Make no mistake, this is very serious, and I do not see anyone being able to let down their guard anytime soon. As I mentioned above, C2 can’t always be there for a magical, “Get down, Mr. President!” moment. All we can do is attempt to train you to spot the peril. If you have employees, you should bolster their vigilance with actual, formal training – not everyone will have the same level of urgency on technology security as the principals of the organization, but training and testing will help them understand the importance and impress upon them that this is a part of their job responsibilities, regardless of their role in the organization.
- If you aren’t using unique passwords and multi-factor authentication for your critical online accounts, you are doing the cyber equivalent of leaving the keys in your running car in a dangerous neighborhood. You should check your most-used passwords here, and if any of them show up on the list, immediately change that password everywhere you used it. Right. Now. If you can turn on multi-factor authentication for your banking and other critical service accounts and haven’t already done so, do so. Right. Now.
- Back up your files to a cloud provider on a daily basis. You can get a very reliable, easy to use service for as little as $7/month, and you might already have access to a form of cloud backups through Apple or Microsoft by virtue of other services for which you are already paying. Keep in mind, services like OneDrive and iCloud are a form of short-term backup, but do not normally provide long-term recovery of files deleted more than 30 days ago, nor can they fully protect against certain forms of ransomware attacks, so make sure you consult with your friendly neighborhood technology professional about what would be appropriate for your use case.
- Keep work and personal separate. This may be difficult to do especially if you work from home on your own technology, but the more you intermingle, the more risk you take from one side or the other. This also goes for using your home network if you have family that aren’t as security conscious as you, especially seniors and young children, both of whom are particularly vulnerable to scams that most of us spot in a heartbeat. Your technology professional will have ways to segment your work and home life, but it will result in additional expense and inconvenience.
- At the business level, antivirus and malware protection has evolved into what is now known as “endpoint protection.” The free software that comes with your new PC is NOT endpoint protection, nor is the product they are trying to upsell you. The primary difference between the two is that last generation products relied heavily on definition tables and scheduled scans of your files, which is not nearly as effective against modern malware tactics that sometimes don’t even involve something being installed in your hard drive, or software that literally changes by the hour. Endpoint protection relies on algorithms that are able to analyze the behavior of softwares and services to determine if they might be harmful, and more importantly, are designed not only to protect the device on which it’s installed, but also to protect the network to which it is connected, something that previous gen antivirus software could not do.
- If you deal with any kind of PII (personally-identifiable information) where that information is stored on your computer – even if only in transit – your hard drive should be encrypted, especially if the device housing it is easily stolen, such as a laptop. Fortunately, both Windows and Mac OS do include encryption, but it isn’t always enabled, and in the case of Windows, it is only readily available in the “Professional” (more expensive) variant of their OS.
- You should be making sure your operating system and main software apps are kept up to date. Microsoft releases updates on a weekly basis, and about half of them require a reboot to full apply. Windows 10 (and to a certain degree 11) is so stable that it can go weeks without rebooting but waiting that long can cause other problems that will be a lot more inconvenient than restarting your PC. We recommend clients restart their PCs as frequently as every 3 days – this accomplishes needed housekeeping tasks as well as clearing the “virtual crud” that all PCs accumulate through daily use, especially if you like having lots of windows and apps open.
Technology security requires a holistic approach, and I don’t mean tuning your chakras and making sure your gut biome is balanced. Every aspect of your technology, from internet provider to software services, every device used in the work process, all users, and even your clients’ and customers’ technology should be reviewed and considered when formulating your security approach. The days of “set and forget” are long gone. Protecting your technology is something that will require effort and, dare I say, constant vigilance.
If you are a long-time reader of this blog, you’ll know that while the majority of our focus is on business technology, I like to keep an eye on all technology, especially issues that can affect our quality of life and personal safety. Hondas are very popular (even here in Los Angeles where it seems like every 3rd car is a Tesla) and according to at least one statistics website, Honda accounts for between 8-9% of the U.S. car market in 2020 and 2021, and the Honda CR-V is near the top of the list of best-selling vehicles for the past several years. It’s safe to say that there are probably millions of Hondas on the road right now, and apparently any that are accessed using a key fob are vulnerable to a hack that allows attackers to unlock car doors and remotely start engines if the car has that capability.
What this means for you
If you own a Honda, you may want to give this article a read, which was based a relatively unknown vulnerability dubbed “Rolling-PWN” by the researchers/hackers that discovered it. The vulnerability is documented and published in the National Vulnerability Database run by the National Institute of Standards and Technology, which is about as official as you can get in terms of documenting vulnerabilities. Despite this, Honda has yet to confirm or even acknowledge the issue. Which also means that there is very little you can do about it other than the following:
- Reconsider what sort of valuables you keep in your car, even if you don’t drive a Honda. This particular hack may not be limited to just Honda according to the researchers. It just happens to be the manufacturer they’ve tested and confirmed vulnerable across multiple years and models.
- Even though they may be able to start the car, they can’t drive the car because they can’t exploit the proximity requirements of the key fob…yet. Regardless, if you park your car in a garage, make sure that it is well ventilated. Carbon monoxide kills, and some prankster might put you in real danger by leaving your car running for hours in garage with poor ventilation.
- Perhaps write a letter to your local congress-critter (Representative and Senator) asking them to look into Honda’s seeming disregard for a significant security issue. If you are friendly with a local Honda dealership (because you own a Honda and use them for service), you could also stop in and show them the article and a link to the exploit on the official government website of vulnerabilities as well. If enough of us raise our voices, perhaps some of these big companies will take notice!
I tried to think up an appropriate bon mot about a platform like Craigslist getting hacked based upon how old and basic the platform is in comparison to “modern” services, but frankly, their easy-to-use and barebones approach strikes me as a rare unicorn in a world full of apps that (try to) do everything, or ones that do one thing in an overly complicated/cutesy/outlandish fashion to stand out in the crowded field. If anything, you may take my soft spot for Craigslist as an oblique self-burn on my age and get-off-my-lawn attitude about modern apps, but given the amount of troubleshooting I do on its contemporaries, barebones and utilitarian gets it done without a whole lot of fanfare and confusion. Sadly, like all things internet, this has a double-edge: hackers have taken advantage of one of Craigslist’s signature features – anonymous emails – to trick users into installing malware.
What this means for you
If you use Craigslist to offer something up – goods, services, your heart, etc. – you will want to pay attention. Craigslist uses a form of anonymized emails that allow users to keep their identity confidential until they decide they want to interact with someone answering their ad. Unfortunately, this also means an email arriving from an anonymized Craigslist email address claiming to be an official warning about an “inappropriate” ad is probably going to be taken seriously, and links contained in said email will likely be clicked, leading to a malware infection instead of an actual, legitimate Craigslist URL.
Attackers are using camouflage provided by a trusted, familiar environment that they 100% know their target is engaged with, combined with a malware delivery through OneDrive to give them additional cover against the usual malware detection provided by mail services that can smell bad URLs. Even with good malware protection installed on your computer, clicking and opening a document and then following the familiar process to allow editing of the document – something that occurs everytime when opening Office documents delivered via email or the internet (aka OneDrive, Dropbox, Google Drive, etc.), will bypass the usual protections and deliver a malware payload essentially because you allowed it.
This is what you are up against. This is what we all are up against. There is no good protection against this type of chicanery other than being savvy and vigilant, having up to date malware protection installed, backing up your data, and using unique passwords and two-factor authentication wherever possible. There is rarely an instance where the holy trinity of malware protection, backups and strong authentication practices is not warranted. Don’t make excuses – these three things will be your safety net when your vigilance wavers. We are all human and we can and will be tricked. That is one thing I can guarantee.
Image Courtesy of Stuart Miles at FreeDigitalPhotos.net
Back when I first heard about Facebook I was working for a private university known for its “dry” campus. I was asked to consult on the case of a student who was being disciplined for violating the no-alcohol policy because a picture had been discovered of them buying booze at a nearby supermarket. It had been uploaded by the student’s friend to a hot new website called Facebook. I distinctly remember discussing this with staff and faculty at the time, predicting, “This is going to get a lot of kids in trouble.” There was discussion of banning access to the site, but filtering internet content back then wasn’t as straightforward as it is now, and the discussion was tabled with a promise to review the issue at a later time. Fast-forward to the present, where Facebook is still getting a lot of people in trouble, and themselves as well.
From the frying pan, to the fire, to…incinerator?
It might be hard to believe, but it was only June when we had to air out the latest load of dirty laundry from Facebook. Prior to that, they have been blog subjects seven times this year alone, and none of them were for something good! I’d say this month’s two-fer entry might be their pièce de résistance of colossal cock-ups, but there are still 90 days left in the year, and Facebook seems bent on setting some sort of record for destroying themselves.
First, they were caught red-handed letting advertisers use phone numbers provided by users for authentication purposes, something they had previously denied. To add insult to injury, it’s also come to light that they will also target individuals through contact information uploaded by their friends through the Facebook app, even if the individual never provided any sort of consent for such use.
If that isn’t enough to get your blood boiling, how about 50M Facebook users having their accounts compromised? Rather than the old-fashioned password hack, attackers exploited a bug in Facebook’s “View as” feature which allowed them to essentially steal the authentication token used to provide continued access after you’ve initially logged in. Think of this token as a VIP wristband you might wear at an event that also gets you access to the backstage. This token not only provides you a quick login to Facebook but to dozens of other connected services, such as Instagram and WhatsApp, that allow users to authenticate through Facebook instead of creating a unique login and password. Just like the wristband, Facebook only looks at the token and not the person using it, to determine what they are allowed to access, so you might get an inkling of why it being stolen is kind of a bad thing. The investigation is still ongoing, but according to Facebook, no passwords or credit cards were stolen, and it doesn’t look like the perpetrators of the September breach used their “wristbands” get into the various third-party platforms it could have granted access to, but I’d put even money on Facebook having yet another, “Wait, hold my beer,” moment, so don’t put the pitchforks too far out of reach.
Unfortunately for the two billion humans who are still trying to get some sort enjoyment (or livelihood) out of Facebook, there really isn’t any platform that comes close to being able to replace it. Your choices are “deal with it” or go cold turkey, the latter of which I don’t see any of my Facebook-hooked friends doing any time soon. If you’ve tied your various other online services to Facebook’s login in the pursuit of convenience, it only makes giving up Facebook that much harder and further illustrates just how dangerous this type of practice can be – Facebook login gave everyone a shovel, and quite a few people dug a hole that they have no idea how to get out of. Sadly, not climbing out of that hole and permanently putting the shovel aside essentially rewards Facebook for their negligent security practices, something that we should not do if we ever want the service to be something more than a way for advertisers and hackers (and Facebook!) to exploit for their own profit.
It had all the trappings of a Hollywood blockbuster: a massive data breach, hackers hired by Russian spies, and a secret operation that went on for years undetected. Except for one rather pedestrian and crucial element. According to indictments handed down by the US Federal Bureau of Investigation, the hackers penetrated Yahoo’s security not through some sophisticated cyber-tango of caffeine-fueled hacker artistry. There weren’t any high-tech micro computers covertly implanted into neon-lit server racks following a series of cleverly choreographed hi-jinks. No, the largest single leak of Personally Identifying Information was enabled by a Yahoo employee falling for a spear phishing attack.
Here comes the email security soapbox again!
What’s a spear phishing attack and what makes it different from the rest of the spam you get in your email? Typical spam and phishing emails are sent to as many people as possible in the hopes that a small percentage will click the link or open the attachment, whereas spear phishing is designed to target a very specific audience or even a particular individual. They are typically several levels more sophisticated than the usual garbage clogging our email as the content is custom-tailored to appear believable to the target. While I’m sure many of you are scratching your heads at how a single click on a fake email could lead to the largest breach in history against a storied dot-com darling, keep in mind that in the ongoing plate-spinning war of internet security, the good guys only win if they can keep all the plates spinning, and the bad guys win if even a single plate falls.
There are many lessons to be learned from this incident, but perhaps the most important one of all still remains: all security systems are only as strong as the weakest link, and many times that weakest link is a human. Given enough resources, time and determination, any security system can be hacked, and any company or organization can be breached. What’s a business owner to do in light of a seemingly unstoppable force? Just like preparing for two other famously unavoidable eventualities, planning for security breach will prepare you to react properly and deliberately rather than a mad scramble for recovery. Not sure how to get started? Pick up the phone and let C2 give you a leg up on getting ready.