Skip to main content

Everyday Habits That'll Increase Your Cybersecurity

DATE: November 30, 2021

TAGS:

Before coming to cybersecurity, many professionals have different ideas and practices than are required to preserve the security of information. These practices often include: clicking on links in email, opening a door for the person rushing in behind you, or leaving a computer unlocked when only being absent a couple of minutes. While each of these things may seem like harmless acts, a cybersecurity mindset would not allow these things, and there are good reasons for this.

Let’s take a look at some examples together.

Although it isn’t the first thought that comes to the mind of most, the physical security of the building where valuable information is being created and stored is of vital importance. This is why many higher security areas have cameras, guards, limited points of entry, or any other number of methods to control who enters and leaves a building. Knowing that the only people in the building are people that have a defined need to be there is one method to help secure information. To that end, holding a door open for that person who is seemingly in a rush to get somewhere and wants to save some time would seem like a courteous thing to do, however, that person rushing could be rushing because they see an opportunity to evade the physical security of the building and the unsuspecting employee would then be helping that threat actor into the building to compromise the security. While I am not stating that every person in a rush is a possible threat actor, what I am stating is that in a large building with hundreds or thousands of people entering and leaving at any given time, it is imperative that the procedures set forth be followed and that everyone should follow the proper methods for entering and leaving a secure facility.

Another example would be the excuse that “I’m only going to be gone from my desk to pick up something from the printer.” Yes, this is a short amount of time, and it is unlikely that anything bad will happen, but it only takes one time of a malicious person to compromise the entire system and in that time to an investigator, it would appear that the person who left to pickup the print was at fault as they were logged in.

Have you heard of a device called a rubber ducky? No, not the famous plastic yellow duck that floats on water. This rubber ducky is a bit more devious. It looks like a typical flash drive but acts much differently. This device can be programmed to act like a virtual keyboard and input keystrokes much faster than is typical. You can insert the rubber ducky into a USB port, wait 30 seconds and that device can locate passwords stored on the computer, save those passwords to a file on the USB drive and then be removed without the malicious actor doing anything other than plugging and unplugging a USB drive for 30 seconds. Plenty of time to steal your passwords before returning from the printer.

Finally, don’t click on links in emails. This is something that many people fully understand now, but it is extremely popular amongst threat actors and the reason it is popular is that it works; it works at alarming rates. There are several methods for suggesting a user to click on a link. One method is that the email will create a sense of urgency by stating there is a short amount of time before the deal expires. Maybe the email sent appears to be from a friend or coworker, as those are people that you presumably trust the email link will surely be safe, right? Not always! Emails can often change the From name in the emails to appear from a known or trusted source, but the email address often does not match the name. Another tricky method can be the use of URL shorteners to mask the real link in the email. The real address in the link may be thisisanattack.fake.com but be shortened to a seemingly real URL such as thisisreal.notfake.com.

This article outlines just a few examples of how thinking like a cybersecurity professional changes as they become more aware of different issues in cybersecurity. One more thing to consider is that in cybersecurity there are entire teams dedicated to thinking like an attacker would think. The goal is for these teams to try and do what a hacker would do so that the organization can prepare to defend against those attacks. These teams will do everything from physically trying to enter the building without proper access to bypass security on website and electronic devices to get the information they should not get. These types of proactive defenses greatly increase security overall for an organization. However, they would not be possible without those individuals who think like an attacker.

About the author

Brian Zuel

Lead Technical Instructor

812-230-6286, bzuel@purdue.edu

Sign up for the monthly newsletter

Return to main content

Purdue University, 610 Purdue Mall, West Lafayette, IN 47907, (765) 494-4600

© 2021 Purdue University | An equal access/equal opportunity university | Copyright Complaints | Maintained by Technical Assistance Program

Trouble with this page? Disability-related accessibility issue? Please contact Technical Assistance Program at tap@purdue.edu.