Somehow, it’s already October. Fall is officially upon us, pumpkin spice is back with a vengeance, and we all get to celebrate another Cybersecurity Awareness Month! We’ve seen a lot of threats come out of the woodwork in the last year, so it’s the perfect time to take stock of your digital security, revisit best practices, and get familiar with what today’s cybercriminals are up to.
If you don’t know, Cybersecurity Awareness Month was started by the U.S. Department of Homeland Security and the National Cyber Security Alliance. Every October, we come together to raise awareness about cybersecurity, promote ways to reduce risk online, and celebrate all the work being done to combat cyber threats. In this blog post, we’ll be sharing some of our hottest tips, tricks, and opinions to help you stay safe and secure online—during this month, and all year long.
1. Ransomware’s Back in a Big Way
Ransomware is great at ruining anyone’s day, but it’s not like it’s some zero-day exploit we’re just learning about. I mean, ransomware’s been an ongoing issue since 1989 when it very publicly entered the fray via some infected floppy disks. Since then, for better or worse, we’ve gotten very familiar with ransomware as it, and our defenses, have evolved. Around this time last year, it had even become somewhat of a known quantity. That was until the malware Qakbot was taken down.
When the FBI announced they’d dismantled Qakbot, there was due cause to celebrate. We love to see a botnet brought down. But cybercriminals are flexible. The absence of Qakbot opened up a flood of ransomware, quickly dragging us down from having a grasp on the threat to being underwater, catching up with variants and new tradecraft.
So, as ransomware has suddenly become trendier than ever, it’s critical you stay aware and protect yourself, especially as attackers’ methods change. For instance, ransomware operators have begun more often implementing Bring Your Own Vulnerable Driver (BYOVD) tactics to disable defense systems and elevate privileges.
If ransomware can strike some of the largest corporations, everyone’s at risk—and threat actors love targeting small and mid-sized businesses. So, here are some easy tips to protect against ransomware:
- Keep your devices up to date: A primary method threat actors use to launch a ransomware attack is through a vulnerability in your applications or operating systems. Keeping them up to date can help prevent that.
- Verify first, trust later: Always verify that email attachments, links, and the sender of the email are legitimate before opening or clicking anything.
- Confirm a secure connection: Whenever you submit personal or sensitive information, make sure the site’s connection is secure. Always verify that the URL you’ve visited starts with https, or check that there’s a padlock icon next to the URL bar to signify a site is secure.
- Stay up-to-date on cybersecurity education: These tips aren’t the end-all be-all of cybersecurity best practices. Threats are always evolving. Be sure to stay current on threats and vulnerabilities, and follow the advice of cyber experts.
- Be aware of your endpoint protection software’s protection status: Ensure features like Tamper Protection and Self-Protection mechanisms are enabled to help protect against BYOVD attacks.
- Always investigate suspicious activity involving endpoint protection: Defensive software that isn’t responding, is disabled, or hasn’t reported back is all an indicator of compromise.
2. MFA-Free VPNs are Scarier Than You Think
You wouldn’t ever give a threat actor total, unfiltered access to your network, would you? Of course not, that’d be silly. We are talking about cybersecurity here, after all.
And yet, there are so many exposed VPNs out there without multi-factor authentication (MFA) or that haven’t been patched. Hot take: SSL VPNs without MFA are as big of a target as exposed Remote Desktop Protocol (RDP) and Remote Monitoring and Management (RMM) software, and are more dangerous.
SSL VPN, or secure sockets layer VPN, is meant to provide a secure, direct connection between a user and a network. It’s great for a ton of businesses, and makes working remotely convenient and safe. But if you’re not careful, it’s like laying out a red carpet for threat actors.
Additionally, most VPNs aren’t configured to retain logs for a long time. If they’re left exposed, attackers can simply poke and prod at an environment until they break through, all without any alerts going off. You wouldn’t know an attack was happening until it was over because there’d be no way to even know a VPN account was compromised.
Now, why is this more dangerous than exposed RDP or RMM? VPNs aren’t likely to have the same level of security or monitoring as RDP or RMM, like endpoint detection and response. When an attacker lands on a machine through RDP, your EDR's going to know what’s happening. The attack will be detected on that machine, and you can handle the threat. That’s not the case with VPN. Your EDR isn’t going to do anything when attackers are connecting directly to your network via their machine. When your VPN’s unpatched and exposed, you may as well say, “The door’s open, help yourself to anything you’d like.”
So, what can you do to protect yourself? Here are some options:
- Add MFA to your VPN: Ensure all your VPN accounts have MFA enabled. Now, if an attacker tries to gain access, you and the account owner will know what’s happening and can act to prevent attacks.
- Stay up to date: Always ensure your VPN is patched and updated to prevent vulnerabilities that give attackers access.
- Manage logs with SIEM: In case all else fails, you won’t be blindsided by an attack if you have visibility into your VPN logs. With Security Information and Event Management, or SIEM, you can securely store your VPN logs to always know who’s connecting.
- Review access controls regularly: Attackers often target legacy applications and outdated accounts that administrators accidentally left installed. Be sure to regularly review your software, account access, and permissions with all remote tools.
- Don’t forget your RMM and RDP: Attackers love exploiting both of these accessibility options whenever they’re enabled. Make sure you apply all of the above strategies to these remote management tools as well.
3. Your Mac’s Not That Secure
Every time I think about macOS cybersecurity, I think of a good friend of mine who happily watches pirated streams on some of the sketchiest websites I’ve ever seen. Why? He’s using a Mac, what could happen? Well, in reality, a lot.
It’s not that Macs were impervious to cyber threats back when Justin Long and his luscious locks were starring in those old Apple commercials. “I’m a Mac. I’m a PC.” There just weren’t that many threats that could target macOS devices at the time. That’s changed. State-sponsored malware, adware, advanced infostealers, and even spyware like LightSpy are what’s lurking in the shadows.
But with 57% of Mac users believing there isn’t malware that can hurt them, it’s critical that the people and businesses that rely on Macs learn the truth about these myths. Macs need to be protected like any other device, especially as Mac adoption by businesses has risen by 20% YoY. Using an EDR built for macOS, alongside solid cybersecurity awareness practices as backup, is the best way to protect your Mac devices and your business from threats.
4. When It Comes to Cybersecurity, Go Basic Before You Go Big
I’m going to pitch two cybersecurity solutions to you. Which one do you think is the better option for most businesses?
Solution A: Endpoint Vanguard X. It eviscerates cyber threats at enterprise scale—all made possible by a globally trailblazing, AI-fueled super team of cyber marines. It only costs $300 per endpoint.
Or Solution B: literally just knowing to not download files from random emails you get.
Did you pick Solution B? Good. Because I can promise you it would have an immediate and positive impact on most businesses’ cybersecurity—and would cost a lot less too.
Now, Solution A was only… slightly exaggerated. But cybersecurity tools and solutions vary in a lot of ways. There are tools out there that offer comprehensive defenses for some of the world’s largest, most complex organizations. Some are incredibly flexible and offer any solution you can think of; some are powered by advanced artificial intelligence; and some back you up with 24/7 support and oversight from real, human security experts.
But someone’s perfect cybersecurity solution could be as simple as teaching their employees to not write their passwords on a sticky note, or be able to recognize a phishing email. For most businesses, cybersecurity basics will get them a hell of a lot further in terms of protection than any advanced tool or platform.
Now, this might be a controversial take, but the human element in cybersecurity is an often forgotten superpower. It’s the first line of defense against threats, and can easily be someone’s strongest line of defense too. We’re all in on what security awareness training (SAT) can do, so here are a few basic best practices you can rely on that you may not have heard of:
- Use a password manager with unique passwords: Make sure all your passwords are unique, but don’t try to remember them all or write them down. Use a trustworthy password manager like LastPass to stay organized. And now, if one of your accounts is compromised, none of the others, are and you won't forget any passwords.
- MFA all day: Sure, it’s sometimes annoying to respond to an MFA notification—but it’s a lot easier than having your email compromised. MFA is incredibly effective at protecting your accounts when used correctly. Make sure you have MFA (phish-resistant, if possible) set up with the most security settings enabled as you can.
- Don’t overshare: If you receive an inbound call, never hand out any personal information. Even if caller ID says it’s your bank, your doctor, whoever. Caller ID can be spoofed, and attackers have no issue lying to you over the phone.
The Outro
Cybersecurity Awareness Month isn’t some event in a vacuum. Sure, we do take the time in October to really dig into awareness and education. But the goal for this month, especially for us and our community, is to carry what we learn now through to next year. Cybersecurity awareness doesn’t end on November 1. So, hopefully these tips were of some help to you—now, or any time of the year.
One last bonus tip: No legitimate service, business, government agency, or whatever, is going to ask you to pay for something in gift cards. Unless you’re literally discussing presents for a birthday or holiday with people you absolutely trust, the second someone says "gift cards," hang up. Delete the text. Et cetera. It’s 100% a scam.
Big thanks to Ethan Tancredi, Dima Kumets, Max Rogers, Alden Schmidt, Stuart Ashenbrenner, and Greg Linares for contributing their excellent expertise to this blog post.
