Cyber Security Awareness: Targeted Attacks

National Cyber Security Awareness Month: Targeted Attacks
Posted on 09/30/2016

Written by Christopher Abbey, DCSD IT Security Analyst

Knowing that the topic of security can hit some really dark and scary places, in this article we want to shine a light on your role, your responsibilities and the information you work with day to day. These powers combined will not turn you into a blue, Earth-saving superhero, but they do make you a potential target for criminals.

A phrase that has been floating around business and marketing circles goes like this: “Data is the new oil.” It means that data is no longer simply the small bits of information we generate; it is a commodity that is actively taken, refined and sold to the highest bidder, every day. That means criminals are financially compelled to take advantage of the systems and tools we interact with daily in order to collect or steal files, emails, social media, banking and other account information. However, there are steps we can take to minimize our digital leaks and protect sensitive information.

Social Engineering

In the digital information age, criminals still rely on some tried and true tactics to separate you from your information and possibly your money. It might be a phone call notifying you of that Bahamas cruise you just won, or your bank notifying you that your account is overdrawn and that they just need a few pieces of information to take care of the issue. In statistics shared by Social-engineer.org, social engineering “is a vector used in over 66% of all attacks by hackers, hacktivists and nation states”.

Simply put, when it comes to pulling data, social engineering is the most widely used means because it is cheap to implement and has a high success rate. In this case, a healthy amount of skepticism is the best medicine for these types of tactics. Be protective of your information, and if it doesn’t sound or feel right, it might not be.

Give a Man a Phish

Obviously the header is a play on the old saying, “Give a man a fish and you feed him for a day…”; in this case, however, you may be feeding the sharks instead. Phishing is the term for a digital form of social engineering in which criminals use a variety of digital platforms (email, social media, websites, instant messengers and SMS texts) to solicit information, or even to change or take advantage of your behavior online. This tactic, like social engineering in general, is easy to implement and usually pretty effective! As we noted above, a healthy amount of skepticism and an understanding of the techniques criminals use will go a long way in protecting your data.

Conversations, Phone Calls and Emails...Oh My!

It can be overwhelming to think about how many ways you can be at risk. However, there are a few ways for you to decipher the legitimacy of a message and spot these phishing attempts. The SANS Securing the Human website has also shared a great visual showing ways you can identify some of the concepts below.

  1. Legitimate communications will never ask for sensitive information (like Social Security numbers, passwords or bank account numbers).
    At no point in our adult lives have banks, or corporate service providers like PayPal or eBay, ever asked you for a password or account information (they already have all of it). Be aware that criminals often use tactics like threats or situations requiring urgency on your part. Their intent is to strike fear or tension into your mind in the hope of causing a lapse of judgment.

  2. Look for grammar mistakes and generic greetings, and hover over links sent to you.
    Phishing attempts typically originate from outside our country, and often from countries where English is not the first language. Look for misspellings or mistakes (images that look wrong, a different font, etc.) in these emails as a sure sign that you are being phished. In addition, on a PC or Mac, simply hovering over a link will show the real URL it points to, either under the link or at the bottom of your screen.

  3. When in doubt, check it out! 
    Check with your bank or other establishments using communication channels like official customer service lines, websites and legitimate email addresses. Don’t click the links, don’t provide your information and don’t fall for these tricks.

  4. Finally, report the phish!
    Google has made it really easy for you to report spam and phishing attempts. Just to the right of your reply button is a small down arrow; clicking it gives you a list of options that includes Report Phishing. Doing this allows Google to filter out these types of messages in the future.
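As an added illustration of the “hover over links” advice above (this is example code, not part of the original article), the following Python script pulls every link out of a constructed phishing-style HTML email and flags any whose visible text reads like a web address while the real target, the href a mouse hover would reveal, points to a different host. The domain names are placeholders.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

class LinkCollector(HTMLParser):
    """Collect (visible text, href) pairs for every <a> tag in an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []

    def handle_data(self, data):
        if self._href is not None:      # only collect text inside an open <a>
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None

def host_of(url):
    """Lower-case host of a URL; text without a scheme (www.example.test) is read as http."""
    if "://" not in url:
        url = "http://" + url
    return (urlparse(url).hostname or "").lower()

def looks_like_url(text):
    """True when the visible link text reads like a web address rather than 'Click here'."""
    return "://" in text or ("." in text and " " not in text)

def find_mismatched_links(html):
    """(visible text, real target) pairs where the text shows one host but the href leads elsewhere."""
    collector = LinkCollector()
    collector.feed(html)
    return [(text, href) for text, href in collector.links
            if looks_like_url(text) and host_of(text) != host_of(href)]

# Constructed sample message; the domains are placeholders, not real sites.
SAMPLE_EMAIL = """
<p>Your account is overdrawn. Log in within 24 hours to avoid a fee:</p>
<a href="http://example-bank.account-verify.test/login">https://www.example-bank.com/login</a>
<p>Questions? Visit <a href="https://www.example-bank.com/help">www.example-bank.com/help</a></p>
"""

if __name__ == "__main__":
    for shown, real in find_mismatched_links(SAMPLE_EMAIL):
        print(f"Link shows {shown!r} but really goes to {real!r}")
```

The second link is left alone because its text and its href agree; a link whose text is just “Click here” is not judged by this check, which is exactly why hovering to read the real URL matters.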

Spear-Phishing and Drive-By Downloads

In some extreme cases, criminals may specifically target a group, a school or an individual as potential prey. This concept of a focused attack is called spear-phishing. While general phishing activity casts a wide “net” of potential targets, spear-phishing targets a much smaller, more direct population. The criminal has done their research and has narrowed the focus to a target, possibly one individual.

Using some of the same tactics described above, criminals may use spoofed addresses or accounts of vendors, friends and even family to exploit the trust built within those relationships, either to pull information from you or to direct you to malicious websites loaded with malicious software, or malware, designed to infect your device. This tactic of getting a user to click through to a malicious site is called a “drive-by download attack”. The website itself may not seem malicious, but the payload delivered to your browser or computer may have some ill effects. Things like keyloggers (software that tracks your keystrokes), backdoors (software that allows hackers to peer into your machine) and Trojans (software built to mislead and propagate further attacks) could be installed without you even knowing.

Thanks for the Paranoia

Understandably, you may now be second-guessing every email from family and friends. You may even think about cutting off all communications with the outside world! Before you do that, be assured that there are steps we can take to protect you and your devices from these types of attacks.

  1. Strong “keys to the kingdom”
    Just as in any secure home, the strength of the lock on your front door is extremely important. The same goes for your accounts online: creating a strong password is key to ensuring social engineers and phishers cannot use the information you share against you. That means if you really love the Broncos, a password like Broncos123! is not a good idea. As a great image shared by Ars Technica illustrates, using passphrases (a sequence of words) is a great way to create memorable yet strong passwords. Going a step beyond, you could also set up Two Factor Authentication (instructions below).

  2. The best offense is a good defense!
    This phrase, commonly associated with sports or military warfare, is also true when it comes to our devices. Each device running its own software, or operating system, requires patching and other tools to keep it running smoothly. Keeping your Mac, PC or mobile device up to date with current patches and versions is important. Using tools like antivirus software (here are some free options) helps notify you of, and eliminate, potential threats online.

Oops!

Oftentimes we make mistakes and fall victim to attacks. Honestly, some of these emails are getting really sophisticated and harder and harder to spot. Don’t fret (too much), and know that there are ways to minimize the impact.

  1. DCSD Employees: Contact the Information Technology Service Desk (ITSC)
    Opening a ticket with our staff at the ITSC is a great way to get help minimizing the impact of a phish. Share as much information as possible so we can best support you and minimize the impact of this type of an attack. Head to helpdesk.dcsdk12.org to start the process.

  2. DCSD Employees: Use our Self Service Portal to change your password and update your security questions.
    Changing your password, especially in cases where you are being specifically targeted and may or may not have fallen victim, is a way to keep criminals out of your account and devices and to minimize the information stolen. Head to selfservice.dcsdk12.org to change your security questions, personal information and password.

  3. Add additional layers of security to your work and personal accounts (Two Factor Authentication).
    Two Factor Authentication (2FA) is the practice of combining something you know (a password) with something you have (a mobile device). This additional layer protects you from hackers attempting to access your accounts remotely by requiring a special code that is sent to you by text message or generated by a special app on your phone. Google, Facebook, Twitter and most banks currently support 2FA, and you can (and should) set it up on your work and personal accounts today. https://www.google.com/landing/2step/

  4. Contact your banks, credit companies and stores to notify them of the attack on your information.
    Just as when you lose your credit card, purse or wallet, it is important to let law enforcement and your financial institutions know that you have potentially shared your financial account data with a criminal. Most institutions have fraud departments and can monitor or adjust your accounts to stop any transfer or theft of funds from your accounts.

  5. If you have shared information like Social Security numbers or other sensitive personal information
    Identity theft is a huge issue, so much so that the government has created a resource site for combating the effects of this horrible situation. Visit IdentityTheft.gov to view these steps.

Other Resources:

There are a ton of great resources available that discuss everything from home security to ways you can secure your family online.

StaySafeOnline: Protect your Personal Information Online: Offers information on everything from cyberbullying to the data privacy laws, statutes and governance that school districts are required to comply with, such as the Family Educational Rights and Privacy Act (FERPA).

Microsoft’s YouthSpark Online Safety for Families: This site provides a variety of resources on ways families can plan and implement changes at their home to protect their data and devices from attack.

Douglas County Sheriff’s Department Internet Safety Page: This site is our local Sheriff’s page on Internet safety, with a few things families can do to protect their information. Another great resource is their Cyber Tip line.

Wombat Security Free Security Awareness Training Resources: Resources from a company that grew out of programs between the Department of Defense and Carnegie Mellon University; they are focused on reducing the risk of being phished, hacked and more.
