ARLINGTON — Bryan Terry manages the information systems and security for the city of Arlington, and he spoke the Arlington-Smokey Point Chamber of Commerce July 12 about how they could do the same for their businesses and households.
Terry warned against getting hooked by “phishing,” when scammers send emails that direct recipients to click links that will collect their data, as well as “spear-phishing,” a more targeted version of the same scam.
“It’ll look like it’s from Amazon or PayPal or your bank, telling you there’s a problem with your account, but they will almost never send you an email directing you to another site,” Terry said. “So instead, log into your account to see if there’s anything that you need to fix.”
Spear-phishing uses more personal details about you that are available through LinkedIn or social media sites to create even more specific charades.
“They can find out which high school you went to, or what community colleges you might be attending, then send emails that look like they’re from the reunion committee, or from the registrar saying there’s an issue with your transcript, preventing you from receiving certain credits,” Terry said. “They’ll butter you up, Google the actual area code of the organization, use an official-sounding title, even copy the organization’s logo and paste it at the bottom of the email.”
Even if such emails don’t ask recipients to click a link and volunteer information, they can include embedded files, containing malware that launches silently. Terry recommended disabling macros on your computer to prevent that.
“As soon as they have your data, you can distribute it instantly,” Terry said. “By the same token, if they sneak a virus into your system, it can lay dormant for months before launching too rapidly to respond.”
Terry noted that, while smartphones such as Apple and Android are encrypted, older phones might not be.
Regardless, he emphasized the necessity of creating, maintaining and regularly testing data backups on all of your important computer and cellphone files so that you can afford to lose the originals if they’re wiped.
“If you’re backing it up onto the cloud, it’s better to go with someone reputable, like Google, Apple or Microsoft,” Terry said. “If you’re using another hard drive or a USB stick, it probably shouldn’t be your only one in case it gets lost in a fire.”
Terry prefers brand names with history because if a relatively new cloud company goes out of business, all that data could be lost.
He also urged folks to use effective passwords.
“Bad passwords include names, dictionary words, consecutive digits and anniversary dates,” said Terry, who also warned against using the same password for multiple accounts.
To make his passwords extra secure, he uses a password manager, and singled out KeePass, LastPass and True Key as effective. If possible, users should also opt for password protection that’s part of a two-factor authentication system, asking for additional data such as your ZIP code or sending your phone a text.
Without such measures, your computer network could be hacked by ransomware that can encrypt files at a rate of 30,000 per second, or file-sharing by the “dark web.”
“Ransomers typically demand to be paid in Bitcoin to release your network back to you, but there’s no guarantee that they’ll do it,” Terry said. “If they’re operating out of Eastern European countries that have no extradition treaties with America. The FBI has no leverage against them.”
Terry warned that small businesses represent low-hanging fruit for hackers, who also circulate tax and insurance records, Social Security numbers, HIPAA-protected information and customer accounts with J.P. Morgan, eBay, Target and Ashley Madison. Even copy machines that capture scans of every document and fax that are run though them should have their hard drives scrubbed before they’re shipped out of an office.
“Install a good antivirus program, keep up to date with all your software updates, and limit users’ admin access whenever possible,” Terry said. “And limit the amount of information you divulge on social media. Remember, the human element is always the greatest risk to information security.”