Last updated at Fri, 25 Mar 2022 14:52:41 GMT
As security professionals, we are currently being bombarded with warnings and alerts of a heightened threat level due to the possibility that Russia will start to more aggressively leverage cyberattacks as part of their offensive. If you are feeling the pressure of getting everything done, check out this post that identifies the 8 most important emergency conflict actions for your security program.
This post is meant as a companion piece that gives advice for non-security-pro digital citizens to protect themselves and, by extension, help protect their organizations.
As security pros, we do not live in a perfect technical vacuum where we make system-wide Decisions That Will Be Obeyed by Everyone in Our Domain. Rather, we must acknowledge that our users are part of the equation. They can be tricked and manipulated. They lose devices or leave them unlocked in public. They may not follow policy, connecting to unsecured networks, using personal devices for work, or buying unvetted apps.
In other words, they make your life more complicated. But they are likely also watching the same news reports you are and may be wondering what they can do to help protect against the prospect of Russian aggression. This is your opportunity to harness that desire to help, and educate your non-security friends, family, and end users on making it through a cyber conflict. This could be a step toward inspiring them to think more about security in the long term.
1. Control who can access your accounts, apps, or devices
Password hygiene and password managers
These days, most technical devices or apps will give you the option to set up a password, PIN, or pattern. It’s highly recommended that you do so, and that you also avoid reusing passwords and change them often.
If you follow that advice, you’ll end up with a lot of information to remember. This is where a password manager comes in. Password managers automatically store and fill passwords as needed. They’ll also help you generate passwords if you want them to, ensuring each one is unique and adheres to the requirements of the site, app, or device. Some also offer other benefits, such as working across multiple devices so your passwords can sync across your laptop, tablet, and mobile. Another cool feature is the ability to share selected passwords with designees, for example if you want to give a family member access to your Netflix account. There are plenty of decent and inexpensive password managers out there. Examples include LastPass, Bitwarden, 1Password, and Dashlane.
Turn on a second layer of protection for your accounts (2FA/MFA)
Having unique and hard-to-guess passwords is important, but it’s not a magical fix that will make you invulnerable to hacking. Cyberattackers will try to trick you into giving them your password, or they may try to guess or crack it. If you are reusing passwords (which is a bad bet), they may already have your password from a previous successful hack.
In situations such as these, having a second way to prove who you are when accessing your accounts is critical to help you protect your private data and accounts. This is referred to as two-step verification, two-factor authentication (2FA), or multi-factor authentication (MFA). The second step or factor might be a code sent to a trusted device, a physical token (such as a scannable key tab or a YubiKey), or a biometric (such as your fingerprint or a facial scan). You don’t have to set up 2FA on everything (though it definitely doesn’t hurt to do so), but we strongly recommend you add it to anything holding very sensitive information, such as your online or mobile banking apps, your mobile phone, or other devices.
2. Pay attention to experts
Listen to your employer or other affiliated organization
Pay attention to all internal communications from your work/school/organization, as they likely have situation-specific guidance pertaining to any malicious activity against that organization. Be sure to follow any guidance or policies they issue.
Look out for alerts from apps and services
The vendors and other organizations you do business with should notify you if they are victims of a cyberattack. Look out for communications from them, but be cautious of anything asking you for info or to take an action, as these could be fraudulent. If you receive a communication asking you to take an action, instead of clicking on links within the email, we recommend going directly to the company website or using a search engine to find the information. You should find information to indicate whether it’s legitimate or a scam.
Relevant regional information
Ensure you know where to find information on local services and infrastructure — for example, your local government’s website, social media feeds, or other forms of local media, such as TV, radio and print.
One way that Russia may try to gain footholds in organizations is through identity theft of individuals. Signing up to credit reports, and actually paying attention to them, is one way to catch and respond to this activity early on. Many credit card companies offer this service for free.
3. Hope for the best, but prepare for the worst
Attacks against critical infrastructure
There is a lot of speculation that Russia will target cyberattacks at critical infrastructure. A great deal of effort is going into building resilience into these organizations and systems, and we hope that widespread outages will not occur. However, the Colonial Pipeline, JBS, and HSE attacks in 2021 highlighted the scale of disruption that can be caused by cyberattacks against critical infrastructure. In the same way you would plan for warnings of incoming hurricane activity, we recommend you consider what you might need to weather outages of power, water, or other critical services.
Back up your data offline
The major technology companies typically invest a great deal in cybersecurity to ensure your data is protected; however, they also may make for attractive targets of Russian hacking. They will also be just as affected as everyone else is in the case of power outages. If you are worried about being able to access information in these events, you may want to create an offline backup of your most essential data.
The guidance above focuses on the most critical actions to help individuals navigate the current threats of cyber conflict related to the Russian invasion of Ukraine. For more general advice to individuals for protecting your digital identity, check out this guide, which was created in a collaboration with the UK government’s Cyber Aware campaign.