Cybersecurity Awareness Month – Week 1
October is Cybersecurity Awareness Month, and the theme for the first week is “Be Cyber Smart”. As the leader in hardware security, we at Sepio want to share some tips to help you “be cyber smart” when it comes to avoiding hardware-based attacks. Hardware-based attacks, despite being sorely underreported, are a significant and proliferating threat. According to Honeywell’s 2021 USB Threat Report, in 2020, 37% of threats were designed to exploit USB devices, almost double the previous year’s figure. Layer 1 visibility issues – stemming from a general lack of hardware security – allow attackers to use manipulated USBs and other Rogue Devices to bypass air-gapped networks and perform malicious activities, such as malware injection, data theft and more. So, as cybercriminals continue their covert hardware attacks, we hope our tips will help you be cyber smart.
An enabling environment
Today’s digital environment provides ideal conditions for a hardware-based attack. Honeywell’s research found that USB usage was up 30% between 2019 and 2020, thus increasing organizations’ vulnerability. Further, our reliance on technology means we are using more devices than ever, each one acting as an access point for malicious actors. Internet of Things (IoT) devices are especially valuable entry points due to their accessibility. The fast-growing teleworking trend has enabled hardware-based attacks as employees operate from less secure locations. Remote work has also lessened enterprise control over the devices their employees use, thereby increasing the risk.
Existing security solutions lack the Layer 1 visibility necessary to detect Rogue Devices, meaning employee awareness is critical. Below are some helpful tips to avoid hardware-based attacks and help you be cyber smart.
Tip 1 – Don’t Take What isn’t Yours
Discovering a misplaced iPhone charger in the office might seem like nothing short of a miracle when your phone is out of battery. But – and this cannot be stressed enough – do not use it. The “charger” (or any USB device that doesn’t appear to have an owner) might be a Spoofing Device that, when used by the unsuspecting victim, carries out malicious activities. In what is known as an “Evil Maid attack”, cybercriminals covertly gain access to their target and plant the manipulated device inside, with the hope that a negligent employee will pick it up and use it. To avoid such a scenario, wait until you have access to your own charger – it’s better to leave your phone dead than give criminals access to everything that’s on it.
Be cyber smart and don’t take what isn’t yours.
Tip 2 – Avoid What’s Accessible
Similarly, one should not connect to public charging kiosks. These stations are very accessible, meaning not only are they used by hundreds of people a day (all of whom are potential targets), but they are highly susceptible to physical manipulation. Such attacks are known as “juice jacking”, and federal agencies, both in Europe and the United States, have issued alerts warning about the dangers of public charging kiosks. In a juice jacking attack, the perpetrator conceals a Rogue Device within the docking station that provides access to the data on the device getting charged. Of course (most) cybercriminals aren’t interested in the contents of your family group chat. But, as we use technology in various aspects of daily life, such as online banking and work-related tasks, our devices collect more valuable data than we’d like to admit.
Be cyber smart and avoid what’s accessible.
Tip 3 – Be Aware of Stranger Danger
Hardware-based attacks require physical access and, sometimes, this means engaging directly with the target, i.e., the employees. To do this, and do it well, cybercriminals put a lot of effort into reconnaissance activities; they know who to target, when and where. The kind stranger in the coffee shop who lent you their charger when your phone died might not be as innocent as they seem. Similarly, the free USB handout you took as part of a marketing effort might cost you more than you think. As they say, nothing is ever a coincidence, and nothing in life comes for free. While we can all be tempted by the kindness of others and a free goodie, it is exactly such naiveté that malicious actors exploit.
Be cyber smart and be aware of stranger danger.
Tip 4 – Buy Straight from the Source
All this being said, when using your own charger (or any device), make sure it’s one you can trust. This is especially important with the rise in teleworking. When working from home, we want to be as comfortable and productive as possible. For many, this means buying gadgets and devices that make the home office a prime working location. Websites like Amazon and AliExpress offer thousands of home office devices that meet our needs while also fitting our aesthetic – usually at a very reasonable price.
But just because you can buy a funky neon keyboard online for $10, it doesn’t mean you should. Many e-commerce sites sell extremely well-made counterfeit goods; purchasing a Logitech keyboard doesn’t mean purchasing a Logitech keyboard. Unless you buy directly from the manufacturer or a trusted reseller, you can never be sure where a device comes from – or what it does. It’s always better to purchase straight from a reputable brand, even if it means spending a little more; trust me, you’ll be saving yourself a lot in the long run.
Be cyber smart and buy straight from the source.