
Cybersecurity: 5 winning reflexes to adopt

This article was originally written in French and then translated with tools. The translation should be on point, but please forgive us if some parts are not perfect.

You can put in place all the technological measures you want, but if your employees aren’t aware of the risk and don’t adopt the right behaviors, the cyberincident is closer than you can imagine.

The best way to help them is to train them. For this, there are a multitude of solutions: live training, awareness-raising platforms, or coaching on your part, which is often difficult to achieve due to lack of time.

That said, the aim of this article is to give you some tips on how to educate your employees. Whether you already have a practice in place or not, it’s repetition that works when it comes to raising awareness.

Here’s a top 5 list of good behaviors to adopt. If you want something more visual to plaster around your offices, we’ve put together a downloadable poster (at the end of the article).

PS: People are often fed up with being told what to do and reading procedures. Our tips are presented in an original way to make them a bit more fun to read, and make your employees want to get to the end for real 😉

PS2: A good strategy would be to send one tip a week to your whole organization: it takes little time to read, and there’s more chance they’ll assimilate the content than if they read the whole thing at once.

Happy reading!

1. A panda dies as soon as someone uses the password 123456

Bingo, another subject that must be making you sick: passwords! 😃

It’s the biggest pain in cybersecurity. Yes, you’re sick and tired of being told over and over that your password must be unique, at least 12 characters long and include special characters, both upper and lower case.

First of all, the experts have changed their tune: forget the characters and concentrate on length.

A good way to make long passwords memorable is to use a passphrase, such as: IT-is-getting-on-my-nerves-about-passwords. This one’s perfect 😎

Why unique? It’s not your fault, but data is regularly leaked from platforms like Adobe or LinkedIn. If your (unbreakable, right?) password is known to hackers and you use it elsewhere, they can easily guess it. Yes, really easily, with the “credential stuffing” method, which allows them to test thousands of password combinations in just a few minutes (another concept that goes down well at happy hour 😎).

There aren’t 50 ways to manage your passwords (unless you can learn dozens or even hundreds of passphrases and remember which website they’re linked to): use a password manager (a dolphin dies every time someone uses an Excel file to write down their passwords). If your organization doesn’t offer one, it’s your turn to go pester your IT friends and ask for one, or you can go ahead and use one yourself. Free ones are available. We highly recommend (paid): https://1password.com/.

We assume you know what a phishing email is. And we also assume that you’re disgusted that anyone would still talk to you about it… The thing is, since everyone knows what it is and doesn’t want to hear about it anymore, you’d think it was an outdated technique that just doesn’t work anymore, right?

Spoiler alert: it’s still one of the most popular attack vectors. In 2022, 36% of data leaks originated from phishing emails (a statistic that goes down well at happy hour 😎).

Why does it still work? It’s not only the users who have improved over the years, but also the scammers. 10 years ago, it was easy to identify a fraudulent e-mail: strange sender address, at least 5 spelling mistakes per line and a link even your cat wouldn’t click. These days, they’re perfectly written, reproduce legitimate e-mails to the letter, and even the links and URLs, read quickly, can appear legitimate (go0gle.ca, mlcrosoft.com, etc.). Not to mention spoofing attempts (when the scammer outright impersonates the sender by actually using their e-mail address).

So, do we say a prayer every morning? Don’t open your e-mails?

Here are a few reflexes that can help you for real:

  • If possible, never click on the link: open your Teams, go to your bank’s website from your browser, and so on. If the message is legitimate, you’ll find the information on your account.
  • Context is key: why are you receiving an invoice when you didn’t buy anything? Why is this company contacting you when you don’t work with them? Why is your president, who is on vacation, talking to you about an urgent investment? If the e-mail doesn’t make sense to you, you’ve already got a good clue. You can then check to see if there’s anything else suspicious in the e-mail.
  • Pick up the phone: you know the person who supposedly sent you the e-mail, but you find it suspicious (a request to change bank details, a request to reset passwords, etc.)? Call the person on the number you have on file (not the one in the e-mail) and validate.

Still in doubt? Forward the email to your IT friends, they’ll help you 🙂
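
For the IT friends on the receiving end of those forwarded e-mails, here is one way to flag look-alike domains such as the go0gle.ca and mlcrosoft.com examples above. This is an added example, not part of the original article; the trusted list and the character map are assumptions constructed for illustration.

```python
TRUSTED = {"google.ca", "microsoft.com"}  # assumed allow-list for this example

# Constructed, non-exhaustive map of digits/symbols used to imitate letters.
CONFUSABLE = str.maketrans({"0": "o", "1": "l", "|": "l", "3": "e", "5": "s"})


def skeleton(domain: str) -> str:
    """Fold visually similar characters so imitations collapse onto the original."""
    d = domain.lower().rstrip(".").translate(CONFUSABLE)
    d = d.replace("rn", "m").replace("vv", "w")
    return d.replace("i", "l")  # i and l look alike in many fonts


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, computed row by row."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(domain: str):
    """Return (verdict, imitated_trusted_domain_or_None)."""
    d = domain.lower().rstrip(".")
    for t in TRUSTED:
        if d == t or d.endswith("." + t):
            return ("trusted", t)
    labels = d.split(".")
    if any(label.startswith("xn--") for label in labels):
        return ("review-idn", None)  # punycode may render as look-alike Unicode
    for t in sorted(TRUSTED):
        n = t.count(".") + 1
        tail = ".".join(labels[-n:])  # compare the same number of labels as t
        # Distance 0 = pure character swap; distance 1 = one typo on top of it.
        if edit_distance(skeleton(tail), skeleton(t)) <= 1:
            return ("lookalike", t)
    return ("unknown", None)
```

A "lookalike" or "review-idn" verdict is a reason to quarantine the message for a human look, not proof of fraud; a production version would take the registered domain from the Public Suffix List instead of counting labels.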

3. Yes, the duck is cute on the USB stick, but don’t plug it into your computer.

Have you found a USB stick in the parking lot at work? You’re thinking of your colleague John, who may be panicking as he desperately searches for it because his PowerPoint presentation is on the USB stick. The poor guy may need it by 10 a.m. for his hyper-mega-important meeting with senior management. You’re a fantastic colleague, so you quickly plug the USB stick into your computer to see what’s on it and identify the poor person who’s misplaced it.

NEVER PLUG IN A FOUND USB STICK

There’s only one thing to do: take it back to your IT friends so they can analyze it, and also to prevent someone else, less alert than you, from making the mistake of plugging it into their computer.

Why?


Cute duck on the key, right?

This USB key, sold online for a mere $79, is called a Rubber Ducky. It looks like a standard USB key, but your computer will recognize it as a new, approved keyboard. If we simplify the concept as much as possible, inserting this USB key is like leaving your keyboard to a hacker. The computer trusts it, so it can do whatever it wants.

That’s the advanced USB flash drive. Without going that far, any standard USB flash drive can be infected with viruses or other malicious code just waiting to find a victim.

4. Are you feeling watched? You are  👀

Public Wifi, what a wonderful invention! (Especially as long as operators continue to sell their data at a premium…)

We’re not the only ones who love public Wifi. Hackers love it too, and more than we do. When you’re at Starbucks, are you 100% sure you’re using the café’s Wifi and not one created by a hacker?

The risks are:

  • Anyone behind you can read what you’re posting and watch what you’re typing (nothing to do with WiFi, but if you’re looking at confidential reports, it’s not a brilliant idea).
  • Ready for your #shininginhappyhours notion? A hacker could use the Evil Twin attack (yes, the name is cool 😎). It’s a radically effective attack: the hacker creates a Wifi network with the same name (SSID) as your café’s, say Starbuck_Wifi. If you’re used to connecting to this Starbucks Wifi, your phone is smart and will connect by itself. Except that if the hacker’s Wifi is stronger/closer than the Starbucks one, your phone will connect to the hacker’s (even if your phone doesn’t do it automatically, you’ll select it thinking you’re connecting to the café’s). The hacker will then be able to access everything you do: if you connect to your bank account, for example, they will leave with your login/password. Jackpot!

So, no public Wifi for work (or even in general).

If you must use it, ALWAYS activate your VPN. No VPN? You can share your cell phone connection with your laptop 😉

5. Configuring Windows updates: 7% complete. Do not turn off your computer.

You probably don’t have much control over software and application updates, since they’re handled by your IT friends. But you surely have a role to play in updating your web browser, laptop and cell phone. Our thoughts are with you when Microsoft takes 45 minutes to update*, but it’s for your own good. 🥺

Why is this important? Updates often contain security patches that correct new vulnerabilities that hackers are actively exploiting.

As we like to make you shine in society, we’re going to tell you about another concept that goes down well at happy hour, that of Zero Day vulnerabilities:

“A zero-day vulnerability is a computer security flaw of which the software publisher or service provider is not yet aware, or which has not yet been patched. By extension, the term zero-day exploit is used when this type of vulnerability is used by cybercriminals to launch attacks against vulnerable installations.”

Once a Zero Day vulnerability has been exploited and discovered, the company (like Microsoft) races against time to find a patch and make it available to its users via an update. Until this is done, it’s open bar for hackers to exploit the flaw as they see fit.

For your general knowledge, there is a vast black market in Zero Day vulnerabilities, estimated at several billion dollars. Governments are the main buyers: they buy a stockpile of vulnerabilities and keep them to use against their enemies, rather than reporting them to companies (yes, even towards Google, Apple or Microsoft, American companies…). It’s a fascinating subject. If you’re intrigued, here are some ideas for reading and listening (you’ll soon fall down the rabbit hole 😅):


* When you want to throw your updating Windows computer against the wall, take a deep breath and watch this video, you’ll feel better 😉: https://www.youtube.com/watch?v=xDLvUqhwHZc


So much for the written version!

Once again, if you send each tip in the form of an e-mail to your employees every week, we think that’s the winning formula.

As promised at the start of this article, you can download the poster to stick up all over your offices (yes, in the president’s office too, especially) here:

If you like the format, we’ll be back with a second edition of other tips for your employees (don’t email confidential information, talk a little more about president and supplier fraud, etc.).

So if you’re using our tips, please share your thoughts with us 🙂 And if you have any comments from your employees, we’d love to hear from them!

If you’d like to be notified when we publish future articles or discover major vulnerabilities, you can follow us on our social networks:

Peace & enjoy your reading! ✌️

Cyndie & Nicholas

    Why Yack?

    First, for those of you who don't know, the yak is an animal. The energy it radiates (chill with its toupee, but we wouldn't want to piss it off with its horns...) represents us well, and the nerdiest among you might see the little nod to Linux 😉. Of course, Yack's resemblance to Hack is no mere coincidence. It's also a short, punchy name that, once again, sounds like us. Finally, it's a word that earns you 24 points in Scrabble (hello Office de la langue française). Why did you choose .one? In offensive security, all it takes is one attack...
    A little more about us