by Larry Magid
This post first appeared in the Mercury News
Although it’s very unlikely that average Americans will be directly targeted by a Russian cyberattack, it is quite possible to become an indirect victim of an attack against a company, health care organization or government agency we rely on. It’s also possible for Americans to suffer collateral damage as a result of a Russian attack against facilities in the U.S., Ukraine or anywhere else in the world.
I see no reason to curtail any online activities, but just as when we hear of a natural disaster in another part of the world, the likelihood of cyberattacks anywhere is a good reminder to shore up our personal defenses. Even though the Russian government isn’t likely to attack your personal devices and accounts, there are plenty of cybercriminals around the world who are constantly attempting to separate people from their money through cyberattacks.
Russia is likely to unleash cyberattacks against government and financial institutions around the world, including the United States. These days, a cyberattack can do as much damage as blowing up a bridge—even more when you consider the number of people who can be affected by a single attack. The company behind the Colonial Pipeline had to stop delivering fuel to millions of Americans after a hacker group infiltrated its systems in a ransomware attack. Though the attack was against a single company, innocent people were affected. The attackers, according to published reports, are believed to have been operating out of Eastern Europe or Russia. The 2017 Equifax data breach may have been aimed at a single company, but it compromised the security of nearly 150 million Americans who did nothing to deserve having their personal information stolen and potentially used against them. There are plenty of other examples.
Even if the attack isn’t aimed at an institution you rely on, there is also the possibility of malware aimed at one entity affecting others. Malware has a tendency to replicate itself and — once unleashed into the wild — can spread like a virus to other systems, even if they aren’t the intended victims.
What you can do
If institutions you rely on are attacked, it could affect essential services so — just as with a natural disaster — it’s a good idea to have water, nonperishable food and cash on hand, along with flashlights, batteries, a way to charge devices if your power goes out and other emergency supplies. You’ll find an emergency tech checklist at connectsafely.org/disaster.
As an individual or small business, there is nothing you can do to protect the institutions you rely on, but there are things you can do to shore up your own defenses, and there are information sources you can use to find out whether you may have been a victim of a data breach.
The advice I’m giving during this period of increased risk is the same advice I would give at any time:
- Make sure you have strong and unique passwords
- Use multifactor authentication for email, social media, financial and health-related accounts
- Make sure all your software, operating systems and browsers are up-to-date
- Use anti-malware software
- Be careful what you click on or download
- Don’t believe everything you see or read
I’m always amazed at reports of people using common dictionary words or the names of their pets or children as passwords. Your passwords should be unique, at least eight characters long (longer is better) and not dictionary words. I know it’s impossible to remember multiple passwords, but you can use a trick—such as constructing a sentence and using the first character of each word. For example, you could remember the phrase “My best friend Sam T Jones is really a very nice guy” as the basis for the password Mbf$TJ1ravng. If you’re not able to remember multiple passwords, you could adapt this one so it’s different for different sites by adding letters or numbers to it.
Multifactor authentication is similar to your ATM card, where you need both the card and the PIN code. In most cases, it involves the site operator sending you a text message with a code that you use in addition to your username and password. An even more secure method is to use an authenticator app such as Authy, Google Authenticator, Microsoft Authenticator or LastPass Authenticator that will generate a code for you either on your smartphone or PC. This method isn’t 100% hacker-proof, but it is much stronger than only using a password. And lest you worry about inconvenience, most of these systems only require you to authenticate yourself if you’re using a new device or browser.
You’ll find more about passwords and multifactor authentication at ConnectSafely.org/passwords.
Keeping your software up-to-date is important because it protects you against flaws that the company knows about and has fixed. If the company behind your software knows about a flaw, there is a good chance that hackers do as well, which makes these known flaws even more dangerous. Most operating systems can be configured to automatically update themselves, but as a precaution, I manually check every few weeks. Sure enough, sometimes I find that my phone or PC is out-of-date. Applications, especially browsers, can also be vectors for attacks, so make sure they, too, are up-to-date. The same goes for smartphone apps.
Antivirus software isn’t foolproof, but it’s yet another defense. PCMag does an annual review of antivirus software for PCs and Macs. Search for “PCMag antivirus.”
Be careful what you click on, download and believe
Being careful about websites you visit and what you download is important because of the possibility of having malware installed on your device. Once it’s there, all bets are off in terms of device security, because it’s possible for malware to completely take over your device. Be especially cautious if you get a link via email or text. It could be a “phishing attack,” where a criminal creates a webpage that impersonates a legitimate one such as a bank site. When you log into that fake site, you’re turning over your username and password to criminals who can use them to access your real accounts. But don’t just limit your caution to financial sites. Phishing attacks have been used to access people’s email accounts, which can then be used to compromise other accounts. They can also be used to gain access to social media credentials so that hackers can commit crimes in your name, sometimes against your friends and family.
Finally, be careful about what you read, see and share online. Disinformation has become a major weapon in the last few years, and Russia is a major source of disinformation around the world. But it’s not just Russia. Always check information sources carefully before believing them, acting on them or passing them on to others. You’ll find a guide and a Quick-Guide on this at ConnectSafely.org/MediaLiteracy.