Cybersecurity Awareness Month 2022: Four Best Practices for All Users to Follow

October is Cybersecurity Awareness Month, a national effort led by the Cybersecurity and Infrastructure Security Agency (CISA) and the National Cybersecurity Alliance (NCA). Established in 2004, Cybersecurity Awareness Month is as relevant as ever in 2022: As cybersecurity efforts have become more sophisticated and effective, so have the techniques of malicious actors.

For Cybersecurity Awareness Month 2022, CISA and the NCA are focusing on four best practices that all users should follow. This article will delve into each of these practices, describing how individuals can protect themselves from the potential damage caused by a cybersecurity breach.

Password use alone is insufficient to ensure cybersecurity. Password authentication considers only a single factor: something the user knows. In 2021, CISA added single-factor authentication to its list of bad practices. An MFA solution authenticates users with additional factors that capture something they have (such as a mobile phone) and something they are (such as a fingerprint). Today, every enterprise should be incorporating multi-factor authentication (MFA), and users should enable MFA whenever a website they hold an account with offers it.    

MFA is crucial because cybercriminals are cracking passwords using increasingly sophisticated techniques. Cybercriminals widely use brute force attacks, deploying bots to perform endless login attempts on password-protected resources. When a password is the only line of defense, these attacks are much easier to execute.

While MFA is an essential part of cybersecurity, it is still subject to vulnerabilities that users should be aware of. With MFA becoming commonplace, cybercriminals are working hard to find ways to bypass it. A modern approach attackers are using is known as an MFA fatigue attack. In this type of attack, a cybercriminal attempts to access a victim’s account using a known valid username+password combination. The criminal repeatedly prompts the victim with MFA requests in an attempt to irritate or frustrate them. As we have seen in recent attacks, the cybercriminal then employs a social engineering attack, often purporting to be someone who can assist in resolving the “glitch" if the victim simply accepts the MFA push notification or divulges the OTP code they have received.

To avoid becoming a victim of an MFA fatigue attack, it is crucial never to divulge your OTP codes or to accept MFA requests without explicitly having incited them yourself.

While the future of authentication is passwordless, passwordless adoption is still in its infancy. As long as passwords remain a component of authentication, users must follow safe password practices. Poor password hygiene includes using weak and common passwords such as “123456”, “password”, or “qwerty”, which are still among the most frequently used passwords in the US.

Reusing passwords–even strong ones–across multiple websites is also unsafe. If an attacker obtains matching username+password credentials for a user on one account, they may try the combination on multiple other websites. Additionally, even strong passwords should be changed frequently.

Of course, following these healthy password practices also makes passwords difficult, if not impossible, to remember. Password managers can help. Popular browsers like Google Chrome have built-in password managers that can suggest strong passwords and then store them securely for the next time the user logs into a certain account on their device. Alternatively, depending on their preferences for different features, users may opt to download their own password manager as a separate app or browser plugin.

Keeping software and apps updated on desktops, phones, and tablets is one of the easiest steps users can take to protect themselves online. Update prompts can be seen as a nuisance, popping up when a user is focusing on something else on their device. While it can be tempting to delay or avoid these updates, users should not wait too long before setting time aside to install them. Behind every update prompt are teams of cybersecurity and technology experts working to ensure that software operates smoothly and securely.

Some major software companies release updates on a regular basis. For instance, Microsoft and Adobe release software patches on the second Tuesday of every month, a day referred to as Patch Tuesday. Not all software updates are scheduled, however; some are issued at unscheduled times in response to vulnerabilities. It is up to users to stay informed about necessary software updates and respond quickly.

Phishing is a form of social engineering in which cybercriminals fool users into divulging sensitive information. One classic example of a phishing attack is when a cybercriminal sends an email or text message posing as a bank. The message claims that the recipient’s account has been compromised and urges them to take immediate action by clicking on the provided link. If the recipient clicks on that link and enters the information they use to log into their bank, this information goes to the cybercriminal, who can then use the credentials to commit fraud.

Whereas one phishing message may be sent at random to a huge number of recipients, spear phishing is more targeted. In this type of attack, a cybercriminal has some information on the recipient, such as the name of their company. The criminal may then disguise themselves as an executive of that company and send the recipient a phishing email. The email may contain a link or attachment that will install malware if the recipient clicks on it.

The CSA’s phishing tip sheet is a free and helpful resource for more information about avoiding this common threat.

Ping Identity will continue recognizing Cybersecurity Awareness Month 2022 throughout October. Check out our blog and our website to learn more about cybersecurity practices and identity solutions that can help you stay secure.