Dan earned his CompTIA (CIOS) certification in 2010 and worked in the computer repair/networking industry for several years.
The Implications of the 2021 T-Mobile Data Breach
“Their security is awful.” These are the words uttered by a 21-year-old who hacked into the tech giant’s database in early August of 2021, stealing the personal data of millions.
According to T-Mobile, social security numbers and birthdays were disclosed along with phone-specific information such as IMEI and IMSI numbers. At first glance, some of the stolen information might not seem concerning. What needs to be understood, however, is that computer hackers work by building profiles of their victims. It’s all about obtaining little bits of information at a time, and then the cybercrime occurs almost right under your nose.
As is so often the case with computer security breaches, whether they affect businesses or consumers, poor security posture is the doorway through which tech-savvy criminals succeed. Even more important is recognizing complacency: the tendency to feel secure on the premise that no cybersecurity issues have occurred in your life.
Most people don’t realize how much can be done for protection besides installing antivirus software, much of it attainable with relative ease and free of cost. Below are some tips that apply to both consumers and businesses.
- Software Vetting
- Website Vetting
- Data Destruction
- Data Availability
- Physical Security
- Security Policies
- Phishing and Baiting Risk Mitigation
- Third-party Risk Management
- Patch Management
1. Software Vetting
Software should be carefully vetted before it is installed on a computer. Software downloaded from the internet, typically for free, is often laced with malicious software. The primary factor to consider is the source it is downloaded from.
Websites that use security certificates tend to be trustworthy. Their certificates are issued by trusted third parties who verify that the website owner is who they claim to be, much in the same way governments issue IDs to citizens to confirm identity.
There are various ways to check whether a website has a security certificate. The easiest is to look for the lock icon in the browser’s address bar when visiting the website; clicking it reveals the certificate details. If no lock icon is present, the browser has not verified a security certificate for the website, in which case you should proceed with caution.
In general, it’s better to use websites with security certificates. However, hackers are known to set up websites with certificates to make them appear trustworthy. Proceed with caution, and apply website vetting, when downloading and installing software.
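One check that goes beyond the lock icon, as an added example that is not from the original article: many vendors publish a SHA-256 checksum file next to each download, and comparing the downloaded file against it catches a corrupted or tampered copy. The code assumes a SHA256SUMS-style manifest ("<hex digest>  <filename>" per line) and uses a constructed file and manifest in its demo.

```python
import hashlib
import hmac
import os
import tempfile

def parse_sha256sums(text):
    """Parse a SHA256SUMS-style manifest: one '<hex digest>  <filename>' per line."""
    expected = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        digest, _, name = line.partition(" ")
        name = name.strip().lstrip("*")  # sha256sum writes '*name' for binary mode
        if len(digest) != 64 or any(c not in "0123456789abcdef" for c in digest.lower()):
            raise ValueError("malformed digest for %r" % name)
        expected[name] = digest.lower()
    return expected

def sha256_of_file(path, chunk_size=1 << 20):
    """Hash in chunks so a large installer never has to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk_size), b""):
            h.update(block)
    return h.hexdigest()

def verify_download(path, manifest_text):
    """True only if the file's SHA-256 matches its manifest entry; unlisted files fail."""
    expected = parse_sha256sums(manifest_text)
    name = os.path.basename(path)
    if name not in expected:
        return False
    return hmac.compare_digest(sha256_of_file(path), expected[name])

# Constructed manifest: the well-known SHA-256 of the bytes b"abc", which stand in
# for an installer in the demo below.
MANIFEST = "ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad  installer.bin\n"

def demo():
    """Verify an intact copy, then the same file after one byte is appended."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "installer.bin")
        with open(path, "wb") as f:
            f.write(b"abc")
        intact = verify_download(path, MANIFEST)
        with open(path, "ab") as f:
            f.write(b"\x00")
        return intact, verify_download(path, MANIFEST)
```

A checksum fetched from the same page as the download only proves the file matches what that page offers; take the checksum (or a signature) from an independent channel when vetting the source itself.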
2. Website Vetting
Computers can be used in a variety of ways to lure users and break into their personal lives. When surfing the internet and something raises suspicion of foul play, chances are the suspicion is justified. Computers are designed to be an extension of the way people operate and think in everyday life, so when suspicion arises, it should give you pause.
Some organizations that run honest operations will have their websites compromised by computer hackers. How this is done is irrelevant here. What needs to be understood is that compromised sites can be used to exploit vulnerabilities on visitors’ computers. Ads can be hijacked, and drive-by downloads can occur, where a computer automatically downloads and installs malicious software.
There are various ways to vet websites. First and foremost, as mentioned above, a valid security certificate is a good sign that a website is safe. Online services such as Google Transparency Report check whether a website is likely safe. Browser extensions are available that allow access only to websites included in their whitelist. When unsure whether a site is safe, ad or script blocker browser extensions can add a layer of security (though their default settings might need adjusting for ease of use).
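An added example, not part of the original article, showing the logic an allowlist-style extension has to get right: the scheme must be https (the padlock), the host must come from the parsed URL rather than from the visible text, and the domain match must respect label boundaries. The allowlist entries are assumptions.

```python
from urllib.parse import urlsplit

# Constructed allowlist; an assumption for this example, the article names no sites.
ALLOWED_DOMAINS = {"example.com", "microsoft.com"}

def hostname_allowed(host, allowed):
    """True if host is an allowed domain or a subdomain of one.

    A bare endswith() is a classic bug: 'evil-example.com'.endswith('example.com')
    is True, so the check must anchor on the dot that separates labels.
    """
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in allowed)

def url_allowed(url, allowed=ALLOWED_DOMAINS):
    """Decide whether an allowlist like the extensions above would load this URL."""
    try:
        parts = urlsplit(url)
        host = parts.hostname  # drops userinfo and port: 'https://example.com@evil.test/' -> 'evil.test'
    except ValueError:
        return False  # malformed URL (for example a bad IPv6 literal): deny
    if parts.scheme != "https" or not host:
        return False  # no TLS, no padlock, no access
    try:
        ascii_host = host.encode("idna").decode("ascii")
    except UnicodeError:
        return False
    # A Unicode lookalike such as 'ex\u0430mple.com' (Cyrillic a) becomes an xn-- name
    # here, which can never equal an ASCII allowlist entry, so it is denied.
    return hostname_allowed(ascii_host, allowed)

def filter_urls(urls, allowed=ALLOWED_DOMAINS):
    """Return only the URLs the allowlist permits, in their original order."""
    return [u for u in urls if url_allowed(u, allowed)]
```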
3. Data Destruction
Thoroughly destroying hard drives and other data storage devices before discarding them is important. Personal information stored on computing devices getting into the hands of criminals is a recipe for identity theft, to say the least. It’s important to make sure data storage devices are erased effectively.
Even if a device is malfunctioning, a tech-savvy person could tinker with it to retrieve information. Moreover, merely deleting files from computers and data storage devices does not remove the information stored on them; the devices must be overwritten using specialized software, which in some cases can be downloaded for free. Professionally built hard drive destroyers also work, especially when devices must be discarded on a large scale.
4. Data Availability
Authoritative standards such as ISO 27001 treat data availability as part of the security model, and this applies to consumers as well as businesses. Since compromised computers can lead to lost data in addition to identity theft, measures should be taken for data storage redundancy.
Best practices are to store copies of data off-site in case of disasters including but not limited to fires, floods, and theft. All sorts of backup solutions exist and no single backup method is appropriate for all situations, but the following are some common scenarios.
- Backup media: Storage devices that hold data vary greatly, as do backup procedures. If the total size of the files to be backed up is relatively small, storing them on a USB flash drive or SD card can suffice for the average home or small business user. Carrying the media in a pocket, backpack, or purse can serve as a type of off-site backup, depending on the situation.
- Cloud backup: This is available for free in some instances and at a cost in others. It allows automated or manual backup of files to a storage server on the internet. Examples include Google Drive, Microsoft OneDrive, and Dropbox. If data is lost locally, it can be restored by downloading it after normal computer operations have been restored.
Backup systems can be complex and require trained personnel to handle them. Backup servers can exist at the same site where the original data is kept, so the data can be restored quickly if its use is time-sensitive. Organizations that store backups on-site often also retain cloud storage services for redundancy.
5. Physical Security
If cybercriminals could gain physical access to a computer, it would make their job much easier: they would not have to circumvent the network security that is typically part of their routine. When a cybercriminal across the internet wants access to another’s computer, they typically first try to acquire information that identifies the device, such as its IP address.
That address typically belongs to a private range sitting behind network equipment such as NAT (network address translation) devices, and a computer hacker would have to work around this in order to obtain identifying information about the computer.
Physically breaking into a building allows direct access to the computer and renders sophisticated network hacking unnecessary. Security guards, video cameras, efficient locks (including tether locks), and safes are recommended to mitigate the risk of direct computer access.
6. Security Policies
As computers and networks climb the ladder to more sophisticated setups, where trust among users (and employees) becomes a factor, the network administrator must consider integrating a broader range of security policies. Separation of duties and least privilege are examples of extended security policies. Their purpose is to prevent a single person from having so much access that they could compromise security, especially in cases where an employee develops a grudge against their employer.
The concept applies in a general sense, even where computers are not being used. Microsoft Windows, however, provides ways to extend the concept to computer use: user accounts can be configured so that employees may access only the functions necessary to do their jobs.
7. Phishing and Baiting Risk Mitigation
Phishing is a type of social engineering in which perpetrators use various methods to pose as honest entities in order to trick computer users into giving away private information. Phishing awareness is a first step and extremely helpful for reducing the risk of falling victim to the attack.
In addition to awareness, developing easy-to-understand and coherent policies is critical for risk mitigation. Companies spend hundreds to thousands of dollars reducing the risk of computer crime threats. A single employee who does not understand policies pertaining to phishing attacks could render security efforts null, wasting countless resources and measures put into place.
Baiting is similar to phishing in that it fools users into believing they are receiving something legitimate. Those who seek to commit computer-based crimes can send emails that include offers for free products or services. It can occur through private messaging, texting, or phone conversations as well.
Clicking the links in these offers can provide a path for malicious software installation or for illegally obtaining credit card information. Awareness is a primary tool in mitigating this type of threat.
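As an added example, not from the original article, here is a small Python check for three phishing tells that awareness training teaches: a display name that names a different domain than the real sender, a Reply-To pointing elsewhere, and link text that does not match where the link goes. The sample message and all of its domains are constructed placeholders.

```python
import email
import re
from email.policy import default
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample (not a real email); every domain is an invented placeholder.
SAMPLE = """\
From: "Account Security <security@bank.example>" <alerts@bank-verify.example>
Reply-To: recover@mailbox-free.example
Content-Type: text/html

<p>Your account is locked. <a href="https://bank-verify.example/login">https://bank.example/login</a></p>
"""

class LinkCollector(HTMLParser):
    # Collects (href, visible text) pairs for every <a> element in an HTML body.
    def __init__(self):
        super().__init__()
        self.links, self._href = [], None
    def handle_starttag(self, tag, attrs):
        self._href = dict(attrs).get("href") if tag == "a" else self._href
    def handle_data(self, data):
        if self._href is not None and data.strip():
            self.links.append((self._href, data.strip()))
    def handle_endtag(self, tag):
        self._href = None if tag == "a" else self._href

def addr(msg, field):
    # (display name, domain) of the field's first address, lowercased; ('', '') if absent.
    a = msg[field].addresses[0] if msg[field] and msg[field].addresses else None
    return (a.display_name.lower(), a.domain.lower()) if a else ("", "")

def phishing_indicators(raw):
    """Return human-readable findings for the three tells; an empty list means none found."""
    msg = email.message_from_string(raw, policy=default)
    findings = []
    name, from_dom = addr(msg, "From")
    for dom in re.findall(r"[\w-]+(?:\.[\w-]+)+", name):  # domain-like tokens in the display name
        if dom != from_dom and not dom.endswith("." + from_dom):
            findings.append(f"display name mentions {dom} but the sender domain is {from_dom}")
    reply_dom = addr(msg, "Reply-To")[1]
    if reply_dom and reply_dom != from_dom:
        findings.append(f"Reply-To domain {reply_dom} differs from the From domain {from_dom}")
    body = msg.get_body(preferencelist=("html",))
    if body is not None:
        parser = LinkCollector()
        parser.feed(body.get_content())
        for href, text in parser.links:
            shown, real = urlsplit(text).hostname, urlsplit(href).hostname
            if shown and real and shown != real:
                findings.append(f"link text shows {shown} but it points to {real}")
    return findings
```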
8. Third-Party Risk Management
While computer manufacturers often provide support for their products, businesses and consumers can opt for third-party services for the repair or support of computers or programs. Although such services are helpful, they can themselves suffer security breaches in a variety of ways.
It becomes especially important to make sure third parties follow security best practices when providing them with personal or sensitive information. Protocols can be developed to manage the inherent risks of dealing with third parties.
The subject of third-party risk management is broad. The solution any consumer or business requires varies depending on a variety of factors. ISO (the International Organization for Standardization) defines frameworks for managing third parties. Factors within a framework can include, and are by no means limited to, prioritizing the level of risk, geographical location, reputation, and certifications. Services also exist to help facilitate trust between parties in addition to developing a framework.
9. Patch Management
Flaws, or security vulnerabilities, are eventually discovered in operating systems and computer programs (or apps). Vendors such as Microsoft provide patches for their operating system, Windows, which can be configured to install them manually or automatically.
Failure to install the patches raises the risk of becoming the victim of a computer crime. Third-party program/app vendors also provide patches for the software they release and routinely make updates available. Computer crime exploits often make media headlines because of unpatched systems, which is why patch management is an important concept to embrace.
Computer hackers also take advantage of undiscovered security flaws, referred to as zero-day threats. No update or patch can fix these types of flaws; the only practical solution is to become more active in computer security and less complacent.
Manage the Situation
The recommended security practices outlined herein are applicable to all types of computer users — residential users, small/medium-sized businesses, and large corporate/branch offices.
However, in residential setups, the security posture is relatively low maintenance, and practical knowledge can be obtained through various internet tutorials. For relatively large networks, it’s generally recommended that the owners retain a managed service provider specializing in computer networking, especially for data preservation and security.
This content is accurate and true to the best of the author’s knowledge and is not meant to substitute for formal and individualized advice from a qualified professional.
© 2022 Dan Martino