Training: Security Awareness Basics
This training module will cover: IT Accounts, Identity and the importance of protecting them, good password hygiene, How to spot dodgy emails/fake login pages and the importance of updates. It’s aim is to improve your general security awareness making you much less likely to fall prey to common scam and hacking attempts.
1. Your accounts are valuable
1.1 Why protecting your accounts is important
You may not realise it but accounts and the information they contain have value to those with malicious intent (such as hackers and scammers). Basic account credentials (usernames and passwords) are frequently sold online with hackers and scammers finding many ways to monetise and exploit your accounts.
In recent years we have seen the emergence of “Crypto” ransoms, where an attacker will encrypt your data and request money to allow you access to it again. Both individuals and businesses are targeted, putting your reputation at risk if it’s discovered a weak password, or simple scam targeting your accounts is the reason an attacker got in and caused damage.
Most of the time businesses have things such as firewalls, antivirus and other protection methods, but this doesn’t protect the company if you unknowingly provide an attacker the keys to the system (your password). So it’s important to take account and password security seriously for both your personal and professional life.
1.2 Accounts, usernames, emails & passwords
It is important to clarify the difference between accounts, email addresses, usernames and passwords, when talking about security. Accounts are a combination of a username and a password used by a company or a service to identify you. Usernames most often are your email address. While you can use the same email address for multiple accounts, this does not make them the same account. An account is specific to a company or service identifying you, even if you’ve chosen to use the the same email address and passwords across multiple accounts.
Account 1 – Email – Used to Sign into Gmail.com(email)
Account 2 – Facebook – Used to sign into facebook.com
The first provides access to the email account for Example.Name@gmail.com, the second only provides access to facebook. In the above example as the same password has been used for both, if one account is compromised and the password leaked, it won’t take long for hackers to attempt to login to other services using the same password.
1.3 Work vs personal accounts
Having different passwords for your work and personal accounts, it means if there is a compromise it’ll be limited to just those at work or just personal accounts, greatly reducing the impact it could have on your life.
It’s also very important to avoid mixing personal and work services. With cloud storage services becoming ubiquitous and easier to setup and use, you can to inadvertadly upload personal files into your work system (or vice versa). This risk becomes even easier to accidentally do if using the same device to access both work and personal accounts. It’s important to create a reasonable degree of separation between work and personal accounts. For those using BYOD or personal devices for work, having a separate work login is usually a good idea for making sure to keep track of which accounts you are logged into.
2: Password hygiene
2.1 Use strong passwords
A good password is one that is unique to you, and only something you know. It should be at least 10 characters (though longer is better), and should not be something that could be easily guessed. Think pass phrases rather than passwords.
Password dictionary attacks work by attempting to login to accounts using lists of commonly known or weak passwords, or in some cases generating passwords to try based on a users personal information. For example, if someone’s password was JaneDoe234 and their name was Jane Doe, this is a terrible password as a password guessing software would defiantly attempt this. This applies to things like addresses, names, birthdates or personal information. A password should be random, impersonal and unique to you.
Avoid passwords that others may have also chosen or sharing the same password with family or friends. For example starwars00 may seem unique but many people have already used this and it will be used as part of dictionary attacks.
2.2 Don’t use old passwords
Many old accounts you have have likely been compromised or leaked, as these events are common. Reusing the same password you’ve had for many years across multiple sites is a bad idea, as that information might be sitting in a list somewhere, waiting for a hacker to try use it. Learning a new password can be a hassle but much less than having you accounts compromised and used without your permission.
A simple way to see what kind of sites have leaked your password or information is to enter it in haveibeenpwned.com if your account does show up in a compromise, securing it is as simple as setting a new password.
2.3 Avoid using the same password for multiple accounts
While you can use the same password against multiple accounts, the are two reasons why this is a bad idea.
The first comes down to confusion and keeping track of different accounts. Different accounts might have different password requirements or require you to change your password from time to time. Unless you are diligent in keeping all your passwords in sync this can result in lots of time spent resetting or trying different variances on your common password to get into software. You will be better off with memorable passwords that are specific to each account, or a group of accounts (such as important personal accounts and work accounts). Your password can even contain a hint in it to what it is for making it easier to remember and reducing the likelihood of getting them muddled.
The second reason is security, if you use a password for a website, and that website gets compromised, it’s only a matter of time before hackers/scammers attempt that same leaked username and password on other services. This happens often and is a regular issue. This also applies to very old passwords that have not been changed in years. If you’re using a password you’ve used on multiple sites and it’s more than 4 years old, think about changing it.
At minimum you should have a separate password for:
Your personal email account – as this can be used to reset any accounts you have used this email for.
Your work email account – same as above.
Email should always be separate as this is often used as the recovery method for other accounts so you never want this account to be compromised.
2.4 Use MFA (multi-factor authentication) when available
Multifactor authentication refers to using more than one “factor” to authenticate you. Commonly this refers to something you know (password) and something you have (your mobile phone – which is sent a one time code). By having two factor enabled on important accounts, even with a compromised password, an attacker won’t be able to get access to your phone.
Unfortunately not all services support this, but more and more are turning it on by default to keep their clients and customers secure. There are many guides on how to turn on MFA here.
2.5 Writing down passwords
In a perfect IT security world, everyone would use different passwords for different accounts and each would be 15+ characters long. Unfortunately, reality is not like that. If given the choice between remembering and using a simple password across multiple sites or using a different strong password for every website but storing them somewhere…the latter is much more secure.
If you do wish to keep note of your passwords there are some rules to follow.
- Store them somewhere secure.
Naming the document or folder “passwords” or “accounts” or making it too obvious is not recommended. If someone stumbled across it or was searching your phone you’d want to reduce the chance they know what it’s for. An unmarked note in a password/PIN protected phone is suitable, written down on a post-it stuck to your computer is definitely not.
- Do not label the document or note
Including the word “passwords” or the other account details such as the full username makes it too obvious and not recommended. Even if someone found your password. this would at least ensure they don’t know what it is for.
- Hide or change some of the information
When making note, exclude the username or something from the written down password that you will remember is missing (such as a number) or change something in it. This is most important because even if someone gained access they would still not know your actual password but you would have enough to remember. For example if your password was Horse+Dance+23, you might right it down as Horse+Dance+00, if you are confident you will remember the number.
2.6 Password managers
If you’re struggling to keep track of passwords and account details, a great solution is a password manager. These securely store your password and account details behind a “master” password, meaning you only need to remember one good password and you can simply store the rest in your password manager. Some web browsers such as google chrome and Firefox have simple password managers built in. They’ll offer to remember your password and store it for you. If you make use of this, it’s best to setup access to your password on multiple devices (such as your phone and laptop) to ensure you always have access to your passwords and account details.
Common brands of more full featured password managers include LastPass, Dashlane or 1Password. Which works best depends on your requirements and needs, most offer a free trial or even a free personal account for you to test out. Just make sure you don’t lose access, these services are very secure so resetting account passwords can sometimes be hard or even impossible if you don’t have the right information.
3. Spotting suspicious emails
3.1 Be suspicious
Whenever you get any of the following emails you should immediately be suspicious, and approach with caution until you can verify they are legitimate:
- An urgent request, requiring immediate action.
- An email you are not expecting or that seems strange or out of character for the sender.
These are the two most common “red flags”, and you should always be suspicious when you encounter them. Often hackers use fear or urgency to get unsuspecting victims to do something they shouldn’t. Common examples of these are:
- Emails pretending to be from Australia Post, requesting you pay a small fee within a few hours for delivery now or you’ll get a larger fine.
- Fake “Microsoft Account” stating your account has been compromised and you need to login to fix it. However it takes you to a fake login page to steal your login details.
- An overdue invoice (that doesn’t exist) requesting payment or some service or feature will be cut off.
- An email supposedly from a senior staff member in your business requesting an urgent electronic funds transfer to a new contact.
3.2 Check the senders email address
The email address is more important than the display name as that can easily be changed. If an email displays from “Microsoft” but the email is “Msemail@example.com”, then you know the email is not coming from Microsoft as Microsoft would not use a random google gmail address for communication.
Sometimes attackers might be clever and register a similar looking domain when trying to imitate a company, such as miicrosoft.com (notice the duplicate ii). If it’s a more targeted attack, they may even register a different domain that looks similar to your organisation’s domain. If your company name was AwesomeSuperSupplies.com.au they might register AwesomeSuperSupplier.com.au (notice the slight difference?).
If you’re unsure what domain is correct, look for past emails from the supplier, company or contact, and see if it’s the same domain name and if you are still not sure if the email is fake or real, ask your IT team.
Keep in mind if the email domain is correct, and it’s coming from a known and trusted account, this does not automatically mean the email is safe, your contact might have had their account compromised or in some cases a sender has been able to forge/spoof their email address. If something seems strange, it never hurts to contact the sender for more information or get your IT support to review.
3.3. Verify with the sender using a different method.
If still not sure, you should try contacting the sender using a different method than email. If their email is compromised it’s likely the response may not be from the contact. A quick phone call is often best so you can confirm an unexpected email has been intentionally sent. If it is for a company or bank, you could try logging onto the service but DO NOT use any links supplied in the dodgy email, go to the website directly and login to check.
Once again, if unsure or confused, talk to your IT team.
3.4 Be very suspicious of links to login pages.
It’s rare for services to link you to a login page. They almost always request for you go to their website directly to logon. Fake emails stating “Your account has been compromised, reset your password here” are a common trick to get people to login to a fake page, providing the attacker with their username and password. Always check you are logging into the correct website and not an imitation.
3.5 Take the Quiz
The Australian Cyber Security Center website has a fantastic quiz that tests your ability to spot fake/scam emails and shows you in-depth what to look out for. Give it go by clicking the link below:
ACSC Scam Messages Quiz
4. Spotting fake login pages
4.1 When to be suspicious
Fake login pages are a common method used to get peoples otherwise secure usernames and passwords. Some are designed to look almost exactly like the real thing. When logging onto to important accounts you should always attempt to verify you’re using the real login and be extremely suspicious if you spot any of the following:
- The login page looks different to normal.
- There are spelling or grammatical mistakes on the page.
- The domain looks incorrect or different.
- You are linked to the login page from an email.
- You were not expecting to need to login.
4.2 Check the domain
Look in the address bar for the domain name you are connected to. If it is a well-known company or service the domain will normally be the same as their main website, some examples below:
Google (Gmail, Google Drive, Google Apps) – starts with: accounts.google.com
Microsoft(365, Onedrive, Outlook Online, etc) – starts with: account.microsoft.com
Facebook – www.facebook.com
Instagram – www.instagram.com
Apple iCloud – www.icloud.com
There will also be a small lock symbol just left of the domain too that if you click on should say the site connection is secure and valid. If still unsure if the login page is real, try going to it directly instead of using a link.
4.3 If unsure, ask
It never hurts to be cautious, and almost all IT professionals would rather spend a few minutes checking for you than risking your account credentials being compromised. If you do suspect you’ve provided your username and password to a fake login page, contact your IT support and change your password straight away.
5. Updates and Backups
5.1 Keep software up to date and secure
Software is never perfect. After an initial release developers will often release new versions or security updates with the purpose of fixing performance and security issues. Even Google Chrome, one of the most popular web browsers, had over 175 vulnerabilities documented in 2019 alone. Updating software resolves these known security weaknesses.
Attackers are constantly looking for new vulnerabilities in the software your devices use. When they discover vulnerabilities, they attempt to exploit them before the software development company can patch them. Out of date devices with well known exploits are an easy target for those trying to gain unauthorized access. The more out of dates software is, the more vulnerable it can become.
By keeping all of your internet-connected devices up to date, you make your devices a much harder target for someone to hack you. To stay current, simply enable automatic updating whenever possible. This rule applies to almost any technology connected to a network, including internet-connected TVs, baby monitors, security cameras, home routers, gaming consoles and more.
The good news is most software will update itself, but for some you still need to manually update. If unsure if your software is up to date, ask your IT team or check on the software creators website.
5.2 The importance of backups
No matter how careful anyone ever is, there is always the chance you can be hacked. In the event they encrypt all your data and hold it to ransom, a good backup can provide a simple solution to an otherwise nasty situation. You can simply restore your files. Many operating systems and mobile devices support automatic backups, either to external drives or to the cloud.
It is recommended you have at least three copies of your data. The original, a backup and a secondary backup, with the latter being stored in a different location to the first, such as offsite or in the cloud.
If you’re unsure if your data is backed up and where, it’s an important question to ask your IT support.
6. Shared Devices and Shared Accounts
6.1 Sharing Accounts with Family
Unlike some of the previous examples, sometimes poor security can result in problems even when there is no malicious intent. A very common scenario is family sharing accounts that unintentionally provide access that a relative should not have.
A common example of this is parents logging into their iCloud account on their child’s iPad or iPhone, as this seems like a convenient way to setup the phone. This will grant that device holder access to things such as text messages, contacts, email private photos, and even the ability to make credit card purchases, depending on what has been setup for iCloud. It is very easy for someone given this unintentional access to accidentally contact a parents work contact, purchase items through the apple store, or delete important information (which deletion is synced via iCloud too all other devices).
The solution is to make sure that each personal has their own account to avoid any mix-ups of information and access. For iCloud, Apple has guidance’s you can read here: Family Sharing and Apple ID for your child – Apple Support. If kids need to use a computer for school that is also needed for work, there are also ways to create two windows accounts on one device to provide clear separation. Always pause and think before logging into one of your accounts on a device that is not primarily used by you.
6.2 Don’t forget to log out or lock your computer
Even in trusted environments such as the home, if a laptop or device is used by multiple people it’s important to think about when you should log out, and which service to log out of. For high risk services such as online banking, logging out as soon as you are done is best practice. Alternatively, for convenience, you may just want to set a good Windows account password and get into a habit of locking your computer or logging out when you are done.
This protects you from both accidental issues (such as someone using your computer and assuming they are logged on as themselves – it does happen) and malicious actions (such as someone attempting to perform undesirable or illegal actions under your name/account). Most importantly, knowing you are logged out or your computer is locked will give you piece of mind that only you have access to your data and the services you have logged onto within windows.
6.3 Decommissioning old devices
Whenever giving away or selling a device, it’s very important to make sure you have logged out of all accounts, and you have reset the device back to factory default. This stops the next owner from potentially getting access to any services you were logged into. Often people will try to simply delete all their data, and then log out of everything but this is time consuming and it’s still easy to miss certain accounts. When devices are factory reset they will also sometimes offer to ‘wipe’ the data. This involves overwriting any remaining data on the risk to make it extremely hard to recover it. Without this someone could potentially find files you deleted.
Congrats on reading through the above information and taking a step towards a more secure online experience.
If you’re looking for further reading on cyber security and how to keep yourself (or your business) secure check out the following resources provided by the Australian Cyber Security Center:
We hope you found this helpful, and if you didn’t or have feedback please reach out to us to let us know how we could improve.