By Paul Gillespie
Faculty Member, School of STEM at American Military University
Hardly a day goes by without a report of a hack or an intrusion into an organization's network. Do you remember the Target credit card "hack" story from a couple of years ago? I was one of the victims. Applying a basic risk management strategy can go a long way toward protecting yourself at home as a consumer. The four basic risk responses are:
Risk Avoidance: Stay away from the activity that exposes you to the threat.
Risk Transfer: Shift the financial consequences to someone else, usually through insurance or a contract; make it someone else's problem. Note that transfer covers the loss, not the event itself.
Risk Mitigation: Apply a countermeasure that reduces the likelihood or the impact of the threat.
Risk Acceptance: Knowingly take on the potential loss as a cost of doing business, usually because avoiding, transferring or mitigating the risk would cost more than the loss itself.
Here are some of the cybersecurity attacks I’ve been exposed to and how one can employ the basic risk management strategies at home.
Attack: My credit card number was stolen in the Target breach.
Risk Avoidance: Reduce your use of credit cards or eliminate them altogether; a card number that is never presented at a terminal cannot be harvested from that merchant's systems.
Risk Transfer: Many banks offer fraud protection, sometimes for a monthly fee. This moves the loss from the consumer to the card issuer. Keep in mind that in the US, federal law already caps a cardholder's liability for unauthorized credit card charges at $50, so check what a paid product adds before buying it.
Attack: During a business trip to Florida, my credit card number was compromised.
On that trip I used my card only once, for a small purchase at a convenience store/gas station. The bank discovered a series of purchases in the Tampa area and notified me.
Risk Mitigation: Be choosy about the bank you select. A proactive bank that lets you file a fraud claim easily and alerts you when unusual purchases are made is a must. I recently bought three plane tickets to Europe and my bank immediately called me to verify the purchase.
Attack: A company was posting unusual charges to my card and actually mailed me a product.
Risk Mitigation: Pay close attention to your charges. I have to give my wife credit here; she scrutinizes our charge accounts. In this scam the company posts small charges (about $9.00 once or twice a month) as if you had ordered its product. Charges that small often go unnoticed by consumers, which is the point. We actually received a bottle of diet pills in the mail that we had never ordered.
Risk Mitigation: Use the Internet and do your research. I reviewed the lists of known scams online and sure enough, this one was present, with quite a few angry respondents. The key here: don't call the company, call the bank and dispute the charge. When consumers called this company directly, it would argue with them, try to convince them to keep receiving the product, or imply that they owed it something.
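The two patterns caught above, a bank noticing a run of charges in a city where the cardholder was not, and a spouse noticing a small charge that repeats every month, can be checked mechanically. The script below is an added example written for this post, not the author's code or any bank's: it runs two simple checks over a constructed card statement, one for a small, steady charge from the same merchant recurring about once a month, and one for a cluster of charges from a city the cardholder has not declared. Every merchant name, amount, city and threshold in it is made up for illustration; a real issuer's rules are far richer than this.

```python
"""Two consumer-grade checks over a card statement (example code, not the
author's): recurring low-dollar charges from one merchant, and clusters of
charges from an area the cardholder has no reason to be in."""
from collections import defaultdict
from datetime import date

# Constructed sample statement: (posting date, merchant, amount in USD, city).
# Merchant names, amounts and cities are invented for this example.
STATEMENT = [
    (date(2015, 3, 2),  "GROCERY MART",      84.17, "Chicago"),
    (date(2015, 3, 9),  "NUTRIWELL ONLINE",   9.00, "Online"),
    (date(2015, 3, 14), "SHELL GAS 4412",    11.50, "Orlando"),
    (date(2015, 3, 15), "BEST BUY 2207",    499.99, "Tampa"),
    (date(2015, 3, 15), "WALMART 1134",     212.40, "Tampa"),
    (date(2015, 3, 16), "LIQUOR OUTLET",     78.05, "Tampa"),
    (date(2015, 3, 22), "GROCERY MART",      91.02, "Chicago"),
    (date(2015, 4, 8),  "NUTRIWELL ONLINE",   9.00, "Online"),
    (date(2015, 4, 20), "GROCERY MART",      77.60, "Chicago"),
    (date(2015, 5, 9),  "NUTRIWELL ONLINE",   9.00, "Online"),
]


def recurring_small_charges(statement, max_amount=15.00, min_hits=2,
                            min_gap_days=20, max_gap_days=40):
    """Return {merchant: total} for merchants posting a small, near-identical
    amount roughly once a month. Thresholds are illustrative assumptions."""
    by_merchant = defaultdict(list)
    for posted, merchant, amount, _city in statement:
        if amount <= max_amount:
            by_merchant[merchant].append((posted, amount))

    flagged = {}
    for merchant, charges in by_merchant.items():
        charges.sort()
        if len(charges) < min_hits:
            continue  # a single small charge is not a pattern
        gaps = [(b[0] - a[0]).days for a, b in zip(charges, charges[1:])]
        monthly = all(min_gap_days <= g <= max_gap_days for g in gaps)
        amounts = [c[1] for c in charges]
        steady = max(amounts) - min(amounts) < 1.00  # same "subscription" price
        if monthly and steady:
            flagged[merchant] = round(sum(amounts), 2)
    return flagged


def out_of_area_charges(statement, known_cities, window_days=3, min_hits=2):
    """Return charges from cities the cardholder has not declared, but only
    when two or more from the same city fall within a few days of each other:
    one stray charge is noise, a cluster looks like a cloned card in use."""
    strays = sorted(t for t in statement if t[3] not in known_cities)
    flagged = []
    for t in strays:
        near = [u for u in strays
                if u[3] == t[3] and abs((u[0] - t[0]).days) <= window_days]
        if len(near) >= min_hits and t not in flagged:
            flagged.append(t)
    return flagged


if __name__ == "__main__":
    # Home city plus the one trip the cardholder actually took.
    declared = {"Chicago", "Orlando", "Online"}
    for merchant, total in recurring_small_charges(STATEMENT).items():
        print(f"recurring small charge: {merchant} (total ${total:.2f})")
    for posted, merchant, amount, city in out_of_area_charges(STATEMENT, declared):
        print(f"out of area: {posted} {merchant} ${amount:.2f} in {city}")
```

Run against the sample statement, the first check flags the $9.00 "NUTRIWELL ONLINE" charge that posts every 30 or 31 days, and the second flags the three Tampa charges clustered on March 15 and 16 while ignoring the lone Orlando gas purchase the cardholder actually made. The design choice worth noting is that neither check looks at amount alone: the recurring check keys on cadence and a constant price, and the out-of-area check requires a cluster, because a single anomalous charge is the kind of false positive that makes people ignore alerts.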
Attack: A threatening phone call stating that legal action was pending.
Risk Avoidance: Screen your phone calls, and don't respond to threats or to anyone who requests sensitive information over the phone. In this case a caller claiming to be from the IRS said a case was open against us and that legal action would be taken unless we called a certain phone number and made a credit card payment. Never give personal information over the phone, and never make a payment under pressure. Legitimate organizations don't operate this way; the IRS in particular initiates contact by mail and does not demand immediate card payment over the phone.
Risk Mitigation: Use the Internet and do your research. I reviewed the list of scams online and again, this one was present with quite a few angry respondents. I can't stress how valuable this is: research current scams periodically.
Attack: A phone call claiming that my Windows OS was outdated and that I needed to purchase anti-virus software, or I would be in grave danger of an attack.
Risk Mitigation: This is similar to the case above. Apply the common-sense test. How would somebody know my OS unless they had port-scanned or vulnerability-scanned my machine? In reality the caller knows nothing about it: this is a cold call made to thousands of numbers, and the pitch works only because most households run Windows, so the guess is usually right. You could avoid the whole exchange by not answering; in this case I answered the phone and simply responded, "I know this is a scam, and I'm reporting this to the FBI," then hung up. I haven't heard from them since.
These are just a few examples of attacks and of strategies to protect yourself. I'm sure students and faculty have many more of their own. Feel free to share them.
About the Author
Mr. Paul Gillespie has worked in the Information Technology and Security field for over 15 years. Aside from teaching Information Security at APUS, he is currently the Branch Chief for Project and Policy Management at US MEPCOM, the organization that processes new personnel into the military. Mr. Gillespie is a retired Navy Chief Warrant Officer who served for 23 years. His specialties were Engineering, Quality Assurance, Information Technology and Project Management. He has continued his professional career in the Federal Government sector, specializing in Project Management and Information Security.