Cybersecurity Awareness Month: Four ways to stay safe online

Jay Kelley
Published October 01, 2025

October is both the season for trick-or-treating and Cybersecurity Awareness Month. Just like young kids dress up in scary costumes to delight candy-giving households, attempts to infiltrate your business are oftentimes disguised and can be frightening.

This year’s theme is “Stay Safe Online.” At F5, a global leader in application, API, and AI delivery and security, we have some tips for ensuring all apps, APIs, and app components remain highly available and secure. Backed by three decades of expertise, F5 is one of the first companies to deliver a consolidated application delivery and security platform that’s designed to address the increasingly complex threat landscape we’re facing today.

Let’s dive into how to stay safe online and prevent this month’s spooky Halloween celebrations from turning into cybersecurity horror stories.

Here are four tips from the Cybersecurity and Infrastructure Security Agency (CISA) and F5 for how you can keep your users safer online.

1. Recognizing and reporting scams

Most email and texting platforms now recognize phishing attempts and may even provide the capability to report the attack directly in the application. However, you should also encourage your employees to alert your enterprise cybersecurity team of suspected phishing attempts so they can proactively monitor potential threats.

To add to the phishing problem, many cybercriminals now use AI to create and execute these attacks. As that sophistication improves rapidly, no anti-phishing control is foolproof, and some phishing attacks will slip through your existing security web. If a phishing email reaches a user’s inbox, it will likely include links to web pages or files served over encrypted connections. Once the user clicks that link to access the web page or file, it’s officially “trick” time for your organization.

Most web traffic is now encrypted, and the threats hidden inside encrypted traffic can be spine-chilling. You need to be able to see what’s in the traffic before you can defend against it. Decrypting encrypted traffic at scale as it enters your environment, then steering and orchestrating it through a customized gauntlet of your existing security controls, will help uncover gnarly encrypted threats before they can wreak havoc on your network and users.

Technology and security teams are great defenses, but your employees are the last line of defense should both fail. You should arm them with three simple rules:

  • Recognize the trap. Train employees to be suspicious of any urgent request, such as emotional appeals that claim foreboding consequences and require them to enter business, personal, or financial information. The same goes for last-minute, insistent emails from your company CEO—who never emails the employee—asking them to provide the corporate bank account and routing numbers or a credit card number, or to transfer corporate funds into a strange account. Misspellings and bad grammar used to be dead giveaways of a potential phishing attempt. But generative AI writing tools are available to anyone, including cybercriminals—and you can bet they’re using them to fix and smooth over anything noticeably off in their phishing attempts.
  • Resist the bait. Train your users to avoid clicking on any link or attachment from a suspected phishing attempt. In fact, if your organization or employees use “read receipts” on business text or email platforms, encourage them to resist opening a suspected scam communication from the preview. A simple read notification gives cybercriminals feedback on what communication tactics were effective enough to be opened, even if their attempt didn’t result in a breach. But if a user does click on a link or attachment that’s more than likely encrypted, the F5 Application Delivery and Security Platform (ADSP) can help. Its F5 BIG-IP SSL Orchestrator decrypts incoming encrypted traffic at scale, orchestrates the decrypted traffic based on customized, context-aware policies, and routes the traffic through dynamic service chains to the right security solutions in your stack to stop the phishing attempt in its tracks.
  • Trash rather than ask. After training your users to report phishing attempts via email or texting applications to your enterprise security teams, you also need to remind them to delete the message. Many phishing attempts now contain “unsubscribe” buttons that are actually lures. It’s natural to ask to be removed from these communications if “unsubscribe” is offered, but your users must learn that the trash button can be their best friend.

2. Creating strong passwords

A strong password is a moving target, especially as computers and AI grow more powerful at brute-force generation and pattern-based recognition and prediction. The latest strong password recommendations from CISA are now:

  • 16+ characters in length
  • Completely random
  • Unique

The best way to do this for the dozens, if not hundreds, of accounts and applications requiring passwords nowadays is to use a password manager. Most browsers and operating systems now include password managers that generate strong passwords and store them. Consider making their use mandatory for your organization.
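The three CISA recommendations above can be turned into a check that an organization applies to every new credential. The following Python is an added example written for this post, not F5 code or part of the CISA guidance: it generates a password from the operating system’s cryptographic random source, estimates how much entropy a password of a given length carries, and enforces length and uniqueness. Uniqueness is checked against SHA-256 digests of passwords already in use (a constructed set here), so earlier passwords never have to be stored in clear. The 94-character alphabet and the three-character-class rule are this example’s own assumptions.

```python
import hashlib
import math
import secrets
import string

# Assumption for this example: printable ASCII without the space character (94 symbols).
CHARSET = string.ascii_letters + string.digits + string.punctuation
MIN_LENGTH = 16  # CISA guidance quoted on the page


def generate_password(length: int = 20) -> str:
    """Generate a uniformly random password with the OS CSPRNG (secrets, never random)."""
    if length < MIN_LENGTH:
        raise ValueError(f"length must be at least {MIN_LENGTH}")
    return "".join(secrets.choice(CHARSET) for _ in range(length))


def entropy_bits(length: int, charset_size: int = len(CHARSET)) -> float:
    """Entropy in bits of a uniformly random password of this length over this charset."""
    return length * math.log2(charset_size)


def fingerprint(password: str) -> str:
    """SHA-256 hex digest used only for the reuse check, so plaintext is not retained."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def check_policy(password: str, seen_hashes: set) -> list:
    """Return the list of policy violations; an empty list means the password passes."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    classes = (
        any(c.islower() for c in password),
        any(c.isupper() for c in password),
        any(c.isdigit() for c in password),
        any(c in string.punctuation for c in password),
    )
    # Assumption: a password drawn from fewer than three classes is treated as not random enough.
    if sum(classes) < 3:
        problems.append("uses fewer than three character classes")
    if fingerprint(password) in seen_hashes:
        problems.append("reused: this password is already in use")
    return problems


if __name__ == "__main__":
    in_use = set()  # constructed: digests of passwords the organization already holds
    pw = generate_password(20)
    print(f"generated {len(pw)} chars, about {entropy_bits(len(pw)):.0f} bits of entropy")
    print("violations:", check_policy(pw, in_use))
    in_use.add(fingerprint(pw))
    print("same password again:", check_policy(pw, in_use))
```

Browser and operating system password managers do the same generation step for the user; the value of a check like this is on the enforcement side, where it catches a password that was typed by hand or copied from another account.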

3. Enabling multi-factor authentication

Requiring verification through multiple methods before granting access is the next level of security after a strong password. Multi-factor authentication (MFA) could include entering a code received via text or email, using an authenticator application that frequently generates random new codes that must be entered to successfully log in, or biometric data such as facial recognition or fingerprints. Two-factor authentication should be the minimum for your organization, but three-factor is better.

MFA is just a small part of establishing a zero trust security framework, in which no user or device is implicitly trusted, regardless of location. A zero trust architecture needs to extend beyond verifying the user’s identity to the context of that user’s access to every API and application. Establishing it also requires more than securing access. It demands a layered approach to protecting web apps, APIs, data, and more—combining web application firewalls (WAF), distributed denial-of-service (DDoS) mitigation, bot defense strategies, API discovery and security, protection against encrypted threats, securing AI, and using AI to secure and inspect every request, enforce security policies, and mitigate threats across your hybrid, multicloud environment, regardless of where apps, APIs, and data live.

4. Keeping software updated

Every application and API vendor issues regular updates and security patches, which should be applied quickly. However, software and application support can vary widely depending on the vendor, and there’s almost always a lag between a threat being identified and a patch being issued. And what about the vulnerabilities nobody has identified yet, which can—and do—turn into zero day attacks? With critical vulnerabilities emerging every nine hours, you can bet attackers quickly exploit them. What is an enterprise to do between the time a critical vulnerability is identified and the time the vendor issues a patch?

This is where a robust WAF and the concept of virtual patching can help plug holes until a security patch is released by the vendor. A WAF sits between the Internet and your web applications, monitoring and blocking malicious web traffic. When a vulnerability is found in a web application, your WAF can provide a base level of defense. The next quickest method of defending against an exploit is issuing a “virtual patch” through your WAF until a code-level fix arrives. A virtual patch isn’t a permanent solution; it’s simply a rule enforced through your WAF that prevents the vulnerability from being exploited. While a virtual patch doesn’t update the software, it can be a critical step toward keeping your users and data safe and your enterprise secure from known exploits.
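To make the idea of a virtual patch concrete, here is an added Python example written for this post; it is not F5 code and not a BIG-IP or ADSP configuration. It models a WAF rule scoped to one endpoint and one input: the rule is a positive allowlist of the values the parameter is documented to accept, so anything outside that set is refused before it reaches the application. The endpoint `/reports/export`, its `format` parameter, the rule identifier and the sample requests are all hypothetical and constructed for the example; no real vulnerability is being described.

```python
import logging
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple
from urllib.parse import parse_qs, urlsplit


@dataclass
class Request:
    """Minimal model of an inbound HTTP request as a WAF would see it (constructed)."""
    method: str
    url: str
    headers: dict = field(default_factory=dict)
    body: str = ""  # form-encoded body for POST requests


@dataclass
class VirtualPatch:
    """One WAF rule that covers a specific weakness until the vendor's code fix ships."""
    rule_id: str          # hypothetical local identifier for the rule
    path: str             # the affected endpoint, and only that endpoint
    parameter: str        # the affected input
    allowed: re.Pattern   # positive model: what the parameter is documented to accept
    reason: str           # why the rule exists, for the alert and the eventual removal


# Constructed rule: the hypothetical /reports/export endpoint documents exactly three formats.
PATCHES = [
    VirtualPatch(
        rule_id="VP-EXAMPLE-001",
        path="/reports/export",
        parameter="format",
        allowed=re.compile(r"csv|pdf|xlsx"),
        reason="hypothetical vendor advisory: undocumented format values reach an unsafe code path",
    )
]


def violation(patch: VirtualPatch, request: Request) -> Optional[str]:
    """Return a description of why the patch fired, or None if the request is clean."""
    parts = urlsplit(request.url)
    if parts.path != patch.path:
        return None  # rule is scoped to the vulnerable endpoint only
    values = list(parse_qs(parts.query).get(patch.parameter, []))
    if request.method.upper() == "POST":
        values += parse_qs(request.body).get(patch.parameter, [])
    for value in values:
        if not patch.allowed.fullmatch(value):
            return f"{patch.rule_id}: {patch.parameter} outside allowlist ({patch.reason})"
    return None


def filter_request(patches: List[VirtualPatch], request: Request) -> Tuple[int, str]:
    """Return (status, detail): 403 when a virtual patch fires, otherwise 200 pass-through."""
    for patch in patches:
        hit = violation(patch, request)
        if hit:
            logging.warning("blocked %s %s: %s", request.method, request.url, hit)
            return 403, hit
    return 200, "forwarded to origin"


if __name__ == "__main__":
    samples = [  # constructed traffic
        Request("GET", "https://app.example.com/reports/export?format=csv"),
        Request("GET", "https://app.example.com/reports/export?format=docx"),
        Request("POST", "https://app.example.com/reports/export", body="format=pdf"),
        Request("GET", "https://app.example.com/reports/list?format=docx"),
    ]
    for req in samples:
        print(req.method, req.url, "->", filter_request(PATCHES, req))
```

Two design points carry over to a real WAF: the rule is narrow (one path, one parameter), so it does not disturb the rest of the application, and it records a reason, so the team knows which vendor patch lets it be retired. An allowlist rule is preferred over a signature for the offending input because it blocks variants of the attack the signature author never saw.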

Another critical best practice for keeping software updated is regularly scanning for known vulnerabilities in web applications and software. Scanning must include APIs in use as well as common vulnerabilities and exposures (CVEs) for software to help understand and reduce your potential risk. Regular penetration testing done in an automated fashion can also help identify application weaknesses or outdated software before they can be exploited.

Staying safe is a year-round venture

Implementing these four principles in your organization can dramatically reduce your cybersecurity risks. If you need help keeping your employees safe online and your enterprise applications and data secure, the F5 Application Delivery and Security Platform delivers a robust portfolio of synergistic solutions that can help. October may be both the Halloween season and Cybersecurity Awareness Month, but protecting your organization is a year-round venture.

Find out more about the F5 Application Delivery and Security Platform.