Dr Konstantinos Mersinas, Programme Director of the MSc Information Security programme, and his team talk about the increase of cybercrime, particularly during the COVID-19 era which has seen a big increase in fraud. The Royal Holloway, University of London (RHUL) team highlight tips to build security awareness and what future trends are emerging.
A recent BBC investigation in April reported that British firms and individuals have lost £1.86m to coronavirus-related fraud. Bogus companies have set up scam websites to sell masks and sanitising products, which even contain fake reviews. What are the warning signs of a scam site, and how can one determine whether a website might be rogue?
It is not always easy to spot these sites as they become increasingly sophisticated, but a high-level list of things to be aware of may include the following:
Check the domain name: Scam sites often use misspellings or variations of popular brand names (such as discountmacbooks.com) or try to masquerade the domain (such as https.facebook.com.scamsite.net). This is not a simple issue due to our human underlying mechanisms of perception and decision-making. Situational circumstances like stress, time pressure and lack of attention make us all, even security experts, susceptible to social engineering attacks.
Check the padlock: Sites that display the padlock symbol in the address bar are encrypted - but that doesn't mean they're trustworthy. Click on the padlock icon to check the certificate is for a legitimate organisation (such as Google, Amazon, etc).
Check the reviews: Check whether the site has good feedback on sites like Trustpilot, Sitejabber or Reviews.io, and look out for fake reviews, such as multiple 5-star reviews all posted at the same time, or reviews with very similar wording. Note that it takes human judgement to spot these fake posts!
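The domain-name check described above can be partly automated. The following is an added example, not code from the RHUL team: it extracts the registrable domain from a URL and flags hosts where a trusted brand name appears but does not own that domain (the https.facebook.com.scamsite.net pattern). The allow-list and the tiny public-suffix table are constructed for illustration; a real deployment would use the full Public Suffix List.

```python
from urllib.parse import urlsplit

# Constructed allow-list of registrable domains the user expects to deal with.
TRUSTED_DOMAINS = ("amazon.co.uk", "facebook.com", "google.com")

# Minimal public-suffix table (assumption: a real check uses the full
# Public Suffix List). Maps suffix -> number of labels it occupies.
PUBLIC_SUFFIXES = {"com": 1, "net": 1, "org": 1, "co.uk": 2}


def registrable_domain(host: str) -> str:
    """Return the part of the host an organisation actually registers,
    e.g. 'scamsite.net' for 'https.facebook.com.scamsite.net'."""
    labels = host.lower().rstrip(".").split(".")
    # Try the longest suffixes first so 'co.uk' wins over 'uk'-style matches.
    for suffix, n in sorted(PUBLIC_SUFFIXES.items(), key=lambda kv: -kv[1]):
        if len(labels) > n and ".".join(labels[-n:]) == suffix:
            return ".".join(labels[-(n + 1):])
    # Unknown suffix: fall back to the last two labels.
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def classify_url(url: str) -> str:
    """Classify a URL as trusted, suspicious (brand masquerade) or unknown."""
    host = urlsplit(url).hostname or ""
    reg = registrable_domain(host)
    if reg in TRUSTED_DOMAINS:
        return "trusted"
    # A trusted brand name inside the host that does not own the registrable
    # domain is the masquerade pattern from the article. This substring
    # heuristic can false-positive; it is a warning sign, not a verdict.
    for trusted in TRUSTED_DOMAINS:
        brand = trusted.split(".")[0]
        if brand in host.lower():
            return f"suspicious: looks like {trusted} but is registered as {reg}"
    # Lookalike names not on the allow-list (discountmacbooks.com) still come
    # back as unknown, which is why human judgement remains necessary.
    return f"unknown: {reg}"


if __name__ == "__main__":
    for sample in ("https://www.facebook.com/login",
                   "https://https.facebook.com.scamsite.net/",
                   "https://www.amazon.co.uk/",
                   "https://discountmacbooks.com/"):
        print(sample, "->", classify_url(sample))
```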
What are some of the newer security threats for 2020 and are topics like “Zoom bombing” explored in the modules on the MSc Information Security programme?
Many well-known security threats continue to evolve, becoming more advanced and dangerous. Most of us can potentially detect simple phishing scams – for example, if they are badly written. But cybercriminals are upping their game. Modern, and more advanced, phishing attacks can include personal details from recent data breaches to lure victims. A recent data breach example is of the 9 million customers of EasyJet who had email addresses and credit card details exposed.
Our modules cover core topics of securing network communications. For example, we examine current popular trends, like the “Zoom bombing”, and how they relate to core security mechanisms taught in the programme. This allows our students to understand future security threats when they arise.
Smaller organisations can struggle more with managing cyber security because they often don’t have access to the same resources as bigger organisations to implement security management. In the current climate, where can these smaller businesses go to get sound advice to determine what support they require?
There are several useful sources of advice and guidance on information security for small to medium-sized enterprises.
One example is the Information Assurance for Small and Medium Enterprises (IASME) Consortium, which offers free and low-cost advice, services and certification, such as the Cyber Essentials scheme.
It is also worth obtaining a copy of the latest version of the ISO 27001 (information security), ISO 31000 (risk management) and ISO 22301 (business continuity) standards, which are all accessible via the University of London online library. Even if a company does not want to become certified, these standards contain a lot of good advice on best practices and on how to decide what is appropriate for your organisation.
Reports show that COVID-19 phishing has increased by some 2,000 percent. For ordinary users, plus students studying and working from home, what are the most important things one can implement to ensure protection against hacking?
Many cybercriminals will exploit global trending topics, such as COVID-19, to gain more exposure for their attacks. There have been ‘coronavirus maps’ websites spreading malicious software. So, we always need to check the source of any social media post or news article - and never click on links from anyone we do not trust. Again, anyone can fall victim to a phishing attack, given the ‘right’ conditions. We specifically examine cybercrime and the underlying ‘mechanisms’ of phishing in our MSc programme.
Some tips to keep you safe are:
Use a different password for every website: If you use the same password for all your accounts, then if one website gets compromised the attacker has access to all your accounts. Don't make it so easy for the criminals. Password managers like LastPass, Dashlane or 1Password can securely store your passwords and promote security hygiene and security habits.
Keep software regularly updated: New software vulnerabilities and weaknesses are being discovered all the time and cybercriminals are quick to exploit them. Keep your software up-to-date to protect against these attacks.
As we become more and more interconnected, criminals are able to piggyback onto private networks through our home appliances and devices. There is a lack of security standards amongst device manufacturers and service providers. What sort of industry work is being done to address this global issue?
Everything is becoming interconnected these days and consequently the overall security risk increases. We have recently been involved in a UK government study to estimate the impact of various types of regulations on Internet-of-Things (IoT) device consumers. There are specific requirements which manufacturers might need to comply with to create a more secure landscape. There is a lot of work to be done, but there are also existing attempts to mitigate the risks.
Another attempt is reflected by the idea to develop ‘central devices’ which will measure and mitigate the combined security risk from the IoT devices, say in your smart home. Again, there are various ideas and attempts to make our environments more secure.
Are there any new fields or upcoming trends emerging in information security?
The information security field is constantly evolving and changing due to new vulnerabilities and exploits being discovered. Some of the key upcoming trends include:
Artificial Intelligence (AI) is increasingly being used to protect us from cyber security threats. However, criminals are also weaponising AI to create advanced malware and attack methods.
The Internet-of-Things creates an interconnected world where, for example, you can control your kitchen appliances from your phone. But many IoT devices do not implement robust cyber security. IoT vulnerabilities can have many consequences, such as loss of personal data, letting criminals in, violating your privacy, or even allowing your toaster to set your house on fire. There have been cases where a hacker broke into a video baby monitor and was trying to give instructions to a toddler!
Advanced persistent threats (APT), leveraged by nation-state actors, are now a normal part of the global security landscape. Motives include stealing political and industrial secrets, spreading misinformation, and economic control.
Finally, the importance of humans is gradually being appreciated in the field. Insights from psychology and economics help us understand security behaviours and how we can make people the strongest line of defence in security.
With thanks to Konstantinos Mersinas and his colleagues Simon Bell, David Alexander, Raja Naeem Akram, Konstantinos Markantonakis and Lubna Ali for their ideas and contributions to the article.
If you are interested in a career as a security specialist, the NCSC-certified master’s degree in Information Security addresses both the technical and the management aspects of cyber security. The programme is delivered online and can be studied over two to five years.