The FBI recently disclosed that nation-state cyber attackers, such as the North Koreans, conduct extensive reconnaissance on their targets before carrying out their attacks, which really shouldn’t come as a surprise. But there is still little public understanding of which motivations or vulnerabilities these attackers key in on when assessing their targets. Understanding how this target assessment works is key to avoiding becoming a target yourself. The checklist below is designed to show how our own behavior and online persona can lead attackers to take an interest in us as individuals. Most importantly, adopting these practices helps keep you off the radar of sophisticated adversaries looking to personalize their attacks against future victims.
1. Boring is Beautiful
We now live in an era where social media stardom can be achieved overnight by people doing dumb things and crossing their fingers that the video goes viral. In a similar vein, anyone can use a social media account to make bold, controversial statements about politics, race, or any other emotionally charged issue. Sophisticated foreign adversaries like to focus on people who draw attention to themselves, because attention-seekers are assumed to possess other eccentric qualities that can be manipulated and leveraged. While it’s fine to be quirky and unique, it’s a good idea to keep the bad guys from finding you by not drawing undue attention to yourself or the company you work for.
2. Praise in Public but Criticize in Private
The First Amendment is a privilege we all enjoy. The fact that we can speak out against our government and our managers and dissent constructively is a freedom that citizens of other countries envy. But this freedom also makes us vulnerable to would-be attackers. The proverbial “disgruntled employee” will always be a prime target, because history shows that people fitting this profile have repeatedly been recruited or duped into providing nonpublic information. If you have a significant problem with your leaders or managers, it’s always safer to address it in private than to vent on social media in a way that screams you are disgruntled and vulnerable. You never know who is watching or reading what you post.
3. Avoid Snarky or Witty Emails
Before you hit send on that email you’re certain will earn praise from your colleagues for how clever you are, remember that careers have been ruined when hackers got hold of emails in which people thought they were being funny. Assume that anything you write may one day be read by someone other than its intended recipient. WikiLeaks, anyone?
4. Know Your Social Media Followers
It’s human nature to crave popularity, and social media only whets our appetite for large followings. Do you actually know all the accounts following you on Twitter? Can you distinguish real people from bots? Using burner Twitter accounts to collect information about a target is a simple and common tactic for hackers. Do not let your follower count cloud your judgement about who has direct access to your opinions, hot-button issues, and personal matters.
5. Open Bar Does Not Mean Open Mic
Sometimes we make it far too easy for adversaries to socially engineer us and to know exactly how, when, and where to target us. For example, do you openly display your work badge at the local food court during lunch hour, advertising who you are and where you work? When you attend a conference or event, do you pay attention to who is sitting near you at the bar and possibly eavesdropping on your conversations? Foreign adversaries aren’t just trying to hack you from thousands of miles away; they also have an established ground game and are equally capable of collecting information on you in person. Remember Maria Butina?
6. Does it feel off? Report It.
Lastly, if you experience anything odd, or feel that a stranger has taken an interest in who you are, where you work, and what makes you tick, say something to your security or human resources team. You may not be the first person to sense that something is wrong, but unless someone reports it, the bad guys will keep at it until they get caught.