5 min. read
ISO intern Josh Baker contributed the “protecting others by protecting ourselves” theme to this article.
Others have eloquently addressed the injustice that is the ongoing Russian aggression against the people and the state of Ukraine; suffice it to say that no one deserves to be subject to physical violence, and we dearly hope that we soon see the Ukrainian people back in their homes and restored to peace, engaged in the challenge that is self-government by democratic means.
We are no experts in warfare here, but it seems that war has long been waged across the combatants’ full spectrum of capabilities. The addition of cyberattacks — whether designed to spread disinformation or destroy/take control of critical infrastructure like power and water supplies — represents a logical (if frustrating) progression of war’s malignancy. Reliable sources indicate that Russia has waged cyberattacks in its current campaign against Ukraine* and, as global governments move to pressure Russia into abandoning that campaign, many citizens (including leaders) are wondering whether Russia will use its cyberarsenal against their country or their organization in response.
* Attributing cyberattacks to a specific source is difficult and fraught with peril. Our recommendations here apply no matter who’s on the offensive.
Here at Why?security we’re almost always writing about how the UVM community can protect itself from online threats. What if, this time, we look at a few cyber hygiene basics in terms of how we can help others?
Protecting others by protecting ourselves
We can do some meaningful work to improve the cyber landscape, each of us making it just a little more difficult for any adversary to succeed in attacking both ourselves and others. Modern cyberattacks may be a study in variety with endless combinations of the old and the new, but there are a few common themes and we as individuals can actually exert control over two of them in particular. Let’s imagine these as two doors, and a cyberattacker must open at least one of them in order to succeed.
Door #1: unlocked, unguarded
Update your software. All of it. Run current versions of your applications. MS Word. Chrome. And your operating systems. Windows. macOS. Android. On all devices in your control. Laptop. Phone. Watch. Thermostat. Why?
All these devices run software, and all software has flaws. Some of these flaws can allow intruders to remotely control the devices, which means some of them can be turned into cyberweapons in an attack against you. Or your school. Or your town government. Or even someone else entirely. Like a country thousands of miles away that’s fighting for its life. Old, outdated software is like a door that’s cracked open and unwatched. Cyberattackers can waltz right through.
We can’t (yet) stop software from having these flaws, but we can address them by applying updates as soon as they’re available. Successful cyberattacks require an unbroken chain of events. Yes: Updating your web browser may just break that chain. And when enough of us do it, we limit the attackers’ options, increasing the chances that they’ll fail and we’ll win.
Door #2: locked, but…
Pay attention to the places you use your passwords. For your UVM NetID, that’s sites whose domain name ends in uvm.edu, and nowhere else.
Your NetID password secures an account that can do lots of things. Things that probably seem innocuous, like sending or receiving email. Email which can spread malicious software. Or try to harvest others’ passwords. Or sign up for a social account to publish disinformation or intimidation. We can be tricked — especially if we’re in a hurry — into giving away our passwords. That’s like having a locked door with someone on the inside letting in anyone who knocks.
Many of us — even those of us who feel confident we can’t be tricked — have a tendency to hurry when under pressure. And maybe skip steps. Like forgetting to check what site we’re on when entering our NetID and password. Attackers capitalize on this very human tendency by making us feel pressured. Your email will be shut off tonight. Your account will be suspended. You ordered this very expensive thing and we’re about to charge your card. And the message looks like it came from someone else at UVM.
Excellent. Now: Check the site you’re on. No uvm.edu? No NetID and password. Use a password manager; many will prompt for an extra confirmation if asked to fill a password into the wrong site. Find yourself at some other website trying to charm — or intimidate — your UVM password out of you? Window: closed. Threatening email: deleted. Chain: broken. We’re winning.
Is this saving Ukraine?
Directly? Maybe not. But if taking these small steps keeps some weapons out of the hands of cyberattackers, then maybe so. Take as many other meaningful, positive actions as you’re able: Make your voice heard, contribute resources, volunteer. But also guard Door #1 and Door #2, because a world where fewer cyberweapons are left lying around for use in conflict is a world where cyberwarfare won’t grow unchecked. And that’s meaningful too.