Cyber attacks are concomitant effects of our progressive expansion into cyberspace—which means we cannot completely shield ourselves from them. There will always be a new cyber threat that will make us hold our breath in fear and desperately search for a solution.
We do always find a solution. However, as soon as we think we have arrived at a “digital fortress”, we are compelled to wrap our heads around another novel attack. It has become like a ride around an endless loop in chase of chaffs floating in the wind, which can be exactly alarming and at the same time ideally exhilarating.
Therefore, in order not to lose our minds to this bittersweet reality, cybersecurity experts recommend not sharing more than necessary as the best way of maintaining conscious cybersecurity hygiene.
What does sharing more than necessary mean?
Conscious cybersecurity hygiene is the most potent weapon against cyber-attacks. It is, in addition to other technical measures, the habit of minimizing the unconscious revealing of sensitive information. However, individuals, mostly inadvertently, leave a behavioral pattern on cyberspace. This may be from sharing personal information on Facebook and Instagram, taking selfies in sensitive places in a company and posting them on social media for public consumption, or even writing a post on LinkedIn to congratulate a colleague who recently got promoted to a higher position.
Whichever way, individuals are constantly leaving behind digital footprints that cyber-attackers can effectively utilize to launch yet another novel attack. Since individuals constitute an active part of businesses, they inherently expose the digital assets of these businesses to cyber threats through sharing more than necessary.
How is sharing more than necessary an effective enabler of social engineering attacks?
Sharing more than necessary exposes both the individual as a person and the business for which they work. It lands sensitive information on the laps of cyber-attackers who do nothing but thrive on gathering information on their targets.
With this information, cyber-attackers are then able to launch more targeted attacks, like spear-phishing, on these targets—and if the targets happen to be high-profile individuals, like CEOs, CFOs, or CIOs of businesses, the attackers can then target them with whaling attacks, with which they can gain deeper access to more sensitive information of the businesses. Using extensive access, cyber-attackers can penetrate other parts of the businesses, abusing, modifying and holding to ransom their digital assets.
This method, known as social engineering, enables cyber-attackers to weaponize your information as well as your desires against you. For instance, it is easy to target you with a phishing email about phony scholarships if your digital footprint confirms the desire for a scholarship. It is easy to target you with a phishing email about how to make a huge amount of money in the shortest amount of time if your digital footprint suggests such a desire. It is easy to target you with a phishing email about bogus investment opportunities if you have shown such interest in your digital footprint. In essence, the information that the attackers weaponize against you is carved in your personal post on social media and in your browser's history.
Whether a post on social media or a harmless search with a search engine or innocent surfing of a webpage, you always leave behind a digital footprint, which cyber-attackers can comb through for information on your interests, job, activities, etc.
With this information, the attackers are able to abuse specific details about your job or interests and impersonate you using a fake profile through a method known technically as profile cloning—it is the use of your job details, interests, activities, etc. to create a profile (especially social media profile) that is like yours if you already have one, or a profile that is befitting of your person and your job. It is part of identity theft.
With social engineering, you are not the only one at risk: All of your professional, and in many cases, your private, circles are at risk too!
Take for example, if an attacker is able to clone an email from you, albeit with a malicious link attached to it, and another person in your professional communication circle receives it, they may not bother to check the email for malicious intent or to confirm if you are truly the sender, because they trust you—which makes them more or less careless. It can be a close relative or friend whom you chat with on social media that might receive the social media phishing, which poses to have come from you. As such, they will not harbor any doubt or hesitation about the contents of the message, hence are likely to fall victim to the phishing exploit.
This is why you have to quit sharing more than necessary: You are equipping the attackers with more arms and ammunition with which to further exploit you. Sharing more than necessary is a vulnerability—and like every other vulnerability, you have to patch it. You cannot maintain conscious cybersecurity hygiene when you are still sharing more than necessary. Even if you keep the operating system of your systems up-to-date, patch all vulnerabilities in your application and employ the services of new technology—as long as you are still sharing more than necessary, you and your business are still extremely susceptible to cyber-attacks. There is no panacea for them other than not sharing more than necessary.
How does reverse social engineering help you to maintain conscious cybersecurity hygiene?
You can think of reverse social engineering as not sharing more than necessary, not allowing cookies on websites that you are not sure of so that if there happens to be any malware on the websites, it will not be able to read your browser’s history. Reverse social engineering means misleading the attacker with phony details or information that you couldn't care less about in any way. It also means being mindful of every detail you share and knowing exactly how it might affect you. It further entails being a step ahead of the attackers by minimizing the digital footprint you unconsciously leave behind each time you are on a public network.
In essence, reverse social engineering demands that you
- think twice before posting anything, whether personal or not, on social media. If it is a selfie, does it expose any sensitive information about you as a person or your place of work? If it is a verbal post, like a congratulatory post on social media, can you get it across in person or with restricted private access?
- do not reveal, let alone share, your location: Turn off your location whenever you want to make a public post on social media and cover your webcam always.
- Customize the privacy setting of your social media profile to be as restrictive as possible. In fact, you are advised to have one account for the people you trust and another account for the public.
- Avoid clicking on any link in an email whose sender you neither know nor can verify. If it comes from someone in your communication circle, pick up a phone and call them to confirm the message in the email! It might take a little of your time, but it will save you loads of trouble in the end.
It is true that you cannot shield yourself from cyber-attacks, at least not technically—but you can minimize how often you experience them. You can minimize how much information you are sharing inadvertently each time. Are you sharing more than necessary? You can minimize the digital footprint you are leaving behind.
Does it bare you for attackers to party on you? All you need is reverse social engineering to enable You to maintain conscious cybersecurity hygiene in every space at all times. That way you can rest assured that any cyber-attack you might experience in the future will be owing to vulnerability in software or failure of hardware, and not from you—not from sharing more than necessary.