Security Intelligence
In today’s ever-evolving cybersecurity landscape, protecting critical infrastructure is more important than ever.
During a recent session keynote for a leading Canadian healthcare organization, Field Effect’s CEO and Founder, Matt Holland, shared his expertise on practical cybersecurity best practices, emphasizing how everyone plays a crucial role in safeguarding Canada’s essential services.
Matt’s insights highlighted the growing risks organizations face and provided clear guidance on how individuals can help strengthen their organization’s defense against cyber threats. The session sparked great interest, and many attendees submitted thoughtful follow-up questions.
In this blog, we’ll dive into some of the top questions raised during the session and provide in-depth answers to help you better understand how to keep your systems and data secure.
1. How can someone hack and take control of an iPhone?
There are threat actors who can exploit and control iPhones, but these capabilities are expensive to develop and typically only used by state-level actors. The NSO Group, for example, is an Israeli cyber intelligence firm that sells these types of capabilities, often to governments.
Sometimes malicious apps make their way into the App Store. Once downloaded, users are tricked into providing the app permission to access things like photos, the camera, microphone, and location services, all of which can be used to surveil the victim and retrieve sensitive data.
Tips:
- Turn the device off at night
- Keep apps up to date
2. Is there a best practice for how often you should change your passwords?
Regularly rotating passwords is a widely debated best practice. Some say only change passwords when there is evidence of possible compromise. Some say to rotate passwords annually.
The more critical aspect of password hygiene is to use unique, complex passwords and to enable MFA on every single account you have.
3. Any recommendations for a good password manager app? Is a free option as safe as a paid version of the same product?
A password manager can help you to create, store, and use complex passwords and passphrases, and avoid password reuse across your accounts.
Many password managers offer both free and paid versions of their services. Choosing the right option for your personal or business use will depend on your specific needs (e.g., the number of accounts you may need to store or manage, or if you need advanced features only available in a premium or paid service).
We recommend choosing a password manager that:
- Supports multi-factor authentication
- Prompts you to change old, weak, or reused passwords
- Notifies you if your password appears within a known data breach
- Is supported for the devices you use (e.g., your phone or computer)
4. How would you evaluate a website to determine if it is fake before making a purchase?
- https://urlscan.io/ can help
- Launch it in browserling.com
- Search it in Virus Total
5. Shouldn't links starting with HTTPS be safe?
HTTPS means that the network traffic is encrypted using a certificate. Actors standing up infrastructure for malicious activity can easily acquire a valid certificate for a site.
6. Should you make up personal information, such as a false birthday, when signing up for things on websites?
Depends on context. There are many cases where you want to use real information. When this is the case, evaluate whether the service you are getting is worth the information you need to share to get it.
7. Do you believe the world will be able to keep up with the rate of advancement in cyber risks or will it eventually become untenable?
There will always be a cat-and-mouse game between threat actors and network defenders. When a security control closes an attack vector, threat actors will look for a new one. Once that one is closed, they will find another one, and so on.
While threat actors are becoming more sophisticated, so are security controls. Additionally, the average user’s awareness of cybersecurity is increasing overall.
8. With AI on the rise, any suggestions on how to be cautious about it?
Depending on the context, the use of Artificial intelligence (“AI”) technology can provide productivity benefits but may also introduce risks for businesses and individuals.
When using AI tools, avoid entering personal, confidential, or privileged business information into an AI tool such as ChatGPT.
Depending on the tool in question, the information you enter may be shared with third parties or used to develop and improve the AI tool.
9. With regards to social media, I get ads after looking something up or talking about something. How does this happen?
When you install or use social media apps, you agree to allow them to track your cookies and other indicators of user behavior. This is the tradeoff you make for getting the app for free. You can disable some of these tracking features, but they will continue showing you ads, they just won’t be as relevant.
10. Am I safe from threats solely from MFA, or should I still be mindful of potential threats?
MFA is not a silver bullet against threats. So yes, you should be mindful of threats and practice defense-in-depth. MFA, however, is a best practice that you should use to reduce 99% of your account risk.
Threat actors' techniques will evolve to defeat some MFA solutions. We already see ‘phishing-resistant MFA’ as threat actors gain the ability to phish some MFA solutions.
11. If ransomware is one of the biggest cyber threats at work, what is the biggest threat to me at home?
Phishing and smishing are the biggest threats a user faces at home. Successful phishing/smishing can lead to account compromise and malware deployment, which are both known to enable financial and identity fraud.
Phishing emails often look legitimate at first glance, using well-known company names that would resonate with the largest number of targeted organizations. See the example email below posing as a Microsoft Office 365 update.
Other common tactics include imitating a government department, offering a financial incentive, and creating a sense of urgency.
Drive-by downloads are a close second. This happens when a threat actor compromises a website often visited by a user. The website is made to display a fake update or something for the user to download which they do because they trust the site. This file is usually information-stealing malware.
12. Suppose my work laptop gets hacked. What is the very first thing I should do?
Call IT support and disconnect from the internet. Depending on your company's policy, you may wish to keep the laptop running so that valuable forensics information contained in the memory isn’t lost once it’s turned off.
13. You say not to click links in emails... yet we constantly get legitimate links in emails. Where is the balance between best practice and reality?
Use an email analysis service like Field Effect’s Suspicious Email Analysis Service (SEAS). If you have any reason to doubt the email, wait until you get an all-clear message from this service before clicking on any links.
Apply available email filtering and security controls in your email solution (e.g., anti-spam, anti-phishing, and anti-malware controls) to reduce the likelihood of receiving malicious links or attachments in email.
Defending against cyber threats
In an era where cyber threats continue to evolve, safeguarding critical infrastructure like Canada’s healthcare system requires a proactive and vigilant approach.
By embracing cybersecurity best practices, such as strong password management, regular awareness training, and advanced threat detection tools, individuals and organizations alike can play a vital role in defense.
