Qing Hu, an accomplished scholar on IT strategy and cybersecurity, is dean of the Koppelman School of Business at Brooklyn College. He has co-authored over 140 research articles in academic journals, conferences, and books, and has been an invited speaker at universities and academic conferences around the world. Hu offered these helpful tips to the Brooklyn College community.

What are a couple of the biggest and most common threats ordinary people encounter regarding cyberattacks?

Identity theft: Identity theft happens when your online or real-world identity, such as your name, date of birth, driver license, social security, address, and other key personal data, is stolen through online hacking or physical action. Once the criminals get these data, they can use them to open bank accounts, get auto and home loans, and even file for a tax refund before you file for taxes. Personal identity data are often stolen from hacked computers and found in personal and business trash.

Hacked online accounts: This happens when hackers or criminals get your online account usernames and passwords, or credit card data, either through direct hacking of your computer or purchasing hacked data on the dark web. It often takes only a few minutes to a few hours from your account data being compromised to these data being used or sold to criminals on the dark web. This happens to personal accounts and organizational accounts. This has been the primary way for hackers to steal money from individual and organizational bank accounts, as well as other valuable information such as credit card data and personal identity data.

Ransomware attack: This is the most direct way for hackers and criminals to profit from their hacking activities, and a relatively new phenomenon. When a hacker takes control of a computer or computer system through malware planted on the computer, the hacker runs software that encrypts most, if not all, of your data files and the system database files, making them inaccessible to you or the organization. Then a message is displayed on your computer screen, informing you that your computer data have been encrypted and asking you to follow instructions on how to purchase and send a certain amount of Bitcoin to the hacker in order to decrypt the data to its original state.

What are the best ways to protect yourself against them?

In all three cybersecurity threats, the most common way of being compromised is for hackers to steal your personal online or computer login credentials. The commonly used hacking techniques to steal online and computer login credentials are the following three:

Password cracking: Since most of our usernames are public, such as our names, organization, and email addresses, in many cases all hackers need to do is to figure out our passwords. There are free password cracking software tools available for anyone to download and use. However, the worst problem is that people tend to use simple and easy passwords. There have been multiple studies in the past that show the most common passwords used by individuals are “password” and “123456789.” So, it does not take a genius to break into many user accounts.

The best ways to protect against password cracking are:

  • Always use sophisticated passwords, which are now almost universally required by organizations and operating systems, such as long passwords with combinations of upper- and lower-case letters, numerals, and symbols.
  • Never write your password on a Post-it note and stick it to your computer, and never share any of your passwords with anyone, even your co-workers, family members, and close friends.
  • Changing your passwords every 6 months is a great way to prevent hacking, but also challenging to implement, because our memory is limited. Using password management apps from reputable vendors (e.g., Norton Password Manager by NortonLifeLock) that use encryption could be one of the ways to deal with this challenge.

Phishing emails: We have seen a dramatic increase in phishing emails in the last decade, and even with sophisticated email filters installed in most organizations, phishing emails still manage to penetrate these filters and create havoc in organizations and for individuals. Once a person clicks on a link embedded in a phishing email, spyware is often downloaded on the person’s computer. Some spyware transmits keystrokes on that computer to the hacker (keylogger) to steal usernames and passwords, others let the hacker remotely control the computer and execute programs to install ransomware, and more stay in the background quietly for a long time waiting for commands from the hacker to launch attacks.

The best ways to protect against phishing attacks:

  • Phishing emails are relatively easy to identify if you are careful and aware of this type of cyber-attack. Phishing emails usually pretend to be from people you know (CEO, supervisor, co-worker, because these data are readily available on the web). However, it is technically difficult for them to hijack your organization email domain. If you see an email from your co-worker John.Doe@brooklyn.cuny.xyz.com, you must know this is a phishing email, and delete it immediately. If you happen to have clicked on a link embedded in the email, notify your IT service immediately to disinfect your computer.
  • Some phishing emails ask you to fill in a form with sensitive data or claim to verify your identity by requesting your username, account ID, and password, etc. These are clear indications of a phishing email. In these cases, just delete the email and report to IT services.
  • More sophisticated phishing emails use an image to cover their illegitimate email domain. For example, you might see an email from your co-worker John.Doe@brooklyn.cuny.edu, but the font is different from the rest of the email. When you hover your mouse over the email address, you might see John.Doe@xyz.com showing up, revealing its true phishing identity.

Malware attacks: In addition to phishing emails, hackers can install spyware, ransomware, and other malware when a user visits a website that offers free downloads of popular books, music, games, and even gift cards. Once an unsuspecting user provides names and emails (usually required for such free downloads) and clicks on the download button, the malware is downloaded along with the free offers to the user’s computer.

The best ways to protect against malware attacks:

  • Always turn on the operating system’s built-in firewall protection program, and if possible, install commercially available virus and malware protection software from reputable vendors. The software will alert you when malware is detected when you are visiting a website or downloading a free offer. It also does periodic scanning of your hard drive to discover and quarantine known and suspicious software agents on your computer.
  • Always be suspicious of free product or gift offerings that show up in your emails or on websites you infrequently visit. Keep in mind that there is no free lunch. If you are offered something for free, you are paying for it one way or another. You either provide some personal information, or you get malware installed on your computer, for the free stuff.

Zoom meetings have become so commonplace with so many people working remotely. What are some commonsense protections you can administer to ensure your meetings are safe?

The biggest hazard to Zoom meetings today is Zoom bombing, where uninvited parties gain access to or hijack Zoom meetings for the purpose of disrupting the meeting, making political statements, or, worst of all, showing racist, lewd, or obscene materials, which eventually shuts down the meetings. To prevent Zoom bombing, the administrators must exercise many safety precautions when setting up a Zoom meeting. There are numerous tutorials and guidelines available on the Internet on this issue; here are a few of the most important steps:

  • Choose not to embed the password in the meeting link. Embedding the password in the meeting link makes participation in the meeting super easy and is a popular choice. However, that makes anyone who gets the link able to join the meeting easily as well.
  • Never send meeting links with password or embedded password to the public media channels such as Twitter or Facebook. If the meeting is intended for public access, make sure to set up a meeting registration page. Depending on the estimated risk, the registration can be automatically or manually approved, but at least you know who will be at the meeting.
  • Only allow the host to share the screen and disallow participants from renaming themselves. This will prevent unwanted materials from being shown to the audience and prevent unwanted messages from being displayed using usernames.
  • Always disable “Join before host” and disable “Allow removed participants to rejoin.” If the host finds someone becoming disruptive and behaving inappropriately, the host can remove the participant, who cannot rejoin the meeting during the remaining time.
  • Always choose “Mute participants upon entry” and enable “Waiting room” so that the host has total control over when to admit participants, and when to allow a participant to speak.
  • Zoom security has significantly improved from its original release earlier this year, most notably with better host controls through many settings, and end-to-end encryption of the meeting data that are communicated between the host and the participants. However, it is recommended that Zoom meetings should not be used to discuss highly confidential and sensitive data and conversations. Many large companies still ban Zoom for official business meetings for concerns about data security.

Online shopping has also exploded over the past few years. What are some easy “dos and don’ts” you can suggest for online consumers?

  • Do your online shopping only on reputable websites and for known brands. Do not chase low prices on unknown websites, especially the sites that require more personal identifying information beyond your name, address, and credit card. If you must buy something on a new website, make sure you do some research online about the site and the merchant before making any purchases.
  • Do your online shopping only on personal computers, ideally on a dedicated device. Do not do online shopping on office computers. Not only might this violate your workplace policy, but in case malware is downloaded to your office computer, the damage could be much more severe.
  • Keep in mind that all your online transaction details, such as item, price, time, frequency, device, and location, are all recorded by the online platform and the merchants. Reputable platforms and merchants have better privacy protection policies and processes, while unknown sites may rely on selling customer data as a major source of income.
  • Protect your identity information as if protecting your own life in this highly connected digital world. The information you provide on different websites could and likely will be aggregated into a detailed digital portrait of you, shared or sold among different businesses. There is some truth in the saying that companies like Amazon and Google know more about you than you do.

What is the best way to protect your home computer, particularly if you have children using technology?

  • Always turn on the built-in firewall that comes with your computer operating system and install an additional anti-virus software package from reputable and known brand name companies.
  • Always turn on parental control functions offered by computer operating systems and websites. Make sure you set up the parameters properly and do not count on the default settings.
  • Be highly suspicious of unknown websites that offer free books, games, gift cards, and other freebies for download in exchange for your registration. The free stuff often comes with malware that could cost you a lot more.
  • Have frequent and open conversations with young children about the dangers of social media, the prevalence of malware, and the criminals trolling the Internet. Never give your credit card information to your children for convenience, and never allow young children to make purchases on the Internet by themselves.