5 Common Security Risks to Avoid

Many users don’t give online security much thought. However, without knowing the basics, a person can be vulnerable when they are online. When we don’t make informed decisions about online security, many areas of our everyday lives (e.g., social networks, online financial records, email) are at risk from attackers.

Below are five common security attacks to be aware of and avoid:

1) Social engineering.

This is when someone tricks you into giving them information they shouldn’t have, such as someone pretending they are from Icon Systems and asking you for your password. Another example is phone scams where people call you and tell you that you won something and they need your social security number to claim the prize.

2) Password cracking.

This can happen in a couple of ways: either (1) you choose a password that is easy to guess, and someone runs a program to break it or simply guesses it (this is easier than you think), or (2) an attacker compromises the computers where the passwords are stored and then decrypts them. We encourage all users to use strong passwords.
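To make both halves of that concrete, here is an added example (not code from Icon Systems or IconCMO): a minimal strong-password policy on the user side, and salted, slow hashing on the storage side so that a stolen password database cannot simply be read back. The short common-password list is a constructed placeholder for a real breach-derived list.

```python
import hashlib
import hmac
import os
from typing import Optional, Tuple

# Constructed placeholder: a real deployment would check against a much
# larger list of passwords seen in breaches.
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "welcome"}


def is_strong_password(pw: str, min_length: int = 12) -> bool:
    """Minimal policy: long enough and not a well-known password."""
    if len(pw) < min_length:
        return False
    if pw.lower() in COMMON_PASSWORDS:
        return False
    return True


def hash_password(pw: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Store a salted, deliberately slow hash instead of the password itself.

    Unlike encryption, the hash cannot be 'decrypted' if the database leaks;
    the salt keeps identical passwords from producing identical hashes.
    """
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", pw.encode("utf-8"), salt, 200_000)
    return salt, digest


def verify_password(pw: str, salt: bytes, expected: bytes) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    _, digest = hash_password(pw, salt)
    return hmac.compare_digest(digest, expected)


if __name__ == "__main__":
    for candidate in ("password", "correct horse battery staple"):
        print(candidate, "->", "strong" if is_strong_password(candidate) else "weak")
    salt, stored = hash_password("correct horse battery staple")
    print("verify correct:", verify_password("correct horse battery staple", salt, stored))
    print("verify wrong:  ", verify_password("wrong password here", salt, stored))
```

Only the salt and digest are stored; the original password is never written anywhere, which is what blunts the second attack path the paragraph describes.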

3) Cross-site request forgery (CSRF)—a.k.a. “tricky links.”

Be careful what you click on! CSRF is when you click a button/link on one web site, and it actually performs an action on another website pretending to be you. For instance, say you are logged into IconCMO church software, and you click a link in an email or on a website that says, “Look at my cat!” A successful attack could do anything that the user can do in IconCMO—including adding users so that the attacker can get into your account.
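The standard defense is a per-session anti-CSRF token: the browser sends the session cookie automatically with any request, but a page on another site cannot read the token that the real application embeds in its own forms. The following is an added illustration of that check (not IconCMO's code); the session store, the `add user` action and the form field names are constructed for the example.

```python
import hmac
import secrets
from typing import Dict

# Constructed in-memory session store: session id -> {"user": ..., "csrf": ...}
SESSIONS: Dict[str, Dict[str, str]] = {}


def login(user: str) -> str:
    """Create a session and bind a fresh random CSRF token to it."""
    session_id = secrets.token_urlsafe(32)
    SESSIONS[session_id] = {"user": user, "csrf": secrets.token_urlsafe(32)}
    return session_id


def render_add_user_form(session_id: str) -> Dict[str, str]:
    """The legitimate page embeds the session's token as a hidden form field."""
    return {"csrf_token": SESSIONS[session_id]["csrf"]}


def handle_add_user(session_id: str, form: Dict[str, str]) -> str:
    """State-changing request: needs a valid session AND a matching token.

    A forged request triggered from another site arrives with the session
    cookie (the browser adds it) but without the token, so it is rejected.
    """
    session = SESSIONS.get(session_id)
    if session is None:
        return "rejected: not logged in"
    token = form.get("csrf_token", "")
    if not hmac.compare_digest(token, session["csrf"]):
        return "rejected: missing or invalid CSRF token"
    return f"ok: {session['user']} added user {form.get('new_user', '?')}"


if __name__ == "__main__":
    sid = login("treasurer")
    legit = dict(render_add_user_form(sid), new_user="newstaff")
    print(handle_add_user(sid, legit))
    forged = {"new_user": "newstaff"}  # a third-party page cannot read the token
    print(handle_add_user(sid, forged))
```

Real frameworks add the same check automatically for every POST/PUT/DELETE; the `SameSite` cookie attribute is a complementary browser-side control, not a replacement for the token.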

4) Injection style attacks.

This is when attackers gain direct access to a system's back-end database by entering database commands (malicious code) instead of the usual data into a text box on a website. This is one of the most common attacks on database-driven websites, and the chances of the attacker being caught are low compared to the high value of the information that can be taken.
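As an added example (not IconCMO's code), here is the defect side by side with its fix, using a constructed member table in an in-memory SQLite database. The vulnerable lookup pastes the search-box text into the SQL statement, so quote characters change what the statement means; the parameterized version hands the text to the database driver as a value, so it can only ever be compared, never executed.

```python
import sqlite3
from typing import List, Tuple

Row = Tuple[str, str, int]


def make_db() -> sqlite3.Connection:
    """Constructed sample data: two members with contact and pledge details."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE members (name TEXT, email TEXT, pledge INTEGER)")
    conn.executemany(
        "INSERT INTO members VALUES (?, ?, ?)",
        [("Alice", "alice@example.org", 500), ("Bob", "bob@example.org", 250)],
    )
    return conn


def find_member_vulnerable(conn: sqlite3.Connection, name: str) -> List[Row]:
    # DEFECT: user input is concatenated into the statement text.  A quote in
    # the input either breaks the query (a legitimate "O'Brien") or rewrites
    # its WHERE clause so that every row comes back.
    sql = f"SELECT name, email, pledge FROM members WHERE name = '{name}'"
    return conn.execute(sql).fetchall()


def find_member_safe(conn: sqlite3.Connection, name: str) -> List[Row]:
    # FIX: a placeholder plus a bound parameter.  The statement text is fixed;
    # whatever the user typed is matched literally against the name column.
    sql = "SELECT name, email, pledge FROM members WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()


if __name__ == "__main__":
    db = make_db()
    print("safe, normal input:   ", find_member_safe(db, "Alice"))
    print("safe, apostrophe:     ", find_member_safe(db, "O'Brien"))
    print("vulnerable, tautology:", find_member_vulnerable(db, "x' OR '1'='1"))
    print("safe, same input:     ", find_member_safe(db, "x' OR '1'='1"))
```

The same rule applies whichever database or language the site uses: build statements from fixed text and bound parameters, and treat any string concatenation into SQL as a bug to be fixed.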

5) Secondary attacks.

It’s easy to think, “I don’t worry about people getting into account ‘x’ of mine online because I don’t have anything important there.” The trick is that a chain is only as strong as its weakest link. If an attacker found out your password to an insecure site, and you used that same password for your email account, chances are they now have access to your email, too. And, if they have your email, perhaps they could use a password reset to gain access to your online banking account. This is how they work their way up from the weakest link in the chain to the strongest link and most important—your online financial accounts.

While we have always taken data security very seriously since IconCMO was publicly released in 2003, technology is always changing. Icon Systems must ensure necessary precautions are taken each year to protect our clients’ most valuable asset—their data. We have been especially busy behind the scenes improving the security in IconCMO over the past several months. To see the full list of improvements, read the full security enhancement document here.

Below you will find some resources if you want to find out more about specific types of security attacks.

  • Password Cracking—How to create strong passwords.
  • Social Engineering—A story on how social engineering can work.
  • CSRF Attacks—How these types of attacks are carried out and how to prevent them.
  • SQL Injection—What is it and how to prevent it. (Keep in mind, this is just one type of injection attack.)