1. This will be solved by the IT department

Even the best IT administrator cannot prevent data leaking from the corporate infrastructure if the attack goes through an untrained employee, just as a security guard cannot prevent a stolen key or an employee's access card from being used to walk in.
A secure network is a necessary foundation (as is a lock on the door), but the most common attacks do not go through corporate systems at all. Kevin Mitnick, one of the best-known hackers, describes in his book “The Art of Deception” many surprisingly simple tricks for obtaining data that should have stayed secret. Most of them have one thing in common: the information was obtained from untrained staff who never realised they were doing anything wrong.

“Many social engineering attacks are intricate, involving a number of steps and elaborate planning, combining a mix of manipulation and technological know-how. But I always find it striking that a skillful social engineer can often achieve his goal with a simple, straightforward, direct attack. Just asking outright for the information may be all that’s needed—as you’ll see.
Testifying before Congress not long ago, I explained that I could often get passwords and other pieces of sensitive information from companies by pretending to be someone else and just asking for it.”

If data has already leaked, the usual reaction is repressive: the employee through whom it leaked is punished. The consequence is that an employee who realises he has been the victim of an attack tends to hide the incident rather than informing his supervisor or the IT department, who could respond quickly and limit the damage to the company. In such cases time is critical.

Solution: An employee trained to recognise the common attacks reduces the risk of data leakage considerably.

2. We have secure passwords

One problem is that most users still do not know how to create a genuinely strong password (even in 2017 the most used password was still “123456”), but even a security policy that enforces long passwords of upper- and lower-case letters, digits and special characters is not a cure-all. A user forced to use a strong password tends to reuse it for other accounts. Then it is enough for one service to leak its user database with passwords, and the attacker has the keys to the users' other accounts.
Or the user relies on the browser's “Remember Password” feature. It is convenient, since we no longer have to remember every password, but there are also many freely available tools and techniques that let an attacker get at those stored passwords easily.

Solution: Use a dedicated password manager and two-step verification.

3. I’m not afraid of data loss, I regularly back up to a shared disk

A backup is an important part of data protection. However, if the backup disk is connected to the computer when an attack occurs, the data on the backup disk can be deleted or corrupted as well (the typical case is ransomware: the attacker encrypts your data and demands a ransom for decryption).
There is also the risk that, if the backup disk is stolen, the attacker gets at the very data that was supposed to stay hidden.

Solution: Backup & Unplug. The backup disk should be connected only for the duration of the backup and then disconnected from the system, so that an attacker cannot reach the data. The data on the disk should also be securely encrypted, so that even if the disk is stolen it is unreadable and useless to the attacker.
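The following script is an added example of the "Backup & Unplug" routine, written for this page rather than taken from the article. It assumes a Linux machine with `cryptsetup` and `rsync` installed and a backup disk that is a LUKS-encrypted volume; the device path, mapper name, mount point and source directory are placeholders to adapt. The script refuses an unencrypted disk, unlocks and mounts the volume only for the copy, writes a dated snapshot (hard-linking unchanged files to the previous snapshot, so a file that ransomware encrypts today does not overwrite yesterday's copy), and always unmounts and re-locks the volume, even if the copy fails, so the disk can be unplugged immediately afterwards.

```python
import subprocess
import time
from pathlib import Path
from typing import List, Optional

# Placeholder layout (assumptions for this example, not values from the article).
DEVICE = "/dev/disk/by-id/usb-BACKUP_DISK-part1"   # the LUKS-encrypted backup disk
MAPPER = "backup"                                  # unlocked as /dev/mapper/backup
MOUNTPOINT = "/mnt/backup"
SOURCE = "/home/user/documents"


def is_mounted(path: str) -> bool:
    """True if `path` is currently a mount point according to /proc/mounts (Linux)."""
    try:
        with open("/proc/mounts") as mounts:
            return any(line.split()[1] == path for line in mounts)
    except OSError:
        return False


def latest_snapshot(names: List[str]) -> Optional[str]:
    """Snapshot directories are named YYYY-MM-DDTHHMMSS, so the lexically
    largest name is the most recent one."""
    return max(names) if names else None


def rsync_command(source: str, snapshot: str, previous: Optional[str] = None) -> List[str]:
    """Build the rsync call for one snapshot. With --link-dest, files unchanged
    since `previous` are hard-linked instead of copied, so every snapshot is a
    complete, browsable copy that costs only the space of the changed files."""
    cmd = ["rsync", "-a"]
    if previous:
        cmd.append(f"--link-dest={previous}")
    cmd += [source.rstrip("/") + "/", snapshot.rstrip("/") + "/"]
    return cmd


def run(cmd: List[str]) -> None:
    subprocess.run(cmd, check=True)


def backup_and_unplug(device: str = DEVICE, mapper: str = MAPPER,
                      mountpoint: str = MOUNTPOINT, source: str = SOURCE) -> str:
    """Unlock, mount, snapshot, unmount, lock. Returns the new snapshot path."""
    # Refuse an unencrypted disk: a stolen backup must stay unreadable.
    if subprocess.run(["cryptsetup", "isLuks", device]).returncode != 0:
        raise SystemExit(f"{device} is not a LUKS volume; encrypt it before using it for backups")
    run(["cryptsetup", "open", device, mapper])          # prompts for the passphrase
    try:
        root = Path(mountpoint)
        root.mkdir(parents=True, exist_ok=True)
        run(["mount", f"/dev/mapper/{mapper}", mountpoint])
        try:
            previous = latest_snapshot([p.name for p in root.iterdir() if p.is_dir()])
            snapshot = root / time.strftime("%Y-%m-%dT%H%M%S")
            run(rsync_command(source, str(snapshot),
                              str(root / previous) if previous else None))
            run(["sync"])                                 # flush before unmounting
        finally:
            run(["umount", mountpoint])                   # always unmount, even on failure
    finally:
        run(["cryptsetup", "close", mapper])              # always re-lock the volume
    if is_mounted(mountpoint):
        raise SystemExit(f"{mountpoint} is still mounted; do not unplug yet")
    print(f"Snapshot written to {snapshot}; {device} is locked. Unplug it now.")
    return str(snapshot)


if __name__ == "__main__":
    backup_and_unplug()
```

Run it as root from a cron job or by hand; the disk is readable only between `cryptsetup open` and `cryptsetup close`, which is the "connected for the duration of the backup" window the article describes. Keeping several dated snapshots rather than one mirror is what makes recovery possible when the source was already encrypted or deleted at the time of the last run.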

4. I unlock the phone safely with a gesture / fingerprint

We keep more and more personal and business data on our mobile phones, and we are permanently logged in to our e-mail and social networks. If an attacker gets hold of the phone, he has almost unlimited power over our digital life. That is why securing the phone thoroughly is one of the most important things in digital security.
Do you unlock your phone with a gesture (connecting the dots on the display)? Such unlocking often leaves a smudge trace on the display that is clearly visible at the right angle to the light. Unlocking such a phone then takes an attacker only a few moments.
A fingerprint looks like a safe alternative, since everyone's is unique. The problem is that reconstructing a fingerprint is very easy, and it does not even require lifting a print from, say, a glass (or the phone itself): a photograph of sufficient resolution (which today's phones can take) can also serve as a template for making a copy of the fingerprint. In addition, researchers at New York University and Michigan State University have managed to create a universal fingerprint able to unlock 65% of the devices.

Solution: Secure your mobile phone with a strong password and encrypt its storage.

5. I do not need updates, everything works

Software has bugs, and some of them lead to security holes. A vulnerability for which no fix exists at the time it becomes known is a so-called zero-day. If an ethical hacker finds such a bug, he usually contacts the developer, who then has time to fix it and release an update before the vulnerability becomes public. After some time the vulnerability is disclosed, and from that moment the outdated software is open to anyone who wants to steal data from it or take control of it.

Solution: Update as often as possible and do not postpone it. The days when important programs stopped working after, say, an operating system update are mostly a thing of the past. Developers communicate changes in the operating system to each other in advance, so they have enough time to prepare and publish their own updates.


My name is Milan Půlkrábek. I remember computers without the internet, the Internet without Google and mobile communication without encryption. I have more than twenty years of professional experience in IT, and I lecture and write articles on IT security, cryptocurrencies and new technologies. Since 2014 I have been part of the non-profit organization Paralelní Polis in Prague.