Cyber Security for Real People - Part 2
O.K., so this is part 2 of a series I'm going to do on cyber security tips for folks who aren't in the CIA. Absolute security may be a pipe dream but there are some things you can do to dramatically improve your own cyber security profile and most of them are either free or inexpensive.
What is Security?
First off it's important to understand that security is a process, not a product. You can't just buy something, plug it in and go "Yay, I'm secure!" Doesn't really work like that. Yes, there are some things you should have, especially as a business owner, to improve your security. Just as you have good locks on your physical doors you should have a good firewall for example. Real security though comes from the process and that means doing a few smart things.
We still rely substantially on pass phrases as the primary means of authenticating ourselves to our systems. Until that changes it's important that you pick good pass phrases and that you keep them to yourself. "Password1" is not a good pass phrase. Neither is "money" or "pizza" or "123456". A good passphrase is long, easy for you to remember and not easy for somebody else to guess.
I'll probably do an article on picking a good passphrase later but for now here are a couple of suggestions:
- Pick a favorite movie quote or song lyric - something long. Then take the first letter of each word and string those together. Rolling Stones fan? ICGNSICGNSCITAITAITAIT. The opening lines of "Satisfaction". Sing it to yourself as you enter it. 22 characters long and it appears random. Despite the fact that it's entirely alpha the length and apparent randomness mean it would likely take centuries for today's technology to brute force it.
- Open the nearest book to a random page and select a random word. Repeat until you have at least 20 characters including the separating spaces. "Kung-hsi Master left Clever" is what I just found in the Analects of Confucius. 27 characters long. Make up a little story in your head to explain it. "Kung-hsi is a master at leaving clever hints." Once you've typed it a few times you'll remember it. Bonus: Kung-hsi is a Chinese name that isn't going to appear in an English dictionary.
Mobile Devices too
It's startling to me how hard it is to get professionals to encode their mobile devices with PINs or Passwords to unlock them. Yes, I know it's inconvenient but if you use your mobile device for work it likely contains a surprising amount of sensitive information (email attachments at least?) and you need to make sure that it's not easily accessible to a casual observer or a thief if you lose control of the device.
While you're turning on PIN/Password lock screens turn on device encryption too. Every modern device supports encryption.
Virtually all cloud-services allow you to enable multi-factor authentication. That means that in addition to a username and passphrase you'll also have to enter some sort of one-time-use PIN code that is texted to you, or perhaps a random PIN code generated by an authenticator app on your phone. This adds a significant additional layer of challenge to a would-be attacker.
Yes, I know it's a little less convenient for you. Not as inconvenient as having to tell all your clients you lost their data though.
Be skeptical of email attachments; even from apparently trusted senders. A lot of the malware infections we see these days come from malicious email attachments and some of them come from spam or spoofed email that appears to come from somebody you know or somebody within your organization. If you're not expecting an attachment or if the email message seems out of character for that person don't open the attachment until you can confirm with the sender that it's legitimate.
I once got an email message from an aunt that contained an attached document. The first red flag was that this aunt rarely sent attachments. The second was that the message had some awkward errors of grammar and this particular aunt was an English teacher. It didn't read like anything she would have written. A quick message to her confirmed that her machine had been infected and the malware had sent out the messages "on her behalf."
Don't casually open attachments. Ever.
Keep your systems up to date. Not only your operating system but your applications, anti-malware programs and even your firewalls and other security software. Often we see security breaches that exploit vulnerabilities that the vendor has already patched. You may think Microsoft products are the most important to keep patched - and they are important - but we see a lot of attacks against Adobe, Oracle and other products too. Flash and Java are particularly big surfaces for attack - if you MUST have them installed, keep them updated.
Don't Do Stupid Stuff
Malware can be found almost anywhere but it's most likely to be found in illicit content. If you choose to visit shady websites or download questionable programs tread very carefully. That special advance copy of a game that your friend got from a friend who downloaded it from a friend....could very well be infected with something nasty.
It should probably go without saying that you shouldn't let other people - especially kids - use your work computers or devices unsupervised. I've lost count of how many company computers we've found malware, and games, installed on because somebody allowed their kid to be entertained on the company computer.
More to come in Part 3....