Real World Security
Cybercrimes, cyber terrorism, and cyber security are all the rage on television and in the movies; however, real world cyber security is often a low priority.
Although the tasks that comprise real world cyber security may seem routine and boring, it is that “routine,” which provides a safe computing environment. Security breaches in 2014 proved to be more plentiful than ever before. Those attacks ranged in diversity and effect from the mild nuisance hacks, identity theft, and malvertising introductions of unwanted software, to the blatant attack on Sony.
Far too many individuals are still too lax when it comes to their private information and personal data, using birth date for passwords and portions of their social security number as the pin that “secures” their ATM cards and bank accounts. Even large corporations ignored alerts and failed to institute known preventive measures realized by previous attacks, possibly thinking, “It can’t happen to us, we’re too big.”
In order to avoid future attacks, lessons learned from previous breaches of security must be put into operation, sooner rather than later. An inexpensive method of avoiding loss is to learn from the price paid by other people’s mistakes.
Networks cannot be fully Secured
The lesson learned here is that security is an ongoing operation, not just for the technician with over watch duty, but also the individual user.
Changing passwords and utilizing site-specific passwords may seem like a nuisance, but it is necessary to keep valuable information out of the hands of criminals that look for insecurities and exploit them for personal gain. Using the same password on multiple accounts is asking for trouble as, once they have one, they have access to everything.
Caution should be the watchword for all online transactions. Use an online credit or debit card, one not used for anything else, and only hold a limited amount of money in that account. Most banks reimburse their clients for losses over a certain amount, but it could take time. Although the technology used to secure online transaction are becoming more and more sophisticated, so too are the hackers.
Back up all your data and personal files in at least three locations, one of which should be outside the physical location of the main storage. Having an external drive attached to the desktop or laptop is convenient and a good start, but if there is a fire at that location all the data will be lost. Also remember that any portable backup device should be fully encrypted to prevent the loss of personal information that may be stored on the drive.
No Email is Private or Fully Secured
Email is and always has been a plain text method of sending messages. The https at the beginning of the URL housing emails is a sign that there is a secure sockets layer (SSL); however, that only provides protection while accessing and reading an email. Transport Layer Security (TLS) can also secure email while in transit, however, the email is then stored in plain text on the receiving server. Further, most servers are set to accept non TLD connections which will allow the email to traverse the Internet in clear text as well Yes, there are methods to encrypt or code messages before sending on non-secure lines, but the receiver must utilize the same device in order to decrypt or decipher that message.
Gmail, Yahoo, and other email providers have systems in the works to encrypt and decrypt emails, but that is still a long way off. Even then, they would have to cooperate with each other for people on Gmail to correspond with people on Yahoo. In the meantime, be aware that most email is sent, received and stored in clear text…
Trusting Large Organizations is not a good Practice
In recent years, we have seen many large-scale cyber intrusions and hacking attacks. In 2012, it was Bank of America, in 2013, it was Target, and then in 2014, it was Sony. These billion dollar corporations could not keep hackers from intruding into their systems, so what chance does the little company have?
Actually, smaller companies know their subscribers better; they are familiar with their systems and servers. When an attack starts, they are more apt to recognize the intrusion from the on-set and take immediate corrective action.
That is why it makes more sense to go with a small well-established firm when it comes to hosting. Larger hosting companies to not always monitor their servers well enough to notice a change in traffic which could result in a breach condition.
Social Media is a Scammers Playground!
Many people do not realize how easy it is to impersonate another individual online, particularly on social media. Creating a Facebook page as someone else is particularly easy, simply go to their page, steal a few pictures, some of their personal information, create an email account in their name, and then create a new, bogus Facebook account.
So now, the person some thought was his or her friend, with whom they shared personal information, is actually someone else. Additionally, most are apt to believe anything their friend adds to their page because they are a friend. When something does not seem right about a post on a friend’s page, contact them on another medium to verify the post.
Large Advertising Agencies and others are Tracking Online Activities
It is an unpleasant fact that large agencies are tracking everything online, not just the NSA. To quote Snowden, George Orwell’s 1984 is “nothing compared to” what is actually happening and “A child born today will grow up with no conception of privacy at all. They’ll never know what it means to have a private moment to themselves, an unrecorded, unanalyzed thought…”
The internet is free, besides the fee paid to an ISP, because large advertising agencies pay, not just to put all those pop-ups and legitimate ads on website pages, but for the right to monitor and track your online movements.
Eliminating their ability to track our online movements is nearly impossible, yet employing these measures can minimize the success of their efforts:
- Utilize the private browsing mode
- Delete all cookies upon shutdown
- Utilize plugins, such as Scriptsafe for Chrome or NoScript with Firefox
- Utilize Do Not Track Plus, AdBlock Plus, Ghostery or one of the other available ad blockers
Network Compartmentalization and Segmentation is Imperative
Compartmentalization or segmentation is the key to limit access or control the damage once a malware has obtained entry or if a Trojan with remote access has intruded your organization. It might make your processes more difficult, but that is the tradeoff for more security. A single collection of servers and clients is a lot easier to maintain and more convenient to access those resources; yet, that convenience and freedom provides a vulnerability.
Security Alerts & Reports are to be Respected and Implemented
Recent reports have surfaced that the technicians at both Target and Sony knew or at least suspected a compromise was eminent long before the main attack took place. However, many of the officers in charge of security did not believe the security product alerts they had put into place to protect their systems. Had they investigated and put protective measures in place, they may have at the very least, minimized the damage.
Trust the alerts and reports that are provided by security products. Implement the necessary checks and balances to protect the systems that contain valuable personal data and information.
Course Vector produces a free monthly newsletter focused on security.
Concrete lessons can be learned from each compromise, attack, or accident and each mistake made is an opportunity for growth. Learning from another’s failure is paramount to growth in the cyber security arena. Cyber security is not just the technicians’ responsibility, nor can technicians take all the required steps to insure a safe online experience. Whether representing a global corporation or during personal online activities security management is as much a personal responsibility as the technicians’ who maintain the servers that house that personal data. Make fast effective use of security alerts and reports implementing the noted safeguards immediately and take the time now to put into action the aforementioned steps to minimize risks from intrusions that may compromise personal information.
Other Articles and Reports to help better understand Online Threats and Implement Personal Asset Protection: