In the spirit of The Avengers we have our own superhero — a superhero of computer and IT policy. This article is written — in true superhero fashion — anonymously, by The Green Geek, whose real name you may never know.
Join together with the Green Geek in the struggle against evil vector forces that willingly destroy your computer and information security. Vectors in cyberspace are villains who would maim your digital dignity, steal your identity, invade your privacy, destroy your data, and ruin your gadgets. If you let them.
What threats put you at risk? What can you do about it? Defend yourself with this Five-Point Plan from The Green Geek:
5. Value your privacy.
If you think privacy is no big deal, think again. You disclose a birthday here, a school there, you friend your mother’s mother on Facebook, expose your address or phone. Here and there you leave puzzle pieces that let us assemble your whole story.
- Villains can steal your identity - costing you much time and money. Stalkers can find you. Weirdos want to know you. Friends have Too Much Information. Employers can and will use what you say against you.
- Be in control. You rule the computer, not the other way around. Draw a line in the sand that you will not cross for sharing private information. Use factual security questions that only you know the answer to. Do you really need 1000 people to wish you happy birthday online? Tell us about your vacation when you get back, but don’t tell the world beforehand when your house is empty. If you use f-bombs, serial date, and drink, do we have to see you share that? Do you need to save all the web searches you ever made?
4. “Don’t talk to strangers.” Vectors include viruses, malware, botnets, robots, scam artists, and worse. This is huge.
- Look before you click. Only open messages and emails from senders you recognize. Someone is fishing for a sucker to bite their bait, in the form of fraudulent email. This is called “phishing”. Various sources estimate spam email takes up 90-94% of ALL email! Their purpose is to get you to look, buy, send money, accept a virus, or join a global botnet. Recognize fake and unwanted messages by their familiar but wrong sender address and weird titles. Report spam to help email vendors improve spam filtering.
- Only click on links from a source you trust. Inspect a hyperlink before you click on it: a hyperlink can display one thing while the real link underneath is something else.
- Don’t respond to emotional appeals or act on wishful thinking. What is real and hidden in the picture? Yeah, you’re lonely AND beautiful, you believe in love; or that car is a bargain! But if it is too good to be true, then it’s probably not true. Some emails are written by robots. Some generic messages say nothing specific that can’t be said to everyone.
- Never enter your password in response to links in an email.
3. Lock your doors, literally and figuratively.
Prevent the entry of illicit vectors into your space by limiting access. Consider security like an onion. At the center of the onion is treasure, payload, your precious stuff. How easy is it to peel off the layers of security, if any?
- Physical access - How safe are your things, from smartphone to PC? Stuff should not be available for just anyone to touch. Keep these objects physically secure, not left lying around. Same as you would protect a wallet. Not left in public bathrooms, unlocked cars, or on the hood of your car.
- Device access - How safe are your data files and screen displays? What if someone has access to your smartphone or PC? Require a screenlock. You should provide a uniquely personal password, finger-swipe, or biometric to see further. If you share the device or PC with other guests, then create a guest portal, so that your user session is separate from theirs.
- Network security - How safe is your connection to a network for internet access? Beware of Wi-Fi and untrusted networks, where your internet traffic travels on the information superhighway in full view, unencrypted for network admins or sniffers to capture. Be safe and sure: use your own encrypted 4G or 3G air card or USB modem. This is handy for reliable internet access anywhere anytime, and you not only don’t have to compete amongst an entire coffeehouse full of net surfers for bandwidth, but you also have the peace of mind that your communications are safe.
- Software reliability - Does your software scan for malicious vectors before you open or download objects? When you use the “cloud” – all the services are provided online via the internet on a web site or web server – make sure there is rigorous protection against vectors. Good cloud service providers will filter virus vectors from reaching your PC or device, so that you don’t download vectors or get your data ruined by them. You want to use email software that filters spam well, for example Google Mail (gmail.com).
- Device defense is 1st and last - We’ve peeled the onion back. The above inevitably fail, because new vectors can sneak through until discovered. Keep your device up-to-date with the latest: operating system; web browser; anti-virus/anti-malware software; and storage encryption.
- Microsoft Windows vulnerabilities created a multi-billion $$ spinoff industry just to create and administer the IT security. This gave Apple one leg up to bring to market OSX or iOS which were more closed and designed for better security. The Google browser Chrome is touted for its security. Samsung Galaxy Android and Apple iPad/iPhones are now offering the NIST FIPS 140-2 standard encryption for storage.
- If you log in to use software (such as email and banking), the appearance of the “padlock” icon in the browser means the network traffic is encrypted using SSL and therefore unreadable to anyone watching the network.
2. Trust NO ONE to store your credit card.
Online shopping is great. We save gas and time by browsing online, and the item is shipped faster than you can shake a green fist. Unfortunately some companies, to which we entrust our identity or financial credentials, are themselves negligently lax when it comes to IT security.
- DO NOT STORE CREDIT CARDS in online accounts with any vendor. Rather [tediously, yes], enter the credit card information for a one-time purchase each time you make a purchase. This is not risk-proof either, but incrementally better than storing your credit card like a sitting duck waiting for a hunting season.
- LIMIT CREDIT CARDS that you use online to a very short list. If something goes wrong you can more easily assess and contain the damage.
- READ YOUR STATEMENTS. We are unaware until a breach goes public. Take, for example, the intrusion into Global Payments’ servers in March 2012 that was not reported publicly for nearly one month. Global Payments coordinates the steps involved in authorizing the charge and submitting the transaction details for VISA and Mastercard. When you hear news about credit card theft, check your statements and activity ASAP.
1. Protect your passwords.
Some of the most famous security intrusions come from hacking passwords, but your defense in this regard is totally within your control.
- Use strong passwords. A strong password is a character string generally not found in any dictionary for any language. Use a combination of upper- and lower-case letters, mixed in with numbers and special characters. Create acronyms out of phrases.
- Use different passwords for different accounts, and change the password every 60-90 days. Yes, with all your stuff in the cloud, we’re talking about a load of passwords.
- Assess your risk, and firewall your passwords. Risk means the probability of something bad happening, and the impact if it did. It’s not kosher but the Green Geek does classify different accounts by degree of risk, and ramps up the security of passwords appropriately. For example, to comment on news or blogs, the Green Geek is known to reuse a password or two… For anything with private or banking information, the passwords are inscrutable. By “firewalling” passwords, there should be no crossover from an unimportant account to an important account.
- Use Multi-Factor Authentication! DO IT! Multi- or two-factor/two-step authentication (“MFA” or “2FA”) adds an extra step when you enter your user password, to ensure you are who you are. When you enable MFA, you define a “token” such as a phone; and when you try to log in with your username and password, you will receive a message with a code (voice or text) on your phone or token. You enter this code along with the password. If your software provider, bank, or credit card company offers this option then use it (e.g. offered by Google Mail)!
“Social engineering” in IT security refers to the ability to hack based on using known info about a person, in order to crack the security procedures for forgotten passwords, or to guess or reset their passwords. While very common, social engineering can be reduced with the above privacy practices and password discipline. MFA stops social engineering dead in its tracks. Here are three epic social engineering stories:
- In 2008, when Sarah Palin was running for VP, someone hacked her Yahoo Mail and reset her password by correctly guessing Palin’s birthday and her security questions: “Where did you meet your spouse?” (Answer = Wasilla High). Half the planet knows Palin’s bio; she compromised her own security when she chose that question.
- In 2009, the corporate email, business plans, and files of Twitter.com were hacked, when someone first hacked the wife of Twitter’s founder, and used the same passwords to gain access to the Twitter company.
- In 2011, the firm HBGary, which specializes in corporate and government IT security, got totally pwned and humiliated when, after bragging about exposing the hacker vigilante group Anonymous, they were cyber attacked by Anonymous.
“I can explain it to you but I can’t understand it for you.” We can’t defend Stupid. But it’s not that hard. This Five-Point Plan breaks it down for you. The takeaway here is to learn from others’ mistakes, and get comfortable with security awareness.
Read more about internet crime at the FBI’s Internet Crime Complaint Center. If you are a victim of internet crime, file a complaint with the FBI. Crime or vulnerability that puts the nation at immediate risk should be reported to the U.S. Computer Emergency Readiness Team (US-CERT).