I’m not the biggest fan of New Year’s resolutions. Statistics show that 80 percent of New Year’s resolutions will actually fail. That said, I can’t deny that the New Year is always a convenient time to take stock of what we do and plan changes or improvements. The trick is making resolutions that won’t become afterthoughts a few months down the road.
According to last year’s headlines, one thing we all need to improve upon is our information security. With the latest security trends in mind, here are five information security resolutions that I recommend you make in 2016:
1. Patch quickly and regularly
I know, you’ve heard this tip before. In fact, you’ve probably heard it so many times you must think security geeks are either mind-numbingly boring or just too dull to come up with anything new. But the fact is that updating your computer’s software often is still one of the most effective ways of armoring your system against the dangers of the Internet.
This is an over-simplification, but there are essentially two ways cyber criminals force bad stuff onto your computer. They either trick you into doing something you really shouldn’t, or they exploit a flaw in your software to gain access privileges they shouldn’t have. Patching will do wonders to combat the latter.
The cyber criminal underground has made it exceedingly easy for even unskilled criminals to exploit vulnerabilities in a wide range of software. They develop and sell exploit kits like Angler or Nuclear, which are essentially pre-packaged drive-by download servers in a box. These kits come with exploits for dozens of vulnerabilities in our most popular software: garden-variety programs like Internet Explorer (IE), Chrome, Firefox, Java, Flash, Reader, and many more. If you visit a website running one of these kits, it quickly profiles what you’re running, finds the right exploit, and leverages it to silently force malware onto your computer.
Sounds scary, right? Well, it doesn’t have to be if you do yourself a favor by resolving to patch all year. If you simply keep your software up-to-date, you’ll remain immune to the vast majority of attacks you’re sure to encounter online.
For desktop machines, it’s a good move to allow the “automatic software update” mechanism to do its job without your interaction. Also, though you should patch all your software, pay especially close attention to Microsoft, Adobe (Flash and Reader), Oracle (Java), and web browser software, as attackers currently tend to target these products.
2. Get a handle on your passwords and authentication
One of the easiest ways for black hats to target you is to become you by hijacking your credentials. To do this, they need your password, and unfortunately there are many ways they might get it. They could guess your password, brute force it, capture it with a keylogger, sniff it over a network, phish it, or even steal it from a third party that stores it.
The last password harvesting technique — stealing passwords from other organizations — has made waves over the last few years, and has forced the Infosec industry to consider whether or not passwords are really a good authentication token. Specifically, cyber criminals have stolen millions, if not billions, of stored password credentials from many different websites over the last five years.
Another huge password issue is that many people use the most basic and obvious passwords. Even when they don’t, most people don’t use long or unique enough passwords to withstand cracking attempts. Finally — and worst of all — many people use the same password at many different places. This means if an attacker can learn one of your passwords by hacking some trivial site you don’t really care about, he may still be able to get access to something you really do care about if you haven’t used a different password.
Passwords, if used right, are effective, and I think they will remain part of the authentication process for years to come. With that said, here are some tips to get your passwords and authentication in order this year:
- Adopt a password manager. If you use really long, really unique passwords and different ones for every site you visit, your passwords will be effective at protecting you. But let’s face it. No one wants to keep track of long, complex passwords for every account and website they use. However, a password manager can make this security practice easy. All you have to remember is one strong password, and the manager will take care of the rest.
- Use multi-factor authentication. The harsh truth is no authentication token is hack-proof. Bad guys can figure out your password, and in the future, bad guys will even figure out how to crack biometrics (fingerprints, retina scans, etc.). However, if you pair up at least two authentication tokens, it makes it exponentially harder for a hacker to break into your account.
3. Harden your Web security
Today, a significant amount of the malware installed on victim computers comes from web-based drive-by downloads, where malicious code on a website silently leverages a software vulnerability to force malware onto your computer. According to some sources, 90 percent of this malicious web code comes from malvertising, or malicious advertisements that pop up on legitimate websites. If you browse the web — even if you restrict yourself to the most trusted sites — you need to harden your web defenses to protect yourself.
Here are a few additional defenses to keep you safe from malicious web code:
- Use a web reputation solution. There are a number of solutions that constantly keep track of known bad websites. Some of these products run directly on your computer and others run at the network level, protecting all connected devices. I highly recommend you use one of these web reputation solutions to keep yourself away from obviously malicious sites.
4. Beware of Spear Phishing
If a black hat can’t access your PC with an exploit, he or she falls back on the trustiest trick in the book: social engineering. One of the most notable forms of social engineering is phishing, where an attacker crafts and sends an email that looks like a legitimate message from some trusted organization, in hopes that the victim will give up credentials. Normal phishing emails are typically relatively easy to spot, as they are mass spammed to many people and usually contain very little user-specific customization. You can also usually hover over some of the links in these emails and immediately identify them as unusual.
Spear phishing is a different beast altogether. Spear phishing is an attack where the criminal has profiled a small group of people or even one specific individual. Attackers then create a one-off email that is very relevant to the target’s job or personality and seems to come from someone they know or should know. The content of these emails, including any documents or links, does not seem suspicious. For instance, if you’re in accounting, you could get an email that appears to come from your payroll provider asking you to look at a PDF document of your latest payroll payments. Of course, this may really be a social engineering attempt to try and lure you into interacting with a dangerous document hiding malware.
Since spear phishing emails are so customized, and generally much better crafted than normal phishing emails, they are much more difficult to catch. I recommend you brush up on your spear phishing awareness skills, keeping these two tips in mind:
- Handle all email with a bit of suspicion. Even if email seems to come from a friend, or someone you might need to work with, remain slightly skeptical of any email that has a strong call to action trying to get you to open an attachment or to click a link. Remember, document attachments can be dangerous too.
- Is the tone consistent with what you would expect? When handling emails that are supposed to be from friends or people you might know, ask yourself whether the tone of the email is consistent with what you would expect. If your gut says something is off, perhaps you shouldn’t interact with any content in the email.
There are many other great places to learn tips that can save you from spear phishing. I recommend you check out KnowBe4’s phishing cheat sheet or go through PhishMe’s free computer training on the topic.
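The “hover over the link” check described above can be done for a whole message at once. The script below is an added example, not from the original post: it pulls every link out of an HTML email body and flags the ones where the visible text names one site while the href goes to another, where the destination is a bare IP address, or where the link is plain http. The payroll-style sample message and its domains are constructed for illustration.

```python
# Added example, not from the original post: list the links in an HTML e-mail body
# and flag the ones a hover would expose: visible text naming one site while the href
# goes to another, a bare IP destination, or a plain http link. Sample e-mail is constructed.
import re
from urllib.parse import urlparse

# Anchor tags with a double-quoted href, and their visible inner text.
ANCHOR = re.compile(r'<a\s[^>]*href="([^"]*)"[^>]*>(.*?)</a>', re.I | re.S)
# Visible link text that itself looks like a URL or a bare domain name.
DOMAIN_IN_TEXT = re.compile(r"^(?:https?://)?([A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+)(?:[/?#]\S*)?$")
IPV4 = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")


def extract_links(html):
    """Return (href, visible text) for every anchor, with nested tags stripped."""
    return [(href, re.sub(r"<[^>]+>", "", text).strip()) for href, text in ANCHOR.findall(html)]


def suspicious_links(html):
    """Return (visible text, href, reasons) for each link that deserves a second look."""
    findings = []
    for href, text in extract_links(html):
        dest = urlparse(href)
        host = (dest.hostname or "").lower()
        reasons = []
        shown = DOMAIN_IN_TEXT.match(text)
        if shown:
            named = shown.group(1).lower()
            # Allow the named site or one of its subdomains; anything else is a mismatch.
            if host != named and not host.endswith("." + named):
                reasons.append(f"text shows {named} but link goes to {host}")
        if IPV4.fullmatch(host):
            reasons.append("destination is a bare IP address")
        if dest.scheme == "http":
            reasons.append("unencrypted http link")
        if reasons:
            findings.append((text, href, reasons))
    return findings


# Constructed sample modelled on the payroll lure described in the post.
SAMPLE_EMAIL = """<p>Your latest payroll statement is ready.</p>
<p><a href="http://payroll-provider.example.invalid/view.pdf">https://payroll-provider.example/statements</a></p>
<p>Questions? <a href="https://payroll-provider.example/help">https://payroll-provider.example/help</a></p>
<p><a href="https://203.0.113.5/login">Sign in</a></p>"""

for shown_text, href, reasons in suspicious_links(SAMPLE_EMAIL):
    print(f"{shown_text!r} -> {href}: {'; '.join(reasons)}")
```

The same check can be run over a saved `.eml` body before deciding whether to click; a link whose text and destination disagree is the signal the post tells you to look for.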
5. Back up important data
This is the simplest tip, but one of the most important. Ultimately, computer security is really about information security. One of the biggest risks of a hack or breach is that you lose data that is valuable to you or your organization. For instance, ransomware will continue to be one of the largest threats this year, and it specifically preys on making your data inaccessible. Everyone knows you should back up data that is important, yet ransomware has succeeded in proving that many people still don’t back up important data.
If you don’t back up, start this year.
As I said before, I’m not one for New Year’s resolutions. It’s only February, and there’s a good chance that most people have already fallen off the “new year, new me” wagon. Resolutions for improvement don’t have to be confined to the first of January. Now is as good a time as any to take a serious interest in protecting your critical information. The good news is that these five information security resolutions are relatively easy to incorporate into your life and can save you a ton of trouble in the long run.
As always, feel free to leave any questions or thoughts you may have in the comments section.