Thursday, October 1, 2015

Cyber tips for digital citizens

What better time than National Cyber Security Awareness Month for a refresher on cyber safety? Start the new school year off with some healthy habits.

Every October, the National Cyber Security Alliance and the Department of Homeland Safety lead a National Cyber Security Awareness Month, a month of cooperative efforts involving government, private businesses, and individuals working together to promote online safety and digital privacy. This year's campaign kicks off with the theme "best practices for all digital citizens."

The news is full of stories about extraordinary threats: the NSA spying on everyone. Car, airplane, and medical device hacks. Baby monitors used by kidnappers to plan their entry. Elite hackers exist, and they do elite things - but they are generally not the greatest threat to most people. Consumers are undone by far more pedestrian problems. Passwords. Outdated software. Phishing. Improperly configured networks. Routine malware. Malicious advertising. Unwittingly trading privacy for "free" services.

Autumn brings a return to the school-year routine for millions of students young and old, as well as their respective families. What better time for a refresher on cyber safety? Start Cyber Security Awareness Month with some healthy habits.

What follow are practical suggestions that anyone can follow. None of these are earth-shattering - I and my fellow security professionals have recommended most of these for years, though the order of importance has changed a bit recently. Together though they form a strong foundation for basic cyber security.

Lock the door

In digital terms, that means to properly manage passwords and authentication. Like it or not, for the foreseeable future passwords are the keys to our online lives:

  • Change the password before you connect a new device to the Internet. Many products come with a built-in default password - which in most cases is well-known to the hacker community.
  • Use a unique password for every website that you care about. Reused passwords are a hacker's dream: all too often, a password will be stolen from an unimportant news site, only to be used to break in to one's bank accounts.  Unique passwords per account ensure that if one password is stolen, only one password is stolen.
  • Use a password manager program to store your passwords. I can't speak for you, but I have at least a hundred different online accounts: email, social media, financial institutions, insurance companies, utility services, retail sites, professional organizations, news outlets - the list could go on and on. Keeping track of individual, strong passwords for every site on my own would be a fool's errand; instead, choose a password manager to do the remembering.

    Password managers come in two basic types - "cloud-based" managers in which your passwords are stored in an encrypted online vault, easily shareable among all your connected devices; and "offine" managers in which your passwords are stored locally, never exposed to an Internet attacker. The relative considerations for each are beyond the scope of this discussion.
  • Use long passwords - because mathematically, the length of a password is the single greatest measure of its strength. "Brute force" password crackers - ones that simply try every possible combination of characters until they discover the right one - can crack an 8-character password in a few minutes. The same cracker would take centuries to break a 25-character password.

  • Let a password generator program make up your passwords. Humans are notoriously bad at choosing good passwords. Even when we think we've chosen strong, unique passwords (Uppercase letters! Lowercase letters! Numbers! Special characters!), we tend to follow predictable patterns. Austin2015! and Z)0fG5^nq4t both have the same number of characters and the same mix of character types. Guess which one is more difficult for a hacker to discover?
  • Use multifactor authentication where available. The strongest password in the world can still be stolen, whether by a clever phishing email or by password-harvesting malware. With multifactor authentication, logging in requires both a password, and something else. Common approaches are a physical card, a keyring-style token generator, or a one-time code sent via SMS. The key consideration is, the second factor should not be another static password or "security question" (which could be stolen as easily as the original password).

Tend to your devices

  • Turn off risky browser plugins. Flash Player in particular has been popular with criminals, as it is installed on almost every computer and generally runs content automatically when you open a web page. A favorite way of exploiting this is by inserting malicious advertisements into ad networks used by well-known businesses. There are legitimate reasons Flash might still be necessary - a variety of enterprise applications use it - but it is simple to set the player to require an intentional click before running content. In fact, as I write this, Google has made this the default behavior for Chrome effective September 1.
  • Mind your apps. Mobile device apps can (mostly) only do what you allow them to do. So read the permissions an app requests before blindly installing Fuzzy Kitten 97. Read the permissions requested by an app update as well: I have more than once removed a once-satisfactory app because an update expanded the permissions unnecessarily. In addition, stick to the major app stores. While the major app markets (such as Apple's App Store, Google's Play Store, Amazon App Store for Android, Windows Phone Store) can be compromised, they are still far safer than sources off the beaten path.
  • Keep programs up-to-date. Android OS, Apple iOS, Windows, Mac, and many software products have automated update features. Turn them on. Software developers make mistakes - that's what the updates fix. If your car had a factory defect that might leave you stranded on the side of the road, and offered a free fix, you'd take them up on it, right? This is the same thing.
  • Change the phone book. DNS, or Domain Name Resolution, is how your computer knows that is actually “” It happens silently in the background and is usually ignored unless it stops working. OpenDNS and Norton among others offer free services that simply don’t resolve website addresses that go to known undesirable content (more accurately, they resolves such websites to a benign address that says “you can’t go there.”) In my opinion this is one of the strongest controls you can add to the security of your network.

    Mind your own behavior

    • Think before you clickPhishing scams as well as malware rely on our tendency to click first, think later. Phishing scams in particular can be incredibly believable - they are designed to imitate something legitimate to abuse your trust. Oh, and they can disguise themselves quite cleverly.
    • Use social media strategically. The old adage that on the Internet no one knows you are a dog is absolutely true: with social media you only know who someone claims to be. Different social media platforms offer different audiences, as well as different degrees of control over who sees your posts.
    • Favor credit cards over debit cards. For purchases, credit cards have inherent consumer protections, and your cash is separated from the transaction. In the US, the Fair Credit Billing Act limits your liability for credit cards to $50 if you report fraudulent use promptly (and further, limits it to $0 if you report the card stolen before it is used fraudulently). In addition, many banks have sophisticated pattern-tracking systems that detect your typical patterns and will alert if something seems out of the ordinary. The liability law for debit or ATM cards is considerably different. The Electronic Fund Transfer Act limits your liability to $0 if you report the card or number stolen before it is used, and to $50 if you report fraudulent use within 2 days after you learn of the theft. However, after two days your maximum loss increases to $500 - and if not reported within 60 days, you are on the hook for the entire loss.

      An additional step I take is to reserve one credit card for recurring transactions (monthly utility bills, for example), and a separate card for purchases. In recent years, most payment card breaches have involved point of sale devices. Replacing a piece of plastic in my pocket is easy, but updating a dozen or so recurring payments is a pain. Using a separate card for purchases means if I have to replace that card, my recurring transactions are not affected.

    • Place a Fraud Alert on your credit report - and renew it every 90 days. This isn't strictly an online security protection, but it is highly effective at minimizing the damage caused by identity theft. A Fraud Alert tells potential creditors that they must take additional steps to verify your identity before issuing you credit. Often, this means the creditor will call you - at the phone number listed in your credit report (not a number provided by a fraudster) - to ensure you are in fact the one requesting a new credit account. Note that you do not have to be the victim of identity theft to put an alert on your credit report.
    • In case you missed it, Think before you click.

    Do you have other practical suggestions to add? Comment below or hit me up on Twitter at @dnlongen.

    The majority of this article first appeared in CSOonline

    Do you have something to add? A question you'd like answered? Think I'm out of my mind? Join the conversation below, reach out by email at david (at), or hit me up on Twitter at @dnlongen