The Security Top Ten List – 2017

The Security Top Ten List is my annual guide of security topics for everyone to make the most improvement to their security with the least effort and cost. This is the “low hanging fruit” and is your opportunity to be proactive. Security is a byproduct of our digital lives, and this is an effort to keep you informed. I hope that you’ll get value out of this information and I invite your feedback. Here we go!

This discussion applies to everyone using internet connected technologies. When you think about that, it goes way beyond computers and smartphones. Think any connected device like toasters, cameras, printers, light bulbs, cars, and more. The list is based on our collective knowledge of networks, threats, crimes, news, reports, events, and trends in our digital landscape.

This isn’t a priority list, so you won’t see numbers. Rather, all are important and some are easier or simpler to implement. Your scenario is unique, and you may prioritize these however they work for you. No matter what, any incremental improvement is still an improvement. Lastly, this isn’t everything that we have to think about. I’ll talk more about those in various posts throughout the year.

  • Messaging
  • Passwords
  • Anti-virus
  • Patching
  • Cloud
  • Open Wi-Fi
  • People safety
  • Disaster planning
  • Social engineering
  • Principle of Least Privilege


Messaging: phishing and attachments

If you use email, and who doesn’t, then you probably get unsolicited “spam” messages touting shady pharmaceuticals, dating opportunities, sweepstakes winnings, and more. The more sinister ones seem to come from someone you know. These either try to sell you something, push you to take action, plead for help, offer some interesting file that you should open immediately, or demand a large wire transfer that you need to send to Pakistan immediately. Email is the number one way criminals enter your life. The same tactics extend to SMS on your phone: the messages come from random numbers and use the same tricks.

For years, we’ve been told never to open suspicious messages, links or attachments, yet we keep on doing it. One really powerful reason for this trend is that the bad guys are getting much better at what they do. Messages are no longer horribly misspelled and filled with poor grammar. Today’s phishing messages are relevant and well-written. The criminals know how to beat the spam filters and play up to our emotions… so we have to continue improving.

I know you’re busy and your inbox isn’t getting any smaller. Yet that extra minute invested asking some questions can really pay off. Is the message really legitimate? Does it really make sense that your aunt is stuck in Antarctica and needs money to get home? Did you really win a lottery that you didn’t even enter? Will your bank really close your account if you don’t click on the link to change your password? Read up on a few common tactics here. Generally, these messages use social engineering (discussed later) to prey upon human curiosity, trust and fear.

There is a plethora of sleazy techniques we could talk about, though I’ll mention a recent one that caught my attention because when you connect the dots, it’s absolutely genius! Recently, the ride sharing company Uber disclosed they were breached in 2016. Most of the information lost wasn’t of incredibly high value. The creativity is in criminals using current events to their advantage to generate more legitimate-looking, targeted messages. There have been messages floating around claiming to be from Uber, saying they’re very sorry about the breach (which, by the way, was covered up, and Uber attempted to pay off the criminals, a story for another day), so you should click on the link in the message to change your password. It seems legitimate, but it’s not from Uber.

If you believe the message is legitimate, run the link through an online scanner such as VirusTotal. It takes seconds to check, and that action can save you hours or even years cleaning up the aftermath. A more automated way is to use a web browser add-on such as VirusTotal or WOT (Web of Trust). They all work with the major web browsers.


Passwords

Passwords, the scourge of the 21st century! The way we’ve built our systems, and the fact that we have so many of them, make keeping up with passwords a huge challenge.

With the number of breaches in the last 10 to 15 years, your password is most likely out there. Want to find out? Troy Hunt, a well-known security professional, created www.haveibeenpwned.com. If an email address or username that you’ve ever used comes back with a result, it means it was involved in some past data breach that leaked the email address and password. The site even tells you which breach you were involved in.

It is no longer a good idea to re-use your password at work, at home, and on multiple websites and online services. You could build a super-human memory or write them down, but neither option is secure or scalable. So how will you keep up with all of your accounts? A password manager can help. Not only can they store many different passwords, they can also generate very long and complicated ones.

If the option exists, the best choice is multi-factor authentication. This is used in addition to a username and password and adds immense strength to your login with little effort. Typically the service either sends your phone a text message with a code, or you use an app such as Google Authenticator to supply that one-time code.

The entire concept of “password” is being challenged and we’re moving to the idea of a passphrase instead. This is great because a passphrase is both strong and easier to remember. It can be a short sentence or phrase in plain language. There’s no need for special characters and numbers; the strength comes from its length. The challenge, for now, is that most systems don’t accept longer passphrases in lieu of shorter passwords with their special characters and numbers. We’ll get there!


Anti-Virus

Anti-virus is better known these days as endpoint protection because we’re protecting against more than simply viruses. It’s absolutely necessary these days and requires some maintenance to work well. It must be updated at least daily, run real-time scanning, and perform periodic full scans.

To dispel a myth, the free AV apps work just as well as paid ones when measured by how many threats they catch. The trade-off is in the automation. Saving money translates to more time spent running manual scans. The problem is that you’re bound to forget, and that’s where automation can save you big time.

The Apple and Android platforms are fairly well-protected so long as you download software from the legitimate app stores. Modern PCs and smartphones don’t break a sweat when running AV these days, so we can no longer say that it slows things down or gets in our way. There are no more excuses.

Newer generations of AV, such as Cylance or Carbon Black, use artificial intelligence to monitor behavior, and so far they’re very effective. For now, they’re available in large business environments; however, Cylance is planning to launch a home edition in early 2018. This next generation of protection is necessary to keep up with ever-improving malware. It works in concert with other advice: watch what you click, where you surf, and what you plug into your PC.


Patching

Every device we use runs on software, which is written by humans, and humans aren’t perfect. Some software will inevitably have bugs in the code. Not all bugs are discovered. Of the bugs that we do find, not all are fixed with a patch or update. We do need to realize there are problems out there that won’t ever be fixed; that’s a fact of our digital life and we have little control over it. We do have control over what we know, so install updates when they’re available.

We’re getting better at patching our computers and smartphones; it’s common to see the monthly updates from Microsoft or Apple. There are two reasons: patches are more automatic, and they aren’t breaking other features as often as they used to. As a bonus, updates sometimes include new features or make things run faster or more efficiently. Beyond the operating systems, others that should be high on your to-do list are Adobe Shockwave/Flash and Oracle’s Java. Devices that often don’t update automatically, such as printers, Wi-Fi routers and other connected devices, need to be updated manually.

A lack of patching is exactly what caused the recent Equifax breach in the spring/summer of 2017. The Apache Struts framework, a popular Java-based application framework, was updated and Equifax didn’t apply the patch. Breach ensued, the CEO’s career came to an abrupt halt, the company became involved in multitudes of lawsuits, and millions of consumers’ information is potentially being bought and sold in underground markets right now.

Though patching (early and often) is critical, there are definitely challenges. Sometimes, we’ll break the application that we meant to fix. Other times, the device or software goes “out of support” and is no longer patched. That’s a huge issue with low-cost Internet of Things (IoT) devices, older smartphones, printers, etc. In reality, it’s an unfortunate byproduct of using technology. The reality is: what we buy today, though it may physically function for years to come, isn’t built to last. It’s another way of strategically slipping planned obsolescence into our lives. There is no business reason for manufacturers to keep our old devices up to date, and they certainly won’t remind you of this when you buy that new gadget and set it up.

The key is to realize that the technology we use comes with strings attached, and it’s our responsibility to be diligent. Patch as soon as you can. If you can’t, then understand that you’re taking on certain risks by connecting older technology to your network. It’s a calculated risk, and as we have learned from history, there can be dire consequences. When things go south, have a plan to deal with it: plan to replace, keep backups, and isolate the risky devices away from higher-security networks.


Cloud

The basic concept of cloud is that you’re using someone else’s computers to do some work. This makes us forget that we’re still responsible for the security of our information. As cloud has been growing over the years, it has been portrayed as a higher-security solution because it can be… on the provider’s side, but not necessarily in the way you store and use it.

If anything, the major takeaway for you is: configuration is critical and we tend to make too many mistakes. Accenture, NICE Systems, Dow Jones, and the US military found out the hard way.

The topic of cloud can quickly get complicated, so I keep the focus very broad. Know what you’re getting into. That means reading the fine print. Read the contract, know the service level agreement (SLA), and be aware of where your information is stored, encrypted and backed up. Lastly, if a service is free then you’re paying for it in some other way. Understand how your information is used. Though I respect Google’s business model, don’t think for a second that Google doesn’t monetize your use of their services. If it’s free, then you’re the product.


Open Wi-Fi

My kids have asked, as they join a public Wi-Fi network with their phones, what’s so bad about open Wi-Fi? In this case, “open” means that a password isn’t necessary to join the network and your communication with it isn’t encrypted. When I think like a bad guy, this is a fairly easy way to violate your privacy. On a public Wi-Fi network, all of your communications are visible to everyone else on the network. This is improved with encrypted websites (HTTPS), though it isn’t perfect. An attacker can still see that you’re browsing a certain bank, Facebook, or a questionable site. These are still details that can be used against you (see the note on chaining in the social engineering section).

There are two fairly simple solutions. 1. Don’t use open Wi-Fi, period. Fire up your own mobile hotspot; it isn’t perfectly secure, but it is still much safer than public Wi-Fi. 2. Use a virtual private network (VPN) service. These cost around $50 to $70/year, but it’s well worth it if you find yourself needing an internet connection while away from home or work, or while traveling. The cost is justified: there are real infrastructure costs these providers must pay for. A free VPN that effectively protects you and doesn’t log and sell your usage or other information to the highest bidder simply doesn’t exist. If it’s free, then you’re the product.


People Safety

The most popular security certification, the Certified Information Systems Security Professional (CISSP), lists human safety as the number-one priority. I fully agree with the concept, and it reminds us of the need for emergency planning, emergency exits, appropriate fire detection and suppression, electrical safety, etc.

In the long run, it pays to consider overall security, not only to protect the information but also to ensure it isn’t used against us. History has a few stories involving security cameras, baby monitors, and other toys hacked and used to spy on their owners and on those we entrusted the technology to protect!

Self-driving cars are on the horizon and will probably become mainstream. A potential future attack may target the tangible devices in our lives, the ones that move or control something, to harm us or hold them for ransom. It’s our responsibility to be aware and understand the pros and cons of such technology so we can make wise decisions.


Disaster Planning

“If you fail to plan, you are planning to fail” said a wise Benjamin Franklin. The internet will go down, your electricity will fail, your hard disks will all eventually fail, you’ll drop your phone, and your backup will be out of date when you need it the most. Have a plan for the important things in your life. If it hasn’t yet, technology will fail you.

Backup drives are dirt cheap, and some come with reasonably easy and effective software to make backing up painless. Cloud backup services like Carbonite cost a bit more, yet they’re completely automatic and reliably push any file changes up to their cloud service.

Decide for yourself how much loss you can tolerate. The more you can afford to lose, the less effort and cost you’ll spend. On the flip side, the closer you need to get to 100% integrity and availability, the more effort and cost you’ll spend, and the closer you get to the impossible (nothing is 100%).

Some ideas for backup plans: keep phones backed up, and keep an old phone as a spare. Have a backup for internet connectivity if that is critical for you, your family or business. Maybe your phone can act as that connection, and you can start up a Wi-Fi hotspot when the wired internet goes down. If the power goes out for a day or more, you can keep your devices powered with a solar charger or an uninterruptible power supply (UPS), which also does a good job of keeping your internet modem and Wi-Fi router up during shorter power outages.

You don’t have to be a doomsday prepper, but there is value in spending some time thinking about worst-case scenarios. In the security world, this is known as “threat modeling,” and it can be eye-opening and beneficial. Spend a few minutes thinking about your situation, get what you need in place, and test it to ensure it’s ready when you need it.


Social Engineering

Social engineers enter our lives through phone calls, SMS, email, instant messages, and in person.

Our human tendency toward curiosity, trust and fear is being exploited by social engineers. They play upon our emotions, offering something for nothing, exploiting our tendency to help, or using urgency to make us act without thinking. This isn’t new; these are ancient, proven strategies applied in a new digital environment, and attackers are very good at what they do.

Mostly, social engineers are opportunistic and prey on easy targets. Some do target specific individuals with spear phishing. We simply can’t learn all the tricks of the trade, yet we can understand the basics of the game: our curiosity, trust and fear. These are the keys. Though I’m not suggesting that you become paranoid, definitely do practice a level of skepticism. Common attacks will be legitimate-looking and relevant to something in your life. For example, you’ve ordered something from Amazon and see a message about a delayed package. Although 487 million others received that message, you’re one of the few who are anxiously awaiting an important shipment. Your chance of clicking without thinking is far higher.

In a personal sense, protect yourself by maintaining your privacy and being aware of who you’re giving information to. We often share tiny pieces of information through our daily routine, such as our driving route, phone number, the last four digits of our SSN, name, etc. By themselves, these are generally innocuous. Yet, put together and “chained,” they can come back to bite us. Think twice every time you give out even a little information.


Principle of Least Privilege

Finally, the principle of least privilege is an old-school concept that is 100% relevant today. I expand on the classic definition, which focuses on people and processes, to include computers, networks, suppliers, partners, family members, machines, and a few related topics. These should be given exactly the information, access, and connections they need. No more, and no less.

A good place to start is at home. Protect your computer by using a standard user login, not an administrator account. This way, all of your programs will run with standard privileges. You may get more prompts asking for admin privileges, preferably with a password, and this is a good thing. It can save you if you happen to become infected with malware, because the software you’re running is limited and contained. Ransomware, for example, may cause some damage, but it wouldn’t be able to encrypt all files because it can’t get admin privileges!

A related business topic is separation of duties. Here, several individuals perform separate parts of a process to provide checks and balances. This helps reduce errors and fraud. An example scenario is an individual who can create their own illegitimate supplier, hire the supplier, falsify records for the work the supplier does, and then pay the supplier!

Then, we have network segmentation. Systems performing different work are physically and/or logically isolated from each other. For example, point of sale (POS), industrial controls, and back office systems would not coexist on one flat network. Though it is more work, the benefits are huge. Traffic management and administration become more efficient, and segmentation can significantly slow or block an attacker attempting to move from one network to another. The Target breach in 2013 was directly related to poor network segmentation. At home, you can put all of your guests and IoT devices on their own network to protect your sensitive activity (banking, billing, social media, etc.) from potential problems.
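As an added example, not from the original post, here is an nftables ruleset for a home router that enforces the home segmentation described above: IoT and guest devices sit on their own segment that can reach the internet but cannot initiate connections into the trusted segment, and blocked attempts are logged so lateral movement is visible. The interface names and subnets are assumed placeholders; the router’s own input chain and NAT are left out.

```nftables
#!/usr/sbin/nft -f
# Added example (not the post's own configuration). Assumed layout:
#   lan0 = 192.168.10.0/24  trusted devices (banking, billing, social media)
#   iot0 = 192.168.20.0/24  IoT and guest devices
#   wan0 = uplink to the ISP
flush ruleset

table inet home_segmentation {
    chain forward {
        # Default deny: anything not explicitly allowed below is dropped.
        type filter hook forward priority 0; policy drop;

        # Replies belonging to connections that were already allowed may flow back.
        ct state established,related accept

        # Both segments may reach the internet.
        iifname { "lan0", "iot0" } oifname "wan0" accept

        # Trusted devices may open connections into the IoT segment
        # (for example to manage a camera or printer) ...
        iifname "lan0" oifname "iot0" accept

        # ... but IoT/guest devices may never initiate a connection into the
        # trusted segment. Log before dropping so attempts show up in syslog.
        iifname "iot0" oifname "lan0" log prefix "iot-to-lan blocked: " drop
    }
}
```

Load it with `nft -f` and watch the log prefix in the system log; a compromised IoT device probing the trusted segment shows up as a stream of those blocked entries.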

In life, we have to walk a fine line. When people don’t have the tools or information they need, then something won’t get done. For better or worse, people are clever, and if well-meaning security gets in the way of productivity, they’ll find a way around it, sometimes with disastrous results. I think we can address these challenges with well-thought-out security that allows what is necessary to support productivity.