The term CYBER is much more than the "Cyber Monday" in your annual Black Friday/Cyber Monday holiday sale.
What used to be called Information Technology Security (INFOSEC) is now mostly called "cyber-security", partly a media-created term, but mainly society's shorthand for "security issues with technology".
Shows like Mr. Robot are closer to real life than you'd think, and it's folks like myself and other cyber professionals working hard to make sure we are safe online.
1. Using strong passwords
The rules are simple: go long (12 characters is a sensible floor today; length beats cleverness against modern cracking hardware); mix numbers, UPPER/lower case and specials (@&#*); no predictable patterns (abc, 123, 1111, your birthday); and never reuse a password across sites, so one breached site can't unlock the rest.
Example of a good password: !c@Nr3Mb#rTs( (a phrase you can remember, mangled)
Example of a bad password: mykidsname0207 (a name plus a date that an attacker can pull straight from your social media, see #5)
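To make those rules concrete, here is a small checker I wrote for this post (it is an added example, not something from the original article). It applies the rules above to a candidate password and returns the list of problems found; the 12-character minimum is a parameter, and the "no patterns" rule is implemented as a check for runs of the same character (1111) and for runs that step up or down one character at a time (abc, 123, cba). The two passwords in the examples above come out the way the text says they should.

```python
import re

# Character classes the rules call for
CLASSES = {
    "lower": re.compile(r"[a-z]"),
    "upper": re.compile(r"[A-Z]"),
    "digit": re.compile(r"[0-9]"),
    "special": re.compile(r"[^A-Za-z0-9]"),
}


def has_repeat_run(pw: str, run: int = 3) -> bool:
    """True if any character repeats `run` or more times in a row (e.g. '1111')."""
    count = 1
    for prev, cur in zip(pw, pw[1:]):
        count = count + 1 if cur == prev else 1
        if count >= run:
            return True
    return False


def has_sequence(pw: str, run: int = 3) -> bool:
    """True if `run` consecutive characters step by exactly +1 or -1 in code
    point, which catches 'abc', '123', 'cba' and '987' (case-insensitive)."""
    low = pw.lower()
    for i in range(len(low) - run + 1):
        window = low[i:i + run]
        diffs = {ord(b) - ord(a) for a, b in zip(window, window[1:])}
        if diffs == {1} or diffs == {-1}:
            return True
    return False


def password_problems(pw: str, min_length: int = 12) -> list:
    """Return a list of rule violations; an empty list means the password passes."""
    problems = []
    if len(pw) < min_length:
        problems.append(f"shorter than {min_length} characters")
    for name, rx in CLASSES.items():
        if not rx.search(pw):
            problems.append(f"no {name} characters")
    if has_repeat_run(pw):
        problems.append("repeated character run (e.g. 1111)")
    if has_sequence(pw):
        problems.append("sequential run (e.g. abc or 123)")
    return problems


if __name__ == "__main__":
    for candidate in ("!c@Nr3Mb#rTs(", "mykidsname0207", "Passw0rd1111!"):
        print(candidate, "->", password_problems(candidate) or "OK")
```

Note what the checker does not do: it cannot tell you whether a password has already leaked in a breach, which is the other thing that makes "mykidsname0207" bad. Reuse, not just weakness, is how most accounts actually get taken over.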
2. Two-factor authentication (2FA) at ALL times (where available)
A good authentication system combines factors from more than one of these categories:
- A: Something you know (e.g. a password). This is the most common kind of authentication used for humans; we use passwords every day to access our systems. Unfortunately, something you know can become something you just forgot, and if you write it down, other people might find it.
- B: Something you have (e.g. a smart card or phone). This removes the problem of forgetting, but now some object must be with you whenever you want to authenticate, and that object can be stolen and become something the attacker has.
- C: Something you are (e.g. a fingerprint). This bases authentication on something intrinsic to the person being authenticated; it's much harder to lose a fingerprint than a wallet. The catch is that a biometric can't be changed if a copy of it leaks, and cheap sensors can be fooled.
Let's walk through how this works in combination. Signing into my bank account (website): I type my password (A) -> the bank sends a one-time code by text message to my iPhone (B) -> I unlock my phone with Touch ID (C), read the code and type it into the website, and only then does the login succeed.
Any website of importance, or one storing crucial data, should be logged into this way. One caveat: codes sent by SMS can be intercepted through SIM-swap fraud, so where a site offers an authenticator app or a hardware key, prefer that over text messages.
3. Phishing emails (don’t click)
Phishing is the fake email (everyone gets them) that tries to trick you into clicking a link, opening an attachment or typing in a password; after a quick glance (I hope) you realize "oh, this is fake, delete!"
Prime example: no, that is not President Obama emailing you from BObama@whiteh0use.gov (peep the zero where the letter o should be). That is email phishing in a nutshell. While Gmail and other providers are good at stopping spam, phishing campaigns are getting harder to detect because attackers are using our STOLEN personal data to make the messages look legitimate. Check the actual sender address, not just the display name, and hover over a link to see where it really goes before you click.
DONT CLICK THE BAIT !!!!
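The whiteh0use.gov trick above is the kind of thing a mail filter can catch mechanically, and it is worth seeing how. Here is an added example I wrote for this post (not code from the original): it takes a sender address, pulls out the domain, undoes the common look-alike substitutions (0 for o, 1 for l, rn for m, and so on), and reports which trusted domain the sender is impersonating if it is a near-miss but not the real thing. The trusted-domain list and the addresses below are constructed for the demo.

```python
# Visually confusable substitutions attackers use in look-alike domains.
# Two-character pairs go first so "rn" becomes "m" before "n" is touched.
CONFUSABLES = [
    ("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"),
    ("5", "s"), ("7", "t"), ("8", "b"), ("@", "a"), ("$", "s"),
]


def sender_domain(address: str) -> str:
    """Domain part of an address, lower-cased: 'BObama@whiteh0use.gov' -> 'whiteh0use.gov'."""
    return address.rsplit("@", 1)[-1].strip().lower()


def normalize(domain: str) -> str:
    """Undo the look-alike substitutions so 'whiteh0use.gov' reads 'whitehouse.gov'."""
    d = domain.lower()
    for fake, real in CONFUSABLES:
        d = d.replace(fake, real)
    return d


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; catches one dropped, added or swapped letter."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(address: str, trusted_domains, max_distance: int = 1):
    """Return the trusted domain this sender is impersonating, or None when the
    sender really is that domain (or a subdomain of it) or is nothing like it."""
    domain = sender_domain(address)
    trusted = {t.lower() for t in trusted_domains}
    for t in trusted:
        if domain == t or domain.endswith("." + t):
            return None                      # genuine: the domain itself or a real subdomain
    norm = normalize(domain)
    for t in trusted:
        if (norm == t                        # confusable characters swapped in
                or edit_distance(norm, t) <= max_distance   # one letter off
                or domain.startswith(t + ".")):  # trusted name used as a subdomain of someone else
            return t
    return None


if __name__ == "__main__":
    TRUSTED = ["whitehouse.gov"]             # constructed allow-list for the demo
    for addr in ("BObama@whiteh0use.gov", "press@whitehouse.gov",
                 "alerts@whitehouse.gov.example.com", "bob@example.com"):
        print(addr, "->", lookalike_of(addr, TRUSTED) or "looks genuine")
```

This is a heuristic, not a guarantee: it only knows about the domains you tell it to trust, and it says nothing about a message whose From: address is spoofed outright. That is what SPF, DKIM and DMARC checks at the receiving mail server are for, and it is why "the address looks right" is still not the same as "click it".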
4. Fake answers to security questions
Security questions (mother's maiden name, first pet, high school) are really just extra passwords, and the true answers are often public. Fabricating the answers, and recording them somewhere safe, prevents personal clues about you from being used to reset your accounts or to support a phishing campaign (see #3), and it means that if one website has a data breach the leaked answers can't be reused to authenticate elsewhere.
Follow this and you're good!
5. Social media posts – PII Data is no-no
Pick your poison (Snap, Gram, FB, Twitter), it doesn't matter: every post can be a clue that helps an adversary steal your identity or guess your password or your security-question answers (see #4). Social media (SM) posts are also used to tailor phishing campaigns; if you tend to tweet about kittens, don't be surprised when your spam becomes cat-oriented, the robots are watching. I love SM, but again, just be mindful and please do not post anything defined as Personally Identifiable Information (PII): full birth date, home address, phone number, photos of ID cards or boarding passes, and the like.
Don't let yourself or others post these things, nah!!!
6. Clean cyber-hygiene (healthy habits)
- Adult sites, or whatever dodgy websites you need to visit: use a private/incognito window and don't click the ads. Private mode only keeps the history off your own machine (the site and your ISP still see you); ad blockers on your browser and phone are what actually cut the risk from malicious ads.
- Don't download apps that seem shady (e.g. no reviews, several 1-star reviews), and be aware of what permissions an app is requesting from your phone; a flashlight app does not need your contacts.
- On the PC keep to the minimum: keep the computer patched (turn on automatic updates) and run anti-virus/anti-spyware software.
- Don't plug unknown or untrusted USB devices into your machine.
- For any sensitive activity make sure the site is using HTTPS (look for the padlock icon in your browser). The padlock only means the connection to that domain is encrypted; it says nothing about whether the domain is the one you meant (see #3), and phishing sites use HTTPS too.
7. Lockdown and Secure Mobile Devices
PIN or pattern codes do more than keep folks out of your business. Honestly, our phones are our security: 2FA is worthless if your phone is unlocked, and physical theft thwarts all these measures, so keep a close eye on your device. A 6-digit PIN or a passcode is a better bet than a swipe pattern, which is easy to shoulder-surf.
iPhoners, I do recommend you enable "Find My iPhone": you can remote-wipe a device that is out of your possession, or it can help you recover a missing phone or iPad. Android has the equivalent "Find My Device".
8. Data Encryption is mandatory (when available)
Encryption scrambles readable data (plaintext) into ciphertext that can only be read by someone holding the key. That applies to everything: data stored on computers and servers (at rest) and data sent over networks (in transit). There's a reason the Department of Justice, and the government in general, keep pressing techies for weaker encryption or backdoors: STRONG encryption is what prevents folks from seeing what they don't need to see, and it is a cornerstone of our right to privacy. Pro-tip on phones: iMessage is end-to-end encrypted only between Apple devices; a text to an Android phone falls back to plain SMS, which is not encrypted at all. If you want end-to-end encrypted messaging across both platforms, use a messenger built for it (Signal is the usual example) rather than assuming any phone gives you it by default.
How it works
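As an added illustration (my own code, not part of the original post) of what "only the key holder can read it" and "tampering gets noticed" mean in practice, here is an encrypt-then-MAC construction built only from Python's standard library: a passphrase is stretched into two keys with PBKDF2, the data is XORed with a keystream generated by HMAC-SHA256 in counter mode, and an HMAC tag over the ciphertext is checked in constant time before anything is decrypted. It is deliberately simple so the moving parts are visible; real software should use a vetted authenticated cipher such as AES-GCM or ChaCha20-Poly1305 from a maintained library rather than this. The passphrase and sample record are constructed for the demo.

```python
import hashlib
import hmac
import os

# Illustrative encrypt-then-MAC built from hashlib/hmac only. Not a substitute
# for a vetted AEAD (AES-GCM, ChaCha20-Poly1305); it exists to show what the
# key buys you: unreadable ciphertext and detection of any modification.

def _keys(passphrase: str, salt: bytes):
    """Derive separate encryption and MAC keys from a passphrase (PBKDF2-HMAC-SHA256)."""
    km = hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt, 200_000, dklen=64)
    return km[:32], km[32:]


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    """PRF in counter mode: HMAC-SHA256(key, nonce || counter) blocks, concatenated."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def encrypt(passphrase: str, plaintext: bytes) -> bytes:
    """Return salt || nonce || ciphertext || tag, with a fresh salt and nonce every call."""
    salt, nonce = os.urandom(16), os.urandom(16)
    enc_key, mac_key = _keys(passphrase, salt)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return salt + nonce + ct + tag


def decrypt(passphrase: str, blob: bytes) -> bytes:
    """Verify the tag before touching the ciphertext; a wrong key or any tampering raises."""
    salt, nonce, ct, tag = blob[:16], blob[16:32], blob[32:-32], blob[-32:]
    enc_key, mac_key = _keys(passphrase, salt)
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("wrong passphrase or data tampered with")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))


def can_open(passphrase: str, blob: bytes) -> bool:
    """True only if the passphrase is right and the blob is untouched."""
    try:
        decrypt(passphrase, blob)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    record = b"acct 1234 balance 987.65"          # constructed sample data at rest
    blob = encrypt("correct horse battery", record)
    print("stored bytes contain plaintext?", record in blob)
    print("right passphrase opens it?", can_open("correct horse battery", blob))
    print("wrong passphrase opens it?", can_open("guess", blob))
```

The same two properties are what HTTPS (#6 above) gives you on the wire: the bytes in transit are useless without the session key, and a modified packet fails its integrity check instead of being silently accepted.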
9. #ioT – the Internet of Things
Smart homes, cars, light bulbs, speakers, scales, watches, Fitbits, <insert object> are super cool and dangerous at the same time. Recently it was proved that these devices can be hijacked in bulk and used in unison to cause harm: in October 2016 the Mirai botnet, built from compromised cameras and home routers, knocked a big chunk of the US internet offline by flooding the DNS provider Dyn. See: https://www.wired.com/2016/10/internet-outage-ddos-dns-dyn/
This is a new and emerging technology area, and our friends at the federal government are working with vendors to promote building security standards into devices. For now it continues to be the wild wild west. Please research and buy IoT products from reputable vendors that have proven they patch their products when issues arise, change every default password the moment you plug a device in, and keep IoT gear on its own Wi-Fi network (most home routers offer a "guest" network) so a hacked light bulb can't see your laptop.
10. Should I just unplug and go back to dial-up??
No and no. We are living in wondrous, connected times. Be vigilant and trust/verify with your own eyes, not hearsay. Honestly, this is a culture change for everyone. Back in the day computer issues stayed with the folks in the basement; now cyber-security is starting to be treated as a business/organizational issue. Example: any time a website is offline, the company loses money and customers for every second it is down. No one wants to read about their company in the Washington Post headlines looking all sad and pitiful because y'all lost all your data by not following basic security (YAHOO, I'm looking at you: https://www.cnet.com/news/yahoo-500-million-accounts-hacked-data-breach/)
Lastly, if you work in technology, or are just looking for a career change in general: there is a MAJOR shortage of cyber-security professionals, and our [soon to be leaving #sadface] President Obama has stated that the USA must recruit and train at least 100k people to prepare for and prevent hacks by foreign entities. Yes, it's almost military-style action, but with no deployments, and you will have a job for life.
If you have specific questions or concerns I can be reached via twitter @caplady1225
“Saving cyber lives ; one hack at a time.”