Principia Raid
Back to Basics - secure your accounts!
We spend much of our time focused on Enterprise-level InfoSec, and sometimes there's not enough focus on getting back to the basics of how to protect our own personal data. One trend in effective Enterprise InfoSec programs that has seen real success in improving security behaviors across the user base is to not ONLY provide training on your company's policies and procedures, but to ALSO focus your training efforts on what's important and relevant to your users personally. There's a direct relationship between good personal cyber hygiene and a more robust Enterprise InfoSec posture. If your users behave appropriately at home, they're much more likely to bring those behaviors to work. If your users are trained to be threat-aware and know what to watch for with their personal accounts and online presence, they'll be far more likely to recognize the same threats in the workplace. The line between home and work has been blurring for years, but in today's landscape, where for many knowledge workers there's simply no difference, these considerations are critical to your information security. Work IS home. Home IS work.
One question to consider: when it's relatively easy to properly secure your digital existence, why do we continue to see so many breaches and leaks? It's a great question with lots of answers that we're not here to discuss. We're here to get back to the basics and help fix the problem. Remember that reinforcing these basic steps for your user base, while it might seem overly simple, will deliver real results for your Enterprise InfoSec program. Smart users = more secure operations. Training and reinforcing even the basics can deliver immediate results.
What does good look like?
USE YOUR LOCK SCREEN
Set ALL of your devices to lock after a short time-out. Not just your phone. Your laptop, your desktop, your tablet: anything that has a lock screen option, USE IT. You might think this mostly protects against pranks or fat-fingered toddlers, but the ONE time you leave your device at a restaurant table or in your grocery cart can result in a compromise. It only takes a few seconds. When setting your unlock code, use a strong one (a long PIN or an alphanumeric passcode) and take advantage of whatever biometric options your device offers so that unlocking stays painless. Remember that the biometric always falls back to that code, so the code has to be strong on its own. If you happen to be a targeted user (it happens!), your birthday as a code won't do the trick.
USE STRONG PASSWORDS AND DO NOT RE-USE THEM ACROSS SERVICES
Seems like a no-brainer, right? Nope. Here's a pic depicting the most common passwords used in 2020. The size of the password is relative to its frequency of use. Ridiculous, right?
While it's a common argument that more difficult passwords are more difficult to remember, that's ALSO THE REASON THEY'RE MORE DIFFICULT TO HACK. One of the easiest ways someone can get into your accounts is credential stuffing: 'acquiring' username and password combinations leaked from one service and replaying them against other services. That attack only works because people reuse passwords, so a unique password per account defeats it outright.
On strength, the number that matters most is length. The old rule that a strong password needs at least 8 characters with upper and lowercase characters, numbers and special characters is a floor, not a target (that doesn't mean it should be 8 characters. I said AT LEAST 8 characters). Eight characters, even a complex mix, can be brute-forced offline in hours to days when a poorly protected password database leaks, so aim for 16 or more random characters, or a passphrase of five or six randomly chosen words. If it's too complicated to remember, you're doing it right: you shouldn't be remembering it at all.
Use a password manager across your devices to generate and keep track of your credentials. It's easier to remember ONE long, complicated password that grants you access to ALL of your complicated passwords. These days most password managers offer apps and browser extensions that automate the login process across your devices pretty effectively. We happen to be a fan of LastPass as an example. You could argue the 'all-your-eggs-in-one-basket' counter argument against using a password manager, but the risk here is much lower and much more manageable than the risk of compromise from using multiple easy to remember passwords, as long as you're using a service that encrypts the vault both at rest and in transit, with the key derived from your master password on your own device so the provider never holds your plaintext (ie LastPass), and as long as you treat that master password as the one that matters most: long, unique, never reused, and with multi-factor authentication turned on for the vault itself. Using a password manager also makes it easier to use different passwords for each account.
While it can be convenient to use the single sign-on options offered today (ie Facebook asks you if you'd like to use your Facebook credentials to log into Instagram, or Google asks you if you'd like to use your Gmail credentials to log into YouTube), understand what you're doing: you're making that one account the key to all the others, so one compromise equals multiple compromises. Keeping separate credentials for each account contains the damage, and again, a password manager makes that easy. If you do use single sign-on, the account you sign in with has to be the best-protected one you own.
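To put numbers on "length beats complexity", here is an added Python example, not from the original post or from any product it mentions, that generates passwords and passphrases with the standard-library `secrets` module and estimates their entropy the way an attacker's guessing budget is measured. The word list embedded here is a tiny constructed stand-in for a real Diceware list of 7,776 words; the entropy figures are honest for whatever list size you pass in, which is itself part of the lesson.

```python
import math
import secrets
import string

# Character pools a password manager would typically offer.
PRINTABLE = string.ascii_letters + string.digits + string.punctuation  # 94 symbols
ALNUM = string.ascii_letters + string.digits                          # 62 symbols

# Constructed stand-in word list for the demo. A real Diceware list has
# 7,776 words. The list is public; the secret is the random choice, not the words.
WORDLIST = (
    "acorn basalt cactus dune ember fjord gravel harbor iris juniper kelp lagoon "
    "marble nectar orbit pebble quartz ridge saddle tundra umber velvet willow zenith"
).split()


def entropy_bits(pool_size: int, length: int) -> float:
    """Bits of entropy for `length` independent uniform draws from a pool.

    2**bits guesses exhaust the space, half that on average. This assumes a
    uniform random choice; a human-chosen password of the same shape has far less.
    """
    return length * math.log2(pool_size)


def generate_password(length: int = 16, pool: str = PRINTABLE, require_classes: bool = True) -> str:
    """Uniform random password from `pool`.

    With require_classes, rejection-sample until every character class that
    exists in the pool appears at least once (many sites insist on this). The
    accepted strings are still uniformly distributed over that smaller set.
    """
    if length < 8:
        raise ValueError("8 characters is the floor, not the goal")
    classes = (string.ascii_lowercase, string.ascii_uppercase, string.digits, string.punctuation)
    present = [cls for cls in classes if set(cls) & set(pool)]
    while True:
        pw = "".join(secrets.choice(pool) for _ in range(length))
        if not require_classes or all(any(c in cls for c in pw) for cls in present):
            return pw


def generate_passphrase(words: int = 6, wordlist=WORDLIST, sep: str = "-") -> str:
    """Diceware-style passphrase: each word is an independent uniform draw."""
    return sep.join(secrets.choice(wordlist) for _ in range(words))


def compare_policies() -> dict:
    """Entropy of the common password shapes, to show why length dominates."""
    return {
        "8 chars, full printable": round(entropy_bits(len(PRINTABLE), 8), 1),
        "16 chars, full printable": round(entropy_bits(len(PRINTABLE), 16), 1),
        "20 chars, letters+digits": round(entropy_bits(len(ALNUM), 20), 1),
        "6 words, 7776-word list": round(entropy_bits(7776, 6), 1),
        f"6 words, this {len(WORDLIST)}-word demo list": round(entropy_bits(len(WORDLIST), 6), 1),
    }


if __name__ == "__main__":
    for policy, bits in compare_policies().items():
        print(f"{policy:32} {bits:6.1f} bits")
    print("password:  ", generate_password(16))
    print("passphrase:", generate_passphrase(6))
```

The table it prints is the point: doubling an 8-character password to 16 doubles the bits (roughly 52 to 105), a 20-character letters-and-digits string beats an 8-character "complex" one by a wide margin, and six words from a real Diceware list land near 78 bits while the same six words from the 24-word demo list give under 28, which is why you never generate passphrases from a small or guessable vocabulary.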
USE MULTI-FACTOR AUTHENTICATION WHEREVER POSSIBLE
Because of the proliferation of stolen credentials and data breaches, most services offer two-factor (or multi-factor) authentication as an available login feature. Use it. Requiring that second code, or 'factor,' means that anyone who has your password would also need access to your physical device to get into your account. Opt in everywhere you can, and prefer the strongest option the service offers: an SMS code sent to your phone is the weakest (it can be intercepted, or redirected by a SIM swap against your carrier), an authenticator app like Google Authenticator that generates time-based codes on the device itself is better, and a hardware security key (FIDO2) is best because the key is bound to the real site's domain and won't answer a look-alike. Understand the one gap in codes of any kind: a phishing page that relays your password AND your code to the real site within the same 30-second window still gets in, so the second factor doesn't excuse you from checking where you're typing. While strong passwords and multi-factor authentication aren't foolproof, together they're usually enough to keep your accounts secure and private.
CHANGE YOUR PASSWORDS WHEN THERE'S A REASON TO
Yes, it's a pain in the a$$, and it turns out it's also not the silver bullet it was once sold as. Current guidance (NIST SP 800-63B) is that forced periodic rotation should not be required, because people respond to it by picking predictable variations of the old password, which are the first thing an attacker tries. Rotation is critical in three situations: the moment a service you use announces a breach, whenever you suspect someone else has accessed an account, and for any password that was ever reused or shared with anyone. Strong, unique, manager-generated passwords don't need to be replaced on a calendar. If you want the extra margin anyway, some password managers offer automated password updates for a growing list of services on a schedule that you decide, which removes most of the administrative overhead.
CHECK YOUR PRIVACY SETTINGS
Check the permissions you've granted to applications and services to ensure that you're comfortable with what you've agreed to share. Facebook and Twitter are prime examples: you may have blocked Facebook from accessing location data on your smartphone, but is it also blocked on your tablet? Is Twitter's privacy setting permitting the sharing of data with third-party applications that you've installed? Are the privacy settings consistent across your multiple devices for your various accounts and services? If you don't know, check. A strong password and multi-factor authentication protect ACCESS to your data, but neither helps if you've agreed by default to share specific data with other services. Have you installed the latest Facebook application that all your friends have downloaded to face-swap themselves with someone else? Did you notice that, by installing it, you agreed by default to give it access to your location data, likes and friends list? Facebook is notorious for having complicated privacy and application settings to appropriately manage and secure your data. You absolutely can lock it down, but it takes some work. Make it a habit to review the 'apps and websites' or 'connected apps' page on each major account every few months and revoke anything you no longer use; it's the same access review an enterprise runs on its own systems.
AVOID PUBLIC WIFI CONNECTIONS
Isn't it great that you can connect to WiFi pretty much wherever you go these days? Nope. It's terrible. The only person it's great for is the hacker trying to steal your credentials. OK, maybe a little dramatic. But not wrong. The fact is that public wifi connections at restaurants, airports, libraries, shopping malls and other places of business are there for convenience, not security. Anyone on the same hotspot, including whoever runs it, can see where your traffic is going and can interfere with it. Be precise about what that means today: most websites and apps now use HTTPS, so the network can't simply read your passwords out of the air the way it could a decade ago. What it can still do is run a captive portal or 'evil twin' hotspot set up specifically to phish you (Did you mean to connect to 'LAX_Airport' or 'LAX-Airport'? Do you even know which one is real and which one is a honeypot for a cybercriminal?), tamper with DNS to steer you to look-alike sites, intercept any app that still talks in the clear or doesn't validate certificates, and probe your device directly over the local network. A VPN helps because it tunnels all of your traffic past the hotspot, but it's not foolproof: you have to join the untrusted network first to bring the tunnel up, and that window, plus the captive portal page itself, is where man-in-the-middle and malware injection attacks happen. The best advice is to avoid public wifi completely and get a better data plan for your device instead. If you must use it, use a VPN, keep your device's firewall on and file sharing off, never click through a certificate warning, and remember that a VPN moves your trust from the hotspot to the VPN provider, so pick one you'd trust with that same visibility. Using a VPN is still advisable to protect and encrypt your traffic on ANY device.
There is no such thing as perfect information security, but taking the above steps ensures that your data is as protected as it can reasonably be across your multiple accounts. If you've done everything you can and follow these behaviors, you've taken yourself off the list of easy targets, and most compromises happen to easy targets. From an enterprise perspective, if you include the personally relevant advice here in your user training, the likely outcome is a more successful information security posture. Help your users help themselves, and this will help you.
Need more help with your InfoSec program or user education? Need to tweak your social media and acceptable use policies? Want to ensure that you're managing your risk properly? We can help....