16 Sep 15 Common Security Mistakes You Will Make
Part 1 (of 5)
Every few weeks business owners ask me what they could be doing to better protect the sensitive information on their plethora of gadgets. Here’s a list of the most common mistakes I’ve seen over the years that lead to heartache and compromised data:
1. Passwords, Passwords, Passwords
Setting one in the first place: Most people don’t even bother to set a PIN or password on their smartphones, tablets, and personal computers. This is a simple step that reduces the chances of unwanted remote access, of your kids messing up all of your important files, or of someone finding your device and pulling data off of it. (For even better protection, look for devices that support encryption of their storage.)
Insecure passwords: I know, you already have to remember a million different passwords for several different accounts, but if a stranger can guess your password within 10 tries and you use the same password for everything, you are asking to be hacked.
A good password will have at least: 8 characters, one upper case letter (toward the middle), a number, and one special character (toward the middle). It should not contain words or names. (Here’s why: http://arstechnica.com/security/2013/05/how-crackers-make-minced-meat-out-of-your-passwords/)
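Here is a small checker, added as an example and not part of the original post, that tests a candidate password against exactly the rules above: length, an upper case letter and a special character that are not just bolted onto the ends, a number, and no dictionary words or names. The word list is a constructed stand-in; a real deployment would load a full dictionary and also try the common letter-for-symbol substitutions that the linked article describes crackers using.

```python
import string
from typing import List

# Constructed stand-in for a dictionary/name list (assumption: the post only
# says "no words or names"; a real checker would load a full wordlist).
COMMON_WORDS = {"password", "letmein", "welcome", "summer", "admin",
                "qwerty", "monkey", "john", "mary", "company"}

SPECIALS = set(string.punctuation)


def check_password(pw: str) -> List[str]:
    """Return the rules from the post that `pw` fails (empty list = passes)."""
    problems = []
    if len(pw) < 8:
        problems.append("fewer than 8 characters")

    upper_positions = [i for i, c in enumerate(pw) if c.isupper()]
    if not upper_positions:
        problems.append("no upper case letter")
    elif upper_positions == [0]:
        # "toward the middle": a capital only at the start is the
        # Password1-style pattern that cracking tools try first
        problems.append("upper case letter only at the start")

    if not any(c.isdigit() for c in pw):
        problems.append("no number")

    special_positions = [i for i, c in enumerate(pw) if c in SPECIALS]
    if not special_positions:
        problems.append("no special character")
    elif special_positions == [len(pw) - 1]:
        # same idea: a lone "!" tacked on the end is the first thing tried
        problems.append("special character only at the end")

    lowered = pw.lower()
    hits = sorted(w for w in COMMON_WORDS if w in lowered)
    if hits:
        problems.append("contains word/name: " + ", ".join(hits))
    return problems


def is_acceptable(pw: str) -> bool:
    """True when the password meets every rule above."""
    return not check_password(pw)


if __name__ == "__main__":
    # constructed candidates, including the post's own example
    for candidate in ("tHi5i5myp@ss", "password1", "Summer2015!", "Ab1!"):
        result = check_password(candidate)
        print(f"{candidate!r}: {'OK' if not result else '; '.join(result)}")
```

The post's own example, “tHi5i5myp@ss”, passes; “Summer2015!” fails three rules at once even though it is long, which is the point of the “toward the middle” and “no words” rules.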
Come up with a system for creating passwords: For instance, if you frequently go to www.mybank.com you can end your password with the first two letters of the website’s URL. So let’s say your password is “tHi5i5myp@ss”; your password for www.mybank.com could be “tHi5i5myp@ss*my”, for www.wsj.com it could be “tHi5i5myp@ss*ws”, and so on. Don’t forget that you should vary your usernames as well. So if your favorite username is “ILoveIT”, for www.wsj.com your username could be “wsILoveIT”.
Making your password easy to find and change: I can’t tell you how many times I’ve sat down at a CEO’s desk and found a password taped to the monitor. (This is the rough equivalent of writing the PIN for your debit card on the back of the card itself.)
If you must keep a list of passwords somewhere, consider a password manager like:
Two-Factor Authentication: Most people have all of their on-line accounts tied to one public e-mail service (with well-known log-in pages, like Gmail, Hotmail, AOL, and Yahoo) and a very simple password set on that e-mail account. If someone already has their e-mail address, they only have to guess the password (think how many people have your e-mail address!). Once they get into that person’s e-mail account they can reset the passwords for all of their other services (banks, social media, credit card companies, etc.), then reset the password for the target’s e-mail account and lock them out. Go ahead, try to call Gmail and see if you can get your password reset over the phone. Good luck!
Most public e-mail providers offer two-factor authentication or password-reset notifications: when you sign in to the service from a PC for the first time, you are also asked to enter a code that is automatically generated and sent as a text message to your cell phone. See the instructions below for setting up this extra layer of security on the most common e-mail services:
- Gmail https://support.google.com/accounts/answer/180744?hl=en
- Hotmail / Outlook.com http://winsupersite.com/cloud/enable-and-use-two-step-authentication-your-microsoft-account
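To show what the provider is doing on its side when it texts you that code, here is a simplified server-side one-time-code store, written as an added example (it is not code from the original post or from any of the providers listed above). It assumes six-digit codes, a five-minute lifetime and a five-guess limit; those numbers are my choices, not anything the providers publish. The properties that make the second factor worth having are all visible in the code: the code comes from a cryptographic random source, is compared in constant time, expires, can be used only once, and is burned after a handful of wrong guesses so it cannot simply be guessed at leisure.

```python
import hmac
import secrets
import time
from typing import Callable, Dict, List

CODE_TTL_SECONDS = 300   # assumption: a texted code is good for five minutes
MAX_ATTEMPTS = 5         # assumption: five wrong guesses burn the code


class OneTimeCodeStore:
    """Server-side bookkeeping for codes texted to a user's phone.

    The clock is injectable so expiry can be exercised without sleeping.
    """

    def __init__(self, clock: Callable[[], float] = time.time) -> None:
        self._clock = clock
        # user -> [code, expires_at, attempts_left]
        self._pending: Dict[str, List] = {}

    def issue(self, user: str) -> str:
        # CSPRNG (never random.random()); zero-padded so it is always 6 digits
        code = f"{secrets.randbelow(10**6):06d}"
        self._pending[user] = [code, self._clock() + CODE_TTL_SECONDS, MAX_ATTEMPTS]
        return code  # handed to the SMS sender in a real system, never logged

    def verify(self, user: str, guess: str) -> bool:
        entry = self._pending.get(user)
        if entry is None:
            return False                        # nothing issued, or already used
        code, expires_at, attempts_left = entry
        if self._clock() > expires_at:
            del self._pending[user]
            return False                        # expired: user must request a new one
        # constant-time comparison so timing does not leak which digits matched
        if hmac.compare_digest(code.encode(), guess.encode()):
            del self._pending[user]             # single use
            return True
        entry[2] = attempts_left - 1
        if entry[2] <= 0:
            del self._pending[user]             # too many guesses: code burned
        return False


if __name__ == "__main__":
    store = OneTimeCodeStore()
    code = store.issue("alice@example.com")     # constructed user
    print("texted code:", code)
    print("wrong guess accepted?", store.verify("alice@example.com", "000000"))
    print("right code accepted? ", store.verify("alice@example.com", code))
    print("replayed code accepted?", store.verify("alice@example.com", code))
```

Note that the store never reveals whether a rejection was due to a wrong digit, an expired code or no code at all; the user just asks for a fresh text.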
2. Not taking the time to read critically
Everyone’s done it: you downloaded that cool free app or service and flew through the install screens, clicking or tapping Next/Accept without reading anything. The next thing you know, you have 3 new toolbars in your browser, a smartphone whose battery doesn’t last as long, a new default search provider, and plenty of other new applications you didn’t want throwing all kinds of annoying notifications on your screen.
Very rarely does someone offer something for nothing; most free applications for PC, Android, iOS, Mac, and Facebook are ad supported. They earn revenue from however many clicks they can generate to a ‘partner’s’ website or, even worse, from how much data they can collect about you.
Many of these apps can be installed without the adware and toolbars if you just read through the installer. Pay special attention if you come to a screen with a lot of check boxes on it or an option for “advanced” or “custom” installation, as these are typically the places where you can elect not to install the garbage that many of these apps try to add to your device.
Opening that e-mail you aren’t sure about: Don’t trust any e-mail from someone you don’t know, even if it looks official. I prefer to do the ‘offline test’: if you’ve never met the person sending you the message, haven’t recently been to the UPS store, and haven’t booked tickets for a flight, then the message you are looking at deserves extra scrutiny and is most likely spam; at the very least it should be previewed before opening. Simply opening an e-mail with embedded images can lead to your device getting infected with malware. Attachments from unknown senders should be scanned with security software before opening. If the e-mail is asking for personal information such as passwords, social security numbers, credit card info, etc., delete it.
Attachments to be wary of: .exe (any reputable e-mail provider will block this as an attachment), .zip, .bat, .scr, and .pdf.
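Here is an added example (not from the original post) of the screening a spam filter or a cautious mail client can apply to attachment names, using the list above: .exe is refused outright and .zip, .bat, .scr and .pdf are routed to the scanner. It normalises the file name first, because a plain “ends with .exe” check is fooled by REPORT.PDF, by a trailing dot or space, and by a double extension such as invoice.pdf.exe, all of which a filter needs to catch. The sample messages at the bottom are constructed.

```python
from typing import Iterable, Tuple

BLOCK = {".exe"}                           # reputable providers refuse these outright
SCAN = {".zip", ".bat", ".scr", ".pdf"}    # the post's "be wary of" list
VERDICT_RANK = {"allow": 0, "scan": 1, "block": 2}


def classify_attachment(filename: str) -> Tuple[str, str]:
    """Return (verdict, reason) for one attachment name.

    verdict is "block", "scan" or "allow". The normalisation covers what a
    naive endswith() misses: upper-case extensions (REPORT.PDF), a trailing
    dot or space (setup.exe.), and double extensions (invoice.pdf.exe).
    """
    name = filename.strip().rstrip(". ").lower()
    parts = name.split(".")
    if len(parts) < 2 or not parts[-1]:
        return ("scan", "no usable extension")
    exts = ["." + p for p in parts[1:]]
    last = exts[-1]                      # the extension the OS actually honours
    if last in BLOCK:
        return ("block", f"executable attachment ({last})")
    if last in SCAN:
        return ("scan", f"{last} is on the scan-before-opening list")
    if len(exts) > 1:
        # unknown trailing extension behind another one: let the scanner decide
        return ("scan", "double extension " + "".join(exts))
    return ("allow", "no rule matched")


def screen_message(attachments: Iterable[str]) -> str:
    """Worst verdict across all attachments of one message."""
    worst = "allow"
    for att in attachments:
        verdict, _ = classify_attachment(att)
        if VERDICT_RANK[verdict] > VERDICT_RANK[worst]:
            worst = verdict
    return worst


if __name__ == "__main__":
    # constructed sample messages: subject -> attachment names
    SAMPLE_MESSAGES = {
        "Holiday photos": ["beach.jpg", "notes.txt"],
        "Quarterly report": ["REPORT.PDF", "figures.zip"],
        "Your invoice": ["invoice.pdf.exe"],
        "Screensaver!": ["cute_kittens.scr "],
    }
    for subject, names in SAMPLE_MESSAGES.items():
        print(f"{subject!r}: {screen_message(names)}")
        for n in names:
            print("   ", n.strip(), "->", classify_attachment(n))
```

A .pdf verdict of “scan” rather than “block” matches the post’s advice: PDFs are too common to refuse, but they are worth running through security software before opening.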
If this is an office e-mail account, consider a spam filtering service that runs malware and spam scans to filter out most of the garbage before you waste your time trying to figure out whether a message is legitimate.
3. Keep your software up to date
If a terrorist wants to drop a bomb they aren’t going to do it in the middle of Montana; they’re going to hit New York, LA, or another heavily populated area. The same holds true for hackers: they are going to target the most commonly used pieces of software.
Kaspersky Labs posts a yearly list of the top 10 most commonly exploited applications (http://www.securelist.com/en/analysis/204792250/IT_Threat_Evolution_Q3_2012). If you have any of these applications on your computer, you should keep them up to date. If you don’t use them, you should uninstall them.
- Oracle Java Multiple Vulnerabilities: DoS-attack (Gain access to a system and execute arbitrary code with local user privileges) and Cross-Site Scripting (Gain access to sensitive data). Highly Critical.
- Oracle Java Three Vulnerabilities: Gain access to a system and execute arbitrary code with local user privileges. Extremely Critical.
- Adobe Flash Player Multiple Vulnerabilities: Gain access to a system and execute arbitrary code with local user privileges. Gain access to sensitive data. Highly Critical.
- Adobe Flash Player Multiple Vulnerabilities: Gain access to a system and execute arbitrary code with local user privileges. Bypass security systems. Highly Critical.
- Adobe Reader/Acrobat Multiple Vulnerabilities: Gain access to a system and execute arbitrary code with local user privileges. Extremely Critical.
- Apple QuickTime Multiple Vulnerabilities: Gain access to a system and execute arbitrary code with local user privileges. Highly Critical.
- Apple iTunes Multiple Vulnerabilities: Gain access to a system and execute arbitrary code with local user privileges. Highly Critical.
- Winamp AVI / IT File Processing Vulnerabilities: Gain access to a system and execute arbitrary code with local user privileges. Highly Critical.
- Adobe Shockwave Player Multiple Vulnerabilities: Gain access to a system and execute arbitrary code with local user privileges. Highly Critical.
- Adobe Flash Player Multiple Vulnerabilities: Gain access to a system and execute arbitrary code with local user privileges. Bypass security systems. Gain access to sensitive data. Extremely Critical.
Enabling Auto-update (Windows Update, Adobe update manager, Apple update manager): Almost all of the aforementioned pieces of software offer an option to update themselves automatically. If you don’t have automatic updating turned on, refer to the manufacturer’s website for how to enable this feature. This should significantly reduce the chances of your system being compromised by exploits. If you are at the office, make sure your IT team is ensuring that all of these applications are up to date on your systems.