Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Careers & People

11/17/2014
11:15 AM
Connect Directly
Twitter
LinkedIn
RSS
E-Mail vvv
100%
0%

Why Cyber Security Starts At Home

Even the grandmas on Facebook need to know and practice basic security hygiene, because what happens anywhere on the Internet can eventually affect us all.

I find myself thinking a lot lately about how much safer we would be online if everyone knew and followed at least a few security best-practices. For those of us in the business of information security, we tend to think mostly about protecting ourselves and our organizations. But the Internet is a shared ecosphere where the actions of some people can easily affect everyone else.

“How so?” you might ask.

Two things immediately come to mind. First, and most obvious, victims of malware become resources for further attacks. For hypothetical example, there’s a random kindergarten teacher in Kansas who you’ve never met and couldn’t identify in a lineup. Her computer has contracted a bot and is spamming the world (including your organization) with malicious emails. Her computer is also acting as a drive-by download site, infecting any new victims enticed by the emails.

Multiply this one teacher’s infected computer with the thousands or millions of other botnet victims, and you can see why the online actions of others affect us all. Even if you’re smart enough to ignore the phishing attacks, the attacker could still leverage the thousands of victim computers under his control to DDoS your network. All because a few uninformed folks made simple mistakes and got infected.

The second issue involves chain-of-trust. While you may have built strong defenses around your network, your organization likely has tens, hundreds, even thousands of external partners or contacts with whom you interact each day. Likely, you’ve extended your trust to these external associates, whether by giving them elevated access to your network or by just more readily interacting with their emails.

You see, our trust networks go further than you realize. It’s kind of like the old “Six Degrees of Kevin Bacon,” which posits there are six or fewer steps between Kevin Bacon and any other actor. If some minor work acquaintance introduces you to someone at a conference, and you accept a LinkedIn request from her, you’ve invited someone you don’t know closer into your trust circle. If that person’s security practices aren’t up to par, she may introduce a potential threat into your network. Target learned this lesson the hard way with one of its external partners.

My point is, other people’s security practices (or lack thereof) affect us all. We’re all connected via the shared network we call the Internet. It’s in our own best interests to make sure everyone -- even the grandmas on Facebook -- know and practice basic security habits. As security professionals, I believe we should share our tips with anyone we meet, whenever the opportunity arises. Chatting with an accountant on the bus who mentions the Cryptolocker infection on his wife’s computer? Why not share some tips you practice to avoid that sort of ransomware?

Here are the three tips I share with normal folks.

Tip 1: Patch regularly. Update your software as often as you can. Studies show you can prevent 79% of all attacks simply by patching. Most modern software, like Windows, OSX, Adobe products, Java, and more have automatic patching programs. You should turn them on, and say “yes” whenever they ask to update.

Tip 2: Use antvirus and update it. I don’t care which one you choose or whether it’s a free or full version, but use AV software and let it update automatically. Yes, this includes Mac users. AV software is like the hand washing of the computer age; you need its basic sanitation to help prevent the spread of infection.

Tip 3: Think before you click. Use common sense before interacting with links or attachments. Does something sound too good to be true? Are you wondering why someone sent you a file? Does the link look weird when you hover over it? If you’re asking yourself these questions, you probably should avoid clicking.

Sure, there are plenty of other important best-practices, and these tips aren’t sufficient to defend a full organization. However, if you have little time and an audience with little expertise, these tips are simple and practical enough that anyone can follow them. And imagine how much safer it would be online for all of us if everyone in the world patched quickly, used basic AV, and was more careful about what he or she clicked.

With all the people in the world, you may think educating the masses is a hopeless task. However, the six degrees of separation that makes the world a smaller place also makes good ideas spread faster. If we take a little time to educate our neighbors and friends, we can make the Internet a safer place.

Corey Nachreiner regularly contributes to security publications and speaks internationally at leading industry trade shows like RSA. He has written thousands of security alerts and educational articles and is the primary contributor to the WatchGuard Security Center blog, ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
<<   <   Page 2 / 2
Marilyn Cohodas
50%
50%
Marilyn Cohodas,
User Rank: Strategist
11/17/2014 | 3:49:37 PM
Re: Trying to do their part...
It's really important to get that message out..in a way that empowers people and not makes them feel intimidated or lectured to. It's a tricky balance...
GonzSTL
50%
50%
GonzSTL,
User Rank: Ninja
11/17/2014 | 3:25:14 PM
Re: Trying to do their part...
I agree. I share information and provide some "IT advice" among my family and small circle of friends and encourage them to "spread the word", as it were. The tips aren't very technical, and mostly involve what we in the security community would call "common sense", at least so it may seem to those of us who are more informed than the lay person. I especially encourage people to talk to their children about safe computing practices, given the prevalence of connected technology and the availability of connected devices to the young. It certainly is a much different world than 20 years ago.
CNACHREINER981
50%
50%
CNACHREINER981,
User Rank: Author
11/17/2014 | 1:52:34 PM
Re: Trying to do their part...
Robert, 

You make a great point, and I actually thought a bit about this in re-reading my article this morning. In light of the "DarkHotel" campaign, I read the patching advice where I said, "say yes to auto-updates," and thought that might help people fall for fake updates, like the Adobe flash one used in DarkHotel... granted, that attack actually also required a man-in-the-middle attack, but there are all kinds of other ways (hijacked websites) to pop up fake update windows. 

I don't think there is a perfect or easy answer for this, but I'd recommend two things. 1) If you don't have time to go into more specifics, I think the patching advice stands. I think the value of having more people fully patched would totally outweight the occasional user that falls for a fake update. Statistically, even if everyone said yes to updates, I think the result of patched systems would vastly outweigh the people that stumbled onto a fake one (but that is only a gut feel). 2) HOWEVER, if you have a bit more time, and the user is attentive, you could simply add a caveat to the advice, by sharing that they should beware that sometimes update mechanisms are faked. You could then share a few ways they might recognize a fake update mechnism, or rather train them that if they get an update poppup, not do say yes right away, but to close the pop-up, manually open the adobe update that you know you can trust, and then if it says updates are really ready, say yes to them there...

I don't know if this is a perfect answer, but I still want to shoot for more eductated consumers since I think it would make our jobs easier and our organizations more protected.

In any case, thanks for the comment. If you have any tips on having end users avoid fake update scams, be sure to share them. ^_^

 

Cheers,

Corey
Robert McDougal
50%
50%
Robert McDougal,
User Rank: Ninja
11/17/2014 | 1:33:44 PM
Trying to do their part...
I would like to hear other's opinion on this topic, but in my experience one of the ways most likely to catch an end user off guard is to pretend to be something good.  This could be a pop up claiming to be an AV update, or an email claiming your email account has run out of space.  People who work in IT can spot these things a mile away but that is because we are intimately familiar with the way it should look.  End-user's often are not aware what a Java, Flash or AV update is supposed to look like, so they often mistakenly install a virus or give out their credentials by attempting to do the right thing.
<<   <   Page 2 / 2
COVID-19: Latest Security News & Commentary
Dark Reading Staff 9/17/2020
Cybersecurity Bounces Back, but Talent Still Absent
Simone Petrella, Chief Executive Officer, CyberVista,  9/16/2020
Meet the Computer Scientist Who Helped Push for Paper Ballots
Kelly Jackson Higgins, Executive Editor at Dark Reading,  9/16/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Special Report: Computing's New Normal
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
How IT Security Organizations are Attacking the Cybersecurity Problem
How IT Security Organizations are Attacking the Cybersecurity Problem
The COVID-19 pandemic turned the world -- and enterprise computing -- on end. Here's a look at how cybersecurity teams are retrenching their defense strategies, rebuilding their teams, and selecting new technologies to stop the oncoming rise of online attacks.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-25789
PUBLISHED: 2020-09-19
An issue was discovered in Tiny Tiny RSS (aka tt-rss) before 2020-09-16. The cached_url feature mishandles JavaScript inside an SVG document.
CVE-2020-25790
PUBLISHED: 2020-09-19
** DISPUTED ** Typesetter CMS 5.x through 5.1 allows admins to upload and execute arbitrary PHP code via a .php file inside a ZIP archive. NOTE: the vendor disputes the significance of this report because &quot;admins are considered trustworthy&quot;; however, the behavior &quot;contradicts our secu...
CVE-2020-25791
PUBLISHED: 2020-09-19
An issue was discovered in the sized-chunks crate through 0.6.2 for Rust. In the Chunk implementation, the array size is not checked when constructed with unit().
CVE-2020-25792
PUBLISHED: 2020-09-19
An issue was discovered in the sized-chunks crate through 0.6.2 for Rust. In the Chunk implementation, the array size is not checked when constructed with pair().
CVE-2020-25793
PUBLISHED: 2020-09-19
An issue was discovered in the sized-chunks crate through 0.6.2 for Rust. In the Chunk implementation, the array size is not checked when constructed with From&lt;InlineArray&lt;A, T&gt;&gt;.