In the early morning hours, I awake to my cell phone chirping. Quickly looking at the offending device, I realize it’s a text message from one of my organization’s vendors who provides our security services. As I roll over and make the phone call, I find out that we have an issue that will require me to start my day earlier than planned. When I speak to my team on the phone, it appears we have a critical security patch that must be implemented as soon as possible.
My technicians are concerned; this patch is to fix a recently discovered zero-day attack never seen before, and they are worried that if it is not addressed soon we could have unforeseen repercussions. So, my day unfolds, and as this issue is scheduled for changed management and remediated, I think about what it would be like to manage a network without standard security policies. A network where standard security frameworks and industry best practices for managing risk are not followed and a simple, phishing e-mail, received by an employee, could have devastating consequences.
In today’s interconnected world, phishing e-mails and malware infections caused by attachments and links to hacked websites are just some of the digital flotsam that have become common occurrences. However, in the disparate network—environments found in many small businesses, cities, and industrial networks—these types of attacks can be catastrophic, due to the inherent blending of old and new technologies. The repercussions of new malware attacks on these intertwined infrastructures can result in loss of critical services to the business and its customers. To counter these ever-evolving threats, corporate networks employ security teams and use cyber-security and risk management frameworks to protect themselves. These frameworks are sets of rules and controls to guide the organizations on how they can reduce their risk and protect their assets on a daily basis.
However, there are also steps that we, as individuals, can take to protect ourselves when we use our computers or other digital devices. Following these basic steps, I believe is like laying the equivalent of a digital roadmap for yourself to follow in your daily use of the Internet to conduct business, pay bills, read news articles, or answer your e-mail. These basic steps are what some call “cyber hygiene”—all organizations and individuals can use some variant of these steps to protect themselves when using their digital devices.
Understand, to get the full benefit of cyber hygiene, you should make it a habit to do all of the steps, because together they provide better protection than if they are implemented individually. So, with that in mind, let’s discuss the following seven basic steps that we can use to protect ourselves and our families when using the Internet: updates, anti-virus, protect identity, personal firewalls, encryption, passwords, and backups.
Updates
This is a fundamental first step that applies to everyone, whether you have a laptop, tablet, or smartphone. Your device will have updates: updates are sometimes called “patches”—they are written and sent to your device to fix problems with your devices operating system or your installed applications. Most new operating systems are set to download updates by default.
After updates are downloaded, you will be asked to install them. Click yes! You need to install them and restart your device after installing the updates so that the patches are applied immediately. It is recommended that you get in the habit of periodically checking for updates and, if available, install them. Updates that are uninstalled are accidents waiting to happen; they are, in effect, doorways that can be used to access your device or access your information. Don’t make it easier for your device to be compromised; keep it updated with the latest patches.
Anti-Virus
To avoid problems associated with viruses or malware, you should install some type of endpoint security solution, like anti-virus, on your device. Once you have this solution installed, remember it requires updates, so set it to automatically download and install the latest database files. Anti-virus software removes viruses, quarantines and repairs infected files, and can help prevent future viruses. Understand, this doesn’t catch all viruses or malware, but it does provide some level of protection. Please remember to install some type of anti-virus solution on your smart devices, laptops, and desktops. If it accesses the Internet, you should have some type of endpoint security solution installed on it for protection.
Protect Identity
This step is a basic hygiene step on protecting your personal identity information. Don’t give out financial account numbers, Social Security numbers, or other personal identity information unless you know exactly who’s receiving it. Remember to also protect others people’s information as you would your own. Never send personal or confidential information via e-mail or instant messages, as these can be easily intercepted. Beware of phishing scams—a form of fraud that uses e-mail messages that appear to be from a reputable business (often a financial institution) in an attempt to gain personal or account information. Visit www.us-cert.gov/ncas/tips/ST04-014 for more information on how to protect yourself and your family.
Personal Firewalls
This hygiene step is for machines and devices that are not on a corporate network. If you are connected to a corporate network, there is a high level of probability that your device’s personal firewall will be disabled, because you are being protected by the organizations enterprise security suite.
However, after you leave the corporate environment and you are in the “wild,” you need to have some level of protection. This is where I suggest you check your devices security settings for a built-in personal firewall. If you have one, turn it on. Both Microsoft and Mac have built-in firewalls, and there are numerous articles that can be accessed with a quick search of the Internet on how to correctly configure your personal firewall. Hackers search the Internet by using certain tools to send out pings (calls) to random computers and wait for responses. Your firewall, if configured correctly, would prevent your computer from answering these calls—use your personal firewall. The main point to remember is firewalls act as protective barriers between computers and the Internet; it is recommended that you install them on your computers, laptops, tablets, and smart devices if available.
Encryption
By definition, encryption is a system for protecting your data so that only authorized people can read it. So, you may wonder, why is this a cyber hygiene step? It won’t stop someone from stealing your device and getting hold of your information; however, it will stop them from being able to read it. This is especially important when you think about what accounts you access with your devices, what payments you authorize, and who you communicate with via e-mail or messaging app. If you don’t have encryption installed or enabled, you are allowing someone to access your personal information unhindered. The amount of damage this could do to yourself, family members, business associates, friends, etc. is quite substantial—enable full disk encryption and use it to protect yourself.
Passwords
This step I believe all of us would expect we need to do a better job implementing. Protect your passwords, don’t share your passwords, and make new passwords difficult to guess by avoiding dictionary words; and mixing letters, numbers, and punctuation. Do not use one of these common passwords or any variation of them: qwerty1, abc123, letmein, password1, iloveyou1, (yourname)1, and baseball1. These are common passwords that people use, and hackers have lists of these they will try, because human nature is to make our passwords something easy for us to remember.
When choosing a password:
- Mix upper and lower case letters, numbers, and special characters.
- Use a minimum of 10 characters.
- Use mnemonics to help you remember a difficult password.
Some last points to remember about passwords: change them periodically, do not recycle passwords—don’t use the same password for your social media account and your bank account—and store passwords in a safe place. Consider using some type of password vault like, LastPass Password Safe https://lastpass.com, Keychain (Mac), or an encrypted USB drive to store passwords. Avoid keeping passwords on a sticky note under your keyboard, on your monitor, or in a drawer near your computer!
Backups
The last hygiene step is about how to reduce your risk of losing important files to a virus, computer crash, theft, or disaster by creating periodic backup copies. Set your computer to automatically perform scheduled backups of your data. Save copies of your important documents and files to an online backup service,portable storage device, DVD, USB drive, or a server. You will want to store your backup media in a secure place away from your computer, in case of fire or theft.
Personally, I make multiple copies—one in the cloud, one on an encrypted storage device, and one periodically updated to a portable device stored in a safe place. What I have learned over the years about this last step is you never know when you will want those pictures of your kids, or those old tax returns, and it’s good to have a routine in place that backs up and protects your information.
Additional Tips
The following are some extra steps that can help for when you are at home and at work.
1. Cyber Hygiene steps for the family at home:
- Keep clutter away from your computer/laptop at home.
- Avoid leaving your desktop or laptop unsupervised, do not leave your laptop in plain view in your car, coffee house, or home.
- Set up a user account and password to prevent unauthorized access to your computer files.
- Do not install unnecessary programs on your computer.
- Home Network Security safety tips are available at www.us-cert.gov/Home-Network-Security, and www.us-cert.gov/sites/default/files/publications/TenWaystoImproveNewComputerSecurity.pdf.
2. Cyber Hygiene steps for the business (www.us-cert.gov/ncas/tips#general-security):
- Work with your technical support staff before implementing new cyber-hygiene measures.
- Talk with your technical support coordinator about what cyber hygiene policies are in place in your department.
- Report to your supervisor any cyber hygiene policy violations, security flaws/weaknesses you discover, or any suspicious activity by unauthorized individuals in your work area.
- Physically secure your computer by using security cables and locking building/office doors and windows.
- Do not install unnecessary programs on your work computer.
