The Lazy Genius

Security News & Brain Dumps from Xavier Ashe, a Bit9 Client Partner

Archive for January, 2014

Security Tips for the New Year for the non-Security Geek

Posted by Xavier Ashe on January 2, 2014

Welcome to 2014, everyone.  This year is going to be better than the last one, right?!  Well, to set you up for success, I suggest you do the things listed below.  Most folks, unless they've already been a victim of identity theft, have a “probably won’t happen to me” mentality when it comes to security and privacy threats.  Have you ever said:

  • “I don’t have anything to hide.”
  • “Why would hackers target me?  I have no money.”
  • “There’s no way to stop hackers nowadays, so why try?  I probably won’t be attacked.”

Those rationalizations are all rooted in truth, and if I weren’t in the security business, I would probably fall right in line with you.  However, I am in the security industry, and I see it all.  I read nearly all the published breach reports.  I have access to tons of unpublished breach information, and I’ve been personally involved in cleaning up several of the high-profile breaches this year.

So you would expect me to advise people and companies to SECURE IT ALL!  Well, I think there’s a lot of truth to the third bullet above.  Between government actors like the NSA and China, organized crime syndicates, and that bored teenager down the street, there’s not much you can do to be 100% secure.  It’s impossible to SECURE IT ALL!

What can be done?  I call it “Good Enough Security”.  Follow these steps to figure out what you need to do.  This is the same process I take companies through, and it works just as well on a personal level.

  1. Think about what data you have that could be valuable to hackers, beyond your cash and credit. Your computer can be used to mine Bitcoins, attack websites, and participate in fraud.  Your social networking accounts can be used in fraud, and those passwords are often very similar to the ones used for banking.
  2. Expand the definition of hackers to include ex-boyfriends/girlfriends, teenage kids (yours or otherwise), former and current co-workers, and social networking “friends”. There are governments and foreign elite hackers, but you are just as likely to be attacked by someone you know.  (Some attacks can be stupid easy.)
  3. Think about how you are vulnerable.  Do you reuse the same password with a number at the end?  Do you use public internet computers or shared wi-fi hotspots?  Do you have a smart phone with no extra security?  Do you have teenagers?

The security buzzwords for the above list are 1) know your assets 2) know the threat and 3) identify vulnerabilities.  It is the core of what we like to call a risk analysis.

Okay, but what about you?  The individual with a laptop, iPhone and iPad, a Facebook account, credit cards and a bank account.  What are some simple ways of setting yourself up for success in the New Year?

  • Change your passwords.  All of them.  Today.  And then,
  • Use Passphrases. There is a lot of research behind it.  “Xavieriscoolerin2014!” is a much better password than “X@v1er2014”.  You can also use the website names in your passphrase, e.g. “IjoinedFacebookin2009.”
  • Save your passwords, but not in the browser.  I would suggest a notebook, if you are low tech.  If you want a good tool, try LastPass.  It can sync passwords between various devices (including mobile devices), and is much more secure than saving them in Chrome or Firefox.
  • Don’t use the same password on different sites.  When a website gets hacked (like Adobe, Facebook, GMail, Twitter, LinkedIn, etc.), those passwords get added to a big dictionary that is used in future attacks.  There will be more attacks of this nature in 2014, so set yourself up for success now.
  • Add a passcode to your phone.  Of all the security features that allow you to protect your phone, this is the best option.  As long as it’s not a super simple code (1234, 2580, or 4 of the same number), you can pick something easy to type in.
  • Get new credit and debit card numbers.  Call your bank and credit card providers and ask for new digits.  Tell them that this is due to the Target breach and you would like to cancel your current credit card number.  This is a good practice to do about once every year or two.
  • Secure your Android device.  Android has an open platform that fosters innovation, but that openness also makes it possible to be tricked into installing malware.  I suggest Zoner Antivirus.
  • Get a better antivirus.  Do you have the same antivirus that was packaged with your machine?  Go to AV Comparatives to see the best, and worst.  If you are a bit more technical, use the Bit9 Trust Assessment tool to get the best idea of what’s installed on your system.

If you have any other simple security tips, send them my way.  Here’s to having a safe 2014!
