We cyber security professionals are often regarded as overzealous pests – urging everyone around us to mend their lackluster online behavior and pressing other IT professionals to adopt industry best practices that improve enterprise cyber hygiene.
Are these notices having any impact? Many in the media say no, but here at NJVC we say yes. In spite of the chorus of data breaches and hacked accounts, we have reason for hope. Why? As an Intelligence Community and DoD contractor focused on hardened computer network defense mechanisms and enterprise information assurance techniques, we are seeing widespread acknowledgement of the need for stronger data protection measures and for security assessments that uncover organizational security gaps.
So, on Valentine's Day, we want to say thank you in the language of Valentine's: Imprinted candy hearts. (Chalky taste not included.)
Use two-factor authentication
Users and critics bemoan the inconvenience of using 2FA. One wonders if these same people resent having to lock their house doors and cars. Yes, it may be a small additional burden, but it is massively outweighed by the benefit. A common form of 2FA, for example, sends a code by text message or email each time someone tries to sign in to one of your accounts, so the login cannot complete without it.
FIDO stands for Fast Identity Online and is a growing alliance of industry vendors looking to change the very nature of online authentication by developing technical standards that reduce reliance on passwords. Get rid of passwords? Who could not support that as an objective? FIDO recently published an open public specification and is moving toward broader adoption on end-user devices.
Running anti-virus software will not keep you from getting sick
Most users know this, but it's important to remember. Simply running anti-virus on your computing device is not sufficient to thwart the full range of threats. Still, like washing your hands to prevent the spread of communicable diseases, this IT practice should not be abandoned; instead, consider it one component of a comprehensive protection process.
Conduct a personal security assessment
Organizations bring in third-party specialists like NJVC to conduct independent security assessments that look across a range of policy, physical security and operational perspectives. Individuals can do the same. Ask yourself:
• Do you have strong passwords on accounts you care about?
• Do you have 2FA turned on where available?
• Have you enabled your mobile device's "kill switch" to prevent device reuse if stolen?
• Have you enabled anti-virus protection across ALL your computing devices?
• Have you actually looked at the security and privacy settings in your accounts?
Take a few moments to consider what data you care about and how you protect it.
Don’t reuse passwords across multiple accounts
This is common knowledge, but is the advice followed? Earlier this month, a security researcher released a list of over ten million passwords and other bits of online account data to foster research into user behavior and online password selection. This data was purposefully scrubbed to prevent password and account associations that could be exploited – but humans make mistakes, and all such ‘big data’ disclosures carry some amount of risk. How to avoid account compromises? Start by not reusing passwords across accounts, so that a password exposed in a public data disclosure cannot be used to unlock your other accounts.
Encryption is your friend
Everyone expects privacy when sending items through the mail. In fact, after the recent Anthem healthcare data breach, notices went out via regular US Mail in order to prevent phishing attacks against online accounts. Every time your browser displays https in the address bar, you are using encryption through a secure protocol. This protects online purchase transactions and the transmission of sensitive financial information such as your credit card number.
If all this talk of user authentication and security controls sounds too technical for you – give some chocolate or flowers to your favorite IT person and see if they can be bribed for some assistance.