October is National Cyber Security Awareness Month in the U.S., as Microsoft, Stay Safe Online and the White House recently told me. As a security professional, I am pleased to note this means people are more likely to listen to me. Ha! We’ll see. Anyway, besides talking about Fishbowl security (watch for Episode 2 in November), I’d like to take this opportunity to talk about Cyber Security in general.
Hackers and Cyber Security
Cyber Security goes way beyond protecting yourself from “hackers.” I put “hackers” in quotes because, in the Cyber Security world, “hacker” is not necessarily a bad person with malicious intent. See the article “Hacker vs. cracker” to clear up this misunderstanding. Cyber Security deals with many things, most of which I can’t cover in a single blog post. It includes backups, disaster recovery (DR), business continuity, data availability, data ownership, separation of duties, access control, and much more. In this post, I want to cover three guidelines without going into the “boring” (not boring to me!) technical details.
My first guideline: Keep in mind that the majority of malicious code is written to make someone money. There is a common misconception that viruses and other malicious code, which I will refer to collectively as “malware,” will harm your computer in some physical way, or destroy your data. Yes, there are malware that can do those things, but they are very rare. A few malware authors write some malware just because they can, but, generally, they write malware to help them steal money.
Some malware will use your computer as a spam-sending bot. The authors then sell the spam services to little-blue-pill hawkers, etc. Other malware sits silently and records your logins for identity theft-type purposes. The only reason you may get malware that crashes your system is that the malware code isn’t exactly optimized for stability.
Viruses, by definition, attach themselves to legitimate executables, even system-dependent ones. This can cause your antivirus to quarantine an executable that your computer needs to function properly. Just remember that most malware is designed to make the author money. This guideline is meant to instill a little fear in you because when the malware author is making money, it’s usually at your expense.
My second guideline: Use common sense. This is the easiest and the hardest guideline. Some things are obvious – there aren’t any Nigerian princes that want to give you money! No, you didn’t win some lottery that you have never heard of and didn’t enter! Others are a little more subtle. I have seen phishing email that contain graphics from the site they purport to be from, and even have some links to the legitimate site, but the link they try to get you to click is anything but legitimate.
The easiest way to avoid getting hooked by phishing email is to NEVER click the links in an email. It’s one thing if you just tried to reset your password on a site, and an email comes in within moments that you can click, and quite another when the email is uninvited. Below is a screenshot from my junk Hotmail email account. My mouse is actually hovering over the “PayPal” link. In the bottom left corner you’ll see the true destination of the link.
Africanscam.biz … sounds legit right? Ha! For a phishing email that is fairly well crafted, the domain they are using is a big stumbling point. For unscrupulous liars, they are strangely truthful… I didn’t include the top of the email, but this email failed the first PayPal security feature in that official PayPal emails will include your full name in the greeting.
Aside from avoiding email phishing, you should also use common sense regarding websites you visit in your daily browsing/research. Always distrust websites by default. Be careful to spell website names correctly. Many legitimate sites will try to buy misspelled versions of their domains to help keep you safe, but not all. For example, www.capitol1.com is owned by CapitalOne and redirects you to their www.capitalone.com website. A lot of malware is being delivered by infected websites taking advantage of security flaws in browsers. These sites can be legitimate sites that have been compromised or simply malicious sites.
My third guideline: Focus on prevention. There are some really easy steps you can take to protect yourself. Keep your software up to date, especially the operating system (Windows, OSx, etc.), and your browser (Internet Explorer, Firefox, Opera, Safari, etc.). Many of the updates for these products are for security issues, and those issues are often exploited immediately after the update has been released. This is due to malware authors not bothering trying to find security holes when they know they can just look at the updates coming out and see which holes they fix. They count on most users not staying up to date and having those holes still available to exploit.
Another step is to prevent scripts from running on Web pages. You can do this with your browser settings, or with an add-on like NoScript. NoScript is an amazing tool, but it requires patience. It will block all the scripts on a page unless you allow them, so it takes some “learning” time (drove my wife crazy at first). These tips are, in no way, complete protection, or entirely exhaustive, so be careful out there.
Happy National Cyber Security Awareness Month!