Welcome to National Cyber Security Awareness Month (or NCSAM) here in the U.S. As I mentioned in my last blog celebrating NCSAM, I love this time of year, with a whole month dedicated to the attempt to uplift my industry’s purpose in life to a more universal set of truths. And one of the truths is that we are all something of a number for many industries: Marketing, Advertising, Commerce, Finance – but let’s not be a number for hackers.
Application Security is, in many ways, something your banks, your hospitals, your games, and all your online eCommerce and transaction people try to take care of for you. But no one is perfect. No company has all the right answers. I’ve been contemplating my own experience, surfing the government pages, and sent out queries to WhiteHat’s 150+ Threat Research Center security experts to compile the most useful tips I could devise for the at-home laymen. That includes almost anyone who hasn’t dedicated their life to online security. Here are our October tips:
- Check your identity compromise status – has your email or user name been involved in a breach? There’s a website where you can enter them in, and get information on whether YOUR INFO has been compromised. If it has, go change your password again. And stop using the same login everywhere, especially on apps you use on your phone. https://haveibeenpwned.com/
- Don’t reuse the same user name/password everywhere. Whether or not you’ve been pwned (which is geek speak for compromised), take a tour of your banking/credit card/healthcare apps. Do you, by chance, use the same logins anywhere on any two phone apps? Financial websites? It’s a super-bad idea, if it can be avoided.
- Patch everything. At home, at work, whenever you can. If a patch is available for your operating systems or for any apps you’re using, do it. I’m sorry if sometimes this makes you swear at the other features the software provider rolled into the patch. Here’s a neato corollary: You can LOOK UP what a patch does. Ask the Internet, “Hey, there’s a patch? Is it a bug fix?” If it is, you want it, trust me. If it’s pure feature or functionality, then you can make up your mind at a different pace. (This is me training you to start knowing what’s going onto your box/laptop/phone.) But for now as you learn to look things up, default to patch.
- “I love toys” follow-on: #3 is going here twice, but this time to include your Smart House. Your fridge. Your Alexa. Your security alarm system. Do you like seeing your kids get home safe on your phone? Do you like knowing that same video feed might be available to bad guys, to know your kids are home alone? Make yourself a calendar entry with all the Smart or Bluetooth items in your life. Then go cruise the websites of ALL YOUR THINGS that have a web- or mobile-application interface. Some of them aren’t as mature others in their push out of new firmware or software, and you have to go asking. Turn on automatic updates wherever you can. LAST WEEK’S DYN ATTACK PUTS US ALL ON NOTICE THAT OUR SMART TOYS CAN BE USED AGAINST US. Don’t let that happen to you!
- Use a password manager. What the heck is that, you might say? Well, you know how I just told you that you need to have a different login and password for each of your financial and shopping sites? I don’t expect you to memorize all of that, and I don’t think a sticky note on the screen is a good idea. Welcome to a new and really useful program, called a password manager. Wired and PC Mag both have their top-rated faves, and I’m not here to tell you which to choose. Try two, and keep the one that’s easy for you. If you’re reading this and you were filled with anxiety at the idea of learning a new program, here’s my personal feelings: Sure, write it down. Not on a sticky note, not on the surface of anything. Keep a notebook that’s not in the same room with your computer. Put it in a safe and tell your loved ones only, so they can help you out if you are incapacitated.
- Use different browsers – pick one for email, banking, and a different one for surfing and buying things. Yup, that’s right – you are not limited and should have more than one! My two faves are Google Chrome, which rates as slightly more secure, and Firefox, because they don’t track my habits closely. I’m not telling which I use for which, make up your own minds.
- Consider creating a not-your-name email that you use to buy things, and otherwise register for services. This is not illegal! There’s even a site called 10minutemail.com which can give you an address to use for, you guessed it, 10 minutes.
- The U.S. Government, Your Bank, Microsoft, Symantec, Any Large Mega-Corporation will not be sending you a personal email asking you to verify anything with a link to their site. They will not call you about your back taxes. They do not care if your personal laptop may be compromised. Usually you’ll find this is a scam.
- If you do hear from one of these entities, and you look up to see that, yes, YourBank did indeed have a hack, always navigate to yourbankswebsite.com in a browser, not using the link from the email. Super important! Scammers love to use existing problems to make more problems!
- Report scams. It’s like calling the police when the masked figures are parked outside the school in the white panel van. You’re cleaning up your virtual neighborhood and helping keep your family safe. For more information on scams, types of scams, how to recognize scams, check out:
I love phone scams – https://www.consumer.ftc.gov/articles/0076-phone-scams
Check out the “Business Edition” of our Cyber Security Awareness Month blog series, which has some great security tips to organizations prioritizing application security.