New threats jeopardize your data and devices every day. As part of National Cyber Security Awareness Month, Sentar’s Jeremy Blevins offers tips on how to follow this year’s NCSAM theme.
One of my earliest childhood memories is of playing Pitfall on an Atari 2600. There was something magnificent in the simplicity of a joystick and a single button. I could run to the left, run to the right, crouch, jump, and grab. Later in my childhood, I remember the amazement I felt when I was able to save my games in Legend of Zelda. I can’t imagine investing endless hours of progress in that game without that most (now) trivial of features. As I progressed through life, I’ve seen advances in technology that once only existed in the realm of Science Fiction in my childhood. I remember my first exposure to “hacking”: Matthew Broderick’s character, David Lightman, in the movie “WarGames”. There seemed to almost be a level of trust that people would not misuse systems back then, and even Broderick’s character had a sense of technological innocence to him.
Our recollection of the past often is tainted by such a sense of innocence. Many are not aware that Steve Jobs and Wozniak gained notoriety for phone phreaking (generating tones to manipulate the phone system into allowing free calls) before starting Apple. Compared to today’s cybercrime, phone phreaking still does seem almost innocent. And unlike the wardialing Matthew Broderick did to find a hidden landline into WOPR, today, essentially everything from computers to TVs to refrigerators is connected to the Internet; the only thing protecting them from the outside world is often un(der)managed hardware provided by one’s Internet Service Provider, or the device itself. We cannot allow naiveté to be an excuse for leaving networks insecure.
With the ubiquity of Internet-connected devices, it’s not hard to imagine home networks with 20+ devices with IP addresses, Operating Systems, and vulnerabilities that can be exploited. Once we recognize our personal Information Technology (IT) footprint, we must own our IT. How do we do this?
First, we must acknowledge that we have a responsibility for the devices we use. We wouldn’t allow our pets to roam the neighborhood attacking our neighbors and other animals. To ensure that doesn’t happen, we put certain controls in place; we need to adopt the same mindset regarding our devices. It is irresponsible of us to allow them to roam the Internet. Acknowledging this possibility and taking steps to prevent it is our first step to owning IT in the spaces we control. If we are unwilling to take this responsibility, then maybe we need to consider whether we should purchase “smart” devices at all.
Once we own IT, we must secure IT. One of the most important aspects is to adopt a patching regimen for all our devices. Game consoles have OS/firmware updates, as do printers, phones, TVs, and even the smart fridge that alerts you when you are running low on your favorite munchies. We must know what the process is to update each of these devices. In a perfect world, manufacturers of consumer devices would design with security in mind so that devices were more self-sustaining, but in the rush to get products to market, security often takes a back seat, if it’s invited along for the ride at all. As responsible consumers, we should avoid devices that are not continually supported by the manufacturer. We should also follow the good business practice of replacing hardware once it has reached its software end-of-life, even if the hardware still functions. When we run unsupported hardware just because it still functions, we endanger our own data and devices, as well as the data and devices of others. We also must use perimeter defenses when possible. We wouldn’t keep valuables in a house with no doors; firewalls are like those doors. They control access to the digital property inside the network. And like a house, if bad guys want in bad enough, they’ll find a way in, but the physical and digital barriers we erect are deterrents. Likewise, we also must change default configurations. We must secure IT.
Once we secure IT, we must protect IT. This means changing default credentials to make the job of breaking in more difficult. We must avoid password reuse. If we use the same password for multiple sites, we probably also log into the site using the same username, which is often our email address. Once a bad guy gets your credentials for one site, you are likely to be compromised on many other sites. Even worse, what if you use the same password for logging into your computer? In the geek vernacular, you are going to get pwned. One solution to this problem is to use a password manager and generate unique passwords for each site and/or device. There are numerous solutions on the market to help you with this problem. Use multi-factor authentication (MFA) when possible. This, too, takes many forms, from one-time PINs sent via SMS to authentication apps that generate a one-time PIN onscreen. Using MFA means that just because a bad guy has your username and password doesn’t mean they can necessarily get into your account. Another step in protecting IT is to NEVER use an account with administrator privileges for general use, such as checking email, browsing the Internet, or even playing games. Have a separate admin account that is only used to perform administrative functions. Modern Operating Systems will allow you to “elevate” privileges so that you can enter the admin credentials without having to log out of your general user account. Also, require each user of a system to have a separate user account. Not only does this keep each person’s information private, it lessens the potential for one compromised account to impact another user.
We’re well beyond the innocence of early consumer electronic devices and the Wild West of the first years of the World Wide Web. More than ever, our lives and livelihoods are connected online. For us to be responsible digital citizens, we must own IT, secure IT, and protect IT.