This week marks Week 4 in National Cyber Security Awareness Month (NCSAM), a program sponsored by the Department of Homeland Security (DHS) in cooperation with the National Cyber Security Alliance and the Multi-State Information Sharing and Analysis Center. NCSAM emphasizes our shared responsibility in strengthening the cyber security posture of our workplaces, homes, and digital lives, and it targets entities in both the public and private sectors with its message. The theme of NCSAM's fourth week is "Your Evolving Digital Life." As the technology in our "smart world" continues to change and grow in sophistication, we are faced with the challenge of protecting ourselves and our online accounts. Fortunately, some of the most important security lessons we can internalize are relevant irrespective of whatever technology we might decide to use. We therefore turn to the security basics as a framework by which we can secure our digital lives – today, tomorrow, and well into the future.
The Security Basics
One of the most straightforward ways we can protect ourselves online is to be aware of patches/updates that affect the software we use and to install them shortly after they are released. By adhering to this practice, we will make it more difficult for attackers to compromise our technology, our accounts, and our information.
"The most common attacks are unoriginal repetitions of known exploits on vulnerable software, like your operating system or browser," explains Kyle Lady, R&D software engineer II at Duo Security. "Once updates are released, attackers will try to figure out what the bug was based on and what files were patched. As a result, updating your devices in a timely fashion is critical. Applying the necessary updates helps to close these security holes, which will give the average attacker an incentive to move on to someone else who is easier to exploit."
Attackers are generally after one thing: information. We as online users therefore have an incentive to limit the amount of information we share online, which includes the data that accompanies an image we decide to upload to one of our social media accounts.
"Pictures you upload contain much more than just the image," observes David Archer, principal investigator at Galois. "Metadata in every image tells when the picture was taken, where, the altitude, what kind of phone you have, and even what OS version it’s running. Anyone who wants to can tell what places you frequent and when you may be there, right down to the building and floor."
Archer goes on to explain that while some sites such as Facebook and Twitter strip this data from uploaded images, we cannot count on someone else securing our privacy for us. We must take responsibility for our own privacy and strip our images of location data by following the guidelines listed below:
- iOS: Settings > Privacy > Location Services > Camera, make sure “Never” is selected.
- Android: Navigate to the Settings gear in the Camera app and turn off "Save Location".
- Windows: Select a photo, right click, select Properties, go to the Details tab, and click Remove Properties and Personal Information.
- OS X: Preview > Tools > Show Inspector > More Info > GPS, click Remove Location Info.
He also recommends that users transition to a password safe/manager for good measure.
"These solutions make logging on quick, allow you to securely take your list of passwords with you onto any device, and stop someone else who shares or nicks your device getting straight onto the sites you visit," chimes in Sarah Clarke, an information security blog writer for Infospectives. "Additionally, with a password manager, you only ever need to remember one nice long password."
Most password managers nowadays help users build strong, unique passwords for each of their online accounts. This practice can help protect people against unsafe password security habits, such as saving their passwords in their browsers. With this in mind, for those who do decide to migrate to a password manager, it is a good idea to remove saved passwords from the browser and to check the "Never remember passwords" box. Finally, as an additional measure to help protect our evolving digital lives, we can implement two-factor authentication (2FA) on any and all online accounts that support this feature.
"Usually, you can find information about two-factor authentication within your account or security settings for any website that supports it," notes Brad Winckler, a DevOps researcher in Tripwire's R&D department. "You can find a list of websites that support two-factor authentication by visiting https://twofactorauth.org/. Most websites will support an SMS option that will send you a text message to approve access to a site or service; in this way, even compromising your passwords is not enough to hijack any of your accounts. If the feature exists, use it!"
Conclusion
In today's tech industry, many companies are unfortunately motivated strictly by profits--that is, releasing their products as quickly as possible so as to beat out their competitors--rather than taking the time to penetration test their applications for security vulnerabilities. Martijn Grooten, editor of Virus Bulletin, is well aware of this reality.
"Perhaps the biggest threat to our connected lives is the fact that many manufacturers don’t make their products with security in mind," explains Grooten. "Instead they use out-of-date protocols, set default passwords, don’t patch known and exploitable vulnerabilities, and send private data in clear text over the Internet."
Grooten goes on to note that many users do not have the technical knowledge to determine whether the devices they purchase or the applications they download are safe. However, a small degree of security awareness can go a long way. If we take the time to seek out product reviews from tech-savvy family members, friends, or experts, we can decide what products we want to incorporate into our digital lives. Furthermore, by installing patches in a timely manner, taking responsibility for our privacy, and practicing good password security, which includes using a password manager and 2FA, we can protect our evolving digital lives against most if not all technologies that we might ever hope to encounter. To learn more about how you can protect your passwords and securely navigate the world of social networking, please refer to The State of Security's articles for Week 3 of NCSAM.