In today's Whiteboard Wednesday, Nicholas J. Percoco, VP of Strategic Services at Rapid7, will discuss some basic personal cyber hygiene tips to help protect yourself from security attacks. Watch this week's video to learn more.
Hi, I'm Nick Percoco. Welcome to this week's Whiteboard Wednesday. This week, we're going to be talking about personal hygiene. Well, I guess personal cyber hygiene, and what you should be doing to protect yourself from attacks on the Internet today.
The first topic we want to talk about are passwords. I know those are difficult to pick sometimes and sometimes are very easy to reuse from site to site, but it's important to make sure that one, you're using complexity, using the length in those passwords, and also make sure that those are unique from site to site. Now, that could be very difficult if you have lots of different social networking sites, you have email sites, you have online banking sites. That's why it's recommended, if you can, to use a password manager. There's tools out there such as LastPass or Dashlane that make it very easy for you as an end-user to go and choose a very complex password, something that's very long, even you can choose 20-character passwords that are very complex, that you'll never remember, but your password manager will remember them for you. Now, it's important to note that those are not always fail-safe. There have been issues in the past where password managers have been compromised, so it's important to make sure that you are aware of when those things happen and when there is those types of activities to make sure you go in and change all of your passwords to all the sites that you've been connecting to.
Next up is things about system updates. We all see those boxes that pop up that remind us that there is an update whether we are a Windows user, or we use an Apple computer, or we have a mobile device such as Android or an iOS device. We often see system updates. Now, sometimes you think, "Well, why do I have to update my system? I'm okay with the features that are here." But it's important to remember that majority of those updates, they are because of security issues. So if you decide to defer those and not click OK and not apply that update, you could be exposing yourself to some security risks. For the most part, they only take about five minutes to install. Your computer typically then has to reboot or your phone has to reboot, and then you're off and running. You don't have to worry about that problem anymore.
Next up is also when you're browsing the Internet, when you're using your browser, it's not just the bad sites that you can go to, you could go to reputable sites that actually can expose you to malicious content as well. There's some things you can do to maintain security there. One, if you don't need Java, don't have it installed on your computer and don't run it in your browser. Also, Flash goes along with that as well. A lot of the active content that's on the Internet have been known to be utilized to exploit browsers, to push down malware down to people's systems, and compromise your own personal data or even your corporate data if you are working for a business.
The other piece is there sometimes those reputable sites can be completely secure. They could have no security issues whatsoever. They might be maintained by very well-known organization, but they also have ads. It could be a newspaper site. It could be another media company. It could be a gaming site, and those ads that happen to be floating around inside your browser that you see active activity going, those ad companies could be compromised, and those ads can be used to push down malicious content to your browser. That's why when you're using your browser, I always use ad blockers because when I go to visit sites, I don't see any ads, but not because I don't want to see the advertisements, but I don't want to be exposed to the potential third parties that are pushing content to the website that I'm utilizing and viewing from time to time.
Another thing to keep in mind are things like personal firewalls. Now, most operating systems, you can just enable a personal firewall and all inbound access is blocked. That's easy. It's literally just a check box, but there are utilities out there that also can look for outbound activity. If you happen to have a piece of software installed and you have to have a game or some third-party software and it's starting to make a call outbound to try to phone home, maybe for a system update or maybe it's going some place you really don't want it to go, there's tools out there. If you have a Mac, something that I personally use is something called Little Snitch that will tell you when any process in your system is making an outbound call, and then you can train it. If you're using a certain app and you know that for every day, it needs to go out to the legitimate company site to retrieve updates, you enable that. Say, "Yes, and always allow it." If it's something you're using that you just want to maintain and give access to for a short period of time, you can say just, "While I'm using it." There is a lot of flexibility there. So something to pay attention to because it's not just the inbound activity that could be dangerous, it also could be the outbound as well.
Then, when you're using your computer or your mobile device and you're out and about, there's also the concept of Wi-Fi security. All of us probably go to airports, even we sit on airplanes, and it's very important that we pay attention to the Wi-Fi network that we're connecting to. Maybe that it says that it's a public Wi-Fi or it's a restaurant's Wi-Fi and it has no password associated with it. Although when you connect, it's important to know that's still an untrusted network, and when you are browsing the Internet or anything you're doing on your computer, on your system, any information you're sending in the clear could be intercepted by whoever runs that network.
The other piece on top of that, if you are connecting places using secure methods such as connecting via SSL to your online banking company or a social media site, if you happen to see a browser error that pops up that says the certificate is having a problem and you're using a public Wi-Fi, that's a very good sign that something's going wrong and you should probably not say OK. You should probably say Cancel and disconnect from that public Wi-Fi network.
Then, of course, when you're at home, it's important that you don't name your Wi-Fi network your home name or your address or your last name because if someone is trying to target you or your family, it's pretty easy to find out where you live or where your Wi-Fi network is located if it has your last name. Like if my Wi-Fi network was set Percoco Wi-Fi, it'd be pretty clear whose Wi-Fi network that was in my neighborhood.
Then, of course, there's the Internet of things that all of us are buying and like crazy and installing in our personal lives. Those can be rather dangerous depending on what they are when they are plugged in to an insecure Wi-Fi network, so everything sort of layers on top of each other. If your Wi-Fi network isn't secure in all the strong password associated with that network and you have something like a door lock or you have a camera inside your home or you have your thermostats connected to it, someone who connects to your Wi-Fi could actually wreak havoc in your own personal lives. One, they can unlock your door. They can go and they can turn your air conditioning way up to 90 degrees or turn your heat on to 90 degrees when it's the summer. Or even if you happen to be out of town on vacation, they can turn off your heat, which could, if you live in a cold climate, could cause your pipes to freeze and cause some serious damage.
So it's important to keep aware of everything you're plugging in to your lives, you're plugging in to your homes. If you don't have layered security on top of that, you could run into issues as well.
With that, this was a little bit of personal cyber hygiene. I'm Nick Percoco, and thanks for watching this week's Whiteboard Wednesday. Hope to see you next week.