Tuesday, December 22, 2015

What's in Your Home Computer Security Toolkit?

   It's always great to get questions and comments from readers.  I received this question recently:
My home recipe is Windows Defender, Malwarebytes and KeePass. Is that a good approach or should I be thinking about adding something to my security toolkit in 2016?
   Thanks for the great question!  You’ve got some good bases covered:
  • Anti-malware (I also use defender)
  • Malware removal (I also use malwarebytes), and
  • A password vault (I use LastPass)
   That’s a great start. To round out the core toolkit, I’d add 2 things:
  1. Backups – you’ve got irreplacable pictures, tax returns, music and info of all sorts. There are many of good online products available that encrypt your data before cloud storage. I use CrashPlan, but there are many others.  For extra bonus points, you can both backup one computer to another computer and to the cloud.  That way you have more than one way to recover.

  2. Next, 2-factor authentication should be added for any sites and accounts where available.  This nicely complements your password vault so that even if an attacker stole individual or multiple passwords, they still couldn't log in to your accounts without your phone or other second authentication device.  I wrote about this recently.
   There are also a few things to do:

Tuesday, December 8, 2015

The First Rule of Security

   That's a classic scene from a great movie.  And, if you think the movie is twisted, you should definitely read the book or the audiobook!

   Many people know that the first rule of Fight Club is that you don't talk about Fight Club.  That's because they didn't want to draw attention.

   But in security, the first rule of security is:

   That means a number of things:
  • Security Awareness - a program at your organization to promote security themes.  I like to focus on information people can use at home.  I've talked about this in the past.
  • Public Awareness - similar to security awareness but here security pros, IT pros, law enforcement pros, or really anyone, talks to the public about security and privacy issues.  There are opportunities through the schools, community centers or school district parent organizations.
  • Conferences - are a great way for people to learn more about security and for security and IT pros to learn more, improve their skills and make great contacts.  I was recently at the HIMSS Privacy & Security Forum in Boston.  I saw old friends and made new ones, heard some great speakers (and did a bit of speaking myself) and learned a few things.
  • Professional Organizations - There are many IT and security professional organizations.  Some of the organizations I participate in include ISSA, ISACA and Infragard.  There are local chapters in most areas.
  • Other local groups - in addition to the formal professional organizations, many areas have local groups for security leaders or security practitioners.  You can find out about these groups and conferences or professional organization local meetings.
  • 1:1 discussions - talk with a security pro about security!  Even better... talk with someone who's not a security pro about security!
   Here's the thing... the attackers - the people who are trying to break into networks or your home computer to steal data - talk to each other.  They share ideas and techniques.  They learn from each other.  We must do the same.

   How do you talk about security?