Tuesday, October 25, 2016

Lock Before You Leap

   Most organizations have some kind of requirement to protect data.  Sometimes it's regulatory, for example organizations in healthcare or financial or retail need to protect personal data on individuals.  But for sales, manufacturing or other industries like medical devices, their "secret sauce" could be intellectual property like formulas or proprietary processes, or customer lists.

   Whether it's critical data on people, processes or things, what most organizations have in common is that, if they cannot protect this information, the results could be fines or inability to do business and that can directly translate to harm to people and organizations.

   There are so many ways to protect information (or to fail at protecting information), some more complicated than others.

   One very simple way that information can be breached, disclosed or otherwise lost is through unattended, unlocked devices.  For example, someone leaves a laptop logged in, screen unlocked and walks away - someone else can take that laptop and would have access to any data it has.  This is also true for desktop workstations.  In this case the computer won't likely be taken, but if the workstation is unattended and unlocked, anyone else can access the data on that machine leading to potential breaches and regulatory problems.

Tuesday, October 18, 2016

Internet Safety for Parents

   I've written about Internet safety for families, kids, teens and I've even spoken on safety for pre-schoolers.  But it's important to think about online safety for parents as well.

   That's true both for parents of young children was well seniors with grown children.  The safety challenges for seniors are similar but there are some differences.  They may not be as familiar with technology and, according to the FBI:

  • they are often financially secure and/or have good credit
  • they may be more trusting and they don't think they'd be a target
   This article by the AARP lists some common scams against seniors including some we've discussed like fake Microsoft support calls or IRS-related tax fraud.

   What got me thinking about this topic was a great article entitled "10 Ways to Help Our Parents With Online Security".  The article touches on a number of themes we've discussed in the past.  I'll list the 10 items with links back to some past editions of this blog - typically they:
  1. don't think they have anything worth stealing
  2. have bad password habits - just like most people
  3. are confused by 2-factor authentication - something we all should use
  4. leave mobile devices unattended and without security measures
  5. don't recognize phishing emails
  6. don't understand social media and how it can be used in scams
  7. share too much information
  8. can be manipulated by online media
  9. place too much trust in an anti-virus product
  10. don't understand how sophisticated scams and attacks can be
   In what ways can you help your parents stay safe online?

Tuesday, October 11, 2016

What You Can''t See Can Hurt You(r Data)

   "It is all around us, even now in this very room. You can see it when you look out your window or when you turn on your television. You can feel it when you go to work, when you go to church, when you pay your taxes.."

   It's "all around you. Here, between you, me, the tree, the rock, everywhere."

   No, not the Matrix and not the Force, but a more insidious power... WiFi!

   Public WiFi is everywhere.  Many stores, malls, airports, cities and even parks offer it.  Sometimes it's free and sometimes not.

   It's US Cyber Security Awareness Month so it's a good time to think about the risks of using public WiFi and how to protect yourself.

   There are definitely risks in using public WiFi including:
  • pushing software - WiFi can be configured to send software to your device when you connect.  That might be OK at home or important in the office, but it can be misused by an attacker out in public.  Don't install software offered to you on a public WiFi.
  • redirecting your browsing - a WiFi connection can control how you get to websites.  If an attacker controls the WiFi, they can cause you to go to copycat websites with malicious software or to phishing sites.
  • evil twin attack - you know when you're at the coffee shop and you can connect with a WiFi connection that has the same name as that coffee shop?  How do you know it's really the coffee shop's connection?  You don't.  Anyone can buy a wireless router at the store for $25, put it anywhere, and name it anything they want.  Using a deceptive name for a WiFi connection to lure people is called the evil twin attack.
  • are you encrypted? - VPNs, Virtual Private Networks or secure connections, are a great way to protect your data when connecting over unknown networks... like the Internet!  However, you first have to connect to the Internet before establishing the VPN.
Here are some tips to reduce your risks of using WiFi outside your home or office:
  • use your smartphone hotspot - if this is a feature of your mobile phone and plan, you can use your phone as a WiFi hotspot and connect to it.  You then can feel confident that your connection is going through your cellular carrier.  Warning... this will use your mobile data and may cost you extra depending upon your plan and data limits.
  • only use wifi with a password or passphrase - even if everyone knows the password.  Using WPA or WPA2 with a password/passphrase means that every connection between a PC and the wireless network is encrypted.
  • turn off file sharing - in Windows you can designate a network as public, work or home, or you can directly turn off file sharing.  Here's an article with the instructions.
  • if possible don't use open wifi in very open areas - the more open an area you're in, the harder it is to figure out if you're connected to a legit WiFi.  And...
  • be aware of your surroundings - it's not strictly a WiFi issue, but when you're on public WiFi you're in... Public!  Protect your screen.  Protect your passwords.
   Even if you do all this, a skilled attacker can still cause you problems on a public WiFi network.  So, if you have to use public WiFi, try to:

  • limit personal info - even if it looks like a website is https, do your personal business from a secure connection at home
  • same for banking, shopping - definitely save your financial transactions for known secure connections
  • use care with confidential work data - you should use care when dealing with critical work data, particularly if you work with other peoples' personal data!
   Here are a few articles with more info.

   As a side note, there are also questions about potential health risks of all the wireless signals in our environment.  It's hard to separate fact from speculation and wireless may or may not be a health issue.

   In the future we'll see even more wireless than we do now.  And we'll also see better wireless network security.  Many new cars come with WiFi hotspots and more cities and municipalities are offering wireless. 

   What are your tips for public WiFi safety?  Have you ever come across an "evil twin" WiFi network?

Tuesday, October 4, 2016

Can't Live with 'em, Can't Live without 'em

   They're dead.  They're here to stay.

   They're safe.  They're breached.

   They're encrypted.  They're visible.

   They're complex.  They're too simple.

   Once again, the topic we love to hate... Passwords!  And, you know what else???  It's also that greatest of holiday celebrations... US Cyber Security Month!

   In honor of US Cyber Security Month and the recently announced breach of 500 million Yahoo! account passwords and other info  (while announced in 2016, the breach actually took place in 2014, and is not the same as the password breach they had in 2012! - yes, I know... it's hard to keep up!), I'm re-running a post I wrote in... wait for it... 2012!  Not only is everything I wrote in that post 100% relevant today, but I even commented on that 2012 Yahoo! breach.  The more things change, the more they stay the same.  Happy Cyber Security Month!
   Passwords are a mess!  A "good" password has these features:
  • hard to create
  • hard to remember
  • hard to enter
  • probably has to be changed as soon as you memorize it
  • plus other inconsistent, random rules depending upon the site