By Andrew Wild, Chief Information Security Officer, Lancope
October is National Cyber Security Awareness Month. But if you’re reading this blog, chances are good that you are an experienced information security professional and that you’re focused on awareness every month! So, how do you explain security awareness to others, especially co-workers, family members and friends who are not information technology experts? In this article, I will share some of the tips that I pass along to my family and friends.
A funny but accurate analogy I’ve read on the Internet that seems to work with non-IT folks is: Passwords are like underwear…
- Change them often.
- Don’t share them with anyone.
- The longer the better.
- Don’t leave them on your desk.
All kidding aside, the three most important points to share about password security are:
- Create a strong password. Length matters more than clever substitutions: a long, random password or a multi-word passphrase is far harder to guess or brute-force than a short one with a symbol or two, and nothing built from a dictionary word, a name or a date qualifies as strong.
- Don’t reuse passwords. Many people still use the same password on multiple accounts, which means a breach at one site hands attackers a working login for every other site where that password was used. Stress the importance of not reusing passwords across accounts.
- Don’t share your password with anyone. Surprising as it is to IT security professionals, many people don’t know that legitimate support staff from an organization will never ask for your password.
Most people hate passwords though, and telling them they have to use a different password for every site and that the passwords have to be strong isn’t advice that is likely to be followed. Whenever I talk about password security, I always follow up by recommending a password vault. There are many password vault solutions available at low or no cost that can help people manage their passwords, and most of them can also generate strong random passwords, so the user only has to remember one good master password.
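To make the "strong and unique" advice concrete for the more technical reader, here is an added Python example (mine, not part of the original post or of any vault product) of what a vault's generator does: it draws characters from the operating system's cryptographic random source and quantifies the result in bits of entropy. The symbol set and the tiny wordlist are constructed for the demo.

```python
import math
import secrets
import string

# Character classes a vault-style generator draws from (symbol set chosen for the demo).
CLASSES = {
    "lower": string.ascii_lowercase,
    "upper": string.ascii_uppercase,
    "digit": string.digits,
    "symbol": "!#$%&()*+,-./:;<=>?@[]^_{|}~",
}
ALPHABET = "".join(CLASSES.values())

# Constructed mini wordlist standing in for a real diceware list
# (a real one has 7776 words, giving ~12.9 bits per word).
WORDS = ["correct", "horse", "battery", "staple", "orbit", "kettle",
         "glacier", "mango", "velvet", "tundra", "cipher", "lantern",
         "harbor", "pixel", "quartz", "willow"]


def entropy_bits(length: int, choices: int) -> float:
    """Entropy of `length` symbols each picked uniformly from `choices`
    possibilities; this is what makes a password strong, not the mere
    presence of a digit or a symbol."""
    return length * math.log2(choices)


def classes_present(pw: str) -> set:
    """Which character classes a password contains."""
    return {name for name, chars in CLASSES.items() if any(c in chars for c in pw)}


def generate_password(length: int = 16) -> str:
    """Random password from the OS CSPRNG (never random.random()).
    Retries until every class is present so it passes typical site
    rules; the rejection costs only a fraction of a bit of entropy."""
    if length < len(CLASSES):
        raise ValueError("length too short to contain every class")
    while True:
        pw = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if classes_present(pw) == set(CLASSES):
            return pw


def generate_passphrase(words: int = 6, wordlist=WORDS) -> str:
    """Passphrase: easier to type and remember; its strength comes from
    the number of words and the size of the list they are drawn from."""
    return " ".join(secrets.choice(wordlist) for _ in range(words))


if __name__ == "__main__":
    pw = generate_password(16)
    print(pw, f"~{entropy_bits(16, len(ALPHABET)):.0f} bits")
    phrase = generate_passphrase(6)
    print(phrase, f"~{entropy_bits(6, len(WORDS)):.0f} bits with this tiny list")
```

The entropy figure is the useful talking point: sixteen random characters from a 90-symbol alphabet are over 100 bits, while six words from the sixteen-word demo list are only 24 bits, which is why a real passphrase generator needs a large wordlist.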
And finally, encourage people to take advantage of the stronger authentication options that are now available. Many banks, email service providers and file sharing services now support some form of multifactor authentication, where logging in requires the password plus a second factor such as a one-time code from an app or text message, or a hardware token. Because a stolen or guessed password is no longer enough on its own, multifactor authentication significantly reduces the likelihood of an account being compromised.
We’ve been telling people for years not to open email attachments, and most people do understand the risks of opening unsolicited attachments. But now it’s not only about attachments; it’s also about not clicking on URLs contained inside email messages. We can tell people to be careful about clicking on links, but the reality is that it is often difficult to tell whether a link is good or bad: the visible text of a link can say one thing while the underlying address points somewhere else, and the real destination is the host name just before the first single slash, not a familiar brand name buried elsewhere in the address. A resource that I have found to help people understand the thought process for evaluating a link is the nice flowchart from Intel Security. They also have an online test that is a useful way to check your understanding.
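The flowchart turns link evaluation into a series of questions; as an added example (my own, not Intel Security's flowchart or test), the Python below automates a few of them: is the host a raw IP address or a punycode/non-ASCII lookalike, is there a user name before an "@" hiding the real host, does a well-known brand name appear somewhere other than the actual domain, and does the visible link text name a different site than the target. The brand list and the two-label "registrable domain" rule are simplifying assumptions for the demo; a real checker would use the public suffix list.

```python
import ipaddress
import re
from typing import List
from urllib.parse import urlsplit

# Brands the user actually has accounts with (assumed list for the demo).
KNOWN_BRANDS = {"paypal.com", "bankofamerica.com", "google.com"}


def registrable_domain(host: str) -> str:
    """Last two labels of the host name. Good enough for the demo; a real
    check needs the public suffix list to handle co.uk and friends."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def assess_link(href: str, anchor_text: str = "") -> List[str]:
    """Return a list of warnings about a link; an empty list means nothing
    suspicious was found, which is not the same as 'safe'."""
    warnings = []
    parts = urlsplit(href.strip())
    host = parts.hostname or ""

    if parts.scheme not in ("http", "https"):
        warnings.append(f"unusual scheme '{parts.scheme}'")
    if parts.scheme == "http":
        warnings.append("not HTTPS")
    if parts.username is not None:
        # http://paypal.com@evil.example/ really goes to evil.example
        warnings.append("text before '@' is a user name, it hides the real host")
    try:
        ipaddress.ip_address(host)
        warnings.append("raw IP address instead of a domain name")
    except ValueError:
        pass
    if "xn--" in host or not host.isascii():
        warnings.append("punycode or non-ASCII host (possible lookalike characters)")
    if host.count(".") >= 4:
        warnings.append("deeply nested subdomain")

    # A brand name inside the host but not as the actual domain:
    # paypal.com.account-verify.example is account-verify.example
    reg = registrable_domain(host)
    for brand in KNOWN_BRANDS:
        label = brand.split(".")[0]
        if label in host and reg != brand:
            warnings.append(f"'{label}' appears in host but domain is {reg}")

    # Link text that looks like a URL for a different site than the target.
    m = re.search(r"https?://([^/\s]+)", anchor_text)
    if m and registrable_domain(m.group(1)) != reg:
        warnings.append("link text shows a different site than the target")
    return warnings


if __name__ == "__main__":
    # Constructed sample links, not real phishing URLs.
    for href, text in [
        ("https://www.paypal.com/signin", ""),
        ("http://paypal.com@203.0.113.5/login", "https://www.paypal.com/login"),
        ("https://paypal.com.account-verify.example/", "Verify your account"),
    ]:
        print(href, "->", assess_link(href, text) or ["no warnings"])
```

The heuristics deliberately err on the side of noise: a warning is a reason to type the site's address by hand instead of clicking, not a verdict that the link is malicious.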
Inside our enterprise environments, we’ve implemented extensive cyber monitoring capabilities to quickly and proactively detect anomalous behavior within our networks (check out Lancope’s StealthWatch® System). Many online services offer their own, simpler version of this: detecting unusual activity and notifying the account owner. Banks and credit card companies can send notifications by SMS (text message) or email for a variety of events, including financial transactions over a user-defined threshold. Many online service providers allow users to register multiple email addresses for an account and will send an alert by SMS or email when the password is changed. Monthly account activity reports are also available from many services, showing the geographic locations from which the account was accessed (derived from the source IP address of each login). Encourage friends and family to enable these monitoring capabilities, to review them for activity they don’t recognize, and to change the password and contact the provider right away if they find any.
Patch Patch Patch
Encourage the frequent updating of operating systems, applications and plugins on computers and mobile devices. Keeping web browsers and their plugins current has become especially important given how much of daily computing now happens in web applications, since an out-of-date browser or plugin is one of the most common ways a malicious web page gets a foothold. A tool that I find very useful to help friends and family check the health of their web browsers and plugins is the Qualys Browser Check. This easy-to-use tool identifies out-of-date or vulnerable versions of the browser and of the plugins it has installed.
These are some of the ways that I help my friends and family secure their online assets. I hope these are helpful, and remember that the Stop. Think. Connect. message is not just for National Cyber Security Awareness Month; it is a year-round approach that everyone should adopt.