Careers & People | 11/17/2014 11:15 AM

Why Cyber Security Starts At Home

Even the grandmas on Facebook need to know and practice basic security hygiene, because what happens anywhere on the Internet can eventually affect us all.

I find myself thinking a lot lately about how much safer we would be online if everyone knew and followed at least a few security best-practices. For those of us in the business of information security, we tend to think mostly about protecting ourselves and our organizations. But the Internet is a shared ecosphere where the actions of some people can easily affect everyone else.

“How so?” you might ask.

Two things immediately come to mind. First, and most obvious, victims of malware become resources for further attacks. As a hypothetical example, there’s a random kindergarten teacher in Kansas whom you’ve never met and couldn’t identify in a lineup. Her computer has contracted a bot and is spamming the world (including your organization) with malicious emails. Her computer is also acting as a drive-by download site, infecting any new victims enticed by the emails.

Multiply this one teacher’s infected computer with the thousands or millions of other botnet victims, and you can see why the online actions of others affect us all. Even if you’re smart enough to ignore the phishing attacks, the attacker could still leverage the thousands of victim computers under his control to DDoS your network. All because a few uninformed folks made simple mistakes and got infected.

The second issue involves chain-of-trust. While you may have built strong defenses around your network, your organization likely has tens, hundreds, even thousands of external partners or contacts with whom you interact each day. Likely, you’ve extended your trust to these external associates, whether by giving them elevated access to your network or by just more readily interacting with their emails.

You see, our trust networks go further than you realize. It’s kind of like the old “Six Degrees of Kevin Bacon,” which posits there are six or fewer steps between Kevin Bacon and any other actor. If some minor work acquaintance introduces you to someone at a conference, and you accept a LinkedIn request from her, you’ve invited someone you don’t know closer into your trust circle. If that person’s security practices aren’t up to par, she may introduce a potential threat into your network. Target learned this lesson the hard way with one of its external partners.

My point is, other people’s security practices (or lack thereof) affect us all. We’re all connected via the shared network we call the Internet. It’s in our own best interests to make sure everyone -- even the grandmas on Facebook -- knows and practices basic security habits. As security professionals, I believe we should share our tips with anyone we meet, whenever the opportunity arises. Chatting with an accountant on the bus who mentions the Cryptolocker infection on his wife’s computer? Why not share some tips you practice to avoid that sort of ransomware?

Here are the three tips I share with normal folks.

Tip 1: Patch regularly. Update your software as often as you can. Studies show you can prevent 79% of all attacks simply by patching. Most modern software, like Windows, OS X, Adobe products, Java, and more, has automatic patching built in. You should turn it on, and say “yes” whenever it asks to update.

Tip 2: Use antivirus and update it. I don’t care which one you choose or whether it’s a free or full version, but use AV software and let it update automatically. Yes, this includes Mac users. AV software is like the hand washing of the computer age; you need its basic sanitation to help prevent the spread of infection.

Tip 3: Think before you click. Use common sense before interacting with links or attachments. Does something sound too good to be true? Are you wondering why someone sent you a file? Does the link look weird when you hover over it? If you’re asking yourself these questions, you probably should avoid clicking.
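The “does the link look weird when you hover over it?” test can be automated for anyone triaging a suspicious email. The script below is an added example and is not code from the article or its author: it pulls every anchor out of an HTML message body and flags the patterns the hover test is meant to expose, namely visible link text that is itself a URL but points at a different domain, a bare IP address as the target, and a user-info `@` that hides the real host. The message body is constructed sample data, the hostnames are reserved example names, and the two-label “registrable domain” shortcut is a simplification assumed here in place of a real public-suffix list.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse


class _AnchorCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a href=...> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


# Text a reader would perceive as a URL: optional scheme, a dotted host, optional path.
_LOOKS_LIKE_URL = re.compile(r"^(?:https?://)?[a-z0-9.-]+\.[a-z]{2,}(?:/\S*)?$", re.I)
_BARE_IPV4 = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")


def registrable_domain(host):
    """Last two labels of a hostname. Assumption: a stand-in for a real public-suffix list."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def _parse(url):
    parsed = urlparse(url)
    return parsed if parsed.scheme else urlparse("http://" + url)


def classify_link(href, text):
    """Return the reasons a link deserves a second look; an empty list means nothing odd."""
    parsed = _parse(href)
    if parsed.scheme not in ("http", "https"):
        return [f"non-web scheme '{parsed.scheme}'"]
    actual = parsed.hostname or ""
    if not actual:
        return ["no usable host in href"]
    reasons = []
    # The visible text is itself a URL, but the anchor leads to a different domain.
    if _LOOKS_LIKE_URL.match(text):
        shown = _parse(text).hostname or ""
        if registrable_domain(shown) != registrable_domain(actual):
            reasons.append(f"text shows {shown} but link goes to {actual}")
    # Legitimate services almost never link to a raw IP address.
    if _BARE_IPV4.match(actual):
        reasons.append("link target is a bare IP address")
    # user:pass@host syntax: the browser ignores everything before '@', so it is a disguise.
    if "@" in parsed.netloc:
        reasons.append(f"'@' in the URL hides the real host ({actual})")
    return reasons


def suspicious_links(html):
    """Return [(href, visible text, reasons)] for every link in the body that tripped a check."""
    collector = _AnchorCollector()
    collector.feed(html)
    flagged = []
    for href, text in collector.links:
        reasons = classify_link(href, text)
        if reasons:
            flagged.append((href, text, reasons))
    return flagged


# Constructed sample message body; the hostnames are reserved example names, not real sites.
SAMPLE_EMAIL_HTML = """
<p>Your package is waiting. <a href="http://203.0.113.5/track">Track package</a></p>
<p>Log in at <a href="https://secure-login.example.net/bank">https://www.example-bank.com/login</a></p>
<p>Help centre: <a href="https://www.example-bank.com/help">https://www.example-bank.com/help</a></p>
<p><a href="https://www.example-bank.com@attacker.example/">Verify account</a></p>
"""

if __name__ == "__main__":
    for href, text, reasons in suspicious_links(SAMPLE_EMAIL_HTML):
        print(f"{text!r} -> {href}")
        for reason in reasons:
            print(f"    {reason}")
```

Run as a script it prints the three links in the sample that fail the checks and leaves the help-centre link alone, which is exactly the judgement a careful reader makes by hovering; the value of automating it is that the same three checks can run over every message in a mailbox rather than only the ones someone happened to inspect.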

Sure, there are plenty of other important best-practices, and these tips aren’t sufficient to defend a full organization. However, if you have little time and an audience with little expertise, these tips are simple and practical enough that anyone can follow them. And imagine how much safer it would be online for all of us if everyone in the world patched quickly, used basic AV, and was more careful about what he or she clicked.

With all the people in the world, you may think educating the masses is a hopeless task. However, the six degrees of separation that makes the world a smaller place also makes good ideas spread faster. If we take a little time to educate our neighbors and friends, we can make the Internet a safer place.

Corey Nachreiner regularly contributes to security publications and speaks internationally at leading industry trade shows like RSA. He has written thousands of security alerts and educational articles and is the primary contributor to the WatchGuard Security Center blog, ...

Comments
sbynoe (User Rank: Apprentice) | 10/12/2016 | 7:14:09 AM
A very good post.

CNACHREINER981 (User Rank: Author) | 11/18/2014 | 12:40:32 PM
Re: Is it Time for Mandatory Infosec Training in Schools?
I like the idea of the Infosec community helping... however, I do have a strong belief that the reason some training has failed is that users don't care, or can't "get it," but because many of the technical folks I interact with aren't great teachers... They make assumptions about what people should know about their field, and judgements if others don't know certain things... For training to work, the training can't act like the snarky, know-it-all, cliche idea we have of the IT guy. I know many IT guys aren't that person, but I have seen enough cynical IT guys that would not make good teachers.

CNACHREINER981 (User Rank: Author) | 11/18/2014 | 12:37:37 PM
Re: Is it Time for Mandatory Infosec Training in Schools?
Heh... Geriatric, sounds like we both like the car analogies... I was responding to Charles before I saw your reply, which uses the same car analogy I did! ^_^... Great minds...

CNACHREINER981 (User Rank: Author) | 11/18/2014 | 12:36:14 PM
Re: Retailer Responsibility
I only half agree with you. I totally agree that software vendors and system designers bear a huge responsibility and should focus more on secure design... but I still think the user needs to follow safe practices. Look at cars... manufacturers have responsibility (legal and ethical) to create safe vehicles... but an idiot driver can still crash despite all that. Which is why we require drivers to go through training and be responsible for their driving practices... Both the software vendors and the users bear some responsibility.

Robert McDougal (User Rank: Ninja) | 11/18/2014 | 11:40:38 AM
Re: Trying to do their part...
@Thomas It's funny that you mention that; I do the same for my wife and kids. Although I think they get tired of hearing from me....

GonzSTL (User Rank: Ninja) | 11/18/2014 | 10:59:25 AM
Re: Is it Time for Mandatory Infosec Training in Schools?
I have no problem with my tax money being used to educate school kids in the basics of infosec. I would even volunteer my time to help develop training material. It really is important to provide basic infosec training to as much of the general public as possible because, as the article points out, any everyday person can become an unwitting conduit for spreading malicious activity. Even more importantly, the lack of cyber security awareness can be very dangerous for children, who are very likely to be involved in online activity.

Marilyn Cohodas (User Rank: Strategist) | 11/18/2014 | 9:16:09 AM
Re: Is it Time for Mandatory Infosec Training in Schools?
Yes it is time, @geriatric, in fact it is long overdue. But I think that user security training has to be baked into everyday classroom activities, just as computing is at home, at school and at work. Problem is that the typical classroom teacher has neither the time nor the knowledge to take on that role. Maybe it's something the infosec community should pick up as a public service...

geriatric (User Rank: Moderator) | 11/18/2014 | 7:07:36 AM
Is it Time for Mandatory Infosec Training in Schools?
You make a great point about the computer actions/inactions of another impacting everyone. An analogy can be made to automobile drivers. You may be doing everything you're supposed to, and still get t-boned by a joker who doesn't pay attention.

A couple of decades ago, I was working with a school district on their computing initiatives, and the subject of typewriter courses came up. They commented how irrelevant it was, and after discussion, we morphed it into keyboarding/basic computing. Point being, things change.

A great place to raise awareness and train future generations is in our schools. Like many other subjects, starting at the genesis of their experiences is the answer. Although computer illiteracy is not generational (my octogenarian mother is one of the most aware computer users I know), we have to make sure everyone who needs training is getting it, and what better place than our educational institutions?

Start 'em young.

Christian Bryant (User Rank: Ninja) | 11/17/2014 | 5:45:13 PM
Retailer Responsibility
I definitely agree with your thesis here but I truly believe there are some folks out there who will never get it, don't want to get it, and frankly shouldn't have to. For that segment of society, I believe there needs to be more responsibility taken on by retailers of computing systems. There has always been pressure on software and service providers to write more secure software. Microsoft, Facebook, Apple – all regularly badgered when holes appear and regular folks get hurt as a result. But on the retail end of things, there isn't much onus on BestBuy or CompUSA to keep its customers up-to-date on their purchases from the perspective of your three tips. I think sending that guy who will never get security home with a PC and no support is like sending someone home with a gun and absolutely no training or follow-up licensing requirements, and then also handing them a bag of bullets. An ecosystem of unsecured wireless networks and computers is exactly how some cyber criminals excel in what they do, having that many more hop spots or dark Internet corners to work from. There is securely written software, and then common sense and community self-support, but then there is that group that will never be secure if left on their own. How do we make retailers of computing systems more accountable for the extended care of customers, and ensure that they are contributing to the greater security of the Internet? Should we?

Thomas Claburn (User Rank: Ninja) | 11/17/2014 | 5:29:03 PM
Re: Trying to do their part...
In my family, I make a point of talking about security issues, so the kids keep that in mind when they see similar scams. Awareness helps a lot.