Online security is one area in life that we have the least control over. When a Company is breached, it is often due to an employee clicking on a link in a phishing email, inadequate security on Internet-facing web servers, or databases that sit open and available for anyone to access.
Your identifiable information is maintained by Companies to help keep track of your purchase history as well as your likes/dislikes, date of birth, current address, etc. This information is held within a database, which holds a treasure trove of data about you; simply put, threat actors want access to this and will not stop until they find a way in. This is a bit tangential but I think it has to be said – just because mainstream media says the Russians or Chinese perpetrated the hack does not mean it’s true. The attack is most likely due to an organized crime ring looking to steal a Company’s data to just sell it back for more money. It’s a vicious circle! See Romania.
Now that’s off my chest, let’s get back to databases. Unfortunately, there have been a number of instances in recent history where databases with sensitive information have been left open and accessible from the Internet. Based on reports ranging from companies like Verizon and Pacific Gas and Electric to a whole host of Companies that use MongoDB (an open-source database platform), it is safe to assume that your data has been breached. Not only have major Companies been breached, but social networking sites have not fared well either. When you put your entire life on a social networking site, you are leaving a lot of information available for anyone to see (see LinkedIn).
With the ever-increasing number of Companies succumbing to data breaches, I have come to the realization that my personally identifiable information (PII) is already in the hands of a nefarious criminal. We have already been ‘pwned’ but we may not know it until it’s too late. To make matters worse, no matter how hard they try, most Companies do not implement the proper controls to maintain adequate security to protect your personal information.
Your personal data is important not only to you but to the companies that you provide it to, as well as to cyber thieves. Maintaining the security of your personally identifiable information (PII) is of utmost importance but unfortunately is often out of your hands as soon as you check the box that says you agree to the terms and conditions. Here are the top five things that, if you do them, will improve your online security posture.
- One of the first things you should do is stop reusing passwords! It’s easy to make a simple password; I’m sure you’ve seen an article on some major news outlet stating the top 10 worst passwords of 2016. In that article you see passwords such as 1234, 1234567890, qwerty, p4ssw0rd, etc. It’s also safe to say that the same user will most likely use the same user name and password across all of his or her accounts. I can summarize the rest of this article in three words – STOP DOING THAT! Yes, it seems simple and yes, I’m sure you don’t have a simple password, but I’m sure you use the same password across multiple accounts. That means that if a hacker were to compromise one account, he or she will have access to all accounts that use that username and password.
Recommendation: Use a password vault like LastPass or Password Safe. These vaults are super simple to use and let you generate randomized passwords that are difficult to crack. Best part of it is – you only have to remember one password to open the vault. Better yet, and this just came to me as I was wrapping this up, use two-factor or multi-factor authentication (2FA or MFA, respectively). Facebook, Gmail, Yahoo, LinkedIn, etc., all allow you to enable this feature. Before moving on, enable 2FA!
- Patch or upgrade your system! Did you know that Apple stopped supporting QuickTime? What this means is that if you have QuickTime on your personal computer, Apple will no longer be supplying patches or updates to fix vulnerabilities that could let a hacker remotely access your machine and execute commands without your consent. Are you still running older versions of Internet Explorer? Microsoft has stopped supporting IE on certain Windows operating systems. Are you running XP? Upgrade…seriously! Microsoft stopped support of Windows XP over two years ago. You are strongly encouraged to upgrade, patch, or remove the application from use. This decreases the potential for your machine to be compromised by a nefarious individual.
Recommendation: Turn on Windows updates; if you’re on Windows 10 this should be on by default. Automatic updates might break something in your system…but you’re keeping backups, aren’t you?
- Aren’t you? You seriously need to consider implementing a regular Windows backup to an external hard drive. I never keep that drive attached, so for me it’s more manual than automated, but I have my reasons…ask me why another time. If after reading this post you’re thinking, “It’ll never happen to me,” just stop. The next time you click on that Facebook ad (by mistake, of course), it may navigate you to a site that serves ransomware. What is ransomware, you ask? This is a malicious program that, once executed, encrypts the entire contents (or certain file types) of your computer’s hard drive. This is known as ransomware because in order for the contents to be decrypted, you have to pay a sum of money in Bitcoin. Getting Bitcoin is a process in and of itself; it’s best to avoid it altogether. You’re going to like the external backup, I guarantee it!
Recommendation: Go to Amazon or Newegg and buy an external hard drive. Use a search engine (preferably one like DuckDuckGo) to figure out how to perform a system backup to that external drive. I shouldn’t have to say this but I will anyway – don’t do this if your system is already infected. Then you just have a copy of your infected system. But “it’ll never happen to you,” so that’s just crazy talk.
- Stop sharing your life on social media: You are not that important – believe me. However, one of your friends, whose account has been compromised by a malicious attacker, is able to see that you are going away on a two-week vacation to Nevada. They can also see that you are home alone because your significant other went away on a business trip. All of the photos you post have location data attached as well! Now the attacker knows where you live and that you’re home alone or your home is empty for a period of time. Yes, I’m sure you’re armed to the teeth, but why even put yourself in that situation?
Recommendation: Turn location preferences off on your photos. Tell Facebook to stop tracking you. Stop taking selfies…oh wait, I mean, stop posting so many photos of your cute kids. Yes, it’s so you can share them with your family, but the people whom you wouldn’t say hi to in high school can now see everything about you in your adult life. Please stop and think before you share the next photo of your baby’s butt. People are freaks!
- Be smart! No, the president of Nigeria and his entourage do not have $459 million to share with you. If you have to ask how the president of Nigeria knows you, that’s when you know it’s a scam. Simply put, you need to start asking why – why does that Company need your social security number? Is there any other way to authenticate who you are? Why do you need my date of birth and my home address and my social and my mother’s maiden name and the name of my first aunt’s pet chinchilla? Catch my drift? Ask why; the person on the other end of the phone might be legit, but it doesn’t hurt to do a little bit of due diligence.
Recommendation: We are all willing to be helpful and we want to trust people. There’s an old adage that I learned during my years as an IT auditor – trust but verify. That means you trust what that person is telling you because, again, you want to be known as a trusting, well-intentioned person. But there’s a level of verification that you need to perform to maintain your personal security. Ask questions like, “I know you need that information to verify who I am, but is there another way? Can you tell me why you need that information? What other forms of identification can I provide to you that will authenticate who I am?”
Your online identity, and the data that defines you, needs to matter more to you than it does to the Company that you’re giving it to. We are walking endorsements for many brands, and they tailor ads just for our likes and dislikes. It’s nice to see but in a way a little creepy. Be careful out there and remain vigilant. And for all things holy, stop saying the word utilize. You sound like a pompous fool.