Now when I’m talking about safekeeping a mobile device, I’m not saying don’t use your Kindle by the pool or let your toddler play on the iPad while eating ice cream. These are dangerous things to be doing with a gadget, but today I want to focus more on the data within that device, rather than the device itself.
No matter what you do, your device may be stolen. It only takes a moment of inattention for someone to swipe your phone or tablet. Before that unfortunate event occurs, there are several things that you can do to mitigate the damage that occurs from the loss of a mobile device.
Tags: data retention, encryption, mobile, ncsam-2013, passwords, phone, security, Storage, tablet
Hi there and welcome to today’s U.S. National Cyber Security Awareness Month tip, courtesy of those of us involved in administering and/or contributing to Cisco Security Intelligence Operations!!
For all of you savvy technologists and those well versed in the security realm, many of these tips may be old hat, but based on many of my discussions with both personal and professional peers, I know that most, if not all, of these Best Common Practices (BCPs) are not exactly “common.”
- Use non-trivial passwords - While most sites and applications now dictate requirements (lower/upper alphabetical, numerical, symbols, minimum length) for passwords, there are still those that rely on the user to utilize complex passwords. Password selection brings with it a challenging dichotomy -- on one hand we are being told (and sometimes forced!) to use complex not-so-easy-to-guess passwords and on the other hand we are expected to be able to remember all of these passwords without writing them down and sticking them on our laptop! Check out “Numeric Password Follies” and “Keep passwords safe and secure with password management” for some information from previous Cisco Security Blog posts that may help you choose and manage your passwords more effectively.
- And now that we have finally chosen an acceptably complex password, and have been able to commit it to memory, we have to make sure we Change Our Passwords Regularly! You will find that many of your “more secure” sites implement a specific time frame, e.g., 30 or 60 days, after which time you _must_ change your password. For all those sites, applications, and situations in which this is not the case, it is HIGHLY recommended that you take the proactive approach and manually change your password regularly. It shouldn’t be that hard -- just create a repeating reminder in your daily calendar to help you remember to change your passwords!
- And while on the subject of passwords, here’s another recommended best practice! Don’t use the same password everywhere!!! Again, our minds can only contain so many passwords (in addition to everything we need to remember on a daily basis) and things like passwords probably fall to the bottom of our priorities, so use a password manager tool. We often take the easy way out: once we’ve developed that very complex, non-trivial password that we discussed in our first tip, we hang on to it for dear life and use it EVERYWHERE! Bad move! There are few days that go by in the security world where we don’t come across a hack or data breach that was helped along the way by the fact that so many people use the same passwords for both personal and professional sites and applications. Several examples of these breaches can be found in these previous Cisco Security Blog posts: “July, a Busy Month for Breaches”, “Compromised Accounts, Stepping Stones”, and “6.5 million password hashes suggest a possible breach at LinkedIn”.
- If it looks like phish and “smells” like phish it probably is phish - Do NOT open emails that appear “phishy” – go directly to the known website of the supposed sender of the email. You should also be careful clicking links in emails from known contacts that do not contain human-looking text from your friend. For example, be leery of emails which contain nothing but one URL/link or emails that start out with text such as “open this, it is funny.” Agree with your friend that whenever he or she sends a single link, the message will also include something only he or she knows and that identifies the sender. For example, ask him or her to put in “I was born in XXX, July 1934” or what team he or she supports.
- Keep your operating system (OS) and application software up to date. Many OS vendors, e.g., Microsoft, provide automated means of updating software on a regular basis, so take advantage of this offering if your vendor provides it. It is certainly understandable that probably a great many of you have important devices and simply cannot take the chance with automated updates, but for those with less mission-critical concerns it is a worthwhile practice to use automatic software updates. The Cisco Security Intelligence Operations portal includes a section devoted to security alerts affecting both Cisco and non-Cisco products.
- Have your “social engineering” guard up at all times. For many of us, the combination of our personalities and lack of time causes us to become more trusting and to accept all invitations - whether by email, phone call, or text - on their surface. What we need to do when working online is put on our “tinfoil hat” and simply not trust anyone! So, when you get that next email soliciting you to “click on the link” to resolve a banking dispute, think twice, do NOT click on that link, and then log in directly to the website of your bank (or call them) and resolve that “issue” the proper way. Clicking on links sent to you via email or text could cause you to inadvertently and unknowingly provide login credentials and Personally Identifiable Information (PII) to the bad guys. Check out Levi Gundert’s recent post on how the loss (or theft) of PII can impact you.
- While Anti Virus (AV) Software is certainly not a silver bullet and probably won’t stop some of today’s more complex threats, it is still a useful tool to have in our security toolbox both for our corporate and personal devices. Although most corporate IT departments push out updates regularly to our professional devices, we need to also ensure that the AV Software running on our home and personal devices is kept current and is regularly updated.
- Understand the security measures that are available (and not available!) for social networking sites and applications. Many of you and your peers use some form of social networking -- e.g., Twitter, Facebook, LinkedIn, etc. -- and it is imperative that you are aware of what information gets shared and what mechanisms are available to you to restrict access to the data you want shared to only those people with whom you wish to share! You would probably be surprised to find out that the data that gets shared, both freely and inadvertently, is often leveraged for malfeasance such as phishing emails!
- Who you gonna call? Know to whom and how to report any suspect network security incidents, i.e., phishing, spam, malware, DoS, etc. This recommendation may border on the nebulous but it is really important, whether you are on your personal device at home or on a corporate device, that you know there are resources you can contact for assistance should you come across suspicious activity, e.g., phishing emails, evidence of DDoS attack activities, etc. This could be your ISP, your corporate IT department, Help Desk, Information Security (InfoSec) department, or even a friend or coworker.
- Be vigilant and stay abreast of cyber security news! Regardless of your role and your technical acumen, find at least one source of security intelligence to monitor via RSS, email, Twitter, or by just directly visiting websites. Please visit the Cisco SIO portal, which includes a variety of information such as security alerts, blog posts, technical white papers, best common practices, and upcoming security conferences. Some additional recommended sources of this information include CERT, NANOG, Full Disclosure, Bugtraq, SANS Internet Storm Center (ISC), and Krebs on Security, to name a few.
My call to action to all of you is to go out there and work together to make our cyber world just a little bit safer - one byte, one email, one phish, and one website at a time!
Tags: antivirus, Cisco Security, cisco sio, cyber security, NCSAM, ncsam-2013, passwords, security, social engineering
This month has been particularly prevalent for the loss of personal information. At the beginning of the month it was reported that Club Nintendo had been breached with the personal data of up to 4 million stolen by attackers. Subsequently, the forums of Ubuntu were hacked with the loss of 1.82 million usernames, passwords and email addresses. Additionally, Apple have announced that their developer website has had an unknown amount of personal data stolen.
Tags: Breach, network security, password, passwords, privacy, security, TRAC
I have commented before on numeric passwords, and how they can and cannot be used securely. Apparently, not everyone has been reading my blog. Developer Kevin Burke has apparently discovered a phone company that limited customer passwords to a six-digit code, with only the numbers 0-9 as options. Combined with not having any failed password lockouts, nor requiring any other information besides username (your phone number) and the six-digit password, this is a recipe for disaster.
Tags: authentication, passwords, security, strong passwords
The list of account compromises over the past week is almost too long to list, and the numbers of verified or estimated compromised accounts have reached ridiculous levels. With the media spotlight on these current companies’ compromises, we’ll likely get more details on the security weaknesses, outright failures, and more from the narcissistic vulnerability pimps taking credit for exposing those security problems.
Aside from the obvious of changing passwords, what can you and your organization do?
I won’t prognosticate on the list of best practices that may have been violated in these compromises, but they will be reported following the long, detailed, and expensive investigations in coming weeks and months, because most of them will be well-known but for one reason or another not practiced. The media reporting and the company’s public statements will cover those, and they will likely be worth a review for any significant points. We can let them tell the story, again.
Instead let’s focus on some things that people may not know or understand that can actually improve your security around these incidents. We highlighted a couple of these practices in the 2011 Annual Security Report, and more recently in the Emerging Threats Briefing at Cisco Live 2012.
First, let’s help our customers, users, and organizations. Given the opportunity, many people will take the simplest and easiest way. In the case of passwords, that means they will use their birthday, username, “password”, “123456”, and so on. We’ll see these lists of bad passwords in coming weeks too. It’s human nature, and too much work to try and remember all those passwords, right? Which leads to the second point: people who use the same password on multiple accounts (more on this shortly). As security practitioners and professionals, we too often are setting up our users and organizations to fail. We have to do better, and here’s how. Every security control must have technical controls that enforce and monitor that security control, or we have no idea if it is effective. In the case of passwords, that means creating policies, security controls, and technical controls that require a user to create a strong password and change it regularly. If we let a user create a password of “123456”, they have done as should be expected, and we have failed. Even with the best account credentials, the accounts have to be monitored for suspicious activity with technical controls to alert security teams and users when, for example, a password is changed. For a good reference list see: FY 2011 Chief Information Officer Federal Information Security Management Act Reporting Metrics. Note the account activity items on the list: Locked out accounts, failed logins, dormant accounts, password aging…
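The two halves of that argument, enforcing the password policy at creation time and monitoring the account-activity items listed above, can be sketched as follows. This is an added example, not code from the original post; the thresholds, field names, birthday format (a digit string) and account records are all constructed assumptions.

```python
from datetime import datetime, timedelta

# Constructed policy values (assumptions, not taken from the post)
NOW = datetime(2012, 6, 15)
MIN_LENGTH = 12
MAX_PASSWORD_AGE = timedelta(days=60)
DORMANT_AFTER = timedelta(days=90)
FAILED_LOGIN_ALERT = 5
COMMON_PASSWORDS = {"password", "123456"}

# Constructed sample account records
ACCOUNTS = [
    {"user": "alice", "last_login": datetime(2012, 6, 14),
     "password_set": datetime(2012, 5, 20), "failed_logins": 0, "locked": False},
    {"user": "bob", "last_login": datetime(2012, 6, 10),
     "password_set": datetime(2011, 12, 1), "failed_logins": 7, "locked": True},
    {"user": "carol", "last_login": datetime(2012, 1, 5),
     "password_set": datetime(2012, 5, 1), "failed_logins": 0, "locked": False},
]

def password_problems(username, birthday, candidate):
    """Enforcement: reasons to reject a new password (empty list means accept)."""
    problems = []
    lowered = candidate.lower()
    if len(candidate) < MIN_LENGTH:
        problems.append("too short")
    if lowered in COMMON_PASSWORDS:
        problems.append("common password")
    if username.lower() in lowered:
        problems.append("contains username")
    if birthday in candidate:
        problems.append("contains birthday")
    kinds = (str.islower, str.isupper, str.isdigit, lambda c: not c.isalnum())
    if sum(any(kind(c) for c in candidate) for kind in kinds) < 3:
        problems.append("fewer than 3 character classes")
    return problems

def account_findings(accounts, now=NOW):
    """Monitoring: flag the account-activity items for the security team."""
    checks = [
        ("locked out", lambda a: a["locked"]),
        ("failed logins", lambda a: a["failed_logins"] >= FAILED_LOGIN_ALERT),
        ("dormant", lambda a: now - a["last_login"] > DORMANT_AFTER),
        ("password aged", lambda a: now - a["password_set"] > MAX_PASSWORD_AGE),
    ]
    report = {a["user"]: [name for name, hit in checks if hit(a)] for a in accounts}
    return {user: flags for user, flags in report.items() if flags}
```
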
Tags: event monitoring, incident response, password manager, passwords, situational awareness, targeted attacks