Tuesday, December 25, 2012

Personal Cyber Security - TEEX's Holiday Guide, Part 2

Earlier this week we blogged about the importance of personal cyber security, and how poor practices can endanger personal and company data. In this blog, we’ll address several important items that everyday users encounter and how to secure them.

Anti-Virus Software - Without proper virus protection, your PC may have a Trojan Horse virus quietly waiting to carry out a malicious attack, using your computer and Internet connection.

If you have a personal computer running any version of Windows, you must have up-to-date antivirus software. Fortunately, there are many options available, at costs ranging from free to $200 per year. A new PC will generally come with a trial version of Norton or McAfee antivirus, lasting from 90 days to one year. During the program setup, pay attention to the automatic update and scheduled scan settings. Both must work for full protection. Make sure the scheduled scan runs at a time when the computer is on and idle. Watch for the automatic updates to occur, usually once per week.

Free antivirus software, such as AVG, protects millions of users daily. Educate yourself by checking reviews on the Internet and use the software you are most comfortable with. Bigger and more expensive isn’t always better, as more layers of protection sometimes slow computers down noticeably. The important note is to use antivirus software of some kind and keep it up to date!

For everyone running iOS (on all Apple products) and Android (on other smart devices), it’s time to accept that your devices are susceptible to the same security problems as Windows PCs. Install antivirus now so you won’t be the first in your office with problems.

Another thing to be cautious of is using your smartphone on wireless networks in public places. More and more people use their smartphones to access Facebook, Twitter, personal email, and bank accounts. Most smartphones are set up to automatically switch to open-access Wi-Fi networks when they are available. This leaves the information on your smartphone available to any hacker who sets up a Wi-Fi hotspot in a public location. To save yourself the possible exposure, turn off the Wi-Fi on your phone and stick to using the phone's own data plan to gain Internet access.

Passwords - Without proper password security, your entire online presence (Facebook, movies, and bank accounts) can be hacked, hijacked, and erased.

The use of personal passwords seems to have the greatest difference between expectation and reality. In an IT security analyst’s perfect world, each of your passwords would consist of at least ten random letters, numbers and special characters. Each account or device would have a different password, and they would change at least every ninety days. Unfortunately, the most popular passwords in use today are "12345" and "password".

Although impractical, we should never use the same password on more than one account. TEEX System Security Analyst Tyler Burwitz has some realistic suggestions for that problem.

Consider three or four primary passwords, each with a different level of security.
  • A long, complex password, limited to high-security financial accounts.
  • A different, secure password for other important accounts.
  • A password for less important accounts.
  • A “throw away” password, for when you just have to sign up for something.

By using these methods, your bank account can’t get hacked along with your Twitter account.

Burwitz offers these suggestions to help you choose more secure passwords.
  • If the word or phrase is on your Facebook page or any other online presence, don’t use it, even with variations. Good examples are pets, places and names.
  • If it is in the dictionary, don’t use it, even with variations.
  • Think PassPhrase instead. It doesn’t have to be a word.
  • Longer is better. A 20-character lower-case password is better than a 10-character complex password.
  • Use spaces in the password, if allowed.

Once a hacker has a possible password for you, he has programs available that run all the possible variations of the word. If he knows your first pet was named Fido, the program will try Fido1, 1Fido, etc.
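An added example, not part of the original post: a small Python check that applies the suggestions above. It reduces a candidate password to its base word so that variations such as Fido1 and 1Fido are caught, and it compares a 20-character lower-case password with a 10-character complex one. The word lists, function names and sample passwords are constructed assumptions for illustration.

```python
import math
import re
import string

# Constructed sample data (assumptions for this example only).
PROFILE_WORDS = {"fido", "austin"}              # words visible on a public profile
DICTIONARY = {"password", "dragon", "welcome"}  # stand-in for a real word list

# Common character substitutions, undone before comparing.
LEET = str.maketrans("0134578@$!", "oleastbasi")


def base_word(password):
    """Strip leading/trailing non-letters, lower-case, undo substitutions."""
    core = re.sub(r"^[^A-Za-z]+|[^A-Za-z]+$", "", password)
    return core.lower().translate(LEET)


def search_space_bits(password):
    """Upper bound on guessing effort, assuming every character is random."""
    pool = 0
    if any(c in string.ascii_lowercase for c in password):
        pool += 26
    if any(c in string.ascii_uppercase for c in password):
        pool += 26
    if any(c in string.digits for c in password):
        pool += 10
    if any(c in string.punctuation or c == " " for c in password):
        pool += 33  # 32 ASCII punctuation marks plus the space
    return len(password) * math.log2(pool) if pool else 0.0


def review(password):
    """Return the reasons a password fails the suggestions in this post."""
    findings = []
    word = base_word(password)
    if word in PROFILE_WORDS:
        findings.append("variation of a word from your online profile")
    if word in DICTIONARY:
        findings.append("variation of a dictionary word")
    if len(password) < 10:
        findings.append("shorter than ten characters")
    return findings
```

The bit count is only meaningful for randomly chosen characters; a password that `review` flags is weak no matter how large the number looks.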

One level more secure than a long, complex password is two-step authentication. When a user attempts to log into an account using two-step authentication, the server sends a one-time text code to the user's cell phone, which is then entered on the login screen. Even Wired reporter Mat Honan wrote recently about how he was hacked and his life erased, even though he was using two-step authentication. According to Burwitz, “If someone has the time and patience, they will figure out how to get your data from you. It's not as hard as you think, usually taking an hour or less.”

Biometrics, such as a fingerprint or iris scan, are beginning to play a greater role in security, but as a second layer of authentication instead of replacing passwords.

Some password security procedures are being reconsidered. For example, is it better to have a poor password changed every 90 days, or a long, complex password that is only changed annually?

Complaints usually accompany mandatory password changes. Burwitz explains those requirements several ways. “First, we have to follow the law. Information Technology Security must maintain a high level. We also must prevent loss of data that can result in financial loss for the agency, as well as damage to our reputation, and in an extreme case, possible personal harm.”

Game Consoles - Many of the latest game consoles have access to the Internet through a home’s wireless router, allowing users to play games with other users worldwide. It’s important that parents understand how this works and take security measures that range from disabling the “live” account to ensuring the user's screen name doesn’t divulge personal information. Even though the security settings have been modified to prevent live play with strangers, other players may have different settings allowing unknown persons into the game. Parents should visit the manufacturer’s website to fully understand the capabilities of the game console before giving it access to the Internet.

Wireless Routers - Operating an unsecured wireless router at your home or business leaves you open to complete data loss and responsibility for everything that occurs on your Internet connection. These routers allow our favorite devices to connect to the Internet, as well as share information among themselves. Unfortunately, most routers are shipped with even basic encryption disabled, allowing an outsider to do several nasty things, from slowing Internet speeds by using bandwidth to stealing your files and data.

In the past, setting the highest level of security possible for your wireless router was difficult and frustrating. The latest routers use a push-button method to connect devices, while older routers still require passwords. If you are having difficulty, consult the setup instructions that came with the router or the manufacturer’s website. You can also search YouTube for “connecting to the (insert router model here) router” or a similar phrase. Finally, Burwitz suggests, “Call a family member who knows what they're doing, probably your 15-year-old son or grandson. Also, some companies allow IT personnel to help you in this type of situation.” The important message is to get help to secure the router.

In 2013 and beyond, we must approach personal online security with the same emphasis as locking our home or car and caring for our purses and wallets. We must also be mindful that our poor security habits can compromise other computers or networks. Please take the time to have a safe, secure Internet experience this holiday.

Mat Honan’s Wired article - Kill the Password: Why a String of Characters Can’t Protect Us Anymore

Sam White owns a technology consulting company and is an adjunct communications specialist for TEEX.

Saturday, December 22, 2012

Personal Cyber Security - TEEX's Holiday Guide, Part 1

Christmas is only days away, and with it, the deployment of millions of new Internet devices into the happy hands of young and old. Most of these computers, smart phones, tablets, game consoles, and routers are shipped without any security in place. Personal computers normally come with some type of antivirus installed for a trial period that must be renewed for continued protection.

As more of our personal lives and business live on the Internet, cyber security is moving to the forefront. Education and awareness about the kind of security you need are essential. Some companies' advertisements would have you believe that you are in extreme danger and that their paid monitoring services are essential for cyber survival. Driven by extreme examples, some casual Internet users even feel it necessary to physically disconnect their PC from both the Internet and electrical system. Others may decide against using webcams and communications software for fear that they could be used to spy on them.

On the other hand, Internet security is ignored by many until something "happens." Consequences can range from "someone saying bad things about you on Twitter," to losing, at least temporarily, your money, history, ... everything.

To raise awareness and address the growing threat, TEEX’s Knowledge Engineering division, along with the Department of Homeland Security (DHS) and the Federal Emergency Management Agency (FEMA), offers several online cyber security courses. This DHS/FEMA Certified Cyber-Security Training is designed to ensure that the privacy, reliability, and integrity of the information systems that power our global economy remain intact and secure. The 10 courses are offered through three discipline-specific tracks, targeting everyday non-technical computer users, technical IT professionals, and business managers and professionals. These courses are offered at no cost, and students earn a DHS/FEMA Certificate of completion along with Continuing Education Units (CEU) at the completion of each course.

According to Michael Sevier, an instructor with the program, a cyber-security threat may have unforeseen consequences. For example, a cyber attack on a community hospital may have far-reaching repercussions. Because the hospital is unable to operate without electronic medical records, the attack could cause the complete evacuation of the facility, even though it’s a beautiful day and everything else is functioning. The evacuation may tax the resources of the community's police and fire departments as well as transportation systems and medical facilities. According to Sevier, “Everything is connected on some level, and our goal is to make emergency planners, first responders and entities such as hospitals, power plants and other essential services aware of the threat so that they can prepare and plan.”

Poor personal cyber security can be a threat to large organizations. For example, connecting a work computer that has access to company data on servers through an insecure wireless network at home or at a local coffee shop can endanger company data.

To help you ensure your personal devices and home networks are secure this holiday season, our next blog will cover basic personal cyber-security essentials, such as antivirus software for PCs, how to realistically create and use a secure password, the essentials for game console security and how to make sure your neighbor isn’t piggybacking on your new wireless home router.

In the meantime, check out TEEX’s Cyber Security course offerings. They are free and designed for everyday non-technical computer users, technical IT professionals, and business managers and professionals.

Sam White owns a technology consulting company and is an adjunct communications specialist for TEEX. He invites your comments.