Adopt a Maintenance Mindset: Protect IT

TechNewsWorld
Original Source
Tech News World

This article originally appeared in Tech News World, Linux Insider, and Ecommerce Times on October 18, 2019.

As part of National Cyber Security Awareness Month, or NCSAM, the National Cyber Security Alliance is advising all computer users to "Protect IT" by taking precautions such as updating to the latest security software, Web browser and operating system.

The nonprofit public-private partnership, which works with the Department of Homeland Security as well as private sector sponsors, including Symantec and Microsoft, advised computer users on ways to protect their personal data and information, as well as how to use WiFi safely.

Protect IT is the third pillar of the NCSA's overarching message around this month's awareness program, which focuses on key areas related to citizen privacy, consumer devices and e-commerce security. Outreach programs such as this one call upon consumers as well as businesses to take responsibility for protecting electronic data.

"National Cyber Security Awareness month is an opportunity to advocate for informed policies and business models," said Jim Purtilo, associate professor in the computer science department at the University of Maryland.

"While it is always in order for citizens to take responsibility for their own safety, that task sure would be easier if businesses and agencies shouldered a fair share of the liability for tech tragedies," he told TechNewsWorld.

"Today companies have every incentive to gamble with cheap designs and sketchy practices; the market for clever tech applications is great, and the occasional exploit, accident or spill is a small cost of business," warned Purtilo.

"The impact to some consumer might be life altering, but at the end of that day the executive or official who made risky decisions will get to go on with his life. Better cyber designs and practices are known today, and policy reforms would offer greater incentive to invest in them," he said.

Download and Update

Outdated software continues to be a major issue when it comes to basic cybersecurity today -- and ironically one of the easiest things to address. Consumers and businesses of all sizes too often fail to make regular updates that can plug security holes.

It isn't just operating systems and antivirus programs that need to be updated. Older browsers, and even older multiplayer games, also can present issues, as each of these also can be exploited by tech-savvy hackers.

The same is true of virtually all programs on a computer, tablet or phone. In other words, every piece of software that can be upgraded or updated should regularly be patched to address potential weaknesses.

"Third-party code is an area that has received little attention, even though it impacts consumers and the businesses that serve them," noted Usman Rahim, digital security and operations manager at The Media Trust, a cybersecurity research firm.

"Any business that has a website, an app, or a platform relies on a bevy of known and unknown third parties who have access to valuable user information," he told TechNewsWorld.

"That access isn't always authorized by the website or app owner," Rahim added. "Unless that owner has the right expertise and tools, they won't have any clue who is running code on their site and what that code does to their users."

Protect IT - Update the Software

There are things that all users should be doing, and one of the easiest is also one that is often done the least often. That is updating to the latest version of security software.

"Your security software, antivirus and antimalware is only as good as its latest update," said Ralph Russo, director of the School of Professional Advancement Information Technology Program at Tulane University.

"As malicious software is discovered on an ongoing basis, security software companies update their security definitions daily -- or more -- to recognize these new threats and counter them," he told TechNewsWorld.

To take advantage of this, security software needs to be kept current through updates.

"It is equally important to update your computer or device operating system -- Windows, Android, iOS, etc. -- and devices including routers, printers and other digital equipment, on an ongoing basis to close vulnerabilities," Russo added.

"Vulnerabilities are flaws in computer systems and devices that leave it vulnerable to attack, he noted.

Oftentimes these vulnerabilities can be discovered months or even years after a system -- software or hardware -- has been in production.

"Software and digital device companies develop fixes to close these vulnerabilities and then release them as software patches and fixes," explained Russo.

"Downloading and installing these updates means that you are now protected from vulnerabilities that are known by the manufacturer or developers," he said.

Failing to update the software or hardware can leave the system open to older, even known, attacks. Also, it isn't just the software, but much of the hardware around the house that poses risks.

"Most people don't update their home router's, or Internet of Things devices' embedded software," Russo pointed out. "However, any software-controlled device can have a vulnerability, including your home router. Visit your home router manufacturer's website and check. Newer routers allow you to check and install router updates right from the router homepage."

Protect IT - Staying Safe on Public WiFi

Today the connected world is very much wireless rather than wired, but public WiFi and mobile networks aren't always sufficiently secure or hardened. Users need to keep this in mind when checking email at a coffee shop or working in a hotel room.

Wireless networks simply do not offer the same level of protection as the more secured office or even home network.

"When using WiFi in public -- including coffee shops, airports, hotels -- you should use a reliable virtual private network," said Tulane's Russo.

VPN software encrypts your transactions and routes them through the VPN servers, and users can connect to a VPN via a reliable app before performing more personal actions that should require a heightened level or layer of security.

"This will result in your actions not being visible on the public WiFi network, because it is encrypted," Russo told TechNewsWorld.

"However, remember that all your traffic is then going through the VPN service, meaning you should find a VPN solution you trust, or has high ratings for policies -- no logging -- and trustworthiness," he added. "You are never truly invisible and untraceable on the Internet, but a good VPN can help."

When on the go, it isn't just what can be seen online either.

"When using WiFi, the Internet and applications in public, be wary of 'over the shoulder' watchers, including cameras trained on your computer or device," said Russo.

Secure IT - Home/Office WiFi

Many home and office WiFi systems are not secure enough to dispel concerns.

"Home and business WiFi networks should always be encrypted using WPA2 security, as opposed to WEP or WPA, and require a passcode to join," said Russo.

"Some folks consider hiding their network name (SSID) so people 'wardriving' (searching for WiFi networks) won't see your network name pop up as an option," he added.

Taking simple steps such as changing the default username and password of the router are advisable too.

"Failing to do so will mean that anyone who has bought the same model router would be able to log into your router's network settings and change them to their advantage," Russo warned.

"When using your secure home network, you should consider adding a guest network to offer Internet on a limited one-time basis by changing login credentials, without impacting your main WiFi credentials," he suggested.

"People should also create a separate network for your 'Internet of Things' devices, like remote garage door openers, TV Firestick/Chromecast, thermostats and security cameras," said Russo. "This will segregate the IoT devices, and their sometimes-shaky security from your home computing, which should remain on its own WiFi network."

Protect IT - Keep Data Safe

It isn't just personal data that is at risk. As many healthcare providers, retail companies, and even municipalities have learned all too well, cybercriminals often seek credit card and other personal information and data from customers and clients.

"At the high level, businesses should employ data protection best practices by encrypting data at rest, when it is sitting in databases; data in transit, or moving over a network; and data in use, which is actively being accessed," said Russo.

In addition, networks should be segregated logically to enforce "need to know" access to guard against an inside threat, and firms should implement a "defense-in-depth" approach to security, which can ensure that hackers that gain initial access to the business network do not also gain access to its most sensitive information.

Companies also should ensure "physical security around technology and systems, as physical access to systems defeats many cybersecurity measures," added Russo.

"When it comes to developers and network administrators, it's important to keep security in the front seat," suggested Tulane's Fox. "It doesn't matter if you have a highly available and performant (optimal) solution f it is not secure. Every software solution needs to be designed to be secure by design, private by design, and data localized by design."

Protect IT - Insider Threats

Of critical importance in any approach to cybersecurity is the human element. In many cases hackers aren't as tech-savvy as movies and TV shows suggest. Instead it is human error, including the use of weak passwords and other bad practices, that is at fault.

"Insider threats account for the majority of mishaps and breaches," said The Media Trust's Rahim.

"Some of these mishaps are unintentional and directly result from employees' lack of training in cybersecurity basics," he added.

Many attackers use phishing campaigns to steal credentials and other sensitive information, and if employees are trained to watch out for these attacks, the threat can be neutralized before any data is compromised.

"All employees should receive at least basic cybersecurity training since insider threats remain the most prevalent yet receive the least executive attention and priority," said Rahim.

"Safety practices should be things we know about but don't need to obsess over when they easily fit into our daily lives," said University of Maryland's Purtilo. "We know many ways to protect people and systems."