One of the core tenets of National Cybersecurity Awareness Month this year is “Secure It.”
But what is “it” exactly?
“It” refers to the devices and the accounts you access on those devices.
“It” also refers to the overall security posture you help yourself and your organization maintain.
Security is a team effort and a shared responsibility. There’s no better embodiment of that shared responsibility than web application security: no single individual or group—from development to operations to security—carries the burden of security in totality. That’s why our next-gen WAF and RASP technology creates the necessary feedback loops between these teams with actionable information to stop web attacks.
Reducing personal security risk enhances organizational security
Security is part of a proactive mindset. That doesn’t mean you should live in a constant state of fear. Being security minded means you take precautions and follow best practices that will reduce your risk of becoming a victim of fraud or other criminal activity. And if you do that for your own sake, by extension you’ll enhance the security posture of your organization. Below are vital tips that can both help protect you and your organization against security incidents.
Secure your accounts:
- Enable 2FA (two-factor authentication) for accounts when available: two-factor authentication makes use of an “out of band” communication meant only for you. A numeric code is usually sent via SMS, email or via an authentication app on a mobile device you enter during the login process to a web-based service. This puts a blocker in the way of attackers who do not have access to the confirmation code. Many web services—from social media to banking to travel booking sites—offer 2FA, so use it!
- Unique, strong passwords: Make every password unique and never reuse passwords between any website or service. Reusing the same username-password combination puts you at risk: if one web service you use is breached, all the other sites you use the same credentials for will be at risk of account takeover.
- Use a password manager: Don’t write down or record passwords in a plain text file on your device. Go ahead and laugh, but many lazy people still do this. Use a password manager that can easily store all your account passwords across several operating systems: once you store a username-password combo for an account, you can access it from any device that you are logged into the password manager service. Many also have browser plugins—for both desktop and mobile—that will copy and paste credential values into form fields. While not perfect, password managers will help you create and store unique, strong passwords for every account you must access.
- Don’t overshare on social media: Check the security settings of your social media profiles and confirm who can view your profile and posts. This restricts the sharing of posts, photos and information with only those you want to have that information. Second, really consider how important it is to share awesome vacation photos and the location of where the pictures were taken while you’re on vacation. Details like that can provide attackers with your location and other ammunition to craft spear phishing attack emails as well as potential answers to security questions.
- Identify phishing and spear phishing emails: Don’t click on direct links (in emails, text messages, etc.) in messages asking you to enter sensitive information. It’s best to go directly to the supposed source to confirm they actually requested the information in the first place. And always remember: you’re never obligated to reply to messages you weren’t expecting from unknown, questionable sources.
- Avoid Smishing (SMS phishing): Treat text messages from unknown senders the same way you would treat email: If unexpected, delete the text. You can always call your bank or other organization claiming to be contacting you about the matter by calling a known, valid phone number for that institution.
- Never answer authentication recovery questions with real answers. Example question: What is your mother’s maiden name? While it’s easy to remember the actual answers to questions like these, if attackers exfiltrate those answers in a breach, they’ll use them in automated attacks against other websites where you may have used them, putting your other accounts at risk. Many password managers have a feature that allows you to securely store answers like this per account should you need to re-enter them during the login process later.
- See something? Say something: Report suspicious emails to your IT and/or security team at your workplace. Don’t just delete the email. Report it so your organization’s security posture benefits.
Secure your devices:
Don’t brush and floss your teeth regularly? Expect cavities. Don’t change the oil and filter on your car? Expect your car to stop operating properly. The same line of thought applies to computing devices: you need to maintain them to keep them operating properly—and secure.
- Patch your computers and applications in a timely manner: When operating system maintainers issue patches or update, do the upgrade. This ensures the operating system has the latest security patches applied to prevent attackers from leveraging known vulnerabilities. Also update web browsers, browser add-ons, and web server software, databases, and server management software.
- Use a unique device password:This should be a distinct password you do not use for your account passwords. Your organization’s IT group should also force password changes at regular intervals. If they don’t, take it upon yourself to change your device passwords at least once every three months, if not sooner.
- Lock your device screen: When you get up from your desk, lock your device’s screen. Smartphones should have a passcode enabled also. Should someone steal your device, the thief will have to enter your password to gain access to any sensitive data accessible via that device. There are various ways to quickly lock a device’s screen depending on the operating system. Also, if you lose your device, notify your IT department ASAP so they can take appropriate steps to lock down access to your accounts. Smartphone storage can be wiped remotely also if necessary.
- Install endpoint and mobile security software: Most business—from SMB to enterprise—should have some form of endpoint device protection installed on your work device. Many also require an MDM (mobile device management) agent installed on your personal smartphone so they can monitor the device and app usage. But if yours doesn’t, install internet security software on your company provided computer—even a free option is better than nothing at all. Several mobile security apps are also available for Android.
Avoid financial fraud:
Much of our business lives occurs on our mobile devices via email and finance apps. You’re the first line of defense against financial crime attempts arriving in your email and voicemail inboxes. These tips can help you prevent monetary loss—your own or your organization’s.
- Verify the validity of any request for funds: Be skeptical of any request to change banking or wiring instructions, even if from a trusted person who you regularly conduct business with. Always verify any payment instructions before following through by calling the organization requesting the funds and confirming
- Avoid invoice fraud: This occurs when a crook tricks a business into transferring money by posing as a legitimate payee. If you work in a finance role or any role that controls funds for your employer, view any unexpected invoice with suspicion and validate that any invoice you receive is real.
- Never divulge sensitive account details: No financial organization will proactively ask you for sensitive account information or PII (personally identifiable information) via email, text, or phone—view any request to do so with high suspicion and delete the email, voicemail or hang up.
Security is journey, not a final destination
There’s no way in one blog I can explain every single step you can take to enhance your security posture. If this list was a music playlist, you could look at this as a “greatest hits” compilation.
If there’s one security prediction I am confident making, it’s that attackers will continue to change their tactics to defraud and otherwise take advantage of your trust and good will. But by enhancing your security posture, you’ll put in place processes and tools that can be built upon.
Now that you know what “it” is—go forth and secure it!
- How To Stay Safe Online from the National Cyber Security Alliance
- Security tips from the Department of Homeland Security
- Surveillance Self-Defense from the Electronic Frontier Foundation
*** This is a Security Bloggers Network syndicated blog from Signal Sciences authored by Brendon Macareg. Read the original post at: https://www.signalsciences.com/blog/security-shared-responsibility-national-cybersecurity-awareness-month/