If you Google the keywords, “cyber security,” you’ll get thousands of search results. Internet security is a nightmare for business, the public sector and consumers. Unfortunately, published advice is well-intentioned, but often misses the mark.
There’s no room for error in cyber security precautions. It isn’t as simple as getting a watch dog to provide Internet security.
A case-in-point: An advice article on Internet security at SeattlePI.com that caught my eye. Not because it contained great information, but the article didn’t seem to be on target.
It featured the opinions of David Perry, the global director of education for TrendMicro. Having written dozens of tech columns here, something seemed amiss. The article was certainly intended to be helpful, but it didn’t seem right.
Not to pick on reporter Casey Newton, but I was left wanting more and better information. It seemed to be nothing more than PR fluff for TrendMicro.
So, I sent the article to a nationally known security expert, Stan Stahl, Ph.D., in Los Angeles (www.citadel-information.com). Does Dr. Stahl agree with Mr. Perry?
Here are his responses to the four points:
David Perry:“Make sure your computer isn’t infected already.”
Dr. Stahl: Yes. By all means scan. Even use Trend Micro’s HouseCall. But don’t be lulled into a false sense of security. Remember that the most serious attacks like 0-days and drive-bys are written to get past antivirus programs.
That’s why we publish our “Weekend Vulnerability and Patch Management Report.”
David Perry: “Avoid exposing your credit number.”
Dr. Stahl: More important than this item 2 is to (i) always make sure you’re running https and not just http before entering your credit card info and (ii) if given the option, don’t let smaller retailers store your credit card numbers [they’re less likely to have proper security].
David Perry: “Use protection.”
Dr. Stan Stahl
Dr. Stahl: Definitely use protection, but don’t forget to keep all your programs patched and run a good spam filter. That’s what makes this so misleading; it conveys the impression that running antivirus is enough. It’s not! Users can subscribe to our blog and update their computer in accordance with our “Weekend Vulnerability and Patch Management Report.”
David Perry: “Watch where you click.”
Dr. Stahl: Yes; never click a link in an email and always check the seller’s reputation. The part about buying from the manufacturer is bogus.
Dr. Stahl, thank you for your usual valuable insights.
(Note: I’ve known Dr. Stahl a long time and consider him the go-to security expert. He and I were members of a roundtable of veteran consultants in Los Angeles.)
Online safety checklist from Dr. Stahl
Cybercriminals want your bank account and credit card numbers so they can take your money and use your credit while stiffing you with the bill. They want your social security number so they can apply for credit in your name, stealing your identity. They sell stolen medical insurance information.
Cybercriminals steal your sensitive personal information by taking control of your computer. This control also lets them install rogue programs on your computer, turning your computer into a zombie under their control—the cyber-equivalent of Night of the Living Dead. These control programs make money for the cybercriminals by sending spam, displaying pop-up ads, and committing sophisticated computer crime.
Cybercriminals take control of your computer by exploiting four weaknesses:
- Every computer program running on your computer has subtle programming errors (vulnerabilities) that cybercriminals exploit to take control of your computer.
- Legitimate internet web sites often fail to prevent cybercriminals from installing malicious programs on their web sites. When you visit these sites, these malicious programs silently install Trojan horses and other malware on your computer.
- Default settings for many computer programs make it easy for cyber criminals to take control of your computer.
- Users often don’t know what they need to do to minimize the dangers and risks of cybercrime, particularly the need for defense-in-depth.
Defense Strategy 1: Keep Cybercriminals Off Your Computer
- Keep Systems Patched: Software manufacturers issue program updates containing patches to fix known vulnerabilities. Set Microsoft Windows and Office to automatically update. Manually update other programs like Adobe Acrobat, iTunes, Flash and Java.
- Limit Exposure: Create separate accounts for all family members. This is done in the Control Panel. Set account type to “Limited” unless the account needs to run programs as “Administrator.” This will make it harder for cybercriminals to install malware on your computer.
- Protect Your Desktop: Install a reputable antivirus / antispyware product & keep it up-to-date. If you’re technical, run Firefox with the NoScript add-on inside of sandboxie and install a host intrusion prevention system. Sophisticated cybercriminals can get past basic antivirus/antispyware software. Antivirus is necessary. It is not sufficient.
- Secure Your WiFi: If you have a wireless network, encrypt it with WPA2 encryption. Otherwise anyone near you can eavesdrop on your communications and piggy-back on your connection.
- Stay Away from P2P Networks: Don’t run Peer-to-Peer or other file sharing programs, such as Kazaa, Limewire or BitTorrent. These networks provide strangers access to your computer.
- Beware of Scams, 1: Don’t click on web-site ads or pop-ups offering to scan your computer for free. Cybercriminals love to take advantage of people’s fear of getting a virus. Instead of scanning your computer, these programs will infect it. Always be wary.
- Beware of Scams, 2: Don’t open unusual or unexpected attachments, not even from people you know. It’s easy to send an email so it looks like it came from someone else. Also, how do you know your friend’s computer hasn’t been taken over? Always be wary.
- Beware of Scams, 3: Don’t follow links in unfamiliar or unusual emails, especially those requesting your user names, passwords, or financial information. A SPAM filter can help you avoid these e-mails but you must be on guard for emails that get past your SPAM filter. Always be wary.
Defense Strategy 2: Be Careful With Your Financial Information On-Line
- Don’t send your Social Security Number, bank account numbers or credit card numbers in unencrypted email.
- Use different strong passwords [8+ characters, upper & lower case, numbers, characters] for all eCommerce websites. Use Password Safe or RoboForm to securely manage online passwords.
- Only buy on-line from merchants using SSL, which means the website address begins with https://. Look for the “lock” on the title bar of Internet Explorer or Firefox’s lower right corner.
- Use a credit card rather than a debit card when shopping on-line. Link PayPal to your credit card, not your bank account. Federal law limits your credit card exposure to $50. There is no corresponding limit if you use a debit card (even though many banks cover debit card fraud).
Defense Strategy 3: Protect Your Information Away from Home
- Keep your laptop with you at all times. Never leave it unattended in your car.
- Keep WiFi and Bluetooth turned off except when you are using them.
- Encrypt the hard drive of your laptop, protecting it with a strong 15+ character passphrase. If you lose the laptop, the information is still safe.
- Never use a public computer, Kiosk, or public WiFi for online banking, shopping or to access sensitive information. Since you don’t know how secure these are, prudence requires you to assume they are insecure.
Defense Strategy 4: Watch Your Credit
- Subscribe to a basic credit monitoring service (AAA California offers members a free service)
- Regularly review your bank, credit card and investment accounts for fraudulent activity.
Defense Strategy 5: Better Safe Than Sorry
- Always think about the information you are giving out.
- When in doubt, don’t.
- Stay up-to-date by reading our blog.
From the Coach’s Corner, more articles featuring the expertise of Dr. Stahl:
Lesson about Passwords after Theft of 16,000+ UCLA Patient Records — Another massive theft of thousands of medical records prompts these tips on passwords from Dr. Stan Stahl, a nationally recognized security expert.
Using Starbucks’ WIFI? Expert Issues Warning, Security Checklist — The WIFI offering by Starbucks has prompted a security warning and checklist from a go-to Internet security guru, Dr. Stan Stahl.
Security Expert Warns about Using App that Emails Money — A service by a company called Square Inc. will allow you to e-mail money to your friends free-of-charge. But an IT security expert issues a warning.
Surprise — Cyber Criminals Chew up Apple Products, too — For years in terms of security, Windows has been considered inferior to Macs. But no longer thanks to malware security epidemics. If you’ve got an iPhone, get busy. Apple continues to have bugs and security issues.
“Security is always excessive until it’s not enough.”