Adopt a Maintenance Mindset: Protect IT

As part of National Cyber Security Awareness Month, or NCSAM, theNational Cyber Security Alliance is advising all computer usersto “Protect IT” by taking precautions such as updating to the latestsecurity software, Web browser and operating system.

The nonprofit public-private partnership, which works with the Department ofHomeland Security as well as private sector sponsors, includingSymantec and Microsoft, advised computer users on ways to protect their personal data and information, as well as how to use WiFi safely.

Protect IT is the third pillar of the NCSA’s overarching messagearound this month’s awareness program, which focuses on keyareas related to citizen privacy, consumer devices and e-commercesecurity. Outreach programs such as this one call upon consumers aswell as businesses to take responsibility for protecting electronic data.

“National Cyber Security Awareness month is an opportunity to advocatefor informed policies and business models,” said Jim Purtilo,associate professor in the computer science department at the University of Maryland.

“While it is always in order for citizens to take responsibility fortheir own safety, that task sure would be easier if businesses andagencies shouldered a fair share of the liability for tech tragedies,”he told TechNewsWorld.

“Today companies have every incentive to gamble with cheap designs andsketchy practices; the market for clever tech applications is great,and the occasional exploit, accident or spill is a small cost ofbusiness,” warned Purtilo.

“The impact to some consumer might be lifealtering, but at the end of that day the executive or official whomade risky decisions will get to go on with his life. Better cyberdesigns and practices are known today, and policy reforms would offergreater incentive to invest in them,” he said.

Download and Update

Outdated software continues to be a major issue when it comes to basiccybersecurity today — and ironically one of the easiest things toaddress. Consumers and businesses of all sizes too often failto make regular updates that can plug security holes.

It isn’t just operating systems and antivirus programs that need to beupdated. Older browsers, and even older multiplayer games, also canpresent issues, as each of these also can be exploited by tech-savvyhackers.

The same is true of virtually all programs on a computer, tablet or phone. In other words, every piece of software that can be upgraded or updated should regularly be patched to address potential weaknesses.

“Third-party code is an area that has received little attention, eventhough it impacts consumers and the businesses that serve them,”noted Usman Rahim, digital security and operations manager atThe Media Trust, a cybersecurity research firm.

“Any business that has a website, an app, or a platform relies on abevy of known and unknown third parties who have access to valuableuser information,” he told TechNewsWorld.

“That access isn’t always authorized by the website or app owner,” Rahimadded. “Unless that owner has the right expertise and tools, theywon’t have any clue who is running code on their site and what thatcode does to their users.”

Protect IT – Update the Software

There are things that all users should be doing, and one ofthe easiest is also one that is often done the least often. That isupdating to the latest version of security software.

“Your security software, antivirus and antimalware is only as goodas its latest update,” said Ralph Russo, director of the School of Professional Advancement Information Technology Program at Tulane University.

“As malicious software is discovered on an ongoing basis, securitysoftware companies update their security definitions daily — or more –to recognize these new threats and counter them,” he told TechNewsWorld.

To take advantage of this, security software needs to be kept currentthrough updates.

“It is equally important to update your computer or device operatingsystem — Windows, Android, iOS, etc. — and devices including routers,printers and other digital equipment, on an ongoing basis to closevulnerabilities,” Russo added.

“Vulnerabilities are flaws in computer systems and devices that leaveit vulnerable to attack, he noted.

Oftentimes these vulnerabilities can be discovered months or evenyears after a system — software or hardware — has been in production.

“Software and digital device companies develop fixes to close thesevulnerabilities and then release them as software patches and fixes,”explained Russo.

“Downloading and installing these updates means that you are nowprotected from vulnerabilities that are known by the manufacturer ordevelopers,” he said.

Failing to update the software or hardware can leave the system opento older, even known, attacks. Also, it isn’t just thesoftware, but much of the hardware around the house that poses risks.

“Most people don’t update their home router’s, or Internet of Thingsdevices’ embedded software,” Russo pointed out. “However, anysoftware-controlled device can have a vulnerability, including yourhome router. Visit your home router manufacturer’s website and check.Newer routers allow you to check and install router updates right fromthe router homepage.”

Protect IT – Staying Safe on Public WiFi

Today the connected world is very muchwireless rather than wired, but public WiFi and mobile networks aren’t always sufficiently secure or hardened. Users need to keep this in mind when checking email at a coffee shop or working in a hotel room.

Wireless networks simply do not offer the same level of protection as the more secured office or even home network.

“When using WiFi in public — including coffee shops, airports, hotels –you should use a reliable virtual private network,” said Tulane’sRusso.

VPN software encrypts your transactions and routes them through the VPNservers, and users can connect to a VPN via a reliable app beforeperforming more personal actions that should require a heightenedlevel or layer of security.

“This will result in your actions not being visible on the publicWiFi network, because it is encrypted,” Russo told TechNewsWorld.

“However, remember that all your traffic is then going through the VPNservice, meaning you should find a VPN solution you trust, or has highratings for policies — no logging — and trustworthiness,” he added.”You are never truly invisible and untraceable on the Internet, but agood VPN can help.”

When on the go, it isn’t just what can be seen online either.

“When using WiFi, the Internet and applications in public, be wary of’over the shoulder’ watchers, including cameras trained on yourcomputer or device,” said Russo.

Secure IT – Home/Office WiFi

Many home and office WiFi systems are not secure enough to dispel concerns.

“Home and business WiFi networks should always be encrypted usingWPA2 security, as opposed to WEP or WPA, and require a passcode tojoin,” said Russo.

“Some folks consider hiding their network name (SSID) so people’wardriving’ (searching for WiFi networks) won’t see your networkname pop up as an option,” he added.

Taking simple steps such as changing the default username and password ofthe router are advisable too.

“Failing to do so will mean that anyone who has bought the same modelrouter would be able to log into your router’s network settings andchange them to their advantage,” Russo warned.

“When using your secure home network, you should consider adding aguest network to offer Internet on a limited one-time basis bychanging login credentials, without impacting your main WiFicredentials,” he suggested.

“People should also create a separate network for your ‘Internet ofThings’ devices, like remote garage door openers, TVFirestick/Chromecast, thermostats and security cameras,” said Russo.”This will segregate the IoT devices, and their sometimes-shakysecurity from your home computing, which should remain on its ownWiFi network.”

Protect IT – Keep Data Safe

It isn’t just personal data that is at risk. As many healthcareproviders, retail companies, and even municipalities have learned alltoo well, cybercriminals often seek credit card and other personalinformation and data from customers and clients.

“At the high level, businesses should employ data protection bestpractices by encrypting data at rest, when it is sitting indatabases; data in transit, or moving over a network; and data in use,which is actively being accessed,” said Russo.

In addition, networks should be segregated logically to enforce “needto know” access to guard against an inside threat, and firms shouldimplement a “defense-in-depth” approach to security, which canensure that hackers that gain initial access to the business networkdo not also gain access to its most sensitive information.

Companies also should ensure “physical security around technology andsystems, as physical access to systems defeats many cybersecuritymeasures,” added Russo.

“When it comes to developers and network administrators, it’simportant to keep security in the front seat,” suggested Tulane’s Fox. “It doesn’t matter if you have a highly available and performant (optimal) solution f it is not secure. Every software solution needs to be designed to be secure by design, private bydesign, and data localized by design.”

Protect IT – Insider Threats

Of critical importance in any approach to cybersecurity is the humanelement. In many cases hackers aren’t as tech-savvy as movies and TVshows suggest. Instead it is human error, including the use of weak passwordsand other bad practices, that is at fault.

“Insider threats account for the majority of mishaps and breaches,”said The Media Trust’s Rahim.

“Some of these mishaps are unintentional and directly result fromemployees’ lack of training in cybersecurity basics,” he added.

Many attackers use phishing campaigns to steal credentials and othersensitive information, and if employees are trained to watch out forthese attacks, the threat can be neutralized before any data iscompromised.

“All employees should receive at least basic cybersecurity trainingsince insider threats remain the most prevalent yet receive the leastexecutive attention and priority,” said Rahim.

“Safety practices should be things we know about but don’t need toobsess over when they easily fit into our daily lives,” saidUniversity of Maryland’s Purtilo. “We know many ways to protect peopleand systems.”