Computer Security: The Bulls and the Bunnies
By: Brian Allison, December 29, 2015
When it comes to computer security, are you an angry Bull, ready to defend what’s yours, or more like a cute and defenseless Bunny? To find out, let’s explore the problem, and then compare the practices of the average computer user against the things the computer security professionals do to keep their systems and the vital information stored inside of them safe from intrusion.
Based on current trends of compromised users, the respected research group IDC estimates that by the year 2020, 1 in 5 inhabitants of this world will have been a victim of a personal information data breach. The impact will be felt more strongly in the coming years, as the type of information that’s compromised has greater consequences for the victims. If a credit card number is taken, it is relatively quick and easy to issue a new card, and in most cases the credit card issuer will protect the victim from financial loss. Compare that to health care records, where the information will include immovable items such as date of birth and Social Security Number, and you can see how the impact will only grow over time.
What the Bunnies do:
Use an Anti-Virus (AV) program. Nothing wrong with using AV, in fact, everyone should. However, AV is the security equivalent of the the proverbial “generals that are ready to win the last war but not the next one,” as it is based on what has already happened and been identified as a threat. It does not protect you against a new and unknown threat, or even a minor modification of a known threat. It’s necessary, but insufficient by itself to keep your system safe.
Use Complex passwords. A complex password is a mix of character types, upper and lower case, used along with numbers and special characters. This isn’t bad necessarily, but it’s based on old information, and the attackers know that when you do it, you’re doing it wrong. Substituting the “@” symbol for the letter “a,” and putting a “1” or a “!” at the end of a password are all very well-known ways to generate a “complex” password from an ordinary name or word. Further, the entire concept of a complex password is based on the antiquated password guessing method called a Dictionary attack. In this method, the attacker uses a stored list of common names and variations that are tried against your login screen. Now, the Dictionary has been replaced by the Brute Force method, which relies on the massive increase in computer capability to run through all possibilities…including putting that “!” at the end, and lots, lots more.
Change passwords regularly. Again, there’s nothing wrong with changing your passwords on a regular basis, other than running the risk that you’ll forget what the new password is, so you’ll write it down on a sticky note and keep it handy. System administrators often enforce changing passwords on a regular basis as a security best practice.
Only visit trusted websites. This action shows up on a regular basis with the Bunnies, but it really somewhat defeats the basic premise of the world-wide web, which is that information is available from virtually unlimited sources. While it’s true that there are sketchy sites out there, ready and willing to infect your system with all kinds of malware, this self-limiting method isn’t an effective way to go.
Backups are only made occasionally. Developing a routine for backing up a system is a difficult habit to acquire, and most users just don’t bother. The type of system or user malfunctions that can cause loss of data are rare, so most Bunnies see it as another hassle in their life that’s just not worth it.
What the Bulls do:
Software updates. This is the single most important action to be taken, and it must include all software on a system. In 2014, more than 90% of known web-based attacks were based on exploiting just one very widely used application, Java. As the Operating System vendors have gotten better at making it easy to keep their programs patched, the attackers have shifted to applications, especially those that are widely used and notoriously insecure, such as Java and Adobe Flash. Having unpatched software on your system is the modern equivalent of leaving your keys in the ignition of your car in a bad neighborhood – you’re just asking for trouble.
Don’t give out passwords or personal information to someone who calls you. Ever. Period. There is no justifiable reason for someone to ask for this type of information, yet this is the second-most common way that computer systems are breached. You also can’t rely on caller ID to indicate the person on the other end of the line can be trusted, as it is now not difficult to misrepresent who is calling you. Just don’t do it.
Use unique and long passwords, and track them with a password manager. Because of the use of the brute-force password guessing method, the longer a password is, the harder and longer it will be to guess using automated methods. It’s also important to use a unique password for every site that you visit. Of course, we mere mortals cannot remember an extended list of long passwords, especially if regular changes are enforced. For these reasons, it’s also important to make use of a password manager application. Examples of these include LastPass, TrueKey, Dashlane and many others.
Use Two-Factor Authentication (2FA) wherever possible. Two-factor authentication will send a one-time code, usually via text to your cell phone, as an extra layer of security to your accounts. 2FA can be set to require a code every time you access a particular website, or it can be required only when you use a new device to access that account. However it is done, it adds another layer of security and is especially important for your primary accounts like email and Facebook, and you should use it whenever you can. Two layers of security are always better than one.
Don’t click on that unknown link or attachment. If you weren’t expecting that email containing a link or an attachment, then don’t click on it. It’s not enough that you know the person who sent it, as one of the common actions for a compromised system to perform is to send an email to every email address it can find. This is doubly true for your bank, as the professional criminals engaged in these actions have learned to perfectly construct the look of an email from reputable sources. If in doubt, look up the source’s phone number (NOT the one in the email) and call to make sure.
Make regular backups, then disconnect the drive. The basic idea of information security is that you and only you have access to your important info. With so much of a modern life taking place in the digital realm, it is crucial to have a backup of everything that’s important to you personally – photos, videos, documents and so on. You don’t want to lose this digital life because of a user error (that’s you!) or an equipment malfunction, so be sure to back up your stuff at least every week. Now, because of the threat of ransomware, it’s also important to take the backup target device offline. Should you get infected with this extortion-via-encryption crimeware and your backup drive is actively connected to your system, then your backups will be encrypted also and made useless.
It’s not that hard, but it will require a change.
As you can see from this comparison, it’s not impossible in your digital life to transform from a Bunny to a Bull. It IS very important that you do so, as the spread of software with bad intentions is only going to increase over time. Generating and profiting from these programs is a major industry worth hundreds of millions of dollars to the perpetrators. No change in our personal habits is ever easy, as our actions that are comfortable turn into a groove, and then the groove becomes a rut. But as a co–worker of mine once told me, “Everyone wants to improve, but nobody wants to change.”