In the UK, there are now Police forces that will not attend a crime if the victim hasn’t carried out their security basics. If you leave your home unlocked and windows open whilst you go out, then you haven’t performed the necessary precautions to prevent a crime. The boys (& girls) in blue might not come rushing around if you’ve willingly left your front door open. To compound the crime further, you may even find that your insurance company may not pay out either. If you don’t perform the security basics in protecting your home, why should they pay out?
Now let’s make the comparison between physical and digital security.
Website operators spend a fortune locking down their services to protect against digital fraud. They lock all the ‘doors and windows’ by implementing proper security controls. They also have to grant access to their customers, by having one recognised locked door that only people issued with a key can use. Until everyone adopts 2-factor / multi-factor authentication, that key is just a username and password.
Security basics : Key re-use
The more places you use the same username and/or password, the more doors that key will unlock. By the time you’ve registered that username and password at a handful of sites, you’ve effectively created a skeleton key.
Let’s also consider those websites that are less than honest. Not only does your key in their lock open the door, their lock also takes an imprint of your key. They can either then reuse that key themselves, or sell on your credentials to anyone willing to pay.
Security basics : Too much information
Another of the biggest security basics mistakes is offering too much information about yourself.
All my friends know when my birthday is, they’ve been sending cards for years. In today’s sycophantic society, have we become absorbed with a need to be recognised by complete strangers?
Don’t offer too much information about yourself out to the internet. Don’t offer other people’s information out either! That Facebook posting of ‘Happy 51st hun’ at 7am has just published someone else’s date of birth. That ‘retro’ posting of someone tearing up their ‘L Plates’ probably divulges what their first car was. We’ve all filled in those online ‘security’ questions, so we should also know what not to share.
Security basics : Don’t just click
Clickbait is when there is a link or proposal so tempting, you just have to click on it. Its promises of friendship, money or entertainment are just a gateway to pain. It can be anything from someone trying to gain more information about you, to being an attempt to install malware on your machine.
It can be fairly benign. Even reputable publications will have a trail of outsourced Clickbait adverts within the footer of their online pages. Clicking the ‘You won’t believe these amazing cat photos’ may take you to some lightly entertaining content, but you’ll also be receiving more than you asked for. The advertiser will be sending you advert after advert on screen, but also installing methods of tracking you online even after you’ve finished watching kitties.
Clickbait can also be nefarious. Accepting that friend request is just the first step in allowing a stranger to gain more information about you. Ever noticed how the only strangers who ask to be your friend are always beautiful or handsome? How about those flashing warnings instead of adverts that tell you that your Adobe Flash is out of date? One click and you can update it – although you **will** be installing more than Adobe Flash if you follow that route.
If, dearest reader, you follow Unshakeable Salt on Twitter, you will no doubt be aware that I’m currently contracted to provide services to The Co-op. Working within a smallish team, I’m providing consultancy to a massive Information Security improvement programme.
Like many ‘old’ big businesses, The Co-op are trying to play catch up. Still reeling from past issues, they have already made massive gains improving the maturity of their Information Security. They have executive buy-in and everyone wants to improve security. The Co-op has a dedicated and committed team who know it is important to get the security basics right. They could have bought a shiny flashy alarm, put up barbed wire fences and trained guard dogs. Instead they’ve done the wise thing and first fitted a new front door and fixed the locks.
This improvement programme is ‘fixing the plumbing’ and many businesses could learn a thing or two from this approach. You need to get the basics right first, as true security will only come from a secure foundation.