Adopt a Maintenance Mindset: Protect IT

As part of National Cyber Security Awareness Month, or NCSAM, the
National Cyber Security Alliance is advising all computer users
to “Protect IT” by taking precautions such as updating to the latest
security software, Web browser and operating system.

The nonprofit public-private partnership, which works with the
Department of Homeland Security as well as private sector sponsors,
including Symantec and Microsoft, advised computer users on ways to
protect their personal data and information, as well as how to use
WiFi safely.

Protect IT is the third pillar of the NCSA’s overarching message
around this month’s awareness program, which focuses on key
areas related to citizen privacy, consumer devices and e-commerce
security. Outreach programs such as this one call upon consumers as
well as businesses to take responsibility for protecting electronic data.

October 2019 is National Cybersecurity Awareness Month #BeCyberSmart

“National Cyber Security Awareness month is an opportunity to advocate
for informed policies and business models,” said Jim Purtilo,
associate professor in the computer science department at the University of Maryland.

“While it is always in order for citizens to take responsibility for
their own safety, that task sure would be easier if businesses and
agencies shouldered a fair share of the liability for tech tragedies,”
he told TechNewsWorld.

“Today companies have every incentive to gamble with cheap designs and
sketchy practices; the market for clever tech applications is great,
and the occasional exploit, accident or spill is a small cost of
business,” warned Purtilo.

“The impact to some consumer might be life
altering, but at the end of that day the executive or official who
made risky decisions will get to go on with his life. Better cyber
designs and practices are known today, and policy reforms would offer
greater incentive to invest in them,” he said.

Download and Update

Outdated software continues to be a major issue when it comes to basic
cybersecurity today — and ironically one of the easiest things to
address. Consumers and businesses of all sizes too often fail
to make regular updates that can plug security holes.

It isn’t just operating systems and antivirus programs that need to be
updated. Older browsers, and even older multiplayer games, also can
present issues, as each of these also can be exploited by tech-savvy
hackers.

The same is true of virtually all programs on a computer, tablet or phone. In other words,
every piece of software that can be upgraded or updated should
regularly be patched to address potential weaknesses.

“Third-party code is an area that has received little attention, even
though it impacts consumers and the businesses that serve them,”
noted Usman Rahim, digital security and operations manager at
The Media Trust, a cybersecurity research firm.

“Any business that has a website, an app, or a platform relies on a
bevy of known and unknown third parties who have access to valuable
user information,” he told TechNewsWorld.

“That access isn’t always authorized by the website or app owner,” Rahim
added. “Unless that owner has the right expertise and tools, they
won’t have any clue who is running code on their site and what that
code does to their users.”

Protect IT – Update the Software

There are things that all users should be doing, and one of
the easiest is also one that is done the least often. That is
updating to the latest version of security software.

“Your security software, antivirus and antimalware is only as good
as its latest update,” said Ralph Russo, director of the School of
Professional Advancement Information Technology Program at Tulane
University.

“As malicious software is discovered on an ongoing basis, security
software companies update their security definitions daily — or more —
to recognize these new threats and counter them,” he told TechNewsWorld.

To take advantage of this, security software needs to be kept current
through updates.

“It is equally important to update your computer or device operating
system — Windows, Android, iOS, etc. — and devices including routers,
printers and other digital equipment, on an ongoing basis to close
vulnerabilities,” Russo added.

“Vulnerabilities are flaws in computer systems and devices that leave
it vulnerable to attack,” he noted.

Oftentimes these vulnerabilities can be discovered months or even
years after a system — software or hardware — has been in production.

“Software and digital device companies develop fixes to close these
vulnerabilities and then release them as software patches and fixes,”
explained Russo.

“Downloading and installing these updates means that you are now
protected from vulnerabilities that are known by the manufacturer or
developers,” he said.

Failing to update the software or hardware can leave the system open
to older, even known, attacks. Also, it isn’t just the
software, but much of the hardware around the house that poses risks.

“Most people don’t update their home router’s, or Internet of Things
devices’ embedded software,” Russo pointed out. “However, any
software-controlled device can have a vulnerability, including your
home router. Visit your home router manufacturer’s website and check.
Newer routers allow you to check and install router updates right from
the router homepage.”

Protect IT – Staying Safe on Public WiFi

Today the connected world is very much
wireless rather than wired, but public WiFi and mobile networks aren’t always
sufficiently secure or hardened. Users need to keep this in mind when checking
email at a coffee shop or working in a hotel room.

Wireless networks simply do not offer the same level of protection as
the more secured office or even home network.

“When using WiFi in public — including coffee shops, airports, hotels —
you should use a reliable virtual private network,” said Tulane’s
Russo.

VPN software encrypts your transactions and routes them through the VPN
servers, and users can connect to a VPN via a reliable app before
performing more personal actions that should require a heightened
level or layer of security.

“This will result in your actions not being visible on the public
WiFi network, because it is encrypted,” Russo told TechNewsWorld.

“However, remember that all your traffic is then going through the VPN
service, meaning you should find a VPN solution you trust, or has high
ratings for policies — no logging — and trustworthiness,” he added.
“You are never truly invisible and untraceable on the Internet, but a
good VPN can help.”

When on the go, it isn’t just what can be seen online either.

“When using WiFi, the Internet and applications in public, be wary of
‘over the shoulder’ watchers, including cameras trained on your
computer or device,” said Russo.

Secure IT – Home/Office WiFi

Many home and office WiFi systems are not secure enough to dispel concerns.

“Home and business WiFi networks should always be encrypted using
WPA2 security, as opposed to WEP or WPA, and require a passcode to
join,” said Russo.

“Some folks consider hiding their network name (SSID) so people
‘wardriving’ (searching for WiFi networks) won’t see your network
name pop up as an option,” he added.

Taking simple steps such as changing the default username and password of
the router is advisable too.

“Failing to do so will mean that anyone who has bought the same model
router would be able to log into your router’s network settings and
change them to their advantage,” Russo warned.

“When using your secure home network, you should consider adding a
guest network to offer Internet on a limited one-time basis by
changing login credentials, without impacting your main WiFi
credentials,” he suggested.

“People should also create a separate network for your ‘Internet of
Things’ devices, like remote garage door openers, TV
Firestick/Chromecast, thermostats and security cameras,” said Russo.
“This will segregate the IoT devices, and their sometimes-shaky
security from your home computing, which should remain on its own
WiFi network.”

Protect IT – Keep Data Safe

It isn’t just personal data that is at risk. As many healthcare
providers, retail companies, and even municipalities have learned all
too well, cybercriminals often seek credit card and other personal
information and data from customers and clients.

“At the high level, businesses should employ data protection best
practices by encrypting data at rest, when it is sitting in
databases; data in transit, or moving over a network; and data in use,
which is actively being accessed,” said Russo.

In addition, networks should be segregated logically to enforce “need
to know” access to guard against an inside threat, and firms should
implement a “defense-in-depth” approach to security, which can
ensure that hackers that gain initial access to the business network
do not also gain access to its most sensitive information.

Companies also should ensure “physical security around technology and
systems, as physical access to systems defeats many cybersecurity
measures,” added Russo.

“When it comes to developers and network administrators, it’s
important to keep security in the front seat,” suggested Tulane’s Fox.
“It doesn’t matter if you have a highly available and performant (optimal) solution
if it is not secure. Every software solution needs to be designed to be secure by design, private by
design, and data localized by design.”

Protect IT – Insider Threats

Of critical importance in any approach to cybersecurity is the human
element. In many cases hackers aren’t as tech-savvy as movies and TV
shows suggest. Instead it is human error, including the use of weak passwords
and other bad practices, that is at fault.

“Insider threats account for the majority of mishaps and breaches,”
said The Media Trust’s Rahim.

“Some of these mishaps are unintentional and directly result from
employees’ lack of training in cybersecurity basics,” he added.

Many attackers use phishing campaigns to steal credentials and other
sensitive information, and if employees are trained to watch out for
these attacks, the threat can be neutralized before any data is
compromised.

“All employees should receive at least basic cybersecurity training
since insider threats remain the most prevalent yet receive the least
executive attention and priority,” said Rahim.

“Safety practices should be things we know about but don’t need to
obsess over when they easily fit into our daily lives,” said
University of Maryland’s Purtilo. “We know many ways to protect people
and systems.”


Peter Suciu has been an ECT News Network reporter since 2012. His areas of focus include cybersecurity, mobile phones, displays, streaming media, pay TV and autonomous vehicles. He has written and edited for numerous publications and websites, including Newsweek, Wired and FoxNews.com.

source: technewsworld.com