With the recent announcements in the U.S. about personal data being sold, the question of being hacked is taking on more urgency, because your personal data is becoming a bigger and bigger target. How do you prevent hacking? How many of us use OneDrive for personal files and photos? How many of us have documents online that contain some type of personally identifiable information? How many people use public Wi-Fi without a VPN? How many people intentionally or unintentionally expose their data to hackers? The answer is probably all of us at one time or another. And with the continued use of corporate devices for personal use, the problem keeps compounding in severity. A recent example is my own use of a public Wi-Fi connection for a meeting at Starbucks; I then forgot that my phone stores Wi-Fi networks it has joined, so the next time I went the phone connected automatically without my realizing it for more than 30 minutes, exposing my phone to the public Wi-Fi. More than enough time to get to my data.
We all get Hacked – Prevent Hacking
The reality is we are all targets. Our personal data, browsing data, locations, device usage and the people we talk to are all targets, and our regular daily use is increasing the ability of the "data collectors" to get to our data. We have all heard about the privacy issues in Windows 10, and we know that Google and Facebook track every click and call we make, even going as far as tracking us through our mobile phone's battery status. Anyone freaked out? Probably not, because it is the new normal and we rarely question the effects of our choices; we all love our new iPhones or Galaxies. Moreover, good security can be challenging to implement and to use consistently, and for most of us taking the extra step to protect ourselves is not yet a habit.
History of Hacking
Attempting to prevent hacking, and being hacked, are nothing new; it has been going on for more than a century. As early as 1903 we have the first recorded example of a hack, when Nevil Maskelyne hijacked a public demonstration of Guglielmo Marconi's wireless telegraph, causing it to tap out insulting Morse code and a rude poem. Today, hacking is big business and a pervasive issue that follows us around daily, whether it is state-controlled entities or wide-ranging cybercrime with motives including selling your data, revenge and corporate espionage. At the end of the day there is one common goal: to get your data. Experts predict that by 2019 hacking will cost companies more than $2 trillion. As an example, today McDonald's Canada announced that the data of 95,000 job applicants had been exposed over a period of three years.
Hacking and Smart Homes
Today we are in the early stages of next-generation technologies built on the so-called Internet of Things (IoT). Many of us already have Alexa, Google Home, Nest thermostats or smart lights in our houses, but did anybody ever really stop to think about the security risks of these devices? The expansion of the IoT, and its potential to connect every device that can be connected, creates significantly more opportunities for hackers, and these opportunities sit directly within each person's home. Every day we hear about new hacks, or the possibility of hacks, involving wirelessly connected insulin pumps, automobiles, baby monitors and webcams. As a web hosting company running our own DNS, we remember the massive DDoS (distributed denial of service) attack in October 2016 against the leading DNS provider Dyn. The attack used the Mirai botnet of hundreds of thousands of compromised consumer devices, including webcams, to block access to a host of popular websites such as Netflix.
The New Normal
If you consider the above, hacking is the new normal. We even use the word in everyday conversation when we talk about "hacking" things together. I am seeing more and more devices and security features that are integrated now and do not require any special setup. I recently purchased a Cujo security device for our home and preordered a Keezel VPN device for traveling. So, while hacking is becoming more pervasive, we are also able to meet many of those challenges simply by being aware and taking the necessary steps to protect and defend ourselves. Another consideration is how much we can do to protect ourselves simply by using common sense. With that being said, what is the first step?
To prevent hacking, the first step is to be vigilant. Vigilance starts with awareness; the simple fact that you are reading this article indicates that you are doing your best to learn about the risks, the consequences of being hacked, and how to avoid them. As a newly minted "vigilante" against hacking, I am including six common practices to help you protect yourself right away. By adopting them you quickly remove many of the potential vulnerabilities that attackers look for in the wild, and remember that none of these are rocket science. Most are common sense and just need to be enabled to start protecting you.
Anti-virus software: While anti-virus software alone is not enough, it has a role to play in catching known malware, spotting malicious behavior, and checking the reputation of unknown files and URLs against blacklists. Not all anti-virus software is created equal, but having something is better than nothing, provided it is kept up to date.
Personal firewall: Most operating systems include a personal (host-based) firewall of some sort. For example, you can log in to your MacBook, open the Security & Privacy settings and verify that the firewall is turned on; on macOS it is off by default. A host firewall blocks unsolicited inbound connections to your machine, so it is important to use it in addition to the corporate firewall to protect against internal threats, for example hackers who have infiltrated the network and are already inside the perimeter.
Encryption: Most modern systems offer full-disk encryption (FileVault on macOS, BitLocker on Windows, and it is typically on by default on current phones), and it is important for two reasons. 1) If a hacker or a thief gets physical access to your machine, the documents and personal details on disk cannot be read without the decryption key, which is derived from your login password or a hardware-backed key. 2) It protects corporate data at rest on laptops that are lost or stolen, such as intellectual property, proprietary information and confidential items like tender documents, whose exposure or modification could have a severe and costly impact on your business. One caveat: disk encryption protects a powered-off or locked device. It does nothing against malware running while you are logged in, which is why the other practices here still matter.
Update your software: This is one that really gets me, as it is one of the most common issues we see our web hosting customers run into, especially with WordPress. Hackers discover new vulnerabilities in operating systems and application software and then exploit them to get access to your systems. Many of these hacks use known vulnerabilities for which a patch already exists but has not been applied. For example, when a customer logs in to their WordPress dashboard, they will see a notification about security updates for WordPress core, themes and plugins. You can simply click Update and within a minute the application is patched. Understandably, some customers are concerned that an update could break the site; if there is ever a question, take a backup first and ask your web hosting provider for assistance. It is in everyone's best interest to get it updated.
Password managers: For me, this is one that I am on the fence about. In recent months we have heard about various password manager services being hacked and their users' passwords exposed. However, I think that even with that possibility, using a password manager that can help you create, store and use long, random passwords for your websites, resources and cloud services is still worthwhile. For most of us these passwords are impossible to remember; the services store them in a database encrypted under your master password, and can enter them automatically when appropriate after the necessary steps are completed. Most of the major browsers include a password manager, but you can also use a dedicated one such as LastPass.
Training: Training is arguably the simplest and yet the most difficult way to protect yourself from hackers. First and foremost, getting a basic understanding of the things you should and should not do is paramount. From there, if you work in a corporate environment, your company should have a defined security policy that includes a regular training schedule and common workflows for when a situation is encountered. Security training is mandatory under our existing SSAE 16 audits and ISO certifications, covering new employees and ongoing training each quarter. We regularly hear about social engineering techniques and how they are used to trick users into divulging passwords and other security details. A training program raises awareness of these techniques, how to spot social engineering phone calls or emails, and what to do when someone is trying to phish you.
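The password manager item above says the point of a manager is to create long, random passwords and keep them in a database encrypted under your master password. The example below, added here and not code from the original article or from any product it names, shows the two pieces that matter: generating passwords and passphrases with a cryptographically secure source (Python's `secrets`, never `random`), estimating their entropy, and deriving a vault key from a master password with a slow key-derivation function (scrypt) so that offline guessing is expensive. The word list is a constructed sample and the function names are hypothetical.

```python
import hashlib
import math
import secrets
import string

# Character classes a manager lets you toggle when generating a site password.
CHARSETS = {
    "lower": string.ascii_lowercase,
    "upper": string.ascii_uppercase,
    "digits": string.digits,
    "symbols": "!@#$%^&*()-_=+[]{};:,.?",
}

# Constructed sample word list for the passphrase generator. A real manager
# ships a list of several thousand words (for example a Diceware list).
SAMPLE_WORDS = [
    "anchor", "basket", "copper", "dragon", "ember", "falcon", "garnet", "harbor",
    "island", "jigsaw", "kettle", "lantern", "marble", "nectar", "orbit", "pepper",
]


def entropy_bits(length: int, alphabet_size: int) -> float:
    """Entropy of `length` symbols drawn uniformly from `alphabet_size` choices."""
    return length * math.log2(alphabet_size)


def generate_password(length: int = 24,
                      classes=("lower", "upper", "digits", "symbols")) -> str:
    """Uniformly random password containing at least one character of each class.

    `secrets.choice` draws from the OS CSPRNG. `random.choice` is a Mersenne
    Twister whose future output is predictable to anyone who sees enough of it.
    """
    alphabet = "".join(CHARSETS[c] for c in classes)
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        # Rejection sampling: discard candidates missing a class so the result
        # passes typical site rules. This costs only a fraction of a bit.
        if all(any(ch in CHARSETS[c] for ch in candidate) for c in classes):
            return candidate


def generate_passphrase(words, count: int = 6, sep: str = "-") -> str:
    """Diceware-style passphrase: `count` words picked uniformly from `words`."""
    return sep.join(secrets.choice(words) for _ in range(count))


def derive_vault_key(master_password: str, salt: bytes) -> bytes:
    """Key that would encrypt the stored-password database.

    scrypt is memory-hard, so each guess at the master password costs an
    attacker real CPU and RAM; a plain SHA-256 of the password would not.
    """
    return hashlib.scrypt(master_password.encode("utf-8"), salt=salt,
                          n=2 ** 14, r=8, p=1, dklen=32)


def password_report(pw: str) -> dict:
    """Summarise which classes a password uses and its estimated entropy."""
    classes = [c for c, chars in CHARSETS.items() if any(ch in chars for ch in pw)]
    size = sum(len(CHARSETS[c]) for c in classes)
    return {
        "length": len(pw),
        "classes": classes,
        "entropy_bits": round(entropy_bits(len(pw), size), 1),
    }


if __name__ == "__main__":
    pw = generate_password()
    print(pw, password_report(pw))
    phrase = generate_passphrase(SAMPLE_WORDS)
    print(phrase, round(entropy_bits(6, len(SAMPLE_WORDS)), 1), "bits")
    salt = secrets.token_bytes(16)  # stored next to the vault, not secret
    print(derive_vault_key("correct horse battery staple", salt).hex())
```

A 24-character password over all four classes here is about 154 bits, far beyond any online or offline guessing budget; six words from a 16-word sample list is only 24 bits, which is why real passphrase generators use lists of thousands of words. The salt must be unique per vault and is stored alongside it; it prevents an attacker from precomputing one table of master-password guesses for every user.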
Understanding the Risks
Social engineering and hacking do not just occur over the internet. Hackers will use all kinds of methods to get your data, including spreading malware through USB drives left where someone will plug them in, phone scams, and phishing emails that bait users into opening infected attachments or clicking malicious URLs. Even something as simple as wearing your company security badge in public, or holding a locked door for someone who follows you through (tailgating), can create a significant risk. So what are we to do? We have listed some common steps that people can take to protect themselves and their companies, but understanding the risks is important as well.
Learning the Risks
Many people and companies invest in training and education for users, but not all programs are created equal. Every one of us needs to do our part and try to understand current threats and how to avoid them. When I completed my Certified Information Security Manager (CISM) certification, one of the aspects of ISACA's methodology that I increasingly appreciated is that no company can lock every single risk down, and that there are external factors that need to be considered. We all must weigh the risks against the limits of what security can do. At one end, you can protect your systems entirely, but they become completely unusable because of the restrictions. At the other end, you can leave everything exposed. The workable position is in between, and users and companies have to accept that they do not get unrestricted access to everything. By learning these risks, everyone can work together to protect users, customers, the business and personal data.
Report the Crime
In today's business climate, public relations and social media are front and center. Because of that, a lot of hacking goes unreported, as businesses want to avoid the embarrassment or negative publicity associated with being hacked. Does Twitter want to talk about being hacked? Or Yahoo? We have seen the consequences of negative publicity, including billions of dollars of market value disappearing almost instantly. It must be noted that in some cases companies are required to disclose breaches by federal, state and provincial data privacy laws. A good example is PHIPA, the Personal Health Information Protection Act in Ontario, Canada:
“The health information custodian must take reasonable precautions to ensure that the personal health information is protected against theft, loss, unauthorized use or unintended disclosure. The information must also be protected against unauthorized copying, modification or disposal. In the case of such events, the health information custodian must take steps to inform the individual of the occurrence at the first reasonable opportunity.”
There are potential penalties for failing to report a breach, on top of the negative press. It is also a good idea to share information about successful and attempted cybercrimes with law enforcement: it gives them more clues about attack origins, new vectors and vulnerabilities, helps them prepare response and mitigation, and ultimately helps protect other users and businesses.