We live in the cloud, enjoying the convenience and benefits of information at our command, collaboration in an instant, and mobile flexibility. But is it safe?

The more complex the technology the greater the opportunity for mishap. A stick is arguably safer than a spade, and an axe is less dangerous than a chainsaw. It’s a popular if misguided idea that modern society is overburdened with health and safety rules but no one would disagree that some training and observance of basic safety procedure – the rules of the road, for example – is essential.

So what are the rules of the road for the cloud? How do we protect ourselves and our property (physical and intellectual) in the midst of all this sharing and storing and Software-as-a-Service? We no longer simply turn the key in our office door and set the burglar alarm. Our office goes with us, in our pocket, in our co-workers’ pockets, in a taxi, in the pub. Our money is in the cloud too, as we use our cards to pay online and in person. How do we lock up and stay safe?

To further the analogy with the evolution of tools: you don’t need a manual for a stick or a stone. But as our tools get more complex, so does the understanding required to operate them, and so do their maintenance requirements.

Even so, with a car or a washing machine, much of the plumbing is still obvious to the user: replace the filters, rotate the tyres, check the oil. But software generally operates as a black box: we perform input and expect output without seeing how it works. Even in the case of open-source software, most people don’t have the time or the skills to examine the code. In fact, most open-source software is a collaborative project, relying on many thousands of voluntary person-hours to write, review and test.

To err is human – but to really screw things up you need a computer

Software’s black box may conceal hidden vulnerabilities, and the more widely distributed the software, the more incentive there is for bad operators to find and exploit those vulnerabilities. It’s a constant game of cat-and-mouse, with hackers versus security researchers and software companies, to find and patch these vulnerabilities and make sure that your software is as secure as can be. But all that effort is for nothing if users do not perform regular software updates.

  • Make sure your operating system and application software is up to date. Check regularly for updates and install them as soon as conveniently possible.
  • Nowadays, most software vendors operate a subscription model of Software as a Service (SaaS), so updates are available frequently at no extra charge. Office 365 is an example.
  • Do not install software from dubious sources. If it sounds too good to be true, it probably is. Some ‘free’ programs are malware in disguise. Check the provenance of software you want to install. If in doubt ask around online.
  • Install a reputable anti-virus program and keep it up to date.
  • If you have a website, make sure you keep its software up to date. Websites with vulnerabilities can be compromised by hackers and hijacked for the purposes of spam or malware. Some website management software systems, such as Blacknight’s siteBuilder, are automatically maintained. Others, such as WordPress, can be set to install new versions automatically.

It’s not just your desktop computer. Phones and mobile devices, memory sticks and the Internet of Things are all gateways for potential attack.

  • Never leave your computer screen unlocked, in a public place, or even in your office.
  • Use encryption such as BitLocker to protect external storage drives, memory sticks and cards.
  • Always scan for viruses when you attach a device to your computer. Are you sure you know where it’s been?
  • Observe office policies regarding external storage devices. At Blacknight we operate an Information Security Management System certified to ISO 27001, which includes strict access restrictions to our network.

Thankfully, awareness of password best practice has increased among the public at large. We’ve all heard the scare stories about people using ‘password’ as a password, or writing it on a post-it note on the side of their monitor. But even if your password isn’t on this list of common password fails, it can still be vulnerable to a brute-force or dictionary attack, where attackers simply cycle through dictionary words and combinations until they hit the jackpot.

  • Never use the same password on multiple sites. If one site is compromised, the damage is mitigated if your password is unique.
  • The longer the password, the less likely it is to be vulnerable to brute-force attack.
  • Varying upper and lower case letters, numbers and punctuation characters makes your password more complex, and therefore stronger.
  • But the more complex a password, the more difficult it is to remember, and the greater the temptation to write it down. Don’t write it down, especially not someplace where it will be easily found.
  • An alternative approach is illustrated by this comic strip.

xkcd comic strip illustrating how four random words can be easily memorised while being difficult for hackers to guess

  • If you are using a four-random-word password as in the example above, remember that the words should be truly random. You may also want to incorporate numbers or special characters.
  • If you have many passwords, you should use a password safe such as LastPass. A password safe stores all your passwords, protected by a single password. The best practice is to choose unique, complex passwords and keep them in a password safe. Then you should choose a strong, but memorable, password for the password safe. Memorise it.
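To put numbers on the length-versus-complexity trade-off the comic illustrates, here is an added example (not code from this page or from Blacknight) that computes the entropy of a few password schemes and generates a passphrase from a constructed word list using the operating system’s cryptographic random number generator. The word list, the scheme labels and the guess rate are assumptions for illustration.

```python
import math
import secrets

# Constructed word list for illustration only; a real generator draws from a
# list of a few thousand words (the comic assumes about 2048).
WORDS = ["correct", "horse", "battery", "staple", "river", "lamp",
         "cloud", "pencil", "window", "garden", "silver", "ticket"]

CLASS_SIZES = {"lower": 26, "upper": 26, "digits": 10, "symbols": 33}


def charset_entropy_bits(length, classes=("lower",)):
    """Entropy of a password whose characters are chosen uniformly at random
    from the given character classes: length * log2(alphabet size)."""
    alphabet = sum(CLASS_SIZES[c] for c in classes)
    return length * math.log2(alphabet)


def passphrase_entropy_bits(num_words, wordlist_size):
    """Entropy of num_words words, each chosen uniformly from the list."""
    return num_words * math.log2(wordlist_size)


def years_to_exhaust(bits, guesses_per_second):
    """Worst-case time for an attacker to try every possibility."""
    return 2 ** bits / guesses_per_second / (365 * 24 * 3600)


def compare_schemes():
    """The trade-off the comic illustrates: a longer passphrase of random
    words matches or beats a short 'complex' password and is easier to recall."""
    return {
        "8 chars, all classes": charset_entropy_bits(8, tuple(CLASS_SIZES)),
        "11 chars, lowercase": charset_entropy_bits(11),
        "4 words of 2048": passphrase_entropy_bits(4, 2048),
        "5 words of 7776": passphrase_entropy_bits(5, 7776),
    }


def random_passphrase(num_words, wordlist=WORDS):
    """Pick words with the OS cryptographic RNG. Words a person picks 'at
    random' are not random, which is why the text insists on truly random."""
    return " ".join(secrets.choice(wordlist) for _ in range(num_words))


if __name__ == "__main__":
    for name, bits in compare_schemes().items():
        years = years_to_exhaust(bits, 1e10)  # assumed 10 billion guesses/s
        print(f"{name:22s} {bits:5.1f} bits  {years:.2e} years")
    print("example passphrase:", random_passphrase(4))
```

Only the entropy of a uniformly random choice is measured here; a password built from a memorable phrase or a predictable substitution has far less than the formula suggests.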

Now that you are using strong passwords, you can add another layer of protection using multi-factor authentication. An example of this will be familiar to anyone who uses an ATM, or a debit/credit card with chip-and-PIN or similar technology. The user’s identity is verified using two factors: something they have (the card) and something they know (their secret Personal Identification Number or PIN). Either is useless to a thief without the other.

Multi-factor authentication is increasingly available on many platforms, including Blacknight’s User Control Panel and Office 365. Common methods include sending a code via SMS to the user’s mobile phone, or using an app such as Authy or Google Authenticator on your phone to generate a one-time code for the service you are signing in to.

An example of a Digital Security Certificate

Look at the address bar at the top of this web page. To the left of blacknight.blog you will see a locked padlock, indicating that communication between this page and you is encrypted and cannot be read by anyone else. You can click on the padlock for more details about this site’s Digital Security Certificate. You may also see that the protocol part of the page’s URL begins with ‘https://’ (and not ‘http://’). HTTPS stands for HyperText Transfer Protocol Secure. Historically it was used by sites specialising in personal (e.g. financial) data. However, there is now a global movement to encourage HTTPS on all websites. These days, websites without Digital Certificates are ranked lower in search engine results, and web browsers have begun to issue warnings about them. You should exercise caution when using insecure websites.

‘Phishing’ is the name given to an attempt to fool users by masquerading as a reputable site or organisation. Typically, a user will receive an email claiming to be from such an organisation, telling them to click a particular link to ‘resolve a problem’. But the link leads to a fake page, masquerading as a legitimate website, which aims to trick the users into entering personal data, such as usernames, passwords, and even payment card details. So how can you spot a phishing attack?

  • Bad grammar is a frequent giveaway. Legitimate companies take care to present their corporate communications in a way that reflects well on them. Sloppy English can be a sign of a scam.
  • Look carefully at the link you are being asked to click. The linked text may look like a legitimate address, but the actual link it points to may be different.
  • Does a different link address appear in the status bar at the bottom of the window when you put your mouse over the linked text? Don’t click it.
  • If you have clicked the link, look at the address bar at the top of the browser window, and specifically at the hostname (or domain name) part of the address: the part after ‘https://’ (or ‘http://’ if the site does not use a digital certificate) and before the next ‘/’. This should be the normal domain name of the legitimate company, something you recognise such as blacknight.com or onlinebanking.aib.ie. It should not contain any other words. If it says something else, it is a fake.
  • Emails asking you to click and login to a site with personal data should generally be ignored. Even if you suspect they are genuine, and you need to visit a company’s website, it is best to manually type in the address that you know for that site, rather than clicking a link.
  • The same goes for phone or voice phishing (‘vishing’). If your ‘bank’ rings you to say there is a problem with your account, can you be sure that the caller is genuine? It may be a genuine call, but beware of giving personal information.
  • There is also an SMS text variation of this scam known as ‘smishing’.
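The hostname rule above (the part after ‘https://’ and before the next ‘/’ must be the company’s own domain and nothing else) can be applied mechanically. The following is an added example, not code from this page or from Blacknight; the sample links are constructed, using the reserved example.net domain for the fake ones, and the function names are assumptions.

```python
from urllib.parse import urlsplit


def hostname_of(url: str) -> str:
    """Return the hostname part of a link: after the scheme, before the next '/'.
    Only http/https links are considered; anything else yields '' (suspicious)."""
    parts = urlsplit(url.strip())
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return ""
    return parts.hostname.lower().rstrip(".")


def belongs_to(host: str, legitimate_domain: str) -> bool:
    """True only if host IS the legitimate domain or a subdomain of it.
    'blacknight.com.example.net' ends with other words, so it fails."""
    domain = legitimate_domain.lower()
    return host == domain or host.endswith("." + domain)


def check_link(url: str, legitimate_domain: str) -> dict:
    """Summarise what the text tells the reader to look at: the hostname,
    whether it belongs to the expected company, and whether it uses HTTPS."""
    host = hostname_of(url)
    return {
        "host": host,
        "ok": bool(host) and belongs_to(host, legitimate_domain),
        "https": urlsplit(url.strip()).scheme == "https",
    }


if __name__ == "__main__":
    # Constructed sample links; the fake ones use the reserved example.net domain.
    samples = [
        ("https://www.blacknight.com/login", "blacknight.com"),
        ("https://onlinebanking.aib.ie/", "aib.ie"),
        ("https://blacknight.com.example.net/login", "blacknight.com"),
        ("http://example.net/blacknight.com/login", "blacknight.com"),
        ("blacknight.com/login", "blacknight.com"),
    ]
    for url, domain in samples:
        result = check_link(url, domain)
        verdict = "looks genuine" if result["ok"] else "FAKE / suspicious"
        print(f"{url:45s} host={result['host'] or '?':30s} {verdict}")
```

A genuine-looking hostname is necessary but not sufficient: the text’s advice to type the address yourself rather than clicking still applies.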

Are you planning a holiday? Don’t tell everyone on Facebook that your house is going to be unguarded. It’s nice to get birthday wishes on social media, but remember that your date of birth is Personally Identifiable Information, and is often used by service providers to verify your identity when you call. Watch what happened when CNN tech reporter Donie O’Sullivan invited a social engineering expert to hack him, using information he had shared on social media.

Three Basic Principles

Underlying these seven steps are three basic principles:

  • Privacy. Guard yours. Be careful whom you share personal data with and why. Companies who process your data have a legal responsibility to do so in accordance with the EU’s General Data Protection Regulation. GDPR gives you the right to enquire about how they process your data. Read their privacy policies.
  • Encryption. Lock your devices. Encrypt your storage. Use strong passwords. Use websites that have SSL digital security certificates. Don’t use personal data on open public WiFi.
  • Software. Keep it up to date. Use anti-virus.

People in Carlow will have an opportunity to hear more about the points raised in this article in a talk I will give at lunchtime tomorrow, Thursday 24 October, at the New Work Junction co-working centre. The title is Seven Simple Steps to Online Security and it’s part of the Carlow Chamber Members for Charity series. It’s free to attend, a light lunch is provided, and attendees are invited to make a donation to County Carlow Hospice. It starts at 1pm and will finish by 2pm.

Update: here are the slides from the talk