Follow KITTEN to avoid your next cyber security incident


This picture of a kitten looks cute and cuddly, but can you imagine that a funny cat picture could destroy your data?

Life was hell for information security analysts and engineers last year, given what we saw in Internet security: the rise of ransomware, insider threats, Heartbleed, DirtyCOW and so on. Security engineers, analysts and auditors work hard to secure the organisation: they try to test each and every system on the network, share best practices and send newsletters of do’s and don’ts. Despite all these efforts, people still do silly things by ignoring common sense.

Let’s dissect some of those bad choices, with the help of our little kitten friend.

K is for Kiosk Charging

We have all seen those charging stations at conferences, airports and even on aeroplanes, enticing you just to plug in and relax while devices charge. In the old days, power and data flowed through separate cables, but modern mobile devices require that both charging and data flow through a single cord. Without seeing what’s on the other end of that charging kiosk, plugging your phone in can mean that you are allowing access to the data on your phone and possibly even the injection of malicious code, which is known as juice jacking.

To protect yourself, carry a USB charger and plug into an electrical outlet, invest in a USB prophylactic that will allow power flow but block data flow, or charge only through a power bank.

I is for Installing Patches Late

Nearly 75 percent of cyber attacks use publicly known vulnerabilities in commercial software, but only about 10 percent of organisations have the capacity to apply patches on the same day they are released. Do your best to be part of that 10 percent, for catnip’s sake!

T is for Thoughtless Clicking

There are many wonders to behold on the Internet. Whether it is an email with a link proclaiming “cutest kitten picture ever!” or a click-bait headline on social media, think before clicking.

Do you know the sender of the email? Is the destination site or publication a reputable one? At best, you have wasted time clicking through to another weird corner of the Internet, and at worst, you are clicking through to a malware host for a drive-by download. Think before you click.

T is for Third-Party Access to Personal Data

Do you know why that game app needs access to your contacts? Or why that navigation app wants access to your health data? Be mindful of the permissions you grant to apps on your mobile devices and what data they may be sharing on your behalf. If you are suspicious of an application and its need for permissions, compare it to others in the same category to see if there’s consistency for a particular permission type or if it is an indicator of data gathering for potentially illicit purposes.
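One way to run the comparison described above, as an added example that is not part of the original article: for each permission an app requests, work out what share of the other apps in its category request it, and flag the ones most peers do without. The app names, the permission sets and the 50 percent threshold are constructed assumptions; the permission strings are standard Android permission names.

```python
from collections import Counter

# Constructed sample data: permissions requested by apps in one store
# category ("puzzle games"). App names are hypothetical.
PEERS = {
    "blockdrop": {"android.permission.INTERNET", "android.permission.VIBRATE"},
    "gemswap": {"android.permission.INTERNET", "android.permission.VIBRATE",
                "android.permission.ACCESS_NETWORK_STATE"},
    "wordgrid": {"android.permission.INTERNET",
                 "android.permission.ACCESS_NETWORK_STATE"},
    "tilematch": {"android.permission.INTERNET", "android.permission.VIBRATE",
                  "android.permission.READ_CONTACTS"},
}

# Constructed: the app you are suspicious of, in the same category.
CANDIDATE = {"android.permission.INTERNET", "android.permission.VIBRATE",
             "android.permission.READ_CONTACTS", "android.permission.READ_SMS"}


def peer_share(peers):
    """Fraction of peer apps that request each permission."""
    if not peers:
        raise ValueError("need at least one peer app to compare against")
    counts = Counter(p for perms in peers.values() for p in set(perms))
    return {perm: n / len(peers) for perm, n in counts.items()}


def unusual_permissions(candidate, peers, threshold=0.5):
    """Permissions the candidate requests that fewer than `threshold`
    (an assumed cut-off) of its category peers request, rarest first."""
    share = peer_share(peers)
    flagged = [(perm, share.get(perm, 0.0)) for perm in candidate
               if share.get(perm, 0.0) < threshold]
    return sorted(flagged, key=lambda item: (item[1], item[0]))


if __name__ == "__main__":
    for perm, share in unusual_permissions(CANDIDATE, PEERS):
        print(f"{perm}: requested by {share:.0%} of peers")
```

A flagged permission is a prompt to ask why the app needs it, not proof of data gathering: a puzzle game with a legitimate invite-a-friend feature would also show up here.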

E is for Egregious Password Practices

Password hygiene continued to be problematic and was one of the key factors cited in the X-Force Threat Intelligence Quarterly as contributing to insider threats. Whether it is multi-user accounts, easy passwords or passwords that never expire, this lack of accountability on user provisioning and privileges is leaving significant holes in corporate networks.

Even with adequate termination procedures, having shared admin accounts or unexpired passwords leaves doors open to disgruntled ex-employees if they take advantage of remote administration tools like LogMeIn or TeamViewer before their departure.

N is for ‘Not Me’ Thinking

There’s a certain haughtiness that information security analysts and others in the industry can adopt in thinking that they are too well-versed in security practices to ever be the victim of an attack. Social engineering has evolved to such levels of sophistication that even the most seasoned practitioner can fall for it.

No universal security karma prevents those of us in this industry from being infected; it is just your common sense and active that can reduce the risk or avoid any major incident if you are lucky.

Source: Security Intelligence
