October is back. Some people are excited for the signs of fall: colorful leaves, orchard visits, oddly spiced coffees. Others are excited for the spookier side of the season, with carved pumpkins and ghost stories.
For my crowd, this is the month where we get to show our true colors – dark-screen black and Unicode-text green. It’s National Cybersecurity Awareness Month, a chance for cybersecurity experts to emerge from the comfort of their security operations centers and share their wisdom about how to stay safe in cyberspace.
At CA Technologies, this is a month for us to share our perspective on how to make the world a safer place and for users to protect their online identities. As more of our lives happen in the digital world, it is becoming increasingly important for everyday users to know how to protect themselves and ensure that the services they use can trust that they are who they say they are without imposters taking over their identity. They need a level of security savvy previously only needed by IT teams.
There have been many security milestones this year too, marked with increasingly urgent discussions about the security of our election systems and national infrastructure, let alone vulnerabilities in everyday software like smart security cameras. Now more than ever, it is important for average users to learn how to protect their online identities and learn how to be certain of the identity of others.
Unfortunately, a lot of advice that cybersecurity experts give ends up being totally impractical for the average user. Their focus on enterprise-grade security problems and a desire to add something useful to the conversation mean that they may overlook how much difference even some basic best practices can make.
Consumers, small businesses and employees can play a major role in protecting their digital identities this fall by following a few simple tips.
Fixing de-fall-t passwords
A good place to start is to do a little fall cleaning of passwords. A new smart home or smart office setup may be more convenient—not to mention cool—but many IoT devices come with insecure default configurations, including mass-applied passwords. While there may not be much on the devices themselves worth protecting, cyber criminals can use these devices as access points to the larger network or as another pawn in their robot army. The results could be increased power bills or slowing device speeds. It’s worth the extra couple of minutes to make sure the device has a secure password, and often it is worth going the extra mile to set up a firewall to limit its contact with the outside world.
Another simple step to improve your basic security is to change all your passwords. Reusing the same password for several different services may seem easier, but it exposes you to identity theft after mass data leaks that reveal usernames and passwords for popular services. When changing passwords, try not to use single words, as “dictionary searches” are a trivial matter for hackers trying to break into an account by brute force. Instead, using phrases with special characters and numbers is a lot more secure.
Businesses can make this much simpler for employees by deploying a service like Access Management from CA. The single sign-on capabilities of this service connect every application employees use to one secure login, enabling them to get working faster without sacrificing security. It also helps business security teams enforce regular password changes and identify potentially compromised credentials more easily than letting every employee manage their own password list.
Consider two factors
To make online identities even more secure, users and employees can enable two-factor authentication on accounts that hold the key to sensitive materials such as bank information or email services. Two-factor authentication helps make identities more secure by combining something the user knows (e.g. a password) with something they have (e.g. a phone). Requiring both to log in makes it harder for a cybercriminal to break the security measure, as they must not only steal the password but also the device.
Many of the more enlightened services enable this by default, prompting the user to enter a phone number to text one-time codes. Text message-based authentication is often dismissed by security experts due to vulnerabilities in SMS systems; however, the average user will be much better protected by implementing that level of security. Cyber criminals would have to work a lot harder and spend more time to break through those defenses, weakening their ability to hack en masse.
Developers can use this concept to protect their API systems from cyber abuse. OAuth protocols allow one service to integrate with another service on behalf of its user, but the protocol is neither secure nor insecure on its own. CA API Management delivers security without sacrificing user experience in part by helping developers implement strong two-factor authentication on OAuth authorization servers.
Don’t get fooled by cyber costumes
Employees and users need to protect their own online identities, but they also need to make sure of the identities of others they interact with online. Older even than hacking as we know it today is the concept of gaining trust by pretending to be someone trustworthy. The invention of online communication has only made that easier for cybercriminals as we need not match a face with a name as we do in real life.
The tactics of phishing – the act of pretending to be a trusted entity in order to trick the user into performing an action to the benefit of the hacker – are becoming increasingly targeted and lifelike with innovations in the technologies cyber criminals use. The simplest kind of phishing tactic is the “too good to be true” offer, which usually is more or less an extension of the scams of a con artist.
Hackers are relying less on greed and more on exploiting trust; for example, pretending to be the user’s boss or a tried-and-true company with market credibility. Often these techniques can be used to deliver malware or trick a user into revealing their login credentials. These advanced scams can be harder to detect, so a general rule of thumb is to never click on a link in an email you were not expecting. Instead, navigate directly to the relevant website from a browser.
Businesses can unmask fraudulent users and help their employees preserve their own identities with solutions like CA Identity Management. This way businesses can be sure of who is on their networks without burdening their employees with unnecessary roadblocks.
Individually, using each of these techniques will have a minor impact on protecting the online identities of users, businesses and employees, but used in conjunction with one another, they force cyber criminals to work a lot harder to get what they want. At CA Technologies, we believe National Cybersecurity Awareness Month needs to be about getting as many people as possible to take the little steps that make online identities just a little more secure to help organizations maintain trust with their customers.