
Seven Habits for the Security Conscious

Yahoo CEO Marissa Mayer recently revealed that she does not protect access to her smartphone with a passcode, leaving her mobile device potentially exposed if someone is able to snag it. Though I have seen security wonks almost stroke out over this, is it really a big deal? Probably not. Someone would have to get her phone away from her, and given her role at Yahoo I suspect the thing is practically surgically implanted.

The point is more that the passcode has not become a habit for Mayer. We are all creatures of habit. I put my left sock on first. I start brushing my teeth on my lower right. As a race, we like routine. We tend to like some things to be predictable. That is neither right nor wrong; it just is.

“Security” is also a creature of habit. Security likes things to stay the same. Change brings chaos. Chaos is bad for security. But, we can help control the security of our environment by following good security habits.

What habits?

7 Security Habits

Answer these questions to see how you rate yourself against the Seven Habits for the Security Conscious. You get no score, just understand that every time you honestly give a negative answer, it means you are indicating that you have a little less control over the security of your own environment.

1. Do you lock your phone, iPad, Surface or other tablet with a passcode to help keep the phone contents safe from anyone who might steal it or find it?

By locking your phone you are committing yourself to unlocking it nearly every time you want to make a call or send a text. The most significant part of this equation is in understanding what kind of cool data you have on your phone. If the most important thing on your phone is the phone number of your spouse or your Angry Birds high score, locking it is probably not such a big deal. But, if you are like most people, your phone also includes Facebook and Twitter passwords, possibly online banking passwords, personal email, and probably work email (with the variety of confidential and non-public data that entails). The fact that it is a “Phone” is not as significant as the type of data that you actually have on your phone.

Compare the type of data you have on your phone to the type of data you have on your laptop. Modern smartphones have access to much of the same types of data as laptops, and are realistically even more vulnerable since they are smaller, and thus more easily lost or stolen, and include phone functions extending your ability to communicate with them.

What if I asked the question this way: Do you lock your laptop with a password to help keep the laptop contents safe from anyone who might steal it or find it?

2. Are your passwords/passcode decent ones?

Everyone should know what I mean, so no excessive beating of a dead horse here. Suffice it to say that if your password is akin to “1234567”, “password”, or “qwertyui”, then you need a new password. Even though, theoretically, a bad password provides “some” security, what it mostly provides is a false sense of security, because “qwertyui” really isn’t going to protect you from much of anything. It’s not as if you need a password like “jhH12#n(3W” on everything, but is something like “hApe7*fEEt” so unreasonable? (Don’t use it…). As far as your phone passcode goes, the most popular phone passcodes are simple patterns like “1234”, “0000” or “1111”. If you need a passcode, you might try starting it with 6, 7, 8 or 9, and not making it a continuous pattern on the keypad (like “9632”).
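The patterns called out above (repeated digits, sequential digits, keypad walks like “9632”, keyboard-row walks like “qwertyui”, and a handful of well-known bad passwords) can be turned into a quick policy check. The following is an added example, not code from the original article; the keypad coordinates, the keyboard rows, the tiny common-password set and the thresholds are this example's own assumptions.

```python
# Added example (not from the original article): quick checks for the weak
# passwords and phone passcodes named in habit #2. The keypad layout, the
# keyboard rows and the small common-password list are this example's own
# assumptions, not a published policy.

# 3x4 phone keypad as row/column coordinates, so "continuous pattern"
# can be tested as "every digit touches the previous one".
KEYPAD = {
    "1": (0, 0), "2": (0, 1), "3": (0, 2),
    "4": (1, 0), "5": (1, 1), "6": (1, 2),
    "7": (2, 0), "8": (2, 1), "9": (2, 2),
    "0": (3, 1),
}

# Physical QWERTY rows; a run of 4+ characters along one of them
# (forwards or backwards) is a keyboard walk like "qwertyui".
KEYBOARD_ROWS = ("1234567890", "qwertyuiop", "asdfghjkl", "zxcvbnm")

# Constructed sample of a "bad password" list; a real deployment would
# load a much larger breached-password list instead.
COMMON_PASSWORDS = {"1234567", "12345678", "password", "qwertyui", "letmein", "admin"}


def _keypad_adjacent(a, b):
    """True when digits a and b touch on the keypad (diagonals included)."""
    (r1, c1), (r2, c2) = KEYPAD[a], KEYPAD[b]
    return max(abs(r1 - r2), abs(c1 - c2)) == 1


def passcode_weaknesses(pin):
    """Reasons a numeric phone passcode is weak; an empty list means no obvious pattern."""
    if not pin.isdigit():
        return ["not numeric"]
    reasons = []
    if len(pin) < 4:
        reasons.append("shorter than 4 digits")
    if len(set(pin)) == 1:
        reasons.append("repeated digit")
    steps = {int(b) - int(a) for a, b in zip(pin, pin[1:])}
    if len(pin) >= 3 and steps in ({1}, {-1}):
        reasons.append("sequential digits")
    if len(pin) >= 3 and all(_keypad_adjacent(a, b) for a, b in zip(pin, pin[1:])):
        reasons.append("continuous keypad pattern")
    return reasons


def _has_keyboard_run(text, length=4):
    """True when any `length`-character slice of text lies along a keyboard row."""
    rows = KEYBOARD_ROWS + tuple(r[::-1] for r in KEYBOARD_ROWS)
    return any(text[i:i + length] in row
               for row in rows
               for i in range(len(text) - length + 1))


def password_weaknesses(password):
    """Reasons a password is weak; an empty list means it passes these checks."""
    reasons = []
    lowered = password.lower()
    if len(password) < 8:
        reasons.append("shorter than 8 characters")
    if lowered in COMMON_PASSWORDS:
        reasons.append("on the common-password list")
    # Count character classes present: lower, upper, digit, other.
    classes = sum(any(f(c) for c in password) for f in (str.islower, str.isupper, str.isdigit))
    classes += any(not c.isalnum() for c in password)
    if classes < 3:
        reasons.append("fewer than 3 character classes")
    if _has_keyboard_run(lowered):
        reasons.append("keyboard-row run")
    return reasons


if __name__ == "__main__":
    for pin in ("1234", "0000", "9632", "7315"):
        print(pin, passcode_weaknesses(pin) or "ok")
    for pw in ("password", "qwertyui", "hApe7*fEEt", "jhH12#n(3W"):
        print(pw, password_weaknesses(pw) or "ok")
```

The keypad check is deliberately strict about what counts as a walk (every consecutive pair must touch), so “1234” is caught by the sequential rule rather than the keypad rule, while “9632” is caught only by the keypad rule. Both of the article's sample strong passwords pass all checks.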

3. Have you changed your password recently?

You don't have to go nuts here. I use an application at work that seems to require a password change every single time I log in – at most every 30 days. I am security paranoid and that seems like a little much. But, I worked an incident once where an ex-employee of the client had breached the company’s site and posted a list of executive salaries on their external website. It turns out that the file server that held the data, and the webserver were both still protected by the same passwords that they had been using when the guy had still been employed – 14 months after he had been let go. While every 30 days might be a little much, every 14 months might not be enough.

In another example, I was doing a physical walkthrough with a client as we talked about what was good and bad about his physical security. We got to the data center and he proudly told me that only three people in the company had the door combination. I glanced at the keypad at an angle, and could see that the keys for numbers 4, 6, and 9 were dulled. As I talked with my escort I absently reached down and keyed in 4469. No luck. But 4669 worked, and I opened the data center door for him. I enjoyed the moment as he looked at me like it was magic, but the point was that he had kept the door combination the same for several years. Hrm… definitely too long.

So, yes, this one actually is important.

4. Do you know when your computer was last backed up?

For both work and play. When was the last time you made sure that all of your local files were stored on a server at work? It is awesome if this is automatically done for you, but with a mobile workforce in a dynamic and diverse environment, even automatic backups do not always work. And is the same true at home? This is working on an assumption that you have data in your home environment that you care about.

Your first answer may be that you don’t. I kind of always felt that way until my home computer crashed so hard it actually physically damaged my hard drive. I was not too worried about having to reinstall applications, or even the saved games I lost for whatever computer game I was playing. But, I lost two years of tax returns as well as all the photos from our digital camera from about the previous five years. Luckily, I was able to use data recovery software and restore almost everything, and that only cost me a couple hundred bucks for the software, a couple hundred bucks for a new hard drive, and about 20 hours to recover the data. Now I have a home server that backs up every computer in my house once a week. So, when my daughter’s computer was infected by Zbot (Zeus Trojan), rather than try to clean it, I was able to just rebuild and restore over it – in a matter of minutes. Because I have created the habit of regular backups (learned my lesson. Booyah!).

5. Do you use a secure wi-fi network?

So, do you have a good password on your local wi-fi network, running at least WPA? The same rules apply to this password as for #2 above. If you have a Linksys router and still have “admin” as your password, or have it match your SSID name, or some other such foolishness, you should really reconsider.

You really don’t want someone using your wireless network. They can get access to your networked resources, they can piggyback on your network usage, and they can look like you. Or, there is this case where a family’s unsecured wireless network was used by someone threatening the police. When the SWAT team came for a visit, and they didn’t bring a bottle of wine, they brought flashbangs and a battering ram. The poor people had no idea what was happening when SWAT came storming in.

Old news? I would like to think so, but as I sit here at home I can see wireless networks for six of my neighbors. And, yes, two of those are unsecured networks.

6. Do you USE antivirus (AV) software?

By “use” I don’t just mean “have it installed”. I mean, make sure it is correctly installed, updates regularly, scans regularly, is used in ad-hoc scans, and that you actually check scan results and logs – at least once in a while. It is not like an antivirus suite will magically keep you safe, BUT it will help, as long as you understand its limitations.

I know a guy who kept complaining that his computer was running slow. Before I visited him, I downloaded a couple antimalware apps to a flash drive and took them with me. Even with a couple Stellas in me it took me no time to load the software and start a scan.

A scan that took about two hours.

And found 247 pieces of malware. Yes, 247.

He opted to clean the computer instead of rebuilding it. It took about four passes of scans and repairs before he got a clean scan. We then reinstalled his antivirus and firewall, which had both been disabled by a Trojan horse. I told him that it looked like he had been infected for months, and that he might have noticed sooner if he had ever checked his software to make sure it was running correctly.

Then I told him to quit browsing porn.

7. Are you a little paranoid?

The answer is not “a little paranoid what?” Maybe “skeptical” is a better word. I suspect that the chances you have NOT gotten a phishing email today are near 0%. Be skeptical about everything. If your friend sends you a link to an online survey, to Jackie Chan’s death, or Miley Cyrus doing something nasty, your first thought should be “Um. No.”, not “Oh wow!”

Say, for instance, that your bank, Facebook, Amazon, PayPal or eBay sent you an email that says you have an account problem, and we have conveniently included this link for you to log in and fix it. The chances that it is a genuine email really from the alleged source are about the same as the chances that you were genuinely contacted by the Honorable Professor Mubumba, and he truly does need your help transferring $7,000,000 out of Nigeria.
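Two of the cheapest checks a skeptical reader can apply to such a “log in here to fix it” email are: does the link actually go to the domain the message claims to be from, and, where the link's visible text is itself a URL, does it name the same host the link really points to? The following is an added example, not code from the original article; the sample message, the domain names (`.example` and `.invalid` are reserved test TLDs) and the two rules are this example's own assumptions.

```python
# Added example (not from the original article): a reader-side check for the
# "your account has a problem, click here to log in" email described in habit #7.
# The sample message, the domain names and the two rules are this example's own
# assumptions.
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample of a phishing-style HTML email body.
SAMPLE_EMAIL = """
<p>Dear customer, there is a problem with your account.</p>
<p>Please <a href="http://bank-secure.invalid/login">log in here</a> to fix it.</p>
<p>Or go to <a href="http://198.51.100.7/fix">https://www.bank.example/fix</a> directly.</p>
<p>Questions? See <a href="https://help.bank.example/faq">our FAQ</a>.</p>
"""


class _LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _host(url):
    """Lower-cased hostname of an absolute URL, or '' when there is none."""
    return (urlsplit(url.strip()).hostname or "").lower()


def _belongs_to(host, domain):
    """True when host is the domain itself or one of its subdomains."""
    return host == domain or host.endswith("." + domain)


def suspicious_links(html, sender_domain):
    """Return (href, text, reason) for each link the reader should not trust.

    Rule 1: the visible text is itself a URL whose host differs from the real target.
    Rule 2: the real target is outside the domain the email claims to come from.
    """
    collector = _LinkCollector()
    collector.feed(html)
    sender_domain = sender_domain.lower()
    findings = []
    for href, text in collector.links:
        target = _host(href)
        if not target:
            continue  # relative or mailto: links are out of scope here
        shown = _host(text) if "://" in text else ""
        if shown and shown != target:
            findings.append((href, text, "visible URL names %s but link goes to %s" % (shown, target)))
        elif not _belongs_to(target, sender_domain):
            findings.append((href, text, "link target %s is outside %s" % (target, sender_domain)))
    return findings


if __name__ == "__main__":
    for href, text, reason in suspicious_links(SAMPLE_EMAIL, "bank.example"):
        print("SUSPICIOUS:", text, "->", href, "|", reason)
```

Run against the constructed sample with the claimed sender domain `bank.example`, the first two links are flagged (one points to an unrelated host, one shows the bank's URL as text while linking to a bare IP address) and the FAQ link on a real subdomain passes. The same two questions are worth asking by hand, by hovering over a link before clicking, whenever the tool is not around.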

You don’t have to be an online jerk, but you are better off if you don’t trust too much.

There are plenty of other security habits we should all have, so stopping the list at seven may be a little naïve. But I will assert that if we all followed these seven, we would not have to worry about habits 8-25 nearly as much.

Jon-Louis Heimerl is Director of Strategic Security for Omaha-based Solutionary, Inc., a provider of managed security solutions, compliance and security measurement, and security consulting services. Mr. Heimerl has over 25 years of experience in security and security programs, and his background includes everything from writing device drivers in assembler to running a world-wide network operation center for the US Government. Mr. Heimerl has also performed commercial consulting for a variety of industries, including many Fortune 500 clients. Mr. Heimerl's consulting experience includes security assessments, security awareness training, policy development, physical intrusion tests and social engineering exercises.