Saturday, February 23, 2013

Cybersecurity for You and Me

February 23, 2013 8:00 a.m.

Seven Steps to Computer Security
“I divide the entire set of Fortune Global 2000 firms into two categories: those that know they’ve been compromised and those that don’t yet know.”
-- Dmitri Alperovitch, Chief Technology Officer, Crowdstrike

With seemingly every major American institution under cyberattack, is it past time you and I review our own cybersecurity?

The Times reports that, "Computer security experts estimate that more than a thousand companies have been attacked recently." Nicole Perlroth, "Some Victims of Online Hacking Edge Into the Light," New York Times, February 21, 2013, p. A1. Once reluctant to report a breach, more companies are now coming forward. The Times provides quite a list -- including Apple, Google, Facebook, and Twitter.

In fact, the Times was the first of three major papers to acknowledge they'd been hacked, probably from China, followed by similar revelations from the Wall Street Journal, and the Washington Post.

Earlier this month President Obama signed an executive order "that promotes increased information sharing about cyberthreats between the government and private companies that oversee the country’s critical infrastructure . . .." Michael S. Schmidt and Nicole Perlroth, "Obama Order Gives Firms Cyberthreat Information," New York Times, February 13, 2013, p. A16; "Improving Critical Infrastructure Cybersecurity," February 12, 2013, whitehouse.gov. (And see "Cybersecurity," National Security Council; "The Comprehensive National Cybersecurity Initiative," National Security Council; "Cyberspace Policy Review," White House (2009).) [Photo credit: multiple sources.]

Our computerized defense installations, including the nuclear arsenals, are getting millions of hostile hits a day. Defense Secretary Leon E. Panetta says that "the United States [is] facing the possibility of a 'cyber-Pearl Harbor' . . . [that] could dismantle the nation’s power grid, transportation system, financial networks and government." Elisabeth Bumiller and Thom Shanker, "Panetta Warns of Dire Threat of Cyberattack on U.S.," New York Times, October 12, 2012, p. A1. We now have an Army Cyber Command -- not to mention our real world, lethal video game controllers, operating drones in Pakistan and Yemen, among other countries, from comfortable locations here at home. (See "Home Grown Drones," February 16, 2013.)

If, with all their multi-billion-dollar resources, our government, military, corporations and other major institutions are under cyberattack, and losing more often than not, what hope is there for the rest of us?

Fortunately for us, like risks to our health, it turns out that the greatest risks to our computers are well within our control.

How many times have you heard these health tips: get a full night's peaceful sleep, control your weight (getting from "obese to "overweight" is a good start), eat more raw fruits and vegetables (and less sugar, salt and fat), exercise (both aerobic and strength training) 30 minutes a day, eliminate all tobacco and other drugs, keep alcohol consumption to a minimum, fasten your seat belt in the car and wear your helmet when riding a bike. Whether we're looking for ways to reduce our risks of heart disease, or cancer, or diabetes, or arthritis, or Alzheimer's disease, or other conditions, the advice usually includes these same basics.

Do we follow this advice? That's another matter -- albeit one that costs us $100s of billions in excess health care bills. The point is, whether the health of our bodies or the security of our computers, many of the factors are within our control.

No one can make their home or car 100% theft-proof. Thieves can break a side window on your car, or on a second story bedroom, and remove contents. However, they are less likely to take your stuff if you lock the doors to your house than if you leave them ajar; or if you close the windows and lock the doors of your car than if you leave the windows down and the key in the ignition.

If you are a computer professional, you already know what follows and far more. If not, here are some simple suggestions -- the computer equivalent of locking your house and car -- that can save you from most of the computer grief, some say as much as 90% or more, that can otherwise come your way. (Basic security for handheld mobile devices may be covered in a subsequent blog entry.)

1. There's no perfect security. Assume every email or text message you send could show up on the front page of your local newspaper, and may have already been scanned by your employer and some government agency. Every photo or bit of information about yourself you or your friends put on Facebook, or you share with an online merchant or Web page, may find its way to those you wish didn't have it. Every program you install on your computer may come with, or develop, vulnerabilities that enable strangers to enter your computer. [Photo credit: multiple sources.]

The only surefire way to avoid contributing to such problems is to stay off the Internet entirely, or at least put your most private material on a computer that's never connected to the Internet. Even then, of course, there's no way to protect yourself from what others put on the Internet about you, or release from supposedly confidential files. The University of Iowa recently had a couple examples of this. Ryan Foley, "University of Iowa apologizes for privacy breach; A staff member mistakenly sends an email to 2,000 students with all of their GPAs," Des Moines Register, February 8, 2012; Clark Kauffman, "Register Investigation: University of Iowa gives private student data to Johnson sheriff; Info on gun permit applicants' classroom performance, discipline history is protected by federal law," Des Moines Register, February 20, 2013; Clark Kauffman, "U of I suspends record sharing; University addressing concerns raised about student information given to law enforcement for gun-permit checks," Des Moines Register, February 23, 2013.

What is possible, however, is to reduce 90% or more of these risks by applying some common sense basics, and finding someone you can consult with about the rest -- even if she turns out to be your 14-year-old computer geek neighbor.

2. Preventing loss of your computer. Roughly 10 million computers are stolen each year. Keep an eye on yours -- especially in airports. Don't leave it visible in your car or home. If you use it in public places, or at work, consider a cable and lock sold for this purpose.

3. Preventing loss of your data.
(a) If your software doesn't automatically save your work as you write, save it manually. Don't risk losing two hours of writing if the power goes off.
(b) If you're working on, or modifying, a document over time, save daily versions separately (e.g., "article-Dec 20," "article-Jan 21"). When the current version mysteriously disappears you will at least have the next most current available.
(c) The only thing that can be said with confidence about every computer's hard drive is that some day it will crash. Get an external hard drive, and use a backup program at least once a week that will save any newly created or changed files -- or at least copy to that drive the files you really don't want to lose. Store the external drive somewhere away from the computer (so that if your computer is stolen or damaged your backup drive doesn't disappear with it).
(d) If the files are worth greater protection (from fire, flood or theft of your external hard drive), like an entire doctoral dissertation manuscript, back up your files to a second external hard drive kept in a safe deposit box or other safe place away from the first external hard drive.
Nothing can eliminate every possibility of loss, but these suggestions will prevent some of the most common causes.

Preventing unauthorized access. The computer hacking making the headlines involves unauthorized acquisition of military or corporate intellectual property, trade secrets, and the pathways to bring down our electric power grid or other infrastructure. Nobody is going to hack into your computer looking for that. So what is your risk; what might strangers be doing with your computer?

The possibilities are endless, limited only by the hackers' imagination.
(a) They may be in the identity theft business, looking for enough of the details about your financial and other relationships to pass themselves off as you.
(b) Depending on your employer, they may try to use you as a pathway into their industrial espionage of the computers in your workplace. (Most people who find a flash drive in the company parking lot bring it into work and put it in their office computer.)
(c) Perhaps they're after your money, seeking to transfer money out of your bank account, or charge items to your credit cards.
(d) Maybe it is your entire list of friends' email addresses they want, in order to sell them to spammers.
(e) They may install a bit of software that captures each of your keystrokes, including your passwords.
(f) There is software that enables them to take over your computer without your knowledge, linking it to their network of computers used to send out spam or viruses -- maybe in your name from an email account of yours.
(g) They may just be up to devilment, leaving software that will erase files, slow operations, bring your computer down completely, or instruct it to destroy itself -- just to show off to their friends.
(h) And once in your computer, they would have access to all of your documents, spreadsheets, photos, or other things you might consider private.
So what can you do?
4. Use passwords -- or maybe even encryption.
(a) Password protect your computer. That way, if you need to leave your computer from time to time, but like to keep a number of Web sites or files open, rather than having to log off (and reopening everything when you return) you can just press CTRL-ALT-DEL, and choose the "Lock" option. When you return, enter your computer's password; the screen, sites and files you last saw will be waiting for you.
(b) Obviously, you don't want to put passwords on Post-It notes on your computer screen, or in your top desk drawer, or share them with others.
(c) You shouldn't use the same password, or minor variations of one, for all sites. It makes it too easy for those trying to get to your stuff.
(d) Perhaps less obvious, you want to make it hard to guess. A distressingly large number of cell phone passwords are "1234," "5555," or the equivalent in their inability to slow up an intruder. Make your passwords at least 8 characters, and include every category on your keyboard: capital letters, lower case letters, numbers, and those symbols above the numbers, like the "#" sign above the keyboard's number "3." Of course, the stronger the password (number of characters, mix of characters) the more difficult it is to remember and use. That might be worth it for the password to your online banking, but a weaker one might be enough for your local online newspaper.
(e) If you have a number of passwords you'll need a way to record what they are and save them -- preferably not on your computer. You might want to consider a master password system, such as LastPass.com; but they involve more description and instruction than can be provided here.
(f) Finally, to borrow from Big Pharma's TV ads, "Ask your computer consultant if encryption might be right for you." Like passwords, encrypting a file will provide an added layer of security, but also create, like master passwords, one more thing you'll have to learn about, and step to go through, in using that file.
And see, Gregory Johnson, "Yahoo Accounts Vulnerable to Hacking -- Why and How to Protect Yourself," ResourcesForLife.com, February 5, 2013.

5. Update your programs. You may not care about the features offered in the latest updated versions of programs you use. What you do need to care about are your computer's vulnerability to attack as a result of the current versions you're using. The more popular the program the more likely it is to have been targeted by those spreading viruses and other malware -- programs such as Java, Adobe's Acrobat Reader, Microsoft's Internet Explorer, and Google's Chrome. Again, there is no 100% protection from these attacks. But well over 90% of them are attacks by way of programs that have not been updated. Most browsers and programs provide a feature for automatic updates at no additional charge to you. They are primarily software patches to the program's newly discovered vulnerabilities. If you're compulsive about keeping them updated you will eliminate most of the risk -- not all, but most.

6. Be cautious of Wi-Fi connections. A Wi-Fi connection to the Internet turns your laptop into a radio transmitter and receiver. (As distinguished from connecting with what is called an Ethernet cable.) Some Wi-Fi connections are open to the public, others are secured with passwords. If you're using your own at home, make sure your consultant geek knows how to maximize your security (applying the same password suggestions as in 5, above). If you're out in public, find out how secure the system is -- and probably save any financial transactions until you're back home.

7. Be skeptical. If you're over the age of 5 you probably know about scams. If someone emails you, asking you to accept their $15 million from Nigeria, after you send them a deposit, it's highly unlikely you'll ever see again the money you sent them -- not to mention any of the $15 million. Those are relatively easy. More difficult are emails from people you know (whose email accounts have been hacked) that you open reflexively before noticing, and wondering why, they are now using an email address from Russia. It's an especially good idea never to click on Web addresses in emails from people you don't know, or even from people you do know if the email doesn't look quite right, or like something they would have sent. It's highly unlikely that your bank is asking you to send it your Social Security number, or online banking password, however much that email may look like it came from your bank.

As we began, "There's no perfect security." We may not have the computer security problems confronting our military, banks, and other large corporations, but we have our own set of challenges. We also have our own set of solutions, thankfully much simpler than those required by large institutions. Moreover, as with maintaining our health, most of the reasons for unauthorized intrusion into our computers are within our control. Whether we choose to exercise that control is up to us.

# # #

No comments: