Security Experts:

An Open Letter to the New Year on My Five Cybersecurity Resolutions

Dear, New Year,

My, how time flies. I can’t believe you’re already here, spurring me to make resolutions –presuming I have room to improve. 

By now, I think you know me well enough to guess the things I won’t be doing. Like signing up for a new gym membership or promising to eat less cheese. What I am willing to promise, however, is to be more diligent about my personal cybersecurity, starting with five easy tasks that can help me – or anyone – improve online safety. 

1. Turn on two-factor authentication for email. 

Consider this a starting point. If there’s one thing you do this year – nay, today – this is it. 

Email is the skeleton key to your digital life. If you aren’t using two-factor authentication, just give up, stop trying to be secure. You don’t stand a chance. In fact, you may as well take photos of your passwords and put them up on the internet.

The reason is simple. Think about if you forget your bank password. What happens? You have a reset link sent to your email address. If a hacker can easily access your email, he can also access all your other accounts and reset their passwords. 

Two-factor authentication adds a massive layer of protection, and companies like Google and Microsoft have made it quite easy to set up. You don’t need to remember a pesky, complex password – average will do if multi-factor is behind it – and you only need to re-enter your code every 30 days. 

2. Implement a password manager. 

If you want to be even safer and avoid having two-step verification codes sent via SMS, you can choose to use Google Authenticator to receive a randomly-generated code from a password management program like 1Password. With these types of programs, you receive a one-time password (OTP) that is good for a single login session and cannot be sniffed out for use, say, in a replay attack. 

The password manager lives in your browser and makes it easy for you to maintain lots of different, unique passwords. When you want to access an online account, you simply click on your password manager and it logs you in. You only need to remember the password manager’s master password – or better, pass phrase. While we often think of a password as 8 to 15 characters with mixed case, a pass phrase –  like “Ich übe Geige mit meinem Hund” – is much harder for computers to crack. 

3. Update your wireless router firmware. 

Stick a reminder on your calendar and make checking for the most up-to-date version of firmware part a quarterly routine. In doing so, you can help to ensure that you’re getting fixes to detected security vulnerabilities and optimizing performance. Just check your router manufacturer’s website for specific download instructions – usually within support pages – and get ‘er done. 

4. Create VLANs for your internet of things (IoT) devices. 

Creating VLANs for IoT devices is a bit more esoteric than getting two-factor authentication set up for your email account, but it’s a nice and easy enough thing to do. In a nutshell, it’s about creating separate guest networks. For example, if you may have 20 clients or IP addresses – hooked up to your network. These could be iPhones, Alexa, Sonos, Chromecast, iPads, wireless access points, you name it. The idea is to set up a separate VLAN – or IoT guest network – for items, like your television or Alexa, that you don’t always have control over or necessarily know what they’re doing. 

5. Deactivate all old devices still connected to your account – and check to see what can access your account. 

Yup. Deactivate all old devices. Like with an iPhone, for example. Apple has this notion of trusted devices through which you can access your account. When you give away, sell or lose a phone, you need to be sure to remove it from your trusted devices so that no one can access your account. 

Next, it’s a good idea to periodically review what applications have access to your account and remove those you don’t need. Twitter, Facebook and Google, for example, all have an option to allow other applications to request access to your account. If you use Gmail, you can check permissions here

It’s also good to make sure the email addresses you have set up for account recovery are correct and to check that your account isn’t forwarding copies of your email to unauthorized places. It’s an old trick, but one that people can tend to forget. In Gmail, go to settings and check forwarding and POP/IMAP.

While these are all simple preventative tasks, I’d be curious to know how many people don’t do them – perhaps because they aren’t aware that they should. But just like regular dental checkups for personal health, these should be baked into your cybersecurity routine. Once implemented and practiced, they can become second nature. 

What do you think, 2018? Can you stop bugging me about the gym now?

Yours truly,

Erin

view counter
Erin O’Malley is an incident response delivery support manager at Accenture Security, FusionX, Cyber Investigation and Forensics Response (CIFR), where she teams with incident responders and threat hunters to document and catalog incident report findings and highlight the value of taking an adversary-based approach to minimize the risk, exposure, and damage of cybersecurity incidents. Prior to joining Accenture, Erin was a security solutions marketing manager at Gigamon. Other past roles have included product marketing for virtualization and cloud security solutions at Juniper Networks and customer marketing at VMware. She has written and edited for GE Digital, WSGR, Business Objects, and the TDA Group, and holds a B.A. in French from Penn State University and an M.A. in French from Middlebury College.