“I operate under the principle that my computer is owned by at least three governments.”
This was said by Costin Raiu, Senior Security Researcher for Kaspersky Lab, in a presentation he gave to information security analysts at an event hosted by Kaspersky. Raiu wasn’t joking. As a security expert, he understands that the internet and the machines with which he uses to connect to the internet, are very (very) vulnerable.
Not only are networks and computer systems vulnerable to viruses and other malicious software obtained by “normal methods” (such as Drive-by- Downloads and someone opening an email attachment that contains malicious software), but people, organizations, and networks are also vulnerable to the consequences of successful social engineers.
A social engineer is someone who uses a form of communication (such as email or phone) to trick people or companies to give information about the target victim. A recent example that outlines the social engineer’s tactics perfectly is the story of how a web developer lost control of a very valuable Twitter handle. In this case, the attacker performed a number of interesting steps to get the information he wanted:
- First, the attacker knew that the target victim had a PayPal account. Armed with this (normally easy-to-find) knowledge, the attacker called PayPal and pretended to be the victim. The attacker (pretending to be the victim) was able to get the last 4 digits of the victim’s credit card number.
- Armed with this knowledge, the attacker then called GoDaddy, and again pretended to be the victim (owner of the GoDaddy account). This time, the attacker was able to get GoDaddy to reset the password on the account by giving the last 4 digits of the correct credit card number on file and by guessing correctly the first two digits.
As you can assume by now, your information stored in company systems, is never completely safe. In an older blog post from last year, entitled Information Security and 3 Ways To Secure Your Data, I wrote about a common saying amongst systems and network engineers, that the only truly secure computer is one that is turned off, disconnected from the internet, and buried in concrete.
The same can be said for networks – and the internet. The internet is not secure, and information that companies store about you on the internet is vulnerable. Indeed, the implementations that companies employ to secure your data are only as strong as the weakest link. As we’ve seen from the example above, the weakest link could simply be an employee who doesn’t care about your data anyway, and who is just there to earn a living.
So What Can Be Done?
Ultimately, there are two options from which to choose:
- Disconnect from the “grid” entirely, and be a hermit.
- Live under the assumption that the internet is insecure, your data (and personal information) is insecure, and take the mindset of Costin Raiu that your computer is “owned” by people with malicious intent.
The first option is probably not an option for most people. It certainly isn’t a very reasonable option. And so, we are left with the only alternative.
The point here is not that you should do “x, y, and z to be safe and secure on the internet.” I firmly believe that the most important part about internet, network and computer security is simply being aware of the possible threats. Knowledge is power, as some say!
Regardless, however insecure the internet is (and always will be), here are some practical things you can do to help (better) protect yourself on the internet:
- Use strong passwords and don’t reuse the same passwords on multiple websites.
- Use a password manager to keep track of your passwords (since you’re not using the same password on multiple websites).
- If you use Microsoft Windows, keep your Windows software updated.
- Use two-factor authentication whenever it is available.
Two-Factor authentication is a method of logging into a website using two different means of credentials. Most websites that have two-factor authentication capabilities allow you to choose a password when you first setup your account, but then they give you the option to enter in your phone number as a second step in the login process. When you visit the website to login, you first enter your password, and then a unique code is sent to your phone via text message, which you would then have to enter correctly before being granted access to the website.