What Security Experts Do That You Aren’t Doing

You think you’re pretty tech savvy, right? After all, you are the one grandma calls when she misplaces a file or locks her smartphone. You are always the first one in your office with the newest tech toys and you are the one who has more friends on Facebook than Mark Zuckerberg himself.

You know tech but how much do you really know about securing all that tech? The funny thing is that all the cool gadgets in the world can’t save you from your own lacking security habits. Without an understanding of proper security practices you might as well kiss all your devices, oh, and personal information too, goodbye.

But Where Am I Going Wrong?
Clearly most people don’t think they are being negligent when it comes to securing their information. But a new study conducted by Usenix.org and Google showed very stark differences in the practices of security professionals versus non professionals.

The study, completed in June of this year, found that experts focus on creating unique passwords and storing them in a password manager guarded by a single master password, that they update and patch their systems regularly, and that they use two-factor authentication wherever possible. Non-experts focus on creating strong passwords which they change often, they install antivirus software (but forget to update it), and they stay away from unknown websites.

Let’s take a closer look at the findings and see what we can take away from them so all our gadgets and toys remain as secure as possible.

The Security Professional’s Toolbox

Unique Passwords
Unique passwords are not the same thing as strong passwords. A “strong” password is one that has been approved by the password strength meter that many websites use to check whether your password has a certain number of characters, with some numbers and special characters mixed in. When we see that little strength indicator going up, we assume that we are in the clear and have done what we needed to do to stay secure.

Don’t be fooled. ILoveMyKitty21! will get high marks for strength but it’s by no measure a secure password. Any hacker worth his or her salt can crack that strong password in just a few minutes.

WDSED? (What Do Security Experts Do?)
Experts focus on unique passwords. Unique means that the password is long, has uppercase and lowercase letters, includes numbers and special characters and, most importantly, is one of a kind.

Security expert Bruce Schneier has developed what he calls the Schneier scheme for creating unique and memorable (to you only, hopefully) passwords. It goes like this: take a favorite song or memory, then use the first letter of each word, mixing in relevant memorable characters.

So if you just loved Nirvana back in the 90’s, take the immortal words of Smells Like Teen Spirit and create your password like so: 9SltsWtloildHwRnEu! – You’ll never forget that it stands for Smells like teen spirit With the lights out it’s less dangerous Here we are (R) now, Entertain us! encased by the year the song came out, 1991.

No hacker is gonna crack that any time soon – and it will stick in your brain.


Password Managers

Now that you have your list of highly unique passwords, are you planning on storing them in your head? Or on a piece of paper on your desk at work? And you do plan on creating individual passwords for each site and account you hold, right? Because let’s say your truly creative password does somehow get cracked – if that’s the only one you use for all the sites you log in to, you’re up a creek without a paddle.

Don’t say we didn’t warn you.

WDSED?
Experts use password managers to store the huge amount of different passwords they have for each different account and website they visit. They also use them to create those unique passwords automatically (though honestly, you might have more fun using the above method). Managers can also automatically enter passwords into websites to cut down on login time. Sounds amazing, right?

For some very odd reason though, password managers haven’t caught on with non-expert users as much as one might think. And it really is odd considering that you really don’t need to be at all techy to use them – Password managers are simple and straightforward. And they are really secure too. All you need to do is create one completely unique password that you will remember (Okay, now go ahead and use the method above) and this acts as your master password, guarding all your completely random, manager-created ones inside it.

There are tons of them out there, but LastPass and Dashlane are two of the easiest and most popular choices. Check out https://lastpass.com/ and https://www.dashlane.com/ for more info.
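To make the “strong is not the same as unique” point from the Unique Passwords section concrete, and to show what a password manager actually does with your master password, here is an added Python example. It is not code from the original post, nor from LastPass or Dashlane. It models three things: the naive character-class strength meter the post describes (which happily approves ILoveMyKitty21!), the entropy of a manager-generated random password, and an in-memory vault that verifies the master password with PBKDF2 and flags any password reused across sites. The sites, the master password and the reused password are constructed sample values; a real manager also encrypts the stored entries at rest, which this model leaves out.

```python
import hashlib
import hmac
import math
import secrets
import string

# Character classes a typical website strength meter looks for.
LOWER, UPPER, DIGITS = string.ascii_lowercase, string.ascii_uppercase, string.digits
SPECIAL = "!@#$%^&*()-_=+[]{};:,.?"
ALPHABET = LOWER + UPPER + DIGITS + SPECIAL

# Deliberately slow key derivation so offline guessing of the master password is expensive.
PBKDF2_ITERATIONS = 600_000


def meter_says_strong(password: str, min_len: int = 8) -> bool:
    """Mimic the naive strength-o-meter: minimum length plus one character of each class."""
    return (len(password) >= min_len
            and any(c in LOWER for c in password)
            and any(c in UPPER for c in password)
            and any(c in DIGITS for c in password)
            and any(c in SPECIAL for c in password))


def entropy_bits(length: int, alphabet_size: int) -> float:
    """Bits of entropy of a password drawn uniformly at random from an alphabet."""
    return length * math.log2(alphabet_size)


def generate_password(length: int = 20) -> str:
    """Random password, CSPRNG-backed, with at least one character from every class."""
    if length < 8:
        raise ValueError("generated passwords should be at least 8 characters")
    while True:
        candidate = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if meter_says_strong(candidate):
            return candidate


class Vault:
    """In-memory model of a password manager (constructed example, not a real product)."""

    def __init__(self, master_password: str):
        self._salt = secrets.token_bytes(16)
        self._verifier = self._derive(master_password, self._salt)
        self._entries: dict = {}

    @staticmethod
    def _derive(master_password: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", master_password.encode(), salt, PBKDF2_ITERATIONS)

    def check_master(self, master_password: str) -> bool:
        """Constant-time comparison of the derived key against the stored verifier."""
        return hmac.compare_digest(self._derive(master_password, self._salt), self._verifier)

    def add_site(self, site: str, length: int = 20) -> str:
        """Generate and store a fresh random password for a site, the way a manager would."""
        password = generate_password(length)
        self._entries[site] = password
        return password

    def import_existing(self, site: str, password: str) -> None:
        """Store a password the user already had (possibly one reused on several sites)."""
        self._entries[site] = password

    def get(self, site: str) -> str:
        return self._entries[site]

    def reuse_report(self) -> dict:
        """Map each reused password to the list of sites sharing it."""
        by_password: dict = {}
        for site, password in self._entries.items():
            by_password.setdefault(password, []).append(site)
        return {pw: sites for pw, sites in by_password.items() if len(sites) > 1}


if __name__ == "__main__":
    print("meter approves ILoveMyKitty21!:", meter_says_strong("ILoveMyKitty21!"))
    print("entropy of a 20-char random password: %.1f bits" % entropy_bits(20, len(ALPHABET)))
    vault = Vault("9SltsWtloildHwRnEu!")           # master password from the post's scheme
    vault.add_site("mail.example")                   # constructed site names
    vault.import_existing("forum.example", "ILoveMyKitty21!")
    vault.import_existing("shop.example", "ILoveMyKitty21!")
    print("reused passwords:", vault.reuse_report())
```

The meter approves the kitty password because it only counts character classes; the vault's `reuse_report` is what catches the real problem, the same password guarding two accounts. Generated entries never collide in practice because each draws about 128 bits from the CSPRNG.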

Two-Factor Authentication (2FA)
When you log into an account, you probably don’t feel like having extra steps that take extra time, and that’s understandable. Logging on to your Gmail account, for example, with just your username and password is easy and convenient, and it uses a process called single-factor authentication.

But it’s also pretty insecure.

WDSED?
Security experts use two-factor authentication, or 2FA as it’s commonly abbreviated, as part of their comprehensive security plans. If that same login process for your Gmail account prompted you for an additional piece of information on top of your username and password, that would be a 2FA process.

Have you created a Twitter account recently? If you have, you may remember that after you finished creating your account, Twitter sent you an SMS on your smartphone. Then you had to enter the code they sent you into your account to verify it. That is 2FA. Yes, it makes the login process longer but that extra step is another layer between you and hackers.

You can actually enable 2FA on a lot of websites. Read this article from CNET.com with instructions for how to enable 2FA on some of the most commonly used sites.

2FA isn’t foolproof but it’s a smart step, one that will certainly deter a significant amount of would-be hackers from going after your accounts.
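The post describes the SMS flavour of 2FA; the same idea underlies the authenticator-app codes that most sites also offer. Below is an added Python example, not code from the original post or from Twitter, Google or any vendor, that implements those codes (HOTP from RFC 4226 and TOTP from RFC 6238) and a two-factor login check around them. The user record, the password and the timestamps are constructed sample values; the standard test secret `12345678901234567890` comes from the RFCs. It goes slightly beyond the post in two practical details: a clock-drift window of one step, and a “last accepted counter” so a code that was already used cannot be replayed.

```python
import hashlib
import hmac
import secrets
import struct
from typing import Optional

PBKDF2_ITERATIONS = 600_000


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP (RFC 4226): HMAC-SHA1 over the 8-byte big-endian counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at_time: int, step: int = 30, digits: int = 6) -> str:
    """TOTP (RFC 6238): HOTP whose counter is the number of 30-second steps since the epoch."""
    return hotp(secret, int(at_time) // step, digits)


class SecondFactorVerifier:
    """Server-side state for one user's TOTP factor (constructed model, not a vendor's code)."""

    def __init__(self, secret: bytes, step: int = 30, window: int = 1):
        self.secret, self.step, self.window = secret, step, window
        self.last_counter = -1  # highest counter already accepted; anything <= it is a replay

    def verify(self, submitted: str, at_time: int) -> bool:
        counter = int(at_time) // self.step
        for delta in range(-self.window, self.window + 1):  # tolerate small clock drift
            candidate = counter + delta
            if candidate <= self.last_counter:
                continue  # this code (or an older one) was already used: refuse it
            if hmac.compare_digest(hotp(self.secret, candidate), submitted):
                self.last_counter = candidate
                return True
        return False


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)


def make_user(password: str) -> dict:
    """Enrol a user: salted password hash plus a fresh secret shared with the authenticator app."""
    salt = secrets.token_bytes(16)
    totp_secret = secrets.token_bytes(20)
    return {
        "salt": salt,
        "pw_hash": hash_password(password, salt),
        "totp_secret": totp_secret,
        "second_factor": SecondFactorVerifier(totp_secret),
    }


def login(user: dict, password: str, code: Optional[str], at_time: int) -> bool:
    """Two-factor login: the password (something you know) AND a fresh code (something you have)."""
    password_ok = hmac.compare_digest(hash_password(password, user["salt"]), user["pw_hash"])
    if not password_ok:
        return False  # the second factor is not even consulted without a correct password
    if code is None:
        return False  # single-factor attempt: username and password alone are not enough
    return user["second_factor"].verify(code, at_time)


if __name__ == "__main__":
    user = make_user("hunter2")            # constructed sample user
    now = 1_700_000_000                    # constructed login time
    code = totp(user["totp_secret"], now)  # what the authenticator app would display
    print("password only:", login(user, "hunter2", None, now))
    print("password + code:", login(user, "hunter2", code, now))
    print("same code again:", login(user, "hunter2", code, now))
```

A correct password without the code fails, a correct password with a stale or already-used code fails, and only the pairing succeeds; that is exactly the extra layer the post describes, with the replay check being the detail most home-grown implementations forget.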

Installing (and forgetting about) anti-virus and anti-malware software
Are you assuming that you’re bullet-proof because you have typical anti-virus software installed?

WDSED?
According to the security experts questioned in the study, anti-virus and anti-malware software are effective tools for security when they are kept up to date. All too often though, users install their anti-virus and anti-malware software and never think about it again, rendering them useless.

In order to beat the malware du jour, they need to be updated on a regular basis. That’s one of the main benefits of a cloud-based solution, like RCS, as it updates itself automatically and immediately using cloud-based data. Essentially, it’s always up to date, which means that it’s able to do its job properly, all the time.

Software Patches and Updates
Just as you’re sitting down to get some serious work done (or just watching some cats on YouTube) and then boom – You get a notification from Windows that your OS needs to be updated. You can either do what it says or close it out and pretend it never happened.

Hmmm… What to do, what to do…?

Well, if you are anything like the majority of non-experts out there, you’ll simply close the notification box and put it off until it’s convenient for you, or until the next time you remember to shut down two weeks later, when Windows will take forever to shut down because it has to install the 73 updates you ignored earlier... Sound familiar?

WDSED?
The study found that there are a few key reasons that non-experts don’t patch and update as needed, which pretty much boil down to:

  • Non-experts don’t understand the importance of the patches or updates
  • Patches and updates seem to come with undesirable features
  • Patches and updates make non-experts nervous

But ignoring those patches and updates that Windows and other software send out can be disastrous. In fact, experts say that prompt installation of security patches is one of the top defenses against vulnerabilities. Vulnerabilities are the mistakes in software that allow your system to be exploited by hackers and malware.

By installing updates as soon as possible, you are making sure your computer won’t become compromised by whatever it was that the patch was protecting against.

So, rule of thumb: patch early and patch often. Or better yet, configure your system to install patches and updates automatically by going to your Start menu and typing “windows update” in the search bar. It will take you to the “Windows Update” option in the program list. Then click “Change Settings” and choose the option to have Windows automatically install updates.

Note that in Windows 10 patches are installed automatically, and that’s actually a good thing.

Okay, So Now What?

It makes sense to say that if this is what the experts are doing to stay secure, then we should follow their lead.

So now get out there and gsuapM2uwUpwu&pOuaCBs&2FA. That’s unique-password-ese for go set up a password Manager to use with Unique pass words, update and patch Often, use a Cloud-Based solution and 2 Factor Authentication and you’ll be set for real security.

Sources:

https://www.usenix.org/system/files/conference/soups2015/soups15-paper-ion.pdf
https://boingboing.net/2014/02/25/choosing-a-secure-password.html
http://www.howtogeek.com/202038/why-you-need-to-install-windows-updates-automatically/
http://www.cnet.com/news/two-factor-authentication-what-you-need-to-know-faq/

2 thoughts on “What Security Experts Do That You Aren’t Doing”

1. A good article except WAIT ONE DAY to install system updates and security program updates (think “patch Wednesday” rather than the standard Microsoft monthly “patch Tuesday”). Unless you regularly visit risky sites and download promiscuously, waiting until the next day will not compromise your security much and allows someone else to find the catastrophic gotchas. Always do accept the updates to security signatures immediately.
