We put the best security capabilities we can into our products, but we can’t do it all. You should be aware of other products and – more importantly – safe practices that thwart the common cyber attacks that victimize innocent users.
In a previous blog post, we talked about password security and password managers. Here we discuss other important security measures you can and should take:
Use a Virtual Private Network
I am writing this blog in a Starbucks using their ‘Google Starbucks’ Wi-Fi network. Even though I had to open a web browser and click a button to connect to the Internet, the connection is completely open and unencrypted. Anyone else in the café could intercept my communications.
But I’m not concerned and I’m not vulnerable. I’m running a VPN client. I pay for a service that has points of presence all over the world. Once I’m connected to the Internet my VPN client connects to one of those points of presence. From that point until I disconnect, the VPN connection acts as a network proxy, encrypting all Internet communications, sending them to the point of presence where they are decrypted and redirected on to their destination. Incoming communications work the same, going through the VPN before getting to me.
As a result, even plain text communications are opaque to anyone snooping on the local network. HTTPS sites, which use SSL (Secure Sockets Layer) to encrypt communications, also protect what you exchange with them even on open networks, but the connection information is still open: a network intruder would see what sites you’re communicating with. When you use a VPN, all they can see is that you’re on a VPN.
Employers can and often do provide VPN services for users on the road, but if yours doesn’t, or if you need one for your own personal communications, you may want to subscribe to a service. We don’t endorse any in particular. PCMag.com recently reviewed 10 of them.
Use SSL Whenever Possible
Sometimes a VPN is not available. In that case, you need to be conscious of what you are doing on the Internet and try, wherever possible, to use Secure Sockets Layer, better known as SSL, a protocol used by many programs to encrypt communications with a server.
Facebook is one of the many sites that now connect only over SSL. Through a standard called HTTP Strict Transport Security (HSTS), if you attempt to connect to it through http, it will redirect your request to https. But not everyone does this yet. And some protocols, like the classic SMTP, IMAP and POP3 email protocols, don’t usually have SSL support.
When you connect to an SSL site, it is important not to ignore errors reported by the browser.
There can be problems with the SSL certificate on web sites. The certificate can be ‘self signed’ and not issued by a trusted certificate authority. You can also see errors saying that the certificate has expired or been revoked. Current versions of web browsers will display an error message describing the problem. In such a case, you should almost certainly not connect.
Modern versions of SSL are actually called Transport Layer Security (TLS) but, as a practical matter, the name SSL is acceptable for them too. SSL is popular with other programs for encrypted communications, but these are less visible to the end user.
Install Software Updates
Many organizations and individuals are still lax about applying updates to software or upgrading from old versions known to be insecure. This is one of the main ways that systems actually get exploited in the real world.
There are a few products which are the main targets of such attackers: Microsoft Office, Adobe Flash, and Oracle’s Java. Windows itself (including Internet Explorer) is also a very large target, as seen with the recent WannaCry ransomware attack. Adobe has done a good job of minimizing vulnerabilities in Acrobat and the PDF Readers. But you should make a point of applying updates on all of these products promptly.
If your company allows you to install personal software on a company device, remember that they may not update your software. It’s your job to do so. Secunia sells products which check systems for outdated, vulnerable software.
Safety Tips for Admins:
Insist on Auditable Logs
When things go wrong, you need the information to determine what happened. Applications that write liberally to system logs, and that let you determine which events you want logged, are your best hope for getting to the root of the problem. It’s best that they write to the system event logs or support the syslog standard; at the least, their logs should be importable into analysis products.
Turn on Intrusion Alerts
At both the level of the network and individual systems you should run intrusion prevention software and enable alerts. It may be that certain innocuous alerts show up a lot, but it’s the unusual things you’re looking for. Alerts allow you to jump on them quickly before an attacker can gain a privileged foothold on your network.
Use Blacklists for Attacks
Blacklists are dismissed by many for being too reactive, but reactivity can be underrated. Many systems, once under the control of attackers, can be a steady source of attacks for a long time. Spam blocking systems for email make extensive use of blacklists and server-based reverse proxy security software generally supports them. You can use what you learn from logs and alerts to block malicious systems.
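One way to turn logs into a blacklist, as an added example that is not part of the original post: it reads sshd lines in traditional syslog format, counts failed logins per source address inside a sliding time window, and returns the addresses to block. The log lines are constructed; the threshold, window, allow list, `year` default and function name are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Constructed sample: sshd lines in traditional syslog format.
SAMPLE_LOG = """\
Jun 12 03:14:01 web1 sshd[811]: Failed password for root from 203.0.113.7 port 40112 ssh2
Jun 12 03:14:09 web1 sshd[811]: Failed password for invalid user admin from 203.0.113.7 port 40113 ssh2
Jun 12 03:14:20 web1 sshd[812]: Failed password for root from 203.0.113.7 port 40120 ssh2
Jun 12 08:00:00 web1 sshd[901]: Failed password for alice from 198.51.100.99 port 5101 ssh2
Jun 12 08:30:00 web1 sshd[902]: Failed password for alice from 198.51.100.99 port 5102 ssh2
Jun 12 09:00:00 web1 sshd[903]: Failed password for alice from 198.51.100.99 port 5103 ssh2
Jun 12 09:05:00 web1 sshd[950]: Failed password for backup from 192.0.2.10 port 2201 ssh2
Jun 12 09:05:02 web1 sshd[950]: Failed password for backup from 192.0.2.10 port 2202 ssh2
Jun 12 09:05:04 web1 sshd[950]: Failed password for backup from 192.0.2.10 port 2203 ssh2
Jun 12 09:10:00 web1 sshd[960]: Accepted password for alice from 198.51.100.99 port 5200 ssh2
"""

LINE = re.compile(r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
                  r"Failed password for (?:invalid user )?\S+ from (\S+) port \d+")

def build_blocklist(log_text, threshold=3, window=timedelta(minutes=5),
                    allow=("192.0.2.0/24",), year=2017):
    """Return sorted source IPs with >= threshold failed logins inside the window."""
    allowed = [ip_network(n) for n in allow]   # your own hosts must never be blocked
    failures = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue                           # not a failed-login line
        try:
            src = ip_address(m.group(2))
        except ValueError:
            continue                           # hostname or garbage, not an IP address
        if any(src in net for net in allowed):
            continue
        # Traditional syslog timestamps carry no year, so the caller supplies one.
        failures[src].append(datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S"))
    blocked = []
    for src, times in failures.items():
        times.sort()
        # Sliding window: are any `threshold` consecutive failures close together?
        if any(times[i + threshold - 1] - times[i] <= window
               for i in range(len(times) - threshold + 1)):
            blocked.append(str(src))
    return sorted(blocked)
```

With the sample data only 203.0.113.7 is returned: the user who mistyped a password three times over an hour and the allow-listed backup host are left alone.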