Do you get late night calls from your Dad when he can’t send email?
If your colleagues can’t print do they stop by your desk before they go to IT?
Do the people in your house act like the speed of the internet is yours to command?
If the answer is ‘Yes’, then welcome to the cybersecurity front line.
It doesn’t matter if you’re a raw recruit or a seasoned veteran – you’re here because your family, friends and colleagues have nominated you. You are the phone-a-friend who knows about computers and, like it or not, you’re part of what’s keeping a relentless, sophisticated and well-funded criminal enterprise from their cyber front door.
Fetch your cape, hero, you’ve got work to do.
Today is the first day of National Cyber Security Awareness Month (NCSAM) and, like last year, we’re talking to all those people who act as their family’s unofficial IT support: Make today the day you set aside a few minutes to do the simple but important things that make life harder for the bad guys.
The 3 things we asked you to do last year are no less important now than they were a year ago, so don’t skip them.
Here’s a quick reminder of steps 1, 2 and 3 from the original article: Do these 3 essential security tasks for your family today:
- Check that anti-virus is up-to-date and run a scan
- Enable WPA or WPA2 on home WiFi
- Set different passwords for every website
If you do steps 1, 2 and 3 for each of your family members then at some point you’re going to find yourself sat in front of a computer, tablet or phone making sure that anti-virus is up to date.
Whilst you’re sat there, do 3 more simple things that could really help keep your family cyber-safe:
Update it, lock it, encrypt it.
4. Update it
Every minute of every day there is a quiet but furiously active arms race going on between software vendors and criminals. What’s at stake are the network-connected devices used and paid for by ordinary families and businesses.
The criminals are looking for flaws in popular software that they can exploit to take control of computers remotely. The software vendors are looking for ways to confound common attack vectors and trying to patch up flaws as fast as possible.
When the criminals win they can take complete control of a computer, even if it’s on the other side of the world.
And, by remote control, they can monitor it, plunder it for all the data they can get their hands on and recruit it into a giant, illegal, computing cloud called a botnet.
Botnets can be used for everything from looting your files to performing Distributed Denial of Service (DDoS) attacks but they are most commonly used for sending spam.
The biggest botnets are collections of millions of computers and each individual computer can be used to send millions of spam messages a week without the owner even noticing.
One big mistake many people make is to assume that the crooks won’t be interested in “little old me,” but that’s not how it works: cybercriminals simply aren’t going to pass up a computer that can send millions of spams a week, all for free.
Software vendors are getting better and better at releasing patches quickly but what matters most isn’t how quickly patches are created, it’s how quickly we pull patches on to our computers.
One of the largest and most resilient botnets ever seen was created by the notorious Conficker worm that infected over 11 million computers by exploiting a vulnerability in the Windows operating system. A fix for that vulnerability was released by Microsoft 29 days before Conficker first began to appear and if users had applied the patch quickly enough Conficker would have been dead on arrival.
That’s how important it is to download the software updates available to you.
Before updating your software consider for a second that it’s impossible to exploit software that isn’t installed so ditch anything that isn’t needed.
Ideally you’ll update every piece of software that’s left on the system you’ve got in front of you but as a minimum check for updates to the device’s anti-virus, operating system, web browsers and Microsoft Office if it’s installed.
I highly recommend you consider life without Adobe Acrobat Reader, Java, Silverlight and Flash but if you absolutely can’t face it, update those too.
Just as importantly, open up the preferences on each of the pieces of software you’ve updated and tell them to download and install updates automatically from now on.
5. Lock it
When you leave a device unattended it should be locked, just like you’d lock your car. If it isn’t then it’s an open door for thieves and mischief makers.
Anyone who sits at an unlocked computer, laptop, tablet or phone can immediately enjoy the same privileges as the person who left it unattended. Any documents, passwords, photos, credit card numbers, private correspondence, address books or other data that belongs to the user who last logged in is within the thief’s grasp.
Criminals work incredibly hard to achieve that kind of access remotely but no amount of patching and anti-virus will protect you from a walk-up.
Make sure that the device demands a password, PIN, passcode or swipe when it’s locked and then configure it to lock itself after the shortest period of inactivity you can. Remember that if the owner finds it unbearable you can always make it a bit longer later.
The automatic lock is an important back stop because it provides a level of protection no matter how distracted or forgetful the user is but, for bonus points, tell the owner how to lock the device manually too so that it’s locked the second they walk away (that’s Windows Key + L on Windows and Control + Shift + Eject or Control + Shift + Power on a Mac.)
6. Encrypt it
Unfortunately, just screen-locking your computer is not enough to protect it from thieves with physical access.
By rebooting a locked computer from a USB stick (or a CD on older models), thieves can bypass the normal access controls of your operating system.
Within seconds, they can start copying off your files, and may even be able to reset the login password – not just for you but for the administrator as well.
Then they can reboot a second time and log in as if they were you, just as though your computer had never been locked at all.
The answer is to encrypt the device using Full Disk Encryption (FDE). Thieves can still access the raw 0s and 1s stored on the disks that have been encrypted but those 0s and 1s no longer make any sense – until and unless they’re decrypted, they’re just noise.
The more expensive editions of Windows (Enterprise and Ultimate for Windows 7; all versions except Basic for Windows 8) come with FDE software called BitLocker and all Macs come with FileVault. To enjoy the protection of FDE you just need to switch those bits of software on.
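Once FDE is switched on, it is worth confirming that it is actually protecting the disk. The following is an added example, not part of the original article: it interprets the output of the built-in `manage-bde -status` (Windows) and `fdesetup status` (Mac) commands. The sample outputs are constructed, and the field names assume English-language output.

```python
import platform
import subprocess

# Constructed sample of `manage-bde -status C:` output (English locale assumed).
SAMPLE_BDE_ON = """Volume C: [OS]
    Conversion Status:    Fully Encrypted
    Percentage Encrypted: 100.0%
    Protection Status:    Protection On
"""
# Same volume with protection suspended: data is encrypted but the key is exposed.
SAMPLE_BDE_SUSPENDED = SAMPLE_BDE_ON.replace("Protection On", "Protection Off")

def bitlocker_protected(output: str) -> bool:
    """True only if the volume is encrypted AND protection is switched on."""
    fields = {}
    for line in output.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip().lower()] = value.strip().lower()
    # "fully decrypted" and "... in progress" do not end with "encrypted".
    encrypted = fields.get("conversion status", "").endswith("encrypted")
    return encrypted and fields.get("protection status") == "protection on"

def filevault_enabled(output: str) -> bool:
    """True if FileVault reports On and no conversion is still running."""
    return "FileVault is On" in output and "in progress" not in output.lower()

def check_this_machine() -> bool:
    """Run the right status command for this OS and interpret the result."""
    system = platform.system()
    if system == "Darwin":
        cmd, parse = ["fdesetup", "status"], filevault_enabled
    elif system == "Windows":
        # manage-bde must be run from an elevated (administrator) prompt.
        cmd, parse = ["manage-bde", "-status", "C:"], bitlocker_protected
    else:
        raise NotImplementedError(f"no FDE check written for {system}")
    result = subprocess.run(cmd, capture_output=True, text=True, check=True)
    return parse(result.stdout)

if __name__ == "__main__":
    print("Disk encryption active:", check_this_machine())
```

A volume that shows as encrypted but with protection off is treated as unprotected, because suspended BitLocker leaves the data readable to anyone who boots the machine.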
On iOS, setting a lockscreen passcode as we suggested in stage 2 is enough to enable full disk encryption. The passcode you choose is also your device encryption password, so when you choose a lock code, skip the PIN sort and go for a decent password. It’s a bit more trouble but it not only locks your device against snoops, it also keeps the data on it safe even if the whole device is stolen.
On Android, there’s a little bit more work involved because once you choose your passcode, you have to wait for the device to scramble all the data. The device will encrypt by itself, so you don’t have to do anything, but you won’t be able to use the device until it has finished, which takes from one to several hours.