The following article is aimed at introducing you and your business to Information Security and helping you keep up-to-date with the ever changing problems and challenges that arise from having an online presence.
Gone are the days of leaving your house and not worrying about having to lock all doors and windows. In a similar fashion, the same can be said about the use of your computers and mobile devices.
Connected or not, computers and mobile devices are vulnerable in many ways. Good and reliable security comes down to 3 things: Be Alert, Be Aware and Be Advised.
Following are some of the basic concepts to help you and your employees to identify and mitigate security risks and hazards associated with conducting business online.
Do you have the same key for your car, front door, office, mailbox and bank safe deposit box? How easy would it be for anyone in possession of a copy of that key to access and steal everything you own if you did?
Do you have the same or a very similar password for Wi-Fi, e-mail, Facebook, WordPress, computer login and online banking? Imagine how easy it would be for anyone in possession of that password to access, steal or delete all your personal and/or financial information.
Passwords should always maintain a minimum standard of at least 8 characters with at least one each of the following: a number, a capital, a symbol.
For example:
A good password: Ex4mPl3!
A bad password: example123
A good password: G00d$ecur1tY
A bad password: patrick1972
"Passphrases" are becoming a more recognised form of authentication. A passphrase is exactly what it sounds like: a phrase, as opposed to a single word.
A good passphrase: Lock@the#door$
A bad passphrase: "lock the door"
A good passphrase: The Car Is (Yellow)
A bad passphrase: "the car is yellow"
Passwords should be applied to all points of access in your network and system, with all passwords different depending on what it allows access to.
Passphrases are easier to remember due to their lack of complexity, but by employing so many more characters the number of permutations required to guess this type of code makes it a lot harder for a would-be attacker to find a way in. Additionally, make sure all employees understand that passwords should never be stored in plain view, as this defeats all safe security practices.
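To make the password and passphrase guidance above concrete, here is an added Python example (not code from the original article) that applies the article's stated rule (at least 8 characters with a number, a capital and a symbol) to its own example passwords, estimates the brute-force search space from the character classes used, and flags plain dictionary phrases that an attacker would guess long before brute force matters. The WORDLIST is a tiny constructed stand-in for a real cracking wordlist, and the "fewer than three character classes" threshold for a plain phrase is an assumption chosen to match the article's good/bad labels.

```python
import math
import re
import string

# Constructed stand-in for a real cracking wordlist (assumption: a few words suffice here).
WORDLIST = {"the", "car", "is", "yellow", "lock", "door", "example", "patrick"}

# Pool size of each character class, used for the brute-force estimate.
CLASS_SIZES = {"lower": 26, "upper": 26, "digit": 10,
               "symbol": len(string.punctuation) + 1}  # punctuation plus space


def char_classes(pw):
    """Return the set of character classes present in pw."""
    classes = set()
    for ch in pw:
        if ch.islower():
            classes.add("lower")
        elif ch.isupper():
            classes.add("upper")
        elif ch.isdigit():
            classes.add("digit")
        else:
            classes.add("symbol")  # punctuation and spaces share one pool
    return classes


def meets_password_rule(pw):
    """The article's rule: at least 8 characters with a number, a capital and a symbol."""
    return len(pw) >= 8 and {"digit", "upper", "symbol"} <= char_classes(pw)


def brute_force_bits(pw):
    """log2 of the keyspace to search if the attacker only knows which classes are used."""
    pool = sum(CLASS_SIZES[c] for c in char_classes(pw))
    return len(pw) * math.log2(pool)


def is_plain_phrase(pw):
    """True when pw uses fewer than three character classes and every letter run
    is a wordlist word (assumed threshold): guessable by a dictionary attack."""
    words = [w.lower() for w in re.findall(r"[A-Za-z]+", pw)]
    return len(char_classes(pw)) < 3 and bool(words) and all(w in WORDLIST for w in words)


def assess(pw):
    """Summarise the three checks for one candidate password or passphrase."""
    return {"rule": meets_password_rule(pw),
            "bits": round(brute_force_bits(pw), 1),
            "plain_phrase": is_plain_phrase(pw)}


if __name__ == "__main__":
    for pw in ["Ex4mPl3!", "example123", "G00d$ecur1tY", "patrick1972",
               "Lock@the#door$", "lock the door", "The Car Is (Yellow)", "the car is yellow"]:
        print(f"{pw!r:24} {assess(pw)}")
```

Note that "lock the door" scores more brute-force bits than "Ex4mPl3!" purely on length, which is exactly why the plain-phrase check matters: keyspace alone overrates phrases made of common words.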
Multi-factor (or two-factor) Authentication is the procedure whereby access to a certain account or service is validated in more than one way.
For example, when transferring money in your bank account, some banks have the policy of sending out a code which you must input to allow the transaction to proceed.
This is only two-step authentication, and it is possible to add more steps as well, by verifying access using other forms of authentication such as emails, security questions, and even phone calls in very high security areas.
Keep your passwords/passphrases strong and use two factor authentication whenever possible to increase and maintain security with regards to the access to your devices and personal/business/financial information.
Backdoors and security bugs that could potentially render your computers/devices vulnerable to attack are discovered and exploited daily.
Out-of-date/unpatched software makes you and/or your business vulnerable to:
Best practice is ensuring your operating system (such as Windows, macOS or Android) is set to update itself automatically as soon as updates are available, and making sure that other applications present on the system are also regularly updated.
An application or system that works well doesn't mean it is secure. For example, running Windows XP, Windows Vista or Windows 7 leaves you wide open to being compromised, as old operating system versions are no longer updated for recently discovered security bugs.
Your computer/device running old software may have been infected twelve months ago by malicious code lying undetected, collecting information and slowly infiltrating the system by opening hidden backdoors for attackers to gain access, thereby taking full control of your system.
Keeping your operating systems and applications up to date as soon as updates are available will increase and maintain the security of your computers/devices/networks.
"Phishing" is the fraudulent practice of sending emails purporting to be from reputable companies or individuals in order to induce you into revealing personal information, such as passwords and credit card numbers.
Examples of phishing/spear phishing attacks:
Many people fall for such scams on an hourly basis as it is relatively easy for anyone to send an e-mail pretending to be someone they are not.
Best practices to avoid being phished:
Remember that software doesn't replace common sense, be alert. Hackers and "social engineers" will very often target third party individuals to reach their real goal.
For example, recently a prominent company in the U.S. was hacked via an air-conditioning management company that had access to its network.
Another typical example is when hackers work at getting information from staff at the bottom of the hierarchy to gradually get to the top.
It's easy to listen to, or start a conversation with other people in a room when you're allowed in that room.
It's easy to listen to, or start a conversation with other devices on a network when your device is allowed on that network, and when you have the right tools to listen.
Once allowed on a public network, an attacker will be able to identify devices present on the network, and possibly decipher encrypted traffic coming from/going to your device.
Any application on your device that is set to automatically log in to synchronise information from/to your device (e-mail, social media, cloud storage, etc.) is vulnerable to leaking sensitive information (passwords, personal data) to an attacker.
Best practices when using public/free Wi-Fi:
Good questions to ask yourself before connecting to a publicly available Wi-Fi network:
If you must use free Wi-Fi, use a VPN (Virtual Private Network).
A VPN or Virtual Private Network is a method used to add security and privacy to private and public networks, like Wi-Fi Hotspots and the Internet. VPNs are most often used to protect sensitive data.
The purpose of a firewall is to monitor all traffic to and from a network in order to:
Nowadays, all broadband routers include a built-in firewall that can be easily configured.
Best practices with firewalls:
The purpose of an anti-virus solution is to prevent your device(s) from being infected with malicious programs that could potentially steal/destroy your personal information, attack other devices, or conduct illicit activities using your identity.
When choosing an anti-virus program, reputation is key. Free/cheap doesn't necessarily equate with security.
Best practices with anti-virus:
The purpose of backups is to have a copy of your data in the event of one of your devices being lost, compromised or permanently inoperable.
Cloud storage is now widely available and is a great way to back up photos and documents; however, such a storage solution makes you dependent on its availability, security and reliability. It is therefore advised to also keep physical copies of your data.
Best practices with backups:
Nowadays when purchasing a new laptop or device, you are always prompted to create a login account when setting it up for the first time. This isn't true for Internet routers and certain commercially available printers. With regard to routers, your internet service provider will send you a device with a factory pre-configured login/password combination such as "admin/admin" or "admin/password".
The factory login credentials for any router can be obtained by looking up the model and associated user manual on the internet, and most routers will also have the Wi-Fi access password readable on a sticker behind or under the device.
With this in mind, it is strongly advised to reset those passwords following strong password security rules.
With regards to certain printers, sometimes a simple press of a button will reveal critical login information, which can enable an attacker to access the network.
Even though most routers and printers come with remote access disabled, it is always very wise to periodically verify that remote access is in fact disabled.
By taking the time to read this article, you have improved your understanding of the risks associated with having an active online presence, whether for business or for simple social activities.
You may be running a small business that doesn't turn over half of Australia's GDP, and think that hackers only target "bigger fish", but children usually learn to fish by catching small fry.
The internet is rife with "script kiddies" (young hackers in the making), whose motivation is ego-driven and who will stop at nothing to exploit any vulnerabilities they come across simply for glory.
More recently, a wave of "ransomware" (viruses locking all your information and requiring you to pay to unlock it) is sweeping the online community, and any internet user without security awareness is only one click away from becoming a victim.
By applying the principles outlined above, you will greatly reduce your exposure to online malicious practices, and increase your online security and privacy.
Useful Links:
Useful Books:
If you have any questions regarding this article or information security for your business, feel free to contact our security and support team.
The Security Team at Domain Registration Services
Domain Registration Services
Tel: 1300 863 436
Website: www.domainregistration.com.au
Email: [email protected]