Saturday, 6 February 2016

25 Cybersecurity, Online Safety Tips, Best Practices



Written by: Don Okereke

Comparable to the cold war, cybersecurity has been dubbed the ‘’the arms race of the current and future generations’’.
The term cybersecurity is coined by prefixing ‘’cyber’ before security. As we know, ‘’cyber’’ generally relates to information technology, computers and the internet. Hence we define cybersecurity as measures taken to protect computers, computer systems and devices against unauthorized or malicious attacks, intrusion. It is valid to say that no country, establishment or individual is absolutely invulnerable to cyber risk hence cybersecurity is a collective obligation which calls for awareness and for citizens to be internet, social media, technology savvy.


The biggest challenge with the cyberspace is that there are no international boundaries, visas are not needed to travel; intercontinental ballistic missiles or AK47’s are not needed to wipe out a facility or commit a heist. A hacker can stay in the comfort of his house or office in say, China and wreak havoc on critical infrastructures, computers or internet enabled device(s) in far-off United States. For instance, a malware or Trojan Horse known as ‘’BlackEnergy’’ allegedly written by a Russian hacker was used to infiltrate critical government infrastructures in the United States and Ukraine while ‘’Carbanak’’, an ‘’Advanced Persistent Threat’’ (APT) attack  allegedly deployed via phishing emails was used to electronically steal about $1 billion from financial institutions around the world.

My previous essay – “Understanding The Global Proliferation In Cyberattacks, Cybercrime And Data Breaches’’, chronicled the dexterity of  motley trends, specializations  such as cyber-attacks, attacks-as-a-service, cyber-warfare, cyber-espionage, cyber-crime, Fraud-as-a-service (FaaS), cyber-extortion via ransomware, massive data breaches and hacking by state and non-state actors which validates the assertion that the aforementioned incidents are heightening. To appreciate how bad these threats are, United States government agencies struggled to rein in cyber-attacks in the US prompting President Obama’s administration to brainstorm new cybersecurity initiatives aimed at protecting consumers. This explains why some analysts dubbed 2015 as the year of cyber-attacks, data breaches. The proliferation of innovations, events such: Internet of Things (IoT), Bring Your Own Device (BYOD), insider threats (Edward Snowden), penetration and lowering cost of internet enabled mobile devices, are very strong indications that cybersecurity risks will not ebb but certainly ramp up in 2016, going forward.


Granted we may not be able to absolutely avert or rule out the risk of cyber-attacks, unintentional or deliberate data breaches but the good news is that we can reduce such risks to the barest minimum. As they say, it is better to be safe than to be sorry and prevention is better than cure. You don’t necessarily have to be a computer geek to appreciate these techie jargons or to counter aforesaid spin-off emanating from our increasingly interconnected global village - cyberspace. Without much ado, here are some cybersecurity, online best practices, and tips. In no particular order:

1.     Abstain from clicking on links (especially shortened urls) in emails, on social media platforms unless you know, trust the sender and you can confirm that s/he deliberately sent the link.

2.     ALWAYS download Application or software ONLY from trusted websites, sources such as from: Google Play Store, Apple App Store, and Amazon App Store. 

3.     As they say, there’s no free lunch eve in Freetown and if it looks too good to be true, it is most probably is. Be very mindful of online offers that seem too good to be true.
4.     Only make online purchases from websites with SSL certificates (usually indicated by a small icon of a lock in the lower right-hand side of the window). Confirm order history and shipping information directly from the online retailer’s website, not through (shortened) email links.

5.     Don’t use the same password for more than one website, especially for banking and email platforms.

6.     Install firewalls on your systems and ensure your Operating System, Applications, anti-spyware and anti-malware software are up to date.

7.     Regularly back up your important documents, application preferably on the ‘’Cloud” or an external storage device. Reformat and reinstall software on your System if you were exposed to a cyber-attack or had virus on your device.

8.      ONLY give your computer, electronic device to well-trusted vendors, engineers/technicians for repairs to forestall them stealing sensitive and private information which may be used for extortion or blackmail.

9.      Avoid using public computers in libraries, airports, cyber cafes, Wi-Fi for internet banking as some public computers, Wi-Fi's are vulnerable. If for any reason you patronize a public computer for online financial transaction, ensure you scan it for a keylogger, clear the cache, browsing history and delete all temporary files from the computer after usage. Very importantly, never allow the browser to remember your log-in ID and password.

10.                         Change your password regularly and use strong but memorable passwords: The first time you login to your internet banking account, you will need to use the password provided by the bank but you need to change this password in order to keep your account safe. 

11.                         Check your bank accounts regularly: After making an online transaction. Ascertain that the right amount was deducted from your account. Inform your bank right away if you notice any discrepancies in the amount.

12.                         ALWAYS type your bank’s address into your web browser – NEVER click on a link in an email to access you online banking account. Check for a locked padlock or unbroken key symbol in your browser window when banking online. The ‘http’ at the beginning of the website address will automatically change to ‘https’ when a secure connection is established.

13.                         Be wary and do not click on any surprising or fishy looking ‘pop-up’ windows that come out during your online banking transaction.

14.                         Be suspicious of uncalled-for emails or phone calls purporting to originate from your bank, service providers, the police etc. and asking you for your PINs or passwords.

15.                         Ensure sure your financial institution stores passwords in an encrypted format. To ascertain this, if you click on the "forgot password" and the bank sends your password in plain text, it means they are storing it in plain text (or are using an encryption method that is not worth a grain of salt)!

16.                         When accessing your bank account from a smart phone or a mobile device, always use an Application provided by the bank rather than from a web browser.

17.                         Make sure you are logged out of anything else: Don't access your banking account while simultaneously logged to your Facebook account or other social networking sites where cybercriminal regularly visit and try to harvest surreptitiously information from. If possible, use a different web browser for your online banking and another one for other things. For instance, if you use Google Chrome for everyday browsing, use Firefox for online banking or vice versa.

18.                         Disconnect the internet connection when not in use so as to forestall malicious hackers from accessing and stealing your private information, online banking details via an internet connection.

19.                         Financial institutions and companies will nip insider abuse in the bud by watching out for warning signs like employees living above their means, frequent manipulation of data by employees and continuous, excessive use and abuse of privileged and systems account. Banks will be able to combat electronic fraud by filtering out predatory employees, reviewing upwards, the required reliability status for all staff who need privileged roles to work as well as deploying appropriate prevention and detection technologies like CCTV monitoring and access cards with authorizations


20.                         Specific cybersecurity best practices for organizations: 

(a) Create a data breach response plan or policy. 

(b) Insider threat is a big problem; learn from the National Security Agency and Edward Snowden debacle. Individuals are the first line of defense; educate, enlighten and train staff on basic cybersecurity best practices, especially new employees and vendors. Such trainings should encompass how to create strong passwords, recognizing social engineering tactics and phishing emails, avoiding installing unwanted or risky Applications on company systems. Here are 10 ways employees can cause data breaches in an organization.

(c)  Establishments will do well to have a Social Media and Bring Your Own Device (BYOD) policy to forestall staff posting certain information on social media or connecting personal devices, flash drives to workplace systems, networks.

(d)Monitor Applications with access to your data, maintain security patches and ensure software security and antimalware are up to date.

(e)  Limit staff access to sensitive data by creating specific access controls for all users and restricting access to ONLY specific systems they need for their tasks. Organizations should implement system logging and also consider installing user monitoring software to uncover suspicious activities.

(f)    Routinely back up your information, data and ensure the backup is secure. GSM provider - T-Mobile purportedly lost its customers data because it did not have a backup. Very embarrassing.

(g) Ensure your establishment patronizes a credible Cloud Services provider to store your data and ascertain precisely where/which country your data lives or are domiciled and legal issues surrounding ownership and management of your data to forestall losing your data should you terminate your services with your data services provider or if the company suddenly goes out of business. Research the data storage provider and if you are in doubt, ask for references from your cloud provider and contact the reference to ascertain the veracity of the claims of the data storage provider

(h) Ensure your cloud storage provider takes security critically and that they are HIPAA or PCI certified, SSAE 16, SAS 70 and SOC 2 audited and that they employ the best antivirus, firewalls and intrusion detection services programs.

(i)   Don’t just go to sleep, engage the services of an ethical hacker to run a vulnerability or intrusion detection scan and access the security system of your data storage provider.


February, 2016
© Don Okereke
Follow Don on Twitter: @DonOkereke
****************************************************************************************
Bio:
Don Okereke is a passionate, innovative, Information Technology, Social Media-Savvy, proven Security Adviser/Consultant, Entrepreneur, Writer, Public Speaker and Change agent with over 17 years combined Military (Air Force), Private/Industrial Security, entrepreneurial, management skills/experience distilled from Nigeria and the United kingdom. Don loves entrepreneurship, brainstorming solutions to societal challenges and rendering altruistic service to humanity. He is the Founder/CEO of Forenovate Technologies Limited (RC 755695). Inter alia, Don completed postgraduate modules in Forensic Engineering & Science from Cranfield University (Defense Academy), Shrivenham, United Kingdom, a first degree in Industrial Chemistry, a Professional Certificate/training in Communication and Conflict Management from the United Kingdom National Open College Network, a Certificate in Security Practice & Safety Management and a Certificate of Accomplishment in Terrorism & Counter-terrorism: Comparing Theory & Practice from Leiden University (MOOC), Netherlands. His interest and expertise span Security/Safety/ICT/Cultural Awareness Training, Threat/Travel Advisory, Risk Assessments & mitigation, Security survey/mapping, Loss/Fraud Prevention, Due Diligence and Investigations,  Executive/Asset Protection, Business Continuity & Emergency Planning, Background Screening/Vetting,  Competitive Intelligence, Research and Open-Source Intelligence (OSINT) Information Retrieval, Countering Violent Extremism Advocacy and Public Speaking, amongst others. His passion for writing, researching, innovations, sharing information, knowledge, training and mentoring galvanized him into blogging. His passion, knack for writing has seen his articles published on major Nigerian newspapers such The Guardian, The Nation, NewsWatch, Tell Magazine and various reputable local and international online platforms. Don has featured on conferences/seminars as a Guest Speaker and he is routinely consulted by foreign, local, print/electronic organizations for his expert opinion on issues impinging national, personal security and geopolitics. Disappointed with the pervading insecurity, terrorism and insurgency currently stifling Nigeria, Don champions an Advocacy Cause against vestiges of insecurity under the aegis of ‘’Nigerians Unite Against Insecurity and Terrorism’’ and ‘’Say No To Terrorism and Insurgency’’.