This month, I thought it appropriate to post some of my thoughts concerning web and security. Unless you have been unconscious for a while, you have seen so many news articles about ransomware attacks on various corporations. Since many readers work with clients (both internal and external), here are some of my thoughts regarding security. The sad thing is that most of these attack vectors are nothing new. They have been employed for some time, yet some people still fall victim.
I am focusing on what you can do as an individual. Obviously, this is a very large topic and I am just touching on some of the highlights as I see them. I look forward to your comments and encourage further discussion in our member Slack channels, where we can focus on more specific items.
- Passwords should be long and, ideally, complex. If in doubt, length wins over complexity: every additional character multiplies the number of guesses an attacker must make, while a required symbol or digit adds comparatively little. Consider using a passphrase of several randomly chosen words.
- Change a password promptly whenever you suspect it has been exposed, for example when a site reports a breach. If you also want to rotate on a schedule, you decide what interval is comfortable for you, but note that current guidance (NIST SP 800-63B) no longer calls for forced periodic changes on their own, because they tend to produce predictable variations of the old password.
- Passwords should never be reused on more than one site. Never. A password leaked from one site is tried against every other popular service within hours (credential stuffing), so a single breach becomes many. There is no reason why you need to do this.
- If you can’t recall that many passwords, use a password vault. There are a number of alternatives. Protect the vault itself with a strong master passphrase and its own second factor, and keep it current: when you change a password on a site, update the vault entry at the same time.
- Passwords should never be shared with others. Never. If some unusual situation requires another person to access your account, change your password, give that party the new one, and change the password again once the need for their access has passed. Frankly, I cannot think of any situation where this is warranted, but…
- Never open links included in email messages. If you receive a link to a website (such as a banking site), open a browser and type the URL yourself. The text you see in a message and the address the link actually opens can be completely different, and look-alike domains are cheap to register. That is why you should manually enter the URL of any site where you are required to authenticate.
- Unless you are expecting an attachment from someone, never open email attachments. Never. Attachments remain one of the most common ways malware is delivered. If you must share documents, I recommend using a shared online storage service that scans uploads rather than attaching files to email.
- Whenever possible, employ two-factor authentication as part of your login. In a nutshell, there are three ways to prove you are who you say you are: something you know (like a password), something you possess (like a phone running an authenticator app, or a hardware security key), and something you are (like facial recognition or a fingerprint). I recommend using the first two in combination, since it is very difficult to change your biometrics if they are ever compromised. Codes sent by SMS do count as a second factor, but an authenticator app or hardware key is preferable, because a phone number can be hijacked.
- I recommend activating the feature found on modern mobile devices that only allows incoming calls from people in your contact list. Anyone else must leave a voice message. Most scammers rely on a sense of urgency to get you to take an action you would typically not take (for example, saying “yes” or sharing a password). Review the voice message and only call back, using a number you look up yourself, if you are certain you need to speak with the person who left it. Most scammers will not even leave a voice message. I assure you, the sheriff’s department will never call you to let you know they are coming to arrest you. It is best to delete such junk.
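To put numbers behind “length wins over complexity”, here is an added worked example (my addition as editor, not code from the original column). It treats each password as a uniform random draw and compares the entropy, in bits, of a short complex password with that of a multi-word passphrase, then scales each by an assumed offline guessing rate. The tiny word list, the 7,776-word list size (the EFF long list) and the rate of 10^10 guesses per second are assumptions for illustration.

```python
import math
import secrets

# Constructed, deliberately tiny word list for the demo. A real generator
# draws from a published list such as the EFF long word list (7,776 words),
# which is the size assumed in the comparison below.
DEMO_WORDS = ["anchor", "basket", "cinder", "dahlia", "ember", "fossil",
              "garnet", "harbor", "iris", "juniper", "kettle", "lantern",
              "meadow", "nectar", "orchid", "pebble"]

EFF_LONG_LIST_SIZE = 7776   # words in the EFF long list
PRINTABLE_ASCII = 95        # characters available to a "complex" password
LOWERCASE = 26

# Assumed offline guessing rate (guesses/second) against a fast hash on a
# GPU rig. The exact figure is an assumption used only to scale the output.
ASSUMED_GUESS_RATE = 1e10


def entropy_bits(alphabet_size, length):
    """Bits of entropy for `length` independent, uniform draws from
    `alphabet_size` choices, i.e. log2(alphabet_size ** length)."""
    return length * math.log2(alphabet_size)


def years_to_find(bits, guesses_per_second=ASSUMED_GUESS_RATE):
    """Expected years for an attacker to hit the password: on average half
    the space must be searched, so 2**(bits - 1) guesses."""
    return 2 ** (bits - 1) / guesses_per_second / (365 * 24 * 3600)


def compare_policies():
    """Entropy and expected cracking time for several password shapes,
    assuming each is generated uniformly at random. A human-chosen
    'complex' password is far weaker than the 8-character figure here."""
    policies = {
        "8 chars, printable ASCII": (PRINTABLE_ASCII, 8),
        "12 chars, printable ASCII": (PRINTABLE_ASCII, 12),
        "20 random lowercase letters": (LOWERCASE, 20),
        "5 words, 16-word demo list": (len(DEMO_WORDS), 5),
        "5 words, 7,776-word list": (EFF_LONG_LIST_SIZE, 5),
    }
    return {
        name: (round(entropy_bits(n, length), 1),
               years_to_find(entropy_bits(n, length)))
        for name, (n, length) in policies.items()
    }


def generate_passphrase(words, count=5, separator="-"):
    """Draw `count` words with the `secrets` module (a CSPRNG), never `random`."""
    return separator.join(secrets.choice(words) for _ in range(count))


if __name__ == "__main__":
    for name, (bits, years) in compare_policies().items():
        print(f"{name:30} {bits:6.1f} bits  ~{years:.3g} years")
    print("sample passphrase:", generate_passphrase(DEMO_WORDS))
```

Two things the output makes visible: five words from a 7,776-word list (about 64.6 bits) beat eight characters from the full printable set (about 52.6 bits) while being far easier to remember, and the size of the word list matters, since five words from the 16-word demo list give only 20 bits. The comparison only holds for randomly generated passwords; it says nothing about passwords a person invents.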
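Why typing the URL yourself beats clicking the link: the following added example (my addition as editor, not code from the original column) pulls every link out of a constructed sample of a phishing-style HTML message and flags the usual tricks, namely visible text that names one site while the href points to another, a `user@` prefix that pushes the real host out of sight, an internationalized host that can be made to look like a familiar one, and plain http. The sample message and every domain in it are made up for the demonstration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample of a phishing-style HTML email body (not a real message;
# all domains are fictitious).
SAMPLE_EMAIL_HTML = """
<p>Your account needs verification:</p>
<a href="https://evil.example/login">https://bank.example/login</a><br>
<a href="https://bánk.example/login">Verify now</a><br>
<a href="http://bank.example@evil.example/login">Sign in</a><br>
<a href="https://bank.example/login">bank.example</a>
"""

_DOMAIN_RE = re.compile(r"^[A-Za-z0-9.-]+\.[A-Za-z]{2,}$")


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from <a> elements."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_in_text(text):
    """Return the host a reader would *believe* the link points to, if the
    visible text looks like a URL or a bare domain; otherwise None."""
    if text.lower().startswith(("http://", "https://")):
        return (urlsplit(text).hostname or "").lower()
    if _DOMAIN_RE.match(text):
        return text.lower()
    return None


def audit_link(href, text):
    """Return a list of human-readable findings for one link (empty = clean)."""
    parts = urlsplit(href)
    host = (parts.hostname or "").lower()
    findings = []
    if parts.scheme != "https":
        findings.append("not https")
    if parts.username is not None:
        findings.append("userinfo before @ hides the real host")
    if not host.isascii() or any(label.startswith("xn--") for label in host.split(".")):
        findings.append("internationalized host (possible homograph)")
    shown = host_in_text(text)
    if shown is not None and shown != host:
        findings.append(f"displayed {shown!r} but targets {host!r}")
    return findings


def audit_email_links(html):
    """Parse the message body and audit every anchor it contains."""
    collector = _LinkCollector()
    collector.feed(html)
    return [(href, text, audit_link(href, text)) for href, text in collector.links]


if __name__ == "__main__":
    for href, text, findings in audit_email_links(SAMPLE_EMAIL_HTML):
        status = "; ".join(findings) or "no obvious tricks"
        print(f"{text!r:30} -> {href}\n    {status}")
```

The last link comes back clean, which is exactly the point: a parser can only catch the mechanical tricks. It cannot tell you whether `bank.example` is really your bank, so the advice stands: open a browser and type the address you know.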
I know this list is not complete, and it should be obvious to readers. However, it never hurts to review the basics periodically. Always apply a healthy dose of skepticism when anyone contacts you and asks you to take action: the more urgent their request, the greater the likelihood it is a scam.