As a final topic for this chapter, consider what measures each of us, as individual users, and businesses can take to secure computing technologies. There is no way to have 100% security, but there are several simple steps each individual, or business can take to be more secure.
A National Cyber Security Strategy was developed, as a result of the 2018 National Cyber Threat Assessment, for businesses to improve their resiliency through investment and actions in cyber security. The comprehensive strategy outlines thirteen baseline controls that should be deployed with more details on each control.
- Develop an incident response plan
- Keep Operating Systems and Applications up to date
- Enable Security Software
- Securely Configure Devices
- Use Strong User Authentication
- Provide Employee Awareness Training
- Back up and Encrypt Data
- Secure Mobile Devices
- Implement Firewalls, VPNs and other Perimeter Defences
- Secure Cloud and Outsourced IT Services
- Secure Websites
- Implement Access Control and Authorization
- Secure Portable Media
- Keep your software up to date. Whenever a software vendor determines that a security flaw has been found in their software, an update will be released so you can download the patch to fix the problem. You should turn on automatic updating on your computer to automate this process.
- Install antivirus software and keep it up to date. There are many good antivirus software packages on the market today, including some that are free.
- Be smart about your connections. You should be aware of your surroundings. When connecting to a Wi-Fi network in a public place, be aware that you could be at risk of being spied on by others sharing that network. It is advisable not to access your financial or personal data while attached to a Wi-Fi hotspot. You should also be aware that connecting USB flash drives to your device could also put you at risk. Do not attach an unfamiliar flash drive to your device unless you can scan it first with your security software.
- Backup your data. Just as organizations need to backup their data, individuals need to so as well. The same rules apply. Namely, do it regularly and keep a copy of it in another location. One simple solution for this is to set up an account with an online backup service to automate your backups.
- Secure your accounts with two-factor authentication. Most e-mail and social media providers now have a two-factor authentication option. When you log in to your account from an unfamiliar computer for the first time, it sends you a text message with a code that you must enter to confirm that you are really you. This means that no one else can log in to your accounts without knowing your password and having your mobile phone with them.
- Make your passwords long, strong, and unique. Your personal passwords should follow the same rules that are recommended for organizations. Your passwords should be long (at least 12 random characters) and contain at least two of the following: uppercase and lowercase letters, digits, and special characters. Passwords should not include words that could be tied to your personal information, such as the name of your pet. You also should use different passwords for different accounts, so that if someone steals your password for one account, they still are locked out of your other accounts.
- Be suspicious of strange links and attachments. When you receive an e-mail, tweet, or Facebook post, be suspicious of any links or attachments included there. Do not click on the link directly if you are at all suspicious. Instead, if you want to access the website, find it yourself with your browser and navigate to it directly.
You can find more about these steps and many other ways to be secure with your computing by going to https://www.getcybersafe.gc.ca/en
A Note on Password Security
So why is using just a simple user ID and password not considered a secure method of authentication? It turns out that this single-factor authentication is extremely easy to compromise. Good password policies must be put in place in order to ensure that passwords cannot be compromised. Below are some of the more common policies that organizations should use.
- Require complex passwords. One reason passwords are compromised is that they can be easily guessed. A password should not be simple, or a word that can be found in a dictionary. Hackers first attempt to crack a password by testing every term in the dictionary. Instead, a good password policy should require the use of a minimum of eight characters, at least one upper-case letter, one special character, and one digit.
- Change passwords regularly. It is essential that users change their passwords on a regular basis. Also, passwords may not be reused. Users should change their passwords every sixty to ninety days, ensuring that any passwords that might have been stolen or guessed will not be able to be used against the company.
- Train employees not to give away passwords. One of the primary methods used to steal passwords is to simply figure them out by asking the users for their password. Pretexting occurs when an attacker calls a helpdesk or security administrator and pretends to be a particular authorized user having trouble logging in. Then, by providing some personal information about the authorized user, the attacker convinces the security person to reset the password and tell him what it is.
- Government of Canada. (2020, February). Baseline Cyber Security Controls for small and medium organizations v1.2. Communications Security Establishment. https://www.cyber.gc.ca/sites/default/files/publications/Baseline.Controls.SMO1_.2-e%20.pdf. ↵