This week researchers Ion, Reeder
and Consolvo published a paper about online security [1] [10] which compared the
security practices of 231 security experts against 294 non-experts.
When asked “What are the top 3
things you do to stay safe online?” unsurprisingly the results differed between
the two groups. I say unsurprisingly because I believe the two groups have a
very different understanding and trust model for online security. The experts
are more likely to think about and understand the potential risks, with
sufficient understanding of technology to mitigate these risks to a level that
is acceptable to themselves. Non-experts are less likely to fully understand
the complete risks, so look towards so-called “trusted” sources for advice.
These trusted sources may not so much be academic or industry researchers
but are more likely to be a mix of companies with a vested interest (such as anti-virus
suppliers) and media or online bloggers (who may or may not understand what they are
doing). This becomes apparent when looking at the top 5 practices of non-experts
(see figure 1). These non-expert practices are good advice, but tend to be older techniques
the IT industry and press has been pushing for many years, rather than more
modern practices that might be more applicable. This is no fault of the
non-experts; security is not their focus. But everyone should realise that
whilst the Internet is open for anyone to use (and long may it stay that way), as
in the real-world there are people who will take advantage of the less
mindful. Online security is as much the responsibility of the individual as it
is of the IT industry and government bodies, and security awareness needs to begin from when users first start to use the Internet as children.
Figure 1 – Non-expert vs expert top online security practices [11]
#1 Regularly patch your system.
The expert’s first choice practice is to "install software updates". I absolutely agree. Keeping systems patched is
probably the best way to prevent unwanted visitors (malware, hackers, government
agencies); akin to making sure all your windows are closed and doors locked
when leaving the house. Too many times have I seen systems that have not been
updated for a long time, or not at all! Patching systems can be a pain in the
ass (I have spent too much of my life sitting there watching Microsoft install
updates) but many companies provide an automated scheduler to painlessly update
in the background (which, according to the research, some non-experts (and maybe some experts) appear to be wary of). Software
vulnerabilities are one of the easiest ways for malware to enter a system, and
unfortunately most software contains holes. Various reasons exist for this –
mainly poor programming techniques, but pressure to release software by a given
date often means it has not been fully tested, hence developers rely on
post-release patching to close these holes. Notorious for patching are
Microsoft and Adobe: not so much down to poor programming (although this may be
a reason) but mainly because their products are so ubiquitous that it is worth
a hacker’s time to find vulnerabilities, as this gives them millions of machines
to target. This month Java had another zero-day vulnerability [2]. This was
serious enough for security advisers to recommend disabling Java until a patch
is released, yet even today, how many people continue to use the older vulnerable
versions of Java? More to the point, how many users know they are using Java?
Non-experts had “using AV software”
in first place. 42% of non-experts had this in their top 3, whilst only 7% of
experts had this in their top 3. Yes, AV still provides some protection;
however, vendors estimate that AV software only catches about 40% of malware
[3]. With estimates of 12 million new malware variants a month [4] AV can only
provide so much protection. AV remains one tool for online security but not THE
tool. Better online behaviour (see below) should come higher up the list than AV, but users need to be taught what good online behaviour actually is.
Not mentioned in the list is data
back-up – possibly because the research was focused on online security practices. Even so, regular backups should form part of an individual’s security posture.
Information that has made it onto the Internet may well be impossible to permanently remove (see below) but
should a device become compromised by malware, such as CryptoLocker, then any data on
that device is probably gone for good.
Just how often to back up, how to back up and where to back up to comes
down to the value of the data being stored. But backups should form part of good online security practice when storing personal data on any Internet
connected device.
#2 Passwords.
Both groups agree that password
hygiene is important, but the two groups differ on what this means. Non-experts
are still constantly encouraged to use strong passwords and
regularly change them. So, out comes the excuse "how can I remember strong
passwords and change them regularly, it’s easier to use the same password for
everything." Experts take a different approach. More important than strong
passwords is using a different password for each account and using 2FA,
thereby reducing the emphasis on passwords and hence reducing the reliance on
strong passwords and regularly changing them. With multiple online accounts the only way to reliably use
unique passwords is through a password manager.
When it comes to passwords, you
need to choose an access mechanism appropriate to the sensitivity of the data being protected. For sensitive data these passwords should be unique,
and where 2FA is not used, ensure these passwords are as strong as necessary
to protect the information.
#3 Online behaviour.
Next on the non-expert top 5 list come two behavioural practices, both of which I believe to be wrong – or more accurately,
incorrectly framed. Again it comes down to understanding the risks. “Only
visit websites they know” is poor advice. The Internet is a dynamic living
creature. If you only visit websites you know you are missing out on all the
websites you don’t know. The advice should be “be wary of which sites you
visit, and trust no one”. Be aware of the risks when visiting ANY web site. If
you must download anything, download it to a sandbox and then virus scan it
before opening it. Online adverts are known to be riddled with malware or
re-direct users to alternative sites. Since the introduction of real-time
bidding for adverts, more and more sites are becoming exposed to malvertising
[5] [6] [7]. To stay safe, don’t click on adverts. Better still install a good
ad-blocker. Anytime you follow a link in a website – check the URL. Use HTTPS
wherever it is available. HTTPS may itself be vulnerable, but it is much better
than using regular HTTP.
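The "check the URL" and "use HTTPS" advice above is easier to follow as a concrete checklist. As an added example (not part of the original post), the function below applies that checklist to a link before it is followed: is it HTTPS, is there a decoy host before an "@" sign, is the host a bare IP address or an internationalised (xn--) name, and does it belong to the site the user thinks it does. The hostnames in the demonstration are constructed.

```python
import ipaddress
from typing import List, Optional
from urllib.parse import urlsplit


def url_warnings(url: str, expected_host: Optional[str] = None) -> List[str]:
    """Return the reasons a link deserves suspicion before it is followed (empty list: none found)."""
    warnings = []
    parts = urlsplit(url.strip())
    scheme = parts.scheme.lower()
    if scheme != "https":
        warnings.append("not HTTPS (scheme is %r)" % (scheme or "missing"))
    host = (parts.hostname or "").lower()
    if not host:
        warnings.append("no host: relative or scheme-less link, so the destination cannot be checked")
        return warnings
    # "https://bank.example@evil.example/" goes to evil.example; the text before '@' is a username.
    if parts.username is not None:
        warnings.append("text before '@' is a username; the real host is %r" % host)
    try:
        ipaddress.ip_address(host)
        warnings.append("bare IP address instead of a domain name")
    except ValueError:
        pass
    # Internationalised names are encoded as xn--...; look-alike characters hide in them.
    if host.startswith("xn--") or ".xn--" in host or any(ord(c) > 127 for c in host):
        warnings.append("internationalised host name; compare it character by character")
    if expected_host:
        expected = expected_host.lower()
        if host != expected and not host.endswith("." + expected):
            warnings.append("host %r is not %r or one of its subdomains" % (host, expected))
    return warnings


if __name__ == "__main__":
    # Constructed sample links; bank.example is the site the user believes they are visiting.
    for link in ["https://login.bank.example/", "http://bank.example/",
                 "https://bank.example@evil.example/login", "http://192.0.2.1/login"]:
        print(link, "->", url_warnings(link, "bank.example") or ["no warnings"])
```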
Finally the non-experts advise
“Don’t share personal information.” With half of the world’s online users using Facebook [8] badly, clearly
this is advice non-experts know about but don’t follow. The advice should be
“Know who you are sharing your personal information with.” Yes, you can share
personal information but be careful who with. Understand what can be done with
your information and how it is stored. Don’t put all your personal information
on Facebook. Don’t send something in an email that you might later regret. The
best advice is if you post anything online, or send anything over the Internet,
assume it can be read by anybody.
Because in most cases it can. And how long is that information retained
for? A recent campaign to allow children to delete their online content [9] is
aimed at helping protect children online. But does this give the wrong message?
You should not post something that you may later regret in the first place
(difficult to tell children, but also difficult for most adults to
understand in the heat of the moment). Social media has made big noises about
allowing people to permanently delete posts. Even if the social media giants
and email providers do permanently delete information from their storage repositories (which
I doubt), this information may well be on other users’ machines who might not want
to delete it. That email you sent to your best friend about your boss being an
arse – anyone could have seen
this email in transit and have it stored on their machine, as became apparent when Snowden leaked "secret" politicians’ emails. Once it is out there
it is very difficult to take it back.
Any of these practices from either the expert or
non-expert group is sound advice, but here is a top 5 list from
a (paranoid) expert with a little bit of knowledge of what they are doing:
#1 Make an effort to understand the risks involved when using the
Internet, and consequences of not doing things securely
#2 Trust no-one and be skeptical of EVERYTHING
#3 Update, update and update
#4 Use 2FA with unique passwords, managed via a password
manager
#5 If you don’t use 2FA, assess the sensitivity against the replacement cost
of what you are protecting and use passwords of a suitable strength that are
changed in a time frame suitable to mitigate compromise. If you are not able to undertake
this assessment then, seriously, you need to question why you are using the Internet.
Oh and #6 – Back up!