Secure Your Stuff

As we bring more and more “smart” devices into our home and work environments, the importance of securing them properly grows. I want to briefly answer two questions: “why?” and “how?”

Why is it important to secure your stuff?

There are basically three reasons that cyber criminals attack:

1. To steal your information and sell it on the dark web. Whether it’s your personal identity, login credentials for online accounts or credit card data, your information is valuable.
   
   
2. To get money from you directly, often by encrypting your data and demanding a ransom for its release.
   
   
3. To use your devices as an attack point for other systems. The Mirai botnet and its variants have been using home wireless routers and CCTV systems to attack various points on the Internet since at least 2016.

How can you secure your stuff?

I could write an entire newsletter just on that topic! But for now, there are three things that will thwart the vast majority of attacks:

1. Change default passwords. When you purchase any electronic device, it has a default administrator password set. Typically this password is on a sticker on the bottom of the device, or on a card inside the box. It can also be found on the manufacturer’s website. You should immediately change this default password to a good password of your own. (What’s a good password? Maybe that will be next week’s newsletter!)
   
   
2. Disable remote administration. Most devices will have a checkbox somewhere in the settings with some variation of “remote administration” on its label. Disable this option (or enable “block remote administration” if that’s your label). Without remote administration, your device can only be configured by a computer on your home network, not from the Internet at large.

   These two steps alone would protect your devices from most botnets, as that’s how they gather their victims: using the default administrative password to log onto the device from the Internet, and then installing malware on the device to control it through the botnet.

3. Register your product. I know it’s old school, and most people don’t think to register their products because warranties don’t mean that much these days, but there is one other good reason to register your product: if a security flaw is found, the manufacturer can notify you. For example, in the case of Mirai‘s massive DDoS attacks in 2016, many of the cameras used were from a single manufacturer, and exploited a vulnerability in the firmware. The manufacturer released a firmware upgrade for the newer cameras, and offered free replacements for older cameras that couldn’t be upgraded. Many people were completely unaware of the situation, however, and the manufacturer had no way of knowing who had purchased their products. Accordingly, many of those compromised devices remained in use by botnets until they died and were replaced.

Security Awareness Training Goes Virtual

Thanks to COVID-19, lots of things are going virtual, and that includes my employee Security Awareness Training. I've set up a small studio in our conference room (nobody there but me) so I can provide live training (almost) just like before! You can see me wave my hands and make faces while a wall of fascinating facts and practical tips slideshow across your screens, wherever you and your employees may be.

Contact me to schedule your employee training sessions. They're fun! ☺

Adding “cyber” to your disaster recovery plan

Have you been thinking about your disaster recovery plan? If your current plan only covers hurricanes, tornadoes and fire -- you need to add "cyber" to assure business continuity. This is the subject of my August 25 work(fromhome)shop and I’d love to “see” you there!