INTERNAL BLOG: The importance of Cyber Security

by Laurent Corneille

Head of Technology

For many people in the UK, the importance of “cyber security” took root a couple of years ago when TalkTalk, one of the country’s biggest Internet Service Providers, was hacked, compromising millions of consumers’ personal details. A couple of weeks later, a huge data breach concerning a US “dating” site called Ashley Madison (a site specialising in the facilitation of extra-marital affairs) became a cause célèbre, triggering thousands of divorces all over the US when the user details of many sad blokes were revealed to seven billion people. To add to the embarrassment, it was found that 99.8% of female profiles on the site were mere “bots”, created by sweaty computer programmers to entice men. Dumb! (©Trump)

Since then, a colossal number of breaches have occurred, and they are only becoming more frequent. Evernote, Yahoo, Sony and even TK Maxx (!) have all been compromised in some way. Hacks and algorithm manipulation are interfering with the democratic process (see Russia/Trump and Emmanuel Macron). Last week, thousands of computers/systems around the globe were touched by a ransomware attack. In the UK, the National Health Service was affected, causing chaos as operations were cancelled and ambulances diverted to other A&E departments. Stuff just got real, people.

The Second Law of Thermodynamics states that entropy tends to increase in time. In other words, the arrow of time points in one direction. In other words, things are only going to get worse, so get used to it! The genie is out of the bottle. As I wrote in my excellent blog entry that you all read and committed to memory, behavioural change is required – difficult though that may be.

What can I do to protect myself?
You will never be 100% secure. A state-sponsored hacker, with all the resources in the world, can penetrate any system. The Brits and Americans created a self-replicating virus called STUXNET which was effective in shutting down the Iranian nuclear programme by messing with centrifuge speeds. STUXNET actually targets control systems for large-scale industrial processes (water treatment plants, dams, power plants, etc.). Want to learn more? Here’s an article. Start stocking up on them beans and toilet paper y’all!
The good thing is, I’ll hazard a guess that you are not an Iranian nuclear physicist, nor a proponent of global Jihad. Therefore, the chances of a state-sponsored actor actively targeting your computer are minimal.

Things I have done to protect myself and that you should too (FOR YOUR OWN PERSONAL COMPUTER)

1) Visit this address: https://haveibeenpwned.com/ and register all your email addresses. If your email address is ever found on a hacker’s list, you will be notified. If that happens, change the password related to that email address immediately. I have received several notifications in the past couple of years. If you are notified about your IDG email address, please contact me or Theo.

2) Go to: https://ransomfree.cybereason.com/ and download Ransomfree. As the name suggests, this is a free piece of software that protects you from bad hombres who encrypt your computer hard drive until a (not unreasonable) ransom is paid. Ransomfree sits in your system tray and watches for unusual patterns on your computer. (Some of you may spot an odd folder on your C drive with random Word docs like “significant.schools”. Ransomfree plants these files on your computer as bait, so do not remove them!)
I will look into ways in which we can roll this software out to IDG computers too. It may require us to do this on a terminal-by-terminal basis.

3) Change your password! If you have a password – or variant – that features on the worst passwords ever list – click here for the list – do yourself a big favour and change your password immediately!

4) If you do not have a password manager, get one. I use Enpass (https://www.enpass.io/). It’s free and works across your computer, phone and tablet. Trying to remember dozens of different passwords is not possible. There are 3 ways to deal with this:
a. Have one single password for all sites, which is possibly the worst thing you could do short of pouring milk before the teabag.
b. Write your passwords down in your diary, an unsecured Word doc, or in a shopping-list type app on your phone. No!
c. Download a password manager like Enpass. This will allow you to record all your passwords for all the sites/services you use. You will only need to remember one master password to decrypt and access all your other passwords. It synchronises across all your devices and really does work.

5) Get yourself a dummy email address. Iraniannuclearphysicist@gmail.com for example. Use your dummy email address if you are ever asked to register for any service that is not important. Does Costa Coffee need your personal email address? I think not. Reduce your exposure by keeping your personal account for your friends and for stuff that really matters, like personal finance. The rest can eat spam.
(Avoid using Yahoo, either as a dummy address or as your primary address. Theirs was one of the biggest data breaches in history, which they attempted to cover up. Their security has been shown to be lax and they do not deserve your business).

6) Do not download programmes that you do not need. Ever wondered why a torch app needs access to the contacts on your phone? It doesn’t, so get rid of it. Similarly, if you need to convert a video from MPG to QuickTime, don’t download the first thing that comes up on Google. These guys pay affiliates to put them at the top of the Google rankings. Small utility programmes are among the biggest vectors for spyware, which then scans your computer for interesting info. Get rid of programmes you don’t need.

7) Make sure you have a good antivirus. If it means paying £50 a year, then do it. Kaspersky is currently considered top of the tree (https://my.kaspersky.com/). Some free ones like Avast and AVG are good too. Paid ones tend to have better support and features and will allow you to install several instances of the antivirus on other computers and phones you may have, thus protecting the rest of the family too.

8) Keep your devices updated! Always, always, agree to updates. It can be frustrating, particularly when you switch your computer on and you are greeted by an “updating system” splash screen just when you need that presentation most. The reason IDG servers were not affected by the latest ransomware attack is that we were patched to the latest security releases. It makes all the difference.

9) Do not be fooled by phishing emails. Gone are the innocent days of Mr Bakare Tunde and his escrow account. Phishing scams are very sophisticated nowadays. Our friend and colleague Ed Chacksfield recently received an email purporting to be from a good citizen, in which he explained that Ed’s PayPal details had been “found” on a personal computer system. The scammer even mentioned Ed’s home address in the email to prove he had the PayPal information. The intention was to get Ed to open a Word doc which, when opened, would most likely have unpacked a virus.
Sometimes, phishing emails are more obvious. If you receive an email from Craig Preston which begins with “Greetings!”, swerve it.

10) Do you use Google Chrome or Firefox? Then add these extensions to your browser:
a. https://www.eff.org/https-everywhere
b. https://www.eff.org/privacybadger
c. https://chrome.google.com/webstore/detail/ublock-origin/cjpalhdlnbpafiamejdnhcphjbkeiagm?hl=en
d. https://adblockplus.org/
These will ensure that you are not being tracked or spied on when online.

11) Back up your files. Yes I know, yawn, etc… but when all else fails, you’ll be glad you had a spare copy of your life’s work in a safe place. The classic backup strategy is called “3-2-1”:
a. 3 backups
b. 2 backups onsite
c. 1 backup offsite
It seems a little over the top, but there is no harm in having multiple instances of your important files. For offsite backup, have a look at https://www.crashplan.com/en-us/. It has an excellent free plan. For onsite backups, you can buy 256GB USB sticks for tuppence nowadays. Get two and back your stuff up! If you can’t be bothered to do this, don’t go blubbing to Cloudscape when you have no record of your childhood or of what your children looked like when they were babies.
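Items 1 and 3 both send you to haveibeenpwned.com. The same site also runs a Pwned Passwords lookup that lets you check whether a password has turned up in a breach without ever sending the password itself: you hash it with SHA-1 and send only the first five hex characters, then match the remaining 35 locally against the list of suffixes the service returns. The script below is an added example and is not part of the original post or of the haveibeenpwned service; the sample reply embedded in it is constructed (the breach counts are made up, only the format is real), and the live `fetch_range_http` helper is used only if you pass it in explicitly.

```python
import hashlib
import urllib.request

# Constructed sample of a Pwned Passwords "range" reply for SHA-1 prefix 5BAA6.
# A real reply lists every suffix in that range; this one is trimmed to three
# lines and the counts are invented, apart from the "SUFFIX:COUNT" format.
SAMPLE_RANGE_REPLIES = {
    "5BAA6": (
        "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493\r\n"  # suffix of "password"
        "2A1C0F0D1E2D3C4B5A69788796A5B4C3D2E:2\r\n"
        "3B2C1D0E9F8A7B6C5D4E3F2A1B0C9D8E7F6:17\r\n"
    ),
}


def sha1_prefix_suffix(password: str):
    """Split the upper-case hex SHA-1 of the password into the 5-char prefix
    that is sent to the service and the 35-char suffix that never leaves
    your machine (the k-anonymity design of the Pwned Passwords API)."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range_reply(text: str) -> dict:
    """Turn 'SUFFIX:COUNT' lines into a {suffix: count} map."""
    counts = {}
    for line in text.splitlines():
        if ":" in line:
            suffix, count = line.strip().split(":", 1)
            counts[suffix] = int(count)
    return counts


def fetch_range_offline(prefix: str) -> str:
    """Offline stand-in for the HTTP call, serving the constructed sample."""
    return SAMPLE_RANGE_REPLIES.get(prefix, "")


def fetch_range_http(prefix: str) -> str:
    """Live query: only the 5-character prefix goes over the wire."""
    url = "https://api.pwnedpasswords.com/range/" + prefix
    req = urllib.request.Request(url, headers={"User-Agent": "hibp-check"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def breach_count(password: str, fetch_range=fetch_range_offline) -> int:
    """How many times the password appears in known breaches (0 = not seen)."""
    prefix, suffix = sha1_prefix_suffix(password)
    return parse_range_reply(fetch_range(prefix)).get(suffix, 0)
```

Call `breach_count("your password", fetch_range_http)` to run it against the real service; a non-zero result means that password is on a list attackers already have, so change it.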

For any, ahem, compromising material, don’t use iCloud!

I’m guessing that the majority of you have had your bank call you in the past to confirm a transaction. Many of you will have been surprised to hear your card was cloned. You have been affected by fraudulent activity before, so do not be surprised if it happens again. As Murphy’s Law states, what can happen will happen; after all, a Russian man who wears roadkill on his head is the president of the United States.

Cheers!
Laurent
