It's time to take a personal cyber security assessment

05/28/2016 - 19:07

Kevin Dugas

UPDATE - 26 October 2016:

Before reading any further, please check to see if your devices were utilized in the recent global attack via BullGuard's Internet of Things Scanner. If any of your devices show up, immediately change your login and password credentials. If any of your devices were infected by Mirai, then they were probably part of this major botnet DDoS attack. Furthermore, you should probably access your router's backend and whitelist all your devices' MAC addresses.


When I’m not daydreaming about mountain biking or lifting heavy things, a question I frequently think about is “How can I protect myself online?” Obviously not from an advanced persistent threat or government actor (we’re pretty much screwed when it comes to protecting ourselves against those guys), but more so from the average attacker.

My answer for other people is that it depends mostly on how connected one is to the online world. For instance, my Grandma who struggles to use email wouldn’t benefit from a comprehensive guide to help her identify and lock down the one account she has. However, for those of us ‘millennials’ who consume online services like an Instagram model abuses selfies, a more robust method can help protect against the widening swath of cyber criminals who scour the internet in search of an easy target.

Why is this important?

If you have ever been hacked or had your identity stolen online, then you know what I’m talking about when I say that time can be brought to a standstill when an attacker ekes their way into your life. Much like a swarm of mosquitoes, these attacks can be so annoyingly pervasive that they prevent you from doing anything worthwhile.

Don’t think it will happen to you? Just last year alone, over 169 million personal records were exposed across the financial, business, education, government and healthcare sectors. In 2015, there were 38% more security incidents detected than in 2014. The scarier part is that most people don’t know they have been breached for quite some time – the median number of days that attackers stay dormant before detection is over 200.

You should definitely check the site "Have I been pwned?" right now to see if any of your email addresses have been compromised in previous data breaches. The site added 164 million more accounts to its system from the recently publicized LinkedIn hack.

Cyber Crime Stats (Source: Microsoft)

OK, I’m hooked. Where do we start?

In an ideal world, one button would do it.

The first step in all of this is awareness. Even if we lock down our accounts with secure passwords and configure everything perfectly, an attacker can still easily compromise an account by going for the weakest link–the human element. Even in the corporate world, nearly 50% of users open emails and click on phishing links within the first hour (Source: Verizon 2015 Data Breach Investigations Report). Phishing campaigns have also evolved in recent years to incorporate malware as the second phase of the attack (making you even easier to scam!).

The moral of the story is to be vigilant with your security online. Never open emails or click on links from senders you don’t know (even if they look ‘super legit’), and remember what your mother told you about that guy in the white van: “never open email attachments from strangers”. Even if it’s from someone you know, if you weren’t expecting an email with a sketchy looking attachment, it’s better to be safe than to be compromised. Even though your email provider already blocks certain file types in email attachments, there are still many types of attachments you should generally be wary of. A few examples of file types to watch out for are exe, rar, com, scr, pif, bat, cmd, hta, and sys.

Who doesn’t love graphs and pictures? Here's another one for thought:

Attack types over time (Source: Verizon)

Back to the reason we’re here: The Personal Cyber Assessment

Since this task can often seem overwhelming and take some time, I have created a four step methodology which will help make the process as efficacious as possible.

Doogit's Personal Cyber Assessment Steps

The process is laid out in four parts:

  1. Identify – How do you know what accounts and assets exist?
    • Create an inventory of your online accounts and assets.
  2. Assess & Prioritize – How do you determine what is important?
    • Perform an assessment to determine what matters most and what is at risk.
  3. Secure – How do you secure your online identity from would-be attackers?
    • For those high-value assets, increase security where possible.
  4. Monitor – How do you make sure your important accounts and assets are safe?
    • Keep track of what matters.

These are similar to the steps commonly used in corporate security assessments and provide a comprehensive process to protect valuable information assets (or with some modification can be used to protect just about any set of assets).

Step 1: Identify


  • Make an inventory of your online assets and accounts

    • In order to secure your data online, you have to know what’s out there.

      • Pro Tip #1 – Take advantage of automated scanning. Some sites offer scanning services which connect to your email account and analyze how many accounts are registered to that address. One such site I have used with success is Dashlane, which also provides a full report with a breakdown of high risk accounts and clear text passwords stored in your email.
        • Since we are only human and tend to re-use logins and passwords, this can make us especially vulnerable to broad attacks if our email is breached. Some sites (with bad security practices) send passwords in plain text, so delete those… like now.
        • This tool really brings to light the fact that most of us (myself included) are online hoarders. It’s so easy to create disposable accounts and leave them in a forgotten corner of our email. In a broad study of 20,000 users performed by Dashlane (using anonymized data), the average accounts registered to one email address hovers around 100. That’s a lot of forgotten accounts. Use this opportunity to close down accounts that aren't necessary and no longer used.
        • Also make sure to update passwords for sites that were previously breached. That issue of credential reuse comes into play once again since roughly half of the users found in exposed user databases from Gawker and Rootkit.com used identical login credentials. You can use the "Have I Been Pwned" site to see if your data has been exposed.
      • Create a ‘critical accounts’ list – 
        •  For the purposes of this exercise, I created a spreadsheet tool (as well as a Google Sheets version for non-MS Office users) to help you start a running list. Do you have a bank account? Several bank accounts? Multiple trading websites? A blog or online storefront? List each one on the cyber assessment inventory. Use the automated scanning tool from earlier if that’s helpful to get started.
        • Cyber Assessment Tool – Click the screen print, or here (.xlsx) to download.
      • Pro Tip #2: Tools like Mint can help track financial accounts in one central interface, which can keep financial matters monitored and under control. Mint is also free, and free is always good news.
      • Purge some more – While you’re at it, take a look at the inventory and determine if you need all of the critical accounts listed. Are there some assets or accounts that you can consolidate? Are there some that you can get rid of completely? If so, combine duplicate accounts and purge what you don’t need.

Step 2: Assess and Prioritize

  • Perform a risk assessment
    • This is an important step in the personal cyber assessment since everything cannot be tackled at once. We need to analyze our assets and assign priorities to determine what to secure first. Start by asking some basic questions about each item on the inventory sheet:
      • Assess value – What is this account / asset’s value to you? Not only in financial terms but also privacy and personal data. Primary email addresses may use a free service, but they contain a wealth of information that could be used to coordinate a broader attack on your identity. Assign a value (high / medium / low) and consider the rationale behind the value you assigned.
      • Assess Impact – What would happen if it were breached, stolen, or compromised? Could it be easily recovered, replaced, or otherwise returned to a normal state? Assign an impact rating based on your analysis and back up that rating with some reasoning.
      • Assess Likelihood – Finally, how likely is it that the account will be breached, and that you will be aware of the breach? Strong security measures and monitoring play a big role in assigning a value to likelihood. If your email uses a very complex unique password that is protected by two-factor authentication, the likelihood of that account being breached is pretty low. If your investment account for some reason allows you to use “password123”, which is the same as your Dropbox and Twitter accounts which were breached recently, you should assign that item a ‘high likelihood’ (also if that’s the case, get out there and update your password).
      • Evaluate Vendors – After you have completed the inventory and cyber assessment, take a look at each account. Do any of those assets use questionable vendors? (I’m looking at you cheerQT123@AOL.com) Have any of the vendors stopped supporting their services? If so, it may be time to look around for more reputable companies that have a focus on security.
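The value / impact / likelihood rating above can be turned into a simple priority score. The following is an added example, not the author's spreadsheet tool: it scores each inventory row as value × impact × likelihood, derives likelihood from whether 2FA is on, whether the password is reused across accounts and whether the account appeared in a breach, and lists the fixes each account needs. The 1/2/3 weights, the likelihood rule and the sample inventory are assumptions constructed for this example.

```python
# Added example (not the author's spreadsheet tool): scores each inventory row
# as value x impact x likelihood and lists the Step 3 fixes. Weights assumed.
from collections import Counter
from dataclasses import dataclass

RATING = {"low": 1, "medium": 2, "high": 3}

@dataclass
class Account:
    name: str
    value: str          # high / medium / low: what it is worth to you
    impact: str         # high / medium / low: damage if breached
    has_2fa: bool
    credential_id: str  # a label for the password, never the password itself
    breached: bool = False  # shows up in a published breach dump

def likelihood(acct, reuse):
    """Derive the likelihood rating from the account's security posture."""
    points = 1
    if not acct.has_2fa:
        points += 1
    if reuse[acct.credential_id] > 1:  # same password on several accounts
        points += 1
    if acct.breached:
        points += 1
    return "high" if points >= 3 else "medium" if points == 2 else "low"

def actions(acct, reuse):
    """Concrete Step 3 fixes for one account."""
    todo = []
    if not acct.has_2fa:
        todo.append("enable 2FA")
    if reuse[acct.credential_id] > 1 or acct.breached:
        todo.append("set a unique new password")
    return todo

def prioritize(accounts):
    """Return (name, likelihood, risk 1..27, actions), highest risk first."""
    reuse = Counter(a.credential_id for a in accounts)
    rows = []
    for a in accounts:
        lk = likelihood(a, reuse)
        risk = RATING[a.value] * RATING[a.impact] * RATING[lk]
        rows.append((a.name, lk, risk, actions(a, reuse)))
    return sorted(rows, key=lambda r: r[2], reverse=True)

# Constructed sample inventory mirroring the post's scenario.
INVENTORY = [
    Account("Primary email", "high", "high", True, "pw-email"),
    Account("Investment account", "high", "high", False, "pw-shared"),
    Account("Dropbox", "medium", "medium", False, "pw-shared", breached=True),
    Account("Twitter", "low", "low", False, "pw-shared", breached=True),
]
```

Calling `prioritize(INVENTORY)` puts the investment account first (risk 27, no 2FA and a reused password) ahead of the primary email, which scores 9 because 2FA and a unique password keep its likelihood low.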

Step 3: Secure

Personal Cyber Assessment Step 3

  • Secure accounts, personal devices and networks

    • This is the most important step of the exercise, and can be quite overwhelming if you don’t prioritize your online assets first. It’s also a good idea to think critically about what security measures would be most effective. Two-factor authentication (2FA) is highly recommended for your bank account or primary email. It is always a good idea to set up 2FA whenever possible because you can never know where hackers will try to breach vulnerabilities. Two Factor Auth has compiled an extensive list of who supports 2FA so you can check against your assessment.
    • Secure online accounts – Focus on what is most important first. Online assets with the highest priority (those in red on the Cyber Assessment) should be investigated to determine if additional security is possible. It may require a change in how accounts are accessed, but that should be worth it if it makes the difference in protecting against an attacker. Here are some tips to lock down critical accounts with popular services:
      • Email – Gmail allows the option to set up 2FA with your phone. This makes it much more difficult for any would-be intruder to access your email without also having access to the Google Authenticator app on your phone. Google also offers the option to text you a one-time code. Either method will provide that extra layer of security.
      • Financial – Some financial sites (Chase, USAA, Wells Fargo, Mint) offer two-factor authentication by sending a one-time-use passcode over text message, email or phone call. Lots of security-minded sites are moving to this feature since it helps users detect a legitimate login from an unrecognized computer.
      • Retail / eCommerce / Social – Amazon, Apple, Etsy, and Facebook now give the option to turn on two-factor authentication through text messages, which is a step in the right direction to provide an extra layer of protection.
      • Backup / Sync / Cloud – Box, Google Drive, Dropbox, and a handful of other sites offer additional security as well.
      • General tips for securing online accounts –
        • Strong passwords – Use a hard-to-guess passphrase that contains at least 8 upper and lower case characters. Rotate your passwords frequently, especially if you suspect a breach.
        • Install anti-virus and automatically run scans – Keyloggers contained in malware are still an issue and can provide attackers with your credentials.
        • Perform regular Operating System and Browser updates – Make sure you’ve set your computer to update automatically.
        • Do an Account Security Checkup – Google, for instance, offers this tool, which makes it easy to check the security of your accounts.
        • Secret Questions – Additionally, go through those high value accounts and make sure that your ‘secret questions’ (also called security validation questions) are secure. Put on your ‘black hat’ in cyber security lingo and think like an attacker. What information could be used against you? If those secret questions aren’t so secret and use publicly available information, that could be an easy way in for a clever attacker. With enough determination, an attacker could use Ancestry.com to look up your mother’s maiden name, or any one of a number of lookup sites to find the street you grew up on as a kid. Start to see things from the perspective of an attacker and you'll step out of the spotlight as an ‘easy-target’.
    • Always Use HTTPS – For the uninitiated, this means the browser will use a secure connection. Most large sites (Facebook, Twitter, Gmail, etc.) offer this option in their general settings. This is especially important when we access those services over an unsecure connection (e.g. Hotel / Airport Wifi) since an attacker can capture your login information using very simple methods. You can easily force sites to run HTTPS via the aptly named HTTPS Everywhere extension.
    • Review third party access to online accounts – Revoke access to unwanted / unnecessary apps. Here are some quick links to do this for Facebook, Google and Twitter. Other sites which connect to your primary accounts have tools as well.
  • Onward to physical devices.

    • Best practices – At a minimum, make sure phones have passcodes on their lock screens, and computers have strong passwords enabled. If you want to dig deeper into this topic, there are ways to prevent against an intelligent attacker (e.g. full-disk encryption, remote-wipe features, etc.) but perhaps that is a topic for another conversation.
    • Backup. Then backup your backups – As I have mentioned before, another important step is to regularly back up your data. Even the most diligent users get hit with Ransomware, and a recent backup can save a lot of headache and resources. The rule of thumb is that two backups are good, three is best. Lots of trusted cloud providers offer a limited amount of free space where you can store copies of important files. Here’s PCMag’s comparison of Cloud Storage providers for 2016: PC Mag Comparison of Backup Providers (Source)
    • Home / Work Network Security – check your wireless network security settings. Do you still use WEP or WPA? Lock that ‘ish up! Make the switch to WPA2, there is usually little to no downside and it is very easy to do.
      • Here are a few guides to help you make the transition onto the much more secure world of WPA2:

Step 4: Monitor

  • Monitor your online presence
    • Last and definitely not least, now that your accounts are as secure as possible, we shift our focus to monitoring. This is especially important since attackers frequently gain valid access to our accounts. Since online systems have a tendency to allow access rather than deny it (even if the login looks suspicious), attackers can remain dormant in systems for months and sometimes years. To help you monitor the wide range of accounts you may have, this section is broken down by area:
      • Adblockers- Very handy tools that you can just set and forget. There have been multiple instances of high profile websites (Forbes) that have served malware ads to their customer base. uBlock is the best adblocker out there because it hasn't bent over to "internet giants" like AdBlock Plus did to garner revenue. uBlock is more than just an adblocker and as its site explains: "it is a wide-spectrum blocker -- which happens to be able to function as a mere "ad blocker". The default behavior of uBlock Origin when newly installed is to block ads, trackers and malware sites..."
        • You can find the uBlock add-on extensions here: Chrome, Firefox
      • Financial – Regardless of how secure your accounts are, perform quarterly credit checks and determine if any new accounts or lines of credit have been opened without your knowledge. Don’t think it will happen to you? A Federal Trade Commission study found that 5% of consumers had errors on their credit reports that could lead to them paying more for products such as auto loans and insurance. A recent video from John Oliver’s Last Week Tonight also dives into the issue:
      • General Account Security Monitoring – Some sites allow you to set up monitoring via email – this is an added security feature that can help prevent against unauthorized logins.
      • WordPress – Some add-ins, including the WordPress app ‘WordFence’, send an email every time an admin logs on to your site.
      • Automated Monitoring via Apps – Utilize automated logging and monitoring tools to watch for suspicious activity on your critical accounts.
        • LogDog – Available on Android and Apple OS
      • Periodically perform this Personal Cyber Assessment exercise – as a best practice, schedule some time on your calendar in the future to review your accounts and assess security measures.

Conclusion

You made it! The crowd roars as a swell of hungry attackers sit at bay behind your two-factor authentication and beefed-up security measures. As most predators do, the online criminals search elsewhere for low hanging fruit.

My goal in creating this guide was to help folks recognize their online footprint and gain peace of mind by securing what is most important to them. Feel free to contact me with suggestions, if something was unclear or could be explained more thoroughly, or if someone you know requires additional help securing their accounts or identity online.

Thanks for stopping by! Doogit out!


A version of this post originally appeared on Modernized Security