And Now a Word from Your Commonsense

Thursday, August 18, 2011

Mike Meikle


As infosec pros debate the finer points of IPv6, cloud security, IDS/IPS and risk management, it behooves us to stop and remember our customers.

They really don't care whether your solution is FIPS certified and SAS 70 compliant. They are only concerned that their identity might be stolen and used to open a pickle stand in Zanzibar.

Open Google, search for "information security tips" and watch it return around 124 million hits. I am about to add one more to that lengthy hit parade.

Why? Well, I have been working the New Employee Orientation presentation circuit at one of my clients for a while, and I always get a boatload of questions from the attendees. Since my presentation covers social engineering, identity theft and how a device gets infected with malware, most of the queries concern those topics.

This also ties into my earlier commentary on endpoint security and social engineering in the Chicago Tribune and Los Angeles Times, in an article entitled "Security Breaches Highlight Need for Consumer Vigilance". More recently, eSecurity Planet featured my contributions on how malware removal differs between the enterprise and personal devices in its article "The Best Malware and Antivirus Tool is Prevention".

So I decided to distill all these questions and tips and answer them in this article. First, let's tackle some routine best practices.

When it comes to numerical pass-codes (debit cards, badges, etc.), how should one pick?

Debit card PINs are normally assigned by the financial institution. You can request a change, but the PIN is always sent separately from the debit or credit card. When you receive the PIN by mail, memorize it and then destroy/shred the letter. Never write your PIN on your card. Where the issuer lets you choose your own PIN, avoid your birth year, a single repeated digit or a simple sequence such as 1234; those are the first guesses anyone who finds your card will try.

Also, when withdrawing cash from an ATM or using your card at a retailer's terminal, make sure no one is looking over your shoulder ("shoulder surfing"). Another good habit is to inspect the point-of-sale terminal or ATM for signs of tampering. If the keypad is misaligned or the card slot looks suspicious, do not use the device: it may be compromised and part of a "skimming" operation.

When it comes to alphabetical and numerical passcodes (such as those used online), how should one pick?

Best practices for online passwords are relatively straightforward. They should be at least 12 characters long, mixing upper and lower case letters, numbers and whatever special characters the site accepts. They should not contain addresses, dates of birth, pet or spouse names, or anything else easily gleaned from social media or public records.

Better still is a "pass phrase": a sentence you can easily remember that still follows the rules above. These easily run to 30 characters or more, and that length is what makes them strong, but they should not be a common phrase, quotation or song lyric that a cracking dictionary already contains.

These recommendations assume the application accepts such input. Many online applications still cap passwords at 6 to 8 characters or reject special characters; in that case use the longest, most varied password the site allows, and make sure it is not reused anywhere else.

Bad Passwords Brought To You By RockYou Users

If You Have One of These, Change It Now

What are the most common used passwords and why should we avoid using them?

In the RockYou password database breach, the most common password was "123456" and the next was "12345". Other popular passwords were "princess" and "Password".

These passwords should be avoided at all costs: they are short, lack special characters, are easily guessed, and sit at the top of every wordlist that cracking software tries first.
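As an added example (not code from the original post), here is a small Python checker that applies the advice above to both numeric PINs and alphanumeric passwords: the 12-character minimum and character-class mix, a blocklist seeded with the RockYou passwords named in the text, a heuristic that catches trivial variants such as "P@ssw0rd!1", and a check for personal details (pet names, birth dates) supplied by the user. The leet-substitution map, the three-of-four class rule, the PIN rules (no repeats, sequences or year-like values) and the sample inputs are my own assumptions, constructed for illustration; a real deployment would load the full leaked wordlist rather than four entries.

```python
"""Password and PIN checks based on the advice above.

Added example, not code from the original post.  The blocklist holds only the
RockYou passwords the article names; a real deployment would load the full
leaked list.  The leet map, the 3-of-4 class rule and the PIN rules are
assumptions made for illustration.
"""
import re
from typing import Iterable, List

COMMON_PASSWORDS = {"123456", "12345", "princess", "password"}
MIN_PASSWORD_LENGTH = 12   # the article's minimum
MIN_CLASSES = 3            # out of: lower case, upper case, digit, special
# Substitutions people use to "disguise" a dictionary word (assumed map).
LEET = str.maketrans({"@": "a", "0": "o", "1": "i", "3": "e", "$": "s", "5": "s", "7": "t"})


def normalise(password: str) -> str:
    """Reduce a password to its core word, so 'Password1!' and 'P@ssw0rd'
    both become 'password' and can be matched against the blocklist."""
    core = re.sub(r"[^a-z]+$", "", password.lower())    # drop trailing digits/specials
    return re.sub(r"[^a-z]", "", core.translate(LEET))  # undo leet, keep letters only


def digit_strings(personal_info: Iterable[str]) -> List[str]:
    """Digits of each personal item: '1975-04-12' -> '19750412'; 'Fido' is dropped."""
    runs = (re.sub(r"\D", "", item) for item in personal_info)
    return [r for r in runs if len(r) >= 4]


def character_classes(password: str) -> int:
    """How many of the four character classes the password uses."""
    return sum(bool(re.search(p, password))
               for p in (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]"))


def check_password(password: str, personal_info: Iterable[str] = ()) -> List[str]:
    """Return the rules a candidate password breaks; an empty list means it passes."""
    personal_info = list(personal_info)
    problems = []
    if len(password) < MIN_PASSWORD_LENGTH:
        problems.append(f"shorter than {MIN_PASSWORD_LENGTH} characters")
    if character_classes(password) < MIN_CLASSES:
        problems.append("needs a mix of upper case, lower case, digits and specials")
    lowered = password.lower()
    if lowered in COMMON_PASSWORDS or normalise(password) in COMMON_PASSWORDS:
        problems.append("is a common password or a trivial variant of one")
    for item in personal_info:
        if len(item) >= 4 and item.lower() in lowered:
            problems.append(f"contains personal information: {item!r}")
    # Dates and phone numbers get typed as bare digit groups ('1975', '0412'),
    # so compare every 4-digit window of each personal number with the password.
    password_digits = re.sub(r"\D", "", password)
    for digits in digit_strings(personal_info):
        windows = {digits[i:i + 4] for i in range(len(digits) - 3)}
        if any(w in password_digits for w in windows):
            problems.append("contains digits from a personal date or number")
            break
    return problems


def check_pin(pin: str, personal_info: Iterable[str] = ()) -> List[str]:
    """Rules for a numeric PIN, for the cases where the issuer lets you choose one."""
    if not pin.isdigit() or not 4 <= len(pin) <= 6:
        return ["must be 4 to 6 digits"]
    problems = []
    if len(set(pin)) == 1:
        problems.append("repeats one digit")
    steps = {int(b) - int(a) for a, b in zip(pin, pin[1:])}
    if steps in ({1}, {-1}):
        problems.append("is an ascending or descending sequence")
    if len(pin) == 4 and 1900 <= int(pin) <= 2099:
        problems.append("looks like a year")
    if any(pin in digits for digits in digit_strings(personal_info)):
        problems.append("appears in a personal date or number")
    return problems


if __name__ == "__main__":
    # Constructed sample inputs: a pet name and a birth date an attacker could find online.
    me = ["Fido", "1975-04-12"]
    for candidate in ["123456", "P@ssw0rd!1", "Fido1975!", "Correct horse battery staple 42!"]:
        print(f"{candidate!r}: {check_password(candidate, me) or 'OK'}")
    for pin in ["1234", "1975", "0412", "8306"]:
        print(f"PIN {pin}: {check_pin(pin, me) or 'OK'}")
```

The normalisation step is the part worth copying: a password policy that only counts character classes will wave "P@ssw0rd!1" through, while stripping the trailing decoration and undoing the substitutions reveals the dictionary word underneath. The same idea applies to the personal-information check, which compares digit groups rather than the literal "1975-04-12" string, because nobody types the hyphens into a password.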

What’s the best way to protect your identity online?

Use strong passwords that are unique to each critical site, such as online banking or social media profiles. Common sense plays a huge role as well. Be careful whose emails you open and, once in an email, which links you click. Legitimate organizations will not ask you for financial data or your username and password by email. If a message seems suspicious, call the organization using a number you already have (from the back of your card or its official site), not one printed in the message.

Do not post sensitive personal information on your social media profiles, such as your birth date, when you are going on vacation, or other details that would give a bad actor valuable insight into your life. Use the privacy settings these applications offer and review your friends list for people you do not know.

My machine has a virus or malware on it.  What can I do?

In a corporate environment, the normal policy is simply to wipe and re-image the infected machine. Malware removal is labor-intensive and often unsuccessful. Why? Because modern malware hides its malicious code in memory, in the boot sector, or inside seemingly legitimate programs.

The user believes the machine has been cleaned, but when the device is restarted the malware re-establishes its connection to its command and control server, re-installs itself, and the process begins again. This is normally on a laptop from Finance.

However, if you have a few hours to burn on a Sunday before your big presentation on Monday, there are several options for removing malware from a device.

One: use the (hopefully) installed and updated anti-virus package on the device to remove the malware. There is a slim chance of success here.

Two: if that fails, run a dedicated malware removal tool. An example is Malwarebytes' Anti-Malware, a program that is free for individual (not corporate) use and a mainstay of the malware removal trade. Make sure it is updated before you scan. The odds are better here.

Three: if that fails, and the user is running a Microsoft operating system, download the current month's Microsoft Malicious Software Removal Tool. I have had some decent success with this approach when combined with Malwarebytes.

The final option before a scorched-earth re-image is System Restore, the Microsoft operating system's rollback feature, to move the OS back to a restore point created before the infection. This is a dicey approach, since the malware may be sitting in a directory that System Restore does not touch. Whichever route you take, once the machine is clean (or re-imaged) change every password that was used on it, and do so from a device you trust: anything typed on an infected machine should be assumed stolen.

There you have it. A fairly high-level set of tips and suggestions that will guide customers, clients or your Uncle Phil toward a more secure digital experience.

Please sound off in the comments below if you have any additional suggestions or insights to share!

Cross-posted from Musings of a Corporate Consigliere
