Busting some of those cyber security myths

How secure do you think you are when you are using the internet?  Even if the answer is “very,” you probably have some weak spots when it comes to protecting your personal information.  On the internet, most of us do things that we would never think to do in real life.  We talk to strangers, we leave critical personal information in insecure places, and we make the silliest mistakes when it comes to our personal protection.

Most of us use some type of web-based email system (Hotmail, Live, Gmail, Yahoo) as a personal email address.  This address is used for most personal correspondence, and for gaining access to other web sites.  Some of these sites force you to have complicated passwords; some do not.  As a rule of thumb, the older the system, the less complicated the password.   

Let me throw a hypothetical at you.  Someone finds out what your email password is.  If they are a cyber-criminal, then you have a serious problem.   Why?  Well, let me tell you why!  A cyber-criminal will immediately change your password to something complicated.  They will then go through your email history and find all of the sites that you have joined.  They will see any critical personal information that may be on those sites.   

They will then "roll up" your cyber persona.  By visiting those sites, they will reset all of those accounts, the account reset will go back to your compromised email account, and they will gather more and more information about you.

Here are 3 myths that need to be busted.

My password is not important!
“1234,” “password” or “qwerty” are not passwords that I would put on the internet or any device.  Like a signature, your password should be unique.   Everywhere we go on the internet, web sites ask us to create a username and password.  We usually do this as a matter of course, and do not attach much importance to the password that we choose.  On some sites we do put a bit more thought into the password, either because of the perceived value of the information we're providing, or because the system forces us to.
In fact, when you are asked to create a password it should always be complicated.   By complicated, I mean it contains more than eight characters and includes letters, numbers, punctuation, capitals and symbols (at least three of those).  But within these constraints, it should be as easy as possible to remember.

There are three methods that cyber security professionals use and teach to create complicated passwords: use a phrase (I hate passwords!), use the letters from a long phrase (Every Saturday I play Golf at the club = Es!pG@tC), or use two associated words separated with numbers, letters or punctuation (Tree56#pipe).  My recommendation to everyone is if a site does not allow you to create a complicated password, don't provide more than minimal personal information.

I can use the same password everywhere on the internet!
For every site that asks for a password, you need a system so the password you create is complicated, yet individual and site-specific.  

There is a logical explanation for this, and this time it has nothing to do with you.    It's all about web site security.  Say you log in to a site, usually by providing your email address and a standard password, and the site gets compromised.   Criminals on the internet can use automated systems to "try" that username and password combination against millions of sites.

If you use the same combination on every site, they collect information from every site.  The cyber criminals build up a profile of you on the internet.   The amount of information they can amass is quite astounding.

Once again, there are a couple of things that you can do.  Put a prefix or suffix onto your password.  “Tree56#pipe-mail” could be your email password.   “anz=Es!pG@tC” could be your banking password.  Because you are using a standard that you have created, the password is easy to remember, but is is also very secure.

Patching software is just an inconvenience!
I hear this at home from my daughter: "Every time I want to do something on my computer, smartphone or tablet it asks me to update it.  It's just so inconvenient.”   

Indeed, most systems today will ask you to update their software regularly.   There are a number of reasons for this, but in most cases it comes down to an error in the code.  Such errors can be used by a scripted system to compromise the device.  Without getting too far into the nitty-gritty of coding, to compromise a piece of code can be as simple as putting in numbers instead of letters on a form.  This error or a security breach created by this error,  could elevate the compromised application to "administrator" on your device.  The bad guy who created the malicious code can now use that to do other things—send email, search the device or just make it crash.

There is a vast underground criminal network on the internet that use these compromises to write viruses, RAT (Remote Access Trojans), worms and malicious code to gain access to your device.  By updating the software, you are keeping ahead of the problems that are associated with this type of attack.   Once the criminals have created this method of attack on the system, they send it out to all of the automated systems as an update—yes; even the criminal’s use updates.

So there you have it.  Yes, you need a complicated password.  Yes, you need a unique password for every site that you set up an account for.  And no, updating your applications and operating system is not just an inconvenience.  These steps take a little extra time, but look on the bright side: If you change your internet habits, you take charge of your own security and you'll stand less chance of losing everything.


Roger Smith

Roger Smith

Owner at R & I ICT Consulting Services Pty Ltd

Amazon #1 Best Selling Author | Experienced Cybercrime and Cyber Security Expert | Speaker | Consultant | Trainer You know how frustrating and frightening it is getting the right information about protecting yourself, your business and your client information from the digital world? I solve this. I put your business on a strict diet of good technology, the best management, meaningful adaptability and required compliance to make your business digital secure.

R & I ICT Consulting Services Pty Ltd

R & I ICT Consulting Services Pty Ltd 14 FOLLOWERS

Information and communication technology


Questions

Anonymous asks

Comments (3)

User
Loading...
John Belchamber

John Belchamber , Owner & Senior Consultant at Invoke Results

Great article Roger. As someone who had his website hacked by people who knew that most people use the default Admin user in Wordpress (and hence hackers only need to work out your password and not your username) I value your advice. Do you have any tips for storing and retrieving your passwords securely? Are password Apps/Software advisable?

Roger Smith

Roger Smith , Owner at R & I ICT Consulting Services Pty Ltd

Hi John Keeping track of the huge number of passwords that we use can be problematic. We also, as a business have to keep track of a huge number of passwords that we use on clients sites. We use a product called password safe, it has the ability to keep the url, the username and password in a safe and encrypted format. it is easy to use and it can be installed on a pc / mac.

View all (3) comments