Computer security is a topic rich with detail, depth, and nuance, but only some of us will become security experts in our lifetime. Owning or managing your own business shouldn't require you to burn countless hours learning about computer and network security (unless of course you run a security business).
There are simple, actionable ways to secure your online presence.
Never Miss a Software Update
The easiest way for a criminal to break into your website or computer isn't to find an unpatched vulnerability in the software it's running. The easiest way is to choose an existing vulnerability, find (or write) an exploit for it, then attack any computers that are running an outdated version of the vulnerable software.
According to Verizon's 2015 Data Breach Investigations Report, most of the vulnerabilities being exploited were public knowledge in 2007.
Even Security Advice Expires With Time
An organization called OWASP maintains a list of the most prominent and damaging security vulnerabilities in a given year, simply called the OWASP Top 10. Most web programmers who have heard of OWASP are familiar with the 2010 and 2013 editions of this list. However, there were previous versions of the list published in 2004 and 2007 which contain gems of bad security advice.
For example, the 2004 OWASP Top 10 entry for Insecure Storage says:
Also, instead of storing encrypted passwords, use a one-way function, such as SHA-1, to hash the passwords.
It is now common knowledge that a general purpose cryptographic hash function such as SHA-1 is insufficient for passwords, and a safe password storage algorithm like
scrypt should be used instead.
Attacks always get better, they never get worse. Consequently, you should always revisit areas you thought were secure and check that you still are.
The takeaway: Even security advice itself should carry an expiration date.
Ditch Your Passwords
Most peoples' passwords are probably terrible for security but really easy to remember. Ranging from the incredibly obvious (
password) to the painfully common (
123456). And it's not their fault. The security requirements for passwords aren't widely understood outside of the information security industry or the hacker community.
Most people like to believe if we follow archaic and irrational rules we'll be safe. What ends up happening is that our 8-character password with uppercase and lowercase letters, a number, and one of the few sanctioned special characters gets cracked in about the time it takes to make a good cup of coffee.
There is a consensus among security industry experts that longer passwords are, barring silly edge cases (the letter
a repeated 300 times), necessarily more secure than shorter passwords. As a result, there is a push for longer minimum passwords (e.g. 12 to 16 characters, depending on who you ask) and for the encouragement of passphrases instead of passwords.
rot dough street kelp alumni twig pear mask
These initiatives mean well (we support them), but they miss a critical point in the password security issue. The longer and more complex each passphrase you use, the more time and effort you have to expend memorizing them. When most people are confronted with this prospect, they take shortcuts: Either they use weak passwords for most websites, or they use the same passphrase everywhere.
Our suggestion is simpler and easier for most people.
Get a Password Manager
Stop trying to memorize hundreds of unique strong passwords for all of the websites you visit. Instead, pick ONE very strong passphrase for your password manager and make regular backup copies of your password database.
We are not the first team to recommend a password manager, and we won't be the last. Every password manager we've evaluated uses encrypted storage and offers a random password generator when registering for a new website account.
In our experience, the safest password manager is KeePassX for two reasons:
- KeePassX encrypts all of your files and stores them locally. (They are never stored in the cloud.)
- KeePassX is open source, which means independent security experts can study it for vulnerabilities.
Use Proactive Endpoint Security Tools
One way that websites get breached is through the workstation of an employee with access to sensitive information that can be used for further exploitation. Securing your workstations is paramount to securing your websites.
Anti-virus solutions are reactive security tools: They scan the files and processes on your system for any signatures or behaviors known to be malicious, and then they remove or quarantine the offending code.
Stop relying on anti-virus software; it cannot protect you against unknown threats. Instead, focus on a proactive security solution, such as Microsoft's free EMET Toolkit, which transparently makes exploiting memory corruption bugs incredibly difficult.
Use Private Communication Apps on Your Smartphone
If you ever find yourself needing to send sensitive information over a phone call or text message, you're opening yourself to data breaches and wiretapping. Your best and only defense in these situations is to employ cryptography to render your messages unreadable to third parties.
Although cryptography is a very complicated subject even for technology experts, the team at Open Whisper Systems has done all the ground work for you.
- If you are an iPhone user, you want to install Signal from the iTunes Store.
- If you are an Android user, you want to install Signal from Google Play.
Only Connect to HTTPS Websites (If Possible)
The Electronic Frontier Foundation maintains a browser addon called HTTPS Everywhere that will transparently redirect you from insecure HTTP websites to secure HTTPS websites automatically when HTTPS is supported.
Stay in Touch with Local Computer Security Experts
We believe it's reasonable to expect any major city with any significant technology presence to house one or more security teams. Odds are, there is a team of security consultants near you. An easy way to find out is to search for Security BSides events and nearby hackerspaces.
Whenever new research invalidates a previously held belief about security, it's usually the security experts that learn about it first. If you want to protect your firm from malicious actors (whether reckless teenagers or overseas espionage campaigns), then you want to remain in regular contact with security consultants. Attend their seminars, hire them to perform penetration tests and train your staff to adopt better security practices.
Recommended Reading: DecentSecurity.com
Decent Security's mission statement, Everyone can be secure, is one of the best in the technology industry. This website is very content-rich and caters to hands-on readers but doesn't assume any expertise. The author's goal is for anyone, regardless of background, to be able to read it and then make their computer more secure.
Decent Security, by and large, lives up to its mission statement. Give it a read.
Free Security Updates from Our Team
Paragon Initiative Enterprises is a team of technology consultants that offer services ranging from custom software development in various paradigms (web, mobile, etc.) to application security auditing and network penetration testing. We also have a newsletter and a mailing list.
- Paragon Initiative Quarterly is our quarterly newsletter that addresses security topics for the previous three month period, ways to improve the security your software stack, and sneak previews for free software we are developing. Our newsletters will be more polished and less technical than our typical blog posts. Recommended for decision-makers and project managers.
- Paragon Initiative Vanguard is unscheduled. Emails will be sent out when we have something small to share, e.g. our team discovers a new security vulnerability in a widely used software product. Recommended for highly technical users who wish to hear our research findings before they are sent to public mailing lists.
Of course, you don't need to wait for an email from one of these sources to contact us if you have any questions about protecting your company's website and networks on the Internet. Contact us any time. We aim to always respond within 24 hours of receiving your message.