Looming in the shadows of this digital age we live in is the ever-present threat of cyberattacks and data breaches. Cybercrime is steadily on the rise as criminals steal sensitive company information and personal data from computer systems and networks. Companies of all sizes are being forced to take action in an effort to proactively fight cybercrime and keep their stored information secure. I recently had the chance to meet with Michael Demma — Systemware’s Director of Information Security and a Certified Information Systems Security Professional (CISSP). Michael conducted annual cybersecurity awareness training for all Systemware employees in early October to kick off National Cybersecurity Awareness Month. Here he shares useful insight and suggestions on how companies and individuals can better protect their electronic data.
Michael Demma, CISSP – Director of Information Security
Q: What do you see as a new frontier in information security?
Michael: The smart phone apps environment has an almost anything goes, wild-wild west quality to it. While we condition ourselves never to click on a link in an e-mail for fear of devious or malicious site content, we will download and install apps on our smartphone devices without really knowing what they do in addition to the purpose for which we installed them.
Q: Why are smart phone apps so dangerous?
Michael: Users seem so willing to sacrifice security for convenience. In the interest of an “enhanced user experience” we allow apps to access our location, photos, contacts, files and even digital payment methods on our devices. Consider how many “allow access to” options we tap between the time we install software on a smart device and actually use it. Then we wonder how marketers have so much data on us and why we get hit with fraudulent charges when we in fact granted the access and accepted the terms without really paying attention.
Q: How do the ‘bad guys’ take advantage of these devices?
Michael: Why would someone spend time, effort and risk getting caught breaking in where they are expected, through a firewall, detected by an intrusion detection system and thwarted by an intrusion prevention system, when they can just make an attractive app, game or utility, install it on a smartphone and have the user ALLOW access to the credentials they need? Grayware has emerged in the form of apps which provide value through sought-after features but then also collect and leak information outside of the scope of the utility they provide.
Q: What challenges do smartphones and bring-your-own-device (BYOD) policies present for security-conscious corporate environments?
Michael: Users mix personal and business data and apps on their devices, making it very difficult to separate the two. Now a seemingly harmless Grayware app/game/utility may contain code which stores the ID and password needed for a corporate VPN app. The user has inadvertently provided the credentials to compromise the corporate network because they installed an emoji app and granted elevated access to the device.
Additionally, users may report a device lost or stolen. The administrators will invoke a remote wipe feature to destroy the corporate digital assets, protecting the company, but this process also indiscriminately deletes ALL personal items such as photos and videos which held significant value to the owner but may or may not be backed up.
Annual Cybersecurity Awareness Training
Q: Can you give a few suggestions to help protect someone from online purchasing fraud?
Michael: Don’t mix household and online finances – Use a credit card or dedicated account which you use exclusively for online purchases, recurring bill pay, etc. NEVER use a debit card tied to a primary checking or savings account. That way, if the card is compromised, or if a previously authorized automated system fails to stop charging your account after the agreed-upon term has expired, the transaction only affects a ledger balance, while your primary household liquid assets remain protected.
Passphrases: Switch from passwords to passphrases with 15+ characters and a lot of entropy. Use unique LONG passphrases for every site. Create a base passphrase, then use a modified passphrase with an intuitive code for every account so that if one site is compromised, your others remain protected.
Start with the base passphrase “E@sy t0 r3m3b3r” and then add a two-letter intuitive code for each site to make it unique. This way, if someone infiltrates your password on one site, they do not have access to ALL of your accounts.
- Ebay: E@sy t0 r3m3b3rEB
- Twitter: E@sy t0 r3m3b3rTW
- Facebook: E@sy t0 r3m3b3rFB
- LinkedIn: E@sy t0 r3m3b3rLI
A very special thanks to Michael for sharing these useful tips and information during National Cybersecurity Awareness Month (NCSAM). To learn more about Systemware, visit us today at Systemware.com