STOCKHOLM - A handful of information and computer technology (ICT) experts from around the world gathered at a conference in the Swedish capital to discuss and exchange ideas on cyber security, hosted by IT security solutions specialist Kaspersky Lab.
One of the key themes that clearly emerged from the event is the 'unsecured behavior' of the general public, which experts believe to be the root of many cyber issues.
In 2013, Kaspersky claims to have neutralized more than five billion cyber attacks on user computers and mobile devices, and nearly two billion of those originated from online sources.
And yet most people are either alarmingly careless or ignorant - or both - when it comes to their own ICT management and online activities, leaving them and others in their network exposed to various cyber attacks.
"That’s one of the issues where we can make a difference with sufficient effort," said Robert Kooij, an ICT expert from the Netherlands working with TNO, a non-profit organization for applied science research, and Delft University of Technology.
He added: "For me, it’s very important to give lectures and to reach out to the people, not only in scientific conferences, but also to other people. And also in educational efforts with young children, and to explain what we know nowadays. I know all these experts here, they should reach out to the common man."
David Jacoby, senior researcher and security evangelist at Kaspersky Lab in Sweden, wants ICT experts and the media to take "more responsibility" for raising awareness of cyber safety.
"We need to take more responsibility with what we talk about. We need to talk about what’s relevant. To build security, you have to build with the foundations of security, something as simple as password management, network segmentation, education, awareness, and all the things we’ve talked about for 30 years which are still very relevant today," he explained.
He added: "A lot of people have excuses on why they can’t do security, but there are some very simple tips that you can use that don't require software or something special that you have to install in your computer."
In the spirit of education and awareness, ABS-CBN News asked ICT experts at the conference for their top tips on better cyber security:
1. USE STRONG PASSWORDS
It may sound obvious, but according to several experts, the first rule of cyber security is having strong passwords: something unique, personal or obscure that would be difficult to guess. It is also advisable to have different passwords for each account or website, and to be mindful of how you save or store your passwords.
Jacoby suggested a formula for creating a random but strong password: choose a personally memorable phrase, take the first letter of each word, and then add a keyword based on the situation. For instance, in an online store, you may have: One Flew Over The Cuckoos Nest (memorable phrase), OFOTCN (acronym), and ‘shopping’ (keyword), which gives you a relatively secure password: OFOTCNshopping.
In a video presentation for a cyber security competition at the conference, Maurizio Abba, software developer at technology start-up LastLine Inc, suggested using long passwords. Most passwords are typically under 12 characters, usually a combination of letters and numbers, but Abba would prefer to use unique - and fun - memorable phrases. Whether it’s a film title, a song, a famous expression, or a random set of words, the possibilities are endless and should be hard to crack.
2. KEEP ALL SOFTWARE UPDATED
Software developers are constantly updating their products to ensure the safety of all users. So when an update is released to fix a bug or improve the system, experts strongly advise that you take it immediately.
Vyacheslav Zakorzhevsky, Vulnerability Research Group Manager at Kaspersky Lab, said: “There is so much outdated software on users’ machines, so bad guys are able to use exploits and be able to attack outdated software to install malicious software, and then to steal sensitive information like bank accounts and passwords. Even internet browsers like Internet Explorer, Mozilla Firefox, Google Chrome, and plug-ins like Adobe Flash Player, PDF, all have some vulnerabilities. But not all users update their software, so that’s a problem.”
Jacoby added: “What you can do is use the built-in security feature for updating software, but when you use for example Windows Update, it doesn’t update all the software in the computer, only Microsoft-based software. What about Java, Google Chrome, Skype, and all this different software that you have? Attackers find vulnerabilities in this software and automatically activate them when you browse websites. So you have to manually go through all that software to update it. With Java, for instance, often you get an alert for a new version in the corner of your computer, and you have to take those seriously and actually do an update. Don’t wait.”
3. CLICK CAREFULLY
Browsing online is more convenient than ever. We can do it on many different devices, and there is no shortage of new things to explore on the web. But don’t just click anything and everything. Be careful with what you click because it might lead to something malicious online.
Adelen Victoria Festin, a finalist in the cyber security competition at the conference, said: “Be aware of sites that you access online, check they are the actual sites you want to visit and not a malicious fake site. And be careful in clicking things such as pop-up ads, even on popular sites like YouTube, because some clicks may lead to virus infections in the computer which could damage files or compromise personal data.”
4. DOWNLOAD WISELY
Choosing the right software for you is key to cyber security. Do your research first and stick to legitimate and reputable software developers and companies. There are also plenty of choices in the market, but experts suggest that you select the ones with better security features.
“You need to think twice about downloading everything. People are so careless about what they download,” said Catabell Lee, a technology journalist from Hong Kong.
Vyacheslav Zakorzhevsky from Kaspersky Lab said: “A good idea is to use alternative programs, for example for PDF use Foxit Reader, which doesn’t include vulnerabilities compared to Adobe Reader. Use software like Google Chrome, because it uses its own plug-ins rather than Flash Player or PDF, so it’s more secure than Internet Explorer or Mozilla Firefox, which use common plug-ins that are more vulnerable in comparison.”
5. BE SECRETIVE ONLINE
Everything is online these days, but experts say you still have a choice on what you want to share. Less is more when it comes to cyber security. So whether it’s on social media, or signing up for services, or registering for downloads, always be protective of your personal data.
Catabell Lee, a Hong Kong-based technology journalist, said: “It’s hard to avoid giving out information on social media, but the first rule is to never make your profile public. Just keep it private among your friends. And don’t post everything on it, and be careful whom you make friends with.”
She also warned against apps and other downloads that ask for too much information and request excessive access to your online profiles.
“Never give out any more information than necessary when you download apps. And when they ask for too much personal information, be careful about it. Most of the time, there might be trojans or backdoors that come with the free apps,” she said.
She added: “It really drives me crazy because it often asks for your friends list or your email contacts list, and they also require access to your photos and everything else. Pretty much everything that you put online. It’s crazy. Why would you give out all this information to those people? They can sell your details, so don’t do it.”
6. DISABLE UNUSED PLUG-INS
Not only are we using many different software programs on a myriad of devices, but many of those programs have a range of plug-ins on top. These can be useful, but they can also leave you exposed to certain cyber attacks. Experts say plug-ins should only be activated when they are being used.
Zakorzhevsky said: “Disable plug-ins if you don’t use them. For example, Oracle Java, most users don’t need to use it all the time, so when you need to use it for internet banking or booking tickets to the cinema, enable it. Then disable it afterwards and don’t use it all the time. It really greatly increases security.”
7. SPOT PHISHING SCAMS
“One of the biggest threats out there is phishing attacks: emails that come to your inbox asking for your password, credit card information, or pointing you to a website that contains malicious code,” said Jacoby.
But there is a simple way to minimize such risks. Jacoby explained: “Sometimes it’s difficult to tell if that email is actually from the bank or from the source that it’s supposed to come from, or if it’s fake. One very simple way is to hold your mouse pointer over the link for two seconds, and it will show you in the URL bar which website it’s actually directing you to. So if you have an email, for example, from PayPal, but the URL goes to some crazy website, then 99% of the time that email would be fake.”
8. SHARE GOOD PRACTICES
If you know something useful, share it to help others. But it’s easier said than done. Some experts at the conference raised the issue of disconnection between different agents in cyberworld: from ICT professionals who are too technical and unable to simply convey their knowledge to a layman; to academic institutions that rely too heavily on theory at the risk of neglecting real world applications; to companies that are too concerned with profit at the risk of safety; and the general public who are predominantly careless or unaware of security issues.
Beverly Magda, an associate dean from the technology department of Georgetown University in the US, said: “We do a lot to educate cyber security professionals, or for people to be cyber security professionals, but I don’t think we do a good job in the social engineering part for those who are non-cyber security professionals. There is a position there somewhere where there’s a liaison who could speak the technical talk and translate it to everyday language, and vice versa.”
Zakorzhevsky added: “Maybe it’s a good idea for our children if government institutions add special courses to teach our children and future generations how to be safe in the internet: how not to click everywhere, how to install security solutions, how not to install certain software, and how not to download and open just any files from the internet.”
9. GET TO KNOW ‘CERT’
Be aware of your local CERT (Computer Emergency Response Team), also known as CSIRT (Computer Security Incident Response Team), a group of ICT experts that help organizations and the public with cyber security issues.
The name CERT comes from the first team of its kind at Carnegie Mellon University in the US. Its formation was a response to the increasing risk of malware as computer technology rapidly developed in the 1980s. Most notably, in 1988, the so-called Morris Worm spread like wildfire and paralyzed a significant chunk of the internet, necessitating the existence of a dedicated support system to better deal with such incidents.
CERT now exists in many countries and often operates as a non-profit working with governments and companies worldwide. Their primary concern is malware, worms, and viruses, as well as promoting good practices for cyber security.
10. ACCEPT ‘THE NEW NORMAL’
It doesn’t happen to you until it does. But whether we like it or not, there are very real risks out there in cyberworld. And the sooner we accept this fact, the more chances we’ll have to adjust our behavior and better prepare ourselves for such eventualities.
Magda from Georgetown University said: “I don’t know that it’s possible not to be hacked. I think the hackers are always one step ahead. But I think it’s just taking precautions. There is always that instinct of: should I or should I not click this link? Should I or should I not write this password down? Trust your instinct not to do that. I call it The New Normal. It’s a new way of living that we need to get used to.”
Despite such precautions, however, cyber security will most likely remain imperfect. There will always be cyber criminals as long as there are personal, social and economic incentives to be had, and those people will always find a way to creep into your system to get what they want. The key is understanding what we can do to make it harder for them.