Paco Hope, principal consultant at Cigital, explains how you can succeed in IT security where others might fail.
There are two sides to this: Firms offering services need those services to be trustworthy. They need to build security in, fix the vulnerabilities they find, and have a broad view towards where risks can come from.
The means of building secure software are well known, so it’s a matter of diligently applying techniques like architecture review, design review, code review and so on. Regular people have no insight into how secure a firm or its service is, and thus must make the assumption that it is not as secure as they would like.
They must protect themselves against the shortcomings of their providers. This boils down to a few straightforward tips, as described by Paco Hope, principal consultant at software and application specialist Cigital.
1. Password diversity
Don’t use the same password for two things. If you must reuse passwords, use as many different passwords as you can manage. Never use the same password for two important things (work, Amazon, iTunes, Google, PayPal, etc.). People who do this successfully use password managers. 1Password, Keepass, LastPass, PasswordWallet and others are all good alternatives.
2. Rummage through the settings
Virtually every software package, online service, or mobile app has a bunch of settings. Most defaults are insecure (e.g. send your backups to the cloud, but don’t encrypt them on your PC). Many defaults opt you into things you’re better off opted out of: marketing, data collection, synchronising all your contacts with some web service that will sell them, etc. The more you distribute your information across services and allow services to interact with each other, the more a breach at one of them can affect you at the others.
3. Check your authorisations sometimes
You can use your Facebook, Twitter, LinkedIn and Google accounts to grant access to sites, apps, and services. Sometimes authorising an online comment form might grant the site the authority to post a tweet or status update as you. If that service is compromised, an attacker might get the ability to use your account to send links to your friends and followers. Every service offers the ability to review the sites and apps you have authorised and remove a few from the list if you want to. It’s always possible to reauthorise them if you need to, so be aggressive and pare the list down once in a while.
For online services, established methods for handling passwords securely are well known. However, it is not as simple as “salt some hashes”, the way developers might expect. The OWASP Password Storage Cheat Sheet is the definitive free guidance on doing this right for software developers. Disclosing breaches to users is also very important. If they don’t know, how can they protect themselves?
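As an added illustration (not code from the article, Paco Hope or Cigital) of why “salt some hashes” is not enough: a fast salted SHA-256 beside a deliberately slow, salted key-derivation function from Python’s standard library, with constant-time verification and a check for records that need upgrading. The PBKDF2 iteration count and the record format are assumptions for this example; take current parameters from the OWASP Password Storage Cheat Sheet.

```python
import hashlib
import hmac
import os

# Iteration count is an assumption for this example, not a value from the article.
POLICY_ITERATIONS = 600_000


def weak_hash(password: str, salt: bytes) -> bytes:
    """The naive 'salt some hashes' approach: one fast SHA-256 over salt+password.
    The salt defeats precomputed tables, but a single fast hash still lets an
    attacker who steals the database test guesses at hardware speed."""
    return hashlib.sha256(salt + password.encode()).digest()


def hash_password(password: str, iterations: int = POLICY_ITERATIONS) -> str:
    """Store a password with PBKDF2-HMAC-SHA256: a random 16-byte salt and a
    tunable work factor. The record carries its own parameters (hypothetical
    format: algo$iterations$salt$hash) so the work factor can be raised later."""
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Re-derive with the stored salt and iteration count, then compare in
    constant time so timing does not leak how many bytes matched."""
    parts = record.split("$")
    if len(parts) != 4 or parts[0] != "pbkdf2_sha256":
        return False  # malformed or unknown record: never accept it
    _, iterations, salt_hex, dk_hex = parts
    dk = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(dk, bytes.fromhex(dk_hex))


def needs_rehash(record: str, min_iterations: int = POLICY_ITERATIONS) -> bool:
    """True when a stored record was derived with fewer iterations than the
    current policy, so it can be re-hashed at the user's next successful login."""
    parts = record.split("$")
    return len(parts) != 4 or int(parts[1]) < min_iterations
```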