"The direction of a strike depends on where your opponent stands, what he is doing at the moment, and what target on his body you want to hit. There are five sections of the body that you can attack: head, hands and arms, trunk, thighs, and lower legs. There are three components to consider before launching a strike: distance to the available targets, angle of the surface of the target, and timing of the opponent’s movement."
- Sang H. Kim, Vital Point Strikes (Turtle Press, 2008)
The best way to think about cyber security and self defense is to compare it to boxing or any martial art. Your body, like a computer network, has numerous vulnerabilities. When you find yourself being attacked, you need to position your arms and your torso in such a way that you shrink the number of vulnerabilities exposed to the attacker. This is known as “shrinking the attack surface”. Trained fighters will angle their body to present a reduced attack surface to their opponent. They’ll keep their arms up to cover everything from the bottom of their ribcage to the top of their skull because most of the lethal points of the body are in those regions. They’ll still get hit, but it probably won’t be on a vital point. Similarly, there’s no way to stop an attack against your network, but you can make sure that the attack hits only non-vital data rather than your company’s most valuable information.
The following are some basic principles for you to follow both at home and abroad to help keep your valuable data safe. They won’t be sufficient for when you’re in high-risk locales and they won’t stop a targeted attack, but they will make it much less likely that you’ll suffer a serious breach because of poor cyber security habits or an over-reliance on your antivirus or firewall application. A 64-year-old friend of mine who’s been a lifelong bodybuilder and a fighter is fond of saying “I may not be able to feed a guy his lunch any more, but I’ll definitely feed ‘em a sandwich.” That’s all we want to do with this strategy. If someone wants to attack you, we want that person to know that it’s going to cost them something—and that may be enough to get them to leave you alone and pursue weaker, less prepared prey.
Develop a healthy paranoia about everything in your Inbox or your BrowserIf you receive an email from an unknown person with an attachment, don’t open it. If you recognize the name of the sender but the text in the email doesn’t sound like her, pick up the phone and call her to verify that the email is legitimate. If the email asks that you click on a link, read the link first. A lot of malicious links are designed to look like the real thing but won’t stand up to close scrutiny. Is the word spelled correctly? Does it end with a “dot com” or a “dot co”? Take a minute and check before you click.
If you’re on Twitter and receive a tweet with nothing but a shortened URL, ignore it. If you receive a Direct Message from someone you know with a shortened URL, but the message doesn’t sound like it would have come from that person, pick up the phone and make a call to verify that your friend Jody actually sent you the message “You should see what this guy is saying about you at fakeURL.com!”
Use the most secure Web browser that you can findIt doesn’t matter if you’re a Microsoft geek or Apple chic. Don’t let your loyalty to a company brand determine your online safety. Find and read independent research on which browser is the most secure and make your decision from the evidence. For example, Accuvant Labs recently published “Browser Security Comparison: A Quantitative Approach” on December 14, 2011. They examined Internet Explorer, Mozilla Firefox, and Google Chrome for security flaws and came to the conclusion that Chrome was the most secure browser. However, take your time and read the full report so that you understand what the issues are and why Accuvant made the decision that it did. Feel free to look for contrary findings as well and make an informed decision.
The only rule you need to know about passwordsThere is one simple rule to remember about constructing a password: make it as long as possible—definitely longer than 10 characters. One example is to use the latitude or longitude of your favorite city. For example, Rio de Janeiro’s latitude is “Latitude:-22.9181189”. That password has 20 characters of all 4 types and it’s almost impossible to crack using any of the password cracking tools out there today. If you like that idea, visit
www.findlatitudeandlongitude.com and pick your favorite destination. If you can’t memorize it, write it down and keep it in your wallet, but be sure to obfuscate it in some way that only you know. For example, just write down the number portion and obfuscate that by adding numbers to it: e.g., 22.918118904, or turn it into something that looks like a credit card number: 2291 8118 9040 5592. You’ll remember that everything from the 0 onward is extraneous but no one else will know that. Add an expiration date 01/15 and anyone who finds your little cheat sheet will automatically assume that it’s a credit card number.
It’s important to remember that no matter how complex your password is, if your computer becomes infected with a keylogger (an application that captures your keystrokes), you’re done. That’s why the above advice about browsers and email are so important.
Do preventative maintenance on your computerYour computer is a tool just like all of your other tools, including your automobile, and as such it requires regular maintenance. Make sure that all of the applications running on your computer are up to date. One way to do that is by using a free program called Secunia Personal Software Inspector (PSI). The website address is http://secunia.com/vulnerability_scanning/personal/. Once it’s loaded on your machine, it will search for security patches for every application that you use, notify you if any are out-of-date and point you to the download site.
Avoid free Wi-FiOne of the most popular ways for bad guys to steal your login credentials is to hang out at coffee shops, airports, and other popular locations that offer free Wi-Fi and use an application known as a “sniffer” to intercept your username and password for whatever application you’ve logged into while drinking a cup of coffee or waiting for your flight. Instead, use the mobile hotspot that comes with your smart phone or pay for a service that protects your session. Both are secure from wireless sniffers.
Don’t use USB thumb drives or other removable mediaOne of the worst breaches ever to occur at the U.S. Department of Defense came about because of the popularity of transmitting data from one computer to another via thumb drives. The following article was written by Deputy Defense Secretary William J. Lynn III for the magazine Foreign Affairs in the September/October 2010 issue:
"In 2008, the U.S. Department of Defense suffered a significant compromise of its classified military computer networks. It began when an infected flash drive was inserted into a U.S. military laptop at a base in the Middle East. The flash drive's malicious computer code, placed there by a foreign intelligence agency, uploaded itself onto a network run by the U.S. Central Command. That code spread undetected on both classified and unclassified systems, establishing what amounted to a digital beachhead, from which data could be transferred to servers under foreign control. It was a network administrator's worst fear: a rogue program operating silently, poised to deliver operational plans into the hands of an unknown adversary."
"This previously classified incident was the most significant breach of U.S. military computers ever, and it served as an important wake-up call. The Pentagon's operation to counter the attack, known as Operation Buckshot Yankee, marked a turning point in U.S. cyberdefense strategy."
To put it simply: don’t use removable media to transfer data between computers. The only time removable media should be used is when you travel and then only to store your own critical data as an alternative to storing it on your travel laptop.
