I recently bought a new house, and following recommended security practices, I had the door locks replaced, the security code on the garage-door opener changed, and the house alarm system upgraded. The process reminded me of what a locksmith told me years ago: You can't keep a thief from breaking in, but you can make it hard enough that he'll go where it is less risky.
Fast-forward to the Internet/cloud era, and that sage advice still holds true -- maybe even more so. The most recent breaches hitting HealthCare.gov, Home Depot, and the unfortunate theft of private photos from iCloud make it clear that even the US government, giant corporations, and advanced tech companies like Apple struggle to cope with the speed at which cyber-thieves are evolving their techniques. It's not a question of if someone can get into your accounts, but whether your security plan is a deterrent -- or makes you a target.
There are three core principles in use by corporations that individuals can adopt in their own lives:
1. Defense in depth applies to everyone. The old model of dropping a moat (firewalls/passwords) around the castle (data center/your hard drive) and relying on perimeter detection is gone. It takes a combination of security products and practices woven into a web of protection. In your house, good locks on your doors and windows are a start, but if someone penetrates past them, you want a monitored alarm system as another layer of security.
For a typical online personal security scenario, basics are a password manager like LastPass or SplashID, so that you can use strong site-specific passwords without carrying around a wad of sticky notes. And no reuse, please. If you're on a public Wi-Fi network, add a personal VPN like WiTopia, CyberGhost, or Private Internet Access. For mobile, look into Apple Pay or Google Wallet. Both abstract your credit card data and add a layer of security. These aren't expensive or difficult to set up and may encourage an attacker to move on to the next house.
2. Security is a team sport. Enterprises have knowledgeable security personnel on staff who are responsible for monitoring their environments. If a smaller shop can't afford someone who understands what a DDoS attack looks like, they often partner with a managed security firm or a cloud provider that does. Security is too important and too big a job to go it alone.
Likewise, individuals need to understand their limitations and select partners wisely. Does it really make sense to allow 47 e-commerce sites to store your credit card data? It's not such a hassle to type 15 or 20 digits. Before you trust a site to hold personal or financial info, be sure you trust that it invests in security and respects your privacy. Likewise, before storing anything in the cloud that you wouldn't want everyone with an Internet connection to see, spend some time digging into the provider's privacy and security policies and track record. Pick your trusted partners wisely.
3. Eternal vigilance is the price of security. Monitor the $%#& out of your computers, mobile devices, accounts, and credit reports. Install security patches promptly, and if a system starts behaving strangely, figure out why. Don't plug in random USB devices.
Many of the most damaging losses are not a result of the breach itself but the fact that it went undetected for so long, allowing the attackers to penetrate deeper and steal more information. Recent headline-making threats such as the Bash Shellshock bug and Heartbleed are prime examples of this.
On a personal level, look closely at all statements. Thieves often make micro-charges for just a few bucks on stolen credit cards to validate that the account is active before selling it on the black market. Don't just assume that an unfamiliar charge was from that coffee shop you visited while out of town. Carefully check your credit report, too.
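The statement review described above can be turned into a simple check. The following is an added example, not code from the original article: it runs over a constructed card statement and a constructed history of past charges, and flags small charges from merchants you have never paid before, as well as clusters of small charges landing within a few days of each other, which is how account-validation probes tend to look. The $5 threshold and the 3-day window are assumptions to tune to your own spending.

```python
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Charge:
    """One line from a card statement (constructed sample data)."""
    day: date
    merchant: str
    amount: float  # dollars


# Constructed earlier statements; used only to learn which merchants are familiar.
HISTORY = [
    Charge(date(2014, 7, 3), "Grocery Mart", 84.12),
    Charge(date(2014, 7, 10), "Corner Coffee", 4.25),
    Charge(date(2014, 7, 18), "Gas Station", 52.00),
    Charge(date(2014, 8, 2), "Corner Coffee", 3.75),
    Charge(date(2014, 8, 21), "Online Books", 18.99),
]

# Constructed current statement to review.
STATEMENT = [
    Charge(date(2014, 9, 2), "Grocery Mart", 91.40),
    Charge(date(2014, 9, 3), "Corner Coffee", 4.50),
    Charge(date(2014, 9, 5), "WEB*SVC 8812", 1.00),
    Charge(date(2014, 9, 6), "DGTL PAY TEST", 0.99),
    Charge(date(2014, 9, 8), "Gas Station", 47.10),
    Charge(date(2014, 9, 12), "Airport Cafe", 6.80),
]

MICRO_CHARGE_LIMIT = 5.00  # assumed: anything at or below this is a "micro-charge"
BURST_WINDOW_DAYS = 3      # assumed: small charges this close together look like probing


def review_statement(statement, history, limit=MICRO_CHARGE_LIMIT,
                     window_days=BURST_WINDOW_DAYS):
    """Return [(charge, [reasons])] for every small charge worth a second look.

    A small charge is flagged when its merchant never appeared in the history,
    or when other small charges landed within window_days of it.  Familiar
    small charges with no neighbours (your regular coffee) are left alone.
    """
    familiar = {c.merchant for c in history}
    small = sorted((c for c in statement if c.amount <= limit), key=lambda c: c.day)
    flagged = []
    for charge in small:
        reasons = []
        if charge.merchant not in familiar:
            reasons.append("unfamiliar merchant")
        neighbours = [o for o in small
                      if o is not charge and abs((o.day - charge.day).days) <= window_days]
        if neighbours:
            reasons.append(f"{len(neighbours)} other small charge(s) within {window_days} days")
        if reasons:
            flagged.append((charge, reasons))
    return flagged


if __name__ == "__main__":
    for charge, reasons in review_statement(STATEMENT, HISTORY):
        print(f"{charge.day} {charge.merchant:<15} ${charge.amount:>6.2f}  <- {'; '.join(reasons)}")
```

Run on the sample data, the two odd-looking one-dollar charges are flagged for both reasons, and the familiar coffee purchase is flagged only because it sits inside the same three-day burst, which is exactly the case the article warns against waving off as "that coffee shop."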
When enterprises do dumb things, they tend to get owned. Using my home example, the partnership is with my alarm company (and my nosy neighbors). It doesn't do me any good to have the alarm if I don't turn it on when I leave, or if I "hide" a key under the front mat and announce on Facebook that I'm going on vacation. Be smart, and hope thieves find your house too well-protected and move on.