Rumors of an executive order about cybersecurity from President Donald Trump have been swirling for the last week, and improving our national cybersecurity has been a political issue for the last couple of years.
On a personal level, hacking, data collection and recording by personal devices all pose threats to personal information security.
While there isn’t anything a normal person can do to protect our national cyber infrastructure, there are steps you can take to protect your personal information, connected devices and banking accounts.
On Tuesday’s St. Louis on the Air, we heard from three local experts regarding these issues. Joining us were:
- Jason Clark, chief security and strategy officer, Optiv Security
- Shaji Khan, assistant professor of information systems, University of Missouri-St. Louis
- Poonam Verma, vice president of vulnerability management, Mastercard
Listen to the full conversation here:
In the past years, our personal information has become less secure online for the simple fact that more of our lives are lived online, and that’s where we leave a trail.
“Our whole world is shifting to a digital world and our data ends up everywhere,” Clark said. “That is driving a significantly larger ‘attack surface.’ The attackers are greater in numbers, they have more tools and there’s a lot of money to be made there. The risk is increasing and we’re less secure.”
Although there are more vulnerabilities, and thus less security, there is cause for hope, Verma said, in that more and more people are becoming aware of cybersecurity threats.
“It is not all doom and gloom: if the basic user follows security guidelines, you will be just fine,” Khan said.
With that in mind, here are six of the big takeaways we drew from the conversation:
Email is where you are most vulnerable
“Email is the number one way that people are vulnerable,” Clark said. “People are tricked into clicking on something that puts malware on your machine that then watches every keystroke you enter, capturing your passwords, your back account. We see these scams all the time: where someone compromises a CFO and is then able to do wire transfers. This is the number one area we see people compromised.”
Additionally, people who use the same password across all accounts are extra susceptible to such attacks because all the hacker does is determine one password and track all the different websites you visit, hoping the same password works at each one.
4 easy, initial steps to securing your personal information
“The best protection is you, the human element, and the biggest weakness is you, the human element,” Khan said.
There are common-sense technical activities that you can implement to protect your information, but in the end it will come down to human operators to make sure those common-sense rules are followed. These are the initial steps Khan recommends following:
- Keep your device’s operating system updated. Consider keeping those updates automated.
- Use basic antivirus/firewall protection.
- Use good, complicated passwords.
- Be careful when you use public Wi-Fi. Perhaps don’t conduct sensitive, personal business on public Wi-Fi.
The UMSL cybersecurity program provides several resources to learn more about protecting your personal information here.
Public Wi-Fi is not your friend
Wireless networks are shared transmission mediums, meaning that they transmit data through radio waves that float through the air around us between device and router. Anyone can “listen in” to that data with proper tools, Khan said. The only way to ensure privacy on a wireless network is through encryption or limiting the number of people who have password access to that network. Public Wi-Fi generally has many people accessing the same transmission network at once.
Once on the wireless network, if you only visit sites with “https” in their web address, those websites are automatically encrypted. If you’re using public or private Wi-Fi, no one else will be able to see the data transmitted on those websites. Alternately, using a Virtual Private Network provider is another way to ensure encryption in a public space, Khan said.
Clark recommended never sharing any confidential information unless you see “https” in the web address on a public Wi-Fi network for an extra layer of protection.
Clark said he has seen people all over the country, even in St. Louis, who sit in areas with public Wi-Fi with an antenna attached to their laptop. That antenna likely allows the person at that computer to listen in on the messages your computer is sending the Wi-Fi router.
“They’re either doing that for fun or for financial gain,” Clark said. “I’ve seen that 20-30 times in Starbucks.”
Your (and your friends’) social media postings are a vulnerability
Check the privacy of your social media accounts — and then check them again. As Khan explained, social engineers and hackers can collect data from your public accounts and use that to better send attacks and offers that appear legitimate but put malware on your computer to steal your data. The solution? Either post less personal information, photos, locations or ensure your privacy settings do not allow strangers to view intimate personal information.
Clark said even this approach is not enough. When he runs security checks on Fortune 1000 companies, he has found employees themselves often know how to police their own privacy. Their problem? What other friends and family members post about them that is publicly available.
He has found CEOs in the past whose children post their home address and pictures of their door key, which a cybercriminal could make a copy out of it. If you have family members or friends who are lax in their privacy settings, it is a good idea to discuss what you would/would not prefer posted about you.
‘There is no such thing as 100% security’
Khan put it simply: “There is no such thing as 100 percent security.”
Clark agreed, saying that even if you turned off all your devices, buried them in the ground and never touched them again, they would be secure, but not even completely.
That’s not cause for abject alarm, though.
“We don’t ever need to be 100% secure,” Clark said. “What you want to do is raise the wall or barrier to entry to the point to where it becomes too hard or too much effort or too much money for the hacker and they’ll move onto another target. That’s the strategy we’re coaching businesses and individuals to pursue.”
We are already involved in cyber warfare
There are two types of cyber warfare, Clark said: state-sponsored work and, on the other hand, malicious individuals out for personal gain.
“On a state-sponsored side, there is a big race to create cyber weapons,” Clark said. “People are realizing that they can’t win in the nuclear race and cyber is the new domain of warfare. It is just like water, air and land: this is the fourth domain.”
Each country is building cyber armies and weapons but as they create more weapons, the original weapons are less valuable to the government. Those weapons, then, often end up in the hands of malicious individuals or mafia groups in the country who will use them on unsuspecting citizens.
“You see with the big nation state actors: nation states are not just fighting each other, they also are conducting systematic espionage on corporations,” Khan said. “Pick any major U.S. corporation and you’ll hear about espionage from other nations. Long story short: If you think we are going to be in a cyber war the short answer is: we’re already in it.”
St. Louis on the Air brings you the stories of St. Louis and the people who live, work and create in our region. St. Louis on the Air host Don Marsh and producers Mary Edwards, Alex Heuer and Kelly Moffitt give you the information you need to make informed decisions and stay in touch with our diverse and vibrant St. Louis region.