Infosec @ Clutch Talent
The Clutch team recently met for a casual information security training session. While all “cyber” aspects were discussed in broad strokes, the focus was on how to best safeguard and keep information private while working at a small business. Many of these same lessons can be applied to protecting personal information in an increasingly hostile digital world.
When you consider how much information you share online, you are mapping your “attack surface.” The more surface area that exists, the higher the chance you have of being exposed. In a business, that information could include contracts, payroll, and so forth, whereas, in your personal life, it could include your cloud-published photo streams or your bank account login. The relevant attack surfaces that the Clutch team talked about were:
- Zero-days (brand new hacks)
- Physical space attacks (like a modification to your hardware)
- Phishing/spearphishing (sneaky attempts to get info)
- Compromises in the cloud (password dumps)
With zero-day attacks, the fear is that there’s not much you can do to protect yourself from something new — but that’s the core of what makes zero-day attacks so effective and so newsworthy. What gets lost in the news is that, frequently, a zero-day attack is released for an old software, firmware, or operating system version. The Clutch team discussed the importance of keeping all computers and mobile devices up to date and the increased security posture afforded by such a policy. In the end, we decided on these action points:
- Keep your phones and computers updated
- Scan suspicious files and links with VirusTotal
- Make sure you trust downloaded applications that ask for your login
Physical space attacks can range from hardware keyloggers to using witchcraft to trap and bind autonomous vehicles. We currently work out of a shared office, so we’re primarily concerned with physical access to our computers. There were a good number of security measures touched upon regarding physical access:
- Lock up your computer at the end of the day
- Keep your screen locked (by logging out or with a password-enabled screen saver) when stepping away from your desk
- Consider using disk encryption, like Apple’s FileVault
Phishing tactics are always changing in response to the average person’s phishing education/awareness level. This article about links disguised as pictures that are themselves disguised as file icons, from strangers disguised as friends, speaks to the level of savvy involved in today’s phishing trade. Spearphishing is something we’re all especially susceptible to, as the communication is disguised to look like it’s coming from somebody you’d trust. What’s most important here is to always be on your guard when clicking links. If your browser normally marks login fields as secure but suddenly raises a red flag, that’s something you should pay attention to.
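The browser warning mentioned above comes from a simple rule: a password field on a page, or in a form, that is not served over HTTPS. The following script is an added illustration of that check, not code from the Clutch post; the sample pages and the `find_insecure_logins` helper are constructed for the example, and it deliberately ignores the many other signals a real browser uses.

```python
"""Flag login forms that would submit a password insecurely.

Added example (not code from the Clutch post): a simplified version of the
check behind the browser warning for password fields on non-HTTPS pages.
The HTML pages below are constructed for this illustration.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse


class LoginFormScanner(HTMLParser):
    """Collects every <form> together with whether it holds a password input."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self._current = None        # resolved action URL of the open <form>
        self._has_password = False
        self.forms = []             # list of (action_url, has_password_field)

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            # A missing or empty action means "submit back to the current page".
            self._current = urljoin(self.page_url, a.get("action") or "")
            self._has_password = False
        elif tag == "input" and self._current is not None:
            if (a.get("type") or "").lower() == "password":
                self._has_password = True

    def handle_endtag(self, tag):
        if tag == "form" and self._current is not None:
            self.forms.append((self._current, self._has_password))
            self._current = None


def find_insecure_logins(page_url, html):
    """Return one warning string per login form that deserves a red flag."""
    scanner = LoginFormScanner(page_url)
    scanner.feed(html)
    scanner.close()
    page = urlparse(page_url)
    warnings = []
    for action, has_password in scanner.forms:
        if not has_password:
            continue
        target = urlparse(action)
        if page.scheme != "https":
            warnings.append(f"password field on a non-HTTPS page: {page_url}")
        if target.scheme != "https":
            warnings.append(f"password would be sent over {target.scheme}: {action}")
        elif target.netloc != page.netloc:
            # Not always wrong, but worth a look on a page you reached from a link.
            warnings.append(f"password posts to a different host: {target.netloc}")
    return warnings


# Constructed sample pages for the example.
SAFE_PAGE = """<html><body>
<form action="/session" method="post">
  <input name="user"><input type="password" name="pw"><button>Log in</button>
</form></body></html>"""

RISKY_PAGE = """<html><body>
<form action="http://login-example.test/auth" method="post">
  <input name="user"><input type="PASSWORD" name="pw"><input type="submit">
</form>
<form action="/search"><input name="q"></form>
</body></html>"""

OTHER_HOST_PAGE = """<html><body>
<form action="https://accounts.other.test/login" method="post">
  <input type="password" name="pw">
</form></body></html>"""

if __name__ == "__main__":
    for url, page in [("https://example.test/login", SAFE_PAGE),
                      ("http://example.test/login", RISKY_PAGE),
                      ("https://example.test/login", OTHER_HOST_PAGE)]:
        print(url, find_insecure_logins(url, page) or "no warnings")
```

The same two questions (is the page itself HTTPS, and where does the form actually post) are what to ask manually when a login page looks slightly off.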
Websites get hacked, and customer information is a valuable target for hackers. Subscribing to breach notifications from security researcher Troy Hunt’s Have I been pwned project can help increase awareness significantly. A great practice to engage in is to set up a different password for each login you use, which prevents cascading failure in the event that your login credentials for one service wind up becoming exposed. The Clutch team discussed a few password management solutions, such as the open source and incredibly robust KeePass, as well as the commercial product 1Password and its focus on balancing security with ease of use. Finally, we touched upon multi-factor authentication methods like Authenticator and SMS and the importance of enabling it on sites where you’d like to improve login security beyond a simple username and password combination. We spent some time browsing through this 2FA database, which categorically lists commonly used services and the types of additional authentication they provide.
At Clutch, we recognize that part of succeeding as a small business (or really, a business of any size) requires engagement in open and honest ongoing conversations about security. As that dialogue continues and we continue to evolve our understanding of how to best respond to these persistent cybersecurity threats, we’ll post updates to share what we learn with the community.