A View from Jeremiah Grossman

Setting Traps, and Other Internet Security Tips

In the wake of cyberattacks on JPMorgan and other sophisticated companies, a computer security expert offers advice to those of us with far fewer resources.

October 31, 2014

After massive data breaches that affect tens of millions of people, like the recent cyberattacks on JPMorgan Chase and other major banks, I’m commonly asked: “What can average people do to protect themselves?” As a computer security expert, my professional advice is: use hard-to-guess passwords, keep your computer software up-to-date, encrypt your data, and save your backups. But I could have offered the same advice in 2004. The attacks we see in 2014 are so sophisticated that taking just the steps I mentioned isn’t really going to help you all that much. The honest 2014 answer is: Go outside, raise your hands in the air, and run around in circles screaming.

I am not entirely kidding.

Given the aforementioned breaches and those at major retailers like Target, Home Depot, Kmart, Staples, and so many others, chances are good that you, along with every other consumer, have had your personal information fall into the hands of undesirable people: a credit card number stolen, an online account taken over, and more.

The cold truth is that the JPMorgan breach and the rest are not symptomatic of anything new—online businesses have been under constant cyberattack for well over a decade. What’s different today is that there is a lot more at stake because so much of what we do every day is online.

Here is what I recommend: use two-factor authentication—essentially verifying via SMS on your mobile phone that you are the owner of a particular account online, every time you sign on. Google, Facebook, Twitter, and just about every major bank provide this option. Also, since everyone gets hacked online eventually, make sure the damage is limited. Nothing is more annoying to a hacker than cracking an account only to find nothing worth stealing. Remove any unnecessary personal data from the cloud, such as archived pictures, e-mail, Twitter and Facebook messages, and so on.

If you own or operate a business online, what might be most alarming is that very large companies with seemingly unlimited budgets, like JPMorgan, are still being attacked. And as that breach showed, companies often do not know they have been hit, which expands the window of time in which criminals can cause damage.

So you should assume a compromise will happen eventually, and then design a system where your team is the first to know, rather than the last. One way to do this is to place special records in your databases that are meant to never be read, accounts that should never be logged into, files that should never be touched, and so on. These serve as tripwires—the moment someone accesses these items, you know something bad is happening, and you can take databases offline and call for help.
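To make the tripwire idea concrete, here is a small detector added for this edit (example code, not from the article or from WhiteHat Security) that scans an application audit log and raises an alert the moment a decoy record is read, a decoy account logs in, or a decoy file is opened. The log format, canary identifiers and sample lines are all constructed for illustration.

```python
# Added example (not from the article): a minimal tripwire detector over a
# constructed audit-log format "<ts> <event> actor=<user> target=<id> src=<ip>".
import re
from typing import NamedTuple

# Constructed decoys: a customer row, a login, and a file that exist only as bait
# and should never be touched by legitimate users or code.
CANARY_RECORDS = {"cust-00099999"}
CANARY_ACCOUNTS = {"svc-backup-legacy"}
CANARY_FILES = {"/srv/data/payroll_2013_final.xlsx"}

LOG_RE = re.compile(r"^(\S+) (\S+) actor=(\S+) target=(\S+) src=(\S+)$")

class Alert(NamedTuple):
    ts: str
    kind: str
    actor: str
    target: str
    src: str

def classify(event, actor, target):
    """Map one parsed event to a tripwire kind, or None if no canary was touched."""
    if event == "db.read" and target in CANARY_RECORDS:
        return "canary-record-read"
    if event == "auth.login" and actor in CANARY_ACCOUNTS:
        return "canary-account-login"
    if event == "file.open" and target in CANARY_FILES:
        return "canary-file-open"
    return None

def scan(lines):
    """Return one Alert per log line that touches a canary; malformed lines are skipped."""
    alerts = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # a production detector would also count unparseable lines
        ts, event, actor, target, src = m.groups()
        kind = classify(event, actor, target)
        if kind:
            alerts.append(Alert(ts, kind, actor, target, src))
    return alerts

# Constructed sample log: one legitimate read followed by three tripwire hits.
SAMPLE_LOG = [
    "2014-10-31T09:12:01Z db.read actor=alice target=cust-00001234 src=10.0.0.5",
    "2014-10-31T09:12:07Z db.read actor=alice target=cust-00099999 src=10.0.0.5",
    "2014-10-31T09:13:44Z auth.login actor=svc-backup-legacy target=- src=203.0.113.9",
    "2014-10-31T09:14:02Z file.open actor=bob target=/srv/data/payroll_2013_final.xlsx src=10.0.0.7",
]
```

Running `scan(SAMPLE_LOG)` yields three alerts, one per canary hit; the legitimate read of `cust-00001234` produces none.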

We need to rethink how we approach Internet security. Too often security investments are made in technologies like antivirus software or network firewalls that will do next to nothing to stop a Web-based attack. In most breaches, hackers are attacking Web-based applications—so we need to find and fix those vulnerabilities before the bad guys exploit them. They’re in it for the money, so your goal is to make any attack harder, and thus more costly—in which case they’ll slow down or shift to new targets. Then the rest of us will have less reason to run around screaming with our hands in the air.

Jeremiah Grossman is the founder and interim CEO of WhiteHat Security and former information security officer at Yahoo.
