A View from Jeremiah Grossman
Setting Traps, and Other Internet Security Tips
In the wake of cyberattacks on JPMorgan and other sophisticated companies, a computer security expert offers advice to those of us with far fewer resources.
After massive data breaches that affect tens of millions of people, like the recent cyberattacks on JPMorgan Chase and other major banks, I’m commonly asked: “What can average people do to protect themselves?” As a computer security expert, my professional advice is: use hard-to-guess passwords, keep your computer software up-to-date, encrypt your data, and save your backups. But I could have offered the same advice in 2004. The attacks we see in 2014 are so sophisticated that taking just the steps I mentioned isn’t really going to help you all that much. The honest 2014 answer is: Go outside, raise your hands in the air, and run around in circles screaming.
I am not entirely kidding.
Given the aforementioned breaches and those at major retailers like Target, Home Depot, Kmart, Staples, and so many others, chances are good that you, along with every other consumer, have had your personal information fall into the hands of undesirable people: a credit card number stolen, an online account taken over, and more.
The cold truth is that the JPMorgan breach and the rest are not symptomatic of anything new—online businesses have been under constant cyberattack for well over a decade. What’s different today is that there is a lot more at stake because so much of what we do every day is online.
Here is what I recommend: use two-factor authentication—essentially verifying via SMS on your mobile phone that you are the owner of a particular account online, every time you sign on. Google, Facebook, Twitter, and just about every major bank provide this option. Also, since everyone gets hacked online eventually, make sure the damage is limited. Nothing is more annoying to a hacker than cracking an account only to find nothing worth stealing. Remove any unnecessary personal data from the cloud, such as archived pictures, e-mail, Twitter, and Facebook messages, and so on.
If you own or operate a business online, what might be most alarming is that very large companies with seemingly unlimited budgets, like JPMorgan, are still being attacked. And as that breach showed, companies often do not know they have been hit, which expands the window of time in which criminals can cause damage.
So you should assume a compromise will happen eventually, and then design a system where your team is the first to know, rather than the last. One way to do this is to place special records in your databases that are meant to never be read, accounts that should never be logged into, files that should never be touched, and so on. These serve as tripwires—the moment someone accesses these items, you know something bad is happening, and you can take databases offline and call for help.
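A minimal sketch of such a tripwire check, covering the three kinds of decoys just described (records, accounts, files). This is an added example, not part of the original article; every table name, account name, path and log field in it is a constructed assumption.

```python
import posixpath
from dataclasses import dataclass

# Constructed tripwires (hypothetical names): no legitimate process touches these.
CANARY_ROWS = {("customers", 900001), ("customers", 900002)}
CANARY_ACCOUNTS = {"svc-backup-old"}
CANARY_FILES = {"/srv/finance/passwords-2014.xlsx"}

@dataclass(frozen=True)
class Alert:
    time: str
    kind: str
    actor: str
    detail: str

def check_event(event):
    """Return an Alert if the event touches a tripwire, otherwise None."""
    if event["type"] == "db_read":
        # A bulk dump sweeps up the canary rows along with the real ones.
        hits = {(event["table"], r) for r in event["row_ids"]} & CANARY_ROWS
        if hits:
            return Alert(event["time"], "canary_row", event["actor"], str(sorted(hits)))
    elif event["type"] == "login":
        # Failed attempts count too: nobody should even try this account.
        if event["account"].lower() in CANARY_ACCOUNTS:
            detail = f'{event["account"]} ({event["result"]})'
            return Alert(event["time"], "canary_account", event["actor"], detail)
    elif event["type"] == "file_open":
        # Normalize so "../" detours do not slip past the exact-path match.
        path = posixpath.normpath(event["path"])
        if path in CANARY_FILES:
            return Alert(event["time"], "canary_file", event["actor"], path)
    return None

def scan(events):
    """Check events in order and return every tripwire alert."""
    return [a for a in map(check_event, events) if a is not None]

# Constructed sample events, not real logs.
SAMPLE_EVENTS = [
    {"time": "02:14:07", "type": "db_read", "actor": "app-web", "table": "customers", "row_ids": [101, 102]},
    {"time": "02:14:31", "type": "login", "actor": "198.51.100.23", "account": "SVC-backup-old", "result": "failed"},
    {"time": "02:15:02", "type": "db_read", "actor": "app-web", "table": "customers", "row_ids": [101, 900001, 900002]},
    {"time": "02:15:40", "type": "file_open", "actor": "jsmith", "path": "/srv/finance/q3/../passwords-2014.xlsx"},
    {"time": "02:16:00", "type": "file_open", "actor": "jsmith", "path": "/srv/finance/q3/report.xlsx"},
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print(f"TRIPWIRE {alert.time} {alert.kind} by {alert.actor}: {alert.detail}")
```

Because nothing legitimate ever touches a decoy, a single hit is enough to page someone; there is no threshold to tune.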
We need to rethink how we approach Internet security. Too often security investments are made in technologies like antivirus software or network firewalls that will do next to nothing to stop a Web-based attack. In most breaches, hackers are attacking Web-based applications—so we need to find and fix those vulnerabilities before the bad guys exploit them. They’re in it for the money, so your goal is to make any attack harder, and thus more costly—in which case they’ll slow down or shift to new targets. Then the rest of us will have less reason to run around screaming with our hands in the air.
Jeremiah Grossman is the founder and interim CEO of WhiteHat Security and former information security officer at Yahoo.