Communication is Key
As a security operations (SecOps) engineer, my job involves many hats. One of the roles most important to the company’s overall security posture is that of communicator – I not only need to describe the current environment and our context within it concisely, I also need to tailor that information to particular audiences (including non-receptive ones). It takes a lot of time and cognitive effort but can be incredibly effective at achieving our collective goals.
Coming from an IT support background informs my user-centric approach to both technology in general and security in particular. As a freelancer, I couldn’t impose unnecessary pain on private clients just so I could sleep better. As a system administrator in the US House of Representatives, I couldn’t make congressional staffers adhere to the strictest of protocols while on foreign CODEL trips. So as a SecOps engineer for a security, data, and intelligence company, I can’t just rant from the pulpit and lock down everything perfectly from the info-systems prison control room.
What I can do is inform each person what’s going on, where they fit into it, and how to start making better decisions.
Creating A SecOps Newsletter
At least once every two weeks, SecOps sends out an internal newsletter of sorts with four main sections:
- The first section catches everyone up on our team in general.
- The second provides the top security news stories that occurred since the last missive.
- The third covers business-related news in the security sphere.
The second and third sections in particular help educate folks about the environment in which we’re operating, as well as possible opportunities. Even in security, not everyone can live and breathe the next compromise headline or Talos blog post, but if presented with them in an easy format those folks may see something I don’t.
The fourth and last section I title “More Secure Than Yesterday” and it’s a paragraph or two with some basic tips for folks to increase their information security awareness and posture, whether personal or business. The title is a reinforcement of an ugly fact: nothing is ever “secure” – just more secure than it was, hopefully. It helps folks in different parts of the business contextualize themselves in a non-binary process and reduces “all or nothing” security nihilism – the abandonment of good practice because it’s not great practice.
Good security practice is a hell of a lot better than no practice. So we all start where we start, and can make incremental improvements going forward. Given how many compromises begin with an employee’s personal resources being compromised and then pivoting to corporate, increasing understanding while not making folks feel judged or hopeless is essential. The hope is that every few weeks my colleagues may see something useful or easy and implement it for themselves. If we all walk the security path together, we all win.
I’ve collected some of the basic tips below in case they’re useful to the wider world as well. You don’t have to climb the security hill all at once, or alone: each step forward is progress.
Let’s dig in.
Basic Security Tips
CRUCIAL: Multi-Factor Authentication
Please ensure your personal accounts use 2-Factor Authentication (2FA) or Multi-Factor Authentication (MFA) wherever possible. Most services support this now. Also, where possible, use an authenticator app like Google Authenticator or Authy instead of SMS/text-message codes, since SMS is more vulnerable in a number of ways. If you’re wondering whether a service allows this or how to set it up, most services have pretty clear instructions to make it easy.
Let’s talk about an ugly truth: security questions aren’t your friend.
You’ve seen them. Many services during setup now require you to provide a text answer to a “security question” or three that allow for password recovery. They usually take the form of “What was the name of your first pet?” or “Who is your favorite cousin?” or “Where was your mother born?” – the point being they’re all things that are easy for you to remember off the top of your head.
The problem is that most of these questions are exceedingly easy for bad actors to find out via Open Source Intelligence (OSINT) techniques and paid sources. Birth certificates, Department of Motor Vehicles records, social media posts, and many other avenues make the answers to these questions trivial to find out. Paid data broker services make it even easier.
So, what’s the “answer?”
Lie! Be creative! Choose completely wrong or irrelevant answers to these security questions. And record these answers in your password manager or another relatively secure manner.
Because it may be easy for ghosthaxxor127 to find out that you lived on Pinewood Lane in 1993 and that your beloved childhood pet was named Fluffy, but they’re not expecting your favorite cousin to be named Salamander.
Mobile App Privacy Reports
I want to introduce you to my new best friend – the iOS App Privacy Report. Since iOS version 15.2, Apple has included a native function to monitor which apps are requesting network activity (i.e., reaching out to web addresses or APIs) and exactly where they’re reaching out, in addition to data and sensor access (location, contacts, photos, camera, etc.). It’s an excellent way to review what data you’re leaking due to the apps on your phone, and other questionable decisions by those app developers.
For instance, upon reviewing my iOS App Privacy report, I discovered something ugly: an app only used for interacting with a USB drive and its contents was inexplicably reaching out to multiple points on the internet – whether I was using it or not. This included reaching out to a Facebook analytics address. Given these findings I made an informed decision to delete the app.
It took two taps to turn Privacy Report on, and another two to view the report once I let data collect over a few days. It was that easy to find out which of my apps were doing dirty data deeds behind my back!
If you have an iPhone that’s on at least iOS 15.2, you can take advantage of this by:
1. In Settings, tap Privacy.
2. Scroll to and tap App Privacy Report.
3. Tap Turn on App Privacy Report.
Allow it some time to gather data and go back. I have a recurring task on my to-do list to review this report every Sunday. Think about this as a tool to help you make informed decisions about the apps you keep and the data they may expose – not in a “DELETE ‘EM ALL” sense, but rather giving you the ability to make deliberate, informed decisions.
This is a little trickier on Android – any device with Android 12 or higher should have a specific Privacy section, but what it contains is up to the handset manufacturer. It should have a Permissions Manager that allows you to review permissions you have set, and see recent requests by apps for certain data and sensors, but it may not monitor network activity/access like the iOS App Privacy Report.
HOWEVER! There’s still a good solution here!
PCAPDroid is a free, privacy-friendly open source app that emulates a VPN in order to gather this same network data. It’s easy to install from the Android app store – from there, open it, and give it permission to act like a VPN. From there, PCAPDroid will show you both past network activity and currently open sessions (see the “Active” apps under “Connections” below).
You don’t have to be a cyber-luddite to work in security – the real key is to ensure you have the right information to make deliberative and thoughtful decisions for yourself and your own threat profile.
Use these tools to gather the data you need and take control!
Security and analytics firm Proofpoint held a webinar on the Impact of the Russia-Ukraine Conflict on the Cyber Threat Landscape that included some interesting anecdata in passing: the threat profile of the people they’re tasked with protecting always increases during travel. It’s not huge news that the threat profile for each of us changes from day to day, but as we start traveling again, what are some easy ways to protect yourself from security threats while traveling?
1. Public wifi should be avoided, but that isn’t always possible. If you have to use a wireless network other than at your home or the office or your own mobile hotspot try to use a VPN! There are quite a few scummy VPN companies out there, so do deep research before settling on one – bearing in mind that you’re trusting the VPN company with all your network traffic.
2. Don’t plug your phone directly into USB ports – even the ones on planes. Plugging your phone’s brick charger into an electrical socket is a lot more secure, but just using the cable in a USB port you don’t control can lead to compromise. Stick to electrical sockets, or keep an external battery pack with you; they’re cheap!
3. Keep your computer with you! While it’s not convenient to carry your laptop around with you, leaving it in the hotel room – especially on international trips – is courting theft or an “Evil Maid Attack.”
4. Disable AirDrop and similar functions. AirDrop can be useful for trading contact details, but there have been times it has been used in compromising or annoying attacks. You can disable it by going to Settings -> General -> AirDrop and setting it to “Receiving Off.” Android devices have similar “nearby sharing” modes you should disable.
5. While traveling from place to place, turn off wifi. Attackers can mimic common wifi names in an attempt to get your phone to autoconnect without you even realizing it. Turn it off in Settings. You can also turn it off via Control Center but be warned it will turn itself back on the next day. (Also see “Resetting Network Settings” below.)
6. If it’s an option, Bluetooth should be turned off while traveling as well, unless it’s in use. There are some difficulties to this if you use a smartwatch, of course, or when you want to use wireless headphones. As with anything, evaluate your risk level/threat model carefully, and proceed in a reasonable and informed manner.
7. In light of the recently published URL rendering attack affecting SMS and messaging apps, here’s a thought: on your mobile phone, set your default browser to one other than the browser you use for regular mobile surfing. This means that even if you do open a phishing link, it opens in a browser that doesn’t have all your cookies and other saved data. If you’re working across apps and want to open something in the browser you regularly use, long-press the URL or use the “share” or “open in” function of your phone’s OS.
Resetting Mobile Network Settings
We all know our mobile devices are tiny, expensive trackers that record in multiple ways where we’ve been, where we are, and where we’re likely going next. But there’s a specific way in which that history can actually make you more vulnerable!
Many of us connect to WiFi networks in many of the places we go: home, relatives’ houses, cafes, and, while traveling, hotels, airports, and conferences. While using a VPN will protect you in some ways, it’s worth understanding that your phone carries a history of the networks you’ve connected to, and those networks are usually stored in such a way that your phone will automatically reconnect to them when those networks reappear.
In many cases that’s convenient – who wants to enter the wifi password every time you go to grandma’s house? – but that can also leave you open to Man-In-The-Middle or MITM attacks if someone decides to spoof a common wifi name (SSID).
Let’s say you’re traveling and staying at the International Hotel Group hotel in Boston, connecting to the IHG_Guest_Wifi. Your trip goes great and you cab it back to Logan Airport to head home and celebrate your win.
But a few months later, on your next trip, something unseen happens. Unbeknownst to you, a shady hacker is using $35 in gear to impersonate common wifi names, and IHG_Guest_Wifi is one of them. Your phone automatically connects, and suddenly your mobile app traffic is going over the hacker’s gear, where any number of interception techniques can steal some of your data.
What can you do to prevent this?
Luckily, iPhones offer a pretty easy step that we recommend everyone take a few times a year: reset the network settings in your mobile devices (remember, tablets too!). This will reset some other things in addition to remembered wifi networks, and will cause your device to reboot.
To reiterate: resetting network settings will cause the phone to forget the wifi networks you’ve connected to, so you will need to reconnect to the networks you frequent and re-enter the passwords.
For iPhones, go to Settings -> General -> Transfer or Reset iPhone -> Reset -> Reset Network Settings. (In addition to wifi networks, this will reset cellular settings which should auto-refresh after reboot, as well as VPN settings).
Android is a little different, and the user interface will vary a little depending on manufacturer. On my Samsung, I can go to Settings -> Connections -> Wifi -> tap the three-dot menu and choose “Advanced” -> Manage networks -> delete networks you no longer need to keep saved in the phone.
If you use a to-do list or task manager app, consider adding a recurring task to clear out your saved networks a few times a year!
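The same housekeeping for a Linux laptop, as an added example that is not part of the original post: on systems that use NetworkManager, `nmcli -t -f NAME,TYPE,TIMESTAMP connection show` lists every saved connection profile with the Unix time it last connected (0 if it never did). The block parses that terse output, flags Wi-Fi profiles older than a chosen age so the machine will stop auto-joining them, and can delete them with `nmcli connection delete`. The sample output, the 90-day threshold, and the function names are my constructed assumptions; the SSIDs are made up, and as with the phone steps above, deleting a profile means re-entering its password next time you need it.

```python
import subprocess
import time
from typing import List

# Constructed sample of `nmcli -t -f NAME,TYPE,TIMESTAMP connection show`.
# Terse mode is colon-separated; a literal ':' inside a name is escaped as '\:',
# which is why the parser splits from the right.
SAMPLE_NMCLI_OUTPUT = """\
HomeWifi:802-11-wireless:1725000000
IHG_Guest_Wifi:802-11-wireless:1700000000
Wired connection 1:802-3-ethernet:1725000000
ConfWifi-2023:802-11-wireless:0
"""

WIFI_TYPE = "802-11-wireless"
SECONDS_PER_DAY = 86400


def stale_wifi_profiles(nmcli_output: str, now: int, max_age_days: int = 90) -> List[str]:
    """Return the names of saved Wi-Fi profiles that have not connected in
    `max_age_days` days (or never connected). Wired/VPN profiles are ignored."""
    stale = []
    for line in nmcli_output.splitlines():
        if not line.strip():
            continue
        name, ctype, ts_text = line.rsplit(":", 2)
        if ctype != WIFI_TYPE:
            continue
        last_seen = int(ts_text)
        never_connected = last_seen == 0
        age_days = (now - last_seen) / SECONDS_PER_DAY
        if never_connected or age_days > max_age_days:
            stale.append(name)
    return stale


def list_profiles() -> str:
    """Ask NetworkManager for the live profile table (requires nmcli on PATH)."""
    return subprocess.run(
        ["nmcli", "-t", "-f", "NAME,TYPE,TIMESTAMP", "connection", "show"],
        capture_output=True, text=True, check=True,
    ).stdout


def prune_saved_wifi(max_age_days: int = 90, dry_run: bool = True) -> List[str]:
    """Delete stale Wi-Fi profiles; with dry_run=True only report them."""
    doomed = stale_wifi_profiles(list_profiles(), int(time.time()), max_age_days)
    for name in doomed:
        if dry_run:
            print(f"would delete saved Wi-Fi profile: {name}")
        else:
            subprocess.run(["nmcli", "connection", "delete", "id", name], check=True)
    return doomed


if __name__ == "__main__":
    # Offline demonstration against the constructed sample, 10 days after HomeWifi was last used.
    print(stale_wifi_profiles(SAMPLE_NMCLI_OUTPUT, 1725000000 + 10 * SECONDS_PER_DAY))
```

Run it with `dry_run=True` first to see what would go; scheduling the real run from cron or a systemd timer a few times a year mirrors the recurring-task suggestion above.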
Another quick tip while we’re talking mobile devices and domestic travel: once your plane lands, turn your cellphone all the way off and back on again. That will cause it to reach out proactively to the carrier for updated connection information in the new area you’re in. Just turning Airplane Mode on and back off will not do this, so give it a power cycle and it’ll likely work better!
We’ve talked quite a bit recently about updating things, and it’s a handful to keep track of. We’ve mentioned phone and computer operating systems, browsers, applications/programs, servers… what else could possibly need updating?
Well… what about your router?
It’s a crapshoot these days as to whether you connect to wifi broadcast from the modem (the box between your network and the outside world) or whether you use a separate wifi router instead. In either case, they may need a firmware update to stay efficient and less insecure. The procedure itself varies from device to device, and can be annoying and downright difficult, so it’s not for the faint of heart.
But older modem/router firmware is one way attackers can get in, so if you’re up for it, it’s worth taking some time to ensure you’re running on the latest and greatest. Get started by taking a look at your equipment, noting Make and Model, and look up instructions from the manufacturer on firmware updates (ensuring what you’re downloading is from the manufacturer).
Security doesn’t have to be overtly painful. And it doesn’t have to be all-or-nothing. If you keep your head up and your eyes open, and you commit to making progress where you can to improve your own posture and reduce your “attack surface” – by shedding more vulnerable habits, deleting apps that collect and sell your data, and other steps – you help yourself and everyone else.