
Contrast Security Champions Cybersecurity Awareness Month: Do Your Part. #BeCyberSmart

Contrast is proud to be a 2021 Champion for Cybersecurity Awareness Month throughout October—helping to promote global awareness of online safety and privacy. Co-led by the National Cyber Security Alliance and the Cybersecurity and Infrastructure Security Agency (CISA) of the U.S. Department of Homeland Security, this annual campaign is a global effort between businesses, government agencies, colleges and universities, associations, nonprofit organizations, and individuals and is designed to raise awareness and help everyone stay safe online.

Despite the many conveniences and capabilities that technology affords us, lives and businesses can be disrupted when cyber criminals exploit vulnerabilities in the tools we rely on. Now in its 18th year, Cybersecurity Awareness Month aims to shed light on these security vulnerabilities, while offering actionable guidance surrounding behaviors anyone can take to protect themselves and their organizations. 

Why Security Matters More Than Ever Right Now

Even security professionals can become complacent when it comes to practicing good online hygiene and maintaining security best practices every day. It is important to remember why these sorts of standards matter when it comes to protecting both yourself and your place of work from exploitation.

Cyberattacks are becoming more sophisticated, and new, more capable bad actors appear each day. This year has already seen more than its fair share of complex attacks and breaches, led by supply chain attacks such as SolarWinds and Kaseya. Software supply chain attacks such as these can have dramatic impacts because of the expanded reach of distributed components that carry malicious payloads or built-in backdoors. Shortly after the Colonial Pipeline attack this year, President Biden signed an executive order that places strict new standards on the cybersecurity of any software sold to federal agencies.

While new and better standards and regulations are needed to help stem the tide of these kinds of major attacks, cybersecurity also matters on an individual level—things that each of us can and should be mindful of each day.

Reviewing the Cyber Basics

Luckily, there are several steps that we all can take on a daily basis to mitigate risks and stay one step ahead of malefactors. Here are a few quick tips:

Enable MFA

More than 99.9% of Microsoft enterprise accounts that get invaded by attackers didn’t use multi-factor authentication (MFA). MFA adds that necessary second check to verify your identity when logging into one of your accounts. By requiring multiple methods of authentication, your account is further protected from being compromised, even if a malicious actor hijacks your password. In this way, MFA makes it much harder for password-cracking tools to give attackers a way into accounts. If MFA is available for you to use, enable it! Having it is always better than not.

Use strong passwords

This may seem obvious, but all too often the use of strong passphrases and password managers is overlooked. The reality is that 61% of data breaches used compromised credentials. People spending more time online during the pandemic certainly contributed to more bad actors prowling for accounts to attack. Using long, complex, and unique passwords is a good way to stop your account from being hacked, and an easy way of keeping track of and remembering your passwords is to use a password manager. The National Institute of Standards and Technology (NIST) provides great guidance on setting password standards.

Perform software updates

When a device prompts that it is time to update the software, it may be tempting to simply click postpone and ignore the message. However, having the latest security software, web browser, and operating system on devices is one of the best defenses against online threats. So, don’t wait—update. Malicious actors take advantage of disclosed vulnerabilities due to the lag time between initial reporting and patching across all affected systems. The faster we can keep our software up to date, the more protected we will be in the long run.

And for software vendors in particular, shortening mean time to remediation (MTTR) for application vulnerabilities can help their customers reduce their windows of exposure. Application vulnerabilities simply need to be found and fixed faster. For one major application security vendor, the average MTTR is currently 171 days. To remediate vulnerabilities faster, software vendors need to focus on vulnerabilities that matter and ignore those that don’t. Recent research shows that a majority of vulnerabilities—including 54% of those rated “Critical” and 49% rated “Major”—would be classified as false positives with traditional tools.

Do your homework and trust your gut

Common sense is a crucial part of maintaining good online hygiene, and an intuitive step to stay safe online is to do some research before downloading anything new to your device—both web-based applications and mobile apps. Before downloading any new application on your device, make sure that it’s safe by checking who created the application, what the user reviews say, and whether there are any articles published online about the application’s privacy and security features. I have also always recommended that people listen to their gut when interacting with the web. Our human intuition and ability to question the legitimacy of things can help to keep us safe online from things like malicious websites or phishing schemes. If it feels wrong, if it seems too good to be true, or if you receive a download link from someone out of band, question it and do your homework.

Check your settings

Be diligent about double-checking your privacy and security settings, and be aware of who can access your applications and documents. This extends from business systems such as document repositories, project management systems, and customer relationship management (CRM) to bank accounts, collaboration tools, and email clients. For meetings on Zoom, for example, create passwords so only those invited to the session can attend, and restrict who can share their screen or files with the rest of the attendees. More systems are setting strong security and privacy by default; however, there are still many systems with poor default settings that leave your data and accounts prime for breach, whether accidentally or maliciously.

“Do Your Part. #BeCyberSmart.”

It’s more than just a catchy theme for this year’s Cybersecurity Awareness Month campaign. Everyone has a responsibility to do their part in securing our interconnected world. The first full week of Cybersecurity Awareness Month will highlight best security practices and focus on general cyber hygiene to keep your information safe. Own your role in cybersecurity by starting with the basics. Creating strong, per-account unique passwords, using multi-factor authentication, using a password manager, backing up your data, being cautious about clicking links, and keeping your software up to date are great places to start.

For more information about Cybersecurity Awareness Month 2021 and how to participate in a wide variety of activities, visit staysafeonline.org/cybersecurity-awareness-month/. You can also follow and use the official hashtag #BeCyberSmart on social media throughout the month.

Additional Resources

Checklist: 4 Ways to Boost Application Security This Month

David Lindner, Chief Information Security Officer

David is an experienced application security professional with over 20 years in cybersecurity. In addition to serving as the chief information security officer, David leads the Contrast Labs team that is focused on analyzing threat intelligence to help enterprise clients develop more proactive approaches to their application security programs. Throughout his career, David has worked within multiple disciplines in the security field—from application development, to network architecture design and support, to IT security and consulting, to security training, to application security. Over the past decade, David has specialized in all things related to mobile applications and securing them. He has worked with many clients across industry sectors, including financial, government, automobile, healthcare, and retail. David is an active participant in numerous bug bounty programs.