Oct 2, 2023

A CISO Explains 4 Steps that Make it Easy to Stay Safe Online

By Sohail Iqbal

To secure our world, Cybersecurity Awareness Month encourages four steps that make it easy to stay safe online. As a CISO, my team and I advocate for these practices constantly within our organization. If you are a security practitioner looking to bolster cybersecurity awareness, here’s a brief look at how we explain these steps to help make staying safe online easier. 

Before we dive in, making cybersecurity practices relatable and clear is key to adoption at any organization. Consider the recent disclosure of a new vulnerability affecting web applications. This is the type of real-life scenario that can be used to make the following information more relatable. New vulnerabilities like this one are what make the first step so important.

Software Updates – The Why & How 

Software updates are essential for keeping your computer secure and up to date. They can fix bugs, improve performance, add new features, and make your software compatible with new hardware and software.

Why are software updates important?  

  • Security: Software updates often fix security vulnerabilities that could be exploited by attackers. By installing updates as soon as they are available, you can help to protect your computer from malware and other attacks.  

  • Performance: Software updates can also improve the performance of your computer. This is because they can fix bugs and optimize the code.  

  • Features: Software updates can also add new features and functionality to your software. This can make your software more useful and efficient.  

  • Compatibility: Software updates can also make your software compatible with new hardware and software. This can help to ensure that your software continues to work properly as you upgrade your computer.  

How to install software updates: 

  • Most software will automatically notify you when there is an update available. You can also manually check for updates by going to the software's website or opening the software and checking for updates.  

  • Once you have found an update, you can install it by following the instructions on the software's website or in the software itself.  

How to avoid problems with software updates: 

  • Make sure you have enough disk space. Software updates can take up a significant amount of disk space, so make sure you have enough space available before you install an update.  

  • Back up your data before you install an update. This is a good practice in general, but it is especially important before you install a software update. This way, if something goes wrong, you can restore your data from the backup.  

  • Read the release notes before you install an update. The release notes will tell you what the update does and if there are any known issues.  

  • Install updates one at a time. This will help you to troubleshoot any problems that may occur. 

Passwords – Why They Matter and How to Choose One  

A password is a secret combination of characters that is used to authenticate a user or process. It is typically used in conjunction with a username to gain access to a computer system, application, or website. Passwords can vary in length and can contain letters, numbers, and special characters. The strength of a password matters because it protects both your important information and ours.

How to create a strong password:  

  • Use a different password for each account. This will make it more difficult for an attacker to gain access to all of your accounts if one of your passwords is compromised.  

  • Avoid using personal information in your passwords. This includes your name, birthday, address, and other easily guessed information.  

  • Make your passwords at least 12 characters long. The longer the password, the harder it is to guess.  

  • Use a mix of uppercase and lowercase letters, numbers, and symbols in your passwords. This will make them even more difficult to guess.  

  • Do not reuse old passwords. Once you change a password, do not use it again for another account.  

  • Keep your passwords up to date. If you become aware of a data breach that affects one of your accounts, change your password immediately. 

There are many great tools to help create and check strong passwords. “How Secure Is My Password?” from Security.org estimates how long it would take a computer to crack a password. See how yours rates, but test a password of the same length and structure rather than the one you actually use, since a real password should never be typed into a third-party site. Security.org also has a Password Generator you can use if you need help generating a new password.

Multifactor Authentication – The Importance and Benefits 

Multifactor Authentication (MFA) is a security process that requires users to provide two or more pieces of evidence to verify their identity before being granted access to a system or application. What used to be a single password or passphrase is now more: you have to perform an action or know a code before you gain access. This makes it much more difficult for cybercriminals to gain unauthorized access, even if they have stolen your password.

There are many ways to implement MFA. The potential factors of MFA are:  

  • Something you know: This could be a password, passphrase, or PIN.  

  • Something you have: This could be a security token, smartphone, or other device that generates a one-time code.  

  • Something you are: This could be a fingerprint, facial scan, or other biometric identifier.  

The benefits to MFA:  

  • It can help to prevent unauthorized access to systems and data.  

  • It can reduce the risk of phishing attacks and other social engineering attacks.  

  • MFA is no longer just a “nice to have”; it is increasingly a requirement. It can help to meet compliance requirements, such as those imposed by GDPR and HIPAA.  

  • It can increase your security posture to be more robust and defendable.  

Here are some tips for using MFA effectively:  

  • Choose a strong password or passphrase for your MFA device.  

  • Keep your MFA device secure and don't share it with anyone.  

  • Be aware of phishing attacks and other social engineering attacks.  

  • Keep your MFA software up to date. 

While your organization may have implemented MFA, did you know you can enable it for your personal accounts, too? Many social media sites, banks, and other sites you frequent most likely offer MFA options.

How Phishing Works & How to Prevent It 

Here’s a graphic displaying how phishing works; we'll dive deeper below.

[Graphic: how phishing works]

What is phishing? Phishing is when attackers send malicious emails designed to trick their recipients into falling for a scam.  

What are the goals of phishing? The goals are typically to reap financial gain by stealing credentials or other sensitive information.  

How to recognize phishing:   

  1. Attention-grabbing statements  

  2. Instilling a sense of urgency or use of threats  

  3. Inconsistencies in email addresses, links & domain names  

  4. Unusual content or requests – these often involve a transfer of funds or requests for login credentials and/or personal information  

  5. Conversation was not initiated by the recipient  

  6. Odd tone and/or spelling and grammar errors  

  7. Offers of free gifts or being told you’ve won something 

How to prevent phishing attacks:   

  1. Take your training seriously and complete it on time.  

  2. Visit the source directly rather than clicking a link in an email.  

  3. Don’t ignore your own good instincts! Regardless of who it’s from, if anything seems off… don’t open it!  

  4. If you see an attachment or request in an email you weren't expecting or that doesn't make sense, don't open it!  

  5. Pay attention to safe browsing warnings from your browser of choice.  

  6. Change passwords regularly, meet complexity requirements, and never use the same password for multiple accounts.   

  7. Hover over links to reveal the actual URL you will be sent to, and compare it with what the link text claims. Look for “https”, keeping in mind that https only means the connection is encrypted, not that the site is legitimate.   

  8. See #1! 
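As an added example, not code from the original post, the following Python checks a message for several of the indicators listed above: a sender display name that shows a different address than the real sender, link text whose domain differs from the real destination (the hover check), links that are not https, and urgency or threat phrases. The sample sender, body and phrase list are constructed for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse
URGENCY = ("immediately", "urgent", "within 24 hours", "will be suspended", "act now")  # constructed list

class _Links(HTMLParser):
    """Collect (visible text, href) pairs: what the reader sees vs. what hovering reveals."""
    def __init__(self):
        super().__init__()
        self.pairs, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.pairs.append(("".join(self._text).strip(), self._href))
            self._href = None

def domain_of(value):
    """Lowercased host of a URL, e-mail address or bare host ('' if none)."""
    value = value.strip().lower()
    if "@" in value and "://" not in value:
        value = value.rsplit("@", 1)[1]
    return urlparse(value if "://" in value else "//" + value).hostname or ""

def phishing_indicators(from_header, body_html):
    """Return the indicators found, each named after a point in the post."""
    found = []
    m = re.match(r'\s*"?(.*?)"?\s*<([^>]+)>\s*$', from_header)
    display, addr = (m.group(1), m.group(2)) if m else ("", from_header)
    if "@" in display and domain_of(display) != domain_of(addr):  # name shows another address
        found.append("sender display name does not match sender address")
    parser = _Links()
    parser.feed(body_html)
    for text, href in parser.pairs:  # the hover check: displayed destination vs. real one
        if domain_of(href) and "." in text and domain_of(text) != domain_of(href):
            found.append(f"link text '{text}' actually points to {domain_of(href)}")
        if urlparse(href).scheme == "http":
            found.append(f"link to {domain_of(href)} is not https")
    plain = re.sub(r"<[^>]+>", " ", body_html).lower()
    found += [f"urgency phrase: '{p}'" for p in URGENCY if p in plain]
    return found

# Constructed sample message (not a real e-mail) showing several indicators at once
SAMPLE_FROM = '"security@bank.example" <alerts@bank-login.example>'
SAMPLE_BODY = ('<p>Your account will be suspended unless you verify immediately: '
               '<a href="http://bank-login.example/verify">https://bank.example/login</a></p>')
```

Running `phishing_indicators(SAMPLE_FROM, SAMPLE_BODY)` on the constructed sample reports five indicators; a message whose link text, link target and sender domain all agree over https reports none.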

What to do when you fall victim to a phishing email, or find an email suspicious, will depend on your organization. Keep the contacts you should turn to in either event readily available. 

Go Deeper by Following Along on LinkedIn 

There’s definitely more to be said on all these topics. Be sure you’re following us on LinkedIn, as we’ll be going into these topics in more depth throughout Cybersecurity Awareness Month. Bring your questions and comments! 


Sohail Iqbal is Veracode's Chief Information Security Officer. He has been instrumental in developing and maturing security practices as Head of Cybersecurity Operations at Dow Jones / WSJ, CISO at J2 Global, and recently Head of Information Security at CarGurus. Sohail is an active member of many security conferences and seminars, and contributes frequently to the cybersecurity community. Sohail is also an avid cricketer and has been playing for the Cricket League of NJ for the past 20 years.