Cyber Clean for Spring
April 14, 2022 • Carlos Kizzee, MS-ISAC Vice President, Stakeholder Engagement
For two years, you’ve accumulated digital clutter and technical debt at a rate previously considered impossible, at least pre-pandemic. The good news is that spring has sprung, and spring is the time when we all agree to pretend we enjoy cleaning. We power through, at least until there’s a clear path from our WFH desk to the fridge. And we feel a little better when we see the results. In that same spirit, let’s take a moment to clear a virtual path and shore up our digital defenses because winter is always around the corner.
Delete with a vengeance. Be brutal. Be the digital minimalist Marie Kondo would envy. Uninstall apps you don’t use, both on your phones and your computers. Delete files you no longer need. Wipe and securely dispose of electronic media and hard copies. Do you really need to keep those laserdiscs and floppies? Everything we retain has a chance of being lost or stolen. Every item carries a liability and weighs us down.
Reduce your attack surface. Removing unused software makes a dent. It also makes it easier for you to keep everything up to date (and you need to keep everything up to date). Now, let’s shift our focus to your accounts. Haven’t used a website in a year? Don’t just leave your account idle and your login credentials unnecessarily exposed. Close your account. Need help finding targets? Check your spam folder for all those privacy policy updates and Christmas in July promotions. Attackers can’t compromise accounts that don’t exist.
Review your records. Take a good look at your bank statements. This is the 21st century. There’s no need to shuffle through paper records if you don’t want to. Just pull out your phone and scroll. Hunt down the source of anything suspicious, and then do yourself the favor of identifying recurring services you can cancel to save some money too. For IT geeks, when was the last time you read through your systems’ logs? The concept is the same. Give ledgers and logs some love, and tidy up the things you find.
For the sake of all that is nerdy, turn on MFA! Look, we’re going to set the cleaning metaphor aside for a second because this is important. Multi-factor Authentication (MFA) is the annoyingly beneficial feature that prompts you for a single-use code when you log in. App-based is best, but text-based is better than nothing. Enable it everywhere you can. Demand it everywhere you can’t. Your password will be stolen or guessed; that’s a given. When that happens, MFA might be the thing that saves you.
Let your bad passwords enjoy their retirement. It’s time. Sure, ‘badger95’ has served you well since high school, but it’s time for you to thank it and send it on its way. Any password you use for more than one service needs to go. Ditto for any password shorter than eight characters. Use a unique password for every site. And use long passwords. If you need to remember it, use a phrase instead of a word. Better yet, use a password manager and let it invent and remember strong passwords for you.
Google yourself and censor your social media. PR is not just for celebrities. Do a search to see what others find when they look you up. Click into the privacy section of your accounts on Facebook, Twitter, Instagram, Snapchat, and other apps. Turn off anything that feels creepy. Want to achieve real enlightenment? Try the “download my data” feature to see just what tech companies know about you. Oh, and keep calm.
E-liminate your e-waste. Everything eventually falls apart. Or it grows obsolete. If you’re stepping over piles of iMacs and BlackBerrys, you know the pain. Stop procrastinating. Is there a school or shelter nearby that could benefit from a donation? Look into trade-in programs your vendors offer when you upgrade. Find a local electronics recycler. The dumpster should be your last resort. And don’t forget to wipe and, if needed, physically obliterate your storage devices like hard drives. A good recycler will even handle that for you and give you a certificate of destruction. Remember, NIST SP 800-88 R1 is your friend. Don’t know where to go to get rid of your old electronics? Here you can locate a recycling facility in your area.
Purge but verify. As we lay waste to our waste, a reasonable person could be forgiven for lying awake at night, wondering whether they’ve trashed something they’ll actually need. You’re right to worry. The antidote is backups. But backups are useless. Or at least they’re useless if they aren’t tested. Backing up is easy. Ensuring restores will work and include everything you need is tough. Backups are likewise worthless if you can’t get to them in an emergency or if they’re not isolated and ransomware encrypts them. Do backups, test restores, and practice your recovery procedures so that your first attempt will happen during calm, daylight hours and not at 2 a.m. in the midst of a real-world disaster.
Finally, be ruthless. Getting your analog and digital lives in order does more than improve your state of mind. It pushes back against the creeping fallout from our hectic daily routines. It eliminates dangers we might otherwise miss, dangers that can lead to compromise. Breaches are seldom the result of a single vulnerability. They arise from cascading failures. They represent a fallen house of cards. Get your house in order. Refuse to abide a mess. Protect yourself and your organization so you can rest easy!
The information provided in the MS-ISAC Monthly Cybersecurity Tips Newsletter is intended to increase the security awareness of an organization's end users and to help them behave in a more secure manner within their work environment. While some of the tips may relate to maintaining a home computer, the increased awareness is intended to help improve the organization's overall cyber security posture. This is especially critical if employees access their work network from their home computer. Organizations have permission and are encouraged to brand and redistribute this newsletter in whole for educational, non-commercial purposes.
Disclaimer: These links are provided because they have information that may be useful. The Center for Internet Security (CIS) does not warrant the accuracy of any information contained in the links and neither endorses nor intends to promote the advertising of the resources listed herein. The opinions and statements contained in such resources are those of the author(s) and do not necessarily represent the opinions of CIS.
The views, information, or opinions expressed in this article are solely those of the author and do not necessarily represent the views of Citizens State Bank and its affiliates, and Citizens State Bank is not responsible for and does not verify the accuracy of any information contained in this article or items hyperlinked within. This is for informational purposes and is in no way intended to provide legal advice.