Welcome to the KuppingerCole Analyst Chat. I'm your host. My name is Matthias Reinwarth. I'm an advisor and analyst with KuppingerCole Analysts. My guest today is John Tolbert. He is the research director for cybersecurity here at KuppingerCole Analysts. Hi, John. Good to have you.
Hi, Matthias. Good to be on here with you again.
Great to have you and having the Research Director of cybersecurity. This time I want to use you for something slightly different, although it's cybersecurity. Recently I had an episode together with Christopher Schütze and we talked about cyber hygiene in terms of what should organizations do, what should organizations tell their employees how to deal with cybersecurity and how to deal with sophisticated attacks. Now I want to use your expertise John to look into what everybody can do, not only the corporate user, but everybody who is today using the internet, their computers, communication devices at a large scale. And they are threatened. They are under attack all the time as well. So this time we want to talk about cyber hygiene for everybody. So I think this is really something that translates directly from your research as well.
Yes, I think it's a great idea to talk about, you know, personal cyber hygiene because it's not just going to help individuals, but individuals are the ones who are targeted for cyber attacks against their workplaces. So improving cyber hygiene, for one, improves it for all. So yeah, let's just start off. A few recommendations. Let's look at the device side first. Years ago we called it anti-virus. These days we call it endpoint protection. Whatever you want to call it, you need something on your device to prevent malware. And by malware we mean programs that you didn't want to run. Things like ransomware have been in the news a lot the last few years and it's a very serious threat. But so are things like what we call infostealers. You know, they may be keyloggers or rootkits that get on a device and steal your usernames and passwords. So at a very minimum, I think if you have a Windows PC, make sure you've got Defender turned on. There are third party anti-virus and anti-malware programs out there that have other benefits. So you may want to check into those. This also applies to your mobiles, especially Android. Androids have a significant amount of malware that's been written for them. So definitely have some sort of anti-malware solution for your Android devices. Then we still recommend anti-malware for Mac. I mean, there's not as much malware available for Mac, fortunately. But if the market share goes up, then expect to see more malware for Macs. And they can be infected. You're out there on the web. There are ways to infect Macs. So I highly recommend using an anti-malware product for Macintosh.
Right, and I think an important aspect also is you are always communicating with people who do not have a Mac. So you might be just the transfer station of malware that passes via mail through your own box. And finding that and protecting third parties as well is important. So there are antivirus kits that also look for Windows threats on a Mac. So this is, I think, also an important part.
Yeah, absolutely.
More recommendations regarding device?
Sure, you should really only download apps from good app stores. There's code signing these days. And yes, code signing has been sort of a vector of attack too. But I think you can reduce the risk but not totally eliminate it if you only download applications from trustworthy sources. And even when you do download something, again, going back to your anti-malware, go ahead and scan it. I mean, theoretically, many of these anti-malware programs are looking at what you're looking at in the browser and scanning it before it hits your own file system. But by all means, go ahead and give it another scan if you're not sure that it has or not. And again, nothing is 100%, but it's certainly better to take that little precaution than not. And especially if you're getting a program that is not from an app store or maybe you get a pop-up that says in the Mac environment that the encoder wasn't recognized. If you're gonna take that risk, then by all means, do whatever you can to mitigate the risk by doing some scanning. You know, when you're looking for an anti-malware solution for personal use, I would say look for those that are out there scanning the web that like when you do a search and you come up with a list of search results, many of them will go out and use the URL reputation information to either put a green check mark beside it, or not, so that you have a way to at least be alerted to the fact that a site you might click on could be dangerous. There are some with ad block and anti-tracking capabilities. Definitely recommend looking for that for privacy concerns. Depending on what browsers you're using, you'll want to make sure that whatever you've got will work within that browser. And then three other quick features to mention are System File Integrity Monitoring, that's your anti-malware, your endpoint security solution should be always monitoring your core operating system files to make sure that there aren't changes that are unauthorized.
It should have an endpoint firewall, which is really useful when you're in a public place to protect your computer from being hit from other computers, maybe on a public Wi-Fi. We'll get to that one in a minute. Maybe you shouldn't use public Wi-Fi. And then lastly, email inbox scanning. Make sure that you have an anti-malware program that can check out those emails to help reduce the risk of phishing.
True. Right, right. And I think we talk on our audience, typically are cybersecurity professionals or at least IT professionals and we're really in the business. So maybe it's also our challenge to support our partners, our kids, our friends with expertise and just to tell them the most important basic stuff. I think this basic stuff, this starts actually with basics on your own device, right?
Yep, try to keep your device as clean as possible.
Right, and up to date?
Up to date. Yeah, that's another one. I mean, so many exploits depend on vulnerabilities that the operating system manufacturers do fix. So you will notice, oftentimes on Tuesdays there are patches available. Don't delay. Take those updates as quickly as possible because you're protecting yourself from vulnerabilities that have been discovered. So the sooner you can get that update in place, the more protected you are.
And the part I think keeping the device clean, keeping it up to date, that are really the fundamentals. And if there is a setting on your device, and there should be, that says auto update, so really install the updates when they are around, then usually I know it, I'm a Mac user, I'm an iPhone user, I know that these systems try to install the updates the next night automatically when you're asleep and the device is not asleep. That would be a good starting point to just switch on these auto updates. And the same is true, of course, for all the security software you have installed to auto update that as well whenever that is necessary. Of course, we do not want to spoil the usability of a device, but nevertheless, there are more recommendations that can really help you protect your device, your identity, your personal data, and your behavior on the web.
Yeah, I mean, I think that's why it starts with device security, or at least that's one place you can start. You can also look at using encryption. You can do full disk encryption on devices. You can do encryption of files that maybe you share. So if you're using, say, a cloud repository, always use encryption pretty much wherever you possibly can to prevent unauthorized access.
Right. Any other recommendations that you would which are easy to implement but have a huge impact when it comes to usability plus security?
Easy to implement. Well, there's one that doesn't necessarily make it easier, but it certainly protects you. That's using a regular user account on your PC or Mac. Don't do day-to-day business in administrator mode. That can sometimes impact your usability if you install a lot of programs or something. But it definitely minimizes the privileges in case you do get malware, it certainly would be better for the logged in user to not have excessive privileges. So, you know, the rule of thumb is log in with a regular user account and only use admin when you need to install software or do some other sort of administration on your own machine.
Right, you've mentioned the untrusted networks, you've mentioned the hotel network, the public networks that are all around there, and you already hinted at not using them. So what are your recommendations from a cybersecurity pro perspective?
Thank you. Yeah, you know, we've been saying that for several years now. Public Wi-Fi can be a big convenience, but you know, it also comes with risks. There are man-in-the-middle attacks that happen quite frequently, people trying to generally steal username passwords for credit cards and other financial purposes. So generally, we say, if you're using a modern phone and your telco plan allows it, you have a personal hotspot feature, or I think in the olden days, at least Android called it like tethering. Use that. Connect your PC or your Mac or your tablet to your phone and use that. I think there's definitely, there's still risks everywhere you go, but that certainly helps minimize it. And then there's VPN. VPN can be a performance hit a little bit. Many VPN plans cost depending on the amount of data transferred. The pros for that is, yeah, it's going to hide your IP. And it'll even, in most cases, give you an opportunity to say where you want to come out, appears if you're coming from Austria instead of Germany or something like that. But another downside to that is a lot of sites, a lot of CDNs can detect where you're coming from and the fact that you are coming through a VPN and sometimes depending on the site, maybe they've set policies and say, we don't want to let in VPN users. So you may find, you know, some drawbacks to using VPNs, but you know, in certain situations, again, like if you have to use public Wi-Fi, then I think VPN would be recommended.
Yeah, absolutely. I think although the topic for today is cybersecurity, I'm really I'm a privacy advocate and I think VPNs can also really contribute to protecting your personal data, especially in specific situations. We don't have to necessarily talk about countries where press freedom or freedom of press is not that well maintained. Then it can help just to ensure and secure your communication as well. So it's not only security, but it's privacy and confidentiality of your communication. I think VPNs can really help there with all the drawbacks that you've mentioned, but well used, can really benefit a lot. And when the audience is wondering, they are still at the device level, there is so much more to cover. There will be more episodes on that topic. We want to focus on the device for today. But I think this personal cyber hygiene topic will be with us also in the next year when we continue with that. But we're not yet through. What else would you recommend to protect the security, the availability, the privacy of your own device?
Well, just want to follow up on that last excellent point you made about it's also safety. Using a VPN can protect you in specific cases if you do happen to find yourself in a place where privacy isn't protected. So it's also a safety issue. So that was a really good point, Matthias. On the device side, a lot of telcos or your mobile network operators also provide some basic security features that either you just need to enable or you might need to configure, but highly recommend those. Some of those are preventing spam calls. It works a good deal of the time in my own experience, but sometimes we get calls that sort of break through whatever spam filter they have. But even then, if you look at the number, you will see sometimes very generic information associated with the number and I think that's an indicator that it's not a legitimate number. It's somebody spoofing a local phone number to try to get your attention. Telcos can also help prevent spam texts. On iPhone, I think you could go in and say filter unknown senders. And then also just don't respond to a message that you don't recognize because people who have fallen victim to things like what we call pig butchering scams, a lot of that arrives by SMS. And it's somebody purporting to be friendly. You wind up responding to them. They respond to you. And it's better if you don't recognize it, delete it, it as spam or whatever your mobile network operator's options are. But if you don't recognize it, don't answer it. And then lastly, your telco will also sometimes tell you if you are in a public place, whether or not the Wi-Fi is safe according to their intelligence. So certainly if your telco is telling you that the Wi-Fi is unsafe, don't connect to it. Even with VPN, I would not connect to one that I had been warned against.
Exactly. And I think one other aspect that is really of importance, although many people are missing that point, is a short story. Everybody knows I'm a bit older, so I'm using IT for some years now. And while in the last five years or so, I had lots of my old hard disks dying away. So they were there for backup reasons, they were there for storage reasons but with the rise of the cloud, they were not that important anymore. There were backups and I of course use time machine on my Mac. But all these disks are dying, but that does not render backup unimportant, right?
Backups are definitely important. Yeah, I think a lot of people these days default to using the cloud because your operating systems and your applications will default to using the cloud. And that's because in large part, they're going to charge you something for the service, which makes sense. But that makes it easy. It's easy to backup. It's easy to restore if you have to. But if you're running around with a lot of data, maybe you're a photographer and you've got many, many gigabytes or terabytes even of photos, then yeah, it can get costly for a per monthly fee. But there are still your own hard drives that you can buy. I mean, their prices on like four terabyte drives are really cheap. And with the latest connectors, you can connect that to your Mac or PC and do the backups once a week or something for a pretty reasonable price. And then you have total control over it if you're not all interested in sharing it with the cloud.
Exactly. And you've mentioned encryption for backups, of course, as well. So encrypted backups, so if somebody steals your hard drive, this is also not something that you really want when the data is then openly available on the disk just by plugging it in or mounting it. Which brings us to physical your device from improper access also is device security, right?
Yeah, and that's an important one that we shouldn't overlook. I mean, there have been many documented cases of attacks in places like airports, train stations, restaurants, wherever you happen to go. Let's say it's after work, you've got your laptop in a backpack and you stop at a cafe. Just don't leave it unattended, just like they tell you in the airport announcements, don't leave your baggage unattended. Always know where it's at. Keep an eye on it. You know, you can use tracking features, not that we're promoting Apple products, but the Find My works really well. There are other things that are available for Windows and Android. So certainly those are things that you may want to consider enabling. And then also, again, if you're in an airport or a train station, you notice your phone's low on battery. You may be tempted to stick it into one of those little USB charger things that are around. There have been cases where those have been compromised too and they can be a way for bad actors to get malware onto your devices. If you do need to charge up in public, it's better to take a physical plug that has a USB connector and charge directly from an electrical outlet.
Right. And I think you've mentioned that for leaving your luggage not unattended. But I had the same story. Even those old school people that use paper-based notebooks, they should be protected as well. That's part of that. That's a device as well. And it's difficult to encrypt. So it happened to me as well. So not that I lost something, but I found something. And just to open it and to realize, my God, I should really not read that and to return it to somebody who can take care of it in the train. So that is really of importance. And even paperwork needs to be protected as well, or just don't use paper, really use the electronic device. This has encryption or this has an account to log into, so it's not openly available. So really, really would prefer digital media over paper, although I understand the charm of paper to work with. Any other physical security requirements that you can come up with before we close the device theme and this episode?
Yeah, one last thing I'll say, let's talk about IoT devices, your smart home devices, your home automation, electronics, things that you buy. Many things these days have a network card, network connectivity. There are features that you can enable maybe if you register with the site. So anytime you bring in a new device that has, let's say, some sort of electronic controls capability that you can connect to a consumer account, then change whatever the default password is. And depending on what kind of a device it is, I mean, a lot of people use cameras at home these days. I mean, you know, the outside cameras or even inside cameras, this takes a little extra advanced work, but go into your home router, set up firewall routing rules to make sure that bad guys can't get access to cameras for example, or you can also turn them off or unplug them when you're at home. And then update firmware, just like your computer devices have firmware and they occasionally discover vulnerabilities and the manufacturers will make firmware updates available. Often they're not automatic. So you have to kind of go out and search for that. Again, that's where having an account with whoever the manufacturer is, then you log into that account. It might say, we've got new firmware available. Do you want to? When those opportunities arise, I would say, yes, please keep your IoT devices, whatever kind they are, whether they're smart home or home automation, as up to date as possible.
Right, and if you don't trust me and if you don't trust John, just do a quick search on Google for compromised surveillance camera. This will convince you that you should do that. Change the passwords, do the updates, do not use default passwords, and maybe put them into protected network segments where they are just not accessible for anybody except for yourself. So that is really an important part. Any final words regarding device security? We will continue that, as I said, but anything else that really is something that you can translate from your professional experience as a cybersecurity analyst and researcher to personal life?
Just, you know, try to put these into practice. I try to do these things. Yeah, sometimes like convenience will get in the way of it, but in general, we should always try to maintain as secure digital life as possible. But yeah, I mean, I would encourage anybody who's watching, if you've got a story, if you have anything you want to share about that, or if we missed anything, certainly feel free to write back and give us your tips too.
Exactly. So we are also relying on that feedback and mentioning feedback. If you like that video, if you like this some kind different, some different kind of video that we just did with more focus on your personal life, but really leveraging the expertise of cybersecurity professionals, please let us know. Leave your comment on YouTube in the comments segment. We really read that and we want to use that for improving, for getting better, for covering topics that are of interest to you. If you're watching that somewhere else or if you're listening to that on your favorite podcast platform, just drop us a mail. We are easy to find at kuppingercole.com and I'm happy to react to your feedback. So John, thank you very much for doing this, some kind of different episode, but I think it's really of importance and we will continue that with other aspects. This was just the device. There's so much more. There's passwords, there is the network, there's the internet, there's protection from malware. This not only on the device level, but really on a user behavior level. And it's about user behavior, how you can really add practices to your personal behavior that help you prevent breaches and security incidents. I think that's an important part as well. As I said, thank you very much, John. This will be the second last episode for 2024. And we will go into a brief hiatus. This podcast will not go away, but it will come back by early March after Christmas, after the new year, and with a brief pause. And then we will be back at the first of March, third of March. I don't know, the Monday. We will be back and then we will follow up with this next episode on that as well with John again. Yeah, thanks again, John, for being my guest today.
Thank you.
See you and bye bye.