10 Things Security Experts Wish End Users Knew

Abstract

Security is complicated, which has led to the many misconceptions and misunderstandings about security. By paying attention to these 10 concerns that security experts want you to know, you can gain knowledge and understanding about security and be securer both at work and in your personal life.

Sample

Security is an essential business operation more than ever before. However, without end users improving their knowledge base and behaviors, the technology that an organization deploys is insufficient. In this white paper, I discuss ten things that security experts wish end users knew. The more users understand about risk and consequence, the more likely they will adjust their behavior and assist with supporting security. These concepts are concerns that security experts want you to know.

Software Updates Should Be Installed Promptly

Later in this paper I mention the issue that new is not necessarily secure. However, that does not mean that new is less secure or that old is securer. Security experts want you to know that software updates should be installed promptly, but not blindly. Just because a vendor has released an update does not mean it should be taken as a sign to install the update instantaneously. The new code you would be adding to your system could be flawed or could cause unexpected results in your system that the vendor did not predict. Thus, under no circumstances should you install new updates before testing them and learning from others.

Always test new updates on dedicated test systems. Then, work through all major work tasks to ensure that the changes to the lab systems do not interfere. Next, review any comments, reviews, or feedback available about the update from others. You are unlikely the first person to consider installing a new update. Thus, learning from the experiences of others can save you from downtime and repair headaches. Once you are satisfied that an update is reasonably safe and appropriate to install, take one more precaution: back up your target systems. With a system backup, if the worst happens and the update process fails, the update corrupts your system, or new unforeseen consequences arise, you have a path to restore your environment back to a functional state.

To be even clearer, software updates should be installed promptly without skipping testing. In most cases, running the most current and complete set of code available will provide you with the most security form of the product. When updates are delayed or skipped, flaws will remain in your environment, which can be discovered and exploited by attackers.

Account Authentication Strength

A regular occurrence in technology news is a story about yet another person's account being hacked through the use of a password compromise attack. What is so frustrating about many of these stories is when the victim's password is revealed to be something short, simple, and easy to remember. What security experts want you to know is that a password can be made securer with just a few basic steps: 

1. Make your password longer. Fifteen characters is a reasonably secure length, assuming you follow other good password practices.

2. Never use a single character type. Use three or four character types: uppercase, lowercase, numbers, and when possible, symbols.

3. Do not reuse the same or a variation of a password. Ever. Not on the same site and not on different sites.

You can further improve your online password security through the use of a credential manager, such as LastPass, KeePass, 1Password, or Dashlane. These will enable you to generate random passwords with the maximum length allowed on each and every site, while securely storing those passwords for you.

It is also important to use the two-step or two-factor authentication offerings from an online site. A growing number of websites now support multi-step authentication. You should enable this feature. While it initially will be cumbersome, once you become familiar with the process, it will make your online account significantly securer.

Once you have secured your online accounts to stronger passwords and/or multi-factor authentication (where available), you can rest easier knowing that the media haranguing about another account compromise will be even less likely to actually affect you.