October is Cyber Security Awareness Month, and a good time for organizations and anyone who uses the Internet (yes, that means everyone) to review security best practices for a safer online experience. Based on the current state of the Internet, here are our best tips for a better online browsing experience, for website guardians and end users alike.
1. Trust only HTTPS
While a few years back it was still widely debated whether HTTPS was really needed, encryption certificates and HTTPS are far more widely adopted today, since certificates can now be obtained for free from providers like Let’s Encrypt. Even Google has gotten involved in HTTPS advocacy by flagging sites that are still HTTP-only as “Not Secure”, which can hurt the user experience and even affect your Google SEO ranking.
And we agree with Google on flagging unencrypted (plain HTTP) websites as insecure. Why? Without the “S”, everything exchanged between the website backend and the client is trivially readable by anyone sitting in the path of the traffic, which means that plain HTTP can expose a website’s users to a variety of attacks. This includes an attacker eavesdropping on traffic from the same network, or the user visiting a page that has been tampered with in transit. For example, if the user connects to a WiFi hotspot controlled by an attacker, that attacker has the opportunity to inject malicious code or modify the content the user sees on the website.
2. Double check the sender
Have you ever received an unusual email that’s made your blood pressure rise? Have you noticed weird transactions or activity on a personal account that’s prompted you to quickly log in to verify that everything is okay? These are some of the tactics that attackers use to get your attention and coerce you into clicking a convenient, yet cryptic looking, link, which leads you to fake login pages that are actually controlled by the attacker.
Phishing emails may look quite realistic, but there’s usually something off about them. For example, Apple would never send you an email from a domain called tepindaupmi[.]com.
Another tactic is email spoofing, which is made possible by misconfigured email servers in the wild. This means that attackers can forge the sender address, giving the phishing email even more legitimacy by making it appear to come from a trusted domain or a trusted person.
If you’re an administrator of an organization, it is highly encouraged to configure SPF, alongside DKIM and DMARC, to prevent your domain from being used as camouflage for phishing campaigns. We’ve previously covered this with some internal research on misconfigured email servers at top domains, and it’s still a relevant issue today.
It should also be noted that attackers have discovered that, in addition to phishing emails, people tend to be more susceptible to attacks delivered over unconventional mediums such as text messages, according to Verizon’s Data Breach Investigations Report.
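As an added illustration of the kind of check an administrator can run (example code written for this post, not a Detectify tool), the following Python reads SPF and DMARC TXT records and reports the weak settings that leave a domain open to spoofing. The records are constructed samples for example.com, and no DNS lookups are made.

```python
import re

# Constructed sample TXT records (no DNS lookups are made). In practice you
# would fetch the TXT records of example.com and _dmarc.example.com instead.
SPF_OPEN = "v=spf1 +all"                                         # anyone may send
SPF_SOFT = "v=spf1 include:_spf.example.net ~all"                # softfail only
SPF_GOOD = "v=spf1 ip4:192.0.2.10 include:_spf.example.net -all"
DMARC_MONITOR = "v=DMARC1; p=none; rua=mailto:dmarc@example.com"
DMARC_GOOD = "v=DMARC1; p=reject; rua=mailto:dmarc@example.com; adkim=s; aspf=s"

def _term_name(term: str) -> str:
    """'include:_spf.x' -> 'include', '-all' -> 'all', 'a/24' -> 'a'."""
    return re.split(r"[:=/]", term.lstrip("+-~?").lower(), maxsplit=1)[0]

def assess_spf(record: str) -> list[str]:
    """Return the weaknesses found in an SPF TXT record (empty list means OK)."""
    if not record.lower().startswith("v=spf1"):
        return ["not an SPF record"]
    terms = record.split()[1:]
    issues = []
    alls = [t for t in terms if _term_name(t) == "all"]
    if not alls:
        issues.append("no 'all' mechanism: unlisted senders get a neutral result")
    else:
        q = alls[-1][0] if alls[-1][0] in "+-~?" else "+"  # default qualifier is pass
        if q == "+":
            issues.append("'+all' lets any host on the Internet send as this domain")
        elif q in "?~":
            issues.append(f"'{q}all' is not a hard fail; spoofed mail may still be delivered")
    # RFC 7208 section 4.6.4: more than 10 DNS-querying terms is a permerror
    lookups = sum(_term_name(t) in {"include", "a", "mx", "exists", "redirect"} for t in terms)
    if lookups > 10:
        issues.append(f"{lookups} DNS-querying terms exceed the limit of 10")
    return issues

def assess_dmarc(record: str) -> list[str]:
    """Return the weaknesses found in a DMARC TXT record (empty list means OK)."""
    tags = {k.strip().lower(): v.strip() for k, v in
            (p.split("=", 1) for p in record.split(";") if "=" in p)}
    if tags.get("v", "").upper() != "DMARC1":
        return ["not a DMARC record"]
    issues = []
    policy = tags.get("p", "").lower()
    if policy not in ("none", "quarantine", "reject"):
        issues.append("missing or invalid 'p' tag")
    elif policy == "none":
        issues.append("p=none only monitors; spoofed mail is still delivered")
    if "rua" not in tags:
        issues.append("no rua= address, so you receive no aggregate reports")
    return issues
```

Only a hard-fail SPF (`-all`) combined with a DMARC policy of `quarantine` or `reject` actually stops forged mail; the other settings merely observe it.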
4. Keep passwords and secrets, secret
Passwords. No matter who you are, whether an internet-goer, a developer or an administrator, the storage and handling of passwords has been an issue ever since they were first introduced as a method of authentication.
So just to recap, a good password is one that is only known by you, is unique to each service, and is long enough to withstand a guessing or brute-forcing attack. Also, Multi-Factor Authentication (MFA) should be enabled whenever a service supports it.
For secrets such as API keys and tokens, secure storage becomes a little trickier, as they need to be available to the services and systems that use them. However, one definite no-go is storing them in the source code, since source code is often copied to less secure locations and can be compromised. Secrets should always be kept out of your version control.
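As an added example (not part of the original post or of any Detectify product), here is a small pre-commit style scanner in Python that flags lines which look like secrets before they reach version control. The sample lines, regexes and entropy threshold are constructed for illustration.

```python
import math
import re
from collections import Counter

# Constructed sample of lines a developer is about to commit (not a real file).
SAMPLE_LINES = [
    'DB_HOST = "db.internal.example"',
    'DB_PASSWORD = "hunter2"',
    'AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"',
    'session_cookie = "Zq3vB9xT2kL8mN4pR7sW1yD5gH0jF6cA"',
    '# see docs/setup.md for configuration',
    'description = "A short human readable label"',
    '-----BEGIN RSA PRIVATE KEY-----',
]

# Assignment of a quoted literal to a variable whose name suggests a secret.
SECRET_ASSIGNMENT = re.compile(
    r"""(?i)(password|passwd|secret|token|api_?key|access_key)\w*\s*[:=]\s*["'][^"']+["']""")
# Well-known fixed formats: AWS access key ids and PEM private key headers.
KNOWN_FORMATS = {
    "AWS access key id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "PEM private key": re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----"),
}
# Quoted literal of 20+ base64/hex-like characters, judged by its entropy.
OPAQUE_LITERAL = re.compile(r"""["']([A-Za-z0-9+/=_-]{20,})["']""")
ENTROPY_THRESHOLD = 4.5  # bits per character; random base64 scores about 5 to 6

def shannon_entropy(s: str) -> float:
    """Bits of entropy per character, estimated from character frequencies."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())

def scan_lines(lines: list[str]) -> list[tuple[int, str]]:
    """Return (1-based line number, reason) for every line that looks like a secret."""
    findings = []
    for no, line in enumerate(lines, start=1):
        if SECRET_ASSIGNMENT.search(line):
            findings.append((no, "secret-like variable assigned a literal value"))
        for label, pattern in KNOWN_FORMATS.items():
            if pattern.search(line):
                findings.append((no, label))
        m = OPAQUE_LITERAL.search(line)
        if m and shannon_entropy(m.group(1)) >= ENTROPY_THRESHOLD:
            findings.append((no, f"high-entropy literal ({shannon_entropy(m.group(1)):.2f} bits/char)"))
    return findings

if __name__ == "__main__":
    # A pre-commit hook would run this over the staged diff and exit non-zero on findings.
    for no, reason in scan_lines(SAMPLE_LINES):
        print(f"line {no}: {reason}")
```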
5. Always ask yourself – why?
Whenever you’re online, it is always good to take a breather and analyse the website you’re using and the message you received. If a message asks you to change your password, log in to the service in question by typing its URL into your browser manually rather than following the link.
Also, messages and content that make you feel you need to act fast can be a sign that something is wrong. Attackers want you to feel rushed, because that’s when you’re more prone to accidentally clicking links you shouldn’t open. So next time you’re about to click a link in an email, hover over it first to see where it really points, then type the address manually or find the site via search. It’s a bit more work, but it can save you from giving up your credentials.
And to continue in the spirit of Cybersecurity Awareness Month, share these tips with your colleagues, to encourage best security practices in the workplace and across the Internet in general.
Security Researcher, Detectify
Detectify is an automated web application scanner that checks your web apps for 1500+ known vulnerabilities. By collaborating with our community of ethical hackers, we’ve developed a test bed with vulnerabilities beyond the OWASP Top 10, including misconfigured SPF records and HTTPS implementation. Check the security status of your web apps with Detectify today. Get started with your 14-day free trial.