Letter from the CISO, Vol 1 Issue 10
Washington University Community:
This month I’m going to bore you with another really basic idea: that everyone needs to manage their devices.
I can almost hear you yawning when I write those words, but it’s essential and not quite as easy as you might think.
Step 1: Know What You Have
Nearly everyone now has many Internet-connected devices. We usually focus on PCs, Macs, iPhones, and Androids because that’s where the most significant risk to sensitive data is, and because we all depend on these devices every day.
But there are many other devices to worry about, such as your Smart-TV, your gaming system, the Alexa in your kitchen, your Apple, Amazon Fire, or Roku TV, not to mention your doorbell, security system, and baby monitor. Many cars now have a lot of software in them too.
I recommend making a little spreadsheet listing all these devices, with their models and serial numbers, and then printing it out and putting it in a safe place. If you’re ever robbed or lose a device, you know what’s missing for the police report and insurance claim.
Step 2: Manage Everything!
Last December, I recommended turning on automated software updates for everything on your PCs, Macs, iOS, and Android devices.
I recommend the same thing for all your other devices as well.
Most devices from reputable companies that can connect to the Internet can also be configured to automatically download and install updates to the software. I strongly encourage you to do so.
For those devices that don’t offer this, my first advice is to avoid purchasing them in the first place, because they are a giant PITA to keep secure. At the same time, they are probably the worst at security to begin with, the most in need of improvements, and the least likely to get them. In other words, spend the extra money needed to avoid the cheap, easily hackable devices.
If you don’t, you’re much more likely to have some stranger hack your baby monitor, see your children, and be able to speak to them. If you want to be terrified, google for “hacked baby monitor story.”
Step 3: Secure the Devices and Their Online Accounts
Many devices are remotely accessible in one way or another. To keep unauthorized people from accessing them, you may need to set a complex password or code on BOTH the device itself AND the online account that manages it. With devices from Apple, Google, and Amazon, you probably use your regular account for this, and as I wrote in my very first column last July, you absolutely must implement Multi-Factor Authentication (aka 2FA or 2-Step Verification) for these critical accounts.
You want to take the same precautions for other vendors, or your devices may be hacked and used to spy on you or to attack you in other ways.
Thank you for reading and being part of the university’s Information Security team!
Good luck and be careful out there!
-Chris Shull, CISO