Letter from the CISO, Vol 1 Issue 9
Washington University Community:
This month I’d like to warn you about dangerous applications and Internet services, and four things you can do to avoid problems.
Many experts focus on iPhone/iPad/iOS and Android devices, but PCs and Macs are also vulnerable to malicious applications, so I’ll speak about them too.
Isn’t there an app for that?
So many problems can be solved with an app that the phrase “isn’t there an app for that?” seems universally rhetorical. But not all apps, creators, and publishers are equally trustworthy. Malicious actors routinely publish apps designed to steal your personal information, track you, barrage you with advertisements, or steal your money.
Rule One: Only use trusted App Store sources for applications
One of the best defenses against malicious applications is downloading apps only from trusted sources like WashU, Microsoft, Apple, and Google. For iOS devices, Apple’s App Store provides a high degree of due diligence that usually blocks offerings of malicious software. For Android devices, Google’s Play Store provides a comparable service. If you stick to these trusted sources, you’re much, much safer.
The U.S. Federal Trade Commission offers further guidance on protecting your privacy in apps at https://www.consumer.ftc.gov/articles/how-protect-your-privacy-apps.
Rule Two: Don’t sideload applications on Android devices
Android users have a fairly straightforward option of “sideloading” applications onto their Android devices from sources other than the Google Play Store. This can be very useful in some circumstances, but it is also very dangerous. Only the most skilled and knowledgeable technical experts should consider this, and then only in very limited cases.
Rule Three: Don’t “jailbreak” or “root” your device
iOS devices are normally configured to allow downloads ONLY from trusted sources, which some people refer to as being “in a walled garden,” while others feel this is more of a prison.
Android devices typically allow downloads from multiple stores, but Google’s Play Store is the “safe” choice.
Some people “jailbreak” or “root” their device to escape the “walled garden” or “get more” out of their phone. While you may enjoy some features of applications that require these elevated permissions, there is a very real danger that these additional permissions are abused by the software to your detriment – emptying your bank account, stealing your information, etc.
Therefore, the best practice is NOT to jailbreak or root your device.
Rule Four: Don’t use or share administrator accounts on PCs or Macs
For Windows and macOS devices, there is a similar but inverted danger – namely, you may already be running as “root” or “administrator” without even knowing or thinking about it. Running your device from an administrator account provides the convenience of completing systems-administrator tasks without extra steps but poses the danger of having malware do similar tasks without your permission.
The best practice within professional Information Technology organizations is to make sure systems administrators have separate accounts for their sysadmin work and their “normal” everyday work.
It is easy to follow the same precaution on your personal computer by creating a separate user account for the admin work and then removing administrative permissions from your everyday account. The result is a lower risk of running malware as an administrator. The cost is that to install new software, you generally have to log in as the administrator.
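For Windows users who want to see the precaution above carried out, here is an added example (not from this letter): a PowerShell script that checks whether the account you use every day is a local administrator, creates a dedicated admin account, and only then removes admin rights from the everyday account. It assumes Windows 10/11 with the built-in LocalAccounts cmdlets, local (not domain) accounts, and an elevated session; the account names are placeholders.

```powershell
# Added example, not the letter's own material. Assumes Windows 10/11, local accounts,
# and an elevated PowerShell session (Get-/New-/Add-/Remove-Local* cmdlets are built in).

function Test-AccountIsLocalAdmin {
    # True if the named local account is a direct member of the Administrators group.
    # (Membership inherited through nested groups is not checked.)
    param([string] $User = $env:USERNAME)
    $members = Get-LocalGroupMember -Group 'Administrators' |
        ForEach-Object { $_.Name.Split('\')[-1] }
    return [bool]($members -contains $User)
}

function Split-AdminFromEverydayAccount {
    # Create a separate admin account first, then drop the everyday account to a
    # standard user. Order matters: removing admin rights before a working admin
    # account exists would lock you out of future admin tasks.
    param(
        [Parameter(Mandatory)] [string]       $EverydayUser,   # account used day to day
        [Parameter(Mandatory)] [string]       $AdminUser,      # new account reserved for admin work
        [Parameter(Mandatory)] [securestring] $AdminPassword
    )
    if (-not (Get-LocalUser -Name $AdminUser -ErrorAction SilentlyContinue)) {
        New-LocalUser -Name $AdminUser -Password $AdminPassword | Out-Null
    }
    Add-LocalGroupMember -Group 'Administrators' -Member $AdminUser -ErrorAction SilentlyContinue

    if (Test-AccountIsLocalAdmin -User $AdminUser) {
        Remove-LocalGroupMember -Group 'Administrators' -Member $EverydayUser -ErrorAction SilentlyContinue
        Add-LocalGroupMember    -Group 'Users'          -Member $EverydayUser -ErrorAction SilentlyContinue
        Write-Host "$EverydayUser is now a standard user; use $AdminUser for installs and admin work."
    } else {
        Write-Warning "Admin account $AdminUser was not created; everyday account left unchanged."
    }
}

# Report the current state before changing anything.
if (Test-AccountIsLocalAdmin) {
    Write-Host "$env:USERNAME is a local administrator (everyday use at elevated risk)."
} else {
    Write-Host "$env:USERNAME is a standard user."
}
Get-LocalGroupMember -Group 'Administrators' | Select-Object Name, PrincipalSource

# To carry out the change (placeholder names; you will be prompted for the new password):
# Split-AdminFromEverydayAccount -EverydayUser 'alice' -AdminUser 'alice-admin' `
#     -AdminPassword (Read-Host -AsSecureString 'New admin password')
```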
Is it worth the effort, and what about the kids?
Many people don’t find the risk reduction worth the inconvenience, but if you have a family PC or Mac that your children use, I strongly recommend giving them non-administrator accounts, at least until they are old enough to take over the full systems administrator responsibilities, usually somewhere between the age of 10 and 30.
My mantra of Keeping Information Security Simple (KISS) is all about making Information Security understandable and doable for everyone. Toward that end, I’ve written about:
- Multi-Factor Authentication jargon (passphrases & password managers) – July 2021
- Being Skeptical and a Little Paranoid – August 2021
- Physical Security Comes First – September 2021
- Backing up Important Files – October 2021
- Recovering your lost device – November 2021
- Enabling automatic updates for everything – December 2021
- Free isn’t Free – January 2021
Please check them out if you missed them.
Thank you for reading and being part of the University’s Information Security team!
Good luck and be careful out there!
-Chris Shull, CISO