
25 Cyber Security Experts reveal the most common security mistakes people make

Online security has become a hot topic in today’s world. Cyber attacks have been growing lately and cyber security has become a top priority. Information and identity thefts can be catastrophic and the damage they cause can have long lasting effects.

Most successful businesses have an online presence. However, they do not give cyber security the attention it requires, leaving security holes that cyber criminals are quick to exploit. Small mistakes such as using the same password everywhere or not updating software can lead to serious security incidents.

So what are the most common mistakes people make regarding their online security?

Let us see what some of the top cyber security experts have to say and what practical tips they have to offer to protect your online business:

Tony Anscombe, senior security evangelist at AVG Technologies

Tony says that when it comes to online security “our mindset as consumers is our biggest downfall.” In spite of the increasing number of big business breaches and compromised consumer data in recent times, many of us think “it won’t happen to me” and neglect to change our passwords.

Take, for example, the Heartbleed bug disclosed in April 2014, which affected thousands of websites and put users’ sensitive personal data, such as usernames, passwords and credit card information, at risk.

According to Tony, “Many of us still use the same passwords across different services, even cycling through the same passwords over time.” Recent hacks have revealed that a majority of people still use common and easily guessable passwords like ‘123456’, ‘123456789’ and ‘password’. Users should move away from traditional passwords and use a more sophisticated set of characters.

“If you’re worried about forgetting longer passwords, using something personal to you as the basis for your passphrase can still create enough complexity to make it a lot harder to crack – for example, Neil!luvs2jog, a mix of characters, symbols and numbers in upper and lower case, yet still a memorable message”.

Candid Wuest, threat analyst at Symantec

According to Wuest, “Two of the most common and basic mistakes consumers make when it comes to protecting their online assets is not to use strong passwords on all their devices and not applying patches or software updates, leaving people exposed to exploits cyber criminals actively leverage”.

The most commonly used password is ‘password’, which is one of the first words tried by cyber criminals. Other passwords such as children’s names, pet names, dates of birth, favorite football teams etc. are also to be avoided, because such details can easily be found by attackers through social networks such as Twitter or Facebook.

Using a phrase for your password is a better idea: you get a strong password that is also easy to remember. For example, take “An Apple a Day Keeps the Doctor Away!”. You can use the whole sentence or the first letters of each word – “AAaDKtDA!”. You can also add numbers to it – “1AaDKtDA!”.

“Use a password manager, such as Norton Identity Safe, to help remember multiple strong passwords across all your online accounts. Where possible, enable additional security features such as two factor strong authentication.”

Ilya Kolmanovich, security threat engineer at Trusteer (IBM Security)

“The single, biggest mistake users at large make when it comes to protecting their online assets is not stopping to think about the worst case scenario of what could happen to their data once it is out of their control.”

“Nowadays, people reveal way too much personal information online without so much as a second thought about it, or the possible implications of this simple act.”

“They fail to realize that data is as protected as it will ever be before it is Internet-borne. Once it is out there, posted online in one way or another, whether they think it is protected in an online drive or a password-protected resource, there is no telling whose hands it will end up in.”

Therefore, it is very crucial to “stop and think through whether it should go online at all.”

It is important to raise awareness among users that “once it is out of their hands, information can remain on the Internet forever, it can be stolen, or abused, and they will not be able to do much about that after the fact.”

Daniel Cid, founder and CTO at Sucuri

Daniel says, “It is never just one single mistake, but a combination of multiple mistakes that lead to the most serious issues. Finding the biggest mistake was not an easy task, when there are so many to choose from.”

The most critical mistake is regarding password management. Most people still use simple, easy-to-guess passwords and re-use them everywhere.

“Users should never, never (never!), re-use passwords across different accounts.”

Marcin Kleczynski, CEO at Malwarebytes

According to Marcin, the biggest mistake users make is that they reuse passwords and this creates the weakest link effect.

When you put your information on a site that isn’t secure, attackers can obtain the email address and the password that you also use for all your other websites.

“If I were a cyber criminal, I would attack the lowest hanging fruit – a website such as a dating site or a social media site, where security is just not top of mind like it is for a bank. As soon as I had those credentials I could rest assured that I can probably reuse those credentials in a lot of places, because people don’t change them from site to site.”

Wendy Nather, research director at Retail Cyber Intelligence Sharing Center (R-CISC)

Wendy says that the biggest mistake users make when it comes to protecting their online assets is “failing to take into account that a trusted person might need to access them in the future.”

Most online sites have no provision for allowing someone else to access a user’s account when that user is incapacitated or has died. Say, for example, a user is extremely ill; then the spouse or a close family member may need to access the user’s account to pay bills or answer urgent emails.

“As we keep more of our assets online, we need proxy and delegation arrangements to be in place; this problem only grows as the online population ages.”

John E. Dunn, editor and co-founder at Techworld

“The biggest mistake? People have no plan B.”

Users are wary of paying for security and do not invest in a “backup service, disaster recovery for their PC, security systems such as multi-factor authentication and password managers.” They find it hard to understand security and do not realize its importance.

Pierluigi Paganini, founder of Security Affairs

Paganini says, “The biggest mistake the users and companies make when it comes to protecting online assets is the lack of a correct evaluation of the surface of attack.”

“In the majority of cases, users totally ignore cyber threats, threat actors and their tactics, techniques, and procedures (TTPs). This error is transversal across many sectors and technologies; the systems and services exposed on the internet often lack security by design, opening users’ assets to cyber attacks.”

“We are all nodes in an interconnected network, humans and machines, we must know the threats and the way they operate if we are to stay secure online.”

Morten Kjaersgaard, CEO at Heimdal Security

Morten feels that “The biggest mistake a user makes is underestimating their opponent. Users fail to recognize the fact that cyber criminals today are exceptionally quick, very skilled and that they are very focused on the task at hand, which is business.”

“Hackers rely on the interaction with the users to penetrate their system.” So users should recognize the attackers’ capabilities and build their own security to match them.

Adam Shostack, veteran startup leader focused on improving security & privacy for customers and author of “Threat Modeling: Designing for Security” & “The New School of Information Security”

According to Adam, “We ought to design systems that don’t make it so easy for people to make mistakes in weird technical ways that are hard to comprehend. But we do – we make it hard to be secure, then we rant about how people don’t jump through the hoops we somehow imagine they want to jump through.”

Adam says people must use a password management program to create a unique password for every site they register with. It should preferably sync locally so that “when one site gets hacked, you don’t have to change your password everywhere else.”

Brad Duncan, security researcher at Rackspace

Brad gives two tips to protect your online assets:

“Use strong passwords and enable 2 factor authentication for your webmail, if possible.” and “Don’t use the same passwords for different online accounts.”

You may have received spam from a friend’s or acquaintance’s mail account. This means that user’s account was probably compromised. Having the user change the email account’s password is the immediate fix, but the issue may be more serious.

Many people use their email accounts to receive notifications for phone bills, electric bills or from bank and other services. A hacker could misuse the private or sensitive information obtained from the user’s mail account to get information about his/her other online accounts.

Therefore it is imperative that you don’t use the same password for other accounts. “Some online bill paying services have the option to store your bank account information, so you don’t have to type it in every time you make a payment. An attacker might be able to gain access to your finances that way, and this would’ve happened because you used the same password for your different online accounts.”

Many users compromise security for the sake of convenience, which is a grave mistake.

David Harley, senior research fellow at ESET North America

Research by Mark Burnett shows that approximately 1 out of 9 people uses at least one password from his list of ‘Top 500 Worst Passwords of All Time’ and 1 out of 50 uses one of the top 20 worst passwords.

Research on PINs (Personal Identification Numbers) suggests that 15% of the passcode samples collected were among the top 10 most-used passcodes.

With 4-digit PINs, memorization is usually tied to the keyboard layout whereas a random passcode such as ‘xD8&9#05$Jn@V’ may be difficult to remember but more secure. However, David says, “Randomization is no guarantee of security. Indeed, randomization will sometimes give a bad PIN like 0000. You can use algorithms that are essentially pseudo-random but which are weighted to exclude the top n PINs, of course, but I don’t know if any service does that.”

He gives some tips to improve password/passcode creation:

  • Avoid the most popular, overused passwords.
  • Avoid passcodes that contain a single character repeated a few times.
  • An ascending or descending numeric or digital series can be risky, as it is easily cracked in a guessing, dictionary or algorithmic attack.
  • Any password consisting of a dictionary word or other over-used word can be easily and quickly cracked by bots. Passphrases may be difficult, but with increasingly sophisticated hacking software being developed, this is also getting easy, especially if they consist of common English quotations and sentences.

“But avoiding stereotyped passwords is only adequate protection if the authentication mechanism is well-implemented and if the provider is doing a good job of protecting authentication data on its own systems.”
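As an added illustration of the tips above (not code from the original article or from any product named on the page), a small policy checker in Python that rejects the patterns David lists and draws a random PIN that avoids a top-N blocklist, the “pseudo-random but excluding the top n PINs” idea he mentions. The blocklist and dictionary are constructed sample sets, not the lists the cited research uses.

```python
import re
import secrets

# Constructed stand-ins for a "top N" blocklist and a dictionary: the article
# cites Mark Burnett's list and PIN research but reproduces none of the values.
COMMON_PASSCODES = {"1234", "0000", "1111", "password", "123456", "qwerty"}
DICTIONARY_WORDS = {"password", "apple", "doctor", "football", "welcome"}


def is_repeated_char(s: str) -> bool:
    """A single character repeated, e.g. '0000' or 'aaaa'."""
    return len(s) > 1 and len(set(s)) == 1


def is_numeric_series(s: str) -> bool:
    """Strictly ascending or descending digit run, e.g. '1234' or '9876'."""
    if not s.isdigit() or len(s) < 3:
        return False
    steps = {int(b) - int(a) for a, b in zip(s, s[1:])}
    return steps == {1} or steps == {-1}


def is_dictionary_word(s: str) -> bool:
    """Letters-only core is a dictionary word, so 'Password1!' still fails."""
    core = re.sub(r"[^a-z]", "", s.lower())
    return core in DICTIONARY_WORDS


def passcode_problems(s: str) -> list:
    """Return the policy violations for a candidate passcode (empty = accepted)."""
    problems = []
    if s.lower() in COMMON_PASSCODES:
        problems.append("in common-passcode blocklist")
    if is_repeated_char(s):
        problems.append("single repeated character")
    if is_numeric_series(s):
        problems.append("ascending/descending numeric series")
    if is_dictionary_word(s):
        problems.append("dictionary word")
    return problems


def generate_pin(length: int = 4, attempts: int = 1000) -> str:
    """Draw PINs from a CSPRNG and reject any the policy refuses, so the result
    stays uniform over the PINs left after the blocklist and pattern checks."""
    for _ in range(attempts):
        candidate = "".join(secrets.choice("0123456789") for _ in range(length))
        if not passcode_problems(candidate):
            return candidate
    raise RuntimeError("no acceptable PIN found")


if __name__ == "__main__":
    for sample in ["0000", "1234", "Password1!", "xD8&9#05$Jn@V"]:
        print(sample, passcode_problems(sample) or "accepted")
    print("generated:", generate_pin())
```

Note that, as David says in the closing quote, this only helps when the provider protects authentication data properly on its side; the checker governs what the user chooses, nothing more.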

Brooke Paul, founder & CEO at Taivara

According to Brooke, “The biggest problem is users take the path of least resistance toward securing their online assets.”

Such as:

  • Not opting for extra security such as the two-factor authentication offered by sites like Facebook, Google, Dropbox and others.
  • Not using a password manager to create random and more secure passwords.
  • Not creating timeouts and login screens for their devices such as phones and laptops.

“The industry also has a role to deliver better security that works seamlessly within the user experience best suited to our customers and products.”

Joshua Corman, CTO at Sonatype and co-founder of “I am the Cavalry”

He says, “The biggest mistake that users make is assuming that we can secure anything. I think we blindly adopt technologies, social media, and other innovations for their immediate benefits, but we forget that everything is a “cost” and a “benefit”, a “risk” and a “reward”, and we blindly assume that these things are secure without any proof of them being secure or securable.”

Security breaches are on the news every day and it’s not only the credit cards. There are bigger failures with severe consequences. Credit cards are replaceable but things like public safety and human life are not. Even government agencies with billion dollar budgets can’t protect themselves.

“So our assumption that IT is “secure enough” or defensible is a faulty one.” We have become over-dependent on indefensible connected technology.  

“One piece of guidance I give is: the less dependent we are on connected technology, the less exposed we are. So we should look at every choice when giving someone our information or entrusting them to store something important to us in some cloud service.”

“It’s less of a matter of finding an option that is secure and more a matter of making really smart choices of what type of connected technologies we depend upon.”

Kevin Townsend, freelance journalist and writer at ITSecurity, UK

He says, “The biggest mistake that people make in protecting their online assets is believing that you can protect your online assets. You cannot.”

You can discourage a casual hacker but you cannot stop a determined professional hacker.

“Choose the location of your online assets with care. Check the reputation of the provider, and the security he promises. But, most importantly, never put anything online that you wouldn’t want your mother to see or read, nor anything that you cannot afford to lose.”

Dave Waterson, founder and CEO at SentryBay

Dave says, “Many users assume that because they have anti-virus software installed, then they are fully protected from everything. This is not the case.”

“The average user would be horrified to learn the actual effectiveness of AV in terms of identifying new malware. Users need to augment their AV with other more specific solutions, and be constantly on guard against social engineering attacks.”

Brian Donohue, technology journalist covering Network Security at Cyber4Sight (Booz Allen Hamilton)

According to Brian, users make two common mistakes that expose their online accounts to “compromise and hijacking”: using machine-predictable passwords and reusing the same passwords across multiple accounts.

Lee Munson, contributing writer at Sophos Naked Security

“I believe the biggest mistake people make when it comes to protecting their online assets is that they do not value them highly enough.”

Online bank accounts, social media accounts and email are protected with strong passwords and often also with two-factor authentication. Digital photos, music and home movies uploaded to cloud storage are also reasonably well secured. However, we often hear of accounts getting hacked.

“Why? Because people do not value that which they think they cannot lose.”

“The challenge for us in the information security industry is to educate people to not only value their online property as if it were a physical asset, but also how to secure it too.”

Joe Shenouda, liaison officer at CYBERPOL / ECIPS

Joe says, “Privacy exposure is the biggest mistake every user makes. People often say “I have nothing to hide” and as a consequence they expose all their information, sometimes without knowing. The consequence of this is that their online assets are scattered around beyond recovery.”

Users should take their privacy very seriously and take measures to protect their online assets better.

Matthew Pascucci, cyber security specialist and privacy advocate at Front Line Sentinel

Matthew gives three tips to protect your online assets:

“Assume the site that’s hosting your data isn’t performing proper security.” If the site is compromised, your data could become public.

“Stop using the same password for every account and use two-factor authentication whenever possible. This is done easily now with SMS text messaging and Google authenticator.”

“When storing sensitive data in the cloud, make sure it’s encrypted first before uploading it,” or there is a risk of it being viewed without your knowledge.

Troy Hunt, Microsoft MVP for developer security and blogger at TroyHunt

Troy says, “The biggest mistake users make is the assumption of privacy.”

Looking at the recent Adult Friend Finder and Ashley Madison hacks, you must keep in mind that “all your online things need to be created with the assumption of them being public one day. It’s an unfortunate reality that this increasingly seems to be the case, whether it’s due to data breaches or government oversight.”

He advises, “Avoid digitizing things that would irreparably damage them, whether that be photos or emails or other online conversations – it’s just not worth the risk.”

Simon Edwards, technical director at Dennis Technology Labs

“The biggest mistake is to choose the cheapest option without considering the supplier’s reputation.”

For example, “If you pay a respectable company to provide you with VPN services, then you stand a greater chance of being secure than if you trust in a provider that you know little about and somehow has the ability to provide free, reliable and secure services.”

“There has been a case of a VPN provider renting out customers’ Internet connections to a third-party. And how many other free VPN services are secretly operated by governmental entities?”

Xavier Mertens, freelance security consultant and owner at TrueSec

He says, “Our assets are protected from the ‘wild’ Internet by blocking all incoming (unwanted) connections. This kind of traffic is called ‘ingress traffic’.”

“At the opposite, we have the ‘egress’ traffic which refers to the traffic that is going from the network to a destination somewhere outside of the network (read: the Internet). Controlling this egress traffic is also very important.”

He recommends permitting only the required traffic to leave your networks, and not allowing internal hosts to communicate directly with external services such as DNS, SMTP or HTTP.

“Use internal resources and proxies to inspect the traffic. On computers, host based firewalls can be installed to control all the traffic based on application (ex: LittleSnitch on OS X).”
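As an added example, not from the original article or from Xavier’s own tooling, here is an audit of constructed connection records against an egress policy of the kind he describes: internal hosts reach DNS, mail and the web only through the internal resolver, relay and proxy (assumed to live in 10.0.0.0/8), one external time server is an approved exception, and every other direct connection to the Internet is flagged, naming the internal resource it bypassed.

```python
import ipaddress

# Assumed layout (constructed, not from the article): one internal /8 that also
# hosts the DNS resolver, SMTP relay and web proxy all outbound traffic must use.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]
# External destinations explicitly approved for direct access (here: an NTP server).
EXTERNAL_ALLOW = {("192.0.2.123", 123)}
# Services Mertens says hosts should reach only through internal resources.
DIRECT_SERVICE = {
    53: "direct DNS (bypasses internal resolver)",
    25: "direct SMTP (bypasses mail relay)",
    80: "direct HTTP (bypasses web proxy)",
    443: "direct HTTPS (bypasses web proxy)",
}

# Constructed flow records: "src dst dport proto", one per line.
SAMPLE_FLOWS = """\
10.0.1.15 10.0.0.53 53 udp
10.0.1.15 10.0.0.8 3128 tcp
10.0.1.15 192.0.2.123 123 udp
10.0.1.22 198.51.100.53 53 udp
10.0.1.22 203.0.113.10 25 tcp
10.0.1.30 198.51.100.7 443 tcp
10.0.1.30 10.0.0.25 25 tcp
10.0.1.40 203.0.113.9 8443 tcp
"""


def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def classify_flow(src: str, dst: str, dport: int, proto: str):
    """Return (src, dst, dport, reason) for a flow that breaks egress policy, else None."""
    if is_internal(dst) or (dst, dport) in EXTERNAL_ALLOW:
        return None  # not egress at all, or an approved exception
    reason = DIRECT_SERVICE.get(dport, "unapproved external destination/port")
    return (src, dst, dport, reason)


def audit_egress(flow_text: str) -> list:
    """Run every record through the policy and collect the findings in order."""
    findings = []
    for line in flow_text.splitlines():
        if not line.strip():
            continue
        src, dst, dport, proto = line.split()
        finding = classify_flow(src, dst, int(dport), proto)
        if finding:
            findings.append(finding)
    return findings


if __name__ == "__main__":
    for src, dst, dport, reason in audit_egress(SAMPLE_FLOWS):
        print(f"{src} -> {dst}:{dport}  {reason}")
```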

Martijn Grooten, editor at Virus Bulletin

The biggest mistake according to Martijn is that “People think there is a silver bullet that can solve all their problems. The idea that if only they use this tool, or always do that thing, they don’t have to worry about anything.”

He says that people should have “realistic expectations of how much tools and practices can stop attacks.”

Graham Cluley, independent computer security analyst at GrahamCluley

Graham says, “If information is important to you, and you are planning to store it online, the biggest mistake you can make is not encrypting it *before* you store it in the cloud.”

“Trusting an online service to do a decent job of securing your information and keeping it private can be a costly mistake. Ultimately the only person you can trust to do a decent job is yourself, so encrypt before you store your data online.”

Although there are risks involved in using the internet, taking appropriate security measures will greatly minimize that risk and prevent your sensitive information from being stolen. At Nexibeo, we strive to fulfill the unique needs of our clients by providing the best possible security solutions available.