An Infosec Spring clean

An Infosec Spring clean

We’re a month or so into Spring and it may well be time you had a spring clean – ha, ha, and so on – of your security settings and general hygiene. You probably have lots of accounts, but it’s easy enough to divide them up before getting on with the “how secure is all this stuff anyway” task ahead of you:

1. Lock down your mission critical accounts.

Throw your really important email address, that social media account you maintain for work, and the cloud storage account with all your important things in it under this banner.

  • Do you use 2FA, like Google Authenticator?
  • Do you have a backup plan in place in case you lose your phone (and thus access)?
  • Are you using a password manager?
  • Do you have all security features enabled?
  • Do you use regional lockout and need to alter these settings before hitting the road? Or does it have a Plan B to let you alter on the fly?
  • It’s easy to forget about websites – does your host have a secure login setup, or should you be looking to move to a more reliable provider?
  • Do you have one foot in the faintly aggravating pool of domain registration? If they provide additional security features related to privacy/anti-spam/”locking” the domain, are you using them?

Also of note, but easy to forget: your gaming accounts, which (depending on sales) may have hundreds or even thousands of dollars invested in them over time. It’s certainly a pain to micromanage lots of client logins from Steam to UPlay and back over to Origin, but having said that, all of your password juggling problems can quickly be resolved by deploying your favorite password manager of choice.

These are probably the main items of note that you’ll want to concern yourself with.

2. Be aware of third party access permissions.

One of the web’s biggest strengths is being able to tie all of our programs and services together. It’s great! Unfortunately, it’s also not great and can lead to major problems should one of those services be compromised. It only takes one hack and then you’re pushing all sorts of wacky content (and by wacky, I mean “help, my eyeballs are melting“). There is no real solution to this one; if a third party service is popped while you’re in bed asleep, you’re going to wake up to disaster.

What you can do, is jump into application settings/management and see what lies within. If you have a bunch of old apps you haven’t used for in ages, revoke permissions. Not sure how app X or Y got there in the first place? Revoke. It doesn’t matter whether the unused app is a big brand or something a teenager cobbled together in their bedroom – everything is potentially hackable, but this is all about reducing the risk a little bit. If you still get caught after amending your settings to something you’re comfortable with, don’t feel too bad about it.

3. Look after your Nothingburger accounts.

We all have them – those accounts we create purely because we have to, or ones we use for buying things on an occasional basis. Forum registrations. That one gaming site you can’t stop screaming at people in ALL CAPS. The only seller of that unique brand of salad dressing you like. Something about cat memes.

However.

Don’t fall into the trap of cursing them all with the same username/email/password combination, on the basis that they’re all “disposable”. You might not think they’re important, but most of these Nothingburgers contain a juicy filling. A forum registration with your real DOB here, a shopping account with your real name and address there, or that gaming forum with a pile of HERE’S MY PHONE NUMBER, FIGHT ME private messages from 2008. All of this can be used against you. The moment one is popped, the hackers will try those same credentials against lists of other websites. At that point, it’s game over – and let’s face it, nobody wants to spend 3 hours trying to reclaim a dozen stolen logins while wading through a conga line of tech support.

Do the right thing and generate a bunch of random passwords via your favorite password creation tool. Mmm! That is a tasty nothingburger!

If you’ve shored up your super important accounts, dealt with the generic logins, and sorted out third party permissions, you’ve probably come to the end of your great Spring clean-out. There’s always something else to fix or tune up, but the above is certainly a quick and easy way to divide up the gigantic pile of accounts you probably have in your gigantic account pile of accounts bag. If there’s others we’ve left out, or you have additional “how to manage this mess” tips, feel free to leave them in the comments.

Christopher Boyd

ABOUT THE AUTHOR

Christopher Boyd

Former Director of Research at FaceTime Security Labs. He has a very particular set of skills. Skills that make him a nightmare for threats like you.