The Security Solution

One common misconception about security is that you go out and buy a security program and install it on your computer, and that the security software will keep you safe. It would be really nice if that was all that was necessary. But security is a lot more than just installing a security program.

As we saw through the month of October with the 31 security “tips,” security involves a lot more than something a single piece of software can address. Security software is an important part of the solution. But it is nowhere near sufficient to keep you safe.

Some of the things we talked about during National Cyber Security Awareness Month were:

* Misleading promises made by marketers (some of them fully believe they can deliver on those promises but don’t realize there are limitations)

* Power failures and lightning strikes (that can destroy data and/or equipment)

* Common human error (forgetting to save a file, deleting something)

* Criminals (who have added the use of computers and electronic communications to their arsenal in order to steal, extort, commit fraud, and ….)

* Features that enable ease of use and automation also result in additional risks. Lowering the risks may result in less convenience. Some people will find loss of convenience unacceptable.

* Security solutions that sound good but overlook important factors and don’t fully address the risks (e.g., the new chip credit cards; “remote wipe”).

* Sometimes, security is sacrificed in favor of profitability (app builders).

Many of these are not the kinds of things that security software can address. Some of these can be addressed by security software but humans who own the systems will find a way around them, often for the sake of convenience. In addition, criminals on a mission to conduct their crime will find a way around them. For a considerable number of reasons, security software is only part of the solution.

One of the main points I want you to take away from last month’s posts (in addition to learning a few specific things) is that keeping safe means you will need to become more aware and continue to learn more over the years. I am not suggesting you become an “expert.” Nor am I suggesting you undertake an extensive study in the field of security. For anyone who wishes to do that, great! I would be happy to discuss that with you.

However, for all the rest of you, I want you to learn a little bit at a time on an ongoing basis. I will be offering a way to do that which will be inexpensive, easy, and (hopefully) may even be fun at times. But, whether or not you learn from me, I want you to learn from somebody.

Again, security has no “silver bullet.” There is no single solution. There is no solution that will be able to address all you need to know and to do in order to remain safe, apart from the ongoing process of keeping up with the changing security environment. As we have seen, some of those threats extend beyond the cyber world into the real world and may affect your health and safety.

If we want to be informed about world events, we don’t watch the news for one day and then decide that we know all there is to know from then on. If you want to be informed of world events, you watch the news, or read the paper, or follow it online, on an ongoing basis. In the world of security, the world of threats and what we need to know to keep safe continue to evolve, and the same ongoing process is required. That is the closest solution we have to remaining safe.

Without this knowledge, more than likely, most of us will be lucky a lot of the time. But, it only takes one time to make you wish you’d taken it more seriously. Maybe it would be loss of data, maybe identity theft, or maybe just the cost and inconvenience of not being able to use your computer until it gets fixed or replaced. Don’t forget that, for a great many people, their computer will be compromised and will be used to attack other people or carry out other criminal activities, without them ever finding out that they are enabling these activities to occur by remaining unaware.

So, the first “theme” I want you to take away from the past month’s tips is that security has a lot of pieces and that a lot of remaining safe depends upon you learning more about it.

If I needed to boil it all down into one word, that word would be


That is what I wish for you.

Ghost Stories & the Virtual-Real World Connection

Many years ago, I watched a movie that was really scary. I don’t usually watch horror movies, but somehow I came across it without knowing what it was. I couldn’t turn it off. It took place in a remote wooded area. I think it may have been titled “Claws.” The main characters are in conflict with a bear and, as the movie progressed, one wondered if the bear may be supernatural and unable to be killed. I remember trying to go to sleep afterwards and talking to myself about how the bear wasn’t real, it was just a movie. It was all make believe and I was actually safe. It wasn’t really going to come and get me as I lay in my bed with the lights out.

Perhaps you’ve been at camp. Camp is good for “ghost stories” and the like. One year in grade school our class went on a field trip for a couple of days. It was in a secluded area and we had “nature classes” during the day. We went out in the field and saw the different kinds of long grasses that grew in this natural habitat.

At night, as we lay in our bunks, someone told a “ghost story.” It was about some unsavory character that lived in the woods. I don’t remember the story but it was one of those designed to scare the young kids and make them terrified to go to sleep. Even if you knew it was just a story to scare us, lying there in the dark it was easy to wonder if maybe it just might be true. It’s not real… it’s just a story…. isn’t it? I hope it’s just a story. But, maybe…. What if he’s really out there?


OK. So, let’s talk about cyberspace. What is cyberspace, anyway? It’s all just “virtual,” isn’t it? Just computer stuff. Not really the real world. It’s all inside computers and what’s inside the computers can’t really “reach out and touch” the real world, can it? I mean, it’s kind of like television. It’s behind the screen and it’s different from the world we live in. Isn’t it?

But, what if it’s not just “virtual”? Could it really be real?


Twenty years ago it would be easier to say that the “virtual world” is not connected to the physical world. But today, so much of our world is connected through computers. Traffic signals can be controlled by computers that monitor traffic flow. Our telecommunications systems are computerized systems, so our phone calls, e-mail, text, and any other communication that isn’t face-to-face relies on computers.

Our water and wastewater systems are controlled by systems that can be accessed over the Internet. Many industrial control systems are also accessible through the Internet or through Internet-connected systems. So, the systems that control water processing and distribution and also other essential systems have a connection to the “virtual” world.

In “Daily Tip 31” (the extended tip version), I told of how a hacker had taken down a state-wide emergency response system (911 service) toward the end of last month. I didn’t provide many details, but he did this using a “botnet” where he controlled about 6000 smartphones to launch an attack. This is an instance where the virtual world “reaches out and touches” the real world, and disables critical functions. This kind of “virtual” world activity can actually threaten our life and safety in the physical world.


What about the information we share that resides on computers in doctors’ offices, labs, and hospitals? What if someone were to “alter” that information? Suppose they changed your drug allergy information. The next time you visit the doctor’s office, if your allergy information has been altered, could the doctor perhaps prescribe some medication that you are allergic to? If it’s a medication that results in a serious reaction, that change in your information could result in death. They often review your allergies when you are in the office, but are mistakes ever made? Are all recommended procedures always followed?


Just in the normal course of events, I regularly find that some of the information about the medications I take, which were reviewed each of the last several times I went to my doctors’ offices, is “missing” from the records. They have to update it every time. It’s not a matter of verifying it; it isn’t showing up in the records.

I have also had a doctor prescribe a medication to me that I cannot take (not an allergy but an extreme sensitivity). I had just told him that I couldn’t take certain medications. One of the components in the medicine he prescribed was the drug that I had just told him I couldn’t take. The result was really bad pain. When I researched it after the attack of pain, I discovered his error. Fortunately, it wasn’t a severe allergy.

If doctors and medical offices have these kinds of troubles with keeping information accurate or with prescribing medications when the information they receive is correct, think of the results if the records were altered by someone else. Can we really continue to think, “But that’s just the ‘virtual’ world. That doesn’t affect our real lives, does it?” Think again.


As a final example, consider your bank account. It’s all numbers inside a computer. The number of the account, your social security number, the numbers for the dates and amount of transactions, the number showing your balance. What if someone messes with those numbers? Suppose they alter the amount of your paycheck and the numbers showing how much money you have in the bank? Do you think that affects your REAL life? You bet it does. If your money is all gone, and you can’t pay your bills, how long before you run out of food, before your water and electricity are disconnected, and other consequences occur? Hopefully, you could get that corrected in time. But, if all your credit cards were unusable and your bank accounts had zero balances, how long before it would impact your “REAL LIFE”?


Why am I saying this? Why am I painting these images of bad things that could happen?

It’s not to scare you. I am trying to make a point.


It’s easy to think of protecting our information as being something “in the computer,” much like the movie we watch is “in the TV,” or the ghost story we hear as being “in our imagination.”

It’s easy to say, “Yes, there may be threats out there, but why should I worry about those? After all, that’s only computer stuff. I live in the real world and that computer stuff isn’t going to affect my real world life.” But, unlike the movies and the ghost stories, a lot of what happens “in the computer world” can actually have an impact on our physical world and our real lives.

So, when I talk about protecting yourself and your information, that really does mean protecting yourself. Not just in a metaphorical way, but in a real-life physical way.

We may not always see the impact on our lives from any particular “threat” or the benefit of any specific “security measure” that may be recommended. But, just because it may not be obvious, I want you to realize that these are not just theoretical ideas. The decisions we make really can make a difference in our REAL world.


Some of you may say, “But I don’t have any information on my computer that would affect my real life. I don’t do anything financial online, I don’t store any personal information. I just use e-mail and surf the web. How can that affect my personal life?”

Although, at first glance, that may appear to be a reason to not take the concern for security seriously, I want to remind you about the way the 911 emergency services were taken offline last month. Consumers’ smartphones were used to attack the system.

If you don’t secure your system, your system can be compromised without you ever knowing it. Then, it can be used to attack banking, medical, utility, and emergency services, as well as other consumers. In other words, your unsecured computer can be used to attack systems that you rely upon for your personal, financial, and physical well-being.

The more we protect our systems, even when we don’t have “anything of importance” on them, the harder we make it for attackers to attack the systems that we really do care about, the ones that contain our financial and health information, and the ones that keep our communities safe.

Bonus Tip – What’s Next?

We have just gone through a month of focusing on CyberSecurity. We have discussed some scary things in the world of cyberspace. Now that National Cyber Security Awareness Month is over, where do we go from here?

Today is All Saints’ Day, also known as All Hallows’ Day. Yesterday was All Hallows’ Eve (i.e., All Hallows’ Evening, or HallowE’en). I want to use the transition from Hallowe’en to All Saints’ Day as an illustration.

As we move from a day characterized by scary creatures and acts of mischief to a day of Saints whose lives are characterized by good deeds, it seems appropriate to move from the world of scary cyber stuff to one where we can support the good of technology and banish the bad.

Yesterday, I talked about how computers and other devices can be turned into zombies to do the bidding of cybercriminals when they get infected and come under the control of a Command and Control server. I mentioned how they can disrupt our ability to use the Internet and can even affect our health and safety in the physical world. I emphasized the need to be responsible and take measures to prevent our own computers and other devices from coming under the control of these cybercriminals.


It is one thing to say we should take security precautions, but quite another to be able to do it. There are so many things to be watchful of and measures to take. It can be confusing to know where to start, much less to know what measures we can take.

But we need to start somewhere. That “somewhere” is to become better informed. We need to become informed about the threats and how to avoid becoming victims. We need to learn what measures are most effective to keep us and our information safe. And we need to learn how to actually apply those measures. That cannot be done overnight. It must be an ongoing effort. But it doesn’t have to be hard (although it usually tends to be, unless you have someone to guide you).

The point of today’s post is to say:
You need to become better informed about security.

The reason I have started this web site is to begin providing guidance so you can become better informed, without having to wade through many years of study, reading books, attending lectures and seminars, going through a great deal of trial and error, and so forth. Over time, I will be providing ongoing training through courses, workshops, webinars, calls, etc.

The advantage of learning from me is that I can condense years of study and make your learning much easier, and can make even those things that are difficult to understand much easier to understand.

Over the last month, I have hurried through the information for these daily tips and have not been able to go into as much detail or to be as simple as I would like, due to the space and time constraints of this past month’s effort. With future programs, I expect to expand on each subject more, to take more time with each topic, and to allow opportunities for questions and interaction.


You don’t have to learn this from me. But I believe it is essential that you learn it from someone. If you choose not to join me for this, please find someone or some way to learn it yourself.

As we saw yesterday, those who are unaware of this information become pawns of the cyber criminals. Those who are not informed have their systems used as weapons of the cyber criminals to attack others.

Please take this seriously and learn all you can. Join the side of the Saints to be a good citizen of the Internet community and help fight cybercrime by protecting yourself, your systems, and your information.


Please make a personal decision now. Please decide that you will take at least some time and effort to learn something new about security every month. If you learn a couple things each month, you will find that, over time, you will become much better able to protect yourself and your information. You will also be much less likely to become one of those whose computers or other devices are used to disrupt the Internet or other critical systems.

If you have learned something over the last month, please keep coming back. There is much more to come, some on this blog and much through other material I will make available. I know you are busy and that it is easy to “forget” to come back due to the many demands on our time. If you haven’t already signed up for the notification list, why not do that now? It will give you reminders to come back as new material is released on this blog or to find out about additional materials or events as I make them available. You will find the sign-up form near the top, on the right side of the page.

Thanks for joining me this past month. Be CyberSafe!

Daily Tip 31 – The Zombie Apocalypse

Halloween. We love to decorate our houses, dress up, have fun.

Goblins, witches, even zombies.

But what if our computers join in the fun? Then, it’s no longer so much fun.

A computer can become a zombie. When it does, it can attack us, and even affect our physical world. That has happened in the last couple weeks.

Daily Tip 30 – Back Up Your Data

You’ve undoubtedly heard that you should back up your computer. Have you done it? If you’re like most people, the answer is “No.”

But a good backup could save you a lot of distress and also a good amount of money if your data are ever lost. Unfortunately, that happens too often.

Some data loss may not matter much. But most people have something that is important.

A backup is a copy. A backup can even be a paper print-out of information. Or it can be done “electronically.”

If it is important, you should have a backup.

Daily Tip 29 – Don’t Get Rid of that Computer Yet

So, your computer has died and you are getting rid of it. Or you are replacing it with a newer one. A lot of people will throw it out or give it away. But, before you do, there’s something you should know.

Your computer probably still has a lot of information on it that someone else can get. Even if you think you got rid of everything.

There are files you have saved, possibly financial and medical information, letters you’ve written, and pictures you’ve stored. There is probably a significant amount of information about places you have visited on the Internet, searches you have done, and possibly even copies of the pages you have visited. Even if you deleted all these files and emptied the recycle bin, the chances are good that there is information on that computer that you haven’t been able to get rid of.

In fact, a lot of the techniques that people use to try to get rid of their data are not nearly as effective as they think they are.

So, before you get rid of it, make sure your data isn’t falling into someone else’s hands.

Daily Tip 28 – Surf at Your Own Risk

What kind of web sites can infect your computer?

a) Sites that provide up-to-date news stories

b) Sites about the hottest celebrities

c) Porn sites

d) Sites where professionals go to keep up-to-date on developments in their field

e) Sports sites

f) All of the above

Hint: The answer is not the one that is probably your first guess

(Scroll down for the answer)










Answer: F) All of the above

Daily Tip 27 – Unknown links

We are told to be careful of clicking on links. There are some you should not click on, like those that say there is a problem with your account and that say you should click on the link to fix it.

But there are others that look strange or that don’t seem to go where you think you want to end up, but they are actually perfectly OK. There are legitimate reasons for using these. On the other hand, they could also be used for malicious purposes.

The lesson is that you can never be sure where a link is going to take you. You need to exercise caution.

It is hard to tell if a link is safe. But context and whether or not you trust the person providing the link can help.

Daily Tip 26 – Breaking the Rules

Security is not just about rules. It is not just about risks. But to understand how to keep safe and protect yourself and your information, you need to understand the risks and the rules and practices that can keep you safe.

Blindly following the rules, even security rules, will not keep you safe. Relying on rules to keep you safe will backfire.

You must be informed. That is why I am providing this information. You must be able to recognize when there is a problem and when you might be at risk. Rules alone will not do that for you.

Today’s extended tip talks about True Security. That may even mean not following the rules. Read about it HERE

Daily Tip 25 – Settings to make e-mail safer

Default settings on e-mail programs often put your computer at risk. Changing some of those settings can protect you.

Some of the settings you should consider changing are:
* View e-mail as “text” and not as “html”

* Turn off the “preview” function

* Don’t display external images

* Don’t allow executables to run

Details on these settings and why they are important, as well as the drawbacks, are discussed in the extended tip. Ongoing access to the extended tips will be made available in a few days.