Feature Story

The Three Cyber Security Phases of the Holiday Season

A breakdown of the three phases of online shopping during the holidays from Cisco's Chief Security Officer John Stewart

Cyber Monday has come and gone, but if we look ahead to the rest of the holiday season from a cybersecurity point of view, it breaks down into three phases: First comes the shopping phase. Second comes the open-the-new-purchases phase. The third arrives in January, when people bring their new gadgets to work, school, or other organized IT environment. I have some tips to help you survive all three phases.

The Shopping Phase

While online, the most important thing you can do is to strengthen and vary your passwords. Never, ever use one password to access multiple sites. Once a hacker discovers your standard (usually simple and easy-to-guess) password, all the other sites where you use that password will burst like a piñata, showering hackers with ill-gotten gains.

In making up new passwords, keep them long, a jumble of alphabetical, numeric, punctuation, and symbolic characters. In fact, not only do you want stronger passwords for that holiday gift to yourself, you should make password reform one of your New Year's resolutions.

Another trick I use is to keep an extra credit card account for e-commerce purchases only. I use the online access to this card's account information to watch out for unauthorized activity.  I also keep the credit limit on this card low so that if it does fall into the wrong hands, uncharacteristic activity will quickly alert the card issuer to malfeasance and any financial damage will be containable. Also, keeping my Internet purchases on a single card helps me keep track of the things I buy online.

That seasonal feeling of good will to other humans should also trigger a heightened awareness of charity scams. While there are many worthy "startup" causes, it's best to be generous to organizations already known to you. If that sounds slightly hard-hearted, reflect on the thought that a charity scammer is not really stealing from you, or your financial services provider, but the people or cause they claim to help.

Scam emails? Too-good-to-be-true bargains? Phishing? Rely on your sense of smell! Don't open email attachments unless you are sure of the sender, the subject matter, and the purpose of the message. Whether they're  $19.95 tablet computers, mysteriously awarded gift cards, or cruises in exchange for taking a simple online survey, ignore them. If you think you are being phished but are curious all the same, don't click on the embedded URL; instead, manually enter the web address for the bank, store, or institution the email claims to represent and see if you can find the same information on the official site. Nine times out of eight, you won't.

One thing you should definitely shop for is a good credit monitoring service that will keep an eye out for anomalous activities on your accounts. I can't make any specific recommendations, but it isn't hard to learn the reputations of various vendors. Believe me, the peace of mind these services afford is worth the surprisingly low cost of a subscription.

The Open-the-Purchases Phase

When you open new purchases, please take time to read the informative manual and pay special attention to the security features of the new devices. This is another opportunity to practice good password hygiene when logging in for the first time and setting up accounts. Many devices also come with third-party security software bundled in, often as a 90-day trial. Give these packages a whirl, and if you like them, don't miss the opportunity to subscribe on day 91.

Before the kids switch on a new Internet-connected device, check the content access controls. You'd be surprised what people get up to in elf costumes in online videos.

As you start using new stuff, you'll probably be thinking about getting rid of old stuff. First, you owe it to the world to discard electronic goods responsibly. Look for opportunities to recycle e-waste in your community, or do a search for "e-waste [your town]" online. When you do let go of an old device, be sure to wipe the hard disks and other memory clean. We all know that computers can contain personal data, but the same holds true for cellphones, music players, game consoles, cameras, and the like.

There's a big difference between erasing and wiping digital information. Simply erasing data is not enough. Erasing usually tells a device that it is OK to write over files, but the information remains in place until an overwrite occurs. Wiping information goes further by replacing pre-existing data with random gibberish that prying eyes cannot read.

The Back-to-Work or Back-to-School Phase

The third phase of the holidays arrives on January 2 or thereabouts, when people take their new devices to work or school and connect them to the local network. IT people have come to regard early January as a second Halloween full of bring-your-own-device tricks and treats. To avoid New Year's career blunders, I recommend asking your IT staff three questions: "Is it OK to connect my new Omnicron Big Mini Whatsit to the network? How do I do this and stay within organizational policies? Once I have done that, what can I do to keep my device as secure as possible?" Even if the answer to the first question is "No way," they will thank you for your concern for the well-being of the institution's network.

Slow Down Finally, if there is one piece of advice to make the holidays safer and enjoyable, it is to slow down the buying and consumption process. The Internet has got us all programmed to speed our way through life, but the best way to become a cybersecurity victim is to lose your situational awareness in a blur of nonstop activity. Stop and ask yourself: "Is this offer on the level? Is ‘CaptKirk' really a strong password? Is Operation Hope for New York Jets Fans a real  outlet for my compassion? How did $10,000 worth of cat toys wind up on my credit card bill?" You don't need to paralyze yourself with indecision, but giving yourself a chance to screen out obvious pitfalls will make for a happier and more prosperous new year.


John N. Stewart
Senior Vice President, Chief Security Officer Global Government and Corporate Security

John Stewart is responsible for Cisco information security, product security and secure product delivery initiatives supporting both private and public sector customers. Stewart has been an active member in the security industry for over 25 years. In addition to his current assignment at Cisco, he sits on technical advisory boards for Panorama Capital and RedSeal Networks, and is on the board of directors for KoolSpan, Fixmo, and the National Cyber-Forensics Training Alliance. Additionally, Stewart serves on the Council of Experts for the Global Cyber Security Center and the Cybersecurity Think Tank at University of Maryland University College. He has served on the Center on Strategic and International Studies (CSIS) Commission on Cybersecurity for the 44th Presidency.

Stewart holds a master of science degree in computer and information science with honors from Syracuse University, Syracuse, New York.