So a kitten and an information security analyst walk into a bar…

It’s a great setup for a joke, right? (Unless you consider that kittens are way too young to drink and shouldn’t even be in a bar in the first place.) Let us also consider that an information security analyst probably doesn’t have the luxury of time to go to a bar given the year we’ve seen in Internet security, what with ransomware, insider threats and onion-layered attacks running rampant, according to the latest security research report from IBM X-Force.

The fact of the matter is that the information security analyst might be trying to forget some of the very silly things his colleagues do despite best practice lists and common sense. Let’s dissect some of those bad choices, with the help of our little kitten friend.

Download the 4Q 2015 IBM X-Force Threat Intelligence Quarterly

K Is for Kiosk Charging

We’ve all seen those charging stations at conferences, airports and even on airplanes, enticing you to just plug in and relax while devices charge. In the old days, power and data flowed through separate cables, but modern mobile devices require that both charging and data flow through a single cord. Without seeing what’s on the other end of that charging kiosk, plugging your phone in can mean that you are allowing access to the data on your phone and possibly even the injection of malicious code, which is known as juice jacking.

To protect yourself, carry your own USB charger and plug it into an electrical outlet, invest in a USB data blocker (a “USB prophylactic”) that passes power but blocks the data lines, or charge only through a power bank.

I Is for Installing Patches Late

Nearly 75 percent of cyberattacks use publicly known vulnerabilities in commercial software, but only about 10 percent of organizations have the capacity to apply patches on the same day they’re released. Do your best to be part of that 10 percent, for catnip’s sake!

T Is for Thoughtless Clicking

There are many wonders to behold on the Internet. Whether it’s an email with a link proclaiming “cutest kitten picture ever!” or a click-bait headline on social media, think before clicking.

Do you know the sender of the email? Is the destination site or publication a reputable one? At best, you’ve wasted time clicking through to another weird corner of the Internet, and at worst, you’re clicking through to a malware host for a drive-by download. Think before you click.

T Is for Third-Party Access to Personal Data

Do you know why that game app needs access to your contacts? Or why that navigation app wants access to your health data? Be mindful of the permissions you grant to apps on your mobile devices and what data they may be sharing on your behalf. If you’re suspicious of an application and its need for permissions, compare it to others in the same category to see if there’s a consistency for a particular permission type or if it’s an indicator of data gathering for potentially illicit purposes.
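The comparison suggested above, checking an app’s requested permissions against what its category peers typically request, can be scripted. The following is an added example, not code from the original post or from IBM: the peer inventory is constructed sample data, and the permission names simply mirror Android’s naming for readability.

```python
"""Flag app permissions that are unusual for the app's category.

Added example (not from the original post). The peer inventory below is
constructed sample data; the permission names mirror Android's naming.
"""
from collections import Counter

# Constructed sample: permission sets requested by peer apps per category.
CATEGORY_PEERS = {
    "games": [
        {"INTERNET", "VIBRATE", "ACCESS_NETWORK_STATE"},
        {"INTERNET", "VIBRATE"},
        {"INTERNET", "ACCESS_NETWORK_STATE", "WAKE_LOCK"},
        {"INTERNET", "VIBRATE", "WAKE_LOCK"},
    ],
    "navigation": [
        {"INTERNET", "ACCESS_FINE_LOCATION", "ACCESS_COARSE_LOCATION"},
        {"INTERNET", "ACCESS_FINE_LOCATION"},
        {"INTERNET", "ACCESS_FINE_LOCATION", "ACCESS_NETWORK_STATE"},
    ],
}


def permission_prevalence(peers):
    """Fraction of peer apps requesting each permission (0.0..1.0)."""
    counts = Counter(perm for perms in peers for perm in perms)
    return {perm: n / len(peers) for perm, n in counts.items()}


def unusual_permissions(requested, peers, threshold=0.25):
    """Return (permission, peer_share) pairs for permissions the app
    requests that fewer than `threshold` of its category peers request.
    A share of 0.0 means no peer in the category asks for it at all."""
    prevalence = permission_prevalence(peers)
    return sorted(
        (perm, prevalence.get(perm, 0.0))
        for perm in requested
        if prevalence.get(perm, 0.0) < threshold
    )


if __name__ == "__main__":
    # A game asking for contacts and the microphone stands out among its peers.
    game = {"INTERNET", "VIBRATE", "READ_CONTACTS", "RECORD_AUDIO"}
    for perm, share in unusual_permissions(game, CATEGORY_PEERS["games"]):
        print(f"{perm}: requested by {share:.0%} of peer games")
```

The threshold is a judgment call: a permission requested by none of an app’s peers is the strongest signal, while one requested by a minority may simply reflect a legitimate feature the others lack.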

E Is for Egregious Password Practices

Password hygiene continues to be problematic and was one of the key factors cited in the X-Force Threat Intelligence Quarterly as contributing to insider threats. Whether it is shared accounts, easy passwords or passwords that never expire, this lack of accountability on user provisioning and privileges is leaving major holes in corporate networks.

Even with effective termination procedures, shared admin accounts or passwords that never expire leave doors open to disgruntled ex-employees who set up remote administration tools like LogMeIn or TeamViewer before their departure.
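The conditions named in the two paragraphs above (shared accounts, passwords that never expire, passwords well past a maximum age, and accounts still enabled after their owner has left) can be audited from an account export. This is an added example, not code from the original post or from IBM: the records are constructed sample data in a made-up export format, and the field names and the 90-day maximum age are assumptions rather than any directory product’s schema or policy.

```python
"""Audit a user-account export for the hygiene problems named in the post.

Added example (not from the original post). The records and field names
below are constructed sample data in an assumed export format.
"""
from datetime import date

MAX_PASSWORD_AGE_DAYS = 90   # assumed policy value
TODAY = date(2015, 12, 1)    # fixed so the example is reproducible

# Constructed sample export: one record per account.
ACCOUNTS = [
    {"name": "jsmith", "enabled": True, "shared": False,
     "password_never_expires": False, "password_set": date(2015, 11, 10),
     "owner_status": "active"},
    {"name": "helpdesk-admin", "enabled": True, "shared": True,
     "password_never_expires": True, "password_set": date(2014, 3, 2),
     "owner_status": "active"},
    {"name": "rjones", "enabled": True, "shared": False,
     "password_never_expires": False, "password_set": date(2015, 6, 1),
     "owner_status": "terminated"},
    {"name": "svc-backup", "enabled": False, "shared": False,
     "password_never_expires": True, "password_set": date(2013, 1, 15),
     "owner_status": "active"},
]


def audit_account(acct, today=TODAY, max_age=MAX_PASSWORD_AGE_DAYS):
    """Return a list of finding codes for one account (empty means clean).

    Disabled accounts are skipped: they cannot be used to log in, so their
    stale credentials are a cleanup item rather than an open door."""
    if not acct["enabled"]:
        return []
    findings = []
    if acct["shared"]:
        findings.append("SHARED_ACCOUNT")
    if acct["password_never_expires"]:
        findings.append("PASSWORD_NEVER_EXPIRES")
    age = (today - acct["password_set"]).days
    if age > max_age:
        findings.append(f"PASSWORD_AGE_{age}D")
    if acct["owner_status"] == "terminated":
        findings.append("OWNER_TERMINATED_STILL_ENABLED")
    return findings


def audit(accounts, **kwargs):
    """Map account name -> findings, for accounts with at least one finding."""
    report = {}
    for acct in accounts:
        findings = audit_account(acct, **kwargs)
        if findings:
            report[acct["name"]] = findings
    return report


if __name__ == "__main__":
    for name, findings in audit(ACCOUNTS).items():
        print(f"{name}: {', '.join(findings)}")
```

The “terminated but still enabled” finding is the one that maps most directly to the ex-employee scenario: it is cheap to compute from an HR status joined to the directory, and it catches the account whether or not a remote administration tool was ever installed.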

N Is for ‘Not Me’ Thinking

There’s a certain haughtiness that an information security analyst and others in the industry can adopt in thinking that they are too well-versed in security practices to ever be the victim of an attack. Social engineering has evolved to such levels of sophistication that even the most seasoned practitioner can be fooled.

There is no universal security karma that prevents those of us in this industry from being infected, just that poorly defined Alanis Morissette-esque sense of irony when there’s a fly in your chardonnay.

More for an Information Security Analyst

To learn more about the top security trends in 2015, download the latest IBM X-Force Threat Intelligence Quarterly.

You can also watch our on-demand webinar, titled “Security Preparedness from the Server Room to the Boardroom: Latest Security Research from IBM X-Force” — kittens not included.
