So a kitten and an information security analyst walk into a bar…

It’s a great setup for a joke, right? (Unless you consider that kittens are way too young to drink and shouldn’t even be in a bar in the first place.) Let us also consider that an information security analyst probably doesn’t have the luxury of time to go to a bar given the year we’ve seen in Internet security, what with ransomware, insider threats and onion-layered attacks running rampant, according to the latest security research report from IBM X-Force.

The fact of the matter is that the information security analyst might be trying to forget some of the very silly things his colleagues do despite best practice lists and common sense. Let’s dissect some of those bad choices, with the help of our little kitten friend.


K Is for Kiosk Charging

We’ve all seen those charging stations at conferences, airports and even on airplanes, enticing you to just plug in and relax while devices charge. In the old days, power and data flowed through separate cables, but modern mobile devices require that both charging and data flow through a single cord. Without seeing what’s on the other end of that charging kiosk, plugging your phone in can mean that you are allowing access to the data on your phone and possibly even the injection of malicious code, which is known as juice jacking.

To protect yourself, you have three options: carry a USB charger and plug into an electrical outlet, invest in a USB prophylactic that allows power flow but blocks data flow, or charge only through a power bank.

I Is for Installing Patches Late

Nearly 75 percent of cyberattacks use publicly known vulnerabilities in commercial software, but only about 10 percent of organizations have the capacity to apply patches on the same day they’re released. Do your best to be part of that 10 percent, for catnip’s sake!

T Is for Thoughtless Clicking

There are many wonders to behold on the Internet. Whether it’s an email with a link proclaiming “cutest kitten picture ever!” or a click-bait headline on social media, think before clicking.

Do you know the sender of the email? Is the destination site or publication a reputable one? At best, you’ve wasted time clicking through to another weird corner of the Internet, and at worst, you’re clicking through to a malware host for a drive-by download. Think before you click.

T Is for Third-Party Access to Personal Data

Do you know why that game app needs access to your contacts? Or why that navigation app wants access to your health data? Be mindful of the permissions you grant to apps on your mobile devices and what data they may be sharing on your behalf. If you’re suspicious of an application and its need for permissions, compare it to others in the same category to see if there’s a consistency for a particular permission type or if it’s an indicator of data gathering for potentially illicit purposes.
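The peer comparison described above can be made concrete. The following is an added example, not part of the original article: the app names, the peer data and the 25 percent threshold are constructed for illustration, and the permissions are short names of real Android permissions.

```python
from collections import Counter

# Constructed sample data: permissions requested by hypothetical apps,
# grouped by store category.
PEERS = {
    "game": [
        {"INTERNET", "VIBRATE"},
        {"INTERNET", "VIBRATE", "ACCESS_NETWORK_STATE"},
        {"INTERNET", "ACCESS_NETWORK_STATE"},
        {"INTERNET", "VIBRATE"},
    ],
    "navigation": [
        {"INTERNET", "ACCESS_FINE_LOCATION"},
        {"INTERNET", "ACCESS_FINE_LOCATION", "ACCESS_COARSE_LOCATION"},
        {"INTERNET", "ACCESS_FINE_LOCATION", "ACCESS_COARSE_LOCATION"},
        {"INTERNET", "ACCESS_FINE_LOCATION", "READ_CONTACTS"},
    ],
}


def unusual_permissions(requested, category, threshold=0.25):
    """Return {permission: peer_share} for each requested permission that
    fewer than `threshold` of the category's peer apps also request.

    A flagged permission is an indicator worth a closer look, not proof
    of misuse: a new feature can legitimately need something peers lack.
    """
    peer_sets = PEERS.get(category)
    if not peer_sets:
        raise ValueError(f"no peer apps to compare against for {category!r}")
    # Count how many peers request each permission.
    counts = Counter(perm for perms in peer_sets for perm in perms)
    total = len(peer_sets)
    flagged = {}
    for perm in sorted(requested):
        share = counts[perm] / total  # Counter returns 0 for unseen permissions
        if share < threshold:
            flagged[perm] = share
    return flagged


if __name__ == "__main__":
    # The article's two questions: a game asking for contacts, and a
    # navigation app asking for health (body sensor) data.
    game = {"INTERNET", "VIBRATE", "READ_CONTACTS"}
    nav = {"INTERNET", "ACCESS_FINE_LOCATION", "BODY_SENSORS", "READ_CONTACTS"}
    print("game:", unusual_permissions(game, "game"))
    print("navigation:", unusual_permissions(nav, "navigation"))
```

Raising the threshold widens the net: at 0.5 the navigation app's contacts request, shared by only one of its four peers, is flagged as well.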

E Is for Egregious Password Practices

Password hygiene continues to be problematic and was one of the key factors cited in the X-Force Threat Intelligence Quarterly as contributing to insider threats. Whether it is shared accounts, easy passwords or passwords that never expire, this lack of accountability on user provisioning and privileges is leaving major holes in corporate networks.

Even with effective termination procedures, having shared admin accounts or unexpired passwords leaves doors open to disgruntled ex-employees if they take advantage of remote administration tools like LogMeIn or TeamViewer before their departure.

N Is for ‘Not Me’ Thinking

There’s a certain haughtiness that an information security analyst and others in the industry can adopt in thinking that they are too well-versed in security practices to ever be the victim of an attack. Social engineering has evolved to such levels of sophistication that even the most seasoned practitioner can be fooled.

There is no universal security karma that prevents those of us in this industry from being infected, just that poorly defined Alanis Morissette-esque sense of irony when there’s a fly in your chardonnay.

More for an Information Security Analyst

To learn more about the top security trends in 2015, download the latest IBM X-Force Threat Intelligence Quarterly.

You can also watch our on-demand webinar, titled “Security Preparedness from the Server Room to the Boardroom: Latest Security Research from IBM X-Force” — kittens not included.
