So a kitten and an information security analyst walk into a bar…

It’s a great setup for a joke, right? (Unless you consider that kittens are way too young to drink and shouldn’t even be in a bar in the first place.) Let us also consider that an information security analyst probably doesn’t have the luxury of time to go to a bar given the year we’ve seen in Internet security, what with ransomware, insider threats and onion-layered attacks running rampant, according to the latest security research report from IBM X-Force.

The fact of the matter is that the information security analyst might be trying to forget some of the very silly things his colleagues do despite best practice lists and common sense. Let’s dissect some of those bad choices, with the help of our little kitten friend.

Download the 4Q 2015 IBM X-Force Threat Intelligence Quarterly

K Is for Kiosk Charging

We’ve all seen those charging stations at conferences, airports and even on airplanes, enticing you to just plug in and relax while devices charge. In the old days, power and data flowed through separate cables, but modern mobile devices require that both charging and data flow through a single cord. Without seeing what’s on the other end of that charging kiosk, plugging your phone in can mean that you are allowing access to the data on your phone and possibly even the injection of malicious code, which is known as juice jacking.

To protect yourself, carry your own USB charger and plug it into an electrical outlet, invest in a USB data blocker (a "USB prophylactic") that passes power but blocks the data lines, or charge only from a power bank you control.

I Is for Installing Patches Late

Nearly 75 percent of cyberattacks use publicly known vulnerabilities in commercial software, but only about 10 percent of organizations have the capacity to apply patches on the same day they’re released. Do your best to be part of that 10 percent, for catnip’s sake!

T Is for Thoughtless Clicking

There are many wonders to behold on the Internet. Whether it’s an email with a link proclaiming “cutest kitten picture ever!” or a click-bait headline on social media, think before clicking.

Do you know the sender of the email? Is the destination site or publication a reputable one? At best, you’ve wasted time clicking through to another weird corner of the Internet, and at worst, you’re clicking through to a malware host for a drive-by download. Think before you click.

T Is for Third-Party Access to Personal Data

Do you know why that game app needs access to your contacts? Or why that navigation app wants access to your health data? Be mindful of the permissions you grant to apps on your mobile devices and what data they may be sharing on your behalf. If you’re suspicious of an application and its need for permissions, compare it to others in the same category: if every app of that type requests the same permission, it is probably needed for the app to function; if this one is the outlier, that may be an indicator of data gathering for potentially illicit purposes.

E Is for Egregious Password Practices

Password hygiene continues to be problematic and was one of the key factors cited in the X-Force Threat Intelligence Quarterly as contributing to insider threats. Whether it is shared accounts, easy passwords or passwords that never expire, this lack of accountability on user provisioning and privileges is leaving major holes in corporate networks.

Even with effective termination procedures, having shared admin accounts or unexpired passwords leaves doors open to disgruntled ex-employees if they take advantage of remote administration tools like LogMeIn or TeamViewer before their departure.

N Is for ‘Not Me’ Thinking

There’s a certain haughtiness that an information security analyst and others in the industry can adopt in thinking that they are too well-versed in security practices to ever be the victim of an attack. Social engineering has evolved to such levels of sophistication that even the most seasoned practitioner can be fooled.

There is no universal security karma that prevents those of us in this industry from being infected, just that poorly defined Alanis Morissette-esque sense of irony when there’s a fly in your chardonnay.

More for an Information Security Analyst

To learn more about the top security trends in 2015, download the latest IBM X-Force Threat Intelligence Quarterly.

You can also watch our on-demand webinar, titled “Security Preparedness from the Server Room to the Boardroom: Latest Security Research from IBM X-Force” — kittens not included.
