So many watering holes . . .

The latest edition of Executive Vice President, Michael Hartke’s article series!

Don’t click on pop-ups! The year was 2001 and I remember giving that advice as part of awareness training in my past life on an IT team of a regional printing company.

I proudly spearheaded the training and after going over all the basics of phishing and SPAM, we came to the part in the agenda where we talk about pop-ups. The directive was easy. Don’t engage with pop-ups, close them. At that time one of the biggest threats we faced, and what I learned later as I started my security career with infotex, was watering holes. They were browser-based attacks that require the user to “click something” and that “gives permission” to download and/or install malicious software on your device.

This attack is still semi-common, but browser improvements, Anti-Virus/Endpoint Detection and Response improvements, and training have made them a lot less successful than other attack vectors.

In recent months, pop-up fatigue has set in for me. I’ve started to click “Accept” almost immediately on the GDPR pop-ups to get it out of the way. So now I must retrain myself out of that habit.

Even though GDPR is intended to help deal with personal data online, the pop-ups seem to be just giving these shady cookie practices an easy way to trick users into accepting them. Or arguably even worse, in the US the pop-ups may not even give an explanation as to how the website uses cookies or my data.

There are often options besides “Accept All,” but of course that takes time… and of course some websites and even browsers are already collecting the same type of personal data (Google Chrome, I’m looking at you!).

At this point I’m hoping that browsers and Operating Systems have learned how to handle a lot of these threats and at least tell us the website wants to do something “fishy,” but today is a new day and there is always a new exploit out there for us to learn about.

Ultimately, I’m not sure what advice to give now when it comes to Pop-Ups… Don’t click them! … unless you have to?

What can we do?

• Safer browsing (using browsers that protect our data).
• Adjust your cookie settings to be more restrictive and clear cookies/cache on close.
• Don’t just “Accept/Accept All” to GDPR pop-ups but reject as much as possible.
• Use browser plug-ins to automatically stop data collection by advertisers and third parties. One useful tool is Privacy Badger from the non-profit group Electronic Frontier Foundation.
• MDM/EDR: Endpoint control can help a lot here by controlling applications and OS’s at the endpoint level.

Bonus privacy tips:

• Adjust your device settings for maximum privacy (though you will lose some “cool” functionality)
• Restrict social media data collection (or leave it altogether)
• Every app/game/website is tracking you, especially if it is FREE. Some have settings to reduce to what extent (and it should be reviewed but if it’s FREE, it’s probably how they support the app/game/website)

Original article by Michael Hartke. Executive Vice President, infotex

Interested in EDR/MDR services? Visit offerings.infotex.com to request more information!