I’m sure you’ve seen them: the increasingly large number of news reports that highlight people, organizations, and corporations being compromised by some form of hack. These attacks have ranged from email lists or passwords being stolen, to bank and credit card information being sold on the “dark web”, or even worse, large blackouts that disrupt power grids for thousands of people.
Well, I have some good news and bad news. The bad news is that things are probably not going to get any better. In all likelihood, they will get worse. Internet-connected devices are causing accidents, every day thousands of “smart” devices are added to users’ homes and cars, and more organizations (doctors, lawyers, government) are moving their data (your information) out to the cloud. All of these things rely on the internet to work properly, and this leaves them vulnerable to attack.
After reading that you may be saying to yourself, “There’s good news?”
Yes! There is good news! The good news is that there is really no reason to panic or worry, so long as you are taking a few basic steps to stay safe on the internet. I will try to outline the most beneficial steps you can take, which will go a long way toward keeping you safe.
Probably the most basic, yet the most important step you can take is to make sure your systems and software are up to date. Whichever OS you are using, your apps, programs, and antivirus all need to have the latest updates/patches to ensure that any known security vulnerabilities have been patched. You do not necessarily need to have the latest OS (Windows 10 if you are a Windows user) so long as your version is still supported by the developer and receiving security updates. For example, Microsoft no longer updates Windows XP or older so any of those versions would be unsafe but Windows 7, 8 or 10 are all still receiving updates and patches.
If you take away only one of these steps, please make it this one! The majority of cyber-attacks exploit some security flaw in outdated software. By updating and patching, you are providing the most basic layer of protection. I highly recommend using automatic or scheduled updates so that you don’t forget to do it.
I know, this is a topic you have probably heard about over and over again (I’ve even written about it once or twice). Passwords are a major line of defense protecting your information, so I have no problem talking about it a few times over.
Most of us have MANY accounts that rely on usernames and passwords to log in, and the chances of you remembering or actually having a strong and unique password for each account are very slim. Even if you did, it would be a chore to remember them all, especially if you are accessing an account that you don’t visit too often. Some people like to write their passwords down and others prefer to keep them in a document on their phone or computer. I do NOT recommend writing them down, but as long as the document on your device is secure then that’s not a terrible idea, depending on your personal threat model (more on threat models below).
The best option, in my opinion, is a password manager. Password managers, such as LastPass, are essentially virtual vaults that store your login credentials and allow you to access them from anywhere with one login. It is highly recommended that your password for this service be very strong, see this post, but it’s easier to have a very secure password when you only need to remember one.
What is a threat model? In the simplest terms possible, a threat model outlines what you are trying to protect (data) and who you are trying to protect it from (malicious hackers, vengeful ex, etc.). No two people will have an identical threat model, and your personal security posture will be determined by how much risk you are willing to take and how secure you want your data to be (or how paranoid you are).
If you don’t have much more than a social media account and email to worry about, simply make sure you have good passwords and DO NOT share them. If you have an account that you share, make sure that the password for that account is unique and very different from your other passwords. If you are worried about an attacker compiling all of your personal information in order to commit fraud or blackmail, then you need to take a few extra precautions. A good place to start is to increase your awareness when posting to social media and maybe take out some of the information from your profile (address, phone, birthday). Also, opting for two-factor authentication (when available) greatly increases security.
It’s also important to make sure that you aren’t using too many gadgets or programs to beef up security. If you have too many unnecessary programs that provide “security” it is easy to fall into a false sense of security and you can let your guard down. It’s very important to take the few steps that provide the best protection and to always be cognizant of what you are doing while online.
Two-Factor Authentication (2FA)
Two-factor authentication, or 2FA, is growing in popularity but it is still not available everywhere. A strong password is only one factor of authentication, and this is what is referred to as ‘something you know’. The other two factors are ‘something you have’ and ‘something you are’: in other words, a smart card or token, and your fingerprint or facial recognition.
To have true 2FA, you must have two of the different factors. So the second step of answering the question about your mother’s maiden name is still only single-factor authentication, because that answer and your password are both ‘something you know’. An example of 2FA would require a password and your fingerprint, or a password and a token code.
My favorite second factor, that I’ve seen a few times, is an app-based token. This is simply an app on your phone that syncs with a server when it has service, and it will cycle through different number or character strings every 30 seconds or so. So when you are logging in, you would enter your username and password and then open the app and enter the current token code shown. This is an easy way to implement 2FA for many organizations and it’s quite secure, since it doesn’t rely on constant cell reception or on codes being sent through unsecured text messages. Text or SMS-based 2FA is still very acceptable if you aren’t under a direct threat. In order to intercept these texts, an attacker has to be actively monitoring your device, so again, this is all determined by your personal threat model.
Use a good, trusted antivirus. I know, I know, there are reports out there that say that antivirus software may present security holes and that it doesn’t catch the latest threats. While there is some truth to this, it really isn’t a problem unless you are under direct attack from some sophisticated hackers. Security holes are patched with regular updates (see first point above) and the vast majority of the distributed viruses are old enough that a good antivirus program will have the definitions necessary to catch them (update, update, update).
Disable Macros today! If you don’t already have macros disabled, or if you have enabled them at any point, disable them and enable them only temporarily, for VERY trusted sources. Macros are essentially programs written in Microsoft Office products that can do a VERY wide range of tasks. Many of the latest viruses, especially ransomware, use macro-enabled documents sent through email to infect users. This also leads to...
Think before opening an email attachment! If you don’t know or trust the user who is sending you the attachment, it’s best not to open it. If you must, either scan it with your antivirus first or (if you have one) save it to your Google Drive and open it there so it is not being opened locally on your computer. Malicious attachments are still one of the most frequently used attack vectors.
Avoid using Adobe Flash at all costs. Flash is notoriously one of the most frequently exploited bits of software that allow attackers into a system. It has always been full of holes and its reputation is so bad that most websites have either kicked it to the curb or are planning to soon. If you aren’t ready to remove it from your system, then I recommend going through your browser’s settings and making it require permission to run.
Back up your important files regularly! With all of the circulating threats of ransomware this has only become more important. It’s best to dedicate an external drive to your backups and to make sure that it is disconnected when not actively backing up files. Many of the latest ransomware strains will also encrypt any connected drives, as well as those connected (mapped or not) over the network.
Avoid overexposure online! Too many cases of identity or credit card theft happen today because someone’s information was simply too easy to retrieve from social media. Be aware of what is on your profile and what you post. The easier it is to access your personal information, the easier it is for you to be attacked.
It’s also a good idea to increase some of the privacy and security settings on your social media accounts. Just remember, no matter how secure you make your profile, users who aren’t your “friends” can still find ways to see what’s posted if they are targeting you specifically.
Lastly, use plugins or VPNs when using public hotspots. Plugins such as ad blockers or HTTPS Everywhere can help provide a little extra security when using public WiFi. Ad blockers can keep you from automatically visiting malicious sites, and HTTPS Everywhere ensures that you are using an encrypted connection to websites whenever possible. This is a good one, since attackers can easily redirect you to an unencrypted HTTP connection, which transmits your login information in the clear. With HTTPS that information is encrypted.
VPNs (virtual private networks) are a service that enables you to browse more securely. They work by providing a secure connection from your device to the VPN server, and then all of your traffic is routed through that server. This way, the only traffic of yours on the public WiFi is encrypted traffic to the VPN; everything else you do is tunneled through your VPN.
Be Safe and Have Fun!
Take a moment to assess your situation and determine what your personal threat model may be. Once you have determined what your threat model is, you can start applying these tips to the extent that you feel necessary in order to help you sleep at night.
Always check your situational awareness while online and keep these tips and practices in your defense toolbox. You never know who may be looking, and if you aren’t prepared, one attack could make for a bad day. The need for cyber-security and a secure mindset isn’t going anywhere anytime soon!