Does waking up each morning to an earful about the latest cyber disasters leave you worried about your personal security? With all the ransomware attacks, identity theft scams, and countries hacking one another, it’s enough to make anyone wonder…
How about starting off with a cup of clarity instead?
In this blog post, we’ll cover essential security basics that’ll protect you from the online scams, phishing sites, and malware looming around the internet today, no matter what level of user you are.
Arm yourself against risk and take control over personal security now.
1. Password Reuse
Good for everyday security users
Password reuse is still the single biggest and most pervasive security habit flaw today. The problem is that reusing passwords across multiple online accounts leaves you, and anyone connected to you, vulnerable to exploitation.
To put it in plain, blunt English: DO NOT use the same password for Facebook as you do for your online banking account, because you’re making it too easy for the bad guys to use it.
Example: A bad situation for password reusers
If you’re still shrugging your shoulders and not sure if you should bother reading on… let’s take a look at an example of how bad this could really be.
You might’ve noticed the news stories back in 2013 about the Yahoo breach that culminated in over 1 billion accounts being compromised.
Think about that for a minute… 1 BILLION accounts.
Let’s assume that half of those people used the same password for their online banking services. That’s 500,000,000 possible breaches of bank accounts worldwide–minimum!
It only takes the compromise of ONE service, and then the rest that use that same password will quickly be in the same sinking boat. Not to mention, once an account is compromised, pivoting (using the first point of compromise to move on and gain access to other systems or accounts) across the rest of your identity is a snap, even for the most unskilled of attackers.
- Be aware of the perils of password reuse.
- Invest in stronger authentication: Duo or Google Authenticator are a couple of multi-factor authentication options.
- Understand how a password manager works, and use one; it’ll make your login life a lot less of a headache. We recommend Bitwarden and 1Password as good options for personal security for users of all experience levels.
2. Password Creation
Good for everyday security users
Next, enter: password creation.
Passwords these days come with a bunch of rules for creating them: they must be a certain number of characters long and contain an uppercase letter, a lowercase letter, a number, and a special character. These rules are in place for a very important security reason: common words and numbers, or ones directly related to your life, make cracking a password pretty darn easy. This is a problem that can be easily fixed:
Stop using your kids’ birthdays as passwords and pins; stop using your favorite color, season, or your pet’s name. These are all weak in the world of passwords, and are typically very easy to find on the internet or via social engineering–one of the prominent attack methods malicious actors use to acquire a user’s credentials.
Plug: Password managers are cool
Fortunately, by following the above advice and using a password manager, you won’t have to think up any passwords–except the one you use to log in to your password manager vault–because it’ll generate strong passwords for you!
As an extra precaution, for the password hints and security questions that sites use to confirm or remind you of your password, choose an unrealistic answer and save that “answer” in your password manager too. This removes the possibility that someone could learn enough about your life to figure it out.
So do any of your current passwords appear on the lists of most common passwords? If so, you might want to consider changing them.
- Be aware of the security risks that come along with easy to guess passwords as well as the security advantages of using strong, complex passwords.
- Again, give a password manager a go, if you’re not already using one.
- You can also use the Password Strength Meter to test your passwords.
Note: Despite their claims that they don’t document input data, I would suggest NOT using an actual password for your accounts in the Password Strength Meter as that presents a security risk. This tool should only be put to use as a demo.
If you like, have your password manager generate a strong password and enter that password into the Password Strength Meter to see how strong it really is.
3. Multi-Factor Authentication
Good for everyday security users
Multi-factor authentication is an invaluable measure for protecting your online accounts, for personal security as well as at every other level of security. By combining something you have with something you know, it presents malicious actors with a far harder problem than a single, easily guessed credential, and deters most credential theft.
Two-factor authentication (2FA) or multi-factor authentication (MFA) can come in a variety of forms. Examples include a physical key card that’s required in addition to a password or passphrase to gain access to an account; or, more commonly, a randomly generated code with a validity timer that’s tied to your account on an authorized device you own (the something you have), which is paired with your password (the something you know) to add an extra layer of identity verification in front of your data.
Multi-factor implies that more than two resources are involved in the authentication process. For example, two-factor authentication (2FA) would be a password + fingerprint, while multi-factor authentication (MFA) might be a password + fingerprint + PIN + randomly generated key.
Duo or Google Authenticator are two widely used authenticators that are recommended by security professionals. By following the provided links, you will find it’s quite easy to implement them!
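The time-limited code described above, worked through as an added example (not code from the original post or from Duo or Google Authenticator): HOTP per RFC 4226 and TOTP per RFC 6238 with HMAC-SHA1, six digits and 30-second steps, plus the server-side check with a one-step clock-drift window and a constant-time comparison. The function names are assumed here, and the demo secret is the RFC 6238 test key, not a real one.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha1"
	"crypto/subtle"
	"encoding/binary"
	"fmt"
	"math"
	"time"
)

const step = 30 * time.Second // standard TOTP period; the code changes every step

// HOTP (RFC 4226): HMAC-SHA1 over the 8-byte big-endian counter, dynamically
// truncated to the requested number of decimal digits.
func HOTP(secret []byte, counter uint64, digits int) string {
	mac := hmac.New(sha1.New, secret)
	var msg [8]byte
	binary.BigEndian.PutUint64(msg[:], counter)
	mac.Write(msg[:])
	sum := mac.Sum(nil)
	offset := sum[len(sum)-1] & 0x0f                                   // low nibble of last byte picks 4 bytes
	code := binary.BigEndian.Uint32(sum[offset:offset+4]) & 0x7fffffff // drop the sign bit
	return fmt.Sprintf("%0*d", digits, code%uint32(math.Pow10(digits)))
}

// TOTP (RFC 6238): the counter is the number of steps since the Unix epoch, so the
// phone and the server derive the same code from the shared secret without talking.
func TOTP(secret []byte, t time.Time, digits int) string {
	return HOTP(secret, uint64(t.Unix())/uint64(step.Seconds()), digits)
}

// Verify is the server side: it accepts the current step and one step either side
// to absorb clock drift, and compares in constant time so timing leaks nothing.
func Verify(secret []byte, submitted string, now time.Time) bool {
	ok := false
	for skew := -1; skew <= 1; skew++ {
		expected := TOTP(secret, now.Add(time.Duration(skew)*step), 6)
		if subtle.ConstantTimeCompare([]byte(expected), []byte(submitted)) == 1 {
			ok = true
		}
	}
	return ok
}

func main() {
	secret := []byte("12345678901234567890") // constructed demo secret: the RFC 6238 test key
	now := time.Unix(59, 0)                   // fixed instant so the output is reproducible
	fmt.Println(TOTP(secret, now, 6), Verify(secret, "287082", now)) // prints: 287082 true
}
```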
4. Antivirus
Good for everyday security users
This one should go without saying, even for the most careful of us in the IT and infosec world. No antivirus (AV) software is perfect, and none will catch 100% of the bad stuff coming your way online.
Not to mention, many AV solutions will flag non-malicious items, so using one may mean doing some application-specific configuration: for example, explicitly allowing known-good programs (known as whitelisting or allowlisting), or setting up allowed ports if your AV includes a firewall and/or active web monitoring.
Ultimately, any antivirus solution is better than no antivirus solution.
Common products you can find off the shelf at any electronics retailer do most of the hard work for most folks, products like Trend Micro Internet Security or Norton 360. Even the free stuff recommended by your niece or nephew who “knows all about computers”, like Avast Antivirus and AVG, is better than nothing at all.
For paid software, I like Bitdefender Internet Security, as it covers multiple PCs and is highly rated based on all its available features: antivirus, anti-malware, and web filtering. It can even help you protect your sensitive data through its proprietary wallet system, which launches your banking sites in a secured, sandboxed (meaning separated from the rest of your computer) web browser.
For free software I actually really like the latest versions of Microsoft Defender built into Windows 10 and Windows 11. It’s constantly up to date with the latest signatures, has become more robust in its coverage and capabilities, and is generally out of the way of your day-to-day computer use.
If putting down a chunk of money for paid software for all your devices isn’t in the cards, take solace in the fact that you can get by with the built-in AV of the Windows ecosystem.
5. Secure Browsing
Good for both everyday security users and advanced users
Secure browsing is subjective: to some it means never, ever visiting a website that could possibly harm your computer, and to others it means disabling the bits of code that can expose your computer to malware.
The solution here is to use a browser that is NOT Internet Explorer or Microsoft Edge*. If you can, switch to Google Chrome or Mozilla Firefox at a minimum.
Why do you want to use Chrome or Firefox? Because they offer extensions or add-ons from a vetted store of sorts that can help protect you online–and Internet Explorer cannot.
These extensions are built by third-party developers and hosted on a Google or Mozilla server for download as additional functionality for your browser; think of it as an app store for your web browser. The majority of security alerts that our SOC sees on a daily basis are caused by visiting sites in a highly vulnerable browser that just runs whatever code it sees on the page and hopes for the best.
Back to the extensions, there are a few that can help you out but might take a little bit of configuration.
By default, these extensions might make some websites unusable, or at the very least odd-looking. For Google Chrome, the extensions to look at are ScriptSafe, Ghostery, and uBlock Origin. For Mozilla Firefox, the add-ons you would want to install include NoScript, Ghostery, and uBlock Origin.
*Microsoft Edge is a Chromium (Chrome) based browser and does have an extension/add-on library. However, because it’s the de facto web browser in Windows now, you should treat it similarly to Internet Explorer overall.
- Keep in mind that your results may vary based on your browsing habits and how you choose to set these add-ons up.
- For a minimalist approach, I recommend starting with uBlock Origin, in either Chrome or Firefox, to get a taste of how it works, and then moving on to bigger and better things with the other options added in.
- Good to know: These browser extensions stop the auto-executing code snippets on a website from running if they match a predefined list of known threat signatures. Additionally, Google Chrome uses Google’s own threat lists to block known harmful sites by default. You should consider Chrome the primary alternative browser to use.
6. PGP
Good for advanced users
What is PGP? Glad you asked.
PGP, or Pretty Good Privacy, is an encryption method that provides privacy and authentication through the signing, encrypting, and decrypting of texts, emails, files, directories, and disk partitions. Under the hood it combines hashing, compression, and symmetric-key cryptography with public-key cryptography to protect data sent to external parties.
In essence, PGP works by creating a public and private key pair that ties to your username, an email address, or another account of some kind. That pair is used to encrypt data and authenticate the sending entity.
Encryption of the plaintext data (e.g., an email message) is handled with a one-time (secret) session key. The session key is then encrypted using the recipient’s public key, so that what travels over the wire is only the ciphertext and the encrypted session key.
Decryption is then handled on the other end: the recipient’s private key decrypts the session key, and that session key decrypts the ciphertext in the message so that the original plaintext can be read.
Looking for more information on PGP? The Electronic Frontier Foundation (EFF) has a great writeup on PGP, what it does, and how it works on various operating systems.
GnuPG for Windows, Mac, and Linux.
7. Disk Encryption
Good for advanced users
For Windows:
Windows 8.1 and Windows 10 offer device encryption, but only if you’re signed in to a Microsoft account and on supported hardware configurations. Furthermore, if you would like to enable BitLocker for a more robust encryption methodology, you must be using a Professional or Enterprise edition of the operating system.
However, there are other options for disk encryption in Windows. These come in the form of third party tools such as DiskCryptor or VeraCrypt, which have their own licensing terms, uses, and limitations.
For OS X:
The primary way to do full disk encryption on your Macintosh is to use the FileVault encryption method built into OS X.
For Linux:
Most mainstream Linux distributions, such as Ubuntu, offer whole-disk encryption. It can be set up during the installation phase along with home folder encryption.
What does whole-disk and/or device encryption do for you?
In terms of device theft or loss, without the hardware/device passphrase (which should be strong, just like your password) the device would have to be wiped to be usable by anyone else.
Please note that some advanced forensics tools can still pull data from an encrypted device in some cases. However, this is incredibly time consuming and is likely to be done only by state-sponsored attackers or law enforcement agencies. The goal here is not to protect the device; it’s to protect the information it holds.
No one is exempt from the threats that exist online today. By understanding the basics of cybersecurity, you’re less likely to fall prey to scams or cyber attacks. Keep these tips in mind–and share them with anyone who could use a little extra protection for their personal information too.
Want to learn more about security best practices in the workplace? Stay tuned for our next blog post about employee security!