As you can see, this is a VERY STRONG password that could be used for virtually any service you might be using. It’s generated by LastPass and can be added into the LastPass site vault to remember it for you so that you aren’t burdened with remembering this random string of characters.
It should be clear at this point that using your (likely) existing password combinations of things like “mary1988” and “fuzzybear123” is not a secure method to password protect your accounts and personal information.
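To make the difference concrete, here is an added example (not code from the post or from LastPass) of what a password generator does under the hood: it draws every character uniformly from a large pool using the operating system's cryptographic random number generator, and the strength of the result is simply the size of the search space, measured in bits. The symbol set, the 20-character length and the guess rate of 10 billion per second are my own assumptions for illustration.

```go
package main

import (
	"crypto/rand"
	"errors"
	"fmt"
	"math"
	"math/big"
	"strings"
)

// alphabet is the pool a generator draws from when letters, digits and
// symbols are all enabled. This particular symbol set is an assumption.
const alphabet = "ABCDEFGHIJKLMNOPQRSTUVWXYZ" +
	"abcdefghijklmnopqrstuvwxyz" +
	"0123456789" +
	"!@#$%^&*()-_=+[]{};:,.<>?"

// generatePassword picks each character uniformly from alphabet using the
// OS CSPRNG. rand.Int performs rejection sampling, so there is no modulo
// bias, which a naive randomByte % len(alphabet) would introduce.
func generatePassword(length int) (string, error) {
	if length < 1 {
		return "", errors.New("length must be positive")
	}
	var sb strings.Builder
	bound := big.NewInt(int64(len(alphabet)))
	for i := 0; i < length; i++ {
		n, err := rand.Int(rand.Reader, bound)
		if err != nil {
			return "", err
		}
		sb.WriteByte(alphabet[n.Int64()])
	}
	return sb.String(), nil
}

// entropyBits is the size of the search space, in bits, for a password of
// the given length drawn uniformly from an alphabet of the given size.
func entropyBits(length, alphabetSize int) float64 {
	return float64(length) * math.Log2(float64(alphabetSize))
}

// yearsToExhaust estimates how long an attacker guessing at guessesPerSecond
// needs to try every password in a space of the given entropy. The rate is
// an illustrative assumption; real cracking speed depends on the hash used.
func yearsToExhaust(bits, guessesPerSecond float64) float64 {
	return math.Pow(2, bits) / guessesPerSecond / (365.25 * 24 * 3600)
}

func main() {
	pw, err := generatePassword(20)
	if err != nil {
		panic(err)
	}
	strong := entropyBits(20, len(alphabet))
	weak := entropyBits(8, 36) // 8 chars of lowercase+digits, even if truly random
	fmt.Println("generated:", pw)
	fmt.Printf("20 chars from %d symbols: %.1f bits, %.2e years at 1e10 guesses/s\n",
		len(alphabet), strong, yearsToExhaust(strong, 1e10))
	fmt.Printf("8 chars of [a-z0-9]:      %.1f bits, %.2e years at 1e10 guesses/s\n",
		weak, yearsToExhaust(weak, 1e10))
}
```

The 41-bit figure for an eight-character lowercase-and-digits password is an upper bound: something like "mary1988" is a name plus a year, which a guessing tool tries long before it gets to random strings, so its real strength is far lower still.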
Suggested Product / Service: LastPass
Level: Common Sense
Multifactor authentication is incredibly useful in securing your accounts across the Internet. By combining something you have with something you know, and because producing a valid second factor is far harder than stealing a password, multifactor authentication can deter most credential theft activity.
Multifactor authentication or two-factor authentication (2FA) can come in a variety of forms. A few examples include: a physical key card that’s required in addition to a password or phrase to gain access to an account; or, more commonly, a randomly generated code with a validity timer that’s tied to your account on an authorized device you own (the something you have), which is paired with your password (the something you know) to add an extra layer of identity authentication to your data.
It should be noted that all 2FA is Multifactor Authentication but not all Multifactor Authentication is 2FA. Multifactor implies that more than two resources are involved in the authentication process. For example, 2FA would be a password + fingerprint; Multifactor might be password + fingerprint + PIN + randomly generated key.
It’s quite easy to implement in general, but the process does vary by service. Google Authenticator and Duo Authentication are supported across a wide array of platforms, such as Dropbox, Gmail, Facebook, Instagram, etc. To take it one step further and secure your password vault through LastPass, you can even set up 2FA there!
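The “randomly generated code with a validity timer” is, in Google Authenticator and most other authenticator apps, a TOTP code as specified in RFC 6238: an HMAC over the current 30-second time step, truncated to six digits. The following is an added example (not code from the post, from Google, or from Duo) that computes such a code and shows the server-side check; the secret is the published RFC 6238 test key, and the one-step clock-skew window is my own choice.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha1"
	"encoding/base32"
	"encoding/binary"
	"fmt"
	"strings"
	"time"
)

// totpCode computes an RFC 6238 time-based one-time password: HMAC-SHA1 over
// the 30-second step counter, dynamically truncated to 6 digits. This is the
// algorithm behind the codes an authenticator app displays.
func totpCode(secret []byte, unixTime int64) string {
	counter := uint64(unixTime / 30)
	var msg [8]byte
	binary.BigEndian.PutUint64(msg[:], counter)

	mac := hmac.New(sha1.New, secret)
	mac.Write(msg[:])
	sum := mac.Sum(nil)

	// Dynamic truncation (RFC 4226 section 5.3): the low nibble of the last
	// byte selects a 4-byte window; the top bit is cleared to avoid sign issues.
	offset := sum[len(sum)-1] & 0x0f
	code := binary.BigEndian.Uint32(sum[offset:offset+4]) & 0x7fffffff
	return fmt.Sprintf("%06d", code%1000000)
}

// verifyTOTP is the server side: it accepts the code for the current step or
// the step on either side (clock skew), comparing in constant time.
func verifyTOTP(secret []byte, unixTime int64, submitted string) bool {
	for _, skew := range []int64{-30, 0, 30} {
		expected := totpCode(secret, unixTime+skew)
		if hmac.Equal([]byte(expected), []byte(submitted)) {
			return true
		}
	}
	return false
}

// decodeSecret turns the base32 string carried in an enrollment QR code into
// raw key bytes; apps accept it with or without padding and in either case.
func decodeSecret(s string) ([]byte, error) {
	s = strings.ToUpper(strings.ReplaceAll(s, " ", ""))
	s = strings.TrimRight(s, "=")
	return base32.StdEncoding.WithPadding(base32.NoPadding).DecodeString(s)
}

func main() {
	// RFC 6238's published test secret (ASCII "12345678901234567890").
	secret, err := decodeSecret("GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ")
	if err != nil {
		panic(err)
	}
	fmt.Println("code at t=59:", totpCode(secret, 59)) // last six digits of RFC vector 94287082
	fmt.Println("code now:    ", totpCode(secret, time.Now().Unix()))
	fmt.Println("accepted:    ", verifyTOTP(secret, time.Now().Unix(), totpCode(secret, time.Now().Unix())))
}
```

Two details matter for the “something you have” guarantee: the shared secret never leaves the device and the server except at enrollment, and the comparison uses hmac.Equal so that a wrong guess takes the same time as a right one.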
Suggested Product / Service: Google Authenticator or Duo
Secure browsing means different things to different people. For some people, it means never ever visiting a website that could possibly harm your computer (that’s not a great use of the Internet… You’re missing out!). To others, it means simply disabling the bits of code that can be leveraged to force your computer to download malware.
The solution here is to use a browser that is NOT Internet Explorer. If you can, switch to Google Chrome or Mozilla Firefox at a minimum. Why do you want to use Chrome or Firefox? Because they offer extensions or add-ons from a vetted “store” of sorts that can help protect you online, and Internet Explorer cannot. These extensions are built by third-party developers and are hosted on a Google or Mozilla server for download as additional functionality for your browser; think app store for your web browser. The majority of security alerts that our SOC sees on a daily basis are caused by visiting sites in a highly vulnerable browser that just runs whatever code it sees on the page and hopes for the best.

Back to the extensions: there are a few that can help you out but might take a little bit of configuration. By default these extensions might make some websites unusable, or at the very least “odd looking”. For Google Chrome, the extensions are ScriptSafe, Ghostery, and uBlock Origin. For Mozilla Firefox, the add-ons you would want to look at installing are NoScript, Ghostery, and uBlock Origin. One thing to keep in mind is that your results may vary based on your browsing habits and how you choose to set these add-ons up. That said, for a minimalist approach, I recommend starting with uBlock Origin in either Chrome or Firefox to get a taste of how it works, and then move on to bigger and better things with the other options added in.
Additionally, Google Chrome is configured to use Google’s own threat lists to block known harmful sites by default and should be considered the primary alternative browser to use.
Suggested Product / Service: Alternative web browsers, such as Google Chrome or Mozilla Firefox with the uBlock Origin, Ghostery, and NoScript extensions set up.
Level: Common Sense
This one should go without saying, even for the most “careful” of us in the IT / Infosec world. No antivirus software is perfect or going to catch 100% of the bad stuff coming your way on the Internet. Many antivirus solutions even flag totally non-malicious things as viruses. This means that when using an AV solution, there is potential for some application-specific configuration to be done, such as explicitly allowing known-good programs (whitelisting) or setting up allowed ports (if your AV includes a firewall and/or active web monitoring).
Common products you can find off the shelf at any electronics retailer do most of the hard work for most folks; products like Trend Micro Internet Security or Norton 360. As a personal recommendation, I like Bitdefender Internet Security as it covers multiple PCs and does antivirus, antimalware, and web filtering. It can even help you protect your sensitive data through the use of its proprietary wallet system that launches your banking sites in a secured, sandboxed (separated from the rest of your computer) web browser.
Any antivirus solution is better than no antivirus solution. Even the free stuff you find from your niece or nephew who “knows all about computers”, like Avast Antivirus and AVG, is better than nothing at all. By default Windows 8.1 and Windows 10 have the “Windows Defender” antivirus installed and running in the background, and while it is mostly considered sub-par among industry professionals, it’s still better than having nothing protecting you from auto-executing code.
Suggested Product / Service: Anything is better than nothing, but Bitdefender is highly rated based on its available features.
Level: Arcane Magicks
PGP, or “Pretty Good Privacy”, is an encryption method that provides privacy and authentication through the signing, encrypting, and decrypting of texts, emails, files, directories, and disk partitions. It uses a combination of hashing, compression, and symmetric-key cryptography in conjunction with public-key cryptography to encrypt data that is sent to external parties.
Example of use:
Encryption of plaintext data (i.e., email) is handled with a one-time session key (which is secret), and the session key is then encrypted using the recipient’s public key. This is so the email that’s sent over the wire is only seen as the ciphertext and the encrypted session key.
Decryption of the message is handled by the recipient’s private key to decrypt the session key and then that session key is used to decrypt the ciphertext in the message so that the original plaintext can be seen.
In essence, PGP works by creating a public and private key pair tied to an identity (your username, an email address, or an account of some kind), and that pair is used to encrypt data and authenticate the sending entity.
The Electronic Frontier Foundation (EFF) has a great writeup on PGP, what it does, and how it works on various operating systems.
Suggested Product / Service: For Windows, Mac, and Linux: GnuPG
Level: Arcane Magicks
Windows 8.1 and Windows 10 offer Device Encryption, but only if you’re signed into a Microsoft Account and on supported hardware configurations. Furthermore, if you would like to enable BitLocker for a more robust encryption methodology, you must be using a Professional or Enterprise edition of the Operating System.
However, there are other options for disk encryption in Windows in the form of third party tools such as DiskCryptor or VeraCrypt, which have their own licensing terms, uses, and limitations.
The primary way to do full disk encryption on your Macintosh is to use the FileVault encryption method built into OS X.
Most “mainstream” Linux distributions, such as Ubuntu, offer whole-disk encryption to be set up during the installation phase, along with home folder encryption.

What does whole-disk and/or device encryption do for you? Well, in terms of device theft or loss, without the hardware/device passphrase (which should be strong, just like your password) the device would have to be wiped to be usable by anyone else. Please note that some advanced forensics tools can still pull data from an encrypted device in some cases, but it’s incredibly time consuming and is likely only to happen via state-sponsored attackers or law enforcement agencies. The goal here is not to protect the device, it’s to protect the information it holds.
To be continued…
This concludes Part 1 of this blog series. Part 2 will consist of security basics at an employee level and protecting data assets therein.