In Part One of this series we learned how common security tools that all of us have been using for years are no longer effective. A further reality that may challenge even professionals is “technical illiteracy”: we use sophisticated computer devices and software every day but don’t understand computer security and privacy fundamentals, and we lack the awareness and skills needed to stay safe on the Internet today. [This glossary of cyber security terms may help.]
Three principles of cyber security
Complexity is the enemy of security.
Security is hard. Absolute security is impossible.
Security is inconvenient.
Below are the top 10 things you can do at home and at work to eliminate the great majority (roughly 85%) of the threats you face. They were compiled under two criteria:
- Keep it easy to understand (even for a moderately literate technologist).
- Focus on the “few” that afford the “most” protection.
If followed, these behaviors will protect you from roughly 85% of cyber threats. Absolute security can’t be guaranteed (Security Principle #2). But just as washing your hands does not guarantee you’ll avoid someone else’s cold, good hygiene certainly decreases the odds that you will get sick. And besides, there is a certain joy and professional satisfaction in knowing “you’ve been responsible and diligent protecting what’s valuable in your life”.
But just as general illiteracy puts one at a great disadvantage, so does technical illiteracy. If you don’t understand the following recommendations, or they seem too obscure or scary, you are probably technically illiterate and are inviting harm and difficulty to yourself, your family and your business. Spend some time and get comfortable with these recommendations and the technical skills behind them. [Refer to this glossary of cyber security terms as needed.]
ONE: Apply Operating System updates
Perhaps the single most important thing you can do is apply operating system updates as soon as they are released, on all of your devices: Windows, Mac, Android and iOS. As discussed above, operating systems and applications are complex, and “complexity is the enemy of security.” New vulnerabilities in these systems are discovered every day. As developers identify flaws they fix them and push updates out to users. Attackers study published fixes to work out what was vulnerable, so the window between a patch’s release and its exploitation is short: apply updates as quickly as possible, and turn on automatic updates wherever the device offers them. And just as importantly: as updates for apps and browsers are released, apply them too.
TWO: Block / Disable flash, scripting, and ads
Flash is one of the most dangerous technologies on the Internet. Avoid it. Ad and content blockers such as Adblock Plus and uBlock Origin can block Flash objects on the pages you visit, and you should go further and uninstall the Flash Player plugin from your computer. Most websites don’t require Flash any longer; if you use one that does, stop using it. Flash is simply too dangerous. (Adobe ended support for Flash Player at the end of 2020 and current browsers no longer run it at all, so today the only step left is to remove any copy still installed.)
Most websites now track your Internet behavior. Aside from the privacy implications, these “tracking” scripts and cookies take time to run and eat bandwidth. Disabling this tracking and the ads on sites speeds up your browsing and saves you money on data charges. Sites like petsmart.com and myspace.com (by no means unusual) have had upwards of 50 trackers on them. Each tracker consumes bandwidth and time and records your activity while online. Using uBlock Origin while browsing is equivalent to drinking out of a clean glass: why would you choose a dirty glass if you could get your water just as easily from a clean one? Likewise, why browse knowing there are 10 or 50 trackers in the background wasting your time, money and privacy?
As for scripting: the best advice is to disable all scripting in your browsers. This, however, invokes Security Principle #3: security is inconvenient. Most websites run scripts in the background that do many useful things. Unfortunately, invisibly running scripts do many very bad things too and are a very common attack vector. The practical compromise is to disable scripting by default and “whitelist” the 20-50 sites you regularly visit. uBlock Origin, and dedicated script blockers such as NoScript, let you create such a whitelist of websites you trust and then allow their scripts to run. They also let you temporarily enable scripts on any website with a single click, so a site that breaks because scripting is disabled can be made to work again when you need it.
The rule of thumb is: if you can remember your password, it’s weak and easily cracked, no matter how long it is, because human-chosen passwords follow patterns that cracking tools are built to exploit. Password managers like LastPass generate random passwords and remember your credentials for every website you visit. When you are prompted for a site’s username and password, LastPass will enter those credentials for you. Your credentials are stored in an encrypted vault whose key is derived from the one secret only you hold, the “master password”. That makes the master password the one password you must still remember, and it must be long, unique and never reused anywhere else: if an encrypted vault is ever stolen, as happened when LastPass’s encrypted vault backups were taken in a 2022 breach, the strength of the master password is all that protects its contents. The vault is cached on your devices, so your credentials are accessible with or without an Internet connection. Password managers are an indispensable requirement for cyber security today.
Stop what you’re doing now! Stop using weak passwords and configure LastPass today. It is that important!
However, you also must use passwords correctly for the password manager to be effective. Use 14-character (or longer) random passwords generated for you by LastPass. Never re-use any password. Change a password immediately if a site announces a breach or you suspect it has been exposed; beyond that, rotating your most important passwords every few months does no harm, though current NIST guidance (SP 800-63B) no longer recommends forced periodic changes for long, random, unique passwords.
In 2013 a team of hackers demonstrated that they could crack up to 90% of cryptographically hashed passwords (many 16 characters) in under 1 hour using a commercially available computer that could guess (“brute-force”) 350 billion passwords per second. With this power, they were able to crack most 8-char passwords in under 6 minutes. Many much longer non-random passwords were similarly cracked in short order. NSA-strength computers were not needed! Those same cracking devices would take over 380 million years to try every possible 14-character “random” password of the kind LastPass creates for you (94 printable characters at each of 14 positions). What denies the cracker its shortcuts is that a random password matches no dictionary word, keyboard pattern or substitution rule, so the only attack left is trying everything.
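The arithmetic behind those figures, as an added example (not part of the original article): it assumes the 350 billion guesses per second quoted above and a password drawn uniformly from the 94 printable ASCII characters, and it reports the worst case of trying every candidate, which is how the 380-million-year figure is reached. It also shows why the character set matters: 14 random lowercase letters fall in years, not eons. Real attacks on human-chosen passwords use wordlists and mangling rules and finish far sooner than these exhaustive bounds, which is exactly why the passwords must be random.

```python
import math

# Assumptions for this illustration (not from the article): the cracking rig
# tries 350 billion guesses per second, as the cited 2013 demonstration did,
# and a "random" password is drawn uniformly from the 94 printable ASCII
# characters ('!' through '~', excluding space).
GUESSES_PER_SECOND = 350e9
PRINTABLE_ASCII = 94
LOWERCASE = 26
SECONDS_PER_YEAR = 365.25 * 24 * 3600


def keyspace(length: int, alphabet_size: int) -> int:
    """Number of distinct passwords of this length over this alphabet."""
    return alphabet_size ** length


def entropy_bits(length: int, alphabet_size: int) -> float:
    """Bits of entropy of a uniformly random password (log2 of the keyspace)."""
    return length * math.log2(alphabet_size)


def seconds_to_exhaust(length: int, alphabet_size: int,
                       rate: float = GUESSES_PER_SECOND) -> float:
    """Worst case: time to try every candidate. Expected time is half of this."""
    return keyspace(length, alphabet_size) / rate


def human_duration(seconds: float) -> str:
    """Render a duration in the largest convenient unit."""
    if seconds < 60:
        return f"{seconds:.1f} seconds"
    if seconds < 3600:
        return f"{seconds / 60:.1f} minutes"
    if seconds < 86400:
        return f"{seconds / 3600:.1f} hours"
    years = seconds / SECONDS_PER_YEAR
    if years < 1:
        return f"{seconds / 86400:.1f} days"
    if years < 1e6:
        return f"{years:,.0f} years"
    return f"{years / 1e6:,.0f} million years"


def crack_time_table(cases):
    """Return (label, entropy bits, worst-case exhaustive-search time) per case."""
    return [(label,
             round(entropy_bits(n, a), 1),
             human_duration(seconds_to_exhaust(n, a)))
            for label, n, a in cases]


if __name__ == "__main__":
    for row in crack_time_table([
        ("8 chars, printable ASCII", 8, PRINTABLE_ASCII),
        ("14 chars, lowercase only", 14, LOWERCASE),
        ("14 chars, printable ASCII", 14, PRINTABLE_ASCII),
    ]):
        print(*row, sep=" | ")
```

Run it and the 8-character exhaustive bound comes out at a few hours, the 14-character lowercase bound at a few years, and the 14-character printable-ASCII bound at roughly 380 million years, matching the article’s figure. The entropy column is the number a password manager’s generator is really buying you: about 92 bits for 14 printable characters versus about 66 for 14 lowercase letters.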
While we’re talking about passwords, enable 2-factor authentication for your most important sites: Apple, Google, Facebook, Evernote, your bank, your 401k site, etc. While you’re at it, download the LastPass Authenticator app, which makes using 2-factor authentication as easy as a single button click. Single-factor authentication is what you’re using when you are required to enter only a username and password: to log in, you must “know” something, your password. But because passwords can be cracked or stolen, single-factor security is just not sufficient, especially when your financial or personal information is at risk. Multi-factor authentication requires the user to “know” something and “have” something, like a mobile device. Before anyone can log into your account they must know the password and must have the device that generates or receives a one-time code that must also be entered. A criminal who steals your password will not have your mobile device. Two caveats: codes sent by SMS can be intercepted by an attacker who persuades your carrier to move your number to their SIM, so prefer an authenticator app or a hardware security key where the site offers one; and a phishing page can ask you for the current code and relay it to the real site in real time, so multi-factor authentication is not a reason to stop checking the address you are typing it into. [Note: most sites let you print backup “one time passwords” after enabling multi-factor authentication. Keep them somewhere safe; they are what gets you in if you lose your mobile device.]
BTW: it is even more important that you ensure your System Administrator (at work) is also using the same techniques for all the same reasons.
Look for “https” on every site and double-check each URL to verify it is legitimate. Phishing attacks will try to fool you with addresses that look almost right, for example https://www.amason.com instead of the real https://www.amazon.com. Knowing that this is how they trick you is the first step in defeating them. Be aware, though, that “https” and the padlock only tell you that the connection is encrypted to the site named in the address bar; phishing sites obtain certificates too, so the padlock is no proof that the name is the one you think it is. The name itself is what you must read, and read all of it: the part that matters is the registered domain just before the first “/”, not the familiar words at the start of the address.
Don’t click on links in emails unless you are certain they are legitimate or you trust the person who sent you the email. If your friends forward you an email chain with links, send it straight to the trash. Just don’t click on links inside emails. Period. If an email claims to be from your bank or a site you use, type the site’s address yourself or use the bookmark you already have, and log in from there.
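The checks a careful reader performs on an address, written down as code: an added example, not from the article, and not a substitute for a real anti-phishing filter. It assumes a small constructed allow-list of domains the reader actually uses, reduces each host to its registered domain (a simplification that ignores the Public Suffix List, so two-label suffixes such as co.uk would need special handling), flags a near-miss like amason.com by edit distance, and catches the two other common tricks: a trusted name buried in a longer host (www.amazon.com.login-verify.example) and a trusted name placed before an “@” so that the real host is something else entirely.

```python
from urllib.parse import urlsplit

# Constructed allow-list for the demo: the registered domains the reader uses.
TRUSTED_DOMAINS = {"amazon.com", "google.com", "paypal.com"}


def registrable_domain(host: str) -> str:
    """Last two labels of the host name. Simplification: a real check would
    consult the Public Suffix List so 'amazon.co.uk' is not reduced to 'co.uk'."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: the number of single-character edits turning a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete ca
                           cur[j - 1] + 1,         # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def check_url(url: str, trusted=TRUSTED_DOMAINS):
    """Return (verdict, registered_domain, findings).
    verdict is 'trusted', 'lookalike' (resembles a trusted site but is not it)
    or 'unknown' (no resemblance to anything on the list)."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    domain = registrable_domain(host)
    findings = []
    if parts.scheme != "https":
        findings.append("not https: traffic is readable on the network")
    if parts.username is not None:
        findings.append(f"text before '@' ({parts.username}) is not the host; "
                        f"the real host is {host}")
    if any(label.startswith("xn--") for label in host.split(".")):
        findings.append("internationalized host name: may use look-alike characters")
    if domain in trusted:
        return "trusted", domain, findings
    lookalike = []
    for good in trusted:
        if good in parts.netloc.lower():
            lookalike.append(f"contains the trusted name '{good}' but the actual "
                             f"domain is {domain}")
        elif edit_distance(domain, good) <= 2:
            lookalike.append(f"'{domain}' is one or two keystrokes away from '{good}'")
    verdict = "lookalike" if lookalike else "unknown"
    return verdict, domain, findings + lookalike


if __name__ == "__main__":
    # Constructed sample addresses, including the article's amason.com example.
    for sample in ["https://www.amazon.com/gp/cart",
                   "https://www.amason.com/ap/signin",
                   "https://www.amazon.com.login-verify.example/",
                   "https://www.amazon.com@evil.example/",
                   "http://www.amazon.com/"]:
        verdict, domain, findings = check_url(sample)
        print(f"{verdict:9} {domain:24} {sample}")
        for f in findings:
            print("          -", f)
```

The design point is that the verdict is computed from the registered domain and nothing else; the scheme and the “@” trick are reported as separate findings so that a plain-http link to a genuine site is not confused with an impostor, and an impostor with a perfectly valid certificate is not excused by it.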
Phishing is a technique by which criminals masquerade as a legitimate website or sender to acquire information such as passwords and credit card numbers. “Spear phishing” is similar but is phishing targeted at you personally. This has become the preferred method of attack for online criminals and digital spies, responsible for a full 91% of all targeted cyber-attacks. Criminals now use “social engineering” to engineer spear phishing attacks designed just for you that will appear to come from your best friend or perhaps your mother. This is a very serious threat and is another great reason to use multi-factor authentication. I consider myself to be very cautious when browsing and have been fooled by phishing attacks! These attacks are often extremely difficult to identify as “fake”. Be smart!
By the way, during the 2016 presidential election the email of John Podesta, chairman of Hillary Clinton’s campaign, was hacked and its contents leaked to the world. This was the result of a phishing attack. It was totally avoidable if these best practices had been employed.
Logging in with an ordinary user account rather than an administrator account is called practicing the “Principle of Least Privilege”: operate with the least privilege the task needs. Each of us, at home and at work, should log into our computers with “user” privileges, NOT as “administrator”. Many times the account created when the computer was set up is an administrator by default. When you are logged in with administrator privileges, any malware that gets in runs with those same full privileges and can do anything on the computer. Conversely, if you are logged in with user privileges, the malware is confined to what your account can do, which prevents most of the harm and saves you from countless exploits! Create a separate administrator account, keep its password in your password manager, and use it only when a task (installing software, changing system settings) actually requires it.