As any IT or Security person knows, we’re often asked what a normal person can do to stay secure. I have some simple things to consider and some more difficult things to implement for your cyber life. These changes will make accessing your accounts more cumbersome. However, consider this: if it is harder for the account holder, imagine how much more difficult accessing your account will be for a hacker.
Step 1. Use tougher passwords. I suggest using 10 or more characters with a mixture of lower case, upper case, numbers and symbols. Phrases are very popular now, such as Ithinkmypasswordisreallysecure2019!, but be mindful of common phrases. My best advice is to use a password manager with its random password generator and set the length to 16 characters. The longer the password and the more diverse the character set, the longer a brute force attack will take to discover that password. A randomly generated password of 16 or more characters drawn from all possible characters will be nearly impossible to crack.
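To put numbers on the length-versus-brute-force claim above, here is an added example (not code from the original post) that generates a 16-character password with Python’s `secrets` module, mixing all four character classes, and computes the keyspace in bits and the time to exhaust it; the 1e11 guesses per second rate is an assumption for illustration.

```python
import math
import secrets
import string

# The four character classes the post says to mix.
CLASSES = (string.ascii_lowercase, string.ascii_uppercase, string.digits, string.punctuation)
ALL_CHARS = "".join(CLASSES)  # 26 + 26 + 10 + 32 = 94 distinct characters


def generate_password(length: int = 16) -> str:
    """Random password over all 94 characters, guaranteed to contain every class.

    Rejection sampling keeps the result uniform over the passwords that contain
    all four classes. `secrets` is used rather than `random`, whose output is predictable.
    """
    if length < len(CLASSES):
        raise ValueError("length must be at least 4 to include every class")
    while True:
        candidate = "".join(secrets.choice(ALL_CHARS) for _ in range(length))
        if all(any(ch in cls for ch in candidate) for cls in CLASSES):
            return candidate


def keyspace_bits(length: int, alphabet_size: int) -> float:
    """Bits of entropy in a uniformly random password of `length` over `alphabet_size`."""
    return length * math.log2(alphabet_size)


def years_to_exhaust(length: int, alphabet_size: int, guesses_per_second: float = 1e11) -> float:
    """Years needed to try every password at a constant guess rate.

    1e11 guesses/s is an assumed figure for an offline attack on a fast, unsalted
    hash (not a number from the post); change it to model other scenarios.
    """
    seconds = alphabet_size ** length / guesses_per_second
    return seconds / (365 * 24 * 3600)


if __name__ == "__main__":
    for length, size, label in [(8, 26, "8 lowercase"), (10, 94, "10 mixed"), (16, 94, "16 mixed, random")]:
        print(f"{label:17} {keyspace_bits(length, size):6.1f} bits, "
              f"{years_to_exhaust(length, size):.3g} years to exhaust")
    print("generated:", generate_password(16))
```

An 8-character lowercase password falls in seconds at that rate, 10 mixed characters in years, and 16 random mixed characters in far longer than the age of the universe; a leaked or reused password, of course, needs no brute force at all.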
Step 2. Use different passwords for every site. Insert groans here… Yes, this is a major pain in the ass, but it is the truth. When you use a password for any given site you have no idea how securely that password is being stored. As we’ve recently learned from Facebook and other website breaches, websites can store passwords with weak hashes or even in plain text. If your password is compromised in plain text, or the hash is broken, that leaked password will be associated with your email address. If that email and password are used for multiple accounts, odds are that information will be used to access your other accounts. You need a different password for each site. At the very least, do it for the accounts which have access to your money!
Step 3. Use multi-factor authentication for any account that offers it. Any bank, financial services or cryptocurrency site should offer MFA, so go ahead and enable it. Use Google Authenticator with it and avoid email as an MFA method; if it’s the only option, SMS will work, but a separate app is better.
Step 4. Limit the information you make available about yourself. Facebook, LinkedIn, Instagram: all of these sites have treasure troves of information about us, and hackers can and do use this information to craft specifically targeted attacks. If I see you went to Hawaii in 2014, I may add Hawaii2014 and every variation of it to a password list I’d use to brute force your bank account.
Step 5. Turn off any services that are not in use; this goes for phones, tablets and laptops. Turn off Bluetooth on your devices if it’s not in use, turn off sharing and cover your laptop camera. If you have a smartphone you already know you’re sacrificing privacy for convenience. So don’t act surprised when you talk about buying new shoes and later that day see shoe ads on the news sites you visit.
Step 6. Nothing is free. If you provide info to a company, most likely that company will be selling it. Be conscious of this, since anyone can buy that info. Your phone number, address and email are very easy to obtain, so hesitate next time before you give that information away and ask yourself: do I really need to do this? Think of the spam calls you’re getting all the time (like me); they didn’t make your number up, they got it from somewhere.
Step 7. Trust no one… Microsoft won’t call you, and your bank probably isn’t calling you (if the bank is calling, it may be fraud prevention, and they won’t be asking for any money, only to verify recent activity). If you receive a phone call and it doesn’t feel right, it probably isn’t. If someone calls you and pressures you to give them money, it’s a scam. If you think it could be real, ask for the person’s name and extension so you can call them back. If the answer sounds good, google the info you obtained and see if the number is actually associated with that company, or if the person can be found on LinkedIn employed at that company. Don’t trust anyone without verifying their identity. Scams are happening every day; don’t fall victim to them.
Step 8. Spam mail protection: if you click a link and it takes you to a login, stop. Close the link, open a new tab and log in to the site by typing its address in the address bar or using your bookmark. This practice can help protect you in case the link you clicked is a phishing attempt (spam mail with a link to a fake login screen made to mimic a real site, which steals a user’s password by tricking them into entering it into the fake site). I have a poster below from SANS which provides a ton of detail regarding the items to look for in a possible phishing attempt. But always remember: TRUST NO ONE!
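The “stop and check where the link really goes” habit above can be made mechanical. This added example (not from the post) parses a link the way a browser would and accepts it only if it is HTTPS and its host is the expected domain or a subdomain of it; all domains are constructed under the reserved .example TLD.

```python
from urllib.parse import urlsplit


def link_host(url: str) -> str:
    """Hostname the browser would actually connect to, lowercased, without trailing dot.

    urlsplit().hostname drops the scheme, any user:password@ decoy before the
    real host, the port, and the path, which is where look-alike tricks live.
    """
    return (urlsplit(url.strip()).hostname or "").rstrip(".").lower()


def link_belongs_to(url: str, expected_domain: str) -> bool:
    """True only if the link uses HTTPS and its host is `expected_domain` or a subdomain of it.

    Suffix matching with a leading dot means 'bank.example.evil.example' and
    'bank-example.example' are rejected, while 'login.bank.example' is accepted.
    """
    parts = urlsplit(url.strip())
    host = link_host(url)
    expected = expected_domain.lower().rstrip(".")
    if parts.scheme.lower() != "https" or not host:
        return False
    return host == expected or host.endswith("." + expected)


# Constructed sample links (all under the reserved .example TLD, not real sites).
SAMPLE_LINKS = {
    "https://login.bank.example/account": True,           # real subdomain
    "https://bank.example.login-verify.example/": False,  # real name used as a prefix
    "https://bank.example@evil.example/login": False,     # user-info decoy before the real host
    "https://bank-example.example/": False,               # look-alike spelling
    "http://bank.example/": False,                        # plain HTTP, not HTTPS
    "https://evil.example/bank.example/login": False,     # real name only in the path
}

if __name__ == "__main__":
    for url, expected in SAMPLE_LINKS.items():
        verdict = link_belongs_to(url, "bank.example")
        print(f"{'ok  ' if verdict else 'STOP'} {url}  (host={link_host(url)})")
        assert verdict == expected
```

This only inspects the hostname; it will not catch a registered look-alike built from visually similar characters, which is why typing the address yourself or using a bookmark remains the safer habit.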
Step 9. Use an ad blocker in your web browser. Adblock and uBlock are some good options, but more exist. Ad blockers can help prevent malicious advertisements which can lead to malware installing itself on your device. Blocking malicious ads at the source with an ad blocker provides an additional layer of security.
Step 10. Avoid using public WiFi for financial transactions. I strongly believe that if it is not a necessity, it is best to avoid using any public WiFi to log in to any account which could lead to identity theft. I feel the same about accessing banking applications over cellular networks. This may be more of a personal feeling than proven technical theory, but proofs of concept do exist of rogue cellular networks capturing data transmitted over 4G. Ideally I’d prefer to only access banking or other financial sites over a private WiFi connection. However, if you travel often and have to use public or hotel WiFi, I’d suggest using a private VPN for that sensitive traffic. At least a VPN will encrypt that traffic over the public wireless connection and give you an additional level of protection. HTTPS should already be used by those connections and will encrypt that data, but as is commonly said in security, a layered defense is best.
Thank you for reading this information; hopefully it can help keep your information a little safer.