
Basic steps for a new (more secure) you

Ransomware. Phishing. Data Breaches. Doxing. Sometimes the Internet can feel like a dangerous place, as though you're only ever a few clicks away from the mafia stealing your credit cards.

Fortunately though, this isn't really the case - and whilst it can be difficult to know exactly where to begin when it comes to keeping ourselves safe, some basic security hygiene can often foil most of the common attacks an average internet user may be faced with.

Basic Steps - or Personal Security 101

These are the basic steps that you should take to increase your security online. What's more, most of them can be easily done in a matter of minutes, and they provide some genuinely difficult hurdles for a potential attacker to overcome.

It's worth remembering that for most Internet users, the probability of being individually subjected to a targeted attack is minimal. The biggest threats you have to contend with come from large-scale data breaches as well as scattergun attacks.

In real terms this means things like (a) online services leaking personal data to attackers, (b) accidentally installing malicious software, or (c) falling prey to a phishing attack. You'll be glad to know that mitigating the majority of these threats isn't as hard as you'd imagine.

1. Use a password manager.

The average internet user now needs to remember a whole plethora of passwords - often of various complexities - on a daily basis. If you were to ensure that all of these passwords were both (a) unique, and (b) secure/unguessable, you'd need some serious superhuman skills!

For most people, the easiest solution is to simply reuse the same password - or similar variations of it - on multiple platforms. This quickly becomes problematic if one is compromised, as it can lead to a domino effect whereby an attacker can re-use the password to gain access to other services.

Password managers like LastPass are a great solution to this particular issue; they allow you to generate random passwords when signing up to new services, and will also automatically fill-in password fields for you.

1a. Have you been pwned?

It's all well and good having individual and unique passwords, but you still need to know when one's been compromised. Whilst most of the time third parties will issue a statement when they've been subject to a data breach, this isn't something you can always rely on.

Security researcher Troy Hunt maintains a brilliant service which catalogues security breaches, and alerts you if your email address is found in one. You can try it out here, and sign up for free monitoring too.

Whilst this service isn't foolproof, and it relies heavily upon Hunt's ability to get access to the data, it's still a good indicator as to your overall security.
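Sections 1 and 1a together: the point of a password manager is that every password is long, random and unique, and the point of a breach-notification service is that you learn when one has leaked. Have I Been Pwned also publishes a "Pwned Passwords" lookup that works by k-anonymity: the client sends only the first five hex characters of the SHA-1 of a password and compares the returned suffixes locally, so the password itself never leaves the machine. The following is an added example, not code from the post or from Troy Hunt's service; it generates a password the way a manager would and implements the client side of the prefix lookup against a constructed, offline stand-in for the range response (the breach counts in it are made up).

```python
import hashlib
import math
import secrets
import string

# Character set a password manager would draw from (94 printable ASCII characters).
ALPHABET = string.ascii_letters + string.digits + string.punctuation


def generate_password(length: int = 20) -> str:
    """Random password from the OS CSPRNG via `secrets` (never `random`, whose output is predictable)."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def entropy_bits(length: int, alphabet_size: int = len(ALPHABET)) -> float:
    """Entropy of a uniformly random password: length * log2(alphabet size)."""
    return length * math.log2(alphabet_size)


def sha1_prefix_suffix(password: str) -> tuple:
    """Split SHA-1(password) into the 5-hex-char prefix that is sent and the 35-char suffix kept local."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range_response(body: str) -> dict:
    """Parse 'SUFFIX:COUNT' lines (one per breached hash sharing the prefix) into a dict."""
    counts = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        counts[suffix.upper()] = int(count)
    return counts


def breach_count(password: str, fetch_range) -> int:
    """Times the password appears in the breach corpus, or 0 if never seen.

    `fetch_range(prefix)` returns the response body for a 5-char prefix; only that
    prefix is ever handed to it, so the full hash and the password stay local."""
    prefix, suffix = sha1_prefix_suffix(password)
    return parse_range_response(fetch_range(prefix)).get(suffix, 0)


# Constructed stand-in for the remote range lookup so the example runs offline.
# SHA-1("password") = 5BAA61E4C9B93F3F0682250B6CF8331B7EE68FD8; the counts are invented.
CONSTRUCTED_RANGES = {
    "5BAA6": (
        "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3730471\r\n"
        "1D2C9B93F3F0682250B6CF8331B7EE68FAB:2\r\n"
    ),
}


def local_fetch_range(prefix: str) -> str:
    """Offline lookup; an empty body means no breached hash shares this prefix."""
    return CONSTRUCTED_RANGES.get(prefix.upper(), "")


if __name__ == "__main__":
    pw = generate_password()
    print(f"generated: {pw!r} (~{entropy_bits(len(pw)):.0f} bits of entropy)")
    print("'password' seen", breach_count("password", local_fetch_range), "times")
    print("generated password seen", breach_count(pw, local_fetch_range), "times")
```

Swapping `local_fetch_range` for an HTTPS GET of the real range endpoint is the only change needed to make this a live check; the privacy property comes entirely from sending the prefix and nothing else.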

2. Use Two-Factor

Two Factor Authentication (2FA) relies upon a secondary "password" (or "token") - either sent via SMS, or generated via a dedicated app like "Google Authenticator".

This means that even if an attacker possesses your password, they'll also need to possess the device you use for generating/receiving the 2FA token.

Most enterprise and business services provide 2FA capabilities, but increasingly more consumer-oriented services also provide the option. There's a list of services utilising 2FA here - you'll most likely find some of the services you regularly use on the list!

3. Everyone needs AV. Seriously.

It's quite frustrating to be writing this advice in 2017, but it's still worth highlighting - decent anti-virus protection is incredibly important. Even if you're a Mac or Linux user.

I haven't run Windows on a daily basis in over 7 years, yet I still use AV software on both my Macs and my Linux machines. The software doesn't have to be expensive; in fact, price is often quite a poor metric of AV performance. Be sure to check out some reviews and comparisons before parting with any money.

4. Keep up-to-date backups.

One of the nastiest trends at the moment is "Ransomware"; a class of malware which encrypts your files and - literally - holds you to ransom. Unless you pay the individual(s) behind it, you'll never get your files back.

The easiest way to mitigate this particular threat - in addition to the previously mentioned AV software - is to keep regular backups.

One of the easiest ways of keeping regular backups is with Dropbox. Due to the way Dropbox works though - i.e. by appearing as a normal folder on your hard drive - Ransomware is still able to encrypt these files. Fortunately, you can restore previous versions of files for up to 30 days - and even longer if you are a member of their Plus plan.
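The reason Dropbox's version history defeats ransomware is that an encrypted file is just another new version: the old one is still there, and you roll back to the last copy taken before the incident. As an added example (not code from the post or from Dropbox), here is a small versioned backup store that works the same way: each changed file is copied into the store under a timestamp and content hash, nothing is ever overwritten, and restore picks the newest version from before a given time. `demo_scenario` is a constructed walk-through that backs up a file, simulates it being encrypted, and recovers the pre-incident copy.

```python
import hashlib
import shutil
import tempfile
import time
from pathlib import Path
from typing import List, Optional, Tuple


def _fingerprint(path: Path) -> str:
    """SHA-256 of the file content, used to detect whether a file actually changed."""
    return hashlib.sha256(path.read_bytes()).hexdigest()


def backup(source: Path, store: Path, now: Optional[float] = None) -> List[str]:
    """Snapshot every changed file under `source` into store/versions/<relpath>/<timestamp>-<sha256>.

    Old versions are never overwritten or deleted, so a file that ransomware later encrypts
    still has its pre-incident copy in the store. Returns the relative paths that got a new version."""
    stamp = int(time.time() if now is None else now)
    changed: List[str] = []
    store = store.resolve()
    for path in sorted(source.rglob("*")):
        if not path.is_file() or store in path.resolve().parents:
            continue  # skip directories, and never back the store up into itself
        rel = path.relative_to(source)
        vdir = store / "versions" / rel
        vdir.mkdir(parents=True, exist_ok=True)
        fp = _fingerprint(path)
        latest = sorted(vdir.iterdir())[-1:]  # zero-padded timestamps sort chronologically
        if latest and latest[0].name.split("-", 1)[1] == fp:
            continue  # content unchanged since the last snapshot
        shutil.copy2(path, vdir / f"{stamp:012d}-{fp}")
        changed.append(rel.as_posix())
    return changed


def versions(store: Path, rel: str) -> List[Tuple[int, Path]]:
    """All stored versions of one file, oldest first, as (timestamp, path)."""
    vdir = store / "versions" / rel
    if not vdir.is_dir():
        return []
    return sorted((int(p.name.split("-", 1)[0]), p) for p in vdir.iterdir())


def restore(store: Path, rel: str, dest: Path, before: float) -> Optional[Path]:
    """Write back the newest version taken strictly before `before` (when the incident was noticed)."""
    candidates = [p for ts, p in versions(store, rel) if ts < before]
    if not candidates:
        return None
    dest.parent.mkdir(parents=True, exist_ok=True)
    shutil.copy2(candidates[-1], dest)
    return dest


def demo_scenario() -> dict:
    """Constructed walk-through: back up, get 'encrypted', restore the copy from before the incident."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        source, store = root / "documents", root / "backup_store"
        doc = source / "notes" / "thesis.txt"
        doc.parent.mkdir(parents=True)
        doc.write_text("draft chapter one")  # constructed content
        first = backup(source, store, now=1_000)
        again = backup(source, store, now=1_100)  # nothing changed, so no new version
        doc.write_bytes(b"\x00ENCRYPTED-BY-RANSOMWARE")  # simulated malicious overwrite
        second = backup(source, store, now=2_000)
        restored = restore(store, "notes/thesis.txt", root / "restored.txt", before=1_500)
        return {
            "first": first,
            "again": again,
            "second": second,
            "version_count": len(versions(store, "notes/thesis.txt")),
            "restored": restored.read_text() if restored else None,
        }


if __name__ == "__main__":
    print(demo_scenario())
```

The store only helps if the malware cannot reach it: keep it on a drive that is unplugged between runs, or on a service that keeps its own version history server-side, which is exactly the role Dropbox's 30-day history plays.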

5. View third parties with a healthy distrust.

Here comes a sad observation: most of your personal security relies upon the security of the third parties who hold your data.

If a shop you regularly use gets compromised, there's nothing to say it won't lead to your identity being stolen, even though there's nothing you could reasonably do to prevent it from happening.

The irony of this one isn't lost on me: I know I've just recommended two third party services (LastPass and Dropbox) - but as a rule of thumb, minimise the number of third parties you trust with your data.

If you're worried about the effects of Identity Fraud following a leak involving your details, then Experian offer credit monitoring services, whilst Noddle and ClearScore both provide free access to your credit records. Keep a regular eye on them, and be sure to investigate any accounts or services you don't recognise!

6. Keep an eye on active sessions and app authorisations.

A lot of online services - e.g. Twitter, Facebook, Google, and Netflix to name but four - allow you to view active sessions, failed logins, and "authorised apps".

Try and make a point of viewing these regularly - paying particular attention to any active sessions you don't recognise, or any "authorised apps" that you don't use or need.

This isn't a quick fix, but it's definitely a good habit to get in to.

Bonus Tip: Know what to do.

Knowing what to do after an incident is just as important as knowing how to minimise the risk of one; in some ways it's even more important, because it's time critical.

You most likely know what to do if you break down on a lonely road, or if you lose your bank card. Yet do you know what to do if you find that someone else has had access to your email account, or if you turn your laptop on and find you've fallen prey to ransomware?

As a rule of thumb, think about (1) how you will contain a problem, and then (2) how you will restore prior functionality.


Fergus

Contract Software Developer and DevSecOps Consultant, based out of London in England. Interests include information security, current affairs, and photography.