I was in Starbucks the other day and overheard a local computer tech helping someone reinstall Windows on their notebook. After the tech left I started a conversation with the notebook owner, giving him some advice about making a good backup of the computer once he had finished, so that if something went wrong again he would be able to recover quickly next time. That may not sound like security advice, but it really is: often the act of protecting data is done to protect our time and resources. Starting over with a fresh install of Windows involved paying a computer tech, more than a few hours of his own time, and potential loss of data. If he had a backup of his new computer he would not have had to spend time in Starbucks, spend his money on the computer tech's time, or, no doubt, spend time in the future getting all of his programs and settings configured again.
Security is the art of protecting assets or knowledge in such a way that the “Cost” of destroying, disrupting, or disappearing them is insurmountably high. The “Cost” of an attack is the amount of negligence or effort that you or an attacker must expend to destroy, disrupt, or disappear the protected asset. Realistically, if someone is able to pay the “Cost” in time or money to conduct the attack, they can compromise your security.
The following is the collection of advice I wish I could also have given him but just did not have the time to. It is also the advice I give to family members, coworkers, and people like you who stumble across my website, and in general it will increase the “Cost” of an attack.
A. Securing The Online Accounts
- Use a password manager and avoid reusing passwords across sites like the plague (side note: it is the plague). LastPass is a great starting point; don’t forget your master password. If you don’t like the idea of storing your passwords online, KeePass is a good option, and so is Password Safe by Bruce Schneier.
- Enable second-factor authentication on all your accounts, including your password manager if you’re using an online one.
- Set up haveibeenpwned.com breach notifications for the email account(s) you use.
- Recognize the human error factor: humans make mistakes. When you’re using the web, make sure you’re using an ad blocker to avoid malicious advertisements that might lead you to a spoofed site; uBlock Origin is great for this. Using a third-party DNS service is also a great help: Quad9 or OpenDNS greatly increases your security at no cost and is fairly easy to set up.
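As an added example (not code from the original post) of how haveibeenpwned.com supports the password-reuse advice above: this Python script checks a password against the Pwned Passwords corpus using the range API's k-anonymity scheme, so only the first five characters of the SHA-1 hash ever leave your machine. It assumes the public range endpoint and its "SUFFIX:COUNT" response format as documented by the service; the sample response used below is constructed.

```python
"""Check a password against Pwned Passwords without sending the password.

Assumes the public range API: GET https://api.pwnedpasswords.com/range/<5 hex>
returns one "<35-hex SHA-1 suffix>:<count>" line per leaked hash that shares
the prefix. Only the prefix is transmitted (k-anonymity).
"""
import hashlib
import urllib.request

API = "https://api.pwnedpasswords.com/range/"


def split_sha1(password: str) -> tuple:
    """Return (5-char prefix, 35-char suffix) of the uppercase SHA-1 hex digest."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range(body: str, suffix: str) -> int:
    """Scan a range-API response for our suffix; 0 means not in any known breach."""
    for line in body.splitlines():
        line = line.strip()
        if not line or ":" not in line:
            continue  # skip blanks or malformed lines defensively
        candidate, count = line.split(":", 1)
        if candidate.upper() == suffix:
            return int(count)
    return 0


def pwned_count(password: str, fetch=None) -> int:
    """Number of breach occurrences of `password`.

    `fetch(prefix)` returns the response body; it defaults to a real HTTPS
    call but can be swapped for a constructed body when running offline."""
    prefix, suffix = split_sha1(password)
    if fetch is None:
        def fetch(p):
            with urllib.request.urlopen(API + p, timeout=10) as resp:
                return resp.read().decode("utf-8")
    return parse_range(fetch(prefix), suffix)


if __name__ == "__main__":
    pw = "password"  # constructed demo input
    n = pwned_count(pw)
    print(f"{pw!r} seen {n} times in breaches" if n else f"{pw!r} not found")
```

A non-zero count means the password has been leaked and should never be reused anywhere; a zero count only means it is not in the corpus, not that it is strong.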
B. Securing The Personal Computer
- Don’t use an admin account for everyday computing. This applies to macOS, Linux and Windows, no exceptions. Follow the principle of least privilege.
- Data security is just as important as account security in most cases; having backups is the best way to secure your data from accidental deletion, corruption, and ransomware. Veeam Endpoint Backup Free is free and does a great job backing up your entire system.
- Run an up-to-date version of your operating system and ensure you have security updates installed.
- Nuke and pave: if your system has been compromised, this truly is the only way to be sure you’re safe again. Make sure you have a good backup, erase the internal disk, and reinstall your operating system.
A note on antivirus software: I did not mention antivirus here because consumer-grade antivirus products seem to change like the wind lately. In general, if you’re looking for an antivirus product I would recommend reading reviews from IT people, as they spend far more time than you can imagine evaluating antivirus solutions for their respective companies. Nearing the end of 2017 I have begun to see a rise in malware that exploits antivirus systems to compromise the very systems they were designed to protect. In general your best antivirus option is an up-to-date computer with the most recent security patches installed, and following best practices such as B.1 is your best bet.
C. Securing The Data
- 3-2-1 backups: if your data does not follow the 3-2-1 backup rule (three copies, on two different kinds of media, with one copy off-site), your data does not exist and likely won’t be recoverable if you lose it.
- If you’re storing sensitive data in the cloud, use some form of “pre-internet encryption”. For Windows, Mac and Linux, VeraCrypt is probably the gold standard, but there are other encryption tools; even an encrypted zip file is better than nothing. Note: password protected and encrypted are different things; know the difference and use the right one.
- If it’s unimportant data, back it up; if it’s important data, back it up again. The number one reason important data can’t be restored is that someone didn’t think it was important. If you back up everything all the time, this is an easy pitfall to avoid.
D. Securing The Network
- If your router can be found at routerpwn.com, consider getting a different router or looking for firmware updates that fix the issue listed. If your router does not have firmware updates or a fix, get a different router.
- Take a look at what GRC’s ShieldsUP! has to say. If your router has open ports, make sure you have NAT enabled on your router. The best option to avoid any conflict is simply not to be there: “Stealth” is what you want from the ShieldsUP! test.
- If you have Internet of Things devices on your network, use the 3 Dumb Routers method to separate out your network.
- If you have WiFi, make sure you’re using a good password, only use WPA2 or better authentication, and disable WPS if possible.
- Use a third-party DNS server on your router; Quad9 or OpenDNS are good options. To find out which DNS server is the quickest around you, run the DNS Name Speed Benchmark at GRC.com.
- If you don’t require devices on your wireless network to talk to each other (this is rare), or have particular devices that don’t need to talk to other devices for any reason, consider putting those devices on your guest network.
E. Securing the Human
This is the hardest part. Even if you have done everything else correctly, we are only human and are going to mess something up. Securing the human part of the system comes down to checking yourself as you use computer systems. There are a lot of moving parts to this, but in general the following are true and, if followed, will make you less vulnerable.
- Always go to the source. If you receive a phone call from your bank and they want to verify your social security number over the phone, just hang up, Google your bank’s phone number (or look on the back of your debit card) and call them back. If it was them, you’re good to go; if it was not them that called you, congratulations, you have just evaded an attack. The same applies to handling phishing messages. A common one we see is a message warning someone that their email mailbox is out of space and telling them to click a link to get more space; the link then prompts you to log in to your cloud email, and if you do, your account will be compromised because you have just given the attackers your login information. The right thing to do is ask your email admin whether you are running out of space, or log in on the web and check for yourself. By going to the source, almost all phishing attacks are thwarted. This also applies to software: is a website telling you that you need to install Flash? Guess what? Don’t click the link! Go to a place you know uses Flash and see whether you actually need it; odds are you don’t (side note: Flash is evil, you don’t need it, and it’s disabled by default almost everywhere now).
- TNO, Trust No One. Criminals don’t target computer systems, they target people, and they target them because they want something. Be cautious about giving out information and about being given information. Don’t trust until you have gone to the source. TNO is also a good philosophy for systems: good systems and services don’t require you to have any trust in the people running them for your data to be safe. For example, tarsnap is a great backup system; it accomplishes TNO by allowing you to download and compile the tarsnap backup application from source code and to set your own encryption keys. Because data is encrypted before it leaves your system, and because you can verify the application that does the encrypting and uploading, you don’t have to trust the developers who wrote the code.
- If it’s too good to be true… (you know the rest of this one; your mother told you, my mother told me, the attacker’s mother told him, we all know this.) SPOILER ALERT: it is. There is no Indian prince willing his inheritance to you, there is no free iPad you won, and there is always a mass phishing campaign in the works run by smart people who are looking to make you the sucker. Think about the cost: how much does it cost you to send an email? Right… if it only costs them a couple of minutes of their time to cheat you out of the money in your bank account, guess what they are going to try to do. The bigger piece is that the way phishing works, it’s not a couple of minutes of their time per person phished; it’s a couple of minutes per millions. It’s an automated system, a service even, and its target is not you… its target is everyone.
- securityplanner.org is a great site that will walk you through what you should be aware of.
- The Digital First Aid Kit is a great resource for advice on reacting to an incident.
- There are a lot of good insights on the Surveillance Self-Defense page at the EFF.
- Roger G. Johnston, Ph.D., CPP’s Security Maxims is a great read and provides lots of insight into the nature of security.
- Microsoft’s 10 Immutable Laws of Security Administration is a great read for fellow systems administrators, as is the article 10 Immutable Laws of Security.
Final Thoughts: We live in a world now where hackers are driving the cost of attacking systems down by having systems and automation do the attacks for them. Microsoft said it best, I think: “Eternal vigilance is the price of security”.