Cyber Security Tips Every Computer User Should Know
Have you ever wondered what you can do to secure your personal devices and other online accounts? As the Internet of Things (IoT) continues to grow and more household devices are connected to the internet, practicing good cyber security habits at home becomes increasingly important. Let’s discuss what I would consider to be the best security practices every computer owner should implement at home for their personal devices and online accounts. This list is not absolute, but it contains suggestions that are easy for everyone to implement and will improve your security.
Keep your Software Up to Date
Software updates fix bugs and patch known security vulnerabilities. Keeping your devices updated is an easy way to make sure your software is as secure as possible against currently known vulnerabilities. After a vulnerability is discovered, a public exploit is usually developed that anyone can download and use. Publicly shared exploits are simple to use and require little technical skill to operate. Patching your home computer systems takes those ready-made exploits off the table and limits the pool of potential attackers to those with the skill set to find their own way into your network.
Use Strong Passwords
Strong passwords are essential to keeping your home devices and online accounts as secure as possible. A strong password is one that is long enough that it would take an attacker a considerable amount of time to break and is not something easy for someone to guess. These requirements fall into two areas: making sure your password is not something easy to guess, and using passwords so long that it would take a computer a very long time to break them. The recommended password length increases over time as computer processing power increases.
Hackers and penetration testers today have a variety of tools at their disposal for password guessing and brute-force attacks. Many of these tools require a dictionary file as a baseline. The dictionary file, as its name implies, is a long list of words the program will try as username/password combinations in an attempt to log in as the targeted user. Dictionary lists can be very targeted. Let’s walk through an example scenario of a cyber criminal targeting a fictional person.
(Note: This scenario is entirely fictitious.) For our scenario let’s say John Smith is an employee at a large financial institution. John is fairly high in the company and has done well for himself financially with a decent amount of money in his investment portfolio and savings accounts. A cyber criminal wants to hack John’s account and try to access his banking information to steal money from him. The criminal first decides to look up John online and try to find information about him.
From John’s social media accounts the hacker is able to glean the following information:
John is married and his wife’s name is Jill Smith
John and Jill went on a Honeymoon to Paris in 2009
John has a pitbull named Russ
John’s favorite NFL football team is the Patriots
From this information the hacker creates a dictionary list of passwords:
jill
jillsmith
HoneymoonParis2009
Paris2009
RussthePitbull
TomBrady
N3w3nglandPatr10ts
NOTE: John’s real password is N3w3nglandPatr10ts! (the trailing exclamation mark is part of the password).
This is an overly simplified list, but these words and combinations could include anything. The hacker then takes this list and the username jsmith and runs them against the online banking site he knows John uses. The hacker was able to access John’s account with the information taken from John’s social media profiles and his knowledge of common password habits (replacing letters with numbers, adding special characters, etc.). Many password guessing tools have options to generate additional permutations of each entry, such as replacing selected characters with numbers or adding special characters at the end. Running the tool with those options over the list above produced John’s true password.
This example is overly simplified, but it shows the importance of using passwords that are both complex and random, so that no one would be able to guess them. In this case John had a fairly strong password: 19 characters long and meeting a variety of common password requirements. But the hacker was able to infer it from John’s social media accounts and include a similar password in the dictionary attack, making the length irrelevant.
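The defensive side of John’s story is a password check that sees through the same cosmetic tricks the guessing tools apply. The following Python is an added example written for this post, not a tool from the original article: it lowercases a candidate password, strips leading and trailing digits and punctuation, reverses a small assumed table of letter-for-symbol substitutions, and then looks for anything that appears in a constructed list of facts about John (the same facts the scenario lists). The policy it enforces, a minimum length plus “not built from personal information”, is this example’s own assumption.

```python
import string

# Assumed table of common letter-to-symbol substitutions ("leet speak"),
# mapped back to the letter each symbol usually stands in for.
LEET_MAP = {"0": "o", "1": "i", "3": "e", "4": "a", "5": "s", "7": "t", "@": "a", "$": "s"}

# Constructed facts about "John Smith", taken from the scenario above.
JOHNS_FACTS = ["Jill Smith", "Honeymoon Paris 2009", "Russ", "Pitbull",
               "New England Patriots", "Tom Brady"]


def normalize(password: str) -> str:
    """Undo the cosmetic tricks a guesser would apply: lowercase the password,
    drop leading/trailing digits and punctuation, then reverse leet-speak
    substitutions, so 'N3w3nglandPatr10ts!' becomes 'newenglandpatriots'."""
    core = password.lower().strip(string.digits + string.punctuation)
    return "".join(LEET_MAP.get(ch, ch) for ch in core)


def personal_terms(facts) -> set:
    """Expand each fact into search terms: every word on its own plus the
    whole fact with spaces removed. Terms under three characters are ignored."""
    terms = set()
    for fact in facts:
        words = fact.lower().split()
        terms.update(words)
        terms.add("".join(words))
    return {t for t in terms if len(t) >= 3}


def guessable_terms(password: str, facts) -> list:
    """Return the personal terms found in the password, checking both the raw
    lowercase form (so a year like '2009' is still caught) and the normalized form."""
    raw, norm = password.lower(), normalize(password)
    return sorted(t for t in personal_terms(facts) if t in raw or t in norm)


def is_acceptable(password: str, facts, min_length: int = 14) -> bool:
    """Policy used by this example: long enough AND not derived from anything
    an attacker could learn about you from social media."""
    return len(password) >= min_length and not guessable_terms(password, facts)


if __name__ == "__main__":
    for candidate in ["N3w3nglandPatr10ts!", "Paris2009", "vK9#pLq2$wZr8mN!tB"]:
        verdict = "acceptable" if is_acceptable(candidate, JOHNS_FACTS) else "rejected"
        print(candidate, guessable_terms(candidate, JOHNS_FACTS), verdict)
```

John’s 19-character password is rejected because, once normalized, it is just the name of his favorite team; the random 18-character string passes even though it is shorter. A real password manager’s generator produces strings of the second kind, which is the point of the next section.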
Password Managers
Password managers are a great way to manage passwords to all your accounts, keep strong random passwords for your accounts, and use your passwords anywhere without writing them down or forgetting them. According to Techopedia, “A password manager is a software application that is used to store and manage the passwords that a user has for various online accounts and security features. Password managers store the passwords in an encrypted format and provide secure access to all the password information with the help of a master password.”
By using a password manager, the user only needs to remember one very strong password to access their password manager account, which stores the rest of their passwords for them. Password managers can generate new passwords and flag which accounts are reusing passwords, which further helps with password and account management.
In our example, John uses the same username and password for all of his online accounts. If the hacker tried to use the same password combination to access John’s Facebook or credit card accounts they would have been successful and John would be fighting to get access to all of his accounts. Ensuring all your accounts have strong unique passwords is essential.
Enable Two-Factor Authentication
In addition to using strong passwords, two-factor authentication should be enabled on all accounts, or at least on the important ones. Two-factor authentication requires a second form of authentication before logging in. Most sites give the user the option of using an authenticator app, clicking confirm on an email verification, or entering a code sent to their phone as a text message. Two-factor authentication makes it much more difficult for an attacker to access your account: they may have your password, but without access to your phone or email they will not be able to log in as you.
Phishing Emails
The Information Systems Audit and Control Association (ISACA) report titled Top Cyberattacks of 2020 and How to Build Cyberresiliency, by Frank Downs and Dustin Brewer, found social engineering attacks to be the most common threat in 2020. Phishing is a common form of social engineering. According to Merriam-Webster, phishing is “a scam by which an Internet user is duped (as by a deceptive email message) into revealing personal or confidential information which the scammer can use illicitly.” Phishing emails are a common threat vector for cyber criminals today. Below is a list of common indicators to look for in phishing emails:
Typos and misspellings in the email
Unexpected emails with a feeling of urgency
Emails from unusual email domains. Example: You work with Carl@virginiaautomotive.com and one day you receive an email from Carl@virginaautomotive.com asking you to log into your Chase account to update your payment information.
The link in an email does not match the link text or what is expected. Example: Continuing with the Carl example, the email contains a link that looks like it should go to Chase.com, but when you hover over the link the URL displayed is a bitly.com address. This could be an indicator of a phishing email.
These are a few examples of phishing indicators. In another post I will discuss phishing emails in more detail with specific phishing examples and what to look for.
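Three of the indicators above can be checked mechanically, and the added Python example below (written for this post, not part of the original) does so on a constructed message modelled on the Carl scenario: it flags a sender domain that is within a couple of edits of a domain you already deal with, urgency wording in the subject or body, and any link whose visible text names one domain while the href points somewhere else. The known-domain list and the urgency phrases are assumptions for the example; the registrable-domain helper simply takes the last two labels, which is enough for the .com addresses here but not for suffixes like .co.uk.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed for this example: domains the reader legitimately deals with.
KNOWN_DOMAINS = {"virginiaautomotive.com", "chase.com"}
# Assumed phrases that signal manufactured urgency.
URGENCY_PHRASES = ("immediately", "urgent", "within 24 hours", "suspended", "act now")


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; one dropped letter (virginia -> virgina) is 1."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


class LinkExtractor(HTMLParser):
    """Collects (href, visible text) pairs for every <a> in an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable(host: str) -> str:
    """Crude registrable domain: the last two labels (assumption: no
    public-suffix list, adequate for the .com examples here)."""
    return ".".join(host.lower().split(".")[-2:]) if host else ""


def check_email(sender: str, subject: str, html_body: str) -> list:
    """Return human-readable phishing indicators found in one message."""
    findings = []
    sender_domain = sender.split("@")[-1].lower()
    if sender_domain not in KNOWN_DOMAINS:
        for known in KNOWN_DOMAINS:
            if 0 < edit_distance(sender_domain, known) <= 2:
                findings.append(f"lookalike sender domain {sender_domain} (resembles {known})")
    plain = (subject + " " + re.sub(r"<[^>]+>", " ", html_body)).lower()
    for phrase in URGENCY_PHRASES:
        if phrase in plain:
            findings.append(f"urgency wording: '{phrase}'")
    parser = LinkExtractor()
    parser.feed(html_body)
    for href, anchor in parser.links:
        href_host = registrable(urlparse(href).hostname or "")
        shown = re.search(r"((?:[a-z0-9-]+\.)+[a-z]{2,})", anchor.lower())
        if shown and registrable(shown.group(1)) != href_host:
            findings.append(f"link text '{anchor}' actually points to {href_host}")
    return findings


# Constructed sample message modelled on the Carl example above.
SAMPLE_SENDER = "Carl@virginaautomotive.com"
SAMPLE_SUBJECT = "Payment information update required immediately"
SAMPLE_BODY = ('<p>Hi John, please log into your Chase account within 24 hours to update '
               'your payment information: <a href="https://bitly.com/example-short-link">'
               'https://www.chase.com/login</a></p>')

if __name__ == "__main__":
    for finding in check_email(SAMPLE_SENDER, SAMPLE_SUBJECT, SAMPLE_BODY):
        print("-", finding)
```

Run against the sample, the checker reports the lookalike sender, two urgency phrases, and the Chase-labelled link that really goes to bitly.com. The same checks on a genuine invoice from Carl@virginiaautomotive.com whose link text and href agree come back empty, which is the behaviour you want from an indicator rather than a spam filter.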
Backup your Data
Ransomware attacks have made headline news over the last two decades, with a number of large companies making the front page in the last few months. A ransomware attack encrypts all the files on your computer and demands payment before giving you the decryption key to access your files. In many cases, even after paying the ransom, victims are not given their decryption key and have lost their files as well as paying a considerable amount of money to their attacker.
Paying the ransom could have legal consequences as well. Reuters published Companies may be punished for paying ransoms to sanctioned hackers – U.S. Treasury, which brings to light some of the consequences companies can face when paying ransoms.
Backing up your data is the best defense against ransomware attacks. If your machine is hit with ransomware you can restore it from the backup without losing any of your data. A variety of backup solutions exist today, ranging from physical backups to an external hard drive to cloud backups using Google or another cloud provider’s platform.
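A backup only counts if you can prove it restores, so here is an added Python example (written for this post, not a tool from the original) of the simplest version of that proof: copy a folder, record a SHA-256 of every copied file in a manifest, and later re-hash the copies to find anything missing or altered. The demo function builds a constructed two-file folder in a temporary directory, backs it up, deliberately overwrites one backup copy, and shows that verification catches it. The manifest file name and layout are this example’s own choices.

```python
import hashlib
import json
import shutil
import tempfile
from pathlib import Path

MANIFEST_NAME = "manifest.json"  # assumed name, stored inside the backup folder


def sha256_of(path: Path) -> str:
    """Hash a file in chunks so large backups do not need to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def backup_tree(src: Path, dst: Path) -> dict:
    """Copy every file under src into dst (keeping the directory layout) and
    write a manifest of relative path -> SHA-256 next to the copies."""
    dst.mkdir(parents=True, exist_ok=True)
    manifest = {}
    for file in sorted(p for p in src.rglob("*") if p.is_file()):
        rel = file.relative_to(src).as_posix()
        target = dst / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        shutil.copy2(file, target)
        manifest[rel] = sha256_of(target)
    (dst / MANIFEST_NAME).write_text(json.dumps(manifest, indent=2))
    return manifest


def verify_backup(dst: Path) -> list:
    """Return the relative paths whose backup copy is missing or no longer
    matches the manifest. An empty list means the backup is intact."""
    manifest = json.loads((dst / MANIFEST_NAME).read_text())
    damaged = []
    for rel, expected in manifest.items():
        copy = dst / rel
        if not copy.is_file() or sha256_of(copy) != expected:
            damaged.append(rel)
    return damaged


def demo() -> tuple:
    """Constructed walk-through in a temporary directory: back up two files,
    verify, overwrite one backup copy, and verify again."""
    with tempfile.TemporaryDirectory() as tmp:
        src, dst = Path(tmp) / "documents", Path(tmp) / "backup"
        (src / "photos").mkdir(parents=True)
        (src / "taxes.txt").write_text("2020 return, constructed sample\n")
        (src / "photos" / "paris.jpg").write_bytes(b"\xff\xd8 constructed sample bytes")
        backup_tree(src, dst)
        intact = verify_backup(dst)
        (dst / "taxes.txt").write_bytes(b"overwritten")  # simulate a damaged copy
        return intact, verify_backup(dst)


if __name__ == "__main__":
    before, after = demo()
    print("problems before damage:", before)
    print("problems after damage: ", after)
```

Whatever backup product you use, the habit is the same: verify the copy after it is made and again before you rely on it, and keep at least one copy somewhere the computer being protected cannot write to, so that ransomware on that machine cannot reach the backup as well.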
Conclusion
We covered topics every general computer user should be familiar with to protect their online accounts and home computer systems. This is not an exhaustive list, and many of the topics deserve their own write-ups going into further detail. But at a minimum, keeping strong passwords, using a password manager, updating software, enabling two-factor authentication, backing up data, and visually inspecting emails will help secure your systems. Thanks for reading!