In today’s world cyber security is paramount. Hackers seem to lurk around every virtual corner, just waiting to pounce. While this is not necessarily the case, it does seem that cyber attacks happen more and more frequently. This is largely because of high profile attacks on large corporations capturing the attention of the media. Sony’s infamous breach, Microsoft and Playstation gaming networks being DDOS’d, even the Federal Government. Each attack has a plethora of theories surrounding them, but they all boil down to one base item. Protected data being insecure.
While we all know that there is a list basic things we can do to protect ourselves, we almost never follow them. I’m guilty of it. We all are.
So how do we protect ourselves in this world where everything is connected? Start with the basics, educate yourself, and use common sense. Let’s start with that list of things we tend to ignore.
- Stay Updated! – How many updates have you not followed because you were in the middle of something? When was the last time you updated your antivirus? Or even ran it? Are all of your programs and apps up to date, across all your devices?
Probably not, and mine aren’t either, but they should be and here’s why:
I run a WordPress site for a friend and certain key plugins had caused issues in the past when WordPress updated before they had. I held out on updating to the latest version to maintain compatibility only to have the WordPress groups exploit used against me by hackers to publish a vast e-commerce site on my domain.
This exploit gave the hacker FTP access to my server, and once inside the server, you’re able to make all kinds of trouble. Once discovered, I set about cleaning it up, only to discover that they had planted in excess of 150k html and javascript pages throughout my file structure. A script buried 25 directories deep checked for changes made, and uploaded any file that deleted. Cleanup proved to be frustrating. I was lucky in the sense that all they did was set up a “hidden” domain, but the potential for disaster was immense and made worse by the fact that I knew better than to pass on the updates.
- Passwords – Use strong passwords and change them frequently! A strong password is defined as “At least characters in length and uses one or more of each of the following: Capital and Lowercase letters, Numbers and Special Characters.” This can be overwhelming, especially if you have multiple online accounts.
- There are password managers that allow you to set a master password and they manage your login credentials for your online accounts, but if you choose this method be careful who you entrust your data to. There have been several attacks on such companies, so make sure that they encrypt your data with at least AES 256 bit encryption. I recommend LastPass. Yes, they recently had a breach, but their encryption methods are top notch.
- DO NOT REUSE YOUR PASSWORD! I know this a hard one to follow, but using the same password for all of your online accounts is risky and dangerous, especially if you use that same password for everything (Banking, Work, etc…). One compromised account hands your attackers the virtual keys to everything.
- Don’t save your passwords to your browser. The simple act of opening a malicious webpage or email can allow a “browser hijack” attack, exposing your data.
- Don’t write your passwords down and leave them where they can be seen or found. I know how this sounds but it’s still a valid concern. I’ve seen sheets taped next to a computer monitor with usernames and passwords for employees, passwords taped to the bottom of keyboards, even on sticky notes with the account credentials and URL!
- Wherever possible, use Multifactor Authentication. I prefer to use a solution like Google Authenticator. It provides a short lived, single use code to verify your identity. If you do not enter the code in the specified time, the code changes and it cannot be reused.
- Install, Use and Update an AntiVirus – This is imperative! Antivirus and AntiMalware solutions are your last line of defense before infection. Keeping these updated with the latest definitions will help keep you protected. There are free options everywhere and Microsoft Security Essentials (which, surprisingly, is really good) comes preinstalled on most Windows systems. The best options are “stateful” programs, which means that your computer is monitored in real-time. Stateful software can alert you to intrusions, unauthorized installations, and even malicious websites. As with any product, you get what you pay for in most cases, so compare user reviews. Personally, I use a combination of Comodo AV and Firewall, and MalwareBytes AntiMalware.
- Configure and Use a Firewall – Again, this is paramount to prevent unauthorized access to your data. If running Windows, the Windows Firewall is an excellent choice. It’s recommended to block any services you do not need or use. One of the first things I do is close ports 23, 69, and 3389 (I also block these services on my router). This eliminates the possibility of someone maliciously using Telnet, TFTP or RDP against my systems.
- Configure your Wireless Router – Too many times have I gone to login to a wireless access point and seen a list populated with names like “NetGear”, “LinkSys” or the like. These networks are subject to being hacked. War Driving is becoming a popular activity for some. It may be someone just looking to hit an open Wi-Fi to check or send an email, or it may be something far more nefarious, but it can (and should) be prevented either way. Take the time to configure your router.
- Change the SSID name, or better yet, change it and then hide it.
- Set up a new password for both wi-fi and router management, don’t use the default passwords, especially for router management. Most are simply Username: admin
Password: password
these offer no protection and are readily found online for nearly all manufacturers. - Turn off WPS (Wi-Fi Protected Setup). That push button connection is the least secure method of connecting to your network. It also sends out your network’s SSID and pin to anyone listening.
- Use WPA2 encryption. Anything less is extremely easy to hack. If you must use WEP for older devices, try setting up a guest network specifically for that encryption type. The guest network will allow your legacy devices to connect while protecting your main network with the stronger encryption.
- Use Common Sense – You know that email you just got that says your dying relative from Nairobi is a Prince, and he’s leaving you millions in US currency? You can claim that fortune, all you need to do is send your bank account information, Social Security Number and address. – Yeah, don’t.
Now while the above may be extremely obvious, not all attempts are. Recent successful attacks are proof of this. You may see emails come from your banking institution telling you to login at the below link, or some other trusted site asking for your credentials. This tactic is known as “Phishing”, using a trusted source to send malicious content, and it has been quite successful. A recent example is the ICANN hack. For those not the know, ICANN is the ultimate internet authority.- Be mindful of the links and attachments in emails. Most trusted businesses, banks and services will never ask for your credentials in an email.
- Hover over the sender address in an email to see the domain it originates from, spoofed email addresses are a common occurrence in malicious communications.
- Beware attachments! This is a prime example of why antivirus and firewalls are so important.
- Be mindful of the subject and content in a message. Your buddy just sent you a strange message full of a jumbled mess of text and links. Don’t open it.
- Educate Yourself! – All of the above information could be obsolete by tomorrow! Stay current on the topics that may affect you. The major media outlets don’t report emerging threats. They focus on what will get them the most attention.
“Joe Smith over here got hit with a brand new virus that was hidden in a text message (Stagefright), but Huge Corporation Inc was attacked through an unsecured webserver. People love Huge Corporation Inc! Let’s report on that!”
There are literally thousands of security based blogs, sites, groups and newsletters online. Follow a few and stay current.
