Cyber security is not just for work
I work with many organizations to help them improve their cyber security, and I write lots of blogs, and deliver training courses on this topic. I nearly always focus on the security of business systems and networks, but it's equally important to think about cyber security in our personal lives.
This blog covers three related topics:
- Managing your user accounts and passwords.
- Protecting your computers, tablets, and phones.
- Protecting your IoT (Internet of Things) devices.
I wanted to add a fourth topic, “Guard your private information”, but I ran out of space in this blog, so you’ll have to wait till another time for that one.
1. Manage your user accounts and passwords
Every week we read about yet another major security breach, with personal data of millions of people being leaked. In one recent breach, Marriott hotels leaked information about hundreds of thousands of customers (estimates vary between 350,000 and 500,000).
When a breach happens, hackers typically get a list of usernames and passwords that were in use on the breached systems, as well as personal and financial information. One of the things they can then do is to try those passwords on every other site they can think of. This isn’t just a matter of someone typing in the passwords at a keyboard to see where they work. Hackers use scripts that try millions of known passwords against many thousands of different web sites. What this means is that if you have used the same password on multiple different sites, if even one of those sites is breached then hackers can potentially access every single account where you have reused that password.
Ideally you need a different username, and a different complex password for every login. But this is not easy when you might have hundreds of different accounts. I just counted how many different accounts I have, and I discovered more than 200 different logins that I use, for shopping, travel, managing my money, social media, utility companies, government, and more.
Some people use a common password for what they consider to be low risk sites, and just set unique passwords for sites that seem more critical, like their bank. This can lead to problems when a “low risk” account turns out to be more significant than you realised. It might leak personal information that helps hackers to go on to breach a more secure account.
For example, if your mobile phone company confirms orders through an old email account that you rarely use and have forgotten about, a hacker who takes over that email account may take over your phone number and use it to impersonate you elsewhere. Similarly, if a hacker breaches a site where you used your common password because you only intended to make a one-off purchase, and the company kept a copy of your credit card details online, they get your common password and your credit card details too. Even if the shopping site doesn’t have your credit card details, the information it holds about your purchases may be enough for a hacker to craft a convincing phishing attack: “Dear Stuart, the shirt you bought last week was from a defective batch, please click this link to obtain a refund”.
Use a password manager
If you want to create a different, complex, password for every site where you log in then you could store them all in a password protected spreadsheet or document, but it is much better to use a password manager.
Password managers do much more than just store passwords. Typical features that you find in these software products include:
- Protecting all your saved usernames and passwords with a single (hopefully very complex) password that only you know
- Automatically navigating to web sites and entering your information into the relevant fields
- Automatically capturing usernames and passwords when you enter or change them
- Generating random passwords that match specified criteria
- Synchronising saved encrypted passwords to a cloud service so that you can use them on many different devices
- Support for a range of browsers so that you can log in using whichever you prefer at the time
- Support for a range of platforms, typically including Windows, Mac, iOS and Android.
Some password managers are free, others charge, or have a premium and free version with different features. Some of the products that you should consider are:
Once you start using a password manager, you’ll wonder how you ever managed without one. It makes things really easy. It takes a bit of effort to set up, and to get used to the user interface, but then you can create long complex passwords for every site and use them with virtually no effort.
Use two factor authentication
Long complex passwords help to keep your accounts secure, but they are not enough. There are lots of tricks that hackers can use to get your passwords, especially if you ever use public WiFi in hotels, airports or coffee shops.
Two factor authentication makes use of two different ways to prove who you are. Because it relies on two completely different things, it is much harder for a hacker to take over your account. Each login requires you to use two things from:
- Something you know, like a password or a PIN
- Something you have, like a credit card, a security token, or a security certificate stored on your device
- Something you are, like a fingerprint or a face shape
- Somewhere you are, like a particular wireless network, or a GPS location
Some web sites will allow you to use a text message sent to a mobile phone, or a code sent in an email message, as a second factor. This is better than just using a password but is not as secure as other options, because there are well known ways to intercept email messages and phone text messages. The best option for personal use is either an app, such as Google Authenticator, or a hardware token such as a YubiKey.
Many different sites and software products support two factor authentication, for example
- You can enable it on social media sites like Facebook, Twitter, and LinkedIn
- Many banks and other financial sites provide a second factor in the form of a hardware token that generates a code to use when you log in
- Some software products support two factors, for example you can set up two factor login for most of the password managers listed above
Use a VPN service
If you ever use public WiFi, for example at hotels, airports or coffee shops, then hackers have another opportunity to breach your security. There are a number of different ways that they can compromise your security, including setting up a fake WiFi hotspot that directs all traffic via their own servers.
The best way to protect yourself from this kind of attack is to use a VPN service. After you connect to the WiFi network, and before you do anything else, the VPN service sets up a verified and encrypted connection between your device and a VPN server. The VPN server then routes all your internet traffic on to its destination. This prevents anyone on the local WiFi network from seeing anything about your internet activity, or interfering with it.
You can find a detailed comparison of available VPN products at That One Privacy Site.
2. Protect your computers, tablets, and phones
It is extremely easy for computers, tablets, or phones to be infected with malware that can have devastating consequences. Ransomware can encrypt all your files and demand money to get them back; cryptojacking can take over your device and use all your CPU power to generate bitcoins for an attacker; viruses, worms and trojans can be used to completely own your device and use it for launching attacks on other computers, or just to cause problems for you.
Some of the things that you can do to protect yourself include:
Keep patches up to date
Don’t delay when it comes to installing operating system patches. As soon as a patch is available, knowledge of the bug it fixes becomes widespread, and it is likely that people will be trying to exploit that bug. If you wait a few weeks to install the patch, that may give them long enough to get you.
Don’t just patch your operating system. Application software also requires regular patches. Some applications will download these automatically, for example web browsers such as Chrome and Firefox will prompt you to update to newer versions, but you need to monitor other applications and keep them updated manually.
There are tools available to help with this, but none of them is completely satisfactory. I use a product called SUMo, which identifies what updates I need and provides a link to download them, but the download links are not always effective.
Keep anti-virus software up to date
You really must run anti-virus software on all of your devices, keep it updated and run regular scans. There are plenty of free options to choose from, depending on what platform you use. For example Sophos has free products for Windows, Mac and Android, but you should search online for reviews which will probably be updated more frequently than this blog post.
Be aware of phishing – don’t just click on links
Phishing is often used by hackers to get you to download and run software. Typically, it arrives in the form of a link in an email, text message, or social media post, but it can also be embedded in a PDF or Office document. It used to be fairly easy to recognise phishing attacks because they generally had poor grammar and obviously risky links, but the scammers are getting cleverer and some of the attacks are really hard to spot.
You need to be vigilant. If you get a link in a message from a friend then don’t just click it, think about what sort of messages that friend usually sends you. Maybe contact them and ask if they really sent the message. If you get an email from a bank or other financial institution, don’t use the link in the message to access your account. Open your web browser and navigate to the site yourself.
Create regular backups, especially of important data files
If your computer or device is compromised, then you can probably restore it to the state it was in when it left the factory. This will remove any malware, but if your precious data has been compromised then your only way to recover is to restore a backup. You could use backup software like Acronis TrueImage or StorageCraft ShadowProtect, but even if you don’t then you should store copies of important files in a safe location, even if you just send them to your cloud email service on a regular basis.
3. Protect your IoT devices
Many devices that we introduce into our homes have computing capability and network connectivity. This includes TVs, and the various things we connect to them; smart speakers such as Amazon Echo or Google Home; smart light bulbs; home automation systems; webcams; and more exotic devices such as smart toasters, kettles and toothbrushes.
All of these devices are effectively computers on your home network and can be attacked and taken over by hackers. If you want to see the potential scale of the problem then have a look at Shodan, a web search engine that locates and identifies insecure IoT devices.
The advice in this section of the blog also applies to home networking devices such as routers and wireless access points.
Change default passwords
The first, and most important, thing you should do with any IoT device is to change any default passwords. Pick a good strong password and make sure you store a copy, preferably in your password manager.
Keep firmware and software up to date
Like every other computer, these devices run software which can be compromised. The vendors regularly release updates and patches and you need to ensure these are installed.
Disable features you don’t need
Many devices come with lots of features that are rarely used. Once you know which features of the device you want to use, it is good practice to disable any functionality that you aren’t using. This reduces the ‘attack surface’ and helps to make it less likely that your device will be compromised.
We are becoming increasingly dependent on the internet, and our homes are full of computing devices, which are getting more sophisticated. The internet and our devices are very popular, and contribute to our quality of life, but they come with risks. If you use them without thinking about the risks then one day you will be attacked and the consequences might be severe.
If you use the available countermeasures, like good passwords, two factor authentication, and patch updates, then you can help to protect yourself, your home, and your family from the worst effects of an attack.
Image credit: Ready Elements