Protecting Yourself Online
This week we are going to address how to stay safe online. This is an incredibly broad topic and I think I could write a book about it. The only problem with writing a book is that the threats change on an almost daily basis which means the defenses and tips change almost that fast.
So, we will address this topic at a high level and try to provide some good information.
During week 1 we talked about how to protect your network with network segmentation as the first line of defense against external and internal attacks.
This week, we’ll move to endpoint security: securing your operating system, web browsers, and online accounts, along with some best practices and tips for staying safe online.
Securing endpoints has always been a challenge, as they have been a favorite target of attackers. The problem of vulnerable computers goes far beyond securing your computer and home network. Any Internet-connected computer that has been compromised could be used as part of a botnet to attack and take down other Internet systems or even slow down large parts of the Internet. Cybersecurity is bigger than all of us and is the responsibility of everyone for the good and welfare of the Internet at large.
Operating system security
Endpoint and operating system security is really made up of many things, but to keep this blog post from becoming a textbook, we will focus on the following four items:
- Whole disk encryption is basically encrypting your whole hard drive so that if someone steals or gains access to your drive, they cannot read any of the data without the encryption key (the password that you set). This is also important so that when you get rid of your computer, the next person does not run some basic forensic tools on your drive and get all of your data. This has been happening for years, from purchasing hard drives online, to old printers, copiers and fax machines, and pulling all of the data - such as this story where missile defense data was discovered on an old hard drive.
It’s best to enable whole disk encryption on a new computer, but it can be applied at any time. On a Mac, this feature is called "FileVault" and it can be found in Preferences > Security & Privacy > FileVault. This page will walk you through enabling FileVault.
On a Windows system you may or may not have this feature already built in. For some reason, Microsoft has really dragged their feet on integrating whole disk encryption, except on more expensive versions of Windows (Ultimate, Pro and Enterprise versions). The Microsoft solution is called "BitLocker" and it works well and fairly seamlessly with Windows. If you don’t have BitLocker, you may want to opt for one of the free solutions like VeraCrypt. This article gives an overview of both options.
No matter what solution you use, be sure to whole-disk-encrypt any system that is storing sensitive data or has access to sensitive data, especially if it is a laptop or computer that is not otherwise behind locked doors.
- Good system passwords are essential to securing a computer that goes with you. Even if you are using whole disk encryption, if your encryption key (password) is something easy to guess (12345) or is taped on the bottom of your laptop, the encryption is bypassed, and you are no longer protected. Passwords should be more like passphrases. The most important aspect of a passphrase is that it should be long - at least 12 characters. An example would be: "I have to take Fido out at 7am!" This has uppercase, lowercase, numbers and special characters, is 31 characters long with spaces, and is very easy to remember.
- Endpoint firewalls have become an integrated part of our operating systems these days but we have the option to enable/disable and adjust settings for them. The most important thing you can do here is just make sure it is enabled.
On a Windows system, the firewall is called Windows Defender and is found in Settings > Windows Security > Firewall & network protection. Be sure this is enabled.
On a Mac, the firewall can be found in Preferences > Security & Privacy > Firewall. Be sure this is enabled.
- Patching is critical for all computers. Every month we get security patches for all of our devices because every month new vulnerabilities are found. Over the years, we have seen operating systems like Windows and macOS move from making you download and install patches on your own to automated patch updates every month. Not everyone likes automated patching, and, in some cases, you can turn it off. Most software companies have taken the responsible approach of automated patching, which is great, except when your Windows laptop boots up overnight on the second Tuesday of the month and you forgot to save your open files.
On a Mac, go into the App Store and click on App Store > Preferences and make sure Automatic Updates is checked.
On a Windows system, go into Settings > Update & Security > Windows Update > Advanced Options and make sure your system is up to date. Windows 10 will likely not show you an option to disable patching.
Web browser security
So far, we have talked about network security and operating system security. Now let’s address application security. The most popular application used on Internet-connected systems today is, hands down, the web browser. According to a May 2018 article, Google Chrome is the most popular browser, followed by Firefox, Edge & Explorer, then Safari. No matter which browser you use, it is likely the application you use most on your computer if you are an average Internet user. All of these browsers are modern and kept up to date with automatic patching, so from a cybersecurity perspective we need to focus primarily on plug-ins, extensions, or add-ons - whatever your browser calls them. According to a September 2018 article by Brian Krebs, a hacked Chrome extension was used to send usernames and passwords to a rogue server.
This is just one example of how attackers are directing attacks against the browser rather than the computer itself. The best thing you can do is check your browser extensions regularly and make sure there is nothing loaded that you don’t know about or don’t trust. According to one study, most browser users have about 10-20 extensions installed on their browsers with many having well over 40. That is a lot of extra software added to your browser that could give bad actors a way into your browser. It is also likely to slow your browser down a lot!
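As an added example (not part of the original post), here is one way to do that regular check for Chrome in Python: it reads each installed extension's manifest.json and lists the ones that request broad access. The folder layout is Chrome's own; the BROAD shortlist and the function names are choices made for this example.

```python
import json
import sys
import tempfile
from pathlib import Path

# Shortlist (an assumption for this example) of permissions that expose pages, traffic or credentials.
BROAD = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*",
         "webRequest", "cookies", "tabs", "history", "clipboardRead"}

def audit_extensions(ext_root):
    """One record per <ext_root>/<extension id>/<version>/manifest.json (Chrome layout)."""
    findings = []
    for manifest in sorted(Path(ext_root).glob("*/*/manifest.json")):
        ext_id, version_dir = manifest.parts[-3], manifest.parts[-2]
        try:
            data = json.loads(manifest.read_text(encoding="utf-8"))
        except (OSError, ValueError):
            # Corrupt or unreadable manifest: report it instead of silently skipping.
            findings.append({"id": ext_id, "name": "<unreadable>",
                             "version": version_dir, "broad": ["<unknown>"]})
            continue
        # Manifest V2 mixes hosts into "permissions"; V3 uses "host_permissions".
        requested = set()
        for key in ("permissions", "host_permissions", "optional_permissions"):
            requested.update(p for p in data.get(key, []) if isinstance(p, str))
        # Content scripts gain page access through their own match patterns.
        for script in data.get("content_scripts", []):
            requested.update(script.get("matches", []))
        findings.append({"id": ext_id, "name": data.get("name", "<no name>"),
                         "version": data.get("version", "?"),
                         "broad": sorted(requested & BROAD)})
    return findings

def report(ext_root):
    """Text lines for the audit, extensions with the broadest access first."""
    rows = sorted(audit_extensions(ext_root), key=lambda r: -len(r["broad"]))
    return [f'{r["id"]}  {r["name"]} {r["version"]}  broad access: '
            f'{", ".join(r["broad"]) or "none"}' for r in rows]

if __name__ == "__main__":
    if len(sys.argv) > 1:          # real use: pass the profile's Extensions folder
        root = Path(sys.argv[1])
    else:                          # otherwise audit two constructed manifests
        root = Path(tempfile.mkdtemp())
        for ext_id, perms in {"aaaa": ["storage"], "bbbb": ["cookies", "<all_urls>"]}.items():
            (root / ext_id / "1.0_0").mkdir(parents=True)
            (root / ext_id / "1.0_0" / "manifest.json").write_text(
                json.dumps({"name": ext_id, "version": "1.0", "permissions": perms}))
    print("\n".join(report(root)))
```

A name that shows up as `__MSG_...__` is a localization placeholder; match the extension ID against your browser's extensions page to see what it is.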
The last topic to discuss in this blog is online accounts and security. This is another big topic so we will hone it down to a few items to keep this blog post readable.
Passwords. We love to hate them, and we hate to use them. Don’t worry, there is a lot of work happening to get rid of passwords. Here is one example, but for now, we have to live with them. As I mentioned earlier, make passphrases that are over 12 characters long and yes, you can use spaces in most cases. Make sure you create something you can remember. A better option would be to use a password manager.
The best approach to passwords is to have a unique password for every website, application, etc., but how are we supposed to remember hundreds of unique passwords or passphrases? You’re not! This is where the password manager comes into play. This is a tool that will store all of your passwords and other sensitive data in an encrypted blob on your computer and, optionally, in the cloud. You alone should have the keys to decrypt your blob of data and thus you only need to remember one password, that of your password manager.
In many cases, the password manager will even enter in the password for you, so feel free to have a 45-character password if the site allows it because you won’t even have to type it in! Here is a review of password managers from July 2018. Your browser will likely offer to store passwords for you as well but there are some risks associated with that. However, it is a far better solution than reusing passwords because if an attacker learns a username password pair, they will try that combination against every social media and Internet service they can find. I have only used a few password managers, and I have been a happy LastPass user for years.
Phishing attacks are prevalent and growing in number. They are also much more advanced than in the past. Read this blog and this one to learn about some of the more advanced attack types and how to identify them. STAY ALERT!
This one is a little more advanced, but be aware that changing the DNS settings on your computer can help reduce the attack surface. DNS, or Domain Name System, is the way that a domain name (www.google.com) is turned into an IP address (22.214.171.124). The Internet doesn’t know what "google.com" is, so DNS acts like an address book to translate that domain name into something that can be routed on the Internet. When you use the Internet, you are likely using your ISP’s DNS. This is fine, but there are some public DNS servers that offer a lot more than just address translation.
Changing your DNS servers to 126.96.36.199 or 188.8.131.52 can add some additional threat intelligence to your Internet browsing. So, if you, or more likely something malicious on your computer, happen to try to go to a malicious Internet address, these DNS servers will not allow it.
I hope you found this to be helpful, and I wish safe computing to everyone!