Cyber Self-Defense 101

What cyber professionals do to not get hacked

Idan Dardikman
6 min read · Apr 21, 2020
Photo by Elijah O’Donnell on Unsplash

A few days ago my friend Michelle came to me in panic. She just received a disturbing email:

“I hacked you and recorded you in intimate situations! If you won’t pay me $1000 by the end of the week I will publish it online and you wouldn’t be able to leave your home”. The attacker even attached a password used by Michelle, as proof that she really got hacked.

I’ve been working in information security for a decade now, so I often hear stories of people who got hacked. Michelle’s story got me asking myself why so many of my friends, most of them highly educated, don’t know the basic principles of cyber self-defense. When I build a defense program for a corporation or a government agency, there are many technical considerations — but when it comes to individuals, there’s no need to purchase expensive software, switch phones or deal with complicated installations. A basic understanding is enough to mitigate most threats.

Actually, there are three easy and free steps anyone can take to be well protected:

  1. Use a password manager
  2. Be aware of phishing
  3. Update your programs and applications

At this stage, you can stop reading and just implement the three steps above. But I believe that for true learning, it’s not enough to be told what to do — you must understand why you do it. In the rest of this article, I will describe clearly and simply how attackers think and operate in cyberspace, and how each of the steps above protects you.

Why These Steps?

Well, your accounts, computer, and phone are protected by passwords. If attackers want to take over one of your accounts, they have three options:

  1. Guess your password
  2. Trick you into giving them the password
  3. Find an exploit in the software you’re using, so they can get in without a password

The steps I mentioned will prevent the most common attacks for each one of the options above. Using a password manager will get you strong passwords that cannot be guessed, phishing awareness will prevent you from falling for attackers’ tricks, and updating your software will minimize the exploits available for attackers.

Will I Be 100% Secure?

No. There is no such thing as being 100% secure, anyone who says differently is selling something.


In digital security, just like in physical security, the first question is who our threat is. Most of us lock our front door at night before we go to bed, but we know that it wouldn’t stop the CIA from breaking in. We know well enough that our door lock is meant to stop local thieves and unwelcome guests, not international superpowers, and that’s completely fine. In the digital world it’s the same deal — our safety measures won’t stop every kind of threat, but they can still be very effective in stopping the threats that are relevant to us.

First Step — Use a Password Manager

Why is it Important?

We all know how to make a strong password — it should be long, hard to guess, and contain lowercase and capital letters, symbols and digits. That’s nice in theory, but once we’ve created such a password — how the hell are we supposed to remember it? Each of us has dozens of accounts on different apps and websites, and each of those needs a password — remembering a strong and unique password for every one of them is flat out impossible.

Most people solve this problem in one or both of the following ways:

  1. Give up strong passwords and use short easy-to-guess ones
  2. Start using the same password in different accounts

Needless to say, both of these options are terrible — it means that the passwords that should protect you are weak. This is equivalent to locking your house with a $1 lock that can be cut with scissors.

Photo by iMattSmart on Unsplash
Don’t use a $1 lock to protect your most precious items

Other than those, some people have found what looks like a clever technique — they create one strong password and reuse it with small variations across different accounts. Unfortunately, once an attacker gets hold of one of those variations, they can easily work out the rest.

The Attacker’s Perspective

Not all websites have the same level of security. Usually, attackers would like to take over your bank account or your Facebook — but sadly for them, those sites are relatively well secured. So, attackers will often break into a weaker website and steal users’ information and passwords from that site. Once the attackers have the passwords, they will try them on the sites they’re really after — and users who reused passwords will get hacked.
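The reuse and small-variation habits described here and in the previous section are something you can check on your own list of accounts. This is an added example, not code from the article: the account names and passwords below are constructed, and the generator at the end shows the kind of random password a password manager produces for you.

```python
# Added example (not from the original article): audit a set of account
# passwords for exact reuse and near-variants, then generate a random one.
import math
import secrets
import string

# Constructed sample credentials, purely illustrative.
SAMPLE_ACCOUNTS = {
    "bank": "Summer2020!",
    "social": "Summer2020!",       # exact reuse of the bank password
    "shopping": "Summer2021!",     # "small variation" of the same password
    "forum": "hunter2",            # short and guessable
    "email": "k9#Qw!zP3$vL8mRt2",  # unique and random-looking
}

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: single-character edits needed to turn a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def find_reuse(accounts: dict, max_edits: int = 2) -> list:
    """Return (account_a, account_b, distance) for every pair whose passwords are
    identical (distance 0) or differ by at most max_edits characters. A breach
    of either account's site exposes the other one as well."""
    names = sorted(accounts)
    hits = []
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            d = edit_distance(accounts[a], accounts[b])
            if d <= max_edits:
                hits.append((a, b, d))
    return hits

ALPHABET = string.ascii_letters + string.digits + string.punctuation

def generate_password(length: int = 20) -> str:
    """What a password manager does for you: a CSPRNG-chosen password."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))

def entropy_bits(length: int, alphabet_size: int = len(ALPHABET)) -> float:
    """Guessing work, in bits, for a uniformly random password of this length."""
    return length * math.log2(alphabet_size)
```

Running find_reuse on the sample flags the bank, social and shopping passwords as one family, which is exactly what an attacker holding the leaked shopping password would also discover.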

So How do I Solve That?

The industry’s best practice is using a password manager.

A password manager is software that keeps all your passwords in a virtual encrypted safe. The safe is locked with a single password, the master password, and that is the only password you have to remember. The password manager is built in such a way that without the master password, no one can open the safe. You can install the password manager on your desktop, phone, and any other device you use, so your passwords are always available to you. The password manager not only helps you remember your passwords but also generates truly random passwords that are hard, if not impossible, to guess. At first it might seem scary to hold all the passwords in a single place, but in practice this is a very safe solution. Good password managers use strong and verified security mechanisms, so if your master password is strong, the rest of the passwords will be well protected inside the safe.

How Do I Get a Password Manager?

Super easy, barely an inconvenience — there are a few decent password managers out there; just pick one and start moving your passwords into the safe at your own pace. Within a few months, most of your passwords will be protected inside the safe. Your personal security will be enormously better with almost no effort, and it’ll be much easier to log in to your various accounts.

LastPass — a free password manager

To most of my friends, I recommend using LastPass — a free, popular and intuitive password manager. It has a browser extension that fills in passwords for you in login pages, and an app for iPhone and Android.

Personally, I pay $3 a month for 1Password, which is a bit fancier, and I’m very happy with it.

The Cherry on Top — Two-Factor Authentication

If you have strong unique passwords that are kept in a password manager — you’re already doing great! However, there is one more step you can take to make your defenses even stronger — two-factor authentication (2FA). When 2FA is enabled on your account, you’ll need both your password and a short code sent to you by SMS. Now anyone trying to break into your account has a double headache — not only will they need to somehow get your password, but they will also need access to your phone. Needless to say, this is an obstacle most attackers fail to pass.

Facebook and Google’s 2FA

Nowadays most of the major services support 2FA, including Google, Facebook, Amazon and more. It is recommended to enable this option, especially on the accounts you care about most, to earn the extra safety.

In part 2 of this article, I will discuss how to detect and avoid phishing attacks, don’t miss it!
