Securing Yourself and Your Systems
Disclaimer: This post contains links to external websites, I am not responsible for the content on these websites. These links are present with the intent to allow the reader to gain a better understanding about the technical concepts mentioned.
Securing Yourself and Your Systems
Everyone, regardless of their position in society, needs to ensure their systems are secure from outside threats. We are in an age of technology where all users are seen as potential targets for cyber criminals. This can lead to some terrible issues for those of us that are not as prepared nor knowledgeable when it comes to staying safe online.
Here is where I come in, this post will, hopefully, provide my readers with enough knowledge to protect their systems from the most common threats.
What We Will Cover
- Everyday Threats to Users
- The Basic Knowledge To Protect Yourself
- Anti-Virus and Anti-Malware Tools
- Web Security and Browser Extensions
All of the comments regarding software are personal opinion. Spend time researching products and choose what is right for you. My advice will not guarantee your security, it will provide information on how to reduce the risk of being compromised. Nobody is 100% secure, do not assume the steps below will guarantee your safety.
Everyday Threats to Users
I, for one, would forgive you for assuming you are not going to be a target to cyber threats. However, there are many individuals out there that would thank you for leaving yourself vulnerable. In this day and age, end-users are not specifically targeted and may be subject to mass attacks where the threat is left to infect whomever comes across it. This reason alone is why everyone needs to understand the risk they face online.
What risks do you face everyday?
Well, the large majority of malware and threats are automatically distributed to unsuspecting users, be it through emails, webpages, downloads, or already compromised accounts.
Malicious software can lead to a number of damaging outcomes, as an average computer user you should be most worried about the following:
- Becoming part of a botnet (More Information)
- Becoming a threat to your family, friends, and other contacts
- Leaking your private details (banking details, address, email, passwords, and more) to cyber criminals
- Enabling malicious access to your webcams, microphone, and other computer accessories
Being compromised will not mean that all of these will happen, nor does it mean the threats are only subject to these points. Your computer activity and usage could lead to further risks, such as, loss of confidential work documents.
All of the threats above, and the sheer thought of being vulnerable, may leave you worrying about using your computer system. DO NOT PANIC. The chances of being hit by malicious activity is high, but, as a computer user you can take steps to ensuring you are better protected and prepared.
The Basic Knowledge to Protect Yourself
There are some very simple, minimal effort steps you can take to ensure base-level protection for you and your devices. Now that you know the potential damage caused by cyber threats, you can learn what to look out for and how to reduce the risk.
Where might you be at risk?
There are many ways you could be on the receiving end of an attack. Later sections will provide you with standard methods of adding extra layers of security to your system.
We can be as careful, suspicious, and paranoid as possible when it comes to our interactions online; this cannot guarantee that nothing will slip through our cyber cracks. So, where are we likely to encounter threats?
Threats come in all shapes and sizes, here are some of the likely sources. Make sure to keep reading to see how to protect yourself.
- Unsolicited contact: Emails, texts, messages, and popups. These are the basic level of phishing (More Information) and social engineering (More Information). Links, especially shortened ones, are often included as a method of directing a user to servers containing malicious scripts, files, and information.
- Advertisements: Many websites use advertisements to gain a revenue from their website views. These advertisements are usually through third-party services, like Google’s AdSense, to promote products, services, and websites. However, these advertisements may not be all what they seem and will often lead to malicious webpages. A perfect example:
- Applications: Systems have come a long way, enabling a wide variety of applications to be available to users. These applications range from web-based, desktop, and mobile. We need applications on a day-to-day basis, whether it is to complete work or pass our time with fun activities. However, a portion of these applications are malicious be it from the moment of installation or embedded in a seemingly legitimate piece of software.
- Compromised Assets: Ever been to a website that suddenly seems different to your previous visit? Perhaps it was just updated, but, there is always a possibility websites, applications, and others have been subject to an attack. This leaves you open to contracting the same malware.
- Human Beings: One of the biggest threats to you is yourself and others. We all make mistakes, these mistakes compromise the security of our own systems and pose a threat to others you interact with.
Great, we know the potential threats and vulnerable points. Let’s get started with protecting our systems. As human beings pose a major threat to us, we shall cover the quickest, most efficient fix.
GET INFORMED. This blog, and others, are there to help the average user to protect themselves.
The best way to ensure humans are not a threat is to get yourself informed, get them informed, and ensure you share the most basic knowledge with anyone you meet. The internet is extremely accessible, many users are not tech-savvy, nor do they recognise the potential threats outside of having a good password.
Anti-Virus and Anti-Malware Applications
The next biggest threat to your system is malicious applications and software. Why does this rank above the others? Many of the other threats will be means of attempting to place dangerous applications on your computer. I believe the best method of protecting oneself is by building layers from the ground up. The following is a basic diagram of my personal security-based layer system (The lower layers are where I believe you should focus your efforts first).
Applications can be malicious in many ways: hidden in seemingly legitimate applications, applications with the pure purpose of malicious activity, and supply-chain attacks (More Information).
Applications may seem reasonably safe to use, perhaps they fulfil the purpose that you downloaded them for. However, we must recognise that applications can have background processes that act in a malicious manner. These sort of applications are known to contain Trojans (More Information).
Face Value Malware and Viruses (and Ransomware)
These applications are the most blatant when it comes to malicious intent, they take no steps to hide their malicious activities. Upon installation, you will most likely see drastic changes to your computer system or other applications. One of the scariest attacks is ransomware (More Information), a piece of malware with the single intent of sending you to data hell.
This is not a specific type of malware, nor is it that easy to sniff out and eliminate. However, as an end-user you must recognise that ‘trusted’ distribution points and ‘trusted’ software updates may not always be as they seem. We must realise that cyber criminals can exploit the vulnerabilities that application distributors have overlooked. A prime example of a supply-chain attack is the well-trusted and heavily used software CCleaner (News Article).
- Virus (More Information)
- Malware (More Information), while Malware is a term that covers the majority of malicious software (including viruses), the terminology virus is often used by many computer users.
The Potential Threats and Damages
Malware can be used in many ways to cause damage to you and your computer system. The following list will give you the most common threats of malware. This list is just a generalisation, malware could have an infinite number of uses.
- Spyware (More Information): Mainly used to log your information and send the data to cyber criminals. These can become very intelligent and target your system when accessing certain webpages: banking/financial services, social media, email accounts, and other login-based websites. Your passwords are at high risk with this sort of malware, mainly due to encryption not being able to obscure your keystrokes. Spyware encompasses the stealing of sensitive information.
- Adware (More Information): This type of malware may not be as damaging, nor as sneaky as others. You will be able to tell that you are infected with adware based on the actions of your computer system and web browsers. This sort of malware attempts to push a variety of advertisements on you, through desktop popups, search engine replacements, webpage redirects, and information tracking. Adware is mainly a for-profit type of malware where the creators gain revenue through the ads you view and marketing information sold.
- Ransomware (More Information): This malware is designed to gain revenue. As the name suggests, it will hold a type of ransom and force you to pay to release it. The success of ransomware is huge, it will often hold your files (often through encryption) and prevent access to your computer system. The opportunity to unlock your files is often time pressured, causing the less tech-savvy to pay large amounts. Payments are usually made through cryptocurrencies (More Information), this makes it much harder for authorities to track the criminals. The year of 2017 saw some dreadful attacks on important systems (News Article).
- Destruction: Sometimes, just sometimes, malware has no other purpose than to cause pain and suffering to those it infects. This sort of malware is the type to ‘brick’ your systems, rendering them as the most expensive paper weight in the office.
Protecting Your System
Luckily, there are many pieces of software designed to find malware and destroy them. Real-time protection ensures threats are caught before they are fully installed, thus saving your system from any damage. Modern day anti-malware and anti-viruses working on a constantly updating database, looking for the most recent strands of applications that are found to be security risks. Companies like McAfee, Norton, Bitdefender, MalwareBytes, and many more, have dedicated research teams ensuring optimal protection.
My Recommendations and What I Use
A lot of these require some form of subscription, but, it is definitely worth that extra £20-£50 per year. Some software have free-versions, these may not offer real-time protection yet have fully functioning (manual) scanning facilities.
Here is the combination that I use:
Bitdefender offers a very nice range of services outside of the basic scanning, protection, and threat removal. Here are screenshots from the Bitdefender client:
Now, I only have Webcam access disabled due to the use of an external webcam cover.
As you can see, Bitdefender comes with an amazing asset of features for your privacy and protection. It offers the ability to have autopilot, a function that will take full control of protecting you.
The following is a list of alternative software, however, I do believe Malwarebytes is a must have alongside whichever you pick.
I have not included the software you can often find in-store (McAfee and Norton), while they work I believe these other services are better.
Web Security and Browser Extensions
Your next access point, one where you have the potential to be vulnerable to essentially everything, is the internet. This section will include password and authentication advice.
- Secure Connections and Encryption
- Contact Points
- Authentication and Layered Security
Secure Connections and Encryption
Websites today, including this one, are often protected through SSL (often accompanied by a lock and HTTPS). The image below shows a website deploying SSL encryption (top) and a website with a signed SSL encryption (bottom).
This is a key feature to look for when accessing websites that manage login details, financial information, or any other information you wish to protect. Unprotected websites can be subject to Man-in-the-middle (MITM) attack (More Information), this will mean all data is sent through the MITM before being sent to your desired web-server. A recent vulnerability in WPA2 enabled attackers to remove a client’s encrypted connection to a seemingly protected webpage (See More). Always check for HTTPS when entering sensitive information.
However, many attackers may attempt to create phishing websites with the use of SSL to make them seem more authentic. So, ensure the domain name is what you are expecting from the website (check for malicious domain extensions). Official websites will often have a secure connection and their SSL certificate will be signed by a reputable company.
The use of SSL connections ensures all data you send through the website is encrypted. If someone managed to get their hands on it they will be unable to decipher the original information, thus ensuring your privacy and protecting your sensitive information. As a general rule, never enter sensitive data when a webpage lacks encryption. However, do not avoid all websites without SSL; they may not process any data, thus not require encryption.
Ensuring HTTPS is Everywhere (necessary) is very easy to do, the browser extension HTTPS Everwhere will ensure your connection is encrypted and secure. These extensions are available to major browsers and major mobile operating systems.
Advertisements and Tracking
The internet thrives through the advertisement economy and tracking user interests for marketing purposes. When used legitimately, advertisements and analytics can be beneficial for a website’s revenue and their end-users. This is due to the ability to tailor content to a user and provide paywall-free (More Information) content. However, this ability to track and advertise can be used by third-parties with malicious intent.
This is where browser extensions can be of use. There are many extensions that will provide automatic removal of advertisements, this can heavily reduce the risk of being open to potential malicious content. By blocking advertisements, you are able to further increase your privacy as advertising services will be unable to effectively track your interest. However, we must look to block analytics alongside advertisements to ensure a completely secure and private browsing experience.
In total, I use two extensions when it comes to removing advertisements and any possibility for analytics to track my internet usage.
- AdBlock Pro (Chrome Extension): There are a range of extensions to use for different browsers. Do not feel locked into a single extension and find the one that works for you.
- Disconnect.me (Extension): There may be alternatives to this extension, however, I would not recommend using premium services unless you truly require all the features that are offered.
Many extensions that are available are open-source, meaning they are often free to use and have an army of programmers working to improve/secure the deployed software. Sometimes it is better to take the open-source, free option than wasting money on proprietary (off-the-shelf) software.
The internet is a wonderful place, it enables communication with a huge range of individual anywhere in the world. However, this communication can be unsolicited and often contains malicious content. To become more secure, we must recognise what to look out for.
Let’s begin with the the most common type of communication, one I am sure many have experienced, email communication. Emails can be littered with phishing, social engineering, and a whole load of scams. Many email providers offer a standard of email analysis, which attempts to automatically send malicious content to the ‘spam’ or ‘junk’ folders, but it would be foolish to assume every email will be filtered and removed. So, how can we ensure our own safety when browsing emails?
There are a number of signs that will allow you to analyse an email, thus giving you a good reason to continue with it, or report and move on.
- Firstly, think about what the content includes. Were you expecting an email from the sender?
- Perhaps you are expecting an email, check the email and ensure it matches the address of whomever you know is contacting you. If in doubt, go to an official source (official service webpage), ask your friends/family if it is them, or search for the email online (see the experience of others).
- Never download any attachments or images. If you need to download them, ensure you were expecting these files from the sender and make sure the file types are what you expect.
- Check the email content. What is it asking? Official service providers should never ask your for any sensitive data through email address. If family are asking, attempt to use an encrypted form of contact to ensure your privacy. Never share your passwords or authentication details, regardless of whomever is requesting.
- Be careful when accessing links. Make sure the links are what you would expect from the sender. Hyperlinked text exists, if there is an embedded link hover over it to determine where it would send you. Avoid shortened links: goo.gl, bit.ly, or similar. Not all shortened links are malicious, but determining their redirect becomes increasingly difficult and could lead to you accessing malicious websites.
- Remember, if you believe communication is malicious you should use your email providers functions to report it. Upon reporting, many clients will automatically send the email to your ‘spam’ or ‘junk’ mail.
The majority of tips to analyse email content can be used with any type of unsolicited communication. You can receive this contact in many forms: text messages, social media communication, website chat popups, and forums. Remember, contact is not limited to the forms mentioned and you should always be on guard whenever receiving suspicious communication.
Password and Authentication
Here we will be covering good password practices and looking at the use of authentication (security questions, text/app confirmation). The use of the internet will inevitably lead to you creating accounts across a variety of services; some of which containing sensitive information. Passwords are an amazing method of securing your accounts by ensuring only you can access them. But, we must recognise that technology has advanced to a point where accounts can be compromised by a range of methods. To counter this, we must look into having standards for passwords to prevent a criminal from easily generating/guessing them.
Note: Check out https://haveibeenpwned.com/ to determine if any of your accounts have had their information leaked. Ensure you change the passwords of any accounts linked to the email address/username and do not reuse the leaked passwords.
There are a number of standards that we will be covering. Remember, do not be limited to these standards and feel free to increase your password complexity as much as you desire. First, we should look at how to store passwords in an effective manner; saving a lot of time when it comes to ‘remembering’ them all.
Password Managers (Software and ‘Hardware’)
There is a variety of software available in 2017 to store end-user passwords using encryption. Software, such as Dashlane, BitDefender (Wallet), and more can be used to store all your passwords to any website using a master password. This will enable you to have extremely complex, hard to crack passwords without having to remember around 15 unique characters for every site you access.
On the other hand, some of us prefer an old-fashioned approach to password storage: notebooks. As long as you store your notebook in a safe place, perhaps a safe, you will be able to write down all of your passwords for all of your websites without relying on the security of password manager software. Remember, if you lose your notebook you will not be able to recover any of your passwords.
Now, we understand the methods of preserving all of our complex, hard to guess passwords. These are the best practices, in my opinion, when it comes to passwords.
Password Reuse - Reusing passwords is not always a completely bad thing, it can allow you to remember your credentials for certain services (especially useful if password managers have limits). However, passwords should only be reused for accounts that do not have any financial information, recovery permissions (email accounts), personal details, or any other information you do not want to be at risk. It is down to you to determine the websites you wish to have reduced security with repeat passwords. If your password manager offers an unlimited number of accounts, it is always advised to use unique, complex passwords as you will not have the requirement of needing to remember anything.
Password Strength - The strength of your password is the most important aspect when it comes to account security. Always aim to have at least 15/16 characters in your password, these characters should not be limited and you should make use of all letters, numbers, and symbols at your disposal. A password that contains a range of upper and lower case, numbers, and obscure symbols (!”£$%^&*()-=_`’@;:,><.#~?/|\) will be considered as one of the highest strength passwords that can be entered on a system. The following list will give you some quick tips that should be followed alongside the standards I have just mentioned:
- Never have passwords that have a sequence or pattern (12345, abcde).
- Never use any aspect of your email address, username, real name, or friends/family names. P.S. Your dog’s name is not allowed either.
- Do not include ‘real’ words in your passwords, if the word is in the dictionary I would advise you avoid it at all costs.
- Randomise the locations and order of your characters, letters, and numbers. This will ensure a cyber criminal cannot make any connection between your passwords and some form of pattern.
- Use a unique password for each of your top priority accounts, these will include: banking, financial services, online stores, email accounts, social media accounts, and anything else you truly want protected.
- Always make use of multi-layered protection as this will, in theory, act as a secondary password and gateway preventing cyber criminals from accessing your account. ProtonMail uses a two-password mode:
- Never share your password with anyone at any costs.
- If you sign up for a service and your password is sent to you in the text of the email, change it immediately. You cannot guarantee that plaintext will have been encrypted.
- Do not enter passwords if you do not see the SSL encryption on the login page.
- Do not trust anyone when they ask you for your password, regardless of what they claim to be.
- Be sensible, just use your common sense when it comes to passwords. You would not want your home easily accessible so show the same respect to your accounts.
Right, at the time of writing, that is all I believe is needed when it comes to create suitable passwords for your online activities. You will have noticed that I mentioned the use of authentication and additional layers, this is where we will be leading to next.
The majority of mainstream services offer a variety of options to add an extra layer of security to your accounts. The following layers should always be taken advantage of when offered:
- Two-Factor Authentication - The use of either a mobile application, email address, or text message to receive a uniquely generated code. You will receive new codes whenever anyone attempts to access your account and is successful with the password. The website will ask you to enter this code to gain full access.
- Security Questions, Keywords, or Secrets - The majority of services will have adopted some form of two-factor authentication, but you may find some websites using more personal forms of authentication. The use of security questions, keywords, and secrets can act as an added layer of security based on something about you. However, when using security questions I would advise putting random answers to ensure nobody will be able to answer these with a short amount of research about your life. Make sure to remember these random answers though!
You may find websites using other forms of authentication, however, based on my experience; security questions, keywords, secrets, and two-factor authentication are the most used methods of layered security. The use of these additional layers is not required, but I would definitely recommend you taking the opportunity when it is offered (especially if you are reusing passwords on some services).
Overall, I just want to thank all readers for making it this far in the post. My only desire is to provide unbiased, useful information to ensure everyone is given the best opportunity of protecting themselves online. There will always be more to learn when it comes to cyber security, there is constant advancement and cyber criminals will never give up on trying to exploit innocent internet users. However, all the information I have provided will give you a head start at understanding the basics of security.
Keep an eye out for my future blog posts, I will be expanding on the topic of internet security and the use of VPNs for your privacy and data security.
If you enjoyed my post or found it remotely helpful, feel free to share it with your friends and give the post as much support as possible. Remember, the more people that gain an understanding of basic security the less vulnerable they will make you.
Thank you for the read and feel free to leave your comments/feedback. If you feel certain aspects should be improved, let me know and I can work towards creating a better resource for you.