Five Steps To Keeping Yourself Secure Online
Target audience: people who use the Internet who are not security professionals. Do these 5 steps consistently and you will be well-protected against many of the online threats.
Threat Model: for this article, I’m assuming that the threat the user is facing is the standard cyber criminal one, e.g., Dridex, Pony, Locky and other ransomware variants, etc. and the associated spam/phishing campaigns and exploit kits which deploy them. If you are legitimately concerned about nation state adversaries, then you should know better than to be taking advice from random blogs on the Internet! Talk to Citizen Lab instead.
#1 Don’t click on suspicious links and don’t open unsolicited attachments
Attackers like to use Exploit Kits to compromise users and distribute malware, although these kits have become less prevalent in recent times. Malware aimed at normal users is often one of the following:
- Ransomware (like Locky or Cerber) which encrypts your files and holds the decryption keys for ransom (typically Bitcoin)
- Credential-stealing malware (like Pony or Vawtrak) which attempts to harvest your usernames and passwords
- Banking Trojans (like Trickbot or Dridex) which attempt to steal the login credentials for your bank accounts
Exploit Kits are typically deployed to compromised legitimate websites or ad networks. They profile your web browser looking for vulnerable software and plugins, which they then exploit to drop malware. Anti-virus can sometimes catch this stuff, but it’s more effective to not visit suspicious sites (#1), use an ad-blocker (#5) and patch your system, especially your browser plugins (#2).
Don’t ever enable Macros in an MS Office document. Just don’t.
Suspicious links can be links to sites you don’t know or don’t normally visit. They can be links which closely resemble a site you trust (this is called typo-squatting). If you are suspicious of a link, you can try URLquery or Phishtank to see if other people have flagged the link as malicious. Best not to click anyway if you’re unsure!
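To make the look-alike idea concrete, here is an added example (not part of the original article) that compares a link's hostname against a short list of trusted sites and flags near misses. It goes slightly beyond typo-squatting by also flagging a trusted name used as a subdomain and punycode hostnames; the trusted list, the verdict names and the sample links are assumptions made for illustration.

```python
from urllib.parse import urlsplit

# Assumption: a personal allow-list of sites the user really uses.
TRUSTED = ("amazon.com", "facebook.com", "google.com", "paypal.com")

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, computed one row at a time."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                # delete from a
                           cur[j - 1] + 1,             # insert into a
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]

def check_link(url: str) -> str:
    """Classify a link as trusted, a look-alike of a trusted site, or unknown."""
    host = (urlsplit(url).hostname or "").lower().rstrip(".")
    if not host:
        return "no-host"
    labels = host.split(".")
    # Simplification: the last two labels are taken as the registered domain;
    # real code should consult the Public Suffix List (co.uk, com.au, ...).
    registered = ".".join(labels[-2:])
    if registered in TRUSTED:
        return "trusted"
    if any(label.startswith("xn--") for label in labels):
        return "punycode"              # internationalised name, may mimic Latin letters
    for good in TRUSTED:
        if host.startswith(good + "."):
            return "subdomain-trick"   # trusted name is only a prefix of another domain
        if edit_distance(registered, good) <= 2:
            return "lookalike"         # one or two keystrokes away from a trusted name
    return "unknown"

# Constructed sample links (not taken from any real campaign).
SAMPLES = [
    "https://www.paypal.com/signin",
    "http://paypa1.com/login",
    "https://paypal.com.account-verify.example/login",
    "https://xn--pypal-4ve.com/",
    "https://gooogle.com/",
    "https://weather.example/today",
]

if __name__ == "__main__":
    for link in SAMPLES:
        print(f"{check_link(link):16} {link}")
```

An "unknown" verdict only means the name does not resemble anything on the list; it says nothing about whether the site is safe.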
#2 Patch/Update your systems (and make backups!)
In order to drop malware onto your system, an attacker will need you to execute code on their behalf. Typically, you don’t want to do this, so your Operating System and applications will have protections against attackers injecting code into them. These protections sometimes fail, and that causes a vulnerability. Some vulnerabilities can be exploited by an attacker to run code on your system. When vendors catch these vulnerabilities, they often patch them, thereby making it harder for an attacker to exploit your system. Indeed, most attacks leverage known vulnerabilities.
So, patch everything! That means:
- Browser plugins. These are the BIGGEST targets for attackers, so you MUST have your browser plugins updated, especially Flash (better yet, uninstall it and use HTML5 video, as it will be end-of-life in 2020 anyway), but also Java and Silverlight (again, my preference is to simply uninstall them; you hopefully don’t need them anymore)
- Operating System (Windows, Mac, Linux) — even better to enable automatic updates
- Web Browsers (Firefox or Chrome — don’t use IE or Safari), they should update automatically, but it’s worth manually checking that they actually are
- Applications (MS Office & Adobe Reader are the main culprits here)
- Servers that you run which are connected to the Internet (in particular any CMS like WordPress or Drupal that you use for personal web pages, photo sharing, etc.)
- Mobile devices (Android is terrible for this, iOS is much better) and their applications (e.g., Google Play Store or iTunes)
- Anything else you can lay your hands on (BluRay players, DVRs, IP cameras, Wireless access points, whatever…)
Making backups (Windows Backup, Time Machine on the Mac, Déjà Dup on Ubuntu) also helps to protect you against certain types of Ransomware which don’t encrypt attached storage devices. Unfortunately, some variants do encrypt attached storage. Most Ransomware targets Windows systems, but it’s a good idea to keep backups no matter which platform you’re using.
Attackers love to reuse your passwords. Attackers love to guess your weak password by using wordlists full of common passwords. The typical workflow is to break into some poorly-secured website (like a forum site) and grab all the stored passwords. Once the passwords have been uncovered from the password hashes (how passwords are stored internally by the server), the passwords are then reused against high-profile sites like Google, Facebook, Amazon, PayPal, etc. This is called Credential Stuffing. The weaker the passwords are, the less work the attackers need to do. The more widely reused a password is, the greater the exposure.
The solution is to use long, complex (upper case, lower case, numbers & special characters — not based on a dictionary word), unique passwords for each site. This means that if an attacker gains access to a site that you use, they might not be able to break your password as it’s not a common one that can be easily guessed. If they do guess it somehow, it won’t give them access to any other site used by you. This is a good thing.
In reality, it’s simply too hard for a human to do this, so you need to use a handy bit of software called a Password Manager to manage these long, complex, unique passwords for you. I use LastPass. But Dashlane, 1Password or any other well-known Password Manager will do the job nicely. There are trade-offs with these services, of course, and they’re not immune from security issues themselves, but it’s worth the cost.
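The criteria above (unique per site, not a common password, long, and using all four character classes) can be checked mechanically. The following is an added example, not part of the original article, that audits a set of stored logins against them; the sample vault, the tiny wordlist and the 16-character minimum are assumptions chosen for illustration.

```python
import string
from collections import defaultdict

# Constructed stand-in for the large common-password wordlists attackers use.
COMMON = {"password", "123456", "qwerty", "letmein", "dragon"}

CLASSES = (string.ascii_lowercase, string.ascii_uppercase,
           string.digits, string.punctuation)

def audit(vault, wordlist=COMMON, min_length=16):
    """Return {site: [findings]} for every login that breaks a rule.

    min_length=16 is an assumed threshold for "long"; the article gives no number.
    """
    findings = defaultdict(list)
    sites_by_password = defaultdict(list)
    for site, password in vault.items():
        sites_by_password[password].append(site)
        # "Password1!" is still "password": strip trailing digits and symbols
        # before the wordlist lookup, the same mangling a guesser would undo.
        core = password.lower().rstrip(string.digits + string.punctuation)
        if core in wordlist or password.lower() in wordlist:
            findings[site].append("common")
        if len(password) < min_length:
            findings[site].append("short")
        if not all(any(ch in cls for ch in password) for cls in CLASSES):
            findings[site].append("missing-class")
    # A password shared between sites is what makes credential stuffing work.
    for sites in sites_by_password.values():
        if len(sites) > 1:
            for site in sites:
                findings[site].append("reused")
    return dict(findings)

# Constructed sample vault (site -> password); none of these are real credentials.
SAMPLE_VAULT = {
    "forum.example": "Password1!",
    "bank.example": "Password1!",
    "mail.example": "kV9#tq2LmZ!x7Rw@pD4s",
    "shop.example": "correcthorsebattery",
}

if __name__ == "__main__":
    for site, problems in audit(SAMPLE_VAULT).items():
        print(f"{site:15} {', '.join(problems)}")
```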
#4 Use Two Factor Authentication
Also known as Multi Factor Authentication. It basically means that there is an additional authentication step which needs to be taken before you can log in with a username/password. You may be familiar with hardware tokens issued by banks which provide you with a one-time password (a temporary password that is only used once) to authenticate yourself with. This is a strong security control, as an attacker needs access not only to your username & password, but also to however you do your Two Factor Authentication, typically your mobile phone or a U2F device like a YubiKey. Effectively, you can give out your username & password or have it stolen via the Pony malware (#3) and an attacker still won’t be able to log in as you.
Google Authenticator works pretty well. Facebook and Twitter also support Two Factor Authentication and Amazon is in the process of rolling it out. Use it. SS7 interception is becoming a bigger threat against SMS-based two factor authentication, so don’t expect it to keep you safe against well-resourced threats.
#5 Use an Ad-Blocker
Exploit Kits (#1) are often distributed through online adverts (a.k.a., malvertising — often exploiting Flash (#2) like the attack which used Forbes’ “Thought of the Day”). Nobody likes adverts anyway, so just block them. I use uBlock Origin for Firefox & Chrome (don’t use IE or Safari anyway). This protects you from attackers and makes your web experience much more pleasant. Win-win!
A Word on Anti-Virus
They’re better than nothing. Marginally. So you should use one. Kaspersky is pretty much the best. But in terms of keeping yourself safe from how attackers actually attack in the real-world, I believe that the above 5 steps are more effective.
If you’re a power Windows user, you should be using EMET. However, EMET is now end-of-life and its mitigations are being rolled into Windows 10 anyway. Which you should be using. Seriously.
An excellent complement is Hardentools, which disables many of the riskier Windows features like Windows Script Host. I use it myself and am pretty happy with it.
- The Grugq knows what he’s talking about. Read his free security advice article.
- The head of NSA TAO talks about how to disrupt and obstruct nation-state hackers, more of interest if you’re securing an organization rather than an individual user, but there’s still a lot of overlap. You can see the full video on YouTube.
- The excellent site adsecurity.org has an article on developing a secure baseline for Windows workstations. Highly recommended.