CYBER SECURITY BASICS – aka: The advice I know you’ll ignore

Summary:

I provide a summary of some things you SHOULD do to improve your digital security. I then explain each in a little detail. Then, I admit that most people will ignore the advice. But.. here you go.


We want security but not really

Most people freak out about things like Facebook privacy settings and whether or not to use Messenger. This is a case of straining at gnats while swallowing elephants.

Neither Facebook nor Facebook Messenger is your problem when it comes to digital security. And even Experian is unlikely to be your digital undoing.

YOU are your biggest point of weakness, along with the people who share your home and/or office. It goes beyond your willingness to keep passwords like “LovePizza99” or anything similar. True: I’ve come across “LovePizza” or “lovepizza” more than once. Oh… “lovecoffee” – really – “love anything” is a problem.

But even passwords – bad ones – may NOT be your biggest challenge. I’m going to offer some simple – but very effective – ways to rethink your password strategy and your digital security overall.

For the quick learners, a short-list of things you can do immediately. I discuss each in greater detail below.

  • Passwords by service type
    Have a different password for each type of service. For instance, a password (with variations) for financial accounts that is different from your email password. Social media accounts can also get their own password. I use a different email address for financial-related accounts than I do for social media.
  • Email links are bad
    Phishing, where a hacker sends you an email that looks like it is from a legitimate service but captures your login information or infects your computer, is one of the most popular ways to steal information. When you get a notification from your “bank” – open a browser window separately and go to a bookmarked link to the institution in question. Any notifications will be there and you don’t have to follow a potentially bad link.
  • Your home network devices
    Any network devices on your home network should have their default passwords changed. This includes the router that your internet provider gave you.
  • Public WiFi strategies
    Usually, hackers are NOT sitting at your standard coffeeshop hacking information. But… they could be. If the WiFi does not provide client isolation (see below), your safest bet is to NOT visit any sensitive sites. Only go to sites that use SSL (HTTPS). Or connect through a VPN. Or, like I often do, use your cell phone as your own private access point.

Okay.. now some context or details.

PASSWORDS BY SERVICE TYPE:

First, a general rule and then an explanation.

Using the same password across multiple services is a HORRIBLE strategy.

Explanation:

If you use the same email/password combo for multiple services, let’s say… your school login and your bank, imagine what happens if one of those services is hacked. Hackers know that most people do not want to remember a lot of passwords. Once they have an email/password combination from one breach, they quickly try it against banking and investment institutions (this is known as credential stuffing).

Here is what I do:

First, use passphrases. “M!acct25” is likely easier to break than “TheENDofrworldisCOMING”. You can still throw a number or special character in there. But 22 characters is challenging for hackers.

Next, use a variation of a passphrase for any banking/financial service websites. NOT the same passphrase – but it can be close. However, this should be distinct from your email password and any social account passwords.

Use another passphrase for your email accounts.

And use a different password for your social media accounts.

I take it a step further. I use a different email address for my financial services related information than I use on my social media accounts.
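The service-tier rule above can be checked mechanically against a password-manager export. This is an added audit script, not code from the post; the account list is a constructed sample, and the tier names, the 16-character minimum and the "within 3 edits" near-duplicate threshold are my assumptions.

```python
def levenshtein(a, b):
    """Edit distance, used to catch near-duplicates such as LovePizza99 vs LovePizza98."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def audit_passwords(accounts, min_length=16, near=3):
    """accounts: (service, tier, password) triples, tier in {'financial', 'email', 'social'}.
    Flags 'short' passwords, exact 'reuse' across tiers, and 'near-duplicate' passwords
    across tiers (within `near` edits). Variations inside one tier are allowed, as the
    post suggests for financial accounts. Returns (kind, service, other_service) tuples."""
    findings = [("short", svc, None) for svc, _, pw in accounts if len(pw) < min_length]
    for i, (s1, t1, p1) in enumerate(accounts):
        for s2, t2, p2 in accounts[i + 1:]:
            if t1 == t2:
                continue  # same tier: variations permitted
            if p1 == p2:
                findings.append(("reuse", s1, s2))
            elif levenshtein(p1, p2) <= near:
                findings.append(("near-duplicate", s1, s2))
    return findings

# Constructed sample export (not real credentials); thresholds are assumptions.
SAMPLE_ACCOUNTS = [
    ("bank", "financial", "TheENDofrworldisCOMING"),
    ("broker", "financial", "TheENDofrworldisCOMING2"),  # variation within the tier: fine
    ("mail", "email", "LovePizza99"),
    ("facebook", "social", "LovePizza98"),  # one edit away from the email password
    ("twitter", "social", "LovePizza99"),   # identical to the email password
]
```

Running `audit_passwords(SAMPLE_ACCOUNTS)` reports the three short passwords, the near-duplicate between the email and social tiers, and the exact reuse between email and twitter, while the financial-tier variation passes.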

EMAIL LINKS/PHISHING

As important as, or more important than, the passwords above is how you respond to emails from your bank or other services. The simplest way for a hacker to get your login information is to have you give it to them. People do it every day.

You get an email, it looks like it is from your bank, you click on the link and enter your login information on the website. The problem is, you may not be on your bank’s website. It may be a fake site set up by a hacker. And now you’ve handed over your login information. Sneaky, eh?

If you get a message from “your bank” – don’t follow the link. Open a browser and go directly to your bank’s website. Log in there. Any important notices should be there on their site. To avoid confusion, store your bank’s website as a bookmark and use the bookmark to go to the site.

Email links are the easiest way for a hacker to get into your accounts.
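The tell-tale sign of the fake-site trick described above is a link whose visible text names the bank while the actual target goes somewhere else, or is not HTTPS at all. Below is an added checker (not from the post) that pulls every link out of an HTML email body and flags those cases; the email body and the bank domain `examplebank.com` are constructed, and the two-label "registrable host" heuristic is a simplification I assume in place of a public-suffix list.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from every <a> tag in an HTML email body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def registrable_host(netloc):
    """Crude 'examplebank.com' from 'login.examplebank.com:443' (assumed: no public-suffix list)."""
    host = netloc.split("@")[-1].split(":")[0].lower()
    parts = host.split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host

def suspicious_links(html, trusted_hosts):
    """Return (href, text, reasons) for links that are not HTTPS, leave the trusted hosts, or show one host in the text while going to another."""
    parser = _LinkCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        target = urlparse(href)
        target_host = registrable_host(target.netloc)
        reasons = []
        if target.scheme != "https":
            reasons.append("not https")
        if target_host not in trusted_hosts:
            reasons.append(f"goes to untrusted host {target_host!r}")
        shown = re.search(r"([a-z0-9-]+\.)+[a-z]{2,}", text.lower())
        if shown and registrable_host(shown.group(0)) != target_host:
            reasons.append(f"text shows {shown.group(0)!r} but link goes to {target_host!r}")
        if reasons:
            findings.append((href, text, reasons))
    return findings

# Constructed sample email: the first link is the lookalike, the second is legitimate.
SAMPLE_EMAIL = """<p>Dear customer, please verify your account:</p>
<a href="http://examplebank-secure.com/login">https://www.examplebank.com/login</a>
<p>Or visit <a href="https://www.examplebank.com/help">our help page</a>.</p>"""
```

`suspicious_links(SAMPLE_EMAIL, {"examplebank.com"})` flags only the first link, for all three reasons at once; the bookmark habit in the text sidesteps the whole question.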

HOME NETWORK DEVICES

Every device that connects to your network – starting with your Internet provider’s router (modem) – has a default login. If you get a network-connected printer, thermostat, refrigerator, coffeemaker, security camera system, etc., they all ship with default login information.

Most people never change this. Some malware/hacking websites do not give you popups or ads. Instead, they install a piece of software that looks across your network for devices that still have a default password. They log in, they install themselves on those systems, and voila – you have a guest looking at all your traffic.

Hackers will use those devices later to launch other attacks on the internet or simply steal information.

My advice

Change your router’s password. But also change your network IP address scheme. Every network has a “number” and most routers ship with “192.168.1.1” or “192.168.0.1”. Change it to “192.168.36.1” or some other number between 1 and 254 in the third position. Well.. not 1. We’ve already addressed that.

Change the default login for every device you add to your network. It’s a hassle but… you may thank me later. Or, you won’t thank me because nothing will happen. But you won’t call me asking for help either.

PUBLIC WIFI STRATEGIES

I’m not paranoid but I’m not stupid either. Most WiFi devices have what is called “client isolation” – which effectively blocks one device on the network from seeing traffic from another device on the network. Also, for most hackers, the average person at a coffee house just isn’t that interesting. Let me be more straightforward: you are not that interesting.

So, chances are, you are mostly safe on public WiFi.

But… and it is a big but.

Many/most public WiFi access points are NOT patched (updated with the latest software) and are often left on default settings. Plus, one way hackers steal information is by setting up a WiFi network that “looks” like a legitimate network. It might be called “Starbucks Free WiFi” – or “LA City Free WiFi”. You connect to it, they provide you Internet access and they monitor your traffic. THIS IS VERY SIMPLE TO DO.

So.. much of the time, unless I know I can connect to a VPN or that the WiFi has true client isolation, I simply set up my Verizon device as a WiFi hotspot for me. Besides, it is often faster than the public WiFi being offered.

CONCLUSION

Digital security is a tough area. Here’s why. Vendors could force non-default configuration for every device they ship but most people buying them don’t want to deal with that. We all want easy and cheap. Adding configuration steps for every thermostat, fridge, coffeemaker, router, etc., dramatically increases a company’s customer support costs. We buy routers for under $100. We want cheap technology.

Also, we’re lazy. Me included. I’ve recommended and taught the above password strategy and other advice for years. I can count on one-hand the number of clients and non-technical friends who put anything like that into practice.

Often, the first person to break a company password policy is the CEO or CFO. When their password changes after 40 days and requires both length and complexity, there is an outburst and then compromise. And don’t get me started on the number of executives who allow their “genius” child to “optimize” their computer. Eek!

But at least, I’ve let you know what can be done. Now you can go back to ignoring my advice.
