For most people it is common to be versed or at least aware of your organizations security policy as part of ongoing security awareness training efforts, but in many cases, that knowledge is only applied in the workplace. What about your personal cyber security policy? Do you have one? Do you follow it? If you answered no to any of the questions above, I am here to help.
Your digital profile should be considered an asset much like the items of value in your home. Maybe more valuable since theft of your identity can potentially result in loss of those assets. Additionally, the means by which your identity or digital assets are stolen typically reside within your house in the form of the electronic devices used to access the internet, shop and bank online and a number of other activities that open you to exposure. Luckily there are some fairly simple protections and best practices that you can use to fortify yourself against such threats. In the sections that follow, I will go over some of the most common best practices to defend all of your online accounts and assets from compromise.
Password Security is an important aspect of protecting your digital assets and in many cases is the first line of defense against an attacker that is after your goods. Below is a list of recommendations that should be followed when choosing a password as well as best practices for passwords in general.
- Always use strong passwords. Passwords should be at least 14 characters and never consist of words found in the dictionary (in any language). It is best to use ‘passphrases’ rather than ‘passwords’ and to include upper/lower case, numbers and special characters. An example could be: T@k3me0utToth3B@llgam3
- Never re-use passwords. Every account that you have should have a unique and strong passphrase that is not easily guessed by an attacker.
- Never share your passwords. This seems like a no brainer, but there are plenty of people that share things like their Netflix passwords with friends. While this seems like it may be innocent, if you use the same password (see ‘Never re-use passwords’ above) for Netflix that you use for your bank account, you have just given out your banking password(s) as well.
- Use a password manager. A password manager can help you generate strong passwords as well as maintain those passwords in a secure, central location. This allows you to create long, complex passwords (not even passphrases, just random strings) that you don’t have to remember. It is also convenient as most password managers have browser plugins that allow them to auto-fill login forms.
- Change passwords periodically. Company’s typically force employees to change their passwords periodically to ensure that the user as well as the company is protected against compromise. This is no different for your personal passwords. I recommend changing your passwords at least yearly. Some password managers have features that can do this for you ‘automagically’ but any password manager will help with this task.
- Multi-Factor authentication. Multi-factor authentication is a means to add a second method of authorization to the login process. Typically, this is done with either and SMS message containing a 6 digit code or using an authenticator app (Google authenticator is a popular app). This has to be configured within each account (such as Facebook or your bank) as well as on the authenticator app itself and is one of the most powerful means to protect your account in conjunction with strong passwords and good password management practices.
Email Security is another aspect of your digital life that is very important to be security minded with. It is estimated that 90+ percent of email today is SPAM and that email is the top vector of attack against individuals and companies that suffer a compromise. The reason for this is that everyone has an email account and uses it extensively for communications. Attackers capitalize on this and send massive amounts of SPAM email, playing ‘a numbers game’ in which they do not target individuals necessarily but rely on the principal of quantity. Of the thousands of emails that they send, they are likely to get at least a few targets to bite and fall victim to their scam. Here are some best practices to avoid becoming a victim.
- Click with caution (links). This may seem obvious, but it is the most widely used tactics of an attacker. Planting a link to a piece of malicious code in an email and convincing a user to click on it can give the attacker complete control of your computer and the data on it. This is referred to as ‘phishing’ and can lead to complete compromise. Attackers use enticing (sometimes scary) language or instill a sense of urgency in the victim to convince them to click a link and it is all down hill from there. Make sure you inspect links before clicking them and look for ‘too good to be true’ language.
- Trust no one. Even if you receive an email from a friend (or an email that appears to be from a friend or other trusted source) be suspicious. Inspect any links in the email before clicking on them. This can be done by hovering your mouse over the link and seeing if it looks like a legitimate URL. You can also look closely at the senders email address and ensure it is in fact from a trusted source. Lastly, most attackers will not sound like your friend. Look for obvious signs in the message that this could be someone impersonating the sender.
Open source information (AKA: OSINT – Open Source Intelligence) while not exactly an asset, it is something that should be closely watched as well. Giving away too much information about yourself can be dangerous and assist an attacker when targeting you. This is hard to do today since everyone is on social media, which by it’s nature is all about sharing information about oneself. Here are some examples of what to watch out for.
- Security questions. Security questions are a common means to authenticate yourself if you need to reset a password or log into a bank account. If you chose ‘What is your favorite pets name?’ as a security question for example, and posted on Facebook “my dog fluffy is the cutest pet ever!”, well you just (potentially) gave away the answer to your security question.
- Public information. Public information is valuable to an attacker and often used in targeted attacks, such as phishing, in which an attacker crafts a very convincing email that contains information that is true, but also available to anyone with the desire to find it. An example could be “A lien has been placed against the home at 101 main street, Plano, TX 52943. Click the link below to see the lien documents and confirm receipt of this SUPER important email”. Assuming your address is correct (public record) you may be tempted to click the link, and that could lead to compromise.
If you follow the three items above and apply these principals to all aspects of your digital life, you will be in a really good position to avoid potential compromise.