We often take for granted the security we have online, but it is increasingly becoming something more people are concerned about. We reached out to industry leaders in the fields of cyber security and data protection to produce a guide on what you should be doing to protect yourself.
Got something to add to this article or disagree with something here? Email us at [email protected]urgenSec.com (we will credit you).
This article is split into three sections:
The Basics: The article will begin by outlining the most basic security measures that EVERY person online should be doing to protect their data.
What you should be doing: The security measures which take a little more work, but you should be doing.
What the experts do: The measures experts take if you want to start taking your data protection very seriously.
If you are in the C-suite of a business you are a target; take extra care to keep separate passwords for work and personal accounts.
First and foremost, we all need to learn to use passphrases instead of passwords. The era of the password is dead.
Instead of trying to remember “[email protected]”, learning to type a phrase like “Oreomineraldeposit!” adds a level of protection most internet users fail to implement.
Most of us work on domain-based networks, i.e. CORP\myuser. Your user account is then on a forced password rotation schedule, typically every 90 days or so.
The forced complexity requirements are generally three of the four character classes: lowercase, uppercase, digit, special character.
We then end up taking over accounts using easy-to-guess SeasonYear combinations like Fall2019! or Winter19!. Yes, these are so common that they are our go-to guesses when we attack organizations. Circling back, remember that “[email protected]” example from earlier?
- It is very difficult for the human brain to remember these iterations.
- It is very easy for our password-cracking rigs to turn this kind of password into swiss cheese (in reality, mere seconds to recover).
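To make the two points above concrete, here is an added example (not from the article, and not a contributor's tool): it enumerates the SeasonYear family a tester tries first and compares its size with the search space of a randomly generated passphrase. The 1e10 guesses-per-second figure and the short WORDLIST are assumptions; a real generator draws from a list of thousands of words such as the EFF long list.

```python
"""Added example: why 'Fall2019!'-style passwords fall in seconds, and how a
randomly generated passphrase compares. Standard library only."""
import itertools
import math
import secrets

SEASONS = ["spring", "summer", "fall", "autumn", "winter"]
SYMBOLS = ["!", "@", "#", "$", "."]


def season_year_candidates(years):
    """Enumerate the SeasonYear family that a password-spraying list starts with:
    season + 4- or 2-digit year, three capitalisations, optional trailing symbol.
    Every one of these satisfies a '3 of 4 character classes' policy."""
    out = set()
    for season, year in itertools.product(SEASONS, years):
        for y in (str(year), str(year)[-2:]):
            for word in (season, season.capitalize(), season.upper()):
                out.add(word + y)
                out.update(word + y + sym for sym in SYMBOLS)
    return sorted(out)


def bits(candidate_count: int) -> float:
    """Search-space size expressed in bits."""
    return math.log2(candidate_count)


def passphrase_bits(wordlist_size: int, words: int) -> float:
    """Entropy of a passphrase whose words are picked uniformly at random."""
    return words * math.log2(wordlist_size)


def generate_passphrase(wordlist, words=5, separator=" "):
    """Random passphrase drawn with the OS CSPRNG (never random.choice)."""
    rng = secrets.SystemRandom()
    return separator.join(rng.choice(wordlist) for _ in range(words))


def seconds_to_exhaust(entropy_bits: float, guesses_per_second: float) -> float:
    """Worst-case time for an attacker to try every candidate."""
    return 2 ** entropy_bits / guesses_per_second


# Placeholder word list (constructed); a real generator uses thousands of words.
WORDLIST = ["oreo", "mineral", "deposit", "granite", "lantern", "copper",
            "velvet", "harbor", "tundra", "cobalt", "saffron", "ember"]

if __name__ == "__main__":
    spray = season_year_candidates(range(2017, 2021))
    rate = 1e10  # assumed: GPU rig against a fast hash such as NTLM
    print(f"{len(spray)} SeasonYear candidates = {bits(len(spray)):.1f} bits, "
          f"exhausted in {seconds_to_exhaust(bits(len(spray)), rate):.1e} s")
    years = seconds_to_exhaust(passphrase_bits(7776, 5), rate) / (86400 * 365)
    print(f"5 words from a 7776-word list = {passphrase_bits(7776, 5):.1f} bits, "
          f"exhausted in about {years:.0f} years")
    print(generate_passphrase(WORDLIST))
```

Four years of seasons give only 720 candidates, under 10 bits, which a rig tries before the progress bar draws; five random words from a 7776-word list are about 65 bits. Four words is noticeably weaker against a fast hash, which is why generators default to five or more.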
Lock down and protect your account with a password manager.
Password managers make it easy to generate strong, unique passwords for every account you have, track and manage all of your passwords in one place, and prevent one account compromise from cascading into an all-out security meltdown.
Not nearly enough people are taking this measure. Password reuse is still rampant. According to a recent Google/Harris survey, 52% of respondents said they reuse the same password across accounts, while 13% reuse the same password for all of their accounts. In that same survey, Google found that only 24% of survey respondents use a password manager.
A dedicated password manager, instead of a browser-based manager, is highly recommended.
If you are willing to pay, you don’t need to look much further than 1Password. 1Password is a favorite of the security community.
If you are looking for a free option, check out Bitwarden. Like 1Password, it works on nearly every platform and offers syncing across devices.
Two-factor authentication (2FA)
Next up, learn to use two-factor authentication, multi-factor authentication, universal second factor (U2F), 2FA in all its forms. These enforce an improved posture by requiring a PIN, a one-time code from a token, or the physical press of a button on a hardware key (look up YubiKey for reference) any time you authenticate to a service.
This hardens your online accounts by another factor.
SMS text validation is just about dead, given SIM swapping and the demonstrated ease of socially engineering carriers. But it is still significantly better than nothing.
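The "token" most people carry is an authenticator app generating time-based one-time codes (TOTP, RFC 6238). The added example below (not from the article) derives and verifies such a code with the standard library, using the reference key from the RFC so the result can be checked against its test vectors; the skew window and the base32 helper mirror what authenticator apps and servers do, but are this example's own choices.

```python
"""Added example: how an authenticator-app (TOTP, RFC 6238) code is derived
and checked. Standard library only; the key is the RFC 6238 reference key."""
import base64
import hashlib
import hmac
import struct


def hotp(key: bytes, counter: int, digits: int = 6, algo=hashlib.sha1) -> str:
    """HOTP (RFC 4226): HMAC over the big-endian counter, then dynamic truncation."""
    mac = hmac.new(key, struct.pack(">Q", counter), algo).digest()
    offset = mac[-1] & 0x0F
    number = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(number % (10 ** digits)).zfill(digits)


def totp(key: bytes, unix_time: int, step: int = 30, digits: int = 6,
         algo=hashlib.sha1) -> str:
    """TOTP (RFC 6238): HOTP whose counter is floor(time / step)."""
    return hotp(key, unix_time // step, digits, algo)


def verify_totp(key: bytes, code: str, unix_time: int, step: int = 30,
                digits: int = 6, window: int = 1) -> bool:
    """Accept the code for the current step and +/- `window` steps of clock skew.
    Comparison is constant-time. A real server must additionally remember and
    reject a code that has already been used within its window."""
    for drift in range(-window, window + 1):
        expected = totp(key, unix_time + drift * step, step, digits)
        if hmac.compare_digest(expected, code):
            return True
    return False


def secret_from_base32(text: str) -> bytes:
    """Authenticator apps receive the shared secret as unpadded base32 (QR code)."""
    cleaned = text.strip().replace(" ", "").upper()
    return base64.b32decode(cleaned + "=" * (-len(cleaned) % 8))


RFC6238_KEY = b"12345678901234567890"  # reference key, RFC 6238 Appendix B

if __name__ == "__main__":
    # RFC 6238 Appendix B: at Unix time 59 the 8-digit SHA-1 code is 94287082
    print(totp(RFC6238_KEY, 59, digits=8))
    print(verify_totp(RFC6238_KEY, "94287082", 59 + 30, digits=8))  # skew ok
    print(verify_totp(RFC6238_KEY, "94287082", 59 + 60, digits=8))  # too old
```

The shared secret is the whole security of the scheme: whoever can read it (a screenshot of the QR code, a cloud backup of the app) can mint codes forever, which is why the article later recommends hardware keys, whose secret never leaves the device.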
In reference to online personal data protection, there are so many directions this can take. If we are talking about our accounts, then the above will work.
If we are talking about the “data brokers” and their ongoing and constant collection of our interests, habits, hobbies, and locations, then start simply.
Yeah, location services sure are convenient. Your location is also very useful information when trying to form a demographic profile. Use it when necessary, but don’t leave it on.
Stop using public wireless networks. Leaving Echo, Alexa, and similar devices around your home is downright creepy to a security pro, because their microphones genuinely are always on, listening for a wake word. This falls into the realm of Philip K. Dick-novel terrifying.
The most important thing individuals can start with is learning about and turning on the privacy settings on all apps, especially social media accounts. People are too trusting and assume that a company or app is concerned with their privacy.
Companies want to make a profit, so selling your data to anyone who will pay is often a strategy they use.
Just because an account is private doesn’t mean it’s safe either. Facebook recently paid a hefty fine in the United States for privacy violations involving user data that reached third parties, even from accounts set to private.
Today, Facebook still has settings that, even if your account is private, allow your profile and posts to be indexed by search engines like Google. This is why it’s important for consumers to become familiar with privacy settings.
Monitoring for data breaches
People should also monitor for data breaches so that they know when their information has been exposed and can act to prevent identity theft, with free tools such as Bloom Radar and Chrome's leaked-password checker.
To switch the Chrome leaked-password checker on, type chrome://flags in the address bar; press Return or Enter; type passwords in the search field; locate the Password Leak Detection item; and to the right of that, select Enabled from the drop-down list. Finally, relaunch Chrome. Newer Chrome releases ship this on by default; if the flag is no longer listed, look for the password-breach warning under Settings > Privacy and security instead, as flags come and go between versions.
Update ALL your devices.
It’s pretty easy to set auto updates for your computer operating system, and usually your mobile phone will give you some indication of when you need to update the software or apps.
But remember to update the software on your computer as well – and don’t forget other devices such as your wireless router or printer.
Those updates don’t come out as often, and it takes a little more effort, but usually updates include security protections that you need.
Backup your computer and your mobile devices
The best defense against something like a ransomware attack, or even a computer crash, is to have backup copies of all your important data. Ideally, you’ll want a local copy, such as on an external hard drive, as well as an “off-site” copy, typically “in the cloud.” Keep the local drive disconnected between backups, or use a service that keeps file versions: a drive that stays plugged in gets encrypted by ransomware along with everything else.
What you should be doing
Everything listed above… plus…
Freeze your credit with all three major bureaus
Next, add another layer of protection: US residents (not sure how this works in the UK) should freeze their credit with all three major bureaus (Equifax, Experian, TransUnion).
This is a free service and can save you the nightmare of someone opening credit in your name. You lift the freeze temporarily when you apply for credit yourself.
Do not use SMS for 2FA
Instead of using SMS text for 2FA, use a YubiKey or similar U2F/FIDO2 security key.
This is an ‘implausible to reproduce’ second factor that fits on your key ring, has near-field communication (so you can use it on your phone), and adds, again, another factor of security to your online accounts. Because the key signs a challenge bound to the real site's origin, a phishing page on a look-alike domain gets a response it cannot replay, which is what a typed code cannot give you.
Audit App Permissions
We rely heavily on our phones for our current lifestyles. We search everything we think we need to know, we add apps for everything, and generally make a permissions mess out of our phones in the process.
This can result in an overly permissive state where a few applications can access your camera and microphone at will. Ask yourself: is it really necessary for this application to access my microphone? Then we realize it’s for more than just speaking search terms, and our everyday speech is appended to our demographic profile.
Limit your reliance on apps. If the service is free, your contacts, email addresses, phone numbers, text messages, voice and camera data are the product.
Recommended additions to your phone and browser
Phone: DuckDuckGo, the search engine that doesn’t store your data or profile you demographically for money.
Use Secure Browsers and Email Providers
If individuals don’t want to sacrifice their normal browsers, they can install a privacy plugin to do the trick. Chrome, Firefox and Safari also have private-browsing modes, but these only stop history and cookies being kept on your own machine; they do nothing to stop the sites you visit, or the network you are on, from tracking you.
Secure email providers are also worth considering, since consumer services like Yahoo! and Gmail fund themselves by targeting ads to their users.
Rather than routing everything into one inbox, create separate email addresses for different purposes (banking, shopping, social). This keeps your data compartmentalized and ensures that a compromise of one address doesn’t reach beyond it.
Consider using Tor
If you are looking to browse online anonymously, either to prevent online tracking and targeted advertising, circumvent government censorship, or to defend against surveillance, there is a wide range of tools and browsers that you can use.
The Tor Browser (The Onion Router) is a free browser that routes your web traffic through the Tor network, which consists of entry (guard) nodes, middle relays, and exit nodes that together mask your location and activity. Note that the exit node sees whatever leaves the network, so only HTTPS sites stay private from it.
Consider using HTTPS Everywhere
Another tool you can use is HTTPS Everywhere. It is a free, open-source browser extension for Firefox, Chrome, Safari, Opera, and Brave that automatically forces a secure, encrypted connection between your browser and the website you’re visiting, if available, to help protect you from data theft and man-in-the-middle attacks. Current versions of Firefox and Chrome build the same behaviour in as an “HTTPS-Only” or “Always use secure connections” setting, and the EFF has since retired the extension in favour of those settings.
Monitor your login activity
TetherView (a company that assisted in the writing of this article) offers login monitoring for all of its users. Believe it or not, most sites have a page that shows when you’ve logged in, failed login attempts, and even where you’ve logged in from. Find it, review it, and turn on any login alerts the site offers.
Consider purchasing a VPN service
Consider purchasing a VPN service to use when you are out and about with your mobile device. Many people don’t realize the risks of using public Wi-Fi to access the internet at a coffee shop, hotel, airport, etc. Using public Wi-Fi puts you at risk of someone on the same network intercepting the information you are sending. A VPN service such as CyberGhost or NordVPN (see editor's note below) creates an encrypted “tunnel” so prying eyes on the hotspot can’t see the data you transmit or the sites you look up. Bear in mind that a VPN moves that trust to the VPN provider, who can now see everything the hotspot could have.
Editor's note, 4th January 2019: NordVPN was breached in March 2018 and failed to tell the public until October 21, 2019. Trust at your own peril.
What the experts do
Most experts use various methods to make sure their data stays private.
Remove backup mechanisms for 2FA: only U2F on all accounts where possible.
This keeps someone who compromises your account credentials from downgrading the second factor to SMS and then stealing the text code via a SIM swap.
If this doesn’t make sense, let’s say my girlfriend gets my password and she’s angry. She calls my cell provider and convinces them to swap my SIM to her burner device, and starts getting my text messages.
She can then go log in to my Gmail account and claim she doesn’t have the U2F hardware key, except I have removed the backup option for text verification. Game over. This. Attack. Happens.
We expect that eventually everyone will need to take these measures. But, by assuming you are a target, and that your systems and accounts have value to hackers, and that you’ve likely been compromised, you are a step ahead of most.
Use burner numbers
Keep private burner numbers through a service like Google Voice, Burner, or Hushed. When someone needs a number for anything, like creating an account or verifying your banking information, give them this unlisted number instead.
Never use public anything
Turn your Wi-Fi and Bluetooth off when you’re not using them in public, and use your own VPN and hotspot if you absolutely need internet.
Monitor information already out there
Be critical when checking the information about you that is already out there. In today’s world, you know that even family and friends can compromise you. Many individuals I know delete their social media accounts if their friends and family have been compromised.
If individuals are really paranoid, they go after the data broker companies themselves and have the information removed. Others freeze all of their credit and publicly known information to keep someone else from using it or getting hold of it.
Some will even hire companies like DeleteMe to remove data collected about them online that is being sold to data brokers.
Use Pretty Good Privacy (PGP)
Encrypted messaging and private communication is a must. Pretty Good Privacy (PGP) is used for signing, encrypting, and decrypting emails. It works by encrypting a message with the public key of the person you are communicating with, who then decrypts the message with their private key to read it.
You can also sign a message with your private key so that the recipient can verify that the contents have not been altered and came from you. If you need to send a highly sensitive email, PGP is the way to go. Keep in mind that it protects the body and attachments only; the subject line, sender, and recipients still travel in the clear.
Encrypted messaging beyond email
For encrypted messaging beyond email, Signal is the go-to for secure, encrypted communication. It is the most popular and well-respected messaging app in the security and privacy community, and the top choice of NSA whistleblower Edward Snowden.
With Signal, you can securely send text messages, files, notes, images, and videos, as well as make secure voice and video calls. All communication is end-to-end encrypted so that no one other than you and the person you’re communicating with, not even Signal, can see your messages or hear your calls.
Signal is free, open-source, and extremely easy to use.
Segment your home network
Segment your home network to protect your important information from possible compromise due to less secure devices.
The internet of things is meant to make our lives easier and more convenient, but in many cases this comes at the cost of security and privacy. Even if you keep your smart home devices updated, they are more likely to be the vector a cybercriminal uses to get onto your home network.
Get a router that allows you to set up separate networks (a “guest” network or a separate VLAN), and keep your computer with its important data on a different network from your Amazon Echo, Google Home, or Apple TV. The rule you want is that the trusted network can reach the gadgets, but the gadgets can never start a connection toward the trusted network.
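Written out as a forwarding policy, this is what the segmentation looks like on a router that runs nftables; it is an added, illustrative ruleset and not from the article or any contributor's setup. The interface names lan0 (trusted), iot0 (smart-home network) and wan0 are assumptions; a consumer router's "guest network" toggle implements the same idea without exposing the rules.

```nft
table inet segment {
    chain forward {
        type filter hook forward priority 0; policy drop;

        # replies to connections a trusted device opened (e.g. casting to a TV)
        ct state established,related accept

        # the trusted LAN may start connections to the IoT network and the internet
        iifname "lan0" oifname { "iot0", "wan0" } accept

        # IoT devices reach the internet only; they never initiate toward the LAN
        iifname "iot0" oifname "wan0" accept
        iifname "iot0" oifname "lan0" log prefix "iot-to-lan blocked: " drop
    }
}
```

The default-drop policy on the forward chain is the important part: anything not explicitly allowed, including a compromised camera scanning for your laptop, is discarded, and the log line tells you it tried.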
Get a separate computer to use for your sensitive work
Get a separate computer to use for your sensitive work, such as business activities or banking. Use that computer only for these sensitive activities, and use a second computer for gaming, social media, and recreational web browsing.
Put procedures in place to detect potential issues
In addition to protective measures, put procedures in place to detect potential issues. Your bank and credit cards should have fraud protection algorithms to notify you of unusual activity, but if you don’t have credit monitoring already, get it, so you’re notified of issues early on and can take action to mitigate damage.
Consistency is key
Finally, the major difference between an amateur and an expert is consistency. Put a personal plan in place to regularly check your account privacy settings, make sure all your devices are updated, that you have strong passwords and authentication measures, and that you back up your information.
Just like regular exercise keeps your body healthier and more resilient, regular security practices help protect your cyber health and make it more likely you can recover in the case of an unfortunate event.
The industry experts who contributed to this article
Position: security analyst, penetration tester, and member of the systems administration team at Black Hills Information Security
Jordan Drysdale has been with the Black Hills Information Security family since 2016. He is a security analyst, penetration tester, and member of the systems administration team. Jordan came to BHIS with a very strong background, including many years of work in Networking tech support and engineering. Though he has extensive experience, Jordan never stops learning and often researches unfamiliar problems to sharpen his skills. His favorite part of penetration testing is demonstrating risk to his customers and explaining why it matters. When he is away from work, Jordan enjoys gardening and canning, hiking, snowboarding, and reading.
Position: Head of Consumer Insights, Bloom
Position: CEO of TetherView
Mike created the Digital Bunker™, which enables people to secure their critical and non-critical applications within a private cloud. As the brainchild behind the Digital Bunker™, Mike has helped countless SMBs secure their data compliantly and has an intense set of guidelines regarding privacy and security.
Position: Owner of Milepost 42 LLC
Stacy Clements is a retired Air Force cyber operations officer and currently the owner of Milepost 42, a tech partner for small businesses who want someone else to handle the web stuff. She also teaches cybersecurity essentials for a local Women’s Business Center.
Position: CEO of Digital Mom Talk
Chelsea Brown is the CEO of Digital Mom Talk and a Certified Cyber Security Consultant for businesses and families. She secures businesses and family homes through education, digital courses, coaching, private consultations and events. She has a Bachelor’s Degree in Computer Information Technology with an emphasis in Networking and Cybersecurity, holds a CompTIA Security+ certification, and has 10 years of working experience securing businesses and family homes.