Cybersecurity tips. Part 2: Online behavior.
This is the second portion of a three-part series on Cybersecurity advice. In Part 1, I covered general awareness and protection of personal devices. In this post, I will focus on online interactions and provide advice to help ensure you are safe, secure and private in the online world.
A recent technical survey discovered 97% of the population is unable to correctly identify phishing emails. The general rule of thumb is – if you receive a message (text, email, social media, etc.) and you are unsure who the sender is, avoid clicking on any link or file included with the message. Web addresses can even be doctored and made to resemble a legitimate site. The general rule is: take a moment to think before you click, particularly if the message is from an unknown sender. If you feel your organization is particularly vulnerable, download this infographic and post it in your break room or by the water cooler to educate your team.
Practice safe surfing…
Going online obviously comes with risk (especially if you happen to be navigating to the “shadier” side of the web). However, there are some things you can do to limit your risk.
Choose one of the following Virtual Private Network (VPN) services and use it. As the name suggests, a VPN is essentially a network of servers in various countries around the world that are kept separate and private from the broader internet. A VPN uses encryption and other security mechanisms to ensure only authorized users can access the network. Data exchanged with the internet by network users is kept private. The old saying “you get what you paid for” applies in this case. I recommend you stay away from free VPN services.
Choose browsers with enhanced security and privacy features when you surf the web. I use Firefox with the following security/privacy add-ons: HTTPS Everywhere, uBlock Origin, NoScript. While these browser extensions are optional, they further harden my online security and privacy. I recommend you take advantage of them and use them too, if it makes sense for your situation.
When accessing the internet via a public WiFi, proceed with caution. Hackers can easily offer a free connection that looks the same as a valid connection offered by some nearby business. Think of a free WiFi connection at Starbucks named “Starbucks Free WiFi”. A hacker could easily setup a router in the area and name it “Starbucks WiFi free” and allow people to connect to it. Once you connect to the internet via the fake Starbucks connection, they can access your device and the information you are sending and receiving (including your passwords). If you feel the need to use a public WiFi and are fairly sure it is legitimate, there are a couple of other steps you can take to further limit your risk. Stick to secure websites – those starting with HTTPS as opposed to simply HTTP and utilize a VPN – to create an encrypted tunnel to communicate with the internet.
Secure your home WiFi
Think back to the time when your home WiFi was initially set up. Did you set it up or did you have someone do it for you? Unless you recently installed it and followed the latest security practices, I strongly recommend taking a closer look at the (configuration) settings on your router. I recently did this myself and was shocked to find I had committed the cardinal sin of tech security. I was using the default “admin” for user name and “password” for password. As I think back to a few years ago when I setup the router, it happened to be during a time when I was having significant work done around my house. The chaos associated with that work coupled with pressure to get the internet connection working, resulted in me doing a “quick install” to get connected. While I had the intent of going back to secure everything at a more convenient time, I failed to actually circle back.
While my transgression is admittedly a very bad one to commit, I assess the level of risk for my infraction as relatively low. If I lived in an apartment building with my WiFi signal within reach of numerous, bored, unemployed, technically savvy people, I would assess the risk differently. The point is: this was a major hole in my security settings and I only found it by digging into the details (the router settings). Rather than wasting time searching for your router instruction manual, it might be easier to simply examine your router. By noting the brand and model number you can locate the configuration instructions for your specific router online.
Once you access your router’s settings, you may consider changing the name of your WiFi (SSID) if it currently contains information that could be used to identify you (such as your name, favorite sports team, etc.). If you have yet to do so, require a password to access your network and follow strong password guidelines. I am surprised when I still see unprotected WiFi access points. While you are in your router’s configurations settings, make sure you are only using the WPA2 security encryption protocol which implements the latest security standards, including "government-grade" data encryption. As time marches on, WiFi encryption protocols evolve to replace older standards. WEP (Wired Equivalent Privacy) came first and was replaced by WPA (Wireless Protected Access) which is now on its second version – WPA2. WPS (WiFi Protected Setup) was introduced in 2006 to make connecting devices to routers easier for people but security flaws leave it vulnerable to brute force attack. To recap, you need to disable WPS, avoid WEP and WPA/WPA2 and only use WPA2 as the security protocol with your router.
If you are concerned you may be a target, you can disconnect your router while you are away from home or even while you are offline while at home. If you have given your WiFi password out to people you wish you said no to in the first place, change your password to shut off their access. Another relatively low-tech security trick some people deploy is they setup their router to only allow configuration changes if the modem is accessed via a hardwired connection (as opposed to via WiFi). You will have to check whether your router supports this. If it does, it will serve as another barrier of protection.
End-to-end encryption means when you send a message, only the person you are sending the message to will be able to read the message. Using encryption allows your communications to stay private even if your device has been compromised. To encrypt voice and text on my mobile phone, I use Signal. In order to use Signal both you and the person you would like to communicate with would need to have the Signal application. It is free which is great and while experts agree it is the mobile encryption leader, there are other options available.
If you send sensitive information via email, consider utilizing encrypted email which works thru a system of sharing public keys and unlocking the encrypted message with private keys. Many corporations deploy encrypted email internally to all users. If you are interested, follow the embedded link to learn more about encrypted email.
Part 2: Close
This concludes the second part of my three-part series on cybersecurity. To recap, in Part 1, I covered general awareness and end-point security and in this second installment, I went thru protections for online behaviors and habits. While this post was more technical in nature and probably more challenging to follow for non-technical people, the links provided should help all users understand the important protection techniques covered. In Part 3, I will be covering digital hygiene so stay tuned…