05 Jan 2022 - Toby
I have worked in cyber security for 12+ years. If you’re a normal person looking to stay safe online, here are my top tips. They are simple and will go a long way. If you’re a business or think sophisticated attackers are after you, that’s a different kettle of fish. But for most of us, they probably aren’t.
You constantly get bombarded with notifications to update your computer and software. I know they are annoying, but do them. It makes a huge difference to how secure your computer is.
Software is large and complicated. Security researchers and hackers identify vulnerabilities in it all the time. When the owners of software find out about these issues, they fix them. These fixes are what make up most of those updates you get. If you don’t apply them, you are not protected. If you do, you will protect your computer from all but the most sophisticated cyber attack capabilities.
If you’re interested, security vulnerabilities that are not yet known to the software owner are called ‘zero days’, and are very valuable. You only need to worry about zero days if you think a more sophisticated attacker is after you.
Only install software from places you trust. Attackers will try to trick you into installing malicious software by making it look like something legitimate. The next question is, what places should you trust?
The general rule I follow is to only install software when you have actively gone somewhere to get it. If you want to install Word or the Chrome web browser, go and get it from the Microsoft or Google website. Same thing with apps on a phone: visit the Apple or Google store. If instead things come to you, be suspicious. That’s a red flag. ‘Spearphishing’ is a common attack where someone sends you an email asking you to click a link or open an attachment. ‘Smishing’ is the same thing, but via SMS text messages.
It’s the same sort of thing when you enter your private information into a website. If you want to pay someone money, go to your banking website directly yourself to log in and initiate the payment. If a payment request comes to you, asking you to click a link to make a payment – be suspicious.
Two factor authentication, or 2FA, is often an additional security feature you can turn on with your accounts. If you can, do it. It can be a bit of a pain, but it’s worth it.
There are lots of ways an attacker may try to steal your username and password. If they get it, they can log into your accounts and take them over. That’s really bad, especially for things like your email, which is probably the key to all your online identities (it’s where password resets for your other accounts get sent).
With 2FA, an attacker has an extra thing they need to get access to before they can log in. That makes it really difficult for them to get your account.
There are a few different types of 2FA. In order of strength, from weakest to strongest, we have: SMS codes sent to your phone, ‘authenticator apps’ you can install on your phone, and special hardware tokens, like the YubiKey I use. Although SMS is generally considered the easiest for an attacker to get around, with techniques such as SIM-swapping, it’s much better than nothing.
A good password is one that is long (12+ characters), not in the dictionary and contains numbers, capitals and symbols. On top of that, you shouldn’t use the same password on different websites. The problem is, asking people to do that is unreasonable. That’s where password managers come in.
You create one strong password for your password manager, and use 2FA for it. Then, let your password manager create, store and enter random unique passwords for all of your different websites. I don’t even know the passwords to all my accounts. My password manager does it all for me.
I personally like LastPass, but there are lots available. Most web browsers have them built in these days.
A note on antivirus and firewall software – don’t bother with them. If you have the latest version of Microsoft Windows or Apple OS X, you already have a really good one built in.
If you’re on iOS or Android, antivirus software doesn’t really work anyway. Don’t fall for the marketing hype. Antivirus can buy you something if you’re an enterprise or want more sophisticated detection, but for most people, I wouldn’t bother.