This is the first post in a series about best practices for keeping your personal information safe.
Articles and newscasts about Information Security (otherwise known as InfoSec) are practically a daily occurrence these days. Most of these articles are concerned with the increased demand for InfoSec services for businesses and IT Managers, or inform people about the massive data breaches at companies such as Target, Home Depot, Sony and more.
The SANS Institute defines Information Security as "the processes and methodologies which are designed and implemented to protect print, electronic, or any other form of confidential, private and sensitive information or data from unauthorized access, use, misuse, disclosure, destruction, modification, or disruption."
I give many presentations to businesses, social and school groups about Internet Safety and Information Security, and I tell everyone that there is a perfect storm brewing in relation to the securing of information. Articles show that privacy issues and the securing of Intellectual Property are not concerns for many start-up companies (many of which we voluntarily give our personal information to). Combine this lack of privacy concerns with the ever-increasing number of cyber attacks, data breaches, connected devices (the Internet of Things), social media sites, and the collection of Personally Identifiable Information (PII), and it is no wonder your average person feels a little lost or unaware of what to do.
This post is not directed to those "in the know" about InfoSec. Those of you within this industry (be it Digital Forensic practitioners, Information Security Officials, Ethical Hackers, Pen Testers, etc.) most likely know most of what I am going to talk about. This post is for your average non-technical person (such as my Mother), who wants to know what they can do at a basic level to protect their personal information. I hear from many people I talk to that they are (or should be) concerned with Information Security; however, it is difficult to comprehend the threat to themselves when they read in the news about 1 billion email addresses being compromised.
This post is by no means trying to suggest that InfoSec is simple. In fact the opposite is true. It can often be very challenging. The suggestions below are solely some simple steps that your average computer user can do to help protect their personal information while at home or while using the internet. It is often the simplest steps which have the strongest impact.
I recommend to all my family and others that they use complex passwords, and many of them. To make things easy, however, I suggest they use words they know and can remember, but insert special characters or numbers in place of letters. For example, instead of using the term "watermelon" as your password, I would suggest changing it to "My W@terMel0n". Adding capitals, special characters and a space dramatically increases the complexity of the password. This change is dramatic enough to increase the password strength and security, yet simple enough for a user to remember.
Some websites or apps do not allow for spaces or special characters within their passwords. In those situations, just substituting numbers for letters will help a little.
I always suggest to people not to use the same passwords for all their accounts. Having multiple passwords will make all your accounts more secure. If someone were able to gain access to one of your accounts, they may be stopped from taking over the rest. Studies have shown that the average person has 19 passwords, but 2 in 3 people do not make them complex enough. There are many password manager programs on the marketplace. These programs will not only create longer and more complex passwords for you, they also allow you to store them in a secure manner and share your passwords between devices. You will then only need to remember one Master Password to get you into the program. Many of them have other features, such as automatically logging you in to websites.
** There are some password managers on the market that were created in order to harvest people's passwords for malicious purposes. Do your research and choose accordingly **
In 2011, Cisco predicted that the use of Wi-Fi would overtake the use of wired connections, and plans have been underway for many years to allow city-wide public Wi-Fi. Most people are already well aware that home wireless networks should be protected and have limited access. There are a few different methods to do this. Luckily, many home routers have built-in wizards to guide even the most non-technical person through the required steps. Enabling Wi-Fi encryption is a good thing to do for many reasons:
- It can limit the use of your Wi-Fi by others and may therefore protect you from being accused of illegal activity.
- It may prevent others (such as Google) from collecting your personal data.
- It may help to protect your other devices that are on the same network.
Another simple way to protect your Personally Identifiable Information and secure your computers is not to use public Wi-Fi. There are videos that show just how easy it is for someone to hack into your accounts when you are using public Wi-Fi. It is basically child's play. However, if you do need to use public Wi-Fi because of the convenience, here are a few things you can do to decrease the chances of your data being compromised:
- Turn off the setting to "Automatically Connect" to the public network.
  - This will stop your devices from automatically connecting to public Wi-Fi locations without you knowing. The only Wi-Fi locations I automatically connect to are my home and workplace.
- Turn off sharing of any printers, folders, files or remote access capabilities.
- Turn on your firewall.
- Confirm the network name you are connecting to. It is not difficult for a hacker to set up a network with a name similar to the network name you want to connect to.
- Use a VPN (Virtual Private Network). This can seem a little daunting for many people, however it is not a difficult thing to do. There are some very good VPN services that are inexpensive and easy to use.
Update and Patch
I'm sure you are tired of constant updates from all of the programs and operating systems on your computers and handheld devices. Did you know that most of these updates and patches, though often disguised as upgrades, improvements or bug fixes, are most often security updates? In his book Future Crimes, Marc Goodman states that some of your average computer programs require upwards of 50 million lines of code (LOC) to run. He quotes a study by Carnegie Mellon University which concluded that typical commercial software has 20 - 30 bugs for every 1000 lines of code. Doing the math means that there are potentially 1 - 1.5 million possible exploits in software made up of 50 million lines of code.
Setting up your operating systems, software and apps on your cell phone to auto-update is an easy way to ensure you stay up to date. Or, if you wish to have more control, set the programs/operating system to inform you before updating (just don't take too long to install critical or security updates).
One of the easiest ways to protect your data is to back up your data. This method of security has been "preached" for many years, yet many people still to this day don't back up their data. There are multiple ways to back up your data, including cloud storage, external hard drives, and CDs/DVDs (not a popular choice anymore). I myself do not like backing up my important data "in the cloud". There have been many instances of hackers getting into people's cloud accounts. I myself prefer to use an external hard drive for backups. For less than $100, you can purchase a portable external drive with ample amounts of storage capacity. There are many ways to automate the backup process, making it easy for the end user. If your computer gets compromised or gets a virus, it is always easier to restore your information if you have a backup to restore from.
There has been a lot of debate as to the effectiveness of many popular anti-virus programs, and there have been articles written about why some believe that Mac computers do not need any anti-virus protection at all. Some of the authors of these articles suggest that Mac users do not need anti-virus protection on their computer, because "Quite simply, all the evidence suggests they don't." One author has "had an unprotected Mac connected to the web for 10 years, and [has] never had a problem."
I don't know if never having a problem justifies not utilizing anti-virus protection. That is like saying, "I haven't worn a seat belt in 10 years and I've never been in an accident."
Just like any other programs, some anti-virus programs are good, while others...well...they could be better. Like any other program you use for information security (such as Password Managers), research the best ones on the marketplace and choose the best one to fit your requirements.
There are many other things users can do to protect themselves online. This posting was meant to provide some basics for those who don't know where to start. I compare securing your information to placing a lock on your front door. You can leave your front door wide open, place a lock on the door but leave the key under the mat, secure your door with a few good quality locks, or go as far as protecting your house like a bank vault (see opening picture). Even with the highest security, people still manage to break into banks. The same is true with information security. Even if you take all known best practice precautions, someone still might be able to get your data. However, placing a few locks on your front door might make a would-be thief try your neighbor's house instead of wasting time on yours.