7 Steps To Make Yourself More Secure
Whenever I tell someone I’m a penetration tester the reaction is always the same. First laughter at my ‘hilarious’ job title, followed by one of three questions: “Can you hack into my friend’s Facebook account?” “Can you get me free money from the bank?” “Can you get me free cinema tickets?” (Maybe I’m just moving in the wrong circles?) Anyway, the question they really should be asking me is: “What’s the easiest way to make myself more secure?”
My aim is to stop people feeling overwhelmed by all the noise and scare-mongering out there. Instead, I want people to realise they don’t need to be an expert to get themselves secure, in fact the most effective actions are actually really simple to implement. So, by setting them out in practical steps, one at a time, you’ll be able to prevent yourself becoming the low-hanging fruit that hackers love. We’ll start with the machine you use daily, whether that’s your personal laptop, or desktop.
Remember KISS – Keep It Simple, Stup$d
Step 1: Automatic Updates
Un-patched/out-of-date operating systems are a hacker’s best friend. No need to get into the technical nitty-gritty here, just take my word for it (or if you don’t want to take my word, take these guys’ word, I won’t be offended): keep your software patched. Luckily this first step is probably the easiest: simply turn on ‘Automatic updates’ and updates will install themselves automatically, instead of just downloading. It’s the business. And when the pop-up says ‘you need to restart to apply updates’, don’t just click ‘remind me again in 6 months’; do it there and then, or at least at the end of the day. Let’s also not forget to keep the software on the machine updated too, especially the browser.
Step 2: Passwords, Passwords, Passwords
Ugh. Right, let’s wade into this one. Nobody can possibly remember strong passwords for all their logins. It can’t be done, so until a better solution comes along everyone should be using a password manager. To be specific: KeePass or KeePassX.
Sidenote: I’m sorry to say that even if you have always had strong passwords your email & password combos may already be compromised. This can happen when businesses you’ve had accounts with get hacked. To find out what is out there go to haveibeenpwned and then create new stronger passwords (using your password manager of course.)
Step 3: Two-Factor Or Not Two-Factor?
The answer is: Yes, two-factor. Definitely.
Enable 2-factor/2-step authentication wherever it is made available (e.g. Gmail, Office365, etc.). This really, really helps, and is a total pain for hackers and other miscreants (every security blog must use the word ‘miscreant’ — it’s the law). Apps like Duo or Authenticator have taken the hassle out of 2FA, and Gmail’s built-in Android solution is particularly quick and painless, so no excuses!
If you only do this in one place, do it on your main email account (the one that’s used to reset passwords for everything else). If that gets hacked, it’s game over.
Step 4: Anti-Virus & Firewalls
I still can’t believe the number of machines I come across with no AV running on them. Security companies love trotting out scary statistics on this topic, and I’m no different. For example, did you know having an unprotected computer on the Internet for just 4 seconds is enough time for it to get infected with a virus, catch fire and melt into a puddle of molten plastic and metal, completely ruining your desk in the process? This is a FACT*.
*Not a fact.
Seriously though, at the very least ensure Windows Defender is turned on, and remember most AV solutions have host-based firewalls built in, so make sure they are turned on too. Come on, please? You owe it to your desk.
Step 5: Have a Think
‘If you didn’t ask for it, don’t open or click it.’
At this stage we’ve all heard of hackers using social engineering tactics like phishing. There’s a good reason for the hype: if you get hacked, it’s probably because you clicked on something you shouldn’t have. The first step in preventing this is to have a Think before acting.
Think: have you really just won a $250 Amazon voucher? A voucher which can be redeemed simply by entering ALL your personal details at the link below?
Think: was your card really used to buy something on iTunes to the value of $125 USD? (especially if your account is in AUD).
Please, please, please when you get stuff like this just Pause. Let the adrenaline subside and Think before you click. Then ask your tech-savvy friend/cousin/neighbour for advice. You know the one, the one you only contact when you have a tech problem (I’m not bitter, I swear). Better safe than sorry, and when they’re done, Think about rewarding them with a pint/box of chocolates/free cinema tickets/$250 Amazon voucher. #Justasuggestion
Step 6: Surf carefully
This is super important. Without going into too much detail (and at the risk of moving into life-coach territory here), a great way to keep yourself secure online is to only browse ‘reputable’ websites *ahem*. Also, I’m not going to get into the ethics — or indeed, legality — of downloading or streaming pirated movies and TV shows, but from a security perspective: if you are going to do it, at least don’t use the same machine you use for online banking.
Step 7: Out and about
A couple of quick tips for when you’re out and about:
- Don’t forget to turn off your Bluetooth when you don’t need it.
- Try to use mobile data if you have enough allowance, instead of connecting to public wifi networks. The same goes for using a laptop in a cafe or bar: use your mobile hotspot, not their tempting free wifi, and remember to always secure your hotspot with a complicated password.
Step 8: What about backup? (Bonus Round)
*Yes, I know I said ‘7 steps’, but at Siege Cyber we are all about over-delivering.
With the rise of ransomware attacks, it’s never been more important to have backups. Personally, I like to work directly from cloud-based services like OneDrive, Google Docs, Dropbox etc. I find OneDrive to be particularly seamless on Windows.
This approach avoids the pain of saving stuff onto a USB drive and all the problems that brings (mini step 8.5 — don’t use USB sticks!). Let the big boys worry about keeping the backups, so you can concentrate on playing Call of Dut… I mean, er, working.
Right, well that’s it for now. There’s a lot more you can do, but take these first 8 steps and you’ll be more secure than the next person (assuming they haven’t read this too), and that’s all it takes for a lot of hackers to pass you by.