Not even most of my digital life is in the enterprise security space, whilst this is great if you have access to technology budgets, security specialists and modern business class solutions, this doesn’t really fit into the general populations landscape of technology. I thought I’d take a high-level exploration of what digital security looks for people who aren’t security nerds! This is a bit of an experiment for me as it’s a journey into a world where although some things apply to me (obviously I’m human), some of this from a thinking/blogging point of view aren’t my comfort space. So, let’s see what a world outside of being a nerd look like!
I’m thinking the risk landscape is still broad however when we think about risks, I reckon a general view model may look at some of the following scenarios:
- Social Media Account Takeover
- Device Theft
- Device Loss
- Equipment Failure/Data Loss
- Threat from known individuals with physical access
- Human Error
In this blog I’m not focusing on keeping yourself hidden from motivated threat actors (you know the committed cyber baddies and criminals). I’m taking this from a general person perspective, not a journalist, activist or person who works in a sensitive industry. When we get into wanting to be invisible (or near to it) that’s a whole different ball game (and doesn’t fit into a single blog).
Identity & Privacy
Your digital identity online is now these days practically part of your physical one. For this reason, it’s important to understand how your identity is made up, what services you use, what accounts you have and how you appear online. I’m not talking about looks, I’m talking about your digital web of identities from social media through to shopping and online services. In the modern world the lines between the physical and digital world are blurring. So, it’s important to be able to keep yourself safe. I’m going to go through a few tips for keeping yourself safe online. This isn’t an advanced guide to hiding, or how to setup alt/sock accounts etc. This is just general guidance aimed at the everyday technology user.
Still the most common way to authenticate to a service these days is a username and password. Often the username will be an email address or user picked name. Where possible use unique names, you can make this a bit easier by using aliases on email accounts (check your mail provider supports these) e.g., [email protected]
Unique usernames are not always possible so that’s just one piece of the puzzle to keeping yourself safe online. Another key component are passwords.
For a long time, the information security industry was giving out guidance on password security, which was frankly shockingly bad, advising people to user 8 characters, with complexity and rotating passwords every 30 days simply created this problem:
Passwords are simply not a great way of interfacing human and machine, yet I can’t see them going anytime soon, so let’s think how we can keep ourselves secure:
- Where possible use unique usernames.
- Use strong random passwords or passphrases, do not re-use these across services.
- A single factor of username/password also has been demonstrated to be quite weak. We need to think about other ways to strengthen these.
- Consider using application-based authentication as part of a multi-factor authentication strategy, where possible ensure this is enabled on your online accounts.
- Recognise that SMS 2FA is weak but sometimes unavoidable.
Now this is already complex, and we are just on authentication, a key aid to helping manage identities and credentials are password managers. There are open-source offline managers such as Keepass or commercial (free/paid) for offerings such as LastPass, OnePass etc.
Now there are multiple ways of doing this, however the simplest (and we like simple) is to leverage “Have I Been Pwned” to monitor your account/domain:
Consider your environment, if you are in a public location or even somewhere like an Airbnb or hotel be mindful of potential threats. I will use public wireless connections sometimes, but I commonly tether to my phone or use a dedicated 3G/4G mobile connection.
- Be mindful of where you leave your devices, lock them when they are unattended.
- Look out for people shoulder surfing
- Be mindful of CCTV when entering in passwords etc, (4K Cameras can easily catch your entering a password). You aren’t Jason Borne so I wouldn’t lose sleep over this but it’s worth being aware.
Keep your web browsers up to date, there are a range of common browsers:
- TOR Browser
Browsers are an entire attack surface themselves, consider the following areas:
- Credential Storage
- Browser History and other metadata
- Settings and History Synchronisation
- Security Configuration/Hardening
Smart Phone Security
The modern world, everyone is basically online 24/7 constantly connected to the internet via smart phones. This isn’t a hardening guide, but you should consider the security and privacy implications of this.
- Ensure devices are updated regularly
- Ensure your screen locks are enabled
- Enable phone tracking (if this suits you) in case you lose your device.
- Ensure devices are encrypted
- Consider using biometric security to unlock your device (there are reasons why this can be risky e.g., facial recognition) however for the normal persons threat model I wouldn’t be worried about using these features.
- Backup your important documents to cloud services or to offline storage (or both)
- Consider the applications you deploy and what permissions you grant them. Not every app needs to read your contacts and use your GPS.
PC Device Security
PC device security as with the other areas in this blog are a massive area, however, here are a few quick tips:
- Ensure automatic updates are enabled
- Encrypt your drives (to help prevent data loss if the device is stolen)
- Enable a firewall
- Ensure you have up to date antivirus enabled
- Set a lock time out period
- Look at enabling biometric authentication options
- Review firewall and remote access services
- Where possible use a dual account model where your normal account does NOT have local administrator access
- Consider using “lost my device” features from your manufacturer (again to some this may be a threat)
Look to good practise guidance from the vendors and places like the NCSC.
Virtual Private Networks
Now there’s lots of differing opinions on VPNS, when use public networks you may want to leverage a VPN back to your broadband connection or you may want to use a commercial provider. I’d suggest avoiding free proxies and VPN providers.
Keeping data backed up may be important to you. There are a range of practises around backup that are important, you may wish to use cloud backups (check if they are encrypted) or you may wish to use local and offline backups. Each has their own pros and cons and need to apply based on your risk appetite and threat model.
Phishing and Scammers
Ok this one is the part that’s hard because you are having humans try and con you. They will do this on a load of ways (hell some firms use the same techniques, so this is not easy to defend against).
You will have no doubt have heard people say:
- Just simply don’t click.
- Don’t give your credentials
- Be vigilant
The world and life aren’t like that, we can’t as humans be on the ball 100% of the time and regardless of how vigilant we are mistakes can be made. There are some common things to look out for:
- Anything that threatens legal or policy action if you don’t act IMMEDIATLEY is usually not from law enforcement, scammers will use historic breach data to prove they have hacked you by showing you your current or old passwords to add legitimacy.
- If someone send you an email saying you have won a prize for a competition you never entered that clearly is a scam.
- Watch out for delivery scams.
- Claims that your webcam has been hacked and that someone has compromising materials on you unless you pay them, well a) it’s highly likely they are simply lying b) if in the extremely rare case they do, simple go to the police. We are all human and in the grand scheme of life you are better off not opening yourself for blackmail and extortion without an end in sight.
- If you are ever worried about a scam phone call etc. Simple hang on, then use a different phone line to call the official numbers of the service provider.
The avenues of attack scammers use include:
- Phone calls
- Physical Letters
- Social Media
- Compromised Websites etc.
It can be a bit of a deluge (and sometimes hard to distinguish between marketing materials) however if you take steps to protect your digital landscape you can make everything so much harder for the baddies!
Wow, ok so this was a high-level brain dump, and boy I need a cup of tea. There’s a lot to consider and to me this feels like the world still has a long way to go before we get to a secure by design and by default position.
I’ve not even really scratched the surface on topics to consider, hell I’ve not even talked about IoT and personal assistants. It’s not a surprise cyber crime is rife in the world, however with a bit of thought you take yourself from being a high-risk digital target to being significantly more protected.