This guide is for the average person looking to improve their personal cybersecurity practices and reduce the likelihood of a compromise. It’s important to think about why someone would “hack” your accounts or devices at all. It is highly unlikely you would be hacked by a nation-state actor (e.g. Russia) – simply put, you don’t have powerful enough systems, or enough bandwidth in most cases. What’s more likely is that someone will learn new tools or techniques from attacks sponsored by nation states and use them to breach your accounts or devices. They will be looking for credit cards, they’ll turn your systems into a bot to attack some other system, set up a bitcoin miner, or access your accounts. Worse, they might encrypt your hard drive with a password and make you pay bitcoin to unlock it (“ransomware”).
There are typically three segments of defenses when you consider your exposure:
- accounts that you have online
- your home network
- your personal computers and devices
Securing Your Passwords and Online Accounts
There are 2 best practices for securing your passwords and online accounts: use a password manager and turn on 2-Factor Authentication (2FA).
TLDR (the short version): Use a password manager, with a strong password, and randomly generate every password you use.
I. Password & Account Management
1. Only use a password manager for passwords. You must use a password manager or there is not a chance you will be able to secure your accounts.
The popular ones are 1Password or LastPass and either is good. Pay for their service – the free versions are limited. Once you set the applications up, follow these rules:
- Only use randomly generated passwords – do not create your own passwords. Have your passwords generated with random alphanumeric characters (a, b, c…1, 2, 3), and symbols (%, &, $, etc).
- Use longer passwords – a MINIMUM of 12 characters. I often use 14 or higher (e.g. over 20 for a bank account).
- The ONLY password you will have to remember is your password for the password manager. That cannot be random, so you need to pick a password you can remember. Here’s the trick – it needs to be a long password (e.g. 20+ characters) and it needs to use numbers, symbols, and upper/lower case letters. I generally recommend using a sentence for your password. E.g. “My favorite place in the #WORLD is D1sney!”
Always use a securely generated random password for email accounts (e.g. Gmail, outlook.com) and set up 2FA (see below). If you are using an older email provider (e.g. aol.com, yahoo.com) you really should move to a modern, secure option: gmail.com or outlook.com.
2. NEVER EVER – EVER reuse the same password or a similar version of a password on multiple sites. This is one of the most damaging security mistakes you can make. The reason is simple: if the bad actors get your password on 1 website, they will instantly try logging into thousands of popular websites and services with the same password, and brute-force guess various combinations of that same password. Do not store any passwords on your computer (e.g. don’t store them in an Excel file, and definitely not “in the cloud” such as in a Google Sheet).
Passwords are stored in encrypted form. Some are stored on your laptop, some are stored by the websites you visit. When they’re encrypted, no system can read them without you unlocking the encryption key. However, computers can make billions of guesses per second to figure out your encryption key. If you want to know why, read on below – or skip ahead to Multi-Factor Authentication.
Why are random passwords so important?
Passwords are “cracked” by the bad actors using a “brute force” attack. A brute force attack means they use dictionaries of words and start “guessing” what your password is, varying the guessed characters position by position, until a guess “unlocks” the encrypted password. It’s a trial-and-error process that takes time. But computers are fast, and a modern processor can make a billion guesses in 2 minutes. A 6 character password can be cracked instantly. Many websites still only require an 8 character password, but this is not enough – 39 minutes to guess the most complex 8 character password.
This is a numbers game and a lot of math is involved. Every additional character adds exponentially larger combinations that need to be guessed. A 12 character password has 475,920,314,814,253,359,955,968 possible combinations a computer would potentially have to guess. Using 12 random characters increases the possible combinations and would take a bad actor’s computer over 3,000 years to brute force attack it. Now the bad actors can always use more compute power and even your 12 digit password can be cracked in days, but most bad actors won’t invest compute power like that for days just to get your 1 password – there are easier targets out there.
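As an added illustration (not code from the guide), this small Python script generates a password that follows the rules above using a cryptographic random source, and computes how the number of combinations grows with length for the 94-character alphabet; the guess rate in it is an assumed value for illustration, not the guide’s figure.

```python
import secrets
import string

# Character classes the guide says to draw from: letters, digits and symbols.
LOWER, UPPER, DIGITS = string.ascii_lowercase, string.ascii_uppercase, string.digits
SYMBOLS = string.punctuation
ALPHABET = LOWER + UPPER + DIGITS + SYMBOLS  # 26 + 26 + 10 + 32 = 94 characters


def generate_password(length: int = 14) -> str:
    """Return a uniformly random password containing at least one character
    from each class. Uses `secrets` (a CSPRNG), never the `random` module."""
    if length < 12:
        raise ValueError("the guide's minimum is 12 characters")
    while True:
        candidate = "".join(secrets.choice(ALPHABET) for _ in range(length))
        # Rejection sampling: retry until every class is present, which keeps the
        # distribution uniform over all passwords that satisfy the rule.
        if all(any(c in cls for c in candidate) for cls in (LOWER, UPPER, DIGITS, SYMBOLS)):
            return candidate


def keyspace(length: int, alphabet_size: int = len(ALPHABET)) -> int:
    """Number of distinct passwords of the given length: alphabet_size ** length.
    For 12 characters this is 94 ** 12, which starts 475,920,314,814,253..."""
    return alphabet_size ** length


def years_to_exhaust(length: int, guesses_per_second: float,
                     alphabet_size: int = len(ALPHABET)) -> float:
    """Worst-case time to try every combination at the given guess rate."""
    seconds = keyspace(length, alphabet_size) / guesses_per_second
    return seconds / (365.25 * 24 * 3600)


if __name__ == "__main__":
    ASSUMED_RATE = 1e10  # guesses per second: an assumption for illustration only
    print("example password:", generate_password(14))
    for n in (6, 8, 12, 20):
        print(f"{n:2d} chars: {keyspace(n):.3e} combinations, "
              f"{years_to_exhaust(n, ASSUMED_RATE):.3g} years to exhaust")
```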
You can also check if your accounts have been potentially stolen in a data breach. Enter your email address(es) in this website: https://haveibeenpwned.com/
Your accounts have likely already been discovered in a breach. Make sure you use a password manager, turn on 2FA, and you should be ok.
Multi-Factor or 2-Factor Authentication
Think of a movie where someone had to pass through multiple security checkpoints. That’s what MFA/2FA does. Your password becomes the first checkpoint. The next checkpoint is your 2FA code.
You will often see this called “2FA” or “Two-Factor Authentication”. This is an absolute must because with enough compute power or time, passwords are inherently insecure. With enough compute power, even a 12-digit password can be cracked in seconds. What security professionals figured out a while ago is even if someone can get your password, having a second security checkpoint massively decreases their odds of accessing your account.
How To Set Up 2FA
First, add a 2FA app to your smartphone. This app stores your 2FA tokens. The two most commonly used options are “Google Authenticator” or “Authy”. I personally recommend Authy, but either is fine. Do not use the Password Manager application above to also store your 2FA codes. The reason is if your Password Manager account is breached, your 2FA codes will not be there and the hacker who stole your passwords still won’t be able to log into your accounts.
Once you install the 2FA app, open it and go through the basic setup. Typically you will need to add a pin code.
Once the app is set up, when you log into an account online, go into your password settings. Look for an option in your account settings to set up 2FA. It will usually walk you through a process where you will see a QR code that looks like this:
This QR code will show up on your screen so that you can use your smartphone app to “scan” it. The 2FA app will use the camera on your phone to take a picture of the code. This syncs your phone to a code generation algorithm that is synced to the online account. Your phone will now generate a new code every 30 seconds.
When you log into that account/website from now on, you will be asked to enter your password like usual, but now you will be asked to also enter your 6-digit 2FA security code (the 2FA code for that account in the 2FA app). In Authy, for example, you simply open the app, click on the website entry, and then type the 6-digit code you see on your smartphone into the website login screen.
You must learn to use 2FA if you are going to secure your accounts.
There is often an option to use 2FA through a text message to your smartphone instead of an authenticator app. Do not use the phone option unless it is the only option. The phone option is notoriously easy to compromise and is generally considered not secure. Use the “authenticator app” option if that is available. Most banks still only provide an option to do phone/text 2FA and if yours still only offers that, well… it’s better than not using 2FA at all, so set it up. What the phone-based 2FA will do is after you enter your password on the website (the first checkpoint), it will ask you for a 6-digit code that the website will text to your phone at that time. Enter the code in the text message and you can pass the second checkpoint.
DO NOT OPEN LINKS VIA EMAIL
The final recommendation is to never click a link in an email to open a website and log into an account. Instead, open your web browser and type in the website you want to log into. The reason is there are many phishing attacks that will “look” exactly like a legitimate email from a company you trust, but will take you to a fake front website and get you to log in so they can steal your credentials or security token. If you get an email and feel you should log in, type the website into the browser and avoid any possibility of being tricked by a phishing attack.
II. Securing Your Home Network
There’s very little the average Internet user can do to secure their home network. Your network is like a virtual house where all your stuff connects, and there’s a router and internet modem that connects everything inside your house to the outside world. The challenge is that understanding networking is a high bar for most users, so securing a network requires a massive leap in skills.
However, you can do 2 things to secure your home network.
- Buy secure equipment
- Use your password manager for the equipment passwords
- Buy secure equipment. Only purchase one of the three devices below.
- Firewalla (cheapest option, but doesn’t have built in WiFi for wireless networking, which will be hard to set up if you don’t know what you’re doing)
- Google Nest Wifi (simplest option, get at least 1 puck, 2 if you have a larger home)
- Ubiquiti Amplifi (better for larger homes)
The reason is that most “routers” you see at Best Buy or any retail store are NEVER updated and have some of the most insecure software in the world. They are designed to maximize profit with the cheapest software required to ship a product, and once a device is sold, the company wants to sell you another device. They rarely get software updates, and usually only when they are so bad that the US declares them a national security vulnerability and the manufacturers are forced to issue updates. DO NOT buy a Netgear, D-Link, Asus, TP-Link, or any “cheap” off brand. The 3 options above are the ONLY options that take security seriously and regularly provide security updates after the device sale.
- When setting up your networking device, use your password manager. If your device can also support 2FA, set your account up with that too. Both the Google Nest Wifi and the Ubiquiti Amplifi allow for 2FA on your account.
An additional protection you can take is to change the default DNS service on the router device. In the settings, there is an option for “preferred DNS” (usually it’s called that). It allows you to enter an IP address. Use this primary DNS server: 9.9.9.9 and for the secondary DNS server, enter 149.112.112.112. This is a service called “Quad 9” (easy to remember because there are just four 9s in the IP address). This service makes it very difficult for any device on your network to access “bad servers” on the internet that are known to be cyberattack vectors for malware, phishing, spyware, and botnets (bad things).
III. Securing your personal computers/devices
Purchase a subscription for Trend Micro or Bitdefender and install it on every laptop/PC you have. Many also have a smartphone app, but those are not really that important/helpful (yet at least).
On a smartphone, use biometric security to unlock the phone (e.g. fingerprint or face recognition).
Beyond having security software installed, the critical thing to do is routinely check and make sure your software is up to date.
Apple Devices (iPads, iPhones, Macs)
On iPads and iPhones, go to Settings->General->Software Update. Then open the App Store, click on your account on the top right and then scroll down to the Updates section. You may already have automatic updates turned on, and if you don’t, you should. You can always manually install updates with the “Update All” option here.
On an Apple MacOS laptop or iMac, go to Settings->Software Update and update to the latest. You should check the box to turn on automatic updates.
Android
Android phones can have the update system in different places, but most will be in Settings->System->System Update. Next, open the Google Play store. On the top right, click your account icon, then select “Manage apps & device”, then select “Update All”.
Windows
Windows is generally the worst because there are so many places to go for updates. First you need to update the operating system, then the apps, and then there are also driver and firmware updates that may come from your specific manufacturer.
Windows Update
Go to Settings->System Update to manage the operating system updates – these are generally the most important.
Microsoft Store
Next, open Microsoft Store from the application menu. Once open, select the “Library” icon on the lower left menu. Click “Get Updates” on the top right, then install any available updates.
Manufacturer Driver/Firmware Updates
For the manufacturer updates, you need to look in the main applications for a utility provided by the manufacturer. For example, on a recent Samsung laptop, there will be a “Samsung Update” application – open your manufacturer’s update application, check for updates, and apply any available.
Microsoft Office
Office has its own update system that automatically updates Office when you use it. If you don’t use it often, it can become out of date. Open any Microsoft Office application (e.g. Word, PowerPoint, Excel), then click on File in the top menu. On the lower left you will see an option for “Account”. Click Account and then you should see “Office Updates” in the main window. Click “Update Options” and select “Update Now”.
Google Chrome
Chrome has its own update system. Open Chrome, then on the top right you should see the settings icon (3 vertical dots).
Click this option, then go to Help->About Google Chrome. Chrome should check and automatically update itself. You will usually have to “Relaunch” Chrome after the update is installed.
Other Random Devices
Look around your house – what other “smart” devices do you have on your network? It’s common that your TV is connected to the internet – and it will have updates as well. In general, go into the system settings and look for a software update option. Some smart devices like Alexa and Google Home speakers will automatically update themselves. There are many internet connected devices now – garage door openers, doorbells, light bulbs, cars – each should have a system for updates. Use them – this is a critical step – almost every software update log of “what’s new” will show “security updates” as one of the items. That’s because critical vulnerabilities are being discovered all the time and the software was updated to “patch” the issue.