Chapter 4
IN THIS CHAPTER
Discovering why you may not be as cybersecure as you think you are
Understanding how to protect against cyber risks
Evaluating your current cybersecurity measures
Taking a look at privacy
Adopting best practices
The first step in improving your protection against cyberthreats is to understand exactly what it is that you need to protect. Only after you have a good grasp on that information can you evaluate what is actually needed to deliver adequate security and determine whether you have any gaps to address.
You must consider what data you have, from whom you must protect it, and how sensitive it is to you. What would happen if, for example, it were publicized on the Internet for the world to see? Then you can evaluate how much you’re willing to spend — timewise and moneywise — on protecting it.
One lesson we can all learn from the Greek hero Achilles is that if you suffer from a vulnerability, attackers may eventually exploit it to your detriment. As such, it is important to understand the various areas in which your current cybersecurity posture may be less than ideal so that you can figure out how to address any relevant issues, and thereby, ensure that you’re adequately protected. You should, for example, inventory all items that could contain sensitive data, become launching pads for attacks, and so on.
Your home computers may suffer from one or more major types of potential problems relevant to cybersecurity:
From an information security standpoint, mobile devices are inherently risky because they
As discussed in detail in Chapter 18, the world of connected computing has changed dramatically in recent years. Not that long ago, the only devices that were connected to the Internet were what people classically called computers — desktops, laptops, and servers that could be used for many different computing purposes. Today, however, we live in an entirely different world in which computers form only a small percentage of connected devices.
From smartphones to security cameras, refrigerators to cars, and coffeemakers to exercise equipment, numerous types of electronic devices now often have powerful computers embedded within them, and many of these computers are perpetually connected to the Internet.
The Internet of Things (IoT), as the ecosystem of connected devices is commonly known, has been growing exponentially over the past few years, yet the security of such devices is often, at best, inadequate. Many IoT devices do not contain security technology to secure themselves against breaches. Even those that do are often not properly configured to be secure. Hackers can exploit IoT devices to spy on you, steal your data, attack other systems and/or devices, launch denial-of-service attacks against networks or devices, and inflict various other forms of damage.
Networking equipment can be hacked to route traffic to bogus sites, capture data, launch attacks, block Internet access, and so on.
You may have sensitive data in your work environment — and you can be put at risk by colleagues at work as well. For example, if you bring any electronic devices to work, connect them to a network at work, and then bring those devices home and connect them to your home network, malware and other problems can potentially spread to your device from a device belonging to your employer or to any one or more of your colleagues using the same infrastructure and then later spread from your device to other machines on your home network.
Of course, the COVID-19 pandemic led to the blending of many work and home environments, and the cybersecurity effects of such developments have often been troubling.
To secure anything, you must know what it is that you’re securing; securing an environment is difficult, if not impossible, to do if you do not know what is in that environment. (This concept is age-old wisdom; refer to the Sun Tzu quote at the beginning of Chapter 3.)
To secure yourself, therefore, you must understand what assets you have — both those that are in digital formats and those in related physical formats — and what it is that you seek to protect. Those assets may or may not be in one location. In fact, some or all of them may be in locations that you cannot physically access. For example, you may have data stored in a cloud storage service such as Google Drive, Apple iCloud, or Microsoft OneDrive. You must also understand what risks you face to those assets.
Add to that list — in a separate section — all storage devices that you use, including external hard drives, flash drives, and memory cards, as well as any storage or computing services that you use from third parties. Write or print the list; forgetting even a single device can lead to problems.
After you identify what you must protect (see preceding section), you must develop and implement appropriate safeguards for those items to keep them as secure as appropriate and limit the impact of a potential breach.
In the context of home users, protecting includes providing barriers to anyone seeking to access your digital and physical assets without proper authorization to do so, establishing (even informal) processes and procedures to protect your sensitive data, and creating backups of all configurations and basic system restore points.
Basic elements of protection for most individuals include
And part of learning how to protect against risks is knowing how to detect cybersecurity events, respond to them appropriately, recover the affected devices, and improve defenses to reduce risk even more.
Defending your cyber-perimeter is essentially the digital equivalent of building a moat around a castle — attempting to stop anyone from entering except through authorized pathways while under the watchful eyes of guards.
You can build that digital moat by never connecting any computer directly to your Internet modem. Instead, connect a firewall/router to the modem and connect computers to the firewall/router. (If your modem contains a firewall/router, then it serves both purposes; if your connection is to the firewall/router portion, not to the modem itself, that is okay.) Normally, the connections between firewalls and modems are wired — that is, are achieved using a physical network cable. In some cases both the modem and the firewall/router might even be contained within the same physical device.
Modern routers used in home environments include firewalling capabilities that block most forms of inbound traffic when such traffic isn’t generated as the result of activities initiated by devices protected by the firewall. That is, a firewall will block outsiders from trying to contact a computer inside your home, but it will not block a web server from responding if a computer inside your home requests a web page from the server. Routers use multiple technologies to achieve such protection.
One important technology of note is Network Address Translation (NAT), which allows computers on your home network to use Internet Protocol (IP) addresses that are invalid for use on the Internet, but can be used on private networks. To the Internet, all the devices on networks using NAT appear to use one address, which is the address of the firewall that is situated between them and the Internet and is handling the NAT function.
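The two behaviors described above (one public address shared by every device inside, and unsolicited inbound traffic dropped while replies to inside-initiated connections pass) can be modeled in a few dozen lines. The following is an added example, not code from the book or from any router vendor; it simulates a home router's NAT table and connection tracking in Python, and every address, port and packet in it is constructed for illustration (the public address uses a documentation range, and the RFC 1918 ranges stand in for "addresses valid only on private networks").

```python
"""Toy model of a home router: NAT plus a stateful firewall (constructed example)."""
import ipaddress
from dataclasses import dataclass, field

PUBLIC_IP = "203.0.113.7"  # constructed: the router's single Internet-facing address

# Address blocks that are valid only on private networks (RFC 1918)
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_rfc1918(ip: str) -> bool:
    """True if ip belongs to one of the private-use ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in RFC1918)


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


@dataclass
class NatRouter:
    """Rewrites outbound packets to the public address and remembers who asked for what.

    Inbound packets are admitted only if they answer a remembered outbound
    connection (same remote host and port); anything else is dropped.
    """
    public_ip: str = PUBLIC_IP
    next_port: int = 40000
    # (private ip, private port, remote ip, remote port) -> public port
    table: dict = field(default_factory=dict)
    # public port -> (private ip, private port, remote ip, remote port)
    reverse: dict = field(default_factory=dict)

    def outbound(self, pkt: Packet) -> Packet:
        """LAN -> Internet: allocate a mapping if needed, rewrite the source."""
        if not is_rfc1918(pkt.src_ip):
            raise ValueError("only hosts with private addresses sit behind this router")
        key = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        if key not in self.table:
            self.table[key] = self.next_port
            self.reverse[self.next_port] = key
            self.next_port += 1
        return Packet(self.public_ip, self.table[key], pkt.dst_ip, pkt.dst_port)

    def inbound(self, pkt: Packet):
        """Internet -> LAN: deliver a tracked reply, or return None (dropped)."""
        if pkt.dst_ip != self.public_ip:
            return None
        entry = self.reverse.get(pkt.dst_port)
        if entry is None:
            return None  # nobody inside opened this port: unsolicited, dropped
        priv_ip, priv_port, remote_ip, remote_port = entry
        if (pkt.src_ip, pkt.src_port) != (remote_ip, remote_port):
            return None  # right port, wrong peer: not the reply we are waiting for
        return Packet(pkt.src_ip, pkt.src_port, priv_ip, priv_port)


def demo():
    """Walk one web request, its reply, and two unsolicited inbound packets through the router."""
    router = NatRouter()
    laptop = Packet("192.168.1.20", 51000, "198.51.100.10", 443)  # constructed LAN host -> web server
    on_wire = router.outbound(laptop)  # what the web server sees: the public address
    reply = Packet("198.51.100.10", 443, router.public_ip, on_wire.src_port)
    delivered = router.inbound(reply)  # reaches the laptop
    probe = Packet("198.51.100.99", 12345, router.public_ip, 3389)  # nobody asked for this
    spoof = Packet("198.51.100.99", 443, router.public_ip, on_wire.src_port)  # wrong peer, right port
    return on_wire, delivered, router.inbound(probe), router.inbound(spoof)


if __name__ == "__main__":
    for p in demo():
        print(p)
```

The model deliberately tracks the remote endpoint as well as the port, which is what a stateful firewall does; a real router also expires idle mappings, which is omitted here. Note that the protection is only as good as the router itself, which is why the recommendations that follow begin with keeping it patched.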
The following recommendations help your router/firewall protect you:
Keep your router up to date. Make sure to install all updates before initially putting your router into use and regularly check for new updates (unless your router has an auto-update feature, in which case you should leverage that feature).
An unpatched vulnerability in your router can allow outsiders to enter your network.
How should you use security software to protect yourself?
To physically secure your computers and other endpoints:
Also, keep in mind that some computing devices that need to be secured might not be true “endpoints” in that they may have other devices connected to them. A smart home hub or smart wireless camera system, for example, may have smart devices and/or cameras connected to them using proprietary communication mechanisms; they still, of course, need to be properly secured.
Back up regularly. If you are not sure what “regularly” means in your case, the odds are pretty good that you are not backing up often enough.
For more on backups, see Chapter 14.
Detecting refers to implementing mechanisms by which you can detect cybersecurity events as quickly as possible after they commence. While most home users do not have the budget to purchase specialized products for the purpose of detection, that does not mean that the detection phase of security should be ignored.
Today, most personal computer security software has detection capabilities of various types. Make sure that every device that you manage has security software on it that looks for possible intrusions, for example. See Chapter 12 for more details on detecting possible breaches.
Responding refers to acting in response to a cybersecurity incident. Most security software will automatically either act, or prompt users to act, if it detects potential problems. For more on responding, see Chapter 13.
Recovering refers to restoring an impacted computer, network, or device — and all of its relevant capabilities — to its fully functioning, proper state after a cybersecurity event occurs. See Chapters 13, 15, and 16 for more on recovering.
Shame on any of us if we do not learn from our own mistakes. Every cybersecurity incident offers lessons learned that can be put into action to reduce risk in the future. For examples of learning from mistakes, see Chapter 20.
After you know what you need to protect and how to protect such items, you can determine the difference between what you need and what you currently have in place.
The following sections cover some things to consider. Not all of the following apply in every case:
When it comes to software and cybersecurity, think about the following questions for each device:
Of course, all these questions refer to software on a device that you use, but that you don’t expose to use by untrusted, remote outsiders. If you have devices that are used as in the latter case — for example, a web server — you must address many other security issues, which are beyond the scope of this book.
For all your hardware devices, consider the following questions:
While cybersecurity insurance is often overlooked, especially by smaller businesses and individuals, it is a viable way of mitigating some cyber-risks. Depending on the particulars of your situation, purchasing a policy protecting against specific risks may make sense.
If you own a small business that may go bankrupt if a breach occurs, you will, of course, want to implement strong security. But, as security measures can never be 100 percent perfect and foolproof, purchasing a policy to cover catastrophic situations may be wise.
While cyber insurance used to be something that only large enterprises could obtain, in recent years, cybersecurity policies have started to become available to both individuals and small businesses.
A little bit of education can go a long way in helping to prevent the people in your household (or other entity, as the case may be) from becoming the Achilles’ heels of your cybersecurity. The following list covers some things to think about and discuss:
Technology threatens personal privacy in many ways: Ubiquitous cameras watch you on a regular basis, technology companies track your online behaviors via all sorts of technical methods, and mobile devices track your location.
While technology has certainly made the task of maintaining privacy far more challenging than doing so was just a few years ago, privacy is not dead. You can do many things to improve your level of privacy, even in the modern, connected era.
People often willingly overshare information when asked for it.
Yes, you and me included.
Consider the paperwork patients are given at a typical doctor’s office in the United States that you have likely been asked to complete at more than one facility at your initial appointment with the doctor in question. While the answers to many of the questions are relevant and may contain information that is valuable for the doctor to know to properly evaluate and treat you, other portions are probably not. Many (if not most) such forms ask patients for their Social Security numbers. Such information was needed decades ago when medical insurance companies regularly used Social Security numbers as insurance ID numbers, but that dangerous practice has long since ended. Perhaps some facilities use the Social Security number to report your account to credit bureaus if you don’t pay your bills, but in most cases, the reality is that the question is an unsafe vestige of the past, and you can leave the field blank.
If you want to improve your privacy, the first thing to do is to consider what information you may be disclosing about yourself and your loved ones before you disclose it. This is true when interacting with government agencies, corporations, medical facilities, and other individuals. If you do not need to provide private information, don’t. All other factors being identical, the less private information that is “out there,” and the fewer places it resides, the lower the risk to you of a privacy compromise.
Consider the implications of any social media post before making it — there could be adverse consequences of many sorts, including effectively compromising the privacy of information. For example, criminals can leverage shared information about a person’s family relationships, place of employment, and interests as part of identity theft and to social engineer their way into your accounts.
Sharing information about a person’s children and their schedules may help facilitate all sorts of problems — including potentially kidnapping, break-ins into the person’s home while the person is carpooling to work, or other harmful actions.
Sharing information related to medical activities may lead to disclosure of sensitive and private information. For example, photographs or location data placing a person at a particular medical facility may divulge that the person suffers from a condition that the facility is known to specialize in treating.
Sharing various types of information or images may impact a user’s personal relationships and leak private information about such.
Sharing information or images may leak private information about potentially controversial activities in which a person has engaged — for example, consuming alcohol or using recreational drugs, using various weapons, participating in certain controversial organizations, and so on. Even disclosing that one was at a particular location at a certain time may inadvertently compromise the privacy of sensitive information.
In addition to thinking before you share, you can do a few other things to reduce your exposure to risks of oversharing:
Keep private data out of the cloud unless you encrypt the data. Never store private information in the cloud unless you encrypt it. Do not rely on the encryption provided by the cloud provider to ensure your privacy. If the provider is breached, in some cases the encryption can be undermined as well. So, if you must store sensitive information in the cloud, encrypt it yourself before uploading it — regardless of whatever encryption the cloud provider uses. There are applications available that simplify doing so for major cloud storage providers, such as by automatically encrypting and copying to the cloud any files placed in a special folder on your computer.
Do not store private information in cloud applications designed for sharing and collaboration. For example, do not store a list of your passwords, photos of your driver’s license or passport, or confidential medical information in a Google doc. This may seem obvious, but many people do so anyway.
Leverage the privacy settings of a browser — or better yet, use Tor. If you’re using a web browser to access material that you don’t want associated with you, at a minimum, turn on Private/Incognito Mode (which offers only partial protection), or, if possible, use a web browser like the Tor Browser Bundle (which contains obfuscated routing, default strong privacy settings, and various, preconfigured, privacy add-ons).
If you do not take precautions when using a browser, you may be tracked. If you search for detailed information on a medical condition in a normal browser window, various parties will likely capitalize on that data. You have probably seen the effects of such tracking — for example, when ads appear on one web page related to something that you searched for on another.
If you use online chat, use end-to-end encryption. Assume that all your text messages sent via regular cellphone service (SMS messages) can potentially be read by outsiders. Ideally, do not share sensitive information in writing. If you must share some sensitive item in writing, encrypt the data.
The simplest way to encrypt data is to use a chat application that offers end-to-end encryption. End-to-end means that the messages are encrypted on your device and decrypted on the recipient’s device and vice versa — with the provider effectively unable to decrypt the messages; as such, it takes far more effort by hackers who breach the provider’s servers to read your messages if end-to-end encryption is utilized. (Sometimes, providers claim that hackers can’t read such messages altogether, which isn’t correct, for two reasons: 1. Hackers may be able to see the metadata — for example, with whom you chatted and when you did so; and 2. If hackers breach enough internal servers, they may be able to upload to the app store a poisoned version of the app containing a backdoor of some sort.) WhatsApp is probably the most popular chat application that uses end-to-end encryption.
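The cloud advice above (encrypt it yourself before uploading, rather than relying on the provider's encryption) and the end-to-end chat discussion make the same architectural point: what a breach of the provider reveals depends entirely on where the key lives. The following is an added example, not code from the book or from any chat or storage provider; it contrasts the two designs in Python using only the standard library. The "provider", the users alice and bob, the message and the timestamp are all constructed, the shared key is assumed to have been agreed already by the app (key exchange is out of scope here), and the cipher is a demonstration-only SHA-256 counter-mode construction with an HMAC tag, not a vetted algorithm and not what any real app uses.

```python
"""Provider-side versus end-to-end encryption under a provider breach (constructed example)."""
import hashlib
import hmac
import os

NONCE_LEN = 16
TAG_LEN = 32  # HMAC-SHA256


def _subkey(key: bytes, label: bytes) -> bytes:
    """Derive separate encryption and MAC keys from one secret."""
    return hashlib.sha256(label + key).digest()


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    """SHA-256 in counter mode; demonstration only, not a vetted cipher."""
    out, block = b"", 0
    while len(out) < length:
        out += hashlib.sha256(enc_key + nonce + block.to_bytes(4, "big")).digest()
        block += 1
    return out[:length]


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC. Output layout: nonce || ciphertext || tag."""
    nonce = os.urandom(NONCE_LEN)
    stream = _keystream(_subkey(key, b"enc"), nonce, len(plaintext))
    ct = bytes(p ^ k for p, k in zip(plaintext, stream))
    tag = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unseal(key: bytes, blob: bytes) -> bytes:
    """Verify the tag first; only the holder of key gets the plaintext back."""
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("wrong key or tampered message")
    stream = _keystream(_subkey(key, b"enc"), nonce, len(ct))
    return bytes(c ^ k for c, k in zip(ct, stream))


class Provider:
    """The service in the middle: it stores blobs plus the metadata every relay sees."""

    def __init__(self, encrypts_for_you: bool):
        self.encrypts_for_you = encrypts_for_you
        self.server_key = os.urandom(32)  # meaningful only in provider-side mode
        self.records = []

    def upload(self, sender: str, recipient: str, data: bytes, when: str):
        if self.encrypts_for_you:
            data = seal(self.server_key, data)  # the provider encrypts, and keeps the key
        self.records.append({"from": sender, "to": recipient, "when": when,
                             "size": len(data), "blob": data})

    def breach(self):
        """What an intruder who copies the provider's servers walks away with."""
        key = self.server_key if self.encrypts_for_you else None
        return [dict(r) for r in self.records], key


def attacker_reads(records, server_key):
    """Metadata is readable either way; contents only if the key was in the dump."""
    metadata = [{k: r[k] for k in ("from", "to", "when", "size")} for r in records]
    contents = []
    for r in records:
        try:
            contents.append(unseal(server_key, r["blob"]) if server_key else None)
        except ValueError:
            contents.append(None)
    return metadata, contents


def compare(message: bytes = b"lab results: positive"):
    """Run the same message through both designs and report what a breach exposes."""
    when = "2024-01-15T09:30:00Z"  # constructed timestamp
    # Design 1: you hand the provider plaintext; it encrypts with a key it holds.
    p = Provider(encrypts_for_you=True)
    p.upload("alice", "bob", message, when)
    server_side = attacker_reads(*p.breach())
    # Design 2: the app encrypts on your device with a key only the two ends hold.
    shared_key = os.urandom(32)  # assumed already agreed between alice's and bob's apps
    e = Provider(encrypts_for_you=False)
    e.upload("alice", "bob", seal(shared_key, message), when)
    end_to_end = attacker_reads(*e.breach())
    bob_reads = unseal(shared_key, e.records[0]["blob"])  # the recipient is unaffected
    return {"server_side": server_side, "end_to_end": end_to_end, "recipient_reads": bob_reads}


if __name__ == "__main__":
    for name, result in compare().items():
        print(name, result)
```

In both designs the intruder learns who talked to whom, when, and roughly how much was sent; that is the metadata caveat from the text. The same split applies to cloud storage: encrypting files on your own machine before upload puts you in the second design, whatever the provider does on its side.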
Eschewing online banking due to the security concerns that it creates is simply not practical for most people living in the modern age. Doing so would also increase the risks of other dangers that emanate from phone-based banking or from banking in person.
Fortunately, you don’t have to give up the conveniences of online banking in order to stay secure. In fact, I’m keenly aware of the risks involved because I have been banking online since online banking was first offered by several major financial institutions in the mid-1990s as a replacement for direct-dial-up banking services.
Here are some suggestions of what you can do to improve your security as you bank online:
Consider asking your bank for an ATM card that can’t be used as a debit card. While such cards may lack the ability to be used to buy goods and services, if you make your purchases using credit cards, you don’t need the purchase feature on your ATM card. By preventing the card from being used as a debit card, you make it more likely that only someone who knows your PIN can take money out of your account. Perhaps equally important is that “crippled” ATM cards can also not be used by crooks to make fraudulent purchases.
If your debit card is used fraudulently, you’re out money and need to get it back. If your credit card is used fraudulently, you’re not out any money unless an investigation reveals that you were the one doing the defrauding.
Ideally, use a separate computer for online banking than you use for online shopping, email access, and social media. If that isn’t possible or practical, use a different web browser — and be sure to keep that browser up to date.
As an extra precaution, you can configure your browser to remember the wrong password to a site so that if someone ever does get into your laptop or phone, that person will be less likely to successfully log into that site using your credentials.
As I discuss in detail in Chapter 18, smart devices and the so-called Internet of Things create all sorts of cybersecurity risks. Here are some recommendations as to how to improve your security as you use such devices:
If possible, disable device features that you do not need. Doing so reduces the relevant attack surface — that is, it reduces the number of potential points at which an unauthorized user can attempt to hack into the device — and simultaneously lowers the chances of the device exposing an exploitable software vulnerability.
Universal Plug and Play (UPnP) simplifies device setup, but it also makes it easier for hackers to discover devices and attack them for many reasons, including that many implementations of UPnP contain vulnerabilities, UPnP can sometimes allow malware to bypass firewall security routines, and UPnP can sometimes be exploited by hackers to run commands on routers.
In simplified terms, cryptocurrency refers to “money” that is tracked using a ledger of accounts whose copies are distributed to nodes running the cryptocurrency network (which means numerous parties all over the world have copies of the ledger containing a list of all transactions that have ever occurred using that particular cryptocurrency). Most cryptocurrencies are managed not by a central party, but rather, by a majority consensus, with the definition of who is included in calculating the majority consensus varying by cryptocurrency.
The most well-known cryptocurrency is Bitcoin, which was also the first cryptocurrency to arrive on the scene. When someone owns a Bitcoin (or a fraction thereof), that information is stored in a ledger — not with the person’s name, but with an address. For example, address 123 received one Bitcoin from address 321, which means that now address 123 has one Bitcoin.
The owner of the Bitcoin does not actually own anything; instead, the owner simply has control over the relevant Bitcoin address. In the previous example, the person who possesses the secret key needed to authorize any transactions made from address 321 controls any Bitcoins stored at that address.
While going into a discussion about the technology used by Bitcoin is beyond the scope of this book, one important security concern for people to be aware of is that when it comes to cryptocurrency, the secret key needed to perform transactions effectively defines ownership. If the owner of the Bitcoin at address 321 lost the key to that address, the owner would no longer be able to access the Bitcoin stored there, and would likely permanently lose whatever money was stored at that address.
Likewise, if someone else obtained the key for 321 and utilized it without authorization from the owner to transfer the Bitcoin to another address, that transaction would, in nearly all cases, be deemed valid, and the rightful owner would lose the Bitcoin.
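The three situations just described (the owner spends, the owner loses the key, someone else holds the key) follow from a single rule that a ledger can enforce in a few lines: an address is nothing but a hash of a secret, and whoever presents the matching secret moves the funds. The following is an added example, not code from the book and not Bitcoin's actual protocol. It is a toy ledger in Python with constructed addresses and amounts; real cryptocurrencies use digital signatures so that the secret is never shown, whereas this toy checks a hash preimage so it runs with the standard library alone. The ownership consequences are the same.

```python
"""Toy cryptocurrency ledger: the secret key is the ownership (constructed example)."""
import hashlib
import secrets


def new_key() -> bytes:
    """A fresh random secret. In a real wallet this would be a signing key."""
    return secrets.token_bytes(32)


def address_of(key: bytes) -> str:
    """An address is derived from the secret; it reveals nothing about the secret."""
    return hashlib.sha256(key).hexdigest()[:20]


class Ledger:
    """Every participant holds a copy of this: addresses, balances, and all transfers."""

    def __init__(self):
        self.balances = {}  # address -> units
        self.history = []   # (from_address, to_address, amount)

    def mint(self, address: str, amount: int):
        """Constructed shortcut for giving the toy some coins (stands in for mining)."""
        self.balances[address] = self.balances.get(address, 0) + amount

    def transfer(self, key: bytes, to_address: str, amount: int):
        """Move funds out of the address that key controls. The ledger checks only the key."""
        from_address = address_of(key)
        available = self.balances.get(from_address, 0)
        if available == 0:
            raise ValueError("no funds at the address this key controls")
        if amount <= 0 or amount > available:
            raise ValueError("invalid amount")
        self.balances[from_address] = available - amount
        self.balances[to_address] = self.balances.get(to_address, 0) + amount
        self.history.append((from_address, to_address, amount))


def ownership_demo():
    """Replay the text's scenarios on the toy ledger and return what each party ends up with."""
    ledger = Ledger()
    owner_key = new_key()
    addr_321 = address_of(owner_key)   # the text's "address 321"
    ledger.mint(addr_321, 100)         # constructed starting balance

    # 1. The rightful owner sends 40 units to address 123.
    addr_123 = address_of(new_key())
    ledger.transfer(owner_key, addr_123, 40)

    # 2. The owner "loses" the key: a guessed or regenerated key hashes to some other
    #    address, which holds nothing, so the ledger refuses. The 60 units stay frozen.
    lost_attempt = None
    try:
        ledger.transfer(new_key(), addr_123, 60)
    except ValueError as err:
        lost_attempt = str(err)

    # 3. Someone else who obtained owner_key spends the remainder. The ledger has no way
    #    to tell this transfer from one the owner made, so it is accepted.
    thief_addr = address_of(new_key())
    ledger.transfer(owner_key, thief_addr, 60)

    return {
        "owner_address": ledger.balances[addr_321],
        "address_123": ledger.balances[addr_123],
        "thief_address": ledger.balances[thief_addr],
        "lost_key_result": lost_attempt,
        "transfers": len(ledger.history),
    }


if __name__ == "__main__":
    print(ownership_demo())
```

Two details worth noticing: nothing in the ledger records a person, only addresses and amounts, and the refusal in scenario 2 is the same check that admits the theft in scenario 3. That is why the text's advice centers on where the key is kept rather than on the ledger itself.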
One way to do so is to store secret keys on a special hardware device called a hardware “wallet.” Such a device keeps the keys offline so that no Internet-connected devices hold the keys anywhere where the keys could potentially be stolen by a hacker. When the rightful owner wants to perform a transaction with the cryptocurrency, the owner must connect the relevant hardware wallet to a computer (often by USB connection), and unlock the wallet (usually by using a passcode of some sort), in order to utilize the keys stored on the wallet.
Also, keep in mind that when people store cryptocurrency at a cryptocurrency exchange, it is the exchange that stores the keys for the cryptocurrency. If the user’s credentials to the exchange are stolen, the cryptocurrency may be stolen as well.