Your home computer(s)

Your home computers may suffer from one or major types of potential problems relevant to cybersecurity:

• Breached: A hacker may have penetrated your home computer and be able to use it much as you can — view its contents, use it to contact other machines, leverage it as a staging ground from which to attack other computers, phones, and smart devices and penetrate them, mine cryptocurrency, view data on your network, and so on.
• Malware: Similar to the dangers created by human invaders, a computer-based attacker — that is malware — may be present on your home computer, enabling a criminal to use the computer much as you can — view the computer’s contents, contact other electronic devices, mine cryptocurrency, and so on — as well as read data from your network traffic and to infect other computers on your network and outside of it.
• Shared computers: When you share a computer with other people — including your significant other and/or your children — you expose your device to the risk that one or more of the other folks using it won’t practice proper cyber-hygiene to the same level you do, and as a result, that person or people may expose the device to infection by malware or a breach by some hacker, or they may unintentionally inflict self-damage.
• Connections to other networks and storage applications: If you connect your computer via a virtual private network (VPN) to other networks, such as the network at your place of employment, network-borne malware on those remote networks or hackers lurking on devices connected to those networks can potentially attack your network and your local devices as well. In some cases, similar risks may exist if you run applications that connect your computer to remote services, such as remote storage systems.
• Physical security risks: As discussed in detail in Chapter 5, the physical location of your computer may either increase or decrease the danger to it and its contents.

Your mobile devices

From an information security standpoint, mobile devices are inherently risky because they

• Are constantly connected to the Internet, which is a highly insecure, public network on which many hackers are known to lurk, and over which nearly all cyberattacks take place
• Often have significant amounts of confidential information stored on them
• Are used to communicate with many people and systems, both of which are groups that include parties who aren’t always trustworthy, via the Internet (which is also inherently not trustworthy)
• Can receive inbound messages from parties with whom you have never interacted prior to receiving the messages in question, and some such parties may be up to no good
• Often don’t run full-blown security software due to resource limitations, or run security software that comes with the device and that you cannot manually upgrade or otherwise change if you find it doesn’t meet your needs
• Can easily be lost or stolen
• Can easily be accidentally damaged or destroyed
• Often connect to insecure and untrusted Wi-Fi networks
• Are replaced on a regular basis, and are often not properly decommissioned when being disposed of
• Are often traded in for upgraded devices — often without being properly decommissioned

Your Internet of Things (IoT) devices

As discussed in detail in Chapter 18, the world of the connected computing has changed dramatically in recent years. Not that long ago, the only devices that were connected to the Internet were what people classically called computers — desktops, laptops, and servers that could be used for many different computing purposes. Today, however, we live in an entirely different world in which computers form only a small percentage of connected devices.

From smartphones to security cameras, refrigerators to cars, and coffeemakers to exercise equipment, numerous types of electronic devices now often have powerful computers embedded within them, and many of these computers are perpetually connected to the Internet.

The Internet of Things (IoT), as the ecosystem of connected devices is commonly known, has been growing exponentially over the past few years, yet the security of such devices is often, at best, inadequate. Many IoT devices do not contain security technology to secure themselves against breaches. Even those that do are often not properly configured to be secure. Hackers can exploit IoT devices to spy on you, steal your data, attack other systems and/or devices, launch denial-of-service attacks against networks or devices, and inflict various other forms of damage.

Your networking equipment

Networking equipment can be hacked to route traffic to bogus sites, capture data, launch attacks, block Internet access, and so on.

Your work environment

You may have sensitive data in your work environment — and you can be put at risk by colleagues at work as well. For example, if you bring any electronic devices to work, connect them to a network at work, and then bring those devices home and connect them to your home network, malware and other problems can potentially spread to your device from a device belonging to your employer or to any one or more of your colleagues using the same infrastructure and then later spread from your device to other machines on your home network.

Of course, the COVID-19 pandemic led to the blending of many work and home environments, and the cybersecurity effects of such developments have often been troubling.

Perimeter defense

Defending your cyber-perimeter is essentially the digital equivalent of building a moat around a castle — attempting to stop anyone from entering except through authorized pathways while under the watchful eyes of guards.

You can build that digital moat by never connecting any computer directly to your Internet modem. Instead connect a firewall/router to the modem and connect computers to the firewall/router. (If your modem contains a firewall/router, then it serves both purposes; if your connection is to the firewall/router portion, not to the modem itself, that is okay.) Normally, the connections between firewalls and modems are wired — that is, are achieved using a physical network cable. In some cases both the modem and the firewall/router might even be contained within the same physical device.

Firewall/router

Modern routers used in home environments include firewalling capabilities that block most forms of inbound traffic when such traffic isn’t generated as the result of activities initiated by devices protected by the firewall. That is, a firewall will block outsiders from trying to contact a computer inside your home, but it will not block a web server from responding if a computer inside your home requests a web page from the server. Routers use multiple technologies to achieve such protection.

One important technology of note is Network Address Translation (NAT), which allows computers on your home network to use Internet Protocol (IP) addresses that are invalid for use on the Internet, but can be used on private networks. To the Internet, all the devices on networks using NAT appear to use one address, which is the address of the firewall that is situated between them and the Internet and is handling the NAT function.

The following recommendations help your router/firewall protect you:

• Keep your router up to date. Make sure to install all updates before initially putting your router into use and regularly check for new updates (unless your router has an auto-update feature, in which case you should leverage that feature).

  An unpatched vulnerability in your router can allow outsiders to enter your network.

• Replace your router when it is no longer supported. If the vendor is no longer providing support (including updates) for your router, it is probably time to replace it. Considering the lifecycle of such devices and the lifecycle of networking protocols, you may also benefit from improved performance by doing so.
• Change the default administrative password on your firewall/router to a strong password that only you know. Write the default and new passwords down, and put the paper on which you write them in a safe or safe deposit box. Do not store such passwords on devices that connect to that network. Practice logging into the router — and continue doing so on a regular basis so that you do not forget the relevant password.
• Don’t use the default name provided by your router for your Wi-Fi network name (its SSID). Create a new name.
• Configure your Wi-Fi network to use encryption of at least the WPA2 standard, and use WPA3 if possible These are the current standards at the time of the writing of this book.
• Establish a password that any device is required to know to join your Wi-Fi network. Make that password a strong one. For information on creating strong passwords that you can easily remember, see Chapter 8.
• If all your wireless devices know how to use the modern Wi-Fi 6 and/or Wi-Fi 5 wireless networking protocols, disable older Wi-Fi protocols that your router supports. Disabling protocols such as 802.11b, 802.11g, and 802.11n may help improve performance and offers security benefits.
• Enable MAC address filtering or make sure all members of your household know that nobody is to connect anything to the wired network without your permission. At least in theory, MAC address filtering prevents any device from connecting to the network if you do not previously configure the router to allow it to connect. Do not allow people to connect insecure devices to the network without first securing them.
• Locate your wireless router centrally within your home. Doing so will provide better signal for you and will also reduce the strength of the signal that you provide to people outside your home who may be seeking to piggyback onto your network. If you have a mesh routing system that comes with multiple access points, follow the relevant instructions regarding locating the devices.
• Do not enable remote access to your router. You want the router to be manageable only via connections from devices that it is protecting, not from the outside world. The convenience of remote management of a home firewall is rarely worth the increase in security risk created by enabling such a feature.
• Maintain a current list of devices connected to your network. Also include on that list devices that you allow to connect to your network but that are not currently connected.
• For any guests for whom you want to give network access, turn on the guest network capability of the router and, as with the private network, activate encryption and require strong password. Give guests access to that guest network and not to your primary network. The same applies for anyone else to whom you must give Internet access but whose security you do not fully trust, including family members, such as children.
• If you’re sufficiently technically knowledgeable to turn off DHCP and change the default IP address range used by the router for the internal network, do so. Doing so interferes with some automated hacking tools and provides other security benefits. If you’re not familiar with such concepts or don’t have a clue what the aforementioned sentence means, simply ignore this paragraph. In this case, the security benefits of the recommendation are likely going to be outweighed by the problems that you may encounter due to the additional technical complexity that turning off DHCP and changing the default IP address range can create.

Security software

How should you use security software to protect yourself?

• Use security software on all your computers and mobile devices. The software should contain at least antivirus and personal device firewall capabilities.
• Use antispam software on any device on which you read email.
• Enable remote wipe on any and every mobile device.
• Require a strong password to log in to any computer and mobile device.
• Enable auto-updates whenever possible and keep your devices updated.

Your physical computer(s) and any other endpoints

To physically secure your computers and other endpoints:

• Control physical access to your computer and keep it in a safe location. If anyone entering your home can get to a machine, for example, that device can be relatively easily stolen, used, or damaged without your knowledge.
• If possible, do not share your computer with family members. If you must share your computer, create separate accounts for each family member and do not give any other users of the device administrative privileges on it.
• Do not rely on deleting data before throwing out, recycling, donating, or selling an old device. Use a multiwipe erasure system for all hard drives and solid state drives. Ideally, remove the storage media from the computer before getting rid of the device — and physically destroy the storage media.

Also, keep in mind that that some computing devices that need to be secured might not be true “endpoints” in that they may have other devices connected to them. A smart home hub or smart wireless camera system, for example, may have smart devices and/or cameras connected to them using proprietary communication mechanisms; they still, of course, need to be properly secured.

Backups

Back up regularly. If you are not sure what “regularly” means in your case, the odds are pretty good that you are not backing up often enough.

For more on backups, see Chapter 14.

Detecting

Detecting refers to implementing mechanisms by which you can detect cybersecurity events as quickly as possible after they commence. While most home users do not have the budget to purchase specialized products for the purpose of detection, that does not mean that the detection phase of security should be ignored.

Today, most personal computer security software has detection capabilities of various types. Make sure that every device that you manage has security software on it that looks for possible intrusions, for example. See Chapter 12 for more details on detecting possible breaches.

Responding

Responding refers to acting in response to a cybersecurity incident. Most security software will automatically either act, or prompt users to act, if it detects potential problems. For more on responding, see Chapter 13.

Recovering

Recovering refers to restoring an impacted computer, network, or device — and all of its relevant capabilities — to its fully functioning, proper state after a cybersecurity event occurs. See Chapters 13, 15, and 16 for more on recovering.

Ideally, a formal, written, simple and straightforward, prioritized plan for how to recover should be documented before it is needed. Most home users do not actually create one, but doing so can be extremely beneficial. In most home cases, such a plan will be less than one page long.

Improving

Shame on any of us if we do not learn from our own mistakes. Every cybersecurity incident offers lessons learned that can be put into action to reduce risk in the future. For examples of learning from mistakes, see Chapter 20.

Software

When it comes to software and cybersecurity, think about the following questions for each device:

• Are all the software packages (including the operating system itself) on your computer legally obtained?
• Were the software packages (including the operating system itself) obtained from reliable sources that always (or at least as close to always as is humanly possibly) provide legitimate versions?
• Are all the software packages (including the operating system itself) currently supported by their respective vendors?
• Are all the software packages (including the operating system itself) up-to-date?
• Are all the software packages (including the operating system itself) set to automatically update?
• Is security software on the device?
• Is the security software configured to auto-update?
• Is the security software up-to-date?
• Does the security software include anti-malware technology — and is that capability fully enabled?
• Are virus scans configured to run after every update is applied?
• Does the software include firewall technology — and is that capability fully enabled?
• Does the software include anti-spam technology — and is that capability fully enabled? If not, is other anti-spam software present, and is it running?
• Does the software include remote lock and/or remote wipe technology — and is that capability fully enabled? If not, is other remote lock/remote wipe software present, and is it running?
• Are all other aspects of the software enabled? If not, what is not?
• Is backup software running that will back up the device as part of a backup strategy?
• Is encryption enabled for at least all sensitive data stored on the device?
• Are permissions properly set for the software — locking out people who may have access to the device, but who should not have access to the software?
• Have permissions been set to prevent software from making changes to the computer that you may not want done (for example, is any software running with administrator privileges when it should not be)?

Of course, all these questions refer to software on a device that you use, but that you don’t expose to use by untrusted, remote outsiders. If you have devices that are used as in the latter case — for example, a web server — you must address many other security issues, which are beyond the scope of this book.

Hardware

For all your hardware devices, consider the following questions:

• Was the hardware obtained from a trusted party? (If you bought an IP-based camera directly from China via some online retailer than you never of heard of prior to making the purchase, for example, the answer to this question may not be yes.)
• How sure are you of the answer to the previous question — and if you are highly confident, why are you so confident?
• Is the hardware from a brand that the U.S. Government prohibits its own agencies from using because it does not trust that brand to be sufficiently secure from foreign spying or cyber risks?
• Is all your hardware adequately protected from theft and damage (rain, electrical spikes, and so on) as it resides in its home location?
• What protects your hardware when it travels?
• Do you have an uninterruptible power supply or built-in battery protecting the device from a hard, sudden shut-off if power fails even momentarily?
• Is all your hardware running the latest firmware — and did you download that firmware from a reliable source, such as the vendor’s website or via an update initiated from within the device’s configuration tool?
• For routers (and firewalls), does your device meet the criteria listed as recommendations in the “Firewall/router” section earlier in this chapter?
• Do you have a BIOS password, locking a device from use until a password is entered?
• Have you disabled all wireless protocols that you do not need? If you’re not using Bluetooth on a laptop, for example, turn off the Bluetooth radio, which not only improves security, but also helps your battery last longer.

Insurance

While cybersecurity insurance is often overlooked, especially by smaller businesses and individuals, it is a viable way of mitigating some cyber-risks. Depending on the particulars of your situation, purchasing a policy protecting against specific risks may make sense.

If you own a small business that may go bankrupt if a breach occurs, you will, of course, want to implement strong security. But, as security measures can never be 100 percent perfect and foolproof, purchasing a policy to cover catastrophic situations may be wise.

While cyber insurance used to be something that only large enterprises could obtain, in recent years, cybersecurity policies have started to become available to both individuals and small businesses.

Education

A little bit of education can go a long way in helping to prevent the people in your household (or other entity, as the case may be) from becoming the Achilles’ heels of your cybersecurity. The following list covers some things to think about and discuss:

• Do all you family members know what their rights and responsibilities are regarding vis-à-vis technology in the house, vis-à-vis connecting devices to the home network, and vis-à-vis allowing guest to connect to the home network (or the guest network)?
• Have you taught your family members about the risks they need to be aware — for example, phishing emails. Do you have confidence that they “get it”?
• Have you ensured that everyone in the family who uses devices knows about cybersecurity hygiene (for example, not clicking on links in emails)?
• Have you ensured that everyone in the family who uses devices knows about password selection and protection?
• Have you ensured that everyone in the family who uses social media grasps the risks associated with oversharing and understands what can and what can’t be safely shared?
• Have you ensured that everyone in the family understands the concept on thinking before acting?

Think before you share

People often willingly overshare information when asked for it.

Yes, you and me included.

Consider the paperwork patients are given at a typical doctor’s office in the United States that you have likely been asked to complete at more than one facility at your initial appointment with the doctor in question. While the answers to many of the questions are relevant and may contain information that is valuable for the doctor to know to properly evaluate and treat you, other portions are probably not. Many (if not most) such forms ask patients for their Social Security numbers. Such information was needed decades ago when medical insurance companies regularly used Social Security numbers as insurance ID numbers, but that dangerous practice has long since ended. Perhaps some facilities use the Social Security number to report your account to credit bureaus if you don’t pay your bills, but in most cases, the reality is that the question is an unsafe vestige of the past, and you can leave the field blank.

Even if you don’t believe that a party asking you for personal data would ever abuse the information that it collected about you, as the number of parties that have private information about you increases, and as the quantity and quality of that data grows, the odds rise that you will suffer a privacy violation due to a data breach occurring somewhere.

If you want to improve your privacy, the first thing to do is to consider what information you may be disclosing about yourself and your loved ones before you disclose it. This is true when interacting with government agencies, corporations, medical facilities, and other individuals. If you do not need to provide private information, don’t. All other factors being identical, the less private information that is “out there,” and the fewer places it resides, the lower the risk to you of a privacy compromise.

Think before you post

Consider the implications of any social media post before making it — there could be adverse consequences of many sorts, including effectively compromising the privacy of information. For example, criminals can leverage shared information about a person’s family relationships, place of employment, and interests as part of identity theft and to social engineer their way into your accounts.

If, by choice or due to the negligent policies of a provider, you use your mother’s maiden name as a de facto password, make sure that you do not make it easy for criminals to find out that name by listing your mother as your mother on Facebook or by being friends on Facebook with many cousins whose last name is the same as your mother’s maiden name. Often, people can obtain someone’s mother’s maiden name simply by selecting from another person’s Facebook friends list the most common last name that is not the same as the account holder’s name.

Sharing information about a person’s children and their schedules may help facilitate all sorts of problems — including potentially kidnapping, break-ins into the person’s home while the person is carpooling to work, or other harmful actions.

Sharing information related to medical activities may lead to disclosure of sensitive and private information. For example, photographs or location data placing a person at a particular medical facility may divulge that the person suffers from a condition that the facility is known to specialize in treating.

Sharing various types of information or images may impact a user’s personal relationships and leak private information about such.

Sharing information or images may leak private information about potentially controversial activities in which a person has engaged — for example, consuming alcohol or using recreational drugs, using various weapons, participating in certain controversial organizations, and so on. Even disclosing that one was at a particular location at a certain time may inadvertently compromise the privacy of sensitive information.

Also, keep in mind that the problem of oversharing is not limited to social networks. Oversharing information via chat, email, group chats, and so on is a serious modern day problem as well. Sometimes people do not realize that they are oversharing, and sometimes they accidentally paste the wrong data into emails or attach the wrong files to emails.

General privacy tips

In addition to thinking before you share, you can do a few other things to reduce your exposure to risks of oversharing:

• Use social media privacy settings. In addition to not sharing private information (see preceding section), make sure that your privacy settings on social media are set to protect your data from viewing by members of the public — unless the post in question is intended for public consumption.
• But do not rely on them. Nonetheless, never rely on social media security settings to ensure the privacy of information. Significant vulnerabilities that undermine the effectiveness of various platforms’ security controls have been repetitively discovered.

• Keep private data out of the cloud unless you encrypt the data. Never store private information in the cloud unless you encrypt it. Do not rely on the encryption provided by the cloud provider to ensure your privacy. If the provider is breached, in some cases the encryption can be undermined as well. So, if you must store sensitive information in the cloud, encrypt it yourself before uploading it — regardless of whatever encryption the cloud provider uses. There are applications available that simplify doing so for major cloud storage providers, such as by automatically encrypting and copying to the cloud any files placed in a special folder on your computer.

  Do not store private information in cloud applications designed for sharing and collaboration. For example, do not store a list of your passwords, photos of your driver’s license or passport, or confidential medical information in a Google doc. This may seem obvious, but many people do so anyway.

• Leverage the privacy settings of a browser — or better yet, use Tor. If you’re using the a web browser to access material that you don’t want associated with you, at a minimum, turn on Private/Incognito Mode (which offers only partial protection), or, if possible, use a web browser like the Tor Browser Bundle (which contains obfuscated routing, default strong privacy settings, and various, preconfigured, privacy add-ons).

  If you do not take precautions when using a browser, you may be tracked. If you search for detailed information on a medical condition in a normal browser window, various parties will likely capitalize on that data. You have probably seen the effects of such tracking — for example, when ads appear on one web page related to something that you searched for on another.

• Do not publicize your real cellphone number. Get a forwarding number from a service like Google Voice and, in general, give out that number rather than your actual cellphone number. Doing so helps protect against many risks — SIM swapping, spam, and so on.
• Store private materials offline. Ideally, store highly sensitive materials offline, such as in a fireproof safe or in a bank safe deposit box. If you must store them electronically, store them on a computer with no network connection.
• Encrypt all private information, such as documents, images, videos, and so on. If you’re not sure if something should be encrypted, it probably should.

• If you use online chat, use end-to-end encryption. Assume that all your text messages sent via regular cellphone service (SMS messages) can potentially be read by outsiders. Ideally, do not share sensitive information in writing. If you must share some sensitive item in writing, encrypt the data.

  The simplest way to encrypt data is to use a chat application that offers end-to-end encryption. End-to-end means that the messages are encrypted on your device and decrypted on the recipient’s device and vice versa — with the provider effectively unable to decrypt the messages; as such, it takes far more effort by hackers who breach the provider’s servers to read your messages if end-to-end encryption is utilized. (Sometimes, providers claim that hackers can’t read such messages altogether, which isn’t correct. for two reasons: 1. Hackers may be able to see the metadata — for example, with whom you chatted and when you did so, and 2. If hackers breach enough internal servers, they may be able to upload to the app store a poisoned version of the app containing a backdoor of some sort.) WhatsApp is probably the most popular chat application that uses end-to-end encryption.

• Practice proper cyberhygiene. Because so much of the information that you want to keep private is stored in electronic form, practicing proper cyber-hygiene is critical to preserving privacy. See the tips in Chapter 18.