In spite of the constant bot attacks against your home router, the flood of phishing emails and texts, and the malware that creeps into apps and programs on all platforms, there are certain habits you should develop to help protect you from many of these attacks. A good personal cyber-security posture is the first step. What steps should we all take?

First. Every little site requires a user name and password so that it can track you and monetize your online viewing. The important ones, like banks, stocks and retirement accounts, need special attention also. So how do we remember all these bloody passwords? At home, it's fine to write them on a piece of paper that you keep in your desk. That shifts the threat to one of physical presence: if someone has access to that paper, they've either broken into your house already or betrayed your trust. This moves the security of the list from the world-wide digital realm to the local physical one.
A password manager can also be used. They are available for Windows, Android and Apple products, but bring their own risks. A cloud-based password manager, while convenient, puts the security of all your accounts in the hands of the cloud/app provider. Frankly, they won't be held accountable when they get breached and all their users' accounts and passwords are sold on the dark web.

A password manager that isn't cloud based and doesn't auto-update itself is more secure, since the data remains local. Turning off auto-update means malware can't sneak in through an update, but it also means you miss any updates that patch vulnerabilities. And everything has vulnerabilities.
In Windows, you can keep a Notepad/Wordpad file on your desktop, listing your username and passwords. You can also create a folder with a .txt file in it for each account. Either way, right click on the folder or file, choose properties, then click advanced, then click Encrypt contents to secure data. It may ask if you want to encrypt the file or folder and tell you that encrypting the whole drive would be better, but go ahead and stick with the file/folder for now. A popup notification should ask you if you want to export the key. You need the key. If the system can't find the key, your data in that file will be unrecoverable. So click to save the key and export it to a folder other than Documents, or better yet, export it to a usb drive you store in your safe or in your desk.
Encrypting the file this way in Windows uses the Windows Bitlocker drive encryption to protect the data. There are other tools, not attached to the Windows kernel, that you can download to encrypt the file. These offer another level of protection, but every method has its own vulnerabilities. Security is always a convenience versus security balancing act.
On the mac, there are apps in the store that can encrypt files, as well as password managers. Follow the same criteria for choosing these.
However you record the passwords, there is no need to record the entire thing. If a password is '1922 graceful pluto destruction 2022', pick a part of it to stay the same for every website, then leave that part out of your record. So, if you know that the third word is always 'pluto', write x's for it instead when you write it down. In the file or on your paper it would read '1922 graceful xxx destruction 2022'. Thus even if the file is compromised, it is not a complete password. You know that xxx means 'pluto'. Also, pick something related to the website to vary your password. If the website is homebuilders.net, you can add an HBN somewhere in the password and use XXX to symbolize it on your list.
Browsers on most platforms ask you if you want to store login information when you use it. This is the least secure way to store a password, as your browser is exposed to nefarious servers. Only use this for the least valuable accounts, those not linked to any assets.

Second. Never enter your login data after following a link via email or text.
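As an added example of the defensive check this rule implies (not code from the article or from CyderInc), the Python below inspects where a login link actually points and lists reasons not to type credentials into it. EXPECTED_DOMAINS, the sample links, the host name evil.example and the addresses are constructed placeholders; substitute the domains of the sites you really use.

```python
"""Inspect a login link before trusting it with credentials.

Added example, not part of the original article. EXPECTED_DOMAINS and the
sample links below are constructed; the sites you actually use would go in
the table.
"""
from __future__ import annotations

import ipaddress
from urllib.parse import urlsplit

# Constructed: the domain a genuine login page for each of your sites uses.
EXPECTED_DOMAINS = {
    "bank": "example-bank.com",
    "webmail": "example-mail.com",
}


def host_in_domain(host: str, domain: str) -> bool:
    """True if host is the domain itself or a subdomain of it.

    Compared on whole labels from the right, so 'login.example-bank.com'
    passes while 'example-bank.com.evil.example' does not.
    """
    return host == domain or host.endswith("." + domain)


def check_login_link(url: str, expected_domain: str) -> list[str]:
    """Return reasons not to enter credentials at this link; [] means it checks out."""
    parts = urlsplit(url.strip())
    host = parts.hostname  # lower-cased; userinfo and port already stripped
    if not host:
        return ["link has no host name"]
    problems: list[str] = []
    if parts.scheme != "https":
        problems.append(f"not https (scheme is {parts.scheme!r})")
    if parts.username is not None:
        # 'https://example-bank.com@evil.example/' really connects to evil.example
        problems.append("user@ before the host hides the real destination")
    try:
        ipaddress.ip_address(host)
        problems.append("host is a bare IP address rather than the site's name")
    except ValueError:
        pass  # a normal name, not an IP literal
    if any(label.startswith("xn--") for label in host.split(".")):
        problems.append("host contains punycode, possibly look-alike characters")
    if not host_in_domain(host, expected_domain):
        problems.append(f"host {host!r} is not {expected_domain!r} or a subdomain of it")
    return problems


def triage(messages: list[tuple[str, str]]) -> dict[str, list[str]]:
    """Run the check over (site key, url) pairs pulled from an inbox, keyed by url."""
    return {url: check_login_link(url, EXPECTED_DOMAINS[site]) for site, url in messages}


# Constructed sample of links as they might arrive by email or text.
SAMPLE_LINKS = [
    ("bank", "https://login.example-bank.com/session"),
    ("bank", "http://example-bank.com.evil.example/login"),
    ("bank", "https://example-bank.com@evil.example/login"),
    ("webmail", "https://203.0.113.5/mail/login"),
    ("webmail", "https://xn--example-mail.com/login"),  # any xn-- label trips the check
]

if __name__ == "__main__":
    for link, reasons in triage(SAMPLE_LINKS).items():
        print(link, "->", "OK" if not reasons else "; ".join(reasons))
```

Only the first sample link comes back clean; the practical habit is the same one the article recommends: when a link fails any of these checks, open the site by typing its address yourself instead of following the link.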
Website login pages are easily copied and moved to servers where they collect your data, then forward you to the real site for you to enter it again. You'll just think you hit a wrong key, when in fact you just gave your login and password away. This type of credential stealing is called phishing, and it happens via email and text. Never follow links to enter your credentials unless you were expecting them. Executives and high-value persons are often targets of specific and personal cyber attacks like this. Spear-phishing executives is very common and, with a broad enough campaign, is almost certain to succeed against the person.

Third, be wary of the apps you put on your devices.
Make sure they have a good reputation. On computers, you can visit virustotal.com and submit the download; they'll check it for malware and reputation. Be careful: malware is always being snuck into Google's Play Store and Apple's App Store.

Fourth, don't use common user names for any of your accounts if you have a choice.
User names like user1, admin, default, and thousands more are used by bots to brute force their way into accounts. If they get your username, they only need to brute force your password. If your password is weak, it won't take long for a compromised server to brute force your account.

Fifth, use strong passwords.
The old way of changing passwords every 90 days and requiring a number and a special character has been proven to be easily compromised. Forced changes mean users create weak passwords they can remember. It also means malware can compromise the password reset server, or just intercept traffic (neither particularly easy), since attackers know all users have to reset their passwords every so often. Worse, making passwords expire by the calendar makes users very susceptible to phishing emails titled "Time to reset your password". Since the user is expecting it, they won't be wary about putting their credentials into the hacker's server; they think they're doing the normal password change. IT'S BAD POLICY TO REQUIRE PASSWORD CHANGES FOR UNCOMPROMISED USERS AND HAS BEEN ACCEPTED AS SUCH BY NIST FOR YEARS.
So how should passwords be chosen? The new password standard, since around 2018, has been to choose unrelated words that form a long phrase. Use a series of words that don't make sense together but that you can remember (or put in your encrypted file). Websites that only allow 8-14 characters are way behind on their security, so take note if this happens with your accounts. So choose 3 or 4 unrelated words to string together in a phrase, and change them slightly for every web account. Never use the same password for all your accounts.

Sixth, don't link your accounts. Don't use your Google or Facebook account to log into third-party sites, even though it is more convenient. Many people have been lax about this and have had all their accounts compromised in a single cyber-security incident. Use different user names and passwords for each account wherever possible. Don't use the same account to log into multiple sites. Just don't.
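The passphrase advice in the Fifth step and the redacted written record from the First step ('pluto' written as xxx, the HBN site tag written as XXX) fit together in one small tool. The Python below is an added example, not the article's or CyderInc's code: it draws unrelated words with a cryptographic random source, estimates how large the guess space is, and produces the line you would actually write down. WORDS is a constructed 32-entry list (a real list would have thousands of words), and the thresholds in assess() are this example's own assumptions, not a standard.

```python
"""Passphrase of unrelated words plus the redacted written record.

Added example, not the article's own code. WORDS is a small constructed
list; the word-count and length thresholds in assess() are assumptions.
"""
from __future__ import annotations

import math
import secrets

# Constructed sample list, 32 entries. Strength scales with list size.
WORDS = [
    "graceful", "pluto", "destruction", "anvil", "marble", "kettle", "orbit", "velvet",
    "lantern", "cactus", "thunder", "pocket", "ribbon", "glacier", "pepper", "compass",
    "harbor", "magnet", "puzzle", "saddle", "tunnel", "walnut", "yogurt", "zipper",
    "blanket", "candle", "dolphin", "engine", "feather", "goblet", "hammock", "island",
]

SECRET_MARK = "xxx"  # written in place of the word you keep in your head
TAG_MARK = "XXX"     # written in place of the site-specific tag (e.g. HBN)


def make_passphrase(n_words: int = 4, words: list[str] = WORDS) -> str:
    """Join n_words picks from the list, drawn with the CSPRNG behind `secrets`."""
    return " ".join(secrets.choice(words) for _ in range(n_words))


def guess_space_bits(n_words: int, list_size: int = len(WORDS)) -> float:
    """Bits of entropy if the attacker knows the list and the word count."""
    return n_words * math.log2(list_size)


def redact(password: str, secret_word: str, tag: str) -> str:
    """Produce the line you actually write on paper or in the file."""
    if secret_word not in password.split(" ") or tag not in password:
        raise ValueError("password must contain the secret word and the tag")
    words = [SECRET_MARK if w == secret_word else w for w in password.split(" ")]
    # the tag may be glued to another word, so it is replaced as a substring
    record = " ".join(words).replace(tag, TAG_MARK)
    assert secret_word not in record.split(" ") and tag not in record  # never on paper
    return record


def reconstruct(record: str, secret_word: str, tag: str) -> str:
    """Rebuild the real password from the written record plus what you remember."""
    words = [secret_word if w == SECRET_MARK else w for w in record.split(" ")]
    return " ".join(words).replace(TAG_MARK, tag)


def assess(password: str, list_size: int = len(WORDS)) -> dict:
    """Rough strength summary; the 3-word / 15-char floor is this example's assumption."""
    words = password.split(" ")
    return {
        "chars": len(password),
        "words": len(words),
        "bits": round(guess_space_bits(len(words), list_size), 1),
        "fits_14_char_site": len(password) <= 14,  # sites with such limits are behind
        "ok": len(words) >= 3 and len(password) >= 15,
    }


if __name__ == "__main__":
    # The article's own example: third word fixed, HBN added for homebuilders.net.
    real = "1922 graceful pluto destruction 2022 HBN"
    paper = redact(real, "pluto", "HBN")
    print("write down :", paper)
    print("recovered  :", reconstruct(paper, "pluto", "HBN"))
    print("strength   :", assess(real))
    print("fresh pick :", make_passphrase(4))
```

Two design points worth noting: `secrets` is used rather than `random` because passphrase choice is exactly the case where a predictable generator is a weakness, and the redaction step checks that neither the secret word nor the tag survives in the written record, so a compromised list stays incomplete exactly as the First step intends.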
Seventh, two factor authorization is better, but not as good as claimed. Text messages for login are easily intercepted or copied. Emails are slightly better, depending on the provider. Two factor authorization can help against broad cyber attacks by bots, but if a hacker is targeting you personally, you'll find there's very little that will protect you. We all make mistakes, and attacks come in broad swipes. It only takes one mistake, and they can try thousands of times with their servers.

Eighth, protect your home network.
Keep each of your devices' anti-virus up to date and be careful of the software installed. Our Network Intrusion Detection System is a good way to know if one of your devices has been compromised or if someone is attacking your network specifically. Similarly, you have to secure your modem and router correctly. If you're using a rented modem/router and it still has the default username and password, then your home network is wide open to attack. So change the usernames & passwords on the router login, and set the firewall to secure settings. Check whether there's a router update for yours, since vendors occasionally patch performance and security issues. These patches, however, are very rare, and routers have many security holes that are never patched, leaving your home devices vulnerable as well.
For these reasons we recommend not renting modems and routers, but buying your own. Not only will you save money, but you can configure them appropriately to help protect your digital home life. With networked cameras becoming popular, this is even more critical. CyderInc started by helping users with this process. Check back for articles and how-to's.

Last, remember: Cyber-Security is a mindset, much like physical security. There's no silver bullet. There is always someone or something attempting to get into your home network and each of your devices. Thousands of server bots descend on a vulnerability when one is discovered. Last time we watched a purposefully vulnerable device (a honeypot), there were more than 4 thousand attacks in an 8 hour period. The bot swarms not only try to break into your devices, they steal the bandwidth you pay for. Subscribe to our Network Intrusion Detection Service and let us help protect your digital life.

High Value Persons & Families:
Certain persons who have worked hard their entire lives and have reaped the benefits of their hard work are vulnerable to attacks aimed at them specifically. We call these users HVTs, or High Value Targets. Even your job may make you an HVT and cause hackers to aim at you specifically with digital attacks, spear-phishing particularly. Corporations with officers' names listed on websites make those officers targets. Even public business filings provide enough information for a digital attacker to home in on you specifically. Let CyderInc help protect you. If you have already experienced some of this, contact us immediately, and put our experience to work for you today.