I was in Starbucks the other day and overheard a local computer tech helping someone reinstall windows on their laptop, the tech left and I started a conversation with the laptop owner. His laptop had been infected with ransomware and he, unfortunately, didn't have a backup. We had a short conversation about backups where the painfully obvious was stated and not much more. Having backups may not sound like a security strategy but that's because many people think that security is about protecting yourself from bad guys and internet scams. Security is not about protecting yourself from "hackers" cyber criminals, malware or online scams, it encompasses a much wider practice. Security is the art of protecting time. In the case of the man I met at Starbucks what he had lost was documents that he spends time writing, pictures he had spent time taking, bookmarks he had spent time finding, business data he had spent time working on, and a computer he now had to spend time getting fixed using money he had spent time earning.
Correctly thinking about security depends on what you are trying to protect, for most people at a minimum that means their own time, for people like my self who have chosen IT as a carrier that means protecting the time of others as well. To best do that its important to have a working definition of what security means. I define security as:
"Security is the art of protecting assets, knowledge or time in such a way that the “Cost” of destroying, disrupting, or disappearing them is insurmountably high. The “Cost” of attack is equal to the amount of either negligence or effort that you or an attacker must take to destroy, disrupt, or disappear the protected asset. Realistically if someone is able to pay the “Cost” in either time or money to conduct the attack they can compromise your security."
The following is the collection of advice I wish I could have also given him but just did not have the time to, this is also advice I give to family members, coworkers, and people like you who stumble across my website. This is how you increase the cost of an attack.
A. Securing Online Accounts
- Use a password manager and avoid reusing passwords across sites like the plague, side note: it is the plague. LastPass and 1password are a great starting point. There are likely many other good online options. In my opinion, the most important thing about a password manager is that it be zero knowledge, meaning that the company running the service your using has no way to decrypt the data you entrust them to store. If you don’t like the idea of storing your passwords online take a look at offline options such as KeePass, password safe, or perfect paper passwords.
- Enable 2nd-factor authentication on all your accounts, especially your chosen password manager.
- Setup for the email account/s you use.
- Recognize the human error factor, humans make mistakes. When you use the web make sure you're using an adblocker to avoid malicious advertisements that might lead you to a phishing site. Ublock Origin is great for this. Using 3rd party DNS is also a great help, Q or Greatly increases your security at no cost and is fairly easy to set up on your router or computer.
B. Securing The Personal Computer
- Don’t use an admin account for every day computing this applies to macOS, Linux, and Windows no exceptions. Follow the .
- Data security is just as important as account security in most cases, having backups is the best way to secure your data from accidental deletion, corruption, and ransomware. is free and does a great job backing up your entire system.
- Run an up to date version of your operating system and preferred web browser and ensure you have security updates installed.
- If your computer does get infected just nuke and pave. If your system has been compromised it truly is the only way to be sure your safe again. Make sure you have a good backup, erase the internal disk, and reinstall your operating system.
A note on Antivirus Software: I did not mention antivirus here for the reason that consumer-grade antivirus systems seem to change like the wind lately. In general, if you're looking for an antivirus system I would recommend looking at reviews from IT people as they will spend a lot more time than you can imagine looking at antivirus solutions for their respective companies. Nearing the end of 2017 I had begun to see a rise in malware that exploits antivirus systems to compromise the systems they were designed to protect, in general, your best antivirus option is having an up to date computer with the most recent security patches installed and following best practices, B.1 is your best bet.
C. Securing The Data
- , If your data is not following 3-2-1 backups your data does not exist. Make sure you can restore your backups.
- If your storing sensitive data in the cloud use some form of “pre-internet encryption” for windows, mac and Linux is probably the golden standard but there are other encryption tools, even having an encrypted zip file is better than nothing. Note: password protected and encrypted are different things. Know the difference and use the right one.
- Back up everything. If its unimportant data back it up, if its important data back it up again. The number one reason important data cant be restored is that someone didn’t think it was important and thus did not back it up. If you backup everything all the time this is an easy pitfall to avoid.
D. Securing The Network
- If your router can be found at consider getting a different router or looking for firmware updates the fix the issue listed. If your router does not have firmware updates or a fix for a known issue then its time to get a different router.
- Take a look at what has to say, if your router has open ports make sure you have NAT enabled on your router. The best option to avoid potential conflict is to simply not be there “True Stealth” is the result you want from the ShieldsUP! test.
- If you have internet of things devices on your network use the method to separate out your network.
- If you have WiFi make sure you're using a good password, only use WPA2 or greater authentication and disable WPS if possible.
- Use a 3rd party DNS server on your router Q or are good options. To find out what DNS server is the quickest around you run the from GRC.com
- If you don’t require devices in your wireless network to talk to each other (this is rare) or have particular devices that don’t need to talk to other devices for any reason consider putting those devices on your guest network. Doing so will isolate those devices from the rest of your network making them less risky.
E. Securing the Human
This is the hardest part, even if you have done everything else correctly we are only human and are going to mess something up. Securing the human part of the system comes down to checking yourself as you use your technology. There are a lot of moving parts to this but in general, the following are true and if followed will make you less of a risk to yourself.
- Always Go to the Source, if you receive a phone call from your bank and they want to verify your social security number over the phone just hang up, Google your bank's phone number (or look on the back of your debit card) and call your bank. If it truly was them then your good to go, if it wasn't congratulations you have just evaded an attack. The same applies to handling email phishing messages. A common email I've seen is a message warning that your inbox is about to run out of space. If you click the link it then prompts you to login to your cloud email. The right thing to do is ask your email admin if you are running out of space or go to the source and find out if you are approaching a space limit. By going to the source almost all phishing attacks can be thwarted.
- TNO, Trust No One. Criminals don’t target computer systems they target people. Be cautious about giving out information. Well designed systems and services shouldn't require you to have any trust in the people running them for your data to be safe.
- If it's too good to be true… (you know the rest of this one, your mother told you, my mother told me, the attacker's mother told him we all know this.) SPOILER ALERT: it is. There is no Indian prince willing his inheritance to you and there is no free iPad you won. There is always a phishing campaign in the works run by smart people who are looking to make you the sucker. Think about the cost of a phishing message, how much it cost you to send an email? Right… if it only costs the bad guy a couple minutes of their time to try and cheat people out of their money then guess what they are going to try and do. Furthermore, attackers have reduced the cost of an attack by using automation. The result of this is that its no longer a couple minutes per person phished its a couple minutes per millions, and its target is not you… its target is everyone.
- is a great site that will walk you through what you should be aware of.
- is a great resource for reactionary advice.
- There are a lot of good insights from the page at the EFF.
- Roger G. Johnston, Ph.D., CPP is a great read and provides lots of insight into the nature of security.
- Microsoft’s is a great read for fellow systems administrators as is the article
Final Thoughts: We live in a world now where hackers are driving the cost of attacking systems down by having systems and automation do the attacks for them. said it best I think “Eternal vigilance is the price of security”.