Preventing Unauthorized Access
Do You Practice Security Hygiene?
Do you routinely use weak or repeated passwords, run outdated or unpatched software, share personal details on Facebook or use public Wi-Fi to access your accounts?
Too many people dismiss security practices as an annoyance.
Research suggests that about half of consumers do not know how to protect themselves from cyber criminals.
Just like seat belts and helmet laws are designed to protect our bodies, good security practices are meant to protect our privacy and our devices.
Slow Down and Think
When presented with something unusual, slow down and think.
Someone acting maliciously wants you to have a sense of urgency — to act NOW, before you have a chance to think.
Before proceeding, call a friend, a colleague or your “security guy” for advice.
Sooner or later you will become a victim unless your security software and security practices are up to the task of preventing unauthorized or malicious access to your computer and devices.
I am regularly asked what the average Internet user can do to ensure his security. My first answer is usually “Nothing; you're screwed.” But it's really more complicated than that.
Against the government there's nothing you can do. The power imbalance is just too great.
But there are some things you can do to increase your security on the Internet. None of these are perfect; none of these are foolproof.
But they're all good network hygiene, and they'll make you a more difficult target than the computer next door.
— Bruce Schneier
Our World Has Changed
The world we live in has seen massive changes.
Information that used to exist only on paper, locked in filing cabinets, is now “in the cloud,” which provides 24/7 access to anyone who knows your passwords, including criminals who specialize in breaking weak passwords and exploiting other weaknesses.
Deadly Security Threats
Scams are increasingly effective.
[O]rganized crime now gains more revenue from cybercrime than from the illegal drug trade and is on pace to eclipse all its other forms of illegal activities combined within a few years.
Newer and deadlier versions of malware, ransomware and hacking software are being developed regularly. “Ransomware as a service” is now being offered to those that lack the skills to create their own versions.
Security is Everyone's Responsibility
Everyone needs to take security seriously if we're going to remain safe.
Your protection depends on following these action steps:
- Ensure that your devices and software have the latest updates installed. That includes updating firmware when available.
- Protect your device with good quality security software and update it regularly.
- Learn how your security software operates so you're not fooled by fakes.
- Be aware of security threats and how to respond to them correctly.
If others use your computer or devices, they can compromise your security unless they also follow these protective measures.
Update Your Software
Most operating systems and applications can install updates automatically; turn that on. Updating your hardware's firmware may be a little more complex: check the manufacturer's site for updates and instructions, and hire a consultant if necessary.
Ensure Your Security is Current
Invest in decent security software recognizing that security is no longer just about antivirus protection.
Be sure to update your security software when new versions become available.
Older versions may not have the ability to protect your computer or device against newer threats.
Frequently check your security software company's website to verify you have the most recent version.
- Minor updates such as virus and spyware signature files generally install automatically.
- Major version upgrades may have to be downloaded manually, and a downloaded installer does nothing until you run it.
Know Your Security Software
Get to know your security software so that you can use it effectively. Learn its limitations and know how it responds to threats.
- Don't respond to fake virus and spyware warnings.
- Don't get fooled by popup warnings that won't go away.
- Never call phone numbers displayed in warnings or error messages.
- Don't install multiple antivirus programs on one computer.
Don't Fall for Scams
Responding to these fraudulent attacks is likely to result in identity theft, financial loss, or both. Just hang up or delete the email.
- Everyday steps you can take to control your digital privacy, security, and wellbeing in ways that feel right to you.
Opt Out of Extra Software
Be wary of pre-selected “extras” included with any software you're installing.
This can include pre-checked options on the download page or during installation. You neither need nor want them.
De-select any optional items before downloading software, then carefully watch the installation screens for additional pre-checked options mentioning a “trial period” or add-on software.
Google Chrome as an Example
Google Chrome gained a widespread installation base partly by paying to be included as an add-on to freeware downloads.
It automatically made itself your default browser and, when removed, restored the obsolete Internet Explorer as the default, again without asking.
As a result, not only is Chrome the most commonly used browser, but Chromium is the base for most other common browsers.
Google also dominates Internet marketing, advertising, search, email (Gmail), video (YouTube) and more. Google has become so powerful that it now threatens the digital economy.
How Cyber Safe Are You?
Recognizing the security gap, the government of Canada has made resources available on their Get CyberSafe website.
Many cybersecurity practices are less effective than people think, or have become less important because of newer technology such as encryption.
- Cybersecurity expert Eva Galperin helps debunk (and confirm!) some common myths about cybersecurity (video).
Stop and Think Before Acting
Most of today's devices (computers, phones, tablets, etc.) are continuously connected to the Internet. Many services and applications record private information and report on your activities.
Now we live in a world that is strictly bounded by our capacity to understand it, by our ability to keep up with the pace of technological change, and to manage the new risks and security challenges that come with limitless storage capacity, limitless transmission capacity, limitless data mining capacity.
We are bounded by our own limited capacity to understand, to imagine the implications of data flow and data aggregation, and our ability to teach.
— Privacy Commissioner of Canada
Stop. Think. Connect.
Staying safe online involves both being prepared and knowing the signs of suspicious websites, phishing emails and other nefarious online activity.
You can avoid a lot of problems if you follow the advice on StaySafeOnline.org:
STOP. THINK. CONNECT.™
Protect yourself and help keep the web a safer place for everyone.
- STOP: Before you use the Internet, take time to understand the risks and learn how to spot potential problems.
- THINK: Take a moment to be certain the path ahead is clear. Watch for warning signs and consider how your actions online could impact your safety, or your family's.
- CONNECT: Enjoy the Internet with greater confidence, knowing you've taken the right steps to safeguard yourself and your computer.
You're Being Tracked
Be sure to read the privacy policies and terms of service for everything you subscribe to before signing up for any service or installing any app. Those policies are subject to change without notice.
As a rule, the longer the terms of service, the more you're giving away. The vaguer the description of who your data is shared with (e.g., “unspecified third parties”), the more likely your information is being sold to anyone with the cash.
Protect Your Identity
If you've bought into the “nothing to hide” mantra or have decided that your information is worthless, consider these costs.
- Free software and games are funded by capturing our metadata.
- If your home computers and devices become infected, you could be on the hook for how it is used by the thieves:
- Your personal reputation could be damaged.
- Your private information could be used to obtain loans or credit cards.
- It is too easy to establish credit online and much harder to prove fraud afterwards, since exonerating yourself requires paper documentation.
- You could be held liable for any illegal activities perpetrated using your identity.
Your Employment Eligibility
Employers now look at your online activity to determine employability.
If your actions compromise your employer's computers or network you'd likely be fired and could be facing prosecution.
Tips & Advice
Review StaySafeOnline's Basic Tips and Advice:
- Keep a clean machine.
- Protect your personal information.
- Connect with care.
- Be Web wise.
- Be a good online citizen.
- Own your online presence.
Their site contains additional information about how to stay safe online:
- Online safety basics.
- Responding to identity theft, fraud and cybercrime.
- Securing key accounts and devices.
- Managing your privacy.
Key Elements of Security
To enhance the security of your computers, devices and computer networks, you need to include the following components in your protection plan:
- Wise choice of programs and apps.
- Effective security software.
- Securing Your Network.
- Strong Passwords.
- Password Protection.
- Reliable Backups.
There is more information about each of these, either on this page or on other pages on this site. Follow the links in each of these subsections to learn more.
Choose Your Programs Wisely
The choice of software you install on your computer affects how vulnerable you are to security-related attacks.
Windows users have the widest choice of third-party software, which also gives them the widest exposure to poorly written or malicious programs.
The User Pays for Security Failures
Fewer vulnerabilities would exist or be allowed to continue unchecked if software developers bore the cost of security failures in their software.
We generally think of computer security as a problem of technology, but often systems fail because of misplaced economic incentives: the people who could protect a system are not the ones who suffer the costs of failure.
— Bruce Schneier
Because vendors do not bear that cost, users instead spend large amounts of money annually on security programs rather than seeing the underlying issues repaired.
Just as Ralph Nader forced the auto industry to accept responsibility for their failures, software vendors need to be held accountable.
“Free to Play” Games Manipulate Us
While free to download and play, many such games are very profitable. How else could they afford to advertise during prime-time television?
"Free to play" games manipulate us through many techniques, such as presenting players with a series of smoothly escalating challenges that create a sense of mastery and accomplishment but which sharply transition into a set of challenges that are impossible to overcome without paid upgrades.
— Cory Doctorow
While the sale of paid upgrades such as energy, coins, etc. can play a part, that doesn't fully explain how games that claim to have no ads can afford to be advertised so heavily inside other games.
Search for what others have said about a program using the program name as the search criteria. Blogs often provide interesting insight to the usability of such programs and their relative merits.
Keep it Updated
All software requires maintenance.
Replacing old software can be pricey, but an unsupported system carries a serious risk of compromise and data loss.
This also applies to operating systems such as Windows, macOS and Linux. When a version is no longer supported, find a replacement.
Avoid Unwanted Programs
One of the things to look out for is the third-party optional programs (potentially unwanted programs, or PUPs) that may be installed along with free products like Adobe Reader, Java and CCleaner. Even Windows 10 comes with many extras that you will probably never use.
Krebs's 3 basic rules for online safety:
- If you didn't go looking for it, don't install it.
- If you installed it, update it.
- If you no longer need it, get rid of it!
Scroll carefully through the installation option screens and de-select any extra software like Google Chrome, McAfee Security, etc. before downloading or installing the software you actually wanted to install.
Keep it Clean
Where possible, uninstall any unwanted software, including programs installed with Windows or by your computer manufacturer. Regularly clear any unnecessary programs and data from your computer.
Schedule regular times for cleaning up your computer. Removing unnecessary files and software will improve both your productivity and your security.
Effective security software
Traditional security products (antivirus and antispyware) were built to fight PC-based threats: malicious files on the disk.
All current security suites and most antivirus products now include some form of antispyware/antimalware protection.
The Threat Landscape Has Changed
You need a security suite that defends against the full range of current threats (malware, ransomware, phishing and network attacks), not just file-based viruses.
Keep it Updated
Security software must be constantly updated to deal with emerging threats.
One study indicated that the time from the disclosure of a vulnerability to its exploitation was four days or less.
More recently that window has narrowed to less than a day (as little as 15 minutes). Zero-day exploits are usable immediately: the vendor has had zero days to fix the vulnerability because, until the attack is noticed, it is known only to the hackers or government spy agencies who found it.
- Check for updates at least daily.
- Weekly scans are a bare minimum.
- Real-time scanning is critical for today's threats.
Secure Your Network
You cannot afford to be without an effective firewall. Today's computers and devices are continuously connected to the Internet.
Not having a firewall is like leaving your front door open for anyone to walk into your home uninvited. Not everyone is polite enough to resist the temptation.
Your Privacy Threatened
You need to protect yourself using legitimate privacy tools.
An effective hardware and software firewall combination is an essential part of your protection.
Your router is the gateway for your high-speed Internet connection and lets you share it between hard-wired (LAN) and wireless (WLAN) computers, laptops, tablets, smartphones, game consoles, TVs and “smart home” devices.
While many issues have been fixed in newer routers, there are undocumented and unpatched vulnerabilities (zero-days) for which no fix yet exists. Both governments and hackers take advantage of zero-days to steal information from your devices.
More than half the routers currently in use are easily hacked.
Replace your router if it is more than a few years old, especially if listed here.
Strong Passwords
Passwords are an essential part of life today. They are used for everything from accessing your email to the millions of websites and forums that require you to identify yourself using a username/password combination.
Single Sign-on Flawed
Single sign-on (SSO) lets you log into third-party sites with your Google, Facebook or Apple ID.
SSO may be convenient, but it creates a single point of failure: whoever takes over that one account gets into every site you linked to it.
Instead, use a unique password for every site. If you do use SSO, protect the account behind it with a strong password and multifactor authentication.
Long and Strong
Make your passwords long and strong using random upper and lower case letters, numbers and symbols (some symbols are not permitted by some sites or vendors). Generally, the longer your password, the harder it is to crack.
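As an added example (not code from the page), the following Python generates passwords of the kind described above from the operating system's cryptographic random source and works out why length matters more than the character mix. The symbol set and the 10 billion guesses per second assumed for the crack-time estimate are assumptions; trim the symbols to what a given site accepts.

```python
import math
import secrets
import string

# Added example, not code from the original page. The symbol set is a
# parameter because, as the page notes, some sites reject certain symbols;
# this default set is an assumption.
DEFAULT_SYMBOLS = "!@#$%^&*()-_=+[]{};:,.<>?"


def character_classes(symbols: str = DEFAULT_SYMBOLS) -> list:
    """Lower, upper, digits and the permitted symbols (empty classes dropped)."""
    return [c for c in (string.ascii_lowercase, string.ascii_uppercase,
                        string.digits, symbols) if c]


def has_every_class(password: str, symbols: str = DEFAULT_SYMBOLS) -> bool:
    """True when the password contains at least one character of each class."""
    return all(any(ch in cls for ch in password)
               for cls in character_classes(symbols))


def generate_password(length: int = 20, symbols: str = DEFAULT_SYMBOLS) -> str:
    """Uniformly random password from the CSPRNG (secrets, never random).

    Rejection sampling keeps the distribution uniform over the accepted set
    instead of forcing one character per class into fixed positions.
    """
    classes = character_classes(symbols)
    if length < len(classes):
        raise ValueError("length too short to contain every character class")
    alphabet = "".join(classes)
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if has_every_class(candidate, symbols):
            return candidate


def entropy_bits(length: int, alphabet_size: int) -> float:
    """Entropy of a uniformly random password: length * log2(alphabet size)."""
    return length * math.log2(alphabet_size)


def expected_crack_seconds(bits: float, guesses_per_second: float = 1e10) -> float:
    """Expected time to guess: half the keyspace at the given guess rate.

    1e10 guesses/s is an assumed offline GPU rate against a fast hash; online
    guessing against a rate-limited login is orders of magnitude slower.
    """
    return (2.0 ** bits) / 2 / guesses_per_second


def strength_table(lengths=(8, 12, 16, 20), symbols: str = DEFAULT_SYMBOLS) -> list:
    """(length, alphabet name, bits, years) for the full mix versus lowercase only."""
    full = sum(len(c) for c in character_classes(symbols))
    rows = []
    for n in lengths:
        for name, size in (("full", full), ("lowercase", 26)):
            bits = entropy_bits(n, size)
            years = expected_crack_seconds(bits) / (365 * 24 * 3600)
            rows.append((n, name, round(bits, 1), years))
    return rows


if __name__ == "__main__":
    print(generate_password(20))
    for n, name, bits, years in strength_table():
        print(f"{n:2d} chars, {name:9s}: {bits:6.1f} bits, ~{years:.3g} years")
```

The table makes the page's point concrete: sixteen random lowercase letters carry more entropy than eight characters drawn from the full mix, so a long password or passphrase beats a short, symbol-heavy one.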
Protect Your Passwords
Increasingly, sites are using your email address as your identity, making it very easy to hack your other accounts if you use weak passwords or use the same password on multiple sites.
The following is only one example of how password reuse can have significant financial repercussions:
A total of 5,500 CRA accounts were targeted in what the federal government described as two "credential stuffing" schemes, in which hackers use passwords and usernames from other websites to access Canadians' accounts with the revenue agency.
— Times Colonist
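The credential-stuffing pattern in the report above is detectable on the server side. This is an added example, not the agency's or the page's code, run over a few constructed login-log lines (documentation-range IP addresses and invented usernames): it flags a source that tries many different usernames and mostly fails, and lists the accounts that succeeded from it, since those are the passwords confirmed to be reused.

```python
import re
from collections import defaultdict
from datetime import datetime

# Added example, not part of the original page. The log format, addresses
# (RFC 5737 documentation ranges) and usernames are constructed.
SAMPLE_LOG = """\
2023-05-01T10:00:01+00:00 src=203.0.113.5 user=alice result=FAIL
2023-05-01T10:00:02+00:00 src=203.0.113.5 user=bob result=FAIL
2023-05-01T10:00:02+00:00 src=203.0.113.5 user=carol result=OK
2023-05-01T10:00:03+00:00 src=203.0.113.5 user=dave result=FAIL
2023-05-01T10:00:03+00:00 src=203.0.113.5 user=erin result=FAIL
2023-05-01T10:00:04+00:00 src=203.0.113.5 user=frank result=FAIL
2023-05-01T10:00:04+00:00 src=203.0.113.5 user=grace result=FAIL
2023-05-01T10:00:05+00:00 src=203.0.113.5 user=heidi result=FAIL
2023-05-01T10:01:10+00:00 src=198.51.100.7 user=alice result=FAIL
2023-05-01T10:01:25+00:00 src=198.51.100.7 user=alice result=OK
2023-05-01T10:02:00+00:00 src=198.51.100.9 user=bob result=OK
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)$"
)


def parse_line(line: str):
    """Return (timestamp, source, user, success) or None for an unparseable line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return (datetime.fromisoformat(m["ts"]), m["src"], m["user"], m["result"] == "OK")


def detect_credential_stuffing(log_text: str, min_distinct_users: int = 5,
                               min_fail_ratio: float = 0.7) -> dict:
    """Flag sources that try many different usernames and mostly fail.

    A legitimate user who mistypes a password retries the SAME username; a
    credential-stuffing run cycles through MANY usernames with one leaked
    password each, so the distinct-user count per source is the signal.
    For each flagged source the result includes the accounts that succeeded
    from it: those credentials are confirmed reused and need a forced reset.
    """
    per_src = defaultdict(lambda: {"attempts": 0, "failures": 0, "users": set(),
                                   "compromised": set(), "first": None, "last": None})
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, src, user, ok = parsed
        s = per_src[src]
        s["attempts"] += 1
        s["failures"] += 0 if ok else 1
        s["users"].add(user)
        if ok:
            s["compromised"].add(user)
        s["first"] = ts if s["first"] is None else min(s["first"], ts)
        s["last"] = ts if s["last"] is None else max(s["last"], ts)

    flagged = {}
    for src, s in per_src.items():
        fail_ratio = s["failures"] / s["attempts"]
        if len(s["users"]) >= min_distinct_users and fail_ratio >= min_fail_ratio:
            flagged[src] = {
                "attempts": s["attempts"],
                "distinct_users": len(s["users"]),
                "fail_ratio": round(fail_ratio, 2),
                "seconds": (s["last"] - s["first"]).total_seconds(),
                "compromised_users": sorted(s["compromised"]),
            }
    return flagged


if __name__ == "__main__":
    for src, info in detect_credential_stuffing(SAMPLE_LOG).items():
        print(src, info)
```

A distributed run that sends one attempt per source address evades a per-source count; correlating by target user across many sources, or by shared user agent and timing, is the next step, and the real defence for the user remains a unique password per site.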
Use a Password Manager
Everyone has far too many accounts today to maintain a strong, unique password for every one of them without a password manager. Humans simply have too much difficulty creating and remembering effective passwords.
I strongly recommend LastPass to manage your passwords. LastPass encrypts your passwords on your device BEFORE uploading them, and the vault can be synchronized between your various computers and devices.
Multifactor authentication provides additional security that a password alone cannot, even if that password is very long and strong.
The second factor should be something that is always with you and out of reach of anyone who has only your password, such as an authenticator app on your phone or a hardware security key; codes sent by SMS are better than nothing but are the weakest option.
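The rotating six-digit codes that authenticator apps produce are a worked example of a second factor. The code below is an added example, not taken from the page or from any particular app: it implements HOTP (RFC 4226) and TOTP (RFC 6238) as the apps and the servers that check them do, with a verifier that tolerates one step of clock drift and refuses replay of an already-used code. The `new_secret` and `secret_from_base32` helpers are assumptions about the enrolment step.

```python
import base64
import hashlib
import hmac
import secrets
import struct
import time

# Added example, not code from the page or any particular authenticator app.
# RFC 4226 (HOTP) and RFC 6238 (TOTP) as used by common authenticator apps.


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = ((mac[offset] & 0x7F) << 24) | (mac[offset + 1] << 16) \
        | (mac[offset + 2] << 8) | mac[offset + 3]
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at_time: float, step: int = 30, digits: int = 6) -> str:
    """RFC 6238: HOTP with counter = floor(unix_time / step)."""
    return hotp(secret, int(at_time) // step, digits)


def verify_totp(secret: bytes, code: str, at_time: float, window: int = 1,
                last_used_counter: int = -1, step: int = 30, digits: int = 6):
    """Accept a code for the current step or +/- `window` steps (clock drift).

    Returns the matching counter so the caller can persist it and pass it
    back as `last_used_counter`; a counter at or below that value is refused,
    which stops a captured code from being replayed within its validity window.
    The comparison is constant-time so timing does not leak matching digits.
    """
    current = int(at_time) // step
    for counter in range(current - window, current + window + 1):
        if counter <= last_used_counter:
            continue
        if hmac.compare_digest(hotp(secret, counter, digits), code):
            return counter
    return None


def new_secret(nbytes: int = 20) -> str:
    """Fresh base32 secret of the form an enrolment QR code carries (assumed helper)."""
    return base64.b32encode(secrets.token_bytes(nbytes)).decode()


def secret_from_base32(text: str) -> bytes:
    """Decode the base32 secret shown at enrolment (case and padding tolerant)."""
    text = text.strip().replace(" ", "").upper()
    return base64.b32decode(text + "=" * (-len(text) % 8))


if __name__ == "__main__":
    secret = secret_from_base32(new_secret())
    print("current code:", totp(secret, time.time()))
```

The secret is a shared key: anyone who copies it (a screenshot of the enrolment QR code, an unencrypted phone backup) can generate the same codes, which is why a hardware key that never exposes its key material is the stronger option.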
Recovery Options Weak
Instead of cracking your password, an attacker may find the “Forgot password?” recovery option on a site a much easier way to obtain unauthorized access to your email account.
People post too much personal information about themselves in public places, including social media sites.
The answers to typical security questions can be harvested from information you provide on social media or forums; the recovery questions are often the very details a social media site encourages you to post:
- Your favourite sports team(s).
- Your favourite authors or movies.
- Your best man or maid of honour at your wedding.
- Your home town or favourite teacher.
Treat these questions as extra passwords: give random answers rather than the true ones and store them in your password manager.
Protect Your Email Account
Some security protocols require you to respond to a confirmation message sent to the registered email address before a requested password change takes effect. If your email account is protected by a weak password, this mechanism can be compromised, so guard that account with a strong, unique password and multifactor authentication; it is the recovery path for everything else.
Reliable Backups
There are many causes of data loss, including:
- hardware failure (hard drive or backup media)
- ransomware attacks
- lost devices
- theft or vandalism
- environmental disasters (fire, flood, earthquake)
Our private information is increasingly digital and stored on our computers or devices.
Rather than mailing paper bills, companies insist on emailing you or having you log into your account for billing details. Even your payments are digital (PAC, eTransfer, debit), and many employers now deposit earnings electronically into your bank account.
From the dawn of civilization until 2003, humankind generated five exabytes of data. Now we produce five exabytes every two days…and the pace is accelerating.
— Eric Schmidt (2010)
Planning for Recovery
The first step in planning for recovery is to ensure that you regularly back up all your data using reliable systems and schedules. The more frequent the backups, the less data you stand to lose.
Keeping multiple generations of backups ensures that a problem with one (corruption, or a ransomware infection that was already present when it was taken) can be resolved from an older one; you might not get everything back, but most of it will be there.
You should also plan for disaster by keeping off-site copies, either cloud backups or physical media stored elsewhere, and by periodically test-restoring a backup to confirm it actually works.
Unfortunately, cloud storage is threatened by poor security and government data collection policies, so encrypt backups on your own device before uploading them.
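The recovery plan above can be scripted. The following is an added example, not the page's own tooling: it writes a compressed archive of a folder, records its SHA-256 in a sidecar file, keeps only the newest generations, and refuses to restore an archive whose hash no longer matches or that contains paths escaping the restore directory. The naming scheme, the sidecar format and the `demo` round trip on constructed data are assumptions. Copy the archive and its `.sha256` file off-site (encrypted, for cloud storage) after each run.

```python
import hashlib
import hmac
import tarfile
import tempfile
from datetime import datetime
from pathlib import Path

# Added example, not code from the page. The "backup-<label>.tar.gz" naming and
# the "<hex>  <name>" sidecar format are assumptions; labels must sort
# chronologically (the default timestamp does).
PREFIX = "backup-"


def sha256_file(path) -> str:
    """Hex SHA-256 of a file, read in chunks so large archives don't fill memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def list_generations(dest_dir) -> list:
    """Archives in dest_dir, oldest first."""
    return sorted(Path(dest_dir).glob(PREFIX + "*.tar.gz"))


def prune_generations(dest_dir, keep: int) -> list:
    """Delete the oldest archives (and their hash files) beyond `keep` generations."""
    gens = list_generations(dest_dir)
    doomed = gens[:max(0, len(gens) - keep)]
    for old in doomed:
        old.unlink()
        Path(str(old) + ".sha256").unlink(missing_ok=True)
    return doomed


def make_backup(src_dir, dest_dir, keep: int = 3, label=None) -> Path:
    """Archive src_dir into dest_dir, record its hash, then rotate generations."""
    src, dest = Path(src_dir), Path(dest_dir)
    dest.mkdir(parents=True, exist_ok=True)
    label = label or datetime.now().strftime("%Y%m%d-%H%M%S")
    archive = dest / f"{PREFIX}{label}.tar.gz"
    with tarfile.open(str(archive), "w:gz") as tar:
        tar.add(str(src), arcname=src.name)
    Path(str(archive) + ".sha256").write_text(
        f"{sha256_file(archive)}  {archive.name}\n")
    prune_generations(dest, keep)
    return archive


def verify_backup(archive) -> bool:
    """Recompute the hash and compare with the sidecar: catches bit rot and tampering."""
    archive = Path(archive)
    sidecar = Path(str(archive) + ".sha256")
    if not archive.exists() or not sidecar.exists():
        return False
    expected = sidecar.read_text().split()[0]
    return hmac.compare_digest(expected, sha256_file(archive))


def restore_backup(archive, target_dir) -> list:
    """Extract a verified archive, refusing members that would land outside target_dir."""
    if not verify_backup(archive):
        raise ValueError(f"{archive}: integrity check failed, not restoring")
    target = Path(target_dir).resolve()
    restored = []
    with tarfile.open(str(archive), "r:gz") as tar:
        for member in tar.getmembers():
            dest = (target / member.name).resolve()
            if dest != target and target not in dest.parents:
                raise ValueError(f"refusing path outside target: {member.name}")
            if not (member.isfile() or member.isdir()):
                continue  # no symlinks or device nodes from a backup archive
            tar.extract(member, str(target))
            restored.append(member.name)
    return restored


def demo() -> dict:
    """Round trip on constructed data: back up, rotate, verify, corrupt, restore."""
    with tempfile.TemporaryDirectory() as root:
        src = Path(root, "documents")
        src.mkdir()
        (src / "notes.txt").write_text("important notes\n")
        backups = Path(root, "backups")
        for label in ("g1", "g2", "g3", "g4"):   # keep=3, so g1 is rotated out
            make_backup(src, backups, keep=3, label=label)
        gens = list_generations(backups)
        verified = verify_backup(gens[-1])
        with open(gens[0], "ab") as f:            # simulate corruption of one generation
            f.write(b"\x00")
        restored = restore_backup(gens[-1], Path(root, "restore"))
        return {
            "generations": [g.name for g in gens],
            "verified": verified,
            "tamper_detected": not verify_backup(gens[0]),
            "restored": restored,
            "content": Path(root, "restore", "documents", "notes.txt").read_text(),
        }
```

Run `demo()` to see the rotation and the integrity failure on the corrupted generation; in production, schedule `make_backup` and run `verify_backup` on the off-site copy, not only the local one, since a backup you have never restored is not yet a backup.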