Preventing Unauthorized Access
I am regularly asked what the average Internet user can do to ensure his security. My first answer is usually “Nothing; you're screwed.” But it's really more complicated than that.
Against the government there's nothing you can do. The power imbalance is just too great.
But there are some things you can do to increase your security on the Internet. None of these are perfect; none of these are foolproof.
But they're all good network hygiene, and they'll make you a more difficult target than the computer next door.
— Bruce Schneier
Do You Practice Security Hygiene?
Do you routinely use weak or repeated passwords, use outdated or unpatched software, share personal details on Facebook or use public WiFi to access your accounts?
Too many people pass off security practices as annoying.
In general, the research suggests that about half of consumers do not know how to protect themselves from cyber criminals.
Security Practices Critical
Just like seat belts and helmet laws are designed to protect our bodies, good security practices are meant to protect our privacy and our devices.
Our World Has Changed
The world we live in has seen massive changes.
Information that used to be contained only on paper and locked in filing cabinets is now “in the cloud” which provides 24/7 access to anyone — including hackers.
Sooner or later you will become a victim unless your security software and security practices are up to the task of preventing unauthorized or malicious access to your computer and devices.
Deadly Security Threats
Scams are increasingly effective.
[O]rganized crime now gains more revenue from cybercrime than from the illegal drug trade and is on pace to eclipse all its other forms of illegal activities combined within a few years.
Newer and deadlier versions of malware, ransomware and hacking software are being developed regularly.
Security is Everyone's Responsibility
Everyone needs to take security seriously if we're going to remain safe.
Your protection depends on following these action steps:
- Ensure that your devices and software have the latest updates installed. That includes updating firmware when available.
- Protect your device with good quality security software and update it regularly.
- Learn how your security software operates so you're not fooled by fakes.
- Be aware of security threats and how to respond to them correctly.
If others use your computer or devices, they can compromise your security unless they also follow these protective measures.
Update Your Software
Updating your hardware's firmware may be a little more complex. Check the manufacturer's site for updates and instructions. Hire a consultant if necessary.
Ensure Your Security is Current
Invest in decent security software recognizing that security is no longer just about antivirus protection.
Be sure to update your security software when new versions become available. Older versions may not have the ability to protect your computer or device as effectively.
- Frequently check your security software company's website to verify you have the most recent version.
- Minor updates like virus or spyware signatures generally install automatically.
- If you need to manually download a file then it has to be installed before it updates your software.
Know Your Security Software
Get to know your security software so that you can use it effectively. Learn its limitations and know how it responds to threats so you know how to protect yourself and your devices.
- Don't respond to fake virus and spyware warnings.
- Don't get fooled by popup warnings that won't go away or call the numbers displayed in those popups.
- Don't install multiple antivirus programs on one computer.
Don't Fall for Scams
Responding to these fraudulent attacks is certain to result in identity theft, financial loss, or both. Just hang up or delete the email.
- Everyday steps you can take to control your digital privacy, security, and wellbeing in ways that feel right to you..
Opt Out of Extra Software
Be wary of pre-selected “extras” included with any software you're installing.
This can include pre-checked options on the download page or during installation. You neither need nor want them.
De-select any optional items before downloading software, then carefully watch the installation screens for additional pre-checked options mentioning a “trial period” or add-on software.
Google Chrome gained a widespread installation base partly as a paid add-on to freeware downloads. It automatically made itself your default browser without asking, and retained its presence by restoring the obsolete Internet Explorer as the default browser if you chose to remove Chrome.
How Cyber Safe Are You?
Recognizing the security gap, the government of Canada has made resources available on their Get CyberSafe website.
There is a lot of cybersecurity practices that are not as effective as people think or have are less important because of newer technology such encryption.
- Cybersecurity expert Eva Galperin helps debunk (and confirm!) some common myths about cybersecurity (video).
Stop and Think Before Acting
Most of today's devices (computers, phones, tablets, etc.) are continuously connected to the Internet. Many services and applications record private information and report on your activities.
Now we live in a world that is strictly bounded by our capacity to understand it, by our ability to keep up with the pace of technological change, and to manage the new risks and security challenges that come with limitless storage capacity, limitless transmission capacity, limitless data mining capacity.
We are bounded by our own limited capacity to understand, to imagine the implications of data flow and data aggregation, and our ability to teach.
— Privacy Commissioner of Canada
Stop. Think. Connect.
Staying safe online involves both being prepared and knowing the signs of suspicious websites, phishing emails and other nefarious online activity.
You can avoid a lot of problems if you follow the advice on StaySafeOnline.org:
STOP. THINK. CONNECT.™
Protect yourself and help keep the web a safer place for everyone.
- STOP: Before you use the Internet, take time to understand the risks and learn how to spot potential problems.
- THINK: Take a moment to be certain the path ahead is clear. Watch for warning signs and consider how your actions online could impact your safety, or your family's.
- CONNECT: Enjoy the Internet with greater confidence, knowing you've taken the right steps to safeguard yourself and your computer.
You're Being Tracked
Be sure to read the privacy policies and terms of service for everything you subscribe to before signing up for that service or installing that app. These policies are subject to change.
The larger the terms of service page, the more you're giving away. The vaguer the context of who they share your content with (e.g., unspecified third parties) the more likely your identity is being sold.
Protect Your Identity
If you've bought into the “nothing to hide” mantra or have decided that your information is worthless, consider these costs.
- Free software and games are funded by capturing our metadata.
- Employers now look at your online activity to determine employability.
- If your actions compromise your employer's computers or network what do you think your chances are of keeping your job? Of facing prosecution?
- If your home computers and devices become infected, you could be on the hook for how it is used by the thieves:
- Your personal reputation could be damaged.
- Your private information could be used to obtain loans or credit cards.
- You could be held liable for any illegal activities perpetrated using your identity.
It is much easier to establish credit online than to protect yourself. Fraud reporting relies on paper documentation.
Tips & Advice
Review StaySafeOnline's Basic Tips and Advice:
- Keep a clean machine.
- Protect your personal information.
- Connect with care.
- Be Web wise.
- Be a good online citizen.
- Own your online presence.
Their site contains additional information about how to stay safe online:
- Online safety basics.
- Responding to identity theft, fraud and cybercrime.
- Securing key accounts and devices.
- Managing your privacy.
Key Elements of Security
To enhance the security of your computers, devices and computer networks, you need to include the following components in your protection plan:
- Wise choice of programs and apps.
- Effective security software.
- Securing Your Network.
- Strong Passwords.
- Password Protection.
- Reliable Backups.
There is more information about each of these, either on this page or on other pages on this site. Follow the links in each of these subsections to learn more.
Choose Your Programs Wisely
The choice of software you install on your computer affects how vulnerable you are to security-related attacks.
Windows users have easier access to third-party software that can affect their security.
The User Pays for Security Failures
If software developers bore the cost of security failures in their software, just as Ralph Nader forced the auto industry to accept responsibility for their failures, fewer vulnerabilities would exist or be allowed to continue unchecked.
We generally think of computer security as a problem of technology, but often systems fail because of misplaced economic incentives: the people who could protect a system are not the ones who suffer the costs of failure.
— Bruce Schneier
Rather than developers properly repairing security issues, we are spending large amounts of money annually on security programs.
“Free to Play” Games Manipulate Us
While free to download and play, many such games are very profitable. How else could they afford to advertise during prime-time television?
"Free to play" games manipulate us through many techniques, such as presenting players with a series of smoothly escalating challenges that create a sense of mastery and accomplishment but which sharply transition into a set of challenges that are impossible to overcome without paid upgrades.
— Cory Doctorow
Search for what others have said about a program using the program name as the search criteria. Blogs often provide interesting insight to the usability of such programs and their relative merits.
Keep it Updated
All software requires maintenance.
Replacing old software can be pricey, but there's a serious risk of data loss if your system isn't kept up-to-date.
This also applies to operating systems such as Windows, macOS and Linux. When no longer supported, find a replacement.
Avoid Unwanted Programs
One of the things to look out for are the third-party optional programs (PUPs) that may be installed along with free products like Adobe Reader, Java and CCleaner. Even Windows 10 comes with tons of extras that you probably will never use.
Krebs's 3 basic rules for online safety:
- If you didn't go looking for it, don't install it.
- If you installed, update it.
- If you no longer need it, get rid of it!
Scroll carefully through the installation option screens and de-select any extra software like Google Chrome, McAfee Security, etc. before downloading or installing the software you actually wanted to install.
Keep it Clean
Where possible, uninstall any unwanted software, including programs installed with Windows 10. Regularly clear any unnecessary programs and data from your computer.
You should schedule regular times to cleaning up your computer. Removing unnecessary files and software will increase your productivity and security.
Effective security software
Traditional security products (antivirus and antispyware) are made to fight PC-based threats.
All current security suites and most antivirus software contains some form of antispyware/antimalware protection.
The Threat Landscape Has Changed
You need a security suite that protects you simultaneously from all possibilities.
Keep it Updated
Security software must be constantly updated to deal with emerging threats.
One study indicated that the time from the discovery of a vulnerability to when it is exploited is four days or less.
More recently that window of discovery has narrowed to less than a day (as little as 15 minutes). Zero-day exploits are usable immediately (0 days until useful because they are generally undiscovered except by hackers and government spy agencies).
- Check for updates at least daily.
- Weekly scans are a bare minimum.
- Real-time scanning is critical for today's threats.
Secure Your Network
You cannot afford to be without an effective firewall. Today's computers and devices are continuously connected to the Internet.
Not having a firewall is like leaving your front door open for anyone to walk into your home uninvited. Not everyone is polite enough to resist the temptation.
Your Privacy Threatened
The “nothing to hide” mantra is a falsehood perpetrated by those that profit by collecting your information then reselling it to others — the surveillance economy.
You need to protect yourself using legitimate privacy tools.
An effective hardware and software firewall combination is an essential part of your protection.
Your router not only secures your high-speed access to the Internet, but it allows you to share it between both hard-wired (LAN) and wireless (WLAN) computers, laptops, tablets, smartphones, game consoles, TVs and “smart home” devices.
While many issues have been fixed in newer routers, there are undocumented and unpatched vulnerabilities (zero day exploits). Both governments and hackers take advantage of zero-days to steal information from your devices.
More than half the routers currently in use are easily hacked.
Replace your router if it is more than a few years old, especially if listed here.
Passwords are an essential part of life today. They are used for everything from accessing your email to the millions of websites and forums that require you to identify yourself using a username/password combination.
Single Sign-on Flawed
Never choose to log into a third-party site using your Facebook, Google or other social media account (single sign-on). Instead, create a new login account using a strong and unique password.
Long and Strong
Make your passwords long and strong using random upper and lower case letter, numbers and symbols (some symbols are not permitted by some sites or vendors). Generally, the longer your passwords, the harder they are to hack.
Protect Your Passwords
Increasingly, sites are using your email address as your identity, making it very easy to hack your other accounts if you use weak passwords or use the same password on multiple sites.
The following is only one example of how password reuse can have significant financial repercussions:
A total of 5,500 CRA accounts were targeted in what the federal government described as two "credential stuffing" schemes, in which hackers use passwords and usernames from other websites to access Canadians' accounts with the revenue agency.
— Times Colonist
Use a Password Manager
Everyone has far too many passwords today to manage strong and unique passwords for every site and account we hold on the Internet without using a password manager. Humans simply have too much difficulty creating and remembering effective passwords.
I strongly recommend LastPass to manage your passwords. LastPass is secure, encrypts the passwords BEFORE uploading them and can be shared between your various computers and devices.
Two-factor authentication provides additional security that isn't available with even a strong password. As implied by the name, two-factor authentication has two components:
The second device could be
- a cell phone number (recommended); or
- a specially-design hardware authentication device like the YubiKey (shown above) in combination with LastPass; or
- a second email address (less secure as it too could be hacked).
The authentication device is preferably something that is always with you and is inaccessible to potential hackers.
Unfortunately, it appears that it isn't that hard to hijack your cellphone's SIM card, making two-factor security less secure.
Recovery Options Weak
Instead of hacking your password, the “Forgot password?” recovery option on a site can provide a much easier place to obtain unauthorized access to your email account.
People post too much personal information about themselves on public places including social media sites.
The answers to typical security questions can be harvested from information you provide on social media or forums. The nature of these recovery questions are often the very details a social media site encourages you to post:
- Your favourite sports team(s).
- Your favourite authors or movies.
- Your best man or maid of honour at your wedding.
- Your home town or favourite teacher.
Protect Your Email Account
Some security protocols require you to respond to an confirmation sent to the registered email address for a requested password change. If your email account is protected by a weak password, this mechanism can be compromised.
There are many causes of data loss, including:
- hardware failure (hard drive or backup media)
- ransomware attacks
- lost devices
- theft or vandalism
- environmental disasters (fire, flood, earthquake)
Our private information is more and more frequently digital and stored on our computers or devices.
Rather than paper bills, companies insist on sending you an email or log into your account for billing details. Even your payment is digital (PAC, eTransfer, debit).
From the dawn of civilization until 2003, humankind generated five exabytes of data. Now we produce five exabytes every two days…and the pace is accelerating.
— Eric Schmidt (2010)
Planning for Recovery
The first step in planning for recovery is to ensure that you regularly backup all your data using reliable systems and schedules. The more frequent the backups, the less data you might lose.
Having multiple generations of backups ensure that a problem with one can be resolved with an older backup (you might not get everything, but most of it will be there).
You should also plan for disaster by ensuring off-site backups either via cloud backups or physical backups stored offsite.
Unfortunately, cloud storage data is threatened by poor security and government data collection policies.