Do you routinely use weak or repeated passwords, use outdated or unpatched software, share personal details on Facebook or use public WiFi to access your accounts?
Too many people pass off security practices as annoying.
In general, the research suggests that about half of consumers do not know how to protect themselves from cyber criminals.
— McAfee
Just like seat belts and helmet laws are designed to protect our bodies, good security practices are meant to protect our privacy and our devices.
When presented with something unusual, slow down and think.
Someone acting maliciously wants you to have a sense of urgency — to act NOW, before you have a chance to think.
Before proceeding, call a friend, a colleague or your “security guy” for advice.
Sooner or later you will become a victim unless your security software and security practices are up to the task of preventing unauthorized or malicious access to your computer and devices.
I am regularly asked what the average Internet user can do to ensure his security. My first answer is usually “Nothing; you're screwed.” But it's really more complicated than that. Against the government there's nothing you can do. The power imbalance is just too great.
But there are some things you can do to increase your security on the Internet. None of these are perfect; none of these are foolproof.
But they're all good network hygiene, and they'll make you a more difficult target than the computer next door.
— Bruce Schneier
11 Internet safety tips for your online security:
The world we live in has seen massive changes.
Information used to be contained only on paper locked in filing cabinets.
Now that information is stored “in the cloud”, providing 24/7 access to anyone with the passwords.
Hackers are trained to break weak passwords and take advantage of social weaknesses.
Scams are increasingly effective.
[O]rganized crime now gains more revenue from cybercrime than from the illegal drug trade and is on pace to eclipse all its other forms of illegal activities combined within a few years.
— Trustwave 2021
Newer and deadlier versions of malware, ransomware and hacking software are being developed regularly. “Ransomware as a service” is now being offered to those that lack the skills to create their own versions.
Everyone needs to take security seriously if we're going to remain safe.
Your protection depends on following these action steps:
If others use your computer or devices, they can compromise your security unless they also follow these protective measures.
Update your operating system as well as all your software (apps), replacing them when no longer supported.
Updating your hardware's firmware may be a little more complex. Check the manufacturer's site for updates and instructions. Hire a consultant if necessary.
Invest in decent security software recognizing that security is no longer just about antivirus protection.
Be sure to update your security software when new versions become available.
Older versions may not have the ability to protect your computer or device against newer threats.
Frequently check your security software company's website to verify you have the most recent version.
Get to know your security software so that you can use it effectively. Learn its limitations and know how it responds to threats.
Besides the threats noted above, scams come in many forms but the most common are phone fraud including unrequested “computer support” calls and email fraud (phishing attacks).
Responding to these fraudulent attacks is certain to result in identity theft, financial loss, or both. Just hang up or delete the email.
Be wary of pre-selected “extras” included with any software you're installing.
This can include pre-checked options on the download page or during installation. You neither need nor want them.
De-select any optional items before downloading software, then carefully watch the installation screens for additional pre-checked options mentioning a “trial period” or add-on software.
Google Chrome gained a widespread installation base partly by paying to be included as an add-on to freeware downloads.
It automatically made itself your default browser then restored the obsolete Internet Explorer as the default browser when removed, again without asking.
As a result, not only is Chrome the most commonly used browser, but Chromium is the base for most other common browsers.
It also dominates Internet marketing, advertising, search, Gmail, YouTube and more. Google has become so powerful that it now threatens the digital economy.
Businesses need to train their employees and increase their security budget. Home users need to educate themselves and their household about the risks.
Recognizing the security gap, the government of Canada has made resources available on their Get CyberSafe website.
There are a lot of cybersecurity practices that are not as effective as people think or are less important because of newer technology such as encryption.
Most of today's devices (computers, phones, tablets, etc.) are continuously connected to the Internet. Many services and applications record private information and report on your activities.
Now we live in a world that is strictly bounded by our capacity to understand it, by our ability to keep up with the pace of technological change, and to manage the new risks and security challenges that come with limitless storage capacity, limitless transmission capacity, limitless data mining capacity. We are bounded by our own limited capacity to understand, to imagine the implications of data flow and data aggregation, and our ability to teach.
— Privacy Commissioner of Canada
Staying safe online involves both being prepared and knowing the signs of suspicious websites, phishing emails and other nefarious online activity.
You can avoid a lot of problems if you follow the advice on StaySafeOnline.org:
STOP. THINK. CONNECT.™
Protect yourself and help keep the web a safer place for everyone.
- STOP: Before you use the Internet, take time to understand the risks and learn how to spot potential problems.
- THINK: Take a moment to be certain the path ahead is clear. Watch for warning signs and consider how your actions online could impact your safety, or your family's.
- CONNECT: Enjoy the Internet with greater confidence, knowing you've taken the right steps to safeguard yourself and your computer.
Too many sites collect unnecessary information “just in case” they can monetize it later. The size and number of data breaches attest to the fact that few secure that information.
Be sure to read the privacy policies and terms of service for everything you subscribe to before signing up for any service or installing any app. Those policies are subject to change without notice.
The larger the terms of service page, the more you're giving away. The vaguer the context of who they share your content with (e.g., “unspecified third parties”) the more likely your identity is being sold to anyone that has the cash.
If you've bought into the “nothing to hide” mantra or have decided that your information is worthless, consider these costs.
Employers now look at your online activity to determine employability.
If your actions compromise your employer's computers or network you'd likely be fired and could be facing prosecution.
Review StaySafeOnline's Basic Tips and Advice:
Details are on StaySafeOnline.org or available as a PDF.
Their site contains additional information about how to stay safe online:
To enhance the security of your computers, devices and computer networks, you need to include the following components in your protection plan:
There is more information about each of these, either on this page or on other pages on this site. Follow the links in each of these subsections to learn more.
The choice of software you install on your computer affects how vulnerable you are to security-related attacks.
This is particularly true for your choice of web browser as well as the email software you use.
Windows users have easier access to third-party software. This can affect their security.
Fewer vulnerabilities would exist or be allowed to continue unchecked if software developers bore the cost of security failures in their software.
We generally think of computer security as a problem of technology, but often systems fail because of misplaced economic incentives: the people who could protect a system are not the ones who suffer the costs of failure.
— Bruce Schneier
Rather than developers properly repairing security issues, we are spending large amounts of money annually on security programs.
Just as Ralph Nader forced the auto industry to accept responsibility for their failures, software vendors need to be held accountable.
There is some excellent free software available to you, including LibreOffice, Firefox and GIMP.
Unfortunately, many other free utilities, screen savers and similar programs available on the Web contain either malware or collect information about you or install unnecessary third-party software.
While free to download and play, many such games are very profitable. How else could they afford to advertise during prime-time television?
"Free to play" games manipulate us through many techniques, such as presenting players with a series of smoothly escalating challenges that create a sense of mastery and accomplishment but which sharply transition into a set of challenges that are impossible to overcome without paid upgrades.
— Cory Doctorow
While the sale of paid upgrades such as energy, coins, etc. can play a part, that doesn't explain the widespread advertising of games that claim to have no ads yet are frequently advertised on other games (especially if they claim to have no ads).
Search for what others have said about a program using the program name as the search criteria. Blogs often provide interesting insight to the usability of such programs and their relative merits.
Learn about my recommended software….
All software requires maintenance.
Be sure to update your software regularly. When a program is no longer maintained, uninstall it then find a currently-supported replacement.
Replacing old software can be pricey, but there's a serious risk of data loss if your system isn't kept up-to-date.
— Acronis
This also applies to operating systems such as Windows, macOS and Linux. When no longer supported, find a replacement.
One of the things to look out for is the third-party optional programs (PUPs) that may be installed along with free products like Adobe Reader, Java and CCleaner. Even Windows 10 comes with tons of extras that you probably will never use.
Krebs's 3 basic rules for online safety:
- If you didn't go looking for it, don't install it.
- If you installed it, update it.
- If you no longer need it, get rid of it!
Scroll carefully through the installation option screens and de-select any extra software like Google Chrome, McAfee Security, etc. before downloading or installing the software you actually wanted to install.
Where possible, uninstall any unwanted software, including programs installed with Windows or by your computer manufacturer. Regularly clear any unnecessary programs and data from your computer.
You should schedule regular times to clean up your computer. Removing unnecessary files and software will increase your productivity and security.
Traditional security products (antivirus and antispyware) are made to fight PC-based threats.
All current security suites and most antivirus software contain some form of antispyware/antimalware protection.
Today's computers face multifaceted attacks (multiple sources at the same time). Web-based threats (including ransomware) can develop very quickly.
You need a security suite that protects you simultaneously from all possibilities.
Security software must be constantly updated to deal with emerging threats.
One study indicated that the time from the discovery of a vulnerability to when it is exploited is four days or less.
More recently that window of discovery has narrowed to less than a day (as little as 15 minutes). Zero-day exploits are usable immediately (zero days until useful because they are generally undiscovered except by hackers and government spy agencies).
Learn more about security software….
Your home network is the gateway to the Internet but it is also an open doorway into your computers and other networked devices including all your private data unless you take steps to secure your network.
Don't be a victim! Malicious cyber actors may leverage your home network to gain access to personal, private, and confidential information. Help protect yourself, your family, and your work by practicing cybersecurity-aware behaviors, observing some basic configuration guidelines, and implementing the following mitigations on your home network, including:
- Upgrade and update all equipment and software regularly, including routing devices
- Exercise secure habits by backing up your data and disconnecting devices when connections are not needed
- Limit administration to the internal network only
— National Security Agency
See the National Security Agency's guidelines: Best practices for securing your home network (PDF).
You cannot afford to be without an effective firewall. Today's computers and devices are continuously connected to the Internet.
Not having a firewall is like leaving your front door open for anyone to walk into your home uninvited. Not everyone is polite enough to resist the temptation.
Most current security software comes with a built-in firewall, but free software is less likely to protect you from all threats.
Your privacy has never been under attack as intensely as it is today.
The “nothing to hide” mantra is a falsehood perpetrated by those that profit by collecting our information then reselling it to others — the surveillance economy.
You need to protect yourself using legitimate privacy tools.
An effective hardware and software firewall combination is an essential part of your protection.
Your router not only secures your high-speed access to the Internet, but it allows you to share it between both hard-wired (LAN) and wireless (WLAN) computers, laptops, tablets, smartphones, game consoles, TVs and “smart home” devices.
While many issues have been fixed in newer routers, there are undocumented and unpatched vulnerabilities (zero day exploits). Both governments and hackers take advantage of zero-days to steal information from your devices.
More than half the routers currently in use are easily hacked.
Replace your router if it is more than a few years old, especially if listed here.
Learn more about securing your network….
Passwords are an essential part of life today. They are used for everything from accessing your email to the millions of websites and forums that require you to identify yourself using a username/password combination.
Passwords and encryption can be effective tools — but only if you use them correctly.
A password manager is critical to help you generate and remember strong and unique passwords for every site.
Single sign-on (SSO) uses your Google, Facebook or Apple ID to log into third-party sites.
SSO may be convenient, but creates a single point of failure.
Instead, use a unique password for every site.
By generating a unique password for every site using a password manager like Bitwarden, each site obtains only your name, email and whatever other information you provide directly to them.
Make your passwords long and strong using random upper and lower case letters, numbers and symbols (some symbols are not permitted by some sites or vendors). Generally, the longer your passwords, the harder they are to hack.
Increasingly, sites are using your email address as your identity, making it very easy to hack your other accounts if you use weak passwords or use the same password on multiple sites.
The following is only one example of how password reuse can have significant financial repercussions:
A total of 5,500 CRA accounts were targeted in what the federal government described as two "credential stuffing" schemes, in which hackers use passwords and usernames from other websites to access Canadians' accounts with the revenue agency.
— Times Colonist
Everyone has far too many passwords today to manage strong and unique passwords for every site and account we hold on the Internet without using a password manager. Humans simply have too much difficulty creating and remembering effective passwords.
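The sketch below is an added example, not part of the original page: it generates the long, random passwords described above while skipping symbols a site rejects, compares the strength of short and long passwords, and flags the reuse that credential stuffing depends on. The function names and the sample vault are constructed for illustration; `disallowed` applies to symbols only.

```python
import math
import secrets
import string
from collections import defaultdict

SYMBOLS = string.punctuation  # 32 ASCII symbols; individual sites may reject some


def generate_password(length=20, disallowed=""):
    """Return a random password drawn from a CSPRNG, with every permitted
    character class (lower, upper, digit, symbol) present at least once."""
    classes = [
        string.ascii_lowercase,
        string.ascii_uppercase,
        string.digits,
        "".join(c for c in SYMBOLS if c not in disallowed),
    ]
    classes = [c for c in classes if c]  # a site may forbid every symbol
    if length < len(classes):
        raise ValueError("length too short to include every character class")
    alphabet = "".join(classes)
    while True:  # rejection sampling: uniform over all passwords that qualify
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if all(any(ch in cls for ch in candidate) for cls in classes):
            return candidate


def entropy_bits(length, alphabet_size):
    """Upper bound on guessing entropy for a uniformly random password."""
    return length * math.log2(alphabet_size)


def find_reuse(vault):
    """Given {site: password}, return sorted groups of sites sharing a password."""
    by_password = defaultdict(list)
    for site, password in vault.items():
        by_password[password].append(site)
    return sorted(sorted(sites) for sites in by_password.values() if len(sites) > 1)


# Constructed sample vault (not real credentials).
SAMPLE_VAULT = {
    "mail.example": "Summer2023!",
    "bank.example": "Summer2023!",
    "forum.example": "hunter2",
    "shop.example": "Summer2023!",
    "tax.example": "x9$Lq7#Vd2@Rm5^Tz8&K",
}

if __name__ == "__main__":
    print(generate_password(20, disallowed="<>&\"'"))
    print(round(entropy_bits(8, 94), 1), round(entropy_bits(20, 94), 1))
    print(find_reuse(SAMPLE_VAULT))
```

In the sample vault, one leaked password opens three accounts, including the email account that other sites use for password recovery.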
I strongly recommend Bitwarden to manage your passwords. LastPass is secure, encrypts the passwords BEFORE uploading them and can be shared between your various computers and devices.
Multifactor authentication provides additional security that isn't available by using only a password even if it is very long and strong.
The authentication device is preferably something that is always with you and is inaccessible to potential hackers.
Instead of hacking your password, the “Forgot password?” recovery option on a site can provide a much easier place to obtain unauthorized access to your email account.
People post too much personal information about themselves on public places including social media sites.
The answers to typical security questions can be harvested from information you provide on social media or forums. The nature of these recovery questions is often the very details a social media site encourages you to post:
Some security protocols require you to respond to a confirmation sent to the registered email address for a requested password change. If your email account is protected by a weak password, this mechanism can be compromised.
Learn more about protecting your passwords….
There are many causes of data loss, including:
Our private information is more and more frequently digital and stored on our computers or devices.
Rather than sending paper bills, companies insist on sending you an email or having you log into your account for billing details. Even your payment is digital (PAC, eTransfer, debit) and many employers now electronically deposit earnings into your bank account.
From the dawn of civilization until 2003, humankind generated five exabytes of data. Now we produce five exabytes every two days…and the pace is accelerating.
— Eric Schmidt (2010)
The first step in planning for recovery is to ensure that you regularly backup all your data using reliable systems and schedules. The more frequent the backups, the less data you might lose.
Having multiple generations of backups ensures that a problem with one can be resolved with an older backup (you might not get everything, but most of it will be there).
You should also plan for disaster by ensuring off-site backups either via cloud backups or physical backups stored offsite.
Unfortunately, cloud storage data is threatened by poor security and government data collection policies.
Learn more about backup strategies….
We're spending more time online than ever before including virtual meetings, online gaming, texting, chatrooms, and social media.
Almost four times as many Canadians are working from home as pre-pandemic. That trend seems to be continuing.
Security requirements are higher than they are for online gaming and entertainment.
Phishing attacks are on the increase. Be wary of attachments in unexpected messages, including delivery notices, voice mail notices, etc.
You might find your home network isn't up to the task:
Learn more about security in a pandemic….
It has been known for some time that your computer and devices can be hacked to access the camera without activating the light that warns the user.
Many folks (including Mark Zuckerberg) cover their camera to ensure privacy.
This has been more difficult during the pandemic as people working from home required frequent access to online meeting software.
Apple warned users that covering the camera could damage your laptop, stating that Apple's cameras are engineered so that they can't be accessed without the indicator light turning on.
With decent security software, the sorts of malware that make this possible are detected and removed.
Kaspersky goes even further by ensuring that access is denied to the camera at startup.
RussHarvey.bc.ca/resources/security.html
Updated: December 9, 2023