Russ Harvey Consulting - Computer and Internet Services

Security Basics

Preventing unauthorized access

Stop and Think | Key Elements of Security | More Time Online
Webcam Vulnerabilities

All trademarks, company names or logos are the property of their respective owners.

A medieval gold and black striped shield protects a monitor representing the prevention of unauthorized access.

Do You Practice Security Hygiene?

Do you routinely use weak or repeated passwords, use outdated or unpatched software, share personal details on Facebook or use public WiFi to access your accounts?

Too many people pass off security practices as annoying.

In general, the research suggests that about half of consumers do not know how to protect themselves from cyber criminals.
— McAfee

Just like seat belts and helmet laws are designed to protect our bodies, good security practices are meant to protect our privacy and our devices.

Slow Down and Think

When presented with something unusual, slow down and think.

Someone acting maliciously wants you to have a sense of urgency — to act NOW, before you have a chance to think.

Before proceeding, call a friend, a colleague or your “security guy” for advice.

Improving Security

Sooner or later you will become a victim unless your security software and security practices are up to the task of preventing unauthorized or malicious access to your computer and devices.

I am regularly asked what the average Internet user can do to ensure his security. My first answer is usually “Nothing; you're screwed.” But it's really more complicated than that.

 

Against the government there's nothing you can do. The power imbalance is just too great.

 

But there are some things you can do to increase your security on the Internet. None of these are perfect; none of these are foolproof.

 

But they're all good network hygiene, and they'll make you a more difficult target than the computer next door.
Bruce Schneier

Be More Secure Online

11 Internet safety tips for your online security:

 

Our World Has Changed

The world we live in has seen massive changes.

Information used to be contained only on paper locked in filing cabinets.

Now that information is stored “in the cloud”, providing 24/7 access to anyone with the passwords.

Hackers are trained to break weak passwords and take advantage of social weaknesses.

Deadly Security Threats

Scams are increasingly effective.

[O]rganized crime now gains more revenue from cybercrime than from the illegal drug trade and is on pace to eclipse all its other forms of illegal activities combined within a few years.
— Trustwave 2021

Newer and deadlier versions of malware, ransomware and hacking software are being developed regularly. “Ransomware as a service” is now being offered to those that lack the skills to create their own versions.

Security is Everyone's Responsibility

Everyone needs to take security seriously if we're going to remain safe.

Action Steps

Your protection depends on following these action steps:

  1. Ensure that your devices and software have the latest updates installed. That includes updating firmware when available.
  2. Protect your device with good quality security software and update it regularly.
  3. Learn how your security software operates so you're not fooled by fakes.
  4. Be aware of security threats and how to respond to them correctly.

If others use your computer or devices, they can compromise your security unless they also follow these protective measures.

Update Your Software

Update your operating system as well as all your software (apps), replacing them when no longer supported.

“Update your software!?” infographic -- click to learn more.
See the full infographic.

Updating your hardware's firmware may be a little more complex. Check the manufacturer's site for updates and instructions. Hire a consultant if necessary.

Ensure Your Security is Current

Invest in decent security software recognizing that security is no longer just about antivirus protection.

Be sure to update your security software when new versions become available.

Older versions may not have the ability to protect your computer or device against newer threats.

Frequently check your security software company's website to verify you have the most recent version.

Know Your Security Software

Get to know your security software so that you can use it effectively. Learn its limitations and know how it responds to threats.

Don't Fall for Scams

Besides the threats noted above, scams come in many forms but the most common are phone fraud including unrequested “computer support” calls and email fraud (phishing attacks).

Responding to these fraudulent attacks is certain to result in identity theft, financial loss, or both. Just hang up or delete the email.

Opt Out of Extra Software

Be wary of pre-selected “extras” included with any software you're installing.

This can include pre-checked options on the download page or during installation. You neither need nor want them.

De-select any optional items before downloading software, then carefully watch the installation screens for additional pre-checked options mentioning a “trial period” or add-on software.

Google Chrome an Example

Google Chrome gained a widespread installation base partly by paying to be included as an add-on to freeware downloads.

It automatically made itself your default browser then restored the obsolete Internet Explorer as the default browser when removed, again without asking.

As a result, not only is Chrome the most commonly used browser, but Chromium is the base for most other common browsers.

It also dominates Internet marketing, advertising, search, Gmail, YouTube and more. Google has become so powerful that it now threatens the digital economy..

How Cyber Safe Are You?

Businesses need to train their employees and increase their security budget. Home users need to educate themselves and their household about the risks.

Get CyberSafe

Recognizing the security gap, the government of Canada has made resources available on their Get CyberSafe website.

Cybersecurity Myths

There is a lot of cybersecurity practices that are not as effective as people think or have are less important because of newer technology such encryption.

Return to top

Stop and Think Before Acting

Most of today's devices (computers, phones, tablets, etc.) are continuously connected to the Internet. Many services and applications record private information and report on your activities.

Now we live in a world that is strictly bounded by our capacity to understand it, by our ability to keep up with the pace of technological change, and to manage the new risks and security challenges that come with limitless storage capacity, limitless transmission capacity, limitless data mining capacity.

 

We are bounded by our own limited capacity to understand, to imagine the implications of data flow and data aggregation, and our ability to teach.
Privacy Commissioner of Canada

Stop. Think. Connect.

Staying safe online involves both being prepared and knowing the signs of suspicious websites, phishing emails and other nefarious online activity.

You can avoid a lot of problems if you follow the advice on StaySafeOnline.org:

STOP. THINK. CONNECT.™
Protect yourself and help keep the web a safer place for everyone.
  1. STOP: Before you use the Internet, take time to understand the risks and learn how to spot potential problems.
  2. THINK: Take a moment to be certain the path ahead is clear. Watch for warning signs and consider how your actions online could impact your safety, or your family's.
  3. CONNECT: Enjoy the Internet with greater confidence, knowing you've taken the right steps to safeguard yourself and your computer.

You're Being Tracked

Too many sites collect unnecessary information “just in case” they can monetize it later. The size and number of data breaches attests to the fact that few secure that information.

Be sure to read the privacy policies and terms of service for everything you subscribe to before signing up for any service or installing any app. Those policies are subject to change without notice.

The larger the terms of service page, the more you're giving away. The vaguer the context of who they share your content with (e.g., “unspecified third parties”) the more likely your identity is being sold to anyone that has the cash.

Protect Your Identity

If you've bought into the “nothing to hide” mantra or have decided that your information is worthless, consider these costs.

Your Employment Eligibility

Employers now look at your online activity to determine employability.

If your actions compromise your employer's computers or network you'd likely be fired and could be facing prosecution.

Tips & Advice

Review StaySafeOnline's Basic Tips and Advice:

Details are on StaySafeOnline.org or available as a PDF.

Their site contains additional information about how to stay safe online:

Return to top

Key Elements of Security

To enhance the security of your computers, devices and computer networks, you need to include the following components in your protection plan:

There is more information about each of these, either on this page or on other pages on this site. Follow the links in each of these subsections to learn more.

Choose Your Programs Wisely

The choice of software you install on your computer affects how vulnerable you are to security-related attacks.

This is particularly true for your choice of web browser as well as the email software you use.

Windows users have easier access to third-party software. This can affect their security.

The User Pays for Security Failures

Fewer vulnerabilities would exist or be allowed to continue unchecked if software developers bore the cost of security failures in their software.

We generally think of computer security as a problem of technology, but often systems fail because of misplaced economic incentives: the people who could protect a system are not the ones who suffer the costs of failure.
Bruce Schneier

Rather than developers properly repairing security issues, we are spending large amounts of money annually on security programs.

Just as Ralph Nader forced the auto industry to accept responsibility for their failures, software vendors need to be held accountable.

Free Software

There is some excellent free software available to you, including LibreOffice, Firefox and GIMP.

Unfortunately, many other free utilities, screen savers and similar programs available on the Web contain either malware or collect information about you or install unnecessary third-party software.

“Free to Play” Games Manipulate Us

While free to download and play, many such games are very profitable. How else could they afford to advertise during prime-time television?

"Free to play" games manipulate us through many techniques, such as presenting players with a series of smoothly escalating challenges that create a sense of mastery and accomplishment but which sharply transition into a set of challenges that are impossible to overcome without paid upgrades.
Cory Doctorow

While the sale of paid upgrades such as energy, coins, etc. can play a part, that doesn't explain the widespread advertising of games that claim to have no ads yet are frequently advertised on other games (especially if they claim to have no ads).

Assessing Software

Search for what others have said about a program using the program name as the search criteria. Blogs often provide interesting insight to the usability of such programs and their relative merits.

Learn about my recommended software….

Keep it Updated

All software requires maintenance.

Be sure to update your software regularly. When a program is no longer maintained, uninstall it then find a currently-supported replacement.

Replacing old software can be pricey, but there's a serious risk of data loss if your system isn't kept up-to-date.
Acronis

This also applies to operating systems such as Windows, macOS and Linux. When no longer supported, find a replacement.

Avoid Unwanted Programs

One of the things to look out for are the third-party optional programs (PUPs) that may be installed along with free products like Adobe Reader, Java and CCleaner. Even Windows 10 comes with tons of extras that you probably will never use.

Krebs's 3 basic rules for online safety:
  1. If you didn't go looking for it, don't install it.
  2. If you installed, update it.
  3. If you no longer need it, get rid of it!

Scroll carefully through the installation option screens and de-select any extra software like Google Chrome, McAfee Security, etc. before downloading or installing the software you actually wanted to install.

Keep it Clean

Where possible, uninstall any unwanted software, including programs installed with Windows or by your computer manufacturer. Regularly clear any unnecessary programs and data from your computer.

You should schedule regular times to cleaning up your computer. Removing unnecessary files and software will increase your productivity and security.

Effective security software

Traditional security products (antivirus and antispyware) are made to fight PC-based threats.

All current security suites and most antivirus software contains some form of antispyware/antimalware protection.

The Threat Landscape Has Changed

Today's computers face multifaceted attacks (multiple sources at the same time). Web-based threats (including ransomware) can develop very quickly.

You need a security suite that protects you simultaneously from all possibilities.

Keep it Updated

Security software must be constantly updated to deal with emerging threats.

One study indicated that the time from the discovery of a vulnerability to when it is exploited is four days or less.

More recently that window of discovery has narrowed to less than a day (as little as 15 minutes). Zero-day exploits are usable immediately (zero days until useful because they are generally undiscovered except by hackers and government spy agencies).

Learn more about security software….

Secure Your Network

Your home network is the gateway to the Internet but it is also an open doorway into your computers and other networked devices including all your private data unless you take steps to secure your network.

Don't be a victim! Malicious cyber actors may leverage your home network to gain access to personal, private, and confidential information.

 

Help protect yourself, your family, and your work by practicing cybersecurity-aware behaviors, observing some basic configuration guidelines, and implementing the following mitigations on your home network, including:
  • Upgrade and update all equipment and software regularly, including routing devices
  • Exercise secure habits by backing up your data and disconnecting devices when connections are not needed
  • Limit administration to the internal network only
  • National Security Agency

See the National Security Agency's guidelines: Best practices for securing your home network (PDF).

Use an Effective Firewall

You cannot afford to be without an effective firewall. Today's computers and devices are continuously connected to the Internet.

Not having a firewall is like leaving your front door open for anyone to walk into your home uninvited. Not everyone is polite enough to resist the temptation.

Most current security software comes with a built-in firewall, but free software is less likely to protect you from all threats.

Your Privacy Threatened

Your privacy has never been under attack as intensely as it is today.

The “nothing to hide” mantra is a falsehood perpetrated by those that profit by collecting our information then reselling it to others — the surveillance economy.

You need to protect yourself using legitimate privacy tools.

Effective Protection

An effective hardware and software firewall combination is an essential part of your protection.

Your Router

Your router not only secures your high-speed access to the Internet, but it allows you to share it between both hard-wired (LAN) and wireless (WLAN) computers, laptops, tablets, smartphones, game consoles, TVs and “smart home” devices.

While many issues have been fixed in newer routers, there are undocumented and unpatched vulnerabilities (zero day exploits). Both governments and hackers take advantage of zero-days to steal information from your devices.

More than half the routers currently in use are easily hacked.

Replace your router if it is more than a few years old, especially if listed here.

Learn more about securing your network….

Strong Passwords

Passwords are an essential part of life today. They are used for everything from accessing your email to the millions of websites and forums that require you to identify yourself using a username/password combination.

Passwords and encryption can be effective tools — but only if you use them correctly.

A password manager is critical to help you generate and remember strong and unique passwords for every site.

Single Sign-on Flawed

Single sign-on (SSO) uses your Google, Facebook or Apple ID to log into third-party sites.

Single sign-on uses your Google, Facebook or Apple ID to log into third-party sites.

SSO may be convenient, but creates a single point of failure.

Instead, use a unique password for every site.

By generating a unique password for every site using a password manager like Bitwarden, each site obtains only your name, email and whatever other information you provide directly to them.

Long and Strong

Make your passwords long and strong using random upper and lower case letter, numbers and symbols (some symbols are not permitted by some sites or vendors). Generally, the longer your passwords, the harder they are to hack.

Protect Your Passwords

Increasingly, sites are using your email address as your identity, making it very easy to hack your other accounts if you use weak passwords or use the same password on multiple sites.

The following is only one example of how password reuse can have significant financial repercussions:

A total of 5,500 CRA accounts were targeted in what the federal government described as two "credential stuffing" schemes, in which hackers use passwords and usernames from other websites to access Canadians' accounts with the revenue agency.
Times Colonist

Use a Password Manager

Everyone has far too many passwords today to manage strong and unique passwords for every site and account we hold on the Internet without using a password manager. Humans simply have too much difficulty creating and remembering effective passwords.

I strongly recommend Bitwarden to manage your passwords. LastPass is secure, encrypts the passwords BEFORE uploading them and can be shared between your various computers and devices.

Multifactor Authentication

Multifactor authentication provides additional security that isn't available by using only a password even if it is very long and strong.

The authentication device is preferably something that is always with you and is inaccessible to potential hackers.

Recovery Options Weak

Instead of hacking your password, the “Forgot password?” recovery option on a site can provide a much easier place to obtain unauthorized access to your email account.

People post too much personal information about themselves on public places including social media sites.

The answers to typical security questions can be harvested from information you provide on social media or forums. The nature of these recovery questions are often the very details a social media site encourages you to post:

Protect Your Email Account

Some security protocols require you to respond to an confirmation sent to the registered email address for a requested password change. If your email account is protected by a weak password, this mechanism can be compromised.

Learn more about protecting your passwords….

Reliable Backups

There are many causes of data loss, including:

Our private information is more and more frequently digital and stored on our computers or devices.

Rather than paper bills, companies insist on sending you an email or log into your account for billing details. Even your payment is digital (PAC, eTransfer, debit) and many employers now electronically deposit earnings into your bank account.

From the dawn of civilization until 2003, humankind generated five exabytes of data. Now we produce five exabytes every two days…and the pace is accelerating.
Eric Schmidt (2010)

Planning for Recovery

The first step in planning for recovery is to ensure that you regularly backup all your data using reliable systems and schedules. The more frequent the backups, the less data you might lose.

Having multiple generations of backups ensure that a problem with one can be resolved with an older backup (you might not get everything, but most of it will be there).

You should also plan for disaster by ensuring off-site backups either via cloud backups or physical backups stored offsite.

Unfortunately, cloud storage data is threatened by poor security and government data collection policies.

Learn more about backup strategies….

Return to top

We're Online More

We're spending more time online than ever before including virtual meetings, online gaming, texting, chatrooms, and social media.

Working From Home?

Almost four times as many Canadians are working from home than pre-pandemic. That trend seems to be continuing.

Security requirements are higher than they are for online gaming and entertainment.

Phishing

Phishing attacks are on the increase. Be wary of attachments in unexpected messages, including delivery notices, voice mail notices, etc.

Home Networks

If you might find your home network isn't up to the task:

Learn more about security in a pandemic….

Return to top

Webcam Vulnerabilities

It has been known for some time that your computer and devices can be hacked to access the camera without activating the light that warns the user.

Many folks (including Mark Zuckerberg) cover their camera to ensure privacy.

This has been more difficult during the pandemic as people working from home required frequent access to online meeting software.

Apple warned users that covering the camera could damage your laptop, stating that Apple's cameras are engineered so that it can't be accessed without the indicator light turning on.

With decent security software, the sorts of malware that make this possible are detected and removed.

Kaspersky goes even further by ensuring that access is denied to the camera at startup.

Return to top

Security Resources

Related Resources

On this site:

Found this resource useful?
Buy Me A Coffee

 

Return to top
RussHarvey.bc.ca/resources/security.html
Updated: December 9, 2023