At one time virus threats were simpler and so was the software necessary to detect and eliminate them.
Today's computers face much more dangerous threats coming from multiple sources at the same time.
Some security software is better than others at finding and quarantining infections, but no single product can detect everything that's out there, especially when it changes by the minute — not by the day, by the minute! — Windows Secrets
The "detect and prevent" approach has reached its potential, and attackers have learned how to bypass this defense method. What's more appalling is that studies have shown that 68 percent of breaches take months or longer to detect. Zero Trust policies are quickly being adopted across the cybersecurity industry. They're based on a simple idea: don't trust any piece of traffic, regardless of whether it originates inside or outside of your organization.
— Menlo Security
More recently, these attacks have become multifaceted (blended) threats requiring more than one form of security software.
A blended threat can expose you on websites because often these sites bring together information from many external sources — all potential avenues of vulnerability.
All it takes for a website to become vulnerable is for the owners to use a weak password or older software (an outdated WordPress installation or a plugin that is compromised).
Governments are collecting more about you and your Internet activities — supposedly to protect us all from terrorism. I'd describe this extreme collection of personal data as creepy rather than protective.
Corporations are engaged in massive collections of meta-data and creating profiles to encourage advertisers and sell to others.
Some of these appear to be instruments of cyber warfare developed by nations and corporations — the only ones with the resources needed to build sophisticated programs like FinFisher or FinSpy.
FinSpy is a field-proven Remote Monitoring Solution that enables Governments to face the current challenges of monitoring Mobile and Security-Aware Targets that regularly change location, use encrypted and anonymous communication channels and reside in foreign countries.
— WikiLeaks
Zero-day exploits are those that take advantage of weaknesses in software that have not been patched by the vendor.
A zero-day (also known as 0-day) vulnerability is a computer-software vulnerability that is unknown to those who should be interested in mitigating the vulnerability (including the vendor of the target software). Until the vulnerability is mitigated, hackers can exploit it to adversely affect computer programs, data, additional computers or a network.
— Wikipedia
Once the zero-day begins to be exploited by criminals and state governments it is considered to be “in the wild” and updates are critical to protect consumers.
Often the vendor is unaware of the vulnerability until it shows up in the wild.
There is a strong black market for zero-day exploits.
Hackers were much faster to exploit software bugs in 2021, with the average time to exploitation down from 42 days in 2020 to just 12 days. These flaws affected firewalls, virtual private networks (VPNs), Microsoft's email server, desktop operating system and cloud, a code sharing platform, remote IT management products, and more.
— ZDNET
Hackers and government agencies have stockpiled these as tools to attack the computers and phones of their victims. Now they are the bread-and-butter of the ransomware-as-a-service model.
Many companies have abused the intent of the U.S. DMCA to prevent researchers and pro-privacy organizations from seeking out these vulnerabilities and having them patched.
These companies don't want the bad publicity of revealed zero-day exploits.
If a company has a history of not fixing vulnerabilities, it would be wise to look for another product. Unfortunately, that is not possible with proprietary hardware.
Frequent updates of software are an attempt to patch known exploits.
Criminals know about and exploit many zero-day vulnerabilities.
They also test older systems for vulnerabilities that have been patched in newer software but NOT in unsupported versions.
Upgrade or uninstall any software that becomes unsupported.
Police and agencies like the CIA and NSA use zero-day exploits to spy on their citizens and other countries. They don't want these exploits to be identified so weaknesses can be patched.
American tech companies are pressured to work with these secretive government agencies which may account for some of the long-term vulnerabilities in software and hardware.
These same agencies continue to demand back doors to encryption software.
Both demands ignore the fact that such weaknesses threaten everyone and can be used by foreign governments and criminals.
Watch for fake security warnings about hundreds of infected files.
These are designed to panic you into either installing something dangerous or to allow malicious remote access to your computer.
These warnings are scams.
NEVER call any number displayed on the warning or provide your credit card information.
Instead, run a full security scan using a product from valid antivirus vendors.
If you're unsure, contact a reputable local service company.
Any remote service is going to want remote access to your computer, just like the scammers.
The best defense is to keep your protection current and to know how your security software displays its warnings.
Never follow links or provide login information to sites linked in an email — especially those threatening to close your account and requesting your user name and password. This is called phishing.
Delete the message and its unopened attachments.
If you receive an unrequested phone call and they ask you to provide personal information, don't.
Remember, they called you. Caller ID can be faked, so it is their identity that is unconfirmed.
Ask who is calling, then say you'll call them back. When you do, use a phone number obtained from a recent invoice or statement from that company.
Don't be surprised if they don't know what you're talking about. These are attempts at identity theft and are designed to defraud you.
There are several things you can do to prevent the spread of viruses, spyware and other infections to your computer:
Look for more detailed information in the following sections.
One of the significant issues with security is the aspect of social engineering. Too often it is the computer operator that makes a bad decision that can lead to a security breach.
Always run a security scan on re-writable media (USB drives, CDRW, floppy disks etc.) that have been used on someone else's machine.
Anyone with physical access to your computer can threaten its security.
Do not allow unauthorized access to your computer. This includes well-meaning friends or relatives.
They may be more knowledgeable than you about computers, but may add software that increases your vulnerability.
Have clearly defined rules about computer usage for your children.
Limited-access accounts are recommended (Windows installs accounts with administrator privileges unless you specify a limited account).
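The following is an added example (not from the original page) showing how to check which accounts hold administrator rights on a Windows 10/11 PC and how to create a separate limited (standard) account for everyday use with the built-in LocalAccounts cmdlets. The account name is a constructed placeholder; run it from an elevated PowerShell prompt.

```powershell
# Added example (not from the original page): audit local administrators and
# create a limited account for daily use. Run as Administrator.

# 1. Who is in the local Administrators group? The account you use every day
#    should not appear here.
Get-LocalGroupMember -Group 'Administrators' |
    Select-Object Name, ObjectClass, PrincipalSource

# 2. Create a standard user. Read-Host keeps the password out of the
#    command history.
$name = 'DailyUser'                                   # placeholder account name
$pw   = Read-Host -AsSecureString -Prompt "Password for $name"
New-LocalUser -Name $name -Password $pw -FullName 'Daily use (limited)' `
    -Description 'Standard account for everyday work'

# New-LocalUser may not place the account in the Users group on its own,
# so add it explicitly; that membership is what makes it a standard account.
Add-LocalGroupMember -Group 'Users' -Member $name

# 3. Confirm the new account is NOT an administrator.
$admins = (Get-LocalGroupMember -Group 'Administrators').Name
if ($admins -notcontains "$env:COMPUTERNAME\$name") {
    "OK: $name is a limited account."
} else {
    "WARNING: $name has administrator rights."
}
```

Sign in with the limited account for day-to-day work and keep the administrator account only for installing software and changing settings; Windows will prompt for the administrator credentials when they are needed.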
Be sure to have your computer serviced by a trusted technician or service. You may wish to remove or password-protect sensitive material first.
Because most computers today are continually connected to the Internet, you need to be careful to protect your data and the security of your computer.
Your router will not stop outbound activity. It is designed to prevent incoming threats.
You need a software firewall to control outgoing connections, including those made by malicious programs already on your computer.
ZoneAlarm, when configured properly, will stop Internet access to malicious programs — provided you don't automatically give permission for every program requesting such access. Check your security software to see if it provides that protection.
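As an added example (not code from the original page, and independent of ZoneAlarm), the block below uses the built-in Windows Defender Firewall cmdlets to show the default outbound action, block a single untrusted program from reaching the Internet, and optionally switch to a deny-by-default outbound policy. The program path and rule names are constructed placeholders; run it from an elevated PowerShell prompt.

```powershell
# Added example (not from the original page): inspect and tighten outbound
# filtering with Windows Defender Firewall. Run as Administrator.

# 1. Show the default action for outbound traffic on each profile. Windows
#    ships with DefaultOutboundAction = Allow, which is why a router alone
#    does nothing about programs "phoning home".
Get-NetFirewallProfile |
    Select-Object Name, Enabled, DefaultInboundAction, DefaultOutboundAction

# 2. Block one specific program from making outbound connections. Use this
#    for a program you do not trust instead of clicking "allow" on every prompt.
$suspectExe = 'C:\Program Files\ExampleApp\exampleapp.exe'   # placeholder path
New-NetFirewallRule -DisplayName 'Block outbound: ExampleApp' `
    -Direction Outbound -Program $suspectExe -Action Block -Profile Any

# 3. Confirm the rule exists and is enabled.
Get-NetFirewallRule -DisplayName 'Block outbound: ExampleApp' |
    Select-Object DisplayName, Enabled, Direction, Action

# 4. (Optional, stricter) Deny all outbound traffic by default and then allow
#    only the programs you actually use. Nothing reaches the Internet until
#    you add an allow rule for it, so expect to add a few.
# Set-NetFirewallProfile -Profile Domain,Private,Public -DefaultOutboundAction Block
# New-NetFirewallRule -DisplayName 'Allow outbound: Firefox' -Direction Outbound `
#     -Program 'C:\Program Files\Mozilla Firefox\firefox.exe' -Action Allow

# 5. Review the outbound block rules currently in force.
Get-NetFirewallRule -Direction Outbound -Action Block -Enabled True |
    Select-Object DisplayName, Profile
```

Step 4 is the equivalent of the "don't automatically give permission" advice above: with a deny-by-default outbound policy, a program gets Internet access only because you deliberately created a rule for it.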
You need to protect all your accounts with passwords, but if you don't do it properly, you'll likely be hacked.
You're not going to be able to manage this yourself.
Use a password manager (but not your browser's built-in password utility) to remember passwords. Bitwarden is recommended.
When downloading software, take precautions to avoid infecting your computer.
The desktop is a poor location for storing files. Use a Downloads folder for storing your downloads.
Many installed services are not necessary for the average user but provide additional points of vulnerability, especially to blended threats.
One example is Bluetooth, a wireless communication protocol. While useful in connecting devices it can also be used to attack your system.
AutoRun is a convenient method of automatically launching programs when a CD or USB drive, etc. is inserted. However, this can be used by malicious programs to infect your computer.
AutoRun has been replaced with AutoPlay in Windows 10 and 11.
Click Start ⇒ Settings ⇒ Devices ⇒ AutoPlay.
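As an added example (not from the original page), the block below does from PowerShell what the Settings path above does by hand: it disables AutoRun for every drive type through the Explorer policy key, turns off AutoPlay for the current user, and reads both values back to confirm. Run it from an elevated prompt; the HKLM key requires administrator rights.

```powershell
# Added example (not from the original page): disable AutoRun and AutoPlay
# via the registry and verify the result. Run as Administrator.

# Machine-wide AutoRun policy: 0xFF (255) disables AutoRun on all drive types
# (removable, fixed, network, CD-ROM, RAM disk and unknown).
$policyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
if (-not (Test-Path $policyKey)) { New-Item -Path $policyKey -Force | Out-Null }
Set-ItemProperty -Path $policyKey -Name 'NoDriveTypeAutoRun' -Value 0xFF -Type DWord

# Per-user AutoPlay switch: the same setting as Settings > Devices > AutoPlay.
$autoplayKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\AutoplayHandlers'
if (-not (Test-Path $autoplayKey)) { New-Item -Path $autoplayKey -Force | Out-Null }
Set-ItemProperty -Path $autoplayKey -Name 'DisableAutoplay' -Value 1 -Type DWord

# Verify: NoDriveTypeAutoRun should read back as 255 and DisableAutoplay as 1.
[PSCustomObject]@{
    NoDriveTypeAutoRun = (Get-ItemProperty -Path $policyKey).NoDriveTypeAutoRun
    DisableAutoplay    = (Get-ItemProperty -Path $autoplayKey).DisableAutoplay
}
```

Sign out and back in (or restart Explorer) for the AutoPlay change to take effect; the policy value applies to every account on the machine, while DisableAutoplay applies only to the user who sets it.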
Weaknesses exist in ALL operating systems (Windows, Macintosh and Linux) as well as the software that runs on them (browsers, word processors, etc.).
Update Windows and other software to patch known security vulnerabilities.
It is unfortunate that Microsoft chose to use “malware tactics” to move people to Windows 10. As a result, many folks stopped updating Windows altogether.
All software should be patched where updates are available. Microsoft Office, browser plugins and Internet programs are the most vulnerable.
Run only currently supported software. Once support expires you should seek out a suitable alternative then uninstall the vulnerable (unsupported) program(s) after you've transferred any personal settings or data.
I strongly recommend uninstalling software you haven't used in a while.
This avoids issues with security flaws and problems with software that is no longer useful to you. In most cases you can reinstall the current version if you need it in the future.
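To make the advice in this section actionable, the following added example (not from the original page) lists every installed program recorded under the Windows Uninstall registry keys (64-bit, 32-bit and per-user), oldest install first, flags anything installed more than two years ago, and shows the most recently installed Windows updates. It is read-only: it uninstalls nothing and only helps you decide what to remove or update. The two-year cutoff is an assumed threshold.

```powershell
# Added example (not from the original page): inventory installed software
# and recent Windows updates so stale or unsupported programs stand out.

$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Uninstall\*'
)

$programs = Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -and -not $_.SystemComponent } |
    ForEach-Object {
        # InstallDate is stored as yyyyMMdd text; convert it when present.
        $installed = $null
        if ($_.InstallDate -match '^\d{8}$') {
            $installed = [datetime]::ParseExact($_.InstallDate, 'yyyyMMdd', $null)
        }
        [PSCustomObject]@{
            Name         = $_.DisplayName
            Version      = $_.DisplayVersion
            Publisher    = $_.Publisher
            Installed    = $installed
            UninstallCmd = $_.UninstallString   # what Apps & Features runs to remove it
        }
    } | Sort-Object Installed

# Full list, oldest first. A blank Installed column means the installer
# recorded no date, not that the program is new.
$programs | Format-Table Name, Version, Publisher, Installed -AutoSize

# Candidates for removal or replacement: installed more than two years ago
# (assumed threshold; adjust to taste).
$cutoff = (Get-Date).AddYears(-2)
$programs | Where-Object { $_.Installed -and $_.Installed -lt $cutoff } |
    Select-Object Name, Version, Installed

# When did Windows last receive an update? A stale list here means Windows
# Update is not running or has been disabled.
Get-HotFix | Sort-Object InstalledOn -Descending |
    Select-Object -First 5 HotFixID, Description, InstalledOn
```

Work through the flagged list against the vendor's support page: if a program is no longer supported, export its settings or data, then remove it through Settings > Apps (or the UninstallCmd shown) and install a current alternative.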
Windows is more vulnerable to infections because it is poorly designed from a security perspective.
That said, Mac computers have become more popular (just have a look in any coffee shop). Macs are now a target so they need security software installed.
Windows Update is Microsoft's method of updating Windows and other Microsoft software.
Too often “optional” software is packaged with another program's installer or via pop-up ads.
Krebs's 3 basic rules for online safety:
- If you didn't go looking for it, don't install it.
- If you installed it, update it.
- If you no longer need it, get rid of it!
Windows 10 comes pre-installed with Office (subscription required) and a bunch of other software including games. If you're not using them, uninstall them where possible (some have the “uninstall” option greyed out).
Even though you're familiar with obsolete products, you need to uninstall them and replace them with currently-supported software.
Replacing old software can be pricey, but there's a serious risk of data loss if your system isn't kept up-to-date.
— Acronis
Running older Windows versions makes you more vulnerable. Microsoft has ceased sales of all versions of Windows prior to Windows 10.
Windows 10 can run on more hardware than ever before, but is different than any previous Windows version.
Microsoft claims it is the safest Windows ever, but it is Software as a Service and there are privacy concerns (e.g., searches for local content are sent to Bing).
If you're running an unsupported version of Windows, you should immediately move to replace it with Windows 10 or a current version of an alternative operating system like Linux.
It is better to be over-prepared than regret your laxness later.
Backups are the only recovery option for ransomware. Paying the ransom only encourages repeat attacks.
Today it is too easy to forward information to everyone at the touch of a button.
Take a moment and decide if you'd forward the item if you had to retype it or photocopy it, then pay to snail-mail it to all the folks you're about to send it to. In most cases you wouldn't.
If you've had to change your email address because of the amount of junk you're receiving, you're probably guilty of oversharing or have a “friend” that is.
Be kind. Don't assume that everyone wants their mailbox flooded with cute jokes.
Many people have significant amounts of legitimate email to deal with and such messages are usually NOT welcome.
Ask people before placing them on your list. This is known as opt-in as opposed to the opt-out (what spammers favour).
Please don't waste Internet bandwidth telling a person that they have sent an infected message.
If you receive a message with no text in the body except a weird-looking link, the sender's account has been hijacked. Don't click on the link.
If you receive a message with an unexpected attachment, don't open the attachment.
Use BCC: (blind carbon copy) when sending messages to groups rather than revealing a list of related addresses to everyone the message goes to.
Social engineering is often used to increase our vulnerability to threats.
A recent Nuix survey of 70 hackers at DEFCON 2016 found that 84 percent of respondents use social engineering as part of their attack strategy, and 50 percent change their attack methodologies with every target.
— eSecurity Planet
The human element of curiosity is a significant risk factor that no security program can protect you from.
The ILoveYou virus exploited the human desire to be loved to encourage people to open an infected message.
Hoaxes take advantage of this trait.
Some websites use deceptive design patterns like pre-checked boxes that subscribe you to their newsletter or add extras like download insurance to your shopping cart.
Deceptive design patterns are tricks used by websites and apps to get you to do things you might not otherwise do, like buy things, sign up for services or switch your settings.
— Mozilla
In many cases these practices are illegal but even if they aren't, you might want to leave that site and look elsewhere.
Choose from known brand-name security vendors and only download from trusted sites.
Get to know your security software and how it responds to security threats.
Misinterpreting an “infection” can allow the hacker to gain total access in less than three minutes.
With just a few keystrokes, it's possible for a hacker to remove all antivirus software, create a backdoor, and capture webcam images and passwords, among other highly sensitive personal data.
— Hacking Windows 10
You need to learn what a legitimate warning looks like.
Do not respond to pop-up security warnings except those generated by your security software.
Phone calls from a “technical support” person are scams. Just hang up.
If you download and install the referenced software, you will be left with a false sense of security.
Don't assume emails are safe or that the sender's identity is what is stated in the email. Addresses can be forged or stolen.
If you're unsure about the legitimacy of an email (including unexpected attachments), call the sender before opening attachments or clicking on any links.
Never rely on the contact information in an email or dialogue box displaying a warning. Look it up in a recent invoice or statement you received from that company.
Microsoft will never list a phone number in a warning dialogue box.
Take the time to determine if the message is legitimate, even if it appears to come from someone you know.
Be wary of phone calls or emails that ask for personal information or insist that you go to a website to fix a problem.
These are scams, no matter who the sender claims to be.
Avoid embarrassment (or worse, a security breach). Be careful about how much information you provide. Facebook is NOT your friend.
I only use Facebook to keep in touch with family and friends.
If that was true of the majority of Facebook users, elections could not be tampered with and fake news would die in its tracks.
If you wouldn't share it with everyone everywhere, don't share it online!
Before downloading and installing new software or responding to an unexpected warning, search for relevant information.
Your search results for a particular piece of software or warning should give you more information than you need to make an informed decision.
“Free” external media is another form of social engineering.
Everybody likes free stuff. But that freebie may end up costing you or your employer a great deal.
It only takes one person to place that compromised media into their computer to compromise the whole network. If you're that person, what do you think your chances of retaining your job will be?
RussHarvey.bc.ca/resources/strategies.html
Updated: July 31, 2024