Updating Your Software
Update Your Device
One of the most important security measures you can take is to ensure every device is running a currently-supported operating system (Android, iOS, Windows, macOS, Linux). Update to the most recent version supported by your hardware.
WannaCry hit organizations around the world hard in May 2017, infecting over 200,000 computers in three days. Yet a patch for the exploited EternalBlue vulnerability had been available for a month before the attack. Updates and patches need to be installed immediately and have an automatic setting.
— Check Point Blog
When your device's operating system is no longer supported, replace the device (or take it offline).
Once you've determined that your device is running the most current operating system, check that all the apps (software) running on it are currently supported.
Upgrading: Not Just About Features
Most people only consider the advantages of newer technologies and features when upgrading their software or hardware.
However, the ability to address security vulnerabilities is critical because this can greatly improve the ability of your device to defend against malicious attacks.
Otherwise, you risk not only your data, but your privacy.
Keep Your Software Current
You should only run software (apps) currently supported by the vendor.
Software is generally supported and free updates provided until the vendor releases the next major version.
Check for Updates Regularly
All software becomes more dangerous to use unless it is updated regularly.
Obsolete? Upgrade or Uninstall
When a vendor declares a program unsupported (or legacy), it needs to be replaced.
Replacing old software can be pricey, but there's a serious risk of data loss if your system isn't kept up-to-date.
This also applies to operating systems like Windows. macOS and Android. When no longer supported, find a replacement.
Delete Unsupported Apps
If the vendor provides a newer supported version, you can update the app. This may require purchasing an upgrade, depending upon the vendor's support policies.
If the app was still useful and an upgrade is unavailable, then replace it with a newer, currently supported app. Be sure it is safe to use and respects your privacy.
Uninstall Legacy Software
Software requires eventual replacement for a variety of reasons.
Keep it Clean
Where possible, uninstall any unwanted software. Regularly clear any unnecessary programs and data from your computer.
Unwanted software (sometimes called PUPs) can include the extra software that installs with Windows 10, software included with your computer, third--party software piggy-backed on downloaded software or because of a misleading download page.
Update Supported Software
As new vulnerabilities are discovered, supported software is updated to patch against it.
Keeping your operating system and your applications up-to-date is the best way to eliminate the vulnerabilities to your data. You'll avoid crashes by ensuring your system is running the most stable, enhanced version of the software you rely on — and will close the gaps that can give hackers a toe-hold in your system.
— Acronis Blog
Legacy Software: Dangerous to Use
Legacy software is software that has been declared unsupported by the vendor. Not only will there be no new features or upgrades, but vulnerabilities will no longer be addressed.
Over time, more and more unpatched vulnerabilities are discovered and exploited, making any legacy software increasingly dangerous to use.
No Security Updates
Legacy software no longer receives security updates from the vendor.
There is little financial incentive for vendors to upgrade older software and it is often difficult or impossible to add security features without completely rewriting the program.
Vulnerabilities in Legacy Software
Just because a product is no longer maintained, it doesn't mean that new vulnerabilities won't be discovered and exploited.
Newer, supported versions of the software, will continue to receive security patches. Hackers then check legacy software to see if they have the save vulnerabilities.
Anytime a new vulnerability is publicized, our threat intelligence team observes widespread scanning for vulnerable systems.
— Unit 42
Because legacy products will not receive security patches, they become more dangerous to use over time.
Be careful where you obtain software. Downloading and installing software from third-party sites can put you at risk.
Search for what others have said about a program using the program name as the search criteria. Blogs often provide interesting insight to the usability of such programs and their relative merits.
Keep it Updated
All software requires maintenance, especially security software (be sure to update the updater regularly).
When a program is no longer maintained, uninstall it then find a currently-supported replacement.
Avoid Unwanted Programs
Krebs's 3 basic rules for online safety:
- If you didn't go looking for it, don't install it.
- If you installed, update it.
- If you no longer need it, get rid of it!
Scroll carefully through the installation option screens and de-select any extra software like Google Chrome, McAfee Security, etc. before downloading or installing the software you actually wanted to install.
Better still, refuse to download software from any site that makes it difficult to determine the correct download link.
Beta (or pre-release) versions of software is sometimes available. Only experienced users should test beta versions.
32- or 64-bit?
Software is often available in both 32- and 64-bit versions. 64-bit versions are faster but you can only run them on 64-bit systems.
You can install 32-bit software on 64-bit systems, but not the reverse.
The Operating System's Store
Use your operating system's store where possible, especially for mobile devices.
- Apple Store
- Google Play
- Microsoft Store
Many apps on these stores have questionable experience and more than once there has been apps released that didn't follow proper security protocols thereby placing their users' privacy at risk.
Windows has a long history of supporting software from a wide range of vendors, much larger than any other operating system.
Only install software you've downloaded from a recognized vendor's site. See installation hints for suggestions to avoid problems.
Windows 10S won't install software downloaded from the web and Windows 11 settings may prevent that as well.
What About Mirror Sites?
Mirror sites should be avoided unless they are listed on the vendor's site and always contain the most recent version.
Unlike regular software, shareware allows you to try it out to see if it works for you. After the trial period, you need to purchase a licence to continue using it.
While many shareware vendors provide excellent software and support, they are often one-person operations. Support can disappear without warning.
I've used many shareware programs over the years, including NoteTab Pro which is used to build and maintain this site.
Open-source software is generally free and shares its program source with anyone wishing to view it. This can provide for greater confidence in the software if it is widely used and vetted.
Freeware is similar to shareware, except it is free to use without purchasing a licence.
I recommend searching for reviews or comments before using either shareware or freeware.
A quick search should reveal any issues.
“Free to Play” Games Manipulate Us
While free to download and play, many such games are very profitable. How else could they afford to advertise during prime-time television?
"Free to play" games manipulate us through many techniques, such as presenting players with a series of smoothly escalating challenges that create a sense of mastery and accomplishment but which sharply transition into a set of challenges that are impossible to overcome without paid upgrades.
— Cory Doctorow
Think about the security of your device when installing new software.
Install Security Software
I strongly recommend using security software on all your devices.
Choose your security software with care. You are trusting it to protect your data, your privacy and to secure your system from exploits.
Not all security software is as effective. See my recommendations.
Effective Security Software
Traditional security products (antivirus and antispyware) are made to fight PC-based threats.
All current security suites and most antivirus software contains some form of antispyware/antimalware protection.
The Threat Landscape Has Changed
You need a security suite that protects you simultaneously from all possibilities.
You also need to protect your mobile devices. Most security software vendors support these in some fashion.
Keep it Updated
Security software must be constantly updated to deal with emerging threats.
One study indicated that the time from the discovery of a vulnerability to when it is exploited is now four days or less.
More recently that window of discovery has narrowed to less than a day. Zero-day exploits are usable immediately (0 days until useful because they are generally undiscovered except by hackers and government spy agencies).
- Check for updates at least daily.
- Weekly scans are a bare minimum.
- Real-time scanning is critical for today's threats.
Secure Your Network
You cannot afford to be without an effective firewall. Today's computers and devices are continuously connected to the Internet.
No firewall is like leaving your front door open for anyone to walk into your home uninvited. Not everyone is polite enough to resist the temptation.
Your Privacy Threatened
“Nothing to hide” is a falsehood perpetrated by those profiting by collecting and reselling your information.
Your privacy has never been under attack as intensely as it is today. You need to protect yourself using legitimate privacy tools.
An effective hardware and software firewall combination is an essential part of your protection.
Your router not only secures your high-speed access to the Internet, but it allows you to share it between both hard-wired (LAN) and wireless (WLAN) computers, laptops, tablets, smartphones, game consoles, TVs and “smart home” devices.
While many issues have been fixed in newer routers, there are undocumented and unpatched vulnerabilities (zero day exploits) that both governments and hackers take advantage of.
More than half the routers currently in use are easily hacked. The recommendation is to replace your router if it is more than a few years old, especially if listed here.
Passwords are an essential part of life today. They are used for everything from accessing your email to the millions of websites and forums that require you to identify yourself using a username/password combination.
Single Sign-on Flawed
Never choose to log into a third-party site using your Facebook or Google account (single sign-on). Instead, create a new login account using a strong and unique password.
Long and Strong
Make your passwords long and strong using random upper and lower case letter, numbers and symbols (some symbols are not permitted by some sites or vendors). Generally, the longer your passwords, the harder they are to hack.
Be sure that each site or account has a unique password.
Protect Your Passwords
Increasingly, sites are using your email address as your identity, making it very easy to hack your other accounts if you use weak passwords or use the same password on multiple sites. The following is only one example of how password reuse can have significant financial repercussions:
A total of 5,500 CRA accounts were targeted in what the federal government described as two "credential stuffing" schemes, in which hackers use passwords and usernames from other websites to access Canadians' accounts with the revenue agency.
— Times Colonist
Use a Password Manager
Everyone has far too many passwords today to manage strong and unique passwords for every site and account we hold on the Internet without using a password manager. Humans simply have too much difficulty creating and remembering effective passwords.
I strongly recommend LastPass to manage your passwords. LastPass is secure, encrypts the passwords BEFORE uploading them and can be shared between your various computers and devices.
Two-factor authentication provides additional security that isn't available with even a strong password. As implied by the name, two-factor authentication has two components:
The second device could be
- a cell phone number (recommended); or
- a specially-design hardware authentication device like the YubiKey (shown above) in combination with LastPass; or
- a second email address (less secure as it too could be hacked).
The authentication device is preferably something that is always with you and is inaccessible to potential hackers.
Unfortunately, it appears that it isn't that hard to hijack your cellphone's SIM card, after which they have access to the very two-factor security that is supposed to protect you.
Recovery Options Weak
Instead of hacking your password, the “Forgot password?” recovery option on a site can provide a much easier place to obtain unauthorized access to your email account.
People post too much personal information about themselves on public places such as social media sites where the answers to typical security questions can be harvested. The nature of these questions are such that many are easily guessed:
- your favourite sports team(s);
- your favourite authors or movies;
- your best man or maid of honour at your wedding; and
- your home town or favourite teacher.
Many of these are items that you're prompted to include on your Facebook profile.
Protect Your Email Account
Some security protocols require you to respond to an confirmation sent to the registered email address for a requested password change. If your email account is protected by a weak password, this mechanism can be compromised.
There are many causes of data loss, including:
- hardware failure (hard drive or backup media)
- ransomware attacks
- lost devices
- theft or vandalism
- environmental disasters (fire, flood, earthquake)
More and more our private information is electronic and stored on our computers or devices.
From the dawn of civilization until 2003, humankind generated five exabytes of data. Now we produce five exabytes every two days…and the pace is accelerating.
— Eric Schmidt (2010)
Planning for Recovery
The first step in planning for recovery is to ensure that you regularly backup all your data using reliable systems and schedules. The more frequent the backups, the less that can potentially be lost.
Having multiple generations of backups ensures that a problem with one set can be resolved with an older backup (you might not get everything, but most of it will be there).
You should also plan for disaster by ensuring off-site backups either via cloud backups or physical backups stored offsite.
Unfortunately, cloud storage data is threatened by poor security and government data collection policies.