Saturday, November 28, 2015

Seven Tips for Personal Online Security

Last year I wrote Seven Tips for Small Business Security, but recently I decided to write this new post with a different focus. I realized some small businesses are in some ways indistinguishable from individuals, such that advice for personal online security would be more appropriate for some small businesses. In other words, some businesses are scaled such that one or a few people are the entire business. In that spirit, I offer the following suggestions for individuals and these small businesses.

1. Protect your email. Email is the number one resource most of us possess, for three reasons. First, imagine that you forget your password to just about any Web site. How do you recover it? Most likely you request a password reset, and you get an email. Now, if you no longer control your email, an attacker can reset your passwords and take control of your Web accounts. How does an attacker know what accounts you own? That brings us to the second reason email is so valuable: content. A quick check of your emails will reveal the organizations with which you do business. The content can also provide the means to access other accounts. The third reason email is so critical is that it is essentially your online identity. An attacker can use your email to impersonate you and try to gain access to those who trust you.

So, how should you protect your email? I offer four recommendations. First, select a provider who gives you plenty of insight into how your account is used. Would you get an alert when someone logs into your account from a foreign country, for example? Second, select a provider who offers two-factor authentication. This means you can choose to log in with more than just a username and password. Third, select a provider who has experience with confronting and defeating intruders, and who takes action to continuously improve their security. For consumers, I prefer Gmail. Of course, I am not a fan of being monetized by Alphabet and Google, but the trade-off is worth it for most of us.

My last recommendation is to limit what you store in email. Don't transmit or store sensitive information, like your personally identifiable information (Social Security number, etc.), in your email. As a thought experiment, imagine what it would look like to have your email published online. What would be the consequences? Try to address those concerns by removing such content from your email.

2. If you don't need it, delete it. This general rule applies to applications and data. If you don't need Java or Flash or other applications on your PC, phone, or tablet, remove them. The less software on your device, the better. For data, be judicious about what you store in digital form. Anything stored on a device or in the cloud can be read, copied, changed, or deleted by an attacker. My post “If you can’t protect it, don’t collect it” offers more on this topic.

3. Patch the software you keep. If you use Windows, run a modern version such as Windows 7 or newer, and install patches regularly, for the operating system and applications. On Windows it can be tough to identify just what needs to be updated. A free tool that can help is SUMo, the Software Update Monitor. Download the "lite" version and run it to see what needs to be updated. Pay attention to applications from Adobe, like Flash, Reader, and so on. Remember tip 2!

4. Run a modern Web browser. For general consumers, the best Web browser in my opinion is Google Chrome. Make sure it is set to auto-update so you are running the latest version. Install an ad-blocker like Adblock Plus.

5. Back up your data. Research and implement a way to back up the data on your devices. This can be a complicated issue. For example, you may keep sensitive data on your laptop or PC, and you fear putting it in the cloud. One way to address that concern is to store that data in encrypted form on your laptop or PC, such that when it is stored in the cloud it is also encrypted.

Some may argue that certain cloud providers will encrypt your data for you, so why encrypt it locally first? My answer: if an attacker gains access to your cloud backup username and password, he can access your cloud backup provider and download your data, regardless of whether the cloud provider encrypts it or not. If the attacker finds your most sensitive data encrypted within the cloud backup, that means he needs to beat the encryption you applied on your own. Like all the measures in this post, nothing is foolproof. However, introducing challenges to the adversary is the key to security.

Furthermore, don't confuse cloud storage with backup. If you store data in Google Drive, or other locations, don't consider that a backup. I recommend adding a real backup provider to your configuration.

On a related note, enable full-device encryption on devices you are likely to lose. This applies most likely to your phone and tablet. The danger you are trying to mitigate here is physical loss or theft of your device. Be sure you enable a numeric PIN so that a thief can't simply log into your lost or stolen device. I am also a fan of services that let you remotely locate your lost or stolen device, so that you can either find it or wipe it at a distance.

6. Buy Apple phones and tablets and keep them up-to-date. This looks like a blatant advertisement for Apple, but I promise you I am not an Apple fanboy. The fact of the matter is that Apple iPhones and iPads, when running the latest versions of the iOS software, provide the best combination of features and security available to the general consumer. They are the easiest to operate and to update. Updating iOS and the installed apps is exceptionally easy. Furthermore, the best metric we have regarding software security, the price of exploits, shows that exploits for iOS devices cost far more than those for other software or platforms. This means it is tougher for intruders to break into devices running iOS.

7. Consider a password manager, but not for every Web site. Nothing is (or should be) absolute in security. Password managers are applications that assist users with storing, supplying, and even generating usernames and passwords for Web sites and other applications. They are an improvement over using the same username and password at multiple Web sites. However, when using a password manager, you run the risk of a flaw in that manager being used by an attacker to access your usernames and passwords! It sounds like a tough situation, but in general the benefits of a password manager outweigh the risks. If you choose a password manager, select one that offers two-factor authentication, such that accessing your usernames and passwords requires you to enter a numeric code. Also, don't put your most sensitive accounts in the manager. For example, in deference to point 1, don't store your email username and password in the manager.

Bonus: Be vigilant. Wherever you can introduce alerts about how your accounts and data are being used, enable them. For example, does your credit card offer the option to email you when a purchase is made? Perhaps you only care about overseas purchases, or purchases above a certain amount, or at gas stations. The point is to put your service providers to work for you, such that they give you information that informs your security posture. If you learn of a suspicious event and react in time, you can potentially limit or eliminate the damage through swift personal response.

There are many other considerations for individuals, especially with respect to resisting targeted attacks. I didn't address resisting social engineering, phishing, and the like, but I believe that is well-covered elsewhere. To counter the general opportunistic attacker, these are the steps I would recommend to individuals and small businesses.


Graeme said...

Perhaps number 6 on the list could be reconsidered given that a million dollar bounty was recently paid out for an exploit that can remotely jailbreak iOS 9 devices and install software on them.

Richard Bejtlich said...

Graeme, what do you mean? I think that makes my point.