Yesterday I had the privilege of attending a Cybersecurity Town Hall with Congressman Mike Honda, as well as members of the FBI and U.S. Secret Service. The overarching theme of this event was how we, as citizens, can improve our personal cybersecurity hygiene. While this topic is broad, and this particular event was hours long, at the end, the presenters were asked to summarize their findings into the top three things we can do right now to better protect ourselves:
- Backup your data
- Use strong passwords
- Be vigilant about what links you click and how you share thumb drives
While the presenters covered a variety of attack types ranging from spear phishing to implementing RAM scraping malware to collect customer credit card data at point-of-sale systems (an incredibly effective technique, apparently), these three recommendations will go a long way in preventing common attacks, and protecting you in the off chance that you do get hacked. Since it can be quite difficult to know what exactly to do next, I’d like to walk you through a step-by-step process of protecting yourself based on my experience/research. Let’s dive in. . . .
Backup Your Data
I wrote about this recently, but I rarely come across individuals who execute this step correctly. Backing up your data doesn’t mean simply copying your computer’s files over to an external drive; it means verifying that your backups are intact to begin with and that your backups are reliable (and not subject to single-region geographic disasters). First of all, you should be running some sort of antivirus software on your machine prior to backing anything up. Otherwise, you could also be backing up malware and the like (I have seen this happen, and you will receive virus warnings each time you connect to your backup).
Malware and various viruses will often come through via your email, so if you are using third-party email software, make sure you aren’t downloading attachments by default. If you are, and you receive something dangerous, your antivirus software will complain. If you are backing up your locally-hosted email, this can create a perpetual virus alert loop.
- Step 1: Install and regularly run antivirus software on your computer. I would recommend Sophos Home (free). Make sure to turn off the web history tracking if you don’t want them snooping on your online activity under the guise of protecting your best interests. AVG AntiVirus is also a good choice. At some point comparisons between antivirus software become a practice of splitting hairs. You want software that isn’t bloated, and doesn’t try to take over your machine with its procedures. Make sure it’s a solid and well-tested option that keeps a database of current exploits, malware, and similar.
- Step 2: Select a backup solution. Please make sure you are using some sort of redundant solution here. Don’t just buy one Western Digital external drive and call it a day. You need Network Attached Storage (NAS)—which equates to a box with multiple hard drives that are mirrored across each other in the event of individual drive failure (which always happens). Synology and Drobo are good examples of this. I have used both and would recommend a Synology DiskStation since the software is better (and more secure based on my research). Please be sure not to connect these systems to the Internet unless you know what you’re doing. The last thing you want is unfettered access to your computer backups by someone sniffing about in these IP ranges. Drobo has been victim to this, and many customers with web connected boxes were subject to Ransomware requests. If you’re new to NAS, just buy a box with hard drives included. If you’re savvier, source your own drives. There are great options like the Western Digital Red drives (which are designed for these types of NAS appliances). These solutions can run $400-$750 or so, all things included. If this is too expensive, just buy two external drives and backup your computer twice. This will go a long way in preventing catastrophe later. Also, don’t leave these drives lying about, since the ability for someone to acquire one and have instant access to your files defeats the purpose of this entire post. Encrypt and secure all backups.
- Step 3: Backup your data. This is a very involved process, since you are essentially making copies of your external brain, and similar to our own brains, there are a lot of latent connections and data we want to keep—ranging from Chrome bookmarks to software data stores in the user/library folder (for Mac users). I won’t get into all of this now, but it’s essential to a) create a checklist of the items you want to backup (including folders macOS makes less visible, like master copies of photos, and similar), and b) use software that can copy everything (including hidden files) reliably to your external drives. This is a bit of an art, and many experienced users will have scripts to simply run rsync commands to copy everything via the command line. For the rest of us, and for those who are too busy to deal with it, you can use software GUIs that do the heavy lifting for you. Backup Pro is a good option for Mac users.
- Step 4: Verify your backups. This doesn’t have to be rocket science. Log in to your NAS and make sure your files are there, and valid. Do a bunch of random sampling—go through and click around. Many people don’t have time to verify in a complete way, but if your backup software isn’t validating the backup for you, do something to ensure that you can retrieve as needed.
- Step 5: Run antivirus scans on your backups. This step will ensure you don’t have any hidden malware within your backups. Pro tip: if someone highly capable is working to compromise you, this can be more difficult if they have deployed something custom that isn’t in the commonly used malware and exploit databases referenced by your antivirus software (99.99% of you won’t need to fret about this).
Now you’re better prepared if someone targets your machine and successfully deploys a Ransomware script (that shows a single screen with a request for money to unlock your computer and files).
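For readers comfortable with a script, Step 4 can be automated. The following is an added example, not from the town hall or any backup product: it compares SHA-256 hashes of source files (hidden files included) against the backup copy, either for every file or for a random sample. All function names are hypothetical, and the demo data is constructed.

```python
import hashlib
import os
import random
import tempfile

def sha256_of(path, chunk=1 << 20):
    """Hash a file in chunks so large files never have to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            digest.update(block)
    return digest.hexdigest()

def list_files(root):
    """Relative paths of all readable files under root, hidden ones included."""
    return sorted(
        os.path.relpath(os.path.join(d, n), root)
        for d, _dirs, names in os.walk(root)
        for n in names if os.path.isfile(os.path.join(d, n))
    )

def verify_backup(source, backup, sample=None, seed=None):
    """Check source files against the backup; sample=N spot-checks N random files."""
    files = list_files(source)
    if sample is not None and sample < len(files):
        files = random.Random(seed).sample(files, sample)
    report = {"checked": len(files), "missing": [], "mismatched": []}
    for rel in files:
        copy = os.path.join(backup, rel)
        if not os.path.isfile(copy):
            report["missing"].append(rel)
        elif sha256_of(os.path.join(source, rel)) != sha256_of(copy):
            report["mismatched"].append(rel)
    return report

def demo():
    """Constructed sample: a backup that skipped a dotfile and corrupted a photo."""
    data = {".bash_profile": b"export A=1", "docs/report.txt": b"q3", "photos/img1.raw": b"\x00\x01"}
    with tempfile.TemporaryDirectory() as tmp:
        for root in ("src", "nas"):
            for rel, body in data.items():
                path = os.path.join(tmp, root, rel)
                os.makedirs(os.path.dirname(path), exist_ok=True)
                with open(path, "wb") as fh:
                    fh.write(body)
        os.remove(os.path.join(tmp, "nas", ".bash_profile"))
        with open(os.path.join(tmp, "nas", "photos/img1.raw"), "wb") as fh:
            fh.write(b"\x00\xff")
        return verify_backup(os.path.join(tmp, "src"), os.path.join(tmp, "nas"))
```

Point `verify_backup` at your home folder and the mounted backup; any entry under `missing` or `mismatched` is a file you could not restore as-is.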
Use Strong Passwords
I would recommend you spend a few minutes to watch this video detailing how someone goes about cracking modern passwords (including the types we previously considered “secure”) in a matter of minutes. Now that we have access to GPU clusters—which can run millions of comparisons and calculations per second, password cracking attacks can now run at overwhelming speed. The old attack techniques are now running on steroids—and many common types of attacks can be run together in sequences to break apart harder passwords. I really want to emphasize how much easier this is nowadays, and if it’s easy for just one competent individual with a good GPU cluster, they can leak the compromised dataset, and thousands of other hackers (with less sophisticated gear) can use the revealed passwords to test your online systems—and own them. Don’t be stupid, use strong passwords.
To cut to the chase, your password should be a string of randomly generated gobbledygook (using a mix of case, characters, numbers, and weird symbols) that you couldn’t reproduce under any circumstance. You shouldn’t “know” any of your passwords, and every password you use should be different. Use a password management system, like 1Password (standalone version), and for the love of all that is good—run it locally, and don’t save all of your passwords in the cloud! Saving passwords to the cloud is a huge strategic risk depending on the security practices of the company, even if said companies are hashing the password database: a leaked password repository is a huge payoff for password cracking efforts, because it gives attackers every password at once if they determine your master password.
You can easily generate highly secure passwords with 1Password (in 10 seconds or less). Your passwords should be as complex and long as the site you are generating them for will allow. For example, a 64-character long string of insanity (many sites only allow 32-34 characters for some reason). I don’t care if you don’t want to spend the time going through and changing all of your passwords—do it. Also, do it every so often—or just change your most high-leverage passwords every couple of months (e.g., Gmail, Twitter, Facebook). If you are using fake email accounts for spam newsletters, that’s less important. Focus on the systems that would change your life if compromised.
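To make the "random gobbledygook" advice concrete, here is an added example (not 1Password's algorithm, and not from the presenters) that draws a password from the operating system's secure random source, guarantees every character class appears, and estimates the strength at a site's length limit. The function names are hypothetical.

```python
import math
import secrets
import string

# Lowercase, uppercase, digits, and symbols: 94 printable characters in total.
CLASSES = [string.ascii_lowercase, string.ascii_uppercase,
           string.digits, string.punctuation]

def generate_password(length=64, classes=CLASSES):
    """Return a random password of `length` containing every character class."""
    if length < len(classes):
        raise ValueError("length too short to include every character class")
    alphabet = "".join(classes)
    while True:
        # secrets uses the OS CSPRNG; the random module is not safe for this.
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        # Redraw the whole string rather than patching characters in, so every
        # password that satisfies the policy stays equally likely.
        if all(any(ch in cls for ch in candidate) for cls in classes):
            return candidate

def entropy_bits(length, classes=CLASSES):
    """Upper bound on guessing entropy: length * log2(alphabet size)."""
    return length * math.log2(len("".join(classes)))

if __name__ == "__main__":
    for site_limit in (32, 64):
        print(site_limit, round(entropy_bits(site_limit)), generate_password(site_limit))
```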
Be Vigilant About What Links You Click and How You Share Thumb Drives
This is a funny one, because the presenters merged two concepts into one final recommendation. I’ll separate them out and address each in turn.
Careful about your link clicks
First of all, I would suggest running a browser plugin to block external ad calls—like uBlock Origin, since it’s a common and successful way attackers can introduce malware using seemingly harmless ads. It also significantly speeds up page loading times, since many external code requests won’t load. The downside is a few news outlets will prevent access to content if you run an ad blocker, but I don’t care. Staying safe and maintaining personal privacy is more important to me, and I can always run their trusted sites using another browser, for example.
Many attacks rely on automatically downloading a piece of code, or initiating a script of some sort when you click a link. This is common sense to a degree, but be vigilant about what links you click. Better to be overly suspicious than download malware that somehow penetrates your networks and personal email accounts. I see this happen regularly to people I know, who have me in their email address books, and then I receive a shady email that could spread like a chain letter in the event I wasn’t careful.
Practice safe thumb drive sharing
Don’t use random thumb drives you receive for free at conferences. Make no assumptions about the quality of the drive. Don’t install thumb drives from anyone, basically. Does someone need to share a PowerPoint deck? Email it or use a service like Dropbox. Buy your thumb drives and keep them safe. I might do a future post with specifics for doing this in a step-by-step way, but dirty thumb drives take down top operatives. One of the presenters walked through how he was infected with a virus by a trusted entity using a thumb drive—because people we like can overwhelm our usual security practices.
Following these steps will not only increase your level of personal safety in the cybersecurity domain, but ensure that you have a plan if you are attacked by something less preventable. Backups are essential, strong passwords are a must, and being smart about how you allow access to your machine is something everyone needs to prioritize. If someone won’t allow me to share a thumb drive, I respect that, even if it is a pain to me in the moment. It’s the right thing to do.
Nick is the Founder & CEO of MetaSensor, a venture-backed internet of things startup located in Silicon Valley, and a Behavioural Product Designer at Duke's Center for Advanced Hindsight (with Dan Ariely et al.).