Everything we type, click, and swipe online can be used by someone, often against us. In the modern Internet-connected world it's highly important to keep a clean digital footprint. Why should you think twice before clicking on something, how should you respond to unknown emails, and what should you show on personal social media profiles? Today, Igor Beliaiev, Security Expert at Ciklum, tells us how to behave online to stay safe and whether it’s possible to protect your personal information.
- Secure credentials
Usually, people understand “secure credentials” simply as a good, secure password. However, having a secure email address is equally important. Always separate work and personal life by using your corporate email only for professional communication and a personal one for private purposes. Why? Attackers could find a profile registered with your corporate email address on a social network, blog or forum, combine it with a password or other data exposed from those sites, and use it to attack your company or to damage its reputation, especially in an era of widespread corporate hacks and database breaches that reveal millions of user passwords. Even for private needs, I would recommend having a few email addresses. You can use the main one for critical services, such as bank accounts, shopping, Internet payments and private emailing, and other ones for more informal needs – social networks, forums, event registrations, Internet voting, etc.
Of course, having a complex, secure password for your emails and accounts is the most important thing you can do to protect yourself. Please don’t use your name plus your date of birth as a password, or other easy-to-guess facts about you. Make it more complicated, more creative, illogical. It should be easy for you to remember, but at the same time hard for others to guess. I recommend using a pass-phrase you like, lyrics from your favorite song, or even food you like, plus a few random characters inside the pass-phrase. It’s officially recommended to create passwords of at least 8 symbols using capital and small letters and numbers, and to change passwords every year.
It’s way safer to have different passwords for different websites – a more secure set of passwords for important things like personal emails and bank accounts, and a simpler one for things you don’t really care about (discount profiles, blogs, one-time services). Those passwords shouldn’t be similar or connected to each other. The main mistake users make is to create one main password and then reuse its modifications on different websites, with just slight changes.
Are you tired of remembering passwords? There is a solution – password managers that store your passwords and keep them safe. I can recommend 1password and KeePass as some of the best and most secure password managers on the market. Such systems keep all your passwords in an encrypted database, and all you need is one master password to open this encrypted database.
Another important thing you need to know about is multi-factor authentication (MFA), and I’d recommend using it wherever possible. Usually, it is implemented as a combination of login and password plus a second factor – SMS, a mobile phone app, a physical token, etc. Most modern services, such as Gmail, Facebook and GitHub, support MFA. Even if hackers had your login and password, they would not be able to do anything harmful without the second confirmation step.
- To click or not to click?
It’s important to understand that a human is the weakest link in security. Due to lack of experience, mistakes or emotional pressure, people are very vulnerable to social engineering attacks. People tend to click on malicious links in phishing emails, advertisements or other things on the Internet made for spam or malware attacks. It might be something that looks interesting or is recommended by someone, or you could just be tired and distracted at the end of the day. There are a lot of stories in which simple social engineering attacks caused terrible consequences. As an example of such an attack, Ukraine became famous as the first country in history to suffer a power outage caused by hackers. The system of the electric power distribution company “Prykarpattyaoblenergo” was hacked, cutting the electricity supply for 225,000 people in Western Ukraine for more than 6 hours. This case is famous because the attack happened due to a single wrong click by a company employee. Attackers got inside the power supplier’s corporate network using spear-phishing emails carrying a malicious MS Office document and the BlackEnergy malware. They then took control of the SCADA system, remotely switching substations off and destroying IT infrastructure components and files on servers. At the same time, consumers of two other energy distribution companies, “Chernivtsioblenergo” and “Kyivoblenergo”, were also affected by a cyber attack, but on a smaller scale.
Now you must understand that you definitely shouldn’t click on every link you get or see. In many cases, it’s easy to recognize a malicious link from a spam campaign, as it comes with strange text that is not personalized enough. All you need to do is pay attention and think twice before clicking on a weird link. If you’re hesitating, it’s better to ask the person who sent it to you. If you have already clicked and are now asked to download something, don’t do it. More personalized phishing attacks look much more real, and you need to be very careful and attentive. Check the URL you are clicking on, as well as the sender’s e-mail address: often it uses a domain similar to a popular website or to your company’s name with just one character changed (e.g. google.com and googie.com). So, always check the domain name before you type passwords or other important data. Corporate phishing emails are often written on your boss’s behalf, because people click on such links faster: they are afraid of their boss, want to complete urgent tasks from management quickly, etc. Do not allow emotions to take control over your brain.
Remember to pay attention to file extensions. Don't open suspicious files, email attachments, or archived documents if you don’t completely trust the source they originate from. The most dangerous file types are the following: executable files (.exe, .bat, .com, .cmd) and MS Office documents, especially those with macros inside.
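The two checks described above (a sender domain that differs from a trusted one by a single character, and attachments with dangerous extensions) can be automated for an inbox triage rule. The script below is an added example, not code from the article or from Ciklum; the trusted-domain allowlist and the sample e-mail are constructed for illustration.

```python
import os
import re

# Constructed allowlist of domains the reader trusts (assumption: replace with your own).
TRUSTED_DOMAINS = {"google.com", "example-corp.com"}

# Extensions the article singles out as most dangerous, plus macro-enabled Office formats.
EXECUTABLE_EXTENSIONS = {".exe", ".bat", ".com", ".cmd", ".docm", ".xlsm", ".pptm"}
# Office documents may carry macros; archives hide their real contents.
OFFICE_EXTENSIONS = {".doc", ".xls", ".ppt", ".docx", ".xlsx", ".pptx"}
ARCHIVE_EXTENSIONS = {".zip", ".rar", ".7z"}


def edit_distance(a, b):
    """Levenshtein distance: number of single-character edits turning a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def sender_domain(address):
    """Extract the lowercase domain from 'user@host' or 'Name <user@host>'."""
    match = re.search(r"@([A-Za-z0-9.-]+)", address)
    return match.group(1).lower() if match else ""


def lookalike_of(domain):
    """Return the trusted domain this one imitates (one character off), else None."""
    if domain in TRUSTED_DOMAINS:
        return None
    for trusted in TRUSTED_DOMAINS:
        if edit_distance(domain, trusted) <= 1:
            return trusted
    return None


def risky_attachments(filenames):
    """Flag attachments by their final extension; 'invoice.pdf.exe' still ends in .exe."""
    flagged = []
    for name in filenames:
        ext = os.path.splitext(name.lower())[1]
        if ext in EXECUTABLE_EXTENSIONS:
            flagged.append((name, "executable or macro-enabled file"))
        elif ext in OFFICE_EXTENSIONS:
            flagged.append((name, "Office document, may contain macros"))
        elif ext in ARCHIVE_EXTENSIONS:
            flagged.append((name, "archive, contents unknown"))
    return flagged


def triage(sender, attachments):
    """Combine both checks into a list of warnings for one e-mail."""
    warnings = []
    imitated = lookalike_of(sender_domain(sender))
    if imitated:
        warnings.append(f"sender domain looks like {imitated} with one character changed")
    for name, reason in risky_attachments(attachments):
        warnings.append(f"attachment {name}: {reason}")
    return warnings


if __name__ == "__main__":
    # Constructed sample: lookalike sender plus a double-extension attachment.
    for line in triage("CEO <ceo@googie.com>", ["invoice.pdf.exe", "report.docx", "notes.txt"]):
        print("WARNING:", line)
```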
- Secure your device and keep up to date
Updating your systems and programs also helps to keep your devices safe – older software versions are more vulnerable to viruses. Don’t be lazy: upgrade your OS, programs, and apps regularly and turn auto-update on if possible. Use official versions of your desktop OS with all necessary software (Windows, MS Office, antivirus), and don’t root or jailbreak your Android or iOS devices. Don't run or install software downloaded from untrusted sources.
If we are talking about a personal workstation or laptop, it’s safer to have two separate OS accounts with different privileges: use an administrator account for important things such as installing updates or new software, and a limited user account for daily activities. If malicious software is launched with administrator privileges, it will completely compromise the whole system. Do not insert flash drives and other external devices into your computer unless you completely trust their origin, as there are various methods to force your device to launch malicious software from an external device automatically, without any file being opened manually.
From the security point of view, it’s also smart not to share your personal devices with anyone else. Don’t leave your laptop or smartphone unattended, and don’t give it to people you don’t know or trust. If you share a laptop or PC with your family members, teach them how to behave online, and better still, make a separate account for them with limited privileges.
Last but not least, a few words about antivirus software. Using an antivirus is definitely recommended for most users. But be aware that antivirus is not a panacea against malware: usually, antiviruses protect against well-known viruses and attacks with an efficiency of up to 40%, and targeted attacks and the newest malware will bypass the protection.
- Care about network security
The best way to protect your traffic is to use a Virtual Private Network. A VPN encrypts your traffic, so even if it is intercepted by an attacker, they would only see encrypted data. This is especially important on public Wi-Fi networks without passwords or encryption, as they are very unsafe. Most of us use public Wi-Fi networks, but not everyone knows how they work and what risks they bring. When you turn on Wi-Fi on your device, it starts looking for previously saved Wi-Fi hotspots. If an attacker sets up a Wi-Fi hotspot with the same name, your device will connect to it automatically, and the attacker will be able to intercept your traffic and manipulate it. The best thing you can do here is to turn off auto-connect to saved Wi-Fi hotspots and start using a VPN.
For confidential chats, use trusted end-to-end encrypted communication – most modern messengers support it as a “secret chats” feature. End-to-end encryption ensures that no one besides you on your device and your recipient on their device can read the conversation.
- Surf safe and stay safe
It’s very common for people to think that hackers won’t attack them because they have nothing to hide. That is a totally wrong approach. It is not only celebrities or the top management of big companies who are at risk. You share a lot of personal information online – in private messages, on your Facebook or other social media profiles – and it might be used against you. All of this information can tell a lot about your personality, your location, your hobbies, the places you like to visit or your favorite food. For the sake of your security, be smarter about sharing such info. Limit posting or sending personal pictures of yourself or your family. Social networks are made to introduce you to people and communities, not to tell everything about you.
Back up your data regularly. As ransomware continues to spread, it’s necessary to keep a backup copy of your personal data on a separate hard drive or in the cloud. Educate your family, friends, and colleagues to make the world around you a bit safer against security threats.