Security 101

Here's a one-stop shop that offers an overview of many things that'll help keep you safe online, your computer and data safe, and privacy maintained.
I've also written a number of separate, more-detailed articles that discuss various aspects of security, privacy and safety. They are linked in this article.
But this particular article is mostly a punch list of what you should do and perhaps a little bit of why thrown in.

Password Hygiene

Here are my five recommendations for good password security. These are all important but the first two especially so.

online security.png

ONE -- Passwords must be unique!  You don't want a cyber-criminal logging into your bank or Amazon account because you reused the password from some other web site that got hacked. Yet this happens all the time. By using a UNIQUE password for every account and website, then any password breach will be limited to just that one account.

TWO -- Passwords must be looooong!  Today's best passwords are a long string of uppercase letters, lowercase letters, and numerals. At 20+ length, you can do without special characters unless a website requires one. Length beats complexity. Non-complex passwords are easier to type even if they are longer. My passwords are all 20 to 50 characters long, depending on what the web site allows.

THREE -- Use a Password Manager!  We are long past the era for people to remember their passwords. You should be using a password manager to do the remembering. These are browser add-ins to help you choose long passwords and safely store them for you and sync them between your devices. Most browsers also have their own password managers baked-in. Use them!

Caveat: Password managers that are baked into the browser won't work with any other browser. If you use only one browser, such as Google Chrome, that's not a big deal. But if you like to have multiple browsers installed, as I do, and if you want your passwords to sync between them, then you'll need a 3rd party password manager that is browser agnostic, such as LastPass or, my fav, 1Password.

Another benefit to a password manager, either baked-in or 3rd party, is that it can detect if a bogus, look-alike web page asking for credentials and will refuse to provide them. You, silly human 😁, might easily be tricked by sophisticated and convincing (but bogus!) password prompts, but your password manager won't be tricked.

There's lots of password managers. Here's a PC Magazine Article outlining several. No, they aren't free. But the few dollars they cost is well worth the added protection you'll receive since you'll now be using strong and unique passwords.

FOUR -- Fib when setting up your security questions! Most websites automate the "I forgot my password" self-recovery feature. When you first create an account, your bank for example, they'll often ask you to provide answers to a menu of questions like mother's maiden name, street you lived on when you were a kid, name of first pet, name of your high school, stuff like that. Problem is, all that info about you is readily discoverable online either through social media or from big data (discussed more below). But if you provide fake answers to these questions then no one else can use the actual truthful answers to reset your password to gain access.

Needless to say, you must record those questions and fake answers in the dedicated password spiral notebook that you should have.

FIVE -- Use Two Factor Authentication (2FA) whenever it's available! 2FA is when you type in a numeric code that's texted to your phone, or better, displayed by a code-generating app like Google Authenticator, when you log into an account that's 2FA protected. The idea is that even if a hacker figures out your password, s/he will then hit the second-factor roadblock. No phone, no code, no access! Rather than waste time, they'll move on to the next victim. It goes a long way to securing your account.

 

Some services, like Gmail, let you trust your commonly-used computers and devices so you aren't pestered for a 2FA code each time you login. But a login attempt from an untrusted computer, like a hacker using an internet cafe in Bangladesh, will prompt for the code -- and that's the protection. You can think of the 2FA code as second, randomly generated password.

 

We've long hit "peak password" -- the flaws are that obvious and glaring. Best security practices are (albeit very slowly) moving away from passwords. One approach is using the 2FA code as the primary, and only, passcode with various options for what to do if you lose your phone.

More on passwords here.

Multiple Identities

Using separate email addresses, just like using a unique password, can help protect you if a website password database is breached. I know, I know... Unique passwords are already a pain. But unique email addresses, too!? Seriously??

But here's an elegant answer to that...

Gmail has a little-known yet incredibly useful "email alias" feature that lets you create special-use email addresses for all your (important) accounts. By using a unique Gmail alias for each of your sensitive accounts, then if another website is breached (usernames and passwords stolen), the bad guys will never know what the email aliases are.

e.g.  For your bank account, consider this sample Gmail account: johndoe+chase@gmail.com  The portion in red, +chase, is the alias. You can make the alias whatever you want. +PNC, +Chase, +BOA, or whatever pleases you. (The + must be present) Email sent to that address resolves to the root address (johndoe@gmail.com) and will land in the same inbox. If you use that alias for your bank login only, then no other web site will know that.  So if some other website gets hacked the bad guys won't know your bank alias, even if they know your root email address. 
 

The alias feature is already available and working for all @gmail.com. 

 

Here's how to set it up:

  1. Log into whatever account you want to protect with an alias, like your bank.

  2. Think up an alias such as +chase or whatever. Your email address just for this bank account, becomes johndoe+chase@gmail.com

  3. Go to your profile settings for your bank and change your login email address. It's probably in the same place where you'd change your password, phone number, etc.

  4. You'll probably have to confirm the new email address. That confirmation will be sent to johndoe+chase@gmail.com. Since +chase is just an alias, then it'll automatically land in your regular johndoe@gmail.com email inbox.

You should repeat this for all your important accounts, giving each one its own alias. For less important accounts, you can use your root email only. Or use a catchall alias for those, like +misc. Note that some websites won't let you use a + sign in your email address so that trick won't work for them. But most will allow it. I make extensive use of this feature.

Another cool use for aliases is that you can filter incoming email for special processing that is sent to that alias. e.g. Bypass the inbox, or mark it bright red to get your attention.

Just another of the many reasons to use Gmail.

Disable Phone Notifications on the Lock Screen

Most of us like seeing our text messages and other notifications while our phone is locked. Problem is, that's good for thieves as well. If your phone is stolen, especially if it was a targeted theft, a thief who knows or susses out your email address could be inside your online accounts in minutes, including possibly your bank accounts. How?

When you or a bad guy pretending to be you uses the "forgot password" feature of most websites, one of the self-recovery features is to send a one-time security code text message to your phone. We've all done this, you know how that works. That code is how you prove your identity. If your phone is set to display text messages while locked then that code is visible to anyone holding your phone. They can easily use the security code to reset your passwords and gain access to whatever accounts they want.

Imagine this: If I personally know you or specifically targeted you and stole your phone, chances are pretty good I could be inside your Amazon.com account in less than five minutes and having lots of nice expensive laptops shipped to a mail drop or to your home and ready to be intercepted by me when the UPS guy drives up in two days. Or, better yet, gift card instant delivery (ka-ching!) and you'll never know this happened because once I'm in your Amazon account, I'll be resetting your password, changing the email address, and changing all your account recovery options to make it that much harder for you to regain rightful access. All without ever unlocking your phone. Wow! Who knew?

Disable that feature immediately. iPhone and Android defaults to showing text messages while locked so you'll want to turn that off now. In fact, you'd be wise to disable all lock screen notifications except maybe calendar alerts, but especially text messages. The only thing my phone shows when locked is the time of day. That's it! Allowing personal content to show on the lock screen undermines the entire point of having a lock screen in the first place.

Freeze Your Credit

Forget LifeLock and other credit monitoring services. They are expensive and unnecessary. You can easily freeze your credit yourself with all three major credit bureaus at no charge. Yep, for free, no catch. Why is this important? When your credit file is frozen, then potential lenders cannot examine your credit worthiness. So if a bad guy tries to get credit in your name, the credit grantor being applied-to cannot access your file. Application denied.

When you need to open a new line of credit, such as getting a car loan, applying for a mortgage, or a credit card, then you can temporarily lift the freeze for, say, 30 days. Then you can apply for the needed credit. The freeze is then automatically reapplied after the temporary lift.

Credit freezes have been around since 2007 yet as of 2018 only 12 percent of Americans have frozen, or locked, their credit file. It's disappointing that 88% of us aren't taking advantage of this free and useful service -- don't be one of them.

Here's the links to freeze your credit file with the three major credit bureaus:

     Equifax, Experian, TransUnion

Stop Using Social Media. Yeah, Right

We all know that Facebook cannot be trusted. Zuck and other FB executives should be in prison for the data crimes they've committed. But FB isn't unique. All social media companies make their money largely the same way -- monetizing your data. Remember this: On social media, you aren't the customer. You are the product being sold.

We all got along just fine before Facebook came along.

More on social media privacy here.

And while we're on the topic of Big Data, let us not omit the huge data mining companies that you've probably never heard of. You know, household names like Acxiom, DataLogix, Epsilon Data Management, and Intelius. Many of these Big Data companies have free, opt-out features you can use.

For more on opting out of Big Data, click here.

Examine Statements

How often do you examine your credit card statements? Probably never? I'm guilty of that, too. But you should. A lot of fraudulent charges are purposely small dollar amounts that aren't likely to be noticed if all you look at is the outstanding balance. Worse, your credit card company is unlikely to catch or flag small dollar fraud. Although the likelihood is still small, you could be losing a couple of hundred dollars per year in small dollar fraud.

 

Checking your statements is also a good way to make sure you aren't being overcharged for subscription services or that a subscription service that you cancelled is, indeed, cancelled.

You should also check the statements for any investment and brokerage accounts as well. It takes just a few minutes each month to check over your statements.

Lock Down Accounts

If you don't regularly perform wire transfers or other large money transfers, call your bank and ask them to place a notice on your account to disallow any telephone-originated money transfer orders. Ask that such transfers must be made in person at a branch office. Same thing with any investment and brokerage accounts, especially if there's a local office that you can visit.

This is also important for the elders in your life. More on Elder Abuse here.

Install Anti-Virus Software

You should have anti-virus software on your computer. Today's fastest growing malware threat is "ransomware" that silently encrypts all your data then demands a large payment in Bitcoin. But there's plenty of other malware that can do all kinds of bad things. AV software on your computer is the first level of defense. And don't think that using a Mac will necessarily keep you safe -- they are just as vulnerable as PCs. You just don't hear about them as often because Mac market share is so low.

Good products that can identify modern malware and dangerous websites aren't free. And don't reflexively buy Norton or McAfee just because you've heard the name. There's lots of good products out there. As an I.T. professional, I've used Malwarebytes Premium for years and find to be among the best so that's what I recommend. 

More on malware here and here.

Backup Your Data

Malwarebytes Premium may help protect your data from encrypting ransomware, but it won't protect you from data loss due to fire, theft, flood, or equipment failure. For that, you need a data backup system. There are local solutions and cloud-based solutions, each with their own pros and cons. The time to backup is now before data loss occurs.

Local solutions (external hard drives) are cheaper over the long run, are much faster, and with the right software, will backup everything including the operating system, data, applications, all your settings -- everything.

Cloud-solutions cost a lot more over the long run (they are subscription-based), take longer especially for the first backup, and may not save every file. But depending on your use-case, there may be reasons to consider a cloud-based backup as a secondary backup system.

More on data backup.

Minimize IoT Gadgets

IoT stands for "Internet of Things". This is when an everyday appliance or gadget becomes "cloud-enabled", like thermostats, security cameras, the refrigerator, coffee maker, door locks, garage door opener, kids toys, and countless other things that never were before. It also applies to new things made possible because of the internet such as Amazon Alexa.

These gadgets are often poorly designed, have crappy security, and unbeknownst to you, may be recruited into a "bot net", attacking other users and websites on the internet. 

More on the security hazards of IoT gadgets.

Secure Your Laptop

Laptop theft is rampant and easy. A Kensington survey found that as many as 1 out of 10 laptops will be stolen during its lifetime. Gartner, a well-respected tech research firm, found that a laptop is stolen every 53 seconds. Whatever numbers you read, the takeaway is the same: Millions of laptops are stolen every year from airports, cars, offices, and public places.
 

Laptop data security is an absolute must. Just having a login password won't cut it, either, because any half competent criminal or an I.T. guy (like me) can bypass that in minutes. Full Disk Encryption (such as BitLocker) combined with a strong password and aggressive lockout policy is the solution. But I'll bet my retirement that you aren't doing that.

And don't think that having no data on your laptop protects you. All your website bookmarks and stored passwords are on the laptop as well. And that's okay, stored passwords relieve you from having to remember passwords so they can be long and complex, which is a good thing. But those stored passwords also let a criminal access your online accounts with ease. There's ways to fix that.

It's bad enough if a laptop with your personal info is stolen. But what if the laptop had sensitive client information on it? Or access to sensitive online accounts that contained such information? That could be a ruinously expensive, extinction level event for your company. Upward 60% of companies, usually smaller ones, that experience a data breach are bankrupt within six months.

 

Laptop theft is just one way that data is breached. By properly securing your laptop, you eliminate that particular way as a possibility. 

Final Comments

Some of the above advice may seem rather extreme to those who aren't security geeks -- especially the IoT warnings. Feel free to use whatever advice you think best for you. But understand this: Everything I've mentioned above is borne from actual events. It's all happened, many times. These threats are all fairly easy to prevent but are often impossible to mitigate once it occurs. The time to safeguard is before something happens.

I can assist with pretty much everything you've read above. Or contact your favorite I.T. or security pro to help you.