In a world where hackers run rampant, it would behoove you to learn the basic concepts of cybersecurity practices to protect yourself online.
This article covers basic cybersecurity practices, prioritizing security over privacy (an important distinction, so let's note it here).
Security === Safety
Privacy === Don't look at my stuff
While utilizing both is the goal, we'll focus on nailing down security first. It's important to protect yourself online.
Why listen to this random dude on the interwebs?
My journey started in 2018, serving as a technical consultant to congressional campaigns. I have served on 2 congressional campaigns, cross-collaborating across many campaigns with colleagues to implement best practices, train staff and volunteers and monitor activity to ensure our elected officials are protecting themselves online. There's been significant improvement in the past 2 years, but still so much to do. My ultimate goal is to reach the general public and encourage improving your safety online as a whole.
Why it matters
When most people think of hackers and cyber-attacks, they probably imagine some high-stakes criminal breaking into bank accounts and stealing their hard-earned cash, or posting questionable memes on their Facebook accounts, or some ninja-coding hacker badass holding government digital assets hostage. Others may think "Well, it's never happened to me, so...why should I care?" What they fail to consider, and admittedly I had as well for the longest time, is that most of these hackers and criminal masterminds taking over the digital world aren't necessarily after these high-stakes goodies.
Think of it this way: how often do you receive spam mail, spam calls or spam texts? I imagine, like most, a significant amount. More often than not, attackers use some form of social engineering, because it is the path of least resistance: phishing for credentials, stealing identities, targeting grandma, collecting as much information as they can with as little effort as possible. Brute-forcing passwords and guessing account names is costly and time-consuming. Much easier to call grandma saying her grandchild is in danger and needs some information, and maybe some cash along the way.
Case study: Twitter
We're all well aware of the big Twitter breach recently. Big-name accounts taken over, even accounts following best practices; how on earth did this happen? Further investigation revealed a common playbook: calls from a fake IT department and redirects to fake VPN login pages (remote work during COVID made that story plausible), leading to Twitter employee credentials being stolen and used to take over Twitter, if only momentarily. This was a bit of a rare instance: a large target with a well-resourced security department. Remember, the path of least resistance is generally the path these bad actors will take. Should we be ultra-worried and paranoid about it? Not really, no. But should we be taking more precautions to safeguard our online life? Certainly.
It's not difficult... just slightly time-consuming
What stops most people? "It's a lot of work. Do I really have to have this? Why do I need a long, difficult password with random characters and numbers and symbols? I'm not going to remember that! I don't have time for it. It's not that important. I've never been hacked so why worry now?"
These are some of the common questions and complaints I hear on a regular basis. The most fun has been "Yeah, I take it seriously. I'll get this set up. Eventually." And eventually becomes never, and they laugh at their procrastination, I laugh, the hacker laughs, they lose their identity, existential crisis kicks in as they begin to question if they really are them or if the hacker is them and they've been living a lie all along and...lol. I kid. But only partly.
The reality is, it is not difficult. It's only a tad bit time-consuming to start. So we have ways of working around that, making it less painful and more likely to get done. Ya' know, the good ol' developer's rule of "Take a big problem and break it into smaller pieces that are easier to digest." Same concept here, but with securing your online self.
Tools to use
I'd like to start this section off by taking a moment to review how safe we have really been. The first tool I will introduce is a favorite place of mine to visit: haveibeenpwned. This site takes your email address and checks it against data from known breaches and credential dumps that have been shared or sold on. Remember your old childhood email address from the Neopets days? Try that out. That's a ton of fun. My primary email was even caught up in a breach involving a popular add-on for Google Docs. Add-ons are not necessarily safe, something to keep in mind moving forward. So, take some time, put your email addresses to the test and see what you find. No breaches? Congratulations. Let's help you keep it that way. 1? 2? 500? Let's take some steps to really lock it down. A hit means the breached site leaked data about you, not that your mailbox itself was broken into, so the urgent fix is to change the password you used on that site and anywhere you reused it. If you're looking at 5-10 breaches or more, it may also be time to migrate to a new email address.
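The same site also offers a Pwned Passwords range API that lets you check whether a password has shown up in a breach without ever sending the password (or its full hash) to anyone. The mechanism is k-anonymity: you SHA-1 hash the password, send only the first five hex characters, and get back every suffix in that range with a breach count, which you match locally. The example below is added here and is not code from the original post; the endpoint and response format are the real documented ones, but the `SAMPLE_RANGE_RESPONSE` body and its counts are constructed for the demo (only the suffix for "password" is the genuine SHA-1 suffix), and it makes no network call.

```python
import hashlib

# Real endpoint documented by Have I Been Pwned; only the 5-character prefix is ever sent to it.
RANGE_ENDPOINT = "https://api.pwnedpasswords.com/range/"

# Constructed sample of a range response: one "<35-hex suffix>:<count>" per line.
# The second entry is the real SHA-1 suffix of "password"; the counts are made up for the demo.
SAMPLE_RANGE_RESPONSE = """\
1D2DA4053E34E76F6576ED1DA63134B5E2A:2
1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493
1F2B668E8AABEF1C59E9EC6F82E3F3CD786:1
"""


def sha1_hex(password: str) -> str:
    """Uppercase hex SHA-1 of the password, the form the range API is keyed on."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def split_hash(digest: str):
    """k-anonymity split: the 5-char prefix goes to the server, the 35-char suffix never leaves this machine."""
    return digest[:5], digest[5:]


def range_url(password: str) -> str:
    """URL you would GET for this password; note it carries only the hash prefix."""
    prefix, _ = split_hash(sha1_hex(password))
    return RANGE_ENDPOINT + prefix


def parse_range_response(body: str) -> dict:
    """Parse 'SUFFIX:COUNT' lines into {suffix: count}."""
    counts = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        counts[suffix.upper()] = int(count)
    return counts


def breach_count(password: str, range_body: str) -> int:
    """How many times the password appeared in breaches, matched locally against the range body (0 = not seen)."""
    _, suffix = split_hash(sha1_hex(password))
    return parse_range_response(range_body).get(suffix, 0)


if __name__ == "__main__":
    for pw in ("password", "correct-horse-battery-staple-constructed"):
        print(pw, "->", range_url(pw), "seen", breach_count(pw, SAMPLE_RANGE_RESPONSE), "times")
```

In real use you would fetch `range_url(pw)` and feed the response body to `breach_count`; the server learns one of 16^5 prefixes and nothing else. A non-zero count means that exact password is in circulation in attacker wordlists and should be retired everywhere it was used.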
With that done, let's move on to the list, and then we can go into a little more detail on each recommendation.
The List:
- Devices
  - Phones
    - iPhone
  - Computers
    - Chromebook
    - Mac
  - Security Key
    - YubiKey (Yubico)
    - Google Titan
    - Phones
- Software
  - Password Manager
  - Browser
    - Chrome
    - Extensions
  - Messaging
Things to note:
This list is highly focused on security over privacy. Later articles will go more into privacy and, in time, into finding a nice balance between security and privacy. This list is non-exhaustive. There are numerous things we can do to improve our personal security; these are just the starting points we work to ensure campaigns are following. I want to really reiterate and drive home the point that this is the general starting point for congressional campaigns, where security outweighs privacy. With that being said, we can take from this list what we need to secure ourselves and in time build on the privacy end as well. I still lean towards Linux/Windows myself, and use more open-source software.
The advantage Google and Apple have is extremely strong security practices and tooling. For example, if you use Gmail, I highly encourage and recommend running their Security Checkup and implementing its recommendations. If your work is high profile, you can and should also sign up for their Advanced Protection Program. APP enforces two-factor authentication with a physical security key.
How to implement
Now, I know what you're thinking. "Damnit Travis! This is A LOT to do!" And...well, it is. While ideally you could set aside an afternoon to sit down and go through everything and knock it all out, I understand how daunting that task can be. So I recommend breaking it up.
First Steps
Your absolute first steps should be updating software. Update your computers, your phones, your applications. If you don't already have it turned on, turn on auto-updates. Unless you're big into IT and take the time to review updates before applying them, which is completely acceptable; for everyone who doesn't want to think about it, enable auto-updates.
For Mac users, enable FileVault to encrypt your drive. For Windows, enable BitLocker (Windows Home editions don't ship BitLocker management; look for "Device encryption" under Settings instead, which covers the same ground on supported hardware). Chromebooks: local storage is encrypted by default, so if you're following Google's security recommendations, you're good to go. Try to keep everything on Google Drive rather than on your local drive. On your phones, make sure you use a strong password or a strong PIN (six digits or more, not four) to unlock your device.
If your phone carrier has the option, set a PIN on your account as well (often called an account PIN or port-out PIN), so someone calling customer service can't move your number to a new SIM just by knowing a few facts about you. If you're curious why this is important, check out this fun clip. I absolutely enjoy this one, as it shows how social engineering can work to gain not only control of an account, but access to more sensitive data.
Next steps would be to download a password manager. 1Password and LastPass are what we recommend to campaigns. I personally like Bitwarden. Its free option is solid, and the UI is fairly similar to 1Password's. Try using a passphrase generator. These create unique, long passwords in the form of phrases, so they're quite easy to remember, which matters for the handful you actually have to type, like the master password for the manager itself.
This is where breaking the task down into smaller bits comes in handy. Rather than go through and think of every. single. account. you have in existence, add them to your password manager as you use them. For example, you start your day logging in to your email to follow up on work; while you're there, add your email to it. Consider using your password manager to generate a unique 16-character password and replace the one you currently use. Do this each time you log in to something to break up the monotony of securing your accounts.
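What a password manager's generator actually does under the hood is simple, and it is worth seeing why "random words" and "random characters" are both fine as long as the randomness is real and there is enough of it. The block below is an added example (not from the original post or any particular password manager): it builds a diceware-style passphrase and a random character password from the OS's CSPRNG via `secrets`, and works out how many bits of guessing work each gives. `SAMPLE_WORDLIST` is a constructed 16-word stand-in; a real diceware list such as the EFF long list has 7776 words, which is the `DICEWARE_SIZE` the entropy math assumes.

```python
import math
import secrets
import string

# Constructed stand-in wordlist for the demo; a real diceware list has 7776 entries.
SAMPLE_WORDLIST = [
    "anchor", "basil", "cobalt", "dune", "ember", "falcon", "glacier", "harbor",
    "iris", "juniper", "kelp", "lantern", "marble", "nectar", "orbit", "pepper",
]
DICEWARE_SIZE = 7776  # 6^5: five dice rolls index one word in the EFF long list

# Letters, digits and punctuation: 94 printable ASCII symbols, the usual "random password" alphabet.
PASSWORD_ALPHABET = string.ascii_letters + string.digits + string.punctuation


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Bits of guessing work for `length` independent uniform picks from `alphabet_size` options."""
    return length * math.log2(alphabet_size)


def words_needed(target_bits: float, wordlist_size: int = DICEWARE_SIZE) -> int:
    """Fewest words from a list of this size that reach the target entropy."""
    return math.ceil(target_bits / math.log2(wordlist_size))


def generate_passphrase(word_count: int = 6, wordlist=SAMPLE_WORDLIST, sep: str = "-") -> str:
    """Pick words uniformly with the CSPRNG; never random.choice(), which is seeded from time."""
    return sep.join(secrets.choice(wordlist) for _ in range(word_count))


def generate_password(length: int = 16, alphabet: str = PASSWORD_ALPHABET) -> str:
    """Random character password of the kind a manager stores for you; you never need to remember it."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


if __name__ == "__main__":
    print("6 diceware words:", round(entropy_bits(DICEWARE_SIZE, 6), 1), "bits")
    print("16 random chars: ", round(entropy_bits(len(PASSWORD_ALPHABET), 16), 1), "bits")
    print("words for 80 bits:", words_needed(80))
    print(generate_passphrase())
    print(generate_password())
```

The takeaway from the numbers: six real diceware words give about 77 bits and 16 random printable characters about 105 bits, both far beyond what online guessing or offline cracking of a properly hashed password can reach. Entropy comes from the size of the pool and the number of picks, not from how unpronounceable the result looks, so the memorable phrase is not a weaker choice.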
While updating passwords, check which accounts allow 2FA. Some places may only offer it in the form of text messages. This is generally not recommended: an attacker can SIM-swap your number at the carrier, or simply phish you for the code, and read your texts (it is still far better than no 2FA at all). Opt for an authenticator app (Authy is a good one, as it allows for cloud backups, which makes transferring to new devices much easier; give that backup a strong password of its own). And, ultimately, aim for physical security keys, such as a YubiKey or Titan Security Key. With a physical security key enrolled for 2FA, you must have the key on hand to log in on a new device, and the key only answers for the real site, so a phishing page can't trick you into handing over a code.
I'd like to really note that: you only need the physical key to log in on a new device. Once you have signed in, you can tell the site not to ask again on that device, so long as it is a device you trust. Any time someone attempts to log in from somewhere else, they won't be able to without your security key.
I also recommend having at least 2 security keys: one primary key, and one backup, in case something happens to your primary. Register both with each account up front (a key you never enrolled can't rescue you) and keep the backup locked away in a safe place. Otherwise, if you lose your only security key, it becomes quite a process to get back into your account. That is the caveat of security. But that is what we are aiming for after all.
Your cyber security check list
So, I know this is a lot to take in and consider. Maybe you're already doing some of these things. Maybe you aren't doing any. Maybe you're dope at security and do all of this already! But for those that need to catch up on their safeguards, I will be putting together a checklist of sorts that you can use to check off items on your path to protecting yourself. Feel free to subscribe to get your checklist as soon as it's ready. And please reach out with any thoughts, questions, opinions or anything you'd like to contribute. As I mentioned, this is a non-exhaustive list that can and will be expanded on in future posts. While these are guidelines set for a particular group, we can use most of them to protect ourselves. My goal is to find and share a good balance between security and privacy. All feedback is welcome!