I drink lots of coffee and solve lots of problems.
Thursday, August 27, 2020
Digital Security for Normal People
This is an update to an original post, If I continue to rewrite this it will never be posted so I suppose I’ll need to update it yearly.
The other day I was in Starbucks and overheard a local computer tech helping someone reinstall windows on their laptop, the tech left, and I started a conversation with the laptop owner. His laptop had been infected with ransomware and he, unfortunately, didn’t have a backup. We had a short conversation about backups where the painfully obvious was stated and not much more. Having backups may not sound like a security strategy because most of the time when we think of security we think about keeping the bad guys out, in the day and age we live the paradigm of how to build a better digital moat has for the most part been dealt with and what we now need to turn to is how do we deal with threats already behind our gates. Digital security now must encompass a much wider practice security is now the art of protecting time. In the case of the man I met at Starbucks what he had lost was documents that he spends time writing, pictures he had spent time taking, bookmarks he had spent time finding, business data he had spent time working on, and a computer he now had to spend time getting fixed using money he had spent time earning. Correctly thinking about security depends on what you are trying to protect, for most people at a minimum that means their own time, for Systems Administrators that means protecting the time of others as well. To best do that it’s important to have a working definition of what security means. I define security as:
"Security is the art of protecting assets, knowledge or time in such a way that the “Cost” of destroying, disrupting, or disappearing them is insurmountably high. The “Cost” of attack is equal to the amount of either negligence or effort that you or an attacker must pay to destroy, disrupt, or disappear the protected asset.
Realistically if someone can pay the “Cost” in either time or money to conduct the attack they can compromise your security."
The following is the collection of advice I wish I could have also given him but just did not have the time to, this is also advice I give to family members, coworkers, and people like you who stumble across my website. This is how you increase the cost of an attack.
A. Securing Online Accounts
Use a password manager and avoid reusing passwords across sites like the plague, side note: it is the plague. LastPass and 1password are a great starting point. There are likely many other good online options. In my opinion, the most important thing about a password manager is that it be zero knowledge, meaning that the company running the service your using has no way to decrypt the data you entrust them to store. If you don’t like the idea of storing your passwords online look at offline options such as KeePass, password safe, or perfect paper passwords.
Enable second-factor authentication on all your accounts, especially your chosen password manager.
Recognize the human error factor, humans make mistakes. When you use the web make sure you’re using an adblocker to avoid malicious advertisements that might lead you to a phishing site. U block Origin is great for this. Using 3rd party DNS is also a great help, Cloudflare, Quad9, and OpenDNS Greatly increases your security at no cost and are fairly easy to set up on your router.
Declare digital sovereignty, if your primary email account is tied to your internet service provider, I would strongly consider looking to either a big tech company (google, Microsoft, or apple) to get a new email address with or looking at a smaller independent company like fastmail or Hey if you’re willing to pay for email services.
B. Securing the Personal Computer
Don’t use an admin account for everyday computing this applies to macOS, Linux, and Windows no exceptions. Follow the Principle of least privilege.
Data security is just as important as account security in most cases, having backups is the best way to secure your data from accidental deletion, corruption, and ransomware. Veeam endpoint free is free and does a great job backing up your entire system.
Run an up to date version of your operating system and preferred web browser and ensure you have security updates installed.
If your computer does get infected just nuke and pave. If your system has been compromised it truly is the only way to be sure your safe again. Make sure you have a good backup, erase the internal disk, and reinstall your operating system.
A note on Antivirus Software: I did not mention antivirus here because consumer-grade antivirus systems seem to change like the wind lately. In general, if you’re looking for an antivirus system I would recommend looking at reviews from IT people as they will spend a lot more time than you can imagine looking at antivirus solutions for their respective companies. Nearing the end of 2017 I had begun to see a rise in malware that exploits antivirus systems to compromise the systems they were designed to protect, in general, your best antivirus option is having an up to date computer with the most recent security patches installed and following best practices, B.1 is your best bet.
C. Securing the Data
3-2-1 Backups, If your data is not following 3-2-1 backups your data does not exist. Make sure you can restore your backups.
If your storing sensitive data in the cloud use some form of “pre-internet encryption” for windows, mac and Linux VeraCrypt is probably the golden standard but there are other encryption tools, even having an encrypted zip file is better than nothing. Note: password protected and encrypted are different things. Know the difference and use the right one.
Back up everything. If its unimportant data back it up if it’s important data back it up again. The number one reason important data can’t be restored is that someone didn’t think it was important and thus did not back it up. If you backup everything all the time this is an easy pitfall to avoid.
D. Securing the Network
If your router can be found at routerpwn.com consider getting a different router or looking for firmware updates the fix the issue listed. If your router does not have firmware updates or a fix for a known issue, then it’s time to get a different router.
Take a look at what GRC’s Shields UP has to say, if your router has open ports make sure you have NAT enabled on your router. The best option to avoid potential conflict is to simply not be there “True Stealth” is the result you want from the Shields UP! test.
If you have internet of things devices on your network use the 3 Dumb Routers method to separate out your network.
If you have Wi-Fi make sure you’re using a good password, only use WPA2 or greater authentication and disable WPS if possible.
Use a 3rd party DNS server on your router Quad9 or OpenDNS are good options. To find out what DNS server is the quickest around you run the DNS Name Speed Benchmark from GRC.com
If you don’t require devices in your wireless network to talk to each other (this is rare) or have devices that don’t need to talk to other devices for any reason consider putting those devices on your guest network. Doing so will isolate those devices from the rest of your network making them less risky.
E. Securing the Human
This is the hardest part, even if you have done everything else correctly, we are only human and are going to mess something up. Securing the human part of the system comes down to checking yourself as you use your technology. There are a lot of moving parts to this but in general, the following are true and if followed will make you less of a risk to yourself.
Always Go to the Source, if you receive a phone call from your bank and they want to verify your social security number over the phone just hang up, Google your bank’s phone number (or look on the back of your debit card) and call your bank. If it truly was them then your good to go, if it wasn’t congratulations you have just evaded an attack. The same applies to handling email phishing messages. A common email I’ve seen is a message warning that your inbox is about to run out of space. If you click the link it then prompts you to login to your cloud email. The right thing to do is ask your email admin if you are running out of space or go to the source and find out if you are approaching a space limit. By going to the source all phishing attacks can be thwarted.
TNO, Trust No One. Criminals don’t target computer systems they target people. Be cautious about giving out information. Well-designed systems and services shouldn’t require you to have any trust in the people running them for your data to be safe.
If it’s too good to be true… (you know the rest of this one, your mother told you, my mother told me, the attacker’s mother told him we all know this.) SPOILER ALERT: it is. There is no Indian prince willing his inheritance to you and there is no free iPad you won. There is always a phishing campaign in the works run by smart people who are looking to make you the sucker. Think about the cost of a phishing message, how much it cost you to send an email? Right… if it only costs the bad guy a couple minutes of their time to try and cheat people out of their money then guess what they are going to try and do. Furthermore, attackers have reduced the cost of an attack by using automation. The result of this is that it’s no longer a couple minutes per person phished it’s a couple minutes per millions, and its target is not you… its target is everyone.
digital first aid kit is a great resource for reactionary advice.
There are a lot of good insights from the Surveillance self-defense page at the EFF.
Roger G. Johnston, Ph.D., CPP Security Maxims is a great read and provides lots of insight into the nature of security.
Microsoft’s 10 Immutable Laws of Security Administration is a great read for fellow systems administrators as is the article 10 Immutable Laws of Security
Final Thoughts: We live in a world now where hackers are driving the cost of attacking systems down by having systems and automation do the attacks for them. Microsoft said it best I think “Eternal vigilance is the price of security”.