Personal Security

Types of social engineering attacks

- Baiting
- Quid pro quo
- Social media impersonation
- Tantalizing emails
- Tailgating
- False alarms
- Water holing
- Virus hoaxes
- Technical failures

Alternatives to passwords

- Biometric authentication
- SMS based authentication
- App based one time passwords
- Hardware token authentication
- USB based authentication

Strong Passwords

- Combine three or more unrelated words and proper nouns, with numbers separating them.
- If you must use a special character, add a special character before each number; you can even use the same character for all your passwords.
- Ideally, use at least one non-English word or proper name.
- If you must use both capital and lowercase letters, use capitals that always appear in a particular location throughout all your strong passwords.

Physical Security Matters - Inventory

Properly inventorying every mobile device, so that you can properly secure all such devices, is critical. Stationary devices, such as desktop computers, networking equipment, and many IoT devices (for example, wired cameras), do not move from location to location on a regular basis. Mobile devices are computerized devices that are frequently moved, such as laptops, tablets, and smartphones.

False alarms

Raising false alarms can also social engineer people into allowing unauthorized persons to do things that they should not be allowed to do.

Responding

Refers to acting in response to a cybersecurity incident. Most security software will automatically prompt users to act if they detect potential problems.

Biometric authentication

Refers to authenticating using some unique identifier of your physical person, such as fingerprint- and iris-based authentication. Consider that:
- your fingerprints are likely all over your phone
- if your biometric information is captured, you can't reset it as you can a password
- if your biometric information is on your phone or computer, what happens if malware somehow infects your device?
- cold weather creates a problem
- glasses pose challenges to iris scanners
- biometrics can undermine your rights (law enforcement may be able to force you to provide your biometric authentication)
- impersonation is possible (face recognition in some devices can be tricked into believing that a person is present by playing a high-definition video of that person to the device)
- voice-based authentication is useful for voice phone calls

Detecting

Refers to implementing mechanisms by which you can detect cybersecurity events as quickly as possible after they commence. Today, most personal computer security software has detection capabilities of various types.

Recovering

Refers to restoring an impacted computer, network or device - and all of its relevant capabilities - to its fully functioning, proper state after a cybersecurity event occurs.

Multifactor authentication

Requires a user to authenticate using two or more of the following methods: password, fingerprint, or hardware token. Other factors include biometrics, digital certificates, one-time passwords, and knowledge-based authentication.

Social media impersonation

Some attackers impersonate people on social media in order to establish social media connections with their victims.

Crime Prevention Through Environmental Design (CPTED)

States that you can reduce the likelihood of certain crimes being committed if you create a physical environment that allows legitimate users to feel secure but makes ill-doers uncomfortable with actually carrying out any planned problematic activities.
- Access control: limiting access to authorized parties makes it harder for criminals to penetrate a building or other facility.
- Surveillance: criminals often avoid committing crimes that are likely to be seen and recorded (cameras, guards, and motion-sensitive lighting all discourage crime).
- Marking: criminals tend to avoid areas that are clearly marked as belonging to someone else.

Banking Online Safely

- Use a strong and unique password
- Choose a random PIN for your ATM card and/or phone identification
- Consider asking your bank for an ATM card that can't be used as a debit card
- Log in to online banking only from trusted devices that you control, that have security software on them, and that are kept up to date
- Log in to online banking only from secure networks that you trust
- Log in to online banking using a web browser or the official app of the bank
- Sign up for alerts from your bank
- Use multifactor authentication and protect any devices used for such authentication
- Do not allow your browser to store your online banking password
- Enter the URL of your bank every time you visit the bank on the web
- Use a separate computer or a different web browser for online banking, and be sure to keep that browser up to date. As an extra precaution, you can configure your browser to remember the wrong password to a site so that if someone ever does get into your laptop or phone, he or she will be less likely to successfully log into that site using your credentials.
- Secure any devices from which you bank online (physically, by requiring a password to unlock them, and by enabling remote wipe)
- Monitor your account for unauthorized activity

Quid pro quo

The attacker states that he needs the person to take an action in order to render a service for the intended victim. ex: pretending to be an IT

Privacy Mode

- Google Chrome: Control + Shift + N
- Microsoft Edge: Control + Shift + P
- Firefox: Control + Shift + P
- Safari: Command + Shift + N

Implementing Physical security

Locks, video cameras, security guards, alarms, perimeter security, motion-triggered lighting, environmental risk mitigation, backup power and contingencies for power failures, contingencies during renovations and other construction, and risks from backups (protect backups of data with the same security precautions as you do the original copies of the data).

Inventorying assets

Make a written list of all devices that you attach to your network. Add to that list - in a separate section - all storage devices that you use, including external hard drives, flash drives, and memory cards.

Safely Using Smart Devices

- Make sure that none of your IoT devices create security risks in the event of a failure
- If possible, run your IoT devices on a separate network from your computers
- Keep all IoT devices up to date
- If possible, disconnect devices when you are not using them
- Password-protect all devices
- Keep your smartphone physically and digitally secure
- Disable device features that you do not need
- Do not connect your IoT devices to untrusted networks

Easily guessable personal passwords

Many people use the name or birth date of their significant other or pet, so crooks often look at social media profiles and do Google searches in order to find likely passwords.

Different levels of sensitivity

Not all types of data require the same level of password protection. On the basis of risk levels, feel free to employ different password strategies. Random passwords, passwords composed of multiple words possibly separated with numbers, passphrases, and even simple passwords each have their appropriate uses.

Basic elements of protection

- Perimeter defense
- Firewall/router
- Security software
- Physical computer(s)
- Backup

Securing Data Associated with user accounts cont pt3...

- Periodically check access device lists
- Check last login info
- Respond appropriately to any fraud alerts (contact the outlet at a known valid number that is advertised on its website)
- When you access websites, look for the padlock icon, indicating that encrypted HTTPS is being used (if you don't see the icon, do not provide sensitive information or log in)
- Beware of social engineering attacks; never click on links in any such correspondence
- Establish voice login passwords for your accounts whenever possible, that is, set up passwords that must be given to customer service personnel in order for them to be able to provide any information from your accounts or to make changes to them
- Protect your cellphone number; ideally, set up a forwarding phone number to your cellphone and use that number when giving out your cell number (doing so reduces the chances that criminals will be able to intercept one-time passwords that are sent to your phone and also diminishes the chances of various other attacks succeeding), e.g. Google Voice
- Don't click on links in emails or text messages
- Don't overshare on social media
- Pay attention to privacy policies

BIOS password

Prevents the operating system from booting and the BIOS settings from being changed until the password is entered. Set up a BIOS password so that the device is locked from use until the password is supplied.

Locating your vulnerable data

- Private photos and videos
- Recordings of your voice
- Images of your handwriting
- Financial records
- Medical records
- School-related documents
- Password lists
- Repositories of digital keys
- Documents such as your passport, SSN, credit card numbers, taxpayer identification, driver's license, vehicle records, and former addresses
These items will need to be protected against cyberthreats, but the data stores in which they reside also need to be protected physically.

Changing passwords after a breach

- Don't click any links in the message, because most such messages are scams
- Visit the organization's website and official social media accounts to verify that such an announcement was actually made
- Pay attention to news stories to see whether reliable, mainstream media is reporting such a breach
- If the story checks out, go to the organization's website and make the change
PS: if you reuse passwords on sites where the passwords matter and a password that is compromised somewhere is also used on other sites, be sure to change it at the other sites as well.

Criminals guess password by:

- Guessing common passwords: often by using automated tools that feed systems passwords one at a time from lists of common passwords and record when they have a hit.
- Launching dictionary attacks: automated hacker tools simply feed all the words in the dictionary to a system one at a time until they have a hit.
- Credential stuffing: refers to when attackers take lists of usernames and passwords from one site and feed its entries to another system one at a time in order to see whether any of the login credentials from the first system work on the second.

SMS based authentication

A code is sent to your cellphone. This type of authentication is not considered secure enough on its own. Criminals have ways of intercepting such passwords, and social engineering of phone companies in order to take over people's phone numbers remains a problem. PS: SMS one-time passwords used in combination with a strong password are a step above just using the password.

Firewall/router

A firewall will block outsiders from trying to contact a computer inside your home, but it will not block a web server from responding if a computer inside your home requests a web page from the server. Routers use multiple technologies to achieve such protection. One of them is Network Address Translation (NAT), which allows computers on your home network to use Internet Protocol (IP) addresses that are invalid for use on the Internet and can be used only on private networks. To the Internet, all the devices appear to use one address, which is that of the firewall.

Securing Data Associated with user accounts

- Always check the website of stores that you are conducting business with to see whether something looks off
- Make sure that you install the official app and not some malicious impersonator
- Malware that infects a computer can capture sensitive information from both other programs and web sessions running on the device (be careful with "free" copies of software)
- Don't root your phone; rooting is a process that allows you greater control over your device, but doing so undermines various security capabilities of the device and may allow malware to capture sensitive information from other apps on the device, leading to account compromises
- Don't provide unnecessary sensitive information (online stores and doctors don't need your SSN)
- Use payment services that eliminate the need to share credit card numbers with vendors; services such as PayPal and Apple Pay let you make online payments without having to give vendors your actual credit card number

Baiting

An attacker sends an email or chat message that promises someone a reward in exchange for taking some action. Sometimes such scammers seek payment of a small shipping fee for the prize, sometimes they distribute malware, and sometimes they collect sensitive information.

Security Software

- Antivirus
- Personal device firewall capabilities
- Antispam software on any device on which you read email
- Enable remote wipe on any and every mobile device
- Require a strong password to log in to any computer and mobile device
- Enable auto-updates whenever possible and keep your devices updated

Sensitive passwords

Because many modern online systems allow people to reset their passwords after validating their identities through email messages sent to their previously known email addresses, a criminal who gains access to someone's email account may be able to do a lot more than just read email without authorization: he or she may be able to reset that user's passwords to many systems, including to some financial institutions. Likewise, many sites leverage social-media-based authentication capabilities, so a compromised password on a social media platform can lead to unauthorized parties gaining access to other systems as well.

Securing Data with Parties that you've interacted with

Browse in a private session, for example by using the Tor browser, which automatically routes all your Internet traffic through computers around the world before sending it to its destination; this makes it difficult for third parties to track you. The Tor browser bundle is free and comes with all sorts of privacy-related features enabled, including blocking cookies and canvas fingerprinting, an advanced form of tracking. If Tor seems complicated, you can also utilize a reputable VPN service for similar purposes.

Water holing

Combines hacking and social engineering by exploiting the fact that people trust certain parties. Criminals may launch a watering hole attack by breaching a site that the intended victims trust and inserting poisoned links on it.

Physical computer(s)

- Control physical access to your computer and keep it in a safe location
- Do not share your computer; if you need to share it, create separate accounts and do not give any other users of the device administrative privileges on it
- Do not rely on deleting data before throwing out, recycling, donating, or selling an old device (use a multi-wipe erasure system for all hard drives and solid state drives)

Technical failure

Criminals can easily exploit humans' annoyance with technology problems to undermine various security technologies.

Virus hoaxes

Emails may contain poisoned links, direct a user to download software, or instruct a user to contact IT support via some email address or web page. Scareware, which scares users into believing that they need to purchase some particular security software, can be considered a form of virus hoax.

End-to-end encryption

End-to-end means that the messages are encrypted on your device and decrypted on the recipient's device and vice versa - with the provider effectively unable to decrypt the messages; as such, it takes far more effort by hackers who breach the provider's servers to read your messages if end-to-end encryption is utilized.

Transmitting Passwords

Ideally, if you need to give someone a password, call him or her and don't provide the password until you identify the other party by voice. If you must send a password in writing, choose to use an encrypted connection. If such a tool is not available, consider splitting the password and sending some of it via email and some via text.

Reuse passwords

If the requirement to register and log in is solely for the benefit of the site owner and it doesn't matter one iota to you whether a criminal obtains the access credentials to your account and changes them, use a simple password.

Complicated passwords aren't always better

It can lead to problems that can undermine security:
- Inappropriately reusing passwords
- Writing down passwords in insecure locations
- Selecting passwords with poor randomization and formatted using predictable patterns, such as using a capital for the first letter of a complicated password, followed by all lowercase characters, and then a number
PS: passphrases are passwords consisting of entire phrases or phrase-length strings of characters, rather than simply a word or a word-length group of characters.

Hardware token authentication

It generates new one-time passwords every x seconds, but you need to carry a specialized device that generates the one-time codes. They are prone to getting lost and are not always waterproof.

Tailgating

It is a physical form of social engineering attack in which the attacker accompanies authorized personnel as they approach a doorway that they, but not the attacker, are authorized to pass and tricks them into letting him pass with the authorized personnel.

Security for mobile devices

Keep your devices in sight or locked up, enable location broadcasting, remotely triggerable alarms, and remote wipe

Firewall/router recommendations

- Keep your router up to date
- Change the default administrative password on your firewall/router to a strong password that only you know
- Don't use the default name provided by your router for your Wi-Fi network name
- Configure your Wi-Fi network to use encryption of at least the WPA2 standard
- Establish a password that any device is required to know to join your Wi-Fi network
- If all your wireless devices know how to use the modern 802.11ac and 802.11n wireless networking protocols, disable older Wi-Fi protocols that your router supports
- Enable MAC address filtering, or make sure that all members of your household know that nobody is to connect anything to the wired network without your permission
- Locate your wireless router centrally within your home
- Do not enable remote access to your router
- Maintain a current list of devices connected to your network
- For any guests to whom you want to give network access, turn on the guest network capability of the router and, as with the private network, activate encryption and require a strong password

Tantalizing emails

These emails attempt to trick people into running malware or clicking on poisoned links by exploiting their curiosity, sexual desires and other characteristics.

App based one time passwords

This is a good addition to strong passwords, but they should not be used on their own. App based one time passwords are likely a more secure way to authenticate than SMS based one time passwords but they can be inconvenient if you get a new phone.

USB based authentication

USB devices that contain authentication information can strengthen authentication. Use such devices only in combination with trusted machines; you don't want the device infected or destroyed by some untrusted machine.

Securing Data Associated with user accounts cont...

- Use one-time, virtual credit card numbers when appropriate
- Monitor your accounts
- Report suspicious activity ASAP
- Employ a proper password strategy
- Use multifactor authentication
- Log out when you are finished
- Use your own computer or phone
- Lock your computer
- Use a separate, dedicated computer for sensitive tasks
- Use a separate, dedicated browser for sensitive web-based tasks
- Secure your access devices with security software
- Keep your devices up to date
- Don't perform sensitive tasks over public Wi-Fi
- Never use public Wi-Fi for any purpose in high-risk places
- Access your accounts only when you are in a safe location
- Set appropriate limits
- Use alerts

General Privacy Tips

- Use social media privacy settings
- Keep private data out of the cloud unless you encrypt the data
- Do not store private information in cloud applications designed for sharing and collaboration
- Leverage the privacy settings of a browser, or better yet, use Tor (if you are using a web browser to access material that you don't want to be associated with you, at a minimum turn on Private/Incognito Mode)
- Do not publicize your real cellphone number (get a forwarding number from a service like Google Voice)
- Store private materials offline, and if you must store them electronically, store them on a computer with no network connection
- If you use online chat, use end-to-end encryption (e.g. WhatsApp)
- Practice proper cyberhygiene

Providing passwords to humans

What you should do is never provide any sensitive information over the phone unless you initiated the call with the party requesting the password and are sure that you called a legitimate party.

Perimeter Defense

You can build that digital moat by never connecting any computer directly to your Internet modem. Instead connect a firewall/router to the modem and connect computers to the firewall/router. (If your modem contains a firewall/router, then it serves both purposes.)

Password manager

You can use a password manager tool to securely store your passwords. Password managers are software that help people manage passwords by generating, storing, and retrieving complex passwords. Typically they store all their data in encrypted formats and provide access to users only after authenticating them with either a strong password or multifactor authentication. Such technology is appropriate for general passwords, but not for the most sensitive ones.
