April 12, 2018
Whenever I tell someone I’m a penetration tester the reaction is always the same. First laughter at my ‘hilarious’ job title, followed by one of three questions:
“Can you hack into my friend’s Facebook account?” “Can you get me free money from the bank?” “Can you get me free cinema tickets?” (Maybe I’m just moving in the wrong circles?) Anyway, the question they really should be asking me is:
“What’s the easiest way to make myself more secure?”
But since everyone just wants free cinema tickets or to make jokes at my expense, I never get asked this. So, in this first post in the ‘Back-to-basics’ series, I’m asking it to myself, on your behalf.
My aim is to stop people feeling overwhelmed by all the noise and scare-mongering out there. Instead, I want people to realise they don’t need to be an expert to get themselves secure, in fact the most effective actions are actually really simple to implement. So, by setting them out in practical steps, one at a time, you’ll be able to prevent yourself becoming the low-hanging fruit that hackers love.
We’ll start with the machine you use daily, whether that’s your personal laptop, or desktop (for any nostalgia buffs out there).
Note: this article is written with your average Windows user in mind. Techies feel free to drag me over the coals, er, I mean, contribute your own ideas.
Take the following steps with me, one foot in front of the other, and come toward the light….
Un-patched/Out-of-date operating systems are a hacker’s best friend. No need to get into the technical nitty-gritty here, just take my word for it (or if you don’t want to take my word, take these guys’ word, I won’t be offended): Keep your software patched.
Luckily this first step is probably the easiest, simply turn on ‘Automatic updates’ and updates will install themselves automatically, instead of just downloading. It’s the business.
And when the pop-up says ‘you need to restart to apply updates’, don’t just click ‘remind me again in 6 months’ do it there and then, or at least at the end of the day.
Let’s also not forget to keep the software on the machine updated too, especially the browser, and especially, especially Adobe stuff. Tut, tut, Adobe.
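For the techies invited to contribute above, here is one way to check whether a Windows machine is actually keeping up with Step 1. This is an added example, not a script from the original post or from OnSecurity; it assumes Windows 10/11 with the built-in Windows Update agent and is best run from an elevated PowerShell prompt.

```powershell
# Added example (not from the original post): is this machine behind on updates?
# Assumes Windows 10/11 with the built-in Windows Update agent; run as Administrator.

# 1. Most recent hotfix Windows recorded as installed (the list can be empty on a freshly imaged box).
$lastHotfix = Get-HotFix |
    Where-Object { $_.InstalledOn } |
    Sort-Object InstalledOn -Descending |
    Select-Object -First 1

if ($lastHotfix) {
    $age = (Get-Date) - $lastHotfix.InstalledOn
    "Last update installed: {0} on {1:yyyy-MM-dd} ({2} days ago)" -f `
        $lastHotfix.HotFixID, $lastHotfix.InstalledOn, [int]$age.TotalDays
} else {
    "No installed hotfixes recorded - check Windows Update manually."
}

# 2. Ask the Windows Update agent what is still outstanding. The search can take a minute.
$session  = New-Object -ComObject Microsoft.Update.Session
$searcher = $session.CreateUpdateSearcher()
$pending  = $searcher.Search("IsInstalled=0 and IsHidden=0").Updates

"{0} update(s) waiting to install:" -f $pending.Count
foreach ($u in $pending) {
    "  - {0}" -f $u.Title
}

# 3. Is a restart still pending from an earlier install? This key only exists while one is required.
$rebootKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\RebootRequired'
if (Test-Path $rebootKey) {
    "A restart is pending - do it today, not in six months."
}
```

If the pending list is long or the last hotfix is months old, automatic updates are not doing their job on that box, and the restart check catches the "remind me later" habit the post warns about.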
Lovingly crafted with MSPaint (really)
Ugh. Right, let’s wade into this one. Nobody can possibly remember strong passwords for all their logins. It can’t be done, so until a better solution comes along everyone should be using a password manager. To be specific KeePass or KeePassX. Job done. Don’t believe me? Ask this guy, he’s a lot cleverererer than me.
Sidenote: I’m sorry to say that even if you have always had strong passwords your email & password combos may already be compromised. This can happen when businesses you’ve had accounts with get hacked. To find out what is out there go to haveibeenpwned and then create new stronger passwords (using your password manager of course.)
The answer is: Yes, two-factor. Definitely.
Enable 2-factor/2-step authentication wherever it’s made available (i.e. Gmail, Office365 etc), this really, really helps, and is a total pain for hackers and other miscreants (every security blog must use the word ‘miscreant’ — it’s the law). Apps like Duo or Authenticator have taken the hassle out of 2FA and Gmail’s built-in Android solution is particularly quick and painless, so no excuses!
If you only do this in one place, do it on your main email account (the one that’s used to reset passwords for everything else). If that gets hacked, it’s game over.
I still can’t believe the number of machines I come across with no AV running on them. Security companies love trotting out scary statistics on this topic, and I’m no different. For example, did you know having an unprotected computer on the Internet for just 4 seconds is enough time for it to get infected with a virus, catch fire and melt into a puddle of molten plastic and metal, completely ruining your desk in the process? This is a FACT*.
*Not a fact.
Seriously though, at the very least ensure Windows Defender is turned on, and remember most AV solutions have host-based firewalls built in, so make sure they are turned on too. Come on, please? You owe it to your desk.
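And for those who would rather verify than trust the tray icon, this added example (again, not code from the original post or from OnSecurity) checks that Defender, its signatures and the Windows firewall profiles are really switched on. It assumes Windows 10/11 with the built-in Defender and NetSecurity PowerShell modules and an elevated prompt; on a machine running third-party AV, Defender may legitimately report passive mode, which the Security Center query at the end helps explain.

```powershell
# Added example (not from the original post): are AV and the host firewall actually on?
# Assumes Windows 10/11 (Defender + NetSecurity modules present by default); run as Administrator.

# 1. Windows Defender status. Stale signatures or no real-time protection = half-protected.
$mp = Get-MpComputerStatus
[pscustomobject]@{
    AntivirusEnabled     = $mp.AntivirusEnabled
    RealTimeProtection   = $mp.RealTimeProtectionEnabled
    SignatureAgeDays     = $mp.AntivirusSignatureAge
    LastQuickScanAgeDays = $mp.QuickScanAge
    RunningMode          = $mp.AMRunningMode   # 'Normal', or 'Passive Mode' if another AV owns the box
}

if (-not $mp.RealTimeProtectionEnabled) {
    "Real-time protection is OFF - turn it on in Windows Security, or check which product replaced it."
}
if ($mp.AntivirusSignatureAge -gt 7) {
    "Signatures are {0} days old - Defender is not updating itself." -f $mp.AntivirusSignatureAge
}

# 2. Host firewall: all three profiles (Domain, Private, Public) should be enabled.
$profiles = Get-NetFirewallProfile | Select-Object Name, Enabled
$profiles | Format-Table -AutoSize

$off = $profiles | Where-Object { $_.Enabled.ToString() -ne 'True' }
if ($off) {
    "Firewall is OFF for: {0}. Fix: Set-NetFirewallProfile -Name <Name> -Enabled True" -f ($off.Name -join ', ')
}

# 3. If Defender is passive, find out which AV product Windows thinks is in charge.
Get-CimInstance -Namespace root/SecurityCenter2 -ClassName AntiVirusProduct |
    Select-Object displayName, productState
```

Run this once a quarter on the family laptop and you will know, rather than assume, that Step 4 is still holding.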
Step 5: Have a Think
‘If you didn’t ask for it, don’t open or click it.’
At this stage we’ve all heard of hackers using social engineering tactics like phishing. There’s a good reason for the hype: If you get hacked, it’s probably because you clicked on something you shouldn’t have. The first step in preventing this is to have a Think before acting.
Think: have you really just won a £250 Amazon voucher? A voucher which can be redeemed simply by entering ALL your personal details at the link below?
Think: was your card really used to buy something on iTunes to the value of $125? (especially if your account is in GBP).
Please, please, please when you get stuff like this just Pause. Let the adrenaline subside and Think before you click. Then ask your tech-savvy friend/cousin/neighbour for advice. You know the one, the one you only contact when you have a tech problem (I’m not bitter, I swear). Better safe than sorry, and when they’re done, Think about rewarding them with a pint/box of chocolates/free cinema tickets/£250 Amazon voucher. #Justasuggestion
Step 6: Surf carefully
This is super important. Without going into too much detail, (and at the risk of moving into life-coach territory here), a great way to keep yourself secure online is to only browse ‘reputable’ websites *ahem. Also, I’m not going to get into the ethics — or indeed, legality — of downloading or streaming pirated movies and TV shows, but from a security perspective: if you are going to do it, at least don’t use the same machine you use for online banking.
Step 7: Out and about
Couple of quick tips for when you’re out and about:
*Yes, I know I said ‘7 steps’ but I’d already paid the illustrator when I thought of another one.
With the rise of ransomware attacks, it’s never been more important to have backups. Personally, I like to work directly from cloud-based services like OneDrive, Google Docs, Dropbox etc. I find OneDrive to be particularly seamless on Windows.
This approach avoids the pain of saving stuff onto a USB drive and all the problems that brings (mini step 8.5 — don’t use USB sticks!). Let the big boys worry about keeping the backups, so you can concentrate on playing Call of Dut… I mean, er, working.
Right, well that’s it for now. There’s a lot more you can do, but take these first 8 steps and you’ll be more secure than the next person (assuming they haven’t read this too), and that’s all it takes for a lot of hackers to pass you by.
Next time on Back to Basics: A (currently unspecified) number of basic steps for securing your startup.
If you want us to drop you a line when that’s ready, send us an email and we’ll let you know when it’s available!
Co-Founder and Head of Product Strategy @ OnSecurity
Conor has over a decade of IT security experience, and has held a number of impressive letters after his surname, including M.Sc, CRT, GCIH and CISSP. Over the years, his reassuringly common sense approach has helped global clients recover from large scale breaches.