How can I Keep From Getting Hacked?

Who Are You? Identity is the Key to Everything
In 2017, security revolves around your identity. The principle of knowing and verifying who you are is the key to granting you access to resources and data that you have appropriate permissions for.

Hardware and software firewalls and filters are still important, to be sure. But it’s sort of the baseline now. It’s expected that if you’re running a business, you’ll have a high-quality, up-to-date firewall/security appliance, preferably with web content filtering and in-line malware scanning. And it’s expected that you’ll have some anti-malware software on your computer and a decent spam filter on your inbound email. And if it’s doing its job and being kept up-to-date, it’s likely fine. Not to mention that increasingly, we have data in Office 365 in Microsoft data centers, where it’s protected by multiple security layers, including dedicated teams using AI analysis to keep an eye on things. The way you get access to everything is by your identity.

Passwords
If security is all about Identity, then proving your identity is critical. Most times that job falls to a password, which is really too bad. Because most passwords are SO easy to crack.

There are three important rules, but they’re hard to follow all the time.

  1. Use Strong Passwords.
  2. Don’t Re-use passwords on multiple sites.
  3. Don’t write down your passwords (or save them in a document on your PC).

I hope 1 and 3 are obvious. As for 2, recent breaches exposing millions of passwords at sites like Yahoo, LinkedIn, and others should give you pause. Especially if your Yahoo password was also your Amazon password, or your LinkedIn password and bank password were the same.

Unfortunately, as we all get more and more accounts to keep track of, it’s nearly impossible to follow these 3 rules. Our memories just weren’t built for it. The answer is a password manager.

A good password manager will let you follow all the above rules with very little inconvenience. It will generate long, random passwords for you, it will remember them and keep them encrypted, and it will auto-fill them in for you as you browse. You remember only one password, the one for the password manager, and it unlocks the rest of your passwords. Then you go change your password on every site you visit, to a randomly generated long password that you don't ever have to know or remember.

For business use, something like LastPass Enterprise is recommended. LastPass has a good personal product, too, as do 1Password and several others. Just make sure you remember the master password!
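To make the three rules concrete, here is an added Python example (not code from the original post or from any password manager mentioned above) that does what a password manager does under the hood: generates long random passwords from a cryptographically secure source, reports how much entropy such a password carries, finds passwords reused across sites, and rotates the reused ones to fresh unique values. The vault contents are constructed sample data; the site names and passwords are placeholders, not real accounts.

```python
import math
import secrets
import string
from collections import defaultdict

# Characters a generated password is drawn from (94 printable ASCII characters).
ALPHABET = string.ascii_letters + string.digits + string.punctuation


def generate_password(length: int = 24, alphabet: str = ALPHABET) -> str:
    """Generate a password the way a password manager does: one independent,
    CSPRNG-backed choice per character (secrets, never random.random)."""
    if length < 12:
        raise ValueError("generated passwords should be at least 12 characters")
    return "".join(secrets.choice(alphabet) for _ in range(length))


def entropy_bits(length: int, alphabet_size: int = len(ALPHABET)) -> float:
    """Entropy in bits of a uniformly random password of this length.
    Each character contributes log2(alphabet_size) bits."""
    return length * math.log2(alphabet_size)


def find_reused_passwords(vault: dict) -> dict:
    """Rule 2 check: return {password: [sites]} for every password that appears
    on more than one site in the vault ({site: password})."""
    by_password = defaultdict(list)
    for site, password in vault.items():
        by_password[password].append(site)
    return {pw: sorted(sites) for pw, sites in by_password.items() if len(sites) > 1}


def rotate_reused(vault: dict, length: int = 24) -> dict:
    """Return a copy of the vault in which every reused password has been
    replaced, per site, with a fresh randomly generated one."""
    reused = find_reused_passwords(vault)
    rotated = dict(vault)
    for sites in reused.values():
        for site in sites:
            rotated[site] = generate_password(length)
    return rotated


# Constructed sample vault: the same weak password reused on three sites (placeholder data).
SAMPLE_VAULT = {
    "yahoo.example": "Summer2016!",
    "amazon.example": "Summer2016!",
    "bank.example": "Summer2016!",
    "linkedin.example": "Winter2016!",
}

if __name__ == "__main__":
    print("reused:", find_reused_passwords(SAMPLE_VAULT))
    print(f"a 24-char generated password has ~{entropy_bits(24):.0f} bits of entropy")
    for site, pw in rotate_reused(SAMPLE_VAULT).items():
        print(f"{site}: {pw}")
```

The entropy figure is the point of rule 1: a 24-character password drawn uniformly from 94 symbols carries about 157 bits, far beyond anything an attacker can brute-force, and nothing a person has to memorise because the manager stores it.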

Social Engineering
Today’s reality is that you are more likely to be hacked by social engineering, or by someone guessing or hacking your password. After all, if it’s hard to break through the firewall, why not take the easy route right in through the front door? A simple email, a website, or maybe even a phone call, could trick you into revealing something, downloading spyware, or granting access to someone. Then your fancy firewall has been rendered useless. This video shows how social engineering can fool even an IT help desk technician who should know better. http://money.cnn.com/video/technology/2016/05/30/watch-this-hacker-break-into-a-company.cnnmoney/

(Along those lines, Microsoft will never call you to tell you they found a problem on your computer and that they need to connect remotely to fix it. If you get that call, it’s a scam.)

Phishing is a specific type of social engineering using email that appears legitimate, to deceive you into revealing sensitive information. With any email you receive, some security tips can go a long way in preventing major problems:

  • Beware clicking links in emails - hover over the link to see the ACTUAL destination, which might be different than the hyperlinked text would lead you to believe.
  • Is it really from who it says it's from? A common tactic is to impersonate someone you know. The email address might be different even if the name is someone familiar. Is your contact referencing an actual conversation you had, or shared interest you've discussed, or is it very generic? "Hey I thought you would like this, check it out" with a link is a big red flag. Don't click the link.
  • The IRS won't email you. Delivery companies won't email PDFs or ZIP files that you'd need to open to get a package delivered to you. Your bank won't ask for your password through email.
  • If it seems like it's from a legitimate business, but you're not sure, open your browser and go to that business's site manually instead of clicking the link.
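The first two checks in that list (does the link really go where its text says, and does a familiar display name carry the expected address) can be automated. Below is an added Python example, not code from the original post, that parses the HTML body of an email, compares each link's visible text with the host its href actually points to, and compares the From header against a constructed list of known contacts. The sample email and the contact list are made-up data using reserved example domains; the "site" comparison uses only the last two labels of a hostname, a deliberate simplification that stands in for a real public-suffix lookup.

```python
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:  # text inside the anchor, including nested tags
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None
            self._text = []


def _site(url_or_host: str) -> str:
    """Reduce a URL or bare host to its last two labels (e.g. 'bankofexample.com').
    Simplification: no public-suffix list, so 'example.co.uk' style hosts are not handled."""
    if "://" not in url_or_host:
        url_or_host = "http://" + url_or_host
    host = (urlparse(url_or_host).hostname or "").lower()
    return ".".join(host.split(".")[-2:])


def _looks_like_url(text: str) -> bool:
    """Visible text that reads as a web address: no spaces, at least one dot."""
    return bool(text) and " " not in text and "." in text


def check_links(html: str) -> list:
    """Flag links whose visible text names one site but whose href leads to another
    (the 'hover over the link to see the ACTUAL destination' check)."""
    parser = _LinkCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        if not href or not _looks_like_url(text):
            continue
        if _site(text) != _site(href):
            findings.append(f"link text says '{text}' but the real destination is {_site(href)}")
    return findings


def check_sender(from_header: str, known_contacts: dict):
    """Flag a From header whose display name matches a known contact but whose
    address does not; returns a description of the mismatch, or None if it looks right."""
    name, addr = parseaddr(from_header)
    expected = known_contacts.get(name)
    if expected and expected.lower() != addr.lower():
        return f"'{name}' is a known contact but this mail is from {addr}, not {expected}"
    return None


# Constructed sample data (not real mail): a lookalike link next to a legitimate one.
SAMPLE_HTML = (
    '<p>Your account needs attention. Visit '
    '<a href="http://bankofexample.com.evil.test/login"><b>www.bankofexample.com</b></a> now.</p>'
    '<p>Or read our <a href="https://bankofexample.com/help">help page</a>.</p>'
)
KNOWN_CONTACTS = {"Jane Doe": "jane.doe@example.com"}

if __name__ == "__main__":
    for finding in check_links(SAMPLE_HTML):
        print("LINK:", finding)
    print("FROM:", check_sender("Jane Doe <jane.doe@mail-example.test>", KNOWN_CONTACTS))
```

The "help page" link is not flagged because its visible text is not a web address; the check only fires when the text makes a claim about the destination that the href contradicts, which is exactly the case where hovering would have revealed the deception.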

Other Tips

  • Enable 2-factor/multi-factor authentication for important accounts whenever available. Most commonly this consists of entering a password, then getting a text or call and entering the code they send you. You’re verified by something you know (password) and something you have (phone). Even if a thief gets your password, without your phone he still doesn’t get access.
  • Lock your screen when you walk away from your computer. Windows key + L on Windows, Ctrl-Shift-Eject or Ctrl-Shift-Power on Mac. (Note on Mac, in System Preferences, Security, enable the "Require password after screen saver begins" option.)
  • Password protect your mobile devices.
  • Don't email sensitive information unencrypted. Regular email isn't secure. We have put in secure email systems for companies with the need to send sensitive information, but unless you're using something like that, consider sharing it through a secure cloud storage platform (like OneDrive for Business), or encrypting the file before sending it.
  • Avoid clicking on ads. Click-bait headlines lead to scammy websites that have even scammier advertisements. If something randomly pops up that says it found 17 urgent problems on your computer, don't click on it.
  • Install AdBlock Plus or similar ad blocker in your browsers.
  • Update your Operating System and software. Software developers, generally speaking, will update their latest versions with patches and updates that fix security flaws that are uncovered over time. If you're running old software, you're vulnerable to a whole slew of known security holes that have already been fixed in the newer updates.

What do you think? Are there any I left out? Do you have other suggestions? Questions about any of the tips? Tweet me @castematech and let me know.

Or, you know, use email ([email protected]).