Would you leave your car or house unlocked? Would you leave your wallet on a public sidewalk? You would not, but you might unwittingly do the digital equivalent.
Information security is important. Yet lots of folks do things which diminish theirs. In this article, I detail various information security concepts and best practices, and the rationales behind them.
An article about information security which doesn’t mention, or at least embody, the concept of threat modeling, is either amateur or remiss. Threat modeling simply means: figuring out which cybersecurity threats are relevant to you or your organization, the seriousness of the damage they could inflict, and what it would look like to protect against them.
Let’s look at two simple scenarios which might be part of a personal threat model.
Scenario 1: Meh
An email account that you only use for shady/spammy-looking sites gets compromised. This email account doesn’t even have your real information associated with it. Should you bother protecting it with methods which are so strong that they decrease usability? Probably not. You lose almost nothing if an attacker gains access to it.
Scenario 2: Serious
Your work email account gets compromised. Depending on what kinds of systems your work email is attached to, you might be looking at public embarrassment, identity theft, or even you being identified as the weak link in a larger phishing attack. It stands to reason then, that protecting your work email, even with methods which decrease usability, is probably worthwhile.
Security vs Usability
The idea is, there is always a trade-off between security and usability. You want to make it difficult for anyone except you to gain access to your accounts. Threat modeling helps you determine what that looks like and when it’s worth it.
The rest of this article assumes a sort of “common man’s” threat model.
How to Use Strong Passwords
Strong password design is tricky because most people don’t understand the concept of entropy. Rather than make specific suggestions about length or characters, or spend time emphasizing how you shouldn’t reuse passwords, I’m going to make a simpler suggestion: use a password manager.
A password manager will (1) generate better passwords than you can think up, and (2) will be easier to use than your homegrown password system.
Don’t Use Biometrics (Yet)
There are two simple rules for email safety which will do more for you than most other items in this article.
- Don’t respond with sensitive information. There are a variety of reasons for this, the least of which is not that: even if the other party is making a legitimate request, you cannot guarantee that their email account won’t be compromised, exposing your information. Email is just not an appropriate format for this sort of exchange.
- Check the “From” address. If that account deletion warning from your bank seems strange, who is the sender? If your bank is XBank and the “From” address is email@example.com, you’re probably safe to respond. If it’s firstname.lastname@example.org or email@example.com, then NO you don’t want to click that link.
Both Encrypt and Lock Your Devices
Every device you own should be encrypted: your phone, your laptop, your desktop, your tablet, etc. It is trivially simple to remove the hard drive from a stolen device and plug it into another device. Did you think your files were protected by your login password? Think again.
Encryption sounds difficult and scary, but it’s really not. Most Android phones and Apple phones and laptops have encryption options built into the operating system. You can encrypt your phone or MacBook from the settings menu. Windows devices aren’t much harder. Search for “encrypt my xxxxx” to learn how to encrypt each of your devices.
That said, if you encrypt your devices but don’t lock them, you’re missing most of the benefits of encryption. What good is the encryption doing you if anyone can get into your files by just swiping up on your phone? Encryption and locking go hand in hand. Do both or reap the benefits of neither.
Two-Factor Authentication (MFA/2FA)
Using 2FA means that an attacker will have to both have your password and some secondary means of authentication (ideally a physical device like a cell phone) to access your account. It adds a bit of hassle to your life (decreases usability) because it also means that you have to have access to that secondary means of authentication when you want to log in, but the trade-off is often worth it.
Text Message Security Codes
At present, the most common form of 2FA is the text message security code. You’ve almost certainly seen these: after entering your username and password on a site or app which has your cell phone number, a security code is texted to you. You enter the code and then you are granted access.
For most people, this method strikes a pretty good balance between security and usability. It should be noted however, that it is also the least secure 2FA method.
Physical Security Keys
Various companies make USB and Bluetooth security keys. These look like USB keys, but do not store data. Instead, they are used as a form of 2FA when logging into your accounts.
Basically, whenever you would otherwise have received a security code by text message, you plug the security key into a USB port, or hold it close to your phone, and that authenticates you. It’s easier than the text messages method, and more secure, since an attacker would need to acquire both your password and a physical object (the security key).
Unfortunately, the U2F protocol used by security keys is not widely supported. You can check here to see if your favorite site or app supports it yet.
These apps work similarly to the text message security codes, except that they are entirely offline. Each account that you register with an authenticator app shows up in the app with a code that you can use to authenticate. These codes change every 60 seconds, and will even work in airplane mode.
Backup Codes: Awareness
Some sites offer to give you one or more “backup codes”, in case you lose access to the account. (That is, you forget your password, lose your cell phone for phone 2FA, get locked out of the email you set as the password recovery email, etc.) Backup codes are nice, but you should be aware of what an attacker would get if they acquired your backup codes. It’s different for different sites. Here are some examples.
- Hotmail backup codes: let you reset the account password, change the recovery email, and access the account.
- Gmail backup codes: even after entering a backup code, Gmail will still ask for another method of authentication before letting you in. If you do not provide one, Google will “review your request”.
- Dropbox backup codes: can be used in place of a phone.
Security questions are the poor man’s 2FA: their answers are often easy to find in public records or elsewhere. If you must use them, use them with care.
Only You Should Know Your Answers
Try to select questions and answers which are not available in public records. Here are some bad questions.
- Where did you go to high school?
- What was your mother’s maiden name?
- What was the make and model of your first car?
For contrast, here are some
good arguably better questions.
- What was the name of your first pet?
- Where did you meet your significant other?
- What is your favorite food?
A great point about security questions, which was raised a while back by journalist Brian Krebs: don’t answer personality (or other) quizzes online. You’re giving away information about yourself for free to potentially unscrupulous sources who may then try to use it to account-recovery or phish their way into your accounts.
Single Points of Failure
Do you have only one email address? Only one bank account? One laptop with all of your family photos, tax records, and the manuscript of the book you’ve been writing for nine years? Consider the following.
One Email Address
What would happen if your email address got hijacked? What would you lose access to? What would an attacker gain access to? It might be worth having more than one email.
Another proactive measure which can somewhat mitigate the severity of a future email breach: you can periodically archive and delete old emails which include sensitive information, or all emails older than a few weeks/months/years.
One Bank Account
If an attacker gained access to your bank account, could they drain your whole life savings? Even splitting your assets across two accounts would cut that damage in half.
One Storage Device or Account
Are you carrying around a laptop with lots of sensitive information on it? Storage is cheap. Why not move your sensitive data to a USB stick that you keep somewhere safe instead of losing everything while you were in the restroom at Starbucks?
You want to prevent the existence of any single point of failure in your setup. Any one account or device should be able to go without the whole system collapsing or being severely damaged.
Carrying cash or debit means that if you lose your wallet, get robbed, or get scammed, you’ve denied yourself the motherload of consumer protections built into almost every credit card. If you need to carry cash, carry just a little bit or put low withdrawal limits on your debit/bank card.
What Can Go Offline?
Take a lesson from Battlestar Galactica: if it’s not digital, a hacker can’t touch it. You might want to keep some things offline: in your desk or a safe. Of course, if it’s not digital, it’s also usually not encrypted.
Freeze Your Credit
Equifax, TransUnion, and Experian all offer free credit un/freezing service. If you’re not planning on buying a car or a house, signing a new apartment contract, or opening new credit cards, what reason do you have not to freeze all three (and Innovis and ChexSystems while you’re at it)? If you are planning on doing something which involves credit checks, you can always temporarily unfreeze the relevant credit bureau.
Be Careful With Installers
On laptops/desktops, installers are the best way to get keylogged or otherwise hijacked. Even installers from some reputable companies will come loaded with crapware.
- Whenever given the option, choose “Custom Install” and pay attention to what you’re clicking “Next” to.
- Where you download something from matters. The same software might be wrapped in spyware when downloaded from one site and clean from another.
- The more you get into the weeds with random third party programs, the more you put yourself at risk.
If you’re tech savvy enough, sandboxing and monitoring the installation is a good route when dealing with unknown new programs. For everyone else, just be cautious.
We’ve covered lots in this article, but there is plenty more good material out there. Here’s some of it!