Saturday, November 28, 2015

Seven Tips for Personal Online Security

Last year I wrote Seven Tips for Small Business Security, but recently I decided to write this new post with a different focus. I realized some small businesses are in some ways indistinguishable from individuals, such that advice for personal online security would be more appropriate for some small businesses. In other words, some businesses are scaled such that one or a few people are the entire business. In that spirit, I offer the following suggestions for individuals and these small businesses.

1. Protect your email. Email is the number one resource most of us possess, for three reasons. First, imagine that you forget your password to just about any Web site. How do you recover it? It's likely you request a password reset, and you get an email. Now, if you no longer control your email, an attacker can reset your passwords and take control of your Web accounts. How does an attacker know what accounts you own? That is answered by the second key to email: content. A quick check of your emails will reveal the organizations with which you do business. The content can also provide means to access other accounts. The third reason email is so critical is that it is essentially your online identity. An attacker can use your email to impersonate you and try to gain access to those that trust you.

So, how should you protect your email? I offer four recommendations. First, select a provider who gives you plenty of insight into how your account is used. Would you get an alert when someone logs into your account from a foreign country, for example? Second, select a provider who offers two-factor authentication. This means you can choose to log in with more than just a username and password. Third, select a provider who has experience with confronting and defeating intruders, and who takes actions to continuously improve their security. For consumers, I prefer Gmail. Of course, I am not a fan of being monetized by Alphabet and Google, but the trade-off is worth it for most of us.

My last recommendation is to limit what you store in email. Don't transmit or store sensitive information, like your personally identifiable information (Social Security number, etc.), in your email. As a thought experiment, imagine what it would look like to have your email published online. What would be the consequences? Try to address those concerns by removing such content from your email.

2. If you don't need it, delete it. This general rule applies to applications and data. If you don't need Java or Flash or other applications on your PC, phone, or tablet, remove them. The less software on your device, the better. For data, be judicious about what you store in digital form. Anything stored on a device or in the cloud can be read, copied, changed, or deleted by an attacker. My post “If you can’t protect it, don’t collect it” offers more on this topic.

3. Patch the software you keep. If you use Windows, run a modern version such as Windows 7 or newer, and install patches regularly, for the operating system and applications. On Windows it can be tough to identify just what needs to be updated. A free tool that can help is SUMo, the Software Update Monitor. Download the "lite" version and run it to see what needs to be updated. Pay attention to applications from Adobe, like Flash, Reader, and such. Remember tip 2!

4. Run a modern Web browser. For general consumers, the best Web browser in my opinion is Google Chrome. Make sure it is set to auto-update so you are running the latest version. Install an ad-blocker like Adblock Plus.

5. Back up your data. Research and implement a way to back up the data on your devices. This can be a complicated issue. For example, you may keep sensitive data on your laptop or PC, and you fear putting it in the cloud. One way to address that concern is to store that data in encrypted form on your laptop or PC, such that when it is stored in the cloud it is also encrypted.

Some may argue that certain cloud providers will encrypt your data for you, so why encrypt it locally first? My answer: if an attacker gains access to your cloud backup username and password, he can access your cloud backup provider and download your data, regardless of whether the cloud provider encrypts it or not. If the attacker finds your most sensitive data encrypted within the cloud backup, that means he needs to beat the encryption you applied on your own. Like all the measures in this post, nothing is foolproof. However, introducing challenges to the adversary is the key to security.

Furthermore, don't confuse cloud storage with backup. If you store data in Google Drive, or other locations, don't consider that a backup. I recommend adding a real backup provider to your configuration.

On a related note, enable full-device encryption on devices you are likely to lose. This applies most likely to your phone and tablet. The danger you are trying to mitigate here is physical loss or theft of your device. Be sure you enable a numeric pin such that a thief can't simply log into your lost or stolen device. I am also a fan of services that let you remotely locate your lost or stolen device, such that you can either find them or wipe them at a distance.

6. Buy Apple phones and tablets and keep them up-to-date. This looks like a blatant advertisement for Apple, but I promise you I am not an Apple fan boy. The fact of the matter is that Apple iPhones and iPads, when running the latest versions of the iOS software, provide the best combination of features and security available to the general consumer. They are easiest to operate and to update. Updating iOS and the installed apps is exceptionally easy. Furthermore, the best metric we have regarding software security shows that exploits for iOS devices cost far more than other software or platforms. This means it is tougher for intruders to break into devices running iOS.

7. Consider a password manager, but not for every Web site. Nothing is (or should be) absolute in security. Password managers are applications that assist users with storing, supplying, and even generating usernames and passwords for Web sites and other applications. They are an improvement over using the same username and password at multiple Web sites. However, when using a password manager, you run the risk of a flaw in that manager being used by an attacker to access your username and passwords! It sounds like a tough situation, but in general the benefits of the password manager outweigh the risks. If you choose a password manager, select one that offers two-factor authentication, such that accessing your usernames and passwords requires you to enter a numeric code. Also, don't put your most sensitive accounts in the manager. For example, in deference to point 1, don't store your email username and password in the manager.

Bonus: Be vigilant. Wherever you can introduce alerts about how your accounts and data are being used, enable them. For example, does your credit card offer the option to email you when a purchase is made? Perhaps you only care about overseas purchases, or purchases above a certain amount, or at gas stations. The point is to put your service providers to work for you, such that they give you information that informs your security posture. If you learn of a suspicious event and react in time, you can potentially limit or eliminate the damage through swift personal response.

There are many other considerations for individuals, especially with respect to resisting targeted attacks. I didn't address resisting social engineering, phishing, and the like, but I believe that is well-covered elsewhere. To counter the general opportunistic attacker, these are the steps I would recommend to individuals and small businesses.

2 comments:

Graeme said...

Perhaps number 6 on the list could be reconsidered given that a million dollar bounty was recently paid out for an exploit that can remotely jailbreak iOS 9 devices and install software on them.

Richard Bejtlich said...

Graeme, what do you mean? I think that makes my point.