If you are reading this post, chances are you are aware of internet hacks – you have heard of the company that got all its data stolen, or the CEO whose social media account was compromised. If you work at an enterprise, it’s likely that your enterprise bought and deployed some security products to protect its employees and its intellectual property. However, there are multiple ways to trick such security measures, whether you are at work or when you are browsing from the safety of your own home. In this post I collected four simple rules that can help you stay protected. In the continuous battle between security and usability, following these four rules gives away very little comfort, yet significantly increases the chance you will not be hacked. These rules are good practices and they are enough for most people, chances are they will save you from being hacked. You will not always know if they helped you, but if you make them a habit, they will do you good.
- The most important advice on the list – protect your passwords. Credential leaks are today’s number one tool for cyber criminals to access user information. Usernames (or email addresses) and passwords are for sale on the dark web by the millions. Since hackers know people are often using the same password on different sites, when hackers get access to a list of usernames and passwords, they immediately try using these credentials on other, more valuable, sites. There are two main methods to beat this statistic, and you should use them both – use both a password manager and two-factor authentication.
- Humans are not meant to remember passwords, and good passwords should be hard to memorize. Let the computer remember them and use a password manager. This will allow you to get a unique random password for each site. If data leaks from one site, it will have no effect on the rest of the sites you visit.
- On top of that, use two-factor authentication where available (and it is available today on most large sites). This will ensure that even if a hacker has your password, it will be very hard to break into the site. Specifically, use two-factor authentication when you log in to your password manager.
Using a password manager might be considered a risk by itself – by doing so you put all of your passwords in one place. However, security experts believe that the risk is still lower than any other password system. Password managers are making it their job that your passwords will not be revealed, and common password managers are very good at it. However, in order to reduce the risk even more, never log in to your password manager on an unknown device – always use your mobile or other devices to access it.
The reason the password protection rule comes first is because you do not need to be a target in order for your credentials to be (re)used – if you have a username on one of the hacked sites (recent examples are LinkedIn, Yahoo Mail, Twitter, Target, and more) it is likely that without targeting you specifically, someone already tried using your leaked credentials elsewhere.
- The second most important piece of advice is protecting your devices from being hacked. Malwares have several infection stages, and the first one is running malicious code on the user’s device. There are a few simple behaviors that will reduce the risk of malicious actors running their code on your device and prevent it from being infected.
- Think twice before you click on web links – links can be on emails, on unknown websites, on web ads, and anywhere else. The link can lead you to an unknown site that might run code on your device and infect it.
- Avoid opening an unknown email attachment – almost any file type today can cause malicious code execution, even the innocent-looking ones. Make sure you expect the doc, make sure you know the link, and in case of any doubt just don’t open them. If you want to be sure, text the person who sent you the email to double check. Don’t allow physical access to your device – don’t connect a USB device you don’t know to your computer. This includes a disk on a key you may find on the street and the one you got from a trade show. Don’t connect your phone to a USB charger you don’t know. Don’t insert an unknown CD on your computer (for those of us who still have a CD / DVD drive).
Following these rules will prevent remote and physical access to your device, and will help keep all of your devices safe.
- Even when following the rules above, there is a chance your device will be hacked. You should keep the most important part of it accessible to you – back up your hard drive and work. The backup will become handy in case of a malware (ransomware) infection, and also in case of a disk failure. It will ensure you have access to your data, work, photos and more in case something happens. It’s a simple rule, which can save you a lot of money and trouble.
- The last rule is more educational than a practice – assume you can be hacked. Assume someone can get access to your data. Assume any email you send might go public (even as a result of an innocent forward or wrong recipient typing). If you have something private to say, say it over the phone or face to face, but not over email.
Assume your hard-disk can be compromised. Never save passwords in a file on your hard disk. Think twice before saving personally identifiable information (PII) on your disk. I know this is a hard-to-follow advice, so when you do save such data, balance the risk between usability and security and decide if the data is worth saving on a disk. Keeping the above in mind will ensure that even if you do get hacked, the damage is kept to a minimum.
The rules above can keep you safe in most instances, and should be followed as much as possible. By protecting your password and your devices, backing up your data and assuming you can be hacked, you will be more protected. Practice these rules, and its likely you will keep your online accounts and data as your own. If you want to be an even better internet citizen, make sure those you know also follow these rules, and benefit them too.