Top 10 Things You Must Do to Avoid Getting Hacked
Top 10 Things You Must Do to Avoid Getting Hacked
This article was written for Peak Prosperity by Terence Kam, Founder and Cybersecurity Consultant at iSecurityGuru.com. You can follow his company on LinkedIn. Or subscribe to his writings on Medium, where he writes on a wider variety of topics.
One of the wonders of technology in this Information Age is that it allows for economies of scale that have never been possible before. It allows for Big Tech companies like Google, Facebook and Apple to scale up to serve billions of people.
But there is a dark side to technology as well.
It allows cyber-criminals to scale up their crimes as well, which massively increases the pay-off. Also, unlike ‘traditional’ crimes like bank robberies, cyber-criminals have a much lower risk of getting caught by authorities. They are often carried out from overseas, in places where the jurisdiction of your local law enforcement does not apply. In other words, technology helps make cyber-crime a very lucrative ‘business’.
With economic crises erupting all over the world, more and more people are falling into poverty and financial strife. Throughout history, whenever economically difficult times arrive, ‘traditional’ crimes like robberies and theft increase. But today, a lot more of these ‘traditional’ crimes are going to ‘migrate’ into the cyber realm. That means cyber-crimes are going to increase and as a result, cybersecurity is going to be more important.
Below are some of the basic steps you can take to improve your cybersecurity.
Invest in a password manager app
Let me be blunt.
If you don’t use a secure password manager app, you will eventually suffer some kind of data breach.
Remember the infamous Colonial Pipeline ransomware attack that caused extensive fuel shortages in the southwestern United States? It was caused by someone using a lousy password. Why was a lousy password used in the first place? Because someone didn’t use a password manager.
Why do you need a password manager?
Well, the password is an ancient authentication method used for thousands of years. This ancient method is no match for the astronomically powerful machines that hackers have at their disposal today. When you use your human brain to come up with passwords, it is like bringing a butter knife to a gunfight with hackers. That’s why, to win against the hackers, you need to bring a gun to a gunfight. That gun is the password manager.
A password manager can do powerful things that the human brain cannot (more scary details are explained here):
- Generate extremely long and random passwords that cannot be guessed by machines (not even a futuristic quantum computer). Only such passwords are safe from hackers. But the human brain cannot remember such passwords. However, a password manager can do it for you.
- Ensure all your passwords are unique. If you don’t ensure that all your passwords are unique across all your website accounts, then you are taking a risk with your cybersecurity. Nowadays, with too many digital accounts in our life (I have several hundred!), our human brain is not able to remember all these unique passwords. But a password manager can.
Furthermore, a password manager can do the following for you:
- Warn you if you are using lousy passwords. If you use a lousy password, a good password manager is going to warn you about it.
- Warn you of data breaches in websites. Some password managers will warn you if a particular website suffers a data breach and therefore, which of your passwords are in danger of being stolen.
- Protect you from phishing attacks. Password managers have the facility where they can automatically pre-fill in your passwords on websites. They know which password to fill because they can match the web address in the web-browser address bar with the web address of your password stored in their database. If you go to a phishing website, the web address will not match. Therefore, they will not pre-fill your password on the phishing website. This will tip you off that something is not right.
I recommend the following password managers:
- LastPass (All Platforms)
- 1Password (All Platforms)
- KeePass (Windows)
- StrongBox (iOS, iPadOS, macOS)
- iCloud Keychain (part of iOS, iPadOS, macOS)
Set up 2nd-Factor-Authentication (2FA)
Password as an authentication method is broken. But unfortunately, we are still stuck with this ancient method today. Therefore, we need something more than the password to secure our digital accounts.
To do that, we need at least 2 of the following to ensure secure authentication:
- Something you know (i.e. password)
- Something you have (e.g. mobile phone, authentication token)
- Something you are (e.g. fingerprint, face, iris)
We already have (1). We also need either (2) or (3). That (2) or (3) is known as the 2nd-Factor-Authentication (2FA).
More and more websites are allowing you to set up 2FA to further protect your digital accounts. For example, Google allows you to use the following as the 2FA:
- Text messages on your phone
- Google Authenticator app
- A prompt in your Gmail app
- Physical tokens like the YubiKey or the Titan Security Key
Note that 2FA is called differently by different vendors:
- 2-Step Verification
- 2-Factor Authentication
- Multifactor Authentication
- Duo Verification
But they all mean the same thing.
Avoid text messages of 2FA wherever possible
Some vendors use text messages as a form of 2FA. If you can have a choice of 2FA, avoid it.
Text messaging is an old technology that is not designed with security in mind. It is not private and there are a lot of cases where hackers had used SIM port hacks to intercept their victims’ text messages.
Update your software and operating system
The IT industry has not figured out how to write secure code.
Every time hardware and software vendors released new products, more lines of computer code are released as well. More lines of code mean more cybersecurity holes. That means there are always holes to be patched.
Worse still, there are always massive backlogs of holes to be found and patched. For example, even today, Microsoft is still finding holes in code written a dozen years ago in their latest Windows operating system!
Therefore, vendors are always on the never-ending treadmill of releasing patches for security holes in their code. You will need to be always up to date with the patches to be secure.
That includes your web-browsers (Firefox, Chrome), operating systems (e.g. Windows, macOS, Linux, Android, iOS, iPadOS), email software (e.g. Outlook, Gmail). Also, don’t forget the software code in your hardware appliances (e.g. routers, Smart TV, Internet-of-Things).
Remember: Anti-malware software is just the starting point for cybersecurity
There is a myth out there that says that all you need is anti-virus software and you will be digitally secure. This is NOT true!
That may be true 20 years ago. But hackers and cyber-criminals are getting smarter and smarter over the years. For one, anti-virus software cannot catch and detect every malware. Also, it cannot prevent sophisticated hackers from exploiting security holes deep in the operating system. In other words, sophisticated hackers can bypass anti-virus software.
Today, at best, anti-virus software is merely only the STARTING POINT of keeping yourself digitally secure. Having one is better than none. But do not let its presence lull you into complacency.
Don’t go installing software/apps that you are not looking for
This is a simple rule of thumb to follow.
If you are asked to install a software or app out of the blue, don’t do it. For example, a website may suddenly warn you that you need to install particular software to avoid being hacked. Or you need to install a particular video player software to view certain videos. There is a high chance that you may end up installing malware on your computer or device.
This is related to one of the 10 Immutable Laws of Cybersecurity:
Law #1: If a bad guy can persuade you to run his program on your computer, it’s not your computer anymore
Before you install any software or apps, always stop and ask yourself whether you trust whoever wrote the software. If in doubt, don’t.
Don’t forget web-browser extensions
Your web browser will also contain many third-party extensions (sometimes called “add-ons” and “plug-ins”), which are third-party computer instruction code that modifies or adds functionality to your web browser (e.g. help it perform specific functions like viewing special graphic formats or playing multimedia files).
They can be given permissions to access the ‘inner plumbings’ of your web browser, which can mean that they are permitted to access your private information in your web-browsing session. Therefore, you need to audit the extensions’ permissions from time to time to ensure that they are appropriate. If you are not comfortable with an extension’s permissions, you should disable it.
The general rule is to avoid installing web browser extensions wherever possible. If you have to, only install the ones from developers you trust.
Always check the web-browser address bar
A phishing attack is a scam in which the attacker pretends to be from a legitimate business such as a bank, telephone or internet service provider.
Usually, the scammer sends you a legitimate email that tries to induce you to click on a link to his website. That website looks almost indistinguishable from the legitimate website of an entity.
Except for one thing.
The web address of the phishing scam is not from the entity. Most phishing scams can be thwarted if their victims look carefully at the web browser address bar.
There are, however, more sophisticated phishing scams that try to fool people who check the address bar. I have listed some of them here. But most scams can be avoided by simply checking the address bar.
Ensure that the internal storage of your devices and computers are encrypted
Consider this news report from a recent news article,
Criminal networks are feeding off Australians’ lust for new technology by skimming data from computers dumped in Africa and Asia – and using it for blackmail, fraud and identity theft.
They will pay as much as $200 on the black market for discarded computer hard drives, which they mine for bank details, credit card numbers and account passwords.
These hard drives are among the mountains of electronic waste earmarked for recycling here. Instead, they are illegally shipped to developing countries by operators seeking bigger profits.
Before you resell, dispose or recycle your device, computer and disks, you have to take precautions to ensure that your personal information does not fall into the wrong hands. If not, you may find yourself to be a victim of identity theft later on. The best way to do that is to ensure all your data in your devices and computers are encrypted beforehand.
The latest Windows PC and Macs have encryption turned on by default. But older PCs and Macs may require you to turn on the encryption manually. All iPhones and iPads are encrypted.
But only some Android devices are encrypted. You need to check the settings and may have to turn on encryption manually.
Don’t forget to securely erase all your external drives and USB sticks
Do you know that when you ‘erase’ files or ‘format’ your external disks, the data is not removed? What happened is that the operating system merely marked the area that stores the ‘erased’ files and ‘formatted’ disks to be ready for reuse later on.
There are lots of data recovery software in the market that helps you recover ‘erased’ files and ‘formatted’ disks. If you store confidential data on such disks and lose/dispose of them, someone else can easily recover your confidential data.
Therefore, you need specialised secure erasure software like DBAN and iola DriveScrubber to truly scrub off confidential data from your ‘erased’ and ‘formatted’ disks.
Alternatively, you can encrypt your external disks beforehand so that you don’t need to secure erase your disks before disposal.
One last thing. Because cyber-criminals are opportunists, you do not need absolute cybersecurity.
To understand why let me tell you a joke:
Two men were chased by a bear. The first man told the second man, “Why bother to run? We can never ever outrun the bear!”
The second man answered, “I don’t have to outrun the bear. I only have to outrun YOU!”
The principle is this: If you are much more cyber-secure than most other people, cybercriminals, being the opportunists that they are, will find some other easier targets. As long as you are not specially targeted, it is easier for cybercriminals to target someone else.
That means you don’t have to fall into the paranoia of absolute cybersecurity.
Have cybersecurity tips to share? Join the conversation below…
– Peak Prosperity –
NOTE: Comments from the old website are still being migrated, but feel free to add new ones. Please be patient while we complete this process. Thanks!