@AlexAtkinson
Last active February 24, 2026 06:05
Security For Everyone

Introduction

This introduction to security is for everyone, with the goal being to ensure a baseline level of safety and confidence while enjoying our digital lifestyles.

Tip

If technology seems daunting, look for educational materials on digital literacy from sources you trust. Note that there are no prerequisites for reading this document.

New material on security is published daily, so why should you read this? Two reasons:

  • This IS NOT marketing material.
  • Understanding this material will greatly improve your security posture, which benefits everyone -- your friends, family, employer, and society in general.

The second point is critical, and central to the motivation for this document. Threat actors (a general term for malicious parties) are devastating to society, including your community, and you directly. As the most topical example, consider that for every service you pay for, the price includes the cost of implementing the company's information security posture. This includes government services, which are paid for by your taxes.

If you're interested in this topic, PeerJ published a study: 'Cyberterrorism as a global threat: a review on repercussions and countermeasures', which can be found at the National Library of Medicine.

Simply adopting a few good habits will make you functionally safer than the majority of society. This is why the first section is "Daily Due Diligence", which outlines about a dozen points that are proven attack vectors that will likely never be permanently solved by technology providers.

Quick Start Checklist

If you only do a few things, start here:

  1. Use a password manager.
  2. Use a unique password for every account.
  3. Enable 2FA (prefer passkeys where supported).
  4. Keep devices, browsers, and apps updated.
  5. Verify links before clicking.
  6. Never enter credentials after following an unexpected link.
  7. Lock your screen whenever you step away.
  8. Enable full-disk encryption.
  9. Be cautious with public Wi-Fi (use a trusted VPN when needed).
  10. Report suspicious activity quickly.

Daily Due Diligence

Humans are the attack vector that technology cannot solve, which is why being aware of some of the common tactics threat actors use is essential. As noted, this material doesn't only help to protect yourself, but also your friends and loved ones, as well as your employer -- which is likely a big part of your community.

Wait, “Friends and loved ones!?” - yes. Here’s a real-life example:

You receive a message on a popular social platform from someone you trust, with a click-bait topic such as “Is this you in this video!?” and a link. The link leads to what looks like the login page of another popular site, which you are asked to sign in to. It is a fake page designed to trick you into entering your username and password, and such pages can be very difficult to distinguish from the real thing.

Upon entering your credentials the attacker immediately:

  • Tries the credentials against financial websites, websites that might have stored credit card information or allow purchases, and other social platforms; and
  • Uses your social account(s) to send more fake messages to your contacts. This is generally automated, and happens nearly instantly.

In this scenario, if you’re the one who’s had their social media account compromised, then it would be your friends and family who get that dangerous message, and likely several work colleagues.

Read on to learn more about safely navigating our digital lives.

Important

Legitimate government, financial, or other serious institutions will never call you and ask for your username, password, or other sensitive authentication details. If an institution calls you, ask them to provide a case number, then call back using a phone number you independently verify from their official website.
*See this Forbes Article, where I was mentioned for raising alarm over a particularly complex example of a like scenario.

Good Habits to Help Protect Us All

  1. DO NOT plug in "found" USB keys. Throw them away.

    • Dropping malware-infected USB keys around target locations is a tried-and-true method of getting an unsuspecting employee, or the target themselves, to give threat actors direct access to their systems.
    • Avoid USB keys from cheap/unknown brands.
      • While on the topic of untrustworthy devices, the BBC did an article on clothes irons which were found to have microphones and Wi-Fi chips that would connect automatically to open Wi-Fi networks... International espionage is real.
  2. Beware of links or files sent to you, even if they’re from a known contact.

    • Hover over links, such as this, to view their destination URL as a popup (in some browsers) or at the bottom left corner of the window.
  3. Avoid shortened links, such as: https://t.ly/871C7. (This one is safe 😃)

    • If it’s important enough to investigate, you can check if the site has been previously identified as malicious, preview it online, or even attempt to unshorten a URL.
    • When following any link, make it a habit to double-check that the domain in the address bar is correct. Fake login site domains are often similar to legitimate ones but with one character changed, e.g. faccbook.com.
    • Attackers may not always be after your credentials. This point is critical for anyone dealing with matters influenced by current events. For example, if you're a fund manager and you open a news.com link that details something about a company, your decision making may be influenced.
    • If a link takes you to a login page and you need to be absolutely certain: close it, then open the site in a new tab by typing the URL yourself, or by accessing it via Google search results. Address bar spoofing is one of the more difficult tactics to defend against because a spoofed page can look exactly like the real site.
  4. Check for the padlock icon (🔒) on the left side of the address bar before entering credentials. This indicates an encrypted connection (TLS), but does not by itself prove that a site is trustworthy.

  5. Use strong passwords & 2FA (two factor authentication).
    😀 For fun, you can check these passwords with the Password Strength Meter.
    ⚠️ NEVER put a real password in any such tool. Assume that they're being recorded...

    • Strong password examples:
      • bmT?M4bGhYPcLPA$L#!xET - A completely random alpha-numeric-special string.
        • Impossible to remember, impossible to guess, very difficult to crack, and requires a password manager.
      • EveryoneShouldFear7-SevenAteNine!!Z0MG!! - Unique sentence with numbers/symbols/leet/etc.
        • Not too hard to remember, impossible to guess, extremely difficult to crack.
    • Weak password examples:
      • TheC^keIsALi3 - 'TheCakeIsALie' in leet speak.
        • Issues: common phrase with common leet speak character substitutions.
      • 1234567890, lastname87, bartSimpson
        • Issues: phone numbers or other personal information, pop culture references, etc., are easily guessable or susceptible to basic dictionary attacks.
      • See NordPass's Top 200 Most Common Passwords list for more. There are many, much larger password lists/databases out there.
      • BONUS: haveibeenpwned has a massive database of breached accounts and passwords that you can search by email address to see if you’ve been pwned.

    Note

    Passwords are being deprecated in favor of passkeys. This will happen gradually, but at some point major service vendors will make them mandatory. See these resources for more, starting with the least technically demanding:
    ‣ 1Password has a layman-friendly and concise introduction here.
    ‣ FIDO Alliance’s intro material.
    ‣ The Future of Authentication | NCCoE (a NIST webinar aimed at security professionals).
    ‣ The W3C specification for WebAuthn can be found here.

  6. Use a different password for every site.

    • This ensures that if a site has their user database breached, your stolen password will not be usable on other sites.
    • Requires a password manager.
  7. In case you missed the hint -- use a password manager. They assist in strong password generation, form completion, darkweb monitoring, and even automatic password changes across sites that support it. There are several to choose from, my personal recommendations are:

    • 1Password - When managing credentials or other sensitive information that needs to be made available to multiple groups or teams of people. This is facilitated with their ‘vault’ system.
    • Dashlane - When managing personal credentials or other sensitive information that does not need to be shared with others (this is a feature though). Dashlane can even monitor the darkweb for you.
    • And one to avoid (in my very strong opinion): LastPass.
  8. DO NOT leave your computer screen unlocked and unattended, especially in public. If it's a laptop and you're in public, ensure that it's physically secured with a laptop lock if you're going to leave it unattended for any amount of time.

  9. DO NOT use “free” online utilities (at least be careful), such as json formatters, password generators, “secure” password sharing utilities, image editors, etc. Many bad actors offer these tools as a mechanism of collecting information or assets from unsuspecting end users.

  10. Use an Antivirus application on your personal devices. My personal recommendations are (depending on OS):

  11. BONUS: Ensure full disk encryption is enabled on your personal devices.

    • Filevault for MacOS
    • Bitlocker for Windows
    • LUKS for Linux (See distribution specific documentation)
      • Don't miss the encryption checkbox on/around the disk setup screen during OS install.
  12. BONUS: Don’t use public hotspots without a VPN to encrypt your traffic. I recommend NordVPN or Mullvad. DO NOT USE FREE VPNs.

    • Note that a VPN does not guarantee anonymity, thanks to device fingerprinting. If you absolutely require anonymity, research how to achieve this. These are the basics for those who want to get into some more advanced material:
      • Set up encrypted DNS over TLS/HTTPS. This can be done with some VPN clients, or with a separate solution.
      • Use different browsers for different activities, e.g. Chrome for Gmail and other Google activities, and Vivaldi for everything else. Never log in to Google in the other browser. Two browsers, minimum.
      • Use adblock, anti-tracking, and anti-cookie extensions.
  13. BONUS: Never give away your biometric data. There are products surfacing which offer incentives for things like a retinal, fingerprint, or face scan... These assets are effectively you. Protect them.

  14. BONUS: Be familiar with personal physical security considerations.

  15. BONUS: Beware posts on social media that are designed to mine for account verification and recovery question answers, such as this:


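The address-bar habit from items 3 and 4 above, written as a local check (an added example, not code from the original gist): it flags a domain that is one character off a trusted one, uses look-alike characters, or buries a trusted name inside someone else's domain. TRUSTED_DOMAINS and the sample URLs are constructed for the example.

```python
"""Lookalike-domain check for links, to run before entering credentials."""
from urllib.parse import urlsplit

# Constructed: the handful of sites this user actually signs in to.
TRUSTED_DOMAINS = ("facebook.com", "google.com", "github.com")


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: how many single-character edits separate a and b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def normalize(domain: str) -> str:
    """Fold characters that look alike in an address bar (rn->m, vv->w, 0->o, 1->l, 3->e, 5->s)."""
    d = domain.lower()
    for pair, single in (("rn", "m"), ("vv", "w")):
        d = d.replace(pair, single)
    return d.translate(str.maketrans("0135", "oles"))


def registrable_domain(host: str) -> str:
    """Last two labels of the host. Simplification for the example: production code
    should consult the Public Suffix List so that e.g. 'shop.example.co.uk' is handled."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def classify_link(url: str, trusted=TRUSTED_DOMAINS) -> tuple:
    """Return (verdict, domain). Verdicts: trusted, no-tls, lookalike, unknown, invalid."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    if not host:
        return ("invalid", "")
    reg = registrable_domain(host)
    if reg in trusted:
        # Right domain, but without the padlock (TLS) from item 4.
        return ("trusted" if parts.scheme == "https" else "no-tls", reg)
    for t in trusted:
        # A trusted name used as a subdomain of someone else's domain:
        # facebook.com.evil.example is controlled by evil.example, not Facebook.
        if t in host:
            return ("lookalike", t)
    for t in trusted:
        # One character changed (faccbook.com) or swapped for a look-alike (g00gle.com).
        if edit_distance(normalize(reg), t) <= 1:
            return ("lookalike", t)
    # Not trusted and not impersonating a trusted site: still type the URL yourself
    # before logging in; "unknown" is not a clean bill of health.
    return ("unknown", reg)


if __name__ == "__main__":
    for link in ("https://www.facebook.com/login", "https://faccbook.com/login",
                 "https://facebook.com.evil.example/login", "https://g00gle.com/"):
        print(link, "->", classify_link(link))
```

The heuristics err on the side of false positives; a "lookalike" verdict is a prompt to close the page and retype the address, not proof of an attack.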
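An offline version of the strength check discussed in item 5 above (an added example, not code from the original gist): it runs locally, so nothing is sent anywhere, and it catches the page's weak examples for the reasons the text gives (leet-speak versions of common phrases, personal information with a year, number sequences). COMMON_PHRASES and PERSONAL_INFO are small constructed stand-ins for the large breached-password lists mentioned in the text.

```python
"""Local password-weakness check: dictionary, leet-speak, sequences, then length/variety."""
import re
import string

# Reverse leet-speak map; cracking rules try these substitutions as a matter of course.
LEET = str.maketrans({"^": "a", "@": "a", "4": "a", "3": "e", "1": "i", "!": "i",
                      "0": "o", "$": "s", "5": "s", "7": "t"})
# Constructed stand-in for a real common-password/phrase list.
COMMON_PHRASES = {"thecakeisalie", "password", "letmein", "bartsimpson", "qwerty"}
# Constructed stand-in for what an attacker can learn about the target (names, years, pets).
PERSONAL_INFO = {"lastname", "1987"}
# Keyboard rows and wrapped digit/letter runs, in either direction.
RUNS = ("01234567890", "abcdefghijklmnopqrstuvwxyz", "qwertyuiop", "asdfghjkl", "zxcvbnm")
CLASSES = (string.ascii_lowercase, string.ascii_uppercase, string.digits, string.punctuation)


def letters_and_digits(s: str) -> str:
    """Drop anything that is not a lowercase letter or digit."""
    return re.sub(r"[^a-z0-9]", "", s)


def is_sequence(s: str) -> bool:
    """True for runs such as 1234567890, abcdef or qwerty (forwards or backwards)."""
    return len(s) >= 4 and any(s in run or s in run[::-1] for run in RUNS)


def assess(pw: str) -> tuple:
    """Return (verdict, reason); verdict is 'weak', 'fair' or 'strong'."""
    core = letters_and_digits(pw.lower())                  # as typed
    plain = letters_and_digits(pw.lower().translate(LEET))  # leet substitutions undone
    for candidate in (core, plain):
        base = re.sub(r"^\d+|\d+$", "", candidate)        # 'lastname87' -> 'lastname'
        if candidate in COMMON_PHRASES or base in COMMON_PHRASES:
            return ("weak", "common phrase (possibly with leet substitutions)")
        if base in PERSONAL_INFO:
            return ("weak", "personal information")
    if is_sequence(core):
        return ("weak", "keyboard/number sequence")
    classes = sum(any(c in cls for c in pw) for cls in CLASSES)
    if len(pw) < 12 or classes < 3:
        return ("weak", "too short or too few character classes")
    if len(pw) >= 16 and classes == 4:
        return ("strong", "long, all character classes, not dictionary-derived")
    return ("fair", "acceptable, but longer or more varied is better")


if __name__ == "__main__":
    for sample in ("TheC^keIsALi3", "1234567890", "lastname87", "bartSimpson",
                   "bmT?M4bGhYPcLPA$L#!xET", "EveryoneShouldFear7-SevenAteNine!!Z0MG!!"):
        print(f"{sample!r}: {assess(sample)}")
```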
If You Suspect Account Compromise

  1. Disconnect from untrusted networks and stop using the affected account on that device.
  2. From a known-clean device, change the password and rotate any reused passwords.
  3. Revoke active sessions/devices and regenerate app tokens where available.
  4. Review and secure recovery methods (email, phone, backup codes, passkeys).
  5. Notify your employer/security contact (for work accounts) and monitor financial activity where relevant.

Corporate Mitigation Efforts

While everything above is essential for personal security, it also applies to professional security as well. This section focuses on additional organizational measures to ensure a strong InfoSec posture.

Data Breaches

Do you know how to identify a data breach? It's not difficult.
Anytime you see PII (Personally Identifiable Information) or PHI (Personal Health Information), whether it’s yours or not (especially if it’s not), consider whether it should be there, and whether or not you should be viewing it.
If something seems off, refer to your internal security policy for guidance on raising an issue.
Security leadership will refer to the data protection laws for your company's geographic location as well as the region of the data subject's citizenship when determining when to notify the relevant Data Protection Authorities.

Important

DO NOT message companies publicly regarding data breaches or other security vulnerabilities, as this will lead to greater exposure than necessary. Contact them via the details in their privacy policy. If they have not listed such a contact, notify them of that on their public media channels and go from there.

Employee Training

Employees must complete general security training. The training does not specifically have to be a test with a pass/fail, but that is strongly encouraged, as it demonstrates a stronger due-diligence posture on the part of the company. Training completion must be logged.

Note

Reviewing this guide in a classroom-style session and recording attendance is better than nothing, and demonstrates a level of due-care and due-diligence.
Hold a brainstorming session to discover context-specific concerns for your company, product, and industry. Reviewing these points with AI if you don't have a dedicated security group isn't an awful idea. But you will need one at some point.

Authentication

Recommendation: Jumpcloud, OKTA, Onelogin, keycloak, supertokens, etc., by use case.

Vendors

All vendor accounts must be configured with an email group as the owner, NOT a personal email address. For example, use 'devops@email.com', rather than 'joefoobar@email.com'. This is to ensure that vendor accounts are retrievable in the event that the individual who set them up leaves the company, or goes on vacation.

Note

When configuring recovery details that ask the generic "first pet" type of questions, enter generated passwords as the answers rather than real facts. Record the answers carefully in your password manager.

Important

Record ALL vendor account credentials in a password manager (1Password/Dashlane) that someone else has access to. This is a Continuity Consideration.

Service Accounts

All accounts used for the configuration of services MUST specifically be set up as service accounts -- NOT personal accounts. This is to ensure that services a person may have set up don't become disabled with their account when they leave the company, or their access changes.

Important

Record ALL service account credentials in a password manager that someone else has access to.

Licenses

Software & licenses must be carefully tracked.

Important

Record ALL licenses in a password manager...

Communicating Credentials

Securely communicating credentials can be challenging, but here are some simple recommendations anyone can follow:

  • You guessed it -- use a password manager.
  • Send usernames and passwords separately.
  • Send half of a credential via one method and the other half via another.
    Example: If the password were abc123, then:
    Send "abc" via email.
    Send "123" via a different email address, or by text message.

Any time a password manager is not available, credentials should ideally be communicated via an end-to-end encrypted tool such as WICKR, an email encrypted with PGP, or via a file encrypted with a tool such as VeraCrypt.

Note

If the credentials in question are for something such as a financial institution, or an AWS root account, then all possible due diligence is required. Consider self-destructing messages, where supported.

Review NIST Special Publication 800-63: Digital Identity Guidelines for the latest from NIST on Authentication and Lifecycle Management.

Insider Threat

Some of the more severe risks that may exist for an organization may come from insider threats. These may be:

  • employees who don't know how to behave in a secure manner
  • employees who just don't care
  • employees who know better, but choose to ignore or bypass security controls
  • employees carrying out industrial espionage
  • disgruntled employees

Some of these examples are ostensibly worse than others, but there are many scenarios where an employee who just doesn't care can do more harm with a careless mistake than an active threat actor, given their access.

Important

This is one reason why it's absolutely critical to maintain high eNPS scores. Engaged, invested employees make fewer mistakes. This is a Continuity Concern.

Risky Phrases / Behaviors

Beware of these, and like phrases:

  • "Keep it cheap and cheerful."
  • "Massage the answers a bit."
  • "We're not covered by <data protection law>", or "We don't need compliance."
  • "Move fast and break things."
  • "Enable password-only authentication for SSH."
  • "Export production data to <lower env>"
  • "Test in production" (not for anything but the most innocuous/topical changes)
  • "The developer's laptops count as the 'test' env", or "We don't need pre-prod..."
  • "Deploy from commit hash."
  • "We don't need Content Security Policy headers."
  • "We don't need access control."
  • "We don't have to be GDPR compliant."
  • "We can't afford <industry standards>."

Such notions indicate either a lack of understanding of the compliance landscape to which businesses are exposed, or willful negligence -- both of which will result in lawsuits.

Important

Note carefully that the level to which you can demonstrate due diligence and due care during a data protection authority investigation influences to a great degree the fines and other consequences you may be subject to.
DISCLAIMER: This is very specifically not legal advice -- consider it common sense.

Compliance (Digital)

This is a truly expansive, confusing, and expensive area of business operations. Here are a few key points to keep in mind:

  • Domestic and international laws are continually and rapidly evolving. This is one reason why understanding this material and staying compliant is such a challenge.
  • Data protection laws, like any other, dictate your compliance mandates.
  • You do not choose which laws you are subject to. These are external mandates to which you are obligated and accountable.
  • You may purposefully de-scope your organization and products from certain legislation by ensuring that you do not operate in any manner that would qualify you as a covered entity. This is usually defined as collecting, processing, handling, or sharing the protected data of data subjects. Practically this means restricting your business activities to designated regions with geo-restrictions, and rejecting sign-ups from citizens of countries for which you do not have adequate security controls in place to satisfy their regulations.
  • Data subjects are widely defined by both regional location and nationality. This is another reason why this material is so complex.
  • Aside from data protection authorities, corporate customers and the general public are becoming more demanding over time. Achieving and maintaining strong reports against baseline compliance frameworks such as SOC2 (Type II), and ISO27001 are not optional.
  • Be aware that data protection legislation doesn't only concern itself with how you handle data, but also with the business activities undertaken with it. This is critical, especially as AI use becomes commonplace. See Canada's Directive on Automated Decision-Making, GDPR's Art. 22, the CCPA's fact sheet on it, etc.
  • Compliance is a journey, which is why it's commonly referred to as the "Compliance Journey". This is a continually active surface for organizational development, and necessitates dramatic investment. This is another reason why the golden age of the startup is widely considered to be over.
  • Finally, have a Compliance Partner, and a Compliance Automation Product to assist you in this. Even if you have a Chief Compliance Officer, it's too much material to handle in-house. I really enjoyed Tugboat Software before they were acquired by OneTrust -- so they're probably even better now. To illustrate the scope of this material, have a look at:

Security Q&A/FAQ

Q: When do you flag something as suspicious?
A: Anytime something seems wrong. Don’t wait until you’re feeling like this before raising the issue.



Q: How do you report security concerns?
A: First, DO NOT flag them in an open Slack channel, or other forum — Advise your manager, or privacy/security officer directly.



Copyright © 2024 Alex Atkinson. All Rights Reserved.
