
DEFENSE: PROACTIVE, TECHNICAL


Every one of us wants to believe we’re safe, and we do so for different reasons. Many teenagers believe this because they’re invincible; many adults believe this because they’re competent and intelligent; and many seniors believe this because they’ve lived a long time. Every person can find some reason to believe in his/her safety. Please remember that the NSA was hacked. These are people with exceptional education, experience, and resources (arguably, that organization is the number one cyber security organization in the world). There is no debate amongst the greatest minds in the security industry that there is no such thing as a fully secure system, nor can there be.


Another interesting factor: there’s a subcategory of phishing known as “whaling” (from the word “whale”). Whaling consists of attempting to scam a “whale”, who is actually a high-level executive in a company, such as a CEO. The interesting fact is that these people are, oftentimes, surprisingly easy to fool. It seems that the higher the pedestal of the individual, the more likely they are to believe themselves invulnerable to psychological attacks, overestimating their own intelligence and defensive layers around their high station.


The point is not to assume you’re safe because you’re smart. Such ignorance is the start of the path to defeat. Instead, remember the crucial fact: information is power - constantly educating yourself and your family is the foundation for all defense. Your interest in such reading material already puts you in a better protected category of people.


Suggested formula: Maximum online family safety = close relationships + good technical defenses + well-informed individuals.


Any defensive strategy must initially include a clear understanding of what you are dealing with: your unique attack surface. In other words, if you consider that you and/or your family are a type of system, determine which parts of that system are vulnerable, and can be used to attack you. Once you have a clear picture of these vulnerable parts, you can focus on minimizing/eliminating them; this will make your attack surface smaller - everything you care about will be harder to harm.



Step 1: Analysis – Understand your attack surface from a technical standpoint.

What are the various ways that the Attacker can technically(!) make contact with the Target?
- Target’s cellphone?
- Target’s computer, tablet, or some other electronic device?
- How is each device secured? (Are there passwords, antivirus software, firewalls, encryption, etc.?)
- What accounts and passwords are stored on each device?
- What sensitive information is stored on each device? How is it protected?


Step 2: Protect each device from malicious software.

Once you have such a list, analyze how each device is protected. Each device is different, and you might have to research them individually to understand the potential vulnerabilities of each. For example, an Android phone is not the same thing as an Apple tablet, which is not the same thing as a Windows computer, etc. This might sound scary, but there is more than enough information online. Large antivirus vendors offer not just a simple antivirus, but multiple products that you can place on an unlimited number of devices, all for one annual subscription.


Ideally, you should have at least the following software on your device:
- Updated Anti-virus
- Updated Firewall
- Updated Operating System (meaning your Windows, macOS, Android, etc.)
- Parental controls, if applicable


You probably noticed the heavy use of the word "updated" - there's a very good reason for this. When a new exploit is discovered, the bad guys are automatically ahead of the good guys, who still have to patch their software, improve their anti-virus product, etc. Until an update or patch comes out, such a vulnerability is called a zero-day vulnerability (an attack that uses it is a zero-day exploit). This means that even if you're fully updated, your software is probably vulnerable. Unfortunately, most people take this for granted. The conclusion is simple - you must minimize such vulnerabilities with regular updates.

No software recommendations will be made here to avoid the appearance of marketing, but please don't be afraid to make your own selection. When you search "top 10 anti-virus 2018", Google will give you plenty of good results with comparisons and discussions. You don't have to be technical to find something suitable.


This is a good start, but that's protection from malware (malicious software, like a virus or spyware). What if your device is lost or stolen? This should also be a primary consideration.


Step 3: Lock physical access to the device.

You lock your house and your car, so your phone or laptop should have an appropriate locking feature in place. Devices can have passwords, biometrics, patterns, passcodes, etc. Biometrics (fingerprint scanners & facial recognition) are considered the most secure, but this only really applies to some military-grade equipment - not smartphones. Even some of the latest smartphones from popular manufacturers can be defeated with old-school methods or certain software. Other methods mentioned above only work if they're complex enough. You can and should do extra research on this, but the main guidelines are:
a) include at least one of each of the four character types (abc | ABC | 123 | !@#)
b) make it memorable but unique to you, like a phrase: The20nty1stCenturyISaV3ryInteresting_time!
c) have at least 20 characters - length is just as important as complexity
Good: Str0ng_P455!!
Amazing: ThissimplephraseisverylongMemorableAndhasall4charactertypes!

There are other tricks to increase password security, but following these guidelines will make your password exponentially more reliable than something like "Ilovelamp1".
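The guidelines above as a small checker, added here as an example and not part of the original article: it tests guidelines (a) and (c) against the article's own sample passwords, reading (a) as requiring all four character types. The "bits" figure is an assumption of this example: an upper bound for blind guessing over the character types used, and real phrases are easier to guess than it suggests.

```python
import math
import string

# The four character types from guideline (a).
CLASSES = {
    "lowercase": string.ascii_lowercase,
    "uppercase": string.ascii_uppercase,
    "digit": string.digits,
    "special": string.punctuation,
}
MIN_LENGTH = 20  # guideline (c)


def check_password(pw):
    """Return (missing_types, long_enough, brute_force_bits) for one password."""
    present = [n for n, chars in CLASSES.items() if any(c in chars for c in pw)]
    missing = [n for n in CLASSES if n not in present]
    # Upper bound on blind brute-force effort: every position is drawn from the
    # combined pool of the character types actually used in the password.
    pool = sum(len(CLASSES[n]) for n in present)
    bits = round(len(pw) * math.log2(pool)) if pool else 0
    return missing, len(pw) >= MIN_LENGTH, bits


if __name__ == "__main__":
    # Sample passwords quoted in the article.
    samples = (
        "Ilovelamp1",
        "Str0ng_P455!!",
        "ThissimplephraseisverylongMemorableAndhasall4charactertypes!",
    )
    for pw in samples:
        missing, long_enough, bits = check_password(pw)
        print(f"{len(pw):>2} chars  ~{bits:>3} bits  "
              f"missing={missing}  length_ok={long_enough}")
```

The estimate grows linearly with every added character, which is why guideline (c) weighs length as heavily as complexity.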

IMPORTANT: you may come across some website that places limits on password parameters (maximum length, for example). I have recently discovered that a major and famous insurance provider does not allow special characters (such as #$%@*) to be a part of the user's password. Their website portal deals with medical & dental claim submission; stores sensitive personal information; and has many other features that demand a high level of protection. Any time you see some website like this, understand one thing: this is an excellent indication of raw incompetence. The site owner did not take reasonable measures to secure access to the users' data. You don't know how else the site owner may have failed to ensure website security - best to stay away.

There are also password managers you can use, if your memory is not great - then you only need the one master password. For recovering lost/forgotten passwords, remember that the "Security Questions" can be used against you - anyone can see them. If your question is "my wife's maiden name", and the "secret" answer is the truth, like "Smith", then anyone who can find such info about you online (or who simply knows you well enough) can bypass that question. A better solution is to answer "my wife's maiden name" with something like "belongs to her annoying mother" - this is difficult/impossible to determine for anyone else, since it's personal to you and comes from your own creativity.


Step 4: Control sensitive content on your device

Look at what you have stored on the device. Your anti-virus is not going to tell you that your primitive notepad file where you keep your passwords is not secured (fix: get a password manager), or that your photos have geo-tagging enabled, and anyone with access to your photos can see where in the world you were when you took them (fix: disable geo-tagging on camera devices). If you saved something sensitive, like that notepad file with passwords, maybe that file is being uploaded to your online Samsung/Apple account (cloud) whenever the phone does a backup. You might still have the physical phone, but your cloud account might get hacked - now the attacker has that sensitive information before you even know about the breach (fix: review phone backup settings).
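One way to check a photo for a geo-tag before sharing it, added here as an example and not part of the original article: it walks the JPEG header and reports whether the EXIF metadata block carries a GPS section. It inspects EXIF only, and the sample images are constructed in the code rather than taken from a real camera.

```python
import struct

GPS_IFD_TAG = 0x8825  # EXIF "GPSInfo" pointer tag in the first image directory


def tiff_has_gps(tiff: bytes) -> bool:
    """Scan the first TIFF directory (IFD0) of an EXIF block for GPSInfo."""
    order = {b"II": "<", b"MM": ">"}.get(tiff[:2])
    if order is None or len(tiff) < 8:
        return False
    magic, ifd0 = struct.unpack(order + "HI", tiff[2:8])
    if magic != 42 or ifd0 + 2 > len(tiff):
        return False
    (count,) = struct.unpack(order + "H", tiff[ifd0:ifd0 + 2])
    for i in range(count):
        entry = tiff[ifd0 + 2 + 12 * i: ifd0 + 14 + 12 * i]
        if len(entry) < 12:          # truncated directory: stop, do not crash
            break
        if struct.unpack(order + "H", entry[:2])[0] == GPS_IFD_TAG:
            return True
    return False


def jpeg_has_geotag(data: bytes) -> bool:
    """Walk JPEG segments up to the image data and inspect the EXIF one."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG file")
    pos = 2
    while pos + 4 <= len(data) and data[pos] == 0xFF and data[pos + 1] != 0xDA:
        (seg_len,) = struct.unpack(">H", data[pos + 2:pos + 4])
        body = data[pos + 4:pos + 2 + seg_len]
        if data[pos + 1] == 0xE1 and body.startswith(b"Exif\x00\x00"):
            return tiff_has_gps(body[6:])
        pos += 2 + seg_len
    return False


def sample_jpeg(geotagged: bool) -> bytes:
    """Constructed minimal JPEG header with an EXIF block (not a real photo)."""
    entries = [(0x0112, 3, 1, 1)]                     # Orientation = 1
    if geotagged:
        entries.append((GPS_IFD_TAG, 4, 1, 38))       # pointer to GPS directory
    ifd = struct.pack("<H", len(entries))
    ifd += b"".join(struct.pack("<HHII", *e) for e in entries) + b"\0" * 4
    tiff = b"II" + struct.pack("<HI", 42, 8) + ifd + b"\0" * 6  # empty GPS dir
    body = b"Exif\x00\x00" + tiff
    return b"\xff\xd8\xff\xe1" + struct.pack(">H", len(body) + 2) + body + b"\xff\xd9"


if __name__ == "__main__":
    print(jpeg_has_geotag(sample_jpeg(True)), jpeg_has_geotag(sample_jpeg(False)))
```

For a real file, pass its bytes: `jpeg_has_geotag(open(path, "rb").read())`, where `path` is whatever photo you want to check.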


Step 5: Understand the nature of your software

Every electronic device is different. This is important to understand. Just because you have the exact same make-and-model phone as someone else doesn’t mean the two devices are the same. One bad/malicious/misused app can mean the difference between a secure, clean phone and a security breach. When you install any software, play Devil's advocate. Is the software from a reputable vendor? Is the app asking for too many or weird permissions (like a music player app that wants to know your geo-location and all of your contacts)? Is it offering to install other software? Why? What kind? Scammers can be very convincing, and will make convincing advertisements. Software may look legitimate, but can be evil by design (made by bad guys); innocent but corrupted (hacked by bad guys before it's even installed); or simply weak (can be hacked by bad guys later on).

Consider what apps you have on your device. A good anti-virus scan can detect not only malware but also suspicious programs. Review all the apps you or your kids have on devices. Check the "permissions" settings on your phones - what permissions does an app require? Why? Question everything you find suspicious, and do your research if you have to. When in doubt, simply deleting the app is always an option.



Remember: there is a ton of info on the Internet covering such topics. This site is by no means a complete resource.

 
