5 Tips to Keep Your Online Life Secure

Posted on February 7, 2020 by Robert Goyette

The internet has always carried an aura of mystery in the layman’s mind, and for good reason: there is a lot going on.

Although the average person doesn’t need to know (or see!) everything on the internet, there are some things one should know to stay out of trouble. It’s a best practice to learn a bit about operating a chain saw before swinging it around; the internet should be treated with the same caution.

There’s a flood of information available about every vulnerability, its “blinky box” solution or the latest cure-all SaaS – enough to transform online holiday shopping into a terrifying tiptoe through a virtual minefield. It doesn’t have to be that scary. Here are 5 simple tips to keep your online life more secure without spending a ton or being cyber-paranoid.

Let’s Begin…

1. Don’t Reuse Passwords

Why is this a problem?

This is quite simple: if the password for one account is guessed, the attacker can use that same password on all your accounts. This is an obvious problem, and there seems to be an easy solution: just design an unguessable password. This solution, although not the most secure, would work IF your password never appears in a leaked data breach. This brings us to the scary reality: one of your previous or current passwords has most likely already shown up in a data breach. It is inevitable that a password will be exposed in a data breach, rendering password reuse, no matter how complex the password, insecure. A quick place to check whether one of your accounts has been leaked in a KNOWN data breach is to enter your various email addresses at the following website: haveibeenpwned.com.
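The same service also lets you check whether a specific password has appeared in a known breach, and it does so without ever receiving the password: only the first 5 hex characters of its SHA-1 hash are sent, and the matching is done locally on the returned list of suffixes. The example below is added here and is not code from the post or its author; it goes a step beyond the email check above by showing the password check. It assumes the public Pwned Passwords range endpoint (https://api.pwnedpasswords.com/range/<prefix>), makes no network request, and works offline against a constructed sample response whose surrounding suffixes and counts are made up.

```python
import hashlib

RANGE_API = "https://api.pwnedpasswords.com/range/"   # real endpoint; not contacted here


def sha1_upper(password: str) -> str:
    """Pwned Passwords is keyed on the upper-case hex SHA-1 of the password."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def split_hash(password: str):
    """First 5 hex chars are sent to the service; the remaining 35 never leave your machine."""
    digest = sha1_upper(password)
    return digest[:5], digest[5:]


def range_url(password: str) -> str:
    """URL a client would fetch (with a User-Agent header) to get all suffixes for the prefix."""
    prefix, _ = split_hash(password)
    return RANGE_API + prefix


def parse_range_response(body: str) -> dict:
    """Each response line is '<35-char hash suffix>:<times seen in breaches>'."""
    counts = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, sep, count = line.partition(":")
        if sep and count.strip().isdigit():
            counts[suffix.upper()] = int(count)
    return counts


def breach_count(password: str, body: str) -> int:
    """Times the password was seen in breaches according to the range response
    for its prefix; 0 means it was not in the list."""
    _, suffix = split_hash(password)
    return parse_range_response(body).get(suffix, 0)


# Constructed sample response for prefix 5BAA6 (the prefix of "password").
# The neighbouring lines and every count are illustrative; only the middle
# suffix is computed, so the lookup demonstrably matches.
_, _PASSWORD_SUFFIX = split_hash("password")
SAMPLE_RESPONSE = "\n".join([
    "0018A45C4D1DEF81644B54AB7F969B88D65:1",
    f"{_PASSWORD_SUFFIX}:3861493",
    "01A85766CD276B17DE6DA022AA3CADAC3CE:2",
])

if __name__ == "__main__":
    print("would fetch:", range_url("password"))
    print("'password' seen", breach_count("password", SAMPLE_RESPONSE), "times")
    print("passphrase seen", breach_count("correct horse battery staple", SAMPLE_RESPONSE), "times")
```

The privacy property is the point: a 5-character prefix matches hundreds of hashes, so the service learns nothing useful about which password you hold, yet a count greater than zero is a clear signal that the password belongs on the "never reuse" pile.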

What is the solution?

Since data breaches are going to happen and they are out of your control, the best thing to do is to isolate each account with a unique password. If a breach exposes one password, your other accounts/passwords will be safe. If you can memorize unique passwords for all your accounts that’s wonderful, but this is impractical for most people (myself included). A more viable solution is to use a password manager or to keep your passwords in a password-protected document. Essentially, both of these solutions hide all your passwords behind one “master” password. This means you only need to memorize one password while having unique passwords for all your accounts. But what if that master password is guessed? Good question; this can be mitigated by having a very complex master password (after all, you only need to memorize one now) and, if possible, using two-factor authentication. More on two-factor authentication later.

2. Encrypt Important Emails

What is the problem?

Emails can be intercepted, email accounts can be compromised, and email servers can be breached. This might not be too big a problem if you are just sending your aunt a birthday email, but do you really want to be emailing a copy of your son’s birth certificate? Let’s review these threats and how likely each is. First, there is the risk of someone intercepting the email. This is probably the least likely to occur; however, it is possible, and as attackers get more advanced this risk will probably increase. Second, there is the risk of your email account being compromised. This threat is much more likely. It could happen due to a weak password, falling prey to a well-crafted phishing campaign, or having weak security questions. This threat can be somewhat mitigated by being more careful online, but we don’t live in a perfect world; that is why you carry a spare tire in your trunk. It is always better to have an extra layer of defense. Also, even if you are always careful and avoid having your own email account compromised, the recipient of your email can have his/her account compromised. Third, there is the risk of email servers being breached. It is hard to determine the probability of this happening, but based on news of recent data breaches, it is safe to say this threat is at least plausible. The worst part about this threat is that it is completely out of your control.

What is the solution?

Although the most secure solution would be to stop emailing Personally Identifiable Information (PII) – such as Social Security numbers, birthdates, driver’s license numbers etc. – sometimes it is necessary and is certainly convenient. Luckily, there is a solution to this problem: encryption. I’m not going to explain the logistics of encryption but, essentially, it makes the email unreadable unless you have the correct password or key. There are a couple of different ways to use encryption so you can email important information. One way would be to send a password-protected Word document or a password-protected PDF document. Another way would be to utilize an encrypted email service which allows you to send password-protected emails. In both these cases, it is important that you do not email the password, because that would defeat the purpose. This is like changing the locks on your doors only to leave the key under the mat. Use another method to share the password with the recipient, for example over the phone or in person.

3. Use Two-Factor Authentication

What is the problem?

What happens if your password is guessed, found in a breach, or gained by shoulder-surfing (someone watches you type it in at the local coffee shop)?

What is the solution?

First, I think it is important to explain what two-factor authentication is. Typically, there are three authentication factors: something you know (the password), something you have (a phone), and something you are (a fingerprint). Thus, two-factor authentication is using two of these three factors during the login process. If someone were able to obtain your password, he would still need another piece of the puzzle: stealing your phone or your fingerprint. Conversely, if your phone were stolen, the thief would still need your password. Things you know can be stored online (and therefore leaked), while things you have or things you are cannot. Obviously two-factor authentication cannot provide complete security, since a clever attacker could still gain this information by stealing your phone or through social engineering. However, it will greatly decrease the chance that a stolen password alone is enough to get into your account. As said before, it is good to set up an extra layer of defense.

4. Create Fake Answers to your Security Questions

What is the problem?

Security questions usually allow users to reset their password by answering one or two personalized questions. The problem with these questions is that they often ask for information that, though personal or unique to an individual, can often be found online due to data breaches and sites that sell your information. Another problem is that your close friends and family will often know the answers to your security questions. This may not be a big deal to you, but it is essentially the same as telling them your password. A third problem is that security questions often ask for very simplistic answers which could potentially be guessed. Consider the security question: “What is the name of your first pet?”. There is a relatively small list of pet names out there, so assuming your first pet didn’t have an obscure name, this security question could be guessed quickly using an automated password-guessing attack.

What is the solution?

The solution to this problem is to make the answers to the security questions essentially passwords. Either memorize them or store them in a password-protected file or in your password manager. Treat the answer to the security question just like you would treat a password. That means you should not be reusing a security answer across multiple accounts. Luckily websites have started turning away from the practice of security questions, but there are still some accounts which allow you to reset your password after simply answering one or two security questions. At the time of writing this at least two of my accounts were still allowing this weak password reset functionality.

5. Avoid Free (Communal) Wi-Fi

What is the problem?

The problem is you don’t know who’s on the Wi-Fi with you and what they are doing. They could be listening to your internet traffic or trying to hack into your computer. They could intercept your login credentials while you are visiting http websites (these are typically older and unsecured) or, if you haven’t updated your computer in a while, they could be hacking directly into your computer.

What is the solution?

The best solution here is to completely avoid using free Wi-Fi. However, if you still want to use free Wi-Fi, there are some ways you can mitigate the risk. Use a VPN service. VPNs, or virtual private networks, encrypt your internet traffic, making it unreadable to others on that free Wi-Fi. Do thorough research when choosing a VPN service and before installing it, as several free VPN apps have been found to install malware on your phone. Lastly, to make it harder for someone to hack into your computer, keep your computer or phone up to date with the most recent security updates.

Robert is a Security Engineer for Blue Mantle Technology. His specializations include Penetration Testing and Threat Hunting, among other things. He finished in the Top 9% of 4,730 collegiate hackers in the National Cyber League. Robby has a BA from Thomas Aquinas College and holds several industry certifications including the Security+, OSCP, CCENT, AWS Certified Security Specialist, AWS Certified Cloud Practitioner, MCP and DISA HBSS 201/301/501.
