As streets worldwide fill up again with people in face masks and disposable gloves, we hear more and more often that we are entering a new reality. It may well change our approach to many things we once considered normal, from trips to other countries to something as minor as commuting to work. But has the COVID-19 turbulence taught us anything? First of all, it has taught us to be cautious in our movements and in face-to-face contact. But what about cyberspace, which recently came under great pressure as people moved not only their work but also their daily habits online?
The global pandemic that locked people worldwide inside their homes and made their devices the only link to the outside world became a golden opportunity for cybercriminals. They watched their victims spend more time online while, at the same time, slipping out of reach of corporate cybersecurity tools and the experts who run them.
This turned the quarantine, together with the global shift to remote work, into a period of increased cybercrime and major breaches. But let’s take the lessons learned and stop this from becoming common practice by doing something that, let’s be honest, we rarely give serious thought to: improving our everyday cybersecurity.
Step 1: Identical passwords with no two-factor authentication — we can do better
Let’s talk about data leaks. The portal Have I Been Pwned?, on which anyone can check whether their data has been leaked, reveals that data from 433 hacked websites can be found on the web. This amounts to roughly 9.5 billion stolen accounts. Why is this bad and what do identical passwords have to do with it?
When someone steals a database from a website, the data becomes available to threat actors (and in practice to any Internet user). If your email address is in the leak together with your password, threat actors can use the pair to access your accounts on other websites. Say you have the same password for an old email account (that you have long forgotten about) and your online banking account (that you also rarely use, since you mainly check your bank account through the mobile app). Threat actors can easily take advantage of such situations. Your correspondence from many moons ago won’t hold any interest for anyone, but the same cannot be said for your bank account. Here is a simple analogy: if you use the same key for all rooms, one key will open them all. The difference is that obtaining a duplicate in cyberspace is easy. How can this be avoided?
There are two simple ways:
- Use strong passwords and make sure you use a different password for each service you use.
- Enable two-factor authentication for each service you use.
The first challenge is made easier by software such as 1Password, KeePass and similar programs. You create a password database that is stored in encrypted form and protected by one unique, strong master password that you never reveal to anyone; the app then generates all your new passwords for you. Once the encrypted password database exists, the key is not to lose it, for example if your hard drive fails. One way to keep it safe is a cloud service set up to sync with the file: each time you change the password database, the updated file is uploaded to your cloud automatically. If you don’t trust this method, you can always keep a copy of the encrypted file on a USB flash drive or in a safe. We appreciate that not everyone has a safe; a useful and quite effective additional safeguard is a key file (KeePass calls it a KeyFile), a second secret kept separately from the database so that the master password alone is not enough to open it. This way you can protect both the file holding your authentication data and any encrypted container in which you store everything else.
If using a dedicated program is not an option for any reason, you will need a scheme for making up strong passwords that cannot be guessed from any of your other passwords, should one of them leak, and you will have to commit them to memory. There are many ways to build unique passwords from words in a chosen category, such as favorite foods, song lyrics, animals, flowers, coins and so on. One technique is to deliberately misspell the words and add special characters and numbers (but avoid using dates).
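The two halves of this step, finding where one password has been reused and replacing it with a unique one, can be checked mechanically if your password manager can export its database. The following Python script is an added example written for this article; it is not part of the original text and not a feature of 1Password or KeePass. The export rows are constructed sample data, and the column layout (site, login, password) is an assumption about the export format.

```python
"""Find reused passwords in a password-manager export and generate unique replacements.

Added example, not part of the original article; the export layout is an assumption.
"""
import math
import secrets
import string
from collections import defaultdict

# Constructed sample in the shape of a password-manager CSV export: (site, login, password).
# These are made-up credentials for illustration only.
SAMPLE_EXPORT = [
    ("old-mail.example", "alice", "Summer2019!"),
    ("bank.example", "alice", "Summer2019!"),
    ("shop.example", "alice@old-mail.example", "hunter2"),
    ("forum.example", "alice", "correct horse battery staple"),
]

ALPHABET = string.ascii_letters + string.digits + string.punctuation


def find_reused_passwords(entries):
    """Return {password: [sites]} for every password that unlocks more than one site.

    One leaked database then exposes all of the listed sites at once, which is the
    'same key for every room' problem described above.
    """
    sites_by_password = defaultdict(list)
    for site, _login, password in entries:
        sites_by_password[password].append(site)
    return {pw: sites for pw, sites in sites_by_password.items() if len(sites) > 1}


def entropy_bits(length: int, alphabet: str = ALPHABET) -> float:
    """Entropy of a uniformly random password of `length` characters over `alphabet`."""
    return length * math.log2(len(alphabet))


def has_all_classes(password: str) -> bool:
    """True when the password contains lower case, upper case, a digit and punctuation."""
    return (
        any(c.islower() for c in password)
        and any(c.isupper() for c in password)
        and any(c.isdigit() for c in password)
        and any(c in string.punctuation for c in password)
    )


def generate_password(length: int = 20) -> str:
    """Draw a password from the OS CSPRNG, rejecting draws that miss a character class.

    Rejection sampling keeps every accepted password uniformly distributed over the set
    of passwords that satisfy the policy; forcing 'one of each class' into fixed
    positions would not.
    """
    if length < 4:
        raise ValueError("need at least one character of each class")
    while True:
        candidate = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if has_all_classes(candidate):
            return candidate


def plan_replacements(entries):
    """Map each site that shares its password with another site to a fresh, unique password."""
    replacements = {}
    for sites in find_reused_passwords(entries).values():
        for site in sites:
            replacements[site] = generate_password()
    return replacements


if __name__ == "__main__":
    for sites in find_reused_passwords(SAMPLE_EXPORT).values():
        print(f"one password is reused on {len(sites)} sites: {', '.join(sites)}")
    for site, new_password in plan_replacements(SAMPLE_EXPORT).items():
        bits = entropy_bits(len(new_password))
        print(f"{site}: new {len(new_password)}-character password, about {bits:.0f} bits of entropy")
```

The script never prints the reused password itself, only where it is reused; with a real export, run it locally and delete the export file afterwards, since the plain-text export is exactly the kind of file the encrypted database exists to protect.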
The second method is activating the relevant option in account security settings. We have compiled a list of guidelines on how to do this:
- Apple ID: https://support.apple.com/en-us/HT204915
- Google: https://www.google.com/landing/2step/
- Twitch: https://help.twitch.tv/s/article/two-factor-authentication-with-authy?language=en_US
- Facebook: https://www.facebook.com/help/148233965247823
There are many other services; feel free to search for how to set up two-factor authentication (2FA) on each one. In most services the basic 2FA option is a one-time code sent by text message; applications such as Google Authenticator, which generate the codes on your device instead, are an option for more advanced users.
Speaking of text messages, it wouldn’t be the worst idea in the world to protect your SIM card as well. This involves two simple steps:
- Set up a PIN code for the SIM card.
- Ask your mobile operator to prohibit reissuing your SIM card without your personal involvement (and no, this would not be considered paranoia on your part).
Let’s sum up the recommendations so far. What should you do as soon as you start working from home?
- Change all passwords to make them strong and unique and save them to an encrypted database, also protected with a resilient password.
- Enable two-factor authentication on all devices and online accounts.
- Pour yourself a cup of tea and enjoy the peace of mind that comes with greater security.
Step 2: Figure out what social engineering is and learn to distinguish between phishing and original websites
It’s common knowledge that people are the least secure part of any system. Most cyberattacks, from hacking a bank to a simple online scam, involve phishing emails and fake websites. To leave threat actors with fewer chances of success, make sure you distinguish between google.com and qoogle.com and pay attention to the interface — it can differ from the original in color, logo, or an extra field in the authentication form.
If all that is clear, let’s look at signs of a phishing email:
- “Trusted” senders: A threat actor can pose as someone you know and use that person’s profile picture or even signature. In most cases, it’s easy to identify that the sender is actually a malefactor by carefully looking at the sender email address (see the google vs. qoogle example above).
- Emotional touch: The email invokes fear, seeks to raise curiosity, or promises points/rewards/compensation. Its author is most likely a threat actor.
- Calls to hurry: If the sender pushes you to rush (“Quick!”, “Open urgently”, “You have 24 hours until your points expire”, “Forward this email as soon as possible”, etc.), delete the email immediately or mark it as spam.
In any case, if you are surprised by the way the person is writing, or by them asking you to click on a link, download a file or send money, call (or at least message) the person the email is supposedly from. Chances are they won’t know what you’re talking about.
Don’t forget the oft-ignored rule: pay attention to the address bar when browsing. All popular legitimate services switched to https long ago, and the little padlock icon shows that your connection to the site is encrypted (it says nothing about who runs the site, so check the domain name as well). This simple check won’t protect against advanced fraud schemes, but it will definitely do the trick when threat actors rely on inattention. You can increase security further with browser plugins such as HTTPS Everywhere or WOT.
Use 3-D Secure (3DS) when paying for online purchases. Before you pay, check the payment details to make sure they don’t point to an individual’s personal account instead of the store. This clumsy fraud scheme works surprisingly often.
Moreover, make the effort to check the domain registration date before making any payments. You can do this by using publicly available services such as https://whois.domaintools.com/. If the website was created less than a year ago, it is likely to be fraudulent.
Lessons to take away:
- Pay attention to the address bar and look for any suspicious details in its spelling (the number “0” instead of the letter “o”, the prefix “promo”, an unusual domain zone, etc.).
- An overly emotional email that pushes you to do something is a sign of fraud.
- Be cautious with payment details when online shopping.
- If a website raises suspicions, check how old it is.
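The address-bar checks in this step (a “0” for an “o”, a “q” for a “g”, a brand name stuck onto a different domain, punycode, no https) and the domain-age rule of thumb from the whois lookup above can be expressed as a small script. The following Python is an added example written for this article; it is not part of the original text and not a tool from whois.domaintools.com. The trusted-domain list and the WHOIS snippets are constructed for the demonstration, and the two-label “registrable domain” rule is a simplification that does not consult the public suffix list.

```python
"""Lookalike-domain and domain-age checks for a link you are about to click.

Added example, not from the original article; trusted domains and WHOIS text are constructed.
"""
from __future__ import annotations

import re
from datetime import datetime, timezone
from urllib.parse import urlsplit

# Assumption: you keep your own short list of services you actually log in to.
TRUSTED_DOMAINS = {"google.com", "apple.com", "facebook.com", "twitch.tv"}

# Character sequences that look alike in an address bar; multi-character ones first.
CONFUSABLE_PAIRS = [("rn", "m"), ("vv", "w"), ("cl", "d"), ("0", "o"), ("1", "l"), ("q", "g")]


def registrable_domain(host: str) -> str:
    """Last two labels of a hostname. Simplification: without a public suffix list,
    'example.co.uk' would wrongly become 'co.uk'."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def skeleton(name: str) -> str:
    """Collapse confusable sequences so 'qoogle' and 'g00gle' both become 'google'."""
    for lookalike, real in CONFUSABLE_PAIRS:
        name = name.replace(lookalike, real)
    return name


def check_url(url: str) -> list[str]:
    """Return warnings for a URL; an empty list means nothing in the address looked off."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    warnings = []
    if parts.scheme != "https":
        warnings.append("not served over https")
    if not host:
        return warnings + ["no hostname in URL"]
    if not host.isascii() or any(label.startswith("xn--") for label in host.split(".")):
        warnings.append("hostname uses non-ASCII (punycode) characters")
    domain = registrable_domain(host)
    if domain in TRUSTED_DOMAINS:
        return warnings
    for trusted in sorted(TRUSTED_DOMAINS):
        brand = trusted.split(".")[0]
        if brand in host:  # e.g. google.com.login-promo.example or promo-google.example
            warnings.append(f"contains the name '{brand}' but is not {trusted}")
            break
        if skeleton(domain) == skeleton(trusted):
            warnings.append(f"looks like {trusted} after swapping confusable characters")
            break
    return warnings


# Creation-date fields as printed by different registries' WHOIS output.
CREATION_FIELD = re.compile(r"^\s*(?:Creation Date|Registered on|created):\s*(\S+)", re.I | re.M)


def parse_creation_date(whois_text: str) -> datetime | None:
    """Extract the registration date from raw WHOIS output; None if no known field is present."""
    match = CREATION_FIELD.search(whois_text)
    if not match:
        return None
    raw = match.group(1).rstrip(".")
    for fmt in ("%Y-%m-%dT%H:%M:%SZ", "%Y-%m-%d"):
        try:
            return datetime.strptime(raw, fmt).replace(tzinfo=timezone.utc)
        except ValueError:
            continue
    return None


def is_young_domain(whois_text: str, now: datetime | None = None, max_age_days: int = 365) -> bool | None:
    """Apply the rule of thumb above: registered less than `max_age_days` ago is suspicious.
    Returns None when the WHOIS record has no usable creation date."""
    created = parse_creation_date(whois_text)
    if created is None:
        return None
    if now is None:
        now = datetime.now(timezone.utc)
    return (now - created).days < max_age_days


# Constructed WHOIS snippets in the style of registrar output; not real lookups.
WHOIS_NEW_SHOP = """Domain Name: SHOP-PROMO-EXAMPLE.COM
Registrar: Example Registrar, Inc.
Creation Date: 2020-04-12T10:15:00Z
Registry Expiry Date: 2021-04-12T10:15:00Z
"""
WHOIS_OLD_SITE = """Domain name:
    example.org
Registered on: 1995-08-14
"""
# Fixed reference time for the constructed samples, so the result does not depend on today's date.
SAMPLE_CHECK_TIME = datetime(2020, 6, 1, tzinfo=timezone.utc)

if __name__ == "__main__":
    for link in ("https://www.google.com/account", "https://qoogle.com/login",
                 "http://g00gle.com", "https://google.com.login-promo.example/"):
        print(link, "->", check_url(link) or ["nothing suspicious in the address"])
    print("new shop registered under a year ago?", is_young_domain(WHOIS_NEW_SHOP, SAMPLE_CHECK_TIME))
    print("old site registered under a year ago?", is_young_domain(WHOIS_OLD_SITE, SAMPLE_CHECK_TIME))
```

The brand-name check is deliberately aggressive: a legitimate site whose name merely contains a brand will be flagged too, which is the right trade-off for a check that runs before you type a password. The WHOIS parser only understands three common field spellings and two date formats; a registry that prints its dates differently returns None, which should be read as “check manually”, not as “old enough”.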
Step 3: Tidy up your clouds
It is a good idea to audit your cloud storage yourself. If you leave it to hackers to “probe” it, the examination will come at a much greater cost.
Check the files you store in the cloud and delete any unnecessary ones. A lot of information is usually stored in clouds for years and then left forgotten. Check access to long-neglected shared files as well — some of them might be confidential. Regardless, all shared documents should be checked for what type of access has been granted and to whom.
Don’t forget to check the backup settings on your mobile phone. For instance, Apple devices upload all downloaded files and photos to iCloud, and you may have wanted to rein in that freedom a long time ago. The flip side is that if you lose your device, a new iPhone can restore from iCloud only what you allowed the old phone to back up.
In short, your head will no longer be in the clouds if you:
- Clear your cloud accounts of unused and forgotten files.
- Check who has access to important documents stored in the cloud.
- Restrict the freedom of automatic file backups on mobile devices.
Step 4: Update your gadgets and smart devices
Change the default passwords on your entire IT arsenal, including smart home devices; otherwise, updates won’t do much good. Once this is done, update your devices to the latest versions. Here’s the checklist:
- Personal computer
- Mobile devices (smartphones and tablets)
- Smart TV, smart speaker, smart refrigerator, baby monitor, etc.
Latest software versions do not guarantee a lack of vulnerabilities, but they usually significantly reduce the risk of being hacked.
No need to summarize in this case; just remember that smart devices need some tender loving care, too.
Step 5: Wi-Fi — a separate discussion
We’ll start with the basics: if your Wi-Fi router is close to vintage, it’s time for an upgrade. An unprotected router and wireless network could become an access point for a neighbor practicing their computer security skills … or a bona fide threat actor.
Main Wi-Fi security recommendations:
- Don’t use default passwords. First and foremost, change the password for accessing router settings. This will require the device’s IP address, which you can find on a sticker on the reverse side of the router. Access this IP address in your browser and enter the login and password.
- Create strong passwords for your Wi-Fi network and the router admin panel (see above).
- Change the default name of the admin account.
- Change the device’s default IP address.
- Update firmware and install new software versions.
- Disable WPS.
- Disable remote access to the router.
- Use at least WPA2 (or better yet, WPA3) as the technology for your Wi-Fi network. You can also enable a mixed mode that uses both WPA2 and WPA3 (if your router does not support WPA3, it’s a sign that you should replace it with a newer version). Never use WEP or WPA.
It’s worth mentioning updates again. Any new software you install on your devices should come from a trusted developer, should never ask for administrator (root) privileges or suspicious access to device resources, and should only be downloaded from official sources.
Last but not least … Your company probably made sure to have a decent VPN service for its employees and took care of everything. However, if this is not the case for any reason (e.g. you are a freelancer or your own sysadmin), we recommend that you purchase access to a leading VPN service and perform all critical actions only through VPN. This includes checking your personal email account, working with confidential information, accessing online banking services, and so on. We recommend NordVPN, ExpressVPN, and Surfshark. Here is a ranked list of VPN services to help you find one that ticks all your boxes.
To sum up, your Wi-Fi network belongs to you and nobody else if:
- Your passwords are strong enough to withstand brute-force attacks (automatic password guessing).
- Your router is new and its software is up-to-date and downloaded from official sources.
- The default account name and device IP address are not used.
- WPS and remote access are disabled.
- WPA3 is enabled.
- VPN is secure because your employer is conscientious or because you have followed our instructions and bought VPN access from a trusted provider.
Step 6: Create an encrypted backup copy of your computer
Encrypt your computer and create an encrypted backup copy of it on an external data carrier. Try sticking to a schedule for timely updates of the backup copy, e.g. per week/month/quarter. Keep the data carrier with the backup copy out of anyone’s reach. This will help ensure that your data (work-related or personal files, correspondence, bank details, etc.) is secure.
To encrypt your computer, enable FileVault 2 in macOS or BitLocker in Windows. These are built-in encryption tools that will suffice if you use a strong password. Be aware, however, that if you forget your encryption password, all your data will be lost permanently.
You’ve bought a safe? Excellent. If not, at least hide the backup hard drive away from prying eyes.
Step 7: Separate and clean email boxes
You should have different email accounts for different purposes. This way, you won’t miss an important email and will keep your confidential data secure. It makes sense to divide your email inboxes into the following categories:
- Spam inbox: newsletters, messages from online stores, and sign-ups to unimportant services
- Personal inbox: current correspondence and sign-ups to important services
- Cloud inbox: iCloud, Google Drive, messaging app accounts
- Secret inbox: for financial and other sensitive information, we recommend using email services with end-to-end encryption (e.g. Voltage SecureMail)
Key takeaways from this seemingly simple section about email hygiene:
- Separate personal and work-related inboxes for good; this prevents confusing email inboxes and sending work documents from personal email accounts or vice versa.
- Clear spam.
- Delete confidential files and password recovery emails that have been sitting in your inbox for years.
Step 8: What about chatting?
Even after the days of remote work are gone, messaging apps remain our best friends. But friends should be chosen wisely … and safely. It doesn’t matter which app you’re using: WhatsApp, Telegram, WeChat, or ones more popular in the cybersecurity industry such as Signal, Wickr Me, and Threema. Here’s what you should do straight away:
- Install the latest updates for every messaging app you use. Most updates are linked to security, e.g. to patch security holes that could be exploited by malicious actors. Do not neglect this step. Update.
- If the messaging app has a secure version, install it.
- Enable two-factor authentication and never turn it off.
Let’s go through this important step in detail: how to enable two-factor authentication in messaging apps. We’ll take two popular messengers as examples:
- WhatsApp: Settings > Account > Two-Step Verification > Enable (for iOS and Android). Then choose a six-digit code, which you will be asked for when accessing WhatsApp, and confirm it by entering it again. You can also add your email address to protect your account even further.
- Telegram: Settings > Privacy and Security > Two-Step Verification > Set Additional Password. You will then need to enter a strong password containing both letters and digits (thankfully, Telegram has that functionality), which will be asked for when accessing Telegram; confirm the password by entering it again. Detailed instructions on how to turn on this option can be found on the messaging app’s official website.
Basically: regardless of what messaging apps you use, two-factor authentication is key.
Step 9: Take an interest in information security
Nothing in this world can save you from threat actors better than a conscientious use of modern technologies. If you don’t know how cybercrime works, you can’t protect yourself, your family, or your company. Guaranteeing even 50% protection is impossible, let alone 100%. We recommend taking a traditional approach and reading some useful books from our personal library.
We’ll start with the basics. Below are timeless best sellers that anyone with a computer should read:
- The Art of Deception by K.D. Mitnick
- The Art of Intrusion by K.D. Mitnick
- Social Engineering and Social Hackers by M. Kuznetsov and I. Simdyanov
If you have read these — excellent! Below is a reading list for a more in-depth study of the world of cybercrime. These books will teach you much more about the methods and lives of cybercriminals.
- American Kingpin by Nick Bilton
- Incident Response: Investigating Computer Crime by Kevin Mandia
- Extreme Privacy Guide by Michael Bazzell
- Countdown to Zero Day by Kim Zetter
Take care of yourself, your secrets, and your company’s confidential data.