In honor of Cybersecurity Awareness Month, today I’m going to write, at a high level, about endpoint security and how to stay safe online. This is such an incredibly broad topic that I think I could write a book about it. The only problem with writing a book is that the threats change on a daily basis, which means the defenses and tips change just as fast.
So, we will address this topic at a blog-appropriate level and try to provide some good information that will help most average Internet users, with a lot of links to additional resources.
Securing endpoints has always been a challenge because they are a favorite target of attackers. The problem of vulnerable computers goes far beyond securing your own computer and home network. Any Internet-connected computer that has been compromised can be used as part of a botnet to attack and take down other Internet systems, or even slow down large parts of the Internet. Cybersecurity is bigger than all of us and is everyone’s responsibility, for the good of the Internet at large.
Operating System Security
Endpoint and operating system security is really made up of many things, but to keep this blog post from becoming a textbook, we will focus on the following four items:
1. Whole disk encryption encrypts your entire hard drive so that if someone steals or gains physical access to your drive, they cannot read any of the data without the encryption key, which is unlocked by the password you set. This also matters when you get rid of your computer: without encryption, the next owner can run some basic forensic tools on the drive and recover all of your data. This has been happening for years with second-hand hard drives bought online, and with old printers, copiers and fax machines, such as this story where missile defense data was discovered on an old hard drive.
It’s easiest to enable whole disk encryption on a new computer, but it can be turned on at any time. On a Mac, this feature is called FileVault and it can be found in System Preferences > Security & Privacy > FileVault. This page will walk you through enabling FileVault. Store the recovery key it offers somewhere safe (not on the laptop itself); without the password or the recovery key, the data on the disk is gone for good.
On a Windows system you might have this feature built in and you might not. Microsoft has been slow to integrate whole disk encryption, and the full BitLocker feature is only included in the more expensive editions of Windows (Pro, Enterprise and, in older releases, Ultimate). Windows 10 Home offers a simpler Device encryption option on hardware that supports it, under Settings > Update & Security > Device encryption. BitLocker works well and fairly seamlessly with Windows. If you don’t have BitLocker, you may want to opt for one of the free solutions like VeraCrypt. This article gives an overview of both options.
No matter what solution you use, be sure to whole-disk encrypt any system that stores sensitive data or has access to sensitive data, especially a laptop or other computer that is not otherwise behind a locked door, like your house.
2. Good system passwords are essential to securing a computer that goes with you. Even if you are using whole disk encryption, if your encryption password is something easy to guess (12345) or is taped to the bottom of your laptop, the encryption is bypassed and you are no longer protected. Passwords should be more like passphrases. The most important property of a passphrase is length (at least 12 characters). An example would be: I have to take Fido out at 7am! This has uppercase, lowercase, numbers and special characters, is 31 characters including spaces, and is easy to remember.
3. Endpoint firewalls are built into our operating systems these days, but we still have the option to enable or disable them and adjust their settings. The most important thing you can do here is make sure yours is enabled. On a Mac, the firewall has its own tab in the same Security & Privacy preference pane as FileVault; on Windows 10, look under Settings > Update & Security > Windows Security > Firewall & network protection.
4. Patching is critical for all computers. Every month we get security patches for all of our devices, because every month new vulnerabilities are found and fixed. Over the years, operating systems like Windows and macOS have moved from making you download and install patches yourself to automated updates every month. Not everyone likes automated patching, and in some cases you can turn it off. Most software companies have taken the responsible approach of automated patching, which is great, except when your Windows laptop reboots overnight on the second Tuesday of the month and you forgot to save your open files.
On a Mac, open the App Store app, click App Store > Preferences, and make sure Automatic Updates is checked.
On a Windows system, go to Settings > Update & Security > Windows Update > Advanced Options and make sure your system is up to date. Windows 10 will likely not show you an option to disable patching, although you can set active hours, and pause updates for a short while, so a restart does not land in the middle of your work day.
Web Browser Security
So far, we have talked about operating system security, including the firewall. Now let’s address application security. The most popular application used on Internet-connected systems today is, hands down, the web browser. According to a May 2018 article, Google Chrome is the most popular browser, followed by Firefox, Edge and Internet Explorer, then Safari. No matter which browser you use, it is likely the application you use most on your computer if you are an average Internet user.
All of these browsers are modern and kept up to date with automatic patching, so the thing we need to focus on most from a cybersecurity perspective is plug-ins, extensions, add-ons, whatever your browser calls them. According to a September 2018 article by Brian Krebs, a hacked Chrome extension was used to send usernames and passwords to a rogue server. This is just one example of how attackers are directing attacks against the browser rather than the computer itself. An extension runs with whatever permissions it asked for when it was installed, so one that can “read and change all your data on the websites you visit” can see every password you type into a page. The best thing you can do is check your browser extensions regularly and make sure there is nothing loaded that you don’t know about or don’t trust. According to one study, most browser users have about 10-20 extensions installed, with many having well over 40. That is a lot of extra software added to your browser that could give bad actors a way in. It is also likely to slow your browser down a LOT! Here is another article that addresses this problem.
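A practical way to do that check on a Chrome or Chromium profile, as an added example that is not part of the original post: the script below walks the profile’s Extensions folder, reads each manifest.json and flags extensions whose permissions let them read or alter every page you visit. The directory layout (Extensions/<id>/<version>/manifest.json), the set of permissions treated as broad, and the two sample manifests it writes to a temporary folder are my assumptions and constructed data; point audit_extensions at a real profile to run it for real.

```python
import json
import os
import tempfile

# Permissions that let an extension read or alter every page you visit. An
# extension carrying these deserves a second look, whatever it claims to do.
# (Assumed list; Chrome's own permission warnings are the authoritative source.)
BROAD_PERMISSIONS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*",
                     "webRequest", "webRequestBlocking", "tabs", "cookies",
                     "history", "clipboardRead", "debugger", "nativeMessaging"}


def audit_extensions(extensions_dir):
    """Summarise every extension under a Chrome profile's Extensions directory.
    Layout assumed: Extensions/<id>/<version>/manifest.json."""
    findings = []
    if not os.path.isdir(extensions_dir):
        return findings
    for ext_id in sorted(os.listdir(extensions_dir)):
        ext_path = os.path.join(extensions_dir, ext_id)
        if not os.path.isdir(ext_path):
            continue
        for version in sorted(os.listdir(ext_path)):
            manifest_path = os.path.join(ext_path, version, "manifest.json")
            if not os.path.isfile(manifest_path):
                continue
            with open(manifest_path, encoding="utf-8") as fh:
                manifest = json.load(fh)
            # Collect every way a manifest can claim page access: MV2 "permissions",
            # MV3 "host_permissions", and the match patterns of its content scripts.
            requested = set(manifest.get("permissions", []))
            requested.update(manifest.get("host_permissions", []))
            for script in manifest.get("content_scripts", []):
                requested.update(script.get("matches", []))
            broad = sorted(requested & BROAD_PERMISSIONS)
            findings.append({
                "id": ext_id,
                "version": manifest.get("version", "?"),
                # A name like "__MSG_appName__" is a localisation key; the real
                # string lives under the extension's _locales/ directory.
                "name": manifest.get("name", "?"),
                "broad_permissions": broad,
                "flag": bool(broad),
            })
    return findings


def build_sample_profile(root):
    """Constructed sample: two fake extensions written under `root` so the audit
    can run offline. Returns the Extensions directory to audit."""
    samples = {
        ("aaaa", "1.2.0"): {"name": "Tab Counter", "version": "1.2.0",
                            "manifest_version": 3, "permissions": ["storage"]},
        ("bbbb", "0.9.1"): {"name": "Coupon Helper", "version": "0.9.1",
                            "manifest_version": 2,
                            "permissions": ["webRequest", "webRequestBlocking", "<all_urls>"],
                            "content_scripts": [{"matches": ["https://*/*"], "js": ["inject.js"]}]},
    }
    for (ext_id, version), manifest in samples.items():
        path = os.path.join(root, "Extensions", ext_id, version)
        os.makedirs(path, exist_ok=True)
        with open(os.path.join(path, "manifest.json"), "w", encoding="utf-8") as fh:
            json.dump(manifest, fh)
    return os.path.join(root, "Extensions")


def demo():
    """Run the audit over the constructed profile and return the findings."""
    with tempfile.TemporaryDirectory() as root:
        return audit_extensions(build_sample_profile(root))


if __name__ == "__main__":
    for finding in demo():
        mark = "REVIEW" if finding["flag"] else "ok"
        print(f"{mark:6} {finding['name']} {finding['version']} ({finding['id']}) {finding['broad_permissions']}")
```

Typical profile locations are ~/Library/Application Support/Google/Chrome/Default/Extensions on macOS and %LOCALAPPDATA%\Google\Chrome\User Data\Default\Extensions on Windows. An extension that legitimately needs broad access (an ad blocker, a password manager) will be flagged too; the point is that you recognise every entry in the list and can say why it needs what it has.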
Online Account Security
The last topic to discuss in this blog is online accounts and security. This is another big topic, so we will narrow it down to a few items to keep this blog readable in a day.
Passwords. We love to hate them, and we hate to use them. Don’t worry, there is a lot of work happening to get rid of passwords. Here is one example, but for now we have to live with them. As I mentioned earlier, make passphrases that are at least 12 characters long, and yes, you can use spaces in most cases. Make sure you create something you can remember. Or…a better option would be to use a password manager.
The best approach to passwords is to have a unique password for every website, application, etc. But how are we supposed to remember hundreds of unique passwords or passphrases? You’re not! This is where the password manager comes into play. This is a tool that stores all of your passwords and other sensitive data in an encrypted blob on your computer and, optionally, in the cloud. Only you should have the key to decrypt that blob, and now you only need to remember one password: the master password of your password manager. That master password is the one to make a long passphrase, since everything else depends on it. In many cases the password manager will even enter the password for you, so feel free to use a 45-character password if the site allows it, because you never have to type it. Here is a review of password managers from July 2018. Your browser will likely offer to store passwords for you as well, but there are some risks associated with that. Either is far better than reusing passwords, because if an attacker learns one username and password pair, they will try that combination against every social media and Internet service they can find (an attack known as credential stuffing). I have only used a few password managers, but I have been a happy LastPass user for years.
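To make the passphrase advice and the password manager discussion above concrete, here is an added example in Python (mine, not from the post or from any password manager’s code) serving both passages: it scores a candidate passphrase by length and character variety, generates a random passphrase from a word list, stretches a master passphrase into a vault key with a slow key-derivation function the way a password manager does, generates unique per-site passwords, and finds reused ones. The 32-word list, the 600,000 PBKDF2 iteration count and the sample entries are assumptions for illustration.

```python
import hashlib
import hmac
import math
import secrets
import string

MIN_LENGTH = 12  # the post's rule of thumb for a passphrase

# Constructed 32-word list so the example runs offline. A real generator draws
# from a few thousand words (the EFF long list has 7776, i.e. 12.9 bits per word).
WORDS = [
    "apple", "river", "candle", "forest", "marble", "pillow", "rocket", "silver",
    "tunnel", "velvet", "window", "yellow", "anchor", "basket", "copper", "dragon",
    "engine", "falcon", "garden", "hammer", "island", "jacket", "kettle", "ladder",
    "meadow", "needle", "orange", "pepper", "quartz", "ribbon", "saddle", "timber",
]


def passphrase_report(passphrase):
    """Length and character-class check for a user-chosen passphrase.
    The bit estimate assumes every character was picked at random, so for a
    memorable sentence it is an upper bound; length is the number that matters."""
    classes = {
        "lower": any(c.islower() for c in passphrase),
        "upper": any(c.isupper() for c in passphrase),
        "digit": any(c.isdigit() for c in passphrase),
        "other": any(not c.isalnum() for c in passphrase),  # spaces and punctuation
    }
    pool = (26 * classes["lower"] + 26 * classes["upper"]
            + 10 * classes["digit"] + 33 * classes["other"])
    bits = len(passphrase) * math.log2(pool) if pool else 0.0
    return {
        "length": len(passphrase),
        "classes": sum(classes.values()),
        "bits_upper_bound": round(bits, 1),
        "acceptable": len(passphrase) >= MIN_LENGTH,
    }


def generate_passphrase(word_count, words=WORDS):
    """Diceware-style passphrase: each word drawn with a CSPRNG (secrets), so the
    entropy is exactly word_count * log2(len(words)) bits, whatever the words are."""
    phrase = " ".join(secrets.choice(words) for _ in range(word_count))
    return phrase, round(word_count * math.log2(len(words)), 1)


def derive_master_key(master_passphrase, salt, iterations=600_000):
    """What a password manager does with the one password you remember: stretch it
    with a slow KDF (PBKDF2-HMAC-SHA256 here, from the standard library; scrypt or
    Argon2 are stronger choices) into the key that protects the encrypted vault."""
    return hashlib.pbkdf2_hmac("sha256", master_passphrase.encode("utf-8"), salt, iterations, dklen=32)


def master_key_matches(candidate, salt, expected_key, iterations=600_000):
    """Unlock check with a constant-time comparison, so a wrong guess cannot be timed."""
    return hmac.compare_digest(derive_master_key(candidate, salt, iterations), expected_key)


def generate_site_password(length=32, alphabet=string.ascii_letters + string.digits + "!@#$%^&*-_=+"):
    """Per-site password nobody needs to remember or type: random, long, unique."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def find_reused(entries):
    """Given {site: password}, return groups of sites that share one password.
    These are the accounts a single leaked pair would unlock by credential stuffing."""
    by_password = {}
    for site, password in entries.items():
        by_password.setdefault(password, []).append(site)
    return [sorted(sites) for sites in by_password.values() if len(sites) > 1]


if __name__ == "__main__":
    for candidate in ("12345", "I have to take Fido out at 7am!"):
        print(candidate, passphrase_report(candidate))
    print(generate_passphrase(6))
    salt = secrets.token_bytes(16)
    key = derive_master_key("I have to take Fido out at 7am!", salt)
    print("unlock with wrong password:", master_key_matches("12345", salt, key))
    # Constructed sample vault: two accounts sharing a password, one generated.
    print(find_reused({"bank": "Summer2018!", "email": "Summer2018!", "forum": generate_site_password()}))
```

With the full 7776-word list, a six-word passphrase carries about 77.5 bits, far beyond anything a person would choose by hand, and that is the kind of passphrase worth using as the master password in front of a vault of random per-site passwords.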
Phishing attacks are prevalent and growing in number. They are also much more advanced than in the past. Read this blog and this one to learn about some of the more advanced attack types and how to identify them. STAY ALERT!
This one is a little more advanced, but changing the DNS settings on your computer can help reduce your attack surface. DNS, the Domain Name System, is how a domain name (www.google.com) is turned into an IP address (184.108.40.206). The Internet doesn’t route traffic by name, so DNS acts like an address book, translating the domain name into an address that can be routed on the Internet. When you use the Internet, you are likely using your ISP’s DNS servers. This is fine, but there are some public DNS servers that offer a lot more than just address translation.
Changing your DNS servers to 220.127.116.11 or 18.104.22.168 can add some threat intelligence to your Internet browsing: if you, or more likely something malicious on your computer, try to reach a known malicious domain, these DNS servers refuse to resolve it, so the connection never gets a destination address. Pretty cool! Keep in mind that this only covers lookups that go through the resolver: malware that connects to a hard-coded IP address, or that uses its own DNS server, is not stopped. Here is an article that talks about both of these DNS servers and some other popular public DNS services.
I hope this was helpful, and I wish safe computing to everyone!
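What a filtering resolver actually does on the wire, as an added example that is not from the post or from any of the DNS services mentioned: the code below builds a real DNS query message, then stands in for the resolver, answering a normal name and refusing a name on a block list with NXDOMAIN, and parses the reply the way a client would. The tiny zone, the block list and the 203.0.113.10 answer (an RFC 5737 documentation address) are constructed; nothing is sent on the network.

```python
import struct

# Constructed zone: a documentation address (RFC 5737), not a real answer from anyone.
SAMPLE_ZONE = {"www.google.com": "203.0.113.10"}
# Stand-in for a filtering resolver's threat-intelligence list (constructed name).
BLOCKLIST = {"malware-download.example"}

NXDOMAIN = 3  # RCODE meaning "no such name"


def encode_name(name):
    """Encode a hostname as DNS labels: length-prefixed, zero-terminated."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_query(name, txid):
    """Standard A-record query (RFC 1035 section 4.1): 12-byte header plus one question."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # flags 0x0100 = recursion desired
    return header + encode_name(name) + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN


def decode_name(msg, offset):
    """Decode a possibly compressed name; return (name, offset just past it in the message)."""
    labels, end = [], None
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:  # compression pointer: two bytes, 14-bit offset
            pointer = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            end = end if end is not None else offset + 2
            offset = pointer
            continue
        offset += 1
        if length == 0:
            break
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), (offset if end is None else end)


def parse_response(msg):
    """Client side: pull the transaction ID, RCODE and any A records out of a reply."""
    txid, flags, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", msg[:12])
    offset = 12
    for _ in range(qdcount):  # skip the echoed question section
        _, offset = decode_name(msg, offset)
        offset += 4
    answers = []
    for _ in range(ancount):
        name, offset = decode_name(msg, offset)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[offset:offset + 10])
        offset += 10
        rdata = msg[offset:offset + rdlen]
        offset += rdlen
        if rtype == 1 and rclass == 1 and rdlen == 4:  # A record, IN class
            answers.append((name, ".".join(str(b) for b in rdata), ttl))
    return {"id": txid, "rcode": flags & 0x000F, "answers": answers}


def filtering_resolver(query):
    """Server side stand-in: answers from SAMPLE_ZONE, refuses BLOCKLIST names with NXDOMAIN.
    A real filtering resolver decides from its own threat feeds; this is constructed."""
    txid = struct.unpack("!H", query[:2])[0]
    qname, qend = decode_name(query, 12)
    question = query[12:qend + 4]  # name plus QTYPE/QCLASS, echoed back to the client
    if qname in BLOCKLIST or qname not in SAMPLE_ZONE:
        flags = 0x8180 | NXDOMAIN  # QR, RD, RA set; RCODE = 3
        return struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0) + question
    ip = bytes(int(p) for p in SAMPLE_ZONE[qname].split("."))
    # Answer name is a pointer to offset 12, where the question's name starts.
    answer = b"\xC0\x0C" + struct.pack("!HHIH", 1, 1, 300, 4) + ip
    return struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0) + question + answer


def resolve(name, txid=0x1234):
    """Round trip: build the query, hand it to the resolver, parse and sanity-check the reply."""
    reply = parse_response(filtering_resolver(build_query(name, txid)))
    if reply["id"] != txid:
        raise ValueError("transaction ID mismatch: reply is not for our query")
    return reply


if __name__ == "__main__":
    for host in ("www.google.com", "malware-download.example"):
        print(host, resolve(host))
```

To see what your real resolver does, send the bytes from build_query over UDP port 53 to it with the socket module and hand the reply to parse_response; a refusal comes back as RCODE 3, or, from some services, as the address of a block page rather than an error.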