Growing up in Silicon Valley, I developed an interest in computing and cybersecurity from a fairly young age.(1) I’ve noticed that this is fairly uncommon. I’ve listed here a few simple steps toward a more secure computing existence (these are also important considerations for mobile devices, like tablets and phones).
- Install updates regularly! This is particularly important for your operating system, browser(s), PDF software, and office suite. If you use Flash or Java, include those on this list, after considering whether you really need them. Enable automatic update checks, and when you get notifications of available updates, save your open work and install them.
- Require a sign-in password or similar biometric solution to unlock your computer. If you use a laptop, set it to lock after a specified and short period of inactivity.
- To protect any personal data on your machine, use your operating system’s disk encryption solution (in conjunction with a sign-on password). (Other solutions, like VeraCrypt, may be better, but involve more technical know-how.)
- Use a security suite. This will typically consist of antivirus/anti-malware, a firewall, and some utilities. PC Magazine maintains a list of their top choices (standalone antivirus); other publications have comparable results. Malwarebytes and Adguard provide additional protection for more specialized use cases (malware prevention in the former; privacy protection in the latter). Options for Apple are similar.
- Follow Brian Krebs’s three basic rules for online safety:
  - If you didn’t go looking for it, don’t install it.
  - If you installed it, update it.
  - If you no longer need it, remove it.
- Don’t reuse passwords across multiple applications or websites.
- Don’t use simple passwords like ‘password1’ or ‘12345678’. If any of your passwords ever pops up on an annual ‘most common passwords’ list, you’re doing things very, very wrong.
  - There’s a running gag on Archer involving sensitive information, from personal medical records to nuclear launch codes, being protected by the password ‘guest’. Both hilarious and bad.
- Get a password manager. You can typically install these across your devices (laptop/tablet/phone/etc.). Rather than using one password across all websites (a horrible idea – if one site is compromised, you’ll need to quickly change the password for every other site), you’ll need to remember one unique, complex password for your password manager, which will do the heavy lifting for you. 1Password and LastPass are top choices, but a wide range of options exist. KeePass is a good free open-source alternative, although much less user-friendly than the others.
  - Secure your password manager with a long, complex passphrase (see below).
  - Don’t use a browser-based password manager: historically, these have been more susceptible to attack, and in general they are less likely to work across different web browsers, applications, and devices.
- Use a long, unique password (or passphrase) for every website. Your password manager should be able to generate long and complex passwords for you; go for the longest string allowed by the website.(2) The XKCD method for generating strong passwords is also quite popular, but you may need to add special characters and/or numbers to fulfill websites’ own complexity rules. Even if you go the XKCD route, use a password manager to avoid repeating or forgetting passwords.
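To put numbers on the length argument above (and in footnote 2), here is an added example that is not from the original post: it computes the entropy of a manager-generated 30-character password versus an XKCD-style passphrase, and shows how many words a passphrase needs to match it. The eight-word list, the 94-character alphabet and all function names are assumptions made for the demo.

```python
import math
import secrets
import string

# Constructed 8-word list for the demo only; a real Diceware-style list has 7776 (6^5) words.
WORDLIST = ["correct", "horse", "battery", "staple", "river", "pencil", "orbit", "lantern"]
PRINTABLE = string.ascii_letters + string.digits + string.punctuation  # 94 characters

def entropy_bits(pool_size: int, length: int) -> float:
    """Entropy of `length` independent, uniform picks from `pool_size` options."""
    return length * math.log2(pool_size)

def words_needed(target_bits: float, wordlist_size: int) -> int:
    """Smallest passphrase word count whose entropy reaches target_bits."""
    return math.ceil(target_bits / math.log2(wordlist_size))

def random_password(length: int, alphabet: str = PRINTABLE) -> str:
    """What a password manager generates: uniform picks from the OS CSPRNG (never `random`)."""
    return "".join(secrets.choice(alphabet) for _ in range(length))

def xkcd_passphrase(words: int, wordlist=WORDLIST, sep: str = "-", add_complexity: bool = False) -> str:
    """XKCD-style passphrase; add_complexity appends a digit and a symbol for sites that demand them."""
    phrase = sep.join(secrets.choice(wordlist) for _ in range(words))
    if add_complexity:
        phrase += secrets.choice(string.digits) + secrets.choice("!@#$%&*")
    return phrase

def compare(wordlist_size: int = 7776, words: int = 4, pw_len: int = 30) -> dict:
    """Entropy of a 4-word Diceware passphrase vs. a 30-character manager-generated password."""
    random_bits = entropy_bits(len(PRINTABLE), pw_len)
    return {
        "passphrase_bits": round(entropy_bits(wordlist_size, words), 1),  # ~51.7 bits
        "random_bits": round(random_bits, 1),                             # ~196.6 bits
        "words_to_match": words_needed(random_bits, wordlist_size),       # 16 words
    }

if __name__ == "__main__":
    print(compare())
    print(random_password(30))
    print(xkcd_passphrase(4, add_complexity=True))
```

Four Diceware words land around 52 bits, which is fine for a passphrase you must type (like the one guarding your password manager), but matching a 30-character generated password takes about 16 words, which is why the manager should generate the per-site ones.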
Back Up Your Data
Back up your data. This can be to an external drive or network attached storage (NAS) or to a cloud service. The choice is up to you. UCL’s extenuating-circumstances guidelines expect students to maintain backups; as such, no extensions are offered where equipment loss or failure also results in significant data loss. Backing up data to a physical on-site device (external drive, NAS) has the benefit of being intuitively simple and allows you to maintain control over access to your data in a very tangible manner. There are some shortcomings to this approach: failure, loss or theft of the backup device could mean the same for the data. If you do use a local external device for backups, make sure you encrypt your data (prepackaged external drives often include backup software that can do this for you) and store the password/passphrase in your password manager.
Cloud storage solutions typically offer good alternatives to offline solutions (or you can supplement an offline local solution with the cloud, or use one for sensitive data and the other as a general back-up solution). Dropbox is a very popular cloud solution, although free accounts provide severely limited space, and a lack of storage encryption means that Dropbox employees and governments can access your data while it rests on Dropbox’s servers. Box provides a similar service, although it targets corporate customers; you can usually get around 50GB with a free account, but with similar caveats to Dropbox when it comes to storage encryption. Boxcryptor provides encryption while files are at rest for both solutions, at a price.
Some alternative services provide both transfer encryption (which is standard with Dropbox and Box) and storage encryption. Well-regarded options here include Backblaze, SpiderOak, and Sync. They’re not particularly cheap, but a good secure back-up system is worth the investment (and Dropbox’s plans are expensive by comparison).
Harden Your Browser
Although Google’s Chrome has become the de facto web-browsing standard and Apple and Microsoft do their best to push Safari and Edge, respectively, a lot of choice exists when it comes to browsers. For example, Vivaldi relies on the open-source Chromium engine that powers Chrome, but offers a wide range of additional features without the cost of Google monitoring your every online move. Likewise, the engine powering Firefox can be found elsewhere in browsers like Pale Moon and Waterfox. Regardless of your browser choice, take a bit of time to go through the settings: you’ll want to either enable automatic updating or check for updates on a regular schedule, and lock down cookie preferences. Firefox has the added benefit of building some fairly robust anti-tracking privacy measures directly into the browser. It’s worth reading up on these tools and modifying your settings.
Extend your browser for security and privacy
- Compartmentalize your email life. Create aliases (this is easily done in Gmail and with a number of other providers) or separate accounts (that forward to your main account) to deal with different parts of life. For example, use your main account for personal conversations, use your UCL/school account for school/career-related interactions, and create separate aliases for banking, shopping, utilities/service providers, and any other interests you have.
  - This serves two purposes: by limiting the spread of your banking (or other sensitive uses) email address(es), you’re less likely to receive spam or phishing attempts to that specific address; when you receive spam/phishing attempts at a different address, it is very easy to identify the phishing attempt. Depending on how you set things up (like a unique alias for each online retailer, financial institution, mailing list), it can be fairly easy to see where your information may have been leaked.
  - Most login systems rely on an email address and password. While having a unique complex password for each site protects you against most common attacks, preventing distribution of your log-in email address provides some additional simple protection against brute-force attacks.
- Use two-factor authentication (2FA). While 2FA using SMS/text messages is weak, there are a number of application-based solutions: Authy, Duo Mobile, Google Authenticator, and a variety of mobile banking apps (increasingly common in the UK). These forms of authentication do rely on a fairly secure phone, so keep an eye on it and keep it updated (and with a trustworthy security solution).
- Use a screen-locking solution (fingerprint, pattern, password, PIN, etc.) on your mobile device. Not doing so is akin to leaving the front door to your home wide open whenever you leave.
- If you’re technologically adept, consider setting a DNS provider that isn’t your ISP. OpenDNS and Quad9 are good general options, while Simple DNSCrypt provides other, potentially more secure alternatives in an easy-to-use application for your machine. Avoid Google’s DNS service because they track usage for advertising purposes.
- Use a virtual private network (VPN) on public networks. NordVPN (despite a recent security breach) is a popular option. ProtonVPN (tied into the security-conscious ProtonMail) has worked well for me.
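As an added example (not part of the original post) of the triage that the email-compartmentalization bullets above describe: a small check that compares the alias a message arrived at with the organisation that alias was handed to, so mail reaching the wrong alias stands out as phishing or as evidence of a leak. The alias registry, domains and header samples are all constructed for the demo.

```python
import re

# Constructed registry: which alias was given to which organisation (keep yours in the password manager).
ALIAS_REGISTRY = {
    "me+bank@example.com": "examplebank.com",
    "me+shop@example.com": "exampleshop.com",
    "me@example.com": None,  # main address, shared with people rather than services
}

ADDR_RE = re.compile(r"[\w.+-]+@[\w.-]+")

def parse_headers(raw: str) -> dict:
    """Pull the first address out of each header line of a constructed header block."""
    headers = {}
    for line in raw.strip().splitlines():
        name, _, value = line.partition(":")
        m = ADDR_RE.search(value)
        if m:
            headers[name.strip().lower()] = m.group(0).lower()
    return headers

def triage(raw: str) -> str:
    """Classify a message by whether the alias it arrived at matches the sender's domain.

    The From: header is trivially forgeable, so a match proves nothing; the useful signal is the
    alias itself, which a sender can only know if it was given to them or leaked.
    """
    h = parse_headers(raw)
    alias, sender = h.get("to"), h.get("from")
    expected = ALIAS_REGISTRY.get(alias, "unknown")
    if expected == "unknown":
        return "unknown-alias"   # never handed out: guessed, harvested or mistyped
    if expected is None:
        return "personal"        # main address: no automatic verdict
    if not sender:
        return "mismatch"
    sender_domain = sender.rsplit("@", 1)[1]
    if sender_domain == expected or sender_domain.endswith("." + expected):
        return "expected"
    return "mismatch"            # alias given to one organisation, mail from another

# Constructed sample messages.
BANK_OK = "From: alerts@mail.examplebank.com\nTo: me+bank@example.com\nSubject: Statement ready\n"
PHISH = "From: security@examplebank-login.net\nTo: me+shop@example.com\nSubject: Verify your account\n"
UNKNOWN = "From: promo@random.example\nTo: me+crypto@example.com\nSubject: Offer\n"
```

A "mismatch" on the shop alias means either that retailer's address list leaked or the sender is guessing; either way the message gets no benefit of the doubt.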
(1) This interest only heightened into an obsession when other people began to mistake one of my Gmail accounts for their own email addresses.
(2) Length is key. I clearly recall a mid-flight conversation with someone who worked in cybersecurity over password length early on in grad school. He thought I was crazy for maintaining a minimum length of 30 characters wherever possible. My response was that, assuming breaches were more common than those publicly disclosed, the length and uniqueness of my passwords meant I had fewer worries than other users. At the time breach disclosure wasn’t mandated by law; even where it is, disclosure still depends on detection. Better to be safe than sorry, even if you consider the account to disclose minimal personal information.
(3) Both Adblock and Ghostery take approaches to advertising networks that have been somewhat controversial. Adblock Plus in its default configuration will whitelist ‘acceptable’ ads, for a cost to the advertising network. Ghostery sells aggregated user data.
Version: November 2019