I’ve been interested in computing and cybersecurity since I was fairly young.(1) I’ve noticed that this is fairly uncommon, so I’ve listed here a few simple steps toward a more secure (and private) computing existence (these are also important considerations for mobile devices, like tablets and phones).
Additional points can be found here.
Software
- Brian Krebs’s three basic rules for online safety provide an excellent starting point:
  - If you didn’t go looking for it, don’t install it.
  - If you installed it, update it.
  - If you no longer need it, remove it.
- Enabling update checking is very helpful for ensuring that all your software is up to date (just make sure you actually allow the updates to take place). This is especially important for anything you use that interacts with online resources: your operating system, word processor, PDF reader/editor, and web browser are key.
  - Creating a calendar reminder to check for and install updates every month can be helpful.
- To prevent random people from accessing your personal data, set up a sign-in passcode or biometric solution (such as a fingerprint) for your devices.
- A dedicated security suite will protect you from most additional online threats. UCL provides free subscriptions for students and staff to both F-Secure Premium and Sophos Home through the ISD software database; each is a fairly good option on both Windows and Mac.
- Consider enabling disk encryption (such as Windows Bitlocker) if you have that option.
Passwords
- Use a unique and complex password for each account, and keep these in a dedicated password manager. This way, the only password you really need to remember is the one you set for your password manager. It can also generate complex passwords for all your online accounts and prevent you from entering a password into the wrong website. 1Password and Bitwarden are top choices, but a wide range of options exist, which should work on all of your devices. KeePass is a good free open-source alternative, although much less user-friendly than the others. LastPass offers a free account for use on a couple of devices.
- Avoid allowing the browser to save passwords (or other personal information). Browsers are popular targets for attack by malicious actors and have had a mixed record on their ability to appropriately secure private information.
  - Using insecure storage options, like a text file, Evernote page, or phone contacts list, is a bad idea.(2)
- Don’t reuse passwords.
  - There’s a running gag on Archer involving sensitive information, from personal medical records to nuclear launch codes, being protected by the password guest.
- Long, complex and unique passwords don’t necessarily need to be impossible to remember. The XKCD method for generating strong passwords is quite popular, but you may need to add special characters and/or numbers to fulfill password complexity rules. For example, something like Brave+BUNNY+h0pp3r is long, complex, uses special characters, and is fairly easy to remember.(3)
  - Even if you go the XKCD route, you should use a password manager to avoid repeating or forgetting passwords.
- Security questions are an antiquated form of security.(4) One way to deal with these is to use your password manager to generate more passwords. If you ever have to deal with a customer-service representative, reciting one of these can make for a fun conversation!
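The XKCD-style passphrase, the complexity rules, and the "random answers for security questions" idea above can all be shown in a few lines. The following is an added example, not code from the original post: it draws words and characters with Python's secrets module (a CSPRNG), adds a capital, a separator and two digits so the result also passes typical complexity rules, estimates the entropy of the result, and checks a candidate against the usual length-and-character-class rules. The word list is constructed and deliberately tiny; the entropy figures only become meaningful with a list of thousands of words.

```python
"""Passphrase and security-answer generator (added example).

Words, separator and digits are all chosen with the secrets module, never
the random module, so the output is suitable for real credentials once the
word list is replaced by a large one.
"""
import math
import secrets
import string

# Constructed word list, kept tiny so the example reads easily.  A real
# generator needs thousands of words (e.g. the EFF diceware lists).
WORDS = (
    "brave", "bunny", "hopper", "copper", "violet", "saddle",
    "tundra", "meadow", "pickle", "anchor", "lantern", "cobalt",
    "garden", "silver", "maple", "harbor",
)
SEPARATORS = "+-_!@#$%"
ALPHABET = string.ascii_letters + string.digits + "!@#$%^&*-_"


def make_passphrase(n_words=4, words=WORDS, rng=secrets):
    """Return e.g. 'brave+Meadow+anchor+cobalt42'.

    rng only needs a .choice() method, so a deterministic stand-in can be
    injected for tests.  Words are drawn with replacement.
    """
    picked = [rng.choice(words) for _ in range(n_words)]
    idx = rng.choice(range(n_words))          # which word gets the capital
    picked[idx] = picked[idx].capitalize()
    sep = rng.choice(SEPARATORS)              # one random separator symbol
    digits = f"{rng.choice(range(100)):02d}"  # two random trailing digits
    return sep.join(picked) + digits


def passphrase_entropy_bits(n_words=4, word_count=len(WORDS),
                            n_separators=len(SEPARATORS)):
    """Entropy of make_passphrase output, assuming an attacker knows the
    word list and the construction (Kerckhoffs's principle)."""
    return (n_words * math.log2(word_count)   # the words themselves
            + math.log2(n_words)              # position of the capital
            + math.log2(n_separators)         # separator choice
            + math.log2(100))                 # the two digits


def make_answer(length=20, rng=secrets):
    """Random string to use as a 'security question' answer, to be stored
    in the password manager rather than remembered."""
    return "".join(rng.choice(ALPHABET) for _ in range(length))


def answer_entropy_bits(length=20):
    return length * math.log2(len(ALPHABET))


def meets_complexity_rules(candidate, min_length=12):
    """Typical site rule: minimum length plus lower, upper, digit, symbol."""
    classes = (
        any(c.islower() for c in candidate),
        any(c.isupper() for c in candidate),
        any(c.isdigit() for c in candidate),
        any(not c.isalnum() for c in candidate),
    )
    return len(candidate) >= min_length and all(classes)


if __name__ == "__main__":
    phrase = make_passphrase()
    print(phrase, f"(~{passphrase_entropy_bits():.1f} bits with this tiny list)")
    print(make_answer(), f"(~{answer_entropy_bits():.1f} bits)")
    print("Brave+BUNNY+h0pp3r passes rules:", meets_complexity_rules("Brave+BUNNY+h0pp3r"))
```

Two design points are worth noticing: the entropy estimate counts only the choices made at random (an attacker is assumed to know the word list and the pattern), and the complexity check is there because many sites reject an all-lowercase XKCD phrase even when its entropy is far higher than a short mixed-character password.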
Backing Up Your Data
Back up your data. Performing regular data back-ups is as important as performing regular checks for software updates. The simplest option is to use a cloud-based storage provider. UCL’s Office 365 subscription includes the use of OneDrive. Dropbox is another very popular solution, although free accounts are virtually useless. Box provides a similar service, and you can usually get 50GB with a free account.
If you have privacy or security concerns relating to the data you are backing up, you’ll need to encrypt it before sending it to your cloud provider so that it remains encrypted on the server. Boxcryptor provides a fairly straightforward approach to this.(5) Alternatively, Backblaze, SpiderOak, Sync, and Tresorit provide good zero-knowledge cloud storage solutions (that means that only you hold the decryption keys); the caveat is that you’ll need to ensure that your login credentials are securely stored, because if you lose them, you’ll lose your data.(6)
Backing up data to a local external drive is always a good option, but you need to ensure that you don’t lose the drive and that it doesn’t fail. In the context of UCL assignments, extenuating circumstances do not apply to data loss as a result of an insufficient back-up strategy.(7)
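A backup you never verify is one you only find out is broken when you need it, which is exactly the drive-failure scenario above. The following is an added example, not from the original post: it records a SHA-256 digest for every file in a backup folder into a small JSON manifest, and later compares the copy (on an external drive or synced folder) against that manifest, reporting files that have gone missing, files whose content has silently changed, and files that are new. The demo scenario, including the file names and the simulated corruption, is constructed.

```python
"""Integrity manifest for a backup copy (added example).

build_manifest() records a SHA-256 digest per file; verify_backup() later
reports what is missing, corrupted or unexpected in the copy.
"""
import hashlib
import json
import tempfile
from pathlib import Path


def sha256_of(path, chunk=1 << 20):
    """Digest a file in 1 MiB chunks so large backups do not need to fit in RAM."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_manifest(root):
    """Map each file's path (relative, POSIX-style) to its SHA-256 digest."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): sha256_of(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def save_manifest(manifest, path):
    Path(path).write_text(json.dumps(manifest, indent=2, sort_keys=True))


def load_manifest(path):
    return json.loads(Path(path).read_text())


def verify_backup(root, manifest):
    """Compare the files under root with a previously saved manifest."""
    current = build_manifest(root)
    return {
        "missing": sorted(k for k in manifest if k not in current),
        "corrupted": sorted(k for k in manifest
                            if k in current and current[k] != manifest[k]),
        "extra": sorted(k for k in current if k not in manifest),
    }


def demo():
    """Constructed scenario: a tiny backup, then a silent bit-flip and a lost file.

    Returns (result_when_intact, result_after_damage)."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d) / "backup"
        (root / "thesis").mkdir(parents=True)
        (root / "thesis" / "chapter1.txt").write_text("Introduction\n")
        (root / "data.csv").write_text("id,value\n1,2\n")

        manifest_path = Path(d) / "manifest.json"   # kept outside the backup tree
        save_manifest(build_manifest(root), manifest_path)
        manifest = load_manifest(manifest_path)

        intact = verify_backup(root, manifest)

        (root / "data.csv").write_bytes(b"id,value\n1,3\n")   # one byte changed
        (root / "thesis" / "chapter1.txt").unlink()           # file lost
        damaged = verify_backup(root, manifest)
        return intact, damaged


if __name__ == "__main__":
    before, after = demo()
    print("intact copy :", before)
    print("damaged copy:", after)
```

Keep the manifest somewhere other than the drive it describes (a second copy, or the password manager's secure notes for small ones); a manifest that dies with the disk cannot tell you anything. A scheduled run of verify_backup() against each copy turns "I hope the external drive still works" into a checked fact.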
(1) This is partly due to where I grew up, as well as the fact that a number of people frequently mistake an early Gmail address of mine for their own. I’ve been sent a ton of sensitive information (both personal and business) as the (un)intended recipient.
(2) The first two examples have enabled publicly disclosed breaches. The third is simply a poor practice, because many mobile apps access contact data, so you have no control over who sees your passwords.
(3) Unfortunately, this specific example is no longer secure, as it’s been published online. However, you can use it as an example to form your own long, complex, secure passphrase.
(4) If you answer security questions truthfully, the information is probably available through public searches, social media, and/or social engineering.
(5) Other options for more technically savvy users include VeraCrypt or a password-protected archive, but these require more work.
(6) ProtonMail is currently developing ProtonDrive, so it may soon be another entrant into this space.
(7) Safeguarding against potential drive failure can be a pain. I lost the code and data for an early collaborative research project due to three mechanical drive failures (and potentially a fourth that was misplaced).
Version: May 2022