In light of recent news with Equifax, I’ve been asked by several non-tech friends and family members (Love you, Mom!) for advice on how to avoid getting hacked. This memo is for them.
Golden Rule: Apply common sense
If something sounds too good to be true, it probably, most likely, definitely - is.
I don’t expect a regular user or run-of-the-mill small organization to have security on par with the Pentagon (and even they get hacked). That’s just not realistic or economically feasible. [I’m not talking about the likes of Equifax, whose core business should be to keep personal data safe]
But there are some simple things that smaller organizations without a large IT team and just regular people at home can do. There’s a reason these things are considered cliché security advice. You’ve probably heard many things on this non-exhaustive list before, but you’d be surprised by how many people don’t follow it. I’m guilty of the same sometimes:
Trust that gut feeling
- Do you remember how to play “Floor is Lava”? Well, treat your email as Lava.
- Do not open suspicious emails and links.
- Modern-day services like Gmail and Outlook are pretty good at detecting SPAM and viruses. They are good. But they are not 100% fool-proof.
If it sounds too good to be true, it probably is
- Do not trust every message you see on the Internet; that includes FB, LinkedIn, Twitter, WhatsApp, etc. If you do, I have a Brooklyn Bridge to sell you.
Better safe than sorry
- If you have doubts about an email or attachment, scan it. Check it. Send to IT dept. Ask a tech-savvy friend (not me! :-) ). Do not open it.
Mum is the word
- Do not give out any security information (passwords, SSN, credit card info, etc.).
- Especially if the call was unsolicited. You need to be the initiator of the call that discusses security - like a call to the bank.
- Only use PUBLICLY published contact info - if that 800 number for the bank didn’t come from the back of your credit card or bank’s website - do not trust it.
- If you have information you use for secret questions, like name of the school, town you were born in, name of the pet, don’t tell people about it! Especially on Twitter!
Are you Bernie Madoff?
- If not, chances are FBI, IRS and Royal Canadian Mounties are not after you. If they are, they’ll come knocking with a warrant and maybe a SWAT team, or simply send a certified letter.
- They will not call over a staticky international line with a robo-call.
- They will not ask for a social security number, birth certificate or any other personal info over the phone.
- They will not accept a payment over the phone with a Credit Card or Zelle transfer.
- And they will definitely not ask for a Target or Walmart gift-card.
Repeat after me: Do not give out any security information (it's worth repeating twice)
Security doesn't have to be expensive
- Invest in a good firewall. If you have technical know-how to run an open-source based firewall - great (I’ve used pfSense and like it). If not - get a commercial one.
- A small to medium-size company can get a firewall for $5–$30k. It doesn't have to be a "state of the art" system for $100K if you can't afford it. I've had good experience with Endian, Netgate (commercial offering from pfSense), SonicWall, UniFi Gateway, Untangle and Firewalla.
- A person can get a decent router for $100 - $200 for personal use, that comes with a basic firewall - learn how to use it and enable it!
- Compared to the cost of a security breach? That’s peanuts.
Which firewall to use?
I personally use Firewalla. It's on the pricey side, but:
- It includes constant updates.
- It gives way better tracking and monitoring of your network than a consumer/pro-sumer firewall is expected to have.
- Excellent ad and threat blocking.
- Very easy and intuitive interface
- Great support
- I’ve used pfsense, unifi, endian, untangle, openwrt, d-link, lynksys, buffalo, hp aruba - and for home use or small company in my opinion - Firewalla - beats them hands down.
Don't go viral
- Get that anti-virus and update it! AVG, Avira, etc. - any antivirus is better than none. Don’t get Kaspersky, though. Windows Defender is a very good default choice! Just make sure you don’t disable it.
Update! Update! Update!
- Update security software & equipment regularly!!!
- So often companies/people get a firewall / anti-virus and feel that’s enough. Your firewall / anti-virus is only as good as the latest patch.
Change Defaults
- Once you get your firewall, make sure to actually set it up rather than leaving the factory defaults in place.
Allow-list it, don't block-list
- Usually defaults are good, but it's a good idea to go over them. If your firewall gives you an option to allow-list or block-list websites, files, extensions, etc., always default to the allow-list.
- Allow-list: only the things on the list get through. (I grant access to the things I know.)
- Block-list: you would have to name every bad thing, and there are millions of things that shouldn't have access to your network and only a few thousand that should. So block everything by default and list what is allowed.
- Set up a DMZ.
- Set up a separate guest Wi-Fi; many modern routers let you do it. This way you don't have to connect your guests to your private network.
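What the allow-list, DMZ and guest Wi-Fi points above look like as one firewall configuration, as an added example that is not from the original post or from any of the products it names. It assumes an nftables-based router with the interface names and DMZ server address shown; change them to match your own network.

```nftables
#!/usr/sbin/nft -f
# Added example (not from the original post): a default-deny, allow-list
# ruleset for a small office or home router with a trusted LAN, a guest
# Wi-Fi and a DMZ. Interface names and the DMZ host address are assumptions.
flush ruleset

define wan   = "eth0"
define lan   = "eth1"        # trusted devices
define dmz   = "eth2"        # servers reachable from outside
define guest = "wlan1"       # guest Wi-Fi, isolated from lan and dmz
define web   = 192.0.2.10    # assumed public-facing web server in the DMZ

table inet filter {
    chain input {
        # policy drop = allow-list: anything not listed below is refused
        type filter hook input priority 0; policy drop;
        iifname "lo" accept
        ct state established,related accept
        ct state invalid drop
        # only the LAN may manage the router (SSH / web UI)
        iifname $lan tcp dport { 22, 443 } accept
        # every segment may use the router for DNS and DHCP, and ping it
        iifname { $lan, $guest, $dmz } udp dport { 53, 67 } accept
        iifname { $lan, $guest, $dmz } meta l4proto { icmp, ipv6-icmp } accept
        # nothing from the WAN is listed, so it hits the drop policy
    }

    chain forward {
        type filter hook forward priority 0; policy drop;
        ct state established,related accept
        ct state invalid drop
        # LAN may reach the Internet and the DMZ
        iifname $lan oifname { $wan, $dmz } accept
        # guest Wi-Fi reaches the Internet only, never LAN or DMZ
        iifname $guest oifname $wan accept
        # DMZ hosts may fetch updates but cannot initiate toward the LAN
        iifname $dmz oifname $wan accept
        # the Internet may reach exactly one published service (HTTPS on $web);
        # NAT / port-forward rules are out of scope for this example
        iifname $wan oifname $dmz ip daddr $web tcp dport 443 accept
    }

    chain output {
        type filter hook output priority 0; policy accept;
    }
}
```

Load it with `nft -f` and confirm with `nft list ruleset` that both `input` and `forward` show `policy drop`; if a device stops working after this, the fix is to add the specific rule it needs, not to switch the policy back to accept.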
No such thing as free cheese
- Do not trust free stuff. So many times people get a free USB stick at a conference or a free white-paper download, but do you trust that the source is legit? The person who gave it to you may not even be aware that the thumb drive is infected.
Train
- Do a simple training session with your employees (or family members). You have safety, alcohol abuse, harassment and other HR trainings, right? I’m sure you can squeeze in, once a year, a 15-30 minute security training. The most common response I’ve heard from employees was: “I didn’t know I can’t [plug in/download/open] this”. Don’t make training tedious - make it short, but effective.
Not invented here
- This is one of those times where NIH works. Don’t let your employees connect their personal devices to your network. Phones, laptops, mp3 players, etc. Even if they say they can improve something. At least test it first.
Your browser is your friend
- Trust your browser and update it regularly. If Firefox/Chrome/Safari/IE is telling you that the site is suspect - it most likely is.
Virtualize it
- If possible, set up a Virtual Machine just for browsing - that may be a bit over the top for personal use, but I’ve seen people do it.
Social Media is not your friend
- Do not post on social media that you are on, or going on, vacation; that's just common-sense advice any police department will give. A physical breach is still a breach.
Buying / Shopping online
Beware
This is by no means an exhaustive list. Just a few (18!) things that popped into my mind.
- Don’t use a debit card. Only use a credit card. Most of them have fraud protection. It’s much harder to reverse a debit card transaction.
- Check your statement regularly.
- Use PayPal / Amazon Payments / Google Payments / Apple Pay - when possible. That’s a free additional security layer on top of your credit card.
- Some credit card companies provide a service called Virtual Credit Card number. It’s a temporary credit card number for one-time use online. If you have it - use it.