This article covers the basics of keeping your accounts secure; it is not an exhaustive list by any means.
Security is best done in layers. There is no one-and-done fix; it is a combination of the available tools and techniques that together make you a less attractive target.
- When you receive an email asking you to do or look at something, check the sender, particularly if it's a MIAD user emailing you from outside miad.edu. Chances are it's a scammer pretending to be them in an attempt to obtain information from you, or access to your account.
  - Don't engage; email the user back on their MIAD account to follow up.
- Be wary of any links or files attached. If you don't trust the sender, don't open anything, and contact them in person before following any links or opening any files.
- Be suspicious of any link you intend to click. When you hover over it, is it something identifiable, or an obfuscated link such as those found in emails or on social media sites? If you don't know the true destination, don't click it.
  - Once a link is clicked, pay attention to the address bar: did the URL change? Scammers often use JavaScript rewrites or CSS decorations to hide a link's actual destination. Refrain from clicking anything from a URL shortener, as these often lead to bad places.
- Before signing into a website or entering any sort of data, look at the address bar of your browser. Are you on the intended website, or did something change from google.com to google.example.com? Look for any sign that the intended site's URL changed. Some changes are innocent, online shopping for example: vendors may redirect you to their bank's payment portal, but you should always confirm that you're on a known vendor's domain before entering anything into their forms.
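As an added illustration (not part of the original article), the address-bar check from the last bullet written out in Python, so you can see why google.example.com, google.com.example.net and a "google.com@" prefix all fail it; the expected domain and the sample links are constructed for this example.

```python
from typing import Optional, Tuple
from urllib.parse import urlsplit

def site_of(url: str) -> Optional[str]:
    """Return the host the browser will actually connect to, or None.
    urlsplit().hostname drops any 'user@' prefix and ':port' suffix, which
    is where a 'google.com@other-host' style link hides its real target."""
    host = urlsplit(url.strip()).hostname
    if not host:
        return None
    return host.lower().rstrip(".")   # normalise case and a trailing dot

def matches_expected(url: str, expected: str) -> bool:
    """True only if the host IS the expected domain or a subdomain of it.
    The test is on the END of the host name: 'google.example.com' and
    'google.com.example.net' both contain 'google.com' yet are other sites."""
    host = site_of(url)
    if host is None:
        return False
    expected = expected.lower()
    return host == expected or host.endswith("." + expected)

def check_address_bar(url: str, expected: str) -> Tuple[bool, str]:
    """The article's 'look at the address bar before you type' check,
    done mechanically. Returns (ok, reason)."""
    parts = urlsplit(url.strip())
    host = site_of(url)
    if host is None:
        return False, "no host in URL"
    if parts.username is not None:
        return False, f"text before '@' is not the site; real host is {host}"
    if not matches_expected(url, expected):
        return False, f"host {host} is not {expected} or a subdomain of it"
    if parts.scheme != "https":
        return False, "not using https"
    return True, f"on {host}"

if __name__ == "__main__":
    # Constructed sample links of the kinds the article warns about.
    samples = [
        "https://accounts.google.com/signin",      # genuine subdomain
        "https://google.example.com/login",        # lookalike subdomain elsewhere
        "https://google.com.example.net/",         # expected name buried in host
        "https://google.com@example.net/",         # userinfo trick
        "https://example.net/google.com/login",    # expected name only in the path
        "http://google.com/",                      # right site, no https
    ]
    for link in samples:
        print(f"{link:45} -> {check_address_bar(link, 'google.com')}")
```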
- Consider what access you give to websites or vendors. "Sign in with Google" or "Sign in with Apple" (or any other service) often grants website owners and developers more information and access to your account than they need (varies by app/developer), such as:
  - Read/write access to Google Drive
    - Do you store passwords in a spreadsheet or text file? If so, now is a good time to stop!
  - Your email address and name (which can be used to cross-reference you with other, unrelated services)
  - Access to your calendar
  - Email: some apps can send email on your behalf
  - Recommendation: go through your account permissions at https://myaccount.google.com/permissions and remove anything that's not necessary or unrecognized.

Protect yourself while browsing the web

- A common attack vector is malicious ads or embedded code on websites. You can reduce your attack surface by using a good ad blocker.
  - Don't click on ads.
  - uBlock Origin for Chrome-based browsers: https://chrome.google.com/webstore/detail/ublock-origin/cjpalhdlnbpafiamejdnhcphjbkeiagm
  - uBlock Origin for Firefox: https://addons.mozilla.org/en-US/firefox/addon/ublock-origin/
- Amplify your protection while browsing the web by routinely purging your cookies and cache; cookies store authentication data. Depending on how the site you're authenticated to uses fingerprinting, your session can be stolen and reused by an attacker.
  - In Chrome: set your browser to purge cookies & cache at every close:
    - Click the more icon ( … ) in the upper-right to access Settings
    - On the left menu, click Privacy and security
    - Toward the center, click Cookies and other site data
    - Toggle the Clear cookies and site data when you quit Chrome setting
  - In Firefox: set your browser to purge cookies & cache at every close:
    - Click the menu button (3 stacked lines) in the upper-right corner to access Settings
    - On the left menu, click Privacy & Security
    - Under Cookies and Site Data, check Delete cookies and site data when Firefox is closed
  - Cookie AutoDelete can also handle this on a per-tab basis, further strengthening protection: it will purge cookies as soon as you close the tab (if configured to do so), rather than waiting until you close your browser for the day (it's recommended to layer both options).
  - Firefox users can use Multi-Account Containers to reduce the likelihood of session or cookie stealing (use a separate container tab for general browsing than you do for logged-in tabs/accounts).
- If you responded to a phishing message, or your account's password was phished: do you reuse that password anywhere else? If so, change all affected accounts immediately.
- For any accounts that have weak, easily guessable passwords: change them and make excessively long passwords. A good rule of thumb is to use a mix of uppercase and lowercase words with special characters and numbers in a random sequence. Password managers usually offer password generators, too.
- Use a password manager with multi-factor authentication enabled to secure your new and super long passwords; Bitwarden is recommended (and free, with paid options if you decide the paid features are useful): https://bitwarden.com
- Enable MFA (multi-factor) / 2-factor authentication on every account that offers it. MIAD accounts have the capability; email the tech desk to have it activated if it's not already enabled on your account.
  - Multi-factor adds a layer of complexity to accessing an account should your password get stolen: the thief would also need access to your MFA device (usually a phone with an authenticator app, like Authy) in order to access your account. Missing one or both = no access.
- Ensure your operating system is always up to date on all devices with internet access. There are frequent exploits in every operating system (macOS / iOS, Windows, Android and Linux-based systems) that attackers can use to gain a foothold on your device or connected networks. Remaining up to date reduces the attack surface.
- Only download & install apps from websites and vendors you trust. Ideally, do not search for something like "discord download" and simply click on the first result: most often, these are ads leading to malicious downloads and websites not run by the real app developer.
- Be cautious of app stores. Apps available in your device's app store are not necessarily trustworthy.
- Activate a firewall on all of your internet-connected devices. This will help protect you from vulnerable, unpatched devices connected to the same network(s) as you.
- Resist the temptation to connect to "free wifi" at stores and airports; these are areas hackers like to hang out, looking for vulnerable systems they can break into. Only connect to trusted networks; use your mobile data instead of connecting to anything 'free.'
- Be wary of consumer VPNs (consumer VPNs are not the same as VPNs that may be supplied by your work). VPNs may be handy (and offer a layer of security in a public wifi setting), but unless absolutely necessary, refrain from any sort of personally identifiable behavior while using them:
  - You can never be sure how truly 'secure' the other end is: how frequently their server receives security patches, whether or not it has a firewall, etc.
  - How well isolated you are from other users; VPNs are essentially a 'shared' network with thousands of simultaneous users.
  - Whether or not someone is watching what you're doing on the other end of your connection; all of your traffic is essentially routed through a stranger's server.
  - Consider the cost. Often, "free" is only free because you are the product; your data is then sold to unscrupulous vendors and can end up in parts of the web you did not intend, exposing you to future identity attacks.
    - Your sold data can be used to cross-reference you and locate your home address, phone number and social security number, all ingredients for identity theft. Identity theft can take years to clean up; it can affect credit lines, ruin the ability to obtain credit and loans, or cause irreparable damage to your reputation (impersonation on various accounts, for example).
  - Convenience often comes at a cost; do not forgo personal operational security to save a few minutes.
While security and privacy are not the same, they are very much related and should both be taken into consideration when assessing your threat model.
- Don't post personally identifiable information about yourself on social media; it can be used to socially engineer access to your accounts ("account takeover attacks").
- Use a disposable email address for separate services, i.e. never use the same email for your bank account that you do for your portfolio website (many providers offer the ability to generate email aliases within your primary account).
- Use a VoIP number, like Google Voice, if you need to give vendors your phone number or post it on your portfolio (again, separate such things from your bank account / personal life).

Are you the victim of an account compromise?

How was the account compromised? Did you enter your password into a suspicious form, or do you have a sketchy app on your phone? The most important step to protect yourself going forward is to know where your lapse in security occurred.