Simple steps you can take to reduce the chances of being targeted by cyber-criminals
Written by: Drew Kellerman
A few months ago, a mysterious firm moved in across the hall from us at the Gig Harbor Corporate Center. They installed all sorts of high-tech equipment, frosted their windows so no one can see into their office, and replaced the standard door lock with a high-security key-coded version.
We soon learned that they are a cyber-security firm supporting agencies on our national security team. Evidently, this firm operates globally on the ethereal, shadowy battlefield of digital warfare. Their services are in high demand, too. (One of their clients is the US Secret Service.)
A few weeks ago, I had a memorable conversation with the remarkable gentleman - a retired Air Force F-15 fighter pilot, now in his mid-70s - who started and captains this venture. He pointed out something unsettling and strangely reassuring at the same time.
He told me not to worry about the possibility of an all-out cyber war between us and the likes of Russia, China, Iran and North Korea. Why not? Because that war has been in full swing for several years now. Every major government is trying to hack, spy on and disrupt everyone else with every digital weapon available.
How is this reassuring? Well, this “war” has been going on for some time, and most of us don’t even realize it. Plus, the tools to thwart cyber-attacks are coming online just as fast as the cyber-weapons. Comforting, right?
Cyber Security and You
Okay, perhaps it’s “soothing” at a national level, but how are we, as individuals, supposed to protect ourselves from cyber-criminals? Considering the recent string of major data breaches from “secure” servers (Equifax, Yahoo, Anthem, eBay, JP Morgan, etc.), as well as the sheer number of personal accounts being hacked, it’s tempting to feel powerless in the face of this threat.
Today’s newsletter will offer a few simple suggestions to help avoid being the “low hanging fruit” for cyber-criminals looking for easy targets. The realistic goal is not to be hack-proof. That may be impossible. Instead, we will explore simple steps to make you less inviting as a target.
Step #1: Install Anti-Virus Software on ALL Your Devices
This is just common sense. Any device that connects to the internet should have anti-virus, anti-spyware and anti-phishing software, and a firewall. This is a basic preventative measure for everything you do online. Many people use free versions, but considering the nominal cost of installing premium protection for the value it provides, we’d recommend a subscription service, such as Norton, McAfee, Webroot, Bitdefender or Kaspersky.
Some services offer coverage on 5+ devices per account. This protects multiple computers, smart phones and tablets for one fee. Simply open an account with a provider and download the app on each device. Easy-peasy.
Think of this kind of software as a seatbelt in a car. It’s designed to protect you in most situations, but you still need to practice defensive driving to minimize the chances of being in a crash. The same applies to what you do when on the internet. Let’s look at some internet “safe driving” techniques.
Step #2: Password Strategies
Living in the digital world gives us the amazing ability to connect with virtually all our information online. Banking and paying bills, investing and wealth management, social media, news, entertainment and music, planning and booking a vacation, tracking our health and medical status, can ALL be accessed and managed from practically anywhere in the world!
This, however, requires most of us to access literally dozens of password-protected websites. In theory, this means we are juggling dozens of different passwords, too, which creates a whole new category of stress that our forefathers could never have imagined.
For example, we’ve all been admonished to create unique passwords with a combination of letters, symbols and numbers. Smug administrators suggest we use something like Z4%9v$U&6. Yeah, right. We’re also supposed to use a different password for each site, AND change all of them regularly.
Of course, now that we’ve created a long list of complex and unique passwords, we are never supposed to write them down or save them anywhere, in case someone gets a hold of the list. Is it any wonder then, that the most commonly used password is 123456? Overwhelmed, people give up when faced with these password “rules”.
Just to be clear, these are excellent guidelines to follow. Especially the one about not using the same password everywhere. (Doing so is very common and a very bad idea.) But, if you are like me, you can barely remember relatively simple passwords and rely heavily on Chrome and other browsers to automatically save and load them – ironically making it much harder to remember them!
There are solutions to this problem, including subscription services that help manage and generate passwords for you for a fee. However, here are some simple strategies you can use to improve your password security.
Use a Space
Security researchers obtained a list of 550 million passwords and found that only 0.03% used a space. A space works just like any other character in a password, but using one or more spaces increases the password’s strength. Security firm Kaspersky has a free password-strength-measuring tool on their website, which shows that adding a space to a password dramatically increases the length of time it would take to “hack” it.
For example, let’s say you are a Charlie Brown fan, and know that he was created in 1948. You like to use this bit of random knowledge as the basis for a password. You also spice it up a bit by sprinkling in symbols for two letters, resulting in this: Ch@rl!e1948. Pretty strong, right? Upper and lower-case letters, symbols, numbers, etc.
According to the Kaspersky tool, a 2012 MacBook Pro laptop in the wrong hands could hack that password in eight minutes. So much for a “strong” password.
What happens if, instead, you use the full name and date with spaces as your password? Charlie Brown 1948. You’ve removed the symbols, making it easier to remember AND extended the potential “hacking” time from eight minutes to… 92 years! Why is this so?
Length Over Complexity
It turns out the longer the password, the more secure it is. It doesn’t need to be an unrecognizable mass of letters, numbers and symbols. It simply needs to be long. For example, let’s assume that one of your favorite movies is the original Star Wars. What famous line will you NEVER forget from that film? “May the force be with you”
Why not use this as one of your passwords? According to the Kaspersky tool, it will take the 2012 MacBook Pro 10,000+ centuries to hack this simple sentence. Even if the cyber-criminal is using the world’s fastest supercomputer, it would still take 5,773 centuries to “break” this password. Why? It has 25 characters and six spaces!
We suggest using several of your favorite movie lines and other quotes that you know by heart as your passwords. Then, rotate them around every now and then. This simple approach could significantly strengthen the security of your account access, and decrease your password management stress.
Yes, many sites require symbols, numbers, upper and lower-case letters. Take heart. You can work these requirements into your new passwords in a consistent manner that is easy to remember. For example, always start the sentence with an upper-case letter and finish the quote with the same symbol/number combination.
Are you in the habit of writing down your passwords somewhere? If so, try this technique. Say you have an online bank account and are using May the force be with you @1 as the password. Put a memo in your smart phone or tablet that simply reads, “Bank: Mtfbwy@1”. This will help trigger your memory of which password you are using with this account, but will likely bewilder anyone else who gets ahold of your device.
Step #3: Use Two-Factor Authentication Whenever Possible
Fortunately, you are not alone in the battle against cyber-threats. Many companies, especially banks and other financial institutions, now offer what’s known as Two-Factor Authentication (2FA) when you log in. This adds a second layer of security and “authentication” above and beyond just your username and password.
During the 2FA setup process, you provide your cell phone number and/or email address. Then, each time you log in, you’ll receive either a text message or an email. The text message usually contains a unique four- to six-digit security code you must type into the site within 15-30 minutes to take you through to your account.
With email 2FA, you will receive an email with a link that you click through to access your account. This is less secure, though, because if the criminal has managed to hack into your email, they can access the link, too.
While some sites make 2FA mandatory, others offer it as an option. We highly recommend “turning on” two-step verification with every website that offers it. This includes your online email account access. It takes just a few minutes and significantly strengthens your protection against hackers.
Step #4: Identity Theft Action Plan
If you are a victim of identity theft, or suspect your sensitive information has been breached, you can act to mitigate or prevent further damage. The following tips can start you in the right direction, but we recommend researching and implementing a complete action plan.
1) Cancel and replace all your credit and debit cards. Each institution’s fraud department will help you with this. Yes, this means you’ll need to update each of your autopay accounts, but it’s worth it.
2) Change all your passwords, your login user names and your email address. If you direct your new email address to “pull” mail from the old one, you don’t need to alert everyone you know about the change. Just make sure you do NOT instruct the old address to forward messages to the new email. Doing so would provide a potential hacker with a portal to your new email.
3) Request a security freeze from the three large credit bureaus. This blocks anyone from pulling a credit history report on you, and can help prevent a thief from opening an account in your name. The freeze lasts for 90 days, so you’ll need to request a new freeze four times each year.
4) Regularly monitor your online financial accounts for fraudulent activity. Don’t wait for paper statements to arrive. The sooner you can identify and report fraudulent charges, the better.
5) Be on guard for calls, texts or emails asking you to confirm your personal information.
a. Closely inspect incoming email addresses and web URLs. Criminals will often create fraudulent website URLs that are one letter different from legitimate sites. Look closely.
b. Never click on links from unknown emails or respond to pop-up messages asking to confirm your username or password.
c. If in doubt, look up and call the company’s customer service number to verify legitimacy of the communication.
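The “one letter different” trick in item 5a is easy to miss by eye but easy to check by machine. The Python below is an added example (not from the newsletter) of a small link checker you might run over addresses before clicking: it pulls the host out of a URL, reduces it to its last two labels (an assumption that ignores two-part country suffixes), and flags hosts that are a single character away from a trusted domain or that merely contain a trusted name somewhere in a longer hostname. The trusted domains and the sample URLs are constructed for the demonstration.

```python
from urllib.parse import urlparse

# Constructed list of domains the reader actually does business with.
KNOWN_GOOD = {"example-bank.com", "example-mail.com"}


def levenshtein(a: str, b: str) -> int:
    """Edit distance: how many single-character changes turn a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete
                           cur[j - 1] + 1,         # insert
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def hostname(url: str) -> str:
    """Lower-cased host portion of a URL, or '' if there is none."""
    return (urlparse(url).hostname or "").lower().rstrip(".")


def registrable_domain(url: str) -> str:
    """Last two labels of the host (assumption: no two-part suffixes like co.uk)."""
    labels = hostname(url).split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else hostname(url)


def classify(url: str, known_good=KNOWN_GOOD) -> str:
    """Return 'known', 'lookalike', 'unknown' or 'invalid' for a URL."""
    host = hostname(url)
    domain = registrable_domain(url)
    if not host or "." not in host:
        return "invalid"
    if domain in known_good:
        return "known"
    for good in known_good:
        # One edit away (examp1e-bank.com) or a trusted name buried inside a
        # longer host (example-bank.com.somewhere.example) are both red flags.
        if levenshtein(domain, good) <= 1 or good in host:
            return "lookalike"
    return "unknown"


if __name__ == "__main__":
    # Constructed sample links of the kind item 5a warns about.
    for link in ["https://login.example-bank.com/accounts",
                 "https://examp1e-bank.com/login",
                 "http://example-bank.com.evil.example/reset",
                 "https://totally-different.example/"]:
        print(f"{classify(link):10} {link}")
```

A result of “lookalike” does not prove the link is malicious, and “unknown” does not prove it is safe; the checker only narrows the choices so that item 5c (look up the number yourself and call) is applied where it matters.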
Many folks are bewildered by the cyber-security world, and remain paralyzed with inaction. However, as our world continues to digitize, it’s best to become proactive. Remember, the goal is not to become completely hack-proof. However, by implementing the ideas we’ve outlined, you may be able to stay below the radar screen of the cyber-criminals who are looking for “soft” targets of opportunity.
Drew Kellerman is available at 253.509.0390 or firstname.lastname@example.org