
Improving your security posture can be a daunting task, especially if you’re not particularly tech savvy, so here are some quick wins to get you started that I figure you can probably do within about 10 minutes.
Automatic Updates
Whether it’s your phone, a Windows computer, a MacBook or your Smart TV, one of the best things that you can do to keep yourself secure is to have automatic updates enabled.
In the world of security research, when someone finds a vulnerability and goes through responsible disclosure to pass the vulnerability details to the vendor, the vendor then creates a patch to fix this vulnerability so that it cannot be exploited by a malicious attacker. These are then sent out in the form of updates, so by having automatic updates enabled, you are receiving these security patches as quickly as possible.
Make Secure Passwords

Opinions on what is a secure password have changed over the years. It used to be that you should create a password with lowercase and uppercase letters, numbers and symbols. This seems to mostly have been based on making the password difficult for a human to guess.
Now, with the availability of password crackers and enough computing power to run through cracking those passwords quicker than ever before, password security is much more about length.
The current NCSC guidance (found here) is:
“A good way to create a strong and memorable password is to use three random words. Numbers and symbols can still be used if needed, for example 3redhousemonkeys27!
Be creative and use words memorable to you, so that people can’t guess your password. Your social media accounts can give away vital clues about yourself so don’t use words such as your child’s name or favourite sports team which are easy for people to guess.”
In fact, it has been found that an 8-digit password, often the standard minimum requirement for websites and even organisations, can be cracked in less time than it would take you to watch Avengers Endgame. Read more on that here. The longer your password is, the better.
Check Data Breaches For Your Details
The website https://haveibeenpwned.com/ is an excellent resource, allowing you to enter an email address and see whether it has been found in any data breaches. If your address does show up, this doesn’t necessarily mean that your email account has been hacked; it just means that a website you signed up to with that address has been breached, and it’s possible that some of your other information has been leaked, including your password for that website. You can also set it up to notify you if your email address appears in a data breach (I got one of these recently) and you can often see the leaked password as well.
This brings us on to password reuse. In an ideal world, you should not use the same password for more than one website. This would mean that someone gaining one of your passwords through a data breach would only have access to your account for that website. If you reuse passwords, you would have to change your password on any site where you use that same username/password combo.
For example, let’s say you use the email address “test1@test.com” along with the password “password23” on Website1. This gets leaked in a data breach from Website1. Then you realise that on Website2, Website3 and Website4 you have used the same details and have to change all of those passwords too. Maybe in that time, the attacker has accessed those websites with your credentials, and maybe one of them is PayPal, or your bank, or your Amazon account, and they could have spent your hard-earned money. Those are the risks.
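The reuse scenario above as an added example (not part of the original post): a short Python script that reads a password-manager CSV export and lists which other accounts share the username/password combo leaked from one site. The column names and sample rows are constructed; the address and password are the ones from the paragraph above.

```python
import csv
import hashlib
import io
from collections import defaultdict

# Constructed sample in the shape of a password-manager CSV export
# (column names are an assumption; adjust to your manager's export).
SAMPLE_EXPORT = """site,username,password
Website1,test1@test.com,password23
Website2,test1@test.com,password23
Website3,test1@test.com,password23
Website4,test1@test.com,password23
Website5,test1@test.com,3redhousemonkeys27!
Website6,other@test.com,password23
"""

def _fingerprint(username, password):
    # Group on a digest so plaintext passwords are never used as keys or
    # printed. Usernames are normalised because email logins are usually
    # case-insensitive.
    data = username.strip().lower().encode() + b"\x00" + password.encode()
    return hashlib.sha256(data).hexdigest()

def load_accounts(csv_text):
    return list(csv.DictReader(io.StringIO(csv_text)))

def reuse_groups(accounts):
    """Return lists of sites that share one username/password combo."""
    groups = defaultdict(list)
    for row in accounts:
        groups[_fingerprint(row["username"], row["password"])].append(row["site"])
    return sorted(sorted(sites) for sites in groups.values() if len(sites) > 1)

def exposed_by_breach(accounts, breached_site):
    """Sites whose login is the same combo as the one leaked from breached_site."""
    leaked = {_fingerprint(r["username"], r["password"])
              for r in accounts if r["site"] == breached_site}
    return sorted(r["site"] for r in accounts
                  if r["site"] != breached_site
                  and _fingerprint(r["username"], r["password"]) in leaked)

if __name__ == "__main__":
    accounts = load_accounts(SAMPLE_EXPORT)
    print("Reused combos:", reuse_groups(accounts))
    print("Change after a Website1 breach:", exposed_by_breach(accounts, "Website1"))
```

Website5 (unique password) and Website6 (same password, different username) are not flagged, because the script matches on the full username/password combo described above.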
Install Antivirus

This is one that everyone should be aware of, but make sure that you have antivirus installed and activated on your computers, as well as having the firewall switched on. If you don’t want to pay for a premium antivirus, there are a number of free alternatives out there and, in fact, Windows Defender ranks quite highly now among those free options for personal use.
There are also things like Malwarebytes that have free versions that are worth downloading just to give your computer a cleanout now and again of any adware etc. that antivirus software might not pick up.
If you have a MacBook, it is still worth getting hold of an antivirus. The old theory that Macs are immune from viruses is definitely not accurate, and as always it’s better to be safe than sorry.
Better yet, if you are going to get a premium antivirus, it is smartest to invest in something that provides not only standard signature-based antivirus but also EDR (Endpoint Detection and Response), which is capable of catching “Zero-Day” attacks (attacks that have not been seen by security companies before), whereas standard endpoint protection cannot.
Enable User Account Control
User Account Control is responsible for those annoying popups every time you go to install something on your Windows computer. However, those annoying popups prevent automatic remote installation of programs that could be harmful to your computer or allow someone unauthorised access to it.
When I was 16, I had a Windows XP computer and completely disabled UAC. Whether or not that would have stopped the virus that prevented my computer from booting at all and meant I had to do a fresh install (including ripping all my CDs into media player again) we’ll never know, but it could have. This brings us nicely onto backups.
Backups
If the worst happens and your phone or computer is destroyed by a virus, or ransomware, imagine it’s as simple as reinstalling Windows or factory resetting your phone and restoring from a backup. Well it could be!
Windows has a backup solution built in, as do Macs, which means you can take a full backup of your system to an external drive. This can then be restored from if your computer breaks, either through a fault or an attack.
iPhones will automatically back up when plugged into your computer if they’re synced with your iTunes, or on newer Macs, with Finder. You can also buy iCloud storage and back up to the cloud. There is a similar system in place for Android phones.
It takes a short time to set up and could be the difference between a devastating loss if something happens to your device, or a mild inconvenience.
So there you are, roughly ten minutes and an external hard drive and you can greatly improve your personal security posture. Give it a go, and let me know if there are any other quick wins you think I can add.

