A Practical and Everyday Guide to Personal Cyber Safety and Resilience
Source: www.safety4sea.com


It seems that there is a never-ending cavalcade of events that serve as catalysts for renewed attention to cyber safety. At the moment, it's the devastating and abhorrent invasion of Ukraine by Russia, which has seen intelligence agencies around the world, such as the Australian Signals Directorate, ask citizens to reinforce their cyber security defences so that people outside the conflict zone do not suffer harm from the increased level of cyber warfare taking place.

However, what does 'adopting an enhanced cyber security posture' mean? There is a lot of (very good) guidance out there that can assist. Much of it, however, is aimed at professional audiences. So what I have done is take this advice and make it a bit more relatable for everyday individuals who don't ever plan on becoming cyber security professionals. This is adapted from earlier posts around cyber safety with a few new points added in, and the advice is based on the Australian Government's ASD Essential 8.

Note: I have ranked these in order of priority. However, in my (professional) opinion, you should be doing all of these to some extent if you want to protect yourself.

Let's begin.

Step 1: Backup Your Data

I can't emphasise enough that having correctly functioning and segregated backups of your data is THE SINGLE MOST IMPORTANT THING YOU CAN DO – not just for cyber security but also for your own protection. And I know that you are going to tell me that you already back up your data. Sure. However, a complete and readily accessible backup of your data remains the gold standard in safeguarding yourself against ransomware. This means that you really REALLY need to think about implementing the 3-2-1 rule of backup – 3 copies of your data, on two different types of media, with one copy offsite. And you need to check that backup and make sure that it's actually happening, that it's complete, and that it can be restored if needed (a backup you have never tried to restore from is a hope, not a backup). And that's not all:

a. Are you keeping your backup in the same physical location as your computer? You're going to have a bad time.

b. Are you keeping your external hard drive plugged into your computer all the time? You're going to have a bad time. Ransomware encrypts every drive it can reach, and that includes the backup drive that is always attached.

c. Are you relying solely on OneDrive, iCloud or some other cloud provider as your 'backup'? Bad time. Sync is not backup: a file deleted or encrypted on your computer is deleted or encrypted in the synced copy moments later.

I really can’t reiterate enough how essential backing up your data is.

Backups are not just important for cyber security. If your computer dies and you don’t have a backup, you are in trouble. If you have a natural disaster or fire and your computers get destroyed, you need a backup of your data offsite, otherwise you risk losing all of your memories.
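The check above ("make sure it's actually happening, that it's complete") is something you can automate. The script below is an added example written for this guide, not a tool from the original article: it walks a source folder, confirms every file also exists in the backup with an identical SHA-256 digest, and flags a backup whose newest file is older than a threshold (a sign the backup job has silently stopped). The folder names and the demo files are constructed for illustration.

```python
"""Backup completeness and freshness check (added example; not from the original article).

Walks a source tree, confirms every file also exists in the backup tree with an
identical SHA-256 digest, and flags a backup whose newest file is older than a
threshold. Paths and the demo data are constructed for illustration.
"""
import hashlib
import tempfile
import time
from pathlib import Path


def file_digest(path: Path) -> str:
    """SHA-256 of a file, read in chunks so large photos and videos do not fill memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_backup(source: Path, backup: Path, max_age_hours: float = 48.0) -> dict:
    """Compare source against backup file by file.

    'missing'   : present in source, absent from backup (backup incomplete)
    'changed'   : both exist but contents differ (source edited since the last run,
                  or the backup copy is corrupt; either way it needs a fresh copy)
    'unreadable': could not hash one side (failing disk, permissions)
    'stale'     : nothing in the backup is newer than max_age_hours (job not running)
    """
    report = {"ok": [], "missing": [], "changed": [], "unreadable": [], "stale": False}
    for src in sorted(source.rglob("*")):
        if not src.is_file():
            continue
        rel = src.relative_to(source)
        dst = backup / rel
        if not dst.is_file():
            report["missing"].append(str(rel))
            continue
        try:
            same = file_digest(src) == file_digest(dst)
        except OSError:
            report["unreadable"].append(str(rel))
            continue
        report["ok" if same else "changed"].append(str(rel))

    newest = max((p.stat().st_mtime for p in backup.rglob("*") if p.is_file()), default=0.0)
    report["stale"] = (time.time() - newest) > max_age_hours * 3600
    return report


def make_demo() -> tuple:
    """Constructed sample trees in a temp dir: one good copy, one edited file, one never copied."""
    root = Path(tempfile.mkdtemp(prefix="backup-check-"))
    src, dst = root / "photos", root / "external-drive" / "photos"
    (src / "2023").mkdir(parents=True)
    (dst / "2023").mkdir(parents=True)
    (src / "2023" / "beach.jpg").write_bytes(b"jpeg-bytes-beach")
    (dst / "2023" / "beach.jpg").write_bytes(b"jpeg-bytes-beach")      # identical: ok
    (src / "2023" / "bbq.jpg").write_bytes(b"jpeg-bytes-bbq-edited")
    (dst / "2023" / "bbq.jpg").write_bytes(b"jpeg-bytes-bbq")          # differs: changed
    (src / "tax-return.pdf").write_bytes(b"pdf-bytes")                  # never backed up: missing
    return src, dst


if __name__ == "__main__":
    s, d = make_demo()
    r = verify_backup(s, d)
    for key in ("missing", "changed", "unreadable"):
        for rel in r[key]:
            print(f"{key.upper():10} {rel}")
    print(f"{len(r['ok'])} file(s) verified, backup stale: {r['stale']}")
```

Point it at your real folders (`verify_backup(Path.home() / "Pictures", Path("/Volumes/Backup/Pictures"))`, for example) and run it after each backup. A non-empty `missing` list or `stale: True` is exactly the failure the 3-2-1 rule is meant to catch before you need the backup. Hashing every file is deliberately slow and thorough; a backup that merely has the right file names can still be full of truncated or corrupted copies.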

Step 2: Update the Software on ALL Your IT Equipment

‘Oh Tony, I’m a savvy cat and I already update my phone and my computers’ I can hear you say. Great work, you get a pat on the back from me. Now, have you also updated the firmware on your Wi-Fi router recently? Have you updated any access points or repeaters/extenders you are using? Any network switches? Your Smart TV. Your Wi-Fi-connected air conditioner. Your kid’s smart watch. Your tablets. Your wearables. Your Wi-Fi connected clothes dryer? (why!) ….

Now that I have expanded your horizon a bit more, a few more things to consider:

a. Do you see a popup with a message such as 'Windows / Mac needs to install an update and restart your computer' and keep postponing it for the next day, and the next day, and three months later you still haven't done so? Please, don't.

b. Are you updating the applications (or what the cool kids call 'apps') on those devices as well? For example, any apps running on your tablet, or any programs running on your computers? Don't assume they update themselves; check.

c. Are you updating the BIOS (or UEFI firmware) on your desktop and laptop computers? The BIOS is the code which runs your computer at its most basic level, before the operating system starts. Most people never need to tinker with it, but firmware vulnerabilities are disclosed regularly and, because they sit beneath the operating system, neither your OS updates nor your security software can fix them. The larger vendors (HPE, Dell, Lenovo, Apple etc.) provide update utilities on their product support pages; it's a matter of checking, downloading and updating.

d. Are you confirming that operating system updates are actually occurring? Some operating systems won't prompt you to install a major release, and some that claim to update automatically don't.

e. What are you doing with devices that haven't had software updates in a long time, maybe even years? Chances are that device is End of Life: the vendor has stopped fixing it, so every new vulnerability found in it stays open. You need to think carefully about whether to retain or replace that product. The risk can be managed (keep it off the internet, or on its own separate network), but leaving an End of Life device connected and forgotten is never a good thing.

Step 3: Get Rid of Apps You Don't Use and 'Harden' the Apps that you do use.

Applications on your devices are one of the biggest sources of cyber vulnerabilities around today. What does this mean? It means that you need to ensure that your applications are as secure as possible, which comes down to three things:

  1. Delete apps that you don't need. Does your iPhone home screen span 20 scrolls because of all the apps you have installed? Every one of those apps is code that can carry its own vulnerabilities, and a cybercriminal only needs one of them to get onto your device. It is best practice to delete any unwanted or unused software from your mobile devices, laptops, desktops, or any other computing device. You'll also get the added advantage of more free space and (probably) a faster running device as well. If I don't need an app any more, I delete it. Additionally, every six months or so, I go through my devices and delete any app I don't remember using in recent memory. I recommend the same.
  2. Turn off or disable app features you don't need. While getting rid of apps you don't need is always a prudent move, it's not enough. For the apps that you do use, it's best to disable features and functionality that you do not need or use. For example, you might use an app that offers remote login functionality. It's best to disable this if in fact you do not need it. Why? Have a read of this.
  3. Update your apps. For mobile devices, your App Store will usually do this; however, you should periodically check to ensure that apps are updated to the latest version available. For apps installed on your PCs and Macs, this can be a bit more difficult. You may need to manually check for updates within each app. You may need to ensure that any auto-update feature within an app is actually functioning. Either way, it's essential that you update all of your apps. Common apps that need regular updates include the Microsoft Office suite (Word, Excel, PowerPoint, Outlook, OneNote, Teams, Access etc.); Java JRE; your browsers (Chrome, Firefox, Opera etc.); Webex; any games that you run on your machine; as well as any other productivity programs (such as Adobe Photoshop / Illustrator).


Step 4: Using a Good Endpoint Protection (EPP) Product is Critical.

In the olden days when people were using operating systems such as Windows 95, what we now call an EPP used to be called an 'anti-virus'. An EPP, however, is far more sophisticated. Most EPP products include a firewall (to keep intruders out), email filtering (to stop spam and malicious attachments from infecting your computer) and nowadays detection and response functionality (which flags suspicious behaviour on the device, not just files that match known malware).

All devices with an operating system, including laptops, desktops, phones and NAS units, should have an EPP installed or, on platforms such as iPhones where third-party EPP can do little, should have the built-in protections switched on and kept up to date. Contrary to the baseless myth that keeps being perpetuated, Mac computers (desktops and laptops) need an EPP as much as a Windows machine does.

Which product should you use? Well, products change regularly and my recommendation is: don't rely on who has the flashiest marketing or spams you most with sales pitches. Look at independent product review and testing sites and choose for your particular needs.

Step 5: Update Your Passwords and Enable Two-Factor Authentication Where Possible.

This section deserves to be an article by itself. However, despite cyber security professionals banging on about passwords for decades now, passwords remain one of the most common ways for cyber criminals to compromise accounts. So, are you still using the same password you cleverly created in first year university? If you're as old as I am, I admire your perseverance. However, you can rest assured that that password is swimming around on some hacker forum tied to your email address, and you probably used it for a bunch of different sites, including some that hold things such as credit card details or your date of birth. So, here is an action plan for you to look at this issue and fix it:

a. Start off by having a look at the website 'Have I Been Pwned' and type in your email address to see whether it appears in any known data breach (don't stress, the website was set up as a tool to help people). Don't forget to check old email addresses and work email addresses as well. It's very likely that you will find some accounts listed. Log in and change the password on each of those sites, and on any other site where you reused the same password.

b. If you have decided on a possible new password, the 'How Secure is My Password' site will estimate how long it would take to crack and explains how to build a good one: numbers, letters, symbols, a minimum length, no personal information, and no taking an existing password and tacking a '1' and an exclamation mark on the end. One caveat from me: never type the password you actually intend to use into any website, checkers included. Test one with the same structure instead. Recall my clever first year university password? It would take a computer approximately 54 milliseconds to crack today.

c. If you are wondering, 'Tony, why can't I use personal details for my password?' check out this video.

d. If you are wondering, 'Tony, look…. I get that your password has to be complicated, however I think you're talking garbage about the "1" and the exclamation mark!' check out this video (fast forward to 2:30).

e. If remembering passwords is hard, use passphrases instead: three or four unrelated words are both longer and easier to remember than a short jumble of symbols.

f. Use a secure, credible and well-regarded password manager to store your passwords. We all need help remembering sometimes, and a manager is the only practical way to have a long, unique password for every site. A notepad kept in a safe is an acceptable low-tech fallback, and a good place for the manager's master password and your MFA recovery codes.

g. Have you ever seen a website asking you to set up 'multi-factor authentication' when you log in? Multi-factor authentication (MFA, or sometimes '2FA' for Two Factor Authentication) means that logging in requires two different kinds of proof. The first 'factor' is your traditional password (hopefully updated by now!), which is something you know. The second 'factor' is a code or key delivered through an 'out of band' pathway: an SMS with a code, an email with a key, a phone call reading out a sequence of numbers, a code generated by an authenticator app, or a physical security key. You enter that into the login screen, and it represents something you have. Once you provide both, you can log in to the service. Not all second factors are equal: SMS and email codes can be intercepted or phished, an authenticator app is better, and a hardware security key is strongest because it cannot be tricked into signing in to a lookalike site. Now, I need to stress that MFA/2FA is not foolproof. But it's light years better than simply using a password, no matter how good that password is.
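Two of the points above can be made concrete in code. The block below is an added example for this guide, not code from the original article or from Have I Been Pwned. The first part shows how a breached-password check can be done without ever sending the password anywhere: Have I Been Pwned's 'Pwned Passwords' range API takes only the first five hex characters of the password's SHA-1 hash and returns every matching hash suffix, so the comparison happens on your own machine. The second part implements the standard TOTP algorithm (RFC 6238) that authenticator apps use, so you can see that the 'something you have' is a shared secret plus the clock. The sample range response is constructed (its count is illustrative); the live `fetch_range` call is optional and needs network access.

```python
"""Password-exposure and one-time-code helpers (added example; not from the original article).

Part 1: Have I Been Pwned k-anonymity range check (only a 5-char hash prefix leaves your machine).
Part 2: RFC 6238 TOTP, the algorithm behind authenticator-app codes.
"""
import base64
import hashlib
import hmac
import secrets
import struct
import time
import urllib.request
from typing import Optional

HIBP_RANGE_URL = "https://api.pwnedpasswords.com/range/"


def hibp_prefix_suffix(password: str) -> tuple:
    """Split the uppercase SHA-1 hex digest into the 5-char prefix sent to the API and the rest."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def count_in_range(suffix: str, range_body: str) -> int:
    """Parse a range response ('SUFFIX:COUNT' per line); return the breach count for our suffix, else 0."""
    for line in range_body.splitlines():
        candidate, _, count = line.strip().partition(":")
        if candidate.upper() == suffix:
            return int(count or 0)
    return 0


def fetch_range(prefix: str) -> str:
    """Live lookup (network). Everything returned is hashes that merely share the prefix."""
    req = urllib.request.Request(HIBP_RANGE_URL + prefix, headers={"User-Agent": "pwned-check-example"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def password_exposure(password: str, range_body: Optional[str] = None) -> int:
    """Times the password appears in known breaches (0 = not seen). Pass range_body to stay offline."""
    prefix, suffix = hibp_prefix_suffix(password)
    body = fetch_range(prefix) if range_body is None else range_body
    return count_in_range(suffix, body)


# Constructed stand-in for the range response for prefix 5BAA6 (the real one has hundreds of lines).
# The first suffix is the SHA-1 tail of the string "password"; the counts are illustrative only.
SAMPLE_RANGE_5BAA6 = """\
1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493
1E4D3A8B2C6F9E0D7A5B4C3D2E1F0A9B8C7:2
"""


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HMAC-based one-time password: HMAC-SHA1 over the counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at: Optional[int] = None, step: int = 30, digits: int = 6) -> str:
    """RFC 6238: HOTP with the counter derived from the current 30-second window."""
    at = int(time.time()) if at is None else at
    return hotp(secret, at // step, digits)


def verify_totp(secret: bytes, code: str, at: Optional[int] = None, window: int = 1) -> bool:
    """Accept the code for the current window plus/minus `window` steps to absorb clock drift."""
    at = int(time.time()) if at is None else at
    return any(hmac.compare_digest(totp(secret, at + d * 30), code)
               for d in range(-window, window + 1))


def new_authenticator_secret() -> str:
    """What the enrolment QR code carries: 160 random bits, Base32-encoded for the app."""
    return base64.b32encode(secrets.token_bytes(20)).decode("ascii")


if __name__ == "__main__":
    print("'password' seen", password_exposure("password", SAMPLE_RANGE_5BAA6), "times (sample data)")
    secret = base64.b32decode(new_authenticator_secret())
    print("current code:", totp(secret), "verifies:", verify_totp(secret, totp(secret)))
```

The k-anonymity design is the answer to the caveat in point b: a service can tell you whether a password is in the breach corpus without you disclosing it, and the same trick is what password managers use for their built-in breach warnings. The TOTP half shows why an authenticator code is 'something you have': anyone holding the Base32 secret and an accurate clock can produce the same six digits, which is also why the secret (and your recovery codes) must be stored as carefully as a password.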

Step 6: Check the Privacy Settings on your Social Media Accounts and Carefully Consider Your Approach to Privacy.

Besides LinkedIn, which I use purely for professional reasons across the various capacities and functions which I work within, for a myriad of different privacy and ethical reasons, I flat out refuse to use social media. However, I understand that people like to use social media, like to share their lives stories, and like to stay connected with people, regardless of what people like me say, think or suggest.

So, my recommendations to you are as follows:

a. Check your social media privacy settings. Each platform provides tools to help you review them; start from the platform's own privacy settings page and work through every option rather than accepting the defaults.

b. Assume that whatever you share, regardless of your privacy settings, will become public. It's very easy for someone who is a 'friend' on social media to take a screenshot and then re-share it. Suddenly, it's outside of your control.

c. Don't share personal details, even if your profile is set to 'private'. This includes old driver's licences with you sporting a mullet, a boarding pass for your business class fare to L.A., a winning ticket from the races, or anything else that could be of value to someone else.

And finally, if you love sharing your life away on social media but also happen to be concerned about things such as government surveillance and intrusion into your life, and as such feel the need to deploy a VPN to ‘protect your privacy’, I think that it’s very important that you carefully reconsider your overall approach to privacy. To provide contrast to the hyper-politicised agenda-driven take of the world that’s often seen on different social media platforms today, as a kid growing up in the 80’s, I remember asking my uncle who he voted for in a federal election. He sternly told me that voting is a secret matter and not to be discussed openly. Now, let’s fast forward four decades and I can pretty much figure out how people vote by studying their Facebook profiles for 2-3 minutes (maybe even less). As I remind peers and professionals of all experience levels, privacy is the grandfather to cybersecurity.

Step 7: ‘Trust No One’ Needs to be your Default Position when using the Internet and electronic devices.

What does this mean? Do you remember 'stranger danger' as a kid? Well, you need to think the same way when on the Internet. Assume that every link is dodgy until you confirm otherwise. Assume every email is fake unless you confirm it's not. Assume every phone call is dodgy unless you have independently confirmed who is calling; the number on the screen can be faked. Assume that you are being misled, lied to, or deceived unless you can confirm otherwise.

In a practical sense, 'trust no one' (what professionals would call a zero-trust mindset) means doing the following:

a. Learn to type website addresses into your browser yourself, rather than relying on links.

b. Confirm that the website you are visiting is an 'https' website and not an 'http' website.

c. Look for the padlock in the address bar, but understand what it tells you: the connection is encrypted to whoever runs that site, not that the site is legitimate. Phishing sites use https too, so check that the domain name itself is the one you expect.

d. Get into the habit of checking the actual sender address (not just the display name) of emails you are unsure of. The display name can say anything, and even the address can be forged, so treat this as a first check rather than proof.

e. Do not open attachments unless you expected them and know they come from the person they claim to come from. A friend's or colleague's account can itself be compromised, so an unexpected attachment from a known contact deserves a quick phone call before opening.

f. When being asked to amend bank account details for payments, call the supplier on their official phone number, not the one listed in the email or letter.

g. Install anti-tracking software in your browser. It's for this reason that I prefer to use Firefox and its comprehensive suite of tracking protection mechanisms.

h. When paying for products, consider using a payment platform such as PayPal instead of entering your card number directly. Disputing a fraudulent transaction through the platform is far easier than having a new credit card reissued every time, and these providers have sophisticated mechanisms for validating payments and preventing fraud.

i. When receiving text messages from numbers purporting to be from a parcel service, the ATO or any other source, do not rely on information provided in the message, including links. Visit the purported service's official website and log in manually to verify any claims.

j. When receiving phone calls from numbers purporting to be from a large organisation, DO NOT PROVIDE ANY PERSONAL DETAILS OVER THE PHONE. Caller ID can be forged, so a familiar-looking number is not proof of anything. Request a reference number, hang up, and call them back on an officially listed number that you look up yourself.

k. When using Microsoft Office, be wary of any document or spreadsheet that asks you to 'Enable Content' or 'Enable Macros'. Macros are a series of commands and instructions grouped together so that a task runs automatically, and they run with your permissions, so a malicious macro can do anything you can do on that computer. Modern Office blocks macros in files downloaded from the internet by default; a file that insists you turn them on is itself the warning sign.
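Several of the checks in this list (d, e, and k in particular, plus the link checks in b and c) can be done by a small script before you click anything. The block below is an added example written for this guide, not a tool from the original article: it parses a message, flags a display name that pretends to be an email address, a Reply-To pointing at a different domain, a link whose visible text names one site while the real target is another, plain-http links, and an Office attachment that carries a VBA macro project. The sample message it builds is constructed for illustration; the sender domains and the 'xlsm' attachment are made up and the latter is only a zip shaped like a macro-enabled workbook.

```python
"""Inspect an email the way the checklist says to (added example; not from the original article).

Flags: a display name that pretends to be an address, a Reply-To pointing elsewhere,
link text whose host differs from where the link really goes, plain-http links, and
Office attachments that carry a VBA macro project. The sample message is constructed.
"""
import email
import io
import re
import zipfile
from email import policy
from email.message import EmailMessage
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Where the VBA project lives inside macro-enabled OOXML files (docm/xlsm/pptm are zip files).
MACRO_PARTS = {"word/vbaProject.bin", "xl/vbaProject.bin", "ppt/vbaProject.bin"}
URLISH = re.compile(r"^(https?://)?[\w-]+(\.[\w-]+)+(/\S*)?$", re.I)


class LinkCollector(HTMLParser):
    """Collects (visible text, href) pairs from an HTML body."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None


def host_of(text: str) -> str:
    """Hostname of a URL or bare domain, lower-cased."""
    url = text if "://" in text else "http://" + text
    return (urlparse(url).hostname or "").lower()


def domain_of(addr: str) -> str:
    return addr.rpartition("@")[2].lower()


def has_macro_project(data: bytes) -> bool:
    """True if an OOXML attachment contains a VBA project (what 'Enable Content' would run)."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return bool(MACRO_PARTS & set(zf.namelist()))
    except zipfile.BadZipFile:
        return False


def inspect_message(raw: bytes) -> list:
    """Return (finding, detail) pairs; an empty list means none of the checks fired."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []

    name, addr = parseaddr(msg.get("From", ""))
    if "@" in name and name.lower() != addr.lower():          # check d: name says one address, envelope another
        findings.append(("display-name-is-address", f"{name!r} shown, really sent from {addr}"))
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    if reply_addr and domain_of(reply_addr) != domain_of(addr):
        findings.append(("reply-to-elsewhere", f"replies go to {reply_addr}"))

    body = msg.get_body(preferencelist=("html",))
    if body is not None:
        collector = LinkCollector()
        collector.feed(body.get_content())
        for text, href in collector.links:
            if href.lower().startswith("http://"):           # check b: not https
                findings.append(("insecure-link", href))
            if URLISH.match(text) and host_of(text) != host_of(href):   # check c: real domain differs
                findings.append(("link-host-mismatch", f"text says {host_of(text)}, goes to {host_of(href)}"))

    for part in msg.iter_attachments():                      # checks e and k
        payload = part.get_content()
        if isinstance(payload, bytes) and has_macro_project(payload):
            findings.append(("macro-attachment", part.get_filename() or "(unnamed)"))
    return findings


def build_sample() -> bytes:
    """Constructed phishing-style message exercising every check (not a real sample)."""
    m = EmailMessage()
    m["From"] = '"noreply@auspost.com.au" <alerts@parcel-update.example>'
    m["Reply-To"] = "collect@mailbox-drop.example"
    m["To"] = "you@example.net"
    m["Subject"] = "Your parcel could not be delivered"
    m.set_content("A redelivery fee is outstanding.")
    m.add_alternative(
        '<p>Pay the fee at <a href="http://auspost.com.au.parcel-update.example/pay">'
        "https://auspost.com.au/redelivery</a></p>", subtype="html")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:          # minimal xlsm-shaped zip, not a real workbook
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("xl/vbaProject.bin", b"\x00" * 16)
    m.add_attachment(buf.getvalue(), maintype="application",
                     subtype="vnd.ms-excel.sheet.macroEnabled.12", filename="invoice.xlsm")
    return m.as_bytes()


if __name__ == "__main__":
    for code, detail in inspect_message(build_sample()):
        print(f"{code:24} {detail}")
```

Each finding maps back to a line of the checklist, and none of them requires trusting the message's own claims: the real sending address, the real link target and the real content of the attachment are read from the data, not from what the sender chose to display. To run it on a real message, save the email as an `.eml` file from your mail client and pass `open(path, "rb").read()` to `inspect_message`.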

In Conclusion.

I hope all of this comes in handy in protecting you, your loved ones and your family and friends in this very difficult era. Having grown up in an era of perpetual fear over nuclear war, I had hoped that humanity had moved beyond the need for armed conflicts and invasion. Hopefully, cooler heads will prevail and end this sooner rather than later.

Any comments, suggestions or corrections are welcome.

Important Note: This article represents the views of Tony Vizza as a cyber security and privacy professional and does not represent the views, opinions or endorsements of any affiliated parties, entities or employers.

Nice set of suggestions there Tony, thanks for sharing.

Michelle Gatsi

Senior Cyber Security Consultant at EY | Volunteer Executive Committee Member at Australian Information Security Association (AISA)

2 years

This is great! My key takeaway is “Step 3: Get Rid of Apps You Don’t Use and 'Harden' the Apps that you do use” - so easy to forget! Thanks for sharing Tony Vizza, CISSP, CCSP
