1. Best practices for on-line
SECURITY
by Peter Finney
| Thinker | inventor | innovator | technologist | consultant |
husband, dad | into eXtreme sports
____
As more of our everyday objects become connected (the
Internet of Things), more and more of our personal data and
interactions are shared and stored online. It is no longer just
your name, address and age: home automation, heating, lighting
and CCTV add data about your home; wearables add health data
and location; biometrics add your fingerprint or voiceprint;
telematics apps and smart cars record your driving; and
smartphones and tablets hold contacts, banking and other
application data. Privacy and security of our personal
information is key. With all of this data frequently stored in the
cloud and on social profiles, a comprehensive, in-depth view of
our attributes could be assembled by anyone who gains access to
it. So what are the risks, and how can we better protect our
information? You can never say never with security! This
presentation highlights some of the online security risks and
offers best practices and recommendations to get you started
and help protect you in the evolving digital world.
____
@peterfinney
December 2014
2. Getting to know the risks
the bad guys
• Weak passwords: default, easy to guess, or quickly cracked with tools.
• Shoulder surfers: someone watching you type a password.
• Social engineering: an attacker masquerading as a trustworthy entity
to talk you into handing over access or information.
• Phishing: fraudulent emails, websites, social media posts, texts
and phone calls.
• Clickjacking and disguised links: a page that tricks you into clicking
something other than what you see, or a short link whose real
destination is hidden.
• Drive-by download: malware downloaded without your knowledge when
you visit a website, view an email, or click a deceptive pop-up
window or link.
• Malware: spyware such as key loggers and RATs (Remote Access
Trojans) that give an attacker control of your machine.
• Man in the middle: the conversation is relayed and controlled by the
attacker; you are not in direct communication with the other party.
• Rogue hotspots: is that free Wi-Fi hotspot legitimate and safe?
• Packet sniffers: intercepting data over a Wi-Fi or wired
connection.
• Zero-day: an attack that exploits a previously unknown
vulnerability, before a patch exists.
“Objective: steal your personal data or information such as
credit card numbers, passwords or other information”
3. Best practices
Passwords
• Create complex, strong passwords
Use non-dictionary words; include upper/lowercase characters,
numbers and symbols !"£$%^&*().@#<>
Long length: 15-20+ characters.
• Change them regularly, e.g. every 3 months, and immediately if you
suspect an account or site has been compromised
• Use a different password for each account, so one leaked password
cannot be reused against the others
• Consider a password vault (password manager) or an encrypted password file
examples
LastPass https://lastpass.com/
1Password https://agilebits.com/onepassword
iCloud Keychain (Safari) http://support.apple.com/en-us/HT5813
Chrome password manager https://support.google.com/chrome/answer/95606?hl=en-GB
(easy to find: chrome://settings/passwords, the password management option in
advanced settings)
reference
http://www.microsoft.com/en-gb/security/online-privacy/passwords-create.aspx
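The slide's rules (15-20+ characters, mixed character classes, no dictionary words) expressed as a checker and a generator. This is an added example, not code from the presentation: the word list is a constructed stand-in for a real dictionary, the symbol pool size is an assumption, and the entropy figure is an upper bound that assumes the password is random, which human-chosen passwords never are.

```python
import math
import secrets
import string

# Constructed mini word list for the demo; a real checker would load a full
# dictionary plus the leaked-password lists that cracking tools ship with.
COMMON_WORDS = {"password", "welcome", "letmein", "qwerty", "monkey", "dragon", "london"}
SYMBOLS = '!"£$%^&*().@#<>'          # the symbol set quoted on the slide
ALPHABET = string.ascii_letters + string.digits + SYMBOLS


def estimate_entropy_bits(password: str) -> float:
    """Upper-bound entropy: length * log2(size of the character pool in use)."""
    pool = 0
    if any(c.islower() for c in password):
        pool += 26
    if any(c.isupper() for c in password):
        pool += 26
    if any(c.isdigit() for c in password):
        pool += 10
    if any(not c.isalnum() for c in password):
        pool += 33                     # assumption: printable ASCII punctuation plus £
    return len(password) * math.log2(pool) if pool else 0.0


def check_password(password: str, min_length: int = 15) -> dict:
    """Apply the slide's rules: length, four character classes, no dictionary words."""
    problems = []
    if len(password) < min_length:
        problems.append(f"shorter than {min_length} characters")
    classes = sum([
        any(c.islower() for c in password),
        any(c.isupper() for c in password),
        any(c.isdigit() for c in password),
        any(not c.isalnum() for c in password),
    ])
    if classes < 4:
        problems.append("does not mix lower, upper, digits and symbols")
    lowered = password.lower()
    hits = sorted(w for w in COMMON_WORDS if w in lowered)
    if hits:
        problems.append("contains dictionary word(s): " + ", ".join(hits))
    return {
        "ok": not problems,
        "entropy_bits": round(estimate_entropy_bits(password), 1),
        "problems": problems,
    }


def generate_password(length: int = 20) -> str:
    """Draw from the OS CSPRNG (secrets, never random) and reject any
    candidate that fails the checker, so the output always meets the rules."""
    while True:
        candidate = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if check_password(candidate)["ok"]:
            return candidate


if __name__ == "__main__":
    for sample in ("password123", "Password123!", "kL9#vQ2@wZ8!pR4%xT7", generate_password()):
        print(sample, check_password(sample))
```

A generated 20-character password from this alphabet is well over 100 bits; the point of the vault on the slide is that nobody has to remember it.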
4. Best practices
Two factor authentication
• Use two-factor authentication where supported
Something you know, a strong password,
and something you have, your phone (which is sent a text code)
or a one-time password generator such as
Google Authenticator for Android / iPhone.
Where a site offers both, prefer the authenticator app: a code
generated on the device cannot be intercepted in transit the way
a text message can.
Site setup guide
Facebook https://www.facebook.com/help/?faq=162604937135512
Google http://support.google.com/accounts/bin/static.py?hl=en&page=guide.cs&guide=1056283
Twitter https://blog.twitter.com/2013/getting-started-with-login-verification
LinkedIn http://blog.linkedin.com/2013/05/31/protecting-your-linkedin-account-with-two-step-verification/
Dropbox https://blog.dropbox.com/2014/10/have-you-enabled-two-step-verification/
WordPress http://en.support.wordpress.com/security/two-step-authentication/
Apple ID http://support.apple.com/en-us/HT204152
5. Best practices
Shoulder surfing
• Use a privacy screen to help defeat shoulder surfers,
and be mindful of your surroundings in public spaces such as
planes, trains, cafés, hotels, meetings and conferences.
• Use a screen saver
set a suitable idle time, e.g. 5 minutes, before it activates, and require a password to unlock
always lock the screen when you step away from your computer
Recommended
http://solutions.3m.com/wps/portal/3M/en_US/SDP/Privacy_Filters/
6. Best practices
Firewall, Antivirus / Malware
• Always enable and use a (software) firewall
• Install, keep updated and use antivirus / anti-malware software
OS Consider
Windows 8.1 Windows Defender is free anti-malware software included with Windows
http://windows.microsoft.com/en-gb/windows-8/how-protect-pc-from-viruses
Apple Sophos (free)
http://www.sophos.com/en-us/products/free-tools/sophos-antivirus-for-mac-home-edition.aspx
Intego VirusBarrier
http://www.intego.com/virusbarrier/
Mobile Lookout https://www.lookout.com/
7. Best practices
DNS, Web filtering
DNS (Web Filtering)
Options Consider
OpenDNS Change your DNS settings to use OpenDNS http://www.opendns.com/
DNS servers
208.67.222.222
208.67.220.220
DNSCrypt encrypts the queries between your machine and OpenDNS so they cannot be read or altered on the local network (distinct from DNSSEC, which signs the answers themselves) https://www.opendns.com/about/innovations/dnscrypt/
Google Public DNS https://developers.google.com/speed/public-dns/
DNS servers
8.8.8.8
8.8.4.4
https://developers.google.com/speed/public-dns/docs/security
ISP parental controls (security included in your broadband package?)
BT http://bt.custhelp.com/app/answers/detail/a_id/46768/~/bt-parental-controls---%27how-to...%27-guide
Virgin Media http://store.virginmedia.com/discover/broadband/broadbandextras/web-safe.html
Blue Coat K9 Web Protection, web filtering for home users http://www1.k9webprotection.com/
8. Best practices
Wi-Fi Hotspots
• Can you trust that Wi-Fi hotspot?
• Always use a trusted VPN service from your laptop, tablet or
smartphone. This encrypts everything between your device and the VPN
provider, so the hotspot operator and anyone sniffing the Wi-Fi see only
encrypted traffic; you are trusting the VPN provider instead, so choose
one carefully.
Options Consider
Surfeasy https://www.surfeasy.com/
Hotspot Shield http://www.hotspotshield.com/
9. Best practices
Updates, trusted software and applications
• Keep your OS, applications and plug-ins up to date
turn on automatic updates, so patches are applied before attackers exploit the holes they fix
• ONLY install software and applications from a trusted source!
Otherwise they could contain malware
10. Best practices
Encryption
• Encrypt your hard disk and any external disks / USB drives.
• ENSURE that you generate and securely store a recovery KEY, kept
separately from the encrypted device; without it, a forgotten password
means the data is gone for good.
Options Consider
Mac FileVault
http://support.apple.com/kb/HT4790
Windows 8.1 Pro BitLocker
http://windows.microsoft.com/en-gb/windows-8/bitlocker-drive-encryption
11. Best practices
Backups (Zero-day)
• Maintain regular (encrypted) backups of your computer and your social site
profiles; a backup is what gets you back when a zero-day gets past everything else.
• Store backups on an external drive in a data-rated fire safe, offsite
and away from your primary location.
• Consider cloud backup, e.g. Google Drive or Dropbox, preferring cloud storage
providers that support two-factor authentication.
• Test that you can actually restore from a backup; an unverified backup is just hope.
Social site backup guide
Google https://www.google.com/takeout/
Facebook https://www.facebook.com/help/?page=116481065103985
LinkedIn https://help.linkedin.com/app/answers/detail/a_id/3/~/exporting-your-linkedin-connections
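A backup you have never checked is not yet a backup. As an added example, not part of the presentation, this script archives a directory, writes a manifest of SHA-256 hashes, and verifies the archive against that manifest by hashing the members in memory rather than extracting them (so a crafted tar member can never write outside the restore location). The sample files and the corruption in demo() are constructed; the file layout and names are assumptions.

```python
import hashlib
import json
import tarfile
import tempfile
import time
from pathlib import Path


def sha256_file(path) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def create_backup(src_dir, dest_dir):
    """Archive src_dir into dest_dir and write a manifest with a hash per file
    and a hash of the whole archive. Returns (archive_path, manifest_path)."""
    src_dir, dest_dir = Path(src_dir), Path(dest_dir)
    dest_dir.mkdir(parents=True, exist_ok=True)
    archive = dest_dir / f"backup-{time.strftime('%Y%m%d-%H%M%S')}.tar.gz"
    files = {}
    with tarfile.open(archive, "w:gz") as tar:
        for p in sorted(src_dir.rglob("*")):
            if p.is_file():
                rel = p.relative_to(src_dir).as_posix()
                files[rel] = sha256_file(p)
                tar.add(str(p), arcname=rel)
    manifest = dest_dir / (archive.name + ".manifest.json")
    manifest.write_text(json.dumps({"archive_sha256": sha256_file(archive), "files": files}, indent=2))
    return archive, manifest


def verify_backup(archive, manifest) -> dict:
    """Check the archive against its manifest. Members are hashed straight from
    the stream, so nothing is written to disk and tar path traversal cannot bite."""
    expected = json.loads(Path(manifest).read_text())
    problems = []
    if sha256_file(archive) != expected["archive_sha256"]:
        problems.append("archive hash mismatch (file corrupted or tampered)")
        return {"ok": False, "problems": problems}
    seen = {}
    with tarfile.open(archive, "r:gz") as tar:
        for member in tar.getmembers():
            if not member.isfile():
                continue
            h = hashlib.sha256()
            with tar.extractfile(member) as f:
                for chunk in iter(lambda: f.read(65536), b""):
                    h.update(chunk)
            seen[member.name] = h.hexdigest()
    for rel, digest in expected["files"].items():
        if rel not in seen:
            problems.append(f"missing from archive: {rel}")
        elif seen[rel] != digest:
            problems.append(f"content changed: {rel}")
    for rel in seen:
        if rel not in expected["files"]:
            problems.append(f"unexpected file in archive: {rel}")
    return {"ok": not problems, "problems": problems}


def demo() -> dict:
    """Constructed data: two files, a good backup, a manifest that expects a file
    the archive lacks, and an archive corrupted after the backup was taken."""
    with tempfile.TemporaryDirectory() as tmp:
        src = Path(tmp) / "home"
        (src / "docs").mkdir(parents=True)
        (src / "docs" / "notes.txt").write_text("meeting notes\n")
        (src / "photo.jpg").write_bytes(b"\xff\xd8\xff\xe0" + b"\x00" * 64)
        archive, manifest = create_backup(src, Path(tmp) / "backups")
        good = verify_backup(archive, manifest)
        altered = json.loads(manifest.read_text())
        altered["files"]["docs/missing.txt"] = "0" * 64
        altered_path = Path(tmp) / "altered.manifest.json"
        altered_path.write_text(json.dumps(altered))
        missing = verify_backup(archive, altered_path)
        with open(archive, "ab") as f:
            f.write(b"trailing junk")          # simulate bit rot / tampering in storage
        bad = verify_backup(archive, manifest)
    return {"good": good["ok"], "missing_problems": missing["problems"],
            "bad": bad["ok"], "bad_problems": bad["problems"]}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The manifest proves integrity, not confidentiality: encrypt the archive (the previous slide's tools, or an encrypted external drive) before it leaves the machine, and keep the manifest with the recovery key rather than next to the archive, or a thief who can rewrite one can rewrite both.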
12. Best practices
Secure browsing
• Always connect to a social site using https:// where supported;
this encrypts your connection to the web site with TLS (the successor to SSL).
• Check that the website's address begins with HTTPS and that a LOCK icon
appears in the address bar.
• Click the lock icon and view the site's security certificate details. Check that
the certificate was issued to the site you intended to visit, by a trusted root CA
such as "VeriSign" et al. A valid certificate for a look-alike domain still gets a
lock icon, so the name matters as much as the issuer.
• Keep your web browser software up to date.
• Do not browse the web using an "admin" account; make sure your everyday user
account type is "STANDARD".
Create a "STANDARD" user account for general web browsing
Use a separate "Admin" user account for system maintenance
13. Best practices
Steps to avoid being phished
Fake emails, social media posts, texts and phone calls.
• IF in doubt, delete it! To check, call the company back on a number you
already trust (from its official website or your statement, never one given
in the message) and verify the message was genuine.
• Never respond with your login or personal details.
• Do not click on embedded links.
• Do not reply; mark as SPAM and delete.
• Do not call or text back missed calls from unknown numbers.
Guides
Phishing: Frequently asked questions
http://www.microsoft.com/en-gb/security/online-privacy/phishing-faq.aspx
How to recognize phishing email messages, links, or phone calls
http://www.microsoft.com/security/online-privacy/phishing-symptoms.aspx
Simple steps to avoid being phished
http://www.sophos.com/en-us/security-news-trends/best-practices/phishing.aspx
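Slides 12 and 13 both come down to one question: where does this link really go? The checker below is an added example, not code from the presentation; it applies the HTTPS rule and the phishing rules to a URL before it is clicked, catching the classic tricks (credentials before "@", bare IP hosts, look-alike international names, brand names buried in someone else's domain, shortened links). The brand list, the shortener list and the two-label "registrable domain" heuristic are assumptions for the demo; real code should use the Public Suffix List.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed lists for the demo (assumptions): brands whose login pages the
# user actually visits, and some URL shorteners that hide the destination.
BRANDS = {"paypal", "facebook", "google", "apple", "dropbox"}
SHORTENERS = {"bit.ly", "t.co", "goo.gl", "tinyurl.com", "ow.ly"}


def registrable_domain(host: str) -> str:
    """Crude heuristic: the last two labels. A real checker must use the
    Public Suffix List, e.g. 'example.co.uk' has three."""
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def inspect_link(url: str) -> dict:
    """Return the host the browser will really connect to, plus warnings."""
    findings = []
    if "://" not in url:
        url = "http://" + url
    parts = urlsplit(url)
    host = (parts.hostname or "").strip(".")
    labels = host.split(".")
    domain = registrable_domain(host)

    if parts.scheme != "https":
        findings.append("not HTTPS: the page and anything you type on it travel unencrypted")
    if parts.username is not None:
        # 'https://paypal.com@evil.example/' connects to evil.example
        findings.append(f"text before '@' is a username, not the site; the real host is {host!r}")
    try:
        ipaddress.ip_address(host)
        findings.append("host is a bare IP address rather than a name")
    except ValueError:
        pass
    if not host.isascii() or any(l.startswith("xn--") for l in labels):
        findings.append("internationalised host name: may use look-alike characters")
    if domain in SHORTENERS:
        findings.append("short link: destination hidden behind a redirect, expand it before visiting")
    for brand in sorted(BRANDS):
        # brand appears somewhere in the name but the owning domain is someone else's
        if any(brand in l for l in labels) and domain.split(".")[0] != brand:
            findings.append(f"mentions {brand!r} but actually points to {domain!r}")
    return {"host": host, "domain": domain, "findings": findings}


if __name__ == "__main__":
    for link in ("https://www.paypal.com/signin",
                 "http://paypal.com.secure-login.example/",
                 "https://paypal.com@203.0.113.5/",
                 "https://p\u0430ypal.com/",          # Cyrillic 'a'
                 "http://bit.ly/3xyz"):
        print(link, inspect_link(link))
```

The browser's lock icon only tells you the connection to the host in "host" is encrypted and the certificate matches that host; it says nothing about whether that host is the one you meant, which is exactly what the "findings" list is for.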
14. You can never say never with security.
I hope this presentation has answered some questions and can serve
as a starting point for further research.
Remember there is always another point of view and something else to try;
the examples and recommendations are a guide to get you started.
Safe surfing.