Article by Timothy Lui, Kinecta Federal Credit Union and Ken Selfridge, Selfridge Security Services
With the COVID-19 Stay at Home Order, people are by necessity spending more of their time at home. Whether working remotely or helping children with remote learning, using the internet has been more prevalent in most households.
Most people don’t get involved in the technical aspects of internet connectivity and security on their own, unless they already have an interest in them. This guide will help point non-tech-savvy people towards how best to secure their home environment.
Authentication means “to make sure the person is who they say they are”. Most online accounts are protected by a username and password. While many people think that their account credentials are adequately secure, here are a couple of statistics that may make you think twice:
“91% of people know that password recycling poses huge security risks, yet 59% of people continue to use the same password everywhere” – EntrustIT Europe
With the number of security breaches increasing each year, people’s credentials are being sold on the dark web for pennies. Using the same password for multiple accounts leaves all your accounts vulnerable if the password were ever to be compromised.
“90% of passwords can be cracked in less than six hours” – EntrustIT Europe
Hackers are sophisticated individuals and have developed numerous tools and phishing campaigns to help them steal your credentials. Always be vigilant, especially on emails that sound too good to be true or emails that require action with high urgency.
To help create strong passwords and secure your online accounts, use the following tips:
- Use a combination of lowercase, uppercase, numbers, and symbols.
- With each additional character in your password, the time it takes to crack increases exponentially.
- Do not use names or words that can be found in a dictionary.
- Use a password manager to help keep track of passwords instead of writing them down.
- Use passPHRASES instead of passWORDS.
- Using a phrase for a password is easier to remember and, because of its length, much more difficult to crack than a password composed of random characters.
- For Example: “13ismyluckylottonumber!” vs “#Jd09)3jf@”
- Use multifactor authentication (MFA) whenever available to make it difficult for bad actors to impersonate users.
- Factors of authentication include something you know (password), something you own (phone), something you are (thumbprint).
- The most common combination of MFA usually includes a password and a text message or an app (e.g. Duo or Google Authenticator) that randomly generates a code you must enter.
- Changing a single number or character in your password does not constitute a unique password!
To see more interesting facts about passwords or see how long it will take to crack a password similar to yours (DO NOT enter your actual password), check out this article from BetterBuys.
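As an added example (not part of the original article), this Python turns two of the tips above into code: it estimates the brute-force search space of the two sample passwords from the list, and it flags a “new” password that is only a one- or two-character edit of an old one. The symbol-set size of 33 and the two-edit threshold are assumptions made for the example.

```python
import math
import re

# Character classes named in the tips above. The symbol count (33, the
# printable ASCII punctuation) is an assumption used only for the estimate.
CLASSES = {
    "lower": (re.compile(r"[a-z]"), 26),
    "upper": (re.compile(r"[A-Z]"), 26),
    "digit": (re.compile(r"[0-9]"), 10),
    "symbol": (re.compile(r"[^a-zA-Z0-9]"), 33),
}


def keyspace_bits(password: str) -> float:
    """Brute-force search space in bits: every string of this length over
    the character classes actually present. Each extra character multiplies
    the work, which is the 'grows exponentially' point from the tips."""
    alphabet = sum(size for rx, size in CLASSES.values() if rx.search(password))
    return len(password) * math.log2(alphabet) if alphabet else 0.0


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: fewest single-character edits turning a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_trivial_variant(new: str, old: str) -> bool:
    """True when the 'new' password is just the old one with one or two
    characters changed (e.g. Summer2019! -> Summer2020!). Compared
    case-insensitively; the threshold of 2 edits is an assumption."""
    return edit_distance(new.lower(), old.lower()) <= 2


def evaluate(password: str, previous=()) -> dict:
    """Apply the checks above and return the findings for one password."""
    classes = [name for name, (rx, _) in CLASSES.items() if rx.search(password)]
    return {
        "length": len(password),
        "classes": classes,
        "bits": round(keyspace_bits(password), 1),
        "reused_variant": any(is_trivial_variant(password, p) for p in previous),
    }
```

Run on the article’s two examples, the 23-character passphrase scores roughly 140 bits against roughly 66 for the 10-character random string, which is the length argument in numbers.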
Internet Service Providers (ISPs) supply internet connectivity to their customers for a monthly fee. A modem/router combination is usually supplied by the ISP with a default username/password for management. In many cases, the default username and password are both “admin”. Knowing this, a hacker can easily sit outside your house and log in to your home network. It is highly recommended that you change the default password on any network devices you own, including modems, routers, smart thermostats, smart plugs, etc.
Wireless Network Management
Much like modem/router management, ISPs configure wireless networking using default settings. Below are some recommendations to secure your wireless network; each of these settings can be found in the management interface of your modem/router (see the product manual for how to access the interface):
Change the wireless SSID (Wifi name) and password from the default
- Choose an SSID that is not easily identifiable to strangers.
- Many modems/routers now come with custom randomly generated SSID passwords.
Make SSID pre-shared keys different than modem/router management passphrase
- Someone using SSID keys could guess the management password if it is the same and make configuration changes.
Use WPA2 wireless protocol with AES encryption
- WPA2 includes several security enhancements over its predecessors WEP and WPA which can be easily cracked.
If possible, have visitors connect to a “guest” network that uses a different password
- Some routers are configured with “guest” networks to keep guest devices separated from your home network devices.
- This will prevent any guests from connecting an infected device on your network and spreading it to your computers.
All computers should have antivirus software installed, whether it be the built-in Windows Defender or a purchased solution like McAfee, Symantec, or Kaspersky. Having this software installed will not guarantee a 100% malware-free computer; however, it will protect users from the majority of the known attacks circulating the internet.
With more people staying at home, email is frequently used to stay in touch with friends and family. As a result, bad actors have been taking advantage of this by sending more phishing emails to users. According to an article from Devon Milkovich at Cybint, the FBI has reported a 300% increase in reported cybercrimes. A phishing email attempts to deceive a user into providing personal information (credentials or SSN) or clicking a hyperlink/attachment to infect their computer.
The graphic below explains the common red flags of a phishing email:
Ransomware has become a very popular method to hold data for “ransom”, in that clicking a malicious link or attachment in a phishing email will encrypt (scramble) your data. The bad actor will then demand money or bitcoin to decrypt (unscramble) it for the user. Keeping a backup of your data can help defend yourself against ransomware attacks.
Separate Work and Home Computing
Where possible, it is recommended that users keep their home computer and work computer in separate spaces.
Do’s and Don’ts
- Use different passwords between work and home for computer login, websites, and email accounts.
- Change your home computer passwords every 90 days.
- Lock or log out of your work computer before you step away.
- Protect documents with sensitive information.
- Lock them up, or shred if no longer needed.
- Follow employer's work processes/policies.
- Don't allow family members to use your work computer.
- Avoid sharing files between home and work.
- USB drives can contain malware that activates when plugged in.
When kids are forced to stay home, they will likely spend more time on their computers/phones to stay in touch with friends and family. Keeping them safe from the dangers of internet-connected apps is both easier and harder than with adults.
Email
Unless there is a specific need for your child to use email – such as for schoolwork – consider NOT activating email for them.
If you do activate an email address for your child, be sure to review the email messages they receive. As with adult users, they may receive emails from people that they may not recognize but act like they know your child. Teach them that if they don't recognize the sender or subject, they should delete the message.
Many social media applications contain instant messaging or “IM” capabilities. This can be used to communicate one-to-one or in group chat sessions and is very popular with younger users, taking the place of hallway or lunch conversations at school.
“Cyberbullying” – picking on or otherwise attacking schoolmates – has also become more common as a result. Explain to your child that, just as with real-life bullying, they should tell you if they are being cyberbullied. Watch out for warning signs that your child may be subject to – or, hopefully not, engaging in – cyberbullying through IM.
If you can establish a rapport with your child as to why these measures are needed, it will prepare them to protect themselves and their privacy online.
COVID-19 has drastically changed the way we use computers and communicate with others. As a result, we must change our behaviors to adapt, which places even more importance on cybersecurity. While it may seem inconvenient to use a different password for each account or to separate your business computer from your web-surfing computer, following these simple security practices will greatly reduce your chances of being hacked. The headache of following these security tips will seem like paradise in comparison to dealing with a stolen identity or a drained bank account!
Timothy Lui is the Lead Information Security Architect for Kinecta Federal Credit Union where he manages and maintains various security tools to keep Kinecta safe from cyber-attacks. He graduated from Loyola Marymount University with a business degree emphasizing in Computer Information Systems and Marketing. Tim is passionate about security and sharing his knowledge to keep others safe. In his free time, Tim enjoys playing beach volleyball, basketball, golfing with his dad, and traveling with his fiancée Talia.
Ken Selfridge is the owner and proprietor of Selfridge Security Services, an information security consulting firm specializing in governance, program management and technical risk assessments. Prior to consulting, Ken worked for more than 20 years in cybersecurity. He has also worked in collections, risk management and investigations. His personal interests include movies, music and MMORPG gaming.