The following is an article I placed on LinkedIn.
I am a microbiologist with over 15 years’ experience in the pharmaceutical industry supporting the manufacture of liquids, creams, ointments and tablets. I have a strong interest sterile manufacturing, leading and developing others. Recently I have been working closely with data security. I have an arty streak, an affinity for computers and ride bicycles…a lot.
Before I began working in IT security, my only thoughts to security were install an anti-virus, never share your password and to lock your doors and not to travel to dangerous parts of the world. These days, I have a more nuanced understanding of how to protect your physical and digital property.
Today your data is everywhere online. You can potentially lose your savings, access to various account and even your identity. With or without access to your online data, thieves can access your property and make off with your stuff.
In no particular order, here are my top 10 tips to protect your digital and physical self.
1. Restrict access
Without physical access to your property, it cannot be stolen. Physical access to a computer system makes theft easier. Hard drives can be removed and inserted into other systems. Routers can be reset. USB drives can be used to auto load malicious payloads.
Use user accounts for general use and save administrator accounts for system administration such as software installation or configuration. Systems that are not secure or are breached allow access to your data. Blocking ports on your devices that are no needed reduces your attack surface. Don’t give your grandkiddies access to your computer unless they have their own restricted access account. I periodically remind my parent of this.
When creating an account or installing a new device, change the default password immediately.
2. Use complex unique passwords
Use one key for your screen door, another for your front door, another for your server rack and another for your study. This may be inconvenient. Losing your property is more so.
For data, make sure your passwords are unique for each resource you access. Password managers are handy here. NEVER use passwords such as “12345” or “guessme”. NEVER recycle passwords by adding numbers or letters to the end of an existing password when prompted to update one. If using a password manager, give it a long and complex password.
3. Backup, backup, backup
For property, maintaining an inventory database is useful. This ensures in the event of theft or fire, you can substantiate (to the police, to your insurer) what has been lost and replacements sourced.
For data, if it is important, back it up. Ideally a local backup for convenience and an off-site backup for disaster. In the past this involved burning data to tape, CD or DVD and storing copies off site. Today, many cloud providers allow you to back up data in real time off site. If you have gone to the trouble of backing up, you should test your backups periodically. There is no point losing data only to find your backups are corrupt. I backup my main PC to my server. I also backup online. I don’t care about the data on my laptop.
4. Hide keys to your identity
Access passes, addresses or rego numbers on keys These are ways to identify where they can be used in the event of loss. Don’t store you keys in obvious locations when not using them. When keys were stolen from my partner’s car, what they accessed could not identified. They were not keys for anything local.
You should never wear your work passes on the way to work. A malicious actor could view your name and place of work while you commute and then send a targeted email as part of a social engineering or phishing campaign. You may even be called directly or your contact details found via social engineering.
Never store passwords in human readable form. Do not place them under your keyboard or stick them to your monitor of insert them behind the photo of a loved one.
5. Don’t give away information for free
See point 4 regarding passes and other personally identifiable information.
Don’t discuss private information in public. Conversations on public transport, in a café, while walking and talking on your phone etc. are not private. Useful information about you and your movements and associations can be gleaned from these conversations.
If you value your data, keep it to yourself. Most services perceived as free are not. Your data is the payment. Examples include Facebook, Google searches, email receipts sent to your phone, competitions requiring email entry etc.
When using portable computers, use a privacy shield to reduce the ease of shoulder surfing.
Information you should never share includes social media posts about where you are. If a criminal knows where you live and knows or finds you on social media, a post about your current overseas or out of town holiday is an invite to rob you. Your fitness app profile could be used to find your social media profile and from there, your address and movements. If you must post about your holiday, do it when you get home.
6. Use Multiple layers of security
Two or more layers of security are good here. Lock your external doors. Place a lock on your study/computer room door. If your router is in a rack or another room, lock that too. Some companies use what are known as man traps. Only one person can pass through the entrance (or even exit) of a restricted area at any one time.
For data, make sure your passwords are unique. Ideally use user accounts for general use and save administrator accounts for system administration such as software installation or configuration. Consider multiple forms of authentication, such as a password and also a fact or physical attribute.
7. Never open email attachments (or click on links)
Most of your security comes down to your actions and opening an email attachment without 100% verifying the sender sent it is very unsafe. Email can be used to verify the account exists, seek information from you such as passwords, download and install ransomware, download and install CPU hijackers and more. Clicking on links could take you to websites that use known or unpatched flaws on your computer to compromise it and your data. Linked sites can also be used to elicit private information such as account numbers and passwords.
Even with the latest and greatest security program, there is a risk malicious programs or system compromise can occur. Security software relies on known malicious programs and known attack techniques. Criminals are constantly honing and improving their attacks.
In the event that access to your data was obtained, encryption can prevent it being used. Only you (assuming you used solid passwords and a modern encryption protocol) will be able to access your data. If local or online data compromise occurs, encrypted data is useless to thieves.
Lost or stolen laptop? Stolen computer? Lost phone? These are all useless (other than possibly resale value) to a criminal. Without encryption, data compromise is inevitable. With encryption, despite what you see on CSI, it will take more than 1000 years to gain access to your encrypted data.
9. Monitor your property
For your property, keeping an eye on it helps you to track it and prevent theft. This could extend to security cameras. Auto notification emails or texts can be set up on systems where motion is detected.
Systems such as intrusion detection and prevention system can be used to monitor hacking attempts. Many online services send emails when an unrecognised IP address access an account of yours. Examining user access logs and system logs allows you to determine out of place activity.
10. Provide a false impression
You can use pseudonyms when using the Internet. If you run servers, use a honey pot to mislead hackers. Use a device that emulates TV glow when you are travelling. Use timers for lights. Arrange a neighbour to empty your letterbox to give the impression someone is home if you are not.
Do you agree with this list? Do you have anything to add or your own security ideas? Share them in the comments section or message me directly.