How to protect yourself from basic cyber attacks

I read an excellent article on this morning about how to protect your infrastructure from basic cyber attacks. After reading it, I decided to share a few easy to follow ways for basic computer users to protect themselves.

Basic users have a really difficult time keeping their services secure. There is a misconception that security is hard. And, that misconception is reinforced by loads of advice written by experts that is just plain wrong. Consider the industry's obsession with anti-virus software. The unfortunate truth about anti-virus software is that by the time a piece of malware has been discovered and patched by researchers, it has already done its damage. And by the time the patch makes its way into anti-virus software, it is already obsolete.

This 'guide' is based on a few simple operating procedures:

  1. All software is vulnerable.
  2. If anyone with a budget wants to compromise your systems, they will be able to. There is absolutely no way that you (or anyone else) can stop a motivated attacker.
  3. The vast majority of people are not important enough to be targeted individually.

In light of these three principles, this guide is designed to thwart the lowest level of attacks.

Avoid using an admin user

People like me often like to make fun of Microsoft for a variety of reasons, but in my opinion, the worst offense that Microsoft ever committed against users was making admin accounts the standard. By default, admin accounts trust you to do anything that you want. And, by making admin accounts the default, Microsoft is essentially saying that they trust you. Complicating matters even further, you need to be fairly knowledgeable to set up an account that has next to no privileges by default.

The problem with this is it means that any software that runs on your computer can use those privileges against you. It makes you vulnerable to drive by downloads in which you visit a website and download/run malware in the background. It makes you vulnerable to email attacks where opening up a .pdf gives a criminal access to your banking info. It makes you vulnerable to compromised USB drives and a host of other security nightmares.

Contrast this with the Linux model of security. By default, Linus gives users absolutely no privileges. If you want to install or run anything, you need to approve the action and type in your password. It takes a significant amount of technical know-how to make Linus give you full admin privileges by default.

Using your computer as a basic user takes a little more time and it won't provide complete security, but it will protect you from the lowest hanging fruit. These most basic attacks are also the most common, so exposing yourself to the inconvenience of a basic account will protect you from huge numbers of attacks.

Use a password manager so that you have unique, difficult to crack passwords on every site you use.

Passwords are my biggest pet peeve about computing today. This is an area where our minds simply aren't equipped to deal with the complexity of being secure. a password like G673+wE6.asX is highly secure, but what if that was your password for gmail and your password for Facebook was 54_wYu0$qA3? Would you be able to remember those two and keep them straight??

I know that I sure can't, so I use a free password manager and simply copy and paste my login info on various sites.

Simply having strong unique passwords on every service you use will go a long ways towards protecting you. Password managers make that easier because seriously, who can remember strong passwords???

And, there you have it. If you follow those two bits of advice, you can protect yourself from a wide array of cybercrime. This won't protect you from everything, but it will protect you from the majority of qttacks. Anything else you add in (keeping your computer properly updated, ~~running anti-virus software~~, or running a firewall) will improve things even further, but if you do nothing else, do those two things.

Written on January 6, 2016