Recently I was invited to give a presentation to a varied audience about internet security, to discuss safe practices online. Most of tomorrow night will be me drawing up slides and hand-outs for the half-hour presentation, but I wanted to give something of a primer here on my blog, both to help organize my thoughts and because I think the information is valuable to a broad audience.
Use Different Passwords
As computing power has increased, and the number of websites and applications we use has skyrocketed, old advice about passwords doesn’t ring true any more. A “complex” password that’s only 8 characters can be cracked in less time than it took you to read this sentence. The fact of the matter is, breaches happen, and they happen all the time. The number one piece of advice I can give to someone is to use a different password for every website. There are software password managers to help keep track of them all, and to auto-fill in credentials where necessary, but even writing them down in a journal you keep at home is better than using the same password for all of your sensitive online dealings; in this way if (when) a website gets hacked, only that one account of yours will be vulnerable.
Employ an Ad-Blocker
I don’t know anyone who actually likes seeing ads on webpages, but that’s not why I highly, highly suggest using an ad-blocking extension or add-on for your browser. Most of the infections I see these days are due to malicious ads being served on otherwise innocent websites, forcing your computer to install programs and run code, even without you clicking on anything. Companies like Google and Yahoo! have served bad ads in the past, and it’s a trend that will continue well into the future. Not only will use of an ad-blocker (I personally like uBlocker Origin) reduce the chance of you catching a virus this way, it will also prevent you from accidentally clicking on an ad, which could further cause problems, and speed up your internet experience, since your computer doesn’t download those large images or movies any more.
Updates, Updates, Updates
Just to get it out of the way, I know that, very occasionally, incomplete or poorly-tested updates get released. That said, for the vast majority of computer users, it is absolutely critical to have your computer do key updates – this includes for your operating system (e.g. Windows), your web browser (e.g. Chrome), and other programs that you commonly use (e.g. iTunes). Security updates help keep your computer protected from attackers, and new security vulnerabilities are being found – and patched – by big software companies all the time. Most programs can be set to do updates automatically, and as a general rule, particularly for residential or home use, industry leaders recommend you turn them on.
No, that Email is not Legit
The second most common way to get infected with a virus or to accidentally hand over your sensitive login details is through email fraud. As an overarching rule, your bank, the IRS, and your doctor will never email you, particularly not with an “important” link you have to click on. If ever there is doubt, and there should always be doubt, do not click on any links the message includes, and instead manually type in the website address of your bank/doctor/et cetera manually into your web browser. This rule doubly applies for companies such as Amazon or PayPal who incessantly spam their customers. One of the most effective scams I’ve seen is to email someone a fake Amazon receipt with “click here to cancel this order” inside. The person sees the (fictitious) order, clicks to cancel, and gives their username and password to the bad guys.
Two-Factor Authentication (2FA)
An increasingly common account security measure offered by Amazon, Google, Facebook, and many online retailers is the idea of “two-factor authentication.” This is an extra layer of security that helps prevent anyone else from logging in to your accounts. The basics of 2FA are that, when your account logs in, you receive a text message or email with a unique code you must type in to prove that the login is valid. Someone who doesn’t have your phone or access to your email won’t be able to use the code, and so can’t use your account, even if they know your password. I highly encourage all users to set up 2FA for the websites or services that offer it.
To Summarize…
Realistically, I could talk about internet and device security for hours and hours, particularly to or with an audience that’s technically-inclined. I was specifically invited to give this talk because I can also talk to non-technical people, and that’s a skill I think that is too often undervalued in the IT profession. No matter how good an engineer is, there has to be someone to put things into terms the client or end user can understand. With any luck I’ll spend about half an hour going over the above topics, with the inclusion of a few pictures, and be able to impress upon the audience the importance of security in today’s connected world.
If you other ideas or examples you think I could present, please feel free to email me – I love hearing from other industry professionals, particularly those who have an interest in security or outreach.