Practical Guide to Information Security
Information security matters more than ever, because so much of what we do every day, from banking to shopping, now happens over the internet. At the same time the threats keep growing: data breaches, malware outbreaks and ransomware that can not only infect your computer but put your files and personal information at risk.
Information Security, or Infosec, is the practice of protecting information by managing risk. To protect yourself, first identify your assets and what they are worth, then the threats to them and the impact if a threat succeeds. From that you can rank the risks and decide how to treat each one, usually by reducing it.
For instance, suppose you use a laptop for college and it holds your coursework. The laptop may be worth $2,000, but the data on it may be worth far more to you. If someone stole the laptop, or obtained your coursework through a vulnerability in the operating system, the effect would be far worse than the cost of the hardware.
This guide is meant to help you take both your security and your privacy seriously, and to give you practical steps for doing so.
Other Guides
- Basic Hardening of macOS
- Basic Hardening of Windows 10
- Scanning your Home Network for Vulnerabilities
The Basics
Social Engineering
People are easy to manipulate, and technology is no exception. A user with little security awareness will tend to click on an untrustworthy link or open an attachment from an unknown sender. The computer gets infected, and the attacker can then use it to attack others as part of a botnet, a network of infected computers under the attacker's control.
In some cases the malware encrypts all your data and demands payment, usually in a cryptocurrency such as Bitcoin, to get it back. This is ransomware. Paying does not guarantee you will get your data back, and without a backup that the malware could not reach (an offline copy or a versioned cloud copy) the data may be gone for good.
Manipulating people like this is social engineering: tricking a person into giving an attacker access to a system or handing over personal information that can be used for fraud. Besides baited attachments and untrustworthy downloads, the most common form of social engineering is phishing.
Phishing is an email that poses as a legitimate business or organization in order to steal personal or account information. Always check the real sender address, not just the display name, and do not click links in the message. Instead, hover over or copy the link and look at the actual destination. The domain is what matters: a phishing link points somewhere other than the business's real domain, often a lookalike (paypa1.com, paypal.com.verify-account.net, or a bare IP address) that is easy to miss at a glance. If in doubt, open a new browser tab and go to the business's site yourself to see whether the claim in the email is real. Never send personal or account information by email; a message that asks for it is a red flag and should simply be deleted.
Also, do not fall for emails claiming you have won a foreign lottery or that a prince needs your help moving money, known as advance-fee fraud or the Nigerian (419) scam. In every case it is too good to be true. Falling for one puts your personal information at risk and can cost you real money.
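To make the "look at the real destination" advice concrete, here is an added example (not part of the original guide) that checks each link in a suspect email the way a careful reader would: it compares the visible link text with the real host and flags the usual phishing tricks. The brand list and the sample links are constructed for the example; a real checker would use the public suffix list for the domain split.

```python
"""Flag suspicious links from an e-mail: compare the visible text with the
real destination and look at the host. Added example for this guide
(stdlib only); the brand list and sample links below are constructed."""
import ipaddress
import re
from urllib.parse import urlsplit

# Real domains of services you have accounts with. Constructed sample.
KNOWN_BRANDS = {"paypal.com", "amazon.com", "chase.com"}

HOST_RE = re.compile(r"[a-z0-9.-]+\.[a-z]{2,}")


def registrable_domain(host):
    """'www.paypal.com' -> 'paypal.com'. Crude last-two-labels view; a real
    tool would consult the public suffix list (co.uk and friends)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def check_link(display_text, href):
    """Return the reasons a link looks like phishing (empty list = none found)."""
    reasons = []
    parts = urlsplit(href)
    host = (parts.hostname or "").lower()

    if parts.scheme != "https":
        reasons.append("not HTTPS")
    if parts.username is not None:
        # https://paypal.com@evil.example/ : everything before '@' is user
        # info; the browser actually goes to evil.example.
        reasons.append("text before @ in the URL hides the real host")
    try:
        ipaddress.ip_address(host)
        reasons.append("host is a bare IP address, not a domain")
    except ValueError:
        pass
    if any(label.startswith("xn--") for label in host.split(".")):
        reasons.append("internationalised (punycode) host, possible lookalike letters")

    # If the visible text itself looks like a domain or URL, it must match.
    shown = display_text.strip().lower().split("://")[-1].split("/")[0]
    if HOST_RE.fullmatch(shown) and registrable_domain(shown) != registrable_domain(host):
        reasons.append(f"text shows {shown} but link goes to {host}")

    # Brand name buried inside someone else's domain: paypal.com.verify.example
    for brand in KNOWN_BRANDS:
        if brand in host and registrable_domain(host) != brand:
            reasons.append(f"{brand} appears inside another domain ({registrable_domain(host)})")
    return reasons


# Constructed sample of (visible text, real href) pairs, as you would get
# from the <a> tags of an HTML e-mail.
SAMPLE_LINKS = [
    ("www.paypal.com", "https://www.paypal.com/signin"),
    ("https://www.paypal.com/", "https://paypal.com.account-verify.example/login"),
    ("Secure login", "http://paypal.com@203.0.113.5/"),
    ("chase.com", "https://xn--chse-7ra.com/"),
]


def triage(links=SAMPLE_LINKS):
    """Map each suspicious href to its list of reasons; clean links are dropped."""
    result = {}
    for text, href in links:
        reasons = check_link(text, href)
        if reasons:
            result[href] = reasons
    return result


if __name__ == "__main__":
    for href, reasons in triage().items():
        print(href)
        for reason in reasons:
            print("   -", reason)
```

Of the four constructed links only the first is clean; the other three trip the text-versus-destination check, the user-info trick, the bare IP and the punycode host respectively.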
Don’t Pirate
It is tempting to pirate software, movies or streams simply to avoid paying. Besides the legal risk, pirated files cannot be trusted: you have no way of knowing whether someone has embedded a trojan horse, which is malware disguised as, or bundled into, a legitimate piece of software, and cracks and key generators are a classic vehicle for it. Illegal streaming sites are also full of aggressive ads, some of which deliver malware (malvertising) or push fake "update your player" downloads. If you value your security, obtain your software and entertainment legally.
Keep your Software Up to Date
I know, updates sometimes break software, which matters in a business because it can disrupt business processes. For home users the impact is small. Inconvenient as they are, software and operating system updates are very important because they patch known vulnerabilities, and once a patch is public the vulnerability it fixes is quickly reverse-engineered and used against everyone who has not installed it.
By installing updates you protect yourself from known threats. This includes the operating system itself, and also browsers, browser plugins and any other software that handles content from the internet. If your operating system version is out of support it no longer receives security fixes, so every new vulnerability found in it stays open. Turn on automatic updates wherever they are offered.
Use a Secure Password and Two Factor Authentication
Let's face it, remembering complex passwords is hard, so we use easy ones. The problem is that people pick passwords made of common words, birth dates, real names and so on, which are exactly what attackers try first, so they are cracked quickly. Replacing letters with symbols or digits (@ for "a", 0 for "o") helps less than you would think: cracking tools apply those same substitutions automatically. What makes a password hard to crack is length and unpredictability. A phrase of several unrelated words is both easy to remember and strong, and every account should have its own.
If you do not want to remember passwords, use a password manager such as 1Password. You remember one strong master password and the manager generates a different random password for each account. A password manager becomes a liability if you leave it unlocked, so set it to lock automatically after a short idle time and lock it when you step away, so that someone with physical access to your machine, or remote access if you have that enabled, cannot read your vault.
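The following is an added example (not the guide's own code) showing the attacker's side of the substitution advice above: a tiny dictionary plus the same letter-for-symbol rules that password crackers ship, which recovers "P@ssw0rd" instantly, next to the arithmetic for why a randomly chosen multi-word passphrase is stronger. The five-word list is a constructed sample; real cracking lists hold millions of words, which only makes the point stronger.

```python
"""Why letter-for-symbol substitutions add little, and what to do instead.
Added example for this guide (stdlib only). WORDLIST is a constructed
five-word sample; real cracking wordlists have millions of entries."""
import itertools
import math
import secrets

WORDLIST = ["password", "welcome", "dragon", "sunshine", "monkey"]  # constructed

# The substitutions users make are the substitutions crackers try: hashcat
# and John the Ripper ship rule files that do exactly this.
LEET = {"a": "@4", "e": "3", "i": "1!", "o": "0", "s": "$5", "t": "7"}
SUFFIXES = ["", "1", "123", "!", "2019"]


def leet_variants(word):
    """Yield every combination of substitutions, lower case and capitalised."""
    options = [(c,) + tuple(LEET.get(c, "")) for c in word]
    for combo in itertools.product(*options):
        variant = "".join(combo)
        yield variant
        yield variant.capitalize()


def crack(password, wordlist=WORDLIST):
    """The attacker's view: return the base word if the password is just a
    dictionary word plus the usual mangling, otherwise None."""
    for word in wordlist:
        for variant in leet_variants(word):
            for suffix in SUFFIXES:
                if variant + suffix == password:
                    return word
    return None


def entropy_bits(n_words, list_size):
    """Bits of guessing work for n words chosen uniformly at random from a
    list of list_size words (a 7776-word Diceware list, 5 words: ~64.6 bits)."""
    return n_words * math.log2(list_size)


def random_passphrase(wordlist, n_words=5):
    """Pick words with the OS random generator (secrets), never random.choice,
    which is predictable. Use a large list; WORDLIST here is only a sample."""
    return " ".join(secrets.choice(wordlist) for _ in range(n_words))


if __name__ == "__main__":
    for pw in ["P@ssw0rd", "Sunsh1ne!", "Dragon123", "correct horse battery staple"]:
        print(f"{pw!r:34} -> {crack(pw)}")
    print("5 Diceware words: %.1f bits" % entropy_bits(5, 7776))
    print("sample passphrase:", random_passphrase(WORDLIST, 4))
```

The "mangled word" passwords fall to 54 variants of a single dictionary entry, while five random words from a 7776-word list give roughly 2^64 possibilities, out of reach of offline guessing even with fast hashes.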
Two/Multiple Factor Authentication should also be enabled for extra security. What is Two Factor Authentication? It requires two different ways of proving who you are before you get access to an account or system, drawn from different categories:
- What you know: Password or PIN.
- What you have: a smart card (a plastic card with an embedded chip, such as the Common Access Card or Personal Identity Verification cards used by the U.S. government), a USB security key, or a one-time password from an app on your smartphone or from a hardware token.
- What you are: Fingerprint, Facial Recognition, Iris scanner.
Enabling Two/Multiple Factor Authentication makes it much harder for an attacker who has your password to get in. The weak link is usually account recovery: if the recovery email address is poorly protected, or the second factor is an SMS code that can be intercepted or redirected with a SIM swap, an attacker can go around the second factor. Prefer an authenticator app or a hardware key over SMS where the service offers it. When you enable Two Factor, save the backup codes somewhere safe in case you lose your smartphone. Otherwise you will be locked out of your own account.
Use Endpoint Protection or Practice Common Sense
Endpoint protection is security software, typically a firewall plus anti-malware (also known as antivirus), that protects the system from threats. It stops most known threats, but it cannot stop everything: a zero-day is a vulnerability that attackers are already exploiting before the vendor knows about it or has shipped a fix, and brand-new malware has no signature yet. To limit what such threats can do, you should do the following
- Use a Firewall – A firewall blocks unsolicited incoming connections so that other computers, including attackers, cannot reach services on your system. It may get in the way of programs that need to accept connections; you can add a rule to allow a program, and a dialog box usually appears when this happens. Windows comes with one enabled by default. macOS has one too, but it is off by default and it only filters incoming connections. For that reason I highly recommend Little Snitch on macOS, which lets you allow or block both incoming and outgoing connections per application and monitor them as well.
- Keep Anti-Malware up to date – Anti-malware cannot catch unknown malware, but it does protect you from known families, and only if its signatures are current. Windows 8 and Windows 10 have a built-in anti-malware (Windows Defender) that does this. macOS has a more limited built-in set (Gatekeeper and the XProtect signature checks), and Linux distributions usually ship nothing. There are fewer threats for those platforms, and much of the damage requires administrator or root privileges, but not all of it: malware running as your user can still read, steal or encrypt your files. Your best protection remains not downloading untrustworthy files or clicking untrustworthy links.
- Disable unneeded services – Most operating systems come with services such as file sharing, screen sharing or remote login that can be switched on. Enable only the ones you actually use; every listening service is something an attacker can probe and possibly exploit. You can see what is listening with "netstat -an" on Windows or "lsof -i -P -n" on macOS.
- Uninstall unused software – Software you do not use is still attack surface, especially when it is not being patched. Browser plugins and old runtimes are the usual culprits. If you do not use it at all, remove it.
- Use a Standard Account for Day to Day Activities – You should never use an Administrator account as your day-to-day account, for two reasons. First, much malware needs administrator privileges to install itself persistently or tamper with the system; running as administrator makes that easier. Second is of course user error. Let's face it, we make mistakes. Authentication prompts and User Account Control ask you to approve system changes, but people often type their password or click "Allow" without realising what they are approving. With a standard account you must enter an administrator's username and password, so you will think twice before doing something that can break your system. Note that a standard account limits damage to the system, not to your own files: ransomware running as you can still encrypt everything you can write to, which is why backups matter. Besides, you only need administrator privileges to install, uninstall or update applications and to change system settings.
- Do not leave your computer unattended – Have the computer lock after a short period of inactivity (e.g. 5 minutes) so that an unauthorized person cannot simply walk up and use it. You can also lock it on demand. On Windows press Windows+L, or press CTRL+ALT+DEL and select Lock. On macOS select "Lock Screen" from the Apple menu or press Control+Command+Q.
- If you download software, check the hash – It is a good idea to check the integrity of a file you downloaded before opening it. A cryptographic hash is a fixed-length fingerprint of the file: generate a hash of the downloaded file in the terminal and compare it with the one published on the website; any difference means the file is not what was published. Prefer SHA-256. MD5 and SHA-1 are no longer collision resistant, so they only catch accidental corruption, not a deliberately substituted file. Note also that a hash published on the same server as the download only proves you received what that server is serving; if the project signs its releases (PGP or code signing), verify the signature too. Below is a table of how to generate each hash.
Hash    | macOS                    | Linux (coreutils)    | Windows (PowerShell)
SHA-256 | shasum -a 256 [filename] | sha256sum [filename] | (Get-FileHash [filename] -Algorithm SHA256).Hash
SHA-1   | shasum -a 1 [filename]   | sha1sum [filename]   | (Get-FileHash [filename] -Algorithm SHA1).Hash
MD5     | md5 -r [filename]        | md5sum [filename]    | (Get-FileHash [filename] -Algorithm MD5).Hash
Note: You can drag your file into the terminal window to insert its full path. On Windows without PowerShell, "certutil -hashfile [filename] SHA256" does the same from the command prompt. If the site publishes a SHA256SUMS file, "shasum -a 256 -c SHA256SUMS" (or "sha256sum -c SHA256SUMS" on Linux) checks every listed file at once.
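As an added example (not part of the guide, and in Python rather than the shell commands in the table), this is what "check the hash" does under the hood: hash the download in chunks, read the published SHA256SUMS-style listing, and compare. The sample "installer" and checksum list are constructed inside demo(); the file is hashed in chunks so a large installer never has to fit in memory, and a pasted digest of the wrong length is rejected rather than silently reported as a mismatch.

```python
"""Verify a download against a published checksum, as 'shasum -c' and
'sha256sum -c' do. Added example for this guide (stdlib only); the sample
file and checksum listing are constructed inside demo()."""
import hashlib
import hmac
import os
import re
import tempfile

DIGEST_HEX_LEN = {"md5": 32, "sha1": 40, "sha256": 64}

# One line of shasum/sha256sum output: hex digest, whitespace, optional '*'
# binary marker, file name.
SUMS_LINE = re.compile(r"^\s*([0-9a-fA-F]+)\s+\*?(.+?)\s*$")


def digest_bytes(data, algorithm="sha256"):
    return hashlib.new(algorithm, data).hexdigest()


def digest_file(path, algorithm="sha256", chunk=1 << 20):
    """Hash in 1 MiB chunks so a multi-gigabyte installer need not fit in RAM."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def parse_sums(text):
    """Map file name -> lower-case hex digest from a SHA256SUMS-style listing."""
    sums = {}
    for line in text.splitlines():
        m = SUMS_LINE.match(line)
        if m:
            sums[m.group(2)] = m.group(1).lower()
    return sums


def matches(actual_hex, expected_hex, algorithm="sha256"):
    """Case-insensitive comparison. A pasted value of the wrong length is an
    error, not a mismatch: a truncated copy-paste should not look like tampering."""
    expected = expected_hex.strip().lower()
    if len(expected) != DIGEST_HEX_LEN[algorithm]:
        raise ValueError(f"{algorithm} digest must be {DIGEST_HEX_LEN[algorithm]} hex chars, got {len(expected)}")
    return hmac.compare_digest(actual_hex.lower(), expected)


def verify_bytes(data, expected_hex, algorithm="sha256"):
    return matches(digest_bytes(data, algorithm), expected_hex, algorithm)


def verify_file(path, expected_hex, algorithm="sha256"):
    return matches(digest_file(path, algorithm), expected_hex, algorithm)


def demo():
    """Write a constructed 'installer' and a tampered copy, verify both against
    a SHA256SUMS listing. Returns (good_matches, tampered_matches)."""
    with tempfile.TemporaryDirectory() as d:
        good = os.path.join(d, "tool-1.0.zip")
        bad = os.path.join(d, "tool-1.0-tampered.zip")
        with open(good, "wb") as f:
            f.write(b"hello")  # constructed payload
        with open(bad, "wb") as f:
            f.write(b"hellp")  # one byte changed
        # Listing as a project would publish it: the SHA-256 of b"hello".
        sums = parse_sums(
            "2cf24dba5fb0a30e26e83b2ac5b9e29e1b161e5c1fa7425e73043362938b9824  tool-1.0.zip\n"
        )
        expected = sums["tool-1.0.zip"]
        return verify_file(good, expected), verify_file(bad, expected)


if __name__ == "__main__":
    print("good file matches: %s, tampered file matches: %s" % demo())
```

A single flipped byte changes every bit of the digest with equal likelihood, which is why the comparison is all-or-nothing; there is no such thing as a "close" hash.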
Do not use Public Wi-Fi (or if you must, use a Virtual Private Network)
Wireless traffic is easy to capture: anyone in range with a tool like Wireshark can record it, and whatever is not encrypted above the Wi-Fi layer can be read. On an open network (no password) nothing is encrypted at the wireless layer at all. WPA2 (Wi-Fi Protected Access 2) encrypts the wireless traffic, but on a café or airport network where the password is handed to everyone, another user who knows that password and captured your connection handshake can decrypt your traffic too. The attacker can use what is captured to get into your web accounts, and it is worse still if you connect to a rogue access point that poses as the legitimate one, because then every packet passes through the attacker's hardware.
In addition, public Wi-Fi exposes you to Man in the Middle attacks, in which the attacker sits between your computer and the legitimate server and impersonates each to the other. From there the attacker can read your traffic, including your cookies and browsing activity, and worse, the account information you use to authenticate. HTTPS with a valid certificate is your main defence here, so never click through a certificate warning on a public network.
One of the easy ways to protect yourself on public Wi-Fi is a virtual private network (VPN). A VPN encrypts all of your internet traffic between your computer and the VPN server, so an attacker on the local network cannot read or tamper with it.
A VPN works by tunneling: each packet is encrypted and encapsulated inside another packet addressed to the VPN server, which decrypts it and forwards it to the real destination server. Several protocols do this, among them IPsec (IP Security), OpenVPN (which runs over TLS) and WireGuard. It is akin to putting a letter in an envelope and posting it to a trusted friend who opens it and delivers it. Note what that implies: the VPN protects you from the local network, not from the VPN operator, who can see everything the café could have seen, so pick the provider (or run your own server) with that in mind.
Consider using Full Disk Encryption
Full Disk Encryption protects the confidentiality of the data on your system: without the key, a stolen laptop or a removed drive yields nothing readable. On modern Windows PCs the Trusted Platform Module (TPM), a dedicated security chip, stores the disk key and releases it only when the machine boots unmodified; the encryption itself is done by the processor, which has hardware AES instructions, so the performance cost is small. On Macs with the Apple T2 chip (most models from 2018 on) the T2 encrypts the storage inline. Older Macs do the work on the main processor, again with a small impact on performance.
On Windows systems, if you are using Windows 10 Pro or Enterprise, you can enable BitLocker, which encrypts your whole drive. Windows 10 Home cannot run BitLocker, though some Home devices offer the simpler "Device encryption" option in Settings when the hardware supports it; otherwise consider upgrading to the Pro version. For macOS, FileVault 2 accomplishes this. Either way, store the recovery key somewhere safe, such as a safe deposit box or your password manager, and separate from the computer. If you lose it and need it, you will lose all your data.
What is encryption? Encryption transforms data with a key so that only someone holding the right key can read it. There are two kinds of key arrangement: symmetric encryption uses one shared secret key for both encrypting and decrypting, and asymmetric (public-key) encryption uses a pair, a public key anyone may have and a private key only you hold. An encryption key is like the key to your home or office: without it you cannot get in. Disk encryption is symmetric, and the standard cipher for it is the Advanced Encryption Standard (AES); both BitLocker and FileVault use AES.
Secure your Network
Since your router is on 24 hours a day, seven days a week, an improper configuration leaves your whole network exposed all the time. When you configure the network, you should consider the following
- Change the default login – The easiest way to get hacked is to leave the defaults in place. Default router passwords are listed online, and with one an attacker can change your configuration at will. Also disable administration from the internet (WAN) side unless you truly need it.
- Use Secure Wireless Security – The recommended security for home wireless networks is WPA2 Personal, or WPA3 Personal if your router and devices support it. The Wi-Fi key should be long and memorable like any other password, so that it cannot be cracked offline from a captured handshake. Do not use WEP (Wired Equivalent Privacy) or the original WPA Personal; both are broken and out of date. Disable WPS as well, since its PIN can be brute-forced.
- Keep your Router Firmware up to date – Like computers and laptops, routers are computers as well, and they need patching. Some routers update themselves or through the administration utility; for others you will need to fetch the latest firmware from the manufacturer's site. If the manufacturer no longer releases firmware for your model, it is time to replace it.
Extra Considerations
Protect your System with Deep Freeze
Deep Freeze is a system utility that protects your system partition from changes: every restart returns it to the frozen state. In other words, if you accidentally install malware, you only need to restart your computer. When you want to install updates, you simply "Thaw" the partition, install them, and freeze it again. This avoids reinstalling the whole operating system because of a malware infection. Keep in mind that it does nothing until you reboot: malware that runs during a session can still steal data or spread while the machine is up.
Please note that you need to redirect your user profiles to a separate partition that Deep Freeze does not protect. Otherwise your own changes, documents included, will also be discarded at every restart. And because the frozen partition only changes when you thaw it, make a habit of thawing to apply security patches.