Security Best Practices
One approach to mitigating cyber risk is to implement layers of security so that you can prevent attacks, detect the attacks that get through, and respond quickly. Some layers are organizational: controls and policies. Others are technical: securing the network, the systems, the applications, and data in transit. The idea behind defense in depth is that if a bad actor gets through one layer, another layer stops them. For example, if someone falls for a phishing email and gives up their password, but the account has two-factor authentication enabled, the stolen password alone is not enough to log in. The second factor raises the cost of the attack rather than making it impossible: a one-time code can itself be phished in real time, which is why phishing-resistant factors such as hardware security keys are preferred for the most important accounts.
Passwords
| Recommendation | Why? | How? | Tools |
|---|---|---|---|
| Use strong passwords on your devices (mobile phones, computers, etc.) and accounts (especially important accounts such as email, social media, bank accounts, etc.) | Simple passwords are cracked quickly. Here's a calculator that estimates the strength of a password and how long it would take to crack. | Choose something that is easy for you to remember and hard for other people to guess. Length matters most: longer passwords are better than short ones. Mixing lower case, upper case, numbers, and special characters makes a password harder still to crack. | Use a password manager. Password managers can generate random passwords and remember them for you. Here's an xkcd comic on building a memorable passphrase. |
| Use a different password for each account. | If one account is breached, the stolen password cannot be reused to open your other accounts. | Use a password manager. It keeps track of all your passwords and helps you create a different one for each account. | Check whether your email address or passwords have appeared in a data breach. |
Here are several password managers: Buttercup (open-source and free), LastPass, and Dashlane.
Here is a comparison of password managers.
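As an added example (not code from the original page or from any of the tools it lists), the Python below puts two of the points above into code: how password length compares with character mixing in terms of brute-force search space, and how a breach lookup can be done without the password ever leaving your machine, using the k-anonymity scheme of the Pwned Passwords range API (only the first five hex characters of the SHA-1 hash are sent). The guess rate, the breach corpus and the offline stand-in for the API are constructed assumptions, labelled as such in the code.

```python
import hashlib
import math
import string
from typing import Callable

# Character classes used to size the brute-force search space. Assumption: the
# attacker knows which classes the password uses, so this is an upper bound for
# a truly random password and an overestimate for one built from words or patterns.
_CLASSES = (
    (set(string.ascii_lowercase), 26),
    (set(string.ascii_uppercase), 26),
    (set(string.digits), 10),
    (set(string.punctuation), 32),
)


def brute_force_entropy_bits(password: str) -> float:
    """Bits of search space for a password drawn at random from the classes it uses."""
    space = sum(size for chars, size in _CLASSES if any(c in chars for c in password))
    return len(password) * math.log2(space) if space else 0.0


def passphrase_entropy_bits(word_count: int, wordlist_size: int = 7776) -> float:
    """Bits for a passphrase of words chosen uniformly from a list (7776 = Diceware)."""
    return word_count * math.log2(wordlist_size)


def years_to_crack(bits: float, guesses_per_second: float = 1e10) -> float:
    """Expected years to find the password (half the search space) at the given
    guess rate. 1e10 guesses/s is a constructed assumption, in the region of a GPU
    rig against a fast unsalted hash; a slow hash such as bcrypt is far lower."""
    return (2 ** bits / 2) / guesses_per_second / (365 * 24 * 3600)


def pwned_count(password: str, fetch_range: Callable[[str], str]) -> int:
    """k-anonymity breach check as done by the Pwned Passwords 'range' endpoint:
    only the first 5 hex chars of SHA-1(password) are sent; the service replies
    with every breached hash suffix sharing that prefix, one 'SUFFIX:COUNT' per
    line, and the match is made locally. Returns the breach count, 0 if absent."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    prefix, suffix = digest[:5], digest[5:]
    for line in fetch_range(prefix).splitlines():
        if ":" not in line:
            continue
        candidate, count = line.strip().split(":", 1)
        if candidate == suffix:
            return int(count)
    return 0


# Constructed offline stand-in for the range endpoint (the real one is
# https://api.pwnedpasswords.com/range/<prefix>). Corpus and counts are made up.
_CONSTRUCTED_CORPUS = {"password": 5_000_000, "123456": 20_000_000, "letmein": 200_000}


def constructed_range_api(prefix: str) -> str:
    """Return the 'SUFFIX:COUNT' lines for every corpus hash sharing the prefix."""
    lines = []
    for pw, count in _CONSTRUCTED_CORPUS.items():
        h = hashlib.sha1(pw.encode("utf-8")).hexdigest().upper()
        if h.startswith(prefix):
            lines.append(f"{h[5:]}:{count}")
    return "\r\n".join(lines)


if __name__ == "__main__":
    for pw in ("Tr0ub4dor&3", "password"):
        bits = brute_force_entropy_bits(pw)
        print(f"{pw!r}: {bits:.1f} bits, ~{years_to_crack(bits):.2g} years, "
              f"seen in breaches {pwned_count(pw, constructed_range_api)} times")
    bits = passphrase_entropy_bits(4)
    print(f"4 random Diceware words: {bits:.1f} bits, ~{years_to_crack(bits):.2g} years")
```

The entropy figures are an upper bound: `pwned_count` is the check that matters for a password like `password`, which scores 37 bits on paper yet is found instantly because it is in every breach list. To use the real service, replace `constructed_range_api` with a function that performs the HTTPS GET for the prefix and returns the response body; the password itself is never transmitted.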
Phishing
Phishing is a way that bad actors try to deceive you into giving them your password or other credentials. It usually arrives by email, phone call, text message, or social media. Someone who appears trustworthy sends you a link to a fake copy of a real website, and the login form on that page captures whatever you type.
According to the Verizon Data Breach Investigations Report (page 7), almost 50% of data breaches involve stolen credentials and almost 20% involve phishing attacks.
Here are some resources to learn more about protecting yourself and your organization from phishing attacks:
- 6 Common Phishing Attacks and How to Protect Against Them
- Resist Phishing Attacks with Three Golden Rules
- Can you spot when you’re being phished?
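One concrete skill the resources above teach is reading where a link really goes before clicking it. As an added example (not code from the original page or from the linked resources), the Python below checks a link the way a careful reader would: it extracts the host the browser will actually connect to, flags the `user@host` trick, raw IP addresses, non-HTTPS schemes and internationalized (punycode) look-alike domains, and compares the visible link text against the real destination. The `registrable_domain` helper assumes simple one-label public suffixes; production code should consult the Public Suffix List instead. All sample URLs are constructed and use reserved example names.

```python
import ipaddress
from urllib.parse import urlsplit


def actual_host(url: str) -> str:
    """Host the browser will connect to. urlsplit().hostname drops any
    'user:pass@' userinfo and the port, so 'https://bank.example@evil.example'
    correctly yields 'evil.example' rather than 'bank.example'."""
    return (urlsplit(url).hostname or "").lower().rstrip(".")


def registrable_domain(host: str) -> str:
    """Last two labels of the host. Assumption for this example: single-label
    public suffixes only ('example.com', not 'example.co.uk')."""
    return ".".join(host.split(".")[-2:])


def link_warnings(href: str, expected_domain: str) -> list[str]:
    """Reasons a link that claims to belong to expected_domain looks like phishing."""
    warnings = []
    parts = urlsplit(href)
    host = actual_host(href)

    if parts.scheme and parts.scheme != "https":
        warnings.append(f"not HTTPS (scheme is {parts.scheme!r})")
    if "@" in parts.netloc:
        warnings.append("userinfo '@' trick: the text before '@' is not the host")
    try:
        ipaddress.ip_address(host)
        warnings.append("raw IP address instead of a domain name")
        return warnings
    except ValueError:
        pass  # not an IP literal, continue with domain checks
    try:
        ascii_host = host.encode("idna").decode("ascii")
    except UnicodeError:
        warnings.append("host contains characters that cannot be IDNA-encoded")
        return warnings
    if any(label.startswith("xn--") for label in ascii_host.split(".")):
        warnings.append(f"internationalized host (punycode {ascii_host}), possible look-alike")
    if registrable_domain(ascii_host) != expected_domain.lower():
        warnings.append(f"link actually goes to {ascii_host}, not {expected_domain}")
    return warnings


def display_mismatch(display_text: str, href: str) -> bool:
    """True when the visible link text names a domain that differs from where the
    href really goes (text says bank, link says attacker). Plain words such as
    'Click here' name no domain and are not judged here."""
    text = display_text.strip()
    if " " in text or "." not in text:
        return False
    shown = text if "://" in text else "https://" + text
    return registrable_domain(actual_host(shown)) != registrable_domain(actual_host(href))


if __name__ == "__main__":
    # Constructed samples of the tricks phishing emails use.
    samples = [
        "https://www.paypal.com/signin",
        "https://paypal.com@evil.example/login",
        "https://paypal.com.evil.example/login",
        "http://192.0.2.10/paypal",
    ]
    for url in samples:
        print(url, "->", link_warnings(url, "paypal.com") or "ok")
    print(display_mismatch("www.paypal.com/account", "https://evil.example/p"))
```

Mail clients show the real `href` when you hover over a link; this is the check to run in your head at that moment. The IDN case matters because a browser may render `xn--pypal-4ve.com` as something that looks identical to the legitimate name.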
Two-factor Authentication (2FA)
If a password is the only thing protecting a login, then anyone who learns the password can get in. To add another layer, require the system to verify you with two different kinds of evidence, taken from these categories:
- Something you know (such as a password or PIN)
- Something you have (such as a mobile phone or a hardware security key)
- Something you are (such as your fingerprint or your iris)
If the second factor is something you have, such as a mobile phone, the usual choice is an app that generates time-based one-time codes. A few options: Google Authenticator, LastPass, and 1Password.
Note: Avoid receiving the code by text message (SMS) where an app or security key is offered. SMS codes can be intercepted, and an attacker who convinces your carrier to move your number to their SIM receives them directly. If SMS is the only option a service provides, it is still better than a password alone.
VPN
A VPN (Virtual Private Network) encrypts your traffic between your device and the VPN provider's server, so nobody on the local network or at your internet provider can see its content or which sites you visit. VPNs are especially useful on public Wi-Fi in a hotel, airport, or restaurant. Note the trade-off: the VPN provider can now see the traffic instead, so choose one whose logging policy you trust.
Here are some recommendations:
- IVPN - ($6 / month)
- Mullvad VPN - (5 EUR / month)
- Mozilla VPN - ($5 / month)
Here are reviews of VPNs.
Device and Software Updates
Apply software updates in a timely manner.
When your computer or phone notifies you that an operating system or application update is available, install it promptly. In most cases the update fixes a vulnerability that has already been found, and once the fix is public, attackers can compare old and new versions and start exploiting unpatched machines within days. Turn on automatic updates wherever they are offered, and reboot when asked, since many patches are not in effect until you do.
Anti-virus software
Install anti-virus software on all your devices, keep it updated, and run scans regularly. Free options include Malwarebytes, Avast, and AVG; many paid products add features that may be worth paying for.
Microsoft Windows also ships with built-in virus and threat protection (Microsoft Defender); keep its definitions current and scan regularly. Back up your data as well, so that a ransomware attack does not cost you your files. OneDrive can back up your computer automatically, but a backup that is continuously synced can be encrypted along with the originals, so rely on versioned or offline copies and check that you can actually restore from them.