My last post on securing the online classes for your kids drew in a lot of interest. I got a lot of friends also call me up / ping me offline about their own work/home place security. As one friend commented "an adapted version of this for adults would be useful".
In this post, I go over all the discussions that I had with people for their own personal setups.
There are still 2 parts to ensuring that your personal work is secure.
- The technology that we can use
- The behavioral changes
1. Technology
Working from home when the pandemic started was awesome - wasn't it ? No more long commutes. No more getting ready early. Learn the stuff you most like doing (which apparently for the large majority was cooking).
Its also been awesome for the criminally minded people. Spam related to covid response is quite prevalent. Here is a snapshot of the Covid response dashboard from McAfee:
And that's just the new threats from COVID related spam. All the existing threats still exist. Companies are still getting hacked and your data is still getting out there. The most recent one I know of is the Dr Reddy's data breach.
So, now lets talk about the tech needed for making your life a bit easier.
Which Anti-Virus to use ?
As always, if you are on Windows, an antivirus is a necessity. You could go with Windows Defender, as it has become quite robust, but 3rd party security vendors are much more focused on the security aspects. For instance, if I need some clarification on the WD scanning, how do I contact them. OTOH, with a vendor like McAfee or QuickHeal or Kaspersky etc, I know I can call their customers support to resolve issues I have.
How does one decide on which AV to use Vibhu ? The most commonly asked question.
The tests done by 3rd parties like AV-Test are a pretty good indicator of what to use. Here's the comparison for Windows tests and what you are looking at is the protection rating, followed by protection, followed by usability. As you can see, there are a lot products with full ratings on all 3 parameters.
But ... Vibhu, this is so confusing still ! There are too many choices ! What do I do ?
I would suggest you on this parameter - have a look at your existing AV - are you happy with it ? Does it compare well in the listing above ? Keep it.
If you are looking for a new AV, then check which is the current market leader in your country. Its better to get something which has a good spread in your local markets as they have got there.
Now, that the basics are set. You now have narrowed down to the product and you visit the website and the store. Oh Gosh ! What a lot of different products there are ! Hey, I just wanted something for my PC - how the heck am I supposed to make sense of this confusion !
First things first - look at all the devices you have at home. Many products now provide protection for multiple devices - and if you have a lot ( your laptop, your wife's, your kids, phones etc), you want a solution which can install on all with just one subscription.
Secondly, you do not want the base AV. The days of just having an antivirus is over. You want something that protects the internet also. Most AV products have a "Internet Protection" or equivalent. Thats the base you are shooting for.
Ok. The product is out of the way.
But there is still more. Passwords.
Most of the hacks these days happen due to weak passwords. You have no idea how much. You also probably have no idea in which all breaches your passwords have been exposed. The point to start here to figure out where your passwords are. Trust me, unless you have a very new email , your details are out there on some corner of the Dark Web.
Start with going to https://haveibeenpwned.com/ . Check by entering your email. See where all the breaches were and when. Now you have to do 2 things:
- Check if you have changed your password after the hack. Most companies do send out intimations to you to change the password in case of any such breach.
- Check if you have used the same password anywhere else. If so, change it.
There are many password managers out there. You should really consider using one. Most of us have issues with remembering more than a few passwords. The tools generate random passwords and store them securely, so you don't need to remember them all.
2. Behavioral
Tech gets you so far. And yet it won't help if you are not careful about a few things. Here are a few things you really need to start doing:
Check those URLs !
You get a lot of emails. And in scanning them you suddenly see something that gives you pause. The Tax department has sent you a mail with a link. You click that. It opens a site which looks just like the tax website and you need to log in. Hang on there cowboy. Give it a a pause.
Most Scam mails work in the same way - they entice you by fear or greed. The first thing you need to do is check if the email is coming from a legitimate location. Usually the emails are shown with the name, not the email address. You need to check if the email is correct. A tax email from a @gmail domain name is for sure a fraudulent one. Next, you need to check the link you are supposed to click on. On the desktop its easy - just hover above the link and you can see where it goes to.
Lets do this by example. What do you see the below link as ?
Let search on www.google.com
It goes to google.com - right ? But now if you hover over it, you will see it is actually going to this blog. That's a very friendly example of how this works. Scammers are not so friendly.
Many AV products provide web or URL protection. Make sure that your product has that. Even better, be suspicious of such mails and do not click links. Instead, for example, in this case, go to the tax website directly, not by clicking the link, and then log in.
But maybe something happened and you did click the link. Now you are on the website. Check the location of the URL bar for a few things :
a. Does it have the lock symbol ? Most fraud sites do not. If it does, click it to see where it is registered to. E.g. the one form reddit is :
Scammers do not usually spend any effort for such security.
b. check if the URL is the correct one for your tax/bank/etc. e.g. the url could be www.redditcom.com . This is suspicious. Note the site is redditcom.com. That's the modus operandi used by scammers. Make something so similar to the real thing that you get fooled into thinking its the correct one. Some variations of this could be:
- reddit-com.com. Notice the change in the address by adding a simple - symbol. Nope, not going to enter the details there.
- It may be ending in something other than the .com you are used to. e.g. instead of reddit.com it may be pointing to reddit.xyz .
- It could also be something that may be prefixed to another website address - e.g. reddit.wordpress.com
Make a note of the websites you use. Check every time you get a mail that you are going to the correct website. Its good too err on the side of caution.
Passwords Again
Finally, I would come to the passwords used. Although I covered it in the tech section, its still a behavioral change. We are not used to thinking of so many passwords. Nowadays it seems like that whichever site we go to, we need to create a login. Unfortunately, that's how it is.
So, at the bare minimum, you need to have a different password for each website you go to. There are various ways that you can use to generate the passwords:
- Use a password manager tool to generate and store the password as outlined in the tech section.
- Make a password using phrases. XKCD has a good post on it. Check it out. https://xkcd.com/936/
- Use a random password generator like the one on : https://passwordsgenerator.net/ . However its going to be difficult to memorize it.
It's become a rather long post already, so I am going to leave it here for you to digest it.
--
Thanks for putting it all in a nutshell! Good stuff!
ReplyDelete