SBN

Getting Started: Basic Personal Cybersecurity for Everyone (3 Easy Tips)

This post was originally published on 10 MAY 2023; it has since been updated and revised.

Welcome to the world of cybersecurity!

This guide was written for complete cybersecurity and privacy novices in mind. It is designed to get anyone started on improving their personal cybersecurity, which is becoming increasingly important as more of society’s lives intertwine with a digital landscape.


Preface


digital padlock outline in blue on purple tech background

These are basic personal cybersecurity steps anyone can take regardless of any kind of established or developed “threat model.” For the uninitiated, threat modeling is a continuous process in cybersecurity wherein you identify assets, analyze threats, manage risk, and identify fixes.

In a simpler sense, you identify what is important or valuable to you (usually your data or personal information), how/who that can be compromised, define your risk appetite, and then go about addressing it. Threat modeling for cybersecurity is ultimately based on risk – primarily mitigating risk and defining what is acceptable risk for yourself as the user.

(Threat modelling extends to the topic of digital privacy as well, albeit it takes on a slightly different meaning in a privacy context.)

Much good and popular popular advice out there encourages users to threat model. However, my argument to this (overall good) advice is: first steps in good personal cybersecurity (and by extension, privacy) is not to threat model, but to do the bare minimum for security.

It makes little sense to threat model but continue to use weak and/or compromised passwords, use outdated software/firmware, or not to use strong(er) MFA methods when available. Threat modelling is important after the basics are in play. After the basics are completed, users should move into threat modeling and deploying/using tools that help them accomplish their goals.

Threat modelling in both the cybersecurity and privacy context helps users to direct their resources to better accomplish their desired goals and wants. However, a baseline – which this guide aims to serve as – should be established prior to threat modeling.

There are basic cybersecurity “101s” users should perform first to get the most out of threat modeling:

  • Developing good password management practices
  • Using multifactor authentication (at bare minimum for sensitive accounts)
  • Keeping devices and software updated

What about my privacy?


red fingerprint on a blue tech background

Users reading this guide may also be interested in improving and maintaining their online privacy – or otherwise, starting their own privacy journey.

If you are starting from “zero” in both security and privacy, you should be sure these cybersecurity basics are in play first before anything else. Security lends itself to privacy in both the real and online worlds; basic security is a must for maintaining privacy.

However, this security guide has a “sister” guide for privacy. It’s highly advised to finish this guide (no rush) before jumping into the privacy version of it.

Improve your privacy

Develop good password management practices

Good password management overall greatly improves your security posture as a user.

Passwords are by far the most common means for securing your accounts – if a malicious actor has your password, then they could log into your accounts, even though they are not you. This spells trouble for crucial accounts such as email accounts and bank accounts.

For example, if I successfully guess the password to your email account, then I can compromise other accounts connected to your email and/or send far more convincing phishing emails to your contacts. If I successfully guess the password to your bank account, I have access to your money and a wealth of information about you.

The assumption between the authenticating service and you (as the user) is that only you know the password. I’m not you, but I know your password(s), so to the online account service/website, I have authenticated as you. So, as far as the server handling the logging in/authenticating, I am you.

Of course, what accounts are compromised can have different consequences. Other ramifications for failing to implement basic password best practices for various online accounts includes, but is not limited to:

  • Compromised accounts or full account takeovers
  • Compromised personal identifiable information (PII) (ex: tax returns)
  • Compromise of sensitive information (ex: social security numbers)
  • Theft/selling of personal information
  • Doxxing (publicly posting private information without consent)

Stop reusing passwords

Stop reusing passwords.

Stop reusing passwords.

Stop reusing passwords.

Reusing passwords (even those considered “strong”) does zero security favors; by reusing passwords, users place an increased trust in the security of the website, web app, or web service’s servers and place a higher risk for unauthorized account access on themselves.

While this may not seem like a big deal to most users, it creates compounding issues when/if credentials (including passwords) are exposed/leaked, which is very common given the prevalence of data breaches and data leaks in the modern landscape.


password field with asterisks

With data breaches continuously on the rise, credentials – such as passwords – are increasingly falling into the hands of malicious actors. Reusing passwords ultimately malicious actors’ lives easier; they frequently take leaked credentials and try them in credential stuffing campaigns, where the malicious actors attempt to break into user accounts across different websites and web services using the leaked credentials.

Reusing passwords leaves you open to these
credential stuffing attacks
because credential stuffing campaigns rely on the assumption users reuse passwords across different accounts and services. Unfortunately, they are often correct in this assumption – many users reuse passwords,

What exactly does this mean? A breach where credentials are compromised at Company A can result in your accounts at Company B and C also getting breached if you reuse the same password from Company A. So, if a user actively uses a password that is compromised, the attackers bet users will reuse these passwords (or weak variations) across different accounts.

In this specific example, the attackers don’t specifically know your credentials at Company B and C but given the assumption behind credential stuffing (users reuse passwords), and the past successes with using this password attack method, they’re betting the “theory” holds true… because it works. But only because users reuse passwords.

Keep in mind the security of most web apps and web services struggle to detect these types of attacks – most of the time the credential stuffing attacks are distributed and use sophisticated methods of automation….

*** This is a Security Bloggers Network syndicated blog from Avoid The Hack! authored by Avoid The Hack!. Read the original post at: https://avoidthehack.com/getting-started-cybersecurity