Avoid catching a winter virus

It’s almost three weeks since Christmas, which means winter is well and truly here in the Northern Hemisphere. If you’re anything like me, it’s about now the first IT support queries about relatives’ new computers start to appear.

IT, security and data protection practitioners live in a fairly rarified bubble. We know what to (not) do and why, and can get frustrated with those who don’t understand. When we introduce defence-in-depth, convincing them becomes even harder.

Here’s some simple pointers to help avoid catching a winter bug:

Teach them about the consequences of their actions

Explain why (not) to do things, in language they’ll understand and why it’s important. Use this format to drive the message home: DO (NOT) do this thing, BECAUSE this outcome will happen, LEADING TO some consequence.

  • DON’T divulge passwords, PINs or secret questions BECAUSE someone can use them to access services and impersonate you LEADING TO fraud and identify theft.
  • DO learn the tell-tale signs of phishing emails BECAUSE it prevents falling for their tricks LEADING TO a lower probability of fraud happening.

Remember to explain the ‘why’ otherwise it’s just an arbitrary rule.

Passwords

Even with so many ways of authenticating now, passwords refuse to go away completely. Multi-factor authentication, biometrics, passkeys, and more all exist but the fallback option is nearly always the password.

  • Use different passwords for different sites, and don’t share them with others.
  • It’s better to choose strong passwords than change them regularly…
  • …unless you know or suspect a password might be compromised.
  • Use multi-factor authentication (even bad MFA is probably better than none at all)
  • Password managers are, on balance, better than password reuse or weak passwords…
  • …and arguably that even includes a “password book” by the PC, but I don’t recommend it!

Online behaviours

There’s a lot of resources online, that span countries, jurisdictions and legal boundaries. This brings malicious and inappropriate content and people closer than we want. We wouldn’t walk through the dodgy area of town after dark, stay away from questionable online resources.

  • Don’t visit sites or do things that will place you or your device at risk.
  • Security issues and incidents in the news might prompt you to find out more information, take action or change how you use affected services.
  • Assume your online (and increasingly, offline!) actions are logged.
  • There isn’t a reliable safety net for assistance. 999 (or 911/112) doesn’t exist.

Anti-virus and anti-malware

Years ago, people said Apple devices didn’t need anti-virus because they’re secure. The reality was much different, but the market size and economies of scale meant they weren’t as rich a target as Windows systems. Today, most devices come with a baseline of security software built in.

  • Install or enable anti-virus and anti-malware protection. Windows Defender and Apple XProtect are built in, so this doesn’t need to add additional cost.
  • Make sure you keep it updated!
  • Using filtered DNS such as OpenDNS FamilyShield or Cloudflare helps prevent malware and inappropriate content, particularly for children.
  • Consider browser extensions to prevent tracking, avoid ads, and prevent malware from downloading.

Least privilege

As Raymond Chen of Microsoft said over 20 years ago, “it rather involved being on the other side of this airtight hatchway”.

  • Don’t give out admin rights. It’s a mild inconvenience to log in as admin when absolutely necessary, but it avoids giving malware a wide-open door the other 99.9% of the time.

Patching

New vulnerabilities are discovered constantly, and if you don’t patch your device and apps, you run the risk of malicious programs gaining a foothold on your device, network and other devices.

  • Make sure your device updates or patches regularly. Know how to check and manually trigger updates if necessary.
  • Keep apps updated, especially those used online or to open downloaded files such as web browsers, Acrobat Reader and office apps. Check occasionally to make sure automatic updates are still working.

Firewalls

“If your name’s not down, you’re not coming in.” A firewall is necessary not only to thwart malicious activity from the rest of the Internet, but also in your own home should any device become compromised.

  • Turn on devices’ in-built firewalls where they have one, to protect against network-based attacks both at home and when using hotspots. Speaking of WiFi…

WiFi and internet routers

As WiFi signals can travel some distance beyond the home, neighbours and others could use your connection if you don’t properly secure it. Your ISP provides equipment that’s cheap, reliable and easy to use, but not always the best secured.

  • Don’t let your home WiFi name (SSID) expose which property it belongs to!
  • Use the highest level of security your router supports - WPA2 and a strong passphrase is a good baseline.
  • Try to avoid push-button or PIN-based WPS pairing as good practice. It doesn’t pose a high security risk in most residential settings, but it isn’t as secure as typing in a good passphrase.
  • Change weak default passwords. Many routers allow remote admin, and default admin passwords make compromise easy. Pick a strong and long passphrase, and disable remote admin features if you can.
  • Test the public attack surface of your router using something like Pentest-Tools or ShieldsUp! and investigate any issues they reveal.

Next Christmas (or your celebration of choice), give good security practice to someone. It’s much better than socks or a tie.

essential