2018-05-20

Online threats, risks, and mitigations

Have you wondered exactly how security risks arise on the Internet and what you can do about them? Here is a short summary of the more common threats, the risks that they cause, and mitigations (security measures) for those risks.

This is the "why" and the "what".  For the "how", see my blog generally and my previous blog post in particular.

Notes for the table below:
  • Most of the risks listed below can lead to theft of data, data exposure, data breach, account takeover, identity theft, reputation loss, financial loss, your spouse and/or dog running away, etc. 
  • User security awareness training: Some key tenets are "pay attention!", "look beyond initial appearances", "don't trust without a good reason", etc.
  • Strong, unique passwords: This means that each password is random and at least roughly 20 characters long, and is never used for more than one site. The only viable way to do this is to use a password manager. Use a stand-alone password manager, not one built into your browser. 
  • Two-factor authentication (2FA) / Multi-factor authentication (MFA): For account authentication, this is a second line of defense in case the first line of defense -- your password -- is compromised.  These are the common second-factor options, from most secure to least secure: 
    1. Cryptographically strong, e.g., U2F
    2. Push notification
    3. TOTP (e.g., Google Authenticator, Authy), HOTP
    4. Email
    5. SMS, phone call
  • Be aware that it's possible to phish a TOTP code, although this is a lot harder for an attacker to pull off than phishing a password. 
  • End-to-end encryption (E2EE): A service with E2EE is designed so that your data is encrypted on your device before it leaves the device for the cloud, and the encryption key used is never sent to the cloud. In this way, if your (encrypted) files in the cloud are stolen, they will be unreadable by the attacker.  (Also know as "zero knowledge" services.)

Threat
Risk
Mitigation
Malware, including ransomwareDevice compromise
Destruction of data
Theft/exposure of data (data breach)
Financial loss

 
N.B. Ransomware increasingly exfiltrates data (i.e., copies it to the attacker's server) before encrypting it in place, then the victim is threatened with exposure of the data
  • User security awareness training
  • Email malware and spam filter
  • Device hardening, including antimalware software
  • For recovery: Data backup
  • N.B. There is no technical recovery from a data breach
Phishing to website with similar name to real one; attack vector is often email Account takeover
Credential stuffing
Theft/exposure of data (data breach)
  • User security awareness training
  • Email malware and spam filter
  • Password manager: always fill your credential on a webpage using your password manager (instead of typing them in); it will refuse to fill your credentials into invalid domains
  • Strong, unique passwords
  • MFA
  • Against IDN homograph attack:
    • Firefox browser: about:config: set network.IDN_show_punycode to True
    • Chrome, Brave: already protected by default
Password guessing on weak passwords Account takeover
Credential stuffing
Theft/exposure of data (data breach)
  • User security awareness training
  • Strong, unique passwords
  • MFA
Business email compromise (BEC)Financial loss
Theft/exposure of data (data breach)
  • User security awareness training
  • Strong, unique passwords on email accounts
  • MFA on email accounts
  • Manual verification process on financial transactions, especially out-of-band verification
Theft of credentials from Internet service provider (SP), e.g., via break-in to SP's networkCase 1: SP stores the credentials properly (hashed and salted, etc.). Attacker cracks only some of the passwords used by SP's customers, viz., the weak ones.
Account takeover
Credential stuffing
Theft/exposure of data (data breach)
  • User security awareness training
  • Strong passwords
  • MFA -- although attacker might steal MFA data too (e.g., TOTP seed)
Case 2: SP doesn't store the credentials properly. Attacker access all passwords used by SP's customers.
Account takeover
Credential stuffing
Theft/exposure of data (data breach)
  • User security awareness training
  • Unique passwords
  • MFA -- although attacker might steal MFA data too (e.g., TOTP seed)
Theft of personal data directly from Internet SP providing cloud storage, backup, etc., e.g., via break-in to SP's networkTheft of all data in the cloud service
  • User security awareness training
  • Use cloud services with excellent security
  • Even better: Use E2EE services where possible and feasible
  • Proper initial vetting and ongoing monitoring of all cloud providers (third-party risk)
Various threats above (phishing, password guessing, Theft of credentials from Internet SP, etc.) Takeover of your email account -- then takeover of all accounts that use that email account as the owner/recovery email address
  • User security awareness training
  • Use an email provider with excellent security
  • Use a different (second) email address as the ownership/recovery email address for all your important accounts, instead of using your regular email address
  • Strong, unique passwords
  • MFA
Various threats from browsersMalware in ads, various risks from open networks (e.g., open Wi-Fi), etc.
  • User security awareness training
  • Don't click on ads
  • Use security type browser extensions such as HTTPS Everywhere, uBlock Origin, and Privacy Badger.
  • Consider using a VPN on open Wi-Fi networks
Theft of your device: computer tablet, phone, etc. (A physical threat, not an online threat)Theft of all data on device
  • User security awareness training
  • Full device encryption (full disk encryption)
  • Strong password or PIN 
  • Enable device auto-erase after 10 incorrect guesses

Updated 2021-02-28

2018-05-12

Core security advice for general users [aka security hygiene]

I finally wrote this up for some family and friends.  I've often tried to convey this information verbally to people when they ask (or when I'm trying to educate), but it's clearly way too much to absorb that way.  Now I can just point them to this blog post.

Here is the list of the core things to do to make your (digital) life more secure and resilient.

Use a secure web-based email service for your primary email account. You want a secure email provider to use for the email address that owns (and is used for password recovery) for all your other accounts.  Gmail is an excellent choice, assuming you don't philosophically want to avoid Google.
https://www.google.com/gmail/
You may want to use a different (second) email address as the ownership/recovery email address for all your important accounts, instead of using your regular email address.  Doing so makes it harder for an attacker to find out your ownership/recovery email address, which means it's harder for them to take over that email address and then use it take over your all your accounts using that address.

The passwords for all your accounts -- except for a select few like LastPass -- should be long (e.g. 25+ character), random, and unique, and stored in a good password manager like LastPass.  This includes your passwords for Authy, Gmail, Sync.com, etc.  Use LastPass's Generate Secure Password feature to generate those long, random, and unique passwords, and store them in LastPass.
https://www.lastpass.com/
(Another good password manager choice is 1Password. LastPass is the most widely used, so it gets the most attention from security researchers. In any event, use a stand-alone password manager, not one built into your browser, and one that is cloud-based.)
Start with your important accounts and, over time, change all the passwords on accounts to long, random, and unique.  "Unique" means that you never use the same password on more than one account: every account gets its own, unique password.  This will protect your from a big class of attacks.

Install LastPass on all your devices so that you can log into your accounts and access other personal information no matter where you are.  This is very handy for when you're not at home or traveling, or for when one of your devices has a problem.

Many services, when you create an account, want you to provide security answers such as your date of birth, your first pet, favorite teacher in grade one, etc.  These are used for account recovery in case you forget your password.  Do not answer those security questions truthfully; instead, treat them like passwords, so create a random string (of letters and digits, say 20 digits) and store that in LastPass.

Set up Multi-Factor Authentication (MFA) -- aka Two-factor Authentication (2FA) -- for all your important accounts that support it, especially LastPass, Gmail, and Sync.com.  It's very important to have MFA on Gmail because if an attacker gets control of it, they can take over most of your accounts. And MFA on LastPass is a very good idea too.  (But if you do that, you need to choose an Authy Backups & Sync password you can and will remember, for recovery purposes.)

Use Authy for MFA; it's more convenient that Google Authenticator.  Install the Authy client on your phone, tablet, and computer, and set up Backups & Sync password so that all your accounts sync across all your devices.  That way you can do the Authy second-factor authentication on any of your devices, which is useful if you forgot or lose one.  Store the Authy Backups & Sync password in LastPass.
https://authy.com/
When you're configuring an account for MFA, it will offer you "Google Authenticator", if it supports that.  Choose that option, as Authy is completely compatible with Google Authenticator.  Do not install Google Authenticator; instead use Authy wherever you see Google Authenticator mentioned.

Some accounts let you choose to use SMS (aka text messages) for MFA.  SMS for MFA is not so good a choice, because it's possible for attackers to redirect SMS messages to themselves.  If an account gives you a choice, always choose Authy (Google Authenticator) first.  If there is no choice, SMS is better than not having MFA.

You'll want to encrypt your computer's main drive using what's called full drive encryption (or full disk encryption).  That way, if your computer is lost or stolen, no one will be able to pop out the drive and read everything on it.  (Your computer password provides no protection against that, but does protect against other threats, so it should be a quality password.)  With the main drive encrypted you can safely store whatever you want on your drive; more below.

On a Windows machine, the full drive encryption is called BitLocker.  Getting the full BitLocker protection requires that your computer have a Trusted Processor Module (TPM) chip.  Your computer either does or does not have it; if it doesn't, you can't add it.  (The next time you buy a new computer, makes sure it has a TPM.)
https://docs.microsoft.com/en-us/windows/security/information-protection/bitlocker/bitlocker-overview
In order to get BitLocker itself you'll need Windows 10 Pro instead of Windows 10 Home.  You can buy the upgrade from Microsoft online for about $100 and then download the key.
https://support.microsoft.com/en-ca/help/12384/windows-10-upgrading-home-to-pro
As you're configuring BitLocker you'll discover that there are two main modes you can choose from: TPM-and-PIN and TPM-only.  (BitLocker also allows an alphanumeric password instead of a numeric PIN.)  TPM-and-PIN is definitely more secure but TPM-only might be secure enough for you -- you'll have to do some reading to decide -- and it's simpler to use.  (If you choose TPM-and-PIN you'll need to type in your PIN, before the Windows password, every time you power on the computer after shutdown or hibernation. You'll get used to this quickly.)  If you choose TPM-and-PIN, disable sleep mode and use hibernation instead.  (By the way, you have the option of using a real password, instead of a numeric PIN, to unlock BitLocker.)
https://www.howtogeek.com/192894/how-to-set-up-bitlocker-encryption-on-windows/
When you set up BitLocker, in either mode, it will generate a recovery key (a string of digits) for you.  You'll likely need to type in this key a couple of times a year, when something goes wrong with BitLocker.  You must store that recovery key somewhere you can get to no matter where you are, so put it in LastPass.

On Macs, macOS come with FileVault 2, which is full drive encryption similar to BitLocker.  Definitely turn it on.
https://support.apple.com/en-ca/HT204837
On a Windows machine, to make it more secure, you should make these changes in the BIOS settings:

  • set a BIOS access password (to keep an attacker who gets your machine from changing your settings)
  • enable UEFI mode
  • enable Secure Boot mode

BIOS is a layer of software below the operating system and is often forgotten about.  UEFI and Secure Boot are newer things that your computer either does or does not have; if it doesn't have them, you can't add them.

Encrypt your phone and tablet using the device encryption built into iOS and Android.  This will require setting a PIN or password for the device, which you'd obviously want to do anyway.  Don't use a PIN shorter than six digits, and longer is better.  Do set up automatic wipe on ten incorrect passwords.  You won't lose any data if that wipe happens because you shouldn't be storing any data only on the device: your data master copy should be in a cloud service or on your computer.
If you have a healthy mistrust of computing, you'll see that LastPass is a single point of failure: if you can't access it for any reason, you can't get into any of your accounts.  So remove that SPOF by creating some text document on your computer where you store all your account credentials and other personal information. This file lives on your computer as a backup to LastPass, and store that file in LastPass as well, as an attachment in a Secure Note.

But if you don't encrypt your computer's main drive, then you must not store anything sensitive directly on it, including that file with all your personal information. Without full drive encryption you'll only be able to store sensitive things in LastPass, or in an encrypted virtual drive like VeraCrypt, or on your (encrypted) phone or tablet.  Don't think twice, just encrypt your computer's drive.

You need to have a backup for all the files on your computer.  In fact, you need two backups:

  • one locally, e.g., on a USB external hard drive: encrypt it with BitLocker (called BitLocker To Go when applied to external drives), or macOS Disk Utility, so that it too is secure from loss or theft. (You can store a full main drive backup here too.)
  • one in the cloud: use a zero knowledge service like CrashPlan for Small Business or Sync.com.

"Zero knowledge" (a colloquial, as opposed to technically accurate, term) is a key concept for cloud services.  With a zero knowledge service, your data is encrypted on your device before it leaves the device for the cloud, and the encryption key used is never sent to the cloud.  As a result, if your (encrypted) files in the cloud are stolen, they will be unreadable by the attacker.  This is a good thing.
https://www.cloudwards.net/what-exactly-is-zero-knowledge-in-the-cloud-and-how-does-it-work/
Sync.com (free for 5 GB) is a service to store data in the cloud and sync between your devices, but it can be used for lightweight backup too.  CrashPlan for Small Business is a real backup service, but at USD $120 per year.  (CrashPlan used to have a Home version, but it was shut down in 2018.)
https://www.sync.com/ 
https://www.crashplan.com/en-us/business/ 
Whichever you choose, you should back up all your files both locally (on the encrypted external hard drive) and in the cloud.  If you use CrashPlan for Small Business for backup, you'll likely still want to use Sync.com to sync key files across your devices, and to share sensitive files with other people.

Web-based advertising is a privacy concern as well as a source of malware, so it makes sense to block as much of it as you can, until the web advertising industry cleans up its act.  The easiest way to do this is to install security- and privacy-type browser extensions such as HTTPS Everywhere, Privacy Badger, and uBlock Origin.
https://www.eff.org/https-everywhere
https://www.eff.org/privacybadger
https://github.com/gorhill/uBlock
If you do all the above, and don't fall for phishing links, you'll be more secure than 99.9% of people.

---

Resources if you want to learn more:

---

Updated 2020-08-29 to remove mention of Dashlane, since I've never used it and don't know anyone who has.