Patch patch patch
Ten years ago everyone would joke about core operating system security and though it is not perfect today the blame game has changed partly. Most infections start off by something (a human is of course behind it) exploiting add-ins or browsers; Opera, Firefox, Chrome etc. + PDF, Flash, Silverlight, Java more.
Set automatic updates, let the PC restart when it starts and pay even more attention to non-core operating system software (browsers above) and add-ins (add-ins above). To reduce the attack surface only install what you need, and review items installed from time to time, and remove what is rarely used.
Login as a user
Windows has two main account types, an administrator and a user. An administrator can install software, uninstall software, change settings, views logs and a lot more. A user can uninstall and install very little, if anything and cannot edit or view certain settings nor view security logs. Attackers love privileged accounts.
Create or update your PC to make two accounts: an administrator and a user account, and ideally do not name them JohnSmithAdmin or JaneDoeUser. This has two purposes, if someone steals or finds your laptop it makes it hard to identify the owner (there are other ways of course) and secondly users with user rights cannot install software easily and malware can only do so much damage with user rights.
Do not rely on inbuilt anti-malware
Pre-Windows 7 the operating system had no antimalware software installed by default. Microsoft Essentials was added and now Windows Defender. Linux usually comes with nothing and though it should have something, it is less needed due to the number of vulnerability and entry points - "this is a different kettle of fish".
Windows Defender is of course something, but it is basic and do not have sub-functions. Paid antimalware software over Defender or some free ones has various sub-components, like an automated firewall, intrusion prevention, anti-exploit and importantly some kind of local web filter which filters known spam, malware, phishing sites. Some even have real-time phishing detection. You get what you pay for!
Secure your Wi-Fi while at home, at work and on the road
The British MoD and private defence contractors barely have Wi-Fi at their sites which really says a lot. Neighbours pinching free Wi-Fi (or something “framing” you by using your home network) is not the only problem or really an important one on the grand scheme of things. Wi-Fi at an office is really an extension of the RF45 port which is physically secure inside a building. Poor setups can allow a way in to the network or existing traffic being intercepted and then used to login to online web apps.
Home Wi-Fi router/modems are more basic than networking kit at the office so changing the SSID, changing the PSK to something 20+ characters, implement MAC filter (a slowdown not at all bulletproof), change the default username/password and ensuring only WPA-2 is used. Securing work Wi-Fi is different and includes changing the SSID to something less obvious, implementing certificate or username/password auth which is called WPA2-Enterprise. Nomadic devices should not be forgotten, and a good VPN should be given and the auto connect function off for SSIDs.
Creating a strong password (or passphrase)
The ideal password is long, complex, and easy-to-remember – but hard to break. Below is a method of creating a non-dictionary password or you can follow it to make a passphrase with a bit of tweaking.
First pick a group of words:
- I have a black labrador dog called Charlie
- my house is in South-East London
- my favourite rock band is the Beatles
- my favourite musical instrument is the saxophone
- I got married in Paris in France
Take each first character and make a word
- ihabldcc
- mhiisel
- mfrbitb
- mfmiits
- igmipif
Add a random word at the end to further strengthen
- ihabldccapple
- mhiiselemail
- mfrbitbmicro
- mfmiitsred
- igmipifebay
- ihabldcc@pple
- mhii$elemail
- mfrb1tbmicro
- mfmiits-red
- igmipif+ebay
Visit our Cyber Security training page for more information on QA's extensive Cyber curriculum and to see how we can help solve the Cyber Security skills gap.