Patch patch patch

Ten years ago everyone would joke about core operating system security, and though it is not perfect today, the blame has partly shifted. Most infections start with something (a human is of course behind it) exploiting browsers or add-ins: Opera, Firefox, Chrome etc., plus PDF, Flash, Silverlight, Java and more.

Set automatic updates, let the PC restart when it needs to, and pay even more attention to non-core operating system software (the browsers above) and add-ins (the add-ins above). To reduce the attack surface, install only what you need, review what is installed from time to time, and remove what is rarely used.

 

Log in as a user

Windows has two main account types: administrator and user. An administrator can install software, uninstall software, change settings, view logs and a lot more. A user can install and uninstall very little, if anything, and cannot edit or view certain settings or view security logs. Attackers love privileged accounts.

Set up your PC with two accounts, an administrator and a user account, and ideally do not name them JohnSmithAdmin or JaneDoeUser. This has two purposes. First, if someone steals or finds your laptop, it is harder to identify the owner (there are other ways of course). Second, an account with user rights cannot install software easily, and malware can only do so much damage with user rights.

 

Do not rely on inbuilt antimalware

Before Windows 7 the operating system had no antimalware software installed by default. Microsoft Essentials was added and now Windows Defender. Linux usually comes with nothing, and though it should have something, it is less needed due to the number of vulnerabilities and entry points - "this is a different kettle of fish".

Windows Defender is of course something, but it is basic and does not have sub-functions. Paid antimalware software, and some free ones, have various sub-components that Defender lacks, such as an automated firewall, intrusion prevention, anti-exploit and, importantly, some kind of local web filter which filters known spam, malware and phishing sites. Some even have real-time phishing detection. You get what you pay for!

 

Secure your Wi-Fi while at home, at work and on the road

The British MoD and private defence contractors barely have Wi-Fi at their sites, which really says a lot. Neighbours pinching free Wi-Fi (or someone “framing” you by using your home network) is not the only problem, or really an important one in the grand scheme of things. Wi-Fi at an office is really an extension of the RJ45 port, which is physically secure inside a building. Poor setups can allow a way in to the network, or allow existing traffic to be intercepted and then used to log in to online web apps.

Home Wi-Fi router/modems are more basic than networking kit at the office, so securing them means changing the SSID, changing the PSK to something 20+ characters, implementing a MAC filter (a slowdown, not at all bulletproof), changing the default username/password and ensuring only WPA2 is used. Securing work Wi-Fi is different and includes changing the SSID to something less obvious and implementing certificate or username/password auth, which is called WPA2-Enterprise. Nomadic devices should not be forgotten: a good VPN should be provided and the auto-connect function turned off for SSIDs.

 

Creating a strong password (or passphrase)

The ideal password is long, complex, and easy-to-remember – but hard to break. Below is a method of creating a non-dictionary password, or you can follow it to make a passphrase with a bit of tweaking.

First pick a group of words

  • I have a black labrador dog called charlie
  • my house is in south-east london
  • my favourite rock band is the beatles
  • my favourite musical instrument is the saxophone
  • I got married in paris in france

Take each first character and make a word

  • ihabldcc
  • mhiisel
  • mfrbitb
  • mfmiits
  • igmipif

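Add a random word at the end to further strengthen it. The last five entries below go one step further and either swap a character for a symbol or digit, or put a symbol in front of the added word.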

  • ihabldccapple
  • mhiiselemail
  • mfrbitbmicro
  • mfmiitsred
  • igmipifebay
  • ihabldcc@pple
  • mhii$elemail
  • mfrb1tbmicro
  • mfmiits-red
  • igmipif+ebay
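The method above as an added Python example (not part of the original article): it derives the acronym from each phrase, appends a separator and a word chosen with a cryptographically secure random generator, and reports an upper bound on the brute-force search space. The function names, the separator set and the sample word list (built from the words the article appends) are assumptions made for illustration.

```python
import math
import re
import secrets
import string

# Phrases from the article; the word list is a constructed sample.
PHRASES = [
    "I have a black labrador dog called charlie",
    "my house is in south-east london",
    "my favourite rock band is the beatles",
    "my favourite musical instrument is the saxophone",
    "I got married in paris in france",
]
SAMPLE_WORDS = ("apple", "email", "micro", "red", "ebay")


def acronym(phrase: str) -> str:
    """First letter of every word, lower-cased; a hyphenated word counts as two."""
    words = re.findall(r"[A-Za-z0-9]+", phrase)
    return "".join(w[0].lower() for w in words)


def build_password(phrase: str, words=SAMPLE_WORDS, separators="-+") -> str:
    """Acronym + separator + appended word, both picked with a CSPRNG."""
    return acronym(phrase) + secrets.choice(separators) + secrets.choice(words)


def search_space_bits(password: str) -> float:
    """Upper bound on brute-force cost: length * log2(size of the classes used).

    It assumes every character is random, so a guessable phrase or a
    common appended word is worth less than this figure suggests.
    """
    classes = [string.ascii_lowercase, string.ascii_uppercase,
               string.digits, string.punctuation]
    pool = sum(len(c) for c in classes if any(ch in c for ch in password))
    return len(password) * math.log2(pool) if pool else 0.0


if __name__ == "__main__":
    for phrase in PHRASES:
        base = acronym(phrase)
        pw = build_password(phrase)
        print(f"{base:<10} {search_space_bits(base):5.1f} bits   "
              f"{pw:<16} {search_space_bits(pw):5.1f} bits")
```

In real use the appended word should come from a large word list rather than five entries, since the attacker's work grows with the size of the list it was drawn from.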

 

QA have an extensive Cyber curriculum offering a number of courses to improve Cyber Awareness. QA have also partnered with The AntiSocial Engineer Limited to provide advanced social engineering and phishing courses.

Visit cyber.qa.com for more information on how they can help solve the Cyber Security skills gap.

About the author

Graeme joined QA in 2017 and has worked in security on and off for 13 years. His last role was as a Senior Technical Security consultant at Capgemini covering public and private sector. From the age of 17 he was running investigations into online scams and phishing. Today his experience is in OSINT and thinking like a hacker to review and tweak settings with a fine-tooth comb.
