Kanawha I T Security


Basic Security

I have been involved in security since 1987 when I had to have a secret clearance to do my job in the National Guard. I have been chief of operations at Kanawha I T Security for nine years. I have put together a list of recommendations to help you enhance your security and am sharing it with you.

1. Make your regular computer account a standard user. Up to 94% of all Windows malicious software (malware) is stopped by this one action, combined with proper use of User Account Control (UAC). This is assuming you are using Windows, as most Linux distros create a standard user during installation.

2. Use passwords that are at least 15 characters long, make each one unique to its account, and change them every 30 days*. If you insist on taking longer to change them, make them at least 30 characters long. You may choose to reuse them for some of the forums or sites that do not involve finance or personal information, but be aware that when an attacker gets access to any account, they may use it to pivot to other, more sensitive accounts, especially if you reuse passwords.

3. Create an email account that you use only to reset passwords. Put a ridiculously long password on it and enable two-factor authentication.

4. Enable two-factor authentication (2FA) on all sensitive accounts. This means that when you log in to a site, you will get a text message, or some other piece of information proving that you are who you say you are.

5. Use an adblocker. This is debatable, as on the one hand, it takes away ad revenue from website owners, but on the other hand, there are lots of ads out there serving malware. You can allow ads for certain websites you frequent while blocking those you don't know.

6. Write down your passwords. This also concerns passwords, but it is important enough to repeat, as passwords are the first line of defense. Writing them down allows them to be longer and changed more often. You can use a password manager you trust or a small notebook like I do. Some will argue against the paper, but give an attacker physical access and it is game over, period.

7. An often overlooked area is security questions. Never answer them correctly unless you want someone to have access. My technique is to use nonsense. For your high school you could put "cobweb" or for your favorite pet you could answer "city sewer system". Get creative, write the answers down, and they will never be guessed.

8. Always keep your computer up to date. This also means not using unsupported operating systems like Windows XP, as they are no longer updated. This one is not for you, but for me, as an out-of-date computer allows criminals to use it for illegal activities, such as attacking other systems or spreading malware to other systems.

9. Don't click things just because they say you need to. This should be obvious, but if you get a popup saying your Flash is out of date and to click here to update it, you are asking for trouble.

10. Maybe the most important thing of all is to always back up anything you don't want to lose. I put one folder on my desktop and put everything inside folders in that one. This way, all you have to do is grab that one folder about once a week, or daily if you save lots of things, and put it on an external hard drive. A very important thing to note here is not to leave that hard drive hooked up to a computer, as ransomware can encrypt this drive as well, ensuring that you can never recover anything. If you have a copy of all your important data, criminals cannot erase everything you have or force you to pay to get your data back.
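For Tip 1, here is a quick way to confirm that your everyday account really is a standard user and that UAC is still turned on. This is an added example, not part of the original list; it reads the local Administrators group (well-known SID S-1-5-32-544) and the EnableLUA policy value, and assumes a Windows 10 or 11 machine with the built-in LocalAccounts module.

```powershell
# Added example (not from the original post): checks the two halves of Tip 1,
# "am I a standard user?" and "is UAC on?". Run it from a normal, non-elevated
# PowerShell window on Windows 10/11.

$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)

# True only when this process already holds an elevated administrator token.
$elevated = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)

# Direct membership in the local Administrators group (well-known SID S-1-5-32-544).
# An admin account filtered by UAC is still a member even though $elevated is false.
# Note: membership inherited through a domain group is not detected here.
$adminMembers  = Get-LocalGroupMember -SID 'S-1-5-32-544' -ErrorAction SilentlyContinue
$isAdminMember = [bool]($adminMembers | Where-Object { $_.SID.Value -eq $identity.User.Value })

# UAC policy lives under this key. EnableLUA = 1 means UAC is on; 0 means it is disabled.
$uacKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$uac    = Get-ItemProperty -Path $uacKey
$uacOn  = ($uac.EnableLUA -eq 1)

Write-Host "Account           : $($identity.Name)"
Write-Host "Elevated right now: $elevated"
Write-Host "In Administrators : $isAdminMember"
Write-Host "UAC enabled       : $uacOn"

if (-not $isAdminMember -and $uacOn) {
    Write-Host 'OK: standard user with UAC on, as Tip 1 recommends.'
} elseif ($isAdminMember) {
    Write-Host 'Your daily account is an administrator. Create a separate admin account, then demote this one to a standard user.'
} else {
    Write-Host 'UAC is disabled. Turn it back on under Control Panel > User Accounts > Change User Account Control settings.'
}
```

If the script reports that UAC is off or the account is an administrator, the daily-use account is not getting the protection Tip 1 describes, regardless of how careful you are with what you click.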

This is not an all-inclusive list, nor is it a guarantee that you will not be involved in a breach or attacked by criminals. This is merely a list of basic security procedures you can use with little inconvenience to help keep you out of trouble. If your system is harder to break into than most, criminals will move on to easier targets.

And one additional note: please quit calling criminals hackers. I am a hacker and I am one of the good guys. We work very hard to try to keep the rest of you safe. The guys out there who attack networks and steal information or ransom your data for payment are criminals, nothing more.

* Since I wrote this, NIST has changed their password recommendations. You can find them here. Basically, they say that changing them frequently makes users choose poor passwords. Since most people recommend using a password manager, I am leaving the tip as is for now. If you would like to have an in depth discussion about passwords and how I personally manage mine, feel free to reach out.