As we have become more reliant on computers, smartphones and the internet in our daily lives, the risks associated with cyber criminals have increased exponentially.
Looking at the news, the state of cybersecurity is shocking. In the past week alone it has been revealed that Reddit has had 2 significant data breaches which it has not fully disclosed. Then Dixons Carphone said a massive data breach that took place last year involved 10 million customers, up from its original estimate of 1.2 million. Also, government workers in a borough of Alaska have turned to typewriters to do their jobs after ransomware infected their computer systems.
Last year we saw one of the largest cybersecurity issues on record with WannaCry, which affected more than 200,000 computers across 150 countries, with total damages ranging from hundreds of millions to billions of dollars. This was followed a month later by Petya/NotPetya, which targeted major companies within Ukraine.
Then there has been the ongoing issue of Russian spies looking for vulnerabilities in routers across the world, then putting malware on the devices that can be used to spy on your data or act as a bot for further attacks.
Routers have frequently been exploited over the past few years. Cisco researchers discovered that VPNFilter, a modular, multi-stage malware, works on consumer-grade routers made by Linksys, MikroTik, Netgear and TP-Link, and on network-attached storage devices from QNAP. It’s one of the few pieces of Internet-of-things malware that can survive a reboot. Infections in at least 54 countries have been slowly building since at least 2016, and Cisco researchers have been monitoring them for several months.
And our last example is the 1.5 million-strong botnet that was created from cheap internet-connected cameras and other unsecured online devices to carry out crippling distributed denial of service (DDoS) attacks on websites and computer systems. DDoS attacks carried out by botnets are frequently sold as a service on the dark web, making it a lucrative business for criminals with considerably fewer risks than traditional forms of crime.
As a result, the white hat cyber security industry is booming: many companies offer cyber security courses, several UK universities now offer cyber security as a degree, and GCHQ even has a Cyber Security Degree Level Apprenticeship.
While the state of cyber security is quite bleak, there are many things you can do to mitigate the risks associated with the issues we have raised above.
Change default passwords
Any device that you log into should have its password changed immediately after you buy it, and any device that ships unsecured should have a password set in the first place. This includes routers, security cameras, phones, switches, and any home automation device.
Keep software up to date
WannaCry was so prevalent and destructive within the business environment because there were hundreds of thousands of computers still running older versions of Windows that had not been patched with the latest security updates. This included the NHS, where 60% of their computers were still using Windows XP. While this is an extreme example, it shows the importance of keeping your software up to date. Cybercriminals will look for exploits in popular software and hardware as this will give them the most extensive reach for their hack.
Use a secure router, keep it up to date and disable WPS
This is a similar issue to the software on your PC. In the past, manufacturers released router updates few and far between, with ISP-supplied routers rarely getting updates and the users that own them rarely bothering to update them. Nearly all the major manufacturers of routers have had their devices hacked, including Netgear, Asus and TP-Link.
They have improved things; for example, a lot of Netgear routers will now auto-update their software, which should reduce the risks.
A more secure approach would be to choose a router that specialises in security. For advanced users, rolling your own secure router using OPNsense is a great option.
If you are a consumer who just wants to buy a device and then forget about it, our choice would be the F-Secure Sense. It is built around OpenWRT and receives regular security updates; it will also monitor all your IoT traffic and detect if any of your devices are sending or receiving suspicious data.
Alternatively, many routers from Netgear, Asus, etc. can be updated to OpenWRT by their owners, and this is often a more secure solution than the default software.
Invest in a security suite
In general, Windows Defender does an excellent job, but investing in a premium alternative will often help keep things more secure, and security suites often include multiple applications to secure your data in various ways.
For example, F-Secure Total has anti-virus, a firewall, a VPN to encrypt and anonymize your internet traffic, as well as extensive family controls. The software comes with licences for your PC and mobile devices so you can secure the entire family.
Don’t download illegal/pirated files, in particular, software
It should be quite obvious, but if you download things illegally, then there is a higher chance you will infect your computer with something. Media files are generally safe themselves, but HTML documents are frequently included in the package, and if you click on one you will be taken to sites that can potentially try to infect you. Pirated software is just asking for trouble: you literally have to install or run something from an unknown source on your PC, giving a hacker a perfect opportunity to install malware.
Use a password manager
Last but certainly not least is a good password manager. We are big fans of LastPass, which will generate random passwords and store them online using bank-level encryption. We also use unique usernames for every site. While storing your passwords online can have its own issues, in general it is safer than re-using the same small number of easy-to-remember passwords.
2 Factor Authentication
Every website that stores sensitive data should use this; while many don’t, a lot of big sites do. This relatively simple process asks for authentication via your mobile when you first sign into a service on a device. This can be done via a text message or a randomly generated code using an app such as Google Authenticator. Therefore, if a site does get hacked, the hacker would have to access your mobile before they can access the account. Using a similar method, Google has eliminated phishing attempts on its 85,000 employees after implementing 2FA via a USB key.