Healthy habits for good cybersecurity

Victoria Drake
Director of Engineering. I lead development of cybersecurity products and technology teams. Core maintainer, OWASP Web Security Testing Guide. https://victoria.dev
Originally published at victoria.dev on ・4 min read

In a similar fashion to everyone getting the flu now and again, the risk of catching a cyberattack is a common one. Whether it is a sophisticated social engineering attack or a grammatically lacking email phishing scam, either can cause real damage. No one who communicates over the Internet is immune.

Like proper hand washing and getting a flu shot, good habits can lower your risk of inadvertently allowing cybergerms to spread. Since the new year is an inspiring time for beginning new habits, I offer a few suggestions for ways to help protect yourself and those around you.

1. Get a follow-up

Recognizing a delivery method for a cyberattack is getting more difficult. Messages with malicious links do not always come from strangers. They may appear to be routine communications, or seem to originate from someone you know or work with. Attacks use subtle but deeply ingrained cognitive biases to override your common sense. Your natural response ensures you click.

Thankfully, there’s a simple low-tech habit you can use to deter these attacks: before you act, follow up.

You may get an email from a friend that needs help, or from your boss who’s about to get on a plane. It could be as enticing and mysterious as a direct message from an acquaintance who sends a link asking, “Lol. Is this you?” It takes presence of mind to override the panic these attacks prey on, but the deterrent itself is quick and straightforward. Send a text message, pick up the phone and call, or walk down the hall, and ask, “Did you send me this?”

If the message is genuine, there’s no harm in a few extra minutes to double check. If it’s not, you’ll immediately alert the originating party that they may be compromised, and you may have deterred a cyberattack!

2. Use, and encourage others to use, end-to-end encrypted messaging

When individuals in a neighborhood get the flu shot, others in that neighborhood are safer for it. Encryption is similarly beneficial. Encourage your friends, coworkers, and Aunt Matilda to switch to an app like Signal. By doing so, you’ll reduce everyone’s exposure to more exploitable messaging systems.

This doesn’t mean that you must stop using other methods of communication entirely. Instead, think of it as a hierarchy. Use Signal for important messages that should be trusted, like requests for money or making travel arrangements. Use all other methods of messaging, like SMS or social sites, only for “unimportant” communications. Now, if requests or links that seem important come to you through your unimportant methods, you’ll be all the more likely to second-guess them.

3. Don’t put that dirty USB plug into your ***

You wouldn’t brush your teeth with a toothbrush you found on the sidewalk. Why would you plug in a USB device if you don’t know where it’s been?! While we might recognize putting a random found USB drive into your computer as a clever exploitation of natural human curiosity, we’re far less likely to suspect a public phone-charging station or a USB cable we bought ourselves. Even seemingly innocuous USB peripherals or rechargeable devices can be a risk.

Unlike email and some file-sharing services that scan and filter files before they reach your computer, plugging in via USB is about as direct and unprotected as a connection gets. Once this connection is made, the user doesn’t need to do anything else for a whole host of bad things to happen. Through USB connections, problems like malware and ransomware can easily infect your computer or phone.

There’s no need to swear off the convenience of USB connectivity, or to avoid these devices altogether. Instead of engaging in questionable USB behavior, don’t cheap out on USB devices and cables. If it’s going to get plugged into your computer, ensure you’re being extra cautious. Buy it from the manufacturer (like the Apple Store) or from a reputable company or reseller with supply chain control. When juicing up USB-rechargeables, don’t plug them into your computer. Use a wall charger with a USB port instead.

Practice healthy cybersecurity habits

Keeping your devices healthy and happy is a matter of practicing good habits. Like battling the flu, good habits can help you protect yourself and those around you. Incorporate some conscientious cybersecurity practices in your new year resolutions - or start them right away.

Have a safe and happy holiday!

Discussion (12)

Hozefa

A few other things I recommend:

  1. Not using the same password for all accounts. Use something like LastPass or 1Password, or even the browser's native password utility.
  2. If using Google, Facebook or Twitter to log in to different websites, view the permissions that you give and from time to time take stock of the list. Revoke the permissions for websites/apps no longer needed.
That Blair Guy

Yes on the password managers! Particularly their ability to generate and store random strings as passwords.

I'll admit to not checking recently, but the password tools built into the browser only store passwords, they don't help you create good ones.

(I'd love to be corrected on that one, particularly with a mainstream browser, as convincing people to install a third party password manager is an uphill battle.)

Hozefa

I know Safari on Mac can create passwords. Not sure if other browsers have implemented that functionality, but I presume they will soon.

The advantage of using a password manager is that it will help on your phone as well. If you are using an iPhone, then iOS 13 allows that natively. But for Android, this will be useful.


That Blair Guy

Nice! Firefox and Chrome include functionality to sync bookmarks, saved passwords, etc between multiple computers. If they add generation of secure passwords, that would be a huge step toward eliminating the "P@ssword123" problem.

Christian Bewernitz

I think this article is worth translating into as many languages as known on this platform, so we can share them with non English speaking friends and family.

I will try to do that for German and reply to this comment to cross-link.

Victoria Drake Author

Amazing! Thank you so much for helping to spread the word.

Christian Bewernitz

Is there a markdown source of the post somewhere other than github.com/victoriadrake/victoriad... ?

codedgar

I loved this article! It's really sad how many people lose money thanks to scams and dumb security breaches on their computers.

I also think that spreading the word can help a lot of others to stop falling into these traps. For example, my mother and grandma don't open weird links, weird emails or anything that seems sketchy, and they also keep their social media accounts private :)

Victoria Drake Author

Sounds like you’re doing a great job already! :) Keep it up!

Travis Dean

OK, this is great advice if you're picking up that "flash drive" you found in the parking lot that's actually a HID-input device that's gonna drop a reverse shell in .2 seconds flat.

But basic USB drives? Given sane defaults like... Don't autoexecute whatever the drive asks to do, what should be one's security stance? Granted, there will always exist vulns that may result in compromise anyway, like that old .lnk bug in Windows (and I'm sure there are similar vectors across platforms).

Thomas Junkツ

Thank you very much for this good advice!

Number 3, I see, is naturally going away. If I look at my kids: they barely even know what a USB stick is, nor what it is good for. My kids associate "storing portable information" with "there is a cloud service to do that" - which of course is its own field ;)

Additionally, I try to build awareness for mobile devices and the cloud:

  • Live as if you knew your mobile device is hacked (and do e.g. no banking on it)

  • When putting things in the cloud, think of them as being publicly available tomorrow. If that's okay for you - put it there.

E.g. I have a bunch of roleplaying game material as PDFs stored in the cloud. It saves me GBs of local data. And when my account is compromised: have fun playing RPGs - it doesn't bother me.

Christian Bewernitz

German translation is ready: dev.to/karfau/gute-gewohnheiten-fu...
Maybe it will change a bit over time due to proofreading or further suggestions.