The Internet is full of risks, so it is crucial to know how to stay secure online. You need to protect your sensitive or private data against any nefarious actors. You should assume that you may make mistakes. It doesn’t matter if you are a skilled and experienced technical person or a complete newbie. Things happen by accident, you may be distracted, and you may rely on sources that you should not have. What matters is that you learn from your mistakes and improve. This builds your confidence online and sharpens your instincts. You can read more on protecting yourself online in my previous post.
Layers of defense
One thing to mention: in this post I concentrate purely on how to secure your identity online. However, defense on the web should not be limited to one layer. To stay secure online you need to adopt different protection controls and preventive measures on various layers. This should include protecting your devices, network, data, etc.
How to secure your devices online
It doesn’t matter whether it is your laptop, mobile phone, tablet, or any other device. When it is connected online or exposed in any way, you may be under threat. Therefore, it is crucial to take proper preventive measures to reduce or mitigate the risk that comes with being exposed online. A strong recommendation is to follow vendor guidelines and best practices. Make sure to keep your systems up to date regularly. There are zero-day threats. However, most malicious actions exploit known vulnerabilities, which can be prevented by applying patches and updates already released by vendors.
How to protect your applications
A similar pattern applies to any software running on your devices, not only to operating systems. Try to keep your applications on the latest versions. It is not always easy, and some applications may not have auto-update. However, different solutions may support you in detecting outdated software installed on your machines. Some antivirus systems may already incorporate such app version scanners.
While we are on the topic of antivirus, make sure that you install and use one. It is important that virus definitions are updated and your systems are scanned for such nefarious activities. Your system may already have a built-in antivirus solution; try to avoid turning it off.
Filtering rules on devices. Sometimes your systems may be equipped with default communication rules, some kind of built-in system firewall. This may prevent some applications from working properly. But instead of simply disabling it or creating a general allow-everything rule, create a granular rule that applies only to this specific application.
How to protect your data on the devices
Use encryption to protect your data, which in most cases is a valuable asset to you. It may contain sensitive information that you do not want to disclose unwillingly. Encrypting it at the storage level (so-called encryption at rest) protects it if your storage is stolen.
Be careful using public Wi-Fi
Free Wi-Fi available in a public area can be a threat to your data. The communication may not be encrypted. Therefore, your data will be unprotected. Also, this may be a way to lure you in to take over your passwords and other information. You should never use public and unsecured networks. If you have to use such unprotected networks, the only reasonable protection is to use a VPN solution to protect your communication.
Reduce the use of passwords
Try to use shorter methods of logging in, e.g. PINs, fingerprint or face scanners, etc. These methods are directly bound to the device, so no one else can use them to get access to your account. However, a PIN will not protect your data from being taken over when someone steals your device and already has your PIN.
Protect your passwords
Surely, I don’t have to mention that it is not wise to share your password with anyone. But what if you share your credentials unintentionally? In public areas, shoulder surfing is nothing new. While entering any credentials, be cautious or use another way to authenticate, e.g. PIN, face recognition, fingerprint, etc.
Stay secure online – beware of evil twins’ websites
It is quite common practice to create websites that resemble the original ones remarkably well. The level of detail used to convince a user that this is a legitimate website is quite often astonishing. However, two things often give such a website away.
The first one is the address, particularly the domain. As this must be unique, a nefarious website cannot have the same name as the original one. Therefore, it will most probably be similar to the original, e.g. with a small typo of the kind users commonly make when typing a website name. It can also be a substitution of characters with others that look similar, e.g. zero and the letter “O”.
The second thing is to whom the certificate was issued. Check that there are no typos in the name of the institution or company you wanted to reach.
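The domain check described above, as an added example that is not part of the original post: it compares a hostname against your own list of trusted domains and reports when the name only matches after look-alike characters (such as zero and “O”) are folded together, or is a single typo away. The trusted list, the look-alike table and all sample names are constructed assumptions.

```python
from typing import Optional, Tuple

# Constructed list of sites the user really does business with.
TRUSTED = {"example-bank.com", "mymail.example"}

# Characters that are easily mistaken for each other, folded to one form.
CONFUSABLES = str.maketrans({"0": "o", "1": "l", "i": "l", "5": "s"})


def skeleton(domain: str) -> str:
    """Lower-case the name and fold look-alike characters together."""
    folded = domain.lower().rstrip(".").translate(CONFUSABLES)
    # Letter pairs that read as a single letter at a glance.
    return folded.replace("rn", "m").replace("vv", "w")


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: insertions, deletions and substitutions."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def check_domain(domain: str) -> Tuple[str, Optional[str]]:
    """Return (verdict, trusted domain the name resembles or None)."""
    name = domain.lower().rstrip(".")
    if name in TRUSTED:
        return ("trusted", name)
    for good in sorted(TRUSTED):
        if skeleton(name) == skeleton(good):
            return ("lookalike-characters", good)
        if edit_distance(name, good) <= 1:
            return ("possible-typo", good)
    return ("unknown", None)


if __name__ == "__main__":
    for host in ["example-bank.com", "examp1e-bank.com", "exampl-bank.com"]:
        print(host, check_domain(host))
```

An "unknown" verdict only means the name resembles nothing on the list; it says nothing about whether the site is legitimate.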
Don’t provide any sensitive data on unprotected websites
Always check if a website uses HTTPS. Do not provide any credentials or any sensitive information on a website that does not use SSL. The data is then sent over the internet in plain text. It is not protected in any way. Therefore, make sure that the connection is encrypted before providing any information. A missing encrypted connection may also be one of the signals that a website is not a legitimate one.
Stay secure online – Use different passwords
Don’t use the same username and password on every website. You can support yourself with pseudo-random generators like KeePass. It generates your password and can also be used to securely store your credentials. It also doesn’t have to be installed. If one of these websites or applications is compromised and its database is leaked, it is probable that someone will test your credentials on miscellaneous websites and may gain access to your other accounts.
Always change the password in case of a breach
Whenever you receive information that security has been breached on a website or application you use, or that some of its users’ credentials, even hashes, have been leaked, always, unconditionally, change your passwords there. Do this just in case. It does not mean that your username and password are necessarily in an attacker's hands. But why leave it to chance? Just follow the rule “better safe than sorry”.
Secure yourself online by using complex passwords
What does it mean that a password is complex? Complexity is a combination of different factors, as listed below. You are probably familiar with most of these, but the list is here to ensure you do not miss anything.
- Use upper and lower case letters
- Use special characters – but remember that some of the systems may not support some of the special characters. Therefore, you may be forced to substitute or eliminate them
- Use letters and numbers
- Do not use any commonly used or known names – this is often used by dictionary attacks
- Do not substitute similar-looking letters for numbers and vice versa. E.g. instead of “A” do not use “4”. Instead of “0” do not use “O” and so on.
To come up with more complex passwords you can either use a passphrase instead of a password or use a tool like KeePass, which can generate a password for you. The longer the password, the harder it is to crack.
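The rules above turned into a generator, as an added example that is not part of the original post and is not how KeePass itself works: it builds a random password containing every character class, lets you exclude special characters a system rejects, builds a passphrase from a word list you supply, and estimates how length affects guessing effort. The default special-character set and the function names are assumptions.

```python
import math
import secrets
import string

SPECIALS = "!@#$%^&*()-_=+[]{}"  # constructed default set of special characters


def generate_password(length: int = 16, exclude: str = "") -> str:
    """Random password with at least one lower, upper, digit and special character.

    `exclude` lists characters the target system does not support.
    """
    classes = [string.ascii_lowercase, string.ascii_uppercase, string.digits, SPECIALS]
    classes = ["".join(c for c in cls if c not in exclude) for cls in classes]
    if any(not cls for cls in classes):
        raise ValueError("exclude removes an entire character class")
    if length < len(classes):
        raise ValueError("length too short to include every character class")
    alphabet = "".join(classes)
    # One guaranteed character per class, the rest from the full alphabet.
    chars = [secrets.choice(cls) for cls in classes]
    chars += [secrets.choice(alphabet) for _ in range(length - len(classes))]
    # Shuffle with the OS random source so guaranteed characters are not always first.
    secrets.SystemRandom().shuffle(chars)
    return "".join(chars)


def generate_passphrase(words: list, count: int = 6, sep: str = "-") -> str:
    """Passphrase of `count` words drawn independently from `words`."""
    return sep.join(secrets.choice(words) for _ in range(count))


def entropy_bits(choices: int, length: int) -> float:
    """Upper bound on guessing effort in bits: length * log2(choices per position)."""
    return length * math.log2(choices)


if __name__ == "__main__":
    print(generate_password(20, exclude="[]{}"))
    # Six words from a 7,776-word list versus 12 random printable characters.
    print(round(entropy_bits(7776, 6), 1), round(entropy_bits(94, 12), 1))
```

Each extra character or word adds the same number of bits, which is why length matters more than any single substitution trick.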
What is the minimum number of characters for a password?
To see the recommended minimum number of characters, check online tables that provide the time to crack a password based on its length and complexity. The time required to break passwords tends to change due to technological progress. Therefore, try to keep the complexity and length of your passwords in line with the current situation. Here is a link to the table from 2022.
Use Multifactor Authentication (MFA) whenever possible
Use Multifactor Authentication (MFA) whenever possible. Why? Because it gives you another layer of protection against your account being breached in case your credentials are taken over. This may be due either to a security breach of a web service you used or to your own accidental doing. It doesn’t matter. With MFA there is another confirmation to be provided before you are granted access to your account. There are different MFA solutions. The confirmation is based on something you have: a code or phrase can be delivered to you via a text message to your mobile device, a notification to your mobile phone, or a phone call. You can install an application that regularly generates a code and is, of course, associated with your particular account and the service you use. You can even have a special separate device (physical token) that provides such codes, e.g. RSA.
There are different choices. However, the most important thing is that MFA prevents anyone from accessing your account, even if your credentials were disclosed. Why? Because someone would need not only your username and password but also access to the solution or device where the confirmation code is generated. While I am talking about authentication codes, it is worth mentioning that some authenticator applications also offer prompt notifications. This simplifies accessing your account, as you do not need to retype the code from your device, but simply confirm that it is you who is trying to get into this account. Unfortunately, not every application supports MFA. But whenever possible, enable it. It helps you protect yourself and your sensitive data from treacherous actors.