Basic Security Must-Haves: Personal Edition

[00:00:16.910] – Jason Pufahl

So today we’re going to talk a little bit about those basic security must-haves. But then I think where we normally focus on, say, information security, where it’s more specific to business environments, I think we’re going to spend some time on what you can do at home, personally, just to be more secure as an individual. We debated a little bit about whether or not this would be appropriate for what we’re trying to do in terms of a theme here.

[00:00:42.410] – Jason Pufahl

But the reality is everything that you do when you’re at home is relatable or applicable to the office environment. The generalized concepts are the same. Frankly, a lot of the techniques are the same. You might have the luxury of having an IT company or IT provider that’s actually helping you accomplish some of the stuff in the business, but good practices at home translate to good practices at your business.

[00:01:03.640] – Steven Maresca

And the other way right around. You want to do some of the things at home that you do at the office.

[00:01:09.220] – Jason Pufahl

So I think, we’ll probably, frankly, run through a little bit of almost a laundry list of smart things to do at home. Some we’ll cover a little bit more detail, maybe than others, no particular order. I have no preference with when we start first, so I don’t know if there’s anything you want to tackle, Steve.

[00:01:24.760] – Steven Maresca

Well, let’s talk about it, in general. People think of what they do at home is somehow a bit more protected or a bit safer. It’s a place of relaxation. It’s a place you go to get away from the day-to-day. For many people, that means not having to log in every 15 minutes or an hour or anything of that sort. It’s comfortable.

[00:01:48.440] – Steven Maresca

And sometimes that comfort is a problem, especially if you’ve ever lost data or had your system needing intervention to repair. I think that’s really the framing.

[00:02:00.700] – Jason Pufahl

So it’s funny you’re talking about comfort, right? I think we will talk in the future about that blurred line between the workplace and home. And how do you actually now be a remote employee, where maybe your home was your sanctuary and now it’s your office, too? So that will be an upcoming episode, no doubt.

[00:02:20.020] – Jason Pufahl

But the other comfort part is, how do you actually protect against the unforeseen to some degree. Personally, and this just happened this weekend, right? I was paddling across a lake with my wife. My son thought it’d be a great idea to try to jump into the canoe while we were moving. He was jumping off of a raft, immediately capsized us. It wasn’t dangerous. It wasn’t that deep where we were.

[00:02:50.440] – Jason Pufahl

But my wife had her phone. The phone is still at the bottom of the lake. And inconvenience aside, because it’s a pain just in general to go and have to replace your phone. We just went on a pretty long trip. And she, fortunately, had backed up all of her photos the day before. Living with me, you would expect we have a reasonably well-defined backup strategy.

[00:03:14.720] – Jason Pufahl

But you have to have one because ultimately the phone is older, the inconvenience of going to get it small enough. If you had lost 500 pictures from a trip you just took that are frankly irreplaceable, that changes the entire outcome of what really was a benign canoeing incident, right?

[00:03:37.150] – Steven Maresca

And the same thing is true for us like in an earlier time, was quite a photography person. Film, digital, I did quite a bit. And that’s a little easier. If you have that material, it sort of persists. It’s tangible. You can touch it. It’s on a shelf somewhere.

[00:03:56.920] – Jason Pufahl

That’s not the case. I have two kids now, and all of our photos are on our phones. We don’t have a dedicated camera.

[00:04:04.050] – Jason Pufahl

And they’re all works of art to keep. You want to keep them out of water.

[00:04:06.660] – Steven Maresca

And if we didn’t back them up, I mean, candidly, we’d be in a bad place. We’re soon to shift from one phone to another. That’s sort of a typical activity for a lot of people.

[00:04:17.850] – Jason Pufahl

Every couple of years for a lot of people.

[00:04:19.500] – Steven Maresca

Right. And it’s a pain point. How do you get your stuff off your old phone? Sometimes it’s possible to do when you get your new one. Other times, it breaks. What do you do then?

[00:04:27.490] – Steven Maresca

Backing things up to the cloud, to another device. That’s how you get around these problems, whether it’s a canoe or simply replacing something that’s now too old to use. 

[00:04:37.970] – Jason Pufahl

And it’s easy. It’s not getting data off of a mobile device like a phone. There’s an app for that. There’s no friction anymore. There’s really no good reason to keep data locally and risk losing it. Typically, the fees are pretty low. I mean, I think I used Amazon for mine over the last bunch of years, probably cost me less than a hundred dollars a year for a place to securely put my data, right? It just isn’t a big expense.

[00:05:07.230] – Steven Maresca

And if you have Apple or Android devices, it’s innate with the service. You can pay for more if you run out.

[00:05:12.480] – Jason Pufahl

And you’ll need to as soon as you start taking videos. That’s just the reality.

[00:05:16.120] – Steven Maresca

Right. Use it.

[00:05:16.840] – Jason Pufahl

Right. But so we started with backups. And pictures are a big part, certainly of the personal landscape. But you’ve got your taxes. You’ve got maybe some financial records. Probably the important part of this is your hardware is very replaceable, your data, not so much. Just back it up.

[00:05:38.240] – Steven Maresca

And shifting a little bit, be careful about what you send and how you do it. Taxes are a great example. We’re a couple of months after tax season now, but the odds are very good that you received at least some of your forms in electronic form these days. Don’t send it via email. Please don’t. It’s fundamentally not safe.

[00:05:58.750] – Jason Pufahl

Well, let’s be specific about that.

[00:06:02.320] – Steven Maresca

Sure.

[00:06:02.560] – Jason Pufahl

Email is not encrypted. [crosstalk 00:06:03] 

[00:06:04.100] – Steven Maresca

Right. Mail is not encrypted. It’s never intended to be a really private means of communication. But people send sensitive things about themselves to folks they’ve never really met like an accountant all the time. Just be mindful of what you send to whom. And if you can, use means of sending it securely.

[00:06:23.900] – Steven Maresca

They, meaning your accountant or financial firm, almost always have secure data transfer tools. If you have to, provide it physically. Send a USB key, something like that. It’s at least a bit more secure than sending it over in an unprotected route.

[00:06:41.020] – Jason Pufahl

It is interesting how many people utilize email to transfer data. I think it’s also interesting how often… And I’m trying to decide almost which way to segway into this. People don’t protect their email adequately. I’ll definitely have conversations with family members who’d say, well, it’s just my email. I don’t care if I don’t have a complex password.

[00:07:05.560] – Jason Pufahl

My counterargument to that would be email, arguably, is one of the most important places where it’s inexorably linked to the password reset chain, right? So if you don’t protect your email, in a way, you’re really opening up exposure to almost any service that you have.

[00:07:22.370] – Steven Maresca

Right. It’s a gateway to your bank, to your retirement funds, to your podcast provider, you name it. It’s how you access those platforms. And if you’re an attacker and you can get into email, you have access to everything else.

[00:07:36.810] – Jason Pufahl

Every service. You could change the password for basically every single service. So knowing that everybody probably has an email account, you can probably surmise they have a bank account, some other things. But just assume everybody has an email account, I think there are two key ways that we would say protect it, right? And the first would be good passwords like a strong password that is unique from all of your other accounts.

[00:08:02.380] – Jason Pufahl

We always advocate for a unique password for every type of business that you interact with and store that data in a password manager. So in two sentences, I just set a mouthful of things. 

[00:08:16.700] – Steven Maresca

Right. So bottom line, protect your email. Use a good password. If you are one of the folks who have a tendency to use a formula a password or embed a birth date or something like that to keep it memorable, I understand the mentality behind it, but it’s easy to guess. If it’s short, realistically, computers can process that rather rapidly.

[00:08:40.550] – Steven Maresca

Third-party providers of the many that you may use that password to access, they get hacked all the time. So your account and the password might be out in the open. And if you reuse it in a bunch of places, you’re just exposing yourself to other risks you don’t anticipate. Storing it in a password manager, you can have different passwords for everything.

[00:09:01.310] – Jason Pufahl

Different and complex ones.

[00:09:02.060] – Steven Maresca

Right.

[00:09:02.780] – Jason Pufahl

Because if you… So I think I got counted the other day. I think I had 463 unique credentials for different websites, right?

[00:09:12.330] – Steven Maresca

You might be a bit out of the norm.

[00:09:14.940] – Jason Pufahl

So I don’t know if I am. When I went through it, truly, I looked at it, and I thought, I kind of access these at some point over the course of a year, and they’re not that uncommon in a lot of ways. Some clearly are more maybe security important or your bank accounts, insurance carriers, things like that, a lot of them not as important. But if you can remember your passwords, the likelihood is they’re reasonably guessable. And so the password managers allow you to create pretty complex passwords stored in a securer format, right?

[00:09:47.860] – Steven Maresca

Right. Don’t write it on a post-it note and leave it lying around. It’s just asking for trouble.

[00:09:52.330] – Jason Pufahl

You got me thinking now, though, whether or not 400 plus different sets of credentials is extreme. I’ll bet you if you count them, you’re probably close to that. I’d be really surprised if you said something, it could be.

[00:10:03.720] – Steven Maresca

It doesn’t matter, ultimately. I have 10, you have a hundred same sort of thought process applies. So we got here from email, so let’s go back to that a little bit.

[00:10:11.950] – Jason Pufahl

Okay.

[00:10:12.680] – Steven Maresca

So being that email is the hub for interaction with so many services, what else can we do to ensure at home were protected?

[00:10:21.330] – Jason Pufahl

So before you jump, though, I’m thinking people are probably saying, what is a password manager? Do you have any recommendations? I’ll say, I personally try to avoid recommendations more often than not, but in general, I use LastPass. One password is another really popular one. Dashlane is the third. Those are just that come to mind.

[00:10:44.080] – Jason Pufahl

I would rather people walk away from this saying, all right, here’s a couple of choices for me. Do your own exploration. See if there’s anything that you like about one versus the other. But at a bare minimum, get a password manager. Keep your credentials secure. Create passwords that are complex and using that way.

[00:11:03.560] – Steven Maresca

We’ve often heard some concerns about what if an attacker gets access to it? What can they do? Well, the truth is that all these tools that we’re talking about from a password management standpoint are built around protecting those passwords. So they have a master password to let you in. But they are constructed in such a way that an attacker can’t break in and steal your passwords without that interaction with you.

[00:11:30.610] – Steven Maresca

So be comfortable in using them and know that you’ve reduced risk ultimately by making more complex passwords.

[00:11:38.210] – Jason Pufahl

Right. But use a reputable one, right? Make sure at least it’s got reviews and you got some sense that it’s legit.

[00:11:44.430] – Steven Maresca

Bottom line, use one, use anything. Don’t use formulae passwords.

[00:11:49.260] – Jason Pufahl

But I interrupted you, right? You were going down the path of saying, what else do we use to protect email?

[00:11:54.560] – Steven Maresca

Right. And I think that because it is sort of a recurring theme, especially in our conversation today, and we’ll return to it again, protect your email with additional security measures. Every email provider that’s free that I’m aware of offers multi-factor authentication, which is a mouthful. It’s called two-step login.

[00:12:16.250] – Jason Pufahl

Two-factor.

[00:12:19.600] – Steven Maresca

Two-factor secure login with text messages. Any variation of those themes is really what you’re trying to look for. Go into your account profiles, turn it on, get a text message, have your phone prompt you. All of these things help to protect your accounts. You may be familiar with it in the form of a text message or similar from your bank if you are asked to supply your phone number. It’s at least better than nothing.

[00:12:45.020] – Steven Maresca

What you’re doing is essentially enabling your account or you’re protecting your account by forcing a message to your phone or some other device when you log in. So in other words, if your password is stolen, assume that it will be, at the very least, that can’t be used against you without your awareness. And if that attacker doesn’t have access to your phone, they can’t get in.

[00:13:11.080] – Jason Pufahl

Right. So the general definition that you often hear is two-factor is protecting something that you know with something that you have, right? So you know your password. You have a phone that can receive a text message, right? So the idea being you really are limiting your exposure through multiple forms of authentications for that.

[00:13:33.390] – Jason Pufahl

And then critically important, two-factor multi-factor is quickly becoming, I’d say, a common or almost required component of protecting any critical data.

[00:13:43.890] – Steven Maresca

Other practical things you can do just to move things a bit is freeze your credit. Consider interacting with your credit bureaus. It’s free. It’s not exactly onerous to do. And what it will effectively allow you to say is, hey, you can protect your systems from identity theft. You can protect your data and your credit line from identity theft by simply requiring that creditors interact with you before performing a credit check.

[00:14:15.030] – Steven Maresca

It’s not especially painful if you need to open up a new line of credit open alone. You just turn it off for a little while and then off you go. But you can rest assured that if someone has your Social Security number, date of birth, and financial information, that they can use it against you.

[00:14:29.600] – Jason Pufahl

It’s a hugely powerful tool that individuals have, right? Every time you open up any kind of credit, they’re going to check one of the major credit bureaus. The challenge, of course, is you rarely can be told which credit bureau they are going to check, so you probably have to unfreeze it at each. But it really puts the control into your hands, which is, I think, one of the more difficult things to get when operating this technology is regaining that control, and that allows you to do that.

[00:14:58.380] – Jason Pufahl

So tempted just to talk about the internet of things just for the sheer fun of it, because I know that’s not your favorite term. So let’s just call it smart devices, right? And it’s important that you always have up to date versions of whatever product you’re running, whether it be your Mac and your PC, your Nest Thermostat, your Apple TV, your Chromecast, you can run down a list of all of those internet-enabled devices that you have in your house now. They all represent an attack vector of the source.

[00:15:36.420] – Jason Pufahl

And it’s a little bit onerous because sometimes the update process isn’t totally seamless with these, but it’s really valuable to go through and make sure that those devices that you use regularly are updated. Wireless routers would be another spot that I think represents a legitimate risk to potential internet-facing attacks, and you want to make sure you update those as well.

[00:16:01.720] – Jason Pufahl

One of the places that briefly comes to mind for me would be if you can or if you have the capability at home to enable guest Wi-Fi on your routers. I think everybody’s got visitors, transient folks. Maybe you want to put your smart devices on your guest wireless and better protect some of those more important internal computers. But creatively, using guest Wi-Fi is often a useful individual protection quality.

[00:16:28.510] – Steven Maresca

And review what you have. If you don’t use your smart TV, don’t connect it to your Wi-Fi network. The most secure device is something that’s not connected to anything else. And just be mindful of the tools that are deployed, be mindful of the things that you have on your network at home.

[00:16:44.500] – Jason Pufahl

So all the conversations we’re having here are in more generalized terms, these things we would have talked about with business customers. If we were sitting with business, we’d say, make sure you do a data flow diagram. Make sure you do a data inventory. Make sure you patch.

[00:16:59.070] – Jason Pufahl

The terminology might be slightly different. The scale and sort of breath that you might attack some of these problems is going to be different, but at the root of it, everybody needs to have their passwords. You really want to use two-factor. In my opinion, there’s really nothing more important than backing your data up and ensuring that you’ve got reliable secondary copies.

[00:17:21.640] – Jason Pufahl

I love that you brought up the freeze of your credit. I think that’s such a valuable financial tool. You do all of those, and I think you’ll find yourself in quite a good position at home.

[00:17:34.980] – Steven Maresca

And as always, be mindful of what you’re doing, what you’re using, and how you interact with data and devices. If you do that, you’ll at least detect something that’s likely to impact you before it does.

[00:17:45.000] – Jason Pufahl

So one thing we didn’t talk about is phishing. And actually, I intentionally want to avoid diving into that today because I believe that’s really a topic on its own. But when thinking about phishing and mindfulness is what brought that to mind for me, you want to pay attention to the email that you get. You want to really feel confident you’re getting it from people that you know.

[00:18:06.590] – Jason Pufahl

I think we’ll spend a bunch of time in an upcoming episode around phishing detection and how you can better understand what’s legitimate versus what’s fraudulent. People spend some time on that. But take advantage of some of these tips. Protect yourself better at home.

[00:18:24.060] – Jason Pufahl

The skills and the routines that you develop there will translate into the workplace and provide a better work/life balance to some degree. And with that, as always, I’d like to thank you for listening. And we truly hope that you got some value out of this. Thank you

[00:18:41.500] – Speaker 3

Stay vigilant. Stay resilient. This has been CyberSound.