Posted on 10 May 2021 at 7:31 PM by Ger van Hees
The three best things you can do to improve your computer security, bar none, are the same three things you should have been doing for the entire history of computing. The top three threats have been on the list of top threats ever since there were enough computers with shared access to let unscrupulous people do malicious things with them.
1. Don’t Get Social Engineered
At the top of the computer threat list is social engineering. Social engineering is done by someone or something pretending to be something it is not, often posing as a brand or item you already trust more than something unknown. It then asks you to reveal confidential information (like a password) or to run a Trojan Horse malware program. It’s a con!
Social engineering is responsible for 70% to 90% of all malicious digital breaches. No other single root cause of a computer compromise comes close. The single best thing you can do to prevent malicious activity on your computers is to focus on mitigating social engineering. Concentrate on it first and best. To do otherwise, unless you already have it well handled, is to be inefficient in your computer security defense.
2. Patch Your Software
Unpatched software is responsible for 20% to 40% of all computer attacks. There have been years when unpatched software, and in particular a single program, like unpatched Oracle Java or unpatched Microsoft Windows, was responsible for nearly all successful breaches. But since social engineering took over the number one spot (around 2009), unpatched software’s share has fallen. It is still a strong number two, and anything you can do to patch your most-likely-to-be-attacked software better and more consistently should be the second most important effort you undertake.
3. Use Different Passwords Between Sites and Services
Contrary to popular belief, your passwords do not have to be super long and complex. An 8-character password with some complexity likely blocks 95% of all password attacks. The only attack type it does not mitigate is password hash cracking, but to perform that attack the hacker already has to have complete control of your computer (or has to have obtained your password hash some other way, for example from a breached website’s password database). If you are worried about password hash cracking, which most hackers in real-world attacks do not do, your passwords have to be at least 16 characters long (with or without complexity).
The far bigger problem, regardless of your password’s complexity, is reusing a password between unrelated security domains (i.e., different websites, services, networks, devices, etc.). The average person has three to 19 passwords that they split up among 170+ websites, services, and domains. This means there is a lot of sharing going on, and it is very high-risk behavior: if a hacker obtains one of your passwords, no matter how it was obtained, he or she can start trying it at the other places you may belong to. Hackers have been using this method to get into people’s important online accounts and identities for decades. So, make a hacker’s life harder. Use a different password on every site, service, and domain you use. This usually means you have to use a password manager program, and it is something that I and many other computer security experts recommend, at least until some better form of authentication takes over.
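To make the two password points above concrete, here is a small added example (not code from the original post). The first part puts numbers on the claim that 8 characters is enough against online guessing but not against offline hash cracking, using assumed guess rates: 10 guesses per second against a rate-limited login form, and 10 billion guesses per second for a fast, unsalted hash on a GPU rig (both figures are illustrative assumptions, not measurements). The second part takes a constructed list of (site, password) pairs, reports which passwords are shared across sites, and shows the "blast radius" of a single leaked password, which is exactly the reuse attack the text describes. The account list and the alphabet sizes are assumptions made for the example.

```python
from collections import defaultdict
from hashlib import sha256

SECONDS_PER_YEAR = 365.25 * 24 * 3600

# Assumed character sets: all 95 printable ASCII characters ("complex")
# versus lowercase letters only ("no complexity").
PRINTABLE_ASCII = 95
LOWERCASE_ONLY = 26

# Assumed guess rates (illustrative, not measured):
ONLINE_GUESSES_PER_SEC = 10        # login form with throttling/lockout
OFFLINE_GUESSES_PER_SEC = 10_000_000_000  # GPU rig vs. fast unsalted hash


def keyspace(alphabet_size, length):
    """Number of distinct passwords of the given length over the alphabet."""
    return alphabet_size ** length


def expected_crack_years(alphabet_size, length, guesses_per_second):
    """Expected years to find a random password from this space.

    On average an exhaustive search hits the target halfway through the
    keyspace, so we divide by two before dividing by the guess rate.
    """
    guesses = keyspace(alphabet_size, length) / 2
    return guesses / guesses_per_second / SECONDS_PER_YEAR


def find_reused_passwords(accounts):
    """Group sites by password, returning only passwords used on more than
    one site. Passwords are replaced by a short SHA-256 fingerprint so the
    report itself does not contain any plaintext secrets."""
    sites_by_fingerprint = defaultdict(list)
    for site, password in accounts:
        fingerprint = sha256(password.encode("utf-8")).hexdigest()[:12]
        sites_by_fingerprint[fingerprint].append(site)
    return {fp: sorted(sites)
            for fp, sites in sites_by_fingerprint.items() if len(sites) > 1}


def blast_radius(accounts, compromised_site):
    """Sites an attacker can also log into after learning the password
    used at compromised_site (the credential-reuse attack). Returns an
    empty list if the site is unknown or its password is unique."""
    passwords = dict(accounts)
    leaked = passwords.get(compromised_site)
    if leaked is None:
        return []
    return sorted(site for site, pw in accounts
                  if pw == leaked and site != compromised_site)


# Constructed sample data for the example: one password shared by three
# unrelated sites, two unique passwords.
SAMPLE_ACCOUNTS = [
    ("bank.example", "Tr0ub4dor&3"),
    ("mail.example", "Tr0ub4dor&3"),
    ("forum.example", "Tr0ub4dor&3"),
    ("shop.example", "correct horse battery staple"),
    ("work-vpn.example", "q9!Lm2#xVp7@Zc4r"),
]

if __name__ == "__main__":
    for label, alpha, length in [("8 chars, complex", PRINTABLE_ASCII, 8),
                                 ("16 chars, lowercase", LOWERCASE_ONLY, 16),
                                 ("16 chars, complex", PRINTABLE_ASCII, 16)]:
        online = expected_crack_years(alpha, length, ONLINE_GUESSES_PER_SEC)
        offline = expected_crack_years(alpha, length, OFFLINE_GUESSES_PER_SEC)
        print(f"{label:22s} online: {online:12.3g} yrs  offline: {offline:12.3g} yrs")

    print("reused:", find_reused_passwords(SAMPLE_ACCOUNTS))
    print("forum.example leak exposes:", blast_radius(SAMPLE_ACCOUNTS, "forum.example"))
```

Run stand-alone, the table shows the 8-character complex password lasting millions of years against the throttled login but only days against offline cracking, while 16 lowercase characters survive both for tens of thousands of years or more; the second half shows that leaking the forum password also hands over the bank and mail accounts.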
So, there you have it! Don’t get socially engineered, patch your stuff, and use different passwords for everything.
It’s one sentence, three recommendations and 13 words.
You are likely going to read tens of thousands of words this year on how to best protect yourself and your organization against hackers and malware. I can assure you that those 13 words are the most important recommendations you can understand and use to build your computer defense. Everyone is going to try to distract you with far more words, far more recommendations, and advice to buy a bunch of expensive new devices and services. Those can help. But what I am saying is that you need to concentrate on the three recommendations above as if they were the top three things you can do to reduce risk in your environment, because they are. Any offering that helps you do those three things should be your focus, this year and every year, until the threats change.