Abacus Semiconductor Cybersecurity Suggestions
Cybersecurity today is in a pretty rough shape. Multiple layers of deficient hardware, firmware and software as well as a lack of user awareness all contribute to this problem. Most of the workforce in small to medium sized businesses and most private users do not have a general level of education to fight this ongoing and ever-increasing threat.
Tech gobbledygook and unnecessary use of acronyms as well as the tendency to hide behind terms that are incomprehensible to the average user prevent a widespread use of available security measures.
In reality, cybersecurity is not that difficult, and we try to help the average user with implementing basic security measures.
You need to be aware of the fact that not all breaches are due to bad technology or lack of proper IT systems configuration. Some are just plain old good social engineering attacks — and they usually succeed. However, you need to also understand and accept that if a nation state attack against you is underway, you will not detect it, and they very likely will be successful as any nation state can muster enough resources to crack the weakest link in your defenses.
As a result, train your family and your employees and everyone with a need to access your IT such that they recognize attacks and in doubt always chose to not act. One common signature of an attack is that the attackers try to create a sense of urgency. "Quick, the boss needs you to go to Apple/Target/Walmart and buy Gift Cards and have you scan and send the barcode on the gift cards to the boss via text message." 100% of these are scams.
Simple Security Measures
Here is a set of suggestions we make to all of our customers so that they are as safe and secure as they can be.
Use a secure Operating System. MacOS, Linux and all UNIX variants are good. Windows is not too bad either these days, so any version 11 or newer when fully patched works if you follow all other instructions.
When you or your IT person set up your computer, create only one admin account and multiple user accounts.
Strictly separate the user account from an admin account, meaning that you conduct your daily business and all routine transactions using your user account, not the admin account.
Never let a visitor or a friend or family member use your admin or user account — it is much easier to create a visitor account and then delete the entire account after the visitor has left. Learn how to quickly set up a new user account and how to delete it after it has outlived its usefulness.
Learn how to say NO. If anyone pesters you to let them use your account, the only acceptable answer is NO. That includes friends, family and visitors. The answer is NO.
Do not share any of your wireless account info with anyone. If you have a guest account on your computer, the visitor will be able to use the wireless access without the visitor having to ask for a wireless access password or passphrase. A visitor will be able to use your wireless Internet without knowing your wireless passwords or passphrases. If the wireless setup is done by an admin on a computer, then all account users including guests can use the wireless LAN without having to know or ask for the wireless access key or passphrase.
All digital security starts with a secure password or passphrase, and in this case you cannot rely on others to keep it secure for you. You must create a secure passphrase, and you must never forget it. You will have to create a passphrase, and please make sure of two things: it must be unique, and you must never forget it because no one can recover it if you lose it. However, you will need to write this passphrase down. This passphrase is going to be your primary key to secure your other secondary passwords in your password manager. Therefore it must be unique as the security of all of your other keys depend on it. Do not print it as someone could intercept your printer communication. Hand-write (not in cursive, and make sure you can differentiate between O and 0 and I and 1 and I and l) the passphrase once each onto 3 pieces of paper. Put each paper into an envelope and seal it. Make crosshatch marks across the area where the flap folds over the body of the envelope. Fully wrap this envelope into aluminum foil and tape it shut. Put this into another larger envelope and repeat this for all three papers containing your passphrase. Put one of them in a drawer in your office, one in a place in your house that will not be found easily by intruders, and give one to your most trusted friend for safekeeping, or put it into a bank lockbox if you have one. If you ever have to retrieve the passphrase, check if the envelopes are still protected the way you created them, particularly the crosshatch pattern at the flap edge. If you have retrieved the passphrase, redo the protection the same way you did it originally. Why not print it? First of all, USB and Ethernet communication can easily be intercepted, and second, most printers retain all print jobs in their print queue until the queue is overwritten, not when it is confirmed to have been printed.
Here is my suggestion with regards to password managers: use a password manager that is NOT cloud-based; any local password manager will do. Use this passphrase you had created and safeguarded as in the instructions above as the primary key for your password manager. Your password manager will help you create secondary or tertiary keys for web sites, devices and all other items that need authentication, and the password manager will remember those. If possible, use 2 Factor Authentication (2FA) for all sites that allow it, and either use your phone as an authenticator for those, or a separate key such as YubiKey. If at any time you feel that your primary passphrase is not secure enough any more, let the password manager suggest a new longer and more secure one, and then change the passphrase accordingly. Try to avoid reusing passwords across multiple sites as it creates a security problem. If one site gets breached, another site for which you used the same credentials is going to be vulnerable.
If at all possible, use an external firewall. Any external firewall, even if not perfectly configured, will beat a software firewall on a computer by a wide margin. If your wireless router has a firewall, use it. If you don't know how to configure it, ask your IT person or a good trusted friend to help you configure it.
If you have multiple wireless routers, use only one of them them as wireless router and all others as wireless access points connected to the main one through wired Ethernet. Then only configure the wireless router connected to the Cable or DSL modem (or fiber modem) as a firewall.
An even better solution is a true firewall, and they can be based on a cheap fanless PC with two or more Ethernet ports. Install pfSense or opnSense and configure it accordingly, and connect all of your wireless routers and wireless access points to it. Both pfSense and opnSense provide firewall, routing and VPN services.
If you have sensitive data on your phone or your laptop, make sure to use a Virtual Private Network (VPN) from that device into your firewall so that that part of the communication path is fully encrypted and all snooping on your data communication from a public wireless access point will render no useful results. A true IPSec VPN is nearly impossible to crack and will therefore protect you and your sensitive data, even if attackers try to intercept. With a VPN, man-in-the-middle (MITM) attacks will not be successful. A Virtual Private Network (VPN) is a piece of networking software that can be added to a laptop, PC or even a smart phone and network equipment such as a router or firewall, and it enables secure and secret communication through the Internet despite the fact that the Internet natively is not secure, not authenticated and does not keep data secret. A VPN effectively establishes a secure and secret tunnel through the Internet from one endpoint to another, thus protecting the data contents (aka payload) and the authenticity of the data communication. If you control both endpoints, for example your smart phone and your VPN firewall/router, then this tunnel is so secure that it is practically not hackable (not even by a man-in-the-middle attack), and thus the contents stays secret. Do not mistake a VPN that you create with a VPN Service that a Service Provider offers as that by the very definition cannot guarantee full secrecy because it cannot span the tunnel between endpoints. The VPN Service Provider will always be the termination point of your secure communication, and all communication between the VPN Service Provider with the other endpoint of your transaction is unencrypted and unauthenticated.
In general, it is a good idea to keep the BIOS, firmware, Operating System and all crucial applications on all of your devices (computers, laptops, cell phones, wireless access points and wireless routers, firewalls and cable/DSL/fiber modems) patched to a current level. That might sound like a lot of work, but compared to dealing with the aftermath of a breach, this is routine work and not terribly difficult.
Encrypt your data, on all of your devices. That includes your backups. Never give out the password or passphrase to your encrypted data to anyone.
If you have a printer and it offers USB, Ethernet (wired) and wireless Ethernet connectivity, disable all USB communication, disable the wireless Ethernet function, and connect it via wired Ethernet to your wireless access point. That way, it is still accessible via wireless LAN (WLAN), but it does not pose a risk for an inadvertently open wireless access point that is not well secured. This is particularly important if that printer is a multi-function device and you scan sensitive documents with it.
Use a shredder for all of the paper that may contain personal information. Whether it is a misprint or something you received via mail, if it contains any information that could help ID thieves to steal your identity, shred it. If anything contains a QR code that invokes a personalized web site for you to sign up to anything, shred it. If it falls into the wrong hands, someone can sign on on your behalf or worse, impersonate you and change the beneficiary of any moentary transaction while you are stuck paying the bill. Also make sure that when you empty the shredder bin, it is at least half full. If there is only one shredded paper in there, it is easy to reconstruct. Either wait until the shredder bin is at least half full, or just shred a few pieces of mail spam and mix the shreds nicely before dumping them into a paper bag, fold up the paper bag so nothing falls out, and then put that bag into another one. That way, no one suspects any paper shreds in your recycling bin.
A simple yet effective way to protect yourself is to reduce your attack surface and your public profile. The more anyone can find out about you on your social media, the more likely it is that you will be an easy target for digital burglars. Do not post that you are going to go on a long vacation away from home. Once you are back, you can post to your hearts' content.
Use the recommendations posted on SecureTheVillage. SecureTheVillage is a community-based response to the cybersecurity and privacy crisis. SecureTheVillage is a 501c(3) nonprofit with a vision of a cybersecure global village.
Do not get intimidated. Follow the suggestions and make a habit and procedure out of them. Make it your goal to become better each and every day.