Tips for Increased Cyber Security

Brief

Technology is becoming an essential part of people’s lives, helping facilitate their day-to-day activities. It has also become the arena for many malicious actors trying to inflict damage to their victims. This article will look at steps that a tech savvy person can take to increase their cyber security in relation to basic technology such as (click on links to easily navigate to your desired topic):

Browser
Microsoft Officer
PDF
Cellphones and Desktop Operating Systems
Telephone/ text
E-mail (this link will take you to our “E-mail 101” article)
Wi-fi Connections

We will also provide a basic cheat-sheet for non-tech savvy readers to increase their cyber security.

The Techy User Manual

Browser

Web browsers are commonly used around the world to gain access to a variety of websites and data across the internet. The access to internet data can lead to harmful unwarranted connections to electronics and/or privacy. Below is a list of settings and extensions that allows for a safer browsing.

Note: There are several browsers available for users to choose from, however, the most widely used browsers in the market are Mozilla Firefox (Open Source), Chrome (Google) or Internet explorer (Microsoft), therefore it is often preferable to use one of them as your primary browser.

Steps to Increased Browser Security & Privacy

Turn-off third-party cookies (Firefox, Chrome, IE) – This will decrease the amount of data gathered from you on behalf of third-parties tied to the frequented websites.
Browser Automatic Updates – Set your browser to automatically update as this will ensure that fixed bugs and vulnerabilities have been implemented in the browser. In Firefox, go to ‘Settings’>‘General’> tick the ‘Automatic install updates (recommended)’ button.

Do not save Login & Password – Unless you are 100% certain that no one else will use the electronic and you are willing to take the risk of a cyberattack extracting that data, it is preferable to not save login & password on your browser. For Firefox users, go to ‘Settings’ > ‘Privacy & Security’ > Untick ‘Ask to save logins and passwords for websites’

File Download Request – Some websites may try to automatically download a file into an electronic. To limit that risk, a Firefox user can go to ‘Settings’ > ‘General’ > ‘Files and Applications’ and tick the ‘Always ask you where to save files’ box

Disable Javascript (Link) – Although Javascript is widely used in websites, it continues to be marred with a number of vulnerabilities that are exploited by hackers. To limit that risk, users are encouraged to disable Javascript as long as it does not impact day-to-day operations. Please note that by disabling Javascript, some sites may not work as intended, some prefer to whitelist sites they need from using Javascript while others take the risk and leave Javascript on.

Add-ons for Enhanced Security

Install Ublock extension to help block and filter ads. (Firefox, Chrome, IE). If there is a trusted site that requires ads that have been blocked, click the uBlock icon then press the power Icon once and it will turn gray.
Note: Some advance users believe that there may be a conflict of interest in a firm building both the search engine (ad revenue) and the web browser. An ad revenue driven firm such as Alphabet (Google) and Microsoft (Bing) may be strongly against solutions such as Ublock, therefore potential making it their interest to build a web browser that circumvents an ad blocker.

To ensure a secure, encrypted communication between you and major websites, use HTTPS Everywhere (link). If there is a need to turn off HTTPS Everywhere, click on its icon, then toggle off the “HTTPS Everywhere is on”

Tips for Daily Browsing

Use the Private Browsing mode (CTRL+SHIFT+P in Firefox) to automatically delete history & cookies from your browser after the browser is closed.
Make it a habit to use incognito mode when browsing the internet since it will automatically clear the browser history once you exit the application. Beware that this mode will not make you anonymous on websites that have captured your data, hence why you should follow the steps above.

Microsoft Office

Microsoft office products such as Word, Excel, PowerPoint, and Outlook have been very popular for decades, helping businesses and individuals with their day-to-day operations. This popularity has also led to an increase in its use by malicious actors to try to gain access to electronics. To ensure a higher degree of security, information will be provided regarding how to protect a user.

Trust Center Settings

Most MS Office solutions contains a Trust Center where it allows you to increase/decrease the security level of the software. Below is a list of settings that can be changed to conform to the level of sophistication that the user has.

On average, it is preferable that ‘non tech savvy’ users receive training to ensure they are well equipped to navigate the challenges of the technological world since it is difficult to determine when someone will gain access to an electronic without the setting provided below.

Note: MS Word has been used for exemplification purposes, most MS Suite solutions follow the same rationale.

Open Office Software >File > Options > Trust Center > Trust Center Settings.

Trusted Documents

Go to the ‘Trusted Documents’ segment and check mark “Disable Trusted Documents”.

Add-ins

For Tech savvy – Check mark the “Require Application Add-ins to be signed by Trusted Publisher”
For Non tech savvy – Check mark “Disable all Application Add-ins (may impair functionality)”as long as user is not expected to use ‘Add’ins for their daily operations

ActiveX Settings:

For Tech savvy – choose “Prompt me before enabling Unsafe for Initialization (UFI) controls with additional restrictions and Safe for Initialization (SFI) controls with minimal restrictions“ & checkmark “Safe Mode”
For Non Tech savvy – choose “Disable all controls without notification” unless user is expected to receive documents with ActiveX. In such cases, extra training may be required to ensure they understand the risks. Always check mark “Safe Mode”

Macro Settings

For Tech savvy – “Disable all macros with notification”
For Non Tech savvy – “Disable all macros without notification” unless user is expected to receive documents with Macros. In such cases, extra training may be required to ensure they understand the risks.

Technical: If (Status = 1 or N/A, then leave it blank), otherwise if status is Blank, then let the user know that the “Status is Unavailable”. If none of the points raised before have occurred, then take the Due Date minus Today’s Date.

Protected View

Checkmark all options.

Message Bar Settings for All Officer Applications

For Tech savvy – Pick “Show the message bar in all applications when active content, such as ActiveX controls and macros has been blocked
For Non Tech savvy – Choose “Never show information about blocked content” unless user is expected to receive documents that they are expected to open with active content. In such cases, extra training may be required to ensure they understand the risks.

Good Habits

Do not download or open files from untrusted sources
Keep MS Office, antivirus & computer systems up-to-date
Do not open attachments from untrusted sources

Do not click on hyperlinks from untrusted sources.
Always look for cues to determine whether the trusted source is really who you think it is or whether someone is acting as if they are impersonating someone.

PDF

PDF or Portable Document Format has become an industry standard for files that are meant to be opened and readable in almost any device/system. With its popularity, a number of people decided to exploit it to gain access to other people’s electronics and data. Below is a guideline to increase PDF security and a set off good habits everyone should have.

PDF Security Settings

Open Adobe Acrobat Reader >Edit > Preferences

Go to ‘Security (Enhanced)’ and follow the check marks provided in the picture below

Cellphones and Desktop Operating Systems

As of 2019, Android and Windows Operating systems have the highest market share throughout all platform at around 37% each (Source). Therefore, a majority of advice will be catered to these two groups, although some advices are cross-platform in nature.

Operating System – Android

Screen Lock – Screen lock is the security code used to open your android device. Most devices will offer the following options (from most secure to the least): Password>Pin>Pattern>Face Unlock>Slide>None. The lowest security level a person should aim for is the Pattern. In the near future, technological advances may lead the Facial & Biometric screen lock options to become the safer bet to some.
Find My Electronic – In case a device is lost, having the ‘Find my (phone/electronic/device)’ turned on can help you potentially remote control & locate the device.
Electronic Encryption – Newer Android devices (2018+) will have automatic electronic encryption added to their system. For those interest in encrypting their SD cards, open setting and search “Encrypt SD Card” then follow the guidelines provided in the device.
Manufacturer Specific Privacy – Device manufacturers often offer enhanced privacy settings for settings such as location, sending diagnostic data and receive marketing information. This option can be found in different places depending on the manufacturer of the device. Depending on your risk/security profile, you may want to have or remove them.
Google Privacy – Most android phone require the user to create a Google account. When entering a Google account, there is an option to run a “Privacy & Personalization” and “Take the Privacy Check-up” to ensure that Google considers the owner’s privacy needs.
Software Updates – Keeping Android software(s) updated can help ensure a safer device with the newest capabilities. Go to Setting>Software Updates and turn on ‘Auto download over Wi-Fi’, for users that do not expect to use Wi-Fi often, it is preferable to do manual updates once every month or so. Updates should also be made in the Google Play Store>My apps & games.
Antivirus – Antiviruses have been used for decades to create an extra layer of protection against entities looking to gain access to electronics. Although some believe that the antivirus itself can become a conduit to accessing someone’s systems, others prefer some of the benefits that can come from using it. To help determine what tool to use, I often recommend clients to use Av-Test to see the options that have been tested for protection, usability and performance. Out of the top performers, a decision can be made on pricing (free options are available, but with less protection), supplier diversity, corporate discounting, etc. Tests are often made for home and business users of Android, MacOS and Windows.
- As of 2019, Google Play Protect has a low protection score, which means that some may prefer to have another Mobile Antivirus solution to support their needs.
Google Account 2FA – 2FA or two-factor authentication is an extra layer of security that can be implemented to protect you Google Account. For those interested in learning more about the tool and why it matters, visit Google’s 2-Step verification page.

Operating System – Windows

Windows OS Update – Keep your Windows up-to-date to ensure the highest software quality and protection. If you would like to specify a date & time for updates, refer to Microsoft (Link).

Cortana – Is a virtual assistant created by Microsoft that comes to any Windows machine by default. It supports a number of process requests a user may have (link). In some circles, it is considered a potential privacy nightmare. For those interested in limiting its capabilities, go to Windows>Settings>Cortana and uncheck the settings that makes you uncomfortable. Just remember that by removing some of the setting, Cortana may stop working.
Admin & Guest Account – In computer science, the principle of least privilege defines that a user may access only the information and resource needed to accomplish their tasks. For most, this means that an administrator account is not needed and may be even dangerous since it allows for changes to settings, folders and other things that can break or leave the device vulnerable. For those interested in creating a guest account, please refer to Microsoft‘s guidelines.
Windows Account Password – Be sure to create a Windows Password for both Administrators & Guest accounts to create an extra layer of physical protection. Refer to Wikihow on how to set-up/reset password.
User Account Control Notification (UAC) – User account control notification helps prevent potentially dangerous changes to Windows OS by notifying the user before it happens. To update UAC, go to search>User account> Change User Account Control settings and choose “Always notify”.

Hardware Encryption – Hardware encryption can serve to protect the data in your device. In Windows OS systems, Bitlocker encryption is often part of the package by default. To turn on Bitlocker, follow the guideline: Search>Encryption>Manage BitLocker>Turn on Bitlocker

Antivirus – Antiviruses have been used for decades to create an extra layer of protection against entities looking to gain access to electronics. Although some believe that the antivirus itself can become a conduit to access the data, others prefer some of the benefits that can come from using it. To help determine what tool to use, I often recommend clients to use Av-Test to see the options that have been tested for protection, usability and performance. Out of the top performers, a decision can be made on pricing (free options are available, but with less protection). Tests are often made for home and business users of Android, MacOS and Windows. Always keep the antivirus updated.
Third Party App Updates – Keeping applications up to date is critical to ensure the highest performance, security, new features and that bugs are fixed. Not all apps will automatically update or have an updater attached to it. Therefore it is important to note which software are used by the owner of the device, and create a plan. Some users prefer to have a Software Updater such as Avira, CCleaner or Iobit to help them keep better track of the updates they need to do. Others believe that these tools can potentially be used to harvest data or as an attack point to enter your device.
Backup – Without a backup, a catastrophe, incident or hack can destroy the systems and data a person had in their electronic. To decrease that risk, check our Backup section to understand some of the options and considerations.
Remote Desktop Services (RDS) – RDS allows a user to take control of almost all aspects of a computer over a network connection. It is useful when troubleshooting/supporting a business or family electronic without the need to be physically there. All Windows machine comes with it and should be used when the time arises. To get there, you need to Search>Remote> Remote Desktop Connection. Remember to have this App in the desktop and to configure the setting before-hand if the probability that it will be needed is high. There are other Remote desktop systems available (including Apple OS) with different functionalities, choose the one that works best for you.

Telephone/Text

Telephone and texts are often used as a conduit for fraudulent activities looking to extract data or resources from their victims. This session will look at some of the types of scams & steps that can be taken to limit its risk.

Robocalls – Automated phone calls looking to exploit a need or belief the user has for the benefit of the malicious actor. It often attempts to offer better interest rates on your loans/credit cards or anything that could be of interest to you. If a user responds in some form to the occurrence, it can either lead to loss of money, time or be utilized for future engagements.

Types of Fraud

[Wikipedia]

Business – Attempts to illegally use business related functions such as billing, telemarketing, employment, tech support and others to get the victim to provide information that will financially or otherwise benefit the perpetrator at the detriment of the victim.

Financial – Uses/poses as banks, credit cards, insurance, mortgage, tax and many others to defraud the victim for financial gains. If a real financially related entity reaches out to you, it is extremely unlikely that they will request for personal information to validate a claim/request.

Government – Uses the name of government entities such as the FBI, revenue agencies and others to extract valuable information from the victims that can be used for financial gains. Most government entities will use sealed mail or agreed with methods to contact the relevant party regarding an issue. It will most often, never ask you to provide personal information to resolve the matter. If you are in doubt, reach out to the entities website and contact someone you trust for counsel.

Examples

The ‘Nigerian Prince’ scam – Is a scam that looks to get up-front money in exchange for future riches. Although the ‘Nigerian Prince’ example is well-known, this type of scam comes in variety of forms. The best course of action is to not respond to the request and close the call or delete the text.

The ‘Captured/imprisoned Family Member’ scam – A family member has been captured for ransom or has been imprisoned and now needs bailout money. At least that is the narrative the malicious actors aims to portray as it looks to abuse a sense of urgency and care to lead its victims into being defrauded. Most often, the best course of action is to gain knowledge of the circumstances the victim is meant to be in, ask questions that, in theory, only you and the captured/imprisoned victim would know. Then you should end the call and reach out to the individual via cellphone/e-mail and to closer relatives that may have a better insight on what is happening to that person’s life. This, alongside cross-checking the information provided by the assailants should help you determine whether to take further steps or not.

E-mail

Refer to our “Email Security 101” article.

Wi-Fi Connections

Wi-Fi has become vastly important in the day-to-day electronic operations of millions of people around the world. This segment will look at the basic steps that should be taken to secure a Wi-Fi system and increase the security of private & publicly available Wi-Fi use.

Wi-Fi System

Change Administrative Login [Critical] – Every Wi-Fi system comes with a default login credential to facilitate installation. This information is often available on the internet, which increases the risk of someone infiltrating the Wi-Fi system.

Strengthen Password Protection [Critical] – Change the password of everything related to your Wi-Fi system to something that can be remembered, while at the same time being unique and hard to decipher. Make use of symbols, numbers and letters and a minimum of 12+ characters (e.g. 1Th()rp1N531)

Change SSID Name [Critical] – SSID is the name in which users will be able to identify your Wi-Fi. In most cases, factories will provide a default SSID that can be easily traced back to them, increasing the risk that your system will be infiltrated. To decrease that risk, Wi-Fi administrators are encouraged to change SSID name. Some will prefer to have a business related name while others prefer funny name (Refer to this website for ideas)

Hide SSID Name [Recommended] – Most routers will have the option to hide the SSID name, this will ensure that a limited number of passersby will be able to see the network through normal mens. Approved users of the network will need to have the accurate SSID name and password to be able to enter the network. A persistent actor can still find your Wi-Fi with little to no effort, so do not consider this as a ‘safe’ solution on its own.

Wi-Fi Encryption [Critical] – The best encryption most routers have to offer is a combination of WPA2 and AES, so always chose them. This will ensure that the communication moved within the wireless network is less prone to infiltration/leak. In the upcoming years, WPA3 will likely become mainstream, so if you see that option, go with it instead of WPA2.

Activate Wi-Fi Firewall [Critical] – Wi-Fi Firewall serves as a layer of protection, telling the system whether a set of incoming data is in a blacklist that should be blocked or not. Every Wi-Fi system should have their firewall activated to increase the protection of the system and its users.

Wi-Fi System Update [Critical] – From time to time, router manufacturers will have updates that serve to improve its service or security patches. Some will automatically update, while others require the owner of the Wi-Fi system (router) to create monthly cadence to check whether there is an update via the manufactory’s website or the system’s interface.

Guest Network [Recommended] – A good portion of routers will allow for multiple networks to be created. For security purposes, it is preferable that external sources such as company or house guest use a Guest network to limit your data and network exposure. Similar settings to the ones listed above should be considered throughout the implementation, although passwords should be unique for Guests and may require it to be updated more often.

Implement a VPN [Optional] – VPN or Virtual Private Network is a tool used to extend security between two private network parties to decrease the risk of leakage or infiltration. A majority of Wi-Fi systems have the option to add a VPN to the network, although it often costs extra.

Conclusion – The items listed above will provide a basic level of security that every Wi-Fi system owner/admin should strive for. For those in need of a higher level of security or a better understanding of what/why certain levels of security is needed, you are encouraged to hire a professional. Data is a driving force for businesses and individuals in today’s technologically driven society, be sure to take steps to protect that data.

Wi-Fi for Users

Do Not

Enter an untrusted network.
Use public network for personal stuff such as banking, social media, corporate, etc.
Exception: If conditions are precarious, use a VPN + HTTPS websites to add a layer of protection.
Leave your Wi-Fi connector on when not in use. The capability of seeing multiple Wi-Fi’s can also be used to search for electronics interested in connecting to a Wi-Fi.

Double Check

The name of the WiFi (SSID) to confirm it is not a spoof.
Your VPN is working as intended. Use a website such as (link) to check whether the IPv4 & IPv6 shows your current address of the VPN address (you want the VPN address to show).
To see whether automatic connection to sensitive information is disabled prior to using a public network. For example, do not auto-connect to e-mail, file sharing, etc.
To see if your system and antivirus are up-to-date prior to using a public network.
For websites with HTTPS since it contains encryption that limits the snooping occurring within the Wi-Fi network.
The Terms of Conditions provided prior to using the Wi-FI.

Implement a VPN [Recommended] – VPN or Virtual Private Network is a tool used to extend security between two private network parties to decrease the risk of leakage or infiltration. Although it costs money to have, it also increases user privacy, decreasing the risk that private or public networks try to tap your data.

Have your own Wi-Fi – To decrease the odds that others are using their Wi-Fi system to snoop your data, bring your own Wi-Fi with you and use the Wi-Fi system guidelines to increase your safety on the internet.

Backup

Most businesses and individuals keep a large amount of data stored in their electronics. However, not everyone keeps a second copy of their most valuable data. So what happens if a laptop is stolen, a hard drive stops working or a virus wipe-out the data? That person can lose countless hours, money and resources if they did not take the necessary precautions to backup. This segment will look at some areas that should be considered prior to deciding the best backup solution for the individual/entity.

Decide

Whether to have a physical or virtual backup of your most important data.
What physical options exist and whether it works for the data I have. (E.g. Network Attached Storage, External Hard Drive, CD/DVD).
What Virtual options exist and whether it works for the data I have. (E.g. Dropbox, OneDrive, Google Drive, SharePoint).
Price, volume, security & speed.
The data/folders that need backup.
What settings I may need to have in my virtual or physical backup to conform to my needs.

Non-Techy User Manual

Support System – It is often preferable to receive support from a trusted friend/family member or a professional when issues arise with an electronic or the internet. Whether it is installing a new application, a virus pop-up or something else, the support system can help mitigate the inherit risks of not installing properly or becoming a victim of a hacker. For those unable to receive external support for their Browser, Microsoft, PDF, Electronics, Telephone, Text, E-mail, Wi-Fi or backup solutions, be sure to read the Tech Savvy manual in its entirety to gain a basic knowledge on the matter.

Operating Systems – Set-up automatic system update at a time of convenience (Microsoft Windows, Google Android). It will limit the risk of a user forgetting or not knowing how to update their electronic. For operating systems where there are no ‘automatic update’ options, it becomes imperative that the user is taught how to update it and to provide a form of reminder (e.g. calendar) to help remember.

Display Simplification – The less cluttered a screen is, the easier it is to navigate. Add e-mail, relevant social media, browser & other key applications to the main screen and remove any system critical application from the user’s view.

Remote Access – For individuals that are expected to receive support from a trusted source, it is beneficial to have a remote access software if a user is expected to receive online technical support.

Remote Tracking – Electronics can be lost or stolen without a minute’s notice. To increase the odds that the electronic can be found, users can install or use default settings such as “Find my device”.

How to spot fake news – Refer to Harvard’s “4 Tips Spotting Fake News Story” & IFLA infographic in multiple languages.

Movies & Documentaries related to scams – Catfish, Catch me if you can, 10 Online Scams

Tri E-mail System – Create an e-mail account for personal use, one for business & one for miscellaneous use (e.g. website registrations).

Automated Daily/Weekly Backup – Use a hosting service (Dropbox, OneDrive, and Google Drive) to synchronize important data to ensure a second copy is available in case something goes wrong with the main electronic.

Double Check – Always double check the source of e-mail, website, text, etc, before moving forward.

Different Accounts, Different Passwords – Always have a different password for the different accounts you intend to have on your electronics and the internet. That is especially important for accounts associated with personal or business information.

Device Lock – Always lock the device every time it is not in use. Some devices will lock automatically after a couple seconds (assuming changes to settings have been made), others may require manual lock. Manual lock for Windows computers is Win+L and Mac is Control + Shift + Eject (or Power).

Illegal Software – Do not download or install dubious or illegal software.

Password Change – Change passwords every couple of months to decrease exposure to hackers.

Link Clicking / Opening Attachments – Do not click on links or open attachments from dubious or untrusted sources regardless of whether it is on a search engine, a file, an e-mail, or anything else

Secure network – Only use a secure Wi-Fi connection. If there is a need to use public network, ensure that all your actions are done under HTTPS websites & a VPN, and do not use it for personal or business related stuff.

Not in Use Connection– Turn off Location, Bluetooth & Wi-Fi connections if the electronic is not in use. Flight/Airplane Mode can be used to turn them all off.

“The Legit Scammer” – Some scammers will act like a government entity or a trusted business. Always confirm information (Use a search engine to confirm e-mail address, telephone number, etc) before providing personal information. A vast majority of legitimate government and business entities will not request for personal information when contacting a user.

Browser/Text/E-mail

Do not visit untrusted sources.
Do not click on links from untrusted sources.
Double check website/telephone number/e-mail adress name before entering personal or company information.
Do not click on “You have a virus”, “Free money” pop-ups.
Do not download files from untrusted sources.
Seek family or professional support if something looks odd.
Be mindful that scammers will use legit entities to try to get to you.

Technology Cheat-Sheet

In General:

Reach out to a family member or trusted advisor if something looks off. Their feedback can help you make an informed decision.
Always double check the sources before providing personal or company information.
Do not visit, click, download or install anything from an untrusted sources.
Scammers will often create a sense of urgency to get you to act before thinking. Always remember that!
Do not provide personal/corporate/financial information when an entity requests it unless you are 110% certain of the validity of the request.
Be mindful that scammers will use legit entities to try to get to you.
[Stay Safe from Phishing & Scams] video by Google
Remember to password protect anything of value. Always use a different password.
Always keep an eye for unsuspected shoulder surfing.
Do not leave your electronic without supervision. If that is not an option, always physically and digitally lock it.
Do not click on “You have a virus”, “Free money” pop-ups.
Always have a backup (digital or otherwise) for important data.
Keep your device up-to-date to ensure the highest security and quality of service.