• Jeremy Druin

Security Mistakes Everyone Makes: Improving Personal, Mobile and Home Network Security - Part I

Updated: 6 days ago


Perfection is unrealistic but making relatively easy changes can significantly improve the security of mobile devices and home networks. Check out these tips that can greatly improve your security posture.


Mistake: Putting all our eggs into the password basket


Passwords are difficult to secure because there are so many effective ways to compromise them. Multi-factor authentication (MFA) is much stronger since additional information is needed to login and this extra information is not as easy to obtain as someone's password. The most common form is Two-factor Authentication (2FA); so-called because a password (something you know) plus another factor is needed. The second factor is usually something you have like a phone number, text, or email account. In many systems, the system requires your password then sends you a code that is hard to predict to your phone or email. Definitely use multi-factor. The Two-Factor Auth website lists brands that use 2FA and documents on how to sign up.


Even when 2FA is available, we are stuck with passwords for the short-term. Some sites do not support 2FA even though this is not as big an issue currently. Even for sites that offer 2FA, usually, a password is the first factor. Use a password manager to store passwords. Not only is the storage more secure, but password managers help us overcome two more common mistakes: reusing passwords and using short passwords. Since the password manager will remember the password for us, we can use much longer passwords that are different for every site. Win-Win.


When possible, use an alternate factor. Many platforms, especially mobile, support fingerprints and facial recognition. Hardware keys that follow FIDO protocols can be particularly strong alternatives.


Mistake: Failing to recognize the importance of our email accounts


Email resides in the foundation of the security house of cards. If a hacker obtains someone's email account, it becomes much easier to compromise other systems. Think about how many systems use email for registration and password resets, not to mention the ability to impersonate someone. It can be argued that mobile device security is the most important link in the personal security chain, but email is comfortably in the "top 3".


Be extra careful with email security. Use two-factor (2FA) authentication to secure email accounts and have a healthy suspicion about all messages, links, and attachments arriving in the inbox.


Mistake: Short Passwords


In computer systems that can only store short passwords such as the 8-character limit imposed by many backend systems, compensating controls like complexity and rotation are important considerations. However, modern platforms tend to allow much longer passwords of 24, 32, and even 128 characters. When it comes to security, the characteristic that matters most is the length. Complexity helps, but does not compare to length. Ultra-fast computers will crack a password of "&y3Qy1^" fairly fast but struggle mightily with supposedly "simple" passwords like "cat.concrete.giants.indiana.snowball".


Mistake: Failing to Backup, then Backup the Backup


File backups are underappreciated; until you need them. Whether due to drive-hopping malware, run of the mill accidents, or the fact we have our digital lives loaded on our computer, backups are as important as ever. When creating backups, there are a few tips to make them more resilient so they are ready when we need them most.

  1. Ensure backups are automated. We have the best intentions, but chances are you do not backup as often as you should.

  2. Backup the backup. Advanced malware might make its way onto connected storage devices or an ordinary accident can damage an onsite drive. Having multiple backups of different types significantly increases the chance that a copy survives when that day comes.

  3. Ensure one of the backups is "off-site". This may be as simple as backing up to the "cloud" using automated software or simply storing a backup drive outside the office. If storing backups in the cloud, aka "someone else's computer", consider encrypting the data first. Some cloud services offer Zero-Knowledge Encryption so the data is automatically encrypted before it moves up to the cloud. If using your own drive, use an encrypted drive so the data is safe before it exits the building.

  4. Ensure one of the backups is "air-gapped" which means the backup device is never connected to the network except when it is time to create the backup. Air-gapped drives tend to be more resistant to malware that spreads across the network since the air-gapped device is (hopefully) not connected to the network at the time of infection. Air-gapped devices may be more resistant to digital accidents since they cannot be accessed unless someone connects the drive. Small, name-brand 4 TB, USB 3.0 (aka speedy) drives cost less than $100.00. SSD cost significantly more but are even faster and more compact. These can make attractive options for the home.


Mistake: Not Encrypting all the Things


Encryption technology has advanced to the point that it is relatively easy to use. There are many different uses for several types of encryption tech. Three come to mind immediately.


Protecting Lost and Stolen Devices


If a device is lost and if the user is not logged-in, full-disk encryption (FDE) can protect the files stored on the device. Phones, tablets, laptops, and desktops support full-disk encryption but require the user to activate the feature.


Windows Device Encryption and Windows Pro BitLocker both offer FDE although Device Encryption requires using a Microsoft Account and BitLocker requires a Pro license. OS X File Vault provides FDE for Macs if the user enables the feature. Regardless of which you choose, enable the full-disk encryption available.


iOS devices encrypt user data with Data Protection. iOS 7 or later and iPadOS 13.1 receive this protection automatically. Android generally requires the user to opt-in. A login must be set up on the device; preferably something better than a password or pin such as fingerprint authentication. Afterward, full-disk encryption can be enabled.


Protecting Sensitive Files


Full-disk encryption may be unlocked if the user is logged in. For example, if a Windows computer is running, the disk is decrypted so the files can be accessed. Imagine a shared system, like a Windows laptop, in which multiple people can log in. It can be possible for users to access the files of other users. File encryption protects files so that, generally speaking, only the owner can unlock them.


Windows includes Encrypting File System (EFS) which can encrypt folders. For many Windows users, encrypting the Documents, Downloads, and Desktop folder is a good start. If files are kept elsewhere, encrypt those folders as well. OS X includes Disk Utility which can also encrypt folders. There are many third-party options for file encryption that offer more flexibility for sharing encrypted files such as GPG.


Again, if storing backups in the cloud, consider encrypting the data first.


Protecting Network Traffic


Computers and mobile devices are constantly chatting. If this traffic is not encrypted, the information might be captured. Using a VPN can help encrypt traffic traveling over Wi-Fi but note that any protections provided by a traditional VPN typically stop once the traffic travels onward from the VPN to its destination. VPN only protects the "first leg" of the journey which might span several pieces of network infrastructure. To the extent possible, ensure communications have end-to-end encryption.


When browsing the web, always use HTTPS. Like other security practices, using HTTPS is easier if automated. The HTTPS Everywhere browser plug-in helps ensure HTTPS is always used even if you only type in the domain name, click on a favorite or bookmark, or just forget to type HTTPS://.


Mistake: Missing Patches


While not immediately obvious, the first step in having an excellent patching program is not patching but uninstalling. Look at software installed on computers, phones, and tablets. Remove any applications that are not used. This not only reduces the attack surface and the need to patch but may increase privacy and battery life. Disconnect devices connected to your home network that are no longer needed or do not require Internet access.


OS X will notify the user when operating system updates are available and will patch software installed from the App Store. These features do not care for programs installed manually from Apple Disk Image (DMG) files which must be patched by the user.


Network devices such as routers, switches, and Wi-Fi access points are sometimes forgotten. Other Internet-connected hardware like TVs, Media Players, and the Internet of Things (IoT) might be even more neglected. When possible, enable automatic updates but for critical network infrastructure, schedule the updates when the equipment will not be missed. Having a router patch itself can be a nice feature as long as it does not update in the middle of your virtual meeting.


Apple tends to support iOS devices for years. Andriod support is less consistent and can vary depending on whether the device manufacturer or the mobile operator is supplying updates. Android users can ensure a minimum level of support by using devices that are Android Enterprise Recommended.


If patching cannot be automated, set up a calendar reminder for no more than 30 days.


What about the security of my company?


A security audit, vulnerability assessment, or penetration test can uncover security vulnerabilities in your network, web application, mobile application, and APIs then teach you how to address the issues so you can take action. Ellipsis InfoSec provides top-quality security audits, assessments, and penetration tests from a highly-certified, globally-recognized expert with many years of experience testing healthcare, retail, supply chain, and other Fortune 50 network, web, mobile, web services, and APIs. Please reach out to Ellipsis today for more information.


[Next Up: Security Mistakes Everyone Makes: Improving Personal, Mobile and Home Network Security - Part II]


References


[1] statista: Average number of characters of leaked user passwords worldwide as of 2017

[2] iOS Data Protection: https://support.apple.com/guide/security/data-protection-overview-secf6276da8a/web

[3] Enable full-disk encryption on Android: https://www.androidcentral.com/how-enable-encryption-android

[4] HTTPS Everywhere: https://www.eff.org/https-everywhere

[5] Windows Backup: https://support.microsoft.com/en-us/windows/backup-and-restore-in-windows-10-352091d2-bb9d-3ea3-ed18-52ef2b88cbef

[6] OS X Time Machine: https://support.apple.com/en-us/HT201250

[7] Windows Device Encryption: https://support.microsoft.com/en-us/windows/device-encryption-in-windows-10-ad5dcf4b-dbe0-2331-228f-7925c2a3012d

[8] Windows BitLocker: https://docs.microsoft.com/en-us/windows/security/information-protection/bitlocker/bitlocker-device-encryption-overview-windows-10

[9] OS X File Vault: https://support.apple.com/en-us/HT204837

[10] Windows Encrypting File System (EFS): https://docs.microsoft.com/en-us/windows/win32/fileio/file-encryption

[11] OS X Disk Utility: https://support.apple.com/guide/disk-utility/encrypt-protect-a-storage-device-password-dskutl35612/mac

[12] GPG: https://gnupg.org



© 2014-2021 by Ellipsis Information Security LLC

  • Twitter Metallic
  • LinkedIn App Icon
  • YouTube Long Shadow