I cannot recall a time where technology was not pervasive in my life. Part of that has to do with my schooling background in computing and growing up with the internet, but it doesn’t seem too far a stretch to say that it would be difficult for many across all generations to imagine life without the internet today. The field of computing has progressed by leaps and bounds since its inception around the 1940s and has continued to advance exponentially. Decades ago, using self-driving robots and owning intelligent personal assistants like Alexa might have sounded like something out of a science-fiction novel, but these concepts are our reality today. This technological space that we live in has also conveniently melded into our other reality of now: navigating life in a pandemic. This isn’t to say that our daily lives weren’t augmented by technology pre-COVID-19; rather, technology is now a necessity to be able to work, educate, connect with others, and even relax. With social distancing, quarantines, and lockdowns as our new “normal” for the foreseeable future, technology has ensured that people are not completely cut off from their loved ones and can maintain a relative sense of normalcy and routine in their daily lives.
There is a greater reliance on Internet-based applications today as almost everything has transitioned online. Classes and universities have shifted from in-person learning formats to online classes, aided by video communication applications like Microsoft Teams and Zoom, and by learning management systems to keep track of all material and deliver exams. Online marketplaces like Etsy and Amazon have risen in popularity due to the availability and accessibility of these platforms to the now-online consumer. There is a heavier reliance on social media applications and platforms as people continue to stay connected with each other. None of this is new, but the magnitude at which we are relying on the Internet today has increased. However, this presents a lot of considerations for cybersecurity, specifically cyber-hygiene.
Consider all the different software applications that you are now using for different tasks that you need to accomplish in a day. Have you ever thought about the privacy and security implications of using those applications? At the start of quarantine, many organizations transitioned to using Zoom for meetings. However, it came with its own set of problems, including but not limited to Zoom-bombers joining meetings, hackers gaining remote access to machines on Zoom meetings, and lack of proper protocols involving meeting room passwords and access. Many of these issues have now been patched and Zoom is actively working to ensure user privacy and security, but these changes occurred as mitigations, not preventions.
The responsibility to assure online privacy and security does not squarely fall on the user alone; internet service providers and technology companies have the responsibility to ensure that their product or service adheres to all appropriate standards. However, it does not mean that users of these products and services can be complacent about using technology. This can be a hard ask of the average person, especially in an unpredictable time as a pandemic. When there are so many applications in use, how can we assure our privacy and security online without feeling overwhelmed by the information overload from all the different applications we use? I’ve been reflecting on this lately as I’ve begun to use more applications for education, work and entertainment purposes, both from home and on-campus at Purdue. It is a good thing that we have all these applications handy, but we can go one step further to make sure that we don’t fall victim to any cyber attacks or unwittingly compromise our information by following some simple steps to secure our presence both online and offline.
i. Be aware of privacy affordances across platforms
Different online platforms are built for different purposes. Therefore, the privacy and security settings on these platforms will differ based on their purpose and the information that they are collecting. If you are creating an account on a platform, take a moment to look at the different privacy and security settings that the platform offers you when you construct your online profile. You can alter accessibility and visibility settings to your profile based on your preferences, which is a good first step in securing the data that you have online.
ii. Generate and use strong passwords/passphrases
A Wikipedia page titled “10,000 most common passwords” shows that “Purdue” is the 4546th most common password, and “boiler” is the 6977th most common password. Whether you think Wikipedia is a reliable source or not, there is truth to the contents of that page and unfortunately, people tend to leave their default passwords because they are easy to remember. However, this greatly compromises your account security as these passwords can be easily brute-forced.
What makes a good password? In general, the longer a password is, the better. This is because as the length of your password increases, the computing power it takes to brute force each character of the password increases. It can take hundreds of years to crack passwords that follow strong password policy guidelines. You might have seen these on websites; the general guideline is to include uppercase and lowercase letters, numbers, and symbols in your password. The more variability (or randomness in the selection of the characters) in your password, the better!
This does bring up a conundrum though – if your password has all these random letters and numbers that don’t follow a logical pattern, then how do you recall it? The temptation might be high but do not write down your passwords, even if you are the only person who has access to the written document. One solution would be to use password managers. At its basic level, a password manager is an application that helps generate complex passwords and store them. This can be stored locally on your device, online, or in an encrypted database. You just have to remember one password, the password to the manager itself, to be able to access the rest of your passwords. The second solution to remember passwords is to use a passphrase instead. As the name suggests, a passphrase is essentially a string of words, or a phrase, that follows mnemonics for easy recall. The only caveat here is that certain websites or services require your passwords to be a certain length, so use passphrases in cases where you can afford to make passwords with no set length limits.
It might also be tempting to store your passwords on your web browser. For instance, Google allows you to save your passwords on your browser so that when you navigate to a website or page that requires a password, Google’s password manager will automatically bring up the credentials for that particular website. This can be a secure method of storing your passwords, but only if you have secure authentication methods (like two-factor authentication) set on your Google account. Otherwise, this method is unadvisable, and I will go into the reasons for this further down in this post.
It is important to refrain from reusing passwords or using the same password for two or more accounts. If one account is compromised, and the password associated with that account is used on multiple platforms, those accounts are also essentially compromised. The best practice would be to maintain different passwords across all your accounts, devices, and networks, and change your passwords semi-regularly (anywhere from every six months to once a year).
iii. Good website etiquettes, ad-blockers, and cookies
The internet is the large and scary forest, and the internet users are the metaphorical Hansel and Gretel making our way through it. The breadcrumbs are the cookies, except in this scenario, you’re not leaving the cookies. Instead, the websites ask you to accept their cookie policies and terms before you can peruse the website. Most people tend to accept the terms and move on, but it is important to look at the policy and select your preferred options before you begin browsing the website. For the most part, if you frequent certain websites, adjusting your cookie preferences is a one-time process so take the time to scan through those settings before you accept cookies and their settings. If you do not feel comfortable with the kinds of information that the cookies are collecting about your browsing patterns and selections, you are not obligated to opt in, and you can disable cookies.
Be mindful of the websites that you visit. For the average internet user, you can discern if a website is legitimate by looking at the URL of the website. Your browser can also indicate if the website that you are visiting is secure and can act as a safeguard by displaying warnings if you are navigating to a website that is “unsafe”. A good rule of thumb is to look at if the websites that you browse use the HTTPS protocol to secure the data on that page. It is also useful to invest in ad-blockers to avoid unnecessary pop-up ads. This can safeguard you from malicious advertising (like spreading malware through ads) and can also help protect your information online. There are free or reasonably priced versions of adblockers online that you can use for your browsers.
iv. Look out for the indicators of phishing and vishing attacks
Chances are if you’re a Purdue student reading this, you can relate to the number of times you’ve seen a spam or phishing email in your account despite the Cisco spam filter enabled on your account. No matter how many technical countermeasures we implement on our services, attackers will always find creative ways to bypass these filters to send phishing emails to your accounts. There are simple things that you can watch out for to identify if an email or a phone call is a phishing attempt, and they are as follows -
· Check the email headers of the suspected email. If it is from an unrecognizable address or a domain, it is most likely spam or phishing.
· Grammar can be a dead giveaway on phishing emails. For example, the Nigerian phishing scams utilize simple but choppy English to get their point across. Depending on the contents of the email, you can decide if it is legitimate or a scam.
· Even legitimate accounts can be compromised. To discern whether an email from someone in your organization is legitimate, analyze the contents of the email. Do not click on links and report the issue with the account as soon as possible so that the administrators can work on the recovery of the account. For the most part, phishing emails tend to make offers of additional income or ask you to change credentials on a website because of a suspected hack. These are generally false claims, but if you do have reason to worry about your accounts being compromised, do not use the links in the email. Instead, navigate to your accounts on your web browser so that you can access your account securely and make changes if needed.
· Related to the above point, seldom do people ask for sensitive information via emails. If there is a prompt to share personal information like social security and credit card numbers, chances are it’s a phishing email. If you do need to share sensitive information with someone through the online medium, use secure file-sharing platforms like FileLocker, which ensures that your information is shared securely, encrypted, and deleted after a specified amount of time.
· Similar to the previous points, calls asking for sensitive information are also spam or vishing attempts to gain your information. The best safeguard to this is adding such numbers to the list of blocked callers and adding your number(s) to the National Do Not Call Registry. In general, most organizations and agencies will not ask you to share your personal information via a phone call (they would ask you to share information on a secure portal online instead, for example). There are exceptions to this; for example, if you are calling your bank’s customer service line, there might be some verification steps you will have to pass. However, for the most part, your bank or other agencies are not going to call you first for information. This can be a key indicator of whether a call from someone asking you for information is vishing.
v. Manage your physical devices too!
Securing your offline technological presence, so to speak, is just as important as securing your online presence. Physical devices hold lots of personal information, and school and work documents, and are susceptible to be being stolen or damaged. Therefore, it is important to ensure that your devices are secure in the physical space as well.
· Make sure that you have strong passwords set on your devices. For your phones, it might be a passcode or some other form of authentication, but make sure that the methods and passwords are unique across all your devices.
· If you are sharing devices with others in your workspace, make sure that you don’t leave your accounts logged in. It might be tempting to stay signed in to your work email on your laptop, but if your laptop is stolen and has weak password protection, simply accessing your web browser can help the attacker gain access to your information and other accounts.
· Maintain the distinction between devices that you use for work or school and devices that you use for personal pursuits. If you are using the same device, consider using a virtual private network (VPN) to access the internal networks for work/education.
These are just a few tips out of the many things that you can do to secure your online and offline presence during the pandemic, but simple steps such as these are a start to ensuring that you practice cyber-hygiene in your online routines and stay protected on the Internet. These steps are low-effort and low-cost to implement but can help secure your presence even well beyond these current times of the pandemic.
Written by:
Lancia Raja
Graduate Student CSEC
Dept of Computer & Information Technology