Polkadot Security Recommendations for New Users

In today’s increasingly digital world, the importance of information security has become more crucial than ever before. Information Security, commonly known as Infosec, is a discipline that involves a variety of components associated with security. As a user, it is important to be aware of the risks associated with digital activity and take the necessary steps to mitigate them. One of the most important aspects of information security is having strong and unique passwords or passphrases.

Source: Information Security (InfoSec)

In this day and age, this is no longer a “nice to have,” but a necessity. With the computational power of brute-force attacks, weak passwords are easy to guess. It is important to use a long password or passphrase with a combination of letters, numbers, and special characters to access social media, banking information, digital assets, and any other sensitive data. Gone are the days of using “password123” as your password.

A common problem with complicated passwords, however, is that they are hard to retrieve. A credible password manager can simplify the process while maintaining security. There are different types of password manager, so choosing one takes a considerable amount of research: whether the application is open source, what its security history is, and whether the provider is able to sell its users’ personal information.

Source: Unauthorized Access

Having authentication layers of security is also crucial. This includes two-factor authentication (2FA), which relies on an additional mechanism to ensure that the user is authorized to access the information. This can involve receiving a text message with a code, using an application with a randomly generated number, or using a fingerprint to unlock a device. Push-based or push-notification authentication is another form of 2FA that requires users to access a designated device and “push” a notification or prompt to confirm access. A newer form of 2FA is FIDO2 (Fast Identity Online), which is a highly secure method of ensuring authorized access to any application that supports it.

One of the best-known products in this category is the YubiKey, a small piece of hardware that a person can insert into a compatible port on their phone or computer; when pressed, it automatically generates a long string that acts as a one-time password. One security feature that makes it stand out from other forms of 2FA is that the user must press it to generate the password, which means a remote attack by any party is impossible because of the physical security requirement. The risk of relying on this 2FA method is that the device falls into the wrong hands and is used in the same way. However, that individual would also need the user name and password, at a bare minimum, to attempt unauthorized access, which is less likely assuming that the end user has good security practices.

Another best practice is ensuring that the website’s URL starts with “https” to indicate that the information transmitted to the website is protected by Transport Layer Security (TLS) encryption. It is also important to bookmark legitimate websites to avoid falling victim to website spoofing scams.

Keeping all software up to date is also crucial for maintaining information security. This is because updates often address security vulnerabilities and can protect against cyberattacks. In addition to these best practices, users should also be mindful of their social media interactions and exercise caution when sharing personal information or clicking on suspicious links. A recent example of this was in December 2022, when the Cybersecurity and Infrastructure Security Agency (CISA) advised Google to patch a zero-day exploit for its web browser, yet it was not the first time Google has had concerning exploits out in the wild.

When receiving email messages, it is important to pay close attention to the sender’s email address and not necessarily the sender name that appears. There is a history of phishing attacks in which an attacker mimics a service provider with the same name, logo, and even standard verbiage, while the sender’s email address has a different domain or otherwise looks out of place. It is best not to click on any links provided and to take time to review all details to ensure that the message is legitimate. As a best practice, do not interact with the message contents at all; instead, log into the service provider’s website via the bookmarked URL and contact client support directly about the message. When using social media apps where people can come together and interact with one another, it is paramount to keep in mind that there are scammers on the prowl looking for victims.

Telegram, for example, is a widely used application where people can chat one-on-one and also engage in group discussions with anyone who joins a group chat. It therefore gives malicious actors a vector of attack: they can talk to people and lure them into another group, where they might provide a link to a website that might be unsecured, ask the user to connect their browser wallet and imprudently sign a transaction that might deplete their funds, ask for their financial information, or even post a video that can contain malware and conduct any type of attack on a person’s device.

Common best practices here are to turn off any auto-download feature in the app’s settings, to keep your telephone number hidden from anyone you do not know physically and personally, and to be wary of others promoting any investment scheme or providing links in chats. Another popular app where users congregate, crypto enthusiasts in particular, is Discord. This app is somewhat similar to Telegram in that people can chat one-on-one and also in groups, yet it allows for even more complexity in its chats, since each server can have a large number of channels where users can chat based on a specific topic or use.

Source: Device Safety

As a bonus point, let’s take you through some common security risks in crypto and how you can best stay safe.

Phishing Attacks

Phishing is a type of cyber attack where attackers send fake emails or text messages, trying to trick victims into revealing their personal information such as passwords, credit card details, and other sensitive information. These emails often appear legitimate and may even contain the branding of legitimate companies. To avoid falling victim to phishing attacks, you should:

  • Always check the sender’s email address, and if it looks suspicious, do not click on any links or download any attachments.
  • Look for spelling or grammatical errors in the email or text message, which could indicate that it is a phishing attack.
  • Do not provide your personal information, especially your passwords or credit card details, in response to an email or text message. Legitimate companies will never ask for this information in this way.
Source: Phishing Attacks
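
The sender check described above (compare the address domain, not the display name, with the domains you have bookmarked) can be sketched in a few lines. This is an added example, not code from the original article; the brand names and `.example`/`.test` domains are constructed placeholders.

```python
from email.utils import parseaddr

# Constructed allowlist: brand keyword -> domains the user has bookmarked.
# All names and domains here are illustrative assumptions, not real services.
KNOWN_SENDERS = {
    "examplebank": {"examplebank.example"},
    "examplewallet": {"examplewallet.example"},
}

# Constructed From: header values for the demonstration.
SAMPLES = [
    '"ExampleBank Support" <alerts@examplebank.example>',
    '"Example Bank Support" <alerts@examplebank.example.account-verify.test>',
    '"Example Wallet" <no-reply@mail.examplewallet.example>',
    "Newsletter <news@unrelated.example>",
]


def sender_domain(from_header):
    """Return (display_name, lower-cased address domain) from a From: value."""
    name, addr = parseaddr(from_header)
    return name, addr.rpartition("@")[2].lower().rstrip(".")


def check_sender(from_header):
    """Classify a From: header as 'match', 'mismatch' or 'unknown'.

    'mismatch': the display name claims a known brand, but the address
    domain is neither a bookmarked domain nor a subdomain of one.
    'unknown': no known brand is claimed; this is not a verdict of safety.
    """
    name, domain = sender_domain(from_header)
    # Drop spaces and punctuation so "Example Bank" still maps to the brand.
    claimed = "".join(ch for ch in name.lower() if ch.isalnum())
    for brand, domains in KNOWN_SENDERS.items():
        if brand in claimed:
            # Compare from the right: a brand name placed at the *start* of a
            # longer domain (second sample) must not count as a match.
            ok = any(domain == d or domain.endswith("." + d) for d in domains)
            return "match" if ok else "mismatch"
    return "unknown"


if __name__ == "__main__":
    for header in SAMPLES:
        print(check_sender(header), "<-", header)
```

A "match" only says the visible address is consistent with the bookmark; the From: header itself can be forged, so the advice to log in through the bookmarked site rather than through the message still applies.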

Malware Attacks

Malware attacks are among the most common types of cyber attacks. Malware is a type of software that is designed to cause harm to your computer or device. Malware can be in the form of viruses, worms, or Trojan horses. These attacks can occur when you download a file or visit a website that contains malware. To avoid malware attacks, you should:

  • Install antivirus software on your computer and keep it updated.
  • Avoid downloading files or visiting websites that you are not familiar with or that appear suspicious.
  • Do not click on any links in emails or messages from unknown senders.
Source: Device Safety

Man-in-the-Middle Attacks

A man-in-the-middle (MITM) attack is where an attacker intercepts communication between two parties and can eavesdrop on the conversation, steal sensitive information, or modify the data being transmitted. To avoid MITM attacks, you should:

  • Use secure communication channels such as SSL/TLS to ensure that your data is encrypted during transmission.
  • Avoid using public Wi-Fi networks, especially those that are not password-protected.
  • Always verify the identity of the website or application you are using before providing any sensitive information.

Ransomware Attacks

Ransomware is a type of malware that encrypts your files and then demands payment to decrypt them. These attacks can occur when you click on a link or download a file that contains ransomware. To avoid ransomware attacks, you should:

  • Back up your files regularly and keep them in a secure location.
  • Keep your operating system and software updated to ensure that any security vulnerabilities are fixed.
  • Be cautious when clicking on links or downloading files from unknown sources.

Denial of Service Attacks

A denial of service (DoS) attack is where an attacker floods a network or server with traffic, making it impossible for legitimate users to access the service. To avoid DoS attacks, you should:

  • Use a reputable internet service provider (ISP) that has security measures in place to prevent DoS attacks.
  • Use firewalls and intrusion prevention systems to detect and block DoS attacks.
  • If you are the victim of a DoS attack, contact your ISP or network administrator immediately.
Source: Physical Attacks

Incorporating these best practices can greatly reduce the risk of becoming a victim of cyberattacks and identity theft. While it may require some effort and diligence on the part of the user, the peace of mind that comes with increased information security is invaluable. By prioritizing information security, users can enjoy the benefits of the digital world while minimizing the risks.
