Cybersecurity for your personal computer: Difference between revisions

From Alliance Doc
(29 intermediate revisions by 6 users not shown)

== Context ==

Cyber criminals spend their days trying to deceive us into giving up our information, tamper with our devices and even steal our identities. When cyberattacks like phishing are successful, they can ruin our days, to put it lightly. That’s why, this Cybersecurity Awareness Month, we’re encouraging Members of the Alliance and the Federation to ruin a cybercriminal’s day!

For October Cybersecurity Awareness Month, the National Security Council’s Cybersecurity Training and Awareness Team is sharing resources and planning a series of workshops to help Members of the Alliance and the Federation improve their security knowledge and awareness.

== Our Four Topics ==

We have selected four topics this year:
* Basic Computer Hygiene
* Password Hygiene Habits
* Safe Browsing and MFA
* Linux Permissions

=== Basic Computer Hygiene ===

Don’t know how to keep your computer secure at home? Want to review the security level of your computer?<br>
In this section, we have a few tips for you to enhance your computer’s security, and a short quiz for a health check on your computer.

==== Security Updates ====
Enable “Install Update Automatically” to allow timely installation of security updates on your operating system and software.<br>

For more information, please visit [https://www.getcybersafe.gc.ca/en/blogs/software-updates-why-they-matter-cyber-security Software updates: Why they matter for cybersecurity].

==== Passwords ====
Strong passwords are essential to keep your computer and your accounts secure. Refer to [https://docs.alliancecan.ca/wiki/October_Cybersecurity_Awareness_Month_2022#Password_Hygiene_Habits Password Hygiene Habits] for more tips.

==== Antivirus ====
To prevent your computer from malware infection, install antivirus software on your computer and keep it updated.

==== Phishing ====
Pay attention to the hyperlinks in emails or search engine results before you click on them; a hyperlink containing a strange domain name is a strong signal of malicious activity.<br>
For more information, please visit [https://www.getcybersafe.gc.ca/en/blogs/signs-phishing-campaign-how-keep-yourself-safe Signs of a phishing campaign: How to keep yourself safe].

==== Wi-Fi security ====
To protect the Wi-Fi network at your home, set a strong Wi-Fi password and update your router’s firmware regularly.<br>

Avoid using public Wi-Fi as much as possible. If you need to use it, consider installing a trustworthy VPN solution and enable it when you connect to a public Wi-Fi spot.<br>

For more information, please visit [https://www.getcybersafe.gc.ca/en/secure-your-connections/private-networks Private networks] and [https://www.getcybersafe.gc.ca/en/secure-your-connections/public-wi-fi Public Wi-Fi].

==== Important notes ====
The advice above is mainly for individuals to refresh their cybersecurity awareness and improve cyber defense on their personal computers.<br>
Computers at the workplace are typically managed and protected by the organization’s IT services team, and different sets of security measures may be applied. You should follow your organization’s policy to protect computers at the workplace.

==== Health Check ====
The following questions are designed to assess the cybersecurity posture of your computer. Answer them to check whether your computer is secure.
<br>
1. What is the software update setting on your personal computer?
:a. My personal computer is out of support; there are no software updates.
:b. I check and install software updates and security patches manually.
:c. Notify me about software updates but don't automatically install them.
:d. Software updates of the Operating System are automatically downloaded and installed.
:e. In addition to the software updates of the Operating System, other software applications are also set to install updates automatically.
<br>
If your answer is:
:a. Out-of-support software does not receive security updates, leaving your computer with a number of severe security weaknesses. You should consider upgrading your computer to a supported version.
:b. There is a high chance that you may miss checking and installing software updates on your computer. You should consider installing software updates automatically.
:c. Installing software updates manually may leave security weaknesses on your computer for a significant time. You should consider installing software updates automatically.
:d. Well done! You have done a great job in updating your operating system; now it’s time to check the software update setting for other software applications.
:e. Awesome! You have done a great job in updating your computer. Keep up the good work!
<br>
2. How do you manage your passwords for accessing Internet services, such as emails, Internet banking, online shopping, etc.?
:a. I use the same password on multiple Internet services and never change it.
:b. I follow a pattern (e.g. Tech0001, Tech0002, Tech0003) to create passwords and use them on multiple Internet services.
:c. I create unique passwords for accessing Internet services and record them in a text file, sticky notes, etc.
:d. I create unique passphrases for accessing Internet services.
:e. I use a reputable password manager to create, store and change my passwords regularly.
<br>
If your answer is:
:a. Having the same password on multiple Internet services means that a single compromised password will affect all of the services. You should set unique passwords on Internet services.
:b. Using a pattern to create passwords is not secure, as attackers can guess other passwords from a single compromised password.
:c. It’s generally not a good idea to record passwords in a text file or on sticky notes, as others may be able to read your passwords. If you really need to write something down to help you remember your passwords, try writing password hints that only make sense to you.
:d. Good job! Passphrases are long, which makes them difficult to break.
:e. Well done! Password managers create random and complex passwords which are strong enough to withstand password cracking.
<br>
3. Is there any Antivirus software installed on your personal computer?
:a. No, there is no Antivirus software installed on my personal computer.
:b. Yes, Antivirus software is installed on my personal computer but I am not sure whether it’s trustworthy.
:c. Yes, reputable Antivirus software is installed on my personal computer.
:d. Yes, reputable Antivirus software is installed on my personal computer and it’s configured to update automatically.
<br>
If your answer is:
:a. You should check the availability of Antivirus software for your operating system and consider installing one if it is available. The most popular operating system needs Antivirus software to keep it safe from malware attacks.
:b. Installing questionable Antivirus software is as bad as having no Antivirus installed. Some Antivirus products are not effective at catching malware, and others are developed by attackers and are themselves malware. You should uninstall the questionable Antivirus software and install a reputable one.
:c. It’s nice to have reputable Antivirus software installed. The next step is to set it to update automatically.
:d. Excellent! The Antivirus software will significantly reduce the risk of malware infection on your computer.
<br>
4. How do you configure the Wi-Fi router at your home?
:a. I haven’t changed the default password on my home’s Wi-Fi router.
:b. The default password has been modified on my home’s Wi-Fi router.
:c. The default password has been modified, and firmware updates are installed on my home’s Wi-Fi router regularly.
<br>
If your answer is:
:a. Using the default password on a Wi-Fi router may leave your home network wide open to attackers. You should change the default password as soon as possible.
:b. Good work! Changing the default password is the first step to protect your home network. Now you can check and update the router’s firmware to the latest version to make it more secure.
:c. Excellent! You have done a great job in protecting your home network.
<br>
5. How do you connect your computer to Public Wi-Fi spots?
:a. I connect my personal computer to Public Wi-Fi spots whenever they are available.
:b. I would not connect my personal computer to Public Wi-Fi spots without using a trustworthy VPN connection.
:c. I do not connect my personal computer to Public Wi-Fi spots.
<br>
If your answer is:
:a. Public Wi-Fi spots are open to everyone, including attackers. As a result, the network traffic via Public Wi-Fi spots is subject to eavesdropping attacks. You should consider using a trustworthy VPN solution to protect your network connection while using Public Wi-Fi spots.
:b. Awesome! Your network traffic is well protected by the VPN solution. You may refer to [https://www.getcybersafe.gc.ca/en/secure-your-connections/public-wi-fi Public Wi-Fi] for other tips on using Public Wi-Fi spots.
:c. Nice! It’s a good practice to avoid connecting to Wi-Fi spots that may not be secure.
<br>

=== Password Hygiene Habits ===
Despite many solutions that protect information and systems, stolen usernames and passwords (credentials) are still the most common way attackers gain unauthorized access. While this might be through social engineering or phishing, it is frequently the result of weak, guessable passwords and re-used credentials that have been exposed.

Which is most important for keeping your password secure?
# Change it frequently
# Use a mix of cases and characters
# Make it long and unique

The correct answer is that long and especially unique passwords are the most secure. Password complexity can help, but length is much more important than the characters used. Despite this, many systems still enforce outdated complexity rules, but password length is what’s critical. The most important thing is that a different password is used for every different service. Why? Because breaches happen: eventually some service will mishandle your credentials and they will get exposed. Just have a look at https://haveibeenpwned.com/ - for most people, it's already happened. If your password isn't unique and is exposed, it can be used to access any system where that same credential is used. This process (called password stuffing) is usually automated and can happen as quickly as 12 hours after the initial exposure.

Changing passwords frequently, without cause, can actually degrade security. When forced to change their password frequently, many people choose an easy-to-remember password based on predictable patterns.

So how can you best protect yourself?

* Use a password manager
** Regardless of whether you choose one that is standalone or integrated into your web browser, open source or a commercial product/service, a password manager is essential when it comes to all the other steps below.
* Use a different password for everything - every service, every system;
** This is quite easy if you’re using a password manager.
* Make it long - 15 characters or longer is a good size;
** Again, easy with a password manager when you allow it to generate the passwords for you. 20-32 characters is easy since you don’t need to remember them anyway.
* Never share it with anyone; really, no one, ever;
** Your credentials belong to you; they identify you. Sharing them not only compromises your identity but is also usually a violation of the policies of the service or system they are used to access.
* Change only if there is a reason.
** If you believe the password may have been compromised, may be reused, or is weak, you should change it. There is no good reason to change passwords based on a time schedule.

If this is not your current situation: '''Don’t Panic!''' Just start making changes today. Every little bit helps. If you have hundreds of passwords you need to change, start with a few of them, do a couple every day at lunch. Every time you make even one set of credentials more secure you’re doing yourself a big favour.

=== Safe Browsing and MFA ===
We rely on a variety of online resources and accounts to help us in our work and to tackle tasks effectively. How we access these tools and how we behave online can have a significant impact on our personal security and the security of the resources we share as members of the Alliance Federation.

Taking control of the information we share with online service providers, limiting the extent to which commercial entities can track our activity, and thinking about how we authenticate to online accounts can all have a security benefit.

We can start where we are and start today. We can choose to share less personal information voluntarily when responding to requests, signing up for services, posting on social media, and make the task of connecting the dots about who we are and what we do online and offline more challenging for attackers.

We can choose to use privacy-enhancing search tools like DuckDuckGo ([https://duckduckgo.com/ duckduckgo.com]), install browser extensions like Privacy Badger ([https://privacybadger.org/ privacybadger.org]), HTTPS Everywhere ([https://www.eff.org/https-everywhere eff.org/https-everywhere]), uBlock Origin ([https://ublockorigin.com/ ublockorigin.com]). We can limit the use of cookies via browser settings, and turn on features that sandbox the links and tracking tools of social media companies ([https://www.mozilla.org/en-US/firefox/facebookcontainer/ mozilla.org/en-US/firefox/facebookcontainer]).

When authenticating to online accounts, we can use different identities/usernames/emails for different services; separate work and personal accounts; practice good password hygiene (see our password tips above); and enroll in the MFA schemes provided by online service providers (join the MFA presentation with Ryan and Pier-luc).

Doing even some of these things will make it more challenging for attackers to target us and our colleagues in phishing attacks, to engage in credential stuffing or password guessing.

Join our workshop on October, XXX where we will provide an overview of the MFA project!

Session in English: <br/>
Session in French:

=== Linux Permissions ===
Join our workshop on October 27 at 12pm - 2pm EST where we will take a deep dive into Linux permissions!

Session in English: <br/>
Session in French:

Latest revision as of 18:28, 12 October 2022




Best practices

Don’t know how to keep your personal computer secure? Want to review the security level of your computer?
Here are a few tips to enhance your computer’s security. If you’d like to evaluate its security level, you might like to take this short quiz for a health check on your computer.

Security updates

Enable “Install Update Automatically” to allow timely installation of security updates on your operating system and software.

For more information, see Software updates: Why they matter for cybersecurity (https://www.getcybersafe.gc.ca/en/blogs/software-updates-why-they-matter-cyber-security).

Passwords

Strong passwords are essential to keep your computer and your accounts secure. Refer to Password hygiene habits for more tips.

Antivirus

To prevent your computer from malware infection, install antivirus software and keep it updated.

Phishing

Pay attention to the hyperlinks contained in emails or search engine results before you click on them. A hyperlink containing a weird domain name is a strong signal of malicious activities.
For more information, see Signs of a phishing campaign: How to keep yourself safe (https://www.getcybersafe.gc.ca/en/blogs/signs-phishing-campaign-how-keep-yourself-safe).

Wi-Fi security

To protect the Wi-Fi network at your home, set a strong Wi-Fi password and update your router’s firmware regularly.

Avoid using public Wi-Fi as much as possible. If you need to, consider installing a trustworthy VPN solution and enable it when you connect to a public Wi-Fi spot.

For more information, see Private networks (https://www.getcybersafe.gc.ca/en/secure-your-connections/private-networks) and Public Wi-Fi (https://www.getcybersafe.gc.ca/en/secure-your-connections/public-wi-fi).

Note

The advice above is mainly for individuals wanting to refresh their cybersecurity awareness and improve cyber defense on their personal computers.
Computers at the workplace are typically managed and protected by the organization’s IT services team where different sets of security measures may be applied. You should follow your organization’s policy to protect computers at the workplace.
Check out our short quiz for a health check on your computer!

Password hygiene habits

Despite many solutions that protect information and systems, stolen usernames and passwords (credentials) are still the most common way attackers gain unauthorized access. This is frequently the result of weak, guessable passwords and reused credentials that have been exposed.

What do you think is the best way to keep your passwords secure?
A. Change them frequently
B. Use special characters and a mix of lowercase and uppercase letters
C. Create each password long and unique

Changing passwords frequently without cause can actually degrade security. When forced to change their password frequently, many people choose an easy one to remember based on predictable patterns. Long passwords can be quite secure, especially when they are unique. Adding complexity to a password can help, but length proves to be more important than the actual characters used. The best answer to this question is to create long passwords AND use a different one for each service. Why? Because breaches do happen and some service will eventually mishandle your credentials, which will then get exposed. Just have a look at https://haveibeenpwned.com/ to see that this has already happened to many. If your password isn't unique and is exposed, it can be used to access any system where your credentials are valid. This process, called password stuffing, is usually automated and can happen as quickly as 12 hours after the initial exposure.


Best password tips

  • Use a password manager
    • Regardless of whether you choose one that is standalone or integrated into your web browser, open source or a commercial product/service, a password manager is essential when it comes to all the other steps below.
  • Use a different password for everything: every service, every system;
    • This is quite easy if you’re using a password manager.
  • Make it long - 15 characters or longer is a good size;
    • Again, easy with a password manager when you allow it to generate the passwords for you. Using passwords with 20 to 32 characters is not a problem since you don’t need to remember them anyway.
  • Never share it with anyone... really... no one... ever;
    • Your credentials belong to you, they identify you. Sharing them not only compromises your identity but is also usually a violation of the policies of the service or system they are used to access.
  • Change them only if there is a reason.
    • If you believe the password may have been compromised, may be reused, or is weak, you should change it. There is no good reason to change passwords based on a specific schedule, which may still be required by some organizations.

If this is not what you’ve been doing, don’t panic! You can start making changes today. If you have hundreds of passwords, start with a few of them, do a couple every day at lunch. Every time you make even one set of credentials more secure you’re doing yourself a big favour.

Safe browsing and MFA

We rely on a variety of online resources and accounts to help us in our work and to tackle tasks effectively. How we access these tools and how we behave online can have a significant impact on our personal security and the security of the resources we share.

Taking control of the information we provide to online service providers, limiting the extent to which commercial entities can track our activity, and thinking about how we authenticate to online accounts can all have a security benefit.

We can start where we are and start today. We can choose to share less personal information voluntarily when responding to requests, signing up for services, posting on social media. The less personal information you share about yourself, the harder it is for an attacker to connect those pieces of information and use them to target you.

We can choose to use privacy-enhancing search tools like DuckDuckGo (duckduckgo.com), install browser extensions like Privacy Badger (privacybadger.org), HTTPS Everywhere (eff.org/https-everywhere), uBlock Origin (ublockorigin.com). We can limit the use of cookies via browser settings and turn on features that limit the links and tracking tools of social media companies (mozilla.org/en-US/firefox/facebookcontainer).

When authenticating to online accounts, we can use different identities/usernames/emails for different services; separate work and personal accounts; practice good password hygiene (see our password tips above); and enroll in the MFA schemes provided by online service providers.

Doing even some of these things will make it more challenging for attackers to target us and our colleagues in phishing attacks, to engage in credential stuffing or password guessing.

Linux permissions

Audience: the content below is intended for a technical audience such as users of our supercomputers.


Linux permissions are one layer of protection to safeguard your research. Here are three common mistakes to avoid:

Mistake 1: Granting access to a file to the world via the command “chmod 777 name_of_file”.

Make sure you understand how Linux permissions work and restrict access to your files in our supercomputers to only those who need access to them.


Mistake 2: Not using the sticky bit, leading to the deletion of your files by someone else.

When dealing with a shared directory where multiple users have read, write and execute permission, the issue of ensuring that an individual cannot delete the files or directories of another can arise. Make sure you are familiar with the notion of the sticky bit and use it when appropriate.


Mistake 3: Granting access to multiple individuals rather than groups.

Managing ACLs (Access Control Lists) can quickly become complex. It is best practice to use groups rather than multiple individual accounts to grant permissions when possible.
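The following POSIX shell functions are an added example, not part of this page or of the Alliance's Sharing data documentation: they audit a directory tree for the three mistakes above (world-writable paths, writable shared directories without the sticky bit) and set up a directory shared with a group the recommended way. They assume GNU find and stat on a Linux login node, and the demo tree they check is constructed by the script itself.

```shell
#!/bin/sh
# Added example, not from the Alliance wiki: audit a tree for the three permission
# mistakes discussed above and configure a group-shared directory correctly.
# Assumes GNU coreutils/findutils (stat -c, find -perm) on a Linux login node.

# Mistake 1 check: list world-writable files and directories (the result of
# "chmod 777"), ignoring directories that are protected by the sticky bit.
find_world_writable() {
    find "$1" -perm -0002 ! \( -type d -perm -1000 \)
}

# Mistake 2 check: list directories that are group- or world-writable but lack
# the sticky bit. In such a directory any writer can delete other users' files.
find_dirs_missing_sticky() {
    find "$1" -type d \( -perm -0020 -o -perm -0002 \) ! -perm -1000
}

# Mistake 3 fix: share a directory with a group instead of listing individuals.
# Mode 3770 = setgid (new files inherit the group) + sticky (only a file's owner
# can delete it) + rwx for owner and group, nothing for others.
# Prints the resulting octal mode so the caller can verify it.
setup_shared_dir() {
    dir=$1
    group=$2
    mkdir -p "$dir" || return 1
    chgrp "$group" "$dir" || return 1
    chmod 3770 "$dir" || return 1
    stat -c '%a' "$dir"
}

# Count the lines a check produced (prints 0 when the check found nothing).
count_findings() {
    awk 'END { print NR }'
}

# Constructed demo tree with one instance of mistake 1 and one of mistake 2.
# Prints the root directory so the checks can be run against it.
build_demo_tree() {
    root=$(mktemp -d) || return 1
    mkdir -p "$root/project" "$root/scratch"
    chmod 755 "$root/project"
    echo "constructed data" > "$root/project/results.csv"
    chmod 777 "$root/project/results.csv"   # mistake 1: world-writable file
    chmod 770 "$root/scratch"               # mistake 2: shared dir, no sticky bit
    printf '%s\n' "$root"
}

# Walk through the audit on the demo tree; uses the caller's primary group.
audit_demo() {
    root=$(build_demo_tree) || return 1
    echo "World-writable paths:"
    find_world_writable "$root"
    echo "Writable directories without the sticky bit:"
    find_dirs_missing_sticky "$root"
    echo "Shared directory mode: $(setup_shared_dir "$root/shared" "$(id -gn)")"
    rm -rf "$root"
}

if [ "${1:-}" = "--demo" ]; then
    audit_demo
fi
```

Run the script with `--demo` to see the two findings and the 3770 mode of the correctly shared directory; point the two `find_*` functions at your own project directory to audit it.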