09 September 2016

How a penetration tester stays safe online

With rapidly evolving technology and new exploitation techniques frequently being released, it’s difficult to know exactly how to keep up with it all and stay safe online. We have become so accustomed to browsing the internet and doing everyday tasks, like banking or shopping, that sometimes it’s easy to forget that these activities can make your personal and financial data a target for scammers.

Fortunately, there are straightforward steps that can be taken to help you keep sensitive information exactly as you intended it to be – sensitive!

Here are my top tips…

Password Re-Use

Although it may seem like there are a million passwords to remember for the many different sites that are visited on a regular basis, it is not a good idea to reuse passwords, especially for sensitive applications.

It is unfortunately very common for usernames and passwords to be exposed through security breaches at online dating sites, career sites, email providers or other services. If these credentials are reused in online banking, for example, that account is now compromised. However, it can be very difficult to remember unique, complex passwords for every website that requires a login. This is why it’s a good idea to create a password scheme, such as using the first letters from a favourite quote or song as a base password, and then adding some unique information for the application the password is for.

Although a password manager can be helpful, be mindful that it is storing all your passwords in one place and it does need to be protected by a strong password itself. Even though it is a digital world, writing down passwords and storing them in a secure place (not stuck to a monitor at work!) can be an extremely effective way to remember passwords and prevent password reuse. This can go a long way in preventing compromise of accounts, and helping ensure private data stays private.

Social Media

Social media has become very prevalent these days, and it can play an incredibly integral part in our lives, allowing constant contact with family and friends, enabling career growth, and providing up-to-the-minute news and information from around the world. However, the question still remains: how safe is personal data on these sites, and how can identity theft be prevented?

Be aware of what is shared online, and do not share highly personal information. Even seemingly harmless information could be used by an online attacker to gather information. The answers to those security questions we are all too familiar with, such as “What is your favourite pet’s name?”, can easily be gleaned from social media sites.

It is also worth considering using a different email address for social media, so that Facebook updates don’t get mixed up with password reset emails from online banking, and it is less likely that the private email will get spammed. Make sure to go through the security and privacy settings; don’t just accept the defaults, as they often will not be the most restrictive. Limit who can access the information, and check back every so often, as new updates often contain new privacy settings. Responsible social media use can reduce the risk of personal information being exposed.

Patching

It is extremely important to keep systems and software patched – so don’t ignore those Windows Updates!

Internet browsers are also updated regularly, patching critical vulnerabilities. There are a number of reasons why a system may be running out-of-date software – maybe a long holiday has left your home computer off and therefore unpatched, or perhaps an older version of software is needed for compatibility reasons. These may be understandable lapses in security updates, but be conscious of what malicious activity could be undertaken on an unpatched system.

Browser Configuration and Email Links/Attachments

When browsing the internet, it is important to maintain awareness of what sites you’re visiting, and how you opened them. For example, if the browser is redirected to a site which wasn’t explicitly requested, or typed in the URL bar, it may not be the site that was expected.

This is also important when receiving emails containing links – do not click on links or open attachments from unsolicited emails. If it appears to be a legitimate email from someone important, such as your bank, navigate to the website separately to confirm what the email is saying. Although more of us are becoming informed about the dangers of email phishing attacks, even a savvy user could be convinced by a very genuine-looking email. If an email attachment seems valid, it is still worth opening it in Google Drive, or other similar applications, to reduce the risk of harm by malicious software.

Risk can be further reduced by using a customised secure browser for sensitive applications. Consider disabling Java, Flash or other potentially harmful plugins, and be careful if installing any browser extensions – it is software and it could be malicious or have a number of bugs.

Untrusted Networks

While it may be convenient to connect to the free wifi at the local coffee shop, using untrusted networks should be avoided if at all possible. There is no way of knowing what malicious users are also connected to an open network, just waiting for someone to join so that they can monitor their web browsing, or worse.

Stay away from using untrusted networks to do anything sensitive, and be aware of what devices might automatically connect to untrusted networks, such as mobile phones. Consider using a VPN connection from untrusted networks to ensure the traffic is encrypted and cannot be trivially monitored. However, make sure the VPN provider is trusted.

It is becoming increasingly difficult to keep personal information out of the hands of hackers in today’s digital world. However, following these tips will help to ensure that your personal data stays protected and does not become fodder for identity thieves.

Better to be cyber safe than sorry.