Threat Brief: 12 cybersecurity tips for the holidays
15 December, 2018
This time every year, people all over the world get new devices. Regardless of what holiday(s) you may (or may not) celebrate, the end of the year is a time for people to give and receive some of the latest devices to come on to the market.
Nothing spoils a new gadget more than having some kind of security or privacy problem related to it. After that, nothing spoils the fun and excitement of unboxing and playing with an exciting new device more than trying to figure out what you need to do to use it with reasonable safety and privacy.
To that end, here are some very basic but critical steps that you, your family, your loved ones, and friends can take quickly and easily to ensure some basic security and privacy for new devices. They can help you be safer without spoiling your unboxing fun.
In the vein of the holiday spirit, check out a list of twelve short, simple recommendations that can help you have a happy, safe, and private holiday season.
Use a password manager: Even though not all devices can use password managers directly, it’s still one of the best things you can set up. PCs and Macs as well as smartphones and tablets increasingly support the use of password managers directly. But even for devices that don’t, you can and should use a password manager to generate and store strong passwords for use on all devices in its vault. Preferably, find a password manager that requires two-factor authentication.
Protect your home routers and Wi-Fi: In a home of computers, phones, tablets and IoT devices, the common point is nearly always the home router and Wi-Fi. For most, it’s something they set up once and forget about. But if you want to keep your home devices more secure, you need to make sure the underlying router and Wi-Fi are more secure. Take time to ensure you have a good, complex, unguessable password. This is where a password manager can help. You may also consider configuring the router to not broadcast the SSID: that can make adding devices a little harder, but that means it’s even harder for people to try and join your home network.
Set up more secure accounts on your PCs and Macs: PCs and Macs (both desktop and laptop) are still around and as important as ever in the home. Take time to set up an account for everyone with their own username and password. Also, all modern operating systems allow you to make accounts “regular user” accounts rather than admin accounts. Set everyone up as a “regular user” and set up a separate administrative account to use for maintenance. If you have kids, avoid the temptation to let them all use one account or accounts without passwords: this is a chance for them to start to learn the right way to handle passwords by giving them their own and teaching them to never share that password. You can generate the password for them and retain it as the “administrator” if you want for monitoring. This also is an important lesson for kids to understand that privacy on computers isn’t absolute: the admin can always look at what they’re doing.
Prevent lost tablets and smartphones from turning into something worse: Portable devices mean an increased risk of loss or theft. These days, our portable devices often have greater access to more sensitive information than our PCs and Macs do – in the form of mobile banking apps, wallet apps and stored credit cards. All modern tablets and smartphones have settings you should enable before you take these portable devices out of your home:
-Passcodes to lock the device.
-Encryption of information on the device.
-Lost device location.
-Deleting or “wiping” data if too many bad passcodes are tried or if you activate it remotely.
Protect your data on smartwatches and personal fitness devices: Smartwatches and personal fitness devices are similar to smartphones and tablets and have some of the same features. In addition to using those features, you should take time to ensure you know what health information is being used and that the cloud account(s) these devices synchronize with have very strong passwords. These devices gather some of your most personal information. In some cases, the most serious risk isn’t around the device but the data being stored in the cloud.
Be smart with your smart home: Smart home is an umbrella term for a diverse set of devices that have one thing in common: they all feature some kind of internet connectivity. Each and every device will have its own security and privacy settings and it pays to take time to understand those BEFORE you put these to work in your home. Across the board, though, making sure your home router and Wi-Fi have good security and that you’re using good, strong unique passwords when pairing devices with apps (where possible) are easy things you can do for all these devices.
Don’t forget about home entertainment apps, TVs and DVRs: When we think about home entertainment, there are really two things you need to think about with security. First is the security of the devices themselves. In nearly all cases, good security around home routers and Wi-Fi will be the best thing you can do for the devices. But home entertainment isn’t just the physical devices. It’s the apps you use to view content. All apps like those from Netflix, Amazon, Hulu and others have their own passwords to connect to their service, and attackers crack and sell compromised accounts to these services. Because of this, make sure you’re using good, strong unique passwords for the apps you use on these devices. This will also protect these apps on your tablets, smartphones, PCs and Macs.
While you’re at it, protect your gaming consoles: Similar to home entertainment devices, gaming consoles have both the security of the actual device and then the security of the cloud-based accounts to deal with. Just like with home entertainment devices, it’s the cloud-based account that attackers are more interested in. Here again, taking time to set up good strong passwords is key. Also, many gaming platforms now include a second means of authentication (typically a text sent to your phone): you can and should enable that, if at all possible.
Configure user profiles for voice assistants: Voice assistants are some of the newest devices out there, which means they’re the least known and understood. The biggest risk that’s been popularly discussed is voice command hijacking by outside sources. While a cool news story, it’s not been documented to be a broad risk, especially as devices get better at specific voice recognition. For these devices, take time to configure individual user profiles as much as possible. And many of these devices feature mute buttons that can functionally turn them off when you don’t need them. If you haven’t been using it, consider using that feature.
Use smart speakers smartly: Smart speakers can be thought of as a subset of home assistants in that they are voice-activated devices in your home. And many smart speakers have digital home assistants built into them, making the distinction even less clear. This means that what you would do for security for your digital home assistant would apply to smart speakers as well. However, one thing to consider is if all you really want or need is a smart music device, it may make sense to keep your purchases focused on devices that do only that. This can improve your security by reducing the risk posed by features that you don’t want or need.
Drive safely and securely with smart cars: While “car hacking” is something that you see in the news, the reality is that practical smart car security is more common than headlines may lead you to believe. A key differentiating feature with smart cars is they often have “smart” lock and ignition systems that are tied to fobs and/or your devices (like a smartphone). Good smart car security in this case means building on the good security around devices and good physical security. Ensure that any connected smart devices have good security, especially to protect against loss or theft. Make sure you only give fobs to people that you trust. And ensure that any cloud-connected accounts have good passwords and use a second authentication method, if possible.
Patch, patch and patch some more: We close this list with patching because it is the most important thing you can do. Few people like getting into the guts of devices to manage updates and the apps on them but the reality right now is that this is not only critical for security and privacy, it’s also sometimes a process that can only be done manually. For every kind of device or system, you should think about and understand how you can do updates for:
-The “firmware”: this is the software that is on the physical device itself, like the actual router, the actual car or the actual DVR.
-The operating system on the device: Some devices don’t have an operating system separate from the firmware, but many do. PCs and Macs have firmware and an operating system (Windows, macOS and Linux).
-The apps and applications on the computer or device: Like we noted about home entertainment and gaming consoles, sometimes it’s the apps rather than the device itself that is important. Many apps these days have auto-update capabilities. But some don’t, so it’s important to make sure you know how apps get their updates.
If you take some time to understand these basic ideas and take these basic steps, you can ensure that you’ve got a good start on using new devices more safely and with better privacy during the holiday season.
Of course, this isn’t an exhaustive list. And it’s always good to know about other features and capabilities, for example child safety controls. But the start of a journey of a thousand miles begins with one step, and the start of a journey of a thousand days of using these new devices safely can start with these simple steps.
— Unit 42, the Palo Alto Networks threat intelligence team.