Foreign governments are currently engaged in sustained, hostile attempts to access digital infrastructure to gain access to critical systems, steal intellectual property for economic gain, and steal data on individuals for intelligence and economic purposes.

If you believe that you are not vulnerable to cyber attack, you are mistaken… and compromised.

Four steps you must take to protect yourself:

  • Implement a proper password security protocol
  • Implement two factor authentication on your accounts
  • Secure your network
  • Secure your internet connected devices

Password Security

There are two mistakes people commonly make with passwords:
1. Use the same password in more than one place
2. Choose a password they can remember

If an account is compromised, the first thing an attacker will do is test the same password on other services, starting with your email. Once someone has access to your email, they can reset passwords on other accounts. At that point, you are in serious trouble.

If you choose a password you can remember, it can probably be guessed by an algorithm. So you must use randomly generated, lengthy and unique passwords for every service.

That’s a problem, because you need to remember passwords while storing them securely. The solution is a password manager. I recommend Lastpass. The security model for LastPass was analysed in detail by security expert Steve Gibson in an episode of Security Now if you are interested in going down that rabbit hole as I did.

You can use Lastpass for free, or pay for additional features such as family sharing of passwords. There are browser extensions for all major web browser platforms, and phone apps for Android and Apple. You will need to spend some time going through each service and resetting your passwords to something randomly generated by LastPass. It’s a weekend job, but you need to do it.

Two-factor authentication

This is important but not well understood. You can add an additional layer of security to accounts that allow you to implement two-factor authentication. You may have experienced this where you provide a mobile phone number, and a text message is sent to you when you log in with a code that must be entered to complete the login. That is the second factor, your phone is presumed to be in your physical possession, a hacker in North Korea can’t see the text message you just got. That protects your account from anyone who has your login credentials.

Many services, including all major email platforms, offer a two-factor protection but you often have to go into the settings menu and look under the login/security options. You may see an option for “Google Authenticator” which will tell you to download an app, but I’m going to recommend LastPass again.

There is a separate LastPass Authenticator app that can be used exactly the same as the Google app. The advantage of the LastPass app is it allows you to back up your codes to your LastPass account, so if you lose your phone, you can reinstall the app on a new phone and using your LastPass credentials. This lets you restore access to your services and not be locked out. It’s a reasonable balance between security and potential disaster.

Two-factor authentication services that use the authenticator app will show you a QR code during the setup that you scan with the app, then confirm the six-digit number to complete the set up.

You should have two-factor authentication set up on your email as a matter of the highest priority. Once an attacker has access to your email, almost everything else is at risk, including your banking.

Secure your network

These days a home internet connection provides a whole-of-house service, not just a connection for one computer. Consumer internet routers increasingly include basic firewalls. It’s important this is turned on to protect your whole home network.

Steve Gibson also operates a service called Shields Up!! that will scan your internet connection for potential vulnerabilities, just like an attacker would, then show you a report on the results. Use this to inform yourself.

Securing your home network is becoming sufficiently serious that you should consider whether your router is up to the job. Do some research using the model number and look on places like Whirlpool Forums for information.  If you have a router more than a few years old, it might be worth thinking about upgrading.

It is becoming easier to buy routers with business grade security at consumer prices. One good example is the UniFi Dream Machine (UDM) from Ubiquity Networks. This is a business class device, which can control a medium sized business internet connection, at a price similar to a good quality consumer router. It offers a significant upgrade to the router provided by your ISP.

Secure internet connected devices

These days everything wants to connect to the internet. That’s a potential problem. In the “old” days of internet connection it was only your home computer that connected to the internet, and you could protect it through security updates. Now we have phones, network attached storage, game consoles, smart speakers, light globes, security systems, home theatre equipment, fridges and even cars connecting to our home network.

You may not be able to install security updates to all of these things even if you wanted to. That is a problem. Your router protects bad things from the outside getting in. Once something is on your network, it potentially has access to everything else. You could wake up one morning to find your important data has been encrypted and cannot be accessed without paying a “ransom”, because your network drive was hacked via your light globes.

There is a way to mitigate the danger of this without over-reacting and ripping out all technology. The UDM referred to above allows you to set up multiple networks. You can create one for “trusted” devices over which you have control such as phones and laptops, and another for devices that you want to work, but not have access to the valuable data on your secure network.

Disclosure: The publisher of Northern Beaches Advocate operates a separate technology advisory business at which assists customers on issues including digital security. This article is written as a general advisory to inform people in light of the recent government warnings about cyber-security threats. It is not intended as specific advice. Please seek specific advice if you require it.

Image: Envato