Recently, I was invited to co-present on security. We each brainstormed up a list of what we thought were the biggest online threats today and some practical steps people can take to protect themselves. Here is the list I created:
Brewer's top five threats
- Dangerous scripts (Flash, JavaScript, others) in the browser
- Insecure/questionable links (in email, in social media, etc.)
- Insecure attachments
- Insecure plugins, extensions, apps, etc.
- Social Engineering
Brewer's recommendations
These are intended to be some basic steps anyone can take to improve their security, although they are not necessarily convenient.
Use Firefox with both NoScript and Flashblock enabled.
Only do banking, human-resources tasks, etc. in a fresh web-browser session:
- Use a different browser only for that purpose
- Start up browser, do session, quit browser
- Do the same for insecure/questionable links.
View (and send) email as plain text only
- Look at links carefully
- Don't leak information via images and web bugs
Look at full headers of questionable email
- Only trust headers written by known hosts.
- Learn to recognize suspicious hostnames.
Don't just click on links!
- Know the structure of links:
scheme://[user:password@]hostname:port/path?query_string#fragment_id
- Navigate there directly
- Critically evaluate links
- Look at hostnames & paths
- Avoid apps that obfuscate links
- Use copy & paste
- Use "whois" for questionable hostnames
- Remove parts of path that might have tracking information
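As an added illustration of the link checks above (not code from the original post), the function below splits a link into the parts named in the structure line, points out the things the list says to look at (user info before "@", the rightmost labels of a long hostname, odd schemes and ports) and returns a copy with common tracking parameters removed. The tracking-key list and the sample links are constructed for the example.

```python
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

# Query keys commonly used for click tracking (constructed list, not exhaustive).
TRACKING_KEYS = {"utm_source", "utm_medium", "utm_campaign", "utm_term",
                 "utm_content", "fbclid", "gclid", "mc_eid"}


def inspect_link(url):
    """Split scheme://[user:password@]hostname:port/path?query#fragment,
    list what a careful reader should notice, and return a cleaned copy."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    notes = []
    if parts.scheme not in ("http", "https"):
        notes.append("unusual scheme: " + repr(parts.scheme))
    if parts.username is not None:
        # Everything before '@' is user info, not the destination; the real host follows it.
        notes.append("user info before '@'; real host is " + repr(host))
    if host.count(".") >= 3:
        # Ownership is decided by the rightmost labels, not by familiar names on the left
        # (multi-part public suffixes such as co.uk would need a suffix list; ignored here).
        notes.append("deeply nested hostname; rightmost labels are "
                     + ".".join(host.split(".")[-2:]))
    if parts.port not in (None, 80, 443):
        notes.append("non-standard port: %d" % parts.port)
    params = parse_qsl(parts.query, keep_blank_values=True)
    kept = [(k, v) for k, v in params if k.lower() not in TRACKING_KEYS]
    if len(kept) != len(params):
        notes.append("%d tracking parameter(s) removed" % (len(params) - len(kept)))
    # Rebuild the authority from hostname and port only, dropping any user info.
    netloc = host if ":" not in host else "[" + host + "]"
    if parts.port:
        netloc += ":%d" % parts.port
    clean = urlunsplit((parts.scheme, netloc, parts.path, urlencode(kept), parts.fragment))
    return {"host": host, "path": parts.path, "notes": notes, "clean": clean}


if __name__ == "__main__":
    # Constructed sample links, not taken from any real message.
    for link in ("https://www.bank.example@evil.example/login?utm_source=mail&id=7",
                 "http://secure.login.bank.example.com.attacker.example/account?gclid=abc",
                 "https://www.example.com/path?id=1#top"):
        print(link)
        for key, value in inspect_link(link).items():
            print("  %s: %s" % (key, value))
```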
Don't be a monoculture -- don't just use the most widespread software:
- Open Microsoft documents with Libre Office.
- Don't use Acrobat: Use Preview (or something else).
Only use software that has a strong, open community
Periodically review the add-ons, extensions and apps on your browser, phone and social-media accounts
Question/verify the provenance of people & information
- Confirm human references "out of band"
- online resources — even DNS — can be spoofed
- fake hostnames can look like real ones
- Steven D. Brewer's blog