I work on cybersecurity issues, either “offensive” security (identifying vulnerabilities by attacking computer systems) or “defensive” security (implementing countermeasures to prevent attacks).

In these two contexts, as well as in the content I consult as part of my technological watch, a number of bad habits frequently arise, whether in companies or among individuals.

Here are the 5 most important recommendations based on these experiences:

I - Take care of your passwords

Poor password management is one of the most common intrusion vectors in 2019, and even if you don’t disclose them, it is quite likely that one of the sites you are registered on has suffered or will suffer a security breach giving access to your personal information!

Currently, over 9 billion login credentials have leaked and are freely available on the Internet. Statistically, you are more likely to have one of your passwords in a publicly accessible database than not.

Therefore, it is crucial to follow these few rules regarding your passwords:

• Never use a password more than once.
• Prioritize length over complexity (for example, 1AgaceSonBecAvec1Brûle-gueule will be infinitely harder to crack than %&*#!a5 by a potential attacker).
• Never use a dictionary word as a password.
• Change your password every 6 to 12 months (depending on what is feasible for you).

All these precautions can be simplified by using a password manager, which will keep your passwords in memory and synchronize them for you.

Among those currently available, I recommend:

• KeePass (which was CSPN certified by ANSSI in 2011)
• 1Password (which has the best integration for Android, iOS, Windows, and MacOS)
• LessPass (this one does not store your passwords but “calculates” them based on the site you are on and your identifier)

II - Be cautious on public networks

The democratization of HTTPS helps address many security issues, with SSL and more recently TLS technologies involved in encrypting your exchanges with websites to limit the risk of someone else spying on them.

However, there is still an alarming number of sites that do not use HTTPS, endangering the privacy of your exchanges.

For example, on a public WiFi (airport, café, coworking space), it is technically possible to intercept and monitor the exchanges of all other connected devices, an attack that is relatively easy to set up, even from a smartphone! Bettercap: A software that allows you to observe network traffic If you are connected to a WiFi that you do not own, caution is advised. If you can, prefer your private 4G network and under no circumstances browse a site that your browser does not recognize as secure. Example of a connection recognized as secure Finally, if you have a VPN subscription with a provider you trust, using a VPN adds an extra layer of privacy to your exchanges on a public network.

III - Update as soon as possible!

It is often inconvenient to be interrupted during an activity by an update of your operating system or software, and we are all tempted to postpone them, or even disable them completely.

Unfortunately, it’s not worth the risk; a device (smartphone, computer, connected object) that is not updated is often a gateway for intrusion.

Updates are increasingly imposed on the user, but it is often because they address recently discovered security issues, and whether on a personal or professional device, it is always very risky to fall behind on them.

IV - Use an easy-to-use antivirus and firewall

One of the problems that can lead to intrusions with serious consequences (financial losses, identity theft, and personal information theft) is the lack of visibility over the actions of software installed on a machine.

It is essential to control and monitor what is happening on your devices, especially by using an antivirus that will check that you have not accidentally installed malicious files, and a firewall that will let you know which applications are using the Internet and limit their permissions.

There are many antivirus and firewall software on the market, do not hesitate to rely on ANSSI’s recommendations to try several and find the one that suits you best.

V - Make (real) backups

Finally, let’s address a point that is too often overlooked before an incident occurs: backups.

Whether due to a failure, malware, theft, or loss of a device, data loss is a risk for everyone and can sometimes have disastrous consequences.

Implementing a backup strategy can sometimes be time-consuming (choosing, installing, and configuring backup software, for example), but whatever time you invest, it is quickly offset by the peace of mind of being able to retrieve your data on multiple supports in case of trouble.

A “real” backup must be located on a different support than the one containing the backed-up data, otherwise, it will be inaccessible in case of a problem with the concerned device.

If possible, having 3 copies on 3 different devices of your data is a comfortable setup, especially since hard drives and SSDs of your computers all have a limited lifespan!

It is also very important to test the backups made, as sometimes the backed-up data does not exactly match your expectations!

If you have any questions regarding these points, you can contact us for advice and support in securing your information.

Resources

• https://www.ssi.gouv.fr/particulier/logiciels-preconises-par-lanssi-2/ (French)

• https://www.cnil.fr/fr/5-arguments-pour-adopter-le-gestionnaire-de-mots-de-passe (French)

• https://mashable.com/2017/02/28/passwords-reuse-study-keeper-security (English)

• https://enterprise.verizon.com/resources/reports/DBIR_2018_Report.pdf (English)

Illustration photo by Anomaly.