The modern guide to staying safe online

Keeping safe and productive online requires smart decision-making and just the right preventive measures to fit the level of risk you can live with.

1 2 Page 2
Page 2 of 2

It’s difficult to detect all phishing attempts -- some are extremely good. Make sure you don’t use the same password for your accounts so that a stolen one doesn’t mean all others are compromised. Use a password manager to generate discrete passwords for each site account. Try to keep personal Internet separate from work Internet, and never register for sites using your work address. If that account gets compromised, you don’t want it to lead to phishing attacks against your work address. Turn on two-factor authentication, when a site supports it, to make it harder for attackers to use stolen credentials -- especially if that site is a financial institution.

Threat level 6: Nuclear protection

If you’re going for maximum protection, you'll need to set up a system of multiple browsers and operating systems to keep activities separate. And you might want to consider a series of virtual machines to isolate the threats.

First action: Use different web browsers for different activities: Have a browser for financial transactions, another for communications, another for just browsing. That way, if an attacker compromises a web forum you frequent, he or she can’t use cross-site scripting to get access to online banking because the attack can’t jump across browsers. A Facebook scam can’t escape to gain access to Amazon.

For a very sensitive website -- the crown jewel of your accounts -- have a dedicated web browser for that site and be restrictive in its configurations. For example, having a dedicated browser used only to access your Amazon Web Services control panel means there is no way to “accidentally” browse to some other site (whitelist only AWS, block others) and potentially expose your organization’s entire cloud infrastructure. Turn on all security options to lock down the browser.

Pro Tip: For extremely risky -- potentially dangerous -- or incredibly sensitive sites, consider splitting up the activity across multiple virtual machines. Do all your banking in a dedicated virtual machine using a locked-down (yet up-to-date) browser. This eliminates all banking-focused web attacks, and the attacker would have to do a lot more work to get your banking information.

Linux Live CDs are great alternative to running VMs -- you can even run a Live CD in a VM for maximum security. Tails is a very stripped-down Linux variant that runs off a USB drive and can be used to hide digital footprints, since it keeps nothing persistent.

Got an email attachment that looks hinky? Open it in a VM. If it’s malware, it has infected just an empty VM. Of course, don’t assume that everything is okay just because nothing happens in the VM: Malware can be designed to not execute within a VM. Keep that file always in the VM and away from your main desktop.

If you want to hide your activities online, consider Tor, which conceals your identity by using encryption to scramble data transmissions and routes traffic between multiple Tor nodes to obscure the origin. Since your traffic passes through random servers with Tor, the data is no longer tied to your personal IP address.

Use NoScript to disable Java, JavaScript, Flash, and other dynamic content. This option will break a lot of websites, but it lets you authorize content manually, so it requires careful attention to ensure malicious code doesn’t get approved by accident. Adblock Plus blocks pop-ups and other content from known advertising and spyware sites. There are concerns with how Adblock Plus creates blocklists, because advertisers can pay to be whitelisted on the platform, but it gets the job done if the goal is to shut down pop-up ads and block potential attacks.

An alternative is to disable JavaScript and block pop-ups from the browser itself. Most browsers automatically block pop-ups by default, but JavaScript is enabled by default, again because it’s so widely used.

Keep safe

Being safe online is a combination of technology, awareness, and willingness to jump through hoops. Today’s browsers offer lots of protections, including the ability to disable plugins and turn on anti-phishing mechanisms. Just turning those on and completing basic security hygiene, such as updating all software, will address much of the low-hanging fruit.

But it is easier than ever to be infected with malware or get hit by a phishing attack. Sometimes it’s just a matter of being in the wrong place at the wrong time. But once you know what you are most worried about and what your appetite for risk is, you can set a sensible security regimen to fit your needs, keeping you safe and productive online.

1 2 Page 2
Page 2 of 2
NEW! Download the Winter 2018 issue of Security Smart