Credit to Author: Pieter Arntz| Date: Thu, 21 Feb 2019 17:00:00 +0000
Are you tired of that acquaintance who keeps bugging you with computer questions? Do you avoid visiting certain people because you know you will spend most of the evening cleaning up their machine?
My uncle Bob is one of those people. He’s a nice guy, but with computers, he’s not just an accident waiting to happen—he’s an accident waiting to become a catastrophe. To keep Uncle Bob’s computer safe without blowing up the Internet, we need to give him the simplest of instructions that result in protecting him against as much as possible. Uncle Bob needs a lazy person’s guide to cybersecurity.
It’s not that Uncle Bob is lazy. It’s that he’s overwhelmed by the amount of stuff he has to do to keep his data and devices secure. Multiple passwords, reading through EULAs, website cookies that he clicks “agree” to without really paying attention—they’re giving him a serious case of security fatigue. And as his helper, you’re probably pretty over it, too.
The funny thing is, with adequate cybersecurity, Uncle Bob’s—and by extension all of our—problems would be much less frequent and less severe. So, let’s see if we can work out a system of minimum effort that renders reasonable results.
Before we begin, we will should note that lazy cybersecurity should not apply to devices used to store sensitive data, conduct financial transactions, or communicate confidential or proprietary information. Lazy security is a good way to protect those who prefer to do nothing rather than be overwhelmed by 50 somethings, but it shouldn’t have severe consequences if it goes wrong.
Your first step should always be user education. So many of today’s most dangerous threats are delivered through social engineering, i.e., by tricking users into giving up their data or downloading the malware themselves from an infected email attachment. Therefore, knowing what not to click on and download can keep a good portion of threats off a lazy person’s device.
With most people, it helps to know why they shouldn’t download or click on links in emails that look like they came from a legitimate institution. Just telling them “don’t do that” may help for a bit, but advise is better retained if it’s grounded in practical reasoning. Therefore, each item in this list is accompanied by a brief explanation.
- Do not click on links asking to fill out your personal information. Your financial institutions will not send emails with links to click, especially if those links are asking you to update personally identifiable information (PII). If a website promises you something in return for filling out personal data, they are phishing. In return for your data, you will probably get lots more annoying emails, possibly an infection, and no gift.
- Don’t fall for too-good-to-be-true schemes. If you get offered a service, product, game, or other tantalizing option for free, and it is unclear how the producers of said service or item are making money, don’t take it. Chances are, you will pay in ways that are not disclosed with the bargain, including sitting through overly-obnoxious ads, paying for in-game or in-product purchases, or being bombarded with marketing emails or otherwise awful user experiences.
- Don’t believe the pop-ups and phone calls saying your computer is infected. Unsolicited phone calls and websites that do so are tech support scams. The only programs that can tell if you have an infection are security platforms that either come built into your device or antivirus software that you’ve personally purchased or downloaded. Think about it: Microsoft does not monitor billions of computers to call you as soon as they notice a virus on yours.
- Don’t download programs that call themselves system optimizers. We consider these types of software, including driver updaters and registry cleaners, potentially unwanted programs. Why? They do nothing helpful—instead, they often take over browser home pages, redirect to strange landing pages, add unnecessary toolbars, and even serve up a bunch of pop-up ads. While not technically dangerous themselves, they let a lot of riff raff in the door.
- Never allow web push notifications. I have yet to find a useful reason for these, beyond advertising.
Beyond staying away from “allow” and “download” buttons, and steering clear of links asking for PII, users who conduct any kind of financial transaction on their machines, be it online shopping or banking, should approach those transactions with extreme caution. Here’s where we ask users to take action, looking for security clues and doing a little research before paying that bill or buying that new book.
- Use a designated browser you trust. This needn’t be for all surfing, but for purchasing especially, research the different browsers and see which one you feel safest with, whether that’s because they have few vulnerabilities, don’t track your surfing behavior, or encrypt all communication. Major browsers such as Firefox, Safari, and Chrome have strengths and weaknesses they bring to the game, so it’s a matter a personal preference. We do suggest staying away from older browsers rife with security holes, such as Internet Explorer.
- Look for HTTPS and the green padlock. No, it’s no longer a guarantee that the site is safe just because it has a green padlock, but it does mean the communication is encrypted. If you combine that with being on the true website of a trusted vendor, you can breathe easier knowing your payment details cannot be intercepted in transit.
- Use a password manager. Simple as that. Passwords are a real problem, as users tend to re-use the same ones across multiple accounts, keep old ones laying around because they’re the only ones they can remember, or write them down somewhere they can be easily found. No need for 27 different passwords. Just one manager, preferably with multi-factor authentication. (Bonus points for healthcare or bank organizations with logins that use physical or behavioral biometrics.)
This could turn out to be too confusing for the Uncle Bobs of this world, however. If so, best to point them in the direction of brick-and-mortar stores for shopping, the checkbook for paying bills, and the actual bank to conduct other financial business.
How to set up a system for a non-tech-savvy person
Perhaps Uncle Bob can only manage so much security education before feeling overburdened with technical knowledge. In that case, it helps for a tech-savvy friend or relative to pitch in and tighten up a few things on the backend.
First of all, if someone is looking for a new computer for non-sensitive purposes, such as browsing, social media, games, and some basic email or chat functions, you can chime in with recommendations. For someone not invested in heavy gaming, a Chromebook would be a good option, as it will save them some money and can perform all those functions, plus any browser-based gaming. However, someone with an interest in PC gaming will likely need an entirely different OS and an intense graphics card (and therefore lots of protection against cryptominers). Meanwhile, Macs are good options for users looking to get into graphic design.
Installing software on a system usually comes with the task of having to keep it up-to-date. Therefore, any software programs that Uncle Bob selects should minimize the potential pitfalls.
When Uncle Bob is shopping for software, recommend he finds programs that have a self-updating function. We know this isn’t always recommended in a work environment, but for the lazy security person, it’s perfect. One less thing to worry about.
In addition, selecting software that allows users to minimize notifications to only dire warnings will keep Uncle Bob from getting confused. Notifications coming from programs can have strange effects on the less computer savvy for several reasons:
- They don’t understand to which program they belong, which takes away the context for them.
- The text in the notifications is designed to be short, not always maximized for clarity.
- Technical terms used in the notification are unknown to the receiver.
Their reactions may vary. Some will simply click until they disappear. This is the behavior that usually gets them into trouble, so you don’t want to give them another reason to click–click–click away. Others may get worried and call for backup immediately, asking what’s wrong and why they are getting this “pop-up.” So, any software that can be set to only issue a warning when something is really amiss deserves another plus.
There are some secure browsers out there that value your privacy, but I’m pretty sure my Uncle Bob does not like using them. There is a learning curve involved that may not seem steep to you and me, but my uncle Bob…you know what I mean. But there is hope on the horizon. Some of the more user-friendly browsers can be equipped with extensions/add-ons/plugins that boost security by adding an extra protective layer.
There are browser extensions that can make your browser more secure by:
- Blocking advertisements
- Minimizing tracking
- Enforcing https traffic
- Protecting your privacy
- Blocking online scripts
It’s a fine line
Everyone deserves to experience a safe Internet, but unfortunately, this is not always easy to accomplish. Peoples’ skill-sets and levels of experience differ, as does their tolerance for bad news—or any news at all! What comes naturally to some can be downright overwhelming for others. While you might wish that Uncle Bob could have his computer license revoked, it’s better to sit him down and show him basic survival skills—all the better to not only protect himself, but others from dangers lurking on the web.
And if you go that one step further and help those less tech-savvy folks in your life by setting up some automated support in the background, you’ll save them time and and money having to run repairs or clean up an infected machine.
We always sign off by telling our readers to stay safe. This time, stay safe…and help your friends do the same.
The post The lazy person’s guide to cybersecurity: minimum effort for maximum protection appeared first on Malwarebytes Labs.