October 7, 2019 12:30 pm GMT

Personal cybersecurity posture for when you're just this guy, you know?

Zaphod's just this guy, you know?

Halfrunt, The Hitchhiker's Guide to the Galaxy by Douglas Adams. The book, not the movie. Definitely not the movie.

Some people are really into cybersecurity, end-to-end encryption, and totally geeked out when they first learned how the Enigma worked. These people are likely to have an innate interest in building a less-than-laughable personal cybersecurity posture.

Most people, unfortunately, consider cybersecurity optional. Most people say things like:

There's no one targeting lil ol' me.

I have nothing to hide, anyway.

I'm too busy to learn all this stuff. Why can't someone just give me a simple summary of best practices that I can skim in approximately seven minutes?

To those people, I say, hello, hypothetical incorporeal reader! Here is a simple summary of best practices that you can skim in approximately seven minutes.

Wait why do I care

You may have a hard time understanding why cybersecurity matters when you're just an average person. Sure, you don't want your devices hacked or your personal data stolen, but it's not like anyone is coming after you, specifically, right?

Hey Alex, I'll take right, for $400. It's unlikely anyone is attempting to steal your particular stuff, although I must admit that Persian rug of yours would really tie the room together. Instead, it can help to understand cybersecurity if you think of it in terms of low-hanging fruit.

You've got some fruit, I've got some fruit. Joe from down the block has a 1.21 gigawatt flux-capacitor-powered fruit-snatching robot. Joe doesn't know either of us exist, but his robot goes (very quickly) from door to door, all the way around the block, looking for fruit. If my front door is locked and yours is standing open, whose fruit is Joe's robot going to snatch?

If that sounds like boring, old, regular security, you're correct! Cybersecurity isn't about finding some magic spell that makes your fruit maximally secure. It's about making your fruit more secure than the fruit next to you. You do this by employing some thoughtful habits, in much the same way as you learned to lock your front door to guard against fruit-snatching robots.

Security breaches and incidents happen every day. Most of them occur because an automated scanner cast a wide net and found a person or company with lax security that a hacker could then exploit. Don't be that guy.

Wait, what's a security posture anyway?

Here is how the National Institute of Standards and Technology defines security posture:

The security status of an enterprise's networks, information, and systems based on information assurance resources (e.g., people, hardware, software, policies) and capabilities in place to manage the defense of the enterprise and to react as the situation changes. (NIST Special Publication 800-30, B-11)

The important bit above is, capabilities in place to manage the defense of the enterprise. In the context of personal security, you are the enterprise. Congratulations. May you boldly go where no man has gone before.

Before you explore strange new worlds (it is the Internet, after all), there are steps you can take to manage your defenses. The word capabilities is apt, as having certain things in place will pretty much give you cybersecurity superpowers. Here are the three steps I consider most important and beneficial:

  1. Use multifactor authentication
  2. Use a VPN
  3. Develop healthy skepticism

With these three keys in hand, your cybersecurity posture goes from being robot lunch to War Games - where the winning move for an attacker is not to play.

1. Use multifactor authentication

Passwords are dead. Computationally, they are a solved problem, and cracking passwords is just a matter of time. Unfortunately, many people still help to speed up the process by using the same compromised passwords for multiple accounts, putting themselves at risk for inconceivable benefit. Pass phrases are longer and more complicated, and would take a lot more time to crack. I highly recommend them; even so, your password ultimately doesn't matter.

The answer, at least for now, is multifactor authentication (MFA). MFA is made up of three kinds of authentication factors:

  1. Something you know, like a pass phrase;
  2. Something you have, like a chip-and-PIN card or phone; and
  3. Something that you are, like your face or fingerprint.

Also the name of my next beatboxing team.

Two or more of these factors are infinitely better than a password alone, especially if your password is on this list.

Multiple authentication factors are now widely supported by account providers and social media sites. If you have the choice, avoid using text messages as a way of receiving authentication codes. SMS authentication leaves you vulnerable to the SIM swap attack - please direct further questions to Jack Dorsey. Instead, use an authenticator app like Google Authenticator to generate codes on your device. This ensures that you alone, using that particular device, will have the correct authentication code. No power in the verse can stop you.

The Google Authenticator app works with the specific device you set it up on, so when you get a new device you will need to move Google Authenticator to your new phone. Hardware authentication keys such as the YubiKey may present less hassle when switching devices, but arent yet as widely supported as authentication apps.

2. Use a VPN

The difference between using a VPN and not using one is like how The Dark Knight Rises was really good and Batman v Superman was really, really bad. Same franchise, totally different standards.

Lets say you send a lot of mail, but never bother to put your letters in envelopes or even fold them in half. Anyone who bothers to look will know that youre not really the Dread Pirate Roberts after all. When you use a Virtual Private Network, especially if you often connect to public WiFi, its like putting your letters into cryptographically-sealed envelopes and sending them via a special invisible courier service. No one but the intended recipient can read your letters, and no one but you and the courier know to whom the letters are sent.

Encrypted mail still won't stop you from the accidental "reply all" unfortunately.

VPNs prevent others from reading your communications, like opportunistic attackers who scan open WiFi, and even your own Internet Service Provider (ISP) who may sell your usage data for advertising dollars.

Choosing a trustworthy VPN provider requires some research, and is in itself material enough for a separate article. As a starting point, look for providers with firm policies against logging, and expect to pay between $5-$10 USD monthly for the service. Avoid free VPN apps and services with ambiguous privacy policies; they'll typically cost you much more than you'll know.

3. Develop healthy skepticism

Ultimately, the weakest link in your cybersecurity defense is you. All the MFA and VPNs on the Internet won't protect you if a scam or malware bot can trick you into opening the front gates. Yes, I know it's a very nice looking wooden horse. Also free. Did you order it? No? Then it can stay outside.

Always look a Trojan gift horse in the mouth.

Develop the habit of second-guessing things delivered to your virtual doorstep. Email, phone, and messaging scams range in sophistication, from rickety robot-assembled shotgun blasts to elaborate social engineering attacks that use cognitive biases very effectively. Don't assume you're too clever for them; humans are very predictable creatures. After all, nobody expects the Spanish Inquisition.

Instead, ask questions. Double check communications that ask you to click on links or visit a website, even if they come from someone you know or a company you use. If you're not certain, based on a previous in-person interaction, that your friend or bank or mother sent this email, pick up the phone and call them. Even if you think you are certain, pick up the phone and check. You don't call your mother enough, anyway.

Oh, and if the person on the phone is from your local tax office or the IRS or the CRA and they're about to freeze your accounts because a case of mistaken identity has resulted in you being criminally charged for not repaying a loan on a 600-foot yacht in Malibu, just hang up. You know better than that. Tax agencies don't have phones.

Your personal cybersecurity starter pack

You now have three keys to open three gates to a robust personal cybersecurity posture. If those keys have also unlocked your curiosity, there's plenty more rabbit hole to go down. I highly recommend the Security in Five podcast for Binary Blogger's great advice, which inspired much of this post. Surveillance Self Defense offers the Electronic Frontier Foundation's tips on securing online communication. Troy Hunt also has a YouTube series entitled Internet Security Basics that goes into more depth on how to protect yourself online.

For now, I hope you use your newfound cybersecurity powers for good. Mind what you have learned. Save you it can.


Original Link: https://dev.to/victoria/personal-cybersecurity-posture-for-when-you-re-just-this-guy-you-know-3j6b
