An important aspect of securing any system is the concept of “defense-in-depth,” or having multiple layers of security and not depending on any one approach or technology to block all attacks. Here are some tools and approaches that are useful in stopping malware from invading a PC.
Learn, Memorize, Practice the 3 Rules
There are 3 basic rules for online safety. Follow them and you will drastically reduce the chances of handing control over your computer to the bad guys. In short:
1. If you didn’t go looking for it, don’t install it.
2. If you installed it, update it.
3. If you no longer need it, get rid of it.
Keep Up-to-Date with Updates!
The truth is that most software needs regular updating.
Prop up Your Passwords
Here are a few tips for creating strong passwords. Take a moment to review these, and consider strengthening some of your passwords if they fall short.
Create unique passwords that use a combination of words, numbers, symbols, and both upper- and lower-case letters. Do not use your network username as your password. Don’t use easily guessed passwords, such as “password” or “user.” Do not choose passwords based upon details that may not be as confidential as you’d expect, such as your birth date, your Social Security or phone number, or names of family members.
Do not use words that can be found in the dictionary. Password-cracking tools freely available online often come with dictionary lists that will try thousands of common names and passwords. If you must use dictionary words, try adding a numeral to them, as well as punctuation at the beginning or end of the word (or both!). Avoid using simple adjacent keyboard combinations: For example, “qwerty” and “asdzxc” and “123456” are horrible passwords that are trivial to crack.
Some of the easiest-to-remember passwords aren’t words at all but collections of words that form a phrase or sentence, perhaps the opening sentence to your favorite novel, or the opening line to a good joke. Complexity is nice, but length is key. It used to be the case that picking an alphanumeric password that was 8-10 characters in length was a pretty good practice. These days, it’s increasingly affordable to build extremely powerful and fast password cracking tools that can try tens of millions of possible password combinations per second. Just remember that each character you add to a password or passphrase makes it an order of magnitude harder to attack via brute force methods.
Avoid using the same password at multiple Web sites. It’s generally safe to re-use the same password at sites that do not store sensitive information about you (like a news Web site) provided you don’t use this same password at sites that are sensitive. Never use the password you’ve picked for your email account at any online site: If you do, and an e-commerce site you are registered at gets hacked, there’s a good chance someone will be reading your e-mail soon.
Whatever you do, don’t store your list of passwords on your computer in plain text. One thing to note about password storage in the Mozilla Firefox browser: If you have not enabled and assigned a “master password” to manage your passwords in Firefox, anyone with physical access to your computer and user account can view the stored passwords in plain text, simply by clicking “Options,” and then “Show Passwords.” To protect your passwords from local prying eyes, drop a check mark into the box next to “Use Master Password” at the main Options page, and choose a strong password that only you can remember. You will then be prompted to enter the master password once per session when visiting a site that uses one of your stored passwords.
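
To put numbers on the password-creation tips above, here is an added example (not part of the original article) that checks a candidate password against those rules and estimates how large an exhaustive search would have to be. The word list is a tiny constructed sample, and the 12-character minimum and the 50-million-guesses-per-second rate are assumptions chosen for illustration.

```python
import string

# Constructed sample: a tiny stand-in for a cracking tool's dictionary list.
WORDLIST = {"password", "user", "dragon", "monkey", "sunshine"}
# Adjacent-keyboard combinations named in the article.
KEYBOARD_RUNS = ("qwerty", "asdzxc", "123456")
GUESSES_PER_SEC = 50_000_000   # assumption: "tens of millions" per second
MIN_LENGTH = 12                # assumption: the article gives no exact figure

POOLS = (string.ascii_lowercase, string.ascii_uppercase,
         string.digits, string.punctuation + " ")

def alphabet_size(pw):
    """Size of the character pool a brute-force search has to cover."""
    return sum(len(p) for p in POOLS if any(c in p for c in pw)) or 1

def keyspace(pw):
    """Number of strings of this length drawn from that pool."""
    return alphabet_size(pw) ** len(pw)

def brute_force_years(pw, rate=GUESSES_PER_SEC):
    """Worst-case exhaustive-search time; dictionary attacks are far faster."""
    return keyspace(pw) / rate / (365 * 24 * 3600)

def rule_violations(pw, username):
    """Return which of the article's rules this password breaks."""
    low = pw.lower()
    problems = []
    if low == username.lower():
        problems.append("same as username")
    if any(run in low for run in KEYBOARD_RUNS):
        problems.append("keyboard run")
    if low in WORDLIST:
        problems.append("dictionary word")
    if len(pw) < MIN_LENGTH:
        problems.append("too short")
    return problems

if __name__ == "__main__":
    for candidate in ("qwerty123", "P@ssw0r9", "callmeishmaelsomeyearsago"):
        print(f"{candidate!r}: {rule_violations(candidate, 'alice')}, "
              f"~{brute_force_years(candidate):.3g} years to exhaust")
```

The 25-letter lowercase phrase has a far larger search space than the 8-character password that mixes all four character classes, which is the "length is key" point in concrete terms.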
If your email provider offers 2-step verification, take advantage of it. Google Gmail is one of the few that offers this added level of security, giving users a number of ways to receive the secondary logon codes. Also, don’t forget to add a recovery email account, if your email provider supports it. And if possible, use two-step verification on that secondary account as well.
Harden your Hardware
Wireless and wired Internet routers are very popular consumer devices, but few users take the time to make sure these integral systems are locked down tightly. Don’t make that same mistake. Take a few minutes to review these tips for hardening your hardware.
For starters, make sure you change the default credentials on the router. This is the username and password that were factory installed by the router maker. The administrative page of most commercial routers can be accessed by typing 192.168.1.1 or 192.168.0.1 into a Web browser address bar. Leaving these as-is out-of-the-box is a very bad idea. Most modern routers will let you change both the default user name and password, so do both if you can.
When you’ve changed the default password, you’ll want to encrypt your connection if you’re using a wireless router (one that broadcasts your modem’s Internet connection so that it can be accessed via wireless devices, like tablets and smart phones). WPA2 is the strongest encryption technology available in most modern routers, followed by WPA and WEP (the latter is fairly trivial to crack with open source tools, so don’t use it unless it’s your only option).
Antivirus Software
This is probably the most overstated tool in any security toolbox. For years, security experts have been pitching the same advice: Install antivirus and firewall software, keep up with patches. Some companies even market their products with bold (and I’d argue misleading) guarantees like “Total Protection!”.
Here’s the reality: Antivirus software is good at detecting known threats, but not so great at flagging brand new malware samples. If you’re depending on your antivirus software to save you from risky behaviors online (e.g., downloading software from P2P/torrent networks), you’re asking for trouble. Again, it is best to think of antivirus as another layer of security for a modern PC. Shop around: Antivirus companies make most of their money on renewals, and steeply discount their products for new customers.
Tools for a safer phone
The government hack of an iPhone used by a San Bernardino killer serves as a reminder that phones and other electronic devices aren't impenetrable vaults. While most people aren't targets of the NSA, FBI or a foreign government, hackers are looking to steal the financial and personal information of ordinary people. Your phone stores more than just selfies. Your email account on the phone, for instance, is a gateway to resetting banking and other sensitive passwords.
Lock your phone with a passcode
Failing to do so is like leaving your front door unlocked. A four-digit passcode and an accompanying self-destruct feature that might wipe a phone's data after too many wrong guesses stumped the FBI for weeks and forced them to bring in outside help. Using six digits makes a passcode 100 times harder to guess. If you want to make it even harder, you can add letters and other characters to further increase the number of possible combinations. These are options on both iPhones and Android phones.
The iPhone's self-destruct feature is something you must turn on in the settings, under Touch ID & Passcode. Do so, and the phone wipes itself clean after 10 failed attempts. But the 10 attempts apply to your guesses, too, if you forget your passcode or if your kids start randomly punching in numbers. Android has a similar feature. Both systems will also introduce waiting periods after several wrong guesses to make it tough to try all combos. Biometrics, such as fingerprint scanners, can act as a shortcut and make complex passcodes less of a pain.
Use Encryption
Much to the FBI's displeasure, iPhones running at least iOS 8 offer full disk encryption by default. That means that the information stored on the phone can't be extracted by authorities or by hackers and read on another computer. If the phone isn't unlocked first, any information obtained would be scrambled and unreadable. With Android, however, you typically have to turn that on in the settings. Google's policy requires many phones with the latest version of Android, including its own Nexus phones, to offer encryption by default. But, according to Google, only 2.3 percent of active Android devices currently are running that version.
Set up device finders
Find My iPhone isn't just for finding your phone in the couch cushions. If your device disappears, you can put it in Lost Mode. That locks your screen with a passcode, if it isn't already, and lets you display a custom message with a phone number to help you get it back. The app comes with iPhones, but you need to set it up before you lose your phone. Look for the Find iPhone app in the Extras folder.
Meanwhile, Activation Lock makes it harder for thieves to sell your device. The phone becomes unusable: it can't be reactivated without knowing its Apple ID. The feature kicks in automatically on phones running at least iOS 7. If all else fails, you can remotely wipe the phone's data. While your information will be lost, at least it won't end up in the hands of a nefarious person.
There isn't anything comparable built into Android phones, but Google's Android Device Manager app, along with a handful of others made by third parties, can be downloaded for free from the Google Play app store.
Back up your phone
If you do have to remotely wipe the phone's data, it's comforting to know that you won't lose all your photos and other important data. It's helpful, too, if your toddler dunks your phone in a glass of water. As mentioned before, apps such as Find My iPhone and Android Device Manager will allow you to do this, provided you set them up ahead of time.
Keep your software up to date
Software updates often contain fixes to known flaws that might give hackers a way into your device. On iPhones, Apple prompts you to get the update. It's more complicated with Android because updates need to go through various phone manufacturers and wireless carriers first. But do install updates when asked.