This was recently published on the MalwareBytes Web site. It discusses how to
assist others who are overwhelmed or unsure as to how to keep their computers
from becoming infected with malware.
The lazy person’s guide to cybersecurity: minimum effort for maximum protection
Posted: February 21, 2019 by Pieter
Arntz<https://blog.malwarebytes.com/author/metallicamvp/>
Last updated: February 22, 2019
Are you tired of that acquaintance who keeps bugging you with computer
questions? Do you avoid visiting certain people because you know you will spend
most of the evening cleaning up their machine?
My uncle Bob is one of those people. He’s a nice guy, but with computers, he’s
not just an accident waiting to happen—he’s an accident waiting to become a
catastrophe. To keep Uncle Bob’s computer safe without blowing up the Internet,
we need to give him the simplest of instructions that result in protecting him
against as much as possible. Uncle Bob needs a lazy person’s guide to
cybersecurity.
It’s not that Uncle Bob is lazy. It’s that he’s overwhelmed by the amount of
stuff he has to do to keep his data and devices secure. Multiple passwords,
reading through EULAs, website cookies that he clicks “agree” to without really
paying attention—they’re giving him a serious case of security
fatigue<https://blog.malwarebytes.com/101/2017/04/how-to-fight-security-fatigue/>.
And as his helper, you’re probably pretty over it, too.
The funny thing is, with adequate cybersecurity, Uncle Bob’s—and by extension
all of our—problems would be much less frequent and less severe. So, let’s see
if we can work out a system of minimum effort that renders reasonable results.
Before we begin, we will should note that lazy cybersecurity should not apply
to devices used to store sensitive data, conduct financial transactions, or
communicate confidential or proprietary information. Lazy security is a good
way to protect those who prefer to do nothing rather than be overwhelmed by 50
somethings, but it shouldn’t have severe consequences if it goes wrong.
User education
Your first step should always be user education. So many of today’s most
dangerous threats are delivered through social engineering, i.e., by tricking
users into giving up their data or downloading the malware themselves from an
infected email attachment. Therefore, knowing what not to click on and download
can keep a good portion of threats off a lazy person’s device.
With most people, it helps to know why they shouldn’t download or click on
links in emails that look like they came from a legitimate institution. Just
telling them “don’t do that” may help for a bit, but advice is better retained
if it’s grounded in practical reasoning. Therefore, each item in this list is
accompanied by a brief explanation.
* Do not click on links asking to fill out your personal information. Your
financial institutions will not send emails with links to click, especially if
those links are asking you to update personally identifiable information (PII).
If a website promises you something in return for filling out personal data,
they are phishing. In return for your data, you will probably get lots more
annoying emails, possibly an
infection<https://blog.malwarebytes.com/101/2016/05/how-to-tell-if-youre-infected-with-malware/>,
and no gift.
* Don’t fall for too-good-to-be-true schemes. If you get offered a service,
product, game, or other tantalizing option for free, and it is unclear how the
producers of said service or item are making money, don’t take it. Chances are,
you will pay in ways that are not disclosed with the bargain, including sitting
through overly-obnoxious ads, paying for in-game or in-product purchases, or
being bombarded with marketing emails or otherwise awful user experiences.
* Don’t believe the pop-ups and phone calls saying your computer is
infected. Unsolicited phone calls and websites that do so are tech support
scams<https://blog.malwarebytes.com/tech-support-scams/>. The only programs
that can tell if you have an infection are security platforms that either come
built into your device or antivirus software that you’ve personally purchased
or downloaded. Think about it: Microsoft does not monitor billions of computers
to call you as soon as they notice a virus on yours.
* Don’t download programs that call themselves system optimizers. We
consider these types of software, including driver
updaters<https://blog.malwarebytes.com/cybercrime/2015/06/driver-updaters-digital-snake-oil-part-2/>
and registry
cleaners<https://blog.malwarebytes.com/cybercrime/2015/06/digital-snake-oil/>,
potentially unwanted programs. Why? They do nothing helpful—instead, they often
take over browser home pages, redirect to strange landing pages, add
unnecessary toolbars, and even serve up a bunch of pop-up ads. While not
technically dangerous themselves, they let a lot of riff raff in the door.
* Never allow web push
notifications.<https://blog.malwarebytes.com/security-world/technology/2019/01/browser-push-notifications-feature-asking-abused/>
I have yet to find a useful reason for these, beyond advertising.
Beyond staying away from “allow” and “download” buttons, and steering clear of
links asking for PII, users who conduct any kind of financial transaction on
their machines, be it online shopping or banking, should approach those
transactions with extreme caution. Here’s where we ask users to take action,
looking for security clues and doing a little research before paying that bill
or buying that new book.
* Use a designated browser you trust. This needn’t be for all surfing, but
for purchasing especially, research the different
browsers<https://blog.malwarebytes.com/security-world/privacy-security-world/2018/10/tighten-security-increase-privacy-browser/>
and see which one you feel safest with, whether that’s because they have few
vulnerabilities, don’t track your surfing behavior, or encrypt all
communication. Major browsers such as Firefox, Safari, and Chrome have
strengths and weaknesses they bring to the game, so it’s a matter a personal
preference. We do suggest staying away from older browsers rife with security
holes, such as Internet Explorer.
* Look for HTTPS and the green padlock. No, it’s no longer a guarantee that
the site is safe just because it has a green
padlock<https://blog.malwarebytes.com/101/2018/05/https-why-the-green-padlock-is-not-enough/>,
but it does mean the communication is encrypted. If you combine that with
being on the true website of a trusted vendor, you can breathe easier knowing
your payment details cannot be intercepted in transit.
* Use a password manager. Simple as that. Passwords are a real problem, as
users tend to re-use the same ones across multiple accounts, keep old ones
laying around because they’re the only ones they can remember, or write them
down somewhere they can be easily found. No need for 27 different
passwords<https://blog.malwarebytes.com/101/2017/05/dont-need-27-different-passwords/>.
Just one manager, preferably with multi-factor
authentication<https://blog.malwarebytes.com/101/2017/01/understanding-the-basics-of-two-factor-authentication/>.
(Bonus points for healthcare or bank organizations with logins that use
physical or behavioral
biometrics<https://blog.malwarebytes.com/101/2018/04/securing-financial-data-of-the-future-behavioral-biometrics-explained/>.)
This could turn out to be too confusing for the Uncle Bobs of this world,
however. If so, best to point them in the direction of brick-and-mortar stores
for shopping, the checkbook for paying bills, and the actual bank to conduct
other financial business.
How to set up a system for a non-tech-savvy person
Perhaps Uncle Bob can only manage so much security education before feeling
overburdened with technical knowledge. In that case, it helps for a tech-savvy
friend or relative to pitch in and tighten up a few things on the backend.
Hardware
First of all, if someone is looking for a new computer for non-sensitive
purposes, such as browsing, social media, games, and some basic email or chat
functions, you can chime in with recommendations. For someone not invested in
heavy gaming, a Chromebook would be a good option, as it will save them some
money and can perform all those functions, plus any browser-based gaming.
However, someone with an interest in PC gaming will likely need an entirely
different OS and an intense graphics card (and therefore lots of protection
against
cryptominers<https://blog.malwarebytes.com/cybercrime/2018/02/state-malicious-cryptomining/>).
Meanwhile, Macs are good options for users looking to get into graphic design.
Software
Installing software on a system usually comes with the task of having to keep
it up-to-date. Therefore, any software programs that Uncle Bob selects should
minimize the potential pitfalls.
When Uncle Bob is shopping for software, recommend he finds programs that have
a self-updating function. We know this isn’t always recommended in a work
environment, but for the lazy security person, it’s perfect. One less thing to
worry about.
In addition, selecting software that allows users to minimize notifications to
only dire warnings will keep Uncle Bob from getting confused. Notifications
coming from programs can have strange effects on the less computer savvy for
several reasons:
* They don’t understand to which program they belong, which takes away the
context for them.
* The text in the notifications is designed to be short, not always
maximized for clarity.
* Technical terms used in the notification are unknown to the receiver.
Their reactions may vary. Some will simply click until they disappear. This is
the behavior that usually gets them into trouble, so you don’t want to give
them another reason to click–click–click away. Others may get worried and call
for backup immediately, asking what’s wrong and why they are getting this
“pop-up.” So, any software that can be set to only issue a warning when
something is really amiss deserves another plus.
Browser add-ons
There are some secure browsers out there that value your privacy, but I’m
pretty sure my Uncle Bob does not like using them. There is a learning curve
involved that may not seem steep to you and me, but my uncle Bob…you know what
I mean. But there is hope on the horizon. Some of the more user-friendly
browsers can be equipped with extensions/add-ons/plugins that boost security by
adding an extra protective layer.
There are browser extensions that can make your browser more secure by:
* Blocking
advertisements<https://blog.malwarebytes.com/security-world/2018/07/how-to-block-ads-like-a-pro/>
* Minimizing
tracking<https://blog.malwarebytes.com/cybercrime/2015/09/ghostery-a-tool-that-stop-trackers/>
* Enforcing https traffic<https://www.eff.org/https-everywhere>
* Protecting your privacy
* Blocking online scripts<https://en.wikipedia.org/wiki/NoScript>
________________________________
Read: How to tighten security and increase privacy on your
browser<https://blog.malwarebytes.com/security-world/privacy-security-world/2018/10/tighten-security-increase-privacy-browser/>
________________________________
It’s a fine line
Everyone deserves to experience a safe Internet, but unfortunately, this is not
always easy to accomplish. Peoples’ skill-sets and levels of experience differ,
as does their tolerance for bad news—or any news at all! What comes naturally
to some can be downright overwhelming for others. While you might wish that
Uncle Bob could have his computer license revoked, it’s better to sit him down
and show him basic survival skills—all the better to not only protect himself,
but others from dangers lurking on the web.
And if you go that one step further and help those less tech-savvy folks in
your life by setting up some automated support in the background, you’ll save
them time and and money having to run repairs or clean up an infected machine.
We always sign off by telling our readers to stay safe. This time, stay
safe…and help your friends do the same.
--
David Goldfield, Assistive Technology Specialist
WWW.David-Goldfield.Com<http://WWW.David-Goldfield.Com>