[vip_students] Seven things security experts do to keep safe online

  • From: tony scanlon <turrots@xxxxxxxxx>
  • To: vip_students@xxxxxxxxxxxxx
  • Date: Tue, 28 Jul 2015 12:15:51 +0100

Seven things security experts do to keep safe online

From using password managers to checking URLs, best practices revealed in
new study

Alex Hern <http://www.theguardian.com/profile/alex-hern>
<http://twitter.com/alexhern>

Monday 27 July 2015 12.11 BST Last modified on Monday 27 July 2015 12.15 BST

Cybersecurity experts aren’t like you or me, and now we have the evidence
to prove it. Researchers at Google interviewed
<https://www.usenix.org/system/files/conference/soups2015/soups15-paper-ion.pdf>
more than 200 experts to find out what security practices they actually
carry out online, and then spoke to almost 300 non-experts to find out how
they differ.

Perhaps unsurprisingly, the security experts practice what they preach –
or, at least, they tell Google they do. They’re more likely to use
two-factor authentication, to install software updates, and avoid visiting
shady websites. Even for practices that are subject to healthy debate
within the security community, actions speak louder than words: the experts
are more likely to run anti-virus software and to use password managers
than non-experts.

So what do the experts do? And, perhaps more importantly, what are the
modern-day superstitions we can all stop doing to save time?

*1) Yes, you do want to install updates*

“Update all the software and firmware to fix any possible vulnerability.”
“Patch, patch, patch.” The experts are clear: never turn down a security
update. The researchers found that not only was installing updates the most
commonly cited practice that experts do to keep safe online, it was also
the largest difference between experts and non-experts: 35% of the former
mentioned it, while only 2% of the latter did. A further 2% of experts also
mentioned turning on automatic updates as one of the top three things they
do, something no non-expert mentioned.

Non-experts, however, were worried that the updates could themselves lead
to an infection: “Automatic software updates are not safe in my opinion,
since it can be abused to update malicious content,” said one. And they
were also worried that the updates would lead to new problems, with one
saying that “there are often bugs in these updates initially”.

Software updates are usually the only way to combat actual security
vulnerabilities – those bugs in software that let malicious attackers do
things they shouldn’t. For instance, the recent Adobe Flash
<http://www.theguardian.com/technology/2015/jun/29/adobe-urgent-flash-patch-hacking-attacks>
vulnerabilities
<http://www.theguardian.com/technology/2015/jul/08/warning-adobe-flash-vulnerability-hacking-team-leak>
opened a user’s computer up to hacking if they continued using the
software: until patches were issued, there was little option but to simply
stop using Flash to stay safe online.

*2) Use antivirus software – but don’t bank on it*

Antivirus packages have a bad rap. For years, the software had a reputation
for slowing down computers with added cruft, foisting pricy support
packages on desperate users, and not really doing much to actually protect
the computers in the first place. But despite all that, a majority of
experts said they use the software.

However, antivirus software was vastly more favoured by non-experts than
experts, and barely 60% of the experts actually used it. Users in the know
said that “AV is simple to use, but less effective than installing
updates,” and that the software “is good at detecting everyday/common
malware. But nothing that’s slightly sophisticated”. In contrast, 70% of
non-experts thought the advice to use AV software was likely to be “very
effective”, and more than 80% of them had it installed.

So, while you shouldn’t uninstall your AV software, don’t get lulled into a
false sense of security about it. Oh, and like everything else, always
install the updates.

*3) Keep your passwords unique*

Password security online is frequently summed up as “strong, unique
passwords” – but it turns out one part of that might be more important than
the other. Non-experts tend to focus on the strong part, with 30% of them
picking that as one of their top three tips against 18% of the experts;
conversely, 25% of the experts pick “unique”, against 15% of the normal
users.

It’s easy to see why. Using a strong password (that is, one that uses a
good mixture of case, letters, numbers and symbols, as well as steering
clear of dictionary words) requires a one-off feat of memory, and can feel
very much like the sort of security procedure one should carry out, while
avoiding password reuse is an ongoing hassle, requiring a new password for
every site.

But in practice, most people are unlikely to face a brute-force attempt to
break into their account by simply guessing their password, and even if
they do, it doesn’t take much to render such an attack unsuccessful. But
most people *are* likely to be the user of at least one service which gets
hacked, as Adobe
<http://www.theguardian.com/technology/2013/oct/03/adobe-hacking-data-breach-cyber-attack>,
Playstation
<http://www.theguardian.com/technology/2011/apr/26/playstation-network-hackers-data>
and Ashley Madison
<http://www.theguardian.com/technology/2015/jul/20/ashley-madison-hacked-cheating-site-total-shutdown>
users have all learned to their disadvantage. Having a unique password can
prevent that misfortune compounding.

*4) Use a password manager*

How do you remember all those unique passwords? Password managers, such as
1Password <https://agilebits.com/onepassword>, Lastpass
<https://lastpass.com/> and Keepass <http://keepass.info/> solve that
problem. They are used by more than three times as many experts as
non-experts, and experts are four times more likely to name them as one of
the most important things they do online. The researchers cite one expert
as saying that “password managers change the whole calculus, because they
make it possible to have both strong and unique passwords”.

Yet only 18% of non-experts thought the advice to use a password manager
was “very effective”, and some even explicitly said they don’t trust them.
Their reasoning is that password managers can be hacked, and that if other
software has bugs and flaws, who can guarantee the same problems won’t
apply to managers? In those worries, the users are backed up by a team from
Microsoft, who reported in 2014
<http://www.theguardian.com/technology/2014/jul/16/microsoft-stop-using-strong-passwords-everywhere>
that users should rely on easily-memorised passwords rather than managers.

But the security experts are clear: despite their concerns, using password
managers is better than not. In fact, some of them even recommend writing
the most valuable passwords down on paper. As one says, “malware can’t read
a piece of paper”. But the number of experts actually writing down
passwords was still lower than the number of non-experts.

As a rule of thumb, if you can remember all your passwords, you’re doing it
wrong. Over half the non-experts claimed to remember every password, while
just 17% of the experts said the same.

*5) Use two-factor authentication*

Perhaps because of companies such as Google or Twitter being increasingly
pushy about trying to encourage users to switch to two-factor
authentication (2FA) – where a password is backed up by a code linked to a
specific mobile phone – almost two-thirds of non-experts say they use the
security system on their accounts. Those rates still lag behind the
experts, but the high numbers suggest that the message is getting through.

At the same time, the non-experts over-state the benefit of 2FA, especially
when compared to the less flashy practice of using a password manager. More
than four in five non-experts said they thought it was effective, compared
to just 32% for password managers.

*6) Visit secure websites, even if you don’t recognise them*

Non-experts tend to claim that they keep safe by only visiting websites
they already know about: “Visiting websites you’ve heard of doesn’t mean
they are completely safe, but there is a higher chance of this,” explains
one. But they might be exaggerating slightly: while 21% of non-experts said
that not visiting unknown websites was an important safety practice, only
7% of them claimed to never visit unknown websites.

Even though 32% of experts said they “rarely” visit unknown websites, the
more important piece of advice – and the one where the experts differed
from the non-experts – was to check for HTTPS, the secure connection
protocol, when visiting an untrusted website. In fact, it was the third
most mentioned security practice amongst experts.

*7) Do as I say, not as I do*

But not everything security experts do is something to be followed. Despite
recommending that users not click links on emails from unknown sources – a
way to avoid phishing emails as well as targeted malware – the researchers
themselves admit to doing so. “I do all the time,” one said, laughing, “but
I tell my mother not to.” Another admitted that the advice is given more
for simplicity’s sake than because it’s the best thing to do: “I never
really found a way of giving more precise advice for people who are not
technical on what is really safe and what is not.”
