©2007-2020 by SAFE Washington. http://www.safewashington.com

It’s not just about passwords anymore…

Updated: Oct 17, 2019

Least Privilege Configuration

Recommendation: The best practice for your PC is to have a user profile for daily use and a separate administrator profile that you only use to install applications that you intend to run.

You go to your favorite electronics store, buy a PC, and take it home. You boot the new machine up, it asks for your name and a username, you create a password, the operating system puts you on a desktop, and you are off and running, right?

Wrong. What I just described is a poor setup for keeping your computer secure. You do not want to run your computer as an administrator. Instead, go to the control panel and create a new user account. Make that account an administrator, set it up with a long and complex password, then log in to that new administrator profile. While you are in that new profile, change your first login, the one with your name, to a “user” profile by removing its administrator permissions. This configuration is known as “Least Privilege.”

Why use this configuration? You do not need administrator privileges on your computer in order to use it day to day. When your primary login has administrator privileges, you can create problems, which I’ll describe below. You want to make sure that your daily use profile is something that doesn't have the ability to modify the basic operation of the computer. You reserve that functionality for the admin account. This is true for both home and business users.

Here’s a big reason why: Say you accidentally go to an online server that tries to run a virus or other malware on your machine. If you are running your machine as admin, it can install without your having to do anything further. If, however, you are running as a user account and it tries to install, you will see a prompt. At that point, you know something that you don’t want on your machine is trying to install. You can click “cancel.” You want this behavior from your computer. You want the machine to question every install. You do not want a program to just install without your being aware.

If an application that is already installed is executed while you are running under the “user” profile, the application just runs and you use it as intended. If, however, you try to install an application while running as “user,” you will be prompted to enter an admin password, and the install won't happen without it. This is exactly the behavior you should want, as it is the best way to have your system configured.

This recommendation applies to everyone, from full business networks down to a single person using a single computer, at home or at work (desktops and laptops alike).

Least Privilege is your friend. Even if you have made sure your software, drivers, firmware, and operating system are up to date and there are no known holes in your security, making sure you don’t allow applications to install without your explicit permission gives you the best chance of keeping your machine secure.

Passwords
Recommendation: A good, strong password must have letters, numbers, and symbols, and be at least 16 characters long but ideally around 30.

Passwords? Yes, they are still necessary. Coming up with good passwords is a balancing act. They must be complex. They must be easy for you to recall and hard for others to guess, especially if there is a data breach. They must not include personal data, such as your birth date. And please, never use the word “password” as a password! Yes, that happens.

Giving people password direction is never the highlight of any IT administrator’s day. We get it. A long, complex password can be difficult to remember. Typing it several times a day, every day, is a chore, especially if you mistype and have to re-enter it. And you must have a different long, complex password for every one of your computers, every profile and account you have, and every website you visit.

Despite the hassles, having a long, complex password is not optional. It’s necessary in today’s world. There is, however, a method that makes the process a bit easier. It’s called a “pass-phrase”: use several words to make up a single password. I recommend taking it a step further: think of creating an email address, but use random words with capital and lower-case letters, combined with numbers, to create the address. Here’s a good example: "General 4 Good @ Internet [dot] com." This password/phrase is pretty easy to remember, it has 25 characters, and it is complex. If you made passwords like this, a brute-force script used by a hacker would take a very long time to guess it correctly. However, you cannot re-use a single password like this on multiple sites. The reason is really simple: if a site gets breached and your password becomes known, the hacker just has to take your email address and this known password and start visiting other websites, copying and pasting your credentials. It doesn't get much easier than that. You would be surprised how often this works.

Want to see how many times your credentials have been lost? Check out https://haveibeenpwned.com and sign up for their alerts. They will let you know each time it happens, and each time it happens again.

So, to reiterate: long and complex passwords protect your logins, profiles, and devices on the front end. Please use them, and use a different one everywhere you go.

You should take passwords a step further, however, as a password by itself is no longer enough. You should also enable “two-factor” or “multi-factor” authentication.

Here’s how it works: after you enter your username and password, the account or website you’re logging into prompts you for a third piece of data, which it can text to your cell phone or send to your email address. This kind of password protection is a current best practice. If available, my best recommendation is to use tools made by companies like Google and Salesforce that rely on a program installed on your smart device; these work without SMS text messages and can't be affected by thieves who use methods like SIM jacking.

These tools are called “Authenticators.” An Authenticator, like the SMS message that comes to your phone, gives you a randomly created number that expires every few seconds. Authenticators work offline, and they only work from your phone. When you are prompted for the third factor while logging into your account, you have only the time left on the Authenticator app's countdown timer to enter the digits you see in the app.

At this time, this form of multi-factor authentication through software is your best protection.

There is one last option: vendors like Google have implemented safeguards like multi-factor hardware keys that work as your second factor. You physically plug the key into your computer and open your email; the client checks whether the key is in place and, upon finding it, loads your data. If the key is not present, you will not be able to get in.

It's a very solid method of securing your accounts.

Updates and Patches

The next thing to keep in mind is to keep your equipment and software updated at all times. When your operating system or software vendor tells you to install a patch, pay attention.

Recommendation: Patch your computers. All of them. Every time you see a notification. Don’t wait.

Installing updates doesn't have to take up your day. Just get it done when you’re not expecting to use your equipment – for example, overnight while you’re asleep.

This recommendation applies to phones as well. Make sure to update your phone and patch the installed apps too. Remember that any tool you use that is classified as a computer has the ability to be hacked. You want to minimize the chances of an intrusion by someone who wants your data. Make it as hard as possible for hackers to breach your privacy.

Recommendation: Remove unwanted or unneeded apps and software.

As part of keeping your equipment as secure as possible, it’s important to take a look at what you have installed. Do you need all the applications that are installed? Pay special attention to Java and Flash Player. Do you need those? My suggestion is to remove both of them and see if you can live without them. Both are historically the most exploited applications you can have installed on your machine.

If you use the Chrome web browser, you don't need either of them because Chrome will give you a simulation of both services without having them installed. As for the rest of the applications, do you see any bloatware? Do you need any of it? If not, remove it. Any applications on your computer that aren’t of use to you could be exploited, either because they have a known security hole or one that has not yet been discovered, especially for applications that receive few or no updates. Remove what you don't use or need. It's just a good rule of thumb.

Internet Hygiene

Recommendation: Keep tabs on your internet traffic with protection systems that can help you avoid trouble online.

Your computer is a machine with a few built-in functions for carrying out local tasks, but, most likely, its biggest role is to connect you to the internet. Aside from local tasks like saving photos or writing documents or spreadsheets, most people spend the bulk of their time online. Because your devices connect to the internet, they are vulnerable while connected. As mentioned above, you can minimize your vulnerability by updating your operating system, updating and patching your applications, and reducing the number of unused or unneeded applications on the machine. So what else can you do? You can protect your device with specialized tools that scan your drives, ports, and applications, and block unwanted connections through a software-configured firewall. That protection can come from rudimentary programs like anti-virus and anti-malware software.

I would go a step further: scan not only your applications, what is downloaded, and what runs actively in memory, but also install a program that looks at your internet traffic, carries out advanced analysis that watches for potentially suspicious code, and checks where domains are pointed. Use a protection system that blocks domains with a negative history, domains known to be parked, and domains with an un-trusted status. You want a system that looks at the current configuration of your machine, watches for changes, and can revert to a known good running state if there is a problem or an unexpected change.

Look for protection systems that do packet filtering (a technique that monitors incoming packets and rejects ones that don't follow a set of established rules) and actively monitor all other network traffic. Although all of these functions slow the operation of your machine a little, the added protection is worth it. Make sure that whatever tools you implement have decent reporting – notifying you of what they are doing and/or what they have logged.

Zero Days and Encryption

Recommendation: If you suspect that a virus or other malware has compromised your machine, RESTORE from BACKUP.

A zero day is an exploit or program written for a security hole that has not yet been documented or patched. It means that if it's used against your machine, your computer will likely succumb to whatever the exploit was written to do. As mentioned above, “least privilege” and other protections can help mitigate this threat, but you still need to be watchful: be aware of what traffic is going in and out of your machine, review reports, and look at your log files. If you don't know how to do so, look it up: Google, Bing, DuckDuckGo, and other web search engines are your friends.

What if you go somewhere online, you think you’ve entered a hazardous area, and you suspect your machine has been exposed and is running a virus? What do you do?

RESTORE from BACKUP. Just do it. Don’t take chances. Don’t just reboot and hope that the problem will go away because chances are, it won’t.

Did you know that your machine can be compromised even if it’s turned off? That’s right. A person with a little expertise, some time, and access to your computer can make what's called an “image of the drive.” Here’s how it’s done: the intruder plugs an external hard drive into your computer and boots off a thumb drive or a CD/DVD into an operating system designed to copy your hard drive in digital form. The process copies every piece of data from your current drive to the portable drive they brought with them. This system can be as compact as two thumb drives, or memory chips the size of a SIM card, depending on the type of storage being used. By taking an image, hackers can then take their time getting in and work on the stolen data at their leisure.

When you turn your machine back on after such an intrusion, you will have no way of knowing that your computer has been touched, because no log files will have changed. Your OS will not have run. Your drive and its data will simply have been copied.

How can you guard against such an attack? Encrypt your hard drive. Disk encryption is a protection technique that has been around since the 1990s for desktops. There have been many programs written to encrypt whole drives, or to create special containers that take up a portion of your hard drive space as a single encrypted file. Using both of these methods together is the ideal way of protecting yourself and any important data, because reversing two sets of encryption is a daunting task for any thief. This is also true for your smartphone. If disk encryption is available, use it and create a strong password that protects it.

Anonymity on the Internet

Recommendation: Keep as low a profile as you can when online.

Finally, an important way to protect your privacy and yourself online is to be as anonymous as you can while connected to the internet. You can do this in a number of ways – they can take time, provide varying levels of anonymity, and require diligence to make sure they’re still protecting you. First and foremost – be careful and observant.

One of the best and most easily used ways to guard your privacy online is to use a Virtual Private Network (VPN) service. If you go this route, I highly recommend a paid service, which comes with the expectation that you get what you pay for, and with certain guarantees. Use search engines like DuckDuckGo.com so your searches aren’t tracked. Don’t sign in to any websites while you surf the internet. Remember to clear your cache, cookies, and temp files every time, or set your browser to automatically clear them for you.

To a point, VPN “tunnels” protect your internet connection’s packets from being sniffed, which is a technique that many hackers utilize to monitor network traffic and obtain your usernames, passwords, and other keystrokes that are being transmitted online.

Some hackers can even set up man-in-the-middle attacks, a way of intercepting your internet traffic and running it through their computers so that they can grab all of your transmitted data. This technique even works on Secure Sockets Layer (SSL) traffic to different websites, provided that you go directly to the site once connected. A VPN tunnel, however, gives you a way to protect yourself by creating an encrypted pathway from your internet connection to a point outside of the un-trusted network. By using such a tunnel you are effectively placing your computer into a network on the other side of the world, limiting your exposure to certain forms of hacking like sniffing and man-in-the-middle attacks. It’s definitely a means of protecting your machine online when you are traveling, or on any network that you don’t trust.

For those who are always in untrustworthy networks, you can go a step further:

Boot off a thumb drive, or DVD to an alternate Operating System, which automatically uses a VPN and destroys itself when you turn off your computer. This form of privacy protection is the ultimate way of protecting yourself online. Why would you go this far when a VPN tunnel to a service provider offers pretty good protection? Because a temporary Operating System offers you the protection of having nothing being stored on your hard drive. Nothing can be physically taken from you. You don’t have to worry about imaging, or even browser exploits that steal stored passwords. Every time you boot, you have a fresh operating system. It’s an option for those who want or need it.

As with all information and advice, you should study it carefully, do your own research, and make your own informed decisions. Don't just take our word for it.