Your friend Victoria Vandal wants to get a new phone because she thinks this one guy (Brad?) she met at Boise Fry Company hacked her phone. She shudders to take pictures, and doesn't want to comment on your latest Instagram post because "then he might get in her Instagram account". You think, hey, maybe, that could happen. You also know there are things Victoria can do to defend against cyber stalkers, criminals, and hackers like Brad? might be (maybe he's innocent). Special skills. Skills that could make her very annoying for someone like Brad (if he's not innocent).
Threat Modeling
You've heard that all good security starts with a threat model. It's like that part in the movie where everyone goes over the mission and says 'you go over there and do this' and 'we know they'll leave this door unguarded at 5pm on Tuesdays because that's when they get tacos from the truck by the old silo'. Victoria can use threat modeling to address any security concerns in her life (like protecting herbs in her herb garden from that fluffy cute herb-terrorist rabbit), though right now you're just going to concern yourself with cyber stuff. Like the internet. And smartphones. And your vandal accounts.
To form a threat model, ask yourself these five questions:
- What assets do I want to secure?
- Who do I want to secure these assets against?
- What happens if security is breached?
- What are the chances of a security breach?
- How much effort do I want to make to prevent a breach?
What assets do I want to secure?
In this case, we want to secure sensitive information that could be used to steal Victoria's identity, harm her privacy, or commit financial fraud. These include her transcripts, her social security number, e-mail messages sent to other students, health records, social media login passwords, and bank account numbers.
Who do I want to secure these assets against?
We want to secure these assets against potential bad-faith employers, journalists, fraudsters, criminals, roommates, and stalkers. (And of course, Brad?)
What happens if security is breached?
If someone gets Victoria's transcript, they may be able to use that information to impersonate her in a complex identity theft (the dramatic kind, like in the movie ‘Catch Me If You Can’ where Leo DiCaprio's character pretends to be a pilot at age 16- that pilot lost his identity). If someone gets your social security number, they may be able to use that to file for employment. If Brad? gets Victoria's gmail login information, he might be able to track her location in real-time.
What are the chances of a security breach?
You know risk is often modeled through probability estimates, though you don't really know the frequency of future rare events. Paying attention to the base rates (or how often a harm may occur within a given category of event) nevertheless gives you an idea of how likely an event might be. For instance, if you live in a town with a population of 25,000 that has 4500 bike theft cases per year, you can use that to assume that it is more likely for someone to steal your bike in that town than in a town with the same population but only 45 bike theft cases per year. How many Brads are there? You know that in the United States, there are like 350,000 reports of internet crime per year. You guess that there's at least four or five times that many breaches that are never reported, so you know that the base rate is about a million out of 250 million- assuming the other 73 million people in the United States are babies or old people not on the internet or something. So the chances are actually kinda low, but when it does happen it's going to be bad.
How much effort do I want to make to prevent a breach?
So, if Victoria really wanted to be ultra-secure, she could move to a deserted island and refuse to use any electronic devices. That is Grade A++ secure. That's probably not worth it, though. There is no way to guarantee total protection of your data. However, you know you can add layers of protections that make it more difficult for someone to access that data. For instance, adding a multi-factor authentication method makes it more difficult for a Brad? to access her data, but it does cost some more time and effort than simply using a password.
Passwords
You know that creating a strong password is a key part of maintaining security. Say Brad? finds Victoria's old hotmail password and he just tries it on all her accounts. If Victoria uses the same password for her Facebook account, he's all up in there. Worse, if she uses the same password for all her accounts, he might have her entire life in his pocket after getting just one password. Using a password manager like KeePass allows you to use one master password to track all your passwords. Some password managers may have weak security themselves, so it’s important to choose a password manager that is currently trusted.
When creating a password (as opposed to generating one in a password manager), you know you can use like six words or more to create passwords, as well as randomized elements such as numbers decided by rolling dice or a deck of cards.
You see the word 'luncheon' on the pamphlet in front of you, and then ask your pet hamster Georg to step on your keyboard until he finds some special characters, like # or @. Then, you make some impromptu tarot cards by writing random words from the dictionary on some index cards, shuffling them, and drawing the cards to divine your future password.
Boom, you have a strong password, like:
Lunc#eonVi@ductArrowFormLak3DirgeMay0
Privacy
In an age of information, Victoria's data is a valuable asset. You know that to protect your privacy, you need to review your security options with any accounts you may have. Your phone is used to identify you for many of your accounts. Ensuring your device is encrypted and your will help assure your privacy. Gotta make it hard for Brad? to get in to her smartphone even if he manages to steal it. You know that Elon Musk's twitter account got hacked with the help of a SIM card swap, so you make sure your SIM cards are locked. Text messages are generally unprotected and open to interception by anyone who's spent countless hours playing PC games and knows how to follow instructions (like Brad?). Using an encrypted messaging app like Signal or Element makes it harder for anyone to intercept your messages.
You tell Victoria to check for additional ways to secure her accounts at LockDownYourLogin.
To make sure she's got all her bases covered, you tell her to secure Instagram, Steam, Snapchat, and TikTok, as well.
Multi-Factor Authentication
You know that Multi-Factor Authentication involves protecting your accounts by requiring more than just a password. Just like spy and heist movies in which the protagonists require a thumbprint or an additional phrase to get past a door, Multi-Factor Authentication requires you to use more than one method to gain entry to your account.
You already use Duo Mobile, an MFA service, for your University of Idaho account. Multi-Factor Authentication may be used for more than just your University of Idaho account. Most social media, store, and bank accounts provide multi-factor authentication options. In addition to Duo Mobile, other third-party apps include Authy and, if you have many Microsoft accounts, Microsoft Authenticator. For Victoria's Google accounts, you recommend Google Authenticator.
Update Your Software!
Your devices run software that is updated periodically. Weaknesses that are open to exploitation are discovered in existing software every month, in the same way that your immune system leaves gaps open to exploitation by pathogens every day. Just like your immune system learns to close these gaps, developers update software with security patches so that these weaknesses are addressed. If Victoria doesn't update her software, Brad? may make one of these weaknesses to access her systems. For this reason, you pester her to update her software every time you notice a full moon rising.
Anti-Virus
Anti-Virus software may be used to protect against attacks made through malicious software. Malicious software includes viruses, which replicate by inserting themselves into other software, as well as well as software designed to take your data hostage or to spy on your actions. Today, even Mac and Linux distributions have viruses designed specifically for those operating systems.
Sophos Home, Windows Defender, and BitDefender are antiviruses available at no charge.
Knowing that people like Brad? may exploit scripts that run on websites they lure you into, you remind Victoria to use extensions that block executable web content, such as NoScript or AdBlock Plus.
Phishing
You know that Phishing attacks occur when someone like Brad? attempts to get you to click on a link, open a file, enter your username and password on their software, or to install applications on your device, like vampires attempting to get you to invite them in.
Where possible, you suggest that Victoria opens files that she's received in an online in a document reader like Google Drive or OneDrive or by uploading files to services like VirusTotal.