Today I’d like to share with you my new favorite book about personal cybersecurity, Cyber Smart: Five Habits to Protect Your Family, Money, and Identity from Cyber Criminals by Bart R. McDonough. I’ll give you my summary of the book, but I highly recommend that you read the book for yourself!

Note: this page contains affiliate links. Please see Affiliate Disclosure.

Book Summary

This is now my top recommendation in personal cybersecurity books! It’s the type of book I would write; it’s exactly the type of content I’m working to share through Defending Digital. It’s bursting with step-by-step advice for everyday individuals to protect their devices, networks, accounts, identities, money, and personal data. The plethora of steps are based on 5 simple “cybersecurity hygiene” habits.

In most personal cybersecurity books you needed to wade through fluff to find the practical advice. Not so with this one! It’s clearly spelled out with many lists of numbered steps. There are plenty of specific examples to illustrate digital dangers. I like how common myths are dispelled with facts.

Much of the advice is repeated from section to section. This is fine if you treat the book as a reference, but it’s tiring if you read it cover to cover as I did. Some of the stories are slightly longer than necessary to make their point.

Part 1 describes various threats to personal cybersecurity, with a few protection tips sprinkled in. Part 2 goes into more detail, with many specific protection recommendations. The book’s emphasis is more on security than privacy, though there are privacy-related tips.

McDonough is clearly a cybersecurity expert, and brings in authoritative research to support his advice. He’s the CEO and founder of Agio, a provider of cybersecurity and managed IT, and he’s on the board of several security companies.

McDonough both raises awareness and gives practical advice on prevention and remediation. He’s realistic; he doesn’t resort to doom-and-gloom scare tactics, nor does he have an overly-optimistic, Pollyanna attitude.

In my summary below, I generally only define terms and acronyms once, so if you don’t understand one, look higher in the post, or check the glossary.

Introduction

Online, we all live in a “bad neighborhood” and need to take precautions.

“Brilliance in the Basics” Habits

  1. Update devices
  2. Enable two-factor authentication (2FA)
  3. Use a password manager
  4. Install and update anti-malware
  5. Back up data

Overview of Cyber Risks

Before performing a wire transfer, confirm the instructions with the other party, in person or by video or phone call. Do a test transfer of $100 before sending the rest.

81% of hacking-related breaches used stolen and/or weak passwords.

Definitions

Breach: incident where sensitive, private, or confidential info is accessed without authorization.

Cyberattack: attack with primary objective of accessing, modifying, disclosing, selling stolen info. Doesn’t necessarily involve hacking.

Hack: malicious act using manual or automated tech to crack a code or break into a target’s computer systems.

Attackers

90% of hackers are under age 34, 97% are male, and 45% have full-time jobs and hack in their spare time, according to a HackerOne study.

72% of hackers hack for the money, 71% for fun, 66% for the challenge, 51% to do good.

80% of black-hat hackers are connected to criminal organizations.

Attack Methods

Phishing is the most common way individuals are hacked.

Phone numbers can be spoofed easily, so don’t provide personal info by phone or SMS/text unless you verify that the recipient is legitimate and there’s a true need.

To guard against crypto-jacking, use anti-malware and a browser plugin that can block it, and monitor CPU levels and running processes.

FBI says don’t pay ransomware ransoms because bad actor may not decrypt your files, and paying encourages the behavior.

If you receive a call claiming to be from tech support, hang up and call the support number on the company’s website, or submit a help desk ticket through the company’s website.

FBI says if you receive a suspicious call demanding money within a short time period for the sake of a family member or friend, hang up, or use a different form of communication to check with the referenced family member or friend.

Protect Yourself from Robocalls

  1. See if your phone carrier has robocall protection.
  2. Get a robocall-blocking app such as Nomorobo.
  3. Don’t answer unknown calls.

Attack Vectors

Financial institutions will never ask for your password or 2FA passcode by email, SMS/text, or phone; only on their website.

Disable setting that allows devices to connect to open Wi-Fi.

Brilliance in the Basics

There’s far less malware for Macs than for Windows, but adware, spyware, and potentially unwanted programs (PUPs) for Macs do exist; Apple’s XProtect doesn’t guard against them, but anti-malware will.

Incident Response

Phishing Victim Response

  1. Disconnect computer from Internet.
  2. Restart in “safe mode” (search “safe mode” and name of your operating system for instructions).
  3. Back up to secure external drive.
  4. Check for malware.
  5. From a known clean device, change credentials of account that was targeted.
  6. Enable fraud alert and credit freeze with credit bureaus (Experian, Equifax, TransUnion, Innovis).
  7. Report to authorities (IC3, US-CERT) and forward phishing email to spam@uce.gov, including full email header. File complaint at FTCcomplaintAssistant.gov. Report phishing email to reportphishing@apwg.org. If damage was high enough, file report with local law enforcement. See IdentityTheft.gov for steps to minimize risk of ID theft.

Ransomware Response

  1. Gather evidence (symptoms, etc.). Take screenshots/photos of ransom note.
  2. Disconnect computer from Internet.
  3. Restart computer in safe mode.
  4. Use anti-malware to scan for ransomware.
  5. Use Crypto Sheriff to check for solutions.
  6. Search for additional decryption tools (search “decryption” and name of ransomware).
  7. Reinstall operating system (OS) to ensure ransomware is completely removed. Search “reinstall” and name of OS for instructions.
  8. Report ransomware to IC3.

Malware Response

  1. Disconnect device from Internet.
  2. Restart in “safe mode.”
  3. Back up to secure external drive.
  4. Delete temp files (search for instructions).
  5. Scan for malware using installed anti-malware. Then use a different computer to put Malwarebytes on a USB drive, and use that to install it on infected computer and scan with it.
  6. Reboot to normal mode.
  7. Scan for malware again.
  8. Install updates to OS and applications.
  9. Fix browser settings (if necessary).
  10. Reinstall OS if computer still seems infected, or you want to be sure to be clean.
  11. Change credentials for all accounts.

Email Compromise Response

  1. Reset password to strong password.
  2. Enable 2FA.
  3. Check email settings for any sign of attacker.
  4. Check forwarding settings.
  5. Check sent email.
  6. Change credentials for all accounts.

Protecting Your Identity

LifeLock has experienced multiple security issues and lawsuits.

Protect Identity and Credit

  1. Freeze credit with credit bureaus.
  2. Put a security freeze on mobile numbers with NCTUE and on bank accounts with ChexSystems.
  3. Opt out of preapproved credit offers at OptOutPrescreen.com.
  4. Shred unnecessary sensitive documents. Store necessary sensitive documents in a locked safe.
  5. Remove mail from mailbox ASAP. Dropping outgoing mail off at post office is safer than using your mailbox.
  6. Beware phishing. Be careful with links and attachments.

Protecting Your Children

Protect Child’s ID

  1. See if your child has a credit file. If yes, review it. If not, open one. Do this with all 4 credit bureaus.
  2. Freeze child’s credit.
  3. Only give out child’s SSN when truly necessary.
  4. Talk to child about keeping info private.
  5. Lock down child’s FAFSA account.

Protect Child from Smart Toys

  1. Research toy’s cybersecurity and privacy practices.
  2. Only connect toy to a network you own, preferably one separated from your main network.
  3. Ensure toy’s connection to Internet is encrypted, and Bluetooth connections require authentication.
  4. Apply updates promptly.
  5. Review and purge recorded video and audio from toy as necessary.
  6. Turn off toy when not used.
  7. Use strong, unique passwords and 2FA if available.
  8. Limit info entered into online account.
  9. Report anything suspicious to IC3.

Protect Child Online

  1. Create separate computer account for each family member, with only as many permissions as necessary.
  2. Consider parental control software such as what’s included in iOS, Qustodio, Net Nanny, Circle.

Protecting Your Money

  1. Enable 2FA and create nonsense answers to security questions.
  2. Use a password manager to create unique, complex passwords.
  3. Create a verbal password/PIN.
  4. Use separate email account for finances.
  5. Use separate, locked-down device for finances.
  6. Bookmark financial websites; don’t type their URLs.
  7. Use only verified financial apps.
  8. Freeze credit.
  9. Enable alerts.
  10. Ensure accounts have 0% fraud liability.
  11. Watch for card-skimming devices. Cover keyboard as you type PIN into card reader. Use card readers in busy areas covered by security cameras.
  12. “Dip” card’s chip; don’t swipe magnetic stripe. Or use mobile payment such as Apple Pay.

Protecting Your Email

  1. Enable 2FA.
  2. Use separate email accounts for separate purposes (banking, shopping, media, social media, etc.).
  3. Move sensitive info from email to secure file storage.
  4. Review activity and settings.
  5. Understand email privacy. Consider a provider of end-to-end encryption such as ProtonMail.

Protecting Your Files

Backup services: Backblaze, IDrive, Acronis True Image, Carbonite.

Protecting Your Website Access and Passwords

Password creation formula, for when you can’t have a password manager create one:

  1. Pick 3 unrelated words.
  2. Between 2 words, put 2-3 numbers.
  3. After numbers, put symbol.
  4. Misspell a word.
  5. Capitalize a letter in a random location.
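As an added example, not from the book or the post, here is a small Python implementation of the five-step formula plus a checker for the structure it produces. The caller supplies the three words (step 1); the misspelling step is implemented by dropping one interior letter and the symbol set is my own choice, since the book specifies neither.

```python
import re
import secrets
import string

# Symbol set used by the generator and checker (an assumption; the book names none)
SYMBOLS = "!@#$%^&*?_-"


def build_password(words, rng=None):
    """Apply the five-step formula: three unrelated words, 2-3 digits between
    two of them, a symbol after the digits, one misspelled word, one capital.
    `words` are chosen by the user (step 1); `rng` defaults to the OS CSPRNG."""
    rng = rng or secrets.SystemRandom()
    if len(words) != 3:
        raise ValueError("pick exactly three unrelated words")
    parts = [w.lower() for w in words]
    # Step 4: misspell one word; here (an assumption) by dropping one interior letter
    i = rng.randrange(3)
    w = parts[i]
    if len(w) >= 3:
        k = rng.randrange(1, len(w) - 1)
        parts[i] = w[:k] + w[k + 1:]
    # Steps 2 and 3: 2-3 digits between two of the words, then a symbol after them
    digits = "".join(rng.choice(string.digits) for _ in range(rng.choice((2, 3))))
    gap = rng.randrange(1, 3)  # insert after the first or the second word
    pw = "".join(parts[:gap]) + digits + rng.choice(SYMBOLS) + "".join(parts[gap:])
    # Step 5: capitalize one letter at a random position
    letter_positions = [n for n, c in enumerate(pw) if c.isalpha()]
    j = rng.choice(letter_positions)
    return pw[:j] + pw[j].upper() + pw[j + 1:]


def follows_formula(pw, original_words):
    """Return True if `pw` has the structure the formula produces: letters,
    then 2-3 digits and a symbol, then letters; exactly one capital letter;
    and at least one of the original words no longer present verbatim."""
    if not re.fullmatch(r"[A-Za-z]+\d{2,3}[!@#$%^&*?_-][A-Za-z]+", pw):
        return False
    if sum(c.isupper() for c in pw) != 1:
        return False
    low = pw.lower()
    return not all(w.lower() in low for w in original_words)
```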

Changing passwords periodically doesn’t provide much benefit as long as passwords are strong, complex, random, and unique. NIST no longer recommends periodic password changes, and a Carleton University study found the practice had minimal benefit.

Protect Online Accounts

  1. Enable 2FA whenever possible. Authenticator apps are more secure than SMS/text.
  2. Use password manager to create and manage passwords.
  3. Consider a VPN to shield you from your ISP.
  4. Before clicking a link, hover over it to see destination. Expand shortened URLs with CheckShortURL.
  5. Get alerts when websites you use are breached, from your password manager or Have I Been Pwned?
  6. When a site you use is breached, change password ASAP.
  7. Create nonsense answers to security questions.
  8. Enable security and activity notifications.
  9. Ensure site is encrypted (using HTTPS) before entering sensitive info.
  10. Install ad-blocking and script-blocking browser extensions.
  11. Don’t use social logins (Google, Facebook, etc.).
  12. Access accounts from a secure device.
  13. Review privacy settings.

Protecting Your Mobile Devices

Protect Against Port-out Scams

  1. Set passcode/PIN on mobile account.
  2. Use authenticator app, not SMS/text for 2FA.
  3. Ask phone company to enable port freeze and SIM lock. You can also set SIM PIN on phone.
  4. Use Google Voice for accounts that only support SMS/text 2FA.

Protect Mobile Device

  1. Use securely designed device. iOS has secure design, less malware, updates managed directly by Apple. If you choose not to use Apple, get a Google Pixel device because they get more regular updates than other Android devices.
  2. Don’t jailbreak.
  3. Enable lock screen. Use code of 6+ digits. On Android, use passcode, not pattern. If you use pattern, use 8+ points in pattern.
  4. Encrypt device.
  5. Apply updates promptly.
  6. Back up to cloud.
  7. Install apps only from official app store.
  8. For Android, consider anti-malware (Bitdefender is rated highly). iOS doesn’t need anti-malware.
  9. Enable “find my device” and remote wipe options.

Protecting Your Home Wi-Fi

  1. Use a securely designed, modern router. Buy, don’t rent. Replace router when no firmware has been released in last year.
  2. Lock down router’s admin console by setting strong password.
  3. Set SSID (network name) to something generic that doesn’t identify you.
  4. Regularly update router firmware. Enable auto-updates if possible; if not, sign up for email notifications of updates, if possible.
  5. Use WPA2 with a strong password.
  6. Lock down router configuration. Disable insecure options such as WPS, UPnP, ping, Telnet, SSH, HNAP. Disable remote management. Enable firewall.
  7. Set up guest network for visitors and IoT (Internet of Things) devices.
  8. Consider turning Wi-Fi off when not home.

Protecting Your IoT Devices

Only wear wearables (fitness trackers, smart watches, etc.) when necessary, and lock down privacy settings. Researchers have used data from wearables to learn PINs and passwords with 90% accuracy.

Protect IoT Devices

  1. Buy from reputable companies. Research security history and frequency of updates. Ensure you can change device passwords.
  2. Review device’s privacy policy.
  3. Set strong passwords.
  4. Install updates promptly. Enable auto-updates if possible; if not, sign up for email notifications of updates, if possible.
  5. Install only verified apps.
  6. Lock down security and privacy settings.
  7. Secure home Wi-Fi. Consider separate network for IoT devices.
  8. Disable features you don’t need.

Protecting Your Information When Traveling

Avoid USB charging stations, which can be hijacked. Use electrical outlets or a USB cable that doesn’t carry data.

Protect Info When Away from Home

  1. Disable auto-connect to available Wi-Fi.
  2. Disable Wi-Fi when not needed.
  3. Verify network before connecting.
  4. Use a VPN when using public Wi-Fi, to encrypt and encapsulate emails, sites you visit, credentials, etc. A VPN protects more than using HTTPS sites alone. TunnelBear is a good VPN.
  5. Use cellular data rather than public Wi-Fi, if possible.
  6. Carry only necessary payment info and ID documents.
  7. Don’t post photos of boarding passes, passport, other travel documents.
  8. Don’t post about your trip. Disable location tracking on social media.

Protect Info When Traveling Out of Country

  1. See section immediately above.
  2. Research country-specific travel advisories.
  3. Remove sensitive info from devices and voicemail.
  4. Take a “burner” (temporary) phone, not your phone.
  5. When having sensitive conversations, turn off phone and remove battery if possible.
  6. Put black tape over cameras when you aren’t using them.
  7. Use a VPN.
  8. Use private browsing.
  9. Upon return home, wipe burner phone and laptop. Change all passwords.

Further Reading

I recommend that you read the book, Cyber Smart: Five Habits to Protect Your Family, Money, and Identity from Cyber Criminals by Bart R. McDonough.

The Resources page has additional cybersecurity and privacy books.

What You Should Do

I recommend that you read the book. I realize my summary is long, but there’s a lot more in the book! Because I’ve already included so much above, I’m going to limit my parting advice to the 5 “Brilliance in the Basics” habits from the book:

  1. Update devices
  2. Enable two-factor authentication (2FA)
  3. Use a password manager
  4. Install and update anti-malware
  5. Back up data
