Cyber Smart Book Review: Five Habits to Protect Your Family, Money, and Identity from Cyber Criminals

Today I’d like to share with you my new favorite book about personal cybersecurity, Cyber Smart: Five Habits to Protect Your Family, Money, and Identity from Cyber Criminals by Bart R. McDonough. I’ll give you my summary of the book, but I highly recommend that you read the book for yourself!

Cyber Smart Book Review & Summary

This is now my top recommendation in personal cybersecurity books! It’s the type of book I would write; it’s exactly the type of content I’m working to share through Defending Digital. It’s bursting with step-by-step advice for everyday individuals to protect their devices, networks, accounts, identities, money, and personal data. The plethora of steps are based on 5 simple “cybersecurity hygiene” habits.

In most personal cybersecurity books you needed to wade through the fluff to find the practical advice. Not so with this one! It’s spelled out with many lists of numbered steps. There are plenty of specific examples to illustrate digital dangers. I like how common myths are dispelled with facts.

Much of the advice is repeated from section to section. This is fine if you treat the book as a reference, but it’s tiring if you read it cover to cover as I did. Some of the stories are slightly longer than necessary to make their point.

Part 1 describes various threats to personal cybersecurity, with a few protection tips sprinkled in. Part 2 goes into more detail, with many specific protection recommendations. The book’s emphasis is more on security than privacy, though there are privacy-related tips.

McDonough is a cybersecurity expert, and he brings in authoritative research to support his advice. He’s the CEO and founder of Agio, a provider of cybersecurity and managed IT, and he’s on the board of several security companies.

McDonough both raises awareness and gives practical advice on prevention and remediation. He’s realistic; he doesn’t resort to doom-and-gloom scare tactics, nor does he have an overly-optimistic, Pollyanna attitude.

In my summary below, I generally only define terms and acronyms once, so if you don’t understand one, look higher in the post, or check the glossary.

Introduction

Online, we all live in a “bad neighborhood” and need to take precautions.

“Brilliance in the Basics” Habits

1. Update devices
2. Enable two-factor authentication (2FA)
3. Use a password manager
4. Install and update anti-malware
5. Back up data

Overview of Cyber Risks

Before performing a wire transfer, confirm instructions with the other party, in person or by video or phone call. Do a test transfer of $100 before doing the rest.

81% of hacking-related breaches used stolen and/or weak passwords.

Definitions

Breach: incident where sensitive, private, or confidential info is accessed without authorization.

Cyberattack: attack with a primary objective of accessing, modifying, disclosing, selling stolen info. Doesn’t necessarily involve hacking.

Hack: malicious act using manual or automated tech to crack a code or break into a target’s computer systems.

Attackers

90% of hackers are under age 34, 97% are male, 45% have full-time jobs, and hack in spare time, according to HackerOne study.

72% of hackers hack for the money, 71% for fun, 66% for the challenge, 51% to do good.

80% of black-hat hackers are connected to criminal organizations.

Attack Methods

Phishing is the most common way individuals are hacked.

Phone numbers can be spoofed easily, so don’t provide personal info by phone or SMS/text unless you verify the recipient is valid and there’s a true need.

To guard against crypto-jacking, use anti-malware and browser plugin that can block it, monitor CPU levels and computer processes.

FBI says don’t pay ransomware ransoms because bad actors may not decrypt your files, and paying encourages the behavior.

If you receive a call claiming to be tech support, hang up and call support number on the company website, or submit a help desk ticket through the company website.

FBI says if you receive a suspicious call demanding money in a short time for sake of family or friend, hang up or use a different form of communication to check with referenced family or friend.

Protect Yourself from Robocalls

1. See if your phone carrier has robocall protection.
2. Get a robocall-blocking app such as Nomorobo.
3. Don’t answer unknown calls.

Attack Vectors

Financial institutions will never ask for your password or 2FA passcode by email, SMS/text, phone; only on their website.

Disable setting that allows devices to connect to open Wi-Fi.

Brilliance in the Basics

There’s far less malware for Macs than Windows, but there exist adware, spyware, potentially unwanted programs (PUPs) for Macs that Apple’s XProtect doesn’t guard against, but anti-malware will.

Incident Response

Phishing Victim Response

1. Disconnect your computer from the Internet.
2. Restart in “safe mode” (search “safe mode” and name of your operating system for instructions).
3. Back up to secure external drive.
4. Check for malware.
5. From a known clean device, change the credentials of the account that was targeted.
6. Enable fraud alert and credit freeze with credit bureaus (Experian, Equifax, TransUnion, Innovis).
7. Report to authorities (IC3, US-CERT) and forward phishing email to [email protected], including full email header. File a complaint at FTCcomplaintAssistant.gov. Report phishing email to [email protected]. If the damage was high enough, file a report with local law enforcement. See IdentityTheft.gov for steps to minimize the risk of ID theft.

Ransomware Response

1. Gather evidence (symptoms, etc.). Take screenshots/photos of the ransom note.
2. Disconnect the computer from the Internet.
3. Restart the computer in safe mode.
4. Use anti-malware to scan for ransomware.
5. Use Crypto Sheriff to check for solutions.
6. Search for additional decryption tools (search “decryption” and name of ransomware).
7. Reinstall operating system (OS) to ensure ransomware is completely removed. Search “reinstall” and name of OS for instructions.
8. Report ransomware to IC3.

Malware Response

1. Disconnect your device from the Internet.
2. Restart in “safe mode.”
3. Back up to secure external drive.
4. Delete temp files (search for instructions).
5. Scan for malware using installed anti-malware. Then use a different computer to put Malwarebytes on a USB drive, and use that to install it on an infected computer and scan with it.
6. Reboot to normal mode.
7. Scan for malware again.
8. Install updates to OS and applications.
9. Fix browser settings (if necessary).
10. Reinstall OS if the computer still seems infected, or you want to be sure to be clean.
11. Change credentials for all accounts.

Email Compromise Response

1. Reset password to a strong password.
2. Enable 2FA.
3. Check email settings for any sign of an attacker.
4. Check forwarding settings.
5. Check the sent email.
6. Change credentials for all accounts.

Protecting Your Identity

LifeLock has experienced multiple security issues and lawsuits.

Protect Identity and Credit

1. Freeze credit with credit bureaus.
2. Put a security freeze on mobile numbers with NCTUE and bank accounts with ChexSystems.
3. Opt-out of pre-approved credit offers at OptOutPrescreen.com.
4. Shred unnecessary sensitive documents. Store necessary sensitive documents in a locked safe.
5. Remove mail from the mailbox ASAP. Dropping outgoing mail off at the post office is safer than using your mailbox.
6. Beware phishing. Be careful with links and attachments.

Protecting Your Children

Protect Child’s ID

1. See if the child has a credit file. If yes, review it. If not, open it. Do with 4 credit bureaus.
2. Freeze child’s credit.
3. Only give out the child’s SSN when truly necessary.
4. Talk to the child about keeping info private.
5. Lockdown child’s FAFSA account.

Protect Child from Smart Toys

1. Research toy’s cybersecurity and privacy practices.
2. Only connect the toy to a network you own, preferably one separated from your main network.
3. Ensure the toy’s connection to the Internet is encrypted, and Bluetooth connections require authentication.
4. Apply updates promptly.
5. Review and purge recorded video and audio from the toy as necessary.
6. Turn off the toy when not used.
7. Use strong, unique passwords and 2FA if available.
8. Limit info entered into an online account.
9. Report anything suspicious to IC3.

Protect Child Online

1. Create a separate computer account for each family member, with only as many permissions as necessary.
2. Consider parental-control software such as what’s included in iOS, Qustodio, Net Nanny, Circle Home Plus.

Protecting Your Money

1. Enable 2FA and create nonsense answers to security questions.
2. Use a password manager to create unique, complex passwords.
3. Create a verbal password/PIN.
4. Use separate email account for finances.
5. Use separate, locked-down devices for finances.
6. Bookmark financial websites; don’t type their URLs.
7. Use only verified financial apps.
8. Freeze credit.
9. Enable alerts.
10. Ensure accounts have 0% fraud liability.
11. Watch for card-skimming devices. Cover keyboard as you type PIN into the card reader. Use card readers in busy areas covered by security cameras.
12. “Dip” card’s chip; don’t swipe the magnetic stripe. Or use mobile payment such as Apple Pay.

Protecting Your Email

1. Enable 2FA.
2. Use separate email accounts for separate purposes (banking, shopping, media, social media, etc.).
3. Move sensitive info from email to secure file storage.
4. Review activity and settings.
5. Understand email privacy. Consider a provider of end-to-end encryption such as ProtonMail.

Protecting Your Files

Backup Services

• Backblaze
• IDrive
• Acronis True Image
• Carbonite

Protecting Your Website Access and Passwords

Password creation formula, for when you can’t have password manager create

1. Pick 3 unrelated words.
2. Between 2 words, put 2-3 numbers.
3. After numbers, put symbol.
4. Misspell a word.
5. Capitalize a letter in a random location.

Changing passwords periodically doesn’t provide much benefit as long as passwords are strong, complex, random, unique. NIST no longer recommends periodic password changes, and a Carleton University study found the practice had minimal benefit.

Protect Online Accounts

1. Enable 2FA whenever possible. Authenticator apps are more secure than SMS/text.
2. Use a password manager to create and manage passwords.
3. Consider a VPN to shield you from your ISP.
4. Before clicking a link, hover over it to see the destination. Expand shortened URLs with CheckShortURL.
5. Get alerts when the website you use is breached, from your password manager or Have I Been Pwned?
6. When a site you use is breached, change your password ASAP.
7. Create nonsense answers to security questions.
8. Enable security and activity notifications.
9. Ensure the site is encrypted (using HTTPS) before entering sensitive info.
10. Install ad-blocking and script-blocking browser extensions.
11. Don’t use social logins (Google, Facebook, etc.).
12. Access accounts from a secure device.
13. Review privacy settings.

Protecting Your Mobile Devices

Protect Against Port-out Scams

1. Set passcode/PIN on your mobile account.
2. Use the authenticator app, not SMS/text for 2FA.
3. Ask phone company to enable port freeze and SIM lock. You can also set a SIM PIN on the phone.
4. Use Google Voice for accounts that only support SMS/text 2FA.

Protect Mobile Device

1. Use a securely designed device. iOS has secure design, less malware, updates managed directly by Apple. If you choose not to use Apple, get a Google Pixel device because they get more regular updates than other Android devices.
2. Don’t jailbreak.
3. Enable lock screen. Use code of 6+ digits. On Android, use passcode, not pattern. If you use patterns, use 8+ points in the pattern.
4. Encrypt device.
5. Apply updates promptly.
6. Back up to the cloud.
7. Install apps only from the official app store.
8. For Android, consider anti-malware (Bitdefender is rated highly). iOS doesn’t need anti-malware.
9. Enable “Find my device” and remote wipe options.

Protecting Your Home Wi-Fi

1. Use a securely designed, modern router. Buy, don’t rent. Replace router when no firmware has been released in last year.
2. Lockdown router’s admin console by setting a strong password.
3. Set SSID (network name) to something generic that doesn’t identify you.
4. Regularly update router firmware. Enable auto-updates if possible; if not, sign up for email notifications of updates, if possible.
5. Use WPA2 with a strong password.
6. Lockdown router configuration. Disable insecure options such as WPS, UPnP, Ping, Telnet, SSH, HNAP. Disable remote management. Enable firewall.
7. Set up a guest network for visitors and IoT (Internet of Things) devices.
8. Consider turning Wi-Fi off when not home.

Protecting Your IoT Devices

Only wear wearables (fitness trackers, smartwatches, etc.) when necessary, and lockdown privacy settings. Researchers have used data from wearables to learn PINs and passwords with 90% accuracy.

Protect IoT Devices

1. Buy from reputable companies. Research security history and frequency of updates. Ensure you can change device passwords.
2. Review the device’s privacy policy.
3. Set strong passwords.
4. Install updates promptly. Enable auto-updates if possible; if not, sign up for email notifications of updates, if possible.
5. Install only verified apps.
6. Lockdown security and privacy settings.
7. Secure home Wi-Fi. Consider a separate network for IoT devices.
8. Disable features you don’t need.

Protecting Your Information When Traveling

Avoid USB charging stations, which can be hijacked. Use electrical outlets or a USB cable that doesn’t carry data.

Protect Info When Away from Home

1. Disable auto-connect to available Wi-Fi.
2. Disable Wi-Fi when not needed.
3. Verify the network before connecting.
4. Use a VPN when using public Wi-Fi, to encrypt and encapsulate emails, sites you visit, credentials, etc. VPN protects more than using HTTPS sites. TunnelBear is a good VPN.
5. Use cellular data rather than public Wi-Fi, if possible.
6. Carry only necessary payment info and ID documents.
7. Don’t post photos of boarding passes, passport, other travel documents.
8. Don’t post about your trip. Disable location tracking on social media.

Protect Info When Traveling Out of Country

1. See the section immediately above.
2. Research country-specific travel advisories.
3. Remove sensitive info from devices and voicemail.
4. Take a “burner” (temporary) phone, not your phone.
5. When having sensitive conversations, turn off the phone and remove the battery if possible.
6. Put black tape over camera would not using.
7. Use a VPN.
8. Use private browsing.
9. Upon return home, wipe the burner phone and laptop. Change all passwords.

Cyber Smart Book Review – Final Thoughts

I recommend that you read the book, Cyber Smart: Five Habits to Protect Your Family, Money, and Identity from Cyber Criminals by Bart R. McDonough.

The Resources page has additional cybersecurity and privacy books.

What You Should Do

I recommend that you read the book. I realize my summary is long, but there’s a lot more in the book! Because I’ve already included so much above, I’m going to limit my parting advice to the 5 “Brilliance in the Basics” habits from the book:

1. Update devices.
2. Enable two-factor authentication (2FA).
3. Use a password manager.
4. Install and update anti-malware.
5. Back up data.