The Eight Essentials of Secure Computing

Kevin Townsend 24 Jun 2019

Beginning with a secure browser and ending with a healthy paranoia, here are the essentials of staying safe online

A secure browser

For most of us, our web browser is the internet. It’s how we directly access the information and content online, for work, for fun, for research, for finance, for communication and almost everything else we do online. 

As our first, last and primary point of contact with the world wide web, it makes sense to make sure our browsers are as secure as possible.

Fortunately, for the most part, the most popular browsers are secure enough. Whether we’re a Firefox, Edge, Chrome, Safari or even Opera user, the in-built security functions are enough to serve our basic needs. However, this only goes for browsers which are kept fully up-to-date; so, learn how to check for updates. Do so frequently or enable automatic updating on the chosen browser.

However, even if the browser is kept secure, this doesn’t always apply to third-party extensions. Malicious extensions are frequently associated with click fraud. The browser is sent to an advertising site that uses 'pay per click' to earn the extension developer ad-based income. In early 2018, researchers discovered four related Chrome extensions (Change HTTP Request Header; Nyoogle - Custom Logo for Google; Lite Bookmarks; and Stickies - Chrome's Post-it Notes) that had been installed by around 500,000 users. The techniques used, however, could also be used to establish a beachhead into the local network.

In October 2018, Google introduced new security measures aimed against the installation of malicious Chrome extensions, resulting in an 89% drop over the course of the year. Despite this improvement, it remains important to take care over any extensions you install. Check to see if there are any reported problems before installing any browser extension.

Do not expect too much from the browser. It’s tempting to think, “I don’t mind clicking that link because Chrome will tell me if it’s malicious.” It might, but statistically, it probably won’t. Recent research suggests that there are more than 17.5 million websites infected with malware at any time. Only 15% of these are blacklisted by the search engines – which means there are nearly 15 million infected websites that the browser doesn’t know about, and cannot warn us about.

It may be worth looking into specialized security-enhanced browsers from reputable companies – like the Avast Secure Browser, built on the same fast Chromium engine as Google Chrome but offering expanded and more resilient security features.

Ad blocker

At first glance, an ad-blocker seems more like a quality-of-life essential than a security essential. All those pop-ups, pop-unders, banner and tower ads quickly become annoying, and shutting them out certainly improves our browsing experience. However, it is also important to limit the amount of advertising we allow on our browser from a security perspective. Ads can be a surprisingly effective vector for malware and cyber-attacks, such as last year’s PayLeak attack, which posed as a legitimate ad to lure users to fraudulent websites. This was an attack against Apple Pay wallets.

This type of attack is known as malvertising, where a seemingly innocuous advertisement quietly redirects us to a malicious site that attempts to infect us with anything from spyware to ransomware. 

Over the last few years another problem has been growing with online ads. We’re already accustomed to targeted advertising trying to sell us what the marketers think will be of interest. But now there are people trying to sell us political dogma. There have been documented, concerted efforts to influence the political landscape by serving targeted ads which prey on the psychology of users and try to influence the way we vote. This is political social engineering by way of online advertising. 

There are freely available, reputable ad-blocking plugins for most browsers. One is also built-in as a customizable feature of Avast’s Secure Browser. When using an ad blocker, we must not forget to whitelist the most trusted websites to allow our favorite blogs and news sites to afford their upkeep through legitimate advertising. 

Anti-malware

With so many malicious websites, so much malvertising, and so many other ways for bad guys to try steal our identity or infect us with malware, we absolutely need that staple of PC security: an anti-malware solution. Sooner or later, malware is likely to end up on our system, and when it does it needs to be removed as quickly and effectively as possible.

Some operating systems come with their own malware removal tools, like Windows Malicious Software Removal Tool, but these are often lacking in features compared to specialized anti-malware applications. It’s more than a good idea to have an effective anti-virus solution like Avast Free Antivirus to stay protected against outside threats, and to be able to quarantine and remove any malicious files that do make their way onto our machines.

There are several free anti-malware products available. Most have “premium” versions available at a small cost. While the basic malware detection and removal is the same across both versions, the professional system usually provides extra facilities – bells and whistles – that are worth considering.

Password manager (and generator)

A strong password is one of the most basic steps of security, but it’s also one of the most frequently ignored or compromised – a 2019 study from the National Cyber Security Center (NCSC, part of the UK’s GCHQ intelligence service) found that over 23 million users worldwide are still using ‘123456’. A good password is unique, hard to guess and has high entropy – that’s effectively a measure of how long it takes for a computer to brute-force the password. Password entropy is increased by using more characters and mixing  up letters, numbers and symbols. A truly strong password is unbreakable in any meaningful length of time with current computers. (Quantum computing will disrupt things in the future; but that’s another story for another time.)

We’re probably all already familiar with password security’s big problem. We’re supposed to have a different password for every single website and service we use, and each of those passwords is supposed to be long and complicated. It’s bad practice to keep written reminders of our passwords. If anyone gains access to a text file or a physical note, that gives them access to all our accounts and information with those passwords. But, in order to stay sane, most of us have compromised on password security at least a little, whether that’s by keeping reminders of our passwords or cutting down on their complexity.

A good, secure password manager will not only solve the problem of uniqueness and complexity, but will also provide greater convenience when browsing – it will enter the passwords for us. A service like Avast Passwords streamlines the login process without compromising the entropy or uniqueness of them. It can generate unique, high-entropy passwords that are nigh impossible to brute-force, while all we need remember is the master password for the service.

A VPN

VPNs – Virtual Private Networks – have been relatively niche until recently. However, with online privacy concerns growing year on year, and targeted advertisements growing more intrusive and far-reaching, many people are beginning to look for more ways of preserving their online anonymity.

VPNs work by connecting internet traffic to a centralized server network before routing the requests to their destination. This puts a new, anonymous IP address between our device and the websites we navigate to. It means that as far as tracking cookies or any malicious actors monitoring traffic are concerned, our activities can only be traced to the VPN’s server, not to us.

Be careful when choosing a VPN provider; only use trusted, well-known services. Less reputable VPNs can put us in a vulnerable position. While our traffic is not logged and monitored by the sites we visit, the VPN provider may keep its own record – and if the VPN’s owners are unscrupulous, that can be sold on along with other personal information, putting us in a worse position than before we started using the VPN. Avast’s Secureline VPN doesn’t log browsing activity or app usage, and has a seven-day free trial for anyone considering a VPN.

Data backups

Whether it’s by malware, hardware damage or catastrophic software failure, sometimes our devices break down and we lose access to our files. There are many ways to make backups of our data. We could consider external hardware storage, like a removable hard or solid-state drive. These keep a retrievable, long-term copy of our data, but can be time-consuming if our backups need frequent updating. They are also subject to physical damage and decay, which can either mean costly recovery services or permanent data loss.

There is also the option of cloud storage to back up our data. Many of the biggest cloud storage providers, such as Dropbox, OneDrive or Amazon S3, provide limited free storage if we don’t have extensive backup needs. However, some of the basic online services can be vulnerable and are easy to improperly configure for security; a report last year found that 1.5 billion records including sensitive information were left exposed thanks to misconfigured online storage. Since then, many more have been discovered – the most recent, in May, being contact information for millions of Instagram influencers.

While free services might be enough for individual users, small businesses should consider a purpose-built secure data backup and recovery service. A good service will keep important files automatically up to date and accessible across multiple devices – something like Avast’s Backup and Recovery, for example.

Data encryption

Data encryption usually goes on behind the scenes – when we register a password for an online service, that password is stored (or at least it should be) in a salted and hashed format – a form of encryption that prevents hackers from being able to simply read our login credentials if they gain access to the website’s database. A combination of regulations and good practice makes it standard for businesses to encrypt any sensitive customer information they store, so in a sense we’re already making use of data encryption. However, for personal security it would be even better to think about data encryption closer to home.

When we back up sensitive data, it may be worth encrypting it as well. Many cloud storage services encrypt data automatically, but encrypting local data may require a specialized solution.

Many VPNs provide encryption for outbound internet traffic, but they’re not the only option to keep our computing encrypted. We can turn on encryption for our wi-fi network – check the router’s manual for information on how to set this up. If the browser or router offers a setting to reject HTTP connections (which will make sure the computer accepts only the more secure HTTPS connections where available), make sure to enable it. The Avast Secure Browser has this setting enabled by default.

Finally, especially if a computer is shared between multiple family members, we may wish to encrypt certain files or folders to keep the data confidential to oneself. Windows 10 provides its own encryption capabilities, but there are also many third-party file, folder, and disk encryption services. In general when choosing an encryption service, choose a well-known peer-reviewed encryption algorithm – such as AES, Blowfish or its successor Twofish. Avoid encryption developed by the vendor unless it has been thoroughly reviewed by the cryptographic community.

A healthy paranoia

In some ways, this eighth essential for secure computing is the most important of all. It is paranoia - and it works. This is essentially a matter of having the right attitude to security, and is the cheapest and most accessible entry on this list, but can also be the hardest to obtain. The words ‘healthy’ and ‘paranoia’ do not medically go together, but for staying safe online a paranoid attitude is probably the healthiest attitude. 

We need to be aware that any email address can be compromised and that anyone can be impersonated – just because something seems trustworthy doesn’t necessarily mean that it is. It pays to be suspicious of anything online – an email, a website, a social media page – that asks for any personal or financial information, or which asks us to provide our login credentials. 

Do not automatically trust the links in received emails, nor ever open an attachment that isn’t expected. If in doubt, phone the person who sent the attachment to confirm it is genuine.

Remember that banks and financial organizations do not ask for sensitive information in an email or on social media sites. Try to find unbiased, independent reviews of any website or service being considered. Have a look at Avast’s information pages on phishing, social engineering, scams and identity theft for more information on how to spot and defend against such attacks online. Always remember the golden rule: No matter what’s on offer or how plausible it looks, if it seems too good to be true it probably is.

Put simply, we should reverse the proverb: “trust but verify”. For safe computing, we should verify before we trust.

--> -->