Laser Technik Ltd
Providing Internet services for over a quarter of a century
Security
Security comes at a cost and is commonly regarded as an optional extra, a bit like insurance: you pay for it and you may never need it. Most domestic burglar alarms are reportedly bought by householders after they’ve been robbed.
So it’s a boring topic, you’ve heard the message so many times before, you’re going to stop reading now…
Still here? Well I’ll try to keep it brief.
My concern is with protecting your web site. There’s a weak link outside my control: you!
If you use your PC to make updates to your web site, any problems with your personal security could facilitate an attack on the web site.
There’s a lot you can do to improve security. I doubt anyone uses all possible measures, but let’s take a look at what is possible. Some of these suggestions will be familiar, others may seem “too technical”. The complete list (and more) may only be applicable to the most paranoid employees of GCHQ, so it’s not a checklist, but the more you do the better.
- If your PC security is compromised then so, potentially, are all your passwords.
- Your PC is connected to the internet via a router, and that router is a potential way in to your PC for a hacker. It came with a default password; that should be changed.
- I expect many of us have an older PC perhaps scheduled for recycling. You could use that as a dedicated website update terminal. It’s not as difficult as it sounds, just retain the processor box and use a KVM switch to share Keyboard, Video and Mouse with your “normal” PC.
- Windows Login. Use a good password.
- Use Two Factor Authentication (2FA). If you use online banking you’ll have encountered 2FA; it takes various forms, for example a small keyring device that generates a one-time password, or a code sent to your mobile.
- Win10 offers 2FA login protection, why not use that too?
- Only install software you need.
- Don’t let the kids play games on the “work” computer – actually, don’t let them use it at all.
- Take great care to ensure any software you install is from a reputable source, and do a Google search to see if it has a good reputation (but beware, malware authors post fake positive reviews).
- Use a password vault. I have hundreds of passwords and, since all must be different and complex, they are impossible to remember. LastPass was a good way to keep them safe, but they recently changed their policies and prices; https://bitwarden.com offers a strong alternative (with a free tier) and will import data from LastPass. The catch is that a password vault then holds all those login credentials, so it is an even more tempting target, and protecting its master password is all the more important. Once you have logged in to the password vault it remains open, so all your passwords are readily available.
- You should use 2FA with your password vault.
- Use 2FA wherever it’s an option. Note that 2FA that works by text message or email is less secure if your mobile is not password enabled.
- Ensure your Email account login is secure (good password, 2FA).
- Install a good commercial security package (quantity licenses, multi-year multi-PC licensing can bring the cost per device down to a few pence a week).
- Most web browsers (Chrome, Edge, Firefox etc) now offer to store passwords of sites you visit. The security of that storage is questionable, best avoided.
- Be alert to Phishing email (and phone) scams. Any exhortations to take prompt action are suspect, even if they appear to be from a legitimate source. If in any doubt whatsoever, it’s a scam. If you do think it may be genuine, find a different way to get in touch to check legitimacy. No legitimate organisation should ever ask you to take any action or provide ID unless you initiated the contact.
- WordPress login security: most new websites are created using WordPress.
- We can set up 2FA on a WordPress site on request, we don’t do so automatically because it needs your involvement.
- You will have been given a Login address, a User name and a Password. Never share them with anyone. It’s easy to add a separate user, and their access rights can be limited to those they need (i.e. no Admin access).
- Hackers will assume a username of Admin (so avoid that!) and then try some “obvious” passwords. Most login pages will now limit the number of password attempts.
- The password we set up will be strong and hard to remember. That makes it difficult for you and there’s a temptation to change it for something easier. Don’t.
- Consider using a VPN. This makes more of your internet traffic more secure, but it can slow access. I mostly use a VPN for things such as access to online banking.
- Trust nobody. That’s not to say the individual is untrustworthy, but they may not treat security with the same caution as you. Also, circumstances can change.
- Take great care with social media not to disclose any information which could be used to your detriment. For example, if the MD’s kids announce that the family is off on a cruise (communication may be difficult on holiday, especially at sea) for a well-earned break, perhaps his deputy will be a good target for manipulation (… I promised the MD (we were at [university name found on LinkedIn] together) I’d complete [an important task] by the end of this week, didn’t he tell you? He mentioned he was taking [name of wife from Facebook] to [location information from Facebook] as a reward for [child’s name from Facebook] for the great “A” level result [as announced on Facebook]. Must have been too busy packing! Can you help? I just need the password…).
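The “small keyring device” and the authenticator-app codes mentioned in the 2FA points above all work the same way: the device and the website share a secret, and each 30 seconds both compute a short code from that secret and the clock. As an added example (this is not code from this page or from Laser Technik), here is how such a code is generated and checked, using the standard HOTP (RFC 4226) and TOTP (RFC 6238) algorithms from the Python standard library. The shared secret is the published RFC test value, used purely as a demo; the one-step drift window and the replay guard on the server side are my own choices for the example.

```python
import hashlib
import hmac
import struct
import time
from typing import Optional

# Shared secret as it would be provisioned into a keyring token or authenticator app.
# This is the published RFC 4226 / RFC 6238 test secret, used here only as a demo value.
DEMO_SECRET = b"12345678901234567890"
TIME_STEP = 30  # seconds per code, the usual default


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HMAC-based one-time password (RFC 4226) for a given counter value."""
    msg = struct.pack(">Q", counter)                      # 8-byte big-endian counter
    digest = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F                            # dynamic truncation offset
    chunk = digest[offset:offset + 4]
    code = struct.unpack(">I", chunk)[0] & 0x7FFFFFFF     # drop the sign bit
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at_time: Optional[float] = None, digits: int = 6) -> str:
    """Time-based one-time password (RFC 6238): HOTP over the current 30-second window."""
    if at_time is None:
        at_time = time.time()
    return hotp(secret, int(at_time // TIME_STEP), digits)


class TotpVerifier:
    """Server-side check of a submitted code. Tolerates a little clock drift between
    the token and the server, and refuses to accept the same code window twice,
    so a code that was captured and replayed is rejected."""

    def __init__(self, secret: bytes, window: int = 1, digits: int = 6):
        self.secret = secret
        self.window = window          # accept +/- this many 30-second steps of drift
        self.digits = digits
        self.last_counter = -1        # highest counter already used successfully

    def verify(self, submitted: str, at_time: Optional[float] = None) -> bool:
        if at_time is None:
            at_time = time.time()
        now_counter = int(at_time // TIME_STEP)
        for drift in range(-self.window, self.window + 1):
            counter = now_counter + drift
            if counter <= self.last_counter:
                continue              # already consumed: a replayed code is rejected
            expected = hotp(self.secret, counter, self.digits)
            if hmac.compare_digest(expected, submitted):   # constant-time comparison
                self.last_counter = counter
                return True
        return False


if __name__ == "__main__":
    print("code right now:", totp(DEMO_SECRET))
    verifier = TotpVerifier(DEMO_SECRET)
    code = totp(DEMO_SECRET, at_time=59)
    print("code at t=59:", code, "accepted:", verifier.verify(code, at_time=59))
    print("same code submitted again:", verifier.verify(code, at_time=59))
```

The point for a website owner is that the code is worthless to a thief after about a minute and, with the replay check, cannot be reused even inside that minute; that is why a one-time code is so much stronger than a password on its own, and why the secret behind it (like a master password) must never be shared.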