Sean Wright


Personal blog of app security guy, blogging about application security related topics, focused primarily on web based applications.

End User Security Cheatsheet

23rd February 2019

This cheatsheet is primarily aimed at end users, with the goal of improving their overall security practices. While this is not a complete list, and it won't provide complete security (nothing will), following the guidelines outlined here should improve your overall security posture and make it harder for the bad guys to successfully hack you.

While some might like to have some form of security magic bullet to solve all of their security issues, nothing like this exists. By taking some simple, yet important, steps you place yourself in a better position to thwart attempts by most attackers. At the end of the day, the best way to thwart an attacker is to make it so difficult and frustrating for them that they instead spend their effort elsewhere.

I will try to keep this list as up to date as possible, with changes tracked at the end.

Passwords

  • Use a password manager where possible.
    • Why: Using a password manager allows a user to use a long and unique password for each login, without having to remember any of them.
    • Recommended vendors:
  • Use longer passwords as opposed to more "complex" passwords.
    • Why: Each additional character multiplies the number of possibilities, so a longer password will take an attacker far longer to brute force than a short password with special characters.
  • Use MFA (Multi-Factor Authentication) wherever possible.
    • Why: If a password is compromised, this forms another layer which the attacker needs to get through in order to gain access to the account. Passwords can be compromised in several ways, such as a successful phishing attack, a server breach (where the vendor does not sufficiently protect user passwords), or the user accidentally leaking their password.
    • What is MFA: This is sometimes referred to as 2 Factor Authentication (2FA); 2FA is a form of MFA. Almost all authentication is performed using a known secret (a password), which is something the user knows. MFA adds an additional validation step to the authentication process, using something which the user has and which is delivered out of band (separately from the system to which they are authenticating). This could be a hardware token, a software based token, a one time code, or another form.
    • Where possible use the following forms of MFA in the following order:
      • U2F (FIDO)
      • TOTP (time-based one time codes from an authenticator app)
      • Push notifications (for example, as used by Duo)
      • Phone call
      • SMS (this has known flaws but is still better than no MFA)
  • Only change your password when there is reason to believe it has been compromised.
    • Why: The old advice was to change passwords after a set period. However, this led to users choosing weaker passwords, or simply reusing a password and appending a single character to it. Regularly changing passwords does not provide any significant advantage and places a tremendous burden on the user, especially if they have several accounts. Enabling features such as MFA has a much bigger impact.

Software

  • Patch/install updates as soon as possible.
    • Why: Patches and updates, more often than not, contain fixes for security vulnerabilities in the system/service. Applying the patch remedies these known vulnerabilities, preventing attackers from using them to gain access to your system, service, account, data, etc.
  • Do not use End Of Life (EOL) software.
    • Why: This software is no longer maintained by the vendor. As a result, any new security vulnerabilities are not fixed and will remain a risk for as long as the software is in use.

Mobile

  • Only install software from the official application stores (for Android this is the Google Play Store, for iOS this is the Apple App Store).
    • Why: Both Apple and Google have put effort into trying to detect malicious applications in their application stores. Although this is not foolproof, it does provide significantly more protection than installing applications from outside the official application stores, where there is no such protection. Having an application hosted outside of an application store should also raise some suspicion about the intent of the application.
  • Ensure that the option to automatically update applications is enabled.
    • Why: This ensures that the applications installed on your mobile are updated automatically, and as a result receive fixes for security vulnerabilities as soon as possible.
  • Do not reply to text/SMS messages from unknown numbers.
    • Why: Some of these are premium rate numbers, and replying can result in a charge against your mobile account.
  • Do not call unknown numbers from texts/SMS.
    • Why: Some attackers use this method to get the victim to call a premium rate number, which results in additional charges against your mobile account.

Email

  • Do not open attachments from untrusted senders. Only open attachments which you are expecting from a known source.
    • Why: Attackers will often try to trick victims into opening an email attachment which launches their payload, allowing the attacker to do things such as install malware on the victim's system.
  • Do not click on any links from untrusted senders.
    • Why: Attackers will often try to trick users into visiting links which they supply in the email. This is referred to as phishing. The link could take the victim to a fake site which may do things such as present a fake login page, or even attempt to install malware on the victim's system.

Web

WiFi

  • Where possible avoid connecting to unknown and untrusted hotspots.
    • Why: Attackers can set up hotspots in order to intercept your traffic. This puts them in a position to view the data being sent as well as to modify it (see the point above about Man in The Middle attacks).
  • If you have to connect to a public hotspot, use a VPN.
    • Why: Using a VPN ensures that the traffic transmitted over the wireless connection to the VPN server is encrypted. This prevents an attacker on the hotspot from viewing or modifying the data being sent to and from the victim's computer.
    • Recommended VPN providers:

Changes

  • 23 February 2019 - Original publication.
  • 24 February 2019 - Added additional details to MFA section, as well as improved formatting. Additionally added list of recommended VPN providers.
  • 28 February 2019 - Updated the email attachment advice.
  • 1 March 2019 - Added advice to use the HTTPS Everywhere browser plugin.
