Secure devices

Cybersecurity courses

Students Teachers Employees

Computers, phones, tablets, smartwatches, robotic vacuum cleaners, or network-connected centrifuges in the laboratory. All these (and many more) are devices that can be used to attack our cybersecurity. Therefore, we must protect them, both in terms of their physical protection and with an emphasis on their software and the data we store in them. In the fifth module, we will focus together on the general rules of device protection, talk about the use of encryption, and finally smoothly transition to the topic of the need for data and file backups from our devices.

General rules for working with devices
Encryption
I backup, you backup, we backup

General rules for working with devices

Lock, Lock, Lock

If you don't lock your computer when you leave the office and leave something like Facebook logged in on your browser, you're practically inviting a classic prank where colleagues post inappropriate comments on your social network under your name. But that's the least of what can happen. The device simply needs to be locked when we're not using it - otherwise, anyone can do anything on it, and all our efforts to set strong passwords or 2FA are completely useless. The need for physical protection also applies to phones and other devices.

Need to lock your Windows computer? Press Ctrl + Alt + Delete and select Lock. An even quicker way is to use the shortcut by pressing the Windows key and the letter L simultaneously. You can do this in a second when leaving your computer. On a Mac, you can use the Control + Command + Q shortcut, and on Linux devices, the combination Ctrl + Alt + L usually works.

What's mine is mine, what's yours is yours

My work device is my device, and my account is my account. Do we need to check work email, but our laptop is dead, and we only have our child's old home computer available? Are we sure their device is really secure? Or a classmate in a lecture can't connect to the eduroam network and asks us to log in on their device with our username and password. We politely refuse. Our work device is simply ours, and our login credentials are also ours; we don't lend them to anyone.

Private devices in work deployment

If we have a work device, we always use it preferentially for work tasks. But we don't always have our own work phone or laptop, so it may happen that we use private devices for writing work emails or processing invoices. If this is the case, we must really strictly adhere to all the principles from other modules, such as choosing strong passwords, having antivirus software installed (see below), etc. It is our responsibility.

The use of personal devices at AMU for remote work is regulated by Rector's Decree 07/2024 - Employment Relations at AMU, Article 11 - Information Protection, point 2):

Employees working remotely will use only secure and regularly updated technical means, including but not limited to computers, laptops, tablets, and smartphones. These technical means must be equipped with a supported version of the operating system with the latest security updates, including web browsers, antivirus programs, and other software, and further protected by a secure access password.

It's worth suppressing curiosity

There's an abandoned USB stick lying on the windowsill in the hallway. Or someone left a memory SD card on a table in the library. Curiosity burns us, often with the idea of doing a good deed by finding the owner through the files on the "flash drive" or card and returning their lost memory. But we must suppress curiosity; this type of attack relies on natural human curiosity - and often successfully. We simply do not connect any unknown devices or media to our device because we never know what might be lurking on them.

Antivirus is still a necessity

Every day we download files from the internet and open documents from emails. Dozens and hundreds of files that can be potentially dangerous pass through our device. They can hide malicious code. Having antivirus software on your device that can identify and stop these potentially dangerous files before they cause damage is definitely necessary. Antivirus software also needs to be kept updated, but the program usually takes care of that automatically.

More is not always better. It is not good to install multiple antivirus programs on one device. Although it may seem that dual protection will be more effective, two or more active antivirus programs can lead to counterproductive detection or insufficient protection. The topic also includes antivirus software on mobile devices. Generally, we recommend it here as well, but more essential prevention is the regular updating of the operating system (e.g., Android) and installed applications.

Modern versions of the Windows operating system automatically include Microsoft Defender antivirus, which is fully sufficient for protecting regular home computers and laptops. So you don't need to pay unnecessarily for other antivirus solutions unless you specifically need their premium features.

Update, even if it delays us

Yes, updating Windows at the moment we least need it (like when we have an important meeting in five minutes) is really annoying. But updates are not just new features and visual changes in the operating system - updates are primarily responses to discovered security holes. Therefore, we never turn off automatic updates, and if we are offered the option to postpone them, we only do so in very essential cases. These rules apply not only to the Windows operating system but also to all installed applications and programs and, of course, to the system on our mobile phone or tablet (e.g., Android).

Most systems and applications update themselves automatically (or notify us of the existence of updates and prompt us to install them), but it is still good to check that automatic updates are happening. If we find that they are not, it is appropriate to report and resolve this with IT support.

Devices are not just computers and phones

As the number of devices around us connected to the internet dramatically increases, so does the number of ways to attack our cybersecurity. In the era of the so-called Internet of Things, when our refrigerators, light bulbs, home security cameras, smart TVs, or laboratory microscopes are connected to the global network, we need to be on guard. Cases where attackers have exploited weak security of these devices and, for example, defrosted a refrigerator or scared apartment residents by turning lights on and off have been increasing in recent years. Most risks can be resolved with good old practices - strong passwords, regular updates, etc. However, solving some security risks of these devices is beyond our capabilities as users, but it is good to at least think about the risks. What could happen if an attacker, for example, gained control of my robotic vacuum cleaner? Can we imagine such a scenario? It might be more realistic than it seems.

Devices are not just robotic vacuum cleaners and smart bulbs

Computer, phone, tablet, smart bulb, or intelligent refrigerator... are we forgetting something? There are also devices that we don't hold in our hands every day like a phone or tablet, nor are they as sexy as modern smart home elements or smart equipment in the office or laboratory. These are all the boxes behind the desk and under the TV that connect us to the global communication network: Wi-Fi, routers, hubs, amplifiers, etc. They can also be the target or intermediary of an attack. At work, their security is handled by the cybersecurity team and IT department, but at home, we usually have to take care of them ourselves.

There was a time when you could deduce the password from the name of the internet provider UPC network and connect to your neighbor's secured home Wi-Fi in a second - and through that, perhaps even to their network data storage full of private files? Today it's not that simple, but what about your home Wi-Fi password? Does it match what we've already shown about passwords? Isn't it time to change it? Study the manual for your device to find out how.

Encryption

We have already talked about encryption in connection with so-called E2E encryption. However, securing communication is not the only area where encryption can help. Have you ever forgotten your USB drive in a public computer or a public place? Anyone who found it could easily access all the files stored on it. Hopefully, they weren't any sensitive documents.

When we talk about encryption, we usually mean some (often very complex) mathematical process that ensures that the information we want to secure will be readable only to those who have the key to decrypt it. Encryption is a very effective method and we encounter it in many different forms.

Communication encryption - Nowadays, we commonly send sensitive information via email or communication applications. In the previous module, we have already shown that messages sent over the internet can be read under certain conditions - and that the solution is, for example, so-called E2E (end-to-end) encryption.

Web browsing - Browsing the web is nothing more than a constant stream of files, texts, and images between us and computers on the internet, so-called servers. This sending takes place through various protocols, one of which is the HTTP protocol. To ensure that our web browsing is a bit safer, its encrypted variant HTTPS is used. Today, most sites use HTTPS, allowing users, for example, to securely log into online banking or email accounts so that the information sent cannot be intercepted on the network.

Using VPN - A Virtual Private Network allows us to connect to the university network from home and use all the services and benefits of our institution as if we were directly at the university. Internet traffic is encrypted when using VPN technology, so no one can intercept, alter, or even monitor our activity.

Instructions for setting up VPN at AMU: Connecting to Cisco AnyConnect VPN.

Data storage encryption - So far, we have shown the use of encryption mainly in areas where information is being sent somewhere. But we can also encrypt the information we store somewhere and do not send anywhere - for example, files on our computer or phone. These can also be threatened, for example, if our device is stolen. Or honestly answer the question, how many times have you forgotten your USB drive somewhere so that anyone could have access to it and the data on it? If this flash drive were encrypted, no random finder would be able to access the data without the key.

To encrypt an external USB drive in Windows, you don't need any special application; the BitLocker encryption tool is implemented directly into the Windows operating system. Connect the USB drive, right-click on its icon in Windows Explorer, and select Turn on BitLocker. The system will guide you through the next process. Just don't forget the password you use to encrypt the USB drive - save it, for example, in a password manager. Note that a disk encrypted with BitLocker can only be decrypted on Windows devices.

Where sensitive information is handled, hard drives in computers are also encrypted. Imagine an attacker physically steals your laptop - they don't know your Windows system password, but that won't stop them from accessing your data stored on the laptop. How? They simply open the computer and remove the hard drive. They then connect it to their computer and can easily access the data on your HDD. However, only if your hard drive was not encrypted - in that case, the attacker will be out of luck.

Encryption is a powerful technology, but it can also be misused. Let's take a moment to discuss the topic of backups and ransomware.

I backup, you backup, we backup

The calculations might be a bit wild, but it is said that in the USA alone, 140,000 hard drives fail every week. In the rush of daily activities, we often don't realize what would happen if our disk went to the eternal hunting grounds. In the haste of digital lives, we leave files on the desktop of the computer or in the Documents folder on the local device, on the phone, or perhaps the tablet. There, our data is most threatened by two risks: unexpected device failure (or hard drive failure) and the threat called ransomware.

Ransomware

Ransomware is a malicious program that we download inadvertently from a spoofed email or it moves in without our knowledge when visiting an infected website. Ransomware then encrypts our data, blocks our access to the device, and demands a ransom for decrypting the data. The ransom is usually paid in anonymous digital currencies - and it's not a small amount of money.

A survey by Sophos State of Ransomware 2021 showed that the average ransom paid is around 3.6 million CZK, with the median value around 200,000 CZK. Only 8% of affected institutions actually get back all the data that was encrypted, 29% get no more than half of the original data. Yet many of them pay - they have no other way to access the data because they didn't address backups. And ransomware also affects individuals.

Ransomware often puts you in a time crunch - "if you don't pay as quickly as possible, I'll start deleting your files." The malicious ransomware Jigsaw and its subsequent variants, for example, delete a few of your files every hour after encrypting them - the longer you delay paying the ransom, the more of your files irreversibly disappear. If you don't pay within 72 hours, everything is deleted. Dozens of variants and clones of Jigsaw ransomware have adopted this malicious time strategy, and today they may also threaten to publish your sensitive data and files.

Some cybercriminals even have customer service lines. The fact that you don't know how Bitcoin works and where to get it is no problem for the attackers. Some ransomware has a link to chat with live support. The "customer" service representative will greet you nicely, explain everything to you, and guide you through the process of paying the ransom for your data. Business is business, and cybercrime has become significantly professionalized in recent years. But if you spend a few moments on backups, you'll save time, nerves, and money.

So how do you defend against a ransomware attack?

Install antivirus software and keep it updated.
Update all your programs, web browsers, and operating system.
Back up your important data.

What to back up?

Prioritize! Not all files are equal, some are more important than others. A draft of a thesis or a draft of a scholarly article is certainly more valuable than funny pictures downloaded from Facebook. When ransomware strikes, we probably won't even open our wallet for funny cat GIFs - but for a bachelor's thesis almost ready for submission, we might be desperate enough to break the piggy bank. Therefore, it is not necessary to back up everything, but it is useful to segment your files, selecting the most important and essential ones.

Locally or in the cloud?

Copying a backup of a draft thesis from the desktop to an external flash drive is not the most optimal way - but even that is better than nothing. What other options do we have?

Cloud backup - Probably the most commonly used method today is the so-called cloud backup. In the cloud, we have data backed up immediately and accessible from our other devices at any time. Usually, we set everything up once and then forget about the backup - everything happens automatically. The fact that the data is "somewhere online in the cloud" carries other security risks, and it is good to follow the advice regarding strong passwords and 2FA. At AMU, we use the OneDrive platform for cloud file storage.

Even the cloud is not immune to ransomware attacks. If I have backup set up to a cloud storage on my PC and I become a victim of a ransomware attack, will it affect my files in the cloud? Theoretically, yes. If you use cloud storage like Google Drive or OneDrive and have a program installed on your device that automatically takes care of uploading your files to the cloud and updating them, it can happen that the malicious ransomware encrypts the files and the unsuspecting synchronization program replaces the files in the cloud with encrypted versions. However, most cloud storage solutions will handle this for you, for example, OneDrive will notice that the file changes show signs of a ransomware attack and will guide you through the file recovery process.

Local backup - Can be done on external media. Today, no one probably backs up by burning to CD or DVD discs, but an external hard drive can be a good choice. Here too, backups can be automated. There are programs that can automatically send backups of preset files and folders to the disk after connecting the external drive so that we don't have to do it manually. However, it is necessary to remember that backups must be done regularly, and we cannot leave the external drive constantly connected to the device - when ransomware comes, it will encrypt the connected external media (including such a USB drive), and backups on external media can also succumb to it.

If a security incident has occurred or you suspect that your cybersecurity may have been compromised, please report it to us.

Author: CRP-Kyber, edited and translated by Jiří Krčmář | Date: 21.09.2024