Foreword by Chase Cunningham
A Personal Firewall for Life
Let’s face it—cybercrime isn’t just something that happens to large corporations or the tech-savvy. It’s not a distant threat, but a pervasive one, lurking at the edges of your Wi-Fi connection, eyeing your email inbox, and waiting when you click “Sure, I accept cookies” without thinking twice. But here’s the thing: protecting yourself from cybercrime doesn’t have to be an arduous task.
In today’s hyper-connected world, where even our refrigerators want to be on the internet, cyber threats are a reality for everyone. We’re talking about data breaches, identity theft, phishing attacks, ransomware—the list is longer than your Netflix queue. But while these threats are everywhere, so are the tools to protect yourself, and, spoiler alert: you don’t need a PhD in computer science to do it. These tools are within your reach, empowering you to take control of your digital security.
Cybersecurity, at its core, is about making life just a little harder for the bad guys—and that’s not as hard as it sounds. It’s like locking your front door and not leaving your wallet on the dashboard when you park your car. Well-applied, basic security principles—like using strong passwords, avoiding sketchy links, and updating your software occasionally—are all necessary to create a solid defense. These are simple measures that anyone can implement, and they can make a significant difference in your digital security.
The goal of this book isn’t to turn you into a hacker’s worst nightmare (though that would be cool). It gives you the tools to stay one step ahead of today’s cyber threats without feeling like you’ve entered the Matrix. You don’t have to wear sunglasses at your keyboard to feel secure, but a little awareness and a few well-placed protections can make all the difference between a peaceful night’s sleep and a frantic call to your bank.
So, buckle up, keep your guard up, and remember: in the digital world, staying safe isn’t about being perfect; it’s about being prepared. Let’s make sure the cybercriminals swipe left on you.
About Chase
Known in the cybersecurity industry as “Dr. Zero Trust,” Chase Cunningham has extensive experience in all aspects of enterprise security. Before joining G2, he was the CSO at Ericom Software. He was also previously Vice President Principal Analyst at Forrester, where he tracked and covered all aspects of enterprise security, including zero-trust trends, technologies, and frameworks. Creator of the Zero Trust eXtended framework and a cybersecurity expert, Chase has decades of operational experience working in various capacities supporting NSA, US Navy, FBI Cyber, and other government mission groups. Chase was also a Forrester analyst tasked with managing and developing their zero trust portfolio of accounts and leading the research in that channel.
Introduction
Years ago, I was at a hacker conference in Las Vegas called DEFCON. During a session in the Social Engineering Village, an awesome social engineer said to stop delivering the same lame corporate training to your company’s employees. She said, “Teach them how to protect themselves and their families.” That struck a chord with me, like an A-Sharp (for the musical folks). In large enterprises, we deliver training, which is usually required annually for compliance reasons. But it’s lame and boring, and as such, most people have it running in the background while they ignore it and do some real work.
In the end, we all care about our personal details, safety and money way more than we care about our employer’s assets. I like my bank account to have money. Or, when there’s none, it’s because I bought lots of music gear.
That’s what led me to write this document: something that you can use at home, some simple education that doesn’t require an IT degree to understand. Plain English, or in my case, a bastardized Scottish-American vibe… anyway, we’ll try to keep it easy.
Identity 101: A Quick Lesson
Before we start, when you use most apps, services, and websites, they want to know it’s you. So, they ask you to create an account. This requires a bunch of information, but the core thing is a username and password. This is so they know it’s you.
A username obviously has to be unique since it’s tied only to you. The most common way to do this is to use an email address, but some companies still use a username that you or they create, and your email address is then separate (the idea being that you may wish to change email over time). The password is then something you create which, as we explain below, should be unique to that account and not reused.
Apps, services and websites have collected a wide range of personally identifiable information (PII) on each of us, including, but not limited to, our government IDs, Social Security numbers, driver’s license numbers, home addresses, health information, financial information, relatives’ names, pet names and much, much more.
Often, when an app, service, or website is hacked or compromised, the personal information that has been collected on its customers is stolen, traded, or sold by the hackers.
Browser Plugins: A Quick Lesson
Browsers, or “web browsers,” are what you may know as Microsoft Edge, Google Chrome, Internet Explorer, Safari, Firefox, DuckDuckGo, Opera, and a few more. For most of us, web browsers are how we access the internet and almost all of the applications that run on it.
What’s good to know is that every browser includes the ability to install mini-applications called “plugins.” These are small applications that add features and functionality enabling the web browser to have added capabilities.
Good examples are things like the Grammarly application, a password manager, Google Translate and ad blockers. These are all great little applications that help you, but make sure you download them from reputable sources.
So, the main point here is be aware that browsers and any browser plugins should only be installed from trusted reputable sources.
Signs of a Scam
Scammers use so many methods these days: it could be a legitimate site like LinkedIn, or an embedded paid advert in your favorite news source, text messages, messenger applications (e.g. WhatsApp, Telegram & FB Messenger), phone calls and even QR codes.
There was a time when what appeared to be a reputable post about obtaining a lower mortgage rate resulted in the excited user clicking the link to a malicious site, which of course prompted the unsuspecting user to enter detailed information, including their Social Security number and bank details. Of course, it looked like a reputable bank.
It’s no longer the prince of Nigeria asking for some money ;-)
The reality is there are common themes to any scam; at a high level these tend to be:
- The call, the email was received when you don’t expect it.
- There was a sense of urgency (do it now, otherwise… we’ll cut off your gas, your phone or whatever).
- Microsoft, Apple and Google will never call you to say your device has a virus or been compromised.
- No one should contact you and say they are sending you a code (text message/SMS) or ask you to share a code from an authenticator app.
- They may ask for payment in gift cards (this is common in a small business setting).
- Websites selling goods and services - if it’s too good to be true…well, you know that saying. One thing to watch out for is if they say they are unable to collect the item but they’ll pay more upfront for a courier. They give you extra for your trouble and include the courier fee; but then want you to pay the courier via Zelle or Venmo. Then you later find out their money did not clear and you’ve lost the money you sent the courier.
- Includes a link to click, and sometimes the links look so real. Spot the difference?
- maybank2u.com ✅ is not the same as maybank2u.com ❌
- citibank.com ✅ is not the same as citibank.com ❌
(The first one is correct; the second one is from hackers. The “a” in the latter URL is a Cyrillic letter that looks identical to the Latin one. An average user can easily fall for this.)
- Beware of any email requiring you to click a link. Please stay alert.
- Some pesky examples in recent months:
- Email from a bank I don’t use.
- Text message for a delivery I’m not expecting (or requires payment for delivery).
- Random strangers liking your social media posts, usually someone of the opposite sex; if you look at their profile they have almost no followers or posts. Their goal is for you to get excited because you think they’re hot and reach out to them. Don’t.
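The lookalike-domain trick in the list above (a Cyrillic “а” standing in for the Latin “a”) is hard for eyes to catch but easy for software to catch, because the characters have different code points. The following is an added illustration, not part of the original document: it takes constructed sample domains, reports which writing scripts each one mixes, and shows the “xn--” (punycode) form a browser would display for such a name. The domains are constructed examples and no network lookup is done.

```python
import unicodedata

# Constructed sample domains for illustration (no lookups are performed). The
# second and fourth replace the Latin "a" with the visually identical Cyrillic
# "а" (U+0430), which is the trick described in the list above.
SAMPLE_DOMAINS = [
    "maybank2u.com",
    "m\u0430ybank2u.com",
    "citibank.com",
    "citib\u0430nk.com",
]


def script_of(ch):
    """Coarse script of one letter, taken from its Unicode character name:
    'LATIN', 'CYRILLIC', 'GREEK', ... ASCII letters are simply 'LATIN'."""
    if ch.isascii():
        return "LATIN"
    name = unicodedata.name(ch, "")
    return name.split(" ")[0] if name else "UNKNOWN"


def inspect_domain(domain):
    """Describe a domain the way a cautious browser would: which scripts its
    letters come from, whether they are mixed, and the xn-- (punycode) form
    that the address bar shows for labels containing non-ASCII characters."""
    letters = [c for c in domain if c.isalpha()]
    scripts = sorted({script_of(c) for c in letters})
    non_ascii = [
        f"{c} U+{ord(c):04X} {unicodedata.name(c, 'UNKNOWN')}"
        for c in domain
        if not c.isascii()
    ]
    return {
        "domain": domain,
        "punycode": domain.encode("idna").decode("ascii"),
        "scripts": scripts,
        "mixed_script": len(scripts) > 1,
        "non_ascii": non_ascii,
    }


def flag_lookalikes(domains):
    """Return only the domains whose letters come from more than one script."""
    return [d for d in domains if inspect_domain(d)["mixed_script"]]


if __name__ == "__main__":
    for d in SAMPLE_DOMAINS:
        info = inspect_domain(d)
        verdict = "LOOKALIKE" if info["mixed_script"] else "ok"
        print(f"{verdict:10} {info['punycode']:32} scripts={info['scripts']} {info['non_ascii']}")
```

Modern browsers apply a similar mixed-script rule and fall back to showing the xn-- form, which is why an address bar reading “xn--…” for a site you think you know is itself a warning sign.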
How to protect yourself?
Links to Websites
Instead of clicking the link, visit the official website.
Phone Call
Ask for their details; if they give you a number, write it down, but don’t call it (or trust it). Look up the official phone number for that business (via their website, maybe); then call that number.
Social Media
Simple steps include going to privacy settings and making your profile only visible to your connections (private, not public).
If you only did or took away 3 things from this document I’d say do a Credit Freeze, and start using a Password Manager and Multi-Factor Authentication (MFA) today.
Credit Freeze and Credit Thaw (United States)
What is it?
Credit has been popular since the 1970s, but it’s not just consumers who love it—hackers do, too. Last year, 52 million Americans experienced credit card fraud, but your credit can be misused in many other ways. Chances are your personal information will be–or has been–compromised.
What risk does it solve?
Freezing your credit is free and prevents someone from using your stolen information to open credit accounts or loans in your name, protecting you from potential debt, loss of property, or even bankruptcy.
How to use:
- Visit Experian, Equifax and TransUnion
- Create accounts using a strong password and enable Multi-Factor Authentication (strong passwords, managing passwords, and Multi-Factor Authentication are also discussed in this document).
- You’ll need to provide personal information (like Social Security Number, birth date, address) to verify your identity.
- Follow the steps by Experian, Equifax, and TransUnion to freeze your credit.
- When applying for new credit, log in to “thaw” your account. Thawing can take up to 24 hours, so plan ahead. Afterward, refreeze your credit or set a time period for it to automatically freeze again.
Important:
A credit freeze is free, and you don’t need to pay for extra services, which may sound more secure but aren’t necessary.
Fraud Alert:
In addition to the credit freeze, you can also add a “fraud alert” to your credit report.
Adding a fraud flag above and beyond the credit freeze provides additional proactive protection. While a credit freeze locks your credit file, the fraud alert indicates to creditors that additional verification is required before issuing any new credit. The fraud alert is a good tool to help prevent identity thieves from opening accounts in your name–even if they have your personal information.
Password Manager
What is it?
How many passwords do you have? How often do you reuse them? A good password manager helps you use unique passwords for every account, so your bank password isn’t the same as your Netflix or Walmart login.
What risk does it solve?
When companies get breached, hackers try stolen usernames and passwords on other websites. If you reuse the same credentials, it’s an open door for them. Password managers protect you by storing unique, strong passwords and can also save time by automatically filling in forms.
Our picks for password managers:
1Password, Dashlane, Keeper, Bitwarden
How to use:
Download and purchase from the provider’s website or your device’s app store. On computers, install the browser plugins to sync passwords across all browsers and devices, even when using different browsers.
A few features that we love are:
Compromised Account Alerts: A dashboard shows accounts that might be compromised.
Password Generator: Helps create strong, unique passwords without needing to remember them.
Multi-Factor Authentication (MFA): Adds an extra layer of security by requiring a second form of authentication beyond just the password. MFA is also discussed in this document.
Syncing Across Devices: Install the manager on all devices and browsers for seamless access.
Password Sharing: Share passwords securely with others using the same manager.
Secure Info Storage: Stores personal info for auto-filling forms like shipping or account details.
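Two of the features listed above, the password generator and the reused-password warning, are simple to show in code. The block below is an added example written for this document; it is not code from any of the password managers named above. It draws passwords from the operating system’s cryptographic random source, estimates how much guessing work they impose, and finds sites in a vault that share one password. The vault contents are constructed sample data.

```python
import math
import secrets
import string
from collections import defaultdict

# Character set the generator draws from (a constructed choice of 84 symbols).
ALPHABET = string.ascii_letters + string.digits + "!@#$%^&*()-_=+[]{}:,.?"


def generate_password(length=20, alphabet=ALPHABET):
    """Draw every character independently from the OS CSPRNG (secrets),
    re-drawing until all four character classes are present, so the result
    is uniformly random and still acceptable to sites with class rules."""
    if length < 4:
        raise ValueError("length must be at least 4 to hold all classes")
    while True:
        pw = "".join(secrets.choice(alphabet) for _ in range(length))
        if (any(c.islower() for c in pw) and any(c.isupper() for c in pw)
                and any(c.isdigit() for c in pw) and any(not c.isalnum() for c in pw)):
            return pw


def entropy_bits(length, alphabet=ALPHABET):
    """Guessing work for an attacker who knows the alphabet and the length:
    log2(|alphabet| ** length). A 20-character draw from this alphabet is
    about 128 bits, far beyond what offline guessing can cover."""
    return length * math.log2(len(alphabet))


def find_reuse(vault):
    """vault: {site: password}. Return groups of sites that share a password,
    which is what a manager's 'reused password' warning is built on."""
    by_password = defaultdict(list)
    for site, pw in vault.items():
        by_password[pw].append(site)
    return sorted(sorted(sites) for sites in by_password.values() if len(sites) > 1)


if __name__ == "__main__":
    # Constructed vault export; the shared password is a deliberately weak example.
    sample_vault = {
        "bank": "Summer2023!",
        "netflix": "Summer2023!",
        "walmart": "Summer2023!",
        "email": generate_password(),
    }
    print("reused across:", find_reuse(sample_vault))
    print("a new 20-character password has about", round(entropy_bits(20)), "bits of entropy")
```

The reuse check is the reason the “open door” described above is closed by a manager: once every site has its own entry, a breach at one of them yields nothing that works anywhere else.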
Alternatives:
Operating Systems like Windows, macOS, iOS, and Android, as well as browsers like Chrome and Firefox offer limited password management features. If you switch between browsers or want more advanced features, a dedicated password manager is a better option.
We nearly included Apple’s password manager in the recommended list above; Apple’s offering checks all the boxes for a basic password manager and allows password sharing with other Apple users. There is even a Windows version of the app. At this time the app does not allow storing other secure information such as documents, credit cards, passports or other personal details.
Different Email Addresses for Different Purposes
What is it?
Just like having different passwords for each site, using different email addresses for different purposes significantly improves security. While having multiple email accounts may seem impractical, even separating them for key purposes can make a huge difference.
What risk does it solve?
Using different email addresses based on purpose helps increase security, reduce phishing risks, and limit the damage if one account is compromised.
How to use:
Method 1: Two Lanes
- General Email: (first.last@email.com) – For most apps, services, and websites. Especially for mailing lists, discounts, coupons etc.
- Financial Email: (nothing.that.ids.you@email.com) – For banks and financial sites only.
- How it helps:
- When an app using your general email is compromised, attackers don’t have access to your banking email or passwords. Any emails pretending to be from a bank that arrive in your general inbox can be safely ignored.
Method 2: Three Lanes - ADVANCED
- Primary Email: (first.last@email.com) – For personal correspondence and important services like your doctor or phone carrier.
- Financial Email: (nothing.that.ids.you@email.com) – For banking and financial sites.
- Secondary Email: (first.randomnumbers@email.com) – For apps, services, and websites not linked to your primary or financial accounts.
- How it helps:
- It adds an extra layer of isolation from Method 1. Any unexpected emails in your primary inbox can be safely ignored.
Method 3 Masking - VERY ADVANCED
- Primary Email: (first.last@email.com) – For personal correspondence and important services.
- Financial Email: (nothing.that.ids.you@email.com) – For banking and financial sites.
- Masked Emails: Use services like Apple’s “Hide My Email,” 1Password, or Gmail’s ‘+’ trick (e.g., username+website@gmail.com) to create unique emails for apps and websites. These forward emails to your primary account.
- How it helps:
- When an app or website is breached, the attacker doesn’t know any of your other emails or other accounts. You can also safely ignore any financial-related emails that land in your general inbox.
Conclusion:
By using different email addresses for different purposes, you significantly reduce the risk of phishing and identity theft. It not only helps protect sensitive accounts like your bank or investments but also makes it easier to spot suspicious activity. Implementing even a simple two-lane system can strengthen your overall security without being overwhelming. Small changes like this can go a long way in keeping your data secure.
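The three methods above all rest on one rule: the address a message was delivered to tells you whether it can be genuine. The block below is an added example written for this document, not code from the authors or from any mail provider. It maps the lane addresses from the methods above (constructed placeholders, not real accounts) onto a verdict for each incoming message: financial-looking mail outside the financial lane is ignorable, and a Gmail-style “+tag” alias receiving mail from a site it was never given to points at a leak. The sample inbox and the financial domains are constructed.

```python
import re
from email.utils import parseaddr

# Constructed addresses for the lanes described above (not real accounts).
LANES = {
    "primary": "first.last@email.com",
    "financial": "nothing.that.ids.you@email.com",
    "general": "first.randomnumbers@email.com",
}
# Base address for Gmail-style '+' aliases (Method 3), constructed.
MASK_BASE = "username@gmail.com"
# Domains of the institutions you actually bank with (constructed placeholders).
FINANCIAL_SENDERS = {"examplebank.com", "examplecard.com"}


def lane_of(to_header):
    """Map the address a mail was delivered to onto a lane. A '+tag' alias on
    the mask base is reported as ('masked', tag)."""
    _, addr = parseaddr(to_header)
    addr = addr.lower()
    local, _, domain = addr.partition("@")
    base, plus, tag = local.partition("+")
    if plus and f"{base}@{domain}" == MASK_BASE:
        return "masked", tag
    for lane, lane_addr in LANES.items():
        if addr == lane_addr:
            return lane, None
    return "unknown", None


def triage(msg):
    """msg: {'from': ..., 'to': ..., 'subject': ...}. Apply the 'how it helps'
    rules from the methods above and return (verdict, reason)."""
    lane, tag = lane_of(msg["to"])
    _, sender = parseaddr(msg["from"])
    sender_domain = sender.lower().rpartition("@")[2]
    looks_financial = (
        sender_domain in FINANCIAL_SENDERS
        or re.search(r"\b(bank|card|account)\b", msg["subject"], re.I) is not None
    )
    if lane == "masked" and tag and tag not in sender_domain:
        return "suspicious", f"alias +{tag} was only given to {tag}, but {sender_domain} is writing to it"
    if looks_financial and lane != "financial":
        return "ignore", f"financial-looking mail landed in the {lane} lane"
    if lane == "unknown":
        return "suspicious", "delivered to an address that is not one of your lanes"
    return "expected", f"{sender_domain} -> {lane} lane"


# Constructed sample inbox.
SAMPLE_INBOX = [
    {"from": "alerts@examplebank.com", "to": "first.randomnumbers@email.com", "subject": "Your account is locked"},
    {"from": "alerts@examplebank.com", "to": "nothing.that.ids.you@email.com", "subject": "Your statement is ready"},
    {"from": "deals@random-offers.example", "to": "username+shopsite@gmail.com", "subject": "Big sale"},
    {"from": "news@shopsite.example", "to": "username+shopsite@gmail.com", "subject": "Order shipped"},
]

if __name__ == "__main__":
    for m in SAMPLE_INBOX:
        print(m["to"], "->", triage(m))
```

The point is not the keyword list, which is deliberately crude, but that the verdict depends on the destination address, something a phisher cannot choose for you.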
Multi-Factor Authentication (MFA)
What is it?
Multi-Factor Authentication (MFA) adds an extra layer of security to your accounts. It requires not just a password, but an additional form of verification—like a text message code, authentication app, facial recognition or fingerprint—before allowing access.
What risk does it solve?
Passwords are often stolen during data breaches and can be guessed, making it easier for attackers to access your accounts. MFA ensures that even if someone has your password, they still can’t log in without the second form of verification. This dramatically reduces the risk of unauthorized access and protects your personal data from being stolen.
How to use:
- Set up MFA on your accounts, especially your email, banking, and social media accounts. Most websites and apps offer this feature in their security settings.
- Choose your second factor of authentication, such as:
- A code sent to your phone via text message. Although not the most secure option, it’s better than not having MFA at all. Sophisticated attackers have developed methods to circumvent or bypass text message MFA, but again, this method is better than no MFA at all.
- A code generated by an authentication app (like Google Authenticator, Microsoft Authenticator, Authy or Ente Auth).
- A biometric method like fingerprint or face recognition (for apps or devices that support it).
- Log in securely: Once MFA is set up, you’ll enter your password first, then verify your identity using the additional factor.
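The authenticator-app option above works without any network at all: the app and the website share one secret (delivered once, via the setup QR code), and both derive the same six-digit code from that secret and the current time. The block below is an added example written for this document, not code from any of the apps named above. It implements the standard algorithm (RFC 4226 HOTP and RFC 6238 TOTP) and a server-side check that tolerates a little clock drift. The secret is the public reference test key from the RFC, used here only because its expected codes are published.

```python
import base64
import hashlib
import hmac
import struct
import time

# Constructed demo secret: the RFC 6238 reference key "12345678901234567890",
# base32-encoded the way an authenticator app receives it from a setup QR code.
# It is public test data, so it must never be used for a real account.
DEMO_SECRET_B32 = base64.b32encode(b"12345678901234567890").decode("ascii")


def hotp(secret, counter, digits=6):
    """RFC 4226: HMAC-SHA1 over the big-endian 8-byte counter, then 'dynamic
    truncation' picks 4 bytes at an offset given by the MAC's last nibble."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"


def totp(secret_b32, at=None, step=30, digits=6):
    """RFC 6238: HOTP where the counter is the number of 30-second steps since
    the Unix epoch. App and server compute this independently from the same
    secret, which is why the app needs no signal to produce a code."""
    padded = secret_b32.upper() + "=" * (-len(secret_b32) % 8)
    secret = base64.b32decode(padded)
    now = time.time() if at is None else at
    return hotp(secret, int(now) // step, digits)


def verify(secret_b32, submitted, at=None, window=1, step=30):
    """Server-side check. Accepts the current code and its neighbours (one
    step of clock drift either way) and compares in constant time so response
    timing does not reveal how many digits matched."""
    now = time.time() if at is None else at
    return any(
        hmac.compare_digest(totp(secret_b32, now + k * step, step), submitted)
        for k in range(-window, window + 1)
    )


if __name__ == "__main__":
    print("secret carried by the setup QR code:", DEMO_SECRET_B32)
    print("code valid right now:", totp(DEMO_SECRET_B32))
```

Because the code is a function of the secret and the clock, a code read to a caller over the phone is worth exactly as much as the secret itself for the next thirty seconds, which is why the “never share a code” rule in the scam section matters.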
Limit Bank/Debit Card Use
What is it?
Your ATM, debit or bank card is directly linked to your bank account and usually requires a PIN (4-6 digits) for transactions.
What risk does it solve?
Using a debit card with a PIN is considered an approved transaction, so if someone copies your card through skimming or hacks a payment system, it can be difficult to prove fraud and get your money back. Instead, consider using credit cards, virtual credit cards, or digital wallets like Apple Pay or Google Pay.
How to use:
Limit your bank card use to your bank branch, preferably at the teller or indoor bank machines when possible. We won’t cover how to apply for credit cards or add them to virtual wallets in this article. However, using virtual wallets like Apple Pay or Google Pay is safer than using a bank or credit card alone. You can take security a step further by using services like privacy.com to create virtual credit cards for online purchases. These cards can be single-use or multi-use, with spending limits, and block fraud or overcharging.
Avoid Public WiFi
What is it?
Public WiFi, like at coffee shops, airports, or restaurants, is not secure or monitored for hackers. Anyone on the same network, or worse, controlling it, can use various tools to attack your device or steal your login information whether you’re browsing the web or using an app.
What risk does it solve?
Avoiding public WiFi reduces your risk of being targeted by hackers who may try to access your device or trick you into sharing sensitive information.
How to [not] use:
The safest alternative is to tether your laptop to your mobile device, or simply use your mobile device’s cellular data without connecting it to public WiFi. Stick to trusted networks like your home, work, or private WiFi. If you must use public WiFi and can’t rely on a cellular signal, a Virtual Private Network (VPN) can provide some protection, but VPN doesn’t eliminate all risks.
Alternatives:
- Virtual Private Network (VPN): Encrypts your internet traffic and routes it through a private server, helping to protect your online activity. However, VPNs can’t fully protect you if a hacker controls the network you’re on.
- Firewalls: These monitor and block unauthorized network traffic to your device. Both Windows and macOS have free, built-in firewalls that can be enabled easily, but they won’t fully protect you from a hacker-controlled network.
- Windows: Go to Settings > Update & Security > Windows Security > Firewall & network protection and ensure the firewall is turned on for your active network.
- macOS: Go to System Settings > Network > Firewall, and turn it on.
- Check Website Connections: Browser extensions and plugins like Wappalyzer and CheckMyHTTPS can help. For example, Wappalyzer shows which security technologies a site is using. If a site uses HTTP Strict Transport Security (HSTS), it ensures the site is only accessed over HTTPS, meaning the connection is encrypted for better security. The CheckMyHTTPS extension ensures that your secured web connections are not intercepted, decrypted, listened to, or modified.
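HSTS, mentioned above, is worth seeing in action because the protection happens inside your browser before any request leaves the device. The block below is an added example written for this document (not code from Wappalyzer, CheckMyHTTPS or any browser): it parses a Strict-Transport-Security header, grades how strong the policy is, and models the small per-site list a browser keeps so that a later http:// link to that site is upgraded to https:// without ever touching the network. The header values and the host bank.example are constructed placeholders.

```python
import time
from urllib.parse import urlsplit, urlunsplit

ONE_YEAR = 365 * 24 * 60 * 60


def parse_hsts(header_value):
    """Parse a Strict-Transport-Security header value such as
    'max-age=31536000; includeSubDomains; preload' into its directives."""
    directives = {}
    for part in header_value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, value = part.partition("=")
        directives[name.strip().lower()] = value.strip().strip('"')
    if "max-age" not in directives:
        raise ValueError("max-age directive is required")
    return {
        "max_age": int(directives["max-age"]),
        "include_subdomains": "includesubdomains" in directives,
        "preload": "preload" in directives,
    }


def assess(policy):
    """List the weaknesses of a parsed policy; an empty list means strong."""
    issues = []
    if policy["max_age"] == 0:
        issues.append("max-age=0 tells browsers to forget the policy")
    elif policy["max_age"] < ONE_YEAR:
        issues.append("max-age is shorter than one year")
    if not policy["include_subdomains"]:
        issues.append("subdomains are not covered")
    return issues


class HstsCache:
    """Minimal model of the per-host list a browser keeps."""

    def __init__(self):
        self.hosts = {}  # host -> (expiry time, include_subdomains)

    def learn(self, host, header_value, now=None):
        """Record a policy. Browsers honour this header only on responses that
        arrived over HTTPS, so feed it only from such responses."""
        now = time.time() if now is None else now
        policy = parse_hsts(header_value)
        if policy["max_age"] == 0:
            self.hosts.pop(host, None)
            return
        self.hosts[host] = (now + policy["max_age"], policy["include_subdomains"])

    def rewrite(self, url, now=None):
        """Upgrade an http:// URL to https:// when a live policy covers its
        host. This runs before any request is sent, which is what keeps a
        hostile network from ever seeing a plaintext request to that host."""
        now = time.time() if now is None else now
        parts = urlsplit(url)
        if parts.scheme != "http":
            return url
        host = (parts.hostname or "").lower()
        for known, (expires, subdomains) in self.hosts.items():
            if now > expires:
                continue
            if host == known or (subdomains and host.endswith("." + known)):
                return urlunsplit(("https", parts.netloc, parts.path, parts.query, parts.fragment))
        return url


if __name__ == "__main__":
    cache = HstsCache()
    cache.learn("bank.example", "max-age=31536000; includeSubDomains", now=1_000)
    print(cache.rewrite("http://bank.example/login", now=2_000))
    print(assess(parse_hsts("max-age=300")))
```

The limitation the section warns about is visible here too: the browser must have seen the site over HTTPS once before the policy exists, so the very first visit on a hostile network is still exposed unless the site is on the browsers’ built-in preload list.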
Helpful Links:
[FREE] Built-in Firewall How To’s
[FREE] Browser Extensions
- Wappalyzer (Site Analyzer)
- CheckMyHTTPS (Connection Analyzer)
[PAID] VPN Services
When using a VPN, it’s important to pair it with a firewall for added security. If the Public WiFi network doesn’t allow VPN, disconnect from the Public WiFi network.
Conclusion:
Using public WiFi increases your vulnerability to attacks, so it’s best to avoid it when possible. Stick to using your mobile data or a trusted network. If public WiFi is your only option, a VPN can offer some protection, but pairing it with a firewall and secure website checks can help further reduce risks. Keep in mind that no solution is foolproof when using public networks, so it’s essential to stay cautious.
Protect Your Phone
What is it?
Your mobile phone stores a lot of personal and sensitive information, such as bank account details, access to your password manager, photos, and other personal data.
What risk does it solve?
Since your phone holds so much critical information, it can be a single point of attack, or failure. Protecting it is essential to prevent theft and cybersecurity breaches.
How to use:
- Set a 6-digit PIN, thumbprint, or Face ID to unlock your device.
- Consider disabling your thumbprint or Face ID when traveling, and rely only on your PIN.
- Never store passwords in Notes or Photos.
- Regularly backup your device.
- Set up stolen device protection:
- Apple iOS - Stolen Device Protection
- Android - Theft Detection Lock
- Avoid Public WiFi (as mentioned elsewhere in this document)
- For extra security, consider disabling WiFi on your device when not at home or work.
Malware Protection
What is it?
Over the years, it’s been called anti-virus and anti-malware software, and in the media you’ll also hear acronyms like EDR (Endpoint Detection and Response).
What risk does it solve?
When you click links or download email attachments, sometimes there’s malicious code that can compromise your device, often using your device to launch attacks or steal your data. Every day we’re exposed to emails that entice us to click links, and to web advertisements (even within legitimate sites) that aim to install software on your device.
Our Guidance:
Most major computers, tablets, and phones come with built-in free software that is decent enough, so using additional third-party software is optional. Be aware that some vendors will scare you into thinking that you need their paid-for software and services, which is fine for the more paranoid person.
Special Callout for Artificial Intelligence (AI)
There’s a lot of talk about Artificial Intelligence (AI) in the media and there are many forms of AI. So let’s explore what the average person needs to know.
What is it?
I’m sure by now you’ve all heard something in the media about Artificial Intelligence. Not to be mistaken with humans who don’t have much intelligence… ;-)
“Artificial intelligence (AI) is a set of technologies that enable computers to perform a variety of advanced functions, including the ability to see, understand and translate spoken and written language, analyze data, make recommendations, and more.” (Source - Google Cloud).
The reality is you may not even notice that in the background there’s already a lot of AI supported services, the ones you already experience may be on your phone or personal assistant devices (aka Siri and Alexa). Or when you need online or phone support and go through those extremely frustrating menu systems.
What did the AI say?
So we asked ChatGPT, a popular AI platform, “what are the security concerns with AI for the average person” and here’s what it had to say for itself:
There are several security concerns regarding AI that the average person should be aware of:
- Privacy Issues: AI systems often require significant amounts of data, including personal information. There is a risk of this data being misused or exposed, leading to privacy violations.
- Surveillance: AI technologies are used in surveillance systems, which can infringe on individuals’ rights to privacy and freedom. This can lead to a society where people are constantly monitored.
- Manipulation and Misinformation: AI can be used to create deepfakes and other forms of misinformation that can mislead people, manipulate opinions, or harm reputations.
- Autonomous Systems: The rise of AI-powered autonomous systems (like drones or autonomous vehicles) brings concerns about safety and accountability if something goes wrong.
- Job Displacement: As AI capabilities improve, there are concerns about job loss due to automation, impacting people’s livelihoods and economic stability.
- Security of AI Systems: AI systems can be vulnerable to adversarial attacks, where malicious actors manipulate the input to an AI system, causing it to behave unpredictably.
- Bias and Discrimination: AI algorithms can inherit biases present in their training data, leading to unfair treatment of different groups of people in areas such as hiring, law enforcement, and lending.
- Dependence on Technology: Increasing reliance on AI can lead to a reduction in critical thinking and problem-solving skills, making individuals more vulnerable in situations where technology fails.
Being aware of these issues can help individuals make informed choices about how they interact with AI technologies and advocate for more ethical and secure AI practices.
Our take:
A lot of the same risks still apply, but one thing has certainly changed with AI: it is now easy to create deep fakes. That’s where someone fakes a person’s voice and even video (so it may look like your son on the camera, but it’s a scammer).
That means it’s even more important to follow the “Signs of a Scam” (above).
Deep Fake protection:
One of our good friends, Theresa Payton, sat down with 909Cyber’s founder and CEO Den Jones in 2023 and they talked about AI security. One gem which remains important is to agree on a “safe word” with your family. In short, in the event of a suspected deep fake (or what appears to be a genuine crisis), to confirm it’s the correct person on the phone or video, you ask them to repeat the “safe word”.
Useful Resources
- Want to see if you have compromised accounts? Visit Have I Been Pwned
- Dark web monitoring is a service that scans the dark web for sensitive information that may have been leaked or stolen. This information can include credentials, intellectual property, and other materials that could be used to harm an organization or individual. Dark web monitoring can be used by both businesses and individuals to protect their data and reputation. Top10.com created a decent list of what they considered the top dark web monitoring services.
- Identity Theft monitoring
- You can also sign up for a service that monitors your accounts and the dark web to guard against identity theft, typically for a fee. If your data is exposed in a breach, the company whose network was breached will often provide one of these services for free for a year or more.
Credits
Authors:
Den Jones: LinkedIn
Aaron Wurthmann: LinkedIn
Contributor:
Tony Bradley: LinkedIn
Foreword:
Chase Cunningham: LinkedIn