Zen Planner Guide to Online Security
Malicious online activity is on the rise, so you need to know how to protect your sensitive personal and business information. But there are so many pieces to consider that it's hard even for experts to get it right, let alone regular people. Zen Planner is committed to safeguarding your school data, which is why we've put together this guide to help you protect your online identity.
This is NOT a comprehensive checklist. Instead, this is a plain-English guide to the best "first-steps" that you can actually do. We believe it's more important to take a few positive steps forward NOW, instead of compiling the "perfect" list that's too complicated to start. Please read through this guide, and see what steps YOU can take to protect yourself and your school online.
And as always, if you have suggestions that you'd like to share, let us know and we'll add your comments here.
1. Protect your email password religiously
Like it or not, your email address is your online identity. Today, nearly all of our important correspondence flows through our email addresses -- including personal, financial, and legal documents. To ensure your safety online, your top priority should be securing your email account. This means that nobody else should have access to your personal email account (not employees, interns, trusted friends, etc.). And you must use a strong password that only you know and that others cannot guess. (more about strong passwords below)
Protect your email password more than your social security number, your bank account, or any other password. Today's reality is that if someone has your email password, they can likely get the rest of those personal identifiers anyway: almost every other account you own will send its "forgot password" reset link straight to that inbox.
2. Use a password manager
To secure your online accounts from professional hackers, most security experts recommend a combination of steps:
- Use "strong passwords" on every site you use. Strong passwords (described below) are very difficult to guess, making it difficult for someone to get unauthorized access to your account.
- Use different passwords on every website. This helps isolate each account so that if someone breaks in to one account, they can’t get into others.
- Change a password promptly whenever you suspect it has been exposed -- for instance, when a site you use announces a breach, or when you find out an old account was compromised. Changing every password on a fixed schedule (say, every six months) was the standard advice for years, but NIST SP 800-63B now recommends against forced periodic changes, because they push people toward predictable variations of the same password. With a password manager, replacing a compromised password takes a minute.
But you'd need a super-human memory to follow all of these recommendations together. The most realistic way to accomplish these goals is to use a password manager that stores an encrypted copy of all your passwords in one very safe place, protected by a single master password that you memorize. And most password managers include a simple way to fill passwords into the websites where you use them, so you never have to type (or even see) the individual passwords.
Here's a great article about using a secure password manager. You can also get started with the tips at the bottom of this page.
3. Know what your backup email address is
Some services -- like Gmail -- will send a password-reset link to an alternate "backup" address in case you forget your password. This matters because it opens another door to your account: anyone who controls the backup address can reset your password and take over your digital identity. Several high-profile account takeovers have happened exactly this way.
To protect yourself, make sure that you know what your backup email addresses are, that you still control them, and that they will not expire. Do not use Hotmail as your backup email address, or any other service that will expire your account if you leave it inactive -- an expired address can be re-registered by someone else. And protect the backup account with a strong, unique password of its own, since it is only as safe as the weaker of the two accounts.
4. Be careful with "password reset" questions
The answers to "Password Reset" questions (your mother's maiden name, your first pet, the street you grew up on) are typically much easier to guess or look up than the passwords themselves -- and a correct answer lets the bad guys take complete control of your account from that point forward. The best suggestion out there is to treat these answers as extra passwords: make them at least as strong as the passwords themselves, use a different made-up answer on every site, and keep them in your password manager rather than answering truthfully.
5. Learn to avoid "phishing" scams
Scammers are becoming more sophisticated in their attempts to trick you into revealing sensitive personal information online. Called “phishing”, these scams impersonate trusted institutions (like your bank or email provider) in an attempt to get your account information or passwords. Then the scammers empty your bank account and disappear into the Internet.
Microsoft posted an excellent article that lists several telltale signs that an email is not legitimate:
- Email asks you to "Verify your Account"
- "Dear Valued Customer" email doesn't include your name or other personal information
- Artificial deadlines, such as "If you don't respond within 48 hours, your account will be closed"
- Garbled web addresses, or links that point to a bare IP address instead of a named site (like http://192.168.255.05)
In general, make sure that you know that you’re logging in to the correct websites BEFORE you enter your password. Phishing messages are usually disguised to appear like they came from an official source, and often include official logos and artwork. But, you can tell that something is not quite right if you pay attention.
If you suspect something "phishy", type the web address in yourself instead of clicking on a link in an email. The link text you see and the address it actually goes to can be completely different.
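To make the telltale signs above concrete, here is an added example (written for this guide, not taken from Microsoft's article or from any Zen Planner code) that checks an HTML email body for the four signs in the list: a "verify your account" request, a generic greeting, an artificial deadline, and links that go to a bare IP address or to a different site than the link text shows. The two sample messages and the domain "mybank.example" are constructed for the demo, and the site() helper is a deliberately crude stand-in for proper public-suffix handling.

```python
import ipaddress
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Phrases from the telltale-signs list (case-insensitive).
VERIFY_RE = re.compile(r"\bverify\s+your\s+account\b", re.I)
GENERIC_RE = re.compile(r"\bdear\s+(valued\s+)?(customer|user|member|client)\b", re.I)
DEADLINE_RE = re.compile(
    r"\bwithin\s+\d+\s+(hours?|days?)\b.*?\b(closed|suspended|locked|terminated)\b",
    re.I | re.S)


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs for every <a> tag in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url):
    """Hostname of a URL; bare text like 'example.com/x' is treated as https://example.com/x."""
    if "://" not in url:
        url = "https://" + url
    return (urlparse(url).hostname or "").lower()


def is_ip_literal(host):
    """True for a link to a bare address such as 192.168.255.5 (no domain name)."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        # Newer Python rejects leading zeros (192.168.255.05); still count it as an IP.
        return re.fullmatch(r"\d+(\.\d+){3}", host) is not None


def site(host):
    """Crude site name: the last two labels (www.mybank.example -> mybank.example).
    Assumption for this demo only; a real filter would use the public suffix list."""
    labels = host.rstrip(".").split(".")
    return ".".join(labels[-2:])


def phishing_signals(html_body):
    """Return the list of telltale signs found in one HTML email body."""
    text = re.sub(r"<[^>]+>", " ", html_body)
    signals = []
    if VERIFY_RE.search(text):
        signals.append("asks to verify your account")
    if GENERIC_RE.search(text):
        signals.append("generic greeting, no name")
    if DEADLINE_RE.search(text):
        signals.append("artificial deadline")
    parser = LinkExtractor()
    parser.feed(html_body)
    for href, shown in parser.links:
        target = host_of(href)
        if is_ip_literal(target):
            signals.append("link to bare IP address: " + href)
        # Visible text that looks like a web address but points at a different site.
        if re.search(r"\.[a-z]{2,}(/|$)", shown.lower()) and site(host_of(shown)) != site(target):
            signals.append(f"link text {shown!r} points to {target}")
    return signals


# Constructed sample messages (not real mail): one phish, one legitimate notice.
PHISH = """<p>Dear Valued Customer,</p>
<p>We could not verify your account. If you don't respond within 48 hours,
your account will be closed.</p>
<p><a href="http://192.168.255.05/login">https://www.mybank.example/login</a></p>"""

LEGIT = """<p>Hi Jane,</p>
<p>Your March statement is ready.</p>
<p><a href="https://www.mybank.example/statements">View statements</a></p>"""

if __name__ == "__main__":
    for name, body in (("PHISH", PHISH), ("LEGIT", LEGIT)):
        print(name, phishing_signals(body) or ["no telltale signs"])
```

The mismatched-link check is the one most worth understanding: the message shows "https://www.mybank.example/login" as the link text, but the href underneath goes to 192.168.255.05, which is exactly why typing the address in yourself beats clicking.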
There are many online resources dedicated to combating phishing. Here are a few good recommendations to get you started:
6. Disable Flash
Flash is great for browsing rich media sites like Hulu and YouTube. But once you're done with videos of cats playing piano, Flash leaves many open doors for hackers to infiltrate your computer, because it runs downloaded code with full access to your machine and has a long history of security holes. Security researchers are predicting that Flash will become the number one hacker target in the next year.
If you're using Firefox, download the Flashblock extension to turn off Flash content by default. With one click you can restore the Flash movies that you DO want to see, without automatically launching malicious ones that you're not expecting. (Adobe ended support for Flash at the end of 2020 and current browsers no longer run it at all; if the Flash plugin is still installed on an older computer, the best step today is simply to uninstall it.)
7. Use an Anti-virus program
Anti-virus programs are not a complete solution in themselves, but they are an important part of your online security. Creating viruses has become a big business, and computers are constantly exposed to malicious programs that can steal your data or destroy it entirely.
There are many good anti-virus programs available, including top-rated free anti-virus tools from Microsoft (now built into Windows as Windows Defender) and AVG. If you don't already have anti-virus included on your computer, it costs nothing to install one of these. Whichever one you pick, let it update itself automatically -- an anti-virus program with stale definitions misses most of what is circulating today.
8. Learn how to turn on your computer's firewall
Plugging your computer into the Internet allows it to connect to other computers all over the world. It also lets computers all around the world connect to yours. And millions of computers around the world are already infected by malicious programs and herded into networks of infected machines (called bot-nets) that their controllers use to attack others. One way that bot-nets spread is by scanning for other computers that are left open to specific kinds of incoming connections.
A "firewall" is a filter that determines which connections your computer will accept, and which ones it won't. For most home and office computers, the answer should be "none". Regardless of any other filtering (for instance, by your ISP) you should turn on the firewall on your computer so that it does not accept ANY connections that you don't explicitly allow.
9. Stop using Internet Explorer
There is a growing set of evidence that using Internet Explorer -- even the most recent versions -- makes you less safe than if you use another browser (like Firefox, Chrome, or Safari). There are many reasons for this, including the fact that Internet Explorer is the most commonly used, but least frequently updated browser. This makes it the biggest target with the biggest potential reward for hackers. Many high-profile security breaches have occurred because of problems with Internet Explorer, prompting many groups to recommend alternative browsers. While this advice may change in time, you're safer today if you switch to a more secure browser. (Microsoft itself retired Internet Explorer in 2022 in favor of Edge; whatever browser you choose, the important part is that it updates itself automatically.)
10. Don't reuse passwords!
See this detailed guide on why reusing passwords is a bad choice:
Getting Started Details
Understanding "strong" passwords
Online, your password is the only thing standing between your identity and the hackers who want to steal from you. In theory, there are so many possible passwords that it would take forever to guess the one that locks up your accounts. But most people tend to use similar patterns for their passwords, and hackers have gotten very good at guessing passwords. In fact, some bot-nets have spread very successfully just by trying 200 of the most common passwords on each computer.
To retake control, you need to make sure you’re using “strong” passwords on every account that’s accessible online. This means that you need to use a long, random password that can't be guessed by another person or a computer with a dictionary.
Here are some common guidelines for generating a strong password:
- Should include both letters and numbers (uppercase and lowercase)
- Should be at least 8 characters long -- and longer is much better. Each extra character multiplies the number of guesses an attacker needs, so a 16-character random password from a password manager is not twice as strong as an 8-character one, it is billions of times stronger, and it costs you nothing extra to use.
- Should not be a word in the dictionary, even with a number or symbol tacked on the end ("Password1" is one of the first things a cracking program tries)
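Here is an added example (written for this guide, not code from Zen Planner or from any password manager) that turns the guidelines above into a checker, generates passwords and reset-question answers (step 4) from the operating system's cryptographic random source, and works out how long an exhaustive guess would take for 8 versus 16 characters. The small COMMON_WORDS set is a constructed stand-in for a real cracking dictionary, and the guess rate of 10 billion per second is an assumed figure for offline cracking of a fast hash on graphics cards.

```python
import math
import secrets
import string

# Alphabets: the guideline's "letters and numbers" set, and the full printable set.
LETTERS_DIGITS = string.ascii_letters + string.digits          # 62 symbols
PRINTABLE = LETTERS_DIGITS + string.punctuation                 # 94 symbols

# Constructed stand-in for a cracking dictionary; real lists hold millions of entries.
COMMON_WORDS = {"password", "letmein", "welcome", "monkey", "dragon", "qwerty",
                "football", "iloveyou", "sunshine", "princess", "zenplanner"}


def meets_guidelines(pw, dictionary=COMMON_WORDS):
    """The three rules from the list above: mixed-case letters plus digits,
    at least 8 characters, and not a dictionary word even with digits or
    symbols bolted on (so 'Password1' still fails)."""
    letters_only = "".join(c for c in pw if c.isalpha()).lower()
    return (len(pw) >= 8
            and any(c.islower() for c in pw)
            and any(c.isupper() for c in pw)
            and any(c.isdigit() for c in pw)
            and letters_only not in dictionary)


def random_password(length=16, alphabet=PRINTABLE):
    """Uniformly random password from the OS CSPRNG (secrets, never random).
    Rejection sampling keeps it uniform while guaranteeing the guidelines."""
    while True:
        pw = "".join(secrets.choice(alphabet) for _ in range(length))
        if meets_guidelines(pw):
            return pw


def random_reset_answer(length=20):
    """Made-up answer for a 'password reset' question: random letters and digits
    only, so it can be read out to a support line; store it in the password manager."""
    return random_password(length, LETTERS_DIGITS)


def bits_of_entropy(length, alphabet_size):
    """Entropy of a uniformly random password: length * log2(alphabet size)."""
    return length * math.log2(alphabet_size)


def years_to_brute_force(bits, guesses_per_second=1e10):
    """Expected years to find a password by exhaustive search (half the space).
    Assumed rate: 1e10 guesses/s, i.e. offline cracking of a fast hash on GPUs."""
    seconds = (2.0 ** bits / 2) / guesses_per_second
    return seconds / (365.25 * 24 * 3600)


if __name__ == "__main__":
    print("password  :", random_password())
    print("reset ans :", random_reset_answer())
    for length, size in ((8, 62), (12, 62), (16, 94), (24, 94)):
        bits = bits_of_entropy(length, size)
        print(f"{length:2d} chars from {size} symbols: {bits:5.1f} bits, "
              f"{years_to_brute_force(bits):.2e} years to brute-force")
```

Run it and the table makes the length point for you: 8 random letters and digits (about 48 bits) fall in hours at the assumed rate, while 16 random printable characters (about 105 bits) take longer than the age of the universe. Note that the entropy figures only hold for passwords that are actually random; a human-chosen "word plus digit" password has far fewer real possibilities than its length suggests, which is what the dictionary rule is guarding against.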
Tips for Setting up a Password Manager
There are many great password managers for both Windows and Macintosh, including several that are completely free. Personally, I like KeePass and PasswordSafe on Windows and KeePassX and 1Password on Macintosh. Another option is to use an online service like Xmarks, or LastPass. Regardless, it's important to find something that will work for you -- and that you'll actually USE.
This is likely to be a change from the way you've managed passwords before, but you can take it one step at a time, moving accounts into your password manager one by one as you use them. Eventually, everything will be safeguarded in your encrypted password database.
If you install a password manager on your computer, then it's very important to store this database safely and securely. You must have a backup of your password database that is kept securely somewhere off-site -- not stored on your main computer. The worst outcome would be to put all of your passwords in one place and then lose them if your computer crashes.
Once you're up and running with a password manager, make sure to print the most important passwords and store the printout in a safe (and locked) location. This will give you an extra layer of backup in case something goes wrong.
Other Steps You Can Take Now
There are many excellent resources online that will help you protect your account information online. Here are some that I've found useful: