How To Secure Online Activities

Expert Reference Series of White Papers

How To Secure Online
Activities

1-800-COURSESwww.globalknowledge.com

How To Secure Online Activities
James Michael Stewart, CISSP, ISSAP, SSCP, CPTE, CDFE, Q/SA, Q/EH, CH,
CHFI, Security+

Introduction
The Internet is not automatically a secure or safe place to be. If we had doubts about that previously, we
shouldn’t any more, based on the revelation of NSA’s PRISM. We now know that a significant portion of Internet-based activities are being perused by the US government under the banner of protecting US citizens from
foreign terrorists. Whether you agree with the activities of the NSA or not, everyone should reconsider what they
do online. What we need to reconsider is what it means to be secure or insecure when it comes to our online
activities.
It is important to be clear and distinct when discussing security. Security is not a singular concept, solution,
or state, rather it is a combination of numerous aspects, implementations, and perspectives. In fact, security is
usually a relative term with graded levels, rather than an end state that can be successfully achieved. In other
words, a system is not secure; it is always in a state of being secured. There are no systems that cannot be compromised. However, if one system’s security is more daunting to overcome than another’s, then attackers might
focus on the system that is easier to compromise.

Misunderstood Issues: Privacy and Anonymity
When facing the task of securing your online activities, we need to look at several specific aspects of security and apply technologies that might provide better protections. Online security should address at least two
commonly misunderstood issues: privacy and anonymity. Privacy is the protection of information about one’s
self against collection without knowledge or consent, in order to allow the person to select which aspects of
their information they choose to reveal and to whom. Generally, privacy is the ability to provide confidentiality
protection (i.e., defense against unauthorized disclosure, to information about an individual). Anonymity is being
able to communicate without revealing an identity. Another way at looking at these two terms is:
• ith privacy, others cannot see what you are doing or what you are communicating, but they can know
W
who you are.
• ith anonymity, others can see what you are doing or what you are communicating, but they don’t
W
know who you are.
When online security is discussed, I often notice that these two concepts are misunderstood. Often, one or the
other is assumed to be provided or protected by a solution when, in fact it is only protecting one of these and
not the other. Usually we want both privacy and anonymity. Unfortunately, we typically have neither in relation
to our online activities.

Copyright ©2013 Global Knowledge Training LLC. All rights reserved.

2

When considering online security options, always have a goal or purpose for the security. Accidents, malicious
code, malicious hackers, governments, and corporations can all be seen as threats to online security. Only with
a specific target or result in mind can you choose the best responses. A measurable or detectible result is also
important in order to determine whether or not the security implementation is working. By knowing what you
want to prevent, you can test whether or not that activity can still occur after implementing a security solution.
Also realize that responding too quickly to new threats or concerns, such as NSA PRISM, before understanding
what the real issues are, can result in a false sense of security when improper actions are taken or assumptions
of the benefits of a new product or service are made. Take the time to step back, consider other perspectives,
evaluate the options, and then make a calculated choice for your response. Kneejerk reactions or following the
crowd is almost always the wrong thing to do.

Use a VPN
There is no fully safe location on the Internet. Everything can be hacked by someone. But the worst place is your
local connection. The connection you use to reach out to the Internet is the most sensitive link in your connectivity chain. All of the data passing through your local Internet connection is definitively related to you, as being
sent out by you or being requested for retrieval by you. This is also the location where DNS spoofing attacks
(giving you false domain name resolutions), man-in-the-middle attacks (manipulating your communications),
sniffing attacks (capturing your data), and hijacking attacks (taking over your connection) are most effective and
targeted (at you!). You must make it a habit to protect yourself on the Internet. All of my other recommendations are helpful, but if you fail to protect your local link, none of the other options will have much effect.
To protect your local link, you need to use a Virtual Private Network (VPN). A VPN is an encrypted network connection from your system to another system somewhere else over the Internet. This connection is used to pipe
all of your Internet communications through an encrypted tunnel. This provides local protection against attacks
and attackers at or near your initial Internet link. This would include neighbors, others in the coffee shop, rogue
access points, and even unscrupulous ISP employees.
Using a VPN is not a complete solution, but it is a first step. When a VPN is in use, all of your traffic will leave
and enter your system in a protected encrypted form. However, the VPN will need to be anchored somewhere
and all of your traffic will exit and enter the other end of the tunnel in whatever default form that data takes,
which could be cleartext or encrypted (such as SSL/TLS). You need to find a VPN provider that seems trustworthy.
I personally use ProXPN (www.proxpn.com). There are a wide range of VPN providers, both free and paid. You
need to find one that you are comfortable with.

Be Anonymous
VPNs (and most other encryption solutions) provide privacy, but they do not provide anonymity. Either it is
possible to trace traffic back through the VPN to identity your system, or the VPN provider maintains logs that
contain your identity. In order to hide your identity when online, you must use an anonymous service. One of my
favorites is TOR (www.torproject.com). TOR was originally developed by the US. Naval Research Laboratory, but
it is now managed by a non-profit. TOR is used to hide the IP address of your computer. TOR is free to use.


3

TOR is not a VPN, as it does not fully protect the contents of your communications. In fact, all data leaving a
TOR exit node reverts back to its original form (cleartext or encrypted) for its remaining transmission across
the Internet to the destination. TOR protects your IP identity by preventing the general Internet and most of the
TOR clouds from learning your IP address. Instead, only the initial TOR system you connect to will know your IP
address. As long as you do not identity yourself as you interact with sites or service (i.e., don’t log in), you will
remain anonymous while using TOR.
TOR is not quite as simple to use as a VPN. With a VPN, all traffic in and out of your system goes through the
VPN. With TOR, only those services and applications you configure to use the TOR proxy service will be routed
through TOR. For example, if you configured Chrome to use TOR, then Web activity through Chrome would be
anonymous, while activities through Firefox will remain identifiable.
Anonymization tools and VPNs should be verified before you rely upon them. Both of these services will change
the IP address that you are perceived as originating from. Before turning on TOR or a VPN, first check your current identity by visiting a site such as whatismyipaddress.com. Then enable TOR or VPN, visit the same site again
and you should see a different IP address. This shows that your data is being re-packaged (i.e., proxied), and
your IP address is not being retained by the traffic once it reaches the general Internet.

Pre-Encrypt Everything
Any data that you move to an online location is at risk of being seen, copied, and changed. Sometimes this is
exactly what you want, such as with social network postings, discussion forums, image hosting sites, etc. However, when you use online storage to host or back-up personal, sensitive, or valuable files, you don’t want others
to have any access at all.
To add to the problem, many cloud service providers are offering 5 to 50 GB of free storage just to sign up with
them (often in hopes that you will get hooked and pay for more space). It is tempting to grab all the free space
offered, but you need to resist uploading everything to these cloud providers. At least resist until you have
encrypted your data locally.
Steve Gibson from Gibson Research Corporation (www.grc.com) via his Security Now podcast (grc.com/sn) often
uses the term PIE (Pre Internet Encryption). PIE is not just a term, it is a rule to follow: always pre-encrypt your
data before putting it on the Internet if you want to have control over that data. Anything placed on the Internet
in non-encrypted form is without protection and out of your control. Only with your own encryption can you
establish protection and retain control over your data files.
One option to consider is AES Crypt (www.aescrypt.com). This tool can be used to quickly encrypt any local file
with command line or GUI operation. You select a password, which is converted into a 256-bit AES encryption
key for locking down your file. Once encrypted, the file with a new .aes extension can be safely put anywhere
with no risk of compromise. When you need to regain access, download the file, then provide your password to
the tool to decrypt back into original form.


4

Limit Social Networking
If being tracked by the NSA or by browser cookies seems creepy, then you also need to realize that you are
being tracked by social networking platforms as well. Social networks offer a wide range of services, but often
their primary business model is to collect demographic data about users to sell to advertisers. Generally, if you
get something for free online, then the product being sold is you.
To minimize this activity and protect yourself in the process, you need to limit your social network activities.
Here are some good practices to adopt:
• Don’t fill out your profile with identity information, leave it generic or non-specific.
• Don’t spend significant effort to like, link, plus, or mark everything of interest; be generic.
• Minimize your use of applications or add-ons within the service.
• Don’t fill out surveys.
• Re-asses your profile settings quarterly and minimize information disclosure approvals.
• Don’t link your social networking profile to other sites or services.
This might make your social networking experience less “special” or “specific”, but it will reduce how much
information someone can learn from your social networking activities. Keep in mind that it is not just the NSA
and corporations who want to watch you, there are plenty of identity thieves lurking around as well.

Secure Passwords
Too many online sites and services still “protect” your account with just a simple password. When more secure
options are not available, you must take full advantage of the password options being offered. Here are some
important steps to take:
• se a secured, encrypted password manager. I use LastPass, but OnePass and 1Password are other good
U
options.
• ecure your password manager with a 20+ character password constructed from five words you can
S
remember, misspell at least one of them, then intersperse a symbol or two. NEVER use this password
for any other purpose.
• Use the longest password allowed by the site.
• Use a random password generated by your password manager.
• Always use uppercase, lowercase, and numbers in your password. Use symbols when supported.
• Never use the same password twice.
Use long, complex, and random passwords everywhere. However, whenever a site or service offers multi-factor
or multi-step options for authentication, use them. They may be a hassle and inconvenience at first, but they will
become second nature to you eventually. Plus, you’ll have significantly stronger protections on your account that
those to fail to use the upgraded authentication.


5

Password Recovery Security Question
Many sites now require that you define the answers to several security questions. These are questions you will
be presented when you attempt to recover your password, when you make sensitive changes to your account
(such as your shipping address), or when you connect to the site as another part of authentication. While some
might advocate defining false answers to these questions that would require that you keep track of all those
answers.
I recommend instead that you take one of two more realistic approaches:
• ou could answer the opposite of the question posed. For example, if asked “what is your favorite
Y
food”, rather than answering “ice cream,” answer the opposite question of what is your least favorite
food, such as “fried chicken feet.”
• ou could answer the question truthfully then add personal padding material. Pick a phrase or stateY
ment, such as “Monkey1969” or “I Like Pickled Herring,” and add that to the end of each correct
answer. If asked what is your favorite color, rather than just listing “teal,” set your answer using your
padding material, such as “teal I Like Pickled Herring”.
Using either of these methods will not make these questions significantly harder for you to remember the
“correct” answer. But it will make it nearly impossible for someone to guess or discover your answers.

HTTPS Everywhere, All the Time
Using a VPN is your best practice for staying encrypted locally, but whenever possible, having your connection
encrypted all the way to your destination is even better. A growing number of Web sites now support secure
Hypertext Transfer Protocol Secure (HTTPS) connections. HTTPS was initially the HTTP Web protocol encrypted by
Secure Sockets Layer (SSL), but many years ago, SSL was replaced by Transport Layer Security (TLS). We retained
the HTTPS URL prefix and most of us still misuse the term SSL, much like we misuse the term Kleenex.
A plug-in from Electronic Frontier Foundation (EFF) called HTTPS Everywhere for Chrome and Firefox will ensure
that your browser requests a secure connection every time you type in a URL or click on a link. Only if a site
does not support HTTPS connections will you default back to cleartext HTTP.

Keep Clean
Another serious threat to your privacy, anonymity, and overall security is that of malware. Infections of malicious
code are rampant, and their sources and vectors are legion. You have to take precautions and avoid risky activities that could expose you to new malware.
Install a current-generation anti-virus anti-malware scanning program. Set it to monitor your system in realtime, set a schedule to scan your entire system at least once a week, and set to update at least once per day.


6

Avoid risky activities that could lead to infection. Take extra care when downloading files. Try to find the source
of a file before downloading it from a third party. If you can’t find the source, then use third-party download
sites that are known to be trustworthy, such as download.com or pcmag.com. Avoid opening attachments to
e-mails unless you verify that the sender sent it on purpose. Avoid using portable storage devices from unknown
sources, you just never where what kinds of filthy systems it has been plugged into. And most of all, avoid participating in the exchange of pirated or copyright liberated materials.

Leave On Purpose
When you finish using a site or a service, use the log out button or command. Don’t leave a session hanging and
go elsewhere. Purposely leave, shutting and locking the door behind you. Hackers may be able to take over your
stale sessions, even after you have left the premises. And on a related note, be sure to clear out your cookies in
every browser at least once a week. Cookies are the dropped backstage pass to your online accounts.

Bring Your Own Internet
Using free Internet access at coffee shops, restaurants, and other public venues is great. Or at least until you
realize just how easy it is to be fooled by a rogue access point (someone running a fake WiFi network), an evil
twin attack (an attack that duplicates a trusted network from your device), sniffing/eavesdropping (listening in
on your communications), DNS spoofing (giving you false IP address resolutions to domain name queries), manin-the-middle attacks (a hacker positioning themselves inline between you and the destination of your communications), and hijack attacks (taking over your session).
Using a VPN will reduce some of these risks, but not completely. The only real way to prevent opportunistic
compromises based on public WiFi is to not to use it. Instead, bring your own Internet connection. Many cellular
providers offer tethering plans or mobile hot-spot options. Or, you can look into new independent services like
FreedomPop (freedompop.com) or Karma (yourkarma.com). These two services offer inexpensive portable WiFi
hot-spot services.
If you can plug into a port with an Ethernet cable, that will be much more secure than using open WiFi networks.
You still need to use a VPN, but at least you will be fairly sure you plugged into a real port in the wall. If there is
no other option other than open WiFi, then be cautious. Ask the manager at the location what the intended WiFi
network name is, connect only to the network with the exact correct name, and then immediately launch your
VPN.

Conclusion
These are just some of the myriad steps youcan take to improve your security online. Some focus on privacy, usually with encryption, some focus on anonymity, and yet others address security management, especially around
authentication. It is up to you to take the necessary steps and precautions to preserve and protect yourself
online. No one else is doing it for you.


7

Learn More
Learn more about how you can improve productivity, enhance efficiency, and sharpen your competitive edge
through training.

CISSP Prep Course

Cyber Security Compliance Mobility Course (CSCMC)

Cybersecurity Foundations

Enterprise Wi-Fi Security (CWSP)

Visit www.globalknowledge.com or call 1-800-COURSES (1-800-268-7737) to speak with a Global
Knowledge training advisor.

About the Author
James Michael Stewart has been working with computers and technology for nearly thirty years. His work
focuses on security, certification, and various operating systems. Recently, Michael has been teaching job skill
and certification courses, such as CISSP, ethical hacking/penetration testing, computer forensics, and Security+.
He is the primary author on the CISSP Study Guide 6th Edition, the Security+ Review Guide 2nd Edition (SY0301), and Network Security, Firewalls, and VPNs. Michael has also contributed to many other security-focused
materials, including exam preparation guides, practice exams, DVD video instruction, and courseware. In addition, Michael has co-authored numerous books on other security, certification, and administration topics. He has
developed certification courseware and training materials as well as presented these materials in the classroom.
Michael holds a variety of certifications, including CISSP, ISSAP, SSCP, CPTE, CDFE, Q/SA, Q/EH, CEH, CHFI, and
Security+. Michael graduated in 1992 from the University of Texas at Austin with a bachelor’s degree in Philosophy. Despite his degree, his computer knowledge is self-acquired, based on seat-of-the-pants hands-on “street
smarts” experience. You can reach Michael by e-mail at michael@impactonline.com.


8

How To Secure Online Activities

More Related Content

What's hot

Similar to How To Secure Online Activities

More from - Mark - Fullbright

Recently uploaded

How To Secure Online Activities