I talk about this in my #AwarenessTrainings that I put together for my company. People sometimes have the mistaken notion that they aren't targets for bad actors because they aren't famous and don't have a high net worth, or don't have a high-profile job. But that's simply not the case today. Anyone with any online presence is a potential target to attackers. That means everyone needs to know their cyber hygiene. So what does that look like?
Basic cyber hygiene is essential and easy. Steps include (extra details below):
➡️ Be more stringent about the info you share online π
➡️ Review and adjust #privacy settings π
➡️ Use strong and unique #passwords π️
➡️ Enable two-factor #authentication π️
➡️ #Monitor online presence π
➡️ Learn about data brokers ⬅️
➡️ Secure all devices π
➡️ Be skeptical of unsolicited requests π―
➡️ Regularly audit third-party apps with access to your accounts ❗
➡️ Monitor credit reports π°
➡️ Separate personal and professional identities π¬
π Sharing online: Especially if your posts online are public, be aware that anyone, including the bad guys, will see the post, its likes, and its comments unfiltered. They can use details and media included in social engineering attacks against you and your connections. They can clone your voice, or your persona, from a short video and then replay that to your connections to defraud them, or you. They can "guess" your passwords and/or security question answers just by browsing your social posts and comments. This is called #SocialEngineering
πPrivacy settings: Make sure to regularly review these settings on all sites and portals you frequent. Providers regularly update settings and provide new functionalities.
π️ Passwords & MFA/2FA: It's 2025 - you should be using a formal password manager that can provide long, strong, and unique passwords for every site/service you use. Some of them also provide OTP and QR code scanning capabilities for MFA/2FA. 1Password, Bitwarden, and Proton Pass are solid options in this space, among others. Make sure to fully vet whomever you choose (ensure they have a solid internal security policy and zero-knowledge framework at a minimum). Otherwise, use a 3rd party app like #GoogleAuthenticator or #MicrosoftAuthenticator to store your OTPs + a password manager. ProtonPass has a free tier that is very good, I use it myself. We use 1Password at my company, everyone loves it lol. Regardless of what tool you use, BE SURE TO USE ONE! The built-in browser password managers are not as secure, and only work with websites - they are basically fancy auto-fill tools, not a proper credential manager. A formal password manager will come with apps that work across all devices and operating systems so you can easily access your secrets anywhere you are.
π Monitor yourself: You should be aware of your #DigitalFootprint. Web search yourself, your email addresses, your phone numbers - find out what's out there about you. Google Alerts is a service where you can setup monitors for most any "topic." I've used them for years to search my name, email address, and the same for my immediate family. Whenever the "topic" pops up on a web page, I get an email alert. Also, you should be aware of any #BreachData out there with your info. I suggest https://haveibeenpwnd.com as a great starting point.
⬅️ Data brokers are horrible banes of our digital existence. They collect our data from so many places, most without our direct knowledge, and resell it for profit. Then they get hacked and our data is leaked outside of our control. Learn about these companies. Find ways to request for your data to be deleted from their platform. It may not be easy to erase this data, but persistence can be a good thing in most cases. Don't be surprised if you get stuck in a loop or outright denied when dealing with these companies. Your data is their profit - the don't want to give it up without a fight.
π Securing all of your devices sounds like a no-brainer, right? Wrong. How many parents leave their devices unprotected so they can permit their kids to play a game or watch a show/movie? I also see people using weak security methods to secure their devices - simple PIN codes that are 11111 or 12345 or MATCHING YOUR ATM PIN π (please don't do that!). Using a #biometric method (fingerprint or face or eye) is the most secure. Your device should also make you create a PIN as a backup to biometric - please use something good! I personally use a PIN with 6+ digits. Makes it much more difficult to brute-force.
π― Be skeptical of random DMs and emails, and especially of things that are "too good to be true". Spoiler alert! They usually are not good, nor true. Many hackers will use these methods to social engineer you. #Phishing is still the most common method of compromise globally. Email servers block trillions of emails per day as SPAM, most never even make it to your mailboxes Junk folder, but with AI the scammers are getting past even the most modern security platforms. #BeCyberAware #StayVigilant
❗Audit 3rd party app access to your accounts regularly. Remember that game you stopped playing a few months ago? You deleted the app, so you're good...right? Not if you signed into the app with your a social or email account. They still have access to your profile data and whatever else you gave them permission to see when you accepted those terms of service when you first opened the app! Make sure to go into your account's Security section and see what apps and services are still connected to your accounts. You should immediately delete/revoke any apps/services you no longer use, or you don't want to have connected to your profiles. This can include the aforementioned...Data Brokers π»π±
π°Monitor your credit reports! You want to check for any new credit or bank accounts you didn't apply for yourself, activity you don't recognize, loans taken out in your name - anything "weird or unusual". In the US, the Big 3 are: TransUnion, Experian, and Equifax. They all have free account levels, but you can of course pay for premium services if you want.
π¬Separating your personal and professional identities is important. Stop using your work computer and email for personal shit (please)! I can almost guarantee that is against [insert company name here]'s policy! As a security guy, I can tell you we really don't need to see your tax return, resume, pet's health records, your sister's/brother's picture from that [insert family event here] you went to last weekend, and I certainly don't want to see your shady Internet activity (seriously, please stop that shit). You don't want your company in your personal stuff, and your company doesn't want their stuff on mixed with your personal stuff. YOU HAVE A SMARTPHONE! Use that instead (please). If you need a PC for home/travel use, go buy a cheap one from the local electronics store. You can get a decent machine for ~$200 today that will handle simple web browsing, checking emails, and even voice or video chats. You can even connect your earbuds or headset to them. Go watch porn on your own time bruh! π
Now you're probably wondering what AI has to do with all of this. Well, all modern AI's (as of this blog post) are trained off of Internet data, along with many other training databases. So if you've ever put it out there on the Internet, ever (this blog included), it is being aggregated and processed by multiple AI foundation models and used to respond to user queries. This includes pictures and videos you have uploaded pretty much anywhere. Keep in mind there are a few #DarkAI models out there now as well that have zero guardrails, meaning anything is available unfiltered. All you need is a creative prompt.
It's a brave new world in 2025 ya'll. You need to know what is out there about you - because the hackers already do too.
