5 ways to be more secure for the paranoid PC user

Getting a little sloppy with your security? Time to shape up. Practice these five habits to protect your data at home, in the office and out in the world

5 secure habits of the paranoid PC user

We know how it goes: You mean to practice safe computing habits, really you do. But when you fire up your computer, you just want to get stuff done -- and that's when even savvy users begin to cut security corners.

We'd all do well to take a lesson from truly paranoid PC users, who don't let impatience or laziness stand in the way of protecting their data. Let's take a look at some of their security habits that you may want to practice regularly.

After all, staying safe online doesn't have to be onerous or time-consuming. Invest an hour or two this weekend to put a few safeguards in place, consciously start to practice a few good habits -- and before you know it, your good intentions will become a daily reality.

1. Use a VPN everywhere

A perennial concern of the security conscious is having an interloper listen in on online activities, which can make you a ripe target for phishing attacks or even result in a hijacked connection. This could happen in a variety of settings, including at unprotected public Wi-Fi hotspots, fake cellular base towers or Wi-Fi access points, or hotel networks that have been compromised by hackers targeting executives traveling on business.

While enabling two-factor authentication (see below) and visiting only websites that are secured with HTTPS can alleviate some of these risks, a hacker in any of the above scenarios could still gain far too much information about the sites you visit. You may also be unknowingly exposed to threats posed by insecure apps running in the background on your laptop.

[ Further reading: 8 password managers for Windows, Mac OS X, iOS, and Android ]

It makes much more sense to access the Internet through a virtual private network in which all outgoing and incoming traffic is funneled through an encrypted channel to a trusted Internet gateway. Another advantage of this strategy is how it masks your current IP address, which should further reduce opportunities for phishing.

Fortunately, commercial VPN offerings such as VyprVPN and PureVPN abound for individuals and small businesses, and are typically priced at between $5 and $10 per month. Almost all of these services provide their own VPN client to log in to the correct servers with minimum configuration required. Affordability aside, some considerations when choosing a suitable VPN service include its performance in the region where you live or travel to, the number of simultaneous client devices it supports, the platforms it supports and its reliability.

For users with technical chops, an alternative is to set up your own VPN connection to a VPN server in the office or even on a home router. This is worth considering due to the increasing number of home routers and other network appliances that are capable of acting as a VPN server. For instance, the recently released Synology Router RT1900ac, $150 (Amazon price - What's this?), offers add-on software that turns the router into a VPN server.

Synology router VPN server screenshot Paul Mah

Wireless routers such as the Synology Router are increasingly offering built-in VPN capability.

2. Enable two-step or two-factor authentication for your online accounts

Basic password hygiene -- creating lengthy, complicated passwords/passphrases, using different passwords/passphrases for different accounts and managing them all with a password manager -- is still an important security fundamental, but it isn't nearly enough to protect your computer in 2016.

Bad guys use multiple methods to steal static passwords: devices like the $99 WiFi Pineapple that can be used to masquerade as Wi-Fi access points, $10 hardware sniffers that spy on and decrypt the signals from wireless keyboards, and keylogging hardware devices that can be plugged unobtrusively into a PC (there are dozens available on Amazon). Malware attacks, bugs in poorly written software and man-in-the-middle loopholes open up additional threat vectors.

As such, having a second, dynamic code that is generated on the fly and delivered via an alternate, trusted route overcomes some of the inherent vulnerabilities of a static password and increases the likelihood that your account will stay safe even if your password is compromised. The simplest and most common form that this security measure takes is a one-time code sent to your cell phone via SMS when you log in to an account. Just type in the code to complete the login.

Because the code is sent to your phone, some industry watchers hold that this two-step process is a simple form of two-factor authentication, which adds something you have (your phone) to something you know (your password). Other experts argue that because it relies on SMS, which is inherently insecure and can be intercepted by someone who doesn't physically possess your phone, it's not true two-factor authentication. Semantics aside, two-step verification is still much more secure than relying on a password alone.

Even more secure are two-factor authentication methods where codes are generated on a device itself, such as mobile phone apps that are primed to generate one-time codes on demand, hardware security fobs such as RSA authenticators that generate a code for you to type in, or devices like the $40 YubiKey (Amazon price) that are plugged into an available USB port. Slowly gaining in popularity is multi-factor authentication, which adds something you are (using a fingerprint or other unique biometric data) to something you know and something you have.

hardware security tokens from banks Paul Mah

Banks in Singapore, where the author lives, are mandated by law to implement two-factor security for their customers. Many use hardware security fobs like these. (Headphones shown for scale.)

While every online service will benefit from the use of two-step or two-factor authentication, a good place to start is with your email account and your cloud storage service. The latter is self-explanatory, while the former is important because a hacker who gains access to your email account can use it to reset the passwords of all your online services linked to it.

In fact, the threat of an email address being leveraged to social-engineer additional information from customer service departments is real, and security experts recommend that really important accounts such as the root credentials of an Amazon Web Services account, for example, should be linked to an email account that isn't used anywhere else.

3. Always lock your PC

One habit that most users are aware of but few practice is to ensure that laptops or desktop PCs aren't left unattended and unlocked, even in a semi-private space like the company office. Given that many users log in to their computers as administrators, it takes just a few seconds of unfettered access to a running PC to install some form of malware or spyware tailored to evade detection by popular antimalware software.

The solution is to password-lock your device if you will be away from it, protecting your data while leaving running apps and the desktop untouched. A good habit to develop is to lock your computer manually via a keyboard shortcut every time you walk away from it. On a Windows PC, press the Windows key + L.

Doing this on a Mac requires a little setup first. Open System Preferences and go to Security & Privacy > General. Check the box marked "Require password...after sleep or screen saver begins" and choose "immediately" from the drop-down. To lock your screen, press Control + Shift + Power. Older Macs with optical drives can be locked using the Control + Shift + Eject shortcut.

Upon your return, you'll need to type in a password to unlock the device, but this minor inconvenience is worth the added protection. Of course, if you have a laptop with built-in fingerprint or facial recognition, such as the new Microsoft Surface Book, which starts at $1,425 (Amazon price), you won't need to key in your password manually.

Even if you are in the habit of manually locking your computer, it's still a good idea to set it to automatically lock after a period of inactivity as a hedge against the one time you forget to manually lock it. This can be done by setting a relatively short period before your PC goes to sleep, and to require a password on waking up. Another method that works well is to configure the screensaver to prompt for the system password, and to set a short idle period.

GateKeeper computer security fob Untethered Labs

The GateKeeper 2.0 features a smaller dongle than the first version, with better range and some new features.

An alternative is to use a physical token to automatically lock your device when you are away. The $60 GateKeeper (Amazon price), for instance, consists of a USB dongle and a fob that serve as a lock and key, respectively. The USB dongle plugs in to your PC and communicates with the fob wirelessly using Bluetooth, automatically logging you into your computer when you are near and locking it when you walk away.

4. Encrypt your drive

Encrypting the data on your PC is an important step in ensuring that your data isn't compromised. The hard disk drives found in some business laptops can be quickly swapped out to another PC and duplicated or implanted with spyware. Encrypting the drive means its data will show up as gibberish when loaded on another system. Even if that scenario doesn't seem likely to you, drive encryption provides an additional safety guard against prying eyes in case your laptop is lost or stolen.

Windows 8.1 and Windows 10 will encrypt your drive by default, though the former requires that a number of prerequisites be met, and the latter requires you to use a Microsoft account with administrator privileges or join a Windows domain. With this in mind, it is worth checking Control Panel > BitLocker Drive Encryption or Settings > About to ensure that disk encryption in the form of BitLocker is successfully enabled.

checking that Windows BitLocker encryption is enabled Paul Mah

It pays to check that BitLocker encryption is active and didn't get stuck for some reason.

Mac users should check that FileVault disk encryption is enabled: Go to System Preferences > Security & Privacy > FileVault. It's turned on by default in OS X 10.10 Yosemite and later versions, but it never hurts to double-check.

5. Make sure your own Wi-Fi network is secure

Home and small-business Wi-Fi routers and access points (APs) are something we tend to set and forget, but it's worth spending half an hour performing a security audit on your network and shoring up any weak points.

Because wireless signals typically propagate in all directions, it's critical that you use robust encryption to defend against eavesdropping and connection hijacking. Flaws in older security protocols such as WEP mean that they can be broken in minutes. Although new routers and APs have dropped WEP in favor WPA or WPA2, it's still a good idea to check the settings of older Wi-Fi devices to make sure that WEP (or WEP2) hasn't been inadvertently enabled.

And note that WPA is no longer considered secure because it relies on the unsafe TKIP encryption protocol -- so while you're looking, check that WPA2 and AES encryption are used. If your router or AP doesn't support WPA2, it's time for an upgrade.

For simplicity's sake, most small-office and home networks use a static password or passphrase as the encryption key to protect transmitted data. Unfortunately, it is possible for hackers to use brute force to break into a wireless network by repeated attempts at guessing the underlying passphrase. Indeed, there is now a sizable pool of software tools available to security researchers -- and hackers -- that were designed specifically for probing and breaking into Wi-Fi networks.

The most popular attack vector here involves capturing the legitimate wireless handshake that takes place between a router and a device connecting to it, and then cracking it offline. To substantially reduce the time required for cracking, hackers often rely on the use of massive precomputed hash tables known as rainbow tables, or leverage the greater processing powers of GPUs.

Raising the bar against such attempts ultimately hinges on the passphrase used. While complexity (using mixed case and special characters) matters, having a longer length of at least 20 characters (even longer is better) will probably have the greatest impact on making it harder for the bad guys to crack.

I also recommend changing common SSIDs like "Home," "WLAN," "Wireless" or "Wireless Network" to something unique, because WPA/WPA2 incorporates the SSID into the encryption key as a salt. In my research, I have come across hackers who pre-compute rainbow tables based on the top 1,000 SSIDs -- so you're more vulnerable if you use a common SSID.

Finally, many home and small-office Wi-Fi routers and APs support Wi-Fi Protected Setup (WPS), a standard that was designed to securely join devices and routers with the push of a button. You may want to disable the feature if possible, though, since various vendor implementations have been found susceptible to brute-force attacks due to the standard's reliance on an eight-digit number.

Obviously, following the above tips won't guarantee that you'll never experience a security compromise. But they're a strong start, and practicing these habits will perhaps turn you into a paranoid PC user yourself -- not at all a bad thing to be in an increasingly insecure world.

This story, "5 ways to be more secure for the paranoid PC user" was originally published by Computerworld.

Copyright © 2016 IDG Communications, Inc.