There is a world of difference between targeted and untargeted attacksAre you a likely target for a hack? If you happen to be, say, a presidential candidate, a foreign secretary, a governor of a state, a billionaire, a well-known celebrity, etc., the answer, invariably is yes. This means that you need to be prepared for the possibility that someone will launch an attack specifically aimed at you. They may try to hack you through a friend, an employee, or a close relative. For instance, they may befriend your parent or spouse, find out what they and you have in common, such that one day, when your mom, Sis or Bro sends you a PDF attachment or a PowerPoint presentation with a bunch of cute cat pictures, you would not hesitate opening it. And bang you are hit because it contains malicious code, a “zero-day exploit” - exploiting a system bug that is not yet known to software manufacturers or the makers of security or antivirus programs, and your computer is hijacked.
This is something you need to be prepared for if you are a likely target for this kind of personalized attack, sometimes called “spearphishing”. But, for better or for worse, most of us are just not this important. Boris', Macron's. or Trump’s. hackers are unlikely to pay us any attention any time soon. Still, we are all vulnerable to attacks that are targeting a large number of people, are not personalized, and are basically just counting on the fact that if you target a million potential victims, there will be a few thousand among them who are vulnerable.
And by “vulnerable”, I most certainly mean people, not computers. Most successful attacks are primarily “social engineering” attacks, designed to trick the human, not the machine. For instance, you may visit a strange Web site and suddenly, a genuine-looking virus warning pops up, telling you to act immediately, recommending that you download a free virus scanner. Or you get an e-mail informing you that someone hijacked your Webcam and recorded a video of you doing something embarrassing. Many people fall for such scams. If they are lucky, the scam artist is only asking for a one-time payment. If they are unlucky, their computers may end up hijacked. Thus, the weakest link in a computer system is the human operator. If you were not aware of this, you need to take heed now else you are a sitting duck.
To protect yourself against such threats, you must educate yourself. Make sure that you recognize scams for what they are. Be ultra-cautious whenever something is obviously designed to frighten you, such as a sudden virus warning. Do not ever accept unsolicited downloads or e-mail attachments, even if they seem to come from a trusted source. And so on. But most importantly, assume the worst: That one day, when you are tired, when your attention is elsewhere, you inadvertently make a mistake and expose your computer by clicking on something you shouldn’t have. The three most obvious things that you can do to protect your computer are:
Have an up-to-date virus scanner.
Have a working firewall;Make sure all your software is up to date with security patches. The first one is obvious. The second, ditto; nowadays, most home Internet routers do serve as rudimentary firewalls, so you are probably OK. The security patch business, however, is not trivial. Sure, you keep Windows (if you are using a Windows machine) up to date, as Microsoft insists. But what about all the other software on your machine? Software that may be invoked when certain types of files are opened from the Internet or as e-mail attachments? This could be a media player, a media editor, third-party productivity software, CAD software… the list is long, and you are mostly on your own.
The point is, even if you become a victim of social engineering, these three things may protect you. A virus scanner may recognize the illicit payload that you inadvertently downloaded. A firewall may prevent this payload from “phoning home”, connecting to its owner. The payload may be trying to exploit an older bug that is fixed by up-to-date patches that you already installed.
Still, it is possible that none of these defenses do the trick, and you do become a victim. That’s when your last line of defense must kick in:
Know how to recognize that something is wrong
Assess the damage
Have a recovery planIf your computer behaves oddly; if it is unusually slow; if the router shows network activity when you are not doing anything on the Internet; it may be because your computer has been hijacked. Assessing the damage is important: at the very least, you want to know that your personal files are safe (a computer can always be ditched so long as your personal data are protected) and what information might have been exposed. As for a recovery plan, the most important thing is to know what steps to take to protect your money and your identity. E.g., if you know that your credit card information might have been taken, phone that bank right away.
Beyond that, one thing that you can never have enough of are backups. Make backups of your data. Make backups of your backups. Use USB storage, an external hard drive, another computer, whatever happens, to be available and convenient. Store backups away from your home, at a trusted friend or relative, or maybe in a safety deposit box. This really is your best protection in case disaster strikes. (An off-site backup may also protect you from other disasters, e.g. if your house burns down.)
No, none of these steps will keep your computer completely secure. That is just not possible outside of a vault. But doing the best you can, you can ensure that under any reasonably foreseeable sets of circumstances, you will be able to mitigate the damage and recover from an attack even if the worst happens.
Finally, one other thing I should mention, which is applicable especially to laptops that you carry around, or computers to which others may have physical access, is whole disk encryption. This is easier to set up these days than in the past, and it guarantees that even if someone has physical possession of your machine, they won’t be able to read your data.
And yes, unfortunately, this means that we all have to acquire a little bit of expertise when it comes to computer security. This is most unfortunate. Truth be told, there aren’t that many bad guys out there. But the problem is, the Internet knows no geographic distance. This means that every crook, every scam artist is effectively standing right in front of your virtual front door, so to speak, ready to pick the lock or ring your doorbell to sell their spiel.