This is a quick guide on the things you should be doing for, say, your family's or non-technical friends' machines. It won’t protect them from everything, but will hopefully result in fewer calls to you! (Or if you’re not a techie, then fewer calls to your more techy friends!)
Our threat model also doesn’t include nation states or “APTs”. Nor will it 100% protect you against someone that is targeting YOU specifically. (But it will make it harder.) Just the stuff that normal users probably have to worry about, without sacrificing usability too much.
The two biggest sources of malware these days are a) Phishing and b) Not Patching Your Stuff (Or a combo of both), so let’s start with
Turn on those auto-updates. Just do it. I know they’re annoying and that Microsoft STILL hasn’t sorted out their shit (which they promised us would happen by the time Vista was out) but you have to patch. Just do it. Having your machine reboot at 3am (or in 15 minutes) and possibly losing work is nothing compared to having your precious data ransomed via Cryptolocker. Patch all the things. Patch them now.
Web Browser: Get rid of the IE icon (and the Edge icon in Windows 10, since Edge doesn’t currently support extensions/add-ons) and replace it with Chrome or Firefox. Since Chrome comes bundled with Flash (which auto-updates), make sure it’s set to “Click to run”: http://www.howtogeek.com/188059/how-to-enable-click-to-play-plugins-in-every-web-browser/
For both browsers you want: uBlock Origin (ads), Privacy Badger (ads + trackers) and HTTPS Everywhere:
As a fallback (or in addition to ad blocking via browser extensions), you can use DNS/hosts-based blocking, if you’re comfortable enough following the instructions at: https://github.com/StevenBlack/hosts
Ah, our age-old enemy. Passwords. Odds are most people without a password manager re-use their passwords across sites, or have a “base” password with the site’s name tacked on to it. This is bad because when one site gets hacked, attackers will take all the cracked passwords and try them across other sites, and if you reuse passwords, they’ll then have control of your accounts. (And you won’t!)
Despite LastPass being bought out by LogMeIn, I’d still suggest LastPass https://lastpass.com for use as an easy-to-use, available-everywhere password manager. Have it auto-generate and auto-complete password fields, because this is Just Easier. (OS X does have its own built-in keychain, but there seem to be issues with syncing with Chrome/FF in the latest version of OS X. YMMV.)
At the very least, try to get rolling-code (TOTP) 2FA enabled on the email account that is used for password resets, on whatever Cloud Backup solution you decide to go with, and on whatever password manager you go with. (LastPass does 2FA, and so do Google Drive, Dropbox etc.) Most decent 2FA implementations include backup codes, in case you lose access to your phone. Write these down and store them in a safe place. You can also print out the QR codes you get given to scan; just make sure you store these offline in a safe place. (A fireproof safe, your wallet, etc.)
Ideally, enable 2FA on everything that gives you the option to. But feel free to click “Trust this device” when logging into services with 2FA. This makes it a lot more user friendly.
For storing/using 2FA codes you can either go with the default Google Authenticator or Authy: https://www.authy.com/ (which works across multiple devices and stores your 2FA codes in the Cloud. Just make sure you password-protect the Authy backups.)
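To show what a “rolling code” actually is, here is an added example (not code from the original post) that derives TOTP codes the way RFC 6238 describes and checks them against the RFC’s published test secret; the verify() helper and its ±1 step window are my own assumptions about how a service checks the code.

```python
# Added example (not from the original post): how a "rolling code" (TOTP,
# RFC 6238) is derived from the shared secret that the QR code / backup
# printout contains. verify() and its +/-1 step window are my own additions.
import base64
import hashlib
import hmac
import struct
import time


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def decode_secret(base32_secret: str) -> bytes:
    """Authenticator apps show the secret as unpadded base32; pad and decode it."""
    s = base32_secret.replace(" ", "").upper()
    return base64.b32decode(s + "=" * (-len(s) % 8))


def totp(base32_secret: str, at: int, step: int = 30, digits: int = 6) -> str:
    """Code for the 30-second window containing Unix time `at`."""
    return hotp(decode_secret(base32_secret), at // step, digits)


def verify(base32_secret: str, code: str, at: int, window: int = 1,
           step: int = 30, digits: int = 6) -> bool:
    """Server-side check: accept the current step and `window` steps either
    side to absorb clock drift; compare in constant time."""
    key = decode_secret(base32_secret)
    counter = at // step
    return any(
        hmac.compare_digest(hotp(key, counter + d, digits), code)
        for d in range(-window, window + 1)
    )


# RFC 6238 test secret "12345678901234567890" in base32 (constructed input).
RFC_SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"

if __name__ == "__main__":
    print("code for t=59:", totp(RFC_SECRET, 59))        # 287082 per RFC 6238
    print("code right now:", totp(RFC_SECRET, int(time.time())))
```

The base32 secret is the whole game: anyone holding it (or the printed QR code that encodes it) can produce the same codes, which is why those printouts belong offline in a safe place, as above.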
Just go ahead and leave Windows Defender turned on. It’s a decent AV and while it probably won’t catch 0days or brand-new, never-seen-before stuff, it will catch most of the stuff that most users will see. Plus, it’s free! (A bunch of the free AV vendors have started monetising their “free” AV products by injecting ads or selling your browser history: http://www.wired.co.uk/news/archive/2015-09/17/avg-privacy-policy-browser-search-data )
Install Malwarebytes Anti-Exploit (Free): https://www.malwarebytes.org/antiexploit/ which will stop most (not all!) “0day” or drive-by attacks on browsers. The free version only protects browsers and Java, however.
Also install Malwarebytes Anti-Malware https://www.malwarebytes.org/antimalware/ and set it up to run background scans every day (which it should do by default).
If you have an Android or iPhone, make sure you enable the backup services provided. iCloud can back up your photos etc. On Android with a Google account, you can do the same. In both cases, if you don’t have a large data cap, make sure you find the setting that only allows backups over Wi-Fi. Also make sure you enable 2FA for these services. You can also use Google Drive for storing backups of files, as well as something like Dropbox. Both offer file revisions (up to 30 days only, however!) so if you get cryptolockered, you can in theory go back and recover the uncryptolockered versions. Make sure you keep copies of important documents in GD/Dropbox/etc. and keep them updated. Also make sure that you have a local copy! Cloud storage can go away and keeping your only copy “in the cloud” is a bad idea.
Full Disk Encryption:
If you have a version of Windows that supports it, turn on BitLocker Full Disk Encryption. Most Windows laptops these days have a TPM, so you don’t need a separate password for BitLocker. Make sure you store a copy of the recovery key in your Microsoft account as well as somewhere physically separated from your machine (either in a safe or at a friend’s place). Somewhere that a burglar isn’t going to get to if they break into your house/car and steal your machine. This is particularly important for laptops.
A pretty basic one here. Set a screensaver for however long you think you’ll need (5-15 minutes is a good option) and then have it require a password to unlock. I’ve gotten into the habit of always locking my screen when I get up from the keyboard (Windows+L in Windows land). Anyone with the right hardware and a minute or two can completely compromise your machine if you leave it unlocked.
That’s it for this post. There are more things you can do to protect yourself (and others) but they require more effort and/or cost. If your threat model includes more advanced bad actors than what this post entails, you might want to ignore some of the advice here (such as anything that stores anything in the cloud) but for most people, the above is probably the most you can do for minimal effort.