Student Guide to Internet Safety
This tutorial focuses on how students can stay safe and secure when using the internet. Although it is designed as a basic backgrounder for college-age students, the advice and best practices for improving personal security will benefit everyone.
Another data leak is the latest in a seemingly never-ending series of bad news. Every week, fresh security breaches make the news. Every year, billions of records containing personally identifiable information (PII), such as user names and passwords, are leaked. Students are often hyper-connected, and they must take precautions to avoid internet predators.
Social engineering, spam, adware, trojans, worms, and phishing are examples of online hazards to which students are particularly vulnerable.
Without a detailed analysis of password security, no discussion on internet safety is complete. The best method to safeguard gadgets and online accounts is to use strong passwords.
The security industry is working hard to develop a better solution for online security than user names and passwords. As of yet, no viable alternatives have emerged, at least not for general public use.
Although biometrics and multi-factor authentication (MFA) have substantially improved on plain passwords, password-based systems remain the norm. Password protection is therefore crucial at the current stage of security evolution.
The primary purpose of biometric authentication, as it is usually employed for mobile device access, is convenience. It is considerably easier to unlock a smartphone with a fingerprint than to type a password. This solution is still password-based, but it is now faster and simpler. In effect, the biometric scanner verifies the user’s fingerprint and then supplies the password to the device or app. Even if the biometric input is missing, the password is still valid and can be entered manually.
The use of a fingerprint reader reduces the likelihood of a password being witnessed and so stolen by an onlooker, which provides a marginal level of enhanced security for device and app biometric authentication. Because of their employment as fingerprint, hand geometry, and facial recognition readers in physical access controls, biometric readers have grown in popularity. The inclusion of biometrics in these physical security systems gives a better level of security because the biometric input, or the biometric input in combination with an access card, is the only way to gain entry to a secure area. Logical access controls on devices and apps do not have the same level of security because, in most circumstances, an alphanumeric password can be used instead of a biometric input.
Multi-factor authentication, on the other hand, has a lot of advantages in terms of security. MFA, also known as Two Factor Authentication (2FA) or 2-Step Verification, necessitates the use of at least one additional piece of evidence when logging into an account or device. A one-time code given to the user’s cell phone is usually the second piece of evidence. This method is more secure because it is extremely unlikely that a hacker would gain access to the user’s device in order to obtain this code.
The most frequent method for transmitting the 2FA one-time code is by SMS text message to a cell phone. This method works effectively because it does not necessitate the installation of a new programme or any additional setup. In the event of an unwanted access attempt, the user is notified through SMS text. After that, the user can change their password.
SIM Swap Scam
Crooks have used SIM swap fraud to circumvent 2FA SMS one-time codes in a number of documented incidents. The hacker uses social engineering to obtain a replacement SIM card for the victim’s phone, or persuades the carrier to move the number to a SIM the fraudster already owns. By diverting incoming texts, scammers can intercept the two-factor authentication text message and use it to aid an account takeover attack.
You cannot fully protect yourself from a SIM swap scam, because the person being conned is not the owner of the phone number but a cell provider employee. It can be tough to stop a hacker who has refined their social engineering skills. However, there are several safeguards that can be put in place.
It will be more difficult for a hacker to social engineer a SIM swap if you have a PIN or passcode on your cell phone account. Almost every carrier either requires a PIN or offers one as an option. Authenticator applications are another option, and they are likely to provide superior long-term security.
SMS-based two-factor authentication is no longer recommended by the National Institute of Standards and Technology (NIST), which now favours authenticator apps. SIM swapping is not an issue with these mobile apps, and because the app generates the code itself it works even where there is no mobile coverage.
For students who want to improve their internet security, there are several authenticator apps available:
- Google Authenticator
Some password managers, such as the ones listed below, can also help with this.
Long vs. Complex
Traditionally, the complexity of a password was considered more important than its length. Long passwords were thought to be too difficult to remember, while short passwords were thought to be too easy to crack with brute-force attack tools. As a result, security experts believed that shorter but more complex passwords were the ideal approach.
Many businesses mandated that subscriber-created passwords be short and contain at least one of the following:
- Lowercase letter
- Uppercase letter
- A special character, such as a punctuation mark
This viewpoint has shifted.
The previous approach to password length vs. complexity neglected to account for the human aspect. Humans are prone to seeking the path of least resistance in order to complete their tasks and move on with their lives. It became clear that most people are incapable of remembering complex passwords. People devised ways to make the password security procedure easier, such as writing them down and reusing them across many accounts. Both of these are terrible ideas.
The National Institute of Standards and Technology (NIST) recently updated its password guidelines. The most significant change concerns complexity.
NIST states, “Highly complex memorized secrets introduce a new potential vulnerability: they are less likely to be memorable, and it is more likely that they will be written down or stored electronically in an unsafe manner. While these practices are not necessarily vulnerable, statistically some methods of recording such secrets will be. This is an additional motivation not to require excessively long or complex memorized secrets.”
Current thinking favours the idea that the longer the password the better, as long as the user can remember it. This thinking gave birth to the concept of a passphrase: a string of words and numbers that the user can readily remember. The National Institute of Standards and Technology (NIST) advocates the use of passphrases.
A comparison of a password and a passphrase is shown in the table below. It demonstrates the benefits of using a passphrase.
| | Example | Length | Complexity | Time to crack (higher guess rate) | Time to crack (lower guess rate) |
|---|---|---|---|---|---|
| Password | rQlg+87d | 8 characters | Upper case, lower case, number, punctuation mark; very difficult to remember | 3 hours | 4 months |
| Passphrase | bleeker adams run guitar | 24 characters | Lower case, space; easy to remember | centuries | centuries |
Checking Password Strength
Many online sign-up forms include a password strength checker that gives feedback, typically “weak”, “medium” or “strong”, as the user types a password. Feedback from a simple form can be useful for confirming that the minimum number and types of characters have been met, but it can also be misleading. A thorough password checker should, in addition to checking conformance with the stipulated number and type of characters, compare the password against multiple dictionaries and test it for common password formation tactics. These additional tests should include:
- Check against a blacklist of known-compromised values.
- Check against dictionaries of popular passwords.
- Check against dictionaries of names.
- Undo common symbol-for-letter and number-for-letter substitutions (for example “@” for “a” or “3” for “e”) and test the result again.
- Look for character sequences such as 12345 or efghi.
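As an added example (not a tool from the page), the following Python checker implements the five additional tests listed above and also estimates brute-force time for the password and passphrase in the table; the word lists, the 1e10 guesses-per-second rate and the 7776-word passphrase list size are assumed sample values. Because a passphrase built from dictionary words is also exposed to whole-word guessing, the lower word-based estimate is reported separately.

```python
import math
import re

# Constructed sample lists; a real checker loads large breach, word and name files.
BREACHED = {"password", "123456", "qwerty", "letmein", "welcome1"}
WORDS = {"password", "dragon", "monkey", "football", "sunshine"}
NAMES = {"james", "mary", "robert", "jennifer"}
# Common symbol/number-for-letter substitutions, undone before the dictionary tests.
LEET = str.maketrans({"@": "a", "4": "a", "3": "e", "1": "i", "!": "i",
                      "0": "o", "$": "s", "5": "s", "7": "t"})
GUESSES_PER_SECOND = 1e10   # assumed offline cracking rate, not a figure from the page
ASSUMED_WORDLIST = 7776     # assumed size of a passphrase word list known to the attacker


def has_sequence(pw: str, run: int = 4) -> bool:
    """True if pw holds `run` consecutive ascending or descending characters (12345, efghi, 9876)."""
    s = pw.lower()
    for i in range(len(s) - run + 1):
        steps = {ord(s[j + 1]) - ord(s[j]) for j in range(i, i + run - 1)}
        if steps in ({1}, {-1}):
            return True
    return False


def keyspace(pw: str) -> int:
    """Brute-force search space implied by the character classes actually present."""
    size = 0
    if re.search(r"[a-z]", pw): size += 26
    if re.search(r"[A-Z]", pw): size += 26
    if re.search(r"[0-9]", pw): size += 10
    if re.search(r"[^A-Za-z0-9]", pw): size += 33   # printable punctuation and space
    return size ** len(pw)


def check(pw: str) -> dict:
    problems = []
    plain = pw.lower().translate(LEET)          # "P@ssw0rd" -> "password"
    if pw.lower() in BREACHED:
        problems.append("found in breach blacklist")
    if any(w in plain for w in WORDS):
        hidden = " hidden by symbol substitution" if plain != pw.lower() else ""
        problems.append("contains a dictionary word" + hidden)
    if any(n in plain for n in NAMES):
        problems.append("contains a common name")
    if has_sequence(pw):
        problems.append("contains a character sequence such as 12345 or efghi")
    space = keyspace(pw)
    words = pw.split()
    return {
        "problems": problems,
        "bits": round(math.log2(space), 1),
        "years": space / GUESSES_PER_SECOND / (365 * 24 * 3600),
        # A word-based passphrase measured as whole-word guesses rather than characters
        "dictionary_bits": len(words) * math.log2(ASSUMED_WORDLIST) if len(words) > 1 else None,
    }
```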
Students should consider using the following online password testing sites:
Before entering your actual password, be sure the site is trustworthy. A site that checks password strength should never send your password to its server; the test should run entirely in your browser.
One of the most prominent pieces of advice given by security experts is to never repeat a password.
This is excellent advice. Credential stuffing is a cyberattack in which a hacker uses stolen account credentials to gain unauthorised access and take control of a user account. Hackers frequently try user name and password combinations obtained on the dark web against a variety of popular websites and applications, relying on the user having reused the same password across multiple sites.
“From November 2017 to the end of March 2019, security and content delivery provider Akamai detected 55 billion credential stuffing threats across dozens of verticals,” according to the website CSO. While some industries are targeted more than others, none are immune to the threat, according to CSO.
Today’s students can have dozens, if not hundreds, of password-protected accounts. It is nearly impossible to remember a different password for each account. Unable to remember hundreds of passwords, people fall back on reusing the same password over and over. There is an alternative.
A password manager is a better way of keeping track of all the passwords needed to function in today’s society. A password manager is software that stores many passwords in an encrypted vault, so the user needs to remember only one master password to access all of the individual passwords used for various websites or services.
Password managers, often known as password vaults, can usually generate secure passwords. For users with lesser needs, several provide a free version. The following are some password managers to think about:
Student Cybersecurity Essentials
Students should use a password manager to store strong passwords and enable multi-factor authentication on their accounts. Cyberthreats aimed at defrauding students grow more sophisticated all the time. Any back-to-school strategy must include knowledge of these hazards, how to detect them, and how to avoid them.
The distribution channel for social engineering scams aimed at students is typically social media sites. Students’ social inclination is used in these scams, which are likely to contain fake romance ploys. This type of scam is particularly common on online dating sites.
The rules for avoiding social engineering are straightforward. Never assume that someone on the internet is who they claim to be. Never agree to meet in person unless you are accompanied by a trusted person and in a public place where you are safe. Never give out personally identifiable information, such as your full name, address, phone number, or class schedule, to someone you do not know in person.
Students should expect spam. It will arrive, and it will arrive in droves. A student’s inbox will be flooded with offers for credit cards, loans, cell phones, and every other conceivable convenience.
Students must learn to employ email blocking tactics quickly. This feature is available from most email providers. Students must understand how to utilise it for their specific service provider and practise using it on a regular basis. The offers are invariably appealing. “If it sounds too good to be true, it probably is,” says the old proverb. Never make a major decision without giving it some thought, and never buy something you weren’t looking for when the opportunity arises.
Malicious software that shows or downloads advertising content automatically is known as adware. Adware is frequently downloaded inadvertently when freeware or shareware products are installed. This advertising content frequently appears in the form of pop-ups or a window that the user is unable to close.
While most adware is an annoyance rather than a dangerous threat, it can be a sign of more serious problems to come. Adware authors rarely have any reservations about collecting and selling information from their victims’ computers.
A Trojan Horse, or simply a Trojan, is a form of malware that frequently masquerades as genuine software. The term comes from the myth of the deceitful Trojan Horse, which led to the destruction of Troy in Ancient Greece. Trojans are used by cybercriminals to obtain access to a user’s system and, in certain cases, to seize control of the victim’s machine.
Trojans, which are particularly harmful, are usually downloaded as a result of some form of social engineering. Trojans are commonly distributed via clicking on an unfamiliar link in an email or downloading a document or image from an unknown source.
Some Trojans are designed to harvest credentials from the victim’s computer and then upload them. Others, on the other hand, are meant to use the victim’s machine as a bot.
Worms differ from adware and Trojan viruses in that they do not require an active host programme or an infected and running operating system to run. Worms are self-replicating, stand-alone programmes. Worms are created with the intent of spreading throughout a network and infecting equipment along the way.
When connecting to unknown networks or using file-sharing services, students should be cautious. Advanced security software capable of detecting and eradicating worms and other dangerous malware is often installed on college and university networks. If a student discovers a worm or other malware on their computer, they should notify the network administrators of all networks they use.
Student-friendly computer security products are available from a variety of manufacturers. Among the most well-known brands are:
Phishing is the practice of sending emails that appear to be from trustworthy companies in order to trick people into divulging personal information such as passwords and credit card data. Hackers have been known to target students, assuming that they lack the life experience needed to distinguish a phishing email from a legitimate one.
The following are some pointers for spotting phishing scams:
- Emails that are written as if the sender knows the recipient yet open with a generic greeting should be treated with caution.
- In most cases, phishing emails are sent in bulk. Examine the email for indicators that it was sent to a significant number of people.
- The email’s links may or may not take the user to the intended destination. Hovering the computer’s cursor over the link may disclose the link’s actual internet destination.
- The sender’s email address may appear real at first glance, but upon deeper inspection, it is discovered to be false. Keep an eye out for sender email addresses that have been cleverly disguised. In an attempt to make the address appear real, the fraudster may include names that should be in the domain section of the address in the username portion of the address.
- Phishing emails frequently ask the recipient for personal information.
- Phishing emails usually include a sense of urgency, urging the recipient to take action right away.
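The link and sender checks from the list above, as an added example (not from the page): it compares the domain a link’s visible text suggests with where its href actually goes, flags a known brand name used only as a subdomain of an unrelated domain, and flags a domain-like name in the username part of a sender address. The brand list and the two-label “real domain” rule are simplifying assumptions; a production filter would use a public suffix list.

```python
import re
from urllib.parse import urlparse

# Constructed watch list of brands commonly imitated (assumption, not from the page).
WATCHED_BRANDS = ("paypal", "microsoft", "office365", "dropbox", "airbnb", "slack")


def registrable_domain(host: str) -> str:
    """Approximate the domain that was actually registered: the last two labels.
    A public suffix list would handle cases such as example.co.uk correctly."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def link_indicators(visible_text: str, href: str) -> list:
    """Compare what the reader sees with what hovering over the link reveals."""
    flags = []
    real_host = (urlparse(href).hostname or "").lower()
    real_domain = registrable_domain(real_host)
    # Only compare destinations when the visible text itself looks like a URL or host name.
    shown = visible_text.strip()
    if re.match(r"^(https?://)?[\w-]+(\.[\w-]+)+(/|$)", shown, re.I):
        shown = shown if "://" in shown else "http://" + shown
        shown_domain = registrable_domain(urlparse(shown).hostname or "")
        if shown_domain != real_domain:
            flags.append(f"text shows {shown_domain} but the link goes to {real_domain}")
    # A brand name used only as a subdomain, e.g. www.paypal.com.<unrelated>.example
    prefix = real_host[: -len(real_domain)] if real_host.endswith(real_domain) else ""
    for brand in WATCHED_BRANDS:
        if brand in prefix and brand not in real_domain:
            flags.append(f"'{brand}' appears only as a subdomain of {real_domain}")
    return flags


def sender_indicators(address: str) -> list:
    """A domain-like name in the username part is a disguise: the real domain follows the @."""
    local, _, domain = address.rpartition("@")
    flags = []
    if re.search(r"[\w-]+\.(com|net|org|edu)\b", local, re.I):
        flags.append(f"'{local}' looks like a domain but the real sender domain is {domain}")
    return flags
```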
Thousands of email subject lines from simulated phishing tests were evaluated by KnowBe4 in Q4 2019. The company also looked at ‘in-the-wild’ email subject lines, which are genuine emails that consumers received and reported as suspicious to their IT departments. The outcomes are listed below.
The Top 10 Email Subjects
- A password change is required right away (26 percent)
- Deactivation of email in Microsoft/Office 365 is in progress (14 percent)
- Immediate password verification is necessary (13 percent)
- Employees are getting raises, according to HR (8 percent)
- Dropbox: Documents that have been shared with you (8 percent)
- IT: Server maintenance is scheduled, so there will be no internet connectivity (7 percent)
- Change your Office 365 password right now (6 percent)
- HR warning regarding the use of personal computers (6 percent)
- Airbnb has a new device login system (6 percent)
- Slack: Account password has been reset (6 percent)
If a student feels they have received a phishing email, they should delete it immediately without clicking any links or responding.
Whether or not a phishing scheme is suspected, URLs found in an email should always be typed manually into the browser rather than clicked. If a student receives what appears to be a valid email from their bank asking them to visit its website, the student should type the bank’s actual, known website address into their browser rather than clicking the link in the email.
Protect Your Device
Whether a student prefers to use a smartphone, tablet, laptop, or desktop computer, they should take some precautions to keep their devices safe. Few things are more likely to impair a student’s ability to concentrate on their studies than a major security incident. A data breach involving personally identifiable information might result in significant financial losses. Academic aspirations can be thwarted by lost, destroyed, or copied research.
Precautions for device protection that must be strictly adhered to include:
- All devices should be password protected. A different password should be used for each device. Reusing device passwords, like account passwords, raises the danger that if the password is leaked or discovered, all devices that share that password will be susceptible.
- Passwords to devices should never be shared. Students are more likely to share their devices with their friends and classmates. If at all feasible, they should avoid sharing devices. If you’re sharing, instead of merely sharing the password, take the time to log into the device and keep the password hidden.
- Before you download an app, do some research on it. A few minutes spent researching an app to check if others have had success with it can help you avoid downloading malware. Look for apps from respected creators and read reviews.
- Clicking on questionable links should be avoided. While clicking a link rather than typing in a URL is more convenient, never open a link unless it is known to be accurate and legitimate. If a virus or other malware is prevented, the extra time and work will be well worth it in the long term.
- Keep your software up to date. Software updates frequently include new security features, and software engineers release patches as updates when vulnerabilities are discovered. Out-of-date software is a hacker’s dream.
- Open WiFi networks should be avoided. While free and open WiFi networks are convenient, they also present a channel for malicious actors to gain access to your device. Rogue open networks have been known to be set up by hackers to entice unwary users to connect to what they thought was an open public network. The risks of using open WiFi networks include man-in-the-middle attacks, malware propagation, and snooping, to name a few.
- Back up crucial data on a regular basis. Things go wrong, and horrible things can happen. Data backups can considerably lessen the negative consequences of a data breach.
Being a student comes with its own stressors and difficulties. Taking the effort to learn and apply fundamental cybersecurity practices makes it possible to avoid a device breach and data loss. Living in a connected world carries its own risks; even so, common sense and attention to detail can help you avoid becoming a victim.
Use long passwords, enable two-factor authentication, do not share passwords, keep software up to date, always use antivirus and firewall applications, and learn to recognise phishing scams.