Transcripts
1. Welcome To The Course!: Hey there. Thank you so much for joining me. My name is Brad Merrill. I will be your instructor, and I'd like to take just a moment to explain what this course is all about. We live in a world that's increasingly dominated by computers and the Internet. Almost everything we do these days revolves around technology, and we're more connected than ever before. You know, it's pretty amazing. Today's reality is like yesterday's science fiction. You can have a real-time video conversation with someone on the other side of the planet. You can send and receive money without even taking out your wallet. You can post content online and share it effortlessly with millions of people. All these things that are part of our daily lives today weren't even imagined just a few decades ago. Unfortunately, the same technology that enables all this new freedom and convenience also exposes us to new security threats that we've never encountered before. Malware that infects your computer and watches everything you do. Phishing scams that steal private information. For millions of people, today's digital world is a criminal's playground. It makes the process of stealing money or even stealing someone's entire identity way more efficient. That's why it's important to have at least a basic understanding of cyber security, because it's up to you to protect yourself. In this course, I'll show you some of the best ways to do that. This is not a high-level course for IT professionals or anything like that. These lectures are designed for everyday Internet users who may not be technology experts but still want to stay safe online. Very briefly, a bit about me and my background. I've been working with technology in one form or another for most of my life, and today I live a truly digital lifestyle. Professionally, I'm an entrepreneur.
I build digital media companies that rely 100% on the Internet, and I have to manage all the data security responsibilities that come along with that. And then personally, I use the Internet for all my communications, productivity, finance. In fact, I actually use a bank that has zero physical branches. They're a strictly online bank. So my entire lifestyle imposes a need for strong cybersecurity, and I think you can probably relate, even if you're not as deep into the digital world as I am. It's hard to avoid the Internet these days unless you live a disconnected life off the grid. And if you're taking this course, I assume that's not the case for you. So anyway, I've spent the last few years building a tight wall of security around myself, my businesses and my data, and in this course I'll teach you to do the same. More specifically, here are some of the things we'll cover. First, we'll talk about why security matters and acknowledge an important truth, and that is that you are a target of cyber criminals. Even if you're not a celebrity or Fortune 500 CEO, you are a target. Your data is valuable, and it's up to you to protect it. Then we'll look at some of the most common threats you need to watch out for, from malware to different types of social engineering. I think it's important to analyze the problem before you start trying to solve it, so we'll be sure to do just that. After that, we'll spend a few minutes getting you into the right mindset and reshaping your behavior and habits to keep you safe as you browse the Web. We'll discuss smartphone security, which is obviously very important these days. Almost everybody carries a smartphone, and that smartphone carries just about all of your personal information. And you don't want that to fall into the wrong hands. Of course, you know we have to talk about passwords. We'll talk about what makes a good password or a bad password, and we'll see an easy way to manage strong, secure passwords across all of your accounts.
Most people's passwords are really bad. And to illustrate that, I'm actually going to show you a list of the world's most commonly used passwords. And statistically speaking, around 10% of the students of this course will see at least one of their actual passwords on the screen, so that will be interesting. Next, we'll look at something called two-factor authentication, which is a simple but underused way to keep attackers out of your accounts, even if they get a hold of your passwords. Toward the end of the course, we'll talk about a sneaky method that attackers can use to gain unfettered access to your accounts without even knowing your passwords and, of course, how you can protect yourself against that. And finally, we'll talk about encryption, which is probably the single most effective method to ensure that your private data stays private. Again, this is a beginner-level course. These are technical topics, but I hope to walk you through everything in a way that's actionable and easy to understand. And if you have any trouble along the way, I'm always here for you. All you have to do is ask. By the end of this, you should feel very comfortable with the basics of personal data security, and you'll be well on your way to locking hackers, identity thieves and other cybercriminals out of your life once and for all. And by the way, thanks again for joining me in this course. I know there are a lot of other things you could be doing right now, so I promise I'll do everything I can to make it well worth your time. With that said, let's get straight in.
2. [Basics] Why Security Matters: I think it's safe to say the world has changed quite a lot over the last couple of decades. In fact, that's a pretty significant understatement. I don't know if you've ever thought about this, but we are actually living in the single greatest culture shift, at least since the Industrial Revolution and maybe ever, depending on how you look at it. Computers and the Internet are still relatively new things, but in their short life spans, they managed to turn our world completely upside down and change our way of life forever. Think about it. Nearly everything we do today revolves at least in part around technology. How we communicate with our friends, how we meet romantic partners, how we manage our money, how we make purchases, how we educate ourselves, how we do business. It's all powered by the Internet. The result is a world where people on every continent are connected with one another in an unprecedented way, and that is a beautiful thing. But this new world comes with some inherent risks. In the old days, security meant putting your money in a bank, putting a lock on your door and maybe installing an alarm system. You might store important documents in a safe deposit box or just a secure location at home, but that was really the extent of it for most people. Today, the world of convenience and endless data at your fingertips means that your money and sensitive information could just as easily be at the fingertips of someone else: a criminal, a hacker, an identity thief. And the damage often goes beyond your own money and reputation. When you fall victim to a cyber attack, you put your entire network of friends, family and colleagues at risk as well. At this point, it's important to acknowledge an important truth about security, and that is that you are a target. A lot of people neglect taking steps to protect themselves because they think, Why would somebody want to hack me? What are they going to do with my information?
Well, for starters, if you have any money to your name at all, there are plenty of tech-savvy criminals out there who would be very happy to take it from you. Beyond that, they could also steal your identity to run up charges on your credit cards, open new utility accounts, get medical treatment using your health insurance and a variety of other things that are undesirable, to say the least. And even if an attacker doesn't get access to your super sensitive information, for example, if they just managed to get into your social media accounts, they can still exploit your reputation and take advantage of the people who know you. So the bottom line is you don't have to be a celebrity or a politician or a corporate executive. You are already a target. That's why a basic understanding of cyber security is essential for anyone living and working in the modern world.
3. [Basics] The Importance Of Multi-Layer Security: There are a number of steps you can take to protect your data, but it's important to understand that nothing is ever 100% secure. Connections can be intercepted. Passwords can be guessed. Your best bet to dramatically reduce the risk of a breach is by putting multiple safeguards in place and using them in conjunction with one another. That way, if one fails, you've still got the others there to protect you. This is a concept called multi-layer security, and it's exactly what it sounds like. Your data is protected by multiple secure layers, and these layers come in various forms. The first and most important layer is your personal mindset and technology habits. You can actually save yourself a lot of headaches just by understanding how to use the Internet and how to browse the Web safely, which we will cover in the next section. Then we have passwords. This is the only layer of security that most people use, and as we'll see, it's also one of the least secure and most dangerous. Those who really care about their security have additional layers like two-factor authentication, encryption and virtual private networks. Don't worry if any of this sounds unfamiliar to you, that's okay. You'll learn how to use all of these tools later in the course. For now, though, I just want to emphasize the importance of multi-layer security. And to illustrate that, imagine this situation. I'm trying to access one of your accounts without your permission, and I managed to figure out your password. If your password is the only layer of security you're using, that's it. I'm in your account, and I can proceed to do whatever I want, including lock you out. However, if you do have another layer of security in place, such as two-factor authentication, where you have to confirm the login using your phone, then I won't be able to access your account, even though I do have your password. So again, the moral of the story is to always employ multiple layers of security, and we'll talk about exactly how to do that as we move forward.
4. [Basics] The Most Common Security Threats: Cybercriminals use a wide variety of tactics to get into your accounts and steal your data. Computer software has a lot of moving parts, a lot of variables, so often hackers will find and exploit software vulnerabilities to access your systems, basically breaking in through some sort of flaw in the software's code. But as time goes on, technology is getting more secure and security is becoming more of a priority to manufacturers and developers. So there are also a lot of cases where these guys employ social engineering tactics to manipulate people and their behavior rather than trying to break into the systems themselves. So those are the two approaches, basically, and we can break those approaches down into some more specific threats that we see in the world today. So that's what I'd like to do with this lecture. Let's spend a few minutes getting acquainted with some of the most common security threats that you should be aware of. First, we have malware, which is what most people tend to think of when they think of computer security. Malware is an umbrella term that refers to many different types of malicious software: viruses, worms, Trojan horses, ransomware, spyware, adware. These are all programs that are intended to do malicious things to your computer, from destroying data to spying on you, or sending spam to your contacts, things of that nature. And they can also make your computer difficult or even impossible to use. To be a little more specific, let's take a look at a few common types of malware. First, we have what's known as spyware, which is exactly what it sounds like: a malicious program that monitors your activities and sends information about you to some third party. This information can include user names, passwords, Web browsing habits, the applications you use and what you do with them. The sky's the limit, and that's very bad for obvious reasons.
Then we have adware, which hijacks your system and inundates you with lots of obtrusive pop-up ads. This is kind of the stereotypical virus that we see portrayed in TV and movies, right, and you may have experienced this yourself. It's pretty common. It makes your computer really difficult to use because ads are popping up all over the place, and it's just incredibly annoying and also dangerous. As a third example, we have ransomware, which has become increasingly common over the last few years. What ransomware does is it locks you out of your computer completely, and it demands some kind of payment before it will grant you access. It's very dangerous, and as a piece of advice, you should never pay up if you find yourself in that situation, because number one, you're giving the attacker exactly what they want, and number two, there's no guarantee that they'll actually let you in. In fact, the more likely scenario is that they'll continue to extort you for money. So as you can see, malware is no joke. It could be extremely dangerous not only to your computer itself, but to your money and your identity as well. The good news is there are some very effective ways to avoid the vast majority of malware threats, and we'll talk about those. But remember, there's another category of threat that you should be aware of, and that is social engineering. Like malware, social engineering is kind of an umbrella term. It's defined as psychological manipulation of people into performing actions or divulging confidential information. This stuff has been around for a long time, much longer than the Internet. But computers and the Internet have made it much easier for criminals to exploit a large number of people with social engineering tactics. So what are some examples? Well, the first one, and you may be familiar with this, is phishing. That's fishing with a "ph".
Phishing is where a criminal uses a fake website to deceive you into thinking you're on the website of a company or organization that you trust, like your email or online banking system. They recreate the website you expect to see, so everything looks exactly the same. And then they get you to open the site, often by sending you an official-looking email, asking you to click a link to verify some information or something like that. You click the link, but it doesn't open the official site. It opens the fake site, and so when you enter your information, say you enter your user name and password to log in, it doesn't actually log you in. It simply sends that information to a third party who can then use it to access your account. Another tactic a cyber criminal could use, if they can get into your Facebook account, for example, is to exploit your friends and family by reaching out and asking for money. If they look through your message history with the people you talk to frequently, they could do a decent enough job at impersonating you and staging some kind of crisis to get the people who care about you to send money to help you out. Though of course, the money goes straight to the attacker, leaving you to clean up the mess. One more scenario that happens a lot: an attacker calls random numbers at a company claiming to be calling back from technical support. Eventually, they find an employee with an actual problem, and the attacker will help them solve it and in the process, have the user give up information like their password, run a malware program or give the attacker remote access to the machine. As you can see, social engineering can be just as devastating to your security as malware, and often the two are used together in a dangerous combination. So these are the kinds of things you want to be aware of, and we'll spend the rest of this course talking about how to protect yourself from these and other security threats.
5. [Habits] Developing The Right Mindset And Habits For Good Security: There are a number of technical ways to secure your data, and we'll cover those in detail. But it's important not to overlook what is arguably the most effective security precaution you can take, and that is a mindset shift. As we've established, you are a target, and realizing that is a crucial first step because it gives you the awareness you need to start protecting yourself. Now remember, we discussed the importance of multi-layer security, and the first layer of your security comes from your own behavior and habits. That's what we'll cover in this section of the course: how to optimize your behavior and develop habits that will help to keep you and your data secure.
6. [Habits] The Importance Of Skepticism: The realization that cybercriminals are out there and that you are actually a potential target should open your eyes a little bit and make you more aware of your surroundings, so to speak, your digital surroundings. It's like if you've ever travelled to a tourist destination and been warned that there are a lot of pickpockets in the area, so you need to keep a close eye on your belongings so they don't get stolen. As soon as you hear that warning, you experience a certain mindset shift. You're suddenly far less trusting of the people around you, and cybersecurity requires a very similar mindset. I don't mean to be a total buzzkill here. I always try to see the best in people in day-to-day life, but when it comes to security, it's not a good idea to trust anyone too much. So what does that mean in practice? Well, it really comes down to giving everything a second thought. When you get an email or a phone call or message of some kind, just take a second to question the motivations of the person on the other side. You don't have to confront anyone. You could do this privately, but just consider the possibility that someone is trying to deceive you. So as an example, if you receive an email from a Nigerian prince or other royalty who wants to send you money, it's probably a good idea to consider how implausible that actually is. The Nigerian prince thing may make some of you laugh because it's so common. It's almost a cliche at this point, but some of you may be hearing about this for the first time. Basically, you get an email from someone who claims to be a representative of a Nigerian prince who needs to transfer millions of dollars out of the country but can't use an African bank account for whatever reason and therefore needs your assistance. They don't explain why they chose you in particular, but they need your help.
They offer you a large sum of money to use your personal bank account to transfer the money out of the country. But first you have to open a Nigerian bank account with at least $100,000 in it, or something like that, to be a qualified recipient of the funds. They'll tell you where to send the money, you send it, and then you never hear from them again. It's a classic scam, and it comes in many forms. Sometimes it's a Nigerian prince. Other times you won some kind of foreign lottery. And yet other times somebody is claiming to be a distant relative who wants to send you inheritance money from someone who passed away. All scams, all completely bogus. Don't trust anyone who just jumps into your inbox and offers you unsolicited money. It's always, always, always a scam. Now, like I said, those with a little more Internet experience will be able to recognize these scams for what they are pretty easily. Most of us understand that we're not gonna be handpicked to move money for a Nigerian prince, and we're not gonna magically win a foreign lottery that we've never played. But things get a little murky when an email appears to come from a company or institution that we know and trust. Banks are a good example. This is another classic Internet scam that's a little harder to detect if you don't have a trained eye. So let's say you get an email that looks like it's from your bank and says there's some kind of problem with your account, and they need to verify some information. Here's the thing. In general, legitimate financial institutions will never email you asking for information. There are rare exceptions, but generally that will never happen. It's almost always a scam. So what do you do? Well, first of all, don't click any links in an unexpected email that appears to be from your bank, because it could very well be a fake link to a fake site that's just going to steal your information. You also don't want to reply if they ask you to reply via email.
That's a huge red flag, because banks never want to handle account information over an unsecured channel like email. If you think there's any chance the message could be legit, there are two things you can do. First, open your Web browser and go directly to your bank's official website without clicking any links in the email. Then sign in and see if there's a corresponding message in your bank's secure message system. The other thing you can do is call your bank using their official customer service number. They will be able to tell you for sure if the message you received is indeed real. So we've gone pretty deep into a couple of examples, and I do hope they've been helpful. But the real point here isn't about Nigerian royalty or bank emails. It's about not being too trusting. If it sounds too good to be true, it probably is. But even more mundane things like bank emails can pose serious risks. What I want to encourage here is a healthy dose of skepticism. You have to understand that there are people out there who have a motive to deceive you. That's why it's so important to be aware of the threats and question everything.
7. [Habits] Avoiding Malicious Sites And Applications: One of the great things about the Internet is that it has totally democratized media and publishing. And today just about anyone could go online and distribute content, whether that be through articles, images and videos or through software and applications. But, and you probably know where I'm going with this, because anyone can publish and distribute things online, there are a lot of bad guys publishing and distributing things online. It's hard to avoid this. When a technology offers certain freedoms, those freedoms apply to all of us, even those who may use them for nefarious purposes. So there are a lot of dangerous things online: websites that will try to scam you, programs and applications that will install malware on your system. And that brings us to the main point of this lecture. Remember, we said that your mindset is kind of your first layer of security, and that holds especially true here. When you're using the Internet, whether you're just browsing the Web or installing applications on your device, you want to maintain the same level of skepticism that we talked about in the previous lecture. This is really just a matter of considering the source. Before you hang out for too long or provide any personal information to a website, you should probably have at least a general trust for the website. And look, I know this is a little subjective, but I think you'll find it valuable once you start training your eyes to recognize certain red flags that indicate you may be hanging out in an unsafe area of the Web. So let's talk about how to do that. First and foremost, a little common sense goes a long way. If you're trying to do shady things on the Internet, you're going to come across shady websites and shady programs and shady people. That's just the way it is. If you want to avoid that, I would suggest staying away from those kinds of shady activities. I'm not gonna list examples.
I think you probably know the kinds of things I'm talking about. The fact is, you're playing with fire, and if you get burned, well, unfortunately, that is a consequence of playing with fire. So, like I said, just use common sense. Be smart and try not to venture into those darker areas of the Web. So assuming you're not doing anything shady, how do you know if you can trust a website? Well, honestly, your first impression will tell you a lot. When you land on a site, take a look at the design and assess the user experience. Is it easy to read and navigate, or is it a total pain? Websites that are kind of fly-by-night operations generally don't put that much effort into delivering a good user experience. So if the page looks like it's straight out of the nineties and you've got all kinds of pop-up ads in your face, that's an indication that at the very least that website doesn't have your best interest at heart. It may just be a bad website, but it could also be something a little more sinister. So be aware of the design. Be aware of the user experience. The next thing you can check is the site's SSL certificate, if it has one. Now, this is a technical topic, but it's pretty easy to check, even if you're not tech-savvy, and I'll try to explain it in layman's terms. So whenever you visit a website and you look up at the address bar and it says https instead of just http and there's also a little green padlock, what that means is the site is using what's known as the SSL encryption protocol to protect your data while it's moving between your computer and their Web server. The best way to understand SSL encryption is to picture a tunnel going from your computer to the secure website. Any information you submit to a secure https website will be protected by that tunnel. So if it's intercepted by a third party somewhere between you and the website, that third party won't be able to get into that tunnel and see your data.
It will be encrypted. Now, just to be clear, if you're submitting information to a website, that website is still going to be able to see it. But SSL encryption keeps you safe from third-party attackers who aren't associated with you or the website. With that caveat in mind, seeing https in your address bar is generally a good sign for the trustworthiness of the website itself because it shows they've gone out of their way to give their users that extra security benefit. However, that's not a perfect litmus test. Anyone can obtain an SSL certificate and convert their site to https. I've done it myself many times, and honestly, it can take as little as 15 minutes if the Web developer knows what they're doing. The good thing is websites run by large companies and banks will often put one more security measure in place to verify that they are who they say they are. And this is integrated right into that SSL certificate. So when you're on a site like that, you'll see https. You'll see that it's secure, but you'll also see the name of the company or organization that runs the site. So if you see that, you know you're dealing with the official website of that particular company. The next thing is pretty simple. If you're not sure you could trust the website, grab the name of the site and run a Google search on it. See what results come up, see if it appears to be reputable, and if a lot of other people seem to trust it, you're probably in the clear. If you can't find any information about it or if it's gotten a lot of questionable attention, it might be safer to walk away. The same kinds of principles apply when you're installing software on your devices. Whether you're using a PC or a smartphone or tablet, be very careful not to download any software or applications that could contain malware. Again, it comes down to considering the source.
If you're installing a program on your computer, make sure to get it directly from the developer's official website or the official app store for your device. It's pretty common for attackers to distribute unofficial copies of popular programs and rig them to include malware in the installation. You don't want that to happen, so always be sure to go straight to the original source. That also rules out piracy, which, besides being illegal, is also quite dangerous to you personally because many illicit software distributions will contain some type of malware. So you have to be careful about that as well. Now, assuming you're getting a program or application from the original source, if you're not familiar with the developer already and this is some kind of software that you've never heard of, it's a good idea to just do a minute or two of research to make sure everything is on the up and up. If you just found the program in some random corner of the Internet, do a Google search and make sure the software is safe and you're downloading it from the right place. If you're downloading from a marketplace like the Google Play Store or the Windows or Apple app stores, take a second to browse the reviews and make sure that other people are happy with the software as well. So those are some tips to keep in mind to help you steer clear of anything online that may pose a risk to your security. Like I said, it's all about having a skeptical mindset and considering the source of websites and applications before you use them. And really, just being aware of these things is gonna make you much safer than the general population.
8. [Habits] Why Software Updates Matter: One of the easiest ways to improve your data security that's commonly overlooked is by keeping your software up to date. And when I say software, I mean all of your software: your core operating system, which would be Windows, macOS, Android, iOS, whatever you happen to use, and then all the programs and apps that you use as well. And don't forget about the other Internet-connected devices in your home: modems, routers, smart TVs, smart thermostats. Anything that's connected to the Internet needs to be updated regularly. And as we saw earlier, attackers are always looking for flaws and vulnerabilities in software that they can use to infect your system with malware. Software developers stay on the lookout for these vulnerabilities as well, and they periodically roll out security updates to patch them when they're discovered. So those nagging updates you've been putting off, and let's be honest, we all do it, but those updates in many cases are there to keep you safe, and it's in your interest to stay on top of them and make sure that they get installed when they're released. Also, it's worth noting that if you are using an ancient operating system like Windows XP, for example, you're not getting security updates anymore, and that is not good. So I hate to be the one to break the news, but it is time to upgrade. That may mean installing a newer operating system on your existing computer. But if it's that old, the more likely scenario is that you'll probably need to replace your computer altogether. Unfortunately, companies only provide security updates and support on older systems for so long. And once that window closes, you are exposed to any number of future attacks that may be targeted at your particular operating system. So again, it's extremely important to keep your software up to date to make sure your devices stay free of any critical vulnerabilities. It's well worth the few minutes you may have to spend waiting. And hey, pro tip: let your updates run at night while you're sleeping, so you don't have to wait at all.
9. [Habits] Knowing (And Limiting) Yourself: So we've established that I am all about multi-layer security: having multiple safeguards in place so that if one fails, you still have others there to protect you. And I believe that the first and arguably most important layer of security is your own behavior. However, where one layer fails, you can put another layer in place to compensate, and here I need you to exercise a little bit of self-awareness. Let's say you're not the most tech-savvy user, and you have a bit of a history of getting infected with malware. If you think the tips we've covered so far in this section will help you improve on that, then definitely go ahead and put them into action. But if you're the same non-tech-savvy user, and you don't really feel comfortable trusting your own tendencies with technology, there is a technical safeguard we can implement, at least if you're using a Windows PC, and that is, instead of using an administrator account on your computer, you can switch yourself over to a limited user account. When a malicious program accesses your system, it has the same capabilities as the user account that was used to install it. So if you're using an administrator account and you download a virus, that virus will be able to change anything and everything on your system. But if the same virus is downloaded by a limited user, it's essentially crippled and unable to do many of the harmful things that it could do with administrator rights. This is a surprisingly effective way to protect yourself. In fact, a study conducted by Manchester security firm Avecto found that 92% of all vulnerabilities reported by Microsoft with a critical severity rating could be mitigated simply by removing a user's admin rights. Now again, this is specifically for Windows, which is where you're going to see the most problems with malware anyway.
So if you're a Windows user and you'd like to start using a standard limited user account, you can open up Control Panel. Click on User Accounts, click it again, then click Manage another account. At the bottom, there's a link to Add a new user in PC settings. Click that, and when the screen appears, click Add someone else to this PC, then follow the on-screen instructions to create a new account. By default, this new account will be a standard user with limited privileges. And from now on, you can sign into your PC with that account instead. And that will protect you from the vast majority of malware threats. Now, of course, you could still sign into your administrator account when you need to make changes. But for your day-to-day Web browsing and stuff like that, you'll be much safer using an account with standard privileges.
10. [Smartphones] Why Mobile Security Matters: As we've seen, the world has changed dramatically over the last couple of decades and we're more dependent on technology than we've ever been. I think the best evidence of this is the fact that nearly everyone carries a small computer around with them everywhere they go. Seriously, smartphones have taken over the world. We use them for just about everything, and that's why it's so important to keep your mobile devices secure. They are a window into every part of your life: your social life, your financial life, everything. Think about it. If I'm a cyber criminal and you give me unfettered access to your smartphone, I can learn just about anything about you. I can steal your private data. I can take your money. I can use social engineering tactics to exploit your friends and family to get more information and more money. For example, if I can get into your banking app on your phone, I can initiate a wire transfer and completely drain your account. And once I've done that, I can go to your text messages or Facebook Messenger or WhatsApp or whatever you use for communication and contact someone who cares about you. I can look back at your message history to get a feel for the way you typically interact with this person and what you would say to them. And then all I have to do is impersonate you long enough to tell them that you're in some kind of trouble and you need money fast. And before you know it, that money is in my account. Or let's say you work for a big company and I'm one of your competitors, and I happen to know that you use your phone for business correspondence. I could potentially get my hands on trade secrets and other proprietary information just by taking a look at your phone. Those were just a couple of examples.
There are a lot of bad things that could happen in that situation, but all of that can be avoided by properly securing your mobile devices, and in this section we'll go over exactly what that entails.
11. [Smartphones] Setting Up A Passcode Lock: First and foremost, from a security standpoint, using a passcode lock on your mobile device is absolutely mandatory. You never know when you're gonna leave your phone somewhere by accident. And ultimately, no matter how careful and protective you are, there's no guarantee that it won't eventually be stolen. If you use a passcode lock, you don't have to worry about unauthorized access. Your data will always be protected. Now, what I'm gonna recommend next is a little inconvenient, but it will make you more secure. And that is: instead of using a simple four-digit numeric passcode, use a complex password that includes letters, numbers and maybe even symbols. Short numeric passwords are pretty easy to guess, and it's even easier for someone to just look over your shoulder and memorize the numbers you type in. With a long, complex password, it's much more difficult. You can also use a biometric authentication system like a fingerprint scanner, if your device has one. That makes it easy to bypass the passcode entry screen in many cases, and biometric data like your fingerprint is not easy to replicate, so it should be just as secure in most cases. Some third-party apps that handle private information, such as banking and budgeting apps, will give you the option to set a separate passcode or require a fingerprint scan to access them even when your device itself is already unlocked. This is another great example of multi-layer security. Even if someone manages to get into your phone, they won't be able to access your bank account if your bank app is protected by a different passcode. Now, of course, the key here is to use a different passcode for this second layer. If you use the same passcode, you're not really adding much extra security. So to summarize, enable a passcode lock on your smartphone.
Use a complex password, use biometrics if you wish, and protect private applications like your banking app with a separate passcode. These are some of the simplest but most effective ways to keep your data safe from thieves and other prying eyes.
12. [Smartphones] Managing Third-Party App Permissions: Many of the things you do with your smartphone are made possible by third-party apps. And as we discussed earlier, it's always a good idea to vet an application before you install it on your device, and you should only ever install apps from the official app store. But even after a particular app has passed your tests and you've installed it, it may ask for permission to do certain things or to access certain data. And it's up to you to decide whether to grant those permissions. If you've installed an app, hopefully that means you've established that it's reputable enough, and now you just have to gauge whether each of the permissions it asks for is necessary for the functionality of the app. For example, a photo editing app is going to need access to your photos and camera. Otherwise it won't be able to do what it's intended to do. But if a calculator app wants to access your location data and your contacts, you should probably think twice about that. The nice thing about these permissions is that you can grant all of them, some of them or none at all. And if you change your mind about anything in the future, you can always manage your privacy and app permissions in the main settings of your device. The moral of the story here is simple. Don't grant permissions to an app if you're not 100% comfortable with that app having access to that particular data.
13. [Smartphones] Locating A Lost Or Stolen Smartphone: If your smartphone or tablet is ever lost or stolen, you're gonna want to get it back. And the easiest way to do that is by preparing in advance and setting up a remote device locator such as Find My iPhone on iOS or Find My Device on Android. These systems use GPS to show you the exact location of your device at any moment, so if you just left it somewhere, you can easily go and pick it up. Or, if it's been stolen, you can hand the location over to the police so they can find the perp. Also, if your phone has been stolen and you're worried about someone accessing your information, these systems also offer a remote wipe feature. So if you've given up on recovery, you can erase all the data on your device so no one else will be able to extract it. This is a super important feature. It doesn't take long to set up, and if you're ever in a situation where you don't know where your phone is, you'll be really glad you did.
14. [Passwords] The Importance Of Password Security: When it comes to securing your accounts for the various websites, apps and services you use, your password is your first and most important line of defense. In fact, your password is often the only thing protecting you from attackers. But if you're like most people, you probably don't treat passwords all that seriously. And to some degree, that's understandable because most people don't see themselves as targets. But once you realize that you are a target, you'll see why passwords matter so much. Most people use the same password for all of their accounts, which is a very bad idea. And as we'll see in the next lecture, there are a small handful of passwords that make up as much as 10% of all passwords, meaning some students of this course will see their actual passwords on the screen in the next lecture. Later in this section, we'll talk about what makes a good password and how you can create and manage extremely secure and unique passwords for all of your accounts without having to remember any of them. The net result is that your accounts will be virtually untouchable to the vast majority of attackers out there. Let's get into it, shall we?
15. [Passwords] The 25 Most Common Passwords: This lecture is fascinating to me, but it's also a little chilling. What you're about to see is a list of the 25 most commonly used passwords. Before we show it, though, I want to talk about where this data comes from. Normally, outside research firms don't have access to people's passwords because they're encrypted and reputable companies would never give away that information. But occasionally there's a data breach where a hacker breaks into a company's servers and manages to expose a large number of user passwords. Internet security firm SplashData keeps tabs on these data breaches and looks through millions upon millions of leaked passwords. And the company uses that data to compile a list of the 25 most common passwords every year. These 25 passwords accounted for more than 10% of all the surveyed passwords, meaning that statistically speaking, dozens or perhaps hundreds of students of this course will see their actual passwords on the screen in this lecture. It is important to mention, though, that this data comes primarily from North American and Western European users. So if you live outside of those areas, the most common passwords for your country will be a bit different, though I imagine there is some overlap. So without further ado, let's take a look at the 25 most common passwords. First, we have 123456, and we have password, 12345, 12345678, football, qwerty, which is the first six letters on the top row of the keyboard, 1234567890, 1234567. People really seem to like these simple numeric passwords. Then we have princess, 1234, login, welcome, solo, abc123, admin. I imagine that's a default password in a lot of corporate environments. 121212, flower, password with a zero replacing the o, dragon, sunshine, master, hottie, loveme, zaq1zaq1. And if you're wondering about that one, those letters are positioned over on the left side of the keyboard, right on top of each other. And then password1.
So I have to ask, do any of these look familiar? I know there are probably two camps here. Some of you are probably laughing, and some of you are probably panicking. If your password is on this list, it would be wise to change it as soon as possible because you are essentially a sitting duck. If yours isn't on this list, that's good. But that doesn't necessarily mean you're in the clear. A few years ago, Google conducted a survey of 2000 people to learn about their methods for choosing account passwords. The results showed that most people tend to choose passwords based on easily accessible information, things like pet names, anniversaries, birthdays, your child's name, your birthplace, your favorite sports team or the name of your significant other. All of these categories are inherently dangerous because it's not that hard for someone to get a hold of that information and simply guess your password. In the next lecture, we'll talk about what exactly makes a good password so you can implement the best practices to keep your accounts secure.
16. [Passwords] Best Practices For Strong Password Security: The main purpose of a password is user authentication. It's basically a way for you to prove that you are who you claim to be and that you have the right to access what you're trying to access. If a password is easy to guess, like the ones we saw in the last lecture, it kind of defeats the purpose, right? Because if your password is password, anyone can guess that, so it fails at its only job, which is authenticating your identity. Unfortunately, it's not as simple as using an uncommon word or phrase, either. Even if your password is hard for a human being to guess, it may still be susceptible to what's known as a brute force attack. This is where an attacker uses a special computer program to systematically try a huge number of potential passwords until one finally works. The system calculates every possible combination that could make up a password and tests combination after combination over and over and over again until it finds the correct password. I should mention here that no password is completely safe from a brute force attack. Given enough time and enough computing resources, any password can eventually be cracked by brute force. The key is to use a password that's long enough and complex enough that it couldn't be cracked in any reasonable amount of time. As the length of your password increases, the amount of time it would take a brute force script to crack it increases exponentially, so you want your passwords to be long, ideally 12 characters or more. But you also want them to be complex. And when I say complex, I mean they should contain a mix of capital and lowercase letters, numbers and symbols. That just adds another layer of complexity that makes your password more difficult to crack. It's also a good idea to avoid using a dictionary word or a simple combination of dictionary words, so you probably understand that cat would be a bad password.
But passwords like black cat or cat in the hat wouldn't be much better because they're still pretty obvious combinations. In an ideal world, your passwords would look something like this: a long, random string of letters, numbers and symbols that mean absolutely nothing and, as a result, are almost impossible to guess. The problem is, as an imperfect human being without a photographic memory, remembering this password is going to be problematic, to say the least. However, as we'll see in the next lecture, you don't actually have to remember all your passwords if you use a password manager, which is something I highly recommend. But before we get to that, let's think about how we could come up with a password that not only meets our criteria of length and complexity but is also memorable. One of the best tricks you can use to create such a password is by coming up with a mnemonic device of one or more sentences and then compressing that into a password. For example, let's say our sentence is: my college major was computer science, and my roommate in room 214 was Jeff. If this is something you could remember, you could easily turn it into a password like this: capital M, c, m, w, c, s, comma, a, m, r, i, r, 214, w, capital J, period. That's 18 characters, including two capital letters, three numbers and two symbols, and when you look at it, it doesn't mean anything, so it's not something anyone would guess, but it's still easy for you to remember, because all you really have to do is memorize one sentence. That's easy enough, right? The next thing to keep in mind is that once you've come up with a password, you should really keep it to yourself. This may sound obvious, but multiple studies have found time and time again that more than half of all consumers share their login credentials with other people. Please don't do that. It's never worth the risk.
Another common mistake is writing passwords down, for example, writing your password on a sticky note and keeping it on your computer monitor in case you forget it. Bad idea. Just memorize your password. If you really don't trust your memory and feel you need to keep a hard copy somewhere just in case, keep it in a secure location, like a safe in your home or safe deposit box at a bank. And finally, aside from making your passwords long and complex, you never want to use the same password for more than one account. For example, your Facebook password should be different from your email password, which should be different from your online banking password and so on and so forth. The logic here is that if one of your accounts gets compromised, the others will be safe and sound as long as they have different passwords. But if you use the same password everywhere, attackers can get into all of your accounts with a single password, and that could be really, really bad. So make sure you never reuse a password. By the way, you've probably heard this advice before. But if you're like most people, you don't follow it because it just seems impractical. Even if you use the mnemonic device trick we talked about, it's not easy to remember a dozen or more unique passwords, and that's OK. I get it. We're all human. We have limitations. That's why I advocate using a password manager to generate and store secure passwords for all of your accounts so you don't have to remember any of them. That's the subject of our next lecture, and I think you'll be pleasantly surprised by just how easy it is to manage your security with a password manager.
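
The effect of length and character mix on brute-force time described in lecture 16, worked through as an added example (it is not part of the course). The function names and the guess rate of 10 billion per second are assumptions made for illustration; the common-password list is the one read out in lecture 15, and the sample password is the one built from the lecture's mnemonic sentence.

```python
import math
import string

# The 25 most common passwords read out in lecture 15.
COMMON_PASSWORDS = {
    "123456", "password", "12345", "12345678", "football", "qwerty",
    "1234567890", "1234567", "princess", "1234", "login", "welcome",
    "solo", "abc123", "admin", "121212", "flower", "passw0rd", "dragon",
    "sunshine", "master", "hottie", "loveme", "zaq1zaq1", "password1",
}

# Assumption for illustration: an attacker testing 10 billion guesses/second.
ASSUMED_GUESSES_PER_SECOND = 10_000_000_000
SECONDS_PER_YEAR = 365.25 * 24 * 3600

# Size of each character class an attacker has to include in the search.
# "symbol" covers ASCII punctuation plus the space character.
CLASS_SIZES = {"lower": 26, "upper": 26, "digit": 10, "symbol": 33}


def alphabet_size(password):
    """Number of candidate characters per position, from the classes used."""
    classes = set()
    for ch in password:
        if ch in string.ascii_lowercase:
            classes.add("lower")
        elif ch in string.ascii_uppercase:
            classes.add("upper")
        elif ch in string.digits:
            classes.add("digit")
        else:
            classes.add("symbol")
    return sum(CLASS_SIZES[name] for name in classes)


def is_common(password):
    """True if the password (ignoring case) is on the lecture's top-25 list."""
    return password.lower() in COMMON_PASSWORDS


def keyspace_bits(password):
    """log2 of the number of combinations a brute-force search must cover."""
    if not password:
        return 0.0
    return len(password) * math.log2(alphabet_size(password))


def years_to_exhaust(password, guesses_per_second=ASSUMED_GUESSES_PER_SECOND):
    """Years to try every combination of this length and character mix.

    This is an upper bound that treats the password as random. A listed
    password falls on the first guesses, and dictionary words or obvious
    word combinations fall far sooner than the figure returned here.
    """
    if is_common(password):
        return 0.0
    combinations = alphabet_size(password) ** len(password)
    return combinations / guesses_per_second / SECONDS_PER_YEAR


if __name__ == "__main__":
    # Constructed sample inputs; the last one is the lecture's mnemonic result.
    for sample in ["qwerty", "cat", "abcdefgh", "abcdefghi", "McmWcs,amrir214wJ."]:
        print(f"{sample!r:24} common={is_common(sample)!s:5} "
              f"bits={keyspace_bits(sample):6.1f} "
              f"years={years_to_exhaust(sample):.3g}")
```

Adding one lowercase letter to an all-lowercase password multiplies the search by 26, which is the exponential growth the lecture refers to.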
17. [Passwords] Using A Password Manager: As we've seen, the best passwords are long, complex and difficult to guess. Unfortunately, though, passwords that are difficult to guess are often equally difficult to remember. So what are we to do? The solution is actually quite simple. By far the best way to create, store and manage unique and highly secure passwords for all of your accounts is by using a password manager. A password manager is a service that generates secure passwords for you and then stores them in a secure, encrypted database. Then, as you go about your day-to-day life, you can retrieve those passwords with the option of having them auto-filled in your browser. So you get all the benefits of secure passwords without actually having to remember any of them. Password managers generally provide browser extensions and standalone apps that you can use on all your devices so you have all your passwords at your disposal wherever you are, and they're all protected by a single master password. So you remember one password and your password manager remembers the rest. Now it's worth mentioning that because you're using one password to protect all of your other passwords, it's crucial that you use a secure master password. So I recommend using the mnemonic device trick from the previous lecture to come up with something good and using that as your master password. So what are your options when it comes to password managers? There are many different services out there, but these are three of the most popular: LastPass, Dashlane and 1Password. They all offer more or less the same thing. There are advantages to each one, and you can feel free to do some research and make your own decision. But the service I'm going to demonstrate and recommend in this course is LastPass. LastPass is kind of an industry leader. It's trusted and endorsed by security experts all over the world, and it's completely free to use on all your devices.
I've been using it myself for years, and as someone who has accounts on probably hundreds of different websites and services, it has been absolutely life changing. So we'll spend the rest of this lecture going through the process of setting up LastPass so you can start using it right away. If you decide you'd rather use a different password manager like Dashlane, that's fine, too, and I think you'll find the functionality is quite similar. So to get started with LastPass, the first thing you want to do is head over to lastpass.com and click Get LastPass Free. What happens next depends on what device you're using. If you're on a desktop, you'll be prompted to install the LastPass browser extension, which we'll go ahead and do. If you're on a smartphone or tablet, it'll ask you to install the mobile app, but the process after that looks mostly the same. Once the extension is installed, you'll notice a new LastPass icon in your browser toolbar, and it should open up this registration page where you can start creating your account. So we'll enter an email address, accept the terms and click Create Account, and then on this page, we need to create a master password. Again, this is the password that protects all of your other passwords, so it needs to be good. Remember the mnemonic device method we used in the previous lecture? We came up with the example: my college major was computer science and my roommate in room 214 was Jeff, which translates to capital M, c, m, w, c, s, comma, a, m, r, i, r, 214, w, capital J, period. Try to come up with something at least as complex as this. It's 18 characters, contains two capital letters, two symbols, three numbers, and it's not easily decipherable, even though it's something you can remember pretty easily. So we'll go ahead and re-enter the password in the next field here, and then we can create a password reminder.
This is a short phrase that will help you remember your password if you ever forget it, because there's no way to recover a LastPass password if you can't remember it. So if you think there's any chance you may forget, I recommend filling this in with something. Now it's important to note that this reminder could be seen by anyone who's trying to log into your account, whether it's you or someone else who is trying to guess your password. So whatever you enter here should be enough to remind you what your password is while still being vague enough that it won't give your password away to an attacker. For this example, I think the word college would be enough to jog my memory. So that's what I'll use. Once you're satisfied with your password and your reminder, you can go ahead and click Unlock My Vault. Your account will be created, and if you click the LastPass icon in your toolbar, you'll be able to log in and access your vault. So here it is. This is your LastPass vault. This is where everything is stored, and this is what the main interface looks like. The first screen you see here is Sites. It's empty right now, but once you start saving your credentials for different sites, you'll start to see those sites listed here. As you can see on the left side, we also have Secure Notes, which you can use to securely store just about anything: bank information, credit card numbers, WiFi passwords, even things like insurance information and passports. It's really handy to have that stuff on hand when you need it, and it's all fully encrypted and can't be accessed without your master password. We also have Form Fills, which is basically a more secure version of what your Web browser already does. It allows you to store credit cards, addresses, contact details, things like that, and then auto-fill that information into a form when you're doing things like shopping online. There's also a Sharing Center where you can securely share passwords with other people.
If you need to, say, for business accounts you need to share with colleagues or a Netflix account you share with your friends. This is just a better way of allowing people to access individual passwords without sending them over email or SMS or something like that. And finally, we have a Security Challenge, which analyzes the strength of all the passwords in your vault and gives you a percentage-based score that represents how good your security is as far as passwords go. I definitely recommend exploring all this stuff, but for the purposes of this lecture, we're mostly concerned about passwords. So how do you actually use LastPass on a day-to-day basis for logging into accounts? First, we need to add our first site, and to do that, we'll go back to the Sites tab. If you want to add a site manually, that is, if you just want to type in all the information yourself, you can click this button here at the bottom. This is all the information that LastPass can store about a site for you. All that's required is a password, but filling out everything else here will make your life a lot easier. So first up is the URL. That's just the Web address of the site you want to add. LastPass uses that to determine when you're on a particular site, so it knows when to auto-fill the username and password. For this example, we'll use facebook.com as the URL. The Name field is completely optional. It just lets you give the site a custom name if you prefer something other than the URL. So we'll enter Facebook here. Next up is Folder. Once you start accumulating a ton of sites, it could be helpful to start grouping them into folders. For example, you might have a folder for work, one for social media, one for entertainment and so on. This is totally optional, too, but we'll go ahead and enter social media. Next, you have your username and password, which is pretty straightforward. Your username is whatever ID you use to log in.
So, like with Facebook, you log in with your email address, so you would enter your email address as the username field. And then, of course, enter your password as well. Notes are optional, and that's probably not something you'll use much. So we'll just skip over that for now. And before we save this, let's also expand the advanced settings down here and take a look at those. The first option down here is Require Password Reprompt. You might use this for especially sensitive sites or information. It just requires you to enter your master password again before you can access the password for this particular site, just to make sure it's you. The second option is auto login, which is really handy. If you check that box, when you visit this site, LastPass will not only auto-fill your information, but it will also submit the login form, so you'll be logged in automatically without having to type anything or click anything. It's just an instant login every time you visit this site. And then the third option here is disable auto-fill. That's exactly what it sounds like. If you check that, LastPass will still store your password for the site, but it won't fill in the login form automatically. So now if you click Save, that site will be added to your vault, as you can see here. And if we go ahead and visit the site, I'll show you how to get your password out of LastPass and into a website. It's very easy. You see the little LastPass icons in the login form. If you click one of those, you'll see any matching sites that you have saved in your LastPass vault. This is the one we just created, and if we click it, it fills both your username and your password into the form and you're ready to go. Okay, so we saw the process of adding a site manually. But LastPass can also add a site automatically after you either log in or sign up for an account somewhere. So first, let's log into an account just as we normally would, and you'll notice LastPass offers to
add that site for us. Super easy. As long as you confirm that, your password will be saved in LastPass and you don't have to do anything else. Now, of course, LastPass only increases your security if you're actually using unique secure passwords for all your accounts. If you're still using the same password for every site, it doesn't do you much good to store that password in LastPass 15 times. That's why I recommend generating your passwords through LastPass as well. When you're signing up for a new account, you'll see a little icon in the password field. If you click that, you can have LastPass generate a secure password and fill it in for you. Then, once you complete the sign-up process, it'll ask you if you want to add that site to LastPass. And just like that, you've created an extremely secure password that you never have to remember. You can also follow the exact same process to change one of your existing passwords to something more secure. And if you ever need to, you can generate a password from the LastPass menu in your toolbar and just copy and paste it somewhere. Using LastPass on a smartphone or tablet is a little more cumbersome, but it's still fairly intuitive, and it allows you to have all of your passwords and secure notes at your disposal at all times. So I highly recommend installing the LastPass app on your mobile devices. So from here on out, you can replace all your existing passwords with secure passwords that are much more difficult to crack, and you can let LastPass remember all of them for you. Your LastPass master password truly is the last password you'll ever have to remember.
18. [2FA] What Is Two-Factor Authentication?: In the last section, we dove deep into the world of passwords. We saw some pretty bad passwords, but we also talked about what makes a good password and how you can use a password manager to generate and store secure passwords for all of your accounts. If you follow the advice in that section, you will be light years ahead of most typical Web users when it comes to security. And that's fantastic. But we can still go a little bit further. Remember early in the course we talked about the importance of multi-layered security? Well, your passwords are one layer, and at this point they should be quite a strong layer. But again, no password is ever 100% secure. And even if you're careful, there's always a possibility that you could fall victim to a phishing scam where your password is stolen by a third party. But don't worry. In this section, we're going to talk about another layer of security that will lock attackers out of your accounts even if they manage to steal your passwords. This layer is called multi-factor authentication. It's a method of access control where a service grants you access only after you present multiple pieces of evidence that you are who you claim to be. This evidence comes in three forms. There's knowledge, which is something you know; possession, which is something you have; and inherence, which is something you are. In most cases, the knowledge factor is your password. It's something you know that hopefully no one else knows. An example of a possession factor would be your phone. So you enter your password and then your phone gives you a unique code that you have to enter to verify the login process. It just proves not only that you know your password, but that you're also in possession of that particular mobile device. And finally, inherence factors include biometric methods such as fingerprint readers, retinal scanners and facial recognition systems.
Multi-factor authentication includes any combination of two or more of these categories. But what I'd like to focus on in this section is a common two-factor authentication process where you combine your password with login verification on your mobile device. Most popular Web services these days offer two-factor authentication, and more and more services are adding support for it every day. Here's what it looks like in practice. You go to a website to log in, you enter your password and the website says, please enter the code that we sent to your phone. So you pick up your phone and you've got either a text message or a push notification containing a 4- to 6-digit code that you can then use to log in. That code is basically a second password that's generated on the fly and can only be used once. So even if an attacker gets ahold of your main password, they won't be able to access your account unless they also have access to your phone. I promise this is not as complicated as it may sound, and I highly recommend setting up two-factor authentication on any account that supports it. It does make logging in slightly less convenient, but I think the added protection is well worth the extra 5 to 10 seconds you'll spend entering a login code. In the next few lectures, we'll take a closer look at two-factor authentication, and you'll see exactly how to set it up on some of your favorite accounts.
19. [2FA] Types Of Mobile Two-Factor Authentication: There are a couple of different methods that services use to generate login codes for two-factor authentication. You'll have different options with different sites, so in this lecture we'll take a moment to get familiar with each of them. The first and most basic method is SMS, where a login code is sent to your phone number in a text message. SMS verification is pretty easy to set up, and it's generally your only option if you don't have a smartphone. But it's actually not the most secure option. There have been cases where attackers have used social engineering tactics to get phone carriers to redirect a person's text messages so they could break into their accounts and sidestep the whole two-step verification problem. With that said, SMS verification is offered as an option by many popular Web services, and it does add a strong layer of security to your accounts. The other method that's getting more and more popular is an authenticator app. This is an app that you install on your smartphone and link to any accounts that support it, and all it does is generate login codes, the same type of code you'd receive in a text message, but it's always generating them. Every 30 seconds, the old one expires and a new one appears. So when you need to log into one of your accounts, all you have to do is open that app and a code will be waiting for you there. Services that support authenticator apps generally support any third-party authenticator app. But one of the most popular choices, and the one I recommend, is Google Authenticator. Adding an account to your authenticator app is as simple as scanning a barcode. You just scan it with your camera and boom, you've got secure login codes whenever you need them. Some companies go a little bit further and use their own proprietary systems for login verification. Apple is a good example.
When you have two-factor authentication set up and you go to log in using your Apple ID on a new device, you'll get a push notification on your existing iPhone, iPad or Mac asking you to confirm the login. So those are the different options you have when it comes to two-factor authentication. If anything's unclear, don't worry. We'll take a closer look in the coming lectures.
20. [2FA] LastPass Two-Factor Authentication: If you set up a password manager such as LastPass and you're generating secure passwords and storing them all in your vault, you're much more secure in one sense because all of your passwords are unique and complex, which is super important. But there's also an inherent risk in using a single password to protect all of your other passwords, right? Because if an attacker gets their hands on your master password, they've got access to every single one of your passwords. Well, that's where two-factor authentication comes in, and your password manager should be the first place you enable it. That way, even if your master password is compromised somehow, all of the other passwords in your vault will be safe. Let's take a quick look at how you can enable two-factor authentication in LastPass. In a desktop browser, open up your vault and click Account Settings toward the bottom of the sidebar. At the top of this box, click over to the tab that says Multifactor Options. As you can see, there are quite a few different methods here that you can use. For this example, I just want to take a look at the first two: LastPass Authenticator and Google Authenticator. In my experience, LastPass Authenticator is the most convenient option available. Whenever you log into your LastPass account, it sends a push notification to your phone, and all you have to do is tap a button to verify the login. It's as simple as that. You don't even have to enter any codes. To set it up, click this edit icon over here and change the Enabled option to Yes. You'll need to re-enter your master password, and once you've done that, you have to enroll your device with LastPass Authenticator. Click Enroll and then follow the instructions on screen to install the app and connect your device. Now let's set up Google Authenticator.
As I mentioned earlier, Google Authenticator is universal and can be used for a wide variety of different accounts, including LastPass. So I figured now would be a good time to see it in action. You can start by installing the app on your mobile device. Just search the app store for Google Authenticator, and once you've done that, you can click the edit icon next to Google Authenticator in LastPass and then, next to where it says Barcode, click View. You'll have to verify your password, and then it will show you a barcode. In your authenticator app, tap the plus icon in the upper right corner to add a new site, then choose Scan Barcode. Then all you have to do is use your camera to scan the code, and it will start generating login codes that you can use to verify your identity. And you can follow the same process for other services that support Google Authenticator. It really is as simple as scanning that barcode. Also, once your app is set up, don't forget to enable Google Authenticator using this first drop-down box right here. So that's what two-factor authentication looks like in LastPass. If you enable both of those methods, next time you log into LastPass, you'll have the option of just tapping Verify in LastPass Authenticator or opening Google Authenticator and typing in the code that it gives you. Either way will work.
21. [2FA] Google Two-Factor Authentication: If you're like most people, your Google account is a big part of your life. It may have access to your credit card for shopping on Google Play, important documents in Google Drive, your email in Gmail, your videos on YouTube. A significant portion of your digital life is wrapped up in your Google account, and that's why it's so important to keep it secure. So you'll probably want to enable Google's two-step verification system. To do this, head over to your Google account security settings. Like LastPass, Google offers a few different options here, and it's a good idea to enable more than one just in case one fails or you don't have access to it. The first and simplest method is the Google prompt. To set this up, you just need to have the Google search app on your phone, and whenever you log in, it'll send you a push notification asking if you're trying to sign in. You just tap one button to verify it's you, and you're in. The second option is the Google Authenticator app. This works exactly the same as it does with LastPass: just enable it, scan the barcode, and you'll have login codes whenever you need them. Google can also send you codes by voice or text message. This is pretty straightforward as well. Just add your phone number, and then you can use a voice call or SMS instead of an app. And finally, Google also offers backup codes that you can use in the event that you don't have access to any of the other methods of verification. You can write these down or print them, but if you choose to do that, make sure you keep them in a secure location, and keep in mind you can only use each code once.
22. [2FA] Facebook Two-Factor Authentication: Facebook is another account you don't want to lose control over, and thankfully, it also offers several options for two-factor authentication. You can set this up by opening your settings and clicking over to the Security and Login tab. Locate the option to use two-factor authentication and click Edit. Here you'll see the various options you have to add another layer of security to your account. The two you'll most likely want to set up are Text Message and Code Generator. The text message option is the standard method where you receive a code by SMS, and the code generator is a feature where you can generate codes and verify logins right from within the Facebook mobile app. If you'd rather keep all your login codes in one place, you can also use Google Authenticator. Just click where it says to set up a third-party app, scan the barcode with Google Authenticator and enter the code it gives you to confirm. Pretty simple.
23. [2FA] Twitter Two-Factor Authentication: Twitter also offers multiple forms of two-factor authentication. To set it up, open your account settings and check the box that says Verify login requests. By default, this will enable SMS authentication, but you can also use Google Authenticator by clicking Set up a code generator app. As you've probably come to expect, you'll see a barcode that you can scan with your authenticator app, and then you just have to enter the code it generates for you and you're good to go. Once you've done that, you can also click this button to get a backup code that you can keep somewhere safe, just in case you ever lose access to your device.
24. [2FA] Two-Factor Authentication For Other Services: As you can see, the process of setting up two-factor authentication follows roughly the same protocol everywhere. It doesn't vary all that much. So with that in mind, you should feel comfortable digging into the settings of other services and setting up login verification on any of your accounts that support it. If you're short on time, I would recommend prioritizing your most important accounts, the ones where an attacker could do serious damage. For example, your email, your bank, payment services like PayPal, any account that has access to your credit card or bank information. Take a few minutes to set up two-factor authentication for all of these. I know it takes time, and I know it makes the login process a little less fluid. But if it prevents an attacker from getting into your accounts and stealing your money or your identity, it'll all be worth it. And just to reiterate a point I made earlier, if you have the option to use either SMS or an authenticator app as your second factor, I recommend using the authenticator app. Google Authenticator makes the process super simple, and it's a little more secure than SMS, so that's something to keep in mind. Either way, you're adding another layer of security on top of your already strong passwords, and you're making yourself a much more difficult target for cybercriminals.
25. [Connected Apps] The Danger Of Rogue Connected Apps: At this point in the course, we've covered most of the factors that people traditionally think of when it comes to security. But there are still some risks that often get overlooked, and I want to devote this section to one of them. Many of today's popular web services allow third-party developers to create interconnected apps using data from their platforms. For example, if you've ever logged into a website or app using your Facebook account or granted permission for an app to access your Google account, you know what I'm talking about. It looks something like this. Well, as you might imagine, authorizing certain applications to access your accounts introduces some security risks. For instance, if you've logged into an app with Google and given it full access to your Gmail account, it has the ability to read all of your emails. And not only that, it can also send emails on your behalf. Now, of course, if the app you're using is a third-party email client, it needs those permissions to function properly. There's no way around that. But if an app is requesting access to something you don't think it needs, the best answer is usually to deny those permissions. What makes these connected apps unique is that you authorize them once, and then they have lifetime access to your account forever without ever needing to access your password or your two-factor authentication method. They don't need anything, and they have access indefinitely. From the perspective of a cybercriminal, connected apps are a goldmine. They make it so much easier to infiltrate your accounts and steal your data because they no longer have to target you as an individual. They can just target your connected apps and get your information that way. So here's the thing. Your accounts are only as secure as the least secure app you've connected to them.
And when I say the least secure app, I'm not just talking about sketchy apps that clearly have bad intentions. Those are obviously bad, and you should try to avoid them. But even apps that are totally legit can pose a risk if their security isn't locked down, because if they get hacked, if an attacker accesses their server, that attacker will also have access to your data and your accounts. The solution is to be extremely choosy with the permissions you grant to third-party apps. You can usually grant permissions selectively so you don't have to provide access to your entire account. You can just give an app access to this, this, and this. In this section, we'll talk about how you can do that with a couple of popular web services, and we'll talk about how you can revoke any risky permissions you may have granted in the past.
26. [Connected Apps] Managing Connected Apps On Google: Let's first take a look at connected apps as they exist in Google's ecosystem. When an app wants to access your account, you'll see a prompt that looks something like this, detailing the exact permissions the app wants to access. It could be as little as your email address and basic profile info, which generally shouldn't be a problem, or as much as your entire Google account, including your email, your files, everything. Whenever you're signing into an app with your Google account and you see this screen, make it a habit to look over the permissions and determine whether they're necessary for what you're trying to do. If they are, you can go ahead and click Allow. But if anything makes you go, "Hold on a second, this seems excessive," you should probably think twice. The nice thing about these permissions is that you can revoke them at any time. If you open your Google account settings and click Connected apps & sites under the Sign-in & security section, you'll see a list of apps that have access to your account, and you can click Manage Apps to see more details. If you're like most people, you probably have quite a few apps listed here that you had no idea had access to your Google account. That's okay, though. We're gonna clean everything up. What I recommend you do first is just scroll through this list and see if there are any apps that you don't use at all or haven't used in a long time or don't recognize. Those should be the first to go. To deauthorize an app, simply click on it and then click Remove Access. Next, you'll want to look at the specific permissions that each app has access to. And again, if anything seems excessive, you can deauthorize it. When the permissions say things like basic account info, that's probably an app where you just use Google as a sign-in method rather than creating a username and password, and those are safe because they don't have access to your private data.
But anything that has full access to your Google account or your Gmail and Drive accounts is worth a second look. Another thing worth mentioning is that Google divides your apps into two sections, one for third-party apps and one for official trusted Google apps. If you see anything in the third-party section claiming to be an official Google app like Google Drive or Google Chrome, for example, it's probably a scam, and you should deauthorize it. Official Google apps will only show up in this bottom section. So that's how you can manage your connected apps in your Google account. If you have a lot of apps, it's definitely worth cleaning up a little, and you can always return to this page in the future to keep an eye on things and make changes as necessary.
27. [Connected Apps] Managing Connected Apps On Facebook: Facebook also has a huge ecosystem of connected apps. When you go to authorize one, it will look something like this. You've probably seen this on many occasions. The nice thing about Facebook's login process is that you can actually edit the info you provide. So if you think an app is requesting excessive permissions, you can trim them down a little bit so they only get access to what you feel is necessary. And like Google, Facebook offers an interface where you can manage the connected apps you've authorized in the past. To get there, open your settings and go to the Apps section. Again, you probably have more authorized apps than you realized, and it's worth giving this list a once-over just to make sure everything is in order. To see what information an app has access to, just click on it. And as with the login screen, you can edit this stuff at any time, so if you gave an app too many permissions, you can always revoke them. And if you want to deauthorize an app completely, just click this little X to remove it. I recommend removing any apps that you don't use anymore or that you don't remember authorizing in the first place. And in the future, if you use Facebook to log into other apps and services, make yourself aware of the permissions they're requesting and deselect any information you're not comfortable handing over.
28. [Connected Apps] Managing Browser Extensions/Addons: Another type of connected app, so to speak, that may have access to a significant amount of your private data is a browser extension. Browser extensions, also known as add-ons, are small apps that add extra features and functionality to web browsers like Chrome, Firefox and Safari. One extension you probably have installed, if you've been following along with this course, is LastPass. Extensions can be great. I use quite a few of them myself. But it's important to be aware of the data they have access to, because a rogue extension could totally compromise your security. So how can you be sure that your extensions aren't out to get you? Well, first of all, as with mobile apps, you should only install extensions through your browser's official extension marketplace. In the case of Google Chrome, the browser I'm using, that's the Chrome Web Store. Before you install an extension, be sure to check out the user reviews. An extension with thousands of five-star reviews is generally a safer bet than one with just a handful of reviews. Then, as you're adding an extension, you should see an overview of the permissions it needs to function. Oftentimes, this includes the ability to, and I quote, "read and change all your data on the websites you visit," so you can see it's very important that you only install trusted extensions. You're giving a lot of power, a lot of trust, over to this one little app. So you have to have a fair degree of confidence that it's not going to betray you. To manage your existing extensions (again, I'm using Chrome, but the process is pretty similar from browser to browser), open your settings menu and find the Extensions or Add-ons option. Here you'll see a list of the extensions you have installed, and you can click Details to get more information about each one, including the permissions you've authorized.
Browser extensions are a common source of malware and other security threats, so if you see anything in this list that you don't recognize, you should probably remove it right away. And, of course, if any of your extensions have permissions you feel are unnecessary, that may be cause to remove them as well.
29. [Connected Apps] Staying Secure With Third-Party Apps And Extensions: As we wrap up this section, I want to clarify my advice so there's no confusion. What I'm advocating here is not that you don't authorize third-party apps and extensions. I use plenty of them myself, and they can definitely add value to your life. I'm simply suggesting that you make yourself aware of the apps you've authorized and what permissions they have. When you authorize these apps, you're essentially giving them an open doorway into your digital life. So it's important to do so only with apps you trust. By the way, this section is by no means an exhaustive list. These are just a few examples of scenarios where you've probably authorized third-party apps before. The idea here is just to get you into the right mindset so you can apply the same principles to other accounts and services where you may be allowing third parties to access your data. Be very skeptical with any new third-party app and only grant access to data that you're comfortable giving away.
30. [Encryption] What Is Encryption?: When it comes to protecting your private data, one of the most powerful tools you can have at your disposal is encryption, so I'd like to spend some time in this section discussing what encryption is and how you can use it to keep your information from falling into the wrong hands. So what is encryption? Very simply, it's a technology that turns your plain text data into an unreadable, jumbled code. Encryption comes from the art of cryptography, which people have been using for thousands of years to send secret messages and protect sensitive information. In the old days, that is, before computers and the Internet, people would use what's called a cipher, which is a system of scrambling text in such a way that it's unreadable but can later be unscrambled if you know the key, which is the operation that was used to scramble it. More than 2000 years ago, Julius Caesar is said to have used alphabet shift ciphers, where each letter in a message is shifted a certain number of letters down the alphabet and then shifted back by the person who receives the message. As an example, we could take the word "hello" and shift each letter three letters down the alphabet, so the H becomes K, the E becomes H, the two L's become O's, and the O becomes R. So instead of the word "hello", we have KHOOR, which can then be shifted back if you know the key to the cipher, which is simply an alphabetical shift of three. This kind of cryptography never really went out of style. In fact, many military leaders continued to use similar tactics to send encoded messages in the 20th century. Today, in the digital age, we still use cryptography, but things have gotten a lot more complex. Instead of a simple shift of the alphabet, we now use advanced computer algorithms to encrypt and decrypt data. You still have an encryption key, but it's much more complex and not something you could decode on your own without the help of a computer.
For example, I took this plain text sentence and passed it through an encryption algorithm, and the result looks like this. As you can see, the encrypted version is completely unrecognizable. You would have no idea what the original text was, and that is the point of encryption. We use it to securely mask data that we'd prefer to keep private. That way, even if our data is intercepted, it'll be useless to an attacker unless they know the encryption key. How modern encryption algorithms actually work is a little outside the scope of this course, but the point I want to get across here is that encrypted data is much safer from attackers than unencrypted data. In the next few lectures, we'll talk about some real-world applications and how you can use encryption to protect your private information without being a cryptography expert yourself.
31. [Encryption] How SSL (HTTPS) Protects Your Passwords And Private Data: The first form of encryption I want to talk about is something I actually mentioned very briefly earlier in the course, and that is SSL. SSL is an encryption protocol that provides privacy and data integrity between two communicating systems, generally between your web browser and the server of a website. Whenever you see https in your address bar, which is often accompanied by a padlock icon, that means the website is using SSL to protect your data. When you're on a website that supports SSL, no data that you submit to that website can be intercepted by a third party sitting between you and the server, because it's all encrypted. That includes your passwords, credit card numbers and any other private data you may be transmitting. If it's happening over https, it's encrypted and nothing is ever sent in plain text. In practice, this means you should always be aware of whether a site is using SSL or not, which again is as easy as glancing up at the address bar. If a site is using SSL, you can feel a little more comfortable about doing things like entering passwords or making purchases. You still have to determine whether you trust the website itself. But you can feel confident that a random hacker isn't gonna grab your credit card number while it's in transit. The flip side of this is that you should be especially skeptical of sites that ask you to enter personal information but don't use SSL. Don't get me wrong. A non-https site isn't inherently bad. In fact, a lot of websites still haven't made the switch. But if you're being asked to enter your credit card information on a non-https site, you should walk away, period. You never want to send private data like that over an unsecured connection. So the moral of the story here is pretty simple. Before you enter sensitive information like your credit card number, look up at your address bar to see if your connection to the site is secure.
If it's not, there's a chance your data could be intercepted by a third party, so you may want to think twice.
32. [Encryption] Encrypting Your Web Traffic With A Virtual Private Network (VPN): In this lecture, I want to recommend a way to encrypt all of your Internet traffic, including the websites you visit, the apps you use and all of the data sent and received by your devices, guaranteeing that your personal data stays private and safe from eavesdropping. What I'm referring to is a virtual private network, or VPN for short. A VPN encrypts everything you do online and routes your data through a faraway server that then communicates with the rest of the Internet on your behalf. The result is a fully encrypted Internet connection that prevents anyone, including hackers, your employer, your Internet service provider and even your government, from being able to monitor your activity. So why would you want to do this? Well, there are a few different benefits, and they apply to different people in different scenarios. For me, and for the purposes of this course, the most important selling point is security, particularly if you use public WiFi hotspots. So let's say you're in a coffee shop and you connect to the WiFi network there and go about your business. Your Internet traffic, as well as any unencrypted data that's being sent or received by your device, could potentially be intercepted by any other random person on that network. Public WiFi can be extremely dangerous, and hackers have even been known to set up fake WiFi hotspots to get people to connect so they can steal their data. Not good. But if you're in the exact same situation and you're using a VPN, those hackers won't be able to steal anything because all they'll see is a jumbled mess of encrypted data. So if you often find yourself connecting to public WiFi access points in restaurants, coffee shops or airports, for example, a VPN is a must. Another common use of a VPN is by people who do a lot of heavy downloading, especially using peer-to-peer methods like BitTorrent.
Whether they're downloading legally or illegally, they don't want to be subject to the witch hunt that often happens in that situation, so they use a VPN, and all their data is private and protected. A VPN can also be used to bypass firewalls and geographical restrictions. For example, if some content or service isn't available in your region or country, you can use a VPN to appear as if you're in a region or country where it is available. And just like that, you've got access. Same thing if you're behind a company firewall that blocks certain websites or content: a VPN will allow you to access that stuff. And finally, a VPN gives you a general sense of privacy that you wouldn't have otherwise. Normally, everything you do online can be tracked by the network you're using, your Internet service provider, your employer and even your government in some cases. If you would rather keep a low profile and avoid snooping, a VPN is the answer. So with those benefits in mind, how do you actually connect to a VPN? Well, you'll need to subscribe to a VPN service. There are both free and paid options, and there are a ton of different VPN companies out there, so I want to give you two quick recommendations to start your search. The first one is called Private Internet Access. This is one of the most widely used and trusted VPN providers. It supports Windows, Mac OS, Linux, iOS and Android, so you can use it on any device. It has servers in several different countries, and it keeps no logs of your activity whatsoever. Pricing starts at seven U.S. dollars a month, with volume discounts if you purchase six months or more in advance. If you can handle $7 a month, Private Internet Access is the service I'd recommend, and you can check it out at privateinternetaccess.com. My other suggestion is called proXPN. proXPN offers many of the same benefits as Private Internet Access, but it also offers a free plan.
The free plan limits your data transfer speeds and restricts you to a single server location, but it's still a great deal if you only need to use it occasionally, say when you're traveling and using public WiFi. It also offers premium plans, starting at $10 a month. Unfortunately, proXPN only supports Windows, Mac OS and iOS, so it won't work on Android. Once you've subscribed to a VPN service, getting set up is way easier than you'd expect. All you have to do is install an app on each of your devices, configure your settings and forget about it. It's really as simple as that. So definitely look into getting connected to a VPN. The privacy gives you peace of mind, being able to access geo-restricted content is cool, and the added security on public WiFi networks could end up saving you a lot of time, money and headaches in the future.
33. [Encryption] How To Encrypt Your Computer's Hard Drive: So far, we've taken steps to ensure your data is encrypted while it's in transit, in other words, while it's moving between your device and various web servers. Now we have to tackle the problem of encrypting your data while it's at rest, while it's just sitting on your system. Because in many cases, even if your computer is protected by a password, someone could gain access to all of your private data simply by removing your hard drive and using another system to break into it. But if your hard drive is encrypted, all they'll see is a bunch of useless scrambled data. Now, to be honest, this isn't mandatory for everyone, but it's never a bad idea. And if you travel with a laptop, I highly recommend encrypting it just in case. It's easy enough to do, and it's something you only have to do once that could really save you if your device is ever stolen. If you have a Mac, you are in luck, because Apple makes it ridiculously easy to implement full disk encryption using a built-in feature called FileVault. Just open the Security & Privacy menu in your System Preferences, click over to FileVault and turn it on. Super simple. That's all there is to it. Now, of course, the important thing to remember here is that because your data is encrypted, you'll need your login password or the backup recovery key to access it. If you lose both of those things, your data will be lost forever. So keep that in mind. If you're a Windows user, unfortunately, things aren't quite as simple. There's no built-in encryption tool for the consumer versions of Windows, so you'll have to use a third-party program. The one I recommend is called DiskCryptor. It's a free, open source program that can encrypt your entire drive for you. Now, before we go any further, something to be aware of: once you encrypt your drive with DiskCryptor, you have to enter the encryption password every time you turn on your computer in order for it to boot.
This is separate from your normal Windows password, and you'll still have to enter that as well. So that's a little minor inconvenience that you have to keep in mind. To get started using DiskCryptor, go to diskcryptor.net, click Download and then choose the installer. Meanwhile, you'll notice this yellow box at the top, advising you to create a bootable LiveCD before you encrypt your system. That's optional, but it's definitely a good idea in case anything goes wrong in the future. And if you click that link, you'll see instructions on how to do that. Once the installer finishes downloading, go ahead and run it and then follow the steps to complete the installation. Once it's finished, you'll be asked to restart your computer, so be sure to save anything you're working on. And after the reboot, you can run the DiskCryptor program. Select your system drive, which is usually drive C, and click Encrypt. Then you just have to follow the prompts to configure all the various settings, and you're probably best leaving everything as is. As for the password, it should, of course, be something long, complex and unique. But it should also be something you can remember, because if you ever forget your password, you'll lose access to your data. I highly recommend also adding it to LastPass so you don't lose it. The program may take a few hours to encrypt your drive, depending on the size of your drive, and in the meantime, you can use your computer for other things. Just be sure not to restart or shut down while DiskCryptor is running, unless you pause it first. Once the process is complete, DiskCryptor should list your drive as mounted and all your data will be encrypted. If you ever change your mind or need your drive to be unencrypted for some reason, just run DiskCryptor again, select your encrypted drive and click Decrypt. Okay, so I know that was kind of a fast-paced walkthrough.
If you run into any problems, the DiskCryptor website has a lot of good resources that should be able to help you out. I also want to remind you one more time that regardless of whether you're on a Mac or a PC, if your drive is encrypted, it is absolutely crucial that you remember your password, because that's the only way to access your data. If you ever lose your password, you lose your data as well. I cannot stress this enough. Please be careful with your password. With that in mind, once you've encrypted your system, your data will be inaccessible to any third parties who don't have your password, even if they have physical access to your device. That should give you great peace of mind, especially if you do a lot of travelling and have sensitive information on your laptop.
34. [Encryption] How To Encrypt Your Smartphone: In the last lecture, we covered encryption for laptop and desktop computers. But these days it's arguably more important to secure your smartphone, right, because it contains so much of your personal data and you probably carry it with you everywhere. So the need for encryption on your mobile devices is kind of a no-brainer, and luckily, it's pretty easy to enable, much easier than on a laptop or a desktop. Let's take a look at how to do it on the two biggest mobile operating systems, iOS and Android. On iOS, encryption is enabled automatically when you set a passcode. So if you haven't already, open your settings, go to Touch ID & Passcode, turn it on and enter a strong passcode. That's it. As soon as you've done that, all the data on your device will be encrypted. On Android, the process varies a little bit between devices. Most of the newer flagship Android phones come with encryption enabled by default, and similar to the iPhone, all you have to do is add a security code or fingerprint by opening your settings, going to Security and then Screen Lock. For older Android devices, you may have to enable encryption manually. If you're going to do this, make sure your phone is connected to power, because the process could take a while depending on the amount of data on your device. So, first, create a passcode following the same process that we just talked about, then open your settings, select Security and tap Encrypt Phone. If you can't find that menu, it may also be hidden in the Lock Screen section under a menu called Other Security Settings. If your Android device has an SD card, you can encrypt it and prevent it from being used in another device. Just go to your settings, select Security followed by Encrypt External SD Card and tap Enable. It may be worth noting that your device will likely take a slight performance hit when you encrypt it.
It should be barely noticeable on newer high-end phones, but you may feel a significant difference if you're using a really old device, so you'll have to weigh your options there. But all in all, smartphone encryption is pretty easy to implement, and it'll keep your data safe from thieves should your device ever be stolen.
35. The Next Steps: We've covered a lot of ground in this course, from the core principles of security to safe browsing habits, smartphone security, passwords, multi-factor authentication, connected apps and encryption. So what are the next steps? Well, most importantly, I hope this course has inspired you to look at security in a different way. It shouldn't have to be a chore, and it certainly shouldn't be reserved for IT professionals. Security matters to all of us because we all have valuable data that's worth protecting. As you go forward in your day-to-day life, I hope you keep these lessons in mind and take steps to protect yourself whenever you have the opportunity. Nothing can ever be 100% secure. But if you take my advice and surround your data with multiple layers of strong security, you'll be a cybercriminal's worst nightmare. Thank you so much again for joining me in this course. I really hope it's been helpful. And if you have any questions, please don't hesitate to let me know.