Cybersecurity threats come from many directions: opportunistic criminals running automated attacks, targeted attacks by skilled adversaries, malicious insiders, and nation-state actors. Most people only ever face the first category: automated, opportunistic attacks that go after whoever is easiest to hit.
The good news: most cyberattacks are not sophisticated. They exploit the same basic weaknesses: reused passwords, unpatched software, and clicking on malicious links. Fixing these three problems eliminates the vast majority of your risk.
The 80/20 rule of security is a useful heuristic: the large majority of breaches trace back to a handful of root causes (weak or reused passwords, phishing, unpatched vulnerabilities, and misconfigured systems). Fixing these is worth more than any exotic defense.
Phishing
Tricking you into revealing credentials or installing malware via deceptive emails, SMS messages, or phone calls. Breach reports year after year rank phishing among the most common ways attackers get their first foothold.
Defenses: verify the sender's actual address, not just the display name; don't click unexpected links; hover over links to see where they really go before clicking; use 2FA, ideally a phishing-resistant kind (hardware security key or passkey), since a code typed into a fake login page can simply be relayed to the real one.
Credential Stuffing
Attackers take email/password pairs from breached databases and replay them, at scale, against other services. It works because most people reuse passwords, so one leaked site password unlocks many accounts.
Defenses: a unique password for every site; use a password manager so that is practical; enable 2FA; check haveibeenpwned.com to see which breaches your email address appears in, and change any password you used on those sites.
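The page points to haveibeenpwned.com for checking whether your email address is in a known breach. The same service publishes the breached password corpus that credential-stuffing tools are fed with, and its Pwned Passwords range API lets you check a password against it without ever sending the password: only the first five hex characters of its SHA-1 hash leave your machine, the server returns every breached suffix sharing that prefix, and you match the rest locally. The following is an added example, not code from the page. The canned API response in `FAKE_RANGES` and its counts are constructed for the example; `fetch_range_live` is included only to show what the real request looks like and is not called.

```python
import hashlib
from urllib.request import Request, urlopen


def split_hash(password):
    """SHA-1 the password. Only the 5-char prefix is sent; the 35-char suffix stays local."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def breach_count(suffix, range_response):
    """range_response is the body of GET https://api.pwnedpasswords.com/range/<prefix>:
    one 'SUFFIX:COUNT' line for every breached hash sharing that prefix (hundreds of them),
    so the server cannot tell which one, if any, was yours."""
    for line in range_response.splitlines():
        candidate, _, count = line.strip().partition(":")
        if candidate.upper() == suffix:
            return int(count)
    return 0


def check_password(password, fetch_range):
    """Return how many times the password appears in the corpus (0 = not found)."""
    prefix, suffix = split_hash(password)
    return breach_count(suffix, fetch_range(prefix))


def fetch_range_live(prefix):
    """The real request (needs network). Add-Padding makes the server pad the reply with
    zero-count entries so the response size does not reveal which prefix bucket you asked for."""
    req = Request(f"https://api.pwnedpasswords.com/range/{prefix}",
                  headers={"Add-Padding": "true"})
    with urlopen(req, timeout=10) as resp:
        return resp.read().decode("ascii")


# Constructed stand-in for the API: a few suffixes for the prefix of sha1("password").
# The counts and the other two suffixes are made up; a count of 0 is a padding entry.
FAKE_RANGES = {
    "5BAA6": "\n".join([
        "003D68EB55068C33ACE09247EE4C639306B:3",
        "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493",
        "1E9E1A9A38AFA9BC3D6C2DB4E8F3C2F9A0B:0",
    ]),
}


def fetch_range_fake(prefix):
    """Offline substitute for fetch_range_live."""
    return FAKE_RANGES.get(prefix, "")


if __name__ == "__main__":
    for pw in ("password", "correct horse battery staple"):
        print(repr(pw), "seen in breaches:", check_password(pw, fetch_range_fake))
```

A password manager that reports "this password has appeared in a breach" is doing exactly this lookup. Any password with a non-zero count is in the lists attackers replay and should be changed wherever it is used.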
Ransomware
Malware that encrypts your files and demands payment for the decryption key. Usually delivered via phishing, exploit kits, or exposed remote-access services with weak credentials, and it can spread across a network once inside.
Defenses: regular backups following the 3-2-1 rule, with at least one copy offline; don't open unexpected attachments; keep systems patched; email filtering.
Social Engineering
Manipulating people into taking actions or revealing information. It exploits trust, urgency, authority, and reciprocity rather than technical vulnerabilities.
Defenses: verify requests through a channel you already know (call the bank back on the number printed on your card, not the one in the message); never give credentials or one-time codes to an inbound caller; agree a verification code word with family for "emergency" calls.
Unpatched Vulnerabilities
Attackers exploit known security flaws in software that hasn't been updated. EternalBlue, the exploit behind WannaCry, targeted a flaw (MS17-010) that Microsoft had patched two months before the outbreak, which went on to cause an estimated $4B in damage.
Defenses: enable automatic updates; patch within 48 hours of a critical release, sooner if the flaw is already being exploited; remove software you don't use.
Least Privilege
Grant users and programs only the minimum access they need. If a process doesn't need admin rights, don't give it admin rights; a compromise of that process then only gets what it had.
Defense in Depth
Multiple layers of security, so that if one layer fails the others still protect you. No single control is sufficient.
Zero Trust
Never trust, always verify. Assume breach. Don't treat network location as proof of anything; verify every access request explicitly, based on who is asking and from what device.
Attack Surface Reduction
Remove what you don't use. Fewer services, open ports, accounts, and installed programs mean fewer ways in.
Separation of Duties
No single person should have enough access to both commit and conceal fraud. Split critical functions across multiple people.
Audit & Monitor
Log security-relevant events and keep the logs somewhere an attacker on the box can't edit them. You can't detect what you don't record, and anomalies in logs often reveal a breach in progress.
Email Red Flags
- Sender email domain doesn't match the company (paypa1.com, amaz0n-support.net); check the actual address, not the display name
- Generic greeting ("Dear Customer") when the company knows your name
- Urgent language: "Your account will be suspended in 24 hours"
- Links that don't match the displayed text (hover before clicking)
- Unexpected attachments, especially .exe, .zip, .iso, .lnk, .docm, .xlsm
- Requests for credentials, passwords, or payment info by email
Golden rule: If an email asks you to click a link to log in, don't use the link. Instead, type the website address directly into your browser or use your saved bookmark.
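The first and fourth red flags above (and the "verify sender addresses" advice in the phishing card) can be checked mechanically. The following is an added example, not part of the original page: it parses the anchors out of a constructed HTML email, flags links whose visible text names a different domain than the real target, and flags sender or link domains that imitate a known brand through look-alike characters (paypa1 for paypal), a hyphenated prefix (amaz0n-support), a one-character typo, or the brand name used as a subdomain of an unrelated domain. The `KNOWN_DOMAINS` list, the sample sender and the sample body are assumptions made up for the example; real tooling should use the Public Suffix List instead of the crude last-two-labels rule in `registrable`.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Brands you expect mail from. Constructed for this example; a real list is site-specific.
KNOWN_DOMAINS = {"paypal.com", "amazon.com", "microsoft.com"}

# Characters that pass for letters at a glance. "rn" -> "m" is handled in normalize().
CONFUSABLES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})


def normalize(label):
    """Undo the usual look-alike substitutions so 'paypa1' compares equal to 'paypal'."""
    return label.lower().replace("rn", "m").translate(CONFUSABLES)


def edit_distance(a, b):
    """Levenshtein distance: one per insertion, deletion or substitution."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable(host):
    """Crude registrable domain: the last two labels. Use the Public Suffix List in real code."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def lookalike_of(host):
    """Return the brand domain this host imitates, or None if it is the real one or unrelated."""
    host = host.lower()
    if registrable(host) in KNOWN_DOMAINS:
        return None
    labels = host.split(".")
    pieces = [normalize(p) for p in labels[-2].split("-")] if len(labels) >= 2 else []
    for known in KNOWN_DOMAINS:
        brand = known.split(".")[0]
        if brand in labels[:-2]:  # paypal.com.evil.net
            return known
        if any(p == brand or edit_distance(p, brand) == 1 for p in pieces):
            return known  # paypa1.com, amaz0n-support.net, paypai.com
    return None


class _Anchors(HTMLParser):
    """Collect (href, visible text) for every <a> in the body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


URL_LIKE = re.compile(r"^(https?://)?[\w.-]+\.[a-z]{2,}(/\S*)?$", re.I)


def host_of(s):
    s = s.strip()
    return (urlparse(s if "://" in s else "http://" + s).hostname or "").lower()


def check_email(sender, html):
    """Return a list of (flag, detail) for a message's sender address and HTML body."""
    flags = []
    brand = lookalike_of(sender.rsplit("@", 1)[-1])
    if brand:
        flags.append(("sender lookalike", f"{sender} imitates {brand}"))
    parser = _Anchors()
    parser.feed(html)
    for href, text in parser.links:
        real = host_of(href)
        if URL_LIKE.match(text) and registrable(host_of(text)) != registrable(real):
            flags.append(("link text mismatch", f"shows {host_of(text)} but goes to {real}"))
        brand = lookalike_of(real)
        if brand:
            flags.append(("link lookalike", f"{real} imitates {brand}"))
    return flags


# Constructed sample message for the example; not a real phishing email.
SAMPLE_SENDER = "service@paypa1.com"
SAMPLE_HTML = """
<p>Dear Customer, your account will be suspended in 24 hours.</p>
<p>Click <a href="http://paypa1.com/login">https://www.paypal.com/login</a> to verify.</p>
<p>Or visit <a href="https://amaz0n-support.net/help">our help center</a>.</p>
<p><a href="https://www.paypal.com/">Genuine link, not flagged</a></p>
"""

if __name__ == "__main__":
    for flag, detail in check_email(SAMPLE_SENDER, SAMPLE_HTML):
        print(f"{flag}: {detail}")
```

The one-typo rule is deliberately loose; it will also flag honest typos in legitimate mail, which is the right trade-off for a hint shown to a human but not for an automatic block.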
- Never open email attachments from unknown senders; if unsure, scan with VirusTotal, but remember that uploaded files are shared with security vendors, so don't upload anything confidential
- Only download software from official sources and app stores
- On Windows: keep Microsoft Defender (free, built-in, on by default) enabled; malware often tries to switch it off
- Disable macros in Office documents from the internet (current Office versions block them by default for files marked as downloaded; leave that setting alone)
- Run as a standard user, not as administrator
- Use an ad blocker; malvertising is a common malware delivery vector
- Verify software checksums (SHA-256) when downloading sensitive tools; a hash posted right next to the download only catches a corrupted or swapped file on a mirror, so prefer a vendor signature (GPG, Authenticode) where one is offered
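Verifying a checksum is the step most people skip because it is fiddly to do by hand. As an added example (not from the page), this reads the `hash  filename` lines that `sha256sum` prints and that vendors publish as SHA256SUMS files, hashes the download in chunks so large files don't need to fit in memory, and refuses to report success when the file is not listed at all. The temporary "download" and the bogus hash in `demo` are constructed for the example.

```python
import hashlib
import os
import tempfile


def sha256_file(path, chunk_size=1 << 20):
    """Hash a file in 1 MiB chunks so multi-gigabyte downloads don't need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk_size), b""):
            h.update(block)
    return h.hexdigest()


def parse_sha256sums(text):
    """Parse 'hash  filename' / 'hash *filename' lines as written by sha256sum."""
    sums = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        digest, _, name = line.partition(" ")
        name = name.strip().lstrip("*")
        if len(digest) == 64 and name:
            sums[name] = digest.lower()
    return sums


def verify_download(path, sums_text):
    """Compare the file at path with its entry in the published sums.
    Fetch sums_text from the vendor's own HTTPS page, not from the mirror that served the file."""
    expected = parse_sha256sums(sums_text).get(os.path.basename(path))
    if expected is None:
        return "no published hash for this file"
    if sha256_file(path) == expected:
        return "ok"
    return "MISMATCH: do not run this file"


def demo():
    """Constructed check: a fake 'download' whose contents are b'hello\\n'."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "tool.bin")
        with open(path, "wb") as f:
            f.write(b"hello\n")
        # sha256 of b"hello\n", as sha256sum would print it
        good = "5891b5b522d5df086d0ff0b110fbd9d21bb4fc7163af34d08286a2e846f6be03  tool.bin\n"
        bad = "0" * 64 + "  tool.bin\n"  # constructed wrong hash
        return verify_download(path, good), verify_download(path, bad), verify_download(path, "")


if __name__ == "__main__":
    print(demo())
```

The same check on the command line is `sha256sum -c SHA256SUMS` on Linux or `shasum -a 256 -c` on macOS; the script above is for when you want the result in a program rather than on screen.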
The majority of successful cyberattacks exploit vulnerabilities for which a patch already exists. Updates are not optional; they are your most reliable defense against known threats.
- βEnable automatic updates for your operating system
- βKeep browser and browser extensions updated
- βUpdate apps promptly β especially anything internet-facing
- βReplace end-of-life software that no longer receives security patches
- βUpdate router firmware β often forgotten but critical
The WannaCry ransomware (2017) infected 230,000 computers using a vulnerability Microsoft had patched two months earlier. Patching is free. Ransomware recovery is not.
Backups protect against ransomware, hardware failure, accidental deletion, and theft. The 3-2-1 rule is the gold standard:
- 3: Keep 3 copies of your data (1 original + 2 backups)
- 2: Store them on 2 different media types (e.g. internal drive + external drive)
- 1: Keep 1 copy offsite (cloud or a physically separate location)
Critical: A backup connected to your computer can also be encrypted by ransomware. Keep at least one backup that is offline or air-gapped.
Test your backups periodically by actually restoring a file. A backup you've never tested is not a backup; it's a hope.