- Tristan Shelley
- Wednesday, January 21
The internet can be a scary place at times. How can we be safe when browsing online, and protect ourselves from the various threats that exist?
We use the internet every single day in our lives, and it allows us to accomplish a lot. Have you ever stopped to think about how much of our personal information is out there for the world to see? This idea of all our information being online for people to search is a terrifying situation to be in. What can we do to hide our information? How can we ourselves browse the internet in a safe and controlled manner? First off, we have to get an understanding of how to defend and protect ourselves, and what information is out there.
This is what’s called our Threat Model, determining what vulnerabilities, threats, and risks are possible within a system, application or process. With technology growing at an immense rate, it is incredibly difficult to keep up with all the threats that exist in today’s world. However, it is important to know what they are to prioritize how you scale up and improve your Security Infrastructure.
So, what threats are there? How can I defend myself? What do I do if I get scammed? These are all the valid questions we ask ourselves. Let’s start with the 1st one: What threats are there? The Open Web Application Security Project (OWASP) organization is a non-profit that focuses on digital security in software and applications. Every few years, OWASP posts a list of the Top 10 most critical risks to web applications. Posted below are the Top 10 lists from 2025 and 2021:
Along with these lists, here is a list of some of the more common threats and cyber-attacks that can occur, along with links that explains them in more detail of how they work:
- Denial-of-Service (DoS) and Distributed-Denial-of-Service (DDoS): A DoS is a type of cyber-attack where an attacker floods the network with traffic to shut down the system. A DDoS is the same; however, it sends traffic through the network with a Botnet (A group of infected computers; Often referred to as zombie computers) that an attacker has access to.
- On-path attack: An attack where a malicious actor intercepts a transmission of data between 2 points to steal information. Another name for this attack is a Man-in-the-Middle attack (MITM).
- Phishing: A social engineering attack where a malicious actor sends an email that looks legitimate to steal login credentials.
- Ransomware attacks: An attack where a malicious actor steals data and encrypts it, then will unencrypt it and return it after a ransom is paid.
- Smishing: Same goal as Phishing and Vishing but using SMS text messaging.
- Spoofing: Creating a website or application that appears like the legitimate source but is a malicious copy. Spoofing can also be performed with phone numbers/caller IDs and Domain Name System (DNS) spoofing. (You can watch an interview where phone spoofing is demonstrated here, along with how voice cloning can be used with Artificial Intelligence (AI).)
- Trojan: A website or application that looks like one thing but is something else that can be malicious.
- Vishing: Same goal as Phishing and Smishing but over the phone on a call.
These are some of the most dangerous threats that exist, but there are a lot of other types of malware or attack variables. Along with that is this:
In a report from IBM in 2022, the average time between a threat entering the system and that threat being detected was 277 days (that’s over 9 months), and in the report for 2025 the average cost for recovery from a data breach was $4.4 million (Which is a 9% decrease from the last year).
So, knowing about some of these threats, how do we protect ourselves against them? Who can I contact if my information is being stolen by someone? While these answers may seem complex, you don’t have to be a security professional to know how to defend yourself.
Here are a few things you can do to improve your online security along with links to software's and tools you can add to your systems:
Think Before You Click
Look, we've all gotten some version of a phishing email with a link, and we want to click the link because we're either excited because we won some money, or were just curious about what happens when we click it. Alternatively, the phish could say that it needs to be taken care of ASAP. So we rush to click the link to not waste any time. These are the goals of phishing emails and what they aim to accomplish, and it never ends in a good way. So, analyze the email and pay close attention to the tiny details, and ask yourself if the email looks legitimate. Plus, here's a nice little trick: If you move your mouse over the "Click Here" button in the email (don't click it, just move it and hover over it) a small box should appear above or below the mouse icon with the URL of the page it will take you too. If it looks "phishy" it probably is.
To aide in analyzing these emails, you can find a list of common indicators of phishing emails here.
Want to test to see whether you can spot a phishing email? Take this quiz to test your knowledge and spot the phish.
Install and update your System and Antivirus/Antimalware software:
While the operating systems you use may vary, the software that is automatically installed (Defender for Windows, Xprotect for macOS) is dependable and strong. They can defend your system well. Make sure that these are updated to the latest versions, as they can be more vulnerable otherwise. If you want to add an extra defense, look into a subscription-based solution for antivirus. This allows you to double down on making sure that malware doesn't make its way onto your devices. Here are some antivirus/antimalware tools that are available:
Not only do these tools provide protection on your device, but they also include add-ons for browser protection. This will stop you from visiting any malicious sites that could potentially lead to installing malware onto your device.
Use Strong Passwords
While it can be annoying and troublesome at times, having a strong password for your accounts stops a majority of cyberattacks. However, most of us also reuse the same passwords for all our accounts. While you create your password, make sure you have a personal record of them if you can’t remember them (Write them down in a password journal). Alternatively, it’s a smart choice to invest in a password manager to secure and manage all of your passwords and generate new passwords for new accounts or password resets. Here are two Password managers that I have used before:
These password managers also are locked by a special key that only you create to access your manager, and backup codes to activate your manager across all of your devices. They also come with a password generator, which generates and saves random passwords that are mixed with letters (Upper case and Lower case), numbers and symbols (such as % $ ! . ? * ,). One more thing, a strong password is usually made up of no less than 12 characters.
Optional: Move from Single Sign-On (SSO) to 2 Factor Authentication (2FA) or Multi-Factor Authentication (MFA) for Applications and Websites
SSO is more convenient for us but can leave our data in a vulnerable state. The options for 2FA or MFA really put a strong front for your security posture. What’s the difference? 2FA would be like typing in your username/email, password, and then having the website send you a text message with a One Time Password (OTP). MFA would be the same as 2FA, but it could also ask you to plug in a USB key (Like a Yubikey) with your preloaded credentials to login to the website. These USBs are called Hardware Tokens. While implementing 2FA or MFA may seem like a pain and can get annoying, it’s worth the extra effort to really harden your own security posture and harden the threat landscape.
Encrypt and Backup your Important Data
While a VPN encrypts your network traffic, your local data may still be vulnerable. Encryption is a way to secure your data by locking access to the data and can only be unlocked with a password or passkey that is similar to MFA. So, even if attackers get access to the data, they wouldn’t be able to access it. Here are two free encryption tools that are available:
While you are encrypting your data, also be sure to create a backup of your data. This can be done via Cloud Services (Onedrive, Dropbox, iCloud etc.) or you can purchase a backup drive, like a USB or an External Hard Disk Drive (HDD) or Solid State Drive (SSD). These often come with encryption tools as well, so you keep your back up files encrypted as well.
Optional: Encrypt your SMS and MMS Text Messages
While your data is important to keep safe, this can include your phone calls and text messages. While some chats may just be "small talk", others could have data that you may not want out there for the world to see. Not only that, but being able to have access to messages means having access to your phone number. So, using messaging services that provide end-to-end encryption prevents attackers from seeing your private information, along with your conversations. Here are two messaging services that provide end-to-end encrypted messaging:
Now, what about phone calls? Well, there services that not only encrypt your calls, but also allow you to use another phone number all together. These services are called Voice over Internet Protocol (VoIP). These are smart if you want are calling a number you don't quite trust, or just want to keep your phone number safe. However, majority of these services are subscription based, and setup like a regular phone plan. Here are two VoIP services that are available:
Hide your Information
Our data is on the internet whether we want it to be or not, and we sometimes think to ourselves, “Why should I? It’s already out there.” While this can be true, it can be a dangerous mindset to have and can leave you even more vulnerable. It is worth investing in something to minimize your Digital Footprint and hide your information from potential attackers and data brokers. Here two tools that are available that trace your information online and work to physically remove your information from those sites:
Along with this, it is efficient to do some research of your own and search for your information and see what is out there. This is a task known as Open-Source Intelligence (OSINT). By knowing what information about you is available for everyone to see, you will get a better idea of what you are protecting. Sounds kind of creepy doesn't it? However, it will help in the long run of what you are defending, and what data needs to be protected.
Invest in a VPN for public networks
A Virtual Private Network (VPN) is a software that masks your Internet Protocol (IP) address, and assigns your device another IP address from another location (State, Country etc.) This helps protect you connecting to public internets (Wi-Fi) without the fear having your device traffic being monitored. It will also encrypt your traffic so that attackers can’t have access to internet traffic data. Here are some VPN tools that are available:
Not only do these services come with a VPN, but they also have built in antivirus/antimalware protection as well. Depending on the plan you choose, they can also provide Credit and Dark web monitoring, Encrypted Cloud Storage, and Password Managers. Choose the plan that you feel is right for you, and they will keep you protected.
Educate Yourself
So, you have all the protection set in place, you set up a strong front line against cyber-attacks, and you feel safe. However, technology is growing constantly and changing just as fast. This means that attack methods are changing all the time as well. How do you stay ahead of the game and keep your security strong? Perhaps the most important tool you can have is education. Education on this topic can help stay ahead of what is coming soon, or what is changing. It can also keep you in the loop of any breaches that have occurred. This can give you a chance to be involved and let your voice be heard on these new technologies.
There are many places to start your research like tech blogs, tech forums, tech news sites, tech YouTube channels, tech newsletters, discussions with friends and family, etc. Alternatively, just start researching tech topics and searching for terms that you don’t know. This part can be a bit overwhelming and don’t feel like you need to know everything ASAP. It will take time, so go at your own pace. Also, research topics that fascinate you; like AI, Cloud Computing, Coding and Programming, Cybersecurity, Networking, Software tools, etc. Make it fun and share it with your friends and family. Here are some resources that I use for new tech news and advancements:
Optional: Case Studies
Case studies are reviews of past security incidents (Data leak/breach, Ransomware attacks, Spoofing, Phishing etc.) By performing these case studies, you can view how these incidents unfolded, what caused the incident, and how these companies responded to them. By analyzing these cases, you can become familiar with the common symptoms of an oncoming attack. This can bring on the action of threat hunting on your own devices and network. You can find a list of real case studies that were conducted off of real security incidents here.
There's a reason that we call it the World Wide Web, as it contains infinite resources at our fingertips. However, there is a negative aspect to this wealth of knowledge that is simply waiting for the right moment to strike. With technology evolving at a rapid pace, cyber threats are evolving just as rapidly. Yet, our vigilance must remain strong, from investing into and learning tools for defense to researching what caused the latest data breach. Now, I understand some concerns that may come up. It can get complicated and expensive, and you may not have the time to learn all of this. Well, what I can say is that you don't have to do all of the advice, or download all the tools and services presented. What I recommend is to start by learning about how you could better defend yourself and your data, and learn about what security risks could be exploited.
Security online is something that we should take as seriously as security of our homes and personal belongings. How will you defend it?
