Today, in my humble opinion, you cannot use an Internet connection via Ethernet cable or WiFi (free or paid) without having a virtual private network running at the same time. The era of hopping from free WiFi to free WiFi without a VPN is absolutely over.
Some of my readers are very well-versed in technical details, and others have never heard of the word VPN. Thus, I decided to navigate in the middle with this post, keeping in mind my not so techie readers. If you want to get into the ultra-technical details on how a VPN works, there is plenty of publicly available information on the topic.
What is a virtual private network?
Imagine that you have a virtual pipe running parallel to your Internet connection. In technical terms, we call this tunneling. This pipe has a different Internet Protocol (IP) address than your regular Internet connection, and the connection through this tunnel (pipe) is encrypted.
It does not matter who provides you with Internet services; you can always add a VPN service on top of that for your computer, phone and tablet.
How does it work?
You first connect to the Internet but your computer does not access the actual Internet until your VPN has engaged (if you use ExpressVPN.com with this option selected – highly recommended). Thus, you are using the public telecommunication infrastructure (Internet) but with an encrypted layer of protection that will not allow anybody to snoop on what you are doing while surfing the Internet.
Why do I need a VPN?
Every time you visit a website, the webmaster can see your visit because you are disclosing your actual IP address. Your Internet provider can see the sites you are visiting too.
Even though you might not be visiting websites that are considered compromising, your privacy is the precursor of security. Thus, when all the companies are creating a profile of your Internet habits, your privacy ends up being the product they sell to whoever is willing to pay the most. These buyers are marketers and also crooks.
The illustration below shows how you can be using your laptop (this applies to phones and tablets too) at a coffee shop (or a hotel, an airport or your own home) to look at websites over the blue, non-encrypted connection, where the red laptop, along with the webmaster, can see everything you do. At the top of the illustration, you see how your IP address changes when you use an encrypted connection to look at the same website, and the man-in-the-middle can no longer jump into your connection.
At home, you are probably embracing the phenomenon of the Internet of Things (IoT). You have many devices connected to your network, including cameras. When these cameras are not running on an encrypted tunnel (VPN), they can be accessed by anybody. Do you want to have fun? Take a look at this website that shows all unsecured cameras in the world. Do you want your camera to be listed on this website too? http://www.insecam.org/en/bycountry/US/ If the answer is no, then begin by changing the default passwords on all the devices you connect to the Internet and ALWAYS use a VPN.
What are the best VPN services?
A VPN company that offers its services for free is making you the product. This means that the company is selling your private information. Encryption is very expensive, and we do not want anything lower than AES-256. Thus, you need to expect to pay between $8.25 and $8.35 per month for a good VPN.
ExpressVPN.com has been voted by many reputable organizations as the best service provider, and it is the one that I highly recommend. The other four are Buffered, IPVanish, NordVPN, and VPNArea. You can read a well-written comparison here.
How do I configure it? Can I use it on multiple devices?
Assuming that you go with my recommendation of ExpressVPN.com, you can have one account that includes one computer, one phone and one tablet. The computer can use the same account at the same time as the phone or the tablet, but the phone and the tablet cannot share the same account at the same time.
To configure your VPN, go to Preferences, and ensure that you put a check mark on the two options under Network Lock. Under Protocol, select Automatic, and under Advanced, remove the check mark for the Diagnostic Data.
On your smartphones and tablets, make sure you select Auto-reconnect, and that Share Diagnostic Data is off.
That is all for now. Thank you for reading!
Meta brings the courses Risk Management When Online and Open Source Intelligence (OSINT) Collection and Analysis to your organization regardless of where you are located. Watch this short clip: https://www.youtube.com/watch?v=aRXazQuPzFs Then call us to schedule training for your team or organization.
The IT Department, as we know it today, can no longer address on its own the dynamic exchange of information that takes place in the cyberspace domain. This exchange of information includes benign and malicious traffic. In a paper I wrote some time ago and posted on LinkedIn, I proposed the creation of a Cyber Security and Intelligence Department to operate side by side with the IT Department to track IP addresses that have unsuccessfully attempted to pass the IDS, traffic that appears normal but in context shows a malicious nature, chatter in the cyberspace domain about the enterprise, its proprietary information and intellectual property, unauthorized disclosure of information by employees, and threats against facilities and executives.
The analogy I use is that if I had told a CEO 40 years ago that he/she would need an in-house attorney, I would have been given the same answer I am getting today when I say “you need a part-time or full-time in-house Chief of Cyber Intelligence.” Answer: Oh, I do not have those kinds of problems. No need for that. No ROI justification.
Well, today, most medium to large businesses have an in-house attorney. :-)
After 11 years of running Meta Intelligence, I have encountered many problems for which I have found solutions; however, this one is puzzling me because I cannot find the way to escape this swirl. I am hoping that some of my readers might have the answer, and I also want to bring to your attention this swirl that, in my humble opinion, is costing the private sector billions of dollars.
At one end of the ping-pong table, there is the CEO who knows that he/she has hired the best CIO/CTO/CISO available in the market. The CEO has not been informed of any breaches of security in his/her company, so he/she is certain that the company is 100% secure.
At the other end of the ping-pong table, there is the CIO/CTO/CISO who knows that technology alone cannot provide a barrier of defense. He/she might be indeed one of the best in the marketplace but does not have the time/knowledge to design and teach a course that addresses the number one point of entry of cyber intrusions: the user of technology.
As of today, 95% of all cyber intrusions have been caused because someone inside an organization clicked on a link that carried a malicious payload, connected an infected computer to the company’s network, traveled to China with the same laptop that will then connect back to the network, clicked on a link sent via text message, and the list goes on and on.
When a vendor, like Meta Intelligence, approaches the CEO with a solution, he/she often replies with one of these two options: 1) I have the best IT department and it has not brought that up as an issue; or 2) I don’t know much about cyber so you better talk to the IT department.
Both answers put the vendor in limbo land because the IT department personnel will rarely admit that they have zero knowledge of how to address user behavior as the number one barrier of defense, and they will not approach the CEO requesting assistance and the engagement of a third-party vendor. The CIO/CTO/CISO is concerned that bringing in a third party to solve this problem might get him/her fired for incompetence.
These are companies like Home Depot, Target, Sony, Domino’s Pizza and many others you have seen in the newspapers, whose CEOs have been forced to resign or, even if they remained in the company, have paid a huge price in lost revenue.
As of today, a company will pay on average $201 to $206 per employee to recover from a cyber intrusion. However, if the company stops the endless cyber ping-pong of CEO vs IT Department, and brings in a good education program on risk management when online, it will save about $150 per employee and fend off 95% of cyber intrusions. Education of the workforce is not sexy but it is very effective. Otherwise, why do you think that you have to sustain the ethics-in-the-workplace training, the harassment-in-the-workplace training, and some other mandatory training that some industries are required to have in place?
If you are hopefully going to provide cyber behavioral training, and by the way, this is what I have been doing since 2005 when I founded Meta Intelligence, you need to look for programs that do not leave solutions to the user’s imagination, because imagination is limited by knowledge. If you, the user, do not know what a man-in-the-middle attack is, you will be using free Internet all over town and in airports. Probably, you even attended a cyber security class where the instructor told you “be cautious when you open your email.” What does this type of warning mean to the average user of technology? Duck and cover when clicking on the email? Wear goggles or protective gloves? The average person reads emails on the phone and clicks and clacks on every link they see floating in the email. Telling this person to be cautious without explaining the step-by-step of email handling is useless.
If you are conscious about overhead spending but want to do an experiment of this nature, investing in education instead of buying the latest “Dr. Techno software that will not let intruders in,” you can take advantage of some of the sites that offer free training, such as Cybrary: https://www.cybrary.it/ As of today, it has over 600k members and more than 2k topics.
You can learn more about this concept of return on investment by developing strong cyber behavioral habits at: https://www.youtube.com/watch?v=aRXazQuPzFs
So, the question to you is: how do we break this swirl of pushing the education ball from one end of the ping-pong table to the other? Last year, cybercrime cost the US economy about 24 billion dollars. Wouldn't you rather see that money used for something more useful than enriching the coffers of cyber crooks?
That is all for now. Thank you for reading!
About the Blog
This blog is updated on a bi-weekly basis and it will address a variety of topics concerning cybertechnology, privacy and ethics in the cyberspace domain.