Teaching Guide: My Devices

Objective(s):

In this session, you will help participants learn how to secure and protect devices they use to stay online. You will also review how to deal with the loss of such devices.

Teaching points:

• What you lose when you lose your mobile device or laptop;
• Why it is important to lock down and protect your device, and how you can do so;
• Reminders on full-disk encryption from My Data;
• How you can recover from a loss or theft of your device.

Practical skills taught:

• Keeping your device software up-to-date;
• Keeping your devices locked and encrypted;
• Keeping your devices safe with firewall and antivirus;
• Separating user privileges;
• Mitigating digital risks related to mobile devices.

Session length:

90 min

Skill level:

Basic for most of the content

Required knowledge:

Basic computer and email/social media literacy

Resources needed:

Projector, slides, paper, laptop connected to the internet, handouts

Deck:

My Devices

Handouts:

Quiz: My Devices, Activity Sheet: What’s on your phone?, Handout: Tips to keep your computer safe and secure

Advanced preparation required:

A. Setting the scene (10 minutes)

1. Start the session by describing what it is about, situating the session among the other points of the CyberSTAR, and outlining what the participants will learn by the end of the session.

2. Set the scene by discussing why it is important to keep devices secure. Ask participants the following questions to start the discussion:

   • How essential are your devices to your personal and work lives?

   • What kind of confidential or sensitive information do you have on your devices?

   • Who has access to your devices?

   • What will you lose if you lose your devices?

   • How can your devices be used if they are stolen?

B. Keep devices up-to-date (15 min)

1. Explain to participants the importance of keeping all their software up-to-date.

   Software updates offer many benefits. Updates often add new features to your applications and make them more powerful and easier to use. But first and foremost, software updates include patches that cover the latest security vulnerabilities.

   Software is built by code, and applications often contain tens of thousands of lines of code. Hackers look at every line of code and often find security holes or weaknesses (known as “vulnerabilities”) in applications and operating systems. When they find a vulnerability, hackers create malware that exploits it to gain control over your device or steal your data. As soon as such vulnerabilities are discovered, software developers create patches and release them in software updates. These patches cover the security holes that hackers actively exploit. Therefore, it is important to install software updates as soon as they become available.

   Every time you postpone an update, you leave a virtual hole to your device and all its contents open to hackers and give them more time to use that hole. The moment that a patch comes out, it also tends to also be the time that hackers have code that they can utilize to exploit the hole. They know that people will start to patch the hole soon, so the sooner that you patch the hole, the better the chances are that you’ll beat the hackers to the finish line.

2. Tell participants that because operating systems are the most important pieces of software on their devices, it is particularly important to use the latest version of the operating system they can afford and update it as soon as updates become available.

3. Encourage participants to set up auto update for software on their computers and mobile devices. For applications that do not update automatically, encourage participants to make it a habit to check for and apply available updates on a frequent and regular basis.

4. Now talk about risks associated with the use of pirated software.

   Unlicensed or pirated software is created on the basis of older versions of genuine applications. Since these versions were used, hundreds or perhaps thousands of bugs and vulnerabilities in those apps have been discovered and fixed by developers. But if you use pirated software, you cannot apply many of these patches and updates. More than that, most pirated software already comes with malicious code built in. Therefore, by using unlicensed apps, you leave a virtual door into your device and all its contents open permanently to cybercriminals.

5. Explain why software should only be downloaded and installed from sources you trust.

   Cybercriminals often distribute phony software that looks like genuine apps. When you install such software, you leave another virtual door into your device and all its contents open to cybercriminals.

   Therefore, encourage participants to follow these rules:

   • Download software and updates directly from trusted sources. For example, when updating Adobe Acrobat Reader, download the updates directly from Adobe, rather than third-party websites.

   • Download mobile apps only from the trusted stores. For example, use the Google Play store for Android and the Apple App Store for iPhones.

   • Before downloading any new and less known software, read reviews to make sure this software is safe to install and use.

6. Encourage participants to make it a habit to regularly review applications they have on their computers and mobile devices and uninstall apps they no longer use.

7. Reinforce what you have discussed so far by summarizing these tips:

   • Install software updates as soon as they become available;

   • When selecting a mobile phone to purchase, keep in mind the availability of updates and the privacy features for that phone. Consult the “CyberSTAR – Selecting a Mobile Phone” guide for an in-depth discussion on this point;

   • Set up auto update or check for updates on a frequent and regular basis;

   • Don’t use pirated software;

   • Download software and updates only from sources you trust;

   • Review apps on your devices regularly and remove the ones you no longer use.

C. Activity: Are you up-to-date? (5 min)

1. Explain the activity to participants. The objective is to help participants learn to check for updates and install them.

2. Tell participants to check if there are updates that need to be installed. If so, ask them to install the updates, providing technical help if necessary.

D. Keep your fences up (Firewall and Antivirus) (5 min)

1. Start this part by telling participants that antivirus and firewall are two critical pieces of software that help keep their devices protected from digital threats. Therefore, participants should always have antivirus and firewall up-to-date and running on all devices.

2. Provide a basic overview of what firewall and antivirus do, and how they differ from one another.

   An antivirus is an application that prevents, detects and removes malware on your device.

   A firewall is a system that monitors and controls incoming and outgoing network traffic between your device and the rest of the Internet.

   The major difference between them is that a firewall acts basically as a barrier for the incoming threats to your device. In contrast, antivirus protects your device against internal threats such as malware.

3. Tell participants that just like with all the other types of software, they should only use licensed antivirus software and install updates as soon as they become available.

E. Activity: check your firewall and antivirus status (10 min)

1. Explain the activity to participants. The objective is to help participants be aware of the status of firewall and antivirus on their devices, and to learn to check the status.

2. Ask participants to check if the firewall and antivirus are running on their devices. Provide technical help if necessary.

F. Lock the gates (5 min)

1. Explain why it is important to lock devices every time you step away from them.

   You have a lot to lose if your device falls into the wrong hands, even temporarily – exposing your private correspondence, confidential or sensitive files, banking information and more.

   Locking your device every time you step away, even briefly, is the most basic layer of device protection. It helps prevent others from viewing or using your device when you are not around.

2. Now tell participants how to lock their devices.

   • Set up a strong user password to start up or wake up your device

     Depending on your device, you can set up Touch ID, pattern or PIN instead of a password. Newer devices also offer fingerprint and face-recognition options. Keep in mind that both of these options have the problem of making it easy for someone to force you to unlock your device.

   • Disable auto login. Without entering the password, you should not be able to start up or wake up your device

   • Set your device to automatically lock when you are not using it (after two to three minutes of inactivity)

   • Manually log off or lock your device before stepping away.

     • Windows PC: Windows Key + L

     • Mac: Control Key + Command Key + Q (or enable “hot corners”)

     • Smartphone: Power button

G. Accounts and privileges (5 min)

1. Explain why participants should care about separating user accounts and limiting user privileges on shared devices.

   Anytime a work device is shared by two or more users, it is important to create separate accounts for each user. This limits the amount of damage hackers or other malicious actors can cause if they find a way to access one of the user’s accounts by stealing their login credentials or accessing the device when it is unlocked.

   In organizations with a dedicated IT person, it is also important to separate user and admin accounts, and restrict user permissions to only what is required to do their work. For example, users should not necessarily be able to install applications or disable the firewall on work devices. If there is not a dedicated IT person, it still makes sense to have a separate administrative user on the device, so that installing new software requires the entry of a password (even if the user knows that password).

H. Physical security of devices (5 min)

1. Remind participants that physical security of their devices is as important as digital security. Encourage participants to follow these basic tips:

   • Do not leave devices unattended when you take them out of the office.

   • Leave your devices at home or in the office when visiting places where you can be asked to give them up, such as government offices, embassies, border control posts and so on.

   • Unless you must, do not take devices with sensitive or confidential files on them out of the office, particularly when traveling abroad.

   • Follow the directions in My Data, and ensure that you’ve enabled full-disk encryption for all of your devices (laptops and mobile).

   • If you travel often, consider getting a separate phone for your trips.

I. Mobile device risks (5 min)

1. Start by telling participants that smartphones are the fastest growing target of attacks by cybercriminals.

   Your smartphone is with you almost all the time, wherever you go. It is exposed to more networks and other devices than any other piece of equipment you own. Smartphones contain a great deal of personal and professional information about you. Many apps on your phone provide direct access to your email, social media, banking or other accounts that contain sensitive information. 2FA accounts are also often stored on your smartphone. Fraudsters can use these details to steal your identity and trick your colleagues or friends into providing their sensitive information as well.

2. Tell participants that in addition to following all the device security precautions discussed earlier, they should know how to mitigate risks that are unique to mobile devices.

J. Activity: What’s on your phone? (10 min)

1. Explain the activity to participants. The objective is to make participants aware of how much private, sensitive or confidential information they have on their phones.

2. Distribute activity sheets and ask participants to complete part one, taking stock of what they have on their phones. Give them five minutes to complete this part.

3. Now discuss risks associated with smartphone loss. Ask participants:

   • What would happen if you lost your phone?

   • If someone found the phone and managed to unlock it, what would they find?

K. Mobile device risks continued (10 min)

1. Explain that the best way to reduce these risks is by enabling remote wiping on your device.

   Remote wipe is a built-in feature that allows you to erase all of the data on your mobile device from a remote location if it ever gets lost or stolen. Remote wiping securely erases data, apps, call records, texts, photos, etc on the device as soon as it connects to a cellular tower or internet. Keep in mind that remote wiping is NOT without it’s failures though. If a functional internet connection isn’t in-place when you issue the wipe, or the phone is turned off, the wipe may never initiate.

2. Now share with participants some of the risks associated with location-based services and enabled Wifi / Cellular services.

   Most smartphones and other mobile devices feature location-based services, such as GPS. These services tell applications where a device is. In addition to GPS, some location services use Wi-Fi access point mapping. There are several reasons why you should turn off location-based services if you are not using them:

   • Malicious actors can use location-based services to track where you are.

   • Location-based services drain your device’s battery.

   • Location-based services may be providing your location to other apps on the device.

   Keep in mind that even a simple cellular connection does allow the mobile phone provider / government entities to track your location as well (albeit with less accuracy).

   [An example video is here]

3. Explain that it is important to consider several things before installing new apps on a mobile device or when reviewing apps that are already installed:

   • Do you really need it? If not, don’t add it. The fewer the apps, the more secure your device.

   • Is the app from a trusted source? Download apps only from sources you trust.

   • Check permissions carefully. Do not use apps that request access to things you are not comfortable sharing. Past examples of permission exploitation here.

   • Read reviews. What are others saying about the app?

4. Encourage participants to disable Bluetooth, Wi-Fi and/or NFC when not needed.

   Even when you are not using your Bluetooth, Wi-Fi or NFC connection, your phone is still sharing information and trying to make connections with other devices via those interfaces. It means that a hacker or any other malicious actor can use these connections to steal your confidential or sensitive information or implant malware on your device. It is very easy to disable these wireless services.

5. Tell participants about the risks associated with using rooted or jailbroken devices.

   When you root or jailbreak a device, you essentially undermine its built-in security measures and open all sorts of security holes. Rooted and jailbroken devices are much more susceptible to viruses and malware.

6. Reinforce what you’ve discussed in this section by summarizing these tips:

   • Enable remote wiping on your device.

   • Turn off location-based services when you don’t use them.

   • Be careful about what apps you download and what services you allow them to access.

   • Disable Bluetooth, Wi-Fi and NFC when you don’t use them.

   • Be aware that mobile operators are constantly recording your location, saving SMS messages, and may shut down phone services whenever they like.

   • Avoid using rooted or jailbroken devices if possible.

L. Wrap-up (5 minutes)

1. Provide a brief summary of practical skills that the participants should have learnt during the session.

2. Ask participants if they have any questions, answering the questions when possible or pointing them to online resources when the questions are not relevant to the rest of the group.

3. Distribute handouts and step-by-step practical guides.