
Black Hat and Defcon cybersecurity experts share tips on how to protect yourself

Here’s what people at the annual "hacker summer camp" think you need to do.

Alfred Ng Senior Reporter / CNET News
Alfred Ng was a senior reporter for CNET News. He was raised in Brooklyn and previously worked on the New York Daily News's social media and breaking news teams.

The stage at the Black Hat cybersecurity conference in Las Vegas.

Black Hat

During the week of Black Hat and Defcon, tens of thousands of security experts and hackers flock to Las Vegas for the back-to-back conferences. They hold discussions on issues like smart cities getting hacked, two-factor authentication, and security issues with voice assistants.

It can all get a little technical. But with so much cybersecurity knowledge in one place, I decided to ask individual experts for a single useful cybersecurity tip for the average person.

One of these tips may end up making all the difference when a hacker comes after you. Learning a little about how to protect yourself is increasingly critical at a time when hacker attacks on companies like Equifax and Yahoo can expose your personal information. But cybersecurity advice tends to be technical or inconvenient, which is why a lot of people tend to ignore it.

Think about how many 32-character passwords you really have, or how often you reuse your passwords. It's a Cybersecurity 101 practice, but might not be simple for everyone. As a parallel, think about how often dentists say you should floss twice every day, and how you lie every time by saying that you do.

"Security people are rarely the best people to advise about mass usability," Parisa Tabriz, Google's director of engineering, said in her keynote speech at the Black Hat cybersecurity conference Aug. 8.

So here's our roundup of advice on cybersecurity from the experts at Black Hat and Defcon. See for yourselves which tips you think are actually usable.

Parisa Tabriz, director of engineering at Google

Use Chrome.

I'm obviously biased, but Chrome stays up-to-date, and there are a lot of things we build in to keep people from ever encountering a phishing site or a site that's going to download malware. We definitely invest in making it the most secure browser from an exploitation standpoint.

Think about the software you're using in the same way that you'd look at a safety report for a car you're going to buy.

Marcela A. Denniston, vice president of field engineering at ShieldX Networks

Use dual-factor authentication and biometrics as often as possible to make gaining access to personal accounts, systems and data more difficult for hackers.

Mårten Mickos, CEO of HackerOne

Cybersecurity works only when everybody is concerned about it. Learn about it, ask your friends what they're doing, and have a daily discipline of thinking, "What could go wrong?"

Craig Williams, director of outreach at Cisco Talos Intelligence Group

Set things to automatically patch. It would probably take care of 85 percent of your problems. That goes for your computers, your IoT devices -- anything that has a button.

Stina Ehrensvärd, CEO and founder at Yubico

Two-factor authentication is my obvious answer, but just some basic simple learning around what not to do and what to do is important. Learn to watch for phishing, don't download stupid things, just some hygiene.

If you start there, and then have two-factor authentication, you're gonna be really good.

Jonathan Couch, senior vice president of strategy at ThreatQuotient

Don't trust anything. Or trust, but verify. Most attacks these days come from email, or you're getting phone calls all the time. Before you take any action to give any money, give any personal information, you should trust but verify.

Don't take people at their word at who they are over email or over the phone. Get some information, go out, do your own research and make sure you actually verify who this person is before you ever give away any personal information -- or especially money.

Haiyan Song, senior vice president of security markets at Splunk

Be super vigilant. I send my team to Defcon, and I tell them to just go there, even if they don't understand some of the talks. I want them to listen to these stories because I want them to feel paranoid.

Mikko Hyppönen, chief research officer at F-Secure

Back up your phone, back up your computer, back up your tablet, then make a backup of your backup so you can restore them even if your house burns down.

Patrick Sullivan, director of security at Akamai

If you have to use a password, and you're not using something like a multifactor solution, take a look at a password manager. That makes it pretty easy to log in to sites and have a variety of passwords.

Chris Wysopal, chief technology officer at CA Veracode

Be skeptical about any information that's pushed to you, whether it's a messaging system or an email system. Just always be skeptical and always find another way of figuring out how to validate that that stuff is real.

Daniel Crowley, research director at IBM X-Force Red

The weakest link is definitely passwords. Expecting someone to remember 200 passwords that are 30 characters, mixed with numbers and symbols, is impossible. While we're still using passwords, use a password manager.

Hyrum Anderson, technical director of data science at Endgame

This is what I tell my mom: Hover before you click so you see the actual URL at the bottom. Be suspicious of email, install an antivirus, install a DNS filter so you don't have porn accidentally served to you. You present the greatest point of vulnerability to your safety.

Frank Mir, former UFC heavyweight champion*

Keep your passwords diverse and don't use the same one for everything. Once I did that, I don't think I ever had any problems. Just making sure I didn't pick any simple passwords, and not using the same ones multiple times over. At times it can be a pain in the ass, trying to remember 30 different ones or keeping them in a safe place, but in the long run, it's given me a lot fewer headaches.

For my children, for every device, whether it's a Microsoft account all the way to their PlayStation account, use different passwords.

* Yes, we know Frank Mir is not a cybersecurity expert. But he did give some pretty good advice.
