Cybersecurity posture in 2019: do you know how to strengthen your personal cybersecurity posture?

Cybersecurity posture in 2019

“Zaphod’s just this guy, you know?”

– Halfrunt, Hitchhiker’s Guide to the Galaxy by Douglas Adams. The book, not the movie. Definitely not the movie.

Some people (🙋🏻‍) are really into cybersecurity, end-to-end encryption, and totally geeked out when they first learned how the Enigma worked. These people are likely to have an innate interest in building a less-than-laughable personal cybersecurity posture.

Most people, unfortunately, consider cybersecurity optional. Most people say things like:

“There’s no one targeting lil ol’ me.” “I have nothing to hide, anyway.” “I’m too busy to learn all this stuff. Why can’t someone just give me a simple summary of best practices that I can skim in approximately seven minutes?”

To those people, I say, hello, hypothetical incorporeal reader! Here is a simple summary of best practices that you can skim in approximately seven minutes.

Wait why do I care

You may have a hard time understanding why cybersecurity matters when you’re just an average person. Sure, you don’t want your devices hacked or your personal data stolen, but it’s not like anyone is coming after you, specifically, right?

Hey Alex, I’ll take “right,” for $400. It’s unlikely anyone is attempting to steal your particular stuff, although I must admit that Persian rug of yours would really tie the room together. Instead, it can help to understand cybersecurity if you think of it in terms of low-hanging fruit.

You’ve got some fruit, I’ve got some fruit. Joe from down the block has a 1.21 gigawatt flux-capacitor-powered fruit-snatching robot. Joe doesn’t know either of us exist, but his robot goes (very quickly) from door to door, all the way around the block, looking for fruit. If my front door is locked and yours is standing open, whose fruit is Joe’s robot going to snatch?

If that sounds like boring, old, regular security, you’re correct! Cybersecurity isn’t about finding some magic spell that makes your fruit maximally secure. It’s about making your fruit more secure than the fruit next to you. You do this by employing some thoughtful habits, in much the same way as you learned to lock your front door to guard against fruit-snatching robots.

Security breaches and incidents happen every day. Most of them occur because an automated scanner cast a wide net and found a person or company with lax security that a hacker could then exploit. Don’t be that guy.

Wait what's a security posture anyway

Here is how the National Institute of Standards and Technology defines security posture:

The security status of an enterprise’s networks, information, and systems based on information assurance resources (e.g., people, hardware, software, policies) and capabilities in place to manage the defense of the enterprise and to react as the situation changes. (NIST Special Publication 800–30, B-11)

The important bit above is, “capabilities in place to manage the defense of the enterprise.” In the context of personal security, you are the enterprise. Congratulations. May you boldly go where no man has gone before.

Before you explore strange new worlds (it is the Internet, after all), there are steps you can take to manage your defenses. The word “capabilities” is apt, as having certain things in place will pretty much give you cybersecurity superpowers. Here are the three steps I consider most important and beneficial:

  1. Use multifactor authentication
  2. Use a VPN
  3. Develop healthy skepticism

With these three keys in hand, your cybersecurity posture goes from being robot lunch to War Games — where the winning move for an attacker is not to play.

1. Use multifactor authentication

Passwords are dead. Computationally, they are a solved problem, and cracking passwords is just a matter of time. Unfortunately, many people still help to speed up the process by using the same compromised passwords for multiple accounts, putting themselves at risk for inconceivable benefit. Pass phrases are longer and more complicated, and would take a lot more time to crack. I highly recommend them; even so, your password ultimately doesn’t matter.

The answer, at least for now, is multifactor authentication (MFA). MFA is made up of three kinds of authentication factors:

  1. Something you know, like a pass phrase;
  2. Something you have, like a chip pin card or phone; and
  3. Something that you are, like your face or fingerprint.

Two or more of these factors are infinitely better than a password alone, especially if your password is on this list.

Multiple authentication factors are now widely supported by account providers and social media sites. If you have the choice, avoid using text messages as a way of receiving authentication codes. SMS authentication leaves you vulnerable to the SIM swap attack — please direct further questions to Jack Dorsey. Instead, use an authenticator app like Google Authenticator to generate codes on your device. This ensures that you alone, using that particular device, will have the correct authentication code. No power in the ‘verse can stop you.

The Google Authenticator app works with the specific device you set it up on, so when you get a new device you will need to move Google Authenticator to your new phone. Hardware authentication keys such as the YubiKey may present less hassle when switching devices, but aren’t yet as widely supported as authentication apps.

2. Use a VPN

The difference between using a VPN and not using one is like how The Dark Knight Rises was really good and Batman v Superman was really, really bad. Same franchise, totally different standards.

Let’s say you send a lot of mail, but never bother to put your letters in envelopes or even fold them in half. Anyone who bothers to look will know that you’re not really the Dread Pirate Roberts after all. When you use a Virtual Private Network, especially if you often connect to public WiFi, it’s like putting your letters into cryptographically-sealed envelopes and sending them via a special invisible courier service. No one but the intended recipient can read your letters, and no one but you and the courier know to whom the letters are sent.

VPNs prevent others from reading your communications, like opportunistic attackers who scan open WiFi, and even your own Internet Service Provider (ISP) who may sell your usage data for advertising dollars.

Choosing a trustworthy VPN provider requires some research, and is in itself material enough for a separate article. As a starting point, look for providers with firm policies against logging, and expect to pay between $5-$10 USD monthly for the service. Avoid free VPN apps and services with ambiguous privacy policies; they’ll typically cost you much more than you’ll know.

3. Develop healthy skepticism

Ultimately, the weakest link in your cybersecurity defense is you. All the MFA and VPNs on the Internet won’t protect you if a scam or malware bot can trick you into opening the front gates. Yes, I know it’s a very nice looking wooden horse. Also free. Did you order it? No? Then it can stay outside.

Develop the habit of second-guessing things delivered to your virtual doorstep. Email, phone, and messaging scams range in sophistication, from rickety robot-assembled shotgun blasts to elaborate social engineering attacks that use cognitive biases very effectively. Don’t assume you’re too clever for them; humans are very predictable creatures. After all, nobody expects the Spanish Inquisition.

Instead, ask questions. Double check communications that ask you to click on links or visit a website, even if they come from someone you know or a company you use. If you’re not certain, based on a previous in-person interaction, that your friend or bank or mother sent this email, pick up the phone and call them. Even if you think you are certain, pick up the phone and check. You don’t call your mother enough, anyway.

Oh, and if the person on the phone is from your local tax office or the IRS or the CRA and they’re about to freeze your accounts because a case of mistaken identity has resulted in you being criminally charged for not repaying a loan on a 600-foot yacht in Malibu, just hang up. You know better than that. Tax agencies don’t have phones.

Your personal cybersecurity starter pack

You now have three keys to open three gates to a robust personal cybersecurity posture. If those keys have also unlocked your curiosity, there’s plenty more rabbit hole to go down. I highly recommend the Security in Five podcast for Binary Blogger’s great advice, which inspired much of this post. Surveillance Self Defense offers the Electronic Frontier Foundation’s tips on securing online communication. Troy Hunt also has a YouTube series entitled Internet Security Basics that goes into more depth on how to protect yourself online.

For now, I hope you use your newfound cybersecurity powers for good. Mind what you have learned. Save you it can.

Translated from: https://www.freecodecamp.org/news/personal-cybersecurity-posture/