PITSA: Personal IT Security Advices
Often I think about security (in any sense) when I cruise around the world. Because many dangers lurking around: we have to be careful.
For this very reason, I have decided to write this comprehensive guide for a broader audience, since there is no individual and independent security. There is only collective security, and the safety of the group depends on the security of the individual members of that group.
Now, what I am trying to achieve with this article, is to collect some objectively good practices to enharden your private personal security IT-wise. It is important not just for your mental health, but losing access to your IT world, being hacked and robbed… or getting extorted by any chance…
You have to defend yourself, no doubt. Not just for your sake, but as I mentioned above: your little IT bubble contains data about other people as well. Your friends’ and families’ phone numbers, pictures, calendar events, and addresses. Having these, being hacked could threaten their physical health as well!
What can I do?
Fortunately, plenty of things. If you reading this post, you are on the right track. The first step of awareness. Good job! Now you have a responsibility to spread the knowledge… and I hate to say this, but share this article.
The following list contains some very foundational practices to use. Some of them are mandatory, and some of them are nice to have. I do not maintain order between the points, but trying to show you the low-hanging fruits and the next level of security as well.
Password Manager
One of the important stuff. I would say mandatory, but there are other ways. However, using a password manager is undoubtedly useful.
The point is, to have a unique password for every instance where you would use a password. In this case, when (definitely not “if”) one of these instances got compromised and your password will leak, you just will have one password to forget about. Change it, you are in the clear water.
You could use some strategy in your head, from a base password how you would iterate passwords for separate instances, but I generally do not recommend this. Hard to keep, hard to maintain. You have to come up with new ideas as time is telling, rules change, and sites got hacked.
There is an interesting thing about these passwords, and that is the entropy. You should always use random passwords with at least the length of 16 characters… but better to settle with 20-32. Use all characters (letters, numbers, symbols). Do not worry about the difficulty to remember. You do not need to.
The length is what matters.
Suggestion: Check your leaked passwords on haveibeenpwned. Change them!
Suggestion #2: You probably could use any software for generating and storing passwords, the three biggest ones are perhaps BitWarden, 1Password and LastPass. I do not recommend the last one, I have heard too many successful hacks on that company. Personally, I use BitWarden now (open-source), but to be honest I have accessibility problems with them right now.
Suggestion #3: If you are a technical person with the required skillset, you could self-host BitWarden or Psono for yourself.
Multi-Factor Authentication
Inevitable. I cannot emphasize the significance of this feature. If you have the opportunity to enable this, DO IT!
Having an MFA means that somebody with your password cannot log in without a second factor. It is usually a one-time password generated upon some shared keys between you and the instance you trying to log in.
Suggestion: If you can do so, do not use SMS as MFA. It is a generally non-secure channel and potentially could be hacked. Not to mention, what if you lose the number?
Suggestion #2: It seems very convenient to store this method in your password manager as well, but think about it. Would not it degrade your setup to one factor?
Using different software, like Google Authenticator, or Aegis (open-source) is the way. I use both of them (work and personal stuff separated).
Updates
Yeah, I know. Everybody knows this. Update your software. But not just speak about it, do it. Frequently. If you got security updates, immediately do it.
Disk Encryption
It is so important, yet, nobody really cares. Just imagine, if your laptop (or PC) would be stolen. If your disk is not encrypted, your data is public. They could save everything from the disk: the data from your browser, from your other applications, your pictures, your docs. Turn this feature on. Please, I am begging you.
Suggestion: It is something your operating system does. If it lacks this feature, upgrade it. Seriously. Trust me, it is definitely worth that few euros.
DNS
You cannot be sure, how trustworthy the ISP you are using is. Therefore you cannot rely on the DNS service they provide. Fortunately, there are alternatives, and it is kind of easy to set up. The two biggest are Google DNS and Cloudflare DNS.
Suggestion: I am using Cloudflare, because it cares about privacy… and is faster.
Suggestion #2: If you are a technical person, you could install a pihole instance in your home network. It gives you granular control over the DNS resolution, therefore it could make you safer. For example, you could disable .zip TLD!
Hardware/Physical Security
Hardware security is generally about enforcing software security with a hardware component. Sometimes it is the next level, but sometimes it is so a low-hanging item, you definitely should pick it.
Hardware keys
Because we are speaking about hardware elements, it requires money. Hardware keys help you extend your MFA with a virtually non-accessible component. Meaning, your attacker should have physical access to your key.
It feels like an enterprise solution, but it is not. If you were choosing a proper password manager, you could use these keys as the second factor of authentication. And it is not the only space where you could use them. (I will mention it later on.)
Suggestion: I believe the industry standard is to use Yubikeys. Easy to use, quite cheap. (Look for the discounts and bundles!) Be sure, that you have backup keys or you could lose access to your stuff. And of course, if you lose your key: delete it from everywhere you did save it.
Kensington
This lock type is a nice-to-have. I have never seen it in personal use. However, it could be very useful during a theft.
It physically locks your device into the furniture (in better case to the building itself) and could be opened only by your physical keys.
More awareness
Knowing tricks and techniques is a good thing. But you need to understand what are the reasons behind these methods. If you understand why you take a measurement, it makes you understand the problem you could have encountered… and it makes you able to apply similar logic to new and unfamiliar cases.
I have a few simple examples:
Public Internet Access
When you go to a café, gym, school… you would probably connect to the local Wi-Fi to save your cellular budget. Makes sense, but you should know if you were able to connect… other people could connect as well. These other people could be malicious with the intention to monitor the traffic on the whole network.
Meaning, if you would visit plain simple HTTP websites, all your communication could be read by anyone on the network. Your passwords and other secrets are included.
Suggestion: Using a physical cable connection is probably better in most cases. However, it is not a golden bullet so never visit any sites below HTTPS.
That is a fairly secure channel, and usually could not be encrypted by other people on the network.
Suggestion #2: In general you should disable plain simple HTTP connections. Probably your browser and your Internet Security system (formerly known as an antivirus, nowadays they do a lot more than that) will do it for you, but be aware: use only HTTPS connections. (unless you are a technical person and you know exactly what you are doing)
Suggestion #3: Bluetooth has similar weaknesses to Wi-Fi. Obviously, if you are listening to podcasts and Spotify, it probably does not matter to use it. But imagine if you conduct a confidential meeting, you got eavesdropped on… and important non-public information leaked out because of the accumulation of used wireless technologies.
Suggestion #4: Use VPN. It creates your own little private network inside any network you are in to connect to the internet. Though it will make your connection slower, it is a well-founded method to protect yourself.
Suggestion #5: When you do not use Wi-Fi or Bluetooth, just disable it.
Identity Protection
This will be a little bit far-fetched, but there are accounts of yours that are more important than other accounts.
If you could recollect, there are multiple spaces where you can log in with your Google/Facebook/Microsoft/etc accounts.
Extremely valuable accounts, I have to say. And as such, you should protect them accordingly.
Imagine if somebody could take over these accounts. How messed up you are then?
Suggestion: Use multi-level protection on these accounts. All of the suggestions above are a good start, though, you should go further.
For example, if you are using Google as your identity, you could enrol for the Google Advanced Protection Program and put stronger measurements into effect.
It will ask you to use hardware protection on your whole Google identity. It is a good measurement, and it applies to your Android phone as well.
With a proper NFC-capable hardware key the whole thing is easy-to-use, but you could even go for a USB-C connection as well.
Virtual Cards
Never use physical bank card details on the internet! They could be leaked, and you will be robbed. True, there are certain trustworthy providers. But still, do not do it.
Suggestion: Nowadays most banks provide virtual cards. Use these online. You could have more, so you could separate cards by usage, like shopping, subscriptions, etc. When you would like to shop on a less trusted entity, use one-off disposable cards. In this case, if the details are leaked somehow, the card is not reusable. You could check modern FinTech companies as well. Having multiple accounts in separate financial institutes is considered a wise practice. (I am relying on Revolut)
Malvertisement
I am a against-advertisement person. I hate them with passion.
I believe, everybody should avoid adverts, because they are not a good thing mentally. But from a security perspective, they often put you at risk.
Suggestion: Use Ad Blockers. Configure your pihole to block entire advertisement domains. Pay for ad-free subscriptions.
It really helps your life.
Fatigue
If you are not fatigued by adverts anymore, you will be because of your security. Having this security-first mindset is tiresome. Often cumbersome.
You will encounter a lot of popups, confirmations, and additional tasks to act upon. And sometimes, you will just click without reading. Be aware, fatigue attack is a real thing. Remember, why did you elevate your security level in the first place… and remain persistent.
Retrospect
Think about what level of security your life needs, but objectively speaking:
There is not enough security in the world to protect you completely.
If you are not a target, okay, you could settle with less defence… but consider this: If your acquaintances or family members are targets because they are working for the government, finance companies, or just holding cryptocurrencies. That makes you a target as well.
Protect yourself and your environment!