Personal Cyber Hygiene Best Practices
Note: These are all best practices, but implementing every prophylactic described below is likely overkill. You must choose how high a defensive posture to take based on your perceived threat.
It is important to note the difference between security, obscurity, and resilience:
- Security makes your data less susceptible to compromise. A complex, randomly generated password is more secure because it is harder to crack or guess.
- Obscurity makes it difficult to associate an account with your true identity, or your other accounts. Using randomly generated usernames accomplishes this.
- Resilience makes a successful attack less impactful, and easier to recover from. Using a different password for every account means a breach of one will not impact anything else.
Usernames
Use a different username on each social media platform, i.e. your Twitter and Instagram handles should not be the same. Ideally, generate usernames that are totally random; LastPass has a great generator for this.
Password Management
Password re-use and the use of unsophisticated passwords are the number one vector for cybersecurity risk. If you only do one thing to protect yourself, it should be adopting a password manager. There are many to choose from; the best are KeePass, 1Password, and Dashlane. Here are the features you should look for:
- Syncing between your phone and a browser extension they offer
- Alerts for when a site you belong to has been breached
- Analysis of what passwords you have that are re-used across multiple sites
You will need to spend some painful time changing all of your current passwords to complex, automatically generated ones. This time investment will pay off many times over in reduced vulnerability.
Use this site to generate a password in a pinch.
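The two things a password manager does for you in this section, generating credentials from a cryptographic random source and flagging passwords reused across sites, are small enough to show in code. The block below is an added example written for this page, not code from any of the managers named above or from the original article; the vault records and account names in it are constructed and hypothetical.

```python
import math
import secrets
import string
from collections import defaultdict

# Alphabet for generated passwords. Ambiguous characters are kept because a
# password manager, not a human, is expected to type the result.
ALPHABET = string.ascii_letters + string.digits + string.punctuation


def generate_password(length: int = 24) -> str:
    """Draw a password from the OS CSPRNG via `secrets` (never random.random).
    Re-draw until lowercase, uppercase, digit and symbol are all present so the
    result also satisfies typical site complexity rules."""
    if length < 4:
        raise ValueError("length must be at least 4 to hold all character classes")
    while True:
        pw = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if (any(c.islower() for c in pw) and any(c.isupper() for c in pw)
                and any(c.isdigit() for c in pw)
                and any(c in string.punctuation for c in pw)):
            return pw


def generate_username(length: int = 12) -> str:
    """Random lowercase handle: nothing in it links to your name or other accounts."""
    pool = string.ascii_lowercase + string.digits
    return "".join(secrets.choice(pool) for _ in range(length))


def generated_entropy_bits(length: int) -> float:
    """Entropy of a password drawn uniformly from ALPHABET. Only meaningful for
    passwords produced by generate_password, not for human-chosen ones."""
    return length * math.log2(len(ALPHABET))


def find_reused_passwords(vault):
    """Given (site, username, password) records, return {password: [sites]} for
    every password that appears on more than one site. This is the reuse
    analysis feature to look for in a password manager."""
    by_password = defaultdict(list)
    for site, _user, password in vault:
        by_password[password].append(site)
    return {pw: sites for pw, sites in by_password.items() if len(sites) > 1}


# Constructed sample vault export (hypothetical sites and credentials).
SAMPLE_VAULT = [
    ("example-bank.test", "alice", "Summer2019!"),
    ("example-shop.test", "alice", "Summer2019!"),
    ("example-social.test", "x7k2p9q4w1rz", "uN4$kq!Zr8@wLp2#Vb9&Tm"),
]

if __name__ == "__main__":
    print("new password:", generate_password(), f"({generated_entropy_bits(24):.0f} bits)")
    print("new username:", generate_username())
    for pw, sites in find_reused_passwords(SAMPLE_VAULT).items():
        print(f"reused on {len(sites)} sites: {', '.join(sites)}")
```

Running the block prints a fresh 24-character password (roughly 157 bits of entropy against the 94-character alphabet), a random handle, and the one reused password in the sample vault together with the two sites that share it.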
Authentication
You should be using two-factor authentication wherever possible. Reference https://twofactorauth.org/ to see which sites offer it. SMS 2FA can be intercepted – it is best to use an authenticator app. I like Google Authenticator and Duo.
For additional security, you can also use a hardware token (U2F), meaning that to log into an account you need a password, a one-time code, and a physical hardware token either plugged into your computer or connected wirelessly (via Bluetooth). Google Titan and YubiKey are popular.
The prevailing philosophy of account access security is as follows:
- Something you know (password)
- Something you have (2FA)
- Something you are (biometrics, some U2F tokens read fingerprints)
Browser Hygiene
I like the Brave browser, which is Chromium-based (built atop Google Chrome). It is built specifically to protect your privacy by limiting cross-site cookies and other types of ad tracking. I utilize the following browser extensions as additional layers of security:
Search Engine
The current industry standard for privacy is DuckDuckGo. They do not track the IP addresses associated with search requests. They have made many improvements in the last year or so and are serving results almost as good as Google's.
Virtual Private Network (VPN)
Utilizing a Virtual Private Network (VPN) is a means to mask your online activity from your ISP. ProtonVPN is a great example for a few reasons:
- They’re based in Geneva, so they’re not sharing information with any governments
- If you want to go really nuts you can pay in cash, so there will really be no record of who you are
- They provide a ‘KillSwitch’, so if the VPN drops your traffic is automatically stopped, preventing DNS leaks
- You can choose where in the world you want to VPN from (think about watching Netflix shows only available in other countries)
- They provide an app for your phone
- They provide you with a ProtonMail account, the most secure email provider around
Financial Obfuscation
Privacy.com offers a great solution for protecting your payment accounts. You link it to one bank account and they provide you a virtually unlimited number of burner credit cards to use. Each is only good for one merchant, and for a predetermined value per month.
Scenario: if you use one Privacy.com card for Netflix, it will only work on charges from Netflix for the predetermined amount ($11.99/month currently). If Netflix’s financial data gets breached, the hackers will get information that is useless, since the card can’t be used elsewhere. Privacy.com makes it very easy to manage multiple cards. This is also nice if someone like Comcast wants to keep charging you for some remote control you can’t find, or ups your prices out of the blue: you can just turn the card off.
This is an American company, so they are subject to law enforcement discovery requests.
As mentioned above, ProtonMail is the way to go.
Encryption
You should be using at-rest encryption on all your machines at the BIOS level. I recommend BitLocker, which is full-disk encryption and now comes with Windows.
When you travel or it is not in use, your computer should be turned off – not in sleep mode, not locked, not hibernating – turned off. That is the difference between having data stored in RAM or not.
Antivirus
The free version of Malwarebytes is a great personal solution. Run it regularly and keep it updated.
Storage
You can keep your devices in Faraday bags when not in use; I use them religiously when I travel. They block most electromagnetic signals. There are a lot of gimmicky ones out there (like the site I linked to), but don’t be fooled: I only trust the ones that have zip-lock style seals. I’ve tested many with bug sweeping equipment and these are the best performing ones. I endorse this great, cheap variety pack from Amazon.
Apricorn makes fantastic external storage devices that are hardware protected – meaning you must physically type in a code to allow the data to be read.
Home Network
It is ideal to have a few separate Wi-Fi networks:
- One for your PC and Phone
- One for your smart TV
- One for anything that was made in China
- One for guests
Networks should:
- have a name (SSID) that is a randomly generated string of letters
- be hidden (not broadcasting the SSID)
- have secure, complex, long passwords
- use WPA2 encryption
The ultimate in security is only allowing specific devices to connect to your network, by MAC address (every device has one). This means that to get onto your network, someone must a) know the SSID, b) know the password, c) know the MAC address of a device that is already authorized, and d) have the technical expertise to spoof a MAC address.
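The four settings in the list above, plus the MAC allow-list, can be checked mechanically against an access point's configuration. The block below is an added example written for this page, not code from the original article or from any router vendor. It reads a hostapd-style `key=value` file, which is an assumption: consumer routers expose the same options through a web UI under different names, so treat the key names (`ssid`, `wpa`, `wpa_passphrase`, `ignore_broadcast_ssid`, `macaddr_acl`) as the hostapd spelling of each check. The 20-character passphrase minimum and 12-letter SSID length are thresholds chosen for this example, and both sample configs are constructed.

```python
import secrets
import string

# Thresholds chosen for this example (not numbers from the article).
MIN_PASSPHRASE_LEN = 20   # WPA2-PSK accepts 8 to 63 ASCII characters
MAX_PASSPHRASE_LEN = 63
SSID_LEN = 12


def random_ssid(length: int = SSID_LEN) -> str:
    """Random string of letters for the network name, drawn from the OS CSPRNG."""
    return "".join(secrets.choice(string.ascii_letters) for _ in range(length))


def parse_config(text: str) -> dict:
    """Parse hostapd-style key=value lines; blank lines and '#' comments are skipped."""
    cfg = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        cfg[key.strip()] = value.strip()
    return cfg


def audit_wifi(text: str) -> list:
    """Return one finding per setting that misses the checklist; empty means all pass."""
    cfg = parse_config(text)
    findings = []
    if cfg.get("wpa") != "2":
        findings.append("wpa: WPA2 (wpa=2) is not enabled")
    pw = cfg.get("wpa_passphrase", "")
    if not MIN_PASSPHRASE_LEN <= len(pw) <= MAX_PASSPHRASE_LEN:
        findings.append(f"wpa_passphrase: {len(pw)} chars, want {MIN_PASSPHRASE_LEN}-{MAX_PASSPHRASE_LEN}")
    if len(cfg.get("ssid", "")) < 8:
        findings.append("ssid: too short to be a random string")
    if cfg.get("ignore_broadcast_ssid") != "1":
        findings.append("ignore_broadcast_ssid: SSID is being broadcast")
    if cfg.get("macaddr_acl") != "1":
        findings.append("macaddr_acl: not restricted to an allow-list of MAC addresses")
    return findings


# Constructed weak configuration: WPA (not WPA2), short passphrase, broadcast SSID, no ACL.
WEAK_CONFIG = """
ssid=NETGEAR42
wpa=1
wpa_passphrase=password1
ignore_broadcast_ssid=0
macaddr_acl=0
"""

# Constructed hardened configuration following the checklist above.
HARDENED_CONFIG = """
ssid=qHtZkPwRmLdB
wpa=2
wpa_passphrase=Wk7#pLq2$Vn9!Zr4@Tb8&Xm1
ignore_broadcast_ssid=1
macaddr_acl=1
accept_mac_file=/etc/hostapd.accept
"""

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"{name}: {audit_wifi(cfg) or ['ok']}")
    print("suggested SSID:", random_ssid())
```

One caveat the article's own point d) implies: the MAC allow-list is the weakest of these layers, because MAC addresses travel unencrypted in every frame and changing one is a single command on most operating systems. Keep it, but rely on WPA2 and the long passphrase for the actual security.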