Cyber Security Audit

I am getting a new laptop and have decided to do a total cyber security audit of my PC, network, and online accounts. I am looking to maximize security and am looking to make a comprehensive checklist. Feel free to recommend anything you feel will help. Some things I have thought of include:

  • Switch to a password manager/Change all passwords
  • Make sure all updates are in place (antivirus, anti-malware, Windows, etc.)
  • Enable BitLocker full drive encryption
  • Secure the UEFI/BIOS (I know it can be erased by removing the CMOS battery, but it's a step)
  • Encrypt everything
  • Backups
  • Switch to standard user account, secure administrator account
  • Edit UAC (User Account Control) settings
  • Enable 2FA (two-factor authentication) where available.
  • Start using a VPN (any recommendations?)
  • Maybe switch to Tor
  • Lock down unused ports

I am running Windows 10 Pro and I am pretty technically inclined, however feel free to add any recommendations. My point is to maximize security even if the user experience could be slightly affected. I want to lock down my PC and network as best I can.

Have you heard of QubesOS?

3 Likes

Like @nx2l said. You’re gonna need to drop Win 10 if you want to be this locked down.

I’m going to agree with the others. Just kicking windows out is half of the work right there.

1 Like

Switching to Linux is not much of an option. In day-to-day operation I depend on Windows-specific applications that do not work well with virtualization.

Alright well then the other option is to be offline half of the time :confused:

Set up a couple of VLANs and put your W10 box on the same VLAN as your cameras and other untrusted devices.

Your company doesn't secure your devices?

These are the ones to be concerned with. You have no control over these.
An external firewall will provide you more control over the OS than you are allowed by Microsoft.

Problem with switching to Linux though is that it's shit. Now that Windows 10 natively supports Bash while Linux still has awful software support, Windows is the only go-to for daily usage. Depends a little on your usage though I guess, I can’t even imagine trying to use Windows for anything server-related.

Very. I'd argue against your claim, but that's for another thread.

It’s used all the time for server stuff. In fact, you basically have no choice: if you use Windows you're locked into it.

Well, you should probably reinstall the OS on your laptop as soon as you get it. Besides bloatware, you don't know what else, or who else, had access to it before you got it or what they put on it. Remember Superfish?

VPN recommendation from me is https://www.privateinternetaccess.com/. Also check out the comparison list:
https://thatoneprivacysite.net/vpn-comparison-chart/

Also don't just focus on the individual device but also your network and what is on the network. If your smart solar panel array gets infected then it’s going to spread.

Most things have been covered.

Other things you can consider:

  1. When using any encryption, e.g. BitLocker, make sure you have a backup of the keys properly secured away from your machine/house. Using Tarsnap could be an option to back up a KeePass file that you can retrieve. If you lose your keys and get locked out of anything, say goodbye to your data.

  2. On Windows never ever sign in with an account that is a local admin for day-to-day work. Once you set the machine up just sign in with a regular account and elevate processes with another admin account. There are a few times this will piss you off, but only a few once you get used to it.

  3. Consider using a second drive to hold all your docs etc. Set up BitLocker on this and then never cache the password; you will need to unlock it every time you log in, but even if someone gets your password to log in with, the disk is encrypted.

  4. A variation of the above. Create a VHDX file and then mount and encrypt that with BitLocker. You now need to mount and unlock the file to get to your docs. Back the VHDX file up with Tarsnap or similar.

  5. Set up 2 x HDD with an ReFS mirror to store your docs. Protect with BitLocker as in point 3. If you use Google Drive or OneDrive you will need to host them on NTFS-formatted VHDX files to use this disk, as they are incompatible with ReFS.

  6. Use secure boot.

  7. For the super paranoid Win 10 Pro user - add a new disk. Offline it in Windows, then assign it to a VM in Hyper-V and install FreeBSD or GNU/Linux on it and encrypt the disk. Use that for any super sensitive work. Add a second NIC and assign it just for the VM’s use. Use the PIA VPN or similar from that VM.

  8. If you use MS/Google accounts sign in and carefully go through all the options disabling anything you don’t like the sound of, both will build up a good profile of you and your habits on their default settings.

  9. Never set up your home network to be on the same subnet as any external networks you VPN to. If some bozo lets a virus get onto that other network and you then VPN in…

You don’t say who you are trying to protect yourself from, aiming to keep yourself secure from criminals is a lot simpler than getting paranoid about Microsoft/Google/Facebook and the government…

Also remember you need to protect your data from:

Malware,
Bitrot & hardware failures.
Your own stupidness when you are called out at 3am and drop the database instead of detaching it, yes, I’ll put my hand up to that one…

In all honesty if a western government wants you (cos you are some sort of l33t hacker after UFO secrets) they will find a way to get you, best advice is don’t go looking for the secrets or learn the symptoms of Asperger's, threaten to kill yourself and hire a good lawyer - sorry for the cynicism - it’s a common theme in the UK at the moment :wink:

3 Likes
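A read-only check of several items from the checklist and the numbered list above (BitLocker state and recovery protector, Secure Boot, Administrators membership, UAC, firewall, listening ports). This is an added example, not part of any post in the thread; it assumes Windows 10 Pro and an elevated PowerShell session.

```powershell
# Added example: read-only audit of items from this thread's checklist.
# Assumes Windows 10 Pro and an elevated PowerShell session; changes nothing.
$report = [ordered]@{}

# BitLocker: each volume should be FullyEncrypted with protection On and carry
# a RecoveryPassword protector (the key to back up away from the machine).
$report.BitLocker = Get-BitLockerVolume | ForEach-Object {
    [pscustomobject]@{
        Mount          = $_.MountPoint
        VolumeStatus   = $_.VolumeStatus
        Protection     = $_.ProtectionStatus
        Protectors     = $_.KeyProtector.KeyProtectorType -join ', '
        HasRecoveryKey = [bool]($_.KeyProtector |
            Where-Object KeyProtectorType -eq 'RecoveryPassword')
    }
}

# Secure Boot: the cmdlet throws on legacy-BIOS systems, so report that case.
$report.SecureBoot = try { Confirm-SecureBootUEFI -ErrorAction Stop } catch { 'unsupported or legacy BIOS' }

# Administrators group (well-known SID S-1-5-32-544): the day-to-day account
# should not appear in this list.
$report.Administrators = (Get-LocalGroupMember -SID 'S-1-5-32-544').Name

# Built-in Administrator account (RID 500): enabled or disabled.
$report.BuiltinAdminEnabled = (Get-LocalUser |
    Where-Object { $_.SID.Value -like 'S-1-5-21-*-500' }).Enabled

# UAC: EnableLUA = 1 means UAC is on; ConsentPromptBehaviorAdmin = 2 is "Always notify".
$uac = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$report.UacEnabled      = $uac.EnableLUA -eq 1
$report.UacAlwaysNotify = $uac.ConsentPromptBehaviorAdmin -eq 2

# Windows Firewall: every profile should be enabled with inbound blocked by default.
$report.Firewall = Get-NetFirewallProfile |
    Select-Object Name, Enabled, DefaultInboundAction

# Listening TCP ports and the owning process, to decide what can be closed.
$report.Listening = Get-NetTCPConnection -State Listen |
    Select-Object LocalAddress, LocalPort,
        @{ n = 'Process'; e = { (Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue).Name } } |
    Sort-Object LocalPort

# Print each section under its own heading.
foreach ($k in $report.Keys) { "== $k =="; $report[$k] | Out-String }
```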

Please stray from comments like this in the future. You could start a flamewar in the wrong thread. We’re trying to minimalize them.

3 Likes

So I used to use BitLocker but then I took it off because I didn’t know if it would do anything if my system / network has been compromised. Should I have it turned on?
Also how could we “clean” a router if we think it’s been infected?

Depends on the router.

For your BitLocker question, turn it on (and keep a backup of your keys). It's useful if your system is compromised when you're not at it, away, travelling with it, etc.

Will WDE protect you against threats on the network? No. Whole disk encryption keeps your data safe when people physically steal your computer. When your machine is booted, and the encryption key has been entered, then your data is as secure as your OS.

Should you run WDE software? Unless you’ve got a particularly pathetic computer, probably. You would be hard pressed to be actively using a computer that is so slow that you would notice the difference when whole disk encryption has been set up.