Establishing Best InfoSec Practices (Discussion/ Guides)

I want to start a discussion on being as secure as possible while still being able to use technology to benefit ourselves. I'm not exactly an authority on this topic; I have a few years in enterprise IT and a Security+ certification, if that means anything. I want this to be a guide for people to better secure their lives while using technology.

I'm not sure how to outline this, so feedback would be great. I was thinking of something like working through the OSI model with tips and security practices. Or maybe by device? Not sure yet.

Here are some topics I would like to cover:

  • General Internet traffic security (use VPN)

  • Passwords (use pw manager with strong passwords)

  • Mobile security (encrypt phones + vpn)

  • Desktop security (full disk encryption? + vpn)

  • Checking hashes with downloads

  • Physical data security

  • Server security

  • Home firewall and home network security

  • Operating systems security inb4 shit storm

  • Email

  • Use two factor authentication

The comments in parentheses are meant as just my brief thoughts on the topics, not what I think is best. I'm probably forgetting something, so let me know if there is another area I need to cover. What do you guys think of a thread like this? I think establishing good security practices is important, and starting early and making it a habit will be extremely beneficial.

10 Likes

It's a wide range of topics to cover and I think it's a really good idea to cover them. Not everyone knows this stuff.

Idea: Do you know how to make a wiki on Discourse? You should be able to, since you're a regular. That might be a good way to cover those topics, and other members could contribute their knowledge to it. The only concern would be trolls. If you could set permissions on who could edit your wiki, that would be awesome.

1 Like

Would be nice for regulars only to edit the wiki.

1 Like

Good place to start: https://gist.github.com/grugq/353b6fc9b094d5700c70

1 Like

Also, always enable 2 factor authentication where the option is available.

3 Likes

Yeah, a lengthy post about email might be in order as well, use 2 factor and encrypt all the things.

There are a few options here that make your life easier or harder.


With VPNs, ideally you want to pay for the service using a prepaid card, or something similar, so that the payment can't be traced back to you. Saying this, if the VPN provider doesn't keep logs, it shouldn't be possible to trace something back to you in the first place.


With password managers, the two obvious options are LastPass and KeePass. The former being a service, and the latter being software. The choice here really depends on whether you trust a service with your passwords.

LastPass has had breaches/exploits in the past, but nothing too damaging. Most of the time, if you're responsible online, it would be pretty hard to fall for an exploit. KeePass, on the other hand, gives you full control of your passwords, and it's portable, so you can run it on a USB stick on whatever machine you want to access it on. The problem here is if you lose the device that KeePass is stored on, and you have no backup, you've lost all of your passwords.

3 Likes

Maybe an overview of PGP

Just gonna leave this here.

1 Like

Multi-factor authentication can potentially be risky. For example, when a hacker took out a new phone plan in Linus' name, all of Linus' texts/calls were forwarded to the new phone the hacker got, allowing him to bypass passwords for the company's Google and Twitter accounts.

This is an SMS second factor, which should generally be avoided; things like a security token are superior to this. That was social engineering.

3 Likes

I wouldn't say social engineering. More bad practice on the phone provider's side, not asking for ID or anything.

General rule of thumb is to use two of three of these: something you are, something you know, somewhere you are, something you have.

A good place to start for those who want to get a quick setup up and running in no time. I use this for on the go.

https://github.com/jlund/streisand

This is true. The way I'm mitigating this is by tying my 2FA to Google Voice when I need to use mobile authentication. I make my primary Google account as hard as reasonably possible to get into.

I think Authy is another good service to mention for this discussion. For chrome users, FIDO U2F security keys are also worth looking at.

I've been debating in my head about whether or not I trust Google with my email.

What advice can you give me on transitioning from Win10 to Linux (Arch) in terms of security recommendations?

Disallow users any administrative privileges. They are not qualified to make decisions about their systems.

If you have programs that need administrative privileges to run, you need new programs.

This alone will tighten up about 90% of security issues.

http://iase.disa.mil/stigs/Pages/index.aspx

http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx (How to use STIG viewer and Download link)

http://iase.disa.mil/stigs/Pages/a-z.aspx (Download the applicable STIGs for the machine you're locking down, and for any software on the system)

Has everything this thread needs, and quite frankly it's what everyone should be practicing if you take security seriously for your workplace, your clients, or yourself.

Or choose not to if it's a little over your head.

The Security Technical Implementation Guides (STIGs) and the NSA Guides are the configuration standards for DOD IA and IA-enabled devices/systems. Since 1998, DISA has played a critical role enhancing the security posture of DoD's security systems by providing the Security Technical Implementation Guides (STIGs). The STIGs contain technical guidance to "lock down" information systems/software that might otherwise be vulnerable to a malicious computer attack.

Not even close to 90%. See above.

Edit: a word and formatting.

"At least we're better than Microsoft." - Google, 2016.


I've been using my hotmail account for too long, and the address of the gmail associated with my Google account is unprofessional as fuck.

1 Like