I want to start a discussion on being as secure as possible while still being able to use technology to benefit ourselves. I'm not exactly an authority on this topic; I have a few years in enterprise IT and a Security+ certification, if that means anything. I want this to be a guide for people to better secure their lives while using technology.
I'm not sure how to outline this, so feedback would be great. I was thinking of something like working through the OSI model with tips and security practices. Or maybe by device? Not sure yet.
Here are some topics I would like to cover:
General Internet traffic security (use VPN)
Passwords (use pw manager with strong passwords)
Mobile security (encrypt phones + vpn)
Desktop security (full disk encryption? + VPN)
Checking hashes with downloads
Physical data security
Server security
Home firewall and home network security
Operating systems security inb4 shit storm
Email
Use two factor authentication
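Since "checking hashes with downloads" is on the list, here is a worked example of what that check actually looks like in code. This is an added example, not something from the original post: it hashes a file in chunks (so large installers don't have to fit in memory), parses a `SHA256SUMS`-style file of the kind many projects publish, and compares the digests in constant time. The `installer.bin` file and its sums line are constructed inline so the script runs offline; the expected digest is the well-known SHA-256 of the bytes `abc`.

```python
import hashlib
import hmac
import os
import tempfile

CHUNK = 1 << 20  # read 1 MiB at a time so big downloads don't fill memory


def file_digest(path, algorithm="sha256"):
    """Hex digest of a file, streamed in chunks."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_download(path, expected_hex, algorithm="sha256"):
    """True if the file's digest matches the published one.

    compare_digest does a constant-time comparison, so a mismatch doesn't
    leak through timing how many leading characters happened to agree.
    """
    actual = file_digest(path, algorithm)
    return hmac.compare_digest(actual.lower(), expected_hex.strip().lower())


def parse_sums_file(text):
    """Parse '<hex>  filename' lines as written by sha256sum / shasum -a 256.

    A leading '*' on the filename marks binary mode and is ignored.
    """
    sums = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        digest, _, name = line.partition(" ")
        sums[name.lstrip(" *")] = digest
    return sums


def verify_against_sums(path, sums_text, algorithm="sha256"):
    """Look the file up by basename in a sums file and verify it."""
    sums = parse_sums_file(sums_text)
    name = os.path.basename(path)
    if name not in sums:
        return False  # no published digest for this file: treat as unverified
    return verify_download(path, sums[name], algorithm)


def demo():
    """Constructed sample: a tiny 'download' whose content is b'abc'."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "installer.bin")
        with open(path, "wb") as f:
            f.write(b"abc")
        # SHA-256 of b"abc", in sha256sum output format (constructed here)
        sums = ("ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad"
                "  installer.bin\n")
        good = verify_against_sums(path, sums)
        tampered = verify_against_sums(path, sums.replace("ba78", "0000"))
        return good, tampered


if __name__ == "__main__":
    print(demo())  # (True, False)
```

One caveat worth keeping in mind: a hash only proves the file you got is the file the publisher listed. If the hash is served from the same page as the download and that page is compromised, both can be swapped together, which is why projects that care also publish a detached signature (PGP or similar) over the sums file.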
The comments in parentheses are meant as just my brief thoughts on the topics, not what I think is best. I'm probably forgetting something, so let me know if there is another area I need to cover. What do you guys think of a thread like this? I think establishing good security practices is important, and starting early and making it a habit will be extremely beneficial.
It's a wide range of topics to cover and I think it's a really good idea to cover them. Not everyone knows this stuff.
Idea: Do you know how to make a Wiki on Discourse? You should be able to, since you're a regular. That might be a good way to cover those topics, and other members could contribute their knowledge to it. The only concern would be trolls. If you could set permissions on who could edit your wiki, that would be awesome.
There are a few options here that make your life easier or harder.
With VPNs, ideally you want to pay for the service using a prepaid card, or something similar, so that the payment can't be traced back to you. Saying this, if the VPN provider doesn't keep logs, it shouldn't be possible to trace something back to you in the first place.
With password managers, the two obvious options are LastPass and KeePass; the former is a service and the latter is software. The choice here really depends on whether you trust a service with your passwords.
LastPass has had breaches/exploits in the past, but nothing too damaging. Most of the time, if you're responsible online, it would be pretty hard to fall for an exploit. KeePass, on the other hand, gives you full control of your passwords, and it's portable, so you can run it on a USB stick on whatever machine you want to access it on. The problem here is if you lose the device that KeePass is stored on, and you have no backup, you've lost all of your passwords.
Multi-factor authentication can potentially be risky. For example, when a hacker took out a new phone plan in Linus' name, all of Linus' texts/calls were forwarded to the new phone the hacker got, allowing him to bypass passwords for the company's Google and Twitter accounts.
This is true. The way I'm mitigating this is by tying my 2FA to Google Voice when I need to use mobile authentication. I make my primary Google account as hard as reasonably possible to get into.
I think Authy is another good service to mention for this discussion. For Chrome users, FIDO U2F security keys are also worth looking at.
Has everything this thread needs, and quite frankly everyone should be practicing if you take security seriously for your workplace, client, or for yourself.
Or choose not to if it's a little over your head.
The Security Technical Implementation Guides (STIGs) and the NSA Guides are the configuration standards for DOD IA and IA-enabled devices/systems. Since 1998, DISA has played a critical role enhancing the security posture of DoD's security systems by providing the Security Technical Implementation Guides (STIGs). The STIGs contain technical guidance to "lock down" information systems/software that might otherwise be vulnerable to a malicious computer attack.