Here’s your #InfoSec upgrade plan for 2018

My new year’s resolution is to try to write shorter blog posts, more frequently. Your resolution is to improve your information security practices and keep yourself from getting hacked, malware attacked, spoofed, etc. Consider this an #InfoSec equivalent to the “from the couch to 5k” plan

Here are:  Your How-To Guides | Your Monthly To Do List | Your Daily Rituals

Yes, we’re already a few days into 2018, but you still have time to set your New Year’s Resolutions, if you’re the kind of person who does these sorts of things. And if you’re concerned that your digital bits may not be properly strapped down, then that may be on your agenda this year.

These are your guides

Nothing (or, very little) in this post will tell you how to do anything. You can achieve almost all of the tasks below by using these online resources, or by going to the website of the software mentioned.

Start with EFF’s Surveillance Self Defence. Add the Umbrella App to your mobile. And be sure to bookmark Wired’s Digital Security Guide and Citizen Lab’s Security Planner (the current favourite of yours truly). There are many, many more digital security guides online, but these link to the best bits of some of those and these ones are generally the most up-to-date and are both readable and have good navigation for finding what you need.

This is your monthly schedule

I’ve broken this down into two sections. The first are month-to-month level-up items; things to learn or set up. Feel free to reorganise based on your needs or curiosity, or to go faster than one things a month. The important thing is to start. There are also weekly, Monday-Friday tasks listed below that. Some of these you won’t be able to do until you hit the monthly level-up.

JANUARY is for making your plan and getting ready to put it into action

Let’s face it, January’s almost done. Do your research, and get things ready.

Go through this blog post, put everything in your calendar or to-do lists, read through the guides listed above and identify if you’ll need to or want to budget for any related software or hardware mentioned below.

FEBRUARY is for backing it all up and starting to keep everything backed up

Learn where all your data is (locally and in the cloud) and how to keep it backed up. Backup your data.

See how much of your data (photos, music and video files, documents, contacts, emails, etc.) you can keep securely archived locally and in the secure (encrypted) cloud storage. Being able to back things up keeps you in operation after bad things happen. After January, nothing you have digitally is unrecoverable. In Apple machines, this could involves using Time Machine and/or iCloud, or other services. For Windows, you can set up a local backup and/or use OneCloud or other things (which may require more work).

MARCH is for strong passwords & how to manage them

Learn how to make strong, unique and possibly memorable passwords. Part of this also requires learning how password managers work.

Read up on what it takes to create strong passwords. For your devices, these should be long and memorable: pass phrases with your internal set of logical rules. For online accounts, these can be long (larger than 14 characters) and nonsensical or (better) completely randomised. You’ll also need to use the guides above to find a password manager that works for you (and create a long memorable password for that).

Check out Lastpass, 1password and KeePassXC. Start moving your accounts into the password manager as you improve their passwords.

APRIL is when you lock down all your accounts with two-factor authentication

Learn how to use (2FA) two-factor authentication (use one of the guides above)

Learn about SMS, the Google Authenticator App and Yubikey methods. Choose which one meets your needs in whatever cases you have. First up: Add 2FA protection to your password manager.

MAY is the last month you’re software will be more than one week out of date

If you’re devices are fairly new, this won’t be too painful. If they are on the older side, you’ll need to make some calculated decisions: invest in new gear, or take what you’ve got beyond where it was intended to go.

Computer and mobile companies don’t envision users keeping their devices as long as many users do. Planned obsolescence is a thing, even if it’s not always specifically around designing things to break. Newer software generally requires more power. If you’re on an older mobile, it’s operating system will only upgrade so far. If you’re on a vintage (5+ years old) computer, it will likely start protesting more and more as new operating systems come out. New kit can be spendy, so plan according to your budget. Now, with that intense caveat out of the way: putting your operating system and all its software on latest versions is key to good digital hygiene and making sure security patches are always up to date. Do it. If you can automate this process, do that. Now, make sure each week you’re on latest versions.

BONUS: It’s worth mentioning here: Don’t ‘root’ your devices. Don’t use dodgy, pirated software on your serious machines; don’t download and open up strange software not from the actual sources. I have no moral or ethical qualms against doing these things, but it’s only a matter of time until this habit results in you installing something you’re not going to want on your machine. If you’re eager to try all this stuff, get a different machine you won’t mind wrecking on occasion.

JUNE is for hard drive encryption

Turn on hard drive encryption on all your devices. Again, if you’re using an older device, you may need to check if this is available, but on recent version Apple and Windows computers and Android mobiles or iPhones, this is ready to go. Do it now.

This post isn’t advocating anything terribly fancy or complex. Use the settings that came with your device. Some software, such as Veracrypt, can encrypt files, volumes or even entire hard drives and securely at that, but it’s easy for things to go wrong if you’re not experienced at using these software options, and the data can then be lost if you mess up. Learn to use these tools at some point if and when you’re curious, but for now just learn how your regular system encryption works.

JULY is for trying out Tor for better internet anonymity and privacy

Tor (short for “The onion router”) is a great piece of software to bounce your internet activity around the web in a secure fashion to hide what your doing from your local internet service provider (and anyone watching that), and disguising you’re really you to any web service provider (until you give that information, yourself, that is). This means its great for helping your privacy and anonymity, and is also a good way in many situations to bypass internet censorship.

Try out these Tor tools…

    1. Get the Tor Browser and learn about safer web browsing.
    2. Get OnionShare, convince one of your friends to try the Torbrowser, and share a file with them, securely, anonymously and without leaving a trace online.
    3. Get that same friend to try out Tor Messenger with you, for encrypted and secure, off-the-record communication (Possibly useful for sharing your OnionShare link from item 2).
    4. Get Orbot installed on your Android mobile and go through the settings to see which apps you may want to have run through Tor. And get it’s mobile web browser counterpart, Orfox.

AUGUST is for encrypted communications

  1. Use an encrypted app for communication with your friends and family.
    1. There are a few to choose from. Check the guides above for some descent options. I suggest starting with Signal, but there are some decent options. Wire is another good one. WhatsApp also uses Signal’s encryption technology.
    2. Learn the settings (and if it’s Signal, make it your default SMS app on your mobile.) Here’s a good Signal guide. Here’s one for Wire.
    3. Also, check out Jitsi for fast, securely encrypted voice and video calls.

SEPTEMBER is to lock down your browser

Browsers are great. I’m using one right now to write this. Your web browser is the single greatest tool AND security risk on your computer. It’s used for more and more activities every day, but it’s also letting a lot of code from other sources directly into your machine.

There are a lot of browsers out there to choose from, and you should do your research on which ones to choose based on security, usability and how much of a user and developer community exists around them. For simplicity sake, I’m going to suggest you either use latest version Chrome or latest version Firefox, but the common theme there is ‘latest version’, that there are ways to make these browsers even stronger.

Go through all the settings on the browser. If you’re linking your browser to your online account, then make sure you go through that account’s privacy settings as well.  Use HTTPS Everywhere and Privacy Badger to start with. The guides linked above may have some other good plugins as well, but I suggest not overloading your browser with too many things, particularly if they’re aimed at doing the same task.

OCTOBER is for nailing down how to best avoid malicious software

Learn how to avoid malware, spyware and ransomware and social engineering

  1. Actively distrust file attachments in email.
  2. Actively distrust unexpected contacts from people you don’t know in email, Skype, Facebook, etc.
  3. When someone you know contacts you via text, but something seems off, try to reach them by video or at least voice for a quick chat.
  4. When you download a file, right-click to save it instead of automatically opening it and check out the name file structure and look at the meta information (right click and check properties).
  5. Use a decent anti-virus software package or Virus Total to scan the file.

Other bits: Make sure your firewall is turned on and consider investing in a decent ‘endpoint security’ package (anti-attack software). Keeping your software up to date and backed up is also good defence.

NOVEMBER is for key-based and local encryption

Learn about strong open source encryption and what it can do. With newer and easier-to-use encrypted communications apps and file encryption services, the number of use cases for using these tools is getting smaller. But it’s still informative and potentially useful, and when/if you really want to make sure you’re encrypting something safely or securely, knowing how to locally secure something using strong, open source software can come in handy.

  1. Learn about GPG encryption for email and file encryption. Look at GPGtools for Mac, GPG4Win for Windows, Enigmail + Mozilla Thunderbid for any operating system. Set up your GPG encryption to work with your Yubikey and worry less about its security..
  2. Learn about file encryption. Download and learn about using Veracrypt, an open source file encryption tool. Learn how to use passwords, key-files, create hidden volumes, etc.
  3. Understand the limitations and risks of using these tools: What happens when your private key is exposed, when you forget your password, lose your key, etc. Appreciate good user experience design in other software.

DECEMBER is for reviewing, wiping and cleaning

Before the new year, spend some time with your set up. What’s working and what’s not.

What files aren’t needed any more. What accounts could you close? What new software or methods came along during the course of this year that could replace some of the things you’ve set up? Research and optimise.

Weekly love & care

  • Monday
    Check your devices for any updates and run them.
  • Tuesday
    Increase the security of one of your online accounts: change the password to something more complex and add it to your password manager, turn on 2FA if you can, go through all the settings and optimise them to give yourself better control over who you share things with, when and how. and see if anything’s public that maybe shouldn’t be.
  • Wednesday
    Check out some #InfoSec related news or blogs on your lunch break. Here’s a bunch of them, but you can probably find others.
  • Thursday
    Check out your mobile phone’s settings or go through the settings on one of your mobile’s apps to see what it’s doing and if you want to lock it down or even just remove it.
  • Friday
    Backup your hard drive, and/or make sure the automated backup happened.
  • Saturday
    Install something new and see what it does. Check out a new open source secure communications app or file storage thing. What kinds of security does it offer. How easy is it to tell if the security promise matching the reality? Keep or ditch?
  • Sunday
    Switch it all off and go outside.