ECSM 2019: Tips for your cyber hygiene

Broadly speaking, hygiene is about maintaining health by doing many different actions such as taking a bath, washing hands and clothes, or cleaning surfaces in rooms. When it comes to “cyber hygiene”—the first of two topics addressed by this year’s European Cyber Security Month—we think of “easy actions to keep or improve your level of information security”.

In this article, we present several quick actions to keep or improve your level of information security.

Contents

  1. Quick actions for better cyber hygiene
  2. Other long-term activities
  3. Summary

Quick actions for better cyber hygiene

In the following, we present several quick actions. There is no specific order, and you don’t have to implement everything. If you have further suggestions, feel free to contact us.

Your devices

You likely own one or more devices that you use to access this blog and the rest of the internet. Examples are smartphones, laptops, and desktop computers. However, there are even more devices in our “everything is smart” world, like IP cameras, smartwatches, or a fridge connected to the internet. You probably also have a router and other devices on your home network, and maybe you run a server somewhere. All of these devices need care. Here are some tips:

  • Install updates for operating systems, apps, and software packages: This tip looks very straightforward, but maybe you are one of those people who always postpone security updates. Keep in mind that even your router or IP camera runs software, and there may be important security updates waiting to be installed. If possible, allow devices and software to download and install updates automatically. This is especially important for software that talks to the internet directly, like operating systems, web browsers, and many apps.
  • Keep an up-to-date inventory of your devices: This may look like an impossible or unnecessary task. However, if you ever lose a device, this inventory can be a life saver. Start small, and continuously add and update entries. For example, write down the names of devices, information about warranty, monthly costs, and security-related data such as whether passwords are stored on the device.
  • Disable unused interfaces: Every device comes with interfaces so that it can interact with you or with other devices, for instance WiFi, Bluetooth, NFC, USB ports, file sharing, or optical interfaces. Every enabled interface is something an attacker can talk to. If you do not use Bluetooth, turn it off. If you do not use WiFi, turn it off. If you are tech-savvy, turn off unused USB or network ports as well.
  • Delete unused apps and software packages: If you don’t use certain apps on your device, delete them. Software that isn’t on your device can’t be exploited. Installing software sometimes also installs dependencies on your system. Regularly check whether you still need these dependencies (like the Java Runtime Environment, or Python 2).
  • Delete unused accounts and settings on your devices: Many devices allow you to store certain authentication data, e.g., WiFi names and passwords, or Bluetooth devices connected to them. If you don’t need this data anymore, delete it.
  • Never connect removable media to your devices without knowing their origin: We think of a random USB flash drive in the parking lot here. Lost and found items can be malicious.
  • Turn on full-disk (or similar) encryption: If your device allows you to easily set up full-disk encryption, turn it on. This encryption protects data at rest (data stored on your device’s storage media), for example, if someone steals your USB flash drive, your hard disk, or your laptop. It doesn’t protect data in transit (like your network traffic) or data in use (like data currently in your device’s memory), and it offers nothing against malware running on a device that is already unlocked.
  • Securely dispose of devices: If you don’t want your smart-something anymore, or if your laptop needs to be replaced, be aware that there is personal and sensitive data on it. Just deleting data or resetting to factory settings isn’t always sufficient. Look for ways to securely erase the data on the device, or remove its storage media before disposing of/selling the rest. If you are unsure whether your family photos, web searches, and banking data have been securely deleted, contact service providers that specialize in securely disposing of media.

Your accounts

Besides devices, you likely registered one or more accounts on the internet. Examples are e-mail accounts, online banking accounts, and online shopping accounts. There are also accounts created by apps on your smartphone in the background. For instance, when you set up an instant messenger, the app likely registers an account for you. Again, here are some tips:

  • Think twice before registering new accounts: Before registering for a new service (like an online store, forum, or instant messenger), think twice about whether you really need it. Read its privacy policy. Does it look complete? (See “GDPR: How to identify incomplete privacy policies?”.) Who runs the service? Which data must be provided to use the service? Keep in mind that online assessment tools are never sufficient to rate the security or privacy of a service (see “Pros and cons of online assessment tools for web server security”). These tools only look at a very small set of technical features and can’t rate important aspects like processes, people, or organization.
  • Provide the least amount of personal data possible, and document the data you enter: Like a basic inventory of your devices, it is good practice to document the personal data you enter on the internet. This may again sound like an impossible task, but it doesn’t have to be complicated. For instance, most common password managers allow you to store notes in addition to the password itself. Use these text boxes for documentation. Say you registered an account for online shopping and entered your name, your physical address, your date of birth, your e-mail address, and a password. Since you likely already store the e-mail address and password for this account in a password manager (we hope so at least), you only have to add “name, physical address, DOB” to this entry.
  • Download and delete old e-mails and other old data: Deleted e-mails can’t be leaked or accessed by unauthorized parties. Most people don’t keep their physical mail in their physical mailbox either. For instance, there is rarely a reason to keep two-year-old e-mails on the server. However, some people never delete their e-mails. The same is true for other data. If it is still important, download it and store it offline (and include that offline copy in your backups).
  • Delete or disable unused accounts: Some people try out services by registering an account and then never log in again. This seems to be true for many accounts on the Fediverse, for example. If you don’t need your account anymore, delete it. If it can’t be deleted (for example, Wikipedia accounts can’t be deleted), disable it. This makes impersonation much harder, and if the service’s data gets leaked in future, attackers can’t misuse it. Keep in mind that many service providers may still store information about you even after you delete your account (for instance, for legal reasons or in backups).
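For the tip on downloading and deleting old e-mails, here is one way to do it with a mail server that speaks IMAP. This is an added example, not from the original article and not tied to any particular provider: it asks the server for all messages dated before a cutoff (two years by default), saves each one to a local mbox file, flushes the file, and only then flags the message as deleted; the expunge at the end is what actually removes the flagged messages. Because it must run offline, the example includes a constructed in-memory stand-in for the server (FakeIMAP) with three made-up messages; the hostname and account passed on the command line are yours to supply and are not taken from this article.

```python
import datetime as dt
import imaplib
import mailbox
import os
import tempfile

MONTHS = ["Jan", "Feb", "Mar", "Apr", "May", "Jun",
          "Jul", "Aug", "Sep", "Oct", "Nov", "Dec"]

def imap_date(day: dt.date) -> str:
    """IMAP SEARCH wants dates as DD-Mon-YYYY with English month names (RFC 3501)."""
    return f"{day.day:02d}-{MONTHS[day.month - 1]}-{day.year}"

def archive_old_mail(conn, mbox_path: str, before: dt.date, folder: str = "INBOX") -> int:
    """Save every message in `folder` dated before `before` to a local mbox file, then
    delete it on the server. Each message is flushed to disk before its server copy is
    flagged, so an interrupted run never deletes mail that was not saved locally.
    `conn` is an imaplib.IMAP4 object (or anything with the same method signatures)."""
    status, _ = conn.select(folder)
    if status != "OK":
        raise RuntimeError(f"cannot select {folder}")
    status, data = conn.search(None, "BEFORE", imap_date(before))
    if status != "OK":
        raise RuntimeError("IMAP SEARCH failed")
    archive = mailbox.mbox(mbox_path)
    archived = 0
    try:
        for msg_id in data[0].split():
            status, fetched = conn.fetch(msg_id, "(RFC822)")
            if status != "OK":
                raise RuntimeError(f"cannot fetch message {msg_id!r}")
            archive.add(fetched[0][1])  # raw RFC 822 bytes of the message
            archive.flush()             # local copy is on disk before we touch the server
            conn.store(msg_id, "+FLAGS", "\\Deleted")
            archived += 1
    finally:
        archive.close()
    if archived:
        conn.expunge()  # actually removes the flagged messages
    return archived

class FakeIMAP:
    """Constructed in-memory stand-in for imaplib.IMAP4 so the example runs offline;
    it returns the same (status, data) shapes as the real methods."""

    def __init__(self, messages):
        self.messages = dict(messages)  # {id (bytes): (date received, raw message bytes)}
        self.flagged = set()

    def select(self, folder):
        return "OK", [str(len(self.messages)).encode()]

    def search(self, charset, *criteria):  # only "BEFORE <date>" is supported here
        limit = dt.datetime.strptime(criteria[1], "%d-%b-%Y").date()
        hits = [i for i, (day, _) in self.messages.items() if day < limit]
        return "OK", [b" ".join(hits)]

    def fetch(self, msg_id, parts):
        return "OK", [(msg_id + b" (RFC822 {0}", self.messages[msg_id][1]), b")"]

    def store(self, msg_id, flags, value):
        if flags == "+FLAGS" and value == "\\Deleted":
            self.flagged.add(msg_id)
        return "OK", [msg_id]

    def expunge(self):
        for i in self.flagged:
            self.messages.pop(i, None)
        self.flagged.clear()
        return "OK", [None]

def raw_message(subject: str) -> bytes:
    """Constructed minimal RFC 822 message used only by the offline demo."""
    return f"From: sender@example.com\nTo: me@example.com\nSubject: {subject}\n\nconstructed body\n".encode()

def demo(today: dt.date = dt.date(2019, 10, 1), keep_days: int = 730):
    """Run the archiver against a constructed mailbox. Returns (number archived,
    subjects now in the local mbox, ids still on the server)."""
    server = FakeIMAP({
        b"1": (dt.date(2017, 3, 14), raw_message("Old newsletter")),
        b"2": (dt.date(2017, 9, 30), raw_message("Old receipt")),
        b"3": (dt.date(2019, 9, 28), raw_message("Recent invoice")),
    })
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "archive.mbox")
        count = archive_old_mail(server, path, today - dt.timedelta(days=keep_days))
        subjects = [m["Subject"] for m in mailbox.mbox(path)]
    return count, subjects, sorted(server.messages)

if __name__ == "__main__":
    import getpass
    import sys
    print("offline demo:", demo())
    if len(sys.argv) == 3:  # usage: script.py <imap host> <user>; both are your own values
        conn = imaplib.IMAP4_SSL(sys.argv[1])
        conn.login(sys.argv[2], getpass.getpass())
        cutoff = dt.date.today() - dt.timedelta(days=730)
        print(archive_old_mail(conn, os.path.expanduser("~/mail-archive.mbox"), cutoff), "archived")
        conn.logout()
```

After a run against a real server, the mbox file is the only copy of those messages, so keep it on encrypted storage and include it in your backups. Run it once in a mail client or with a small script to confirm the messages open before trusting it.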

Your overall security

There are many more tips, of course. In the following, we have some more general tips that affect both devices and accounts.

  • Use password managers and 2FA: Password managers help you to manage all of your accounts. They do more than store passwords: they can generate a unique, random password for every account, and those that fill credentials automatically only offer them on the site they were saved for, which catches many phishing pages. Two-factor authentication such as OATH-TOTP codes or a U2F security key makes a stolen password alone insufficient; U2F additionally binds the login to the genuine site’s origin, so it resists phishing where TOTP does not. See also our in-depth article on “Modern credential management: security tokens, password managers, and a simple spreadsheet”.
  • Check security and privacy settings: Many devices and services allow you to configure security and privacy settings. Spend some time to understand these settings, and enable/disable them accordingly. Also re-check your configuration from time to time: updates or attackers may change your settings without telling you.
  • Be cautious if you use public network infrastructure: Here, many tips are like “always use a VPN if you are on public networks”. But which VPN is best? And why is it good? Does it really improve your security by adding some “military-grade encryption”? Keep in mind that a VPN only moves your traffic to a different exit point: it hides the traffic from the operator of the public WiFi, but the VPN provider sees it instead. We recommend primarily using your cellular network even if there is free WiFi around. If you are a tech-savvy person, set up your own VPN. In the end, using a VPN is always about trusting another party.
  • Back up data, and check its recoverability: There are many ways to lose access to your favorite chats, family photos, and other memories. Back up your important data from time to time, and actually test restoring it; an untested backup may turn out to be unusable exactly when you need it.
  • Leave physical authentication media at home, or use RFID shielding: We think of your banking cards, employee badges, and passports here. Even if they come without NFC/RFID technology, they can be lost or stolen. So leave them at home if you don’t need them. If you have such cards and badges with radio interfaces like NFC or RFID, you may want to use wallets with RFID shielding. Some people call this overkill, others physically damage the chips in their cards to get rid of them. They are your cards, so it’s your choice.
  • Be aware of social engineering: Social engineering is much more than phishing, and it works perfectly well without any technology, since it exploits human characteristics like helpfulness, curiosity, or respect for authority. Be skeptical if something strange happens, especially if you are urged to act quickly.
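The two tips “Check security and privacy settings” and “Back up data, and check its recoverability” rely on the same mechanic: record a fingerprint of what you have, and compare against it later. The following example (added here for this article, not code from the original post) does both with the Python standard library. It hashes every file below a directory, stores the result as a baseline, reports what was added, removed or changed since then, and verifies a tar.gz backup by restoring it into a scratch directory and comparing the restored files with the manifest recorded at backup time. The settings directory, file names and file contents inside demo() are constructed for illustration; replace them with the directories you actually care about.

```python
import hashlib
import json
import os
import tarfile
import tempfile


def sha256_file(path: str) -> str:
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def snapshot(root: str) -> dict:
    """Map every file below root (path relative to root, '/'-separated) to its SHA-256."""
    result = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            result[os.path.relpath(full, root).replace(os.sep, "/")] = sha256_file(full)
    return result


def diff_snapshots(baseline: dict, current: dict):
    """Return (added, removed, changed) relative paths, each sorted."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    changed = sorted(p for p in baseline.keys() & current.keys() if baseline[p] != current[p])
    return added, removed, changed


def save_snapshot(snap: dict, path: str) -> None:
    """Persist a baseline; keep this file somewhere an attacker on the box cannot edit it."""
    with open(path, "w") as handle:
        json.dump(snap, handle, indent=2, sort_keys=True)


def load_snapshot(path: str) -> dict:
    with open(path) as handle:
        return json.load(handle)


def make_backup(src: str, archive_path: str) -> dict:
    """Write a gzipped tar of src and return the manifest (snapshot) taken at backup time."""
    manifest = snapshot(src)
    with tarfile.open(archive_path, "w:gz") as tar:
        for rel in sorted(manifest):
            tar.add(os.path.join(src, rel), arcname=rel)
    return manifest


def verify_backup(archive_path: str, manifest: dict):
    """Restore the archive into a scratch directory and compare it with the manifest.
    Returns (added, removed, changed); anything non-empty means the backup cannot be trusted."""
    with tempfile.TemporaryDirectory() as scratch:
        with tarfile.open(archive_path, "r:gz") as tar:
            try:
                tar.extractall(scratch, filter="data")  # Python 3.12+: refuses paths escaping scratch
            except TypeError:
                tar.extractall(scratch)  # older Python without the filter argument
        return diff_snapshots(manifest, snapshot(scratch))


def _write(path: str, text: str) -> None:
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "w") as handle:
        handle.write(text)


def demo():
    """Constructed scenario: back up a small settings directory, verify the backup, then
    detect a setting flipped and a file dropped in afterwards (as an update or attacker might).
    Returns (backup verified ok, drift as (added, removed, changed))."""
    with tempfile.TemporaryDirectory() as home:
        cfg = os.path.join(home, "settings")
        _write(os.path.join(cfg, "sshd_config"), "PasswordAuthentication no\n")
        _write(os.path.join(cfg, "app", "settings.ini"), "telemetry = off\n")
        baseline_file = os.path.join(home, "baseline.json")
        save_snapshot(snapshot(cfg), baseline_file)
        archive = os.path.join(home, "settings.tar.gz")
        manifest = make_backup(cfg, archive)
        backup_ok = verify_backup(archive, manifest) == ([], [], [])
        _write(os.path.join(cfg, "sshd_config"), "PasswordAuthentication yes\n")
        _write(os.path.join(cfg, "app", "extra.conf"), "unexpected\n")
        drift = diff_snapshots(load_snapshot(baseline_file), snapshot(cfg))
    return backup_ok, drift


if __name__ == "__main__":
    print(demo())
```

In day-to-day use, take the baseline once after you have reviewed your settings, store it and the backups on media the device itself cannot silently rewrite, and run the comparison after every update. A changed file is not necessarily malicious, but it is a change you did not make and should look at.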

Other long-term activities

Finally, we recommend three long-term activities:

  1. Burst your filter bubble: Some websites and blogs specialize in dictating to people what they should read and what they should avoid on the internet. Their sole mission is to keep readers in filter bubbles, so that readers repeat the ideas and recommendations of such websites and blogs over and over again without understanding use cases, threat models, or many other aspects that are important in the context of information security and privacy. Because of this, it is important to get information from many different people and sources. Read pros and cons, try to understand how things work, and ask people for the reasons behind their recommendations.
  2. Help debunk myths: From time to time, we come across security and privacy myths (see our articles on myths). Please help us debunk them to improve everybody’s security and privacy.
  3. Tell your friends and family members about information security and privacy: Since many people still think that information security is only about technology (as in IT security), they are not interested in this topic at all. This is perfectly understandable to us. No one can be an expert in every domain. However, a basic understanding of the most important concepts of information security and privacy is essential for everybody nowadays. As a reader of our blog, you are probably part of the minority of people interested in these subjects. Therefore, it is important to inform your family members and friends. Tell them your thoughts about information security and privacy. Discuss your ideas. You don’t have to give a lecture.

Summary

Cyber hygiene means keeping or improving your level of information security in day-to-day life. There are many tips that can be quickly put into practice. Don’t stop here! Read other articles on our blog, and get information from other sources. Information security and privacy affect everybody nowadays, and they are a shared responsibility.