2019 ECSM: Tips for your cyber hygiene

Hygiene is about maintaining health by doing many different actions, e.g., taking a bath, washing your hands, or cleaning surfaces in rooms. When it comes to “cyber hygiene”—the first of two topics addressed by the 2019 European Cyber Security Month—we think of “actions to keep or improve your level of information security.”

In this article, we share numerous tips to keep or improve your level of information security.

Actions for better cyber hygiene

We share numerous tips. No specific order exists, and you don’t have to implement everything. Feel free to contact us if you have further suggestions.

Your devices

You may own one or more devices to access our website and the whole internet. Devices are smartphones, laptops, routers, and desktop computers. However, more devices in the “everything is smart” world exist, like IP cameras, smartwatches, or fridges connected to the internet. You may run a server somewhere. All devices need care.

Here are some tips:

  • Install security updates for your operating systems, applications, and software packages ASAP: This tip looks straightforward, but some people postpone installing security updates (“I don’t have time for this.”). In rare cases, security vulnerabilities may be severe and easy for attackers to exploit. Severe vulnerabilities can occur everywhere, e.g., in your operating system (including Windows, iOS, macOS, Android, Linux) or in the firmware running on your router or printer. Enable “automatic updates” if possible.
  • Keep an up-to-date inventory of your devices: This may look like an unnecessary task. However, if you ever lose devices, this inventory can be a lifesaver. Start with a list of your devices. Continuously add and update your entries. For example, document names of devices, information about the warranty, monthly costs, and security-related data. Which operating system runs on the device? Which IPv4 and IPv6 addresses are used by the device? What is the MAC address of the device?
  • Disable unused interfaces: Every device comes with interfaces to interact with human users, processes, or other devices. Examples are WiFi, Bluetooth, NFC, USB ports, file sharing, or optical interfaces. If you do not use Bluetooth, turn it off. If you do not use WiFi, turn it off. If you are tech-savvy, turn off USB or network ports. Disabling unused interfaces may decrease the attack surface.
  • Uninstall unused applications and software packages: If you don’t use certain applications on your device, uninstall them. Software that isn’t on your device can’t be exploited. Software may install dependencies on your system during its installation. Regularly check if you need these dependencies (like Java Runtime Environment or Python 2). Uninstall unused dependencies. Uninstalling unused software may also decrease the attack surface.
  • Delete unused accounts and settings on your devices: Many devices allow you to “remember” specific data, e.g., a list of WiFi networks you connect to, or a list of Bluetooth devices connected to your smartphone. Regularly review such lists and remove any outdated entries to (again) decrease the attack surface.
  • Never connect removable media to your devices without knowing its origin: Did you find a USB flash drive, a USB charging cable, or a smartphone? Never connect it to your devices. Attackers can modify or use special removable media to attack your devices.
  • Turn on full-disk encryption: If your device allows you to set up full-disk encryption, turn it on. This encryption protects data at rest (data stored on your device’s storage media). For example, if someone steals your USB flash drive, hard disk, or laptop, your data is encrypted. Keep in mind that full-disk encryption doesn’t protect data in transit (like your network traffic) or data in use (like data currently in your device’s memory).
  • Securely dispose of devices: If you don’t need a device anymore, be aware that it may contain personal and sensitive data. Deleting data or resetting to factory settings isn’t always sufficient. Look for possibilities to securely erase data on the devices or remove their data storage before disposing of or selling the device. If you are unsure whether your family photos, web searches, and banking data have been securely deleted, contact service providers specialized in securely disposing of media.

Your accounts

You likely registered one or more accounts on the internet. Examples are e-mail accounts, online banking accounts, and online shopping accounts. Applications on your devices may also create accounts for you. For instance, an instant messenger on your smartphone may create an account for you within the application.

Here are some tips:

  • Think twice before registering new accounts: Think twice if you need the service before registering for it (like an online store, forum, instant messenger). Read the privacy policy. Who runs the service? Which data must be provided to use the service? How long is your data stored? In which countries is your data processed? Does the party running the service share your data with third parties?
  • Provide the least amount of personal data possible, and document data you enter: Like a basic inventory of your devices, it is good to document personal data you enter on the internet. Many password managers allow you to store notes in addition to the password itself. Use these text boxes for documentation. For instance, you registered an account for online shopping. You entered your name, your physical address, date of birth, e-mail address, and password. Since you likely store the e-mail address and password for this account in a password manager, you only need to add “name, physical address, DOB” to this entry.
  • Download and delete old e-mails and other old data: Deleted e-mails and data can’t be leaked or accessed by unauthorized parties. You don’t keep your physical mail in your physical mailbox forever. If a two-year-old e-mail is still relevant, download it and store it offline.
  • Delete or disable unused accounts: Did you try out a service and then abandon it? Did you forget the e-mail address you used? Does it matter? Yes! If you don’t need accounts anymore, delete them. If you can’t delete them (for example, Wikipedia accounts can’t be deleted), disable them. This makes impersonation much harder. If the credentials for these accounts are leaked in the future, attackers can’t misuse them. Remember that many service providers may still store information about you even after deleting your account (for instance, for legal reasons or in backups).

Your overall security

In the following, we list more general tips affecting both devices and accounts:

  • Use password managers and 2FA: Password managers help you to manage your digital accounts. Use them for managing accounts. Two-factor authentication like OATH-TOTP or U2F helps you to make authentication more secure. See our in-depth article on “Modern credential management — keep it simple.”
  • Check security and privacy settings: Many devices and services allow configuring security and privacy settings. Spend some time to understand these settings and enable or disable them accordingly. Check if your configuration remains the same over time. Updates or attackers may change your settings.
  • Be cautious when using public network infrastructure: Do you know tips like, “always use a VPN if you are on public networks”? Do you actually improve your security by adding some “military-grade encryption”? We recommend using your cellular network even if free WiFi exists in your proximity. If you are a tech-savvy person, set up your own VPN server. Keep in mind that using a VPN provider is always about trusting another party.
  • Back up data, and check its recoverability: Many ways to lose access to your favorite chats, family photos, and other memories exist. Back up your essential data from time to time, and try to restore it. Never assume your data can be restored without checking it.
  • Leave physical authentication media at home, or use RFID shielding: Banking cards, employee badges, and passports may include RFID or NFC chips. Even if they come without this technology, they can be lost or stolen. Leave them at home if you don’t need them. If you have such cards and badges with RFID or NFC, you may want to use wallets with RFID shielding.
  • Be aware of social engineering: Social engineering is much more than only phishing and works perfectly well without technology since human characteristics are exploited. Be skeptical if something unexpected happens (e.g., something requires urgent action).
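
For the tip above on backing up data and checking its recoverability, here is one way to check a test restore. It is an added example, not part of the original article. It compares SHA-256 digests of the original files with the restored copies; the function names, directory names, and sample files are assumptions constructed for illustration.

```python
import hashlib
import tempfile
from pathlib import Path


def build_manifest(root: Path) -> dict[str, str]:
    """Map each file's path (relative to root) to its SHA-256 digest."""
    manifest = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            digest = hashlib.sha256()
            with path.open("rb") as fh:
                # Read in 1 MiB chunks so large photos or videos fit in memory.
                for chunk in iter(lambda: fh.read(1 << 20), b""):
                    digest.update(chunk)
            manifest[path.relative_to(root).as_posix()] = digest.hexdigest()
    return manifest


def verify_restore(original: Path, restored: Path) -> dict[str, list[str]]:
    """Compare a restored tree with the original and report differences."""
    want, got = build_manifest(original), build_manifest(restored)
    return {
        "missing": sorted(want.keys() - got.keys()),
        "unexpected": sorted(got.keys() - want.keys()),
        "corrupted": sorted(p for p in want.keys() & got.keys() if want[p] != got[p]),
    }


def demo() -> dict[str, list[str]]:
    """Constructed sample: a restore with one lost and one damaged file."""
    with tempfile.TemporaryDirectory() as tmp:
        original, restored = Path(tmp, "original"), Path(tmp, "restored")
        (original / "photos").mkdir(parents=True)
        (restored / "photos").mkdir(parents=True)
        (original / "notes.txt").write_text("shopping list")
        (original / "photos" / "a.jpg").write_bytes(b"\xff\xd8 sample image data")
        (original / "photos" / "b.jpg").write_bytes(b"\xff\xd8 another image")
        # Simulated restore: notes.txt intact, a.jpg truncated, b.jpg lost.
        (restored / "notes.txt").write_text("shopping list")
        (restored / "photos" / "a.jpg").write_bytes(b"\xff\xd8 sample")
        return verify_restore(original, restored)


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths or 'none'}")
```

In practice, save the manifest next to the backup when you create it, so a restore can still be verified after the original data is gone.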

Other long-term activities

We recommend three long-term activities:

  1. Burst your filter bubble: Some “communities” specialize in creating a “we vs. them” ideology. The sole mission is keeping readers in filter bubbles so that readers repeat ideas and recommendations of such communities over and over without understanding use cases, threat models, or many other aspects that are important in the context of information security and privacy. It is vital to get information from various people and sources. Read the pros and cons, understand how things work, and ask people about reasons for their recommendations.
  2. Help to debunk myths: From time to time, we come across security and privacy myths. Please help us debunk them to improve everybody’s security and privacy.
  3. Tell your friends and family members about information security and privacy: Since many people still think that information security is only related to technology (as in IT security), they are not interested in this topic. This is perfectly understandable for us. No one can be an expert in every domain. However, a basic understanding of critical concepts of information security and privacy is essential for everybody nowadays. As a reader of our website, you may be part of the minority interested in these subjects. Inform your family members and friends. Tell them about your thoughts about information security and privacy. Discuss your ideas.

Summary

Cyber hygiene means keeping or improving your level of information security in day-to-day life. Read other articles on our website, and get information from other sources. Information security and privacy affect everybody nowadays, and it is a shared responsibility.