Perform your own personal security risk hygiene check to see where you stand. What assets or information do you have that is important and valuable to you? How is this information protected today? What risks could affect your valuable information – imagine a few worst case scenarios and how well do you hold up?
- Have you identified your sensitive information?
- Imagined a few risk scenarios?
- Using a password manager?
- Have backups?
- Not clicking on everything?
- Being skeptical?
If you answered yes to everything above then you passed your personal security risk hygiene check. If not, continue to read and learn what you should think about.
Identify, prioritize and mitigate your personal security risks
If large companies invest large amounts of time and money in personnel who work only on risk identification and mitigation, maybe you should invest some time in this as well. You, just like the company doing all these things, have information that needs to be protected.
The company may have confidential company secrets that they do not want public or lost. You might have family photos that you do not want lost or public.
The company will have identified what their company secrets are and where they are stored and a number of potential scenarios that would risk the secrets’ existence or confidentiality. Based on these scenarios they have implemented risk mitigating strategies. For example
- Who has access -> limit who has access -> review access
- Where is the data stored -> physical security
- Natural disaster or fire -> have a backup location
You can and should also do your own personal risk analysis. What data and information do you have that is sensitive and needs protecting? For example
- Your passwords – will give access to your online identities and information
- Family photos and other stored information
Password manager
You need to have a password manager for your passwords. There is no way you can keep sufficiently long and complex passwords for all your logins, none of them overlapping with each other, in your head.
You should know a handful of your passwords. The rest – you should not know. They should be unique, long and complex passwords stored in your password manager.
Different password managers for different needs
For most people these will work excellently
- BitWarden (open source)
- LastPass
- 1Password
These password managers will save your passwords in online vaults that you can access via a mobile app or web browser extension.
If you twitched while reading “your passwords in an online vault” then
- KeePass (open source)
might be the password manager for you. With KeePass your passwords are stored in a local vault. This is a great security bonus – no one can get your passwords from an online service since they are stored offline. This is also the downside – you need to reach your vault to access your passwords, and if you lose access to it, well, that would be unfortunate.
The passwords that might be necessary for you to know are to the following
- Password manager
- Primary email
There might be a reason for you to not have your primary email’s password in your password manager. On the abysmally small chance that the passwords in your password manager leak or you lose access to them, this is your safety net. It will keep your communications going and hopefully let you reset your other passwords.
The fact that your primary email is that important also tells you that protecting it is critical for you. The password needs to be long and complex. And you need to enable two factor authentication.
Two factor authentication
Two factor authentication should be enabled on everything that supports it. This is a fantastic defense-in-depth strategy that will save you if or when one of your passwords gets leaked.
When two factor authentication is enabled it is no longer enough to know your password to log in to the service. You will also have to provide something else. Usually this is a time-based token given to you via an app on your phone.
A number of solutions exist here both for individuals and companies. Two top alternatives are Google Authenticator and Authy.
Google Authenticator is the simplest one, and with simplicity you also arguably get more security. This app has no login feature, and if you lose the phone with the app there is no way for you to recover those two factor tokens.
Authy on the other hand will save your tokens in your account so that you do not lose them. This is a very convenient feature that will come in handy if you ever lose your phone – it will prevent you from being locked out of other applications.
If you do not like having an online account containing your two factor tokens then you could take this into your own hands. You could for example use Google Authenticator, since it does not sync the tokens anywhere, and during the setup of each two factor token save the setup QR code in a safe place. (Local KeePass vault maybe?)
The QR code will enable you to recreate the token later.
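To show why a saved setup QR code is enough to recreate a token, here is an added example (not code from the original post) that parses the otpauth:// URI a setup QR code decodes to and derives the time-based code exactly as the phone app does (RFC 6238, HMAC-SHA1). The URI, the account label and the secret are constructed for illustration.

```python
# Added example (not from the original post): how a time-based one-time
# password (RFC 6238) is derived from the secret embedded in a 2FA setup QR
# code, which is why a saved copy of the QR code lets you recreate the token.
# The otpauth:// URI and its secret are constructed for illustration.
import base64
import hashlib
import hmac
import struct
import time
from urllib.parse import parse_qs, unquote, urlparse

# Constructed sample of what a setup QR code decodes to (made-up secret).
SAMPLE_OTPAUTH_URI = (
    "otpauth://totp/ExampleMail:alice%40example.com"
    "?secret=JBSWY3DPEHPK3PXP&issuer=ExampleMail&digits=6&period=30"
)


def parse_otpauth(uri: str) -> dict:
    """Pull out the fields a fresh authenticator app needs to rebuild the token."""
    parsed = urlparse(uri)
    if parsed.scheme != "otpauth" or parsed.netloc != "totp":
        raise ValueError("not a TOTP otpauth URI")
    params = {k: v[0] for k, v in parse_qs(parsed.query).items()}
    return {
        "label": unquote(parsed.path.lstrip("/")),
        "secret": params["secret"],
        "digits": int(params.get("digits", 6)),
        "period": int(params.get("period", 30)),
    }


def totp(secret_b32: str, at_time: int, digits: int = 6, period: int = 30) -> str:
    """RFC 6238: HMAC-SHA1 over the time-step counter, then dynamic truncation."""
    key = base64.b32decode(secret_b32.upper() + "=" * (-len(secret_b32) % 8))
    counter = struct.pack(">Q", at_time // period)
    digest = hmac.new(key, counter, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def current_code(uri: str) -> str:
    """The digits the phone app would show right now for this saved QR code."""
    cfg = parse_otpauth(uri)
    return totp(cfg["secret"], int(time.time()), cfg["digits"], cfg["period"])
```

Anyone holding the secret from the QR code can compute the same codes, which is exactly why the saved QR code belongs in a safe place.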
Backups
Backups, backups, and backups. This topic is hammered into your brain as much as, if not more than, passwords and two factor authentication. But it’s nevertheless critical for you to think about.
First you need to identify what important information you have that would cause a lot of pain or monetary loss to you if it were lost.
The easiest mitigation would be to have a second copy, a backup of the information. If large companies have business recovery plans for every imaginable scenario why not copy this practice?
Your personal risk scenarios would be different but not too different from those of a large company. You probably have data stored on a hard drive that you would not like to lose. One potential scenario where the data gets lost is drive malfunction. To mitigate against this you back up the information to a second drive every week. Great!
Taking this one step further you realize that it is possible that a natural disaster or fire destroys your house and both of your hard drives. The mitigation for this would be to have the second (or third) drive stored at friends/family. Or to store the data in the cloud.
Do not click on things
What about computer security? Virus and malware?
Well, the absolute bulk of malware infections start with an end user clicking on something. This might be a link in an email or on a website.
This first click will probably lead to either an attempt to capture your password or to download malware. Assume that you fall for both of these things.
- You get redirected to a login site that captures your password. And you enter it. Because you have set up two factor authentication the threat actor will not get access to your account.
- The click initiates a download of malware. Be extremely skeptical when you get something downloaded that you did not really want downloaded.
Maybe you wanted to download a PDF on “How to grow a plant” and you got the PDF. Even in this case it is beneficial to be skeptical of the downloaded file. Is it really a PDF?
- Right-click on it and investigate its properties.
- If the downloaded file is not sensitive or confidential you could always try uploading it to virustotal.com to see if any antivirus vendors detect the file as malicious. (Uploading the file allows other users of the site to download it, so use this only on non-sensitive files that you can share, such as files that are already available for public download on the internet. This is in no way a guarantee that all malicious files will be detected, but it works relatively well.)
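As an added example (not code from the original post) of the "is it really a PDF?" check, the script below compares a downloaded file's leading bytes with what its name claims and flags the usual disguises: an executable renamed to .pdf, or a double extension like .pdf.exe. The file names and contents are constructed samples written to a temporary directory.

```python
# Added example (not from the original post): a quick "is it really a PDF?"
# check on a downloaded file. It compares the file's leading bytes (its magic
# number) with what the name claims and flags disguises such as a renamed
# executable or a double extension. All sample files are constructed here.
import os
import tempfile

# Leading bytes of a few common file types.
SIGNATURES = {
    ".pdf": b"%PDF-",
    ".png": b"\x89PNG\r\n\x1a\n",
    ".zip": b"PK\x03\x04",
    ".exe": b"MZ",  # Windows executable (same header for .dll and .scr)
}


def inspect_download(path: str) -> dict:
    """Report what the name claims, what the bytes say, and any warnings."""
    parts = os.path.basename(path).lower().split(".")
    claimed = "." + parts[-1] if len(parts) > 1 else ""
    with open(path, "rb") as fh:
        head = fh.read(16)
    detected = next((ext for ext, sig in SIGNATURES.items() if head.startswith(sig)), None)
    warnings = []
    if detected is None:
        warnings.append("content does not match any known document type")
    elif detected != claimed:
        warnings.append(f"name says {claimed or 'no extension'} but content looks like {detected}")
    if len(parts) > 2 and "." + parts[-2] in SIGNATURES:
        warnings.append("double extension such as .pdf.exe is a common disguise")
    return {"claimed": claimed, "detected": detected, "warnings": warnings}


def demo() -> dict:
    """Write a genuine PDF and two disguised executables, then inspect each."""
    samples = {  # constructed contents, not real files
        "how-to-grow-a-plant.pdf": b"%PDF-1.4\n% constructed sample\n",
        "how-to-grow-a-plant.pdf.exe": b"MZ\x90\x00 constructed stub",
        "plant.pdf": b"MZ\x90\x00 constructed stub renamed to .pdf",
    }
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        for name, data in samples.items():
            path = os.path.join(tmp, name)
            with open(path, "wb") as fh:
                fh.write(data)
            results[name] = inspect_download(path)
    return results
```

A clean result here only means the header matches; a malicious PDF is still a PDF, so the VirusTotal check above remains worthwhile for public files.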
To summarize: be aware of your risks and take action to mitigate them. Perform your own personal security risk hygiene check every now and then and try to come up with new risk scenarios. Perhaps you should think like a hacker when working through your risk scenarios?