Skip to content

December 23, 2010

5

Top 100 Security and Privacy Tips

In celebration of the 100th post on Security Generation, I’ve decided that a list of 100 security and privacy tips would be appropriate. The tips start off basic then get a bit more complex, and cover a range of areas from general computer and information security, to safe web browsing, email security and privacy. Thanks to everyone who’s been visiting (and to those who are following on Twitter), I hope to keep bringing you useful and interesting content into 2011. Feel free to share this with others, and suggest any other tips that you think I may have missed out! Let’s kick off the 100 Security Tips, enjoy:

  1. Keep informed of current events in security by reading (or listening to) relevant security news
  2. Always be aware and alert for threats, and adjust your security to fit your current environment
  3. Be skeptical (not paranoid), and use common sense
  4. Ask for help or information if you’re ever suspicious or unsure about something
  5. Help educate others about good security practices, and point them to useful resources
  6. Regularly patch your system, browsers, and other software and mobile devices when updates are available
  7. If you use antivirus, and you probably should, update the signatures hourly at a minimum
  8. Don’t use an Administrator (root) account for day-to-day use. Set yourself up a standard user account
  9. Use good, strong passwords with a minimum of 8 characters
  10. Do not use “password”, abc123, 12345, qwerty, your username, any dictionary word, or any derivatives of these as your password!
  11. Use a good password generator if it helps
  12. Don’t re-use passwords, especially for important sites or services, and avoid copy & pasting password as these can remain on the clipboard
  13. Change your important passwords regularly (add yourself a calendar reminder every 6 months or so)
  14. Don’t share your passwords with others
  15. Don’t write down your password, and if you must, don’t write down what it’s for or its associated username (destroy it when you no longer need it). Do NOT stick the login password to your computer onto your monitor, underneath your keyboard or anywhere near your computer!
  16. If you need to store your passwords somewhere, use a secure encrypted password storage tool (such as KeePassX) together with a strong decryption password
  17. Set strong (hard to guess) secret questions and answers. If you can’t set your own secret questions and have to use something like “What is your hometown”, then enter your home town, but add a unique piece of information that only you will remember (eg. New York 1984). Weak secret questions are usually the easiest way to break into accounts!
  18. Consider using two-factor authentication such as biometrics, USB dongles, or smart cards to strengthen your authentication process
  19. Disable auto-login on your computer
  20. Don’t plug in unknown or suspicious USB devices into your computer
  21. Ensure any auto-run functionality is disabled
  22. Don’t leave your computer unattended in public places
  23. If you use and travel with a laptop, consider installing software (such as Hidden or Prey) that would help you with recovering it, if it gets lost or stolen. For iPhones, check out Apple’s free Find My iPhone service
  24. Beware of shoulder-surfers when typing in your password, or sensitive information is displayed on screen
  25. Consider buying a privacy filter for your screen if frequently working on sensitive materials in public
  26. Set a screensaver password and lock your screen when leaving your computer
  27. Use a physical computer lock and secure it to the desk or other immovable object when leaving your computer in public or even workplace environment
  28. Pay attention to SSL errors when browsing, and reject invalid certificates if you feel something’s wrong
  29. As a general rule, try to avoid using public or untrusted computers to log in to sensitive services (eg. email, banking), as these often lack patches and may have keyloggers.
  30. If you do use a public computer, use ‘Private Browsing’ functionality in browsers to prevent them from saving history and cache files to the disk
  31. Only browse to and from sites you trust
  32. Only install software from sources you trust (beware that a lot of bootleg software can contain malware)
  33. When browsing to sensitive sites such as online banking, email (or even non-sensitive sites like Facebook), force SSL by using ‘https://’ ahead of the URL. Make sure your bookmarks are set to use this too
  34. Use a browser plugin (such as HTTPS Everywhere) that will enforce persistent SSL on specific sites
  35. Regularly clear cookies to purge any unneeded or unwanted tracking cookies
  36. Sign up for two-factor authentication services if your bank offers them. These include pin pads, SMS codes, etc
  37. Only perform financial transactions (eg. transfer money or purchase goods) from sites with a known good reputation. If unsure do a bit of Google research, many scam sites are already known and talked about online
  38. For online services between individuals (eg. eBay), beware of scammers when selling anything of value. They will often over-bid, send you a fake PayPal (or other) payment notification email, and ask for the item to be shipped quickly. Always verify youself that the payment has been received before releasing any goods
  39. Learn to recognise current phishing, vishing and other scams
  40. Don’t store credit card details in a file on your computer. Malware can easily scan your computer in search for credit card numbers. Many secure password tools (such as KeePassX) allow you to also enter other sensitive pieces of information such as CC numbers
  41. Only click on links from sites or people you trust, but don’t click if you feel the link is suspicious
  42. Beware of URL shorteners, as these can be used to mask malicious URLs. Most services will allow you to preview the full URL (eg. adding a + at the end of a bit.ly URL)
  43. Use browser plugins like NoScript to block potentially unwanted or malicious scripts
  44. Don’t allow your browser to remember your credentials for websites. Browsers do not adequately protect this information!
  45. When configuring email clients, set it to use SSL when connecting to the POP, IMAP or SMTP server
  46. Don’t click on unknown links or attachments in emails
  47. Encrypt sensitive information and/or attachments in emails, and send the decryption key via another method (eg, by phone, SMS, smoke signal). PGP/GPG (GPGMail) is a good solution for encrypting and digitally signing email
  48. Never send credit card details by email, including scanned images of your credit card (yes, people do this for some reason)
  49. Your bank should never be emailing you with requests for bank details, credit card numbers, personal details, etc. They are usually phishing attacks, so don’t reply. If unsure, call up your bank using the phone number on their website (type the URL in yourself, don’t rely on links or phone numbers in emails)
  50. Don’t reply to emails offering you money in return for accepting funds on the behalf of the King of Umbalawi (Nigerian people want your money)
  51. Unless you remember subscribing to receive emails, never reply to spam or click on links to unsubscribe, you’ll simply be signed up to receive more spam and may receive malware
  52. Don’t trust companies or online services to keep your data safe
  53. Consider using disk encryption features (eg. FileVault/BitLocker) or software (eg. PGP/PointSec) to protect files on your computer
  54. Use encrypted disk images, volumes or files when transferring data using USB sticks
  55. Back-up your important files
  56. Make another backup
  57. Re-read steps 55 and 56, just for good measure. Unfortunately most people, myself included, only learn the priceless value of backups after they’ve lost something
  58. Consider encrypting your backups, particularly if you’re going to make backups to an online service. Note, however, that a corrupted encrypted file or volume may leave you without access to your files!
  59. If you encrypt your backups, make sure you remember the decryption key or store a copy securely somewhere. Your encrypted backups are useless if the key is in your KeePass file on your lost/destroyed computer
  60. Store unencrypted sensitive data and backups in a secure location, such as a safe
  61. Test your backup recovery process to make sure you can get access to your files should you need them!
  62. Use secure delete functionality or tools when erasing sensitive files
  63. Remember that deleted sensitive files may still reside in backups, or in multiple backups if you’re using incremental backups. Delete them there too if need-be
  64. Use secure wiping functionality (Disk Utility) or tools (DBAN) to erase drives/devices before giving or selling them on
  65. Disable UPnP on your router to prevent the creation of unwanted inbound firewall rules
  66. Change the default username and password on your router
  67. Set trusted DNS services (such as OpenDNS or Google DNS) in your router and computer network configurations
  68. Avoid connecting to untrusted wireless networks
  69. Avoid connecting to unencrypted wireless networks
  70. If you connect to untrusted or unencrypted wireless networks, enforcing SSL is even more important
  71. If you don’t need a wireless network, then avoid having one. Ethernet is better anyway ;)
  72. If you use wireless, consider having a separate network for guests that is segregated from your primary network. Some wireless routers (eg. Airport Extreme) natively support this, otherwise two routers and some firewall rules will achieve the same effect
  73. Use WPA2 and a strong password/key to secure your wireless networks
  74. Set a custom SSID on your wireless network, this will make rainbow-table attacks significantly harder
  75. Turn off your wifi card, either in the OS or using a physical switch (if you have one), when not in use. This is to prevent fake-ap attacks. Also disable Bluetooth when not in use
  76. Turn off unnecessary network services (eg. file sharing, screen sharing, remote login) if unneeded or when not in use
  77. Use personal firewall features/software on your computer and learn how to configure it properly
  78. Use outbound firewalls such as Little Snitch or Zone Alarm to alert you of outbound connections from your computer
  79. When setting up or using network file transfers, try to use encrypted methods such as SFTP/FTPS and SCP
  80. Use certificates for authentication where possible (SSH, FTPS, VPN, etc)
  81. Use encryption such as OTR to protect your instant messaging conversations and authenticate your contacts
  82. Use Tor to anonymize web browsing, but beware that the destination/content of your browsing may be visible to a third party (use SSL!).
  83. Use SSH Tunnels or IPSec VPNs to secure and/or anonymize browsing, email and other traffic on untrusted networks (and unencrypted wireless networks)
  84. Remote desktop services such as VNC are usually unencrypted. You should definitely tunnel this traffic through SSH or VPN.
  85. Use mechanisms such as Single Packet Authorization to protect high-risk services like SSH or VPN.
  86. Set up a host or network-based intrusion detection system (eg. Snort) to alert you to suspicious activity on the network.
  87. Read up on easy things you can do to secure your system (eg. Securing Leopard), or go as far as following NSA hardening guides.
  88. Be mindful of the type and quantity of information you divulge online (aka. oversharing), as it may be used against you. Even information in ‘private’ services can come out for a number of reasons
  89. Think before posting your location on location-aware services (Foursquare, Facebook, etc), and consider what the effects could be of doing so, particularly if this is something you do on a regular basis.
  90. Many types of documents are embedded with some form of personally-identifying information which may include your name, contact details or location. If you are distributing documents online, text or images, be sure to remove undesirable meta-information.
  91. Familiarize yourself with your company’s privacy policy
  92. Be aware of the relevant privacy laws and security practices of other countries before traveling. In the UK you can be forced to reveal your decryption passwords, and in the U.S. the Department of Homeland Security can confiscate your computer or portable media and make copies of any information.
  93. Consider traveling with an empty ‘skeleton laptop’ and access your information at home remotely over SSH/SFTP/HTTPS/etc.
  94. Know your rights to privacy in your country, both in private and at work
  95. In an office environment, challenge unknown individuals attempting to enter behind you (tailgaters) to produce a valid badge/pass
  96. Report those unwilling or unable to produce a valid badge/pass to security
  97. Be suspicious of calls or emails from unknown individuals asking for information. This could be as benign as someone’s contact details.
  98. If someone claiming to be from tech support says they need your credentials because your account was hacked and they need the credentials to reset it, or they’re upgrading systems and need your credentials to do so, they’re probably lying. Tech support should not need to ask you for your credentials. Call tech support back yourself to verify it is indeed them. If they still need your password see Tip #5.
  99. Be aware that almost any device can be used to record audio and/or video, including smarphones, music players, pens, etc.
  100. No matter what you do, adapt your security to be usable, reliable, and not hinder your use of your systems and devices.

If you’ve made it this far, congratulations are probably in order… Either way thanks for reading! Comments or questions are welcome, and please use the buttons below to share this post!

5 Comments Post a comment
  1. Booga
    Dec 24 2010

    What about services like 1Password? You recommend to avoid it?

  2. Dec 24 2010

    Hi Booga,

    1Password is a great piece of software for Mac users. Possibly the best password safe out there. However I wanted to recommend free and cross-platform tools wherever possible, as some may not be willing to pay for something like password safe software. KeyPassX is a good one.

    Thanks for mentioning it though. I’ll probably write up a list of my top recommended free and commercial software.

  3. Jan 5 2011

    Good job with the tips! All well done. Nice looking blog here too. I originally started my blog with a info security focus, but I’ve expanded somewhat to include other areas, as I found the niche was too limited and hard to build solid traffic. Good luck!

  4. paul maregere
    Jun 6 2013

    job well done sir this is excellent . if we tried all these tips no doubt we will be safe…….

  5. Dennis
    Oct 6 2013

    Be aware of emails that come from your friends. Your friend might have been compromised and could have links that will lead you to unfriendly waters. Been there done this. Also a security breach might happen on their web site and there email is now in the wild. Hopefully your friend is willing to do something about the problem if not you will have to block them. Safety first.

Share your thoughts, post a comment.

(required)
(required)

Note: HTML is allowed. Your email address will never be published.

Subscribe to comments

Free WordPress Theme

css.php
mugen 2d fighting games
WordPress Themes