Explore

I Need Information Security

...written for my friends and family.

Disclaimer | Notice

This was written for friends and family, and not for Information Security (InfoSec) professionals.

Information security (InfoSec), Cybersecurity, Security...are used interchangeably...albeit not technically correct. Imagine this as a conversation between friends over a coffee/drinks. This is not professional/legal advice. Authors/editors have been in the InfoSec industry for a long time.

If you have suggestions, email:

ineedinfosec@gmail.com⁠

⁠

Table of Contents

⁠

Basics⁠

⁠

Information Security (InfoSec) vs Privacy vs Convenience⁠

⁠

What do I want to protect?⁠

⁠

Account / Password Protection⁠

⁠

Anti-Virus Software⁠

⁠

Phishing⁠

⁠

Computer Backups⁠

⁠

Home Network Security⁠

⁠

Network Security⁠

⁠

Content Filtering⁠

⁠

Privacy (In Progress)⁠

⁠

Basics

Information Security (InfoSec) vs Privacy vs Convenience

InfoSec and Privacy are often interchangeably used. This is incorrect, although they are close cousins.

⁠

Information Security ⁠

is about protecting your assets from unauthorized access or alterations.

Cybersecurity is

often used interchangeably⁠

. For the layman, using it interchangeably is okay.

⁠

Privacy⁠

is the state or condition of being free from being observed or disturbed by other people [...or machines that can be used by people].

Sometimes, you have to sacrifice a bit of your privacy so that you can be protected. There is a constant tradeoff between InfoSec and Privacy. Examples:

Give 911 your name and location so you can receive assistance.

FBI/CIA/NSA monitoring/collecting the world’s data to find terrorists..both foreign and domestic.

Companies monitoring their laptop/desktop/software/email so no bad guys can steal valuable information.

Privacy vs Convenience

Cost of ‘free’ services

Understand the COST (your privacy) when you use FREE services such as Facebook/Instagram, Google, Tiktok, etc.

If someone is providing a service to you for free, YOU ARE THE PRODUCT and the service is delivered at the cost of your data (loss of privacy).

This is fine as long as you

understand the exchange⁠

. Most people don’t understand this. If you are not happy with this arrangement, find/pay for another service. Note: It’s not ok if companies abuse this arrangement...another topic that won’t be covered here.

The “Cloud”

There is a joke that goes: There is no cloud - it’s just someone else’s computer.

⁠

This is mostly true...especially for the average person. Understand that most ‘cloud’ services, including services that you pay for, probably have access to your data. Here is an example explanation from

Dropbox⁠

. For most people, I wouldn’t worry about it.

What do I want to protect?

Examples:

Online bank accounts

Pictures (baby/kid pictures)

Social accounts (Facebook, Instagram, etc)

Action Item(s):

Make a prioritized list of assets you want to protect from the most valuable at the top.

Document related information to each asset.

Create a todo checklist.

Mark each account complete as you implement security controls.

Understand: What is your primary goal for each asset? Refer back to ‘Basics’ section above to understand the differences and tradeoffs.

Security?

Privacy?

Convenience?

Account / Password Protection

Have I already been compromised?

Check if your email(s) have been compromised. If so, change your password immediately.

haveibeenpwned.com⁠

You can also check if your password has been compromised. It’s okay to enter in your current password.

haveibeenpwned.com/Passwords⁠

You probably use the same password for banking, netflix, reddit, email anyway. (See password best practice to NOT do this).

Use a Password Manager and create a different password for each account.

Seriously? Yeah, if you wanna be serious about this.

Use a password manager that will auto-generate unique passwords for each account.

Services:

⁠

https://1password.com/⁠

(most user-friendly - best UI)

⁠

https://www.lastpass.com/⁠

(really good too)

⁠

https://keepass.info/⁠

(bit more geeky)

Enable Multi-Factor Authentication (MFA)

This is the ‘code/PIN’ that you have use and enter to access the account.

Most of the major websites and apps support MFA. Enable it.

This article covered the

major ones⁠

(e.g., Gmail, Apple, Facebook, Instagram, Twitter, et)

For a longer list, check out:

https://twofactorauth.org/⁠

There are different types of MFA:

SMS (text message) [better than nothing,

but you probably should do better⁠

]

Authenticator apps [this is probably the sweetspot]

Google Authenticator (

iOS⁠

/ Android)

LastPass Authenticator (

iOS⁠

/ Android)

Authy

https://authy.com/download/⁠

Hardware authentication key [Overkill for my mama]

⁠

https://www.yubico.com/store/⁠

Supported by 1password, Lastpass, Keepass

Here is a screenshot for configuration for one of my accounts:

⁠

⁠

Review Third-Party Accounts (Who has access to your data?)

These are other apps/companies that has access to your data through the main services that you use (e.g., Google, Microsoft, Facebook, Amazon, Fitbit, etc)

Review this list and remove any accounts that should not have access to your data.

Here is an example of apps that can access my Office365 account. Review this list for all your cloud accounts.

⁠

⁠

Anti-Virus Software

You may have heard that Anti-Virus (AV) is not enough. This is true..it’s not enough, but you should still have it installed as basic protection. Here are some options:

⁠

Best Free AV protection⁠

(per PCMag)

⁠

Best Paid AV protection⁠

(per PCMag)

Yes, even if you use a Mac, you should have AV installed.

Phishing

#1 Advice: Don’t click, download, open links/file that you don’t know.

Phishing is usually an email or text message sent to fool you to click on it which will:

trick you to enter in your username/password into a fake site that looks real (e.g, bank, email, netflix, etc)

get you to click on a URL link that will download malware:

pdf, word, excel

executable file

install software

Anti-virus software is usually pretty bad at detecting phishing attacks.

Here are some

phishing tips⁠

If you fall for phishing and become compromised, using a

Password Manager⁠

with unique passwords for each account will contain the damage to only that account.

Computer Backups

Backup your important folders/files on your computer. Just syncing files/folders to online cloud storage services like Dropbox/GDrive/Onedrive is not a backup.

If file(s) becomes corrupted and syncs to the online cloud service, the corrupted file will override the file in the cloud. There is a limited window of time where you can recover a previous version of the file, but you should know and be comfortable with how far it goes back.

There are the backup solutions:

⁠

NAS (Network Attached Storage)⁠

- physically sitting in your home.

⁠

Cloud backups⁠

- backups to the cloud.

You can do both above and depends on your risk tolerance. Here are some ways my mind goes:

If disaster strikes my house, I can grab the NAS.

If disaster strikes my house and I can’t grab the NAS, backups will be in the cloud.

If the cloud (someone else’s computer) backup service goes down, I have my NAS for backup.

Note: If your computer becomes corrupt with ransomware (encrypts all files), you can recover using these backup solutions.

Home Network Security

This title covers broad topics, but I’m focusing on your internet routers, wireless access points (Wi-Fi AP), and content filtering.

Network Security

Read and do ‘increase wireless security’ section of this website:

https://us-cert.cisa.gov/ncas/tips/ST15-002⁠

Network firewalls are more than what people usually do at home, but I do this, and these solutions makes it easier. Warning: this is more technical than the average person’s skillset. Read ‘install a network firewall’ section:

https://us-cert.cisa.gov/ncas/tips/ST15-002⁠

Here are few options for firewalls that are pro-consumer friendly-ish.

⁠

https://firewalla.com⁠

⁠

Firewalla Gold (this is the one I use)

⁠

https://unifi-network.ui.com/dreammachine⁠

⁠

Unifi Dream Machine (included Wi-Fi AP)

Unifi Dream Machine Pro (more LAN bandwidth)

Content Filtering

A.K.A., porn filter for “kids”

There are various ways to handle this. However, the best option for me is using DNS service. Here is a list of various services.

⁠

https://geekflare.com/dns-content-filtering-software/⁠

⁠

I use

Cloudflare Gateway⁠

Privacy (In Progress)

Resource:

⁠

https://privacytools.io/⁠

⁠

Podcast:

⁠

https://inteltechniques.com/podcast.html⁠

⁠

Browser

Brave

Search engine

Duckduckgo

VPN

This is not for security. It’s for privacy - breach of sensitive/confidential information.

⁠

https://protonmail.com/⁠

⁠

https://www.thehelm.com/⁠

⁠

Internet / Personal Reputation Management

⁠

https://statuslabs.com/⁠

⁠

Gallery

Want to print your doc?
This is not the way.

Try clicking the ⋯ next to your doc name or using a keyboard shortcut (

CtrlP

) instead.