DEV Community

Farrukh Yakubov

Personal Cybersecurity - a Practical Advice

When it comes to security, a system is only as strong as its weakest link. In the case of personal cybersecurity, being imperfect humans, we are that weak link.

You'll find many guides on how you should use strong passwords, set up two-factor authentication, or use password managers and antivirus software. This post is not about those. Although you should do the aforementioned things, security starts with having a correct mindset and digital lifestyle. A security-unaware person using the best gadgets and software money can buy does not come even close to a person with a good security mindset using everyday tools.

Here are some practical measures and digital lifestyles you can adopt to improve your personal cybersecurity.

1. Emails and communication channels

Have purpose-built emails and accounts for communication. A malicious email/message may lead to social engineering, or trick you into clicking a link or downloading a malicious file.

Have one email for social interactions, a different one to manage your finances, and another one for work or a side hustle. Share each with the relevant people. Your "friend" sharing a link on a great opportunity will stand out like a Christmas tree on your non-social accounts, because you are not expecting any communication from this person at this address.

If you have a mission-critical email, don't even share that one, and simply ignore/delete any emails that reach it.

Cost: $0. Having multiple emails is free.

2. Browsers

Have at least two browsers installed. Use your favorite as the one where you are logged on with your accounts and do not have any unofficial plugins installed. Use the second one to browse the web - and purge history and tracking cookies daily/in-between sessions. Now you can just click "allow all cookies" on the websites your searches led to, knowing that these cookies are going to be short-lived anyway.

Cost: $0. Using multiple browsers is free.

3. Devices

A computer for your personal use and a computer for your work should be separate. An attacker targeting your company may take advantage of your personal habits or hobbies, or the other way around. Did you install that plugin for the design software you were using? Did you post on social media/forums that you are looking for a certain 3D model, and download it via a friendly stranger’s link? Did you download that Excel file from an email and open it on Windows? Did you download that image file? All these are examples of valid paths by which malicious code can make its way onto your device. These files don't have to have the ability to self-execute - the payload comes first.

Employers that value security should already provide you with a device to do your work from day one. The cost of a device is likely insignificant compared to the losses a company can suffer due to a breach in security.

If your finances are anything out of the ordinary either in scale or technology (i.e. web3), then you had better use an exclusive device for that too.

If for any reason you cannot have multiple devices, then at the least do things on a separate non-admin user account on the same device. Even better, run untrustworthy applications/files on a virtual machine. In these cases you'll add one more wall between the attacker and critical damage. They will have to do an elevation of privileges attack first - as the guest/non-admin user account or the virtual machine cannot influence things outside them by default.

Cost: $$. There is a cost for having multiple devices. However, your work device may be provided by your employer. Using virtual machines and guest accounts comes at no additional cost.

4. Encryption

Make a habit of setting up full storage encryption on your devices, especially the portable ones. You don't want other people getting their hands on any sensitive information or getting your login session data from your browser's storage. Hint: your system login password/mechanism does not prevent anyone from reading your unencrypted storage.

Cost: $0. Full disk/storage encryption is a built-in feature of most modern operating systems and is free. But you often need to enable this encryption.
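
One way to check whether encryption is actually enabled on a Linux machine, as an added example that is not part of the original post: it walks the device tree reported by `lsblk --json -o NAME,TYPE,MOUNTPOINT` and lists the mounted filesystems that have no dm-crypt (LUKS) layer beneath them. The sample output and device names are constructed, and other encryption schemes (ZFS native encryption, self-encrypting drives) are not detected by this check.

```python
import json

# Constructed sample of `lsblk --json -o NAME,TYPE,MOUNTPOINT` output:
# / and /home sit inside a LUKS container, /boot and swap do not.
SAMPLE = """
{"blockdevices": [
  {"name": "nvme0n1", "type": "disk", "mountpoint": null, "children": [
    {"name": "nvme0n1p1", "type": "part", "mountpoint": "/boot"},
    {"name": "nvme0n1p2", "type": "part", "mountpoint": "[SWAP]"},
    {"name": "nvme0n1p3", "type": "part", "mountpoint": null, "children": [
      {"name": "cryptroot", "type": "crypt", "mountpoint": null, "children": [
        {"name": "vg-root", "type": "lvm", "mountpoint": "/"},
        {"name": "vg-home", "type": "lvm", "mountpoint": "/home"}
      ]}
    ]}
  ]}
]}
"""

def encryption_by_mountpoint(lsblk_json):
    """Map each mount point to True if a dm-crypt layer sits below it."""
    result = {}

    def walk(dev, under_crypt):
        under_crypt = under_crypt or dev.get("type") == "crypt"
        # Newer lsblk also offers MOUNTPOINTS (a list); MOUNTPOINT is one value.
        mounts = dev.get("mountpoints") or [dev.get("mountpoint")]
        for mount in mounts:
            if mount:
                result[mount] = under_crypt
        for child in dev.get("children", []):
            walk(child, under_crypt)

    for dev in json.loads(lsblk_json)["blockdevices"]:
        walk(dev, False)
    return result

def unencrypted(lsblk_json):
    """Mount points whose data is readable by anyone holding the disk."""
    status = encryption_by_mountpoint(lsblk_json)
    return sorted(m for m, enc in status.items() if not enc)

if __name__ == "__main__":
    # On a real machine, feed in the output of the lsblk command named above.
    for mount, enc in sorted(encryption_by_mountpoint(SAMPLE).items()):
        print(f"{mount:8} {'encrypted' if enc else 'NOT encrypted'}")
```

In the sample, swap is unencrypted, which means memory contents written to it can be read from the disk even though the root filesystem is protected. On macOS `fdesetup status` and on Windows `manage-bde -status` report the equivalent state.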

5. Public WiFi

Beware of connecting to public networks/WiFi. Free isn't always good.

If the WiFi isn't encrypted, your session information can be stolen depending on how the apps/websites handle things. Even on encrypted WiFi, a hacked network router can be used to do a man-in-the-middle attack. Unfortunately, network routers tend to have default passwords and have their admin interface open to the public. Moreover, there are readily available tools to brute force router passwords.

How much does your friendly neighborhood coffee shop invest in security? Hackers can be halfway across the world - they don't have to sit there with you. Think about that before enjoying the free WiFi.

Perhaps you are attending a fintech/blockchain conference, and staying at a hotel where everyone else is likely staying too. These hotel networks are a great opportunity for adversaries to employ cyber attacks on unsuspecting guests.

To protect yourself from the above, simply share a hotspot from your phone to your laptop. Alternatively, use a VPN with seamless mode turned on - often not enabled by default! Note that, unless self-hosted, a VPN is simply putting your trust into the hands of the VPN provider - which is acceptable for many people but not always.

Cost: $. Price of a mobile data plan, or a VPN service/hosting.

6. Personal Obscurity

Make information on your tech behavior scarce. The best adversaries will try to learn everything knowable about you. Exploiting a human weakness is often easier than brute forcing a way through a technical measure. What websites do you visit? What software do you use? What are the non-obvious attack vectors to get malicious code onto your device?

Cost: $0. It only requires a discreet digital lifestyle from you.

7. When all else fails

Depending on how mission-critical your personal cybersecurity is, the importance of the following will vary. For some, the worst case is getting their photos stolen or data erased/locked; for some, it can be millions drained from their wallets.

If a breach can put you into a crisis, then have a recovery plan for when the cyber hell breaks loose. What will you do if a certain thing gets hacked, or your email login session is stolen? Malware on your device? Ransomware? A social media company posting about a possible breach of user logins?

One thing everyone should do at the least is to have multiple backups of their data. One of the backups must be in offline storage - an external drive normally not connected to a device. This will make you resistant to ransomware and give you the ability to reset your computer and start anew if you get your device hacked.

Cost: $ to $$$. Cost of an offline backup is the price of an external drive. The rest depends on your choices.

Last but not least,

There is no such thing as 100% security. One can only get better, and the goal is to be more challenging than the adversaries are willing to put up with. There is no need to over-strengthen a particular part of your security when the rest is lacking - no need to put a steel door on a tent. The question you should be asking is what worst-case scenario you are willing to accept if your security practices fail. If you are not ready to accept your worst-case scenario, then you should probably invest in your cybersecurity by learning, or even getting professional advice.

Stay tuned and follow; later I'll share some exotic vulnerabilities you need to look out for if your security is mission-critical.
