Personal security policy
Notes on what I've done to make sure I am safe from digital threats
Organizations I've worked for spent substantial time, money and effort on building, implementing and enforcing various security policies. This is a standard in today's business, and since businesses in most cases rely on IT completely, these policies are usually IT-centric.
Looking at all these policies, abiding by them, and helping with testing and deployment of the tools and processes around them, I've come across an important question.
Both my professional and private life depend on IT. Emails, documents, photos, contacts, music, scripts... they may get lost, stolen or damaged. I may become a victim of malware, phishing or identity theft. My privacy is at constant risk: I use digital money, websites I visit profile me, and HTTP traffic is easy to wiretap. What should I do to be sure I can sleep soundly?
Am I doing all the right things to protect the digital part of my life?
This question immediately triggered a whole bunch of others. What exactly do I want to protect? Against what threats? What is my data and where is it? How should I protect it? Will I need some extra tools? Will it be inconvenient to use them? Do I need to spend money? Do I need to give up something? I realized that this issue could not be addressed by one rule to follow or one piece of software to install, fire up and forget. And so, after several approaches to the text editor, I compiled a list of the most important stuff. Is your list similar?
DATA:
Critical data - I need to make sure it is never lost and never accessed by an unauthorized party:
My ID documents, birth certificate, school diplomas, tax related documents, medical data, email, passwords, private keys, IM archives, personal notes and documents. SMS and contacts stored on the phone.
Other data I find sensitive or important:
web searches, full configuration of my systems
Worth backing up:
All data on hard disks
RISKS:
I may lose my data
Someone may get access to my data and use it against me
Even if some things have changed since April 2000, security is still a process. I've taken various steps to address the above in a consistent and effective manner. I wanted all my efforts to be consistent, to work as a whole and to cover as many areas as possible. I gave them one common name.
Personal security policy
A general set of guidelines and rules I decided to follow to protect myself.
Physical domain
Yes, protection of my digital self starts with physical objects.
- Scan the most important paper documents to have a record if they get physically destroyed, e.g. in a fire.
- Buy and use a paper shredder for all even remotely sensitive documents I no longer need. Any piece of paper with my name/address/phone number/bank account or credit card number/financial records etc. must not end up in a garbage can in readable form.
- Do not use NFC-enabled credit/debit cards. As a minimum, disable the wireless payment functionality and carry the card in a jammer. Erase the CVV code with a needle and a marker and keep it in a password manager.
Digital domain
- Do not use proprietary software unless it's unavoidable. Have real, full administrator/root privileges on any device I trust with my sensitive data.
- Block ads and known malware-hosting domains, as well as HTTP referrers that I find offensive to my privacy (like those ubiquitous "Like" buttons). Disable automatic plugin execution in web browsers.
- Never store any sensitive data on unencrypted media. Implement FDE.
- Encrypt as much Internet traffic as possible. Force HTTPS where available. Do not use unknown wireless networks without a VPN that I control. This applies to my phone as well.
- Use anonymizing services like Tor whenever I find it suitable. I disagree with the "I have nothing to hide" approach - a good read on it here
- Avoid online services based outside EU, especially in the US.
- Don't let my passwords be recorded when connecting remotely from a machine I don't trust.
- Do not store passwords in browsers or online. Use KeePass to store them. The longer and more random, the better. The same applies to security/password restore questions. Have an extra backup of the KeePass files.
- Do not permit devices I don't trust onto my wireless network.
- Have a full, encrypted backup of my main machine at home. Have an encrypted offsite backup of as much data as possible. Have a tested, proven recovery procedure recorded.
- Encrypt the data on the phone.
- Have a backup of important data from the phone.
- Read and learn. Be up to date with security news, keep OS and all software updated.
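The backup rule above asks for a tested, proven recovery procedure, not just a copy of the data. The following is an added example, not code from the original post: a small Python script that records a SHA-256 manifest of a backup set and checks a restored copy against it, reporting files that went missing, files whose contents changed, and files that appeared without ever being backed up. The directory layout, file names and contents in `demo()` are constructed for the example and run in a temporary directory, so it works offline.

```python
"""Added example: SHA-256 manifest for a backup set and a restore check.
Written for this post; file names and contents below are constructed."""
import hashlib
import tempfile
from pathlib import Path


def sha256_file(path: Path, chunk: int = 1 << 20) -> str:
    """Stream the file so large backup members don't have to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map every regular file under root (relative POSIX path) to its digest.
    Store this manifest next to the backup (and offsite) at backup time."""
    manifest = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            manifest[p.relative_to(root).as_posix()] = sha256_file(p)
    return manifest


def verify_restore(manifest: dict, restored: Path) -> dict:
    """Compare a restored tree against the manifest taken at backup time.
    Returns what a recovery drill needs to know: what is missing, what was
    altered (corruption, truncation, wrong version) and what is unexpected."""
    current = build_manifest(restored)
    missing = sorted(k for k in manifest if k not in current)
    modified = sorted(k for k in manifest if k in current and current[k] != manifest[k])
    unexpected = sorted(k for k in current if k not in manifest)
    return {
        "missing": missing,
        "modified": modified,
        "unexpected": unexpected,
        "ok": not (missing or modified or unexpected),
    }


def demo() -> dict:
    """Constructed scenario: a backup set, then a restore that silently lost
    one file and corrupted another. Everything lives in a temp directory."""
    with tempfile.TemporaryDirectory() as tmp:
        src = Path(tmp) / "source"
        (src / "docs").mkdir(parents=True)
        (src / "docs" / "passport.pdf").write_bytes(b"scan of passport")
        (src / "docs" / "diploma.pdf").write_bytes(b"scan of diploma")
        (src / "keepass.kdbx").write_bytes(b"encrypted password database")
        manifest = build_manifest(src)  # taken at backup time

        restored = Path(tmp) / "restored"
        (restored / "docs").mkdir(parents=True)
        (restored / "docs" / "passport.pdf").write_bytes(b"scan of passport")
        (restored / "keepass.kdbx").write_bytes(b"CORRUPTED")  # bad restore
        return verify_restore(manifest, restored)


if __name__ == "__main__":
    print(demo())
```

In practice the manifest is generated right after the backup and stored with it; a recovery drill restores to a scratch location and runs `verify_restore` there. A backup whose manifest check fails is not a backup, and finding that out during a drill is far cheaper than finding it out after a disk dies.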
Disclaimer: All the above suggestions cover my personal case. They are based on my needs, my views and my habits. They may be helpful or inspiring for you (and I publish them hoping they will be!) but my answers to the questions above may be wrong or just completely different from yours. You may have to ask yourself a completely different set of questions. My solutions may be incomplete, flawed or may not suit you.
Do your homework. Think carefully, do your own research, know the tools you use before you trust your digital self on them. Testing, learning and cracking through new systems or software is easy and safe using virtualization.