Roy Keck

"Personal" - Zero Trust?

I've always taken my Security seriously.


OK, no, I'm lying. Just like most folks, I've approached it haphazardly and given it little thought until recently.


I've always trusted the Services to do the job for me and always approached my Security as an inconvenient, unnecessary annoyance.

Something you do if you have something to hide.


Obviously, there's a ton of flaws in this thinking because - WE DO - have Information that we should be Protecting and Defending.


It's far more inconvenient when your Bank account gets drained by a hacker, or your Identity is stolen by a threat actor, than it is to add some Security layers to protect yourself and your information.


Daily, in the news you see the Attacks. Ransomware is on the rise, Data Leaks and Breaches are on the rise, and there is little that can be done to catch the people committing these crimes.


In my spare time, I've been reading up on Security Frameworks and Policies, trying to learn how our governments or big corporations are Defending themselves against these threats. My issue with a lot of these is that they are so dry and raw. Very legalese, and most of them quite frankly aren't even meant to help educate Individual People on how to defend themselves; they're geared more around large Companies or Governments. Which is OK, I get it...


For me, this is what I want to do both personally and professionally. I want to understand what the Threats are, where they are coming from, how they are attacking us, and what kind of foundations that can be put in place to Defend against these threats.


I've been working on a Project for a while now - Improving my own Personal Security while digging into the Cybersecurity lingo and Services that are out there, trying different things. I'm trying to eat, sleep and breathe Cybersecurity and Infosec right now. I didn't know how I was going to document what I was doing, but I've been taking notes on the things I've read and the things I've been doing, with the goal of breaking it down, simplifying it and sharing it with as many people as I can.


This Project has sort of manifested into my own "Personal" Zero Trust Policy if you will.


Is it perfect? NO, hardly. I have no experience in the industry - YET, I haven't even taken a single Security Course - YET. There's a ton of information out there, a ton of Services and Tools and Resources, so no I haven't tried them all. My experience is a drop in the bucket compared to most.


This is meant to just be my - Starting Point - a Guideline for my own Personal Security, and best practices. To develop good habits, to be aware and mindful of the threats and the problems that are out there.


I hope it helps some of you, and perhaps even gives you ideas on developing your own habits to improve your Personal Security.


"Personal" Zero Trust:


1. Never Trust, Always Verify
  • Use a Password Manager to manage Passwords and make them Complex.

  • Use 2FA - Keep it separate from your Password Manager and any other Services that you use, so no Google Authenticator either if you use Gmail or other Google Services.

  • Consider an Offline Password Manager - Like Stash

  • Consider a Physical Security Key - Like Yubikeys

2. Implement Least Privilege
  • Home Network Security

    • Router Access/Password

    • Firewall Security

    • Port Security

  • Device Security

  • Personal Cloud Backup Secure Vault

  • Physical/Secure Offline Backup

3. Assume Breach
  • Assume your "General information" is already out there, logged, and being sold to everyone. So don't sweat the small stuff.

  • Don't use your "General Information" in any Passwords, Email Logins, or Usernames.

  • Use Email Aliases, on top of having a different Password for every Login, use a Different Email - or at least Group Emails by like Services.

    • For example: All Streaming Services have streaming12@generic.com, and all Job Sites/Forums have employmentemail@generic.com.

    • With an Email Alias system in place, both of those emails would still route back and can easily be turned OFF in the event they are compromised or generating tons of spam, without it affecting your real main email address.

  • Use Digital Phone Number Services, like Google Voice Numbers or others when filling out Forms on the Web - don't use your Personal Phone Numbers. Protect it like you would your Passwords, protect it like you should your Private Email Account. This will limit Spam exposure and can help protect against Phishing Attacks.
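As an added illustration of the alias idea above (this is example code, not part of the original post): a small model of an alias service sitting in front of one real mailbox. Each alias is tied to the group of services it was given to, so mail arriving at an alias from a sender it was never handed to is itself a signal that the alias has leaked, and a leaked alias can be revoked without touching the real address. All addresses, domains and messages are constructed for the example.

```python
from dataclasses import dataclass, field

@dataclass
class Alias:
    """One forwarding alias, grouped by service category (hypothetical model)."""
    address: str
    category: str
    expected_senders: set          # sender domains this alias was handed to
    enabled: bool = True
    unexpected: list = field(default_factory=list)  # senders that should not know it

class AliasRouter:
    """Routes alias mail to a single real mailbox; never exposes the real address."""
    def __init__(self, real_mailbox: str):
        self.real_mailbox = real_mailbox
        self.aliases = {}
        self.inbox = []    # (real_mailbox, alias, sender) tuples that were delivered
        self.dropped = []  # mail to unknown or revoked aliases

    def add(self, address, category, expected_senders):
        self.aliases[address] = Alias(address, category, set(expected_senders))

    def receive(self, to_addr, from_addr):
        alias = self.aliases.get(to_addr)
        if alias is None or not alias.enabled:
            self.dropped.append((to_addr, from_addr))  # revoked alias: nothing reaches the real mailbox
            return "dropped"
        sender_domain = from_addr.rsplit("@", 1)[-1].lower()
        if sender_domain not in alias.expected_senders:
            alias.unexpected.append(from_addr)  # evidence this alias was leaked or sold
        self.inbox.append((self.real_mailbox, to_addr, from_addr))
        return "delivered"

    def leaked_aliases(self, threshold=3):
        """Aliases that have drawn at least `threshold` messages from unexpected senders."""
        return [a.address for a in self.aliases.values() if len(a.unexpected) >= threshold]

    def disable(self, address):
        self.aliases[address].enabled = False

def run_demo():
    r = AliasRouter("me@real-mailbox.example")  # constructed real address, never shared
    r.add("streaming12@generic.com", "streaming", ["streamco.example"])
    r.add("employmentemail@generic.com", "jobs", ["jobboard.example"])
    constructed_mail = [  # (alias, sender) pairs; the last three are spam to the streaming alias
        ("streaming12@generic.com", "billing@streamco.example"),
        ("employmentemail@generic.com", "alerts@jobboard.example"),
        ("streaming12@generic.com", "promo@spam-one.example"),
        ("streaming12@generic.com", "win@spam-two.example"),
        ("streaming12@generic.com", "offer@spam-three.example"),
    ]
    for to_addr, from_addr in constructed_mail:
        r.receive(to_addr, from_addr)
    leaked = r.leaked_aliases()
    for a in leaked:
        r.disable(a)  # turn the leaked alias OFF; the real mailbox and other aliases are unaffected
    after_revoke = r.receive("streaming12@generic.com", "promo@spam-one.example")
    jobs_still_ok = r.receive("employmentemail@generic.com", "alerts@jobboard.example")
    return {"leaked": leaked, "after_revoke": after_revoke,
            "jobs_still_ok": jobs_still_ok, "delivered": len(r.inbox)}
```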


"Personal" Zero Trust Blueprint:


1. Zero Trust for "Insider" Threats
  • Don't share your Login Information with Anybody. Including your Family. (I know, that's probably controversial and debatable, but it's the Zero Trust Policy for a reason.)

  • Don't share Password Managers, although most of them have Family Share type features. Just Don't. Encourage them to have their own and teach them how to use them and create their own system of Security.

  • Protect Physical Security Keys, lock up your Backups, consider Safety Deposit Boxes or something for backups.

2. Zero Trust for Hybrid Workforce
  • When Working From Home, on Work Devices, Only "Work Related" activities should be done on these devices. No, don't shop on Amazon, don't surf Social Media News Feeds. The only thing that should be done on your Work Laptop/System is Work. NOTHING ELSE. Keep Work on Work Devices, and Personal on Personal Devices.

  • With your Office Environment, be mindful of where your Systems are located and where the Cameras are. For example, I have 4 Systems in my Office. I sit at a U-shaped Desk. I'm careful where the Cameras on my Laptops are facing. In fact, I usually cover all Cameras with Privacy devices, and I mute all Microphones, and leave these disabled - until I need them.

3. Zero Trust for Privacy
  • I don't have a lot of Private "General Info"... Most of it I freely give away; it's on my Personal Webpage, my favorite color, my favorite movie... I don't care. Happy to share it. I'm a human being first and foremost, and I think it's important to understand - you can't protect everything. I focus my efforts on the more sensitive information.

  • When possible, switch away from Paper Statements and go Paperless. This prevents dumpster divers from trying to find out your Personal information to use against you.

  • Don't carry all your Credit or other Personal Information in your Purses or Wallets. I try to only take what I think I'll need for the errands I am doing. I carry a minimalist wallet and don't have a lot of things in it. I plan to investigate Digital Wallets and see what more I can do to protect this as well.

4. Zero Trust for Cloud
  • Cloud is a great place to keep your Backups, but don't Trust them 100% either. Be careful about what Documents you store with your Cloud Service Providers - expect that they will be Hacked, and that the data will be Breached/Leaked.

  • Maybe I'm too old school, but your most Private, Personal, Sensitive Data should just simply be stored on Physical Media, locked up, in a Fire Protected Vault or Safe. Period.

This is simply a guideline... and by no means did I think of this all on my own.


As most of you will know, this is the foundation of the Zero Trust process/policies and framework. I just adapted it to suit my own Personal Security practices.


To keep this Article from getting too insanely long, I didn't dive super deep into each of the Key Points.


As I try to do with all my posts, I encourage those of you who don't understand what I'm referring to or getting at to conduct your own research and be an ACTIVE player in your own Personal Security/Defense.


I hope this information was helpful, and maybe... it inspires more ideas to generate more content for some of you to take it a step further.


I know I will continue to keep fine tuning things as I learn more from my Studies and experiences.
