My Thoughts - InfoSec Imperatives and Cyber Security Hygiene

We live in an ever more connected world, and because of this it is impossible to bury our heads in the sand and pretend that cyber crime does not affect us.
More and more, the average individual risks being the target of a cyber security incident.
Luckily, there are lots of tools out there that are user friendly and can vastly improve your cyber protection online. Combined with a good set of InfoSec imperatives, this can mean the difference between stopping a cyber criminal in their tracks and losing everything.


The following are the core InfoSec imperatives that I tend to follow in my everyday life:

  1. Practice quality password hygiene.
  2. Don't click questionable shit.
  3. Avoid HTTP sites or just install/use HTTPS Everywhere.
  4. Whenever possible, maintain custodial rights to your data.
  5. When possible, use services that utilize zero knowledge.
  6. Whenever possible, use technology that utilizes strong encryption.
  7. When possible, audit code or choose a product/service that publishes code audit reports.
  8. Take time to understand the technology you are using.
  9. Pursuant to point 8, whenever possible utilize true 2FA (2 factor authentication).

Let's break down what each of these means and give some context as to the hows and whys of them.

Practice quality password hygiene:

I have another blog post that goes into detail HERE, but the general overview is that there are some VERY basic rules you should follow with your passwords. Follow them. The password is literally the first line of defense against a hacker getting into your accounts and stealing all your shit. Following the basic rules here will go a long way to helping prevent that.

Don't click questionable shit:

See that link that Google is telling you is suspect? How about that PDF attached to the email you received that can't be scanned for viruses? There are literally thousands of ways that hackers try to access your data, and these sorts of phishing and social engineering campaigns are at the front of the herd. If you are not technologically savvy, the best course of action here is to not click on links, attachments, etc. that you do not recognize or are not expecting.

Avoid HTTP sites or just install/use HTTPS Everywhere:

Whenever you enter a website you will typically see a prefix before the www in the domain (site name). This will usually be either HTTP or HTTPS. HTTP stands for Hypertext Transfer Protocol and, without getting into too much technical detail, it is part of the Internet protocol suite, or to put it another way, it is a foundational component of data communication on the World Wide Web.
HTTPS on the other hand is an encrypted extension of HTTP... in other words, it's the secure little brother.
There is no regulation mandating the use of HTTPS on websites, and if you are using a website that does not use HTTPS, you could be exposed.
Luckily, HTTPS is being more widely adopted, in part because Google will de-prioritize sites that are not HTTPS in search results, but even with that, there are still sites that do not use HTTPS.
The good news is that there is a browser extension to handle specifically that and effectively create an encryption layer even if a site is only HTTP. That extension is called HTTPS Everywhere and it is maintained by the Electronic Frontier Foundation (EFF).
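As an added illustration of the redirect idea (my own example, not the EFF extension's code or its real ruleset): HTTPS Everywhere works from a list of sites known to serve HTTPS and rewrites plain http:// requests to those sites into https:// ones. The ruleset and hostnames below are constructed for the example. Note what the check deliberately does not do: a host missing from the list is left alone, because a browser can only use encryption that the site already offers, and forcing https:// on a site that does not serve it just breaks the page.

```go
package main

import (
	"fmt"
	"net/url"
	"strings"
)

// knownHTTPSHosts is a constructed stand-in for an HTTPS-upgrade ruleset:
// hosts listed here are assumed (for this example) to serve the same content over HTTPS.
var knownHTTPSHosts = map[string]bool{
	"example.com":     true,
	"www.example.com": true,
}

// UpgradeToHTTPS returns the HTTPS form of a plain-HTTP URL when the host is in
// the ruleset and reports whether a rewrite happened. Hosts outside the ruleset
// are returned unchanged rather than blindly forced to HTTPS.
func UpgradeToHTTPS(raw string) (string, bool, error) {
	u, err := url.Parse(raw)
	if err != nil {
		return "", false, err
	}
	if u.Scheme != "http" {
		return raw, false, nil // already https, or not a web URL at all
	}
	if !knownHTTPSHosts[strings.ToLower(u.Hostname())] {
		return raw, false, nil // unknown host: leave it, the site may not speak HTTPS
	}
	u.Scheme = "https" // path, query and fragment are carried over untouched
	return u.String(), true, nil
}

// IsEncryptedTransport is the same check a user makes by eye: does the
// address start with https?
func IsEncryptedTransport(raw string) bool {
	u, err := url.Parse(raw)
	return err == nil && u.Scheme == "https"
}

func main() {
	for _, raw := range []string{
		"http://www.example.com/login?user=alice", // constructed: in the ruleset, gets upgraded
		"http://plain-only.test/",                 // constructed: not in the ruleset, left as-is
		"https://already.secure.test/",            // constructed: nothing to do
	} {
		out, changed, err := UpgradeToHTTPS(raw)
		fmt.Printf("%-42s -> %-45s rewritten=%v encrypted=%v err=%v\n",
			raw, out, changed, IsEncryptedTransport(out), err)
	}
}
```

The lookup is keyed on the lowercased hostname only, so a port or a path never affects the decision, and the query string (which is where login forms put the sensitive bits) rides along into the HTTPS URL unchanged.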

Whenever possible, maintain custodial rights to your data:

This essentially means that whatever software you use that produces data, you control that data. For example, if you use a password wallet that stores your database on their server, then they own and control your data, not you. By contrast, if you use a password wallet that allows you to choose where the database is located, then you have ownership over that data and maintain custodial rights.

When possible, use services that utilize zero knowledge:

Zero knowledge means that the entity providing the product or service does not store or maintain identifying data about you, nor do they have any sort of universal access to you, your data, your account, etc... This is good for a number of reasons; however, for services that use a zero knowledge approach, the biggest concern is that you are responsible for things like account lockouts, as the company cannot help you if you lose your password or something like that, since they do not store your password. The onus is on you, the user, to ensure that you are maintaining proper technology hygiene, and for most people out there this will probably take some changes in how you engage with your digital life (but in reality, these are probably changes you should make regardless).

Whenever possible, use technology that utilizes strong encryption:

In layman's terms, encryption is essentially the act of "locking" data. This is done by converting the data from "plaintext" to "ciphertext" through a cryptographic process known as a cipher. A special key is then generated, allowing an end-user to "unlock" the data. In modern encryption, there are different strengths of cipher used to secure data, which consist of a key size and an encryption technique. Advanced Encryption Standard (AES) is commonly considered the best encryption technique right now, and the key size is typically a number that precedes the standard, so 256-AES means that the key size is 256 bits and the standard is AES. Cipher strength evolves constantly, but, as of writing this, a 256-AES cipher or higher is going to be essentially unbreakable with modern brute-force techniques. If you want to dive into the math, there is a really good article at Scrambox on this exact topic. In all honesty, most people will be safe using 128-AES or similar as well.
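The zero knowledge section and this one describe the same mechanism from two sides, so here is one added example covering both (my own code, not any password wallet's implementation). A "vault" is locked with AES in GCM mode under a key derived from the user's password with PBKDF2-HMAC-SHA256 (written out inline so only the Go standard library is needed; the 100,000 iteration count is an assumed value for the example). The key size is chosen by asking for 16 or 32 bytes from the derivation, which is exactly the 128-AES versus 256-AES distinction above. What a zero knowledge provider would store is the Blob: salt, nonce and ciphertext, never the password or key, so a forgotten password cannot be "reset" by them, only by the user who still knows it.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

const iterations = 100_000 // assumed PBKDF2 work factor for this example

// pbkdf2SHA256 derives keyLen bytes from password and salt (RFC 8018 PBKDF2 with
// HMAC-SHA256), written out inline so the example needs only the standard library.
func pbkdf2SHA256(password, salt []byte, iters, keyLen int) []byte {
	out := make([]byte, 0, keyLen)
	for block := uint32(1); len(out) < keyLen; block++ {
		mac := hmac.New(sha256.New, password)
		mac.Write(salt)
		var idx [4]byte
		binary.BigEndian.PutUint32(idx[:], block)
		mac.Write(idx[:])
		u := mac.Sum(nil)              // U1 = PRF(P, S || INT(block))
		t := append([]byte(nil), u...) // T = U1 xor U2 xor ... xor Uc
		for i := 1; i < iters; i++ {
			mac = hmac.New(sha256.New, password)
			mac.Write(u)
			u = mac.Sum(nil)
			for j := range t {
				t[j] ^= u[j]
			}
		}
		out = append(out, t...)
	}
	return out[:keyLen]
}

// Blob is everything a zero-knowledge service would hold for you: salt, nonce,
// ciphertext and the key size. None of it reveals the plaintext or the password.
type Blob struct {
	Salt, Nonce, Ciphertext []byte
	KeyBits                 int // 128 or 256
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // 16-byte key -> AES-128, 32-byte key -> AES-256
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal locks plaintext with a key derived from the password; keyBits picks the
// cipher strength. A fresh random salt and nonce are generated for every call.
func Seal(password string, keyBits int, plaintext []byte) (Blob, error) {
	if keyBits != 128 && keyBits != 256 {
		return Blob{}, errors.New("keyBits must be 128 or 256")
	}
	salt := make([]byte, 16)
	if _, err := rand.Read(salt); err != nil {
		return Blob{}, err
	}
	gcm, err := newGCM(pbkdf2SHA256([]byte(password), salt, iterations, keyBits/8))
	if err != nil {
		return Blob{}, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return Blob{}, err
	}
	return Blob{salt, nonce, gcm.Seal(nil, nonce, plaintext, nil), keyBits}, nil
}

// Open unlocks a Blob. A wrong password derives a different key, GCM's
// authentication tag check fails and an error comes back; the provider has no
// shortcut around this, which is why they cannot recover a forgotten password.
func Open(password string, b Blob) ([]byte, error) {
	gcm, err := newGCM(pbkdf2SHA256([]byte(password), b.Salt, iterations, b.KeyBits/8))
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, b.Nonce, b.Ciphertext, nil)
}

func main() {
	vault := []byte("site: example.com user: alice pass: correct horse battery staple") // constructed sample
	for _, bits := range []int{128, 256} {
		blob, err := Seal("my master password", bits, vault)
		if err != nil {
			panic(err)
		}
		_, wrongErr := Open("not my password", blob)
		got, _ := Open("my master password", blob)
		fmt.Printf("AES-%d: %d ciphertext bytes; wrong password -> %v; right password -> %q\n",
			bits, len(blob.Ciphertext), wrongErr, got)
	}
}
```

The ciphertext is 16 bytes longer than the plaintext in both cases: that is the GCM authentication tag, and it is what turns a wrong password into a clean error instead of silently returning garbage.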

When possible audit code or choose a product/service that publishes code audit reports:

Source code is the data that makes up software. It's what programmers write to make your most popular applications, games, etc... In general, there are two types of source code, open-source and closed-source. Open-source means that the code is publicly available to view and, in many cases, download. Closed-source means that the code is private and typically protected by intellectual property laws. There are technically other classifications as well, but they are realistically outside the focus of this post. Open-source software is easy: you can view and audit the code to prove or disprove that it is doing what it is intended to do... this is the ideal option.
Closed-source is more tricky, especially when it comes to software (or hardware) that is storing sensitive data. Most companies that use closed-source code and take security seriously will hire an independent cyber security company to audit their code, in which the code is picked apart, validated and proven safe. The auditor will then generate a report with their findings and proof thereof, while retaining the privacy of the client's intellectual property. If a company cares, they will release the report.

Take time to understand the technology you are using:

Even outside of issues of cyber and information security, this is important. You should always, always, ALWAYS take time to have a deep understanding of the technology, tools and really anything else you rely on for your daily life and/or safety. This is especially important when it comes to things as critical as the data generated by your digital life.
I would be willing to bet that most Americans don't just toss their Social Security card in the corner and leave it there when guests come over. You probably have it in a safe or something similar. The data generated by your life online is, to be frank, FAR more valuable than your SSN and should be protected as such.
With that in mind, the deeper your understanding of the technologies you use, the more careful and mindful you will most likely become about how you use that technology.
Absorb every piece of information about the technology you use that you can.

Pursuant to point 8, whenever possible utilize true 2FA (2 factor authentication):

Understanding how 2-Factor Authentication (2FA) works is critical! If you don't, you can, and most likely will, get locked out of your account forever. 2FA is different from 2-step authentication, the latter most commonly being email or SMS authentication. These are not good options. It takes a hacker very little effort in most cases to hack a (non-privacy) email service, and it takes a good hacker <5 minutes of close proximity with someone to clone a SIM, which allows interception of all phone traffic, including SMS. That being said, the only real solutions for true 2FA are either app-based (Authy, Duo, Google Authenticator, etc...) or key-based (YubiKey, Titan Security Key, etc...). For the average person, a physical key is most likely overkill, so going with an app-based solution is probably fine. I personally use Authy and I find that it is the best of both worlds: "ease of use," especially for the non-tech savvy, and strong security if you use it correctly.


Anyway, those are my thoughts on InfoSec imperatives & Cyber Security hygiene, I hope it helped. If you have any questions, please feel free to ask and if you like what I am doing, please consider supporting me through one of the links in the header of My Blog!


More from Steve Chepp