Title: Introduction to security good practices
       Author: Solène
       Date: 09 May 2021
       Tags: security
       Description: 
       
       # Introduction
       
I wanted to share my thoughts about security with regard to computers.
Let's try to summarize them as a list of rules.
       
If you read it and disagree, please let me know; I can be wrong.
       
       # Good practices
       
       Here is a list of good practices I've found over time.
       
       ## Passwords policy
       
Passwords are a mess: we need many of them every day, but they are not
practical.  I highly recommend using a unique random password for
every password needed.  I switched to "keepassxc" to manage my
passwords; there are many password managers on the market.
       
When I need to register a password, I use the longest one allowed and
I keep it in my password database.
       
If I got hacked and my password database was taken, all my passwords
would be leaked, but if I didn't use one and had only a single
password, there is a good chance it would be registered somewhere and
then the hacker would have access to everything too.  The best
situation would be to have a really effective memory, but I don't want
to rely on it.
       
I still recommend keeping a few passwords in your memory, like the one
for your backups, your user session and the one to unlock the password
database.
       
When possible, use multi-factor authentication.  I like the TOTP
(Time-based One-Time Password) method because it works without any
third party service and the shared secret can be stored securely in a
backup.
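To show why TOTP needs no third party, here is an added example (not code from the post): the whole scheme is HMAC-SHA1 over a shared secret and the current time step, as specified in RFC 6238 on top of RFC 4226 HOTP. The base32 string from the enrollment QR code is the only thing worth backing up; the helper names below are my own.

```python
import base64
import hashlib
import hmac
import struct

# Added example (not from the post): TOTP per RFC 6238 built on HOTP (RFC 4226).
# The only inputs are a shared secret and the current Unix time, which is why
# no third party service is needed and the secret can be kept in a backup.


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP: HMAC-SHA1 over the 8-byte big-endian counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, now: int, step: int = 30, digits: int = 6) -> str:
    """TOTP: HOTP where the counter is the number of elapsed 30 s time steps."""
    return hotp(secret, now // step, digits)


def secret_from_base32(key_b32: str) -> bytes:
    """Authenticator apps store the secret base32-encoded (the string inside
    the enrollment QR code); that string is what belongs in an encrypted backup."""
    key_b32 = key_b32.strip().replace(" ", "").upper()
    return base64.b32decode(key_b32 + "=" * (-len(key_b32) % 8))


def verify_totp(secret: bytes, code: str, now: int, window: int = 1) -> bool:
    """Accept the current code and +/- `window` steps to tolerate clock drift.
    Constant-time comparison avoids leaking how many digits matched."""
    return any(
        hmac.compare_digest(totp(secret, now + k * 30), code)
        for k in range(-window, window + 1)
    )


if __name__ == "__main__":
    # RFC 6238 test vector: ASCII secret "12345678901234567890" at T = 59.
    rfc_secret = b"12345678901234567890"
    print(totp(rfc_secret, 59, digits=8))  # 94287082 per RFC 6238
```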
       
       ## Devices trust
       
It's important to define a level of trust for the devices you use.  I
do not trust my Windows gaming computer, so I would not let it have
access to my password database.  I do not trust my phone enough for
that job either.
       
If my phone requires a password, I generate one, keep it in my password
database and create a QR code to scan with the phone instead of typing
that very long password.  The phone then has the password locally but
not the entire database, yet it remains quite usable.
       
       ## Define your threat model
       
When you think about security, you need to think about what kind of
security you want; sometimes this also implies thinking about privacy.
       
Let's think about my home file server: it's a small device with only
one disk and it doesn't have access to the internet.  It could be
hacked by a remote person, this is possible but very unlikely.  On the
other hand, a thief could come into my house and steal a few things,
like this server and its data.  It makes a lot of sense to use disk
encryption for devices that could be stolen (let's make it short, I
mean all devices).
       
On the other hand, if I had to manage a mail server with IMAP / SMTP
services on it, I would harden it a lot against external attacks and I
would have to define some extra security policies for it.
       
       ## Think about usability
       
Most of the time, security and usability don't play well together: if
you increase security, it will be at the expense of usability and
vice versa.  I'll go back to my IMAP server: I could enable and enforce
connecting over TLS for my users, which would prevent their
connections from being eavesdropped.  I could also enforce a VPN (one
that I manage myself, not a commercial VPN that can see all my
traffic) to connect to the IMAP server, which would prevent anyone
without the VPN from connecting to the server.  I could also restrict
that VPN connection to a list of public IPs.  I could require the VPN
access from an allowed IP to be unlocked by an SSH connection requiring
TOTP + password + public key to succeed.
       
At this point, I'm pretty sure my users would give up and set up an
automatic redirection of their emails to another mail server that is
usable to them; I'd be defeated by my users because of too much
security.
       
       ## Don't lock yourself out
       
When you come to encrypt everything or lock everything on the network,
it can be complicated to avoid data loss or being locked out of the
service.
       
If you have important passwords, you could use Shamir's Secret Sharing
(I wrote about it a while back) to split a password into multiple
pieces that you would convert into QR codes and give a copy to a few
people you know, so they can help you recover the data if you ever
forget the password.
       
       ## Backups
       
It's important to make backups, but it's even more important to encrypt
them and keep them in a different place from your storage.  My
practice here is to back up all my computer data daily (which is quite
huge) but also to back up only my most important data to remote
servers.  I can afford losing my music files, but I'd prefer to be able
to recover my GPG and SSH keys in case of a huge disaster at home.
       
       ## User management
       
If a hacker gets control of your user, it may be over for you.  It's
important to only run programs you trust and no network related
services.
       
If you need to run something you are unsure about, use a virtual
machine or at least a dedicated user that won't have access to your
user's data.  My $HOMEDIR has a chmod 700 so only root and me can
access it.  If I need to run a service, I will use a dedicated user for
it.  It's not always convenient but it's effective.
       
       # Conclusion
       
Good software with a good design is important for security, but it
doesn't do all the job when it comes to security.  Users must be aware
of the risks and act accordingly.