best viewed on desktop. there are no affiliate links on this version.
Phishing & Social Engineering: Fake emails, texts, or calls trick you into clicking malicious links or revealing personal information. Be wary of anything unexpected, even if it seems familiar.
Malware: Malicious software like viruses and ransomware can steal your data, lock your device, or even spy on you. Be cautious about downloading from untrusted sources and keep your antivirus software up-to-date.
Weak Passwords & Password Reuse: Using guessable passwords or the same password for multiple accounts makes you an easy target. Use strong, unique passwords for every account and consider a password manager.
Unsecured Wi-Fi: Public Wi-Fi networks are often open to eavesdropping. Avoid sensitive activities like banking or online shopping on public Wi-Fi and consider using a VPN for added security.
Outdated Software: Unpatched software has vulnerabilities hackers can exploit. Regularly update your operating system, apps, and web browsers to stay protected.
https://www.youtube.com/watch?v=pLPpl2ISKTg&list=PL62MN-aCRi2bN2oSo_sLJN3FvkbKO_7Zl
Imagine your online accounts, computer, or smartphone is like a house with lots of doors and windows. The cybersecurity attack surface is all the places where sneaky hackers could try to break in and cause trouble.
You will be listing all your devices and accounts. I'd suggest using pen and paper to start (so there is no digital footprint of this list to be hacked). By doing so, you can see where your information exists online and on your physical devices.
Make a list of all your most used accounts: email, social media, online banking, brokerage.
Make a list of all your devices: smartphones, computers, tablets, TVs, smart displays, home assistants, etc...
Now that you have a list of your accounts and devices, identify what's important in those accounts:
List your data locations. Quickly go over each account and each device and list the most important things in each account or device. Photos, Tax Returns, other important documents.
Think about potential threats. Are your passwords strong enough? Do you have an outdated phone? Do you constantly use coffee shop internet?
Accounts
  Gmail: myname@gmail.com
    Google Drive Files
    Google Photos
  Instagram: @dreaminfluencer
    Stories of my children
  Bank: Wells Fargo
    Threat: Access to transfer funds (Zelle)
Devices
  iPhone 13
    Pictures
    Google Authenticator app
  HP Laptop
    Scanned tax returns and brokerage statements
  Router
    Threat: Wifi access to local network
Your weakest spots are going to be a system or phone with no updates, no virus scans performed, and no backups. Another weak spot will be an account that has already been breached. The steps below are in the order I recommend you follow. A good backup will mitigate bad hardware problems. Sometimes updating your OS will reveal bad hardware or even malware on your systems. A full antivirus scan will likely catch anything your OS update didn't, and updating your browser before doing a security checkup closes any known browser vulnerabilities before you start working with sensitive account settings.
Backing up your data is like insurance for your digital home. It is a crucial safeguard against data loss due to hardware failure, accidental deletion, and ransomware, and it preserves irreplaceable files like photos. A good backup habit will allow you to recover your data or easily switch from device to device without worrying about losing anything. Do this for every device you have listed that holds your valuable data.
Time: Typically 30mins to several hours depending on speed of transfer and amount of data.
Recommended frequency: Every 3 months. Sooner if you are working with sensitive data.
If you suspect your account has been hacked, skip to step 5 first and then perform a cloud backup.
Google (Android & Chromebooks): https://takeout.google.com/
iCloud: https://support.apple.com/en-us/108306
Windows to External Drive: https://www.lifewire.com/back-up-computer-to-external-hard-drive-5184117
Windows to OneDrive: https://support.microsoft.com/en-us/windows/back-up-your-windows-pc-87a81f8a-78fa-456e-b521-ac0560e32338
MacOS Backup: https://support.apple.com/mac-backup
Having your data on your laptop, in the cloud, and on an external hard drive is a good place to start. This is the 3-2-1 rule:
3: Maintain 3 copies of your data: 1 primary location (laptop) and 2 backups (cloud, external storage)
2: Maintain 2 copies on separate media (cloud and external storage can be considered 2 different media)
1: Store at least 1 copy at an off-site location (cloud can be considered off-site)
Test your backups!
If you're backing up to an external drive, test your ability to view and recover data on another computer. This lets you verify data integrity, spot missing files, and uncover potential problems before you actually need the backup.
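One way to do that integrity test is to compare the primary folder against the backup copy file by file. The script below is an added example, not part of the original page: it hashes every file under the primary folder with SHA-256 and reports files that are missing from the backup or whose contents differ (a stale or corrupted copy). The folder names and sample files are constructed for the demo; point `verify_backup` at your own laptop folder and external drive.

```python
"""Verify that a backup copy matches the primary copy, file by file.

Added example (not from the original page). Walks the primary folder,
hashes every file with SHA-256, and checks that the same relative path
exists in the backup with identical content. Folder names below are
assumptions for the demo.
"""
import hashlib
import os
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Return the hex SHA-256 digest of a file, read in 1 MiB chunks."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_backup(primary: Path, backup: Path) -> dict:
    """Compare every file under `primary` against `backup`.

    Returns {"ok": [...], "missing": [...], "mismatched": [...]} where
    each list holds POSIX-style relative paths. A mismatch means the
    backup copy exists but its bytes differ (stale copy, silent
    corruption), which a plain directory listing would never reveal.
    """
    result = {"ok": [], "missing": [], "mismatched": []}
    for root, _dirs, files in os.walk(primary):
        for name in sorted(files):
            src = Path(root) / name
            rel = src.relative_to(primary).as_posix()
            dst = backup / rel
            if not dst.is_file():
                result["missing"].append(rel)
            elif sha256_of(src) != sha256_of(dst):
                result["mismatched"].append(rel)
            else:
                result["ok"].append(rel)
    return result


def build_demo_tree() -> tuple:
    """Create a constructed primary/backup pair in a temp dir.

    One file is intact in the backup, one was never copied, and one was
    edited on the primary after the backup was taken (stale copy).
    """
    base = Path(tempfile.mkdtemp(prefix="backup-demo-"))
    primary, backup = base / "laptop", base / "external_drive"
    (primary / "tax").mkdir(parents=True)
    (backup / "tax").mkdir(parents=True)
    (primary / "tax" / "2023_return.pdf").write_bytes(b"return 2023")
    (backup / "tax" / "2023_return.pdf").write_bytes(b"return 2023")
    (primary / "photo.jpg").write_bytes(b"photo bytes")       # never copied
    (primary / "notes.txt").write_bytes(b"edited after backup")
    (backup / "notes.txt").write_bytes(b"original notes")      # stale copy
    return primary, backup


if __name__ == "__main__":
    p, b = build_demo_tree()
    report = verify_backup(p, b)
    for kind in ("missing", "mismatched", "ok"):
        for rel in report[kind]:
            print(f"{kind:10s} {rel}")
```

Run it against a real drive by replacing `build_demo_tree()` with your own two `Path` objects; anything listed as missing or mismatched is a file you could not restore today.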
Time: Typically 5-45 mins, unattended
Frequency: Bi-monthly
Updating your operating system (OS) is like patching the walls and windows of your digital home, keeping hackers out and your data safe.
MacOS: https://9to5mac.com/2018/07/18/mac-how-to-check-for-updates/
Windows: https://its.uiowa.edu/support/article/1418
iOS: https://support.apple.com/en-us/HT204204
Android: https://support.google.com/android/answer/7680439
Router: https://www.zdnet.com/home-and-office/networking/how-to-update-your-routers-firmware/
Always make sure that your mobile device has 2 GB+ free and your desktop has 10% or more of its storage free for app and OS updates. A full disk puts you at risk, because updates can fail to install!
Time: Typically 1-3 mins, in background
Frequency: Daily
Browser updates patch security holes in the part of your digital home that is exposed to the outside world, keeping your browsing adventures safe and your data out of harm's way. I do this every time I use a desktop browser.
Most browsers update automatically by default, but you can manually update it by doing the following:
Open your browser menu.
Find your browser's About page and select it.
Click the update button.
Close your browser and relaunch it.
Time: Typically 20 mins - 2 hrs, unattended, depending on the type of drive storage and the amount of data to scan
Frequency: Monthly
MacOS XProtect: Apple's built-in antivirus technology for macOS. It automatically detects and blocks known malware, providing effective protection without the need for additional virus scanning. https://iboysoft.com/wiki/xprotect-mac.html
Perform a FULL SCAN. Full virus scans deeply search your system for hidden threats, ensuring peace of mind and safeguarding your data from potential harm. If malware is found, I recommend performing another "clean" backup.
Windows: Scanning with Windows Defender https://support.microsoft.com/en-us/windows/stay-protected-with-windows-security-2ae0363d-0ada-c064-8b56-6a39afb6a963#bkmk_run_an_advanced_scan
ISP Provided Antivirus
While Windows Defender has improved, some third-party antiviruses offer more advanced features, wider threat detection, and better performance, potentially enhancing your overall online security. Your ISP may provide one for you at no cost:
ATT: https://www.att.com/support/article/u-verse-high-speed-internet/KM1046931/
Spectrum: https://www.spectrum.net/support/internet/security-suite-windows-installation
Time: Typically 5 mins
Frequency: 3 months
Regular security checkups let you manage data privacy, adjust security settings, and identify potential threats, keeping your online information safe and sound.
Google/Gmail: https://myaccount.google.com/intro/security-checkup
Facebook: https://www.facebook.com/security/checkup/
Microsoft/Outlook/Hotmail: https://account.microsoft.com/security
Do not start this step unless you've done everything in the previous steps. Skipping OS updates and malware scans and then changing passwords or working with sensitive data can put you at risk of "leaking" that data to malware already on the machine. Remember, the most effective approach depends on your individual needs, risk tolerance, and comfort level with technology. Carefully evaluate the advantages and limitations before implementing any of the best practices below.
NordVPN Link Checker https://nordvpn.com/link-checker/
Never click on suspicious links, especially those from an unknown sender.
Never click on unsolicited links about family emergencies: accidents, hospitalizations, and/or death.
5 URL Warning Signs https://www.du.edu/it/services/security/5-url-warning-signs
Always call/text a contact you have verified to authenticate any suspicious links.
Use the link hover technique
Link hovering safely reveals the true destination of a link before clicking, preventing you from unknowingly visiting malicious websites.
How to link hover: https://my.wlu.edu/its/how-to/safe-computing-hover-technique
Now that you know how to link hover, all the links below are clickable for you to practice.
Try link hovering over this link for PasswordKeeper, or click on it for fun. It's safe, I promise. If you don't believe me, use the link checker from the last section.
HTTPS scrambles data in transit, making your browsing more secure and protecting your information from eavesdroppers. Notice that I did not shorten any of the links on this page or hide them behind text. That is so you can see the actual links, notice that they use HTTPS, and confirm that they go to a reputable domain. HTTPS-only mode will ensure you receive a warning if you stumble onto an unsecured HTTP site.
Enable HTTPS Only mode in your browser
While HTTPS provides some security, even it can be misused for phishing. Here's how:
Deceptive URLs: Phishing sites often use lookalike domain names with small changes (e.g., "pаypаl.com" with Cyrillic letters instead of "paypal.com") or misspelled words.
Man-in-the-middle attacks: Hackers who can position themselves between your device and the website can still intercept traffic in some circumstances, even with HTTPS, potentially stealing data.
Beware of pre-filled forms: Phishing sites might use your email address obtained from data leaks to appear legitimate.
Remember, HTTPS adds a layer of security, but vigilance is key: verify your links!
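A quick way to check the "deceptive URL" case before you click is to look at which alphabets the hostname actually uses and at the punycode form that the browser resolves. The script below is an added example, not part of the original page: it pulls the hostname out of a URL, flags labels that mix Latin with another script (the Cyrillic "а" in "pаypаl" is pixel-identical to Latin "a"), and prints the ASCII "xn--" form. The sample URLs are constructed for the demo.

```python
"""Flag lookalike (homograph) hostnames before you click.

Added example (not from the original page). Given a URL, pull out the
hostname, report which alphabets its letters come from, flag any DNS
label that mixes scripts, and show the punycode form browsers resolve.
Legitimate internationalized domains also show "xn--", so treat
needs_review as "compare against the domain you expect", not "phish".
"""
import unicodedata
from urllib.parse import urlsplit


def script_of(ch: str) -> str:
    """First word of the Unicode character name: LATIN, CYRILLIC, ..."""
    return unicodedata.name(ch, "UNKNOWN").split(" ")[0]


def inspect_host(url: str) -> dict:
    """Return findings about the hostname in `url`.

    scripts:      alphabets used by letters in the host (digits ignored)
    mixed_script: some single label (between dots) mixes alphabets
    punycode:     ASCII form the resolver sees; "xn--" marks non-ASCII
    needs_review: host is non-ASCII or mixed; compare to the real domain
    """
    host = (urlsplit(url).hostname or "").lower()
    letters = [c for c in host if c.isalpha()]
    scripts = sorted({script_of(c) for c in letters})
    mixed = any(
        len({script_of(c) for c in label if c.isalpha()}) > 1
        for label in host.split(".")
    )
    try:
        puny = host.encode("idna").decode("ascii")
    except UnicodeError:
        puny = "<cannot encode>"
    return {
        "host": host,
        "scripts": scripts,
        "mixed_script": mixed,
        "non_ascii": not host.isascii(),
        "punycode": puny,
        "needs_review": mixed or not host.isascii(),
    }


if __name__ == "__main__":
    samples = [                                   # constructed examples
        "https://www.paypal.com/signin",
        "https://www.p\u0430yp\u0430l.com/signin",  # Cyrillic а (U+0430)
    ]
    for u in samples:
        r = inspect_host(u)
        print(f"{r['host']:20s} scripts={r['scripts']} "
              f"punycode={r['punycode']} needs_review={r['needs_review']}")
```

The second sample looks like "www.paypal.com" on screen but resolves to a "www.xn--..." name, which is the tell the link-hover technique is meant to surface.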
Don'ts:
Reveal your passwords to others.
Use weak, easy-to-guess passwords like "123456" or "password" that hackers easily can crack.
Reuse the same password for multiple accounts (this is what makes credential stuffing work: one leaked password unlocks every account that shares it)
Do's:
Use long passwords or passphrases - length trumps complexity
Use upper and lower case, numbers, special characters
Use different passwords for different accounts
Use passwords hard to guess but easy to remember
Pros of using a password manager:
Stronger passwords: Password managers generate and store complex, unique passwords for each account, reducing the risk of brute-force attacks and breaches.
Convenience: Remember only one master password to access all your accounts, eliminating the need to memorize numerous passwords. Allows sharing with family members.
Security features: Many offer additional security features like multi-factor authentication and secure password sharing.
Cons of using a password manager:
Single point of failure: If your master password is compromised, all your accounts are at risk.
Cost: Some advanced features might require a paid subscription.
Reliance on technology: If you lose access to your password manager, accessing your accounts can be challenging.
Cloud Options:
Free Organization Plan (2 users free)
Local Option (One Device Only):
Ultimately, the decision to use a password manager depends on your individual needs and risk tolerance. Weighing the pros and cons and understanding the potential risks can help you make an informed decision.
If you do decide to use a password manager, once you input ALL of your passwords, you'll get a more complete picture of your online accounts attack surface area.
Even strong passwords can be stolen, but 2FA adds an extra layer of security, making it much harder for hackers to break into your accounts by combining something you have (a TOTP app or a physical FIDO2/U2F key) with something you know (your password).
Authenticator Apps - Stores Time-Based One-time Passwords (TOTP)
Password manager (not recommended): You can put TOTP in your password manager, but DON'T put your eggs in one basket. Compromising your master password potentially grants access to both passwords and TOTP codes, defeating 2FA's purpose.
Physical device - FIDO U2F or FIDO2 Security Key
Yubikey: It's what I use. (Also note: using a smartphone that no longer receives updates poses significant security risks for banking activities, leaving your personal data vulnerable to hacking and compromising your financial security.)
Feitian ePass K9: A more affordable alternative to YubiKey with similar features, including support for FIDO2 and U2F protocols.
Thetis Bio FIDO U2F Security Key: Combines fingerprint authentication with FIDO2 and U2F support, offering an extra layer of security.
Google Titan Key: The Titan Security Key, developed by Google, is a FIDO-compliant hardware security token that enhances account protection by preventing phishing.
When setting up 2FA, you will usually receive (10) one-time use codes for recovery purposes. Keep these in a safe place for account recovery.
Biometric lock
Biometric locks on smartphones offer a higher level of security compared to traditional PINs or passwords, as they rely on unique biological data (such as fingerprints or facial features) that is harder for unauthorized users to replicate
iOS Stolen Device Protection
Enabling Stolen Device Protection on iPhone adds an extra layer of security by requiring Face ID or Touch ID authentication and a one-hour security delay, preventing unauthorized access even if someone knows your passcode.
Recovery options
If you've forgotten your password and can't recover it, or your account has been hacked, you need to already know how to recover your account so you can regain entry. Familiarize yourself with each account's recovery process now; without it, you risk being locked out of your account, and possibly all your data, permanently.
Legacy contacts play a crucial role in ensuring that your digital assets are managed appropriately after your passing. By designating a trusted person as a legacy contact, you grant them access to specific online accounts, allowing them to download data or delete the account according to your wishes.
Apple ID: By enabling this feature, you ensure that your iCloud data receives Apple's highest level of security. It restricts access to encryption keys, safeguarding categories like iCloud Backup, Photos, and Notes, especially on trusted devices.
Google (A FIDO compliant key is required): This program adds a physical identity layer through security keys, preventing unauthorized access even if someone has your password. It allows only Google apps and verified third-party apps to access your account data with your explicit permission, enhancing overall security.
Credit report. You have 1 free credit report annually from each of the 3 major credit reporting agencies. I recommend you rotate among them on a 4-month basis, so that you can monitor your credit throughout the year. Set a calendar reminder to do this for Experian, Equifax, and Transunion. The easiest way for me to remember is Christmastime, Tax Day, and End of Summer.
annualcreditreport.com (it's not clickable for a reason). The only link I will click to get to it is through USA.GOV (Keep checking those links!)
Credit freeze. Freezing your credit is one of the most crucial steps you can take to protect yourself from identity theft. By placing a credit freeze, you prevent unauthorized individuals from opening fraudulent credit accounts in your name. Essentially, it acts as a safeguard by restricting access to your credit report, making it challenging for anyone (including identity thieves) to establish new credit accounts using your personal information.
Experian: https://usa.experian.com/mfe/regulatory/security-freeze
Equifax: https://www.equifax.com/personal/credit-report-services/credit-freeze/
Transunion: https://www.transunion.com/credit-freeze
Activate Touch Payments: Using touch pay (such as Apple Pay, Google Pay, or Samsung Pay) is more secure because it encrypts your payment information and requires biometric authentication, adding an extra layer of protection against unauthorized access.
Activate Credit Card Alerts: Setting up credit card alerts is an important step in managing your finances and protecting yourself from potential fraud or unauthorized charges, allowing you to stay informed about your credit card activity and promptly identify suspicious transactions.
Enable Account Activity Alerts to Level Up Your Financial Super Powers - Emusements by Randy Parker
Virtual Cards
Here are a few credit cards that are known to have virtual card generating capabilities: Capital One Venture X, Citi Diamond Preferred, Citi Premier, Citi Double Cash, American Express Blue Cash Everyday
Privacy.com is a secure payment service that helps users shop safely online by allowing them to generate unique virtual card numbers.
VPNs enhance online privacy by encrypting your data, making it difficult for anyone to monitor your online behavior.
When should you use it?
Geo-restricted content viewing. VPNs allow you to access geo-restricted content by connecting to servers in other countries.
Public Wifi. Use a VPN to secure public Wi-Fi connections, protecting sensitive data from potential attackers.
However, there are trade-offs: VPNs can slow down your internet speed, introduce latency, and may involve costs and complexity. Choosing a trustworthy provider is crucial, since all your internet traffic passes through the provider while the VPN is on.
Sensitive Data Storage Strategy
Most "sensitive" data will be files and documents that contain your social security number, banking, and/or medical information. If you're storing these documents, they are usually small files. Although there are features that let you encrypt your whole hard drive, if you're looking to only secure these files there are utilities that allow you to only encrypt a certain portion of your file storage. It will be like locking and unlocking a small portion of your data on your device.
Windows: https://veracrypt.eu/en/Beginner%27s%20Tutorial.html
Mac: https://www.digitalsecurity.film/create-encrypted-file-containers-on-macos
Mobile: https://cryptomator.org/
Cloud: https://www.boxcryptor.com/
Securely Delete Files: Most of the antivirus solutions provided by your ISP will contain a secure file deletion feature.
Keep up to date with evolving threats and breaches.
Email Newsletter: SANS Institute Ouch! Email Newsletter. SANS is the most trusted resource for cybersecurity training, certifications and research, and they have an email newsletter for the everyday user in easy-to-understand language.
Podcast: All The Hacks
HaveIBeenPwned.com: Check to see if your email or username has been part of a recent breach.
Identity monitoring solution. Breaches happen so often that I end up being offered free credit monitoring services every few years. Take advantage of these free services if you get a chance.
Do your own research. Most cybersecurity experts can poke holes in everything I list above. Because the threat landscape always changes, there will be some caveat to using a certain service, performing an update, or using a certain strategy. But for most people, NOT DOING ANYTHING puts them at more risk.
Clean up your online presence. Using your password manager, you can identify idle/unused accounts and invoke your CCPA rights for deletion.
Delete old email accounts: back up the account, then either delete it or set a permanent vacation responder.
Delete old online accounts.
Evaluate your family's attack surface. If you share accounts and/or data with your spouse, partner, children, or parents, your data is only as secure as their security practices. Inform them. Do a security checkup with them, check their credit reports, and help them freeze their credit.
Advanced Backup strategies
Windows and MacOS logins can be intertwined with your desktop/laptop and your cloud data. So if your account is hacked, 2 sources of your data may be at risk. When you are starting out, OneDrive and iCloud can be considered a backup, but they are actually cloud sync services. If one gets compromised, the other may also. It's time to consider a more robust cloud backup solution like Backblaze (in addition to your external hard drive backup). Other alternatives:
Photo/Video Backup. These are usually going to be the biggest chunks of a backup. If you take a lot of photos and videos, consider using a separate cloud backup provider from your cloud files.
Ente.io (privacy focused): Ente.io provides an end-to-end encrypted alternative to services like Google Photos, ensuring secure photo backup and sync across platforms
Amazon Photos: As a Prime member, you get unlimited full-resolution photo storage with Amazon Photos, ensuring your cherished memories remain secure and accessible across all your devices
Firefox configuration: https://gofoss.net/firefox/#firefox-privacy-settings-browser-security
Go Open Source! I've learned a lot about free and open source software (FOSS) alternatives from various sources:
Go FOSS https://gofoss.net/
Reddit subreddits: r/degoogle r/privacy r/selfhosted
Try a FOSS Phone OS:
iPhone Privacy Settings: https://www.youtube.com/watch?v=-nCRWI6cHJo
Consider "diversifying" your email addresses. One email for online shopping and social media. One "secure" email for online banking, DMV renewals, tax returns, etc...
Advantages:
Reduced spam and phishing: Dedicate one address for each activity to minimize spam and phishing attempts targeting specific sites.
Data breach containment: If one address gets compromised, your other accounts and personal information remain protected.
Enhanced privacy: You can choose to share different levels of personal information with different services.
Disadvantages:
Management complexity: Remembering and managing multiple addresses can be cumbersome.
Verification challenges: Some services may require email verification for account changes, leading to confusion if using different addresses.
Limited effectiveness: While it helps mitigate certain risks, it's not foolproof against sophisticated attacks.
Email Providers options
Secure, but not so private: Gmail
Private, but not as secure: Protonmail, Tutanota
Consider "diversifying" your attack surface among two computers. One computer for online shopping and social media. One computer for "secure" activities, such as: online banking, DMV renewals, credit reports, tax returns, etc...
Having two separate computers can offer some potential benefits for privacy and security, but it's important to understand the limitations and potential drawbacks. Here's the breakdown:
Potential benefits:
Reduced attack surface: Keeping financial activities on a separate machine reduces the overall attack surface exposed to potential threats like malware or phishing attacks targeting online shopping sites.
Improved containment: If one computer gets compromised, it may not directly impact the other, potentially limiting the damage and spread of malware or data breaches.
Enhanced awareness: Using designated devices can increase awareness of online security behaviors and encourage more cautious practices for financial activities.
However, it's crucial to consider the limitations and potential drawbacks:
Cost and complexity: Maintaining two separate computers can be expensive and inconvenient, especially if you have limited resources.
Maintenance challenges: Keeping both machines updated and secure with necessary software and patches requires additional effort and expertise.
Limited effectiveness: Sophisticated cyberattacks can still target both machines or exploit vulnerabilities outside the designated device, potentially negating the benefits.
Whitelisting technique. Some privacy browsers, tools, and extensions can "break" websites, causing them not to load certain areas, not work properly, or not load at all. Before you use any privacy tools, it's important that you understand how to whitelist websites that you need to use without disruption, such as Google Drive, iCloud, Amazon Photos, etc...
Privacy focused browsers. A privacy browser, such as Firefox or Brave, prioritizes user privacy by blocking ads, trackers, cookies, and employing features like onion routing
Adblockers: uBlock Origin is a CPU and memory-efficient content blocker that effectively blocks ads, trackers, and other unwanted elements while enhancing browsing performance
Tracking protection: Privacy Badger https://privacybadger.org/
Data Aggregator/OSINT Opt-Out: https://www.soc.mil/IdM/publications/docs/dataAggregators/Aggregator_Opt-out.pdf
Other Opt-Outs: https://www.consumerreports.org/electronics/privacy/easy-opt-outs-to-protect-your-privacy-a7017744648/
Privacy choices app: https://privacychoice.com/
Under the CCPA Act, CA residents have the right to:
The right to know about the personal information a business collects about them and how it is used and shared;
The right to delete personal information collected from them (with some exceptions);
The right to opt-out of the sale or sharing of their personal information
At the very least, you should be opting out of the sale of your information for every account you have listed.
ProtonPass is part of a complete suite of private email, VPN, password manager, and cloud storage.
Email relay. An email relay enhances privacy by obscuring your original email address, allowing you to communicate without revealing personal information directly.
Simple Login has 10 relay emails for free https://simplelogin.io/
Firefox Relay has 5 relay emails for free https://relay.firefox.com/
iCloud+ starts at $0.99/mo for 100?+ relay emails https://support.apple.com/en-us/HT210425
Google Workspace has 30 aliases with a paid account https://support.google.com/domains/answer/6304345?hl=en
iOS Ask app not to track
Disabling the “Allow Apps to Request to Track” option on iOS enhances privacy by preventing apps from collecting and sharing your data across other companies’ apps and websites without explicit permission