1. Only install software from trusted sources. Don’t install dodgy things you find on the Internet. This goes for your cell phone, computer system, virtual machines, containers, and so on.
  1. Backup your data. If you get hit with ransomware, you don’t have to pay if you have backups.
  1. Always keep your systems fully up to date with the latest security fixes. The number of systems that are outdated and have known security vulnerabilities is scary. Script kiddies rely on you not to update your system.
  1. Take advantage of the auditing subsystems. There are lots of cool tools to help monitor your system. If you do have a break-in, the audit system might well be able to tell you what happened and what the attacker did.
  1. Always use HTTPS when connecting to services on the network. Chrome and Firefox now have modes to enforce this. If a web site does not support secure communications by 2016, it is probably not worth your visit.
  1. Never use the same password on different web servers. This is a difficult trap to avoid. Tools like Let’s Encrypt help a lot. It’s even better if you use ssh keys to log into systems.
  1. Don’t install or use Flash. Firefox no longer supports it, and hopefully most web servers are moving away from it.
  1. Use confined SELinux users to control what users do in your systems. If you are running a shared login system, set up users as guest_t.
  1. Control the devices available to your service. Systemd provides the DeviceAllow directive, which controls the devices available to the service. DeviceAllow=/dev/null rw will limit access to /dev/null and only this device node, disallowing access to any other device nodes. The feature is implemented on top of the devices cgroup controller.
  1. Coming soon to a systemd system near you is a new feature, ProtectSystem Strict, which can turn on all of these namespaces to fully lock down the environment in which a service runs.
  1. Only run distributions with a Security Response Team watching over the security of the distribution. Enterprise Software is important.
  1. Most hacks are social engineering—for example, email links, web browser attacks, and phone calls. The best option here is to be educated and skeptical. No one from Nigeria is giving you money. The IRS is not calling your house demanding money. If you get a link to a web site in email from your bank, don’t use the link. Type the address directly on the web browser.
  1. Use a syncstop when you have to charge your phone in a public place, or bring your own battery backup.
  1. Run applications in the SELinux Sandbox whenever possible—it was a container before containers were cool. Also follow the development of Flatpak, which soon should be developing sandboxing capabilities.
  1. Use tools like OpenSCAP to scan your systems for vulnerabilities. Sadly, new vulnerabilities are always popping up, so you must keep your scanners up to date.
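
The DeviceAllow and ProtectSystem tips above can be checked mechanically. The following Python audit of a unit's [Service] section is an added example, not code from the original post or from systemd. Assumptions: the sample units and the /usr/bin/example-daemon path are constructed, ProtectSystem=strict is the unit-file spelling of the setting the list calls "ProtectSystem Strict", and DevicePolicy= is a related systemd directive the list does not mention.

```python
# Added example (not from the original post): audit a unit's [Service]
# section for the device and filesystem lockdown directives named above.
# All sample units below are constructed for illustration.

def parse_service(unit_text):
    """Return {key: [values]} for [Service]; keys such as DeviceAllow=
    may repeat, and an empty assignment resets what was collected."""
    settings, section = {}, None
    for raw in unit_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
        elif section == "Service" and "=" in line:
            key, value = (p.strip() for p in line.split("=", 1))
            if value:
                settings.setdefault(key, []).append(value)
            else:
                settings[key] = []
    return settings

def audit_unit(unit_text):
    """Return findings; an empty list means nothing to flag for these directives."""
    s = parse_service(unit_text)
    findings = []
    allow = s.get("DeviceAllow", [])
    policy = (s.get("DevicePolicy") or ["auto"])[-1]
    if not allow and policy == "auto":
        findings.append("devices: unrestricted (no DeviceAllow=, DevicePolicy=auto)")
    elif policy != "strict":
        findings.append("devices: standard pseudo devices remain reachable "
                        "besides the listed nodes; set DevicePolicy=strict")
    for entry in allow:
        node, _, access = entry.partition(" ")
        if "m" in access:  # m = the unit may create this node with mknod
            findings.append(f"devices: {node} grants mknod (m)")
    if (s.get("ProtectSystem") or ["no"])[-1] != "strict":
        findings.append("filesystem: ProtectSystem=strict is not set")
    return findings

WEAK = "[Service]\nExecStart=/usr/bin/example-daemon\n"
PAGE_STYLE = WEAK + "DeviceAllow=/dev/null rw\n"
HARDENED = PAGE_STYLE + "DevicePolicy=strict\nProtectSystem=strict\n"

if __name__ == "__main__":
    for name, unit in [("weak", WEAK), ("page", PAGE_STYLE), ("hardened", HARDENED)]:
        print(name, audit_unit(unit))
```

On a live system, `systemctl cat <unit>` prints the unit text, including drop-ins, that this function expects.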