Security for Everyone

Storm
November 07, 2017

Ignite talk at DevOpsDays Cape Town 2017

Practical tips for developers to be better at personal security.

Transcript

  1. Threat Modeling

    A way of narrowly thinking about the sorts of protection you want for your data. It's impossible to protect against every kind of trick or attacker, so you should concentrate on which people might want your data, what they might want from it, and how they might get it. - https://ssd.eff.org/en/glossary/threat-model
  2. Threat Model

    • What am I trying to keep safe?
    • Who am I trying to defend against?
    • How likely is it that an adversary will succeed?
    • How bad is it if they do?
    • How much effort am I willing to put into protecting this?
  3. Threat Model Example

    • What am I trying to keep safe?
      ◦ Emails
    • Who am I trying to defend against?
      ◦ Bots, skiddies
    • How likely is it that an adversary will succeed?
      ◦ That depends on precautions
    • How bad is it if they do?
      ◦ Catastrophic
    • How much effort am I willing to put into protecting this?
      ◦ Significant
  4. When Password Managers Can’t

    • Still need a good one to protect your password manager
    • Passphrases are better than passwords
    • Diceware
    • https://xkcd.com/936/ (CORRECT HORSE BATTERY STAPLE)
  5. 2 Factor Authentication

    1. FIDO U2F device (http://www.dongleauth.info/)
    2. Authenticator app (Google, Authy)
    3. Backup codes on paper
    4. SMS or email