securityinnovation / security-best-practices Goto Github PK

There should be definitions of some terms that aren't readily apparent, or used specific to this docoument. They should be linked within content.

A full review of content by another reviewer

The Travelling Safely page needs to be restructured. Right now it covers too many topics and is kind of confusing.

needs rewritting, doesn't work for this section

Full Content review by a peer

Add details to Android page about disabling GPS as we link to it from the GPS page.

There really should be a ton more stuff to add to this.

Once moved to the SI branch I'll start embedding the videos.

There should be definitions of some terms that aren't readily apparent, or used specific to this document. They should be linked within content.

reread all pages to ensure any mention of "Tips" is changed to "Best Practices"

Received a question from a non-technical user on which vpn software to use on a mac. This is good that they are asking questions, means they are reading the guide.

Add more details to vpn section on products and recommendations.

We should have a page on how to use bitlocker and FileVault2.

I also would love to recommend a cross-platform solution, but Truecrypt is the only one that ever worked well, and it's been "deprecated." Are there other ones out there?

So right now the threat section of each area is basically a mishmash of general threats to a topic (The Android page is a particularly good example). I like the idea of having the following structure.

#<Topic Name>

##General Threats
This should be general threats to a device. E.g. Android devices experience OS version fragmentation, mobile phones can be virus vectors, blah blah.

##Threats and Mitigations
This should be a list of threats and their corresponding solutions. E.g.
###Android OS Vulnerable to Known Attacks
**Description:** Google regularly provides important security updates to Android, especially to prevent known attacks against Android devices.
**Mitigation:** Regularly check that your phone is updated to the latest version blah blah

###Device Stolen
**Description:** If your phone is ever stolen or confiscated it can be trivial for an attacker to retrieve your files from the phone
**Mitigation:** Enable encryption on the device

##Tips
* Bulleted list of general advice that maybe don't directly mitigate a threat or mitigate multiple threats

##Additional Resources
* Bulleted list of additional resources on the topic

Current license (I believe) puts this content in the public domain. Consider adapting a different license. We may want to prevent commercial use, require attribution, etc. https://wiki.creativecommons.org/wiki/Considerations_for_licensors_and_licensees

All of the resources out there on BYOD security are all for the employer. We should add a page with considerations for regular users.

What are the implications of using my personal device at work?
What do the MDM's do and how do they impact my use / safety?
What will my employer be able to see?

Create an image security page for discussing how metadata can reveal sensitive information including geolocation.

If this is to turn into a book an interesting anecdote would be great to add to each section

The Browser Security page probably should be restructured: https://github.com/MrVaughan/Security-Best-Practices/wiki/Browser-Security

I am concerned that if we're going to be distributing this best practices document that we should be making strong product recommendations. Just saying Chrome is the best, is probably not sufficient, and will get all the Mozilla fanboys mad at us. We might want to say that Chrome sandboxes things better and have their own Flash binary instead of Adobe. Also, is Microsoft Edge that bad? Or even IE11 in terms of security? This is why I'm leery of recommending a specific product.

Also, why this? "Use incognito mode to do browsing sensitive sites"
Is it because it won't store the cookies? Maybe expand and explain why.

Get an industry peer outside of SI to review the first draft.

The https://github.com/MrVaughan/Security-Best-Practices/wiki/Backups page deviates from other pages by calling the heading "Easy Solution" vs. "Solutions."

I get why you did that, as you wanted to call out that this was less than ideal, but it's jarring to the reader. I would change it.

All first round pages need to be written.

• Device security guides (win,mac,ios,android)
• VPN / Proxies
• Tor
• Torrenting
• Backups

Consider adding this page at a later date.

The "Social Engineering" page is too colloquial and is written in a style that doesn't match the other pages. I would change some of the words and reorganize it to match.

This guide has the potential to be awesome enough that we should consider moving the content to its own domain and using Mediawiki (or equivalent).

For each section add additional external resources for more information.

For each "Do this' Mentioned in guide, write a step by step how to guide for each item

Currently we have a "Mac" page and a "Windows" page. One of them refers to the hardware, while the other one refers to the operating system. I would suggest changing the Windows page to "PC", to be consistent.

I was going to suggest changing the Mac page to OS X, but then realized our target audience might not realize that's the operating system that runs on Macs.

We talk about iMessage in the SMS page, but maybe we want to mention it in the Chat page? Since it's kind of a hybrid SMS and chat application