by David Snopek on January 31, 2017 - 11:58am

I'm a member of the Drupal Security Team, and many of the services offered by myDropWizard involve assisting our customers to improve the security of their Drupal sites -- so, I know quite a lot about security and try to be mindful about my own computer use.

However, computer security is an on-going process: it can always be improved and so you're never truly done.

In this article, I'm going to share my personal list of security resolutions for 2017!

Maybe you'll find something you'd like to implement as well?

Or perhaps you'd like to share your own security resolutions for this year?

Please share your thoughts in the comments (or on Twitter)!

Encrypt my home directory

Access to my laptop is already password protected, and it'll show a password prompt after it's been idle for a short time, or if the lid is opened, so, I always close the lid when I walk away from my computer.

But if it were stolen, the drive could be booted in another computer or with a boot disk, and someone with the right skills could access the data on my drive!

However, if my home directory (where any sensitive data would be) or the whole disk were encrypted, a would-be hacker wouldn't be able to read any of that data without the passphrase! (Note: whole disk encryption is generally considered superior, because home directory encryption only covers what lives under your home: swap space, /tmp and system logs can still leak data unless they are encrypted too. But whole disk encryption is hard or impossible to set up without doing a complete reinstall of your OS.)

These days, encrypting some or all of your files is quite simple and performant. If you use Ubuntu (like I do), it's just a checkbox during install and relatively simple after the fact. While I haven't done it on MacOS or Windows, my understanding is that the latest versions have support for disk encryption built in!
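To check what is actually covered once you've turned encryption on, here is an added example (my own code, not something from the original post): it parses /proc/mounts, finds the mount that holds a given path, and reports whether that mount is eCryptfs (Ubuntu's "encrypt my home folder" option) or sits on a dm-crypt/LUKS block device. The mount table and device-mapper UUIDs below are constructed sample data; the `live_report` function reads the real ones on a Linux machine.

```python
import os

# Constructed /proc/mounts excerpt (not from a real machine): an Ubuntu laptop with an
# unencrypted root filesystem and an eCryptfs-encrypted home directory for user "alice".
SAMPLE_MOUNTS = """\
/dev/sda2 / ext4 rw,relatime,errors=remount-ro 0 0
tmpfs /run tmpfs rw,nosuid,nodev,mode=755 0 0
/home/alice/.Private /home/alice ecryptfs rw,nosuid,nodev,relatime,ecryptfs_cipher=aes,ecryptfs_key_bytes=16 0 0
/dev/mapper/data-vault /mnt/vault ext4 rw,relatime 0 0
/dev/mapper/vg0-projects /srv/projects ext4 rw,relatime 0 0
"""

# Constructed device-mapper metadata, as read from /sys/block/dm-*/dm/{name,uuid}.
# dm-crypt (LUKS) mappings carry a UUID prefixed "CRYPT-"; plain LVM volumes are prefixed "LVM-".
SAMPLE_DM_UUIDS = {
    "/dev/mapper/data-vault": "CRYPT-LUKS2-0123456789abcdef-data-vault",
    "/dev/mapper/vg0-projects": "LVM-abcdefghijklmnopqrstuvwxyz0123456789",
}


def parse_mounts(text):
    """Return (mountpoint, device, fstype) for each /proc/mounts line."""
    entries = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 3:
            continue
        device, mountpoint, fstype = fields[0], fields[1], fields[2]
        # /proc/mounts escapes whitespace in paths as octal (\040 for a space)
        mountpoint = mountpoint.replace("\\040", " ")
        entries.append((mountpoint, device, fstype))
    return entries


def mount_for(path, entries):
    """Longest-prefix match: the mount entry that actually holds `path`."""
    path = os.path.normpath(path)
    best = None
    for mountpoint, device, fstype in entries:
        prefix = mountpoint.rstrip("/") + "/"
        if path == mountpoint or path.startswith(prefix):
            if best is None or len(mountpoint) > len(best[0]):
                best = (mountpoint, device, fstype)
    return best


def is_encrypted(path, entries, dm_uuids):
    """True if `path` sits on an eCryptfs mount or on a dm-crypt (LUKS) block device."""
    found = mount_for(path, entries)
    if found is None:
        return False
    mountpoint, device, fstype = found
    if fstype == "ecryptfs":
        return True
    if device.startswith("/dev/mapper/"):
        return dm_uuids.get(device, "").startswith("CRYPT-")
    return False


def encryption_report(paths, mounts_text=SAMPLE_MOUNTS, dm_uuids=SAMPLE_DM_UUIDS):
    """Map each path to whether it is on encrypted storage (defaults use the sample data)."""
    entries = parse_mounts(mounts_text)
    return {p: is_encrypted(p, entries, dm_uuids) for p in paths}


def live_report(paths):
    """Same check against the running system (Linux only)."""
    with open("/proc/mounts") as f:
        mounts_text = f.read()
    dm_uuids = {}
    for dm in os.listdir("/sys/block"):
        if not dm.startswith("dm-"):
            continue
        with open(f"/sys/block/{dm}/dm/name") as f:
            name = f.read().strip()
        with open(f"/sys/block/{dm}/dm/uuid") as f:
            dm_uuids["/dev/mapper/" + name] = f.read().strip()
    return encryption_report(paths, mounts_text, dm_uuids)


if __name__ == "__main__":
    for path, ok in encryption_report(["/home/alice/.ssh/id_rsa", "/tmp/scratch"]).items():
        print(f"{path}: {'encrypted' if ok else 'NOT encrypted'}")
```

On the sample table the SSH key under /home/alice is covered, but /tmp (and anything else on the root filesystem) is not, which is exactly the gap whole disk encryption closes.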

Given the amount of confidential information (both personal and professional) that we all keep on our computers, I don't see any compelling reasons NOT to use encryption.

(This is actually something I already did back in December when I first came up with my resolutions and posted them on Twitter... So, don't steal my computer ;-))

Get a perfect score on the LastPass security challenge

There are a lot of relatively sophisticated things you can do to improve security: applying security updates, auditing code for vulnerabilities, penetration testing, auditing permissions against the principle of least privilege, etc.

But sooo much of that can be circumvented by bad password management.

We all know (or should know) to use complex passwords, have a different password for each account, rotate the passwords periodically and only ever store or transmit them encrypted. Using a tool like LastPass (which I've used for years and we use at myDropWizard) can assist you and I highly recommend it!

LastPass has this cool "Security Challenge" report which will look at all your saved passwords and check for:

  • Compromised passwords: If there was a known data breach of some service, it checks for passwords you haven't changed since the breach
  • Weak passwords: While LastPass will generate secure passwords, I sometimes forget to change non-secure passwords that were assigned to me
  • Reused passwords: When the same password is used for multiple services. Embarrassingly, I still have some passwords left over from before I joined LastPass (despite that being many years ago) which are repeats -- they aren't for essential services, but still, I should change them
  • Old passwords: These are passwords you haven't rotated in a long time

This is a great report to run periodically (maybe annually?) and address anything that may have slipped through the cracks.
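The four checks above are easy to run yourself against a password-manager export. The following is an added example written for this article, not LastPass's own code (its scoring formula isn't public): it flags compromised, weak, reused and old entries in a constructed sample vault. The "leaked password" set and the per-site breach dates are made-up stand-ins for a real breach feed, and the score is simply the percentage of entries with no findings.

```python
import hashlib
from collections import defaultdict
from datetime import date, timedelta


def sha1_hex(password):
    """Breach-list services publish leaked passwords as upper-case SHA-1 hex digests."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


# Constructed sample vault (not real credentials): site, username, password, date last changed.
SAMPLE_VAULT = [
    {"site": "bank.example",  "user": "alice", "password": "K7#pL9!vQ2zR$m", "changed": date(2016, 11, 3)},
    {"site": "forum.example", "user": "alice", "password": "summer2009",     "changed": date(2009, 6, 1)},
    {"site": "shop.example",  "user": "alice", "password": "summer2009",     "changed": date(2012, 2, 14)},
    {"site": "mail.example",  "user": "alice", "password": "Tr0ub4dor&3xyz", "changed": date(2015, 1, 9)},
]

# Constructed breach intelligence: when a site was breached, and hashes of passwords known to be leaked.
SAMPLE_SITE_BREACHES = {"mail.example": date(2016, 5, 1)}
SAMPLE_LEAKED_HASHES = {sha1_hex("summer2009"), sha1_hex("password123")}


def is_weak(password, min_length=12):
    """Weak = short, or drawn from fewer than three character classes."""
    classes = (
        any(c.islower() for c in password)
        + any(c.isupper() for c in password)
        + any(c.isdigit() for c in password)
        + any(not c.isalnum() for c in password)
    )
    return len(password) < min_length or classes < 3


def audit(vault, site_breaches, leaked_hashes, today, max_age_days=365):
    """Return ({finding: [sites...]}, score) for the four checks in the article."""
    findings = {"compromised": [], "weak": [], "reused": [], "old": []}

    # Group by password first so reuse can be detected in a single pass.
    sites_by_password = defaultdict(list)
    for entry in vault:
        sites_by_password[entry["password"]].append(entry["site"])

    for entry in vault:
        site, password, changed = entry["site"], entry["password"], entry["changed"]

        # Compromised: the site was breached after the password was last set,
        # or the password itself appears in a leaked-password list.
        breached_on = site_breaches.get(site)
        if (breached_on is not None and changed <= breached_on) or sha1_hex(password) in leaked_hashes:
            findings["compromised"].append(site)

        if is_weak(password):
            findings["weak"].append(site)

        if len(sites_by_password[password]) > 1:
            findings["reused"].append(site)

        if today - changed > timedelta(days=max_age_days):
            findings["old"].append(site)

    flagged = {site for sites in findings.values() for site in sites}
    score = round(100 * (1 - len(flagged) / len(vault))) if vault else 100
    return findings, score


def run_sample(today=date(2017, 1, 31)):
    """Audit the constructed vault as of the article's publication date."""
    return audit(SAMPLE_VAULT, SAMPLE_SITE_BREACHES, SAMPLE_LEAKED_HASHES, today)


if __name__ == "__main__":
    findings, score = run_sample()
    for kind, sites in findings.items():
        print(f"{kind:12s} {', '.join(sites) or '-'}")
    print(f"score: {score}%")
```

Note that a strong, unique password can still come out as "compromised" (mail.example here) purely because the service was breached after it was set; that check is about when you last rotated, not about the password's quality.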

My LastPass Security Challenge score

My current score is 93%, putting me in the top 1% among LastPass users, which isn't bad. However, as a "security expert," I feel like I should aim for a perfect score!

Enable Two-Factor Authentication (TFA) everywhere

If you aren't familiar with it, Two-Factor Authentication (TFA) is where you login by authenticating via two different mechanisms, usually a password and a mobile device. So, frequently, this means you enter your password, and then you're prompted for a code you get out of an app on your phone, or your phone shows a notification and you press a button to accept.

This mitigates a lot of the problems with passwords, and makes it a lot harder for someone to access your accounts if they've managed to steal some information from you.

For example, a lot of things we do as developers depend on our SSH keys. If someone managed to get hold of yours (maybe because you didn't encrypt your home directory, or didn't put a passphrase on the key?) then they could potentially access all of the production servers you have access to! With TFA enforced on those servers as well (many can ask for a one-time code after the key is checked), they'd also have to get your smart phone -- which is secured too, right? ;-)
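The "code you get out of an app on your phone" is almost always a TOTP (RFC 6238) built on HOTP (RFC 4226): both sides share a secret, and the code is a truncated HMAC over the current 30-second time step. Here is an added example of that exchange (my own implementation, not code from the post or from any particular authenticator app); it includes the verifier side with the small clock-drift window that servers typically allow. The secret is the RFC test-vector key, so the outputs can be checked against the published vectors.

```python
import base64
import hashlib
import hmac
import struct
import time

# The shared secret from the RFC 4226/6238 test vectors, as an authenticator app would
# receive it inside an otpauth:// URI (base32) and as the raw bytes both sides actually use.
RFC_SECRET_BASE32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"
RFC_SECRET = b"12345678901234567890"


def secret_from_base32(text):
    """Decode an otpauth-style base32 secret, tolerating missing padding and lower case."""
    cleaned = text.strip().replace(" ", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)
    return base64.b32decode(cleaned)


def hotp(secret, counter, digits=6, algo=hashlib.sha1):
    """RFC 4226: HMAC over the 8-byte big-endian counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algo).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret, at_time, step=30, digits=6, algo=hashlib.sha1):
    """RFC 6238: HOTP with the counter derived from Unix time / step."""
    return hotp(secret, int(at_time) // step, digits, algo)


def verify_totp(secret, code, at_time, window=1, step=30, digits=6):
    """Server side: accept the current step and `window` steps either side (clock drift),
    comparing in constant time so the check doesn't leak how many digits matched."""
    counter = int(at_time) // step
    for candidate in range(counter - window, counter + window + 1):
        if hmac.compare_digest(hotp(secret, candidate, digits), code):
            return True
    return False


def current_code(secret):
    """What the phone app would display right now."""
    return totp(secret, time.time())


if __name__ == "__main__":
    secret = secret_from_base32(RFC_SECRET_BASE32)
    shown = current_code(secret)                     # the phone's side
    print("app shows:", shown)
    print("server accepts:", verify_totp(secret, shown, time.time()))  # the server's side
```

A real deployment also needs to reject a code once it has been used within its step (replay protection) and to rate-limit attempts, since a 6-digit space is small enough to brute force if the server allows unlimited guesses.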

Not all services allow TFA, but increasingly more and more do! You can secure your Gmail and Drupal.org account with TFA, for example. And with the Drupal TFA module, you can add TFA to the user accounts on any of the Drupal sites you build.

I'm already using TFA for the most important accounts that I depend on, but certainly not everything! In 2017, I'd like to enable TFA on every account that supports it.

What are your resolutions?

Those are my security resolutions for 2017! While there's certainly more I could do, those are some great improvements, and I can improve even more next year. :-)

What do you think?

Do you have any security resolutions for 2017?

Please share them in the comments below, or on Twitter using the hashtag #SecurityResolutions!


Comments

Wow, we have a lot of common ground! Your LastPass score is humbling, I worked for an hour this morning to get to 32%! Lots of trash and ancient passwords, many from sites that do not even exist anymore. It was a little like looking in on my earlier self!

Thanks for great encouragement!

