Secure operating system boot. Your operating system will need self-checking processes to ensure its intended boot process hasn’t been compromised. UEFI-enabled systems (v.2.3.1 and later) can use UEFI’s Secure Boot process to begin a trusted boot process. Non-UEFI systems may have a similar feature, but it’s important to understand that if the underlying hardware and firmware do not have the necessary self-checking routines built in, upper-level operating system checks cannot be trusted as much.
Secure storage. Any device you use should have secure, default, encrypted storage, for both its primary storage and any removable media storage devices it allows. Local encryption makes it significantly harder for physical attacks to read your personal data. Many of today’s hard drives are self-encrypting, and many OS vendors (including Apple and Microsoft) have software-based drive encryption. Many portable devices offer full-device encryption out of the box. You should not use a device and/or OS that does not enable default storage encryption.
Two-factor authentication. Two-factor authentication is fast becoming a must in today’s world, where passwords are stolen by the hundreds of millions annually. Whenever possible, use and require 2FA for websites storing your personal information or email. If your computing device supports 2FA, turn it on there. When 2FA is required, it ensures an attacker can’t simply guess or steal your password.
(Note that using a single biometric factor, such as a fingerprint, is not even close to being as secure as 2FA. It’s the second factor that gives the strength.)
2FA ensures that an attacker cannot phish you out of your logon credentials as easily as they could if you were using a password alone. Even if they get your password or PIN, they will still have to get the second logon factor: biometric trait, USB device, cellphone, smart card, device, TPM chip, and so on. It has been done, but is significantly more challenging.
Be aware, though, that if an attacker gains total access to the database that authenticates your 2FA logon, they will have the super admin access necessary to access your data without your 2FA credentials.
Logon account lockout. Every device you use should lock itself when a certain number of bad logons have been attempted. The number isn’t important. Any value between 5 and 101 is reasonable enough to keep an attacker from guessing your password or PIN. However, lower values mean that unintentional logons might end up locking you out of your device.
Remote find. Device loss or theft is one of the most common means of data compromise. Most of today’s devices (or OSes) come with a feature, often not enabled by default, to find a lost or stolen device. Real-life stories abound in which people have been able to find their devices, often at a thief’s location, by using remote-find software. Of course, no one should confront a thief. Always get law enforcement involved.
Sign up for Computerworld eNewsletters.