Digital Security for the 2017 Lawyer (cameronhuff.com)
35 points by walterbell on April 30, 2017 | hide | past | favorite | 29 comments


This is a better list:

https://techsolidarity.org/resources/basic_security.htm

We've used this as the basis for training we're doing with NGOs, the press, and some legal groups.


Interesting list, thanks for posting. I'm curious about the rationale of several points on this list. Why shouldn't you use an Android phone but at the same time Chromebooks are recommended? I'm also surprised about uninstalling any antivirus products except for Windows Defender. I understand some companies are moving to CrowdStrike/Carbon Black, but what about individual users or smaller companies?

Also, is there a similar list for small companies focused on remote working?


Regarding antivirus, I can only suggest - talk to someone who has worked at an MSP for a while.

Companies with minimally or ad-hoc supported environments are nearly always dealing with various outbreaks (I mean literally daily), and yet the one thing they are always doing for security is buying McAfee or SEP because it's the one thing an auditor from an accounting firm told them to do.

Have a look at actual detection logs across several thousand machines. You'll see silly things like "tracking cookies" show up ("glad we bought that antivirus!!"), but blocked malware will be far more rare than actual outbreaks.

This will leave you with the view that they are not effective.

Then, talk to the sales team there. Often the only thing they can tell you about AV is that, aside from Office 365, it's the only guaranteed subscription service a client will sign up to. So now you know why having AV is a big deal.

Then look at how many hours get burned on things like "slow servers", where you find your Linux PostgreSQL server is configured with its database being scanned on write. And politically, it's easier to upgrade RAM and CPU than to try and exclude the database. So now you're just totally jaded on AV and wish the whole industry didn't exist.

I've never seen a bad Defender update nuke a running Windows installation, which I cannot say for any popular product. Look at last week's Webroot meltdown.


Because Chromebooks are more secure than Windows, Linux, or Mac laptops, but Android is markedly less secure than iOS. This isn't about which is our favorite company; it's about what the best options are for ordinary users.

If you know exactly what you're doing, and you're using a Google phone, you might be able to get approximately the same security out of an Android device as an iOS device. But ordinary users have no chance.


Thank you for the list.

Can you help me to understand the validity of this statement [0]?

> When used with the best practices for web security, the Chromebook is secure against most direct attacks on the local hardware and the Chrome browser, but its dependence on a web-based backend where US courts have already ruled there's less of an expectation of privacy is something no amount of end-point security is going to fix.

[0] https://arstechnica.com/information-technology/2013/09/why-t...


Files stored on cloud services have less legal protection in the US than files stored locally. Not "no" protection, but less.


But that translates to zero effective protection if the US government is interested in what a journalist is writing with his/her Chromebook.


While what you present is a possible extreme end result it is highly unlikely, and the level of attention would have to be far above just being 'interested' in the work of the journalist. The US government does not care about the work of 99.9999% of the journalists out there and if you are in the group that they care about you know it and are probably going to be using a less user-friendly but more secure process. Contra claims by the tinfoil crowd, Google is not in the habit of giving up info without fighting against the request so this option provides very strong protection for almost all of the potential audience for this.


Google is not in the habit but NSA is, as Snowden told us.


I would like to know why some people downvoted this comment.

Is my statement false? Please, explain why you think so.

I expect an intelligent interaction here in HN.


For US Persons anyway, they cannot get such data without a warrant, you are mistaken (I did not downvote you btw, as your interpretation is semi-common).


They cannot get the data without a warrant but NSA did it in spite of everything [0].

What we don't know for sure is if they're still doing it after being caught.

[0] https://www.washingtonpost.com/world/national-security/nsa-i...


Is there any hope for Android at this point? I like the freedom to hack on my phone, but it's quickly feeling like I'll need to get an iPhone for real work and leave the Android stuff as a hobby.


At least on Google's own phones, Android is improving continuously. When they get to the point where they're comparably secure, the guide will be updated. As you can see: it's not anti-Google bias producing that recommendation: the guide also says to use Chrome, and Chromebooks if possible.


If you don't mind elaborating, what do you consider the most important security properties still missing from Android on the Pixel phone?

My personal wishlist would include an equivalent of iOS's ability to encrypt new files to a public key while the phone is locked, as pointed out by Matt Green in "The limitations of Android N Encryption", but I'm interested in your perspective.


From the top of my head:

* Pair locking [1]

* Updates for longer than 18 months [2]

1: https://www.zdziarski.com/blog/?p=2589 - There was a more up to date guide but I can't find it.

2: https://www.businessinsider.com.au/apple-ios-10-iphone-softw...


So you don't like Evernote, Dropbox, etc., eh? What about cloud-based accounting such as Freshbooks?


It depends on what you're storing. I completely trust Dropbox with the screenshots I'm about to post to Twitter. If your financials aren't especially sensitive, Freshbooks is probably fine. I'm not a fan of Evernote w/r/t privacy and security.


> I'm not a fan of Evernote w/r/t privacy and security.

I've been interested in perhaps using Evernote given its popularity but haven't done much research into it. Do you have a quick summary to share, or perhaps a preferred reference for more reading on this?


I like the question:

Why should I trust this vendor specifically with my specific data?

Then again, I don't see cause to trust any businesses by default. Perhaps I'm missing something.


It seems like a decent list of recommendations to me.

If you follow all recommendations you're way ahead of the curve compared to what I've seen, but I've mostly seen small IT shops.

I do recall passworded ZIPs being easy to crack, that might be better replaced with a PGP-based alternative.


It's dangerous to rely on password-protected ZIPs. The default ZIP implementations use a 1990s amateur cipher that cryptographers have been cracking for sport for decades. There's a ZIP standard for authenticated AES, but you have to use a high-quality ZIP implementation (like 7z) to get it, and most people don't have special ZIP software installed.

Don't use password-protected ZIPs.


Hey thanks for this - I didn't realise the "default" was so weak for ZIP.

It's almost worth a HN post in itself, but I can't find a good reference to link to.

1: http://citeseerx.ist.psu.edu/viewdoc/summary?doi=10.1.1.49.2... (PDF maybe available via FTP?)

2: https://security.stackexchange.com/questions/5447/how-secure...


Apparently you haven't had to crack any recently. As an attorney with infosec certification, I can tell you that in my world, AES ZIPs are just as practically impossible to crack as you'd guess.


You're not reading what I wrote carefully enough. I'm not suggesting that AES-encrypted ZIPs are especially easy to crack. I'm saying that on most platforms, AES-encrypted ZIPs aren't what you get: you get ZIP 2.0 encryption.
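To make the ZIP 2.0 vs. AES distinction above concrete, here is an added example (my own code, not from any commenter) that reads a ZIP's central directory and reports, per entry, whether it is unencrypted, uses the legacy PKWARE "ZipCrypto" scheme (the weak default), or uses WinZip AES (compression method 99 plus extra field 0x9901). The archive it inspects is constructed in memory with dummy payloads; only the headers matter for the check.

```python
# Added example: classify each ZIP entry as unencrypted, legacy ZipCrypto (ZIP 2.0) or WinZip AES.
import struct
import zlib

AES_EXTRA_ID = 0x9901   # WinZip AES extra-field header id
AES_METHOD = 99         # compression method reserved for WinZip AES entries

def classify_entry(flag_bits, method, extra):
    """Return 'none', 'zipcrypto' or 'aes-<bits>' for one central-directory record."""
    if not flag_bits & 0x1:              # general-purpose flag bit 0 = entry is encrypted
        return "none"
    while len(extra) >= 4:               # extra field is a list of (id, size, data) records
        fid, size = struct.unpack("<HH", extra[:4])
        if fid == AES_EXTRA_ID and method == AES_METHOD and len(extra) >= 9:
            return "aes-%s" % {1: 128, 2: 192, 3: 256}.get(extra[8], "?")  # strength byte
        extra = extra[4 + size:]
    return "zipcrypto"                   # encrypted with no AES marker: the ZIP 2.0 cipher

def scan_zip(blob):
    """Locate the end-of-central-directory record and classify every entry."""
    eocd = blob.rfind(b"PK\x05\x06")
    count, _cd_size, pos = struct.unpack("<HII", blob[eocd + 10:eocd + 20])
    result = {}
    for _ in range(count):
        flags, method = struct.unpack("<HH", blob[pos + 8:pos + 12])
        nlen, xlen, clen = struct.unpack("<HHH", blob[pos + 28:pos + 34])
        name = blob[pos + 46:pos + 46 + nlen].decode()
        result[name] = classify_entry(flags, method, blob[pos + 46 + nlen:pos + 46 + nlen + xlen])
        pos += 46 + nlen + xlen + clen
    return result

def _entry(name, data, flags, method, extra, offset):
    """Local header + data, and the matching central record, for one stored entry."""
    fixed = struct.pack("<HHHHHIII", 20, flags, method, 0, 0, zlib.crc32(data), len(data), len(data))
    local = b"PK\x03\x04" + fixed + struct.pack("<HH", len(name), len(extra)) + name + extra + data
    central = (b"PK\x01\x02" + struct.pack("<H", 20) + fixed
               + struct.pack("<HHHHHII", len(name), len(extra), 0, 0, 0, 0, offset) + name + extra)
    return local, central

def build_sample():
    """Constructed archive: a plain entry, a ZipCrypto-flagged one, an AES-256-flagged one (dummy payloads)."""
    aes_extra = struct.pack("<HHHHBH", AES_EXTRA_ID, 7, 2, 0x4541, 3, 0)  # AE-2, vendor "AE", AES-256, stored
    specs = [(b"notes.txt", b"hello", 0, 0, b""),
             (b"contract.pdf", b"\x00" * 16, 1, 0, b""),
             (b"exhibits.pdf", b"\x00" * 16, 1, AES_METHOD, aes_extra)]
    body, cdir = b"", b""
    for name, data, flags, method, extra in specs:
        local, central = _entry(name, data, flags, method, extra, len(body))
        body, cdir = body + local, cdir + central
    return body + cdir + b"PK\x05\x06" + struct.pack("<HHHHIIH", 0, 0, 3, 3, len(cdir), len(body), 0)
```

Calling scan_zip(build_sample()) returns {"notes.txt": "none", "contract.pdf": "zipcrypto", "exhibits.pdf": "aes-256"}; pointing scan_zip at the bytes of a real archive shows which scheme a colleague's tool actually produced.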


Lawyers generally take physical security seriously but rarely give digital security much thought. They're often working on their own (somewhere between 1/4 and 1/2 of lawyers are independent/very small firm in Canada/US). This means they don't have the time, expertise or money to invest in knowing what to do or how to do it. But I've found they usually do want to know and that was the reason for this presentation.

This isn't a list of the best things to do, it's a list of some practical steps that can make things better. But ultimately the right level of security depends on the importance of the client communications. Some things are fine to do as Google Docs and other things you'll want to do with in-person meetings where no phones are allowed.


I'm the author of that presentation (and surprised to see it on HN this morning!). What would you add to this or change? I may do a follow-up to it.

And if you like the slides, there will be a free video of the actual presentation online soon.


Please, please, please always mention basic security as well! I recently got a free server off craigslist to learn more about server hardware. Turns out the server contains ALL company data from a small law office.

- pictures of the office opening party

- clients addresses

- employee contracts + data

- written warnings to employees

- ALL communication to/from clients

- INCLUDING stuff like stalking Protective Orders

Additionally, one CEO saved data from his other company on the server. His company dealt with medical stuff. The company was eventually sold for an undisclosed amount of money - but the server also contains correspondence to investors and the board of directors...

The data is almost 10 years old, but some employees are still in business. Please always teach basic security when talking to anyone who handles 3rd party data. Lawyers must be aware of the value of their data. No victim of stalking wants to have their case correspondence public.

Instead of learning more about server hardware, I'll probably use this data to learn more about data/document analysis and use it as a simple example when talking about the boring topic of computer/data security.


That's a pretty egregious example but I'm sure that's not the only time that's happened with a law office server. This is a really good example to add for future presentations - thanks!


