Project Upskill Checklist

  1. Implement User Account Control to protect your personal computer.
  2. Keep your device’s operating system (OS) and applications (apps) up to date.
    • Enable automatic updates for the OS on each of your computers and mobile devices.
    • Enable automatic updates for all software installed on your computer and mobile devices.
    • Designate time in your schedule each week to ensure updates are being installed.
      • Once a week, check your device for any pending OS or software updates that are waiting to be installed. 
      • Once a week, check whether software updates are available for any software that does not have an automatic update feature.
  3. Ensure your OS antivirus and anti-malware protections are active. 
    • Ensure that the antivirus and/or anti-malware functions provided by your computer or mobile device’s OS are enabled. Set them to automatically update and automatically scan, if possible.
    • Periodically ensure that your antivirus and anti-malware solutions are still running and updated with the latest security patches.
  4. Manage application permissions for privacy and security. 
    • Remove any apps from your computer or mobile device that you do not use.
    • In app permissions, deny access to data or functions you do not want an app to have.
  5. Follow Wi-Fi, Bluetooth, and Near Field Communication (NFC) best practices if you believe you are actively being targeted by a malicious cyber actor due to your work or identity.
    •   Turn off Wi-Fi on all your devices when not in use.
    •   Turn off Bluetooth on all your devices when not in use.
    •   Do not connect or sync your mobile devices to rental cars or any other car you do not own. (Your mobile device will sync information like texts, calls, and phone books to the vehicle infotainment device that can be accessed by others who use the vehicle after you.)
    •   Delete Wi-Fi networks from your computer and mobile device that you either no longer use or you do not use regularly.
    •   Delete any Bluetooth pairing that you no longer use, or you do not use regularly.
    •   Consider storing your NFC and radio-frequency identification (RFID) cards, such as the following, in an RFID-blocking case or wallet:
      •   Credit Cards
      •   Hotel Door Key Cards
      •   Building Access Cards
      •   Garage Access Cards
      •   Other
    •   Do not use your NFC or RFID card on any terminal that appears to be tampered with.
  6. Vet technologies before adding them to your network. 
    •   Evaluate technology solutions for cybersecurity and privacy before adding them to your digital ecosystem, including apps, cloud-based solutions, and Internet of Things (IoT) or smart home devices.
      •   Surf the web for news stories: Does the manufacturer, developer or vendor of the product have a history of privacy or cybersecurity breaches? How were they handled?
      •   Where is the company located?
      •   Will your data be shared with third parties?
      •   Do the product and vendor have an acceptable privacy policy?
      •   Are you able to adjust the product’s security settings to meet your security preferences?
      •   Does the developer issue regular software updates for security?
  7. Protect the physical security of your digital devices.
    •   Have physical security controls in places where you store your devices.
    •   Keep important documents in a securely locked location.
    •   Lock your device if you have to step away from the screen.
    •   Do not leave your device unattended.
    •   Do not insert unknown media storage devices (like thumb drives) into your computer.
    •   Have a plan for device loss or theft.
    •   Do not charge your device in a public USB port without using a data blocker.
    •   Do not simply throw away or sell your old devices.
  8. Formulate strong passwords and PIN codes. 
    •   A strong password satisfies the following three requirements:
      •   Length – A strong password has at least 16 characters.
      •   Randomness – Add randomness to your password in one of two ways. Use a random string of mixed-case letters, numbers, and symbols OR create a memorable passphrase of 5-7 unrelated words. Be creative with spelling and/or add numbers or symbols to make it even stronger.
      •   Uniqueness – Use a different password for every account.
    •   Apply principles of length, randomness, and uniqueness when formulating PIN codes, too.
  9. Use a password manager to create and “remember” strong passwords.
    •   Ensure you are using a password manager to securely store and manage login credentials.
  10.  Use the strongest form of multi-factor authentication (MFA) available to you. 
    •   Ensure you enable MFA for all available accounts, using the strongest form of MFA available to you:
      •   Strongest – Physical tokens with FIDO
      •   Physical tokens
      •   Biometric Authentication
      •   Software token
      •   Email One Time Passcode (OTP)
      •   Weakest – SMS Text OTP
  11.  Back up and encrypt your data. 
    •   Back up your data to an external hard drive or a properly vetted cloud service.
    •   Encrypt all devices, hard drives, removable media, and relevant documents for enhanced security.
  12.  Properly handle data and devices that you don’t use anymore.
    •   Be aware that when you “delete” a file from your device, it is often still recoverable. Therefore, you should encrypt your devices and storage media (e.g., hard drives, thumb drives) to protect all of your data, including deleted data.
    •   Don’t sell or recycle old devices, particularly if you consider yourself to be high-risk. Instead, store the device in a secure location, such as a safe.
  13.  Communicate securely on your mobile device. 
    •   Avoid using standard calling and SMS texting when communicating sensitive information.
    •   Use a messenger app that offers end-to-end encryption and Voice over Internet Protocol (VoIP) functionality for text messages and voice calls.
    •   To send a secure email, place any sensitive information in a document that can be encrypted with a strong password and attach the document to your email. Use a separate form of secure communication (such as a secure messaging app) to share the password with your intended recipient.
  14.  Adjust your web browser settings for better privacy & security.
    •   Keep your browser up to date with the latest security patches. Restart your browser regularly to allow the security updates to take effect.
    •   Adjust the following settings on your web browser:
      •   Enable HTTPS Only mode.
      •   Consistently clear stored data from your browser history by changing your browser settings to “never save” or “clear when closing.”
      •   Clear cookies when closing your browser.
      •   Block third-party cookies.
      •   Do not allow your browser to save and autofill your information in online forms.
        •   Do not save payment information in your browser.
        •   Do not save passwords in your browser.
      •   Restrict website permissions (e.g., deny access to location data).
      •   Vet browser extensions in accordance with step 6 before installing them.
  15.  Access websites securely.
    •   Only connect to websites beginning with https://. Do not connect to websites beginning with http://.
    •   Verify website URLs to avoid connecting to a fake website.
    •   Click the padlock icon next to the URL in your browser’s search bar to verify that the website’s certificate is still valid and is issued by a legitimate certificate authority to the person or organization that owns the website.
  16.  Get the most out of cloud storage and services while minimizing the risk.
    •   If you use a cloud service, verify that it satisfies the following requirements:
      •   Implements end-to-end encryption for data moving between your device and the cloud
      •   Implements strong encryption to protect your data when it is stored on cloud servers
      •   Allows you to use a strong password and MFA to access your cloud account
      •   Is headquartered in a country with privacy and security laws that help protect your data
    •   Be vigilant against phishing attempts to trick you into clicking on a link and entering your cloud account credentials.
  17.  Secure your home Wi-Fi.
    •   Pre-Set-up:
      •   Find your router. It may have a sticker on it with the default setting information. While this information may vary, it typically includes the following:
    •   Change the following router settings:
      •   Change your router login username and password.
      •   Check for router firmware updates and set up automatic updates if possible.
      •   Change your default SSID (i.e., the name of your Wi-Fi network).
      •   Change your Wi-Fi password. To make the password secure and accessible, try creating a memorable passphrase using 5 to 7 unrelated words totaling at least 16 characters.   
      •   Change your Wi-Fi encryption to one of the following options:
        •   WPA2 AES
        •   WPA3 Personal
      •   Disable “remote management” in settings.
      •   Disable “Wi-Fi Protected Setup (WPS)” in settings.
      •   Disable “Universal Plug and Play (UPnP)” in settings.
      •   Store your router in a secure physical location.
      •   Create a Guest Wi-Fi.
        •   Your Guest Wi-Fi should be used by anyone who does not routinely connect to your home Wi-Fi.
        •   Additionally, connect any smart home and other IoT devices to your Guest Wi-Fi if they only require internet access.
  18. Limit your digital footprint. 
    •   Disable your device’s Ad ID.
    •   Manage app permissions and deny apps access to data that they do not require for functionality.
    •   Request removal of your information from platforms and data brokers that may be required by law to honor your request OR seek help from a reputable company that can help you to delete information about yourself online.
  19.  Manage your online presence. 
    •   Exercise caution when deciding what to share about yourself online.
    •   Understand that other people’s posts can put you at risk if they reveal personal or sensitive information about you.
    •   Adopt the following best practices while using social media:
      •   Make your social media account private.
      •   Do not make your birthdate, location, or other personal details available on your profile.
      •   Disable location sharing and do not use geo-location tags.
      •   Disable “tagging” settings or enable controls to approve/deny tags before a post is associated with your account.
      •   Only add friends, followers, connections, or contacts that you know and trust. Verify that the account actually belongs to the person you know and is not a false account that was created to gain closer access to you.
      •   Like any other application, vet any third-party app integrations to ensure they meet your cybersecurity requirements.
      •   Adjust settings for personalized ads to limit what information third parties receive about your account activity.
    •   Consult USSOCOM’s step-by-step guide for a more comprehensive list of recommendations for adjusting settings on social networking services.
  20. Follow cybersecurity best practices to protect yourself from tracking technologies and spyware.
    •   If you believe you are the target of a sophisticated cyber threat actor, you should enable Lockdown Mode if you own a macOS or iOS device.
    •   Reboot your device weekly.
    •   Be wary of phishing attempts. Do not click on links or open attachments from emails, text messages, or other forms of digital communication from unknown sources.
    •   Only download software from its original source.
    •   Do not give your device permission to install any software you did not proactively seek to install.
    •   Do not leave your device alone or unlocked or allow others to access your device without your supervision.
    • If you believe you have been targeted with spyware, seek outside help.