Although most of us have already lost much of our privacy, we still have a reasonable need to protect our communications and digital assets better than the average user does, or perhaps even against professional attackers. Yet even security professionals and hackers often fail to follow best practices for passwords or safe browsing, because the right balance between good protection and efficient digital work is not trivial, especially when it has to be tuned to your own case: your risks and your everyday practices.
This workshop is tuned for those who take part in security audits, handle sensitive client data and report vulnerabilities. How should you structure internal and external cooperation on documents, sources and other sensitive assets? How should you organize work across cloud, mobile, laptops and client resources? What kind of NDA makes sense in real life? There is no perfect choice, but there are good, practicable choices. We start with common misconceptions and bad habits, review the usual advice, and do some hands-on exercises with the choices the instructor would make in different cases, drawing on several years of experience in managing offshored security audits.
We'll discuss topics such as: business-level threat modeling; VPN (OpenVPN vs WireGuard); browser/browsing security; secure emailing practices; messaging and video conferences (iMessage, Zoom, Signal, Telegram, WhatsApp, etc.); shared document editing; cloud storage, document and file handling; file sharing and submission; the risks of using Google, FB, Dropbox, Apple, GitHub; usable encryption practices and hardware tokens; hardening your laptop (Mac and Windows); proper security settings for your mobile (iOS and Android); organizational and legal security policies; NDA compliance in practice.
Bring your own device with some apps preinstalled; we'll test the use cases together and discuss the pros and cons. Hopefully some new security practices will be your takeaway. The course syllabus will let you continue improving your security practices after the workshop, and perhaps re-engineer your internal processes and policies for pentesting and other audit engagements.
title: Practical personal cybersec for security auditors
audience: suitable for any interested person, tuned for security testers (pentesters) and auditors
duration: 1 XL (7hrs)
developed by: Timur Khrotko
Bring your own device
Proficiency in practical security terms is assumed