1. Don't click shit
    1. What do you mean?
      1. Don't open/click/run suspicious files/links/programs. Rule of thumb: if you are not expecting it, it is suspicious.
    2. Suspicious files
      1. Don't open suspicious files, email attachments, or archived documents, if you do not completely trust the source they are originating from. If you are not the author of the file, you have to verify its origin by the means other than the media used to transmit it. For example, if you have received a Word document via email, and are not expecting it, contact the sender by IM or mobile phone and verify the reason for sending it. Any files or links from people you don't know should be treated as malicious by default. The most risky file types are: Any executable files: exe, com, bat, ps1, swf, jar etc. MS Office documents, especially with macros: doc/docx/docm, xls/xslx/xslm etc. PDF documents: pdf. Vector graphics with embedded code: svg. Archives of these files, especially password-protected.
      2. Sometimes it's hard to tell malicious files from legitimate ones under time pressure. You can use Virustotal to verify any file by more than 50 antiviruses. It is much better than scanning it by just one, however, consider the fact that you will need to disclose the file to a third party. https://virustotal.com
    3. Suspicious links
      1. Don't open suspicious URL links, especially those pointing to unknown web-sites. Always check web-site domain names before clicking the link: attackers could mangle the domain name for it to look familiar: facelook.com, gooogle.com are the examples. Using HTTPS and verifying web-site certificate can ensure the web-site is not cloned or spoofed by the attacker.
      2. Dissecting URLs can be tricky too, especially in HTML, documents and emails. Sometimes it takes hovering the mouse cursor over the link and waiting for a while before the real URL pops up. You can also right-click on it and copy it to the text editor to see its actual address. Also, you can use Virustotal to scan suspicious links the same way you can scan files. https://virustotal.com
  2. Use strong passwords
    1. What passwords are strong?
      1. Strong passwords are long, complex, and unique. This means they should be relatively long (preferably longer than 10 characters), contain different types of characters (letters, digits, special chars), and be different for every service, web-site or system you use.
      2. Cognitive passwords are bad passwords. Passwords shall not be cognitive, that means they have to be based on something else than data about the user or the system. Otherwise, public information, related to the user or the system, may help an attacker successfully guess the password.
      3. Passphrases are better than passwords. Passphrases eliminate problems related to passwords' length and use of dictionary words. To create a passphrase, choose a phrase you won't forget easily: a line from a poem or a song lyrics, a proverb, a slogan etc. Then transform it to a single string by removing spaces and replacing letters to similar digits. Adding special characters and capitalizing random words in the phrase also makes it stronger.
    2. How to create strong passwords?
      1. Password recipes are one way to create relatively strong unique passwords. Password recipe is an algorithm used to create different passwords for different systems using a common basis. For example: 1. Choose a strong password basis, say, the passphrase w3llD0nem8'. 2. Think about a way of linking the passphrase to the system. Simply adding server name in the end is easy: w3llD0nem8'google Splitting the name in halves and adding in the beginning and end of the phrase is even cooler: goow3llD0nem8'gle glew3llD0nem8'goo 3. Don't forget to apply a mangling rule too, say, change the last letter of the server name to a letter if applicable, and always add exclamation mark. goow3llD0nem8'gl3!
    3. Password managers
      1. Use a password manager software and follow these rules: 0. Generate strong random passwords of configurable length and complexity. 1. Make sure your master password is strong. 2. Use a password manager that encrypts password database before storing it in the cloud or synchronizing it between your devices via the network. 3. Backup your password database often. Examples of good password managers are: 1Pasword https://1password.com KeePass http://keepass.info Password Safe https://pwsafe.org
    4. Updating passwords
      1. Change passwords regularly and at least once a year. Your corporate passwords or the passwords you use more often (say, multiple times a day) have to be changed at least once a moth or two. The rule of thumb is: the more frequently you use the password, the more frequently it has to be changed.
  3. Use multi-factor authentication
    1. Enable multi-factor authentication
      1. Most respected online services allow multi-factor authentication. Enable it using a built-in software token (available on Facebook, Twitter, Google etc.) or an SMS one-time verification code. URLs to multi-factor authentication settings of popular web-sites: Apple 2-factor authentication https://support.apple.com/en-us/HT204915 Google 2-step verification https://myaccount.google.com/security/signinoptions/two-step-verification Facebook Login Approvals https://www.facebook.com/settings?tab=security&section=approvals Twitter Login verification https://twitter.com/settings/security Dropbox Two-step verification https://www.dropbox.com/account/#security
    2. Avoid SMS
      1. Prefer using Google Authenticator, physical token, or mobile app verification techniques. Avoid SMS one-time passwords wherever possible.
  4. OS and software
    1. Don't use pirated software. Don't run or install software downloaded from untrusted sources. This includes torrents and other peer-to-peer networks. This especially includes keygen and cracking tools that require administrator privileges to run. Morals or ethics have nothing to do with it: it is just totally insecure. First, trojaning the distribution and putting it online 'for free' is a known way of hacking into systems and it happens much more often than we'd like. Second, pirated software can rarely be kept up to date with security patches that just don't arrive to your system. Messing with 'activations' and re-activations just isn't worth it and the risks of not updating software are unacceptable.
    2. Turn on Auto-Update in your Windows OS. For more details refer to the official FAQ: https://support.microsoft.com/en-us/help/12373/windows-update-faq
    3. Make sure your Windows Update is configured to check for updates for all Microsoft products, including MS Office. https://www.winhelp.us/configure-automatic-updates-in-windows.html
    4. Update third party software regularly or automatically. For that, use Flexera (formerly Secunia) PSI or an equivalent tool that checks your third party applications for updates and allows you to update them automatically. http://www.flexerasoftware.com/enterprise/products/software-vulnerability-management/personal-software-inspector/
    5. Turn on AppStore auto-updates as recommended by Apple: https://support.apple.com/kb/PH25371
    6. Turn on your MS Office Auto-Update in macOS as recommended by Microsoft: https://support.office.com/en-us/article/Check-for-Office-for-Mac-updates-automatically-bfd1e497-c24d-4754-92ab-910a4074d7c1
    7. Use Homebrew to keep your third party apps up to date. You can easily find many tools you already use in Homebrew: $ brew search vlc $ brew search wireshark $ brew search gpgtools etc. To install Homebrew
    8. Alternatively, to keep third-party apps up to date, use MacInformer or equivalent tool. WARNING: although safer than not using any update mechanism, this kind of software may be invasive and not so secure as Homebrew. So no URL here.
    9. Just do 'apt update && apt -y upgrade' or whatever mumbo-jumbo you like more once in a while...
  5. Antivirus
    1. On Linux or macOS don't use antivirus. Security software comes with security vulnerabilities, it is not more secure than any other piece of code. However, in order to be efficient, antivirus normally requires elevated privileges in the OS. This introduces new risks that outweigh the dangers of getting infected on relatively secure and less popular platforms. If you follow recommendations in this guide, you can install an AV that is not continuously monitoring your OS and scan your system with it once in a while. Malwarebytes has one of those. https://www.malwarebytes.com/business/
    2. On Windows do use antivirus. But don't forget that AV is very ineffective against modern online threats. You can imagine antivirus efficiency to vary from 15% to 30%, most of the time this is true.
    3. Choosing antivirus is not easy: 'independent' tests are biased toward the AV vendors who in the end of the day pay for these tests. There are, however, more or less objective reviews and testing results. AV-Test.org https://www.av-test.org/en/antivirus/home-windows/ NSS Labs reports, if you can find any nowadays.
  6. Backup your data
    1. Use a separate encrypted external hard drive with configured Time Machine backups. Attach it whenever you are doing some important work, it will backup everything automatically. Recommended HDD size: at least twice as large as your internal hard drive. Apple guide: https://support.apple.com/en-us/HT201250
    2. Follow MIcrosoft recommendations on system and data backups https://support.microsoft.com/en-us/help/17127/windows-back-up-restore
    3. Select and use a third party backup software http://www.techradar.com/news/software/applications/best-free-backup-software-11-programs-we-recommend-1137924
    4. Linux users have many backup mechanisms at their disposal: from tar to rsync remotely to a file share. Less technically savvy users can choose from more user-friendly tools http://www.nuxified.org/blog/easy-linux-backup-software-time-machine-functionality/
    5. You can backup your data by putting it to a cloud drive such as Dropbox, iCloud Drive, Google Drive etc. Don't forget to encrypt data before uploading it though.
  7. Use crypto
    1. Use HTTPS on web-sites
      1. Always check that the web-site is protected by HTTPS, that means that it has https:// before it and the certificate is validated by your browser. Note that presence of HTTPS by itself should not increase your trust in the web-site: anyone can generate a valid certificate for his/her web-site. The web-site domain name should be verified because it can be easily spoofed and web-site cloned if you don't pay attention. And do not accept untrusted certificates neither temporarily, nor permanently.
    2. Encrypt data
      1. You can use Full Disk Encryption feature of your OS to protect the data at your laptop or PC from theft or loss. FDE is a free feature on Linux, macOS, and Windows Pro.
        1. Enable File Vault. That's it, you're done. https://support.apple.com/en-us/HT204837
        2. Use LUKS or other means of Full Disk Encryption. Alternatively you can select disk encryption options or encrypt just your home partition during OS installation. This seems to be a reasonable guide for Arch, but every popular distro has a similar how-to. https://wiki.archlinux.org/index.php/Dm-crypt/Encrypting_an_entire_system
        3. Enable BitLocker. It's fast, it's native to Windows, and it's easy to configure and use. http://www.howtogeek.com/234826/how-to-enable-full-disk-encryption-on-windows-10/
        4. In case your edition of Windows comes without BitLocker, use a third party solution such as VeraCrypt, a fork of TrueCrypt, which itself is not recommended. https://veracrypt.codeplex.com
      2. You can encrypt external drives or individual files too.
    3. Encrypt communications
      1. Use trusted end-to-end encrypted communications for private/confidential data. End-to-end encryption ensures that no one other than you and your recipient can access the conversation. The means of encrypting email end-to-end are PGP or GPG, or S/MIME. End-to-end encrypted Instant Messengers are Signal, WhatsApp, iMessage, Viber, Threema. Facebook Messenger, Google Allo, and Telegram have 'secret chats' that may be seen as more secure than default mode.
        1. GPGTools for Apple Mail and macOS https://gpgtools.org/
        2. Send OpenPGP Encrypted E-Mails From Microsoft Outlook 2016/2013/2010/2007 https://www.encryptomatic.com/openpgp/
        3. Encrypt messages by using S/MIME in Outlook Web App https://support.office.com/en-us/article/Encrypt-messages-by-using-S-MIME-in-Outlook-Web-App-2e57e4bd-4cc2-4531-9a39-426e7c873e26
        4. EFF secure instant messaging guide and scorecard https://www.eff.org/secure-messaging-scorecard
        5. End-to-end encrypted IMs: Signal https://whispersystems.org WhatsApp (uses Signal protocol) https://www.whatsapp.com Viber (uses Signal protocol) https://www.viber.com Threema https://threema.ch
        6. High anonymity IMs: Ricochet https://ricochet.im Retroshare http://retroshare.net
    4. Encrypt cloud data
      1. Encrypt your sensitive data before uploading it to the cloud. Remember: there is no 'cloud', it's just someone else's computer. Boxcryptor is a tool that allows you to encrypt data offline before putting it to your cloud drive. Use for one cloud drive is free of charge. Boxcryptor https://www.boxcryptor.com
    5. Use VPN
      1. To protect your traffic data and metadata from network sniffing, use VPN. You can choose from many VPN services providers, such as proXPN or OpenVPN AS. You can install and maintain your own VPN server as well. Always use corporate VPN when working with business data remotely. proXPN https://secure.proxpn.com OpenVPN https://openvpn.net How to setup your own VPN server: https://www.digitalocean.com/community/tutorials/openvpn-access-server-centos
  8. Mobile security
    1. Mobile network is as insecure as public WiFi access point. Use the same crypto tools while on your cellular data network. Don't consider SMS or your voice calls private: use end-to-end encrypted voice calls and messages instead.
    2. Use iOS. By all accounts, Apple mobile security and the security of its applications ecosystem is much more secure than one based on Android and controlled by your carrier or an OEM manufacturer (Samsung, LG, Sony etc.)
    3. If Android, then Google. Only direct support by OS manufacturer can guarantee timely security updates. Any additional hops in the supply chain (OEM vendor, cellular carrier, enterprise IT etc.) decrease your security level. In some occasions updates just don't reach you after a year or two of using the device.
    4. Don't root your phone. Use only authorised application repositories e.g. Google Play and Apple AppStore. Don't download or install 'emergency security updates' coming from sources other than software manufacturer.
  9. Physical security
    1. Keep your staff where you can see it. If an attacker can get close to your PC without you noticing, most probably he will succeed in complete OS takeover wit very little effort. Keeping user session locked can help, but there are modern attacks that it cannot protect against. So, don't leave your equipment unattended, especially when it is running. Shutdown or hibernate every time you leave it event for a few minutes. Require password every time you turn it on.