Device Hygiene
Device hygiene is the routine maintenance that keeps laptops, phones, tablets, routers, and workstations harder to compromise and easier to recover. A single unhealthy device can expose passwords, session cookies, code repositories, cloud tokens, and private documents. This page focuses on practical controls that reduce everyday risk.Software Updates and Patch Management
Software updates fix known vulnerabilities. Once a vendor releases a patch, attackers can reverse-engineer it and build exploits for people who delay. This dangerous window is called the patch gap.Update Priorities
| Priority | Update quickly | Why |
|---|---|---|
| 1 | Operating system and browser | Most exposed to internet content and local privilege escalation |
| 2 | Password manager and security tools | Protect credentials and detection capability |
| 3 | Messaging, email, office, PDF, and archive tools | Common phishing attachment targets |
| 4 | Router and IoT firmware | Often exposed and forgotten |
| 5 | Developer tools, package managers, and extensions | Powerful access to code, terminals, and credentials |
Patch Management Best Practices
Enable automatic security updates
Use automatic updates for operating systems, browsers, mobile apps, and security tools whenever practical.
Restart promptly
Many patches do not fully apply until restart. Do not postpone critical restarts for days.
Prioritize exploited vulnerabilities
If a vendor or security team says a vulnerability is actively exploited, treat it as urgent.
Updates are usually protective, but recent supply chain attacks show that high-privilege extensions and developer tools need governance. Individuals should install fewer tools. Organizations should maintain allowlists, staged rollout, and monitoring.
Extension and App Inventory
You cannot secure what you do not know exists. Inventory is a basic but powerful habit.Quarterly Review Checklist
- Browser extensions
- VS Code or IDE extensions
- Password manager integrations
- VPN profiles
- Remote access tools
- Cloud sync clients
- Developer CLIs and package managers
- Mobile apps with access to email, files, or work accounts
- OAuth apps connected to Google, Microsoft, GitHub, Slack, or other identity providers
- Do I still use it?
- Do I trust the publisher?
- Does it request broad permissions?
- Does it run automatically?
- Would compromise of this app expose sensitive accounts or files?
Endpoint Protection
Endpoint protection helps detect malware, suspicious processes, malicious scripts, and unsafe behavior on devices. For individuals:- Keep built-in protection enabled, such as Microsoft Defender, macOS XProtect, and mobile platform protections.
- Do not disable security tools to run cracked software or unknown scripts.
- Run a full scan if you suspect compromise.
- Use EDR or XDR where possible.
- Collect endpoint logs from developer machines.
- Alert on unusual child processes from browsers, office apps, terminals, and IDEs.
- Monitor for mass repository cloning, unusual token use, and unexpected outbound connections.
Public Wi-Fi Risks
Public Wi-Fi networks in airports, hotels, cafes, schools, and conferences are shared environments. You do not control the router, other users, or monitoring on the network.Common Attack Scenarios
| Attack | How it works | Impact |
|---|---|---|
| Evil twin | Attacker creates a fake Wi-Fi network with a familiar name | Traffic can route through the attacker |
| Man-in-the-middle | Attacker intercepts or modifies traffic | Credentials and sessions may be exposed if protection is weak |
| Captive portal phishing | Fake login page asks for email, password, or payment details | Account or payment theft |
| Network discovery | Other devices scan the local network | Exposed file sharing or services may be targeted |
Safer Public Wi-Fi Habits
- Use your phone hotspot for sensitive work when practical.
- Verify the exact network name with staff.
- Avoid open networks with no password.
- Use a reputable VPN when you do not trust the network.
- Disable auto-join for public networks.
- Keep file sharing and AirDrop-style sharing restricted.
Backups and Recovery
Backups are not only for hardware failure. They are also your best recovery option after ransomware, accidental deletion, cloud sync mistakes, or device theft.The 3-2-1 Backup Rule
- 3 copies of important data
- 2 different storage types
- 1 copy off-site
Backup Best Practices
- Automate backups: Manual backups get forgotten.
- Use versioning: You need to restore files from before corruption or ransomware.
- Test restores: A backup is only useful if it can be restored.
- Encrypt backup drives: A stolen backup drive should not expose data.
- Protect cloud backups: Secure cloud accounts with strong MFA and recovery planning.
- Keep at least one offline or immutable copy: Ransomware can encrypt synced files.
USB and Peripheral Risks
USB devices bypass many network defenses because they interact directly with hardware and the operating system.Risky Devices
- Found USB drives
- Unknown charging cables
- Public charging stations
- Keyboard-emulating devices
- Conference giveaway storage devices
- External drives from unknown sources
Safer Habits
- Never plug in unknown USB storage.
- Use charge-only cables or data blockers at public charging stations.
- Disable auto-run where possible.
- In organizations, use device control policies for USB storage.
- Scan external drives before opening files.
Full-Disk Encryption
Full-disk encryption protects data at rest if a device is lost or stolen.| Platform | Built-in option |
|---|---|
| Windows | BitLocker or Device Encryption |
| macOS | FileVault |
| Linux | LUKS or distro-specific disk encryption |
| iOS | Enabled when a passcode is set |
| Android | Enabled by default on modern devices when a screen lock is set |
Physical Security
Physical access can bypass many digital controls.- Lock your screen every time you step away.
- Use a short auto-lock timeout.
- Do not leave laptops unattended in public places.
- Use privacy screens when handling sensitive data in public.
- Enable device location, remote lock, and remote wipe features.
- Keep recovery keys and backup codes in a secure place.
Key Takeaways
- Patch high-risk software quickly.
- Keep fewer extensions and apps.
- Inventory tools that can access files, credentials, code, or cloud accounts.
- Use backups with versioning and tested restores.
- Encrypt devices and lock screens.
- Treat developer workstations as high-value targets.