> ## Documentation Index
> Fetch the complete documentation index at: https://roadtocybersec.com/llms.txt
> Use this file to discover all available pages before exploring further.

# Device Hygiene

> Keep devices resilient with patching, extension inventory, endpoint protection, public Wi-Fi safeguards, backups, encryption, and physical security.

# Device Hygiene

Device hygiene is the routine maintenance that keeps laptops, phones, tablets, routers, and workstations harder to compromise and easier to recover. A single unhealthy device can expose passwords, session cookies, code repositories, cloud tokens, and private documents.

This page focuses on practical controls that reduce everyday risk.

## Software Updates and Patch Management

Software updates fix known vulnerabilities. Once a vendor releases a patch, attackers can reverse-engineer it and build exploits for people who delay. This dangerous window is called the **patch gap**.

### Update Priorities

| Priority | Update quickly                                    | Why                                                             |
| -------- | ------------------------------------------------- | --------------------------------------------------------------- |
| 1        | Operating system and browser                      | Most exposed to internet content and local privilege escalation |
| 2        | Password manager and security tools               | Protect credentials and detection capability                    |
| 3        | Messaging, email, office, PDF, and archive tools  | Common phishing attachment targets                              |
| 4        | Router and IoT firmware                           | Often exposed and forgotten                                     |
| 5        | Developer tools, package managers, and extensions | Powerful access to code, terminals, and credentials             |

### Patch Management Best Practices

<Steps>
  <Step title="Enable automatic security updates">
    Use automatic updates for operating systems, browsers, mobile apps, and security tools whenever practical.
  </Step>

  <Step title="Restart promptly">
    Many patches do not fully apply until restart. Do not postpone critical restarts for days.
  </Step>

  <Step title="Prioritize exploited vulnerabilities">
    If a vendor or security team says a vulnerability is actively exploited, treat it as urgent.
  </Step>

  <Step title="Review high-risk tools">
    For developer tools and extensions, update deliberately through trusted sources, and remove tools you no longer need.
  </Step>
</Steps>

<Note>
  Updates are usually protective, but recent supply chain attacks show that high-privilege extensions and developer tools need governance. Individuals should install fewer tools. Organizations should maintain allowlists, staged rollout, and monitoring.
</Note>

## Extension and App Inventory

You cannot secure what you do not know exists. Inventory is a basic but powerful habit.

### Quarterly Review Checklist

* Browser extensions
* VS Code or IDE extensions
* Password manager integrations
* VPN profiles
* Remote access tools
* Cloud sync clients
* Developer CLIs and package managers
* Mobile apps with access to email, files, or work accounts
* OAuth apps connected to Google, Microsoft, GitHub, Slack, or other identity providers

For each item, ask:

* Do I still use it?
* Do I trust the publisher?
* Does it request broad permissions?
* Does it run automatically?
* Would compromise of this app expose sensitive accounts or files?

## Endpoint Protection

Endpoint protection helps detect malware, suspicious processes, malicious scripts, and unsafe behavior on devices.

For individuals:

* Keep built-in protection enabled, such as Microsoft Defender, macOS XProtect, and mobile platform protections.
* Do not disable security tools to run cracked software or unknown scripts.
* Run a full scan if you suspect compromise.

For organizations:

* Use EDR or XDR where possible.
* Collect endpoint logs from developer machines.
* Alert on unusual child processes from browsers, office apps, terminals, and IDEs.
* Monitor for mass repository cloning, unusual token use, and unexpected outbound connections.

## Public Wi-Fi Risks

Public Wi-Fi networks in airports, hotels, cafes, schools, and conferences are shared environments. You do not control the router, other users, or monitoring on the network.

### Common Attack Scenarios

| Attack                      | How it works                                                 | Impact                                                        |
| --------------------------- | ------------------------------------------------------------ | ------------------------------------------------------------- |
| **Evil twin**               | Attacker creates a fake Wi-Fi network with a familiar name   | Traffic can route through the attacker                        |
| **Man-in-the-middle**       | Attacker intercepts or modifies traffic                      | Credentials and sessions may be exposed if protection is weak |
| **Captive portal phishing** | Fake login page asks for email, password, or payment details | Account or payment theft                                      |
| **Network discovery**       | Other devices scan the local network                         | Exposed file sharing or services may be targeted              |

### Safer Public Wi-Fi Habits

1. Use your phone hotspot for sensitive work when practical.
2. Verify the exact network name with staff.
3. Avoid open networks with no password.
4. Use a reputable VPN when you do not trust the network.
5. Disable auto-join for public networks.
6. Keep file sharing and AirDrop-style sharing restricted.

## Backups and Recovery

Backups are not only for hardware failure. They are also your best recovery option after ransomware, accidental deletion, cloud sync mistakes, or device theft.

### The 3-2-1 Backup Rule

* **3** copies of important data
* **2** different storage types
* **1** copy off-site

### Backup Best Practices

* **Automate backups**: Manual backups get forgotten.
* **Use versioning**: You need to restore files from before corruption or ransomware.
* **Test restores**: A backup is only useful if it can be restored.
* **Encrypt backup drives**: A stolen backup drive should not expose data.
* **Protect cloud backups**: Secure cloud accounts with strong MFA and recovery planning.
* **Keep at least one offline or immutable copy**: Ransomware can encrypt synced files.

<Tip>
  Organizations should also test continuity plans. If a SaaS vendor, learning platform, or cloud provider becomes unavailable, teams need a documented fallback for critical work.
</Tip>

## USB and Peripheral Risks

USB devices bypass many network defenses because they interact directly with hardware and the operating system.

### Risky Devices

* Found USB drives
* Unknown charging cables
* Public charging stations
* Keyboard-emulating devices
* Conference giveaway storage devices
* External drives from unknown sources

### Safer Habits

* Never plug in unknown USB storage.
* Use charge-only cables or data blockers at public charging stations.
* Disable auto-run where possible.
* In organizations, use device control policies for USB storage.
* Scan external drives before opening files.

## Full-Disk Encryption

Full-disk encryption protects data at rest if a device is lost or stolen.

| Platform | Built-in option                                                |
| -------- | -------------------------------------------------------------- |
| Windows  | BitLocker or Device Encryption                                 |
| macOS    | FileVault                                                      |
| Linux    | LUKS or distro-specific disk encryption                        |
| iOS      | Enabled when a passcode is set                                 |
| Android  | Enabled by default on modern devices when a screen lock is set |

<Warning>
  Encryption protects a locked or powered-off device. Once you unlock and use the device, malware running as your user may still access files and sessions. Encryption does not replace malware prevention.
</Warning>

## Physical Security

Physical access can bypass many digital controls.

* Lock your screen every time you step away.
* Use a short auto-lock timeout.
* Do not leave laptops unattended in public places.
* Use privacy screens when handling sensitive data in public.
* Enable device location, remote lock, and remote wipe features.
* Keep recovery keys and backup codes in a secure place.

## Key Takeaways

1. **Patch high-risk software quickly**.
2. **Keep fewer extensions and apps**.
3. **Inventory tools that can access files, credentials, code, or cloud accounts**.
4. **Use backups with versioning and tested restores**.
5. **Encrypt devices and lock screens**.
6. **Treat developer workstations as high-value targets**.
