The Paranoid Standard

Mandatory Security Controls for the Reality Where Everyone is Already Compromised

By The Cynical CISO | Steele Fortress Security Intelligence

You are already in at least three data breaches. Your email is for sale on the dark web for $2. Your home address is on 47 data broker sites. Your ISP logs every DNS query you make and sells it to advertisers.

The choice is not "secure vs. insecure." The choice is "expensive target vs. free money."

These are the controls that separate you from the victims.

1. Password Managers: This Is Not Optional

MANDATORY TOOLS:

• Bitwarden (Premium: $10/year) - Open source, independently audited, E2E encrypted vault, TOTP generator built-in. Self-hosting available for the paranoid.
• 1Password (Family: $60/year) - Travel Mode (hides vaults at border crossings), Watchtower breach monitoring, emergency access delegation.

BANNED: Browser built-in password managers (Chrome, Safari, Edge). These store credentials in plaintext-adjacent formats accessible to any malware with user-level permissions. If you use these, you are pre-pwned.

IMPLEMENTATION ORDERS:

1. Generate 24+ character random passwords for every account. No exceptions.
2. Master password: 6-word Diceware passphrase, minimum 35 characters. Write it on paper. Store paper in fireproof safe.
3. Enable biometric unlock only AFTER master password is memorized.
4. Audit mode: Search vault for passwords used more than once. Destroy and regenerate.

2. Hardware Authentication Keys: The Only MFA That Survives

THE PROBLEM WITH EVERYTHING ELSE:

• SMS 2FA: Defeated by SIM swap attacks. Telco employees are bribed for $100. This is not theoretical.
• TOTP Apps: Can be phished if you are socially engineered to enter the code on a fake login page.
• Hardware Keys: Use FIDO2/WebAuthn cryptographic challenge-response. Cannot be phished. Period.

MANDATORY HARDWARE:

• YubiKey 5 Series (5C NFC: $55, 5 Nano: $50) - FIDO2, WebAuthn, TOTP, OpenPGP, PIV.
• Minimum Quantity: Two. One for daily carry. One in a fireproof safe as backup recovery key.

SETUP PRIORITY ORDER:

1. Password manager (Bitwarden/1Password)
2. Primary email (Gmail/Outlook)
3. Email recovery account
4. Financial institutions (banks, brokerages, crypto exchanges)
5. Cloud infrastructure (AWS, Azure, GCP)
6. Code repositories (GitHub, GitLab)

BANNED: Using SMS 2FA as primary MFA anywhere that supports hardware keys. If the service does not support FIDO2, it is not serious about security and you should evaluate alternatives.

3. DNS Privacy: Your ISP is Selling Your Browsing History

THE SURVEILLANCE REALITY: Every DNS query you make through your ISP (Comcast, Verizon, AT&T) is logged, aggregated, and sold to advertising networks. This is legal. Congress explicitly allowed it in 2017.

MANDATORY DNS PROVIDERS:

• NextDNS (nextdns.io) - Custom blocklists, query logging YOU control, DNS-over-HTTPS/TLS. Free tier: 300k queries/month. Pro: $19.90/year unlimited.
• Quad9 (9.9.9.9) - Non-profit, malware blocking at DNS layer, no logging, free forever. Swiss jurisdiction.

IMPLEMENTATION:

1. Router Level: Change DHCP DNS servers to 9.9.9.9 / 149.112.112.112 (Quad9) or configure NextDNS profile. Covers all devices on network.
2. Device Level: Configure DNS-over-HTTPS in browsers (Firefox: Settings - Network Settings - Enable DNS over HTTPS - Custom: https://dns.quad9.net/dns-query).
3. Mobile: Install NextDNS or Quad9 configuration profile (iOS) or Private DNS setting (Android 9+).

VERIFICATION: Visit dnsleaktest.com. If you see your ISP, you failed.

4. Data Broker Removal: Your Address is For Sale Right Now

THE THREAT MODEL: People-search sites (Spokeo, Whitepages, BeenVerified, etc.) scrape public records and sell your home address, phone number, email, relatives, and employment history for $0.95 per lookup. Stalkers, identity thieves, and SWATers use these. Regularly.

OPTION A - AUTOMATED REMOVAL SERVICES:

• Optery (optery.com) - $95-190/year depending on coverage. Removes from 200+ brokers. Quarterly scans.
• DeleteMe (joindeleteme.com) - $129/year. Removes from 40+ major brokers. Monthly scans.

OPTION B - MANUAL REMOVAL (Free, Time-Intensive):

Submit opt-out requests to these sites quarterly. Set a calendar reminder. This is not optional.

1. Acxiom - isapps.acxiom.com/optout
2. LexisNexis - optout.lexisnexis.com
3. Spokeo - spokeo.com/optout
4. BeenVerified - beenverified.com/f/optout
5. Whitepages - whitepages.com/suppression-requests
6. Intelius - intelius.com/optout
7. TruePeopleSearch - truepeoplesearch.com/removal
8. PeopleFinders - peoplefinders.com/opt-out
9. Instant Checkmate - instantcheckmate.com/opt-out
10. MyLife - mylife.com/privacy-policy (email privacy@mylife.com)

TIMELINE: Removals take 7-30 days. Sites re-scrape data every 90-180 days. This is an ongoing operational requirement, not a one-time task.

5. Credit Freezes: Stop Identity Theft Before It Starts

CREDIT MONITORING IS A SCAM: Services like LifeLock tell you AFTER someone opens an account in your name. Credit freezes PREVENT the account from being opened. Monitoring is reactive. Freezes are proactive.

MANDATORY ACTIONS - DO THIS TODAY:

Freeze your credit at ALL FIVE bureaus. Not three. Five.

1. Equifax - equifax.com/personal/credit-report-services/credit-freeze (Phone: 800-349-9960)
2. Experian - experian.com/freeze/center.html (Phone: 888-397-3742)
3. TransUnion - transunion.com/credit-freeze (Phone: 888-909-8872)
4. Innovis - innovis.com/personal/securityFreeze (Phone: 800-540-2505)
5. ChexSystems (Banking) - chexsystems.com/security-freeze (Phone: 800-887-7356)

COST: $0. Federally mandated as free since September 2018.

OPERATIONAL REALITY: When you apply for credit (mortgage, car loan, credit card), you temporarily unfreeze for that specific bureau. It takes 60 seconds online. This minor inconvenience prevents $50,000 in fraudulent loans.

6. Mobile Device Hardening: You Carry a Tracking Device

iOS - LOCKDOWN MODE (Mandatory for High-Risk Targets):

Settings - Privacy & Security - Lockdown Mode. This disables:

• Most message attachment types (blocks zero-click exploits)
• Link previews in Messages
• JavaScript JIT compilation in Safari (kills most browser exploits)
• Incoming FaceTime calls from non-contacts
• Wired connections to accessories while locked

WHO NEEDS THIS: Journalists, activists, executives, attorneys, anyone in family court/divorce, anyone with a restraining order, crypto holders, infosec professionals.

Android - GrapheneOS (For the Truly Paranoid):

GrapheneOS (grapheneos.org) is a hardened Android fork with:

• Sandboxed Google Play (run Google services without root access)
• MAC randomization per-network
• Hardened memory allocator
• Secure boot with verified boot

SUPPORTED DEVICES: Pixel 8/8 Pro, Pixel 9/9 Pro. Install guide: grapheneos.org/install/web

MINIMUM BASELINE CONTROLS (All Devices):

• Biometric + 10+ digit PIN (not 6-digit, not pattern lock)
• Auto-lock: 30 seconds
• Require authentication for USB data transfer
• Disable lock screen notifications (Settings - Notifications - Show Previews: When Unlocked)
• Enable "Find My" / "Find My Device" with remote wipe capability

7. Secure Communications: Why Telegram is Not Encrypted

THE TELEGRAM LIE: Telegram default chats use client-server encryption, NOT end-to-end encryption. Telegram can read your messages. Law enforcement can subpoena them. "Secret Chats" use E2E but are opt-in, device-specific, and not synced.

MANDATORY MESSENGER:

Signal (signal.org) - E2E encryption by default, open protocol (independently audited), metadata minimization, disappearing messages.

REQUIRED CONFIGURATION:

1. Enable Registration Lock: Settings - Account - Registration Lock (requires a PIN to re-register your number on new device, prevents SIM swap takeover)
2. Set Default Disappearing Messages: Settings - Privacy - Default Timer for New Chats (recommended: 1 week)
3. Verify Safety Numbers: For contacts that matter, tap contact - View Safety Number - compare in person or via trusted secondary channel.
4. Disable Message Requests from Strangers: Settings - Privacy - Sealed Sender - Allow from Anyone: OFF
5. Enable Screen Lock: Settings - Privacy - Screen Lock (requires biometric/PIN to open Signal)

BANNED: SMS, iMessage for sensitive communications (iMessage E2E but backdoor-able via iCloud backup unless you disable it), WhatsApp (owned by Meta, shares metadata with Facebook), Telegram default chats.

8. Browser Hardening: Manifest V3 is Killing Your Ad Blocker

THE CHROME PROBLEM: Google is forcing Manifest V3, which intentionally cripples ad blockers by limiting the number of blocking rules. uBlock Origin will be gutted in Chrome by June 2025. Chrome is an advertising company's browser.

MANDATORY BROWSER:

Firefox (mozilla.org/firefox) + uBlock Origin extension.

REQUIRED EXTENSIONS:

• uBlock Origin - Not "uBlock" (different project). Use default block lists + "Annoyances" lists.
• Firefox Multi-Account Containers - Isolates cookies/tracking by container (Personal, Work, Shopping, Banking).
• Bitwarden or 1Password browser extension (for autofill).

about:config HARDENING (Type "about:config" in address bar):

• privacy.resistFingerprinting = true (spoofs timezone, screen res, fonts to resist tracking)
• network.cookie.cookieBehavior = 5 (reject third-party trackers and cookies)
• privacy.firstparty.isolate = true (isolates cookies per-site)
• network.dns.disablePrefetch = true (stops pre-fetching DNS for links you haven't clicked)
• network.predictor.enabled = false (disables speculative connections)

ALTERNATIVE FOR ADVANCED USERS: LibreWolf (librewolf.net) - Firefox fork with privacy hardening pre-configured.

9. VPN Reality Check: Know What They Do NOT Protect

WHAT VPNs ACTUALLY DO:

• Hide your IP address from websites you visit
• Prevent your ISP from seeing which domains you access (DNS queries, HTTP host headers)
• Encrypt traffic on untrusted networks (coffee shop WiFi, hotel networks)

WHAT VPNs DO NOT PROTECT AGAINST:

• Cookie-based tracking (you're still logged into Google/Facebook)
• Browser fingerprinting (canvas, WebGL, font enumeration)
• Malware or phishing attacks
• The VPN provider seeing your traffic (you trade trust from ISP to VPN company)

IF YOU NEED A VPN, USE THESE:

• Mullvad (mullvad.net) - 5 EUR/month, anonymous account numbers, accept cash/crypto, no logs (proven in court), Swedish jurisdiction.
• IVPN (ivpn.net) - $6/month, open source clients, no logs, Gibraltar jurisdiction, multi-hop routing.

BANNED: Any VPN that advertises on YouTube/podcasts (NordVPN, ExpressVPN, Surfshark, PIA). If they spend millions on ads, they're selling your data to pay for it.

USE CASE REALITY: Most people do not need a VPN. Use DNS-over-HTTPS (see Section 3) and HTTPS Everywhere. VPNs are for:

• Bypassing geographic content restrictions
• Untrusted network access (airports, hotels, conferences)
• Censorship circumvention

10. Password Manager (Revisited): Specific Implementation Requirements

Since this is critical, additional technical requirements:

Bitwarden Configuration:

• Enable Two-Step Login with hardware key (Security - Two-Step Login - FIDO2 WebAuthn)
• Set Master Password Re-prompt for high-value passwords (Edit item - Options - Master Password Re-prompt)
• Enable Auto-fill only on HTTPS pages (Settings - Auto-fill - Default Auto-fill Setting: On Page Load - HTTPS Only)
• Set Vault Timeout to 15 minutes (Settings - Security - Vault Timeout: 15 minutes)
• Disable browser integration on shared computers (Settings - turn off browser extension access)

1Password Configuration:

• Enable Travel Mode (hide vaults you mark before crossing borders) - Settings - Travel Mode
• Set up Emergency Kit - print, store in fireproof safe
• Enable Watchtower for breach monitoring (monitors haveibeenpwned)
• Configure item-level 2FA (premium feature - adds TOTP to password entries)

11. Network Segmentation: Your IoT Devices Are Backdoors

THE THREAT: Every smart TV, Alexa, Ring camera, smart thermostat, and Wi-Fi lightbulb is manufactured with security as an afterthought. Default credentials, unpatched firmware, cloud dependencies that phone home to Chinese servers. These devices do not need access to your tax documents or laptop backups.

MANDATORY NETWORK SEGMENTATION:

Consumer Router Setup:

1. Enable Guest Network on router
2. Disable "Guest Isolation" if option exists (allows IoT devices to talk to each other but not main network)
3. Connect ALL IoT devices to Guest Network: Smart TVs, streaming boxes, smart speakers, cameras, thermostats, appliances
4. Main network: Only laptops, desktops, phones, tablets

Prosumer Gear (UniFi, pfSense, OPNsense):

1. Create separate VLANs:
   • VLAN 10 - Trusted (laptops, phones)
   • VLAN 20 - IoT (smart home devices)
   • VLAN 30 - Guest (visitors)
2. Firewall Rules:
   • VLAN 20 to VLAN 10: DENY ALL
   • VLAN 10 to VLAN 20: ALLOW (so you can control IoT devices)
   • VLAN 30 to VLAN 10/20: DENY ALL

12. Backup Strategy: The 3-2-1 Rule is Non-Negotiable

THE RULE:

• 3 copies of your data (original + 2 backups)
• 2 different media types (e.g., internal drive + external drive + cloud)
• 1 copy offsite (cloud or physical location away from primary site)

MANDATORY IMPLEMENTATION:

Local Backup (Copy 1):

• macOS: Time Machine to encrypted external drive (Preferences - Time Machine - Select Disk - Encrypt Backup)
• Windows: File History to external drive (Settings - Update & Security - Backup)
• Linux: Restic (restic.net) to encrypted local repository

Cloud Backup (Copy 2, Offsite):

• Backblaze (backblaze.com/cloud-backup) - $9/month unlimited, automatic, encrypted, supports versioning
• Restic + Backblaze B2 - Manual setup, encryption client-side, approximately $0.60/month per 100GB

VERSIONING REQUIREMENT: Ransomware encrypts your files over days/weeks before revealing itself. Your backup must support versioning (restore from 30/60/90 days ago). Both Time Machine and Backblaze do this automatically.

TESTING REQUIREMENT: Perform a test restore quarterly. Set calendar reminder. Untested backups are useless. Restore a random folder/file and verify integrity.

DISASTER RECOVERY SCENARIO: Your house burns down. Can you restore your data? If "no," your backup strategy is incomplete.

13. Email Aliases: Every Leak Traces Back to Source

THE PROBLEM: When you give Amazon your email, you have no idea if they leaked it or sold it when spam appears. Email aliases let you use unique addresses per service and disable the alias if it's compromised.

MANDATORY SERVICES:

• SimpleLogin (simplelogin.io) - Free tier: 15 aliases. Premium: $30/year unlimited. Custom domains supported.
• AnonAddy (anonaddy.com) - Free tier: 20 aliases. Pro: $12/year unlimited.

USAGE PATTERN:

• amazon.shop@youralias.simplelogin.com - forwards to your real email
• linkedin.job@youralias.simplelogin.com - separate alias
• sketchy-retailer.2024@youralias.simplelogin.com - disable after purchase

BENEFIT: When you receive spam to "amazon.shop@..." you know Amazon (or a partner/breach) is the source. Disable that alias. Create new one.

14. Device Encryption: Unencrypted Drives Are Malpractice

THE THREAT: Laptop stolen from car. Hard drive removed. All files readable in 60 seconds. This includes: saved passwords (if you ignored Section 1), tax returns, client data, photos, browser history, email archives.

MANDATORY FULL-DISK ENCRYPTION:

• macOS: FileVault (System Settings - Privacy & Security - FileVault - Turn On)
• Windows Pro: BitLocker (Control Panel - System and Security - BitLocker Drive Encryption - Turn on BitLocker). Note: Windows Home does not include BitLocker. Use VeraCrypt.
• Linux: LUKS (configure during OS installation - "Encrypt the new Debian installation" or equivalent)
• Mobile: Encrypted by default when you set a passcode (iOS 8+, Android 5+). Verify: Settings - Security - Encryption status.

RECOVERY KEY STORAGE: Write down recovery key. Store in fireproof safe or bank safety deposit box. Do NOT store on same device. Do NOT email to yourself.

15. Incident Response: You Will Be Compromised. Plan for It.

ACCOUNT COMPROMISE PLAYBOOK:

1. Change password IMMEDIATELY from a DIFFERENT device (assume keylogger on compromised device)
2. Revoke all active sessions: Google (myaccount.google.com/device-activity), Facebook (Settings - Security - Where You're Logged In - Log Out of All Sessions)
3. Enable MFA if not already enabled (hardware key per Section 2)
4. Review account activity: Email forwarding rules (common persistence mechanism), connected apps/OAuth grants, recent logins
5. Check haveibeenpwned.com to identify breach source

FINANCIAL FRAUD PLAYBOOK:

1. Call bank fraud line (use number on back of card, NOT number from email/text)
2. Dispute charges immediately (Regulation E gives you 60 days for electronic fraud, 30 days optimal)
3. Request new card with new number
4. File FTC Identity Theft Report: IdentityTheft.gov (creates affidavit for creditors/bureaus)
5. Check credit reports: AnnualCreditReport.com (free, federally mandated)
6. Freeze credit if not already frozen (see Section 5)

RANSOMWARE PLAYBOOK:

1. DO NOT PAY. Payment does not guarantee decryption. Payment funds criminal infrastructure.
2. Isolate infected system: Disconnect from network (unplug Ethernet, disable Wi-Fi). Do NOT power off (preserves volatile memory for forensics).
3. Identify ransomware variant: nomoreransom.org/crypto-sheriff - upload ransom note for identification
4. Check for decryptors: nomoreransom.org has free decryption tools for some variants
5. Restore from backups: Wipe infected system, reinstall OS, restore from OFFSITE backup (Section 12)
6. Report to FBI IC3: ic3.gov - required for insurance claims, helps track campaigns

DEVICE THEFT/LOSS PLAYBOOK:

1. Remote wipe immediately: iCloud Find My (iCloud.com/find) or Google Find My Device (google.com/android/find)
2. Change passwords for accounts logged in on device (from separate device)
3. Revoke device from account sessions (Apple ID - Devices, Google - Device Activity)
4. Contact carrier to suspend service (prevent SIM swap attacks)
5. File police report (required for insurance claims)