🕵 LinkedIn Exposure Audit

Assess your LinkedIn profile exposure from an attacker's perspective.

All scoring happens locally in your browser. No data is sent to any server. No LinkedIn API or scraping involved. GDPR/DORA compliant.
The score runs from 0 to 100 and is split across five categories:

[01] IDENTITY EXPOSURE max 25 pts
[02] JOB DETAIL GRANULARITY max 25 pts
[03] NETWORK OPENNESS max 20 pts
[04] CROSS-PLATFORM LINKS max 15 pts
[05] POSTING BEHAVIOR max 15 pts

A score of 0 is rated LOW EXPOSURE. The results panel shows Attacker Use Cases and Hardening Recommendations for the audited profile, plus an Audit Fingerprint (SHA-256) of the audit.
LinkedIn Hardening Best Practices

[01] PROFILE VISIBILITY SETTINGS
  • Turn off public profile visibility so that only signed-in LinkedIn members, not anonymous visitors, can view your profile
  • Restrict who can see your activity (posts, likes, comments) to your connections rather than all LinkedIn members
  • Turn off "Share profile updates with your network" before making changes, so edits are not broadcast to your network's feed
  • Disable search engine indexing of your profile (Settings → Visibility → Search engine indexing); copies already indexed persist in caches and archives until they expire
  • Review and revoke third-party app permissions at least quarterly, in line with the 90-day checklist below
[02] IDENTITY MINIMIZATION
  • Apply the minimum necessary principle: share only what a recruiter needs to contact you
  • Never list certifications that reveal privileged access or the products behind it (e.g. "CyberArk Vault Admin certified" tells an attacker which PAM product your employer runs and whose credentials are worth targeting)
  • Use a role-generic title for public-facing profiles in sensitive positions
  • Avoid listing languages if they reveal nationality or origin in a sensitive context
  • Do not list hobbies, volunteer work, or causes that create exploitable personal context
[03] NETWORK DISCIPLINE
  • Accept connection requests only from people you can verify
  • Periodically audit your connections — remove unknowns
  • Never connect with accounts that have no mutual connections, no photo, and no post history
  • Be aware that your connections list, even if hidden, is partially inferrable through LinkedIn's "People Also Viewed" and mutual connection features
  • Do not join open groups that signal your employer, role, or political/professional affiliations
[04] CONTENT OPERATIONAL SECURITY
  • Treat every LinkedIn post as permanently public and attributable: deleting it does not recall copies, screenshots, or search-engine caches
  • Never post photos taken inside an office, conference room, or secure area: badges, screens, whiteboards, door signage, and network equipment visible in the background are all usable by an attacker
  • Strip EXIF and other embedded metadata (GPS coordinates, device model, timestamps) from any photo before uploading, e.g. with ExifTool; do not rely on the platform to strip it for you
  • Never post about incidents, outages, audits, or regulatory events, even obliquely (a "long week" post timed with a public outage is a confirmation)
  • Avoid congratulating colleagues on promotions that reveal internal org structure or reporting lines
  • Do not tag your employer's account in posts; the tag cross-indexes you to the company page for anyone enumerating its staff
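The metadata-stripping step above, as an added example that is not part of this page or of ExifTool: a dependency-free Python JPEG segment walker that drops the APP1 (Exif/XMP), APP13 (IPTC/Photoshop) and COM (comment) segments and copies the image data through verbatim, so it doubles as a way to verify what a file still carries. The sample JPEG bytes are constructed here; its Exif payload is a placeholder string, not a valid TIFF structure, and the skeleton is not meant to decode.

```python
import struct

# JPEG marker codes (the byte following 0xFF).
SOI, EOI, SOS = 0xD8, 0xD9, 0xDA
APP0, APP1, APP13, COM = 0xE0, 0xE1, 0xED, 0xFE

# Segments that carry metadata rather than image data: APP1 holds Exif (GPS,
# device, timestamps) and XMP, APP13 holds IPTC/Photoshop records, COM holds
# free-text comments. APP0 (JFIF) and APP2 (ICC colour profile) are kept so
# the image still decodes and displays with correct colours.
STRIP = {APP1, APP13, COM}

# Markers that have no length field and no payload.
STANDALONE = set(range(0xD0, 0xD8)) | {0x01, SOI, EOI}


def _segments(data: bytes):
    """Yield (marker, start, end) for each segment up to and including SOS.

    start:end delimits the length field plus payload so callers can copy
    data[start:end] verbatim. Walking stops after SOS because entropy-coded
    image data follows and is not organised as length-prefixed segments.
    """
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG: missing SOI marker")
    i = 2
    while i < len(data):
        if data[i] != 0xFF:
            raise ValueError(f"expected 0xFF marker prefix at offset {i}")
        while i < len(data) and data[i] == 0xFF:  # 0xFF fill bytes are legal
            i += 1
        marker = data[i]
        i += 1
        if marker in STANDALONE:
            yield marker, i, i
            if marker == EOI:
                return
            continue
        (length,) = struct.unpack(">H", data[i:i + 2])
        end = i + length
        if length < 2 or end > len(data):
            raise ValueError(f"bad segment length for marker 0x{marker:02X}")
        yield marker, i, end
        if marker == SOS:
            return
        i = end


def segment_markers(data: bytes) -> list[int]:
    """Marker codes present before the image data, for before/after inspection."""
    return [marker for marker, _, _ in _segments(data)]


def strip_jpeg_metadata(data: bytes) -> bytes:
    """Return a copy of the JPEG with the metadata segments in STRIP removed."""
    out = bytearray(b"\xff\xd8")
    for marker, start, end in _segments(data):
        if marker in STRIP:
            continue
        out += b"\xff" + bytes([marker])
        if marker == SOS:
            # Copy the SOS header and all entropy-coded data through the final
            # EOI. Anything appended after EOI, where some tools stash data,
            # is dropped.
            eoi = data.rfind(b"\xff\xd9")
            if eoi < end:
                raise ValueError("no EOI marker after image data")
            out += data[start:eoi + 2]
            break
        out += data[start:end]
    return bytes(out)


def _segment(marker: int, payload: bytes) -> bytes:
    return b"\xff" + bytes([marker]) + struct.pack(">H", len(payload) + 2) + payload


# Constructed sample, not a real photo: a JPEG skeleton carrying an Exif
# segment (placeholder payload, not valid TIFF) and a revealing comment.
SAMPLE_JPEG = (
    b"\xff\xd8"
    + _segment(APP0, b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00")
    + _segment(APP1, b"Exif\x00\x00MM\x00\x2a" + b"GPSLatitude=51.5 Model=Pixel 7")
    + _segment(COM, b"Taken in the SOC badge room")
    + _segment(0xDB, b"\x00" + bytes(64))                      # DQT: quantisation table
    + _segment(0xC0, b"\x08\x00\x01\x00\x01\x01\x01\x11\x00")  # SOF0: 1x1, 1 component
    + _segment(SOS, b"\x01\x01\x00\x00\x3f\x00")               # SOS header
    + b"\x12\xff\x00\x34"  # entropy-coded data; 0xFF 0x00 is a stuffed byte, not a marker
    + b"\xff\xd9"
)

if __name__ == "__main__":
    print("before:", [hex(m) for m in segment_markers(SAMPLE_JPEG)])
    cleaned = strip_jpeg_metadata(SAMPLE_JPEG)
    print("after: ", [hex(m) for m in segment_markers(cleaned)])
```

With ExifTool the equivalent is `exiftool -all= photo.jpg`, which writes the cleaned file and keeps the original as `photo.jpg_original` (add `-overwrite_original` to skip the backup); `exiftool photo.jpg` afterwards should list only the file-system and image-structure fields. Both approaches also remove the Exif Orientation tag, so a photo taken with the phone rotated may display sideways; check the image after stripping and rotate the pixels if needed rather than putting the tag back.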
[05] ACCOUNT SECURITY
  • Enable two-factor authentication with an authenticator app, not SMS (SMS codes can be intercepted through SIM swapping)
  • Use a dedicated email address for LinkedIn that is not linked to your real identity or employer domain, so a LinkedIn data leak does not confirm your corporate email address format
  • Review active sessions monthly (Settings → Security → Where you're logged in) and sign out of anything you do not recognise
  • Enable login notifications
  • Use a strong, unique password: LinkedIn credentials were breached in 2012 (unsalted SHA-1 hashes, with the full set of roughly 117 million surfacing in 2016), and around 700 million profiles were scraped in 2021 (profile data rather than passwords, but enough for targeted phishing)
[06] HIGH-RISK ROLE GUIDANCE

For SOC analysts, CISOs, fraud investigators, pen testers, and compliance officers:

  • Keep your profile deliberately sparse, with minimal operational detail (LinkedIn's User Agreement permits one account per person, so a separate "decoy" account is not an option; the single real profile has to be the sparse one)
  • Never list current investigations, active projects, or ongoing certifications
  • Coordinate with your employer's communications/security team on what is acceptable to disclose
  • Be aware that there is no fully private profile: your reactions and comments on other people's public posts are visible to anyone who can see those posts, regardless of your own visibility settings
  • Assume nation-state and advanced threat actors actively monitor LinkedIn for target development
[07] PERIODIC REVIEW CHECKLIST

Run this checklist every 90 days:

  • Search your own name on Google — what surfaces?
  • Review your post history for operational leakage
  • Audit third-party app permissions
  • Check for fake profiles impersonating you or your colleagues
  • Check the email address on your LinkedIn account against Have I Been Pwned; if it appears in a breach, rotate the LinkedIn password and any other account that reused it
  • Review who viewed your profile and flag viewers you cannot place, in particular unknown corporate accounts