Operational Security Tips and Tricks

For my last blog of 2020, I wanted to share a short checklist for users and researchers to keep themselves secure on the internet. Many attackers cast a wide net and many of those that fail the basics get caught. Hopefully this guide will help those on the path to Operational Security (OPSEC):

Social Media:

  • Set social media accounts (e.g. Twitter, Facebook, Instagram, Tiktok) to private.
  • Avoid using your real name when creating accounts.
  • Avoid using identifiable personal pictures for profile pictures and cover pictures.
  • Leave bio details blank and avoid sharing identifiable information.
  • Do not check-in to locations or share your location for social media posts.
  • Have a vetted list of friends/contacts that you permit to view your social media content. 
  • Finally, personnel who work in cleared positions often ask family members not to share pictures of them and to prevent tagging.

Personal Security (PERSEC):

  • Use more than one email account - ideally one for critical services such as finances and online shopping, and one for social media and other non-essential platforms.
  • Set up Multi-factor Authentication (OTP SMS text or Auth App). [1]
  • Check the enabled permissions of mobile apps so that you do not unwittingly share your contact details, SMS log, notifications, and other sensitive information with marketing companies, adware, and malware. 
  • Only download applications from official sources, such as the Google Play Store for Android.
  • Check if a URL is malicious using these three services: Browserling, URLscan and VirusTotal. [2, 3, 4]
  • Have I Been Pwned - a VERY useful service to check whether your email address has appeared in any breaches, and therefore where you may need to update your passwords; it can also notify you when your email address appears in a new breach uploaded to the platform. [5]
  • Password managers - one of the most useful programmes to organise accounts in an encrypted database that can only be accessed locally with one master password. [6]
  • Always back up data, for a plethora of reasons, potentially in multiple ways such as removable media and cloud services that will do it for free, such as Google Drive, OneDrive, or iCloud.

The goal of these tips is to become harder for threat actors to track down and target. The more time it takes them to attack you, the more likely it is they will give up and move on.

Along with the above, public-facing personalities may not have the luxury of concealing their real names from the world. This group is forced to up their OPSEC game due to the increased threat level and the higher number of attacks they face. These tips are also recommended for any user who takes security seriously:

  • Firstly, if you require a proper security review, it is worth asking a professional to check your OPSEC using OSINT and other types of audits.
  • Credit monitoring to check for fraudulent transactions.
  • Setting up alert emails to check if you are mentioned on Twitter or in news articles can be done via Google Alerts or Warble Alerts. [7, 8]
  • Secure email services such as ProtonMail can be used to send encrypted emails to others with similar ‘@protonmail.com’ accounts. [9]
  • Any application, software or service should be reviewed before use, including its privacy policy.
  • Before you interact with someone online, whether you know them or not, vet them via quick background research.
  • A Virtual Private Network (VPN) is recommended when surfing the web, especially on public WiFi, to encrypt your traffic on networks you do not own and to shield your connection from the websites you visit. [10]
  • It may also be worth investigating the use of a Virtual Machine (VM) to run a Linux or Windows operating system (OS) inside your primary OS. [11]
  • End-to-end encrypted (E2EE) chat applications for mobile and desktop, such as Keybase, Telegram, or Signal, are recommended for secure communications and file sharing. [12, 13, 14]
  • A final interesting tool that many security engineers use is known as CanaryTokens - these are laid like traps that set off an alert if an intruder triggers them. [15]
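To make the canary token idea concrete, here is an added example (not code from the post or from the CanaryTokens service) of how such a trap works: a hypothetical registry mints an unguessable token per decoy, the token is embedded in a URL that nothing legitimate ever requests, and a scan of web server access logs raises an alert naming the decoy and the source address whenever that URL is hit. The `canary.example.invalid` host and the log lines are constructed for the demo.

```python
import re
import secrets

# Hypothetical canary registry (added illustration, not a real service): each
# token is a random 128-bit value tied to the decoy it was planted in.
class CanaryRegistry:
    def __init__(self, base_url="https://canary.example.invalid"):
        self.base_url = base_url
        self._planted = {}  # token -> label of the decoy it lives in

    def mint(self, label):
        """Create an unguessable token and record where it will be planted."""
        token = secrets.token_hex(16)
        self._planted[token] = label
        return token

    def url_for(self, token):
        """URL embedded in the decoy (e.g. a tiny remote image in a document)."""
        return f"{self.base_url}/t/{token}.png"

    def resolve(self, path):
        """Return the decoy label if the requested path carries a known token."""
        m = re.fullmatch(r"/t/([0-9a-f]{32})\.png", path)
        return self._planted.get(m.group(1)) if m else None

# Combined log format: ip - - [time] "METHOD path HTTP/x" status size
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')

def scan_access_log(registry, lines):
    """Return one alert per request that hit a planted token."""
    alerts = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not in combined log format, ignore
        ip, when, method, path, status = m.groups()
        label = registry.resolve(path)
        if label:
            alerts.append({"label": label, "source_ip": ip, "time": when,
                           "method": method, "status": status})
    return alerts

if __name__ == "__main__":
    reg = CanaryRegistry()
    tok = reg.mint("passwords.xlsx on shared drive")
    # Constructed sample: one request to the decoy URL, one ordinary request.
    sample = [f'203.0.113.7 - - [31/Dec/2020:10:15:42 +0000] "GET /t/{tok}.png HTTP/1.1" 200 68',
              '198.51.100.9 - - [31/Dec/2020:10:16:01 +0000] "GET /index.html HTTP/1.1" 200 1024']
    for a in scan_access_log(reg, sample):
        print(f"ALERT: decoy '{a['label']}' opened from {a['source_ip']} at {a['time']}")
```

Because the token is random and the URL is never linked anywhere, any request for it is a strong signal on its own, which is what makes canary tokens low-noise compared with most detections.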
