Basic Online OPSEC
1. Never assume security, assume it is unsecured.
2. When security is needed, implement proper security practices.
3. Encrypt everything…
1. Always digitally sign messages.
2. Encourage peers to sign their messages.
3. Always verify suspicious messages before acting.
4. Secure emails with digital encryption such as PGP or GnuPG.
5. Use file encryption or password protection if email encryption is not available.
4. Use secure tools. If adequate protection is unavailable, don’t send it over the internet.
5. Repeat, actually use your secure tools, otherwise expect adversarial exploits.
6. Avoid informational “snowballing” in heavily replied to emails. Eliminate unnecessary data so an adversary is deprived of the whole picture from one email.
7. Avoid using CC to send emails, instead email yourself and BCC (blind carbon copy) instead.
8. Email bugs and other exploits can be blocked by sending and receiving email in “text-only” mode, or using an email program that blocks images from untrusted senders.
9. Never reply to spammers in any way, including with “REMOVE” in the subject line or by clicking “Unsubscribe.”
10. Keep a “clean” email address for use when emailing unknown parties, posting to newsgroups, mailing lists, chat rooms and other public spaces on the internet.
Browsing the Web
1. Disable cookies through your browser. “Whitelist” trusted sites while blocking all others.
2. Never use the “remember me” function on websites. Doing so increases risk of having your account hijacked.
Search engines track your search history and store it in databases; this can reveal a lot of information about you and your job in aggregate.
1. Use generic information when possible.
2. Alternate search engines periodically to prevent a single engine from getting the whole picture.
3. If using related services (e.g. Google & Gmail, etc.) log out before searching so they can’t tie your results to your account.
Clicking any link online tells the target website which site you just came from. This can give away information you hadn’t intended.
1. Browse in an private/incognito mode.
2. When clicking links in search results, ask if any of the data (search terms) in your address bar give data away. If so, copy and paste a result’s link to your address bar instead of clicking it.
3. When posting links on a Web site you control, ask if you want to broadcast to the linked sites the fact that you linked to them. If not, print the links, but don’t make them clickable so people have to cut and paste them instead.
4. Get into the habit of typing web site names into a search engine instead of the address bar to avoid illegitimate sites. Search engines correct spelling, making it less likely you will end up on an unintended site.
5. Many search engines and anti-virus programs pre-scan sites for malicious code and will warn you when you click them.
6. Never use the same password from site to site. Periodically changing passwords, using complex passwords or pass-phrases with special characters makes it much more difficult for potential attackers. Using a password manage such as Lastpass simplifies password management across multiple sites.
7. Do not email or store any passwords unencrypted.
8. Do not write down passwords on sticky notes or notepads unless you physically secure them.
9. Never give any site any password for any reason. The consequences of disregarding this
rule can be severe.
10. Look for HTTPS in the address bar of your browser to verify the transaction is secure before entering your username, password or any other important information.
Be Cautious of fake alerts that look like legitimate warnings or system messages but are not.
11. Determine if the alert is real by closing all browser windows from the taskbar, do not click on or near the alert itself.
12. If the alert remains, look to see if it mentions a web site to visit or tool to download. If so, perform a web search on the site or tool to gauge it’s validity.
13. Do not under any circumstances install a program unless absolutely sure of who created it, what it is and what it will do once installed.
1. Most things online are available to everyone, good and bad alike.
2. Be wary of private posts as they are often made public by accident or due to weak site security.
3. Anything posted on an organizations website that’s not protected is visible to the public. Several common protections can be bypassed easily.
Do not rely on third parties or the cloud to keep information safe.
4. Third party sites may have been initiated or infiltrated by adversaries.
5. Data centers used by these sites may be in countries with weak data protection laws.
6. Third parties are often hacked or sell user data outright.
Watch for metadata in files.
7. Documents typically have creators name and organization in the file properties.
8. Photos may also list names and GPS coordinates of where the photo was taken.
Photos reveal too much.
9. Buildings or natural features in background can give away location.
10. Reflective surfaces may show people, names or other critical information.
This text is not meant as a comprehensive list of online OPSEC, rather a basic outline of practices adapted from U.S. Department of Defense Cyber OPSEC slides and the EFF’s Top 12 Ways to Protect Your Online Privacy.