secure-me: Digital-OPSEC
HELPING YOU stay DIGITALLY SECURE
Are You a Very Important Person? Why yes, of course you are. But what this is asking is whether you are important in the sense that someone, or some group, may wish to gain access to your computer systems. Would a hacker wish to capture and/or control what you are directly working on? Might they wish to use you to get to other computer systems within your organisation because of your role, or to get to someone you know and interact with? If yes, or even maybe, then you likely need to be practicing some digital operational security (D-OPSEC). And even if you aren't all that operationally critical in what you do, if you feel a heightened sense of digital threat and are concerned about being personally hacked, then the tactics and measures that follow can help you.
Operational Security, often referred to as OPSEC, involves the security practices used to keep an enemy from acquiring information, leverage, access, and control of things deemed vital to the safety, security, and operational integrity of the other side. [D]igital-OPSEC then, is the digital and cyber elements of Operational Security.
So, what qualifies as a Very Important Person? You are certainly a V.I.P. if you hold any of the following roles for a wealthy, powerful, information-rich, or technologically or research-unique (possibly critical) organization. This could be a company, part of government, or a non-profit. It could also be an organization or sole individual that provides important services to other, more "unique" organizations or people. Below are some more specific example roles to consider:
Executive or Senior-level officer/employee.
Perform a key engineering or operational role ("key" meaning you have some perceived or actual involvement in the primary activities of the organization).
Perform Executive Administration functions for Executive and Senior people.
Perform system administration and software development.
Involved in the Engineering, R&D, or Product Development areas of companies working on key technologies; or supporting services to those organizations.
The intent of this D-OPSEC guidance is not to keep you from getting caught doing something illegal and going to jail. It is to assist in keeping your digital life from being completely compromised when you are targeted as a known or potentially useful asset with needed information or access.
D-OPSEC PREMISE:
Human nature is egocentric and social, and people make mistakes, guaranteed. We also cannot help but establish patterns of activity and take the easier path. And it is difficult for us to maintain the big-picture, external view of how our actions, broadly speaking, can be leveraged against us.
Even the most security-conscious person can eventually be fooled or tricked - once is enough. So it is vital to mitigate these natural inclinations as much as possible: to plan for compromise while also making it more difficult, and to establish practices that detect and contain compromise as well as protect against it. Baseline security practices must be established with these things in mind.
D-OPSEC Maxims:
If you are important given the information you have, the people you interact with, or the systems you have access to, then there is a decent chance of being targeted for compromise; if not directly, then in a net cast widely.
A person targeted for compromise by dedicated and/or determined attackers will be inspected for possible vulnerabilities with a fine-toothed comb.
It's often not if, but when, you will be compromised once targeted - SO, Mitigate, Mitigate, Mitigate the potential damage, and build your capability to recover!
THE GREATEST THREATS TO YOUR SECURITY:
Unencrypted or compromised WIFI connections where you live or work, that you carry with you, or that you use while elsewhere. This can take many forms.
Browsing a web page that has been booby-trapped with malware that can automatically infect your system.
Being lured into clicking an email browser link that sends you to a web page that is booby-trapped.
Opening a file sent to you or that you come across that is booby-trapped with malware.
Using the same password across different services and systems that become compromised.
Not patching/updating your installed software diligently.
Being digitally footprinted once targeted:
Once the target is identified, the next step is to footprint it: to find out everything about it so that an attack profile can be developed. Footprinting takes into account all of the pieces and components involved in the function of the target, then decomposes them into the Who, What, When, Where, Why, and How details. Footprinting applies to [computer] systems as well as to people directly. And in footprinting both people and systems, there is a physical realm as well as a digital realm to consider; the two will often overlap. A few examples of these footprinting approaches are:
Identifying the locations where you live and work, even the car you drive or ride in. This leads to identifying the WIFI networks you use, which in turn identifies locations to compromise where you will be connected electronically, for further monitoring or attack.
Combing through Google and the social networks you use to collect personal information about you: your close contacts who could also be targeted to reach you, the places you frequent day to day, your photos, the services you use.
Obtaining as much digital contact information about you as possible to continue building a digital dossier - email addresses, domains, IP addresses, digital photos (EXIF location data), etc. There are free and professional tools for conducting robust link analysis of known target data.
Social engineering personal details from service providers, using background investigation services, obtaining credit reports, etc.
These footprinting activities will be conducted in order to facilitate three different primary attack approaches:
Compromising the networks you use, to gain access to your communications so that more information and broader access can be obtained.
Sending you phishing emails to get malicious programs onto your computers, to gain broader access and information.
Compromising the computer systems you use through direct physical manipulation or acquisition.
D-OPSEC Best practices
Don't Be Naive
Operational Practices
Personal Details
Connectivity & Equipment
Passwords & Authentication
EMAIL
Web Browser
Compartmentalized Computing
Systems Security
Mobile Phones
Super Paranoid
Don’t Be Naïve
Create and use unique passwords for everything at all important (online accounts and computers), especially for important or vital services and systems administration - MAKE THEM ALL DIFFERENT - make it a habit!
Stay off of public, open (unencrypted) WIFI - unless you are only connecting through a secondary VPN you use while on it. And configure your computers and phones to not automatically connect to unencrypted hotspots.
Keep up with OS and Application Patching on your systems and phones - no really, don't be lazy here! And do not rely on applications telling you they have updates available. Get in the habit of periodically checking and updating. For Windows systems there is also the free Personal Software Inspector to help check what is out of date.
Have redundant, encrypted backups: two separate types of backup solutions, ideally stored in separate locations.
Do not use public computers (Internet cafes, hotels, etc.) for anything except simple browsing – e.g. news reading. Consider these computers to be compromised, and logging everything you type. Do not log-in to anything at all important or sensitive from unknown systems – including friends’ computers.
Do not plug unknown flash drives or other media into your computer. Found something? Given something? Great, just don’t stick it in your computer! You don’t know where it’s been or what it might have.
Do not install mobile applications from download links or attached files in messages or texts.
Practice safe porn use - do not surf porn on any system used for regular daily use – personal or business.
Operational Practices
Practice computer-to-activity segregation for PC/Laptop use - for example, use different computer systems (physical or virtual) for email versus Internet browsing, and for personal versus business use; and possibly for general work research, if relevant. Most critically, do not surf the Internet and open email on the same system that you also use to manage/administer critical systems and online account services. With enough effort you can get phished! You can be tricked - at least once, somehow, somewhere – possibly by someone you think is someone you know or trust. So limit your critical exposure by splitting up your computer activity among different physical and virtual systems. Above all, keep everything important that you log into, and the sensitive data/files you store, on one physical or virtual computer, and do email and general Internet browsing from other, different ones.
Don't follow any links in received email to login to services you use. If you feel compelled to go to a site that is emailing you, then just open a new window yourself. Consider any email sending you a link to a site to login as potentially fake.
Do not open file attachments that you are not expecting, or whose sending cannot be verified through another channel. Any file attachment received off of the corporate email server and network – don’t open it, or only open it (from your email/browser VM) in an online file viewer of a secondary service like Box.com.
Only remotely manage systems securely using strong, unique passwords, two-factor authentication, and encrypted channels end-to-end.
Get in the habit of validating the HTTPS green lock/company icon in the browser address bar for your sensitive services, and that the URL’s primary domain is correct.
Be instantly suspicious of out-of-the-norm pop-up dialog boxes asking you to log in again to a network you normally connect to and have already authenticated with.
Periodically review all your Security & Privacy settings for your email and social network accounts. You have done that already, right? If not, then go do that; and limit the amount of personal information you let be available to others to dig up. The services change settings and capabilities over time also, so you need to periodically validate them.
Help friends and family members with a security audit and hardening. The easiest way to be tricked, or to still be monitored, is for close friends, family, and acquaintances you regularly communicate with to be compromised. Extend this guidance to them also, and provide support and encouragement for reviewing their security settings and practices.
Take a Phishing Quiz - https://www.opendns.com/phishing-quiz/ - to give yourself an idea of the nuanced ways to get duped via email. Be informed, so you can consider future situations better.
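The advice above to check the HTTPS lock and that the URL's primary domain is correct can be automated as a habit check. The following Python script is an added example written for this page, not code from the original guide: it splits a URL the way a browser does, extracts the registrable ("primary") domain, and flags the common tricks (plain HTTP, a `user@host` authority that hides the real host, a punycode lookalike label, and a subdomain of an unrelated domain). The tiny suffix table and the `bank.example` / `evil.example` names are constructed placeholders; a real check would consult the full Public Suffix List.

```python
from urllib.parse import urlsplit

# Constructed, deliberately tiny table of multi-label public suffixes.
# A real check would consult the full Public Suffix List instead.
MULTI_LABEL_SUFFIXES = {"co.uk", "org.uk", "com.au", "co.jp"}


def registrable_domain(host):
    """Return the 'primary domain' of a hostname, e.g. login.bank.example -> bank.example."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def check_login_url(url, expected_domain):
    """Return a list of findings; an empty list means the URL passes every check."""
    findings = []
    parts = urlsplit(url)
    if parts.scheme != "https":
        findings.append("not HTTPS")
    # "https://bank.example@evil.example/" displays bank.example first but connects to evil.example
    if "@" in parts.netloc:
        findings.append("'@' in URL authority: the real host is the part after '@'")
    host = parts.hostname or ""
    if not host:
        findings.append("no host in URL")
        return findings
    # Internationalised hostnames travel as punycode labels; lookalike characters end up here
    if any(label.startswith("xn--") for label in host.split(".")):
        findings.append("punycode label in host (possible lookalike domain)")
    actual = registrable_domain(host)
    if actual != expected_domain.lower():
        findings.append("primary domain is %r, expected %r" % (actual, expected_domain))
    return findings


if __name__ == "__main__":
    # Constructed sample URLs: the first is fine, the rest show the classic tricks.
    for u in ["https://www.bank.example/login",
              "http://www.bank.example/login",
              "https://bank.example.evil.example/login",
              "https://bank.example@evil.example/login"]:
        print(u, "->", check_login_url(u, "bank.example") or "OK")
```

The point of `registrable_domain` is that the browser's lock icon only vouches for the host you are actually connected to; the comparison against the domain you expect is what catches `bank.example.evil.example`, which carries a perfectly valid certificate for `evil.example`.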
Compartmentalized Computing
Virtualize both your browser and email clients on different OS instances from your base system and use those for your compartmentalized usage (e.g. business, personal, work).
Consider different combinations of Windows 10, Ubuntu 16, and even OSx (easily done with Parallels), at minimum, to diversify your attack surface so that no single exploit covers all of your activity. For example, a base Mac OSx system using Parallels or Veertu virtualization software, running one or more instances of Windows 10, Ubuntu, or the newer Subgraph-OS.
Another excellent way to securely virtualize all of your email and web browsing activity on your computer is to use a security product like Bromium. www.bromium.com
Have you ever heard of a ChromeBook/Box having malware? Neither have we. That’s because they are built very securely out of the gate for a special purpose – browser use. Consider using a Chromebook as one of your segregation systems for specific browser-based activity – e.g. your banking or generic Internet browsing and web mail.
System Security
Use newer computer CPU technology that has the latest hardware virtualization, secure boot, and encryption features built-in. An example Intel processor is the X5-Z8xxx series.
Use an operating system that can utilize the CPU secure boot and virtualization capabilities.
Use a hypervisor that makes use of the CPU hardware virtualization technology.
Harden the operating system configuration. There are numerous resources for the different OS flavors around. Some are the CIS Benchmarks, the OSX Security & Privacy Guide, and Harden Windows 10 – A Security Guide.
Do not operate your computer continuously while logged in under the Administrator/Root account. Create a standard User account and log into it for general use. Use the administrative account only for specific administration needs/actions, then switch back to the standard User.
Enable operating system drive/file encryption – and/or use secondary encryption such as Veracrypt.
Run next-generation anti-malware and anti-exploitation software such as MalwareBytes Anti-Exploit, Microsoft EMET, Cylance Protect, or SentinelOne Endpoint, to name a few.
Configure your firewall to block inbound connections/services, then allow specific ones through temporarily as needed.
For Mac OSx; consider using helper security tools like LockDown, KnockKnock, and TaskExplorer from Objective-See.
For Mac/Linux/Unix; consider using Lynis (Free and Professional versions) for system auditing & security.
Use a DNS security service such as OpenDNS (Umbrella - Small Teams - Prosumer version) to help block and alert you to Internet dangers and possible compromise. Also configure it at your WIFI gateway and mobile devices.
Consider also adding the DNScrypt client to your base system for encrypted DNS communications. OpenDNS also offers a free DNScrypt client for Mac and Windows.
Personal Details
Take a minimalist approach with your Social Network profiles - and/or enter false (or slightly inaccurate) information for some things, such as birthdates, location, etc. Keep real personally identifiable information out of your online profiles, and guard it as sensitive, close-friends-only material - e.g. addresses, birthdates, phone numbers, core email addresses, family details, etc. Yes, this is a bit challenging. Yes, it goes against everything Facebook et al want – and that's exactly why you are their product. But make no mistake: people get profiled and targeted from social network profiles and friending/linking.
For further guidelines on social network security and privacy visit the helpful guidelines at Security In A Box.
Turn off Exchangeable Image File Format (EXIF) data on your smartphone for photos you take - and also on phones that your friends and family use. See more about this HERE and HERE.
Only accept software updates (other than operating system ones) that initiate from directly checking for updates using the applications update checking function, or when the application has just started. And if you are Nation State paranoid, then mitigate the threat even further with DNScrypt and VPN connections when updating. But even these additional measures may not provide any guarantees of the “right” software update coming back.
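The EXIF advice above is easy to verify on your own photos. The following Python script is an added example written for this page, not code from the original guide or from any camera vendor: it walks the marker segments of a JPEG, reports whether the embedded Exif block carries a GPSInfo pointer (TIFF tag 0x8825, which is where the location data hangs), and produces a copy with the Exif segment removed while leaving the image data untouched. The sample JPEG is constructed inline with a fake scan section so the script runs offline; run it against a real photo by reading the file into `data`.

```python
import struct

SOS, APP0, APP1 = 0xFFDA, 0xFFE0, 0xFFE1
EXIF_HEADER = b"Exif\x00\x00"
GPS_IFD_TAG = 0x8825          # IFD0 entry pointing at the GPS sub-IFD


def split_jpeg(data):
    """Return (list of (marker, raw_segment) before the scan, offset of the SOS marker)."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG: missing SOI marker")
    segments, pos = [], 2
    while True:
        if pos + 4 > len(data) or data[pos] != 0xFF:
            raise ValueError("truncated or malformed segment at offset %d" % pos)
        marker = struct.unpack(">H", data[pos:pos + 2])[0]
        if marker == SOS:                      # everything from here on is entropy-coded image data
            return segments, pos
        length = struct.unpack(">H", data[pos + 2:pos + 4])[0]   # includes the 2 length bytes
        if length < 2 or pos + 2 + length > len(data):
            raise ValueError("bad segment length at offset %d" % pos)
        end = pos + 2 + length
        segments.append((marker, data[pos:end]))
        pos = end


def is_exif_segment(marker, raw):
    return marker == APP1 and raw[4:4 + len(EXIF_HEADER)] == EXIF_HEADER


def exif_has_gps(raw):
    """True if IFD0 of the Exif TIFF structure contains a GPSInfo pointer."""
    tiff = raw[4 + len(EXIF_HEADER):]
    if len(tiff) < 8:
        return False
    endian = {b"II": "<", b"MM": ">"}.get(tiff[:2])
    if endian is None:
        return False
    ifd0 = struct.unpack(endian + "I", tiff[4:8])[0]
    if ifd0 + 2 > len(tiff):
        return False
    count = struct.unpack(endian + "H", tiff[ifd0:ifd0 + 2])[0]
    for i in range(count):                     # each IFD entry is 12 bytes: tag, type, count, value
        off = ifd0 + 2 + 12 * i
        if off + 2 > len(tiff):
            break
        if struct.unpack(endian + "H", tiff[off:off + 2])[0] == GPS_IFD_TAG:
            return True
    return False


def photo_has_gps(data):
    segments, _ = split_jpeg(data)
    return any(is_exif_segment(m, r) and exif_has_gps(r) for m, r in segments)


def strip_exif(data):
    """Copy of the JPEG with every APP1 Exif segment dropped; image data is copied verbatim."""
    segments, scan_start = split_jpeg(data)
    kept = [raw for marker, raw in segments if not is_exif_segment(marker, raw)]
    return data[:2] + b"".join(kept) + data[scan_start:]


def _segment(marker, payload):
    return struct.pack(">HH", marker, len(payload) + 2) + payload


# Constructed minimal Exif block: little-endian TIFF, IFD0 with one entry (GPSInfo -> offset 26),
# followed by an empty GPS IFD. Real cameras put latitude/longitude entries in that GPS IFD.
_TIFF = (b"II*\x00" + struct.pack("<I", 8)
         + struct.pack("<H", 1)
         + struct.pack("<HHII", GPS_IFD_TAG, 4, 1, 26)
         + struct.pack("<I", 0)
         + struct.pack("<HI", 0, 0))

# Constructed sample JPEG: SOI, JFIF APP0, Exif APP1, SOS header, three fake scan bytes, EOI.
SAMPLE_JPEG = (b"\xff\xd8"
               + _segment(APP0, b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00")
               + _segment(APP1, EXIF_HEADER + _TIFF)
               + _segment(SOS, b"\x01\x01\x00\x00\x3f\x00")
               + b"\x12\x34\x56"
               + b"\xff\xd9")

if __name__ == "__main__":
    print("sample has GPS tag:", photo_has_gps(SAMPLE_JPEG))
    cleaned = strip_exif(SAMPLE_JPEG)
    print("after strip_exif:", photo_has_gps(cleaned), "bytes removed:", len(SAMPLE_JPEG) - len(cleaned))
```

`strip_exif` removes the whole Exif block rather than editing out only the GPS entries, which is the safer default: other Exif fields (camera serial number, software, thumbnails) are also footprinting material, and rewriting a TIFF structure in place is where bugs creep in.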
Connectivity & Equipment
Use an LTE-only cellular modem (no 2G) for mobile/public Internet use - either a USB plug-in modem, or a mobile phone/tablet tethered by USB cable, not WIFI.
Use a VPN service (e.g. VyprVPN, Private Internet Access, or Mullvad) over untrusted or even semi-trusted connections, and especially over any public WIFI. Use it on computers and phones, and in addition to a cellular modem for increased security and privacy needs.
Turn off WIFI and Bluetooth on your phone and computer when not using it directly.
Avoid using wireless keyboards, especially cheap, non-Bluetooth ones, as they can be monitored from within rock-throwing distance and are not always encrypted.
Store important cryptographic keys and password manager database backups encrypted on a hardware security token/module. Then lock these away somewhere safe and static. The Kanguru Defender USB 300 is a great solution for portable secure file storage.
At home, use a good WIFI access point like the Google OnHub. It is based on ChromeOS, uses a trusted platform module to secure itself, and gets automatic software updates from Google.
Mobile Phones
Use a smartphone that gets reliable software updates from its maker regularly, and that takes security seriously with a secure hardware design (e.g. iPhone, Nexus, Windows Phone). Then make sure to check for and apply software updates in a timely manner.
Communicate securely on your phone. Use a secure messenger like Signal (also does voice).
Enable a secondary PIN code on your cellular carrier account. It is not robust protection, but it is better than nothing against customer service reps being fooled by someone impersonating you to change your phone forwarding. More on this HERE.
Do not install mobile apps from outside of first-level app stores like Google Play, iTunes and Windows Phone app stores.
Do not use a rooted or jailbroken phone, as the phone's security model is broken and the device is even more susceptible in this state.
Configure the OpenDNS service on your mobile devices also. See System Security section above for more details.
Passwords & Authentication
Use a smartphone- and PC-based password manager like mSecure, 1Password, LastPass, Dashlane, or TrueKey. This will help you actually create unique, strong passwords. And be sure that you maintain a backup - encrypted - ideally on a hardware security module you physically lock away.
Create complex passwords - at a minimum 12 characters long for important accounts. Can't remember it? Good! That's what your password manager is for. Is it a bit of a hassle? Yes, yes it is. But, again, your password manager can help you generate complex passwords to use, then record them. And like anything, you get used to it after doing it; so then it becomes no big deal.
Turn on two-factor authentication, such as Google Authenticator, everywhere you can for account management and access, but most especially for any sensitive, critical, or highly personal accounts. Seriously, this together with unique passwords is like an Internet security superpower! It will not guarantee a win over evil, but it will get you a lot farther. To easily see whether the services you use offer two-factor authentication, check out the handy list HERE.
Side Note - while the Google Authenticator mobile app is a great tool for services that support this two-factor authentication method, be warned that you cannot migrate your registered sites in the app to another phone! You need to re-register each one separately. Yes, this is really lame when you change your phone - as backups do not restore these accounts. Because of this, consider that other password and two-factor apps like 1Password (also a password manager) and Authy support the same Google Authenticator-compatible one-time-password services, and they let you manage these registrations between devices.
Have a core-personal-email address as your one password-reset email address for all of your online services. Harden/restrict this email account using the security and privacy settings, and enable two-factor on this account as well. You can use Google Gmail with the free Google Authenticator app (or Authy or 1Password) for two-factor authentication, as a good example. This mobile app can often be used across many other services too.
Using your core-personal-email address, set recovery email addresses in all other online service account settings.
Create a root-recovery-email account using Google Gmail or similar - this is the one email account used ONLY as the recovery email for your core-personal-email account. This account is not logged into regularly, given out, or used as an actual email inbox/outbox. It is a password-recovery safety mechanism for your core-personal-email account. Also configure it with two-factor authentication, and lock down the security and privacy settings. You can also set up SMS alerts on your phone when new email arrives at this account; more on how HERE. But in general, this account does not need ongoing access until needed.
If you set up Google email accounts with two-factor authentication enabled, you can also add a secondary physical two-factor key to your accounts. It's called the Google Security Key, and it can be used along with the Authenticator app. You can also register more than one physical key - like the Yubico FIDO U2F Security Key or the higher-end Yubikey 4 - so that backups can be stored, in a safe of course. Lose a key and you can still use your mobile Authenticator app for secondary verification. The Google Security Key is a great added physical security layer for your core accounts.
Set up a Google Voice or Hangouts phone number and use this number only as the recovery phone number for the core and root-recovery email accounts described previously. This is all this number should be used for; do not list it or give it out anywhere else. Keep it in your mobile phone password safe too, so you won’t forget it.
Use a secure email client or service for transmitting sensitive email communications end-to-end. The PGP standard is tried and true for the technical crowd. Info on PGP and its different forms can be found on Phil Zimmermann’s page HERE. There are also some easier-to-use services capable of sending encrypted email to others who are not themselves using that particular service, some with mobile apps as well: Mailfence, Protonmail, HushMail.
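The two-factor guidance above, and the side note about Google Authenticator registrations not surviving a phone change, both come down to one fact: the app holds nothing but a shared secret per site, and the six-digit codes are a deterministic function of that secret and the clock. The following Python script is an added example written for this page, not Google's or any vendor's code: it implements the standard HOTP (RFC 4226) and TOTP (RFC 6238) algorithms that Google Authenticator, Authy and 1Password all use, plus the server-side verification with a small clock-skew window. The secret values are the RFC test vectors and a constructed base32 string, not real account secrets.

```python
import base64
import hashlib
import hmac
import struct
import time


def hotp(secret, counter, digits=6, algo=hashlib.sha1):
    """RFC 4226: HMAC over the big-endian counter, dynamic truncation, then modulo 10^digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algo).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret, at, step=30, digits=6, algo=hashlib.sha1):
    """RFC 6238: HOTP with the counter set to the number of time steps since the Unix epoch."""
    return hotp(secret, at // step, digits, algo)


def decode_base32_secret(text):
    """Turn the base32 string shown next to a QR code (spaces, lower case, no padding) into key bytes."""
    cleaned = text.replace(" ", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)
    return base64.b32decode(cleaned)


def verify_totp(secret, submitted, at, step=30, digits=6, window=1):
    """Server side: accept the current step and +/- `window` neighbours to absorb clock skew.

    hmac.compare_digest keeps the comparison time independent of how many digits matched.
    """
    for drift in range(-window, window + 1):
        expected = totp(secret, at + drift * step, step, digits)
        if hmac.compare_digest(expected, submitted):
            return True
    return False


if __name__ == "__main__":
    # Constructed secret, the same kind of string an enrolment QR code carries.
    secret = decode_base32_secret("jbsw y3dp ehpk 3pxp")
    now = int(time.time())
    print("current code:", totp(secret, now), "valid for", 30 - now % 30, "more seconds")
    # Because the code is computed purely from the secret, moving to a new phone means
    # moving (or re-enrolling) the secret; a backup that omits it restores nothing useful.
```

Two practical consequences follow directly from the code: first, whoever holds the secret bytes can produce every future code, so an exported authenticator backup deserves the same protection as a password-manager database; second, the drift window is what lets a phone whose clock is a little off still log in, which is why a failing authenticator is usually a clock problem rather than a broken secret.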
Web Browser
Use the Google Chrome browser. It is arguably still the most secure currently. You should also be running web browsers in virtual machine layers.
Review your web browser settings and consider adding these extensions and changes:
Disable the Java Runtime and Flash plugins, and any other unknown/unneeded plugins
Use the HTTPS Everywhere plugin
Consider the NoScript plugin for Firefox to strip out script content as desired - or possibly ScriptSafe for Chrome. Though both are a giant pain in general
Use the AdBlock Plus plugin
Keep “Recommended” browser settings or stricter
Keep the browser updated regularly - make checking for updates a regular habit
Super Paranoid
Consider laptops and phones traveling with you as highly vulnerable if you're targeting-worthy.
Do not travel abroad with your sensitive work/personal laptops and phones if you do not need to, including your SIM card. Use disposable/rented/returnable versions abroad, then consider them compromised and stop using them on returning.
Keep your work phone and laptop turned off when not using them, and store them in RF-protected pouches.
When locking up electronics in hotel safes, enclose them in tamper-evident bags for one-time storage.
Consider all of your voice conversations and online activity to be monitored. There are too many ways for this to be the case, so just limit the communication of sensitive information to an absolute minimum.