Cyber opsec protecting_yourself_online


Published on

Published in: Self Improvement, Technology
  • Be the first to comment

No Downloads
Total views
On SlideShare
From Embeds
Number of Embeds
Embeds 0
No embeds

No notes for slide

Cyber opsec protecting_yourself_online

  1. 1. Cyber OpsecProtecting Yourself Online Think. Protect. OPSEC.
  2. 2. CYBER OPSEC: secti on 1 Internet Communication in General The Internet was designed to withstand nuclear Our carelessness makes the job easy for attack, not to be secure from its own users. the adversary. • Never assume security, assume it’s unsecured. • f adequate protection is unavailable, don’t send I • hen security is needed, have trained IT W it over the Internet. Evaluate other options and security people in your organization seek and work to get secure tools. implement proper tools. • f you have secure tools, actually use them. If I you don’t know how, find out. Laziness is the People can easily send fake e-mails that appear adversary’s best friend. to be from people you know/trust. • on’t let forwarded and repeatedly replied mes- D • Always digitally sign messages. sages snowball. Eliminate the unnecessary data so a lucky adversary can’t get the whole picture • Encourage everyone else to sign their messages. in one e-mail. • n all cases (even with signed messages) person- I • on’t use CC to send e-mails to a list of people D alize an e-mail enough so that it’s obvious a real unless you specifically want everyone to see person sent it.Our carelessness makes the job easy for everyone else’s e-mail address. In all other cases, • lways verify suspicious messages A send it to yourself (because everyone knowsthe adversary. before acting. who you are already) and use BCC (blind carbon copy) instead. Even e-mails that are legit can be captured and read/modified in transit. • Secure e-mails with digital encryption. • se file encryption or password protection U if e-mail encryption isn’t available. pag e 1
  3. 3. CYBER OPSEC: secti on 2 Browsing the Web Cookies make shopping carts and online Search engines track your search history and accounts work, but can be a risk in several ways. store it in databases; this can reveal a lot of information about you and your job in aggregate. • elete cookies regularly or disable cookies D through your browser. You can “whitelist” • se generic information when possible U cookies from sites you need/trust while still (e.g., zip codes instead of addresses). blocking all others. • lternate search engines to improve your results A • ever use the “remember me” function on Web N and prevent a single engine from getting the sites. This greatly increases your odds of having whole picture. your account hijacked. • f you use related services, always log out before I searching so they can’t tie your results to your Companies want to know where you go online account (e.g., Log out of Yahoo! Mail before and use a function called “Web bugs” or “beacons” to do it. They look like ordinary using Yahoo! Search). images and are activated simply by viewing a Web page or e-mail. Clicking any link online tells the target Web site which site you just came from. This can giveClicking any link online tells the target • TML bugs can only be blocked with special H away information you hadn’t intended.Web site which site you just came from. tools (hopefully being handled by your IT • hen clicking links in search results, ask if any W department). of the data (search terms) in your address bar • -mail bugs can be completely blocked by E give data away. If so, copy and paste a result’s selecting “text-only” in your e-mail settings or link to your address bar instead of clicking it. using an e-mail program that blocks images • hen posting links on a Web site you control, W from untrusted senders. ask if you want to broadcast to the linked sites the fact that you linked to them. If not, print the links, but don’t make them clickable so people have to cut and paste them instead. pag e 2
  4. 4. CYBER OPSEC: secti on 2 Browsing the Web Imposter sites will often mimic a legitimate site’s • ook for the HTTPS in the address bar to verify L URL through a common misspelling or by using that the transaction is secure—before entering another extension—like dot-com instead of dot- your username, password, or any other impor- net. Get into the habit of typing Web site names into a search engine instead of the address bar. tant information. If it’s not there, ask yourself if it’s OK to broadcast openly and think twice • any search engines pre-scan sites for M before clicking the “submit” button. malicious code and will warn you when you click them. Be cautious of fake alerts that look like legiti- mate warnings or system messages, but are not. • any anti-virus products have “site advisor” M functions that provide visual warning icons for • etermine if the alert is real by closing all D known bad sites. browser windows from the taskbar (don’t click • earch engines correct spelling, making it less S on or near the alert itself ). likely you’ll go to an unintended site. • f the alert remains, look to see if it mentions I a Web site to visit or tool to download. If so, Password security is key! perform a Web search on the site or tool. If theInstallation warnings are the last chance results show that the site/tool is bogus, ignore • ever use the same password from site to site. Nyou have to prevent bad code from getting The owners of one site can easily try that name the alert and ask your IT department to run virus and spyware scans on your machine.into your computer. and password at other popular sites and see if it works. Installation warnings are the last chance you • ever give any site any password for any N have to prevent bad code from getting into your reason. Most social networking sites ask computer. They claim to be a “video player up- date” or “critical patch,” but are often viruses. for e-mail passwords while others ask for banking and credit card passwords. No matter • ay no to any “active-x” control or install warn- S how much they promise to protect and not ing unless you are sure of who created it, what it misuse the information, history shows other- is, and what it will do once installed. wise. The consequences of disregarding this rule can be severe. pag e 3
  5. 5. CYBER OPSEC: secti on 3 Posting Online Public visibility. Watch for metadata in files. • ost things posted online are visible to every- M • icrosoft Office documents typically have a M one online (good and bad alike). creator’s name and organization in the file prop- • emember that even things posted “privately” R erties. This can be shut off in the options, but is often become public by accident or due to weak usually on by default. site security. • hotos may also list names (if software was P • nything posted to your organization’s Web site A installed with the camera) and can also include that’s not protected by password or PKI authen- GPS coordinates where the photo was taken. tication is publicly visible. Several other meth- Photo editing software must be used to view ods of protection are commonly attempted, and remove “EXIF metadata” in photos. but can be bypassed easily (domain restriction, Photos often reveal too much. robots.txt file, etc.). • uildings or natural features in the background B Don’t rely on third parties sites to keep can give away location. information safe.It is hard and often impossible to remove • eflective surfaces may show people, names, or Rinformation from the Web… • hird party sites may have been initiated or in- T other critical information. filtrated by adversaries putting your data at risk. • hotos of small animals or objects taken on a P • ata centers used by these sites may be in other D hand often provide palm and fingerprints to countries with weak data protection laws. the adversary. • hird parties are often hacked or sell user T data outright. It is hard and often impossible to remove infor- mation from the Web after it has been posted, so be careful in the posting process before it’s too late. pag e 4
  6. 6. CYBER OPSEC: secti on 4 Practice Good System Safety Keep your computer secure. Dispose of media properly. • Lock your computer when walking away. • ata recovery is very sophisticated. Learn and D • on’t use a government laptop on your per- D follow your organization’s media destruction sonal Internet or at hotspots unless instructed policy. by your security officer that you may do so. • emember that nearly all devices have data R • on’t leave laptops in hotels or cars unless it’s D storage. Treat any USB device (not just thumb- unavoidable, but use a locking cable or hide drives), floppies, CDs, phones, cameras, and them when you must. hard drives as a disposal risk. • ake sure your laptop has full disk encryption M Practice good password safety. installed before taking it out of secure spaces. • on’t e-mail or store any passwords unencrypt- D • on’t allow others to use your government D ed. Remember that a password to a classified computer without your direct oversight. system must be handled as classified itself. Be wary of devices. • on’t put passwords on sticky notes or note- DRemember that a password to a classified pads unless you physically secure them. • on’t connect any USB device, floppy disk, or Dsystem must be handled as classified itself. CD to your computer unless it has been care- • earn how to create hard to guess, but easy to L fully scanned beforehand. Even store-bought remember passwords and change them often. products sometimes have viruses. • isable auto-run and auto-play functionality to D help limit the damage a media virus can do. pag e 5
  7. 7. CYBER OPSEC: secti on 5 Protect Your Portable Devices Wireless allows adversaries to connect at Portable wireless (particularly RFID in badges) distances of up to a mile or more. can be used for individual identification. These devices must include strong authentication and • Your movements can be tracked. encryption to deter these risks. • Stored or transmitted data can be stolen. • opying at a distance thus invalidating their use C • Stored or transmitted data can be modified. for keyless entry systems and personal identifi- cation (such as with US passcards). Many portable devices (phones, laptops, earpiec- • Tracking your movements. es) include wireless capability, but not security. • riggering cameras or even roadside bombs T • Turn off wireless if it’s not necessary. targeted for individuals. • f security is present, learn and activate all I security features appropriately. Portable devices are easily lost or stolen. • emember commercial security is weak and R • Always encrypt important data. shouldn’t be relied on in most cases. • ut strong lock-codes and passwords on your PM any portable devices (phones, laptops, • hen in doubt, pull the battery (where able) W devices to prevent tampering. and put the device in an RF shielded container.earpieces) include wireless capability, but • Keep them secure and out of adversary hands. • lways first ask if portable devices are neces- Anot security. sary for your mission. They’re no risk if they’re not used. pag e 6
  8. 8. “ It is vital that we all understand that even information that is UNCLASSIFIED is still important and in need of proper protection.... The information we put out there is immediateand forever and it is incumbent upon all of us to strongly consider ” that before putting anything out in the public domain. —LTG Keith B . Alexander, USA Director, National Security Agency Executive Agent for Operations Security Think. Protect. OPSEC.