This document provides guidance on protecting yourself when communicating and browsing online. Some key recommendations include:
- Assume all internet communication is unsecured and can be intercepted, so use tools like digital signatures and encryption when security is needed.
- Be wary of emails that appear to be from trusted sources, as senders can be faked, and verify any suspicious messages before acting.
- Delete cookies regularly and disable them when possible to prevent tracking, but whitelist those needed for essential sites. Never use "remember me" functions.
- Use generic search terms when possible and alternate search engines to avoid a single site getting a full picture of search history tied to accounts. Log out of related services before searching.
- Cl
This document discusses the evolution of mobile social networks and how they have changed people's lives. It uses two hypothetical people, Adrian and Ibrahim, to represent how social networks have progressed from online-only to incorporating mobile phones and computers. It argues that future mobile social networks should be more focused on physical social interactions and mobility rather than simply porting over online social features. They should leverage location data and physical proximity to better understand people's contexts and relationships.
The document provides an overview of the internet and the world wide web through a series of questions and answers:
1) It describes how the internet was invented by an American computer scientist to allow computers to share information. It works by connecting millions of computers around the world to instantly send and receive information.
2) By 2020, it is estimated there will be over 2 billion internet users, reaching 30% of the world's population. While convenient for accessing information quickly, there are safety concerns about not knowing who people actually are online.
3) The document outlines some tips for staying safe online, such as avoiding disturbing images, not giving out personal details to strangers, and not participating in cyberbullying.
The document discusses the concept of a digital footprint and how personal data is collected from various online activities and used by companies. It notes that an individual's digital footprint contains information about them that they share themselves as well as data about them from other sources, and this footprint can be analyzed to learn about the person. Control over personal data and digital footprints is important, as this information has value and privacy settings need to be managed to prevent unwanted access or use of people's data.
A decade ago, the higher education Web experience was segmented into walled gardens -- the public Web site, the course management system, online transactions, alumni communities, events calendars. The legacy of that structure was that our lifelong relationships with the college were interrupted as we students, faculty, staff, parents, and alumni moved from system to system.
The next-generation online ecosystem will let us re-organize these experiences, allowing for deepening engagement throughout our lives: from prospective student to elder alum. How will software like WordPress fit in? How can we evaluate, select, and configure systems to support our users' needs, rather than the other way around?
This Sendio-sponsored guide explores what a whitelist is, the distinction between sender source whitelists and sender address whitelists, the characteristics of a good whitelist, the role of the user in managing a whitelist, and finally the role of the IT administrator in the whitelist management process.
How do people view employment? Does it differ for those who have jobs, want jobs or are discouraged? We identified 3 mental models that transcend age, gender, income, region and employment status. The findings challenge conventional notions of unemployment and point towards new directions for creating employment, policy and services. Study funded by SEI Center for Advanced Studies in Management at the Wharton School.
Tech navigator summarizes several common types of cyber crimes. These include unauthorized access to computer systems like hacking, email bombing which overwhelms systems with messages, spreading viruses and malware, data diddling which alters stored information, cyber stalking which uses technology to harass victims, and child pornography which preys on vulnerable children online. While cyber crimes may not have physical effects, they can still cause psychological and emotional harm, and policing these new forms of crime presents challenges for law enforcement.
This document provides an introduction to discrete probability and some key concepts:
- Probability distributions assign probabilities to outcomes in a finite sample space. The probabilities of all outcomes must sum to 1.
- Events are subsets of the sample space, and their probability is the sum of the probabilities of the outcomes they contain.
- Random variables are functions that map outcomes to random outcomes in another set. They induce a probability distribution on the range.
- Independence means the joint probability of two events or random variables is the product of their individual probabilities.
- The XOR of two strings performs bitwise addition modulo 2. XORing a value with a random string yields a random result.
- The birthday paradox shows that the
This document summarizes a research study investigating non-verbal communication between children in two virtual worlds, Pixie Hollow and Club Penguin. The researchers are examining how factors like gender, social status, and avatar form influence interactions. They have identified constraints on communication like typing ability. The researchers plan to analyze communication patterns and conduct focus groups with children using simulated scenarios to understand how children interpret interactions in these virtual worlds.
The M Word: Marketing in a Developer World - Delyn Simons
Developers today must understand the fundamentals of lean marketing and growth hacking in order to get more users, more revenue, more funding--or even a better job. Marketing is useful. Badly executed marketing, just like poorly written code, can leave lasting scars. In this session, developers will learn how to identify and partner with marketers who "get it." Marketers will learn to get their geek on and address developer painpoints before promising benefits.
This document summarizes key points about mobile application privacy based on an analysis of over 53,000 applications:
1) Many applications request unnecessary permissions like location tracking and SMS access without proper disclosure to users.
2) Code reuse through third party libraries introduces privacy risks as the libraries' data practices are often unknown.
3) Developers should securely store sensitive data, encrypt data in transit, analyze all reused code for flaws, and avoid hardcoded secrets to better protect user privacy.
This document discusses operational security (OPSEC) best practices for security researchers. It begins by defining OPSEC and noting its importance for protecting sensitive work from adversaries. It then outlines various adversary threats, including common cybercriminals, organized groups, government agencies, and massive surveillance capabilities. The document provides guidance on implementing OPSEC at both individual and group levels, including compartmentalizing information, training others, and being careful about digital identities and tools. Key recommendations include encrypting all communications and data, using secure email, chat and phones, avoiding metadata leaks, and maintaining high OPSEC standards even internally. The overall message is that while OPSEC is difficult, researchers should start applying basic practices to protect their work and avoid becoming
This document discusses operational security (OPSEC) considerations for using social media. It provides tips for safe social media use such as being careful about what personal information is posted, using privacy settings, disabling geotagging, and being aware that even seemingly harmless posts can potentially put soldiers, families and missions at risk if they provide too many details to adversaries. Specific concerns are outlined for units, families, family readiness groups and children using social media. The document emphasizes that OPSEC should always be the top priority for anyone in the Army community using social media.
The document discusses operational security (OPSEC) and defines it as a process of denying adversaries information about capabilities and intentions. It involves identifying critical information, indicators, adversaries, vulnerabilities, and implementing protective measures. The document emphasizes that OPSEC is everyone's responsibility and involves practicing common sense measures to mitigate risks from real threats.
The document discusses operational security (OPSEC) best practices for security analysts. It warns that adversaries are not necessarily enemies and have varying levels of resources. It advises analysts to be wary of mass surveillance by agencies and to use encrypted communication tools. When meeting suspicious people, analysts should not go alone, plan an exit, and have a dead man's switch. At borders, analysts should be collaborative with officers but not consent to searches or help without a warrant. Overall the document stresses preparation, having alternatives, and maintaining discipline over relying solely on tools when doing their work.
The document discusses operational security (OPSEC) best practices for social media. It provides tips for identifying critical information exposed on social media, understanding what enemies could learn about you and your family online, and developing countermeasures. The document emphasizes that information shared online is at risk of being made public and used against individuals by enemies. It recommends only sharing information that would be told directly to enemies and assuming any online information could become public.
1) The document describes moving the President of the United States from his ranch in Texas to Baghdad for Thanksgiving in secret.
2) Only a few key officials like the Vice President, Chief of Staff, and National Security Adviser were told the day before, while the First Lady was told hours before departure.
3) Deception tactics were used like telling the press the President was staying in Texas, flying without lights under cover of darkness, and using a phony identification code to replicate a civilian transport plane.
This document provides information on operations security (OPSEC) and personal security (PERSEC) for families of deployed service members. It advises keeping routines and displays normal to avoid signaling an absence, avoiding sharing sensitive information via communication or social media, and practicing safety measures like situational awareness in public. Maintaining security protects operations and prevents adversaries from gaining information that could endanger service members or their families.
This document discusses the importance of operational security (OPSEC) for children with loved ones who are deployed. It explains that OPSEC involves keeping certain information secret, such as details about a loved one's location, mission, departure/return dates. Children are advised not to disclose such details to strangers or in public online spaces. Maintaining OPSEC helps keep deployed loved ones safe from potential threats seeking information.
OPSEC is operational security that denies useful information to enemies. While specific rules cannot cover every situation, any piece of information could aid enemies by helping them build profiles of organizations. Spouses and families play an important role in protecting information and should be careful about what they share online or in public to avoid inadvertently revealing details like future unit activities or vulnerabilities that could endanger service members.
PuppetConf 2016: Nice and Secure: Good OpSec Hygiene With Puppet! – Peter Sou... - Puppet
Here are the slides from Peter Souter's PuppetConf 2016 presentation called Nice and Secure: Good OpSec Hygiene With Puppet!. Watch the videos at https://www.youtube.com/playlist?list=PLV86BgbREluVjwwt-9UL8u2Uy8xnzpIqa
This document discusses invasive species and their impacts. It acknowledges that invasive species pose significant challenges for the Department of Defense (DoD) by threatening military training lands and activities. The document provides background on invasive species and their costs, outlines key issues for military installation commanders to consider regarding invasive species, and summarizes Executive Order 13112 which created the National Invasive Species Council and reinforces DoD's role in addressing invasive species.
The document provides an overview of an employee information security awareness training. It summarizes key topics covered in the training including identifying security risks, developing good security practices, protecting classified and sensitive company information, securing workstations and mobile devices, safe email practices, and guarding against social engineering. It emphasizes the importance of protecting company information and passwords at all times.
The document discusses the Operations Security domain of the CISSP Common Body of Knowledge, including defining the domain, identifying resource protection needs, threats to information operations, and security controls and countermeasures used in operations security. Personnel security, physical security, and technical controls are discussed as ways to reduce vulnerabilities and protect organizational assets from both internal and external threats.
Part II: Teaching and Parenting in a Digital Age - Caroline Cerveny
Exploring the challenges around technology use, practical proactive strategies, and where to find support and resources to better understand these issues.
Computer security involves protecting information from threats like malware, hacking, and social engineering. Malware like viruses, trojans, bots, and spyware can disrupt systems or steal private information. Social engineering tricks people into sharing confidential details. To stay safe, use strong, unique passwords, avoid suspicious emails and links, and practice cybersecurity best practices like keeping software updated.
This e-safety brochure provides tips for safely using the internet and social networking sites. It advises kids to be careful not to share personal information online and to only meet internet contacts in person with parental permission. The brochure also recommends keeping passwords private, using online nicknames, adjusting privacy settings, thinking before posting, and telling an adult about any concerning online content or interactions.
This document provides internet safety tips in 7 sections:
1. Create a positive digital footprint and leave only positive information online.
2. Protect your privacy by not revealing personal information, using secure passwords, and being aware of security risks.
3. Protect yourself from identity theft by destroying private records, securing your mail, and monitoring credit reports.
4. Protect yourself from bullies by not engaging in bullying behavior, saving evidence of bullying, and telling a trusted adult.
5. Protect yourself from predators by being wary of emotionally vulnerable situations online and only interacting with people you know.
6. Protect yourself from yourself by avoiding posting anything online that could have negative consequences.
7. Overall, the tips
1. The document provides tips for safely using Facebook including friending only people you know, learning how to use privacy settings to control what information is shared, and avoiding bullying or inappropriate behavior online.
2. It recommends managing posts, tags, and information others share about you as well as limiting time spent on Facebook and keeping contact details private.
3. Key advice includes creating a strong password, knowing when to use private messages versus public posts, and reporting any harassment or issues to Facebook.
Cryptography and digital certificates can be used to securely encrypt electronic communications and authenticate digital identities. A public key infrastructure (PKI) manages the lifecycle of digital certificates, including credentialing, generating certificates, distributing public keys, revoking certificates, and more. Secure email protocols like S/MIME use public/private key encryption and digital signatures to authenticate senders and ensure message integrity.
This document discusses online reputation and internet safety. It notes that there are over 1.7 billion internet users worldwide, including 57.4 million in the Arab world and 13 million in Egypt. It emphasizes the importance of online reputation and discusses how what users post online can affect their employment, social lives, and relationships. The document provides tips for maintaining online safety, including being cautious of what personal information is shared, using privacy settings, and thinking before posting content. It also outlines best practices for computer security, such as using firewalls, antivirus software, and strong passwords.
This document discusses online reputation and internet safety. It notes that there are over 1.7 billion internet users worldwide, including 57.4 million in the Arab world and 13 million in Egypt. It emphasizes the importance of online reputation and discusses how what users post online can affect their employment, social lives, and relationships. The document provides tips for maintaining online safety, including using privacy settings, expressing opinions wisely, and not sharing personal information or forwarding unverified content. It outlines threats like phishing, viruses, and identity theft and recommends defenses like firewalls, antivirus software, and strong passwords. The document stresses protecting devices while mobile and connecting securely to wireless networks.
Participant Guide for INROADS Social Networking Training - Angela Siefer
The document discusses converting social networks from personal to professional use. It explains that keeping social and professional networks separate is difficult and less beneficial than having some overlap. The challenges of intentionally integrating social and professional networks online are addressed. Guidelines are provided for developing networks, focusing on relationships, experimenting, maintaining privacy, and being genuine when using social networks for both personal and professional purposes.
David Troy - Presentation at Emerging Communications Conference & Awards (eCo...eCommConf
Dave Troy proposes rethinking email by starting from first principles and introducing new design constraints. He argues that email has stagnated while other communication platforms advanced. Shortmail launches with a 500 character limit per message to reduce cognitive load and encourage conciseness while remaining interoperable with existing email infrastructure and standards. Troy hopes Shortmail will spur innovation and improve communication.
Why is password protection a fallacy a point of viewYury Chemerkin
This document discusses vulnerabilities in password protection and login security. It provides tips for creating strong passwords but notes that passwords are not fully secure due to vulnerabilities like keylogging malware, screen capturing of password entry, and login spoofing attacks. On Windows systems, replacing files like utilman.exe that activate alternate login screens can enable unauthorized password changes. iPhones also had login bugs exposing passwords through unexpected screen transitions. In summary, while passwords provide some protection, they have significant limitations and vulnerabilities that can be exploited by attackers.
Similar to Cyber opsec protecting_yourself_online (12)
The document provides instructions for volunteers to register for an online volunteer management system website, apply for volunteer positions, and record volunteer hours. It explains how to register for the website, search and apply for positions at Fort Rucker, accept or decline applications as an organization point of contact, and log volunteer hours by position. Contact information is provided for the Army Volunteer Corp Coordinator to assist with using the system.
The document provides guidance on setting up and managing social media pages for different groups of military families. It recommends:
- Creating a public "Fan" page on Facebook for families of soldiers in training, managed at the company level.
- Creating a private "Group" page on Facebook for cadre families, managed at the battalion level.
- Including families of students and geographically separated families in the cadre family page due to their transient nature.
- Following Army social media guidelines and designating a social media manager to monitor the page and provide accurate information to families.
This document provides information and resources for army commanders and family readiness group leaders on an AKO administrative support page. The page includes downloads and links to help establish and maintain FRGs in accordance with army regulations. It also provides program assessment templates, tools for FRGs, and contact information for questions. The page can be accessed through the provided link or by searching "Leaders Family Readiness" on AKO.
2. CYBER OPSEC: Section 1
Internet Communication in General

The Internet was designed to withstand nuclear attack, not to be secure from its own users.
• Never assume security, assume it’s unsecured.
• When security is needed, have trained IT security people in your organization seek and implement proper tools.

People can easily send fake e-mails that appear to be from people you know/trust.
• Always digitally sign messages.
• Encourage everyone else to sign their messages.
• In all cases (even with signed messages) personalize an e-mail enough so that it’s obvious a real person sent it.
• Always verify suspicious messages before acting.

Even e-mails that are legit can be captured and read/modified in transit.
• Secure e-mails with digital encryption.
• Use file encryption or password protection if e-mail encryption isn’t available.

Our carelessness makes the job easy for the adversary.
• If adequate protection is unavailable, don’t send it over the Internet. Evaluate other options and work to get secure tools.
• If you have secure tools, actually use them. If you don’t know how, find out. Laziness is the adversary’s best friend.
• Don’t let forwarded and repeatedly replied messages snowball. Eliminate the unnecessary data so a lucky adversary can’t get the whole picture in one e-mail.
• Don’t use CC to send e-mails to a list of people unless you specifically want everyone to see everyone else’s e-mail address. In all other cases, send it to yourself (because everyone knows who you are already) and use BCC (blind carbon copy) instead.
3. CYBER OPSEC: Section 2
Browsing the Web

Cookies make shopping carts and online accounts work, but can be a risk in several ways.
• Delete cookies regularly or disable cookies through your browser. You can “whitelist” cookies from sites you need/trust while still blocking all others.
• Never use the “remember me” function on Web sites. This greatly increases your odds of having your account hijacked.

Companies want to know where you go online and use a function called “Web bugs” or “beacons” to do it. They look like ordinary images and are activated simply by viewing a Web page or e-mail.
• HTML bugs can only be blocked with special tools (hopefully being handled by your IT department).
• E-mail bugs can be completely blocked by selecting “text-only” in your e-mail settings or using an e-mail program that blocks images from untrusted senders.

Search engines track your search history and store it in databases; this can reveal a lot of information about you and your job in aggregate.
• Use generic information when possible (e.g., zip codes instead of addresses).
• Alternate search engines to improve your results and prevent a single engine from getting the whole picture.
• If you use related services, always log out before searching so they can’t tie your results to your account (e.g., log out of Yahoo! Mail before using Yahoo! Search).

Clicking any link online tells the target Web site which site you just came from. This can give away information you hadn’t intended.
• When clicking links in search results, ask if any of the data (search terms) in your address bar give data away. If so, copy and paste a result’s link to your address bar instead of clicking it.
• When posting links on a Web site you control, ask if you want to broadcast to the linked sites the fact that you linked to them. If not, print the links, but don’t make them clickable so people have to cut and paste them instead.
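The Web bug mechanism described above can be checked for in a message before it is rendered. This added example (not part of the original brochure) lists every image in an HTML e-mail body that would cause a network request on viewing; the sample message, host names and the "tiny or hidden" heuristic are constructed assumptions.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

class RemoteImageFinder(HTMLParser):
    """Collects every <img> that triggers a network request when rendered."""
    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag != "img":
            return
        a = {k: (v or "") for k, v in attrs}
        url = urlsplit(a.get("src", ""))
        if url.scheme not in ("http", "https"):
            return  # cid: and data: images travel inside the message itself
        style = a.get("style", "").replace(" ", "").lower()
        tiny = a.get("width") in ("0", "1") or a.get("height") in ("0", "1")
        hidden = "display:none" in style or "visibility:hidden" in style
        self.findings.append({
            "host": url.hostname,
            "likely_beacon": tiny or hidden,        # heuristic, an assumption
            "carries_identifier": bool(url.query),  # per-recipient data in URL
        })

def find_web_bugs(html):
    """Return one finding per remotely loaded image in an HTML body."""
    finder = RemoteImageFinder()
    finder.feed(html)
    return finder.findings

def hosts_contacted(html):
    """Hosts that learn the message was opened if images are displayed."""
    return sorted({f["host"] for f in find_web_bugs(html)})

# Constructed sample message body
SAMPLE_EMAIL = """<html><body>
<img src="https://static.shop.example/logo.png" width="200" height="60">
<p>Your order has shipped.</p>
<img src="cid:signature-image" width="120">
<img src="http://t.mailer.example/open.gif?uid=8841&msg=77" width="1" height="1" />
</body></html>"""

if __name__ == "__main__":
    for finding in find_web_bugs(SAMPLE_EMAIL):
        print(finding)
```

Even the ordinary-looking logo contacts a remote host when displayed, which is why the text-only setting blocks e-mail bugs completely.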
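The "which site you just came from" disclosure travels in the HTTP Referer header. This added example (not from the brochure) goes beyond the text by modelling the standard Referrer-Policy values, so you can see which ones hand search terms to the linked site; the URLs are constructed, and treating only https as secure is a simplifying assumption.

```python
from urllib.parse import urlsplit, urlunsplit, parse_qsl

DEFAULT_PORT = {"http": 80, "https": 443}

def _origin(url):
    p = urlsplit(url)
    return (p.scheme, p.hostname, p.port or DEFAULT_PORT.get(p.scheme))

def referer_sent(source, target, policy="strict-origin-when-cross-origin"):
    """Referer value sent when a link on `source` leads to `target`, or None."""
    s = urlsplit(source)
    host = s.netloc.rpartition("@")[2]      # credentials are never included
    full = urlunsplit((s.scheme, host, s.path or "/", s.query, ""))  # no fragment
    origin_only = f"{s.scheme}://{host}/"
    same_origin = _origin(source) == _origin(target)
    downgrade = s.scheme == "https" and urlsplit(target).scheme != "https"
    if policy == "no-referrer":
        return None
    if policy == "unsafe-url":
        return full
    if policy == "origin":
        return origin_only
    if policy == "same-origin":
        return full if same_origin else None
    if policy == "origin-when-cross-origin":
        return full if same_origin else origin_only
    if policy not in ("no-referrer-when-downgrade", "strict-origin",
                      "strict-origin-when-cross-origin"):
        raise ValueError(f"unknown policy: {policy}")
    if downgrade:                           # these three send nothing to http
        return None
    if policy == "no-referrer-when-downgrade":
        return full
    if policy == "strict-origin":
        return origin_only
    return full if same_origin else origin_only

def leaked_query(referer):
    """Query parameters the destination site can read from the Referer."""
    return dict(parse_qsl(urlsplit(referer).query)) if referer else {}

# Constructed search-results URL and destination
SRC = "https://search.example/results?q=base+housing+office&zip=00000#top"
DST = "https://news.example/story"

if __name__ == "__main__":
    for pol in ("unsafe-url", "strict-origin-when-cross-origin", "no-referrer"):
        sent = referer_sent(SRC, DST, pol)
        print(pol, "->", sent, leaked_query(sent))
```

A site that links out can send the `Referrer-Policy: no-referrer` response header, or put `rel="noreferrer"` on individual links, to get the same effect as the non-clickable links suggested above.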
4. CYBER OPSEC: Section 2
Browsing the Web

Imposter sites will often mimic a legitimate site’s URL through a common misspelling or by using another extension—like dot-com instead of dot-net. Get into the habit of typing Web site names into a search engine instead of the address bar.
• Many search engines pre-scan sites for malicious code and will warn you when you click them.
• Many anti-virus products have “site advisor” functions that provide visual warning icons for known bad sites.
• Search engines correct spelling, making it less likely you’ll go to an unintended site.

Password security is key!
• Never use the same password from site to site. The owners of one site can easily try that name and password at other popular sites and see if it works.
• Never give any site any password for any reason. Most social networking sites ask for e-mail passwords while others ask for banking and credit card passwords. No matter how much they promise to protect and not misuse the information, history shows otherwise. The consequences of disregarding this rule can be severe.
• Look for the HTTPS in the address bar to verify that the transaction is secure—before entering your username, password, or any other important information. If it’s not there, ask yourself if it’s OK to broadcast openly and think twice before clicking the “submit” button.

Be cautious of fake alerts that look like legitimate warnings or system messages, but are not.
• Determine if the alert is real by closing all browser windows from the taskbar (don’t click on or near the alert itself).
• If the alert remains, look to see if it mentions a Web site to visit or tool to download. If so, perform a Web search on the site or tool. If the results show that the site/tool is bogus, ignore the alert and ask your IT department to run virus and spyware scans on your machine.

Installation warnings are the last chance you have to prevent bad code from getting into your computer. They claim to be a “video player update” or “critical patch,” but are often viruses.
• Say no to any “active-x” control or install warning unless you are sure of who created it, what it is, and what it will do once installed.
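The two imposter patterns named above, a misspelled name and a swapped extension, can be checked mechanically against a list of sites you actually use. This is an added example, not part of the brochure; the allowlist, host names and the two-typo threshold are constructed assumptions, and it only handles simple name.extension hosts.

```python
def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: single-character inserts, deletes, substitutions."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def split_host(host: str):
    """Normalise a host and split it into (host, name, extension)."""
    host = host.lower().rstrip(".")
    if host.startswith("www."):
        host = host[4:]
    name, _, ext = host.rpartition(".")
    return host, name, ext

def classify_host(host, trusted, max_typos=2):
    """Return (verdict, trusted_site_it_resembles_or_None)."""
    host, name, ext = split_host(host)
    known = [split_host(t) for t in trusted]
    if any(host == good for good, _, _ in known):
        return ("trusted", host)
    for good, gname, gext in known:
        if name == gname and ext != gext:
            return ("different-extension", good)   # dot-com instead of dot-net
        # Two edits also covers swapped neighbouring letters; very short
        # names will produce false positives at this threshold.
        if ext == gext and edit_distance(name, gname) <= max_typos:
            return ("misspelling", good)
    return ("unknown", None)

TRUSTED = ["example.net", "example-bank.com"]  # constructed allowlist

if __name__ == "__main__":
    for h in ("www.example.net", "example.com", "exmaple.net", "unrelated.org"):
        print(h, classify_host(h, TRUSTED))
```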
5. CYBER OPSEC: Section 3
Posting Online

Public visibility.
• Most things posted online are visible to everyone online (good and bad alike).
• Remember that even things posted “privately” often become public by accident or due to weak site security.
• Anything posted to your organization’s Web site that’s not protected by password or PKI authentication is publicly visible. Several other methods of protection are commonly attempted, but can be bypassed easily (domain restriction, robots.txt file, etc.).

Don’t rely on third-party sites to keep information safe.
• Third-party sites may have been initiated or infiltrated by adversaries, putting your data at risk.
• Data centers used by these sites may be in other countries with weak data protection laws.
• Third parties are often hacked or sell user data outright.

Watch for metadata in files.
• Microsoft Office documents typically have a creator’s name and organization in the file properties. This can be shut off in the options, but is usually on by default.
• Photos may also list names (if software was installed with the camera) and can also include GPS coordinates where the photo was taken. Photo editing software must be used to view and remove “EXIF metadata” in photos.

Photos often reveal too much.
• Buildings or natural features in the background can give away location.
• Reflective surfaces may show people, names, or other critical information.
• Photos of small animals or objects taken on a hand often provide palm and fingerprints to the adversary.

It is hard and often impossible to remove information from the Web after it has been posted, so be careful in the posting process before it’s too late.
6. CYBER OPSEC: Section 4
Practice Good System Safety

Keep your computer secure.
• Lock your computer when walking away.
• Don’t use a government laptop on your personal Internet or at hotspots unless instructed by your security officer that you may do so.
• Don’t leave laptops in hotels or cars unless it’s unavoidable, but use a locking cable or hide them when you must.
• Make sure your laptop has full disk encryption installed before taking it out of secure spaces.
• Don’t allow others to use your government computer without your direct oversight.

Be wary of devices.
• Don’t connect any USB device, floppy disk, or CD to your computer unless it has been carefully scanned beforehand. Even store-bought products sometimes have viruses.
• Disable auto-run and auto-play functionality to help limit the damage a media virus can do.

Dispose of media properly.
• Data recovery is very sophisticated. Learn and follow your organization’s media destruction policy.
• Remember that nearly all devices have data storage. Treat any USB device (not just thumbdrives), floppies, CDs, phones, cameras, and hard drives as a disposal risk.

Practice good password safety.
• Don’t e-mail or store any passwords unencrypted. Remember that a password to a classified system must be handled as classified itself.
• Don’t put passwords on sticky notes or notepads unless you physically secure them.
• Learn how to create hard to guess, but easy to remember passwords and change them often.
7. CYBER OPSEC: Section 5
Protect Your Portable Devices

Wireless allows adversaries to connect at distances of up to a mile or more.
• Your movements can be tracked.
• Stored or transmitted data can be stolen.
• Stored or transmitted data can be modified.

Many portable devices (phones, laptops, earpieces) include wireless capability, but not security.
• Turn off wireless if it’s not necessary.
• If security is present, learn and activate all security features appropriately.
• Remember commercial security is weak and shouldn’t be relied on in most cases.
• When in doubt, pull the battery (where able) and put the device in an RF shielded container.
• Always first ask if portable devices are necessary for your mission. They’re no risk if they’re not used.

Portable wireless (particularly RFID in badges) can be used for individual identification. These devices must include strong authentication and encryption to deter these risks.
• Copying at a distance thus invalidating their use for keyless entry systems and personal identification (such as with US passcards).
• Tracking your movements.
• Triggering cameras or even roadside bombs targeted for individuals.

Portable devices are easily lost or stolen.
• Always encrypt important data.
• Put strong lock-codes and passwords on your devices to prevent tampering.
• Keep them secure and out of adversary hands.
8. “It is vital that we all understand that even information that is UNCLASSIFIED is still important and in need of proper protection.... The information we put out there is immediate and forever and it is incumbent upon all of us to strongly consider that before putting anything out in the public domain.”
—LTG Keith B. Alexander, USA
Director, National Security Agency
Executive Agent for Operations Security

Think. Protect. OPSEC.
www.ioss.gov