Cyber OPSEC
Protecting Yourself Online

Think. Protect. OPSEC.
www.ioss.gov
CYBER OPSEC: section 1

Internet Communication in General

The Internet was designed to withstand nuclear attack, not to be secure from its own users.

• Never assume security, assume it’s unsecured.
• When security is needed, have trained IT security people in your organization seek and implement proper tools.

People can easily send fake e-mails that appear to be from people you know/trust.

• Always digitally sign messages.
• Encourage everyone else to sign their messages.
• In all cases (even with signed messages) personalize an e-mail enough so that it’s obvious a real person sent it.
• Always verify suspicious messages before acting.

Even e-mails that are legit can be captured and read/modified in transit.

• Secure e-mails with digital encryption.
• Use file encryption or password protection if e-mail encryption isn’t available.

Our carelessness makes the job easy for the adversary.

• If adequate protection is unavailable, don’t send it over the Internet. Evaluate other options and work to get secure tools.
• If you have secure tools, actually use them. If you don’t know how, find out. Laziness is the adversary’s best friend.
• Don’t let forwarded and repeatedly replied messages snowball. Eliminate the unnecessary data so a lucky adversary can’t get the whole picture in one e-mail.
• Don’t use CC to send e-mails to a list of people unless you specifically want everyone to see everyone else’s e-mail address. In all other cases, send it to yourself (because everyone knows who you are already) and use BCC (blind carbon copy) instead.

page 1
CYBER OPSEC: section 2

Browsing the Web

Cookies make shopping carts and online accounts work, but can be a risk in several ways.

• Delete cookies regularly or disable cookies through your browser. You can “whitelist” cookies from sites you need/trust while still blocking all others.
• Never use the “remember me” function on Web sites. This greatly increases your odds of having your account hijacked.

Companies want to know where you go online and use a function called “Web bugs” or “beacons” to do it. They look like ordinary images and are activated simply by viewing a Web page or e-mail.

• HTML bugs can only be blocked with special tools (hopefully being handled by your IT department).
• E-mail bugs can be completely blocked by selecting “text-only” in your e-mail settings or using an e-mail program that blocks images from untrusted senders.

Search engines track your search history and store it in databases; this can reveal a lot of information about you and your job in aggregate.

• Use generic information when possible (e.g., zip codes instead of addresses).
• Alternate search engines to improve your results and prevent a single engine from getting the whole picture.
• If you use related services, always log out before searching so they can’t tie your results to your account (e.g., log out of Yahoo! Mail before using Yahoo! Search).

Clicking any link online tells the target Web site which site you just came from. This can give away information you hadn’t intended.

• When clicking links in search results, ask if any of the data (search terms) in your address bar gives data away. If so, copy and paste a result’s link to your address bar instead of clicking it.
• When posting links on a Web site you control, ask if you want to broadcast to the linked sites the fact that you linked to them. If not, print the links, but don’t make them clickable so people have to cut and paste them instead.

page 2
Imposter sites will often mimic a legitimate site’s URL through a common misspelling or by using another extension—like dot-com instead of dot-net. Get into the habit of typing Web site names into a search engine instead of the address bar.

• Many search engines pre-scan sites for malicious code and will warn you when you click them.
• Many anti-virus products have “site advisor” functions that provide visual warning icons for known bad sites.
• Search engines correct spelling, making it less likely you’ll go to an unintended site.
• Look for the HTTPS in the address bar to verify that the transaction is secure—before entering your username, password, or any other important information. If it’s not there, ask yourself if it’s OK to broadcast openly and think twice before clicking the “submit” button.

Password security is key!

• Never use the same password from site to site. The owners of one site can easily try that name and password at other popular sites and see if it works.
• Never give any site any password for any reason. Most social networking sites ask for e-mail passwords while others ask for banking and credit card passwords. No matter how much they promise to protect and not misuse the information, history shows otherwise. The consequences of disregarding this rule can be severe.

Be cautious of fake alerts that look like legitimate warnings or system messages, but are not.

• Determine if the alert is real by closing all browser windows from the taskbar (don’t click on or near the alert itself).
• If the alert remains, look to see if it mentions a Web site to visit or tool to download. If so, perform a Web search on the site or tool. If the results show that the site/tool is bogus, ignore the alert and ask your IT department to run virus and spyware scans on your machine.

Installation warnings are the last chance you have to prevent bad code from getting into your computer. They claim to be a “video player update” or “critical patch,” but are often viruses.

• Say no to any “active-x” control or install warning unless you are sure of who created it, what it is, and what it will do once installed.

page 3
CYBER OPSEC: section 3

Posting Online

Public visibility.

• Most things posted online are visible to everyone online (good and bad alike).
• Remember that even things posted “privately” often become public by accident or due to weak site security.
• Anything posted to your organization’s Web site that’s not protected by password or PKI authentication is publicly visible. Several other methods of protection are commonly attempted, but can be bypassed easily (domain restriction, robots.txt file, etc.).

Don’t rely on third-party sites to keep information safe.

• Third-party sites may have been initiated or infiltrated by adversaries, putting your data at risk.
• Data centers used by these sites may be in other countries with weak data protection laws.
• Third parties are often hacked or sell user data outright.

Watch for metadata in files.

• Microsoft Office documents typically have a creator’s name and organization in the file properties. This can be shut off in the options, but is usually on by default.
• Photos may also list names (if software was installed with the camera) and can also include GPS coordinates where the photo was taken. Photo editing software must be used to view and remove “EXIF metadata” in photos.

Photos often reveal too much.

• Buildings or natural features in the background can give away location.
• Reflective surfaces may show people, names, or other critical information.
• Photos of small animals or objects taken on a hand often provide palm and fingerprints to the adversary.

It is hard and often impossible to remove information from the Web after it has been posted, so be careful in the posting process before it’s too late.
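The EXIF point above can be checked before a photo leaves your hands. As an added example (not part of the IOSS brochure), the following Python walks a JPEG’s marker segments, reports whether the Exif block carries a GPS sub-IFD pointer, and strips the metadata segments without re-encoding the image. The sample “photo” is a constructed marker skeleton built inline, not a real picture; marker and tag values are the standard JPEG/Exif constants.

```python
import struct

# JPEG marker values (0xFF followed by a code byte)
SOI, SOS, EOI = 0xFFD8, 0xFFDA, 0xFFD9
APP0, APP1, APP14, COM = 0xFFE0, 0xFFE1, 0xFFEE, 0xFFFE
EXIF_HEADER = b"Exif\x00\x00"
GPS_IFD_POINTER = 0x8825  # Exif IFD0 tag holding the offset of the GPS sub-IFD


def iter_segments(jpeg):
    """Yield (marker, payload) for each segment up to SOS; the SOS payload is
    the rest of the file (scan data plus EOI), which carries no metadata."""
    if jpeg[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG: missing SOI marker")
    pos = 2
    while pos + 4 <= len(jpeg):
        if jpeg[pos] != 0xFF:
            raise ValueError("corrupt marker at offset %d" % pos)
        marker = 0xFF00 | jpeg[pos + 1]
        if marker == SOS:
            yield marker, jpeg[pos + 2:]
            return
        (length,) = struct.unpack(">H", jpeg[pos + 2:pos + 4])  # counts its own 2 bytes
        yield marker, jpeg[pos + 4:pos + 2 + length]
        pos += 2 + length
    raise ValueError("truncated JPEG: no SOS segment")


def exif_ifd0_tags(payload):
    """Return the set of tag IDs in IFD0 of an APP1 Exif payload (empty if not Exif)."""
    if not payload.startswith(EXIF_HEADER):
        return set()  # e.g. an XMP APP1 segment
    tiff = payload[len(EXIF_HEADER):]
    order = {b"II": "<", b"MM": ">"}.get(tiff[:2])  # TIFF byte-order mark
    if order is None or len(tiff) < 8:
        return set()
    (ifd0,) = struct.unpack(order + "I", tiff[4:8])
    if len(tiff) < ifd0 + 2:
        return set()
    (count,) = struct.unpack(order + "H", tiff[ifd0:ifd0 + 2])
    tags = set()
    for i in range(count):
        entry = tiff[ifd0 + 2 + 12 * i: ifd0 + 14 + 12 * i]  # 12-byte IFD entry
        if len(entry) < 12:
            break  # truncated IFD: stop rather than guess
        tags.add(struct.unpack(order + "H", entry[:2])[0])
    return tags


def has_gps_metadata(jpeg):
    """True if any Exif segment in the file points at a GPS sub-IFD."""
    return any(marker == APP1 and GPS_IFD_POINTER in exif_ifd0_tags(payload)
               for marker, payload in iter_segments(jpeg))


def strip_metadata(jpeg):
    """Rebuild the JPEG without metadata segments, leaving the pixels untouched.
    Dropped: APP1 (Exif/XMP), APP2-APP13, APP15 (ICC, IPTC, ...) and COM.
    Kept: APP0 (JFIF) and APP14 (Adobe), which decoders need, plus DQT/SOF/DHT
    and the scan data."""
    out = bytearray(b"\xff\xd8")
    for marker, payload in iter_segments(jpeg):
        if marker == SOS:
            out += b"\xff\xda" + payload
        elif (APP0 < marker <= 0xFFEF and marker != APP14) or marker == COM:
            continue  # metadata-bearing segment: drop it
        else:
            out += struct.pack(">HH", marker, len(payload) + 2) + payload
    return bytes(out)


def _segment(marker, payload):
    return struct.pack(">HH", marker, len(payload) + 2) + payload


def build_sample_jpeg(order="<"):
    """Constructed test input (not a decodable picture): a JPEG marker skeleton
    whose Exif IFD0 has one entry, the GPS sub-IFD pointer, and whose GPS IFD
    sets GPSLatitudeRef = "N". order: "<" writes "II" (Intel), ">" writes "MM"."""
    ifd0_off = 8                      # IFD0 directly follows the 8-byte TIFF header
    gps_off = ifd0_off + 2 + 12 + 4   # entry count + one entry + next-IFD link
    ifd0 = (struct.pack(order + "H", 1)
            + struct.pack(order + "HHII", GPS_IFD_POINTER, 4, 1, gps_off)  # type 4 = LONG
            + struct.pack(order + "I", 0))
    gps = (struct.pack(order + "H", 1)
           + struct.pack(order + "HHI", 0x0001, 2, 2) + b"N\x00\x00\x00"  # type 2 = ASCII
           + struct.pack(order + "I", 0))
    tiff = ((b"II" if order == "<" else b"MM") + struct.pack(order + "H", 42)
            + struct.pack(order + "I", ifd0_off) + ifd0 + gps)
    return (b"\xff\xd8"
            + _segment(APP0, b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00")
            + _segment(APP1, EXIF_HEADER + tiff)
            + _segment(COM, b"constructed comment: taken at the office")
            + _segment(0xFFDB, b"\x00" + bytes(64))       # DQT placeholder
            + _segment(SOS, b"\x01\x01\x00\x00\x3f\x00")  # SOS header, then scan data
            + b"\x12\x34" + b"\xff\xd9")
```

On a real file, `has_gps_metadata(open(path, "rb").read())` answers the “does this carry coordinates” question and `strip_metadata` produces a copy to post. The whole Exif block is removed rather than only the GPS entries, because the creator name and camera serial number live in the same segment.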




page 4
CYBER OPSEC: section 4

Practice Good System Safety

Keep your computer secure.

• Lock your computer when walking away.
• Don’t use a government laptop on your personal Internet or at hotspots unless instructed by your security officer that you may do so.
• Don’t leave laptops in hotels or cars unless it’s unavoidable, but use a locking cable or hide them when you must.
• Make sure your laptop has full disk encryption installed before taking it out of secure spaces.
• Don’t allow others to use your government computer without your direct oversight.

Be wary of devices.

• Don’t connect any USB device, floppy disk, or CD to your computer unless it has been carefully scanned beforehand. Even store-bought products sometimes have viruses.
• Disable auto-run and auto-play functionality to help limit the damage a media virus can do.

Dispose of media properly.

• Data recovery is very sophisticated. Learn and follow your organization’s media destruction policy.
• Remember that nearly all devices have data storage. Treat any USB device (not just thumb-drives), floppies, CDs, phones, cameras, and hard drives as a disposal risk.

Practice good password safety.

• Don’t e-mail or store any passwords unencrypted. Remember that a password to a classified system must be handled as classified itself.
• Don’t put passwords on sticky notes or notepads unless you physically secure them.
• Learn how to create hard to guess, but easy to remember passwords and change them often.

page 5
CYBER OPSEC: section 5

Protect Your Portable Devices

Wireless allows adversaries to connect at distances of up to a mile or more.

• Your movements can be tracked.
• Stored or transmitted data can be stolen.
• Stored or transmitted data can be modified.

Many portable devices (phones, laptops, earpieces) include wireless capability, but not security.

• Turn off wireless if it’s not necessary.
• If security is present, learn and activate all security features appropriately.
• Remember commercial security is weak and shouldn’t be relied on in most cases.
• When in doubt, pull the battery (where able) and put the device in an RF shielded container.
• Always first ask if portable devices are necessary for your mission. They’re no risk if they’re not used.

Portable wireless (particularly RFID in badges) can be used for individual identification. These devices must include strong authentication and encryption to deter these risks:

• Copying at a distance, thus invalidating their use for keyless entry systems and personal identification (such as with US passcards).
• Tracking your movements.
• Triggering cameras or even roadside bombs targeted for individuals.

Portable devices are easily lost or stolen.

• Always encrypt important data.
• Put strong lock-codes and passwords on your devices to prevent tampering.
• Keep them secure and out of adversary hands.

page 6
“It is vital that we all understand that even information that is UNCLASSIFIED is still important and in need of proper protection.... The information we put out there is immediate and forever and it is incumbent upon all of us to strongly consider that before putting anything out in the public domain.”

—LTG Keith B. Alexander, USA
Director, National Security Agency
Executive Agent for Operations Security
David Troy - Presentation at Emerging Communications Conference & Awards (eCo...eCommConf
 
Why is password protection a fallacy a point of view
Why is password protection a fallacy   a point of viewWhy is password protection a fallacy   a point of view
Why is password protection a fallacy a point of viewYury Chemerkin
 

Semelhante a Cyber opsec protecting_yourself_online (12)

Part II: Teaching and Parenting in a Digital Age
Part II:  Teaching and Parenting in a Digital AgePart II:  Teaching and Parenting in a Digital Age
Part II: Teaching and Parenting in a Digital Age
 
Computer Security
Computer SecurityComputer Security
Computer Security
 
E-safety leaflet
E-safety leaflet E-safety leaflet
E-safety leaflet
 
Internet safety slides
Internet safety slidesInternet safety slides
Internet safety slides
 
Facebook poster
Facebook posterFacebook poster
Facebook poster
 
Cryptography
CryptographyCryptography
Cryptography
 
Cryptography
CryptographyCryptography
Cryptography
 
Online reputation
Online reputationOnline reputation
Online reputation
 
Online reputation
Online reputationOnline reputation
Online reputation
 
Participant Guide for INROADS Social Networking Training
Participant Guide for INROADS Social Networking TrainingParticipant Guide for INROADS Social Networking Training
Participant Guide for INROADS Social Networking Training
 
David Troy - Presentation at Emerging Communications Conference & Awards (eCo...
David Troy - Presentation at Emerging Communications Conference & Awards (eCo...David Troy - Presentation at Emerging Communications Conference & Awards (eCo...
David Troy - Presentation at Emerging Communications Conference & Awards (eCo...
 
Why is password protection a fallacy a point of view
Why is password protection a fallacy   a point of viewWhy is password protection a fallacy   a point of view
Why is password protection a fallacy a point of view
 

Mais de Ftlwood Families

Mais de Ftlwood Families (8)

PCS checklist
PCS checklistPCS checklist
PCS checklist
 
VMIS Registration
VMIS RegistrationVMIS Registration
VMIS Registration
 
Assesment checklist
Assesment checklistAssesment checklist
Assesment checklist
 
Social Media Guide - TRADOC FLW
Social Media Guide - TRADOC FLWSocial Media Guide - TRADOC FLW
Social Media Guide - TRADOC FLW
 
Veterans day restaurants
Veterans day restaurantsVeterans day restaurants
Veterans day restaurants
 
Newcomer CD Order Form
Newcomer CD Order FormNewcomer CD Order Form
Newcomer CD Order Form
 
We were spouses... once and young.
We were spouses... once and young.We were spouses... once and young.
We were spouses... once and young.
 
Frp page instructions
Frp page instructionsFrp page instructions
Frp page instructions
 

Cyber opsec protecting_yourself_online

  • 1. Cyber Opsec Protecting Yourself Online Think. Protect. OPSEC. www.ioss.gov
  • 2. CYBER OPSEC: section 1. Internet Communication in General

The Internet was designed to withstand nuclear attack, not to be secure from its own users.
• Never assume security, assume it’s unsecured.
• When security is needed, have trained IT security people in your organization seek and implement proper tools.

People can easily send fake e-mails that appear to be from people you know/trust.
• Always digitally sign messages.
• Encourage everyone else to sign their messages.
• In all cases (even with signed messages) personalize an e-mail enough so that it’s obvious a real person sent it.
• Always verify suspicious messages before acting.

Even e-mails that are legit can be captured and read/modified in transit.
• Secure e-mails with digital encryption.
• Use file encryption or password protection if e-mail encryption isn’t available.

Our carelessness makes the job easy for the adversary.
• If adequate protection is unavailable, don’t send it over the Internet. Evaluate other options and work to get secure tools.
• If you have secure tools, actually use them. If you don’t know how, find out. Laziness is the adversary’s best friend.
• Don’t let forwarded and repeatedly replied messages snowball. Eliminate the unnecessary data so a lucky adversary can’t get the whole picture in one e-mail.
• Don’t use CC to send e-mails to a list of people unless you specifically want everyone to see everyone else’s e-mail address. In all other cases, send it to yourself (because everyone knows who you are already) and use BCC (blind carbon copy) instead.
  • 3. CYBER OPSEC: section 2. Browsing the Web

Cookies make shopping carts and online accounts work, but can be a risk in several ways.
• Delete cookies regularly or disable cookies through your browser. You can “whitelist” cookies from sites you need/trust while still blocking all others.
• Never use the “remember me” function on Web sites. This greatly increases your odds of having your account hijacked.

Clicking any link online tells the target Web site which site you just came from. This can give away information you hadn’t intended.
• When clicking links in search results, ask if any of the data (search terms) in your address bar gives data away. If so, copy and paste a result’s link to your address bar instead of clicking it.
• When posting links on a Web site you control, ask if you want to broadcast to the linked sites the fact that you linked to them. If not, print the links, but don’t make them clickable so people have to cut and paste them instead.

Search engines track your search history and store it in databases; this can reveal a lot of information about you and your job in aggregate.
• Use generic information when possible (e.g., zip codes instead of addresses).
• Alternate search engines to improve your results and prevent a single engine from getting the whole picture.
• If you use related services, always log out before searching so they can’t tie your results to your account (e.g., log out of Yahoo! Mail before using Yahoo! Search).

Companies want to know where you go online and use a function called “Web bugs” or “beacons” to do it. They look like ordinary images and are activated simply by viewing a Web page or e-mail.
• HTML bugs can only be blocked with special tools (hopefully being handled by your IT department).
• E-mail bugs can be completely blocked by selecting “text-only” in your e-mail settings or using an e-mail program that blocks images from untrusted senders.
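The two mechanisms above (beacon images that fire on view, and links that hand the destination your current page) are easy to check for in a document before it is sent or published. The following Python scan is an added example, not part of the IOSS brochure: it flags remote images that look like tracking pixels (hidden 0/1-pixel size or a per-recipient query token) and external links that will still send a Referer because they lack `rel="noreferrer"` or `referrerpolicy="no-referrer"`. The sample newsletter, its host names and the function names are constructed for this example.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit


class _TagCollector(HTMLParser):
    """Collect the attribute maps of every <img> and <a href> in a document."""

    def __init__(self):
        super().__init__()
        self.images = []
        self.links = []

    def handle_starttag(self, tag, attrs):
        attrs = {k: (v or "") for k, v in attrs}  # valueless attributes become ""
        if tag == "img":
            self.images.append(attrs)
        elif tag == "a" and "href" in attrs:
            self.links.append(attrs)


def _is_remote(url):
    return urlsplit(url).scheme in ("http", "https")


def find_beacons(html):
    """Return src URLs of remote images that behave like Web bugs: a hidden
    (0 or 1 pixel) size, or a query string that lets the server tell
    recipients apart. Inline (cid:) and data: images never phone home."""
    collector = _TagCollector()
    collector.feed(html)
    hits = []
    for img in collector.images:
        src = img.get("src", "")
        if not _is_remote(src):
            continue
        tiny = (img.get("width", "").strip() in ("0", "1")
                or img.get("height", "").strip() in ("0", "1"))
        tokened = bool(urlsplit(src).query)
        if tiny or tokened:
            hits.append(src)
    return hits


def links_without_noreferrer(html, page_url):
    """Return external hrefs that will carry a Referer header when clicked,
    i.e. links lacking rel="noreferrer" and referrerpolicy="no-referrer"."""
    collector = _TagCollector()
    collector.feed(html)
    own_host = (urlsplit(page_url).hostname or "").lower()
    leaky = []
    for a in collector.links:
        href = a["href"]
        if not _is_remote(href):
            continue
        if (urlsplit(href).hostname or "").lower() == own_host:
            continue  # same site: the referrer reveals nothing new
        rel = a.get("rel", "").lower().split()
        if "noreferrer" in rel or a.get("referrerpolicy", "").lower() == "no-referrer":
            continue
        leaky.append(href)
    return leaky


# Constructed sample newsletter; the hosts are placeholders, not real services.
SAMPLE_HTML = """<html><body>
<p>Quarterly update</p>
<img src="https://cdn.example.com/logo.png" width="200" height="60">
<img src="https://track.example.net/open.gif?uid=a1b2c3" width="1" height="1">
<img src="cid:inline-chart" width="1" height="1">
<a href="https://partner.example.org/report">partner report</a>
<a href="https://partner.example.org/privacy" rel="noreferrer">privacy</a>
<a href="https://intranet.example.com/page">internal page</a>
</body></html>"""

if __name__ == "__main__":
    print("beacons:", find_beacons(SAMPLE_HTML))
    print("leaky links:", links_without_noreferrer(
        SAMPLE_HTML, "https://intranet.example.com/newsletter"))
```

On the sample the logo is a normal image, the `open.gif` with a `uid=` token is reported as a beacon, and only the `partner report` link is reported as leaky. Current browsers default to sending just the origin on cross-site navigations, but that still tells the linked site which organization linked to it, which is exactly the broadcast the bullet above warns about; `rel="noreferrer"` suppresses it entirely.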
  • 4. CYBER OPSEC: section 2. Browsing the Web (continued)

Imposter sites will often mimic a legitimate site’s URL through a common misspelling or by using another extension—like dot-com instead of dot-net. Get into the habit of typing Web site names into a search engine instead of the address bar.
• Many search engines pre-scan sites for malicious code and will warn you when you click them.
• Many anti-virus products have “site advisor” functions that provide visual warning icons for known bad sites.
• Search engines correct spelling, making it less likely you’ll go to an unintended site.
• Look for the HTTPS in the address bar to verify that the transaction is secure—before entering your username, password, or any other important information. If it’s not there, ask yourself if it’s OK to broadcast openly and think twice before clicking the “submit” button.

Password security is key!
• Never use the same password from site to site. The owners of one site can easily try that name and password at other popular sites and see if it works.
• Never give any site any password for any reason. Most social networking sites ask for e-mail passwords while others ask for banking and credit card passwords. No matter how much they promise to protect and not misuse the information, history shows otherwise. The consequences of disregarding this rule can be severe.

Be cautious of fake alerts that look like legitimate warnings or system messages, but are not.
• Determine if the alert is real by closing all browser windows from the taskbar (don’t click on or near the alert itself).
• If the alert remains, look to see if it mentions a Web site to visit or tool to download. If so, perform a Web search on the site or tool. If the results show that the site/tool is bogus, ignore the alert and ask your IT department to run virus and spyware scans on your machine.

Installation warnings are the last chance you have to prevent bad code from getting into your computer. They claim to be a “video player update” or “critical patch,” but are often viruses.
• Say no to any “active-x” control or install warning unless you are sure of who created it, what it is, and what it will do once installed.
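The imposter-site and HTTPS advice above can be turned into an automatic triage of links before a user follows them, for instance in a mail gateway or a browser extension. The Python below is an added example, not part of the brochure: given a small allowlist of sites you actually use, it reports a URL that is not served over HTTPS, a host that reuses a legitimate name under a different extension (the dot-com-for-dot-net case), and a host that is one typo away from, or embeds, a legitimate name. The allowlist domains, the URLs and the `classify_url` name are constructed for this example, and the registrable-domain split is a deliberate simplification (multi-label suffixes such as co.uk are not handled).

```python
from urllib.parse import urlsplit

# Constructed allowlist of the sites you actually use; replace with your own.
LEGIT_DOMAINS = ("example.net", "mybank.example")


def _edit_distance(a, b):
    """Levenshtein distance; a single typo is distance 1."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def _name_and_tld(host):
    """Naive split of a hostname into its brand label and its extension
    (www.example.net -> ("example", "net")); multi-label TLDs are not handled."""
    parts = host.lower().rstrip(".").split(".")
    if len(parts) < 2:
        return host.lower(), ""
    return parts[-2], parts[-1]


def classify_url(url, legit_domains=LEGIT_DOMAINS):
    """Return findings for a URL a user is about to visit:
    'no-https'             the page is not served over HTTPS
    'lookalike-tld:<d>'    same name as allowlisted <d> under another extension
    'lookalike-name:<d>'   one typo away from, or embedding, the name of <d>
    An empty list means an allowlisted host reached over HTTPS."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    findings = []
    if parts.scheme != "https":
        findings.append("no-https")
    if any(host == d or host.endswith("." + d) for d in legit_domains):
        return findings  # exact allowlist hit: only the transport can be wrong
    name, tld = _name_and_tld(host)
    for legit in legit_domains:
        legit_name, legit_tld = _name_and_tld(legit)
        if name == legit_name and tld != legit_tld:
            findings.append(f"lookalike-tld:{legit}")
        elif _edit_distance(name, legit_name) <= 1 or (legit_name in name and name != legit_name):
            findings.append(f"lookalike-name:{legit}")
    return findings


if __name__ == "__main__":
    for u in ("https://example.net/login", "http://www.example.net/login",
              "https://exanple.net/login", "https://example.com/",
              "https://mybank-login.example/", "https://news.unrelated.example/"):
        print(u, "->", classify_url(u))
```

A host that triggers no lookalike finding but is also not on the allowlist returns an empty list, so this check only catches imitations of sites you have listed; it is a complement to, not a replacement for, the search-engine and site-advisor warnings the bullets describe.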
  • 5. CYBER OPSEC: section 3. Posting Online

Public visibility.
• Most things posted online are visible to everyone online (good and bad alike).
• Remember that even things posted “privately” often become public by accident or due to weak site security.
• Anything posted to your organization’s Web site that’s not protected by password or PKI authentication is publicly visible. Several other methods of protection are commonly attempted, but can be bypassed easily (domain restriction, robots.txt file, etc.).

Don’t rely on third-party sites to keep information safe.
• Third-party sites may have been initiated or infiltrated by adversaries, putting your data at risk.
• Data centers used by these sites may be in other countries with weak data protection laws.
• Third parties are often hacked or sell user data outright.

Watch for metadata in files.
• Microsoft Office documents typically have a creator’s name and organization in the file properties. This can be shut off in the options, but is usually on by default.
• Photos may also list names (if software was installed with the camera) and can also include GPS coordinates where the photo was taken. Photo editing software must be used to view and remove “EXIF metadata” in photos.

Photos often reveal too much.
• Buildings or natural features in the background can give away location.
• Reflective surfaces may show people, names, or other critical information.
• Photos of small animals or objects taken on a hand often provide palm and fingerprints to the adversary.

It is hard and often impossible to remove information from the Web after it has been posted, so be careful in the posting process before it’s too late.
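The metadata bullets above are worth seeing at the byte level, because a pre-publication check can be automated instead of relying on each author to open the file properties. The Python below is an added example, not part of the brochure, covering both cases: for a JPEG it walks the marker segments, reports whether the Exif block's IFD0 carries a GPS sub-IFD pointer (tag 0x8825), and rebuilds the file with the Exif APP1 segment dropped; for an Office Open XML document it reads the creator name from docProps/core.xml. The sample JPEG and .docx are constructed in code (the JPEG carries a placeholder scan and is not a viewable picture); the function names are this example's own.

```python
import io
import struct
import zipfile
import xml.etree.ElementTree as ET

APP1, SOS, EOI = 0xFFE1, 0xFFDA, 0xFFD9
GPS_IFD_POINTER = 0x8825  # IFD0 tag whose value is the offset of the GPS sub-IFD


def _jpeg_segments(data):
    """Yield (marker, payload) for each header segment; the scan data that
    follows SOS (and the trailing EOI) is yielded once, as an opaque tail."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG: missing SOI")
    pos = 2
    while pos + 2 <= len(data):
        (marker,) = struct.unpack(">H", data[pos:pos + 2])
        if marker in (SOS, EOI):
            yield marker, data[pos + 2:]
            return
        (length,) = struct.unpack(">H", data[pos + 2:pos + 4])
        yield marker, data[pos + 4:pos + 2 + length]
        pos += 2 + length


def exif_has_gps(data):
    """True if the Exif APP1 block's IFD0 contains a GPS sub-IFD pointer."""
    for marker, payload in _jpeg_segments(data):
        if marker != APP1 or not payload.startswith(b"Exif\x00\x00"):
            continue
        tiff = payload[6:]                      # TIFF structure follows the Exif header
        end = "<" if tiff[:2] == b"II" else ">"  # byte order mark: II little, MM big
        (ifd0,) = struct.unpack(end + "I", tiff[4:8])
        (count,) = struct.unpack(end + "H", tiff[ifd0:ifd0 + 2])
        for i in range(count):                  # 12-byte directory entries
            entry = ifd0 + 2 + 12 * i
            (tag,) = struct.unpack(end + "H", tiff[entry:entry + 2])
            if tag == GPS_IFD_POINTER:
                return True
    return False


def strip_exif(data):
    """Rebuild the JPEG without its Exif APP1 block (GPS, camera and software
    tags all live there); every other segment and the image data are copied."""
    out = bytearray(b"\xff\xd8")
    for marker, payload in _jpeg_segments(data):
        if marker in (SOS, EOI):
            out += struct.pack(">H", marker) + payload
        elif marker == APP1 and payload.startswith(b"Exif\x00\x00"):
            continue
        else:
            out += struct.pack(">HH", marker, len(payload) + 2) + payload
    return bytes(out)


def build_sample_jpeg(with_gps):
    """Constructed test input: JPEG headers with an Exif block (optionally
    holding a GPS sub-IFD) in front of a placeholder scan; not a real picture."""
    entries = [struct.pack("<HHI4s", 0x0131, 2, 4, b"cam\x00")]  # Software, ASCII, inline
    n = len(entries) + (1 if with_gps else 0)
    gps_ifd = 8 + 2 + 12 * n + 4  # first free offset after IFD0
    if with_gps:
        entries.append(struct.pack("<HHII", GPS_IFD_POINTER, 4, 1, gps_ifd))
    tiff = b"II*\x00" + struct.pack("<IH", 8, n) + b"".join(entries) + struct.pack("<I", 0)
    if with_gps:  # GPS IFD with a single GPSVersionID entry
        tiff += struct.pack("<H", 1) + struct.pack("<HHI4s", 0, 1, 4, b"\x02\x03\x00\x00") + struct.pack("<I", 0)
    exif = b"Exif\x00\x00" + tiff
    app1 = struct.pack(">HH", APP1, len(exif) + 2) + exif
    comment = b"\xff\xfe" + struct.pack(">H", 2 + 5) + b"hello"  # COM segment that must survive
    scan = b"\xff\xda" + struct.pack(">H", 2) + b"\x00\x11\x22" + b"\xff\xd9"
    return b"\xff\xd8" + app1 + comment + scan


CORE_NS = {
    "cp": "http://schemas.openxmlformats.org/package/2006/metadata/core-properties",
    "dc": "http://purl.org/dc/elements/1.1/",
}


def docx_creator(docx_bytes):
    """Creator name recorded in docProps/core.xml of an Office Open XML file, or None."""
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        root = ET.fromstring(z.read("docProps/core.xml"))
    el = root.find("dc:creator", CORE_NS)
    return el.text if el is not None else None


def build_sample_docx(creator):
    """Constructed test input: the zip skeleton of a .docx with only core.xml."""
    core = (f'<cp:coreProperties xmlns:cp="{CORE_NS["cp"]}" xmlns:dc="{CORE_NS["dc"]}">'
            f"<dc:creator>{creator}</dc:creator></cp:coreProperties>")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("docProps/core.xml", core)
    return buf.getvalue()
```

Dropping the whole Exif block also removes the Orientation tag, so a phone photo may display sideways afterwards; if that matters, re-save the stripped file through an editor. Note that other APPn segments (XMP in a second APP1, ICC profiles in APP2) can carry names too and are left untouched by this routine.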
  • 6. CYBER OPSEC: section 4. Practice Good System Safety

Keep your computer secure.
• Lock your computer when walking away.
• Don’t use a government laptop on your personal Internet or at hotspots unless instructed by your security officer that you may do so.
• Don’t leave laptops in hotels or cars unless it’s unavoidable, but use a locking cable or hide them when you must.
• Make sure your laptop has full disk encryption installed before taking it out of secure spaces.
• Don’t allow others to use your government computer without your direct oversight.

Be wary of devices.
• Don’t connect any USB device, floppy disk, or CD to your computer unless it has been carefully scanned beforehand. Even store-bought products sometimes have viruses.
• Disable auto-run and auto-play functionality to help limit the damage a media virus can do.

Dispose of media properly.
• Data recovery is very sophisticated. Learn and follow your organization’s media destruction policy.
• Remember that nearly all devices have data storage. Treat any USB device (not just thumb drives), floppies, CDs, phones, cameras, and hard drives as a disposal risk.

Practice good password safety.
• Don’t e-mail or store any passwords unencrypted. Remember that a password to a classified system must be handled as classified itself.
• Don’t put passwords on sticky notes or notepads unless you physically secure them.
• Learn how to create hard to guess, but easy to remember passwords and change them often.
  • 7. CYBER OPSEC: section 5. Protect Your Portable Devices

Wireless allows adversaries to connect at distances of up to a mile or more.
• Your movements can be tracked.
• Stored or transmitted data can be stolen.
• Stored or transmitted data can be modified.

Many portable devices (phones, laptops, earpieces) include wireless capability, but not security.
• Turn off wireless if it’s not necessary.
• If security is present, learn and activate all security features appropriately.
• Remember commercial security is weak and shouldn’t be relied on in most cases.
• When in doubt, pull the battery (where able) and put the device in an RF shielded container.
• Always first ask if portable devices are necessary for your mission. They’re no risk if they’re not used.

Portable wireless (particularly RFID in badges) can be used for individual identification. These devices must include strong authentication and encryption to deter these risks:
• Copying at a distance, thus invalidating their use for keyless entry systems and personal identification (such as with US passcards).
• Tracking your movements.
• Triggering cameras or even roadside bombs targeted for individuals.

Portable devices are easily lost or stolen.
• Always encrypt important data.
• Put strong lock-codes and passwords on your devices to prevent tampering.
• Keep them secure and out of adversary hands.
  • 8. “It is vital that we all understand that even information that is UNCLASSIFIED is still important and in need of proper protection.... The information we put out there is immediate and forever and it is incumbent upon all of us to strongly consider that before putting anything out in the public domain.” —LTG Keith B. Alexander, USA, Director, National Security Agency, Executive Agent for Operations Security. Think. Protect. OPSEC. www.ioss.gov