2. CYBER OPSEC: section 1
Internet Communication in General

The Internet was designed to withstand nuclear attack, not to be secure from its own users.
• Never assume security, assume it’s unsecured.
• When security is needed, have trained IT security people in your organization seek and implement proper tools.

People can easily send fake e-mails that appear to be from people you know/trust.
• Always digitally sign messages.
• Encourage everyone else to sign their messages.
• In all cases (even with signed messages) personalize an e-mail enough so that it’s obvious a real person sent it.
• Always verify suspicious messages before acting.

Even e-mails that are legit can be captured and read/modified in transit.
• Secure e-mails with digital encryption.
• Use file encryption or password protection if e-mail encryption isn’t available.

Our carelessness makes the job easy for the adversary.
• If adequate protection is unavailable, don’t send it over the Internet. Evaluate other options and work to get secure tools.
• If you have secure tools, actually use them. If you don’t know how, find out. Laziness is the adversary’s best friend.
• Don’t let forwarded and repeatedly replied messages snowball. Eliminate the unnecessary data so a lucky adversary can’t get the whole picture in one e-mail.
• Don’t use CC to send e-mails to a list of people unless you specifically want everyone to see everyone else’s e-mail address. In all other cases, send it to yourself (because everyone knows who you are already) and use BCC (blind carbon copy) instead.
3. CYBER OPSEC: section 2
Browsing the Web

Cookies make shopping carts and online accounts work, but can be a risk in several ways.
• Delete cookies regularly or disable cookies through your browser. You can “whitelist” cookies from sites you need/trust while still blocking all others.
• Never use the “remember me” function on Web sites. This greatly increases your odds of having your account hijacked.

Companies want to know where you go online and use a function called “Web bugs” or “beacons” to do it. They look like ordinary images and are activated simply by viewing a Web page or e-mail.
• HTML bugs can only be blocked with special tools (hopefully being handled by your IT department).
• E-mail bugs can be completely blocked by selecting “text-only” in your e-mail settings or using an e-mail program that blocks images from untrusted senders.

Search engines track your search history and store it in databases; this can reveal a lot of information about you and your job in aggregate.
• Use generic information when possible (e.g., zip codes instead of addresses).
• Alternate search engines to improve your results and prevent a single engine from getting the whole picture.
• If you use related services, always log out before searching so they can’t tie your results to your account (e.g., Log out of Yahoo! Mail before using Yahoo! Search).

Clicking any link online tells the target Web site which site you just came from. This can give away information you hadn’t intended.
• When clicking links in search results, ask if any of the data (search terms) in your address bar give data away. If so, copy and paste a result’s link to your address bar instead of clicking it.
• When posting links on a Web site you control, ask if you want to broadcast to the linked sites the fact that you linked to them. If not, print the links, but don’t make them clickable so people have to cut and paste them instead.
4. CYBER OPSEC: section 2
Browsing the Web

Imposter sites will often mimic a legitimate site’s URL through a common misspelling or by using another extension—like dot-com instead of dot-net. Get into the habit of typing Web site names into a search engine instead of the address bar.
• Many search engines pre-scan sites for malicious code and will warn you when you click them.
• Many anti-virus products have “site advisor” functions that provide visual warning icons for known bad sites.
• Search engines correct spelling, making it less likely you’ll go to an unintended site.

Password security is key!
• Never use the same password from site to site. The owners of one site can easily try that name and password at other popular sites and see if it works.
• Never give any site any password for any reason. Most social networking sites ask for e-mail passwords while others ask for banking and credit card passwords. No matter how much they promise to protect and not misuse the information, history shows otherwise. The consequences of disregarding this rule can be severe.
• Look for the HTTPS in the address bar to verify that the transaction is secure—before entering your username, password, or any other important information. If it’s not there, ask yourself if it’s OK to broadcast openly and think twice before clicking the “submit” button.

Be cautious of fake alerts that look like legitimate warnings or system messages, but are not.
• Determine if the alert is real by closing all browser windows from the taskbar (don’t click on or near the alert itself).
• If the alert remains, look to see if it mentions a Web site to visit or tool to download. If so, perform a Web search on the site or tool. If the results show that the site/tool is bogus, ignore the alert and ask your IT department to run virus and spyware scans on your machine.

Installation warnings are the last chance you have to prevent bad code from getting into your computer. They claim to be a “video player update” or “critical patch,” but are often viruses.
• Say no to any “active-x” control or install warning unless you are sure of who created it, what it is, and what it will do once installed.
5. CYBER OPSEC: section 3
Posting Online

Public visibility.
• Most things posted online are visible to everyone online (good and bad alike).
• Remember that even things posted “privately” often become public by accident or due to weak site security.
• Anything posted to your organization’s Web site that’s not protected by password or PKI authentication is publicly visible. Several other methods of protection are commonly attempted, but can be bypassed easily (domain restriction, robots.txt file, etc.).

Don’t rely on third party sites to keep information safe.
• Third party sites may have been initiated or infiltrated by adversaries putting your data at risk.
• Data centers used by these sites may be in other countries with weak data protection laws.
• Third parties are often hacked or sell user data outright.

Watch for metadata in files.
• Microsoft Office documents typically have a creator’s name and organization in the file properties. This can be shut off in the options, but is usually on by default.
• Photos may also list names (if software was installed with the camera) and can also include GPS coordinates where the photo was taken. Photo editing software must be used to view and remove “EXIF metadata” in photos.

Photos often reveal too much.
• Buildings or natural features in the background can give away location.
• Reflective surfaces may show people, names, or other critical information.
• Photos of small animals or objects taken on a hand often provide palm and fingerprints to the adversary.

It is hard and often impossible to remove information from the Web after it has been posted, so be careful in the posting process before it’s too late.
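To show where the photo metadata described above sits inside a JPEG file, the following added example (not part of the original brochure) walks the file's segments, reports whether the EXIF block carries an Artist name or a GPSInfo pointer, and writes a copy without the EXIF segment. The function names and the sample file are constructed for illustration; only the first EXIF directory (IFD0) is inspected and a standard segment layout is assumed.

```python
EXIF = b"Exif\x00\x00"
SENSITIVE = {0x013B: "Artist", 0x8825: "GPSInfo"}  # standard TIFF/EXIF tag ids

def segments(jpeg):
    """Yield (marker, start, end) for each segment before the compressed scan."""
    if jpeg[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG: missing SOI marker")
    pos = 2
    while pos + 4 <= len(jpeg) and jpeg[pos] == 0xFF and jpeg[pos + 1] != 0xDA:
        end = pos + 2 + int.from_bytes(jpeg[pos + 2:pos + 4], "big")
        if end < pos + 4 or end > len(jpeg):
            raise ValueError("corrupt segment length")
        yield jpeg[pos + 1], pos, end
        pos = end

def exif_segments(jpeg):
    return [(s, e) for m, s, e in segments(jpeg)
            if m == 0xE1 and jpeg[s + 4:e].startswith(EXIF)]  # APP1 with EXIF tag

def sensitive_tags(jpeg):
    """Names of identifying IFD0 tags present in the file's EXIF block(s)."""
    found = []
    for s, e in exif_segments(jpeg):
        tiff = jpeg[s + 4 + len(EXIF):e]
        order = "little" if tiff[:2] == b"II" else "big"   # TIFF byte-order mark
        ifd0 = int.from_bytes(tiff[4:8], order)
        count = int.from_bytes(tiff[ifd0:ifd0 + 2], order)
        for o in range(ifd0 + 2, ifd0 + 2 + 12 * count, 12):  # 12-byte entries
            tag = int.from_bytes(tiff[o:o + 2], order)
            if o + 12 <= len(tiff) and tag in SENSITIVE:
                found.append(SENSITIVE[tag])
    return found

def strip_exif(jpeg):
    """Copy the file without its EXIF APP1 segments; image data is untouched."""
    out, last = bytearray(), 0
    for s, e in exif_segments(jpeg):
        out += jpeg[last:s]
        last = e
    return bytes(out + jpeg[last:])

def sample_jpeg():
    """Constructed file: JFIF header, EXIF (Artist + GPSInfo), empty scan."""
    tiff = (b"II*\x00\x08\x00\x00\x00\x02\x00"                   # header, 2 entries
            b"\x3b\x01\x02\x00\x04\x00\x00\x00Bob\x00"           # Artist = "Bob"
            b"\x25\x88\x04\x00\x01\x00\x00\x00\x26\x00\x00\x00"  # GPSInfo pointer
            b"\x00\x00\x00\x00")                                 # no next IFD
    app1 = b"\xff\xe1" + (len(EXIF + tiff) + 2).to_bytes(2, "big") + EXIF + tiff
    app0 = b"\xff\xe0\x00\x10JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
    return b"\xff\xd8" + app0 + app1 + b"\xff\xda\x00\x02\x00\xff\xd9"
```

Run `sensitive_tags()` on a photo's bytes before posting it, and post the output of `strip_exif()` if anything is reported.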
6. CYBER OPSEC: section 4
Practice Good System Safety

Keep your computer secure.
• Lock your computer when walking away.
• Don’t use a government laptop on your personal Internet or at hotspots unless instructed by your security officer that you may do so.
• Don’t leave laptops in hotels or cars unless it’s unavoidable, but use a locking cable or hide them when you must.
• Make sure your laptop has full disk encryption installed before taking it out of secure spaces.
• Don’t allow others to use your government computer without your direct oversight.

Be wary of devices.
• Don’t connect any USB device, floppy disk, or CD to your computer unless it has been carefully scanned beforehand. Even store-bought products sometimes have viruses.
• Disable auto-run and auto-play functionality to help limit the damage a media virus can do.

Dispose of media properly.
• Data recovery is very sophisticated. Learn and follow your organization’s media destruction policy.
• Remember that nearly all devices have data storage. Treat any USB device (not just thumbdrives), floppies, CDs, phones, cameras, and hard drives as a disposal risk.

Practice good password safety.
• Don’t e-mail or store any passwords unencrypted. Remember that a password to a classified system must be handled as classified itself.
• Don’t put passwords on sticky notes or notepads unless you physically secure them.
• Learn how to create hard to guess, but easy to remember passwords and change them often.
7. CYBER OPSEC: section 5
Protect Your Portable Devices

Wireless allows adversaries to connect at distances of up to a mile or more.
• Your movements can be tracked.
• Stored or transmitted data can be stolen.
• Stored or transmitted data can be modified.

Many portable devices (phones, laptops, earpieces) include wireless capability, but not security.
• Turn off wireless if it’s not necessary.
• If security is present, learn and activate all security features appropriately.
• Remember commercial security is weak and shouldn’t be relied on in most cases.
• When in doubt, pull the battery (where able) and put the device in an RF shielded container.
• Always first ask if portable devices are necessary for your mission. They’re no risk if they’re not used.

Portable wireless (particularly RFID in badges) can be used for individual identification. These devices must include strong authentication and encryption to deter these risks.
• Copying at a distance thus invalidating their use for keyless entry systems and personal identification (such as with US passcards).
• Tracking your movements.
• Triggering cameras or even roadside bombs targeted for individuals.

Portable devices are easily lost or stolen.
• Always encrypt important data.
• Put strong lock-codes and passwords on your devices to prevent tampering.
• Keep them secure and out of adversary hands.
8. “It is vital that we all understand that even information that is UNCLASSIFIED is still important and in need of proper protection.... The information we put out there is immediate and forever and it is incumbent upon all of us to strongly consider that before putting anything out in the public domain.”
—LTG Keith B. Alexander, USA
Director, National Security Agency
Executive Agent for Operations Security
Think. Protect. OPSEC.
www.ioss.gov