Beginner's Guide to Personal Operational Security

Commonly termed OpSec within the industry, operational security refers to the practice of securing your identity and other digital assets while online.

OpSec is a graded approach guided by risk management principles and implemented as needed based on the individual's context. Determining the "right" level of security is a personal process, since security measures always introduce inconvenience and you want to be sure those inconveniences are justified.

Background

This piece, unlike the many others you can easily Google, assumes that you are a consumer of technology rather than a user/administrator/compliance person, and is meant to help the everyday person apply some sensible OpSec to their daily life online.

This piece is informed by 2+ years spent in the crypto/Web3 world, where scams are more common than legitimate deals, and by experience as a platforms engineer in the cybersecurity industry. While it isn't advice from a cybersecurity professional, it should still be useful to most people who aren't targeted by state-sponsored h4x0rs.

Planning

While I would prefer to avoid being cheesy/clichéd, the 5Ws1H thingy is really a good model for framing concepts. When planning which security measures to implement, it is useful to consider:

  1. Who - Who might be interested in assuming my identity or stealing my assets?

  2. Why - Why might they be interested?

  3. What - What assets might be valuable to an attacker?

  4. When - When will an attacker attempt to carry out an attack?

  5. How - How could an attacker gain access to an asset?

The objective is to identify high-risk, high-impact compromises that could happen, determine the most likely path an attacker would take, and then find measures to ensure the attacker cannot carry out their plan.

Who

The "Who" are known in the industry as Threat Actors and can range from:

  1. Petty individuals who you've offended

  2. Spray-and-pray scammers

  3. Scam syndicates

  4. Corporate espionage

  5. State-sponsored hackers

In most situations and for most people, you'd only need to worry about 1-3. If you have extensive access rights in your organisation, you might also have to consider 4 if you know the financial benefit of a successful attack could be huge.

Why

The motivation behind an attack is usually linked to the "who". In the majority of cases it is financial gain. In some cases it could also be to inflict damage on you or your organisation, as happens with corporate espionage.

For most people online, the attacker's financial gain is the reason they get compromised.

What

We talk about assets, but what are they exactly? An asset is any artifact that can itself be the goal of an attack, or one that can be used to enable another attack.

Take a social media account associated with you as an example asset. Access to the account rarely grants the attacker any tangible financial gain by itself; successfully asking your friends for money via that account is what realises the gain. Selling access to the account could also result in financial gain for the attacker.

On the other hand, consider your banking credentials as an asset. Access to these credentials grants an attacker direct access to withdraw your money.

When

When an attacker strikes depends entirely on the persona of the attacker. If you're being targeted by well-resourced teams, you'd probably need to be on alert 24/7. For most of us though, attacks will most likely begin as someone initiating a conversation with you, which starts the process known as "social engineering".

How

How could an attacker get to you or your assets? One path is the availability of your email address, whether legitimately on a company website or via an email dump on a pastebin document. It could also be your phone number

Questions to assess yourself in general

  1. Who is likely to want to own my identity or assets? In order of resource availability and capabilities, this can range from petty individuals you've offended, to spray-and-pray scammers, to scam syndicates, to corporate spies, to state-sponsored hackers.

  2. Which of my accounts enable access to real-life assets? Think bank accounts that can be used to withdraw/transfer money, or seed phrases that grant access to a crypto wallet.

  3. Which of my accounts are "trusted"? Think social media/email accounts that can be used to contact your friends on your behalf, or any accounts you use to "Sign in with ..." on other sites.

  4. Where are the credentials to my accounts stored? Think pieces of paper, metal storage cabinets, password managers, or only in my head.

Everyday threats

Avoid exposing PII online

As far as possible, avoid entering full names, birthdays, email addresses, phone numbers, and physical addresses into online databases. Always assume the system has zero security and that this data can be accessed by multiple people who can sell it to an attacker (in reality, it can and will be accessed by vendors and advertising partners - read the Privacy Policy!).

Prevention is better than cure, and one way of preventing a social engineering attack on yourself is to obscure your real identity online.

Aside from government and banking accounts, all other websites or services you use simply need to know "a name", which doesn't necessarily have to be your real name or even an alias your friends know you by.

  • Email addresses can be obscured by using an email forwarding service (iOS provides one for free) or by using burner emails.

  • If you constantly use services online, consider obtaining a second number with a prepaid card or a low-priced plan that you can easily replace. Use this secondary number for non-critical services to keep your primary number safe.

  • Physical addresses usually only need to be revealed for deliveries. To keep yourself safe, pair the address with a name that isn't yours so that your name cannot be linked to your physical address.

Password protect your device

Use long passwords

Up to the 2010s we were advised to change passwords regularly and to use complex passwords that include symbols, numbers and mixed-case letters. Both pieces of advice are dated.

  • Complex passwords are plainly inconvenient, so users continually forget them. Inconvenience breeds resentment, and eventually users find a way to game the system while breaking actual security. Think P@ssw0rd, which satisfies the commonly found rules of minimum 8 characters, an uppercase letter, a symbol, and a number - but which is also definitely in a rainbow table.

  • Being forced to change your password regularly results in passwords like password2023q1 and password2023q2, which defeats the purpose of changing passwords regularly.

A scientifically better basis for creating passwords is length. A long password you can remember is better than a complex one you will forget. On its own it is not very secure, but together with multi-factor authentication (more on this later) it provides real security for your account.

Check this page out to see what I mean regarding password lengths:

Length matters because passwords are typically cracked through bruteforcing (running through every combination of characters) or rainbow tables (a giant file containing a list of common passwords or hashes of common passwords).

  • Every additional alphabetic (read: easily remembered) character increases the processing needed by a bruteforcing tool by a factor of 26, so the effort grows exponentially with length

  • If numbers are introduced, every additional character increases the minimum processing needed by a bruteforcing tool by a factor of 36 (accounting for the alphabet too)
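To put numbers on the two bullets above, here is an added example (not from the original guide) that computes the brute-force search space for the 26-letter and 36-alphanumeric character sets the text mentions, and contrasts it with a rainbow-table lookup, which ignores keyspace entirely. The 95-character "complex" set, the guess rate of 10^10 per second, and the tiny table of common passwords are all assumptions constructed for the demonstration.

```python
import hashlib

# Character-set sizes from the text: 26 lowercase letters, 36 letters+digits.
# The 95 printable-ASCII size for "complex" passwords is an assumption added here.
LOWER, ALNUM, FULL = 26, 36, 95

# Assumed attacker speed: 10^10 guesses/s, i.e. an offline attack on a fast unsalted hash.
GUESSES_PER_SECOND = 10**10
SECONDS_PER_YEAR = 365 * 24 * 3600

def keyspace(length: int, charset_size: int) -> int:
    """Worst-case number of candidates a brute-force tool must try."""
    return charset_size ** length

def growth_factor(length: int, charset_size: int) -> int:
    """How much one extra character multiplies the search space (26 for letters, 36 with digits)."""
    return keyspace(length + 1, charset_size) // keyspace(length, charset_size)

def years_to_exhaust(length: int, charset_size: int, rate: int = GUESSES_PER_SECOND) -> float:
    return keyspace(length, charset_size) / rate / SECONDS_PER_YEAR

# Constructed stand-in for a rainbow table: hashes of a handful of "clever" passwords.
COMMON_PASSWORDS = ["password", "P@ssw0rd", "password2023q1", "password2023q2", "letmein"]
RAINBOW_TABLE = {hashlib.sha1(p.encode()).hexdigest(): p for p in COMMON_PASSWORDS}

def in_rainbow_table(candidate: str) -> bool:
    """A table lookup defeats complexity entirely: symbols and digits are irrelevant here."""
    return hashlib.sha1(candidate.encode()).hexdigest() in RAINBOW_TABLE

def compare(short_complex: str, long_simple: str) -> dict:
    """Compare a short 'complex' password with a long lowercase-only passphrase."""
    return {
        "complex_keyspace": keyspace(len(short_complex), FULL),
        "complex_years": years_to_exhaust(len(short_complex), FULL),
        "complex_in_table": in_rainbow_table(short_complex),
        "simple_keyspace": keyspace(len(long_simple), LOWER),
        "simple_years": years_to_exhaust(len(long_simple), LOWER),
        "simple_in_table": in_rainbow_table(long_simple),
    }

if __name__ == "__main__":
    for length in (8, 12, 16, 20):
        print(f"{length:2d} lowercase letters: {keyspace(length, LOWER):.3e} guesses, "
              f"{years_to_exhaust(length, LOWER):.2e} years at {GUESSES_PER_SECOND:.0e}/s")
    # Constructed passphrase; 21 lowercase letters versus the 8-character P@ssw0rd.
    for key, value in compare("P@ssw0rd", "mycatlikeswarmwindows").items():
        print(f"{key:>18}: {value}")
```

The 8-character complex password falls to brute force in days at the assumed rate and is found instantly in the table; the 21-letter lowercase passphrase is neither.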

Use a password manager

Using a password manager ensures you don't leave scraps of paper with your username/password lying around. Sure, it becomes a single point of failure, but decent password managers will

Enable multi-factor authentication (MFA)

Enable authentication on your MFA

Enable auto-HTTPS

Use a VPN

VPNs

Destroy cookies on browser close

Install/enable an antivirus solution

Install/enable a firewall solution

Verify URLs before clicking

Remove query parameters from URLs before sharing/accessing

Corporate threats

Install a company administered MDM solution

Physically separate your MFA or use a hardware token

In theory, MFA should always be on a separate device so that it's "air-gapped". In reality this rarely happens, especially with accounts like personal email or social media. When addressing corporate-targeted threats, though, this becomes a necessity rather than just a good additional security measure.

Perform full encryption of your hard drive

Use company-administered VPN on public Wi-Fi

Commercial VPNs protect your identity. With corporate threats, though, you can be sure your attacker isn't a script kiddie or a spray-and-pray attacker; the attack will be an envelope with your name on it. This means

Disable USB access for non-HID devices on your computer

Destroy cookies on browser close

Authenticate someone with out-of-band channels

When receiving requests to perform critical actions, always confirm

Use different browsers for accessing information of different security levels

State threats

Use Signal for messaging

Use burner phones for calls and messages
