Following in the footsteps of two great guides, “10 Commandments for a Safer Internet” and “0x0A Hack Commandments”, I was inspired to give something back to the community. For the average Joe, operational security – or OPSEC for short – is basically just about risk management through identifying specific pieces of information requiring protection, and employing measures to protect them. Sounds intimidating? Don’t worry, because you’re already doing it.
In no particular order:
- Disable location sharing. These days our phones, tablets and PCs all tend to have GPS sensors in them, and what’s worse, those tend to be on and active by default. I recently wrote a bit about how Google and Android track your location, go check it out if you haven’t yet.
- Check yourself before you wreck yourself on social media. Everything you put online will stay there forever in one way or another, but on social media the repercussions can be immediate, extremely brutal, quickly spreading and far reaching in space and time. Don’t overshare, and especially don’t post stuff as public thinking that “no one will look at it anyway”. Marketers often talk about how your social media presence is all about “personal branding”, but what they fail to cover is the fact that limiting that presence can be a positive factor as well. I personally use burner accounts on some platforms, random nicknames on others, and on those places where I’m with my real name (such as Twitter), I regularly delete old stuff and clean up the profile.
- Moving to a bit older tech, but still just as ubiquitous: email. “Forward”, “CC” and “Reply all” are the most common OPSEC pitfalls, and most of us have either fallen into them or been on the receiving end. Also, be careful with the auto-complete features when adding a recipient. More great email tips can be found in this piece by Troy Hunt. And yes, email is an inherently insecure communication method – services like ProtonMail help to an extent, but all in all I’d put email into the “necessary evil” bucket in the context of this blog post.
- Use a VPN. In the age of ever-increasing government and corporate surveillance, both domestic and international alike, there’s no reason not to use a VPN. And yes, it significantly boosts the security of your WiFi connection as well. When picking a VPN, stay away from the “free” ones and be aware that not all VPNs are equal. Based on my own experience, I’d recommend FREEDOME VPN for the average user and Algo for more technical people.
- Protect your access card. A fellow called Tom Van de Wiele has been raising awareness about the issue of people hanging their ID badges in plain sight. That’s not a badge of honor, that’s a badge that can at minimum leak personal information about you (name, job title, employer, etc.) and at worst it can be copied or stolen! Check the pics with the hashtag #protectyouraccesscard and you’ll get the point. And never ever hang your work key(s) on that same lanyard. If you leave that sucker on a bus you just gave someone completely free access to your employer’s facilities, because now that ID badge gives context to otherwise unidentifiable key(s).
- Talking about protecting your physical things, it’s a good idea to get a wallet or at least a card sleeve with RFID blocking properties. You don’t want your cards scanned or wiped remotely! Personally, I roll with A. Eriksson 423-508 genuine leather wallet with full RFID shield sewn in it.
- Lock your screen. Such a simple yet powerful way of drastically increasing the security of your data, i.e. your life. I learned to always sign out or lock a computer when leaving it out of my sight back in elementary school (that’s what, almost 20 years ago?), yet I still see folks leaving their machines open all the time, even in public places! Lock your screens – PCs, tablets and phones alike – and always require a password or at least a PIN code for sign-in. (In some cases, a PIN can be better than a password, in other cases, biometric IDs can be better.)
- Encrypt your data. Pretty self-explanatory: just enable encryption on all of your devices. It’s easier than you think and there are plenty of guides available. However, encryption alone isn’t going to be enough if someone has physical access to your device. It’s convenient enough to carry your phone with you at all times, but how about a laptop? That usually gets left in the hotel room when travelling, and here’s where the possibility of an “evil maid attack” comes into play. There’s not much you can do against it (of course the good old glitter nail polish trick is at least an easy way to know if something has been tampered with), but this is just one of the things you’ll have to evaluate yourself – see tip #10.
- This is a bit similar to the second one, but it’s good to extend the concept to all interactions, both digital and IRL: the number of members in a group correlates to its likelihood of being compromised. It’s a fancy way of saying that the more people you share your information with – no matter how they try to convince you that your secrets are safe with them – the more probable it is that one of them, either by accident or purposefully, leaks that information. But be aware that this is also true in reverse: the more you say, the more likely you are to say something foolish.
- Create your own personal threat model. This might sound a bit excessive or even intimidating, but it’s fairly easy to do and comes with many benefits. All the things I’ve listed above are not some definitive set of rules, but pointers for you to consider and adapt to your own lifestyle and potential threats. Your threat model is not my threat model. Basically, putting a lock on your bike is an action you’ve done based on the threat model of that bike getting stolen, right? Now apply the same thinking to all your digital devices, online behavior and communications. Start small and simple, go from macro to micro in those areas where needed. That’s it!
P.S.: I didn’t include anything about IM services. That’s because most of you already use WhatsApp or Messenger, both of which have end-to-end encryption. Sure, both are operated by Facebook, which in itself is a serious blow to any credibility of actual privacy on those platforms – but I digress. Anyway, most messaging platforms we tend to use these days have some form of encryption capabilities, which is a good start. Note that there is a lot of variance between the actual security and privacy aspects of different IM apps. Personally I’ve found Wire to be the best option available at the moment.