Simple OpSec Resolutions for Outside the Office

The New Year has citizens and organizations alike reviewing their operational security practices; the expectation is that privacy rights will diminish, government surveillance will increase, and yet attacks and breaches will continue unabated.  To protect yourself and to strengthen the human element of your organization, review the below list of 2017 operational security (OpSec) resolutions.  Improving organizational security maturity starts with you.

General Hygiene

  1. Browse privately: move to Firefox; it’s highly functional and Mozilla doesn’t track your web browsing; that said, Firefox does use Google Safe Browsing in the background, which means that Firefox checks sites for phishing risk before proceeding; the net result being that if you want truly private browsing, you need to turn safe browsing off.
  2. Protect your passwords: don’t keep them on a post-it, or use the same password over and over again.  It’s easy to get lazy with this one.  Use a password manager like KeePass, or if you can’t bring yourself to invest in a tool, at least make your common passwords more complicated (yet understandable); something like “thing#year#iD”.  We recommend that our clients use complex passwords, use long passwords, and rotate passwords.  Your corporate information security program is hopefully enforcing something similar already.
  3. Take care with sensitive searches: search companies make money by tracking what you search; if you have something sensitive to search for, even if it’s just something health related, use an alternative browser like DuckDuckGo.  The results are less targeted, but your privacy remains intact.
  4. Avoid public wi-fi: it’s free for a reason – large retailers and their wireless partners love your usage data; wi-fi networks of any sort are riskier, easier to spoof (and therefore hack), and cause your device to automatically broadcast to those connection points in the future, thus increasing your risk; if you must use public wi-fi, go through a VPN, or to avoid it, use a tethered smart phone connection.
  5. Treat PII like cash: be selective on when and who you disclose your personally identifiable information (PII) to, to avoid future headaches. For example, avoid disclosing your email or phone number to retailers in exchange for discounts; if you do, be aware that you’ve just become a permanent member of their database, to be marketed to and sold, over and over again, until you die (or change your identity).
  6. Beware of the shoulder surfers: if you are the kind of person who works in public places a lot, seriously consider investing in a privacy filter to protect yourself from prying eyes.
  7. Don’t get Phished: Although it’s 2017, phishing is still in style; it’s the single biggest attack vector, so be paranoid about every e-mail  you receive. Pay special attention to the ones with attachments and links; hover over the links and verify that the link is going to the address displayed in the message. Do not open attachments unless it is a trusted source.
  8. Anti-Virus (AV): Todays threat landscape is dynamic and while AV vendors are having a tough time keeping up, AV software will still protect you from a wide variety of known threat vectors.


  1. Wireless off, bluetooth off: unless your phone is actively in need of one or the other, turn it off.  Turning on wireless or bluetooth opens up your phone to eavesdropping and attack, and delivers extra (free) data to other parties on your whereabouts and activities by way of broadcasting the probe requests; i.e. the SSIDs to which you have previously connected.
  2. Delete unnecessary apps: keeping libraries of apps that sit unused not only takes up precious storage space on your phone, it’s liable to make it chatty and share more information than you ever realized; maybe you didn’t realize that Shazam is listening to you 24-7? Not using?  Delete it!  You’ll likely also regain some batter life as a result.
  3. Cloud connectivity to apps – be selective on what you upload to the cloud and the permissions you grant to various applications – they may be convenient, but this is still somebody else’s server.  Get familiar with your smartphone’s privacy and cloud sharing settings.

Social Media

  1. Be smart on social media: yes, the Arab Spring was started via Twitter; it’s a powerful tool for group organization and communication; that said, not only the good guys are watching – and even the “good guys” may not have your interests at heart (“we’re from the government and we’re here to help”); be careful with what you say where, or at least be aware of who might be watching
  2. Move to encrypted chat: WhatsApp is a crowd favorite, followed by Signal and Wickr.  Chat apps like Skype don’t offer end to end encryption at all (thank you Microsoft), whereas Facebook Messenger and Google Allo only offer it as an option.  Chat is also safer overall than email if you have something private to say.

You may find a number of these recommendations inconvenient to your online existence, and they are. Security is not about convenience, it is a state of mind; maintaining successful OpSec requires vigilance and situational awareness.  That said, the rewards are worth it – privacy is priceless.