Written in late 2020
Threat modelling
- Have you spent some time thinking about your and your organisation’s threat models?
- Have you made a (mental or physical) list of possible situations, such as searches of border crossings, where you might be at particular risk?
Here are two great introductions to threat modelling: one by Ars Technica and one by the EFF.
Messengers
- Are you using a messenger such as Signal, WhatsApp, or Wire that has solid end-to-end encryption?
- If you are sharing sensitive content or messages, do you regularly delete them so that they aren’t stored on your phone?
- If you are sharing sensitive content or messages, have you disabled cloud sync?
It might be good practice to have several messengers or message groups installed, for different use cases. So you could for example have an instance of Signal, with disappearing messages enabled and no backups being made, for secure communication, and an instance of WhatsApp where you share and keep happy memories, holiday photos, and are willing to do backups or cloud sync.
Passwords and authentication
- Have you installed a password manager?
- Are all your passwords/passphrases unique and hard to guess?
- Have you enabled two factor authentication, wherever possible?
- For your key accounts (email, social), have you enabled authentication via a physical or Bluetooth security key?
When it comes to two factor authentication:
Physical/Bluetooth keys > Authenticator apps > Text message authentication > Nothing
Apps and updates
- Have you checked the permissions (microphone, camera, SMS) on the apps you have installed on your devices and only enabled those you really need?
- Have you removed apps you might no longer need?
- Are your operating systems (computer and mobile devices) up to date?
Unfortunately, it is not always possible to install the latest versions of mobile or desktop operating systems on older hardware. If software updates are no longer available for your device, it's time to upgrade.
Secure browsing
- Have you opted to use a VPN? If yes, then is it from a reliable provider?
- If you are not using a VPN, do you use a technology such as DNS-over-HTTPS or DNS-over-TLS?
- If you are doing something extremely sensitive, have you thought about how a VPN might not be enough to protect you and that something like a specially configured Tor Browser (with enhanced security settings) might be needed?
When it comes to web browsing, it is easy to hide in a crowd but almost impossible to be fully anonymous. If you are going to attempt the latter and use Tor, make sure you've spent time reading up about things like scripts, browser fingerprints, and the like. It's best to seek outside advice from a trusted security contact if you're working on something extremely sensitive.
Basic operational security
- Whom are you sharing data with? Are you safer if you share data with lots of other people (that way, if someone confiscates your phone or stops you from working, your work won't be stopped) or if you don't share it (that way, the chances of others falling victim to security breaches are lower)?
- Have you done an audit of who in your organisation has access to your webpage, social media pages, and the like? Who can post and read content? Do you trust them?
- What procedures do you as an organisation take to make sure that everyone follows good security practices?
One of the most difficult aspects of operational security is that it might feel like we aren't trusting friends and colleagues within our organisation, for example by not giving them admin access to its Facebook page or not sharing all information with them. But don't forget that security breaches and phishing can happen to the very best of us. By sharing information only with a limited group, you are not distrusting people so much as minimising the attack surface. Make sure that everyone in your organisation knows and understands this.