Merge pull request #4 from Ibranum/main

Fixed Grammar, Added NIST recommendations, Links, etc.
Cia Officer 2022-07-14 15:42:57 +03:00 committed by GitHub
commit d4673f985d
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23


@ -48,17 +48,19 @@ _________ __ ________ _________
#### Problem 1
Secure email provider like protonmail or tutanota. Use trused VPN like Mullvad or ProtonVPN.
Use a secure email provider like Protonmail or Tutanota. Also use trused VPN like Mullvad or ProtonVPN. E2E (end-to-end) encryption is only as secure as the service you are sending the email to. For example, if a Protonmail user sends an email to a GMail user, the email is encrypted with TLS, but Google can still read and hand over any data that passes through their server. E2E can be re-established by using features such as the password-protected email feature from Protonmail.
[Watch More](https://www.youtube.com/channel/UCYVU6rModlGxvJbszCclGGw)
[Read More on Email Encryption with Proton](https://proton.me/support/proton-mail-encryption-explained)
---
#### Problem 2
Different emails / different strong passwords. Store them in one place. Never use repeat passwords, especially for accounts with personally identifiable and sensitive information (e.g. Facebook, Gmail, AppleID, Twitter, banks/payments, crypto accounts). Use passwords that are randomly generated and 20+ characters long. If you see suspicious password activity or failed log-ins on any of your accounts, change all of your passwords, starting with sensitive and authorization accounts, such as your primary email and bank/crypto accounts. [Keepass](keepass.info) or BitWarden are good options.
Use different emails and different strong passwords. Store them in one place like a password manager. Never reuse passwords, especially for accounts with personally identifiable and sensitive information (e.g. Facebook, Gmail, AppleID, Twitter, banks/payments, crypto accounts). Use passwords that are at least 8 characters in length, but a minimum of 12 is generally recommended for memorization. Along with that, if using memorization, ensure that a minimum complexity requirement is met: which means having an uppercase character, a lowercase character, a digit, and a non-alphabetic character. Using a string of unrelated words while still meeting the dictionary requirement makes it easy to have an extremely secure password while still being able to remember it. If fully relying on a password manager, a password of 20+ characters in length that is randomly generated can be used. If you see suspicious password activity or failed log-ins on any of your accounts, change all of your passwords, starting with sensitive and authorization accounts, such as your primary email and bank/crypto accounts. [Keepass](keepass.info) or BitWarden are good options.
[Read More](https://blog.keys.casa/7-ways-to-level-up-your-bitcoin-opsec/)
[NIST 800-63b Password Guidelines and Best Practices](https://specopssoft.com/blog/nist-800-63b/)
---
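Review bot: the Problem 2 rewrite adds a complexity rule ("an uppercase character, a lowercase character, a digit, and a non-alphabetic character") right above a link to NIST 800-63B, but that guidance discourages mandatory composition rules in favour of length, blocklists of breached passwords, and rate limiting, so the sentence and the citation pull in opposite directions; suggest dropping the composition requirement or attributing it to a different source, and clarifying "the dictionary requirement", which is not defined anywhere in the text. Two carry-overs in the same hunk: "trused" survives into the new Problem 1 line ("Also use trused VPN like Mullvad or ProtonVPN"), and `[Keepass](keepass.info)` has no scheme, so it renders as a relative link; use `[Keepass](https://keepass.info)`.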
@ -72,7 +74,9 @@ Never link phone numbers to crypto platforms. Use trusted multiple e-sims if you
#### Problem 4
Instead of SMS-based 2FA, use Google Authenticator (iOS/Android) or Authy apps for iOS or Android. Google Authenticator is quicker and easier to set up, but Authy offers more robust account recovery options. Keep in mind that the codes generated by 2FA apps are device specific. Your account is not backed up to Google cloud or iCloud, so if you lose your phone, youll need to spend some time proving your identity to restore your 2FA. The added security is worth the hassle!
Instead of SMS-based 2FA, use Authy or Aegis OTP for iOS or Android. Google Authenticator is generally not recommended anymore in order to stay out of the Google ecosystem, and Authy offers more robust account recovery options (Aegis does not offer the same level of account recovery options). Keep in mind that the codes generated by 2FA apps are device specific. If your account is not manually backed up to Google cloud or iCloud and you lose your phone, youll need to spend some time proving your identity to restore your 2FA. The added security is worth the hassle!
Hardware-based 2FA options are regarded as more secure than phone-based OTP options since the keys are stored on the YubiKey device itself, not on your phone, or in the cloud, or on your computer.
[Read More](https://www.threatstack.com/blog/five-opsec-best-practices-to-live-by)
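Review bot: the backup sentence in Problem 4 no longer matches the apps being recommended: the paragraph now names Authy and Aegis, but "If your account is not manually backed up to Google cloud or iCloud" was written for the Google Authenticator recommendation it replaced, and Aegis backs up through encrypted export files rather than either cloud. Rewrite it in terms of the app's own backup mechanism (Authy's account backup, Aegis's encrypted export) or drop the cloud reference. Also fix "youll", and in the new hardware-key line introduce the device before naming it, e.g. "stored on the hardware key (such as a YubiKey) itself", and consider a "Read More" link for hardware keys since the existing link covers general opsec.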
@ -88,9 +92,9 @@ Cold storage, and separate “hot” wallet. Use multisig (gnosis-safe as exampl
#### Problem 6
Offline back-ups. Store them in a safe.
Offline back-ups. Store them in a safe. Can be written on paper, but recommended to be etched or laser-printed into metal. Always be sure to have a backup stored somewhere safe if your threat model allows for that. Ask yourself, what happens if my house catches on fire? What temperature is my safe rated to? Some individuals find a safety deposit box handy.
[Read More](https://www.gocivilairpatrol.com/programs/emergency-services/operations-support/operational-security-opsec)
[Read More]([https://www.gocivilairpatrol.com/programs/emergency-services/operations-support/operational-security-opsec](https://unchained.com/blog/how-to-store-bitcoin-seed-phrase-backups/))
---
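Review bot: the replacement link line is malformed markdown. `[Read More]([https://www.gocivilairpatrol.com/...](https://unchained.com/blog/how-to-store-bitcoin-seed-phrase-backups/))` nests one link inside the target of another and will not render as a working link; it should read `[Read More](https://unchained.com/blog/how-to-store-bitcoin-seed-phrase-backups/)`. In the prose, "Always be sure to have a backup stored somewhere safe if your threat model allows for that" is vague given that the first sentence already says to store backups in a safe; if the intent is a second copy in a separate location (which the fire and safety-deposit-box sentences imply), say that explicitly.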
@ -112,7 +116,7 @@ Be careful about using your real home address online for delivery purposes. Data
#### Problem 9
Remember: You Could Be a Target We are a natural target for all sorts of attacks — from garden-variety cybercriminals to competitive spying (sounds dramatic, but its real!). That said, it doesnt really matter what industry youre in. If you have any sensitive, proprietary information at all (and lets face it, most people in crypto do), then you could very well be a target. This is a good thing to always keep in mind.
Remember: You Could Be a Target! We are a natural target for all sorts of attacks — from garden-variety cybercriminals to competitive spying (sounds dramatic, but its real!). That said, it doesnt really matter what industry youre in. If you have any sensitive, proprietary information at all (and lets face it, most people in crypto do), then you could very well be a target. This is a good thing to always keep in mind.
[Read More](https://www.cnbc.com/2021/06/11/tips-to-help-keep-your-crypto-wallet-secure.html)
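Review bot: this hunk only adds an exclamation mark, while the grammar problems the commit message says it fixes remain on the same line: "its real", "doesnt", "youre", "lets face it" all lack apostrophes. Suggest fixing those in the same change and splitting the heading-like "Remember: You Could Be a Target!" onto its own line so it does not run into the sentence that follows.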
@ -187,7 +191,7 @@ Get countermeasures in place. The last step of operational security is to create
#### Problem 17
Implement dual control. Make sure that those who work on your network are not the same people in charge of security.
Implement separation of duties. Make sure that those who work on your network are not the same people in charge of security.
[Read More](https://arxiv.org/abs/2106.10740)
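Review bot: the rename from "dual control" to "separation of duties" is correct, since the sentence that follows ("those who work on your network are not the same people in charge of security") describes separation of duties. Dual control is a distinct control (two people required to complete a single action), which the multisig recommendation elsewhere in the document already covers, so nothing further is needed here beyond perhaps a word in the commit message noting the terminology change was deliberate.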
@ -208,7 +212,7 @@ Automate tasks to reduce the need for human intervention. Humans are the weakest
Incident response and disaster recovery planning are always crucial components of a sound security posture. Even when operational security measures are robust, you must have a plan to identify risks, respond to them, and mitigate potential damages.
[Read More](https://airgapcomputer.com)
[Read More on Incident Response Plans](https://www.crowdstrike.com/cybersecurity-101/incident-response/)
[Read More](https://trustwallet.com/blog/how-to-stay-safe-on-the-internet-crypto-guide)
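Review bot: the new CrowdStrike link uses descriptive text ("Read More on Incident Response Plans"), but the two neighbouring links are both plain "Read More" and the first points at a bare domain (airgapcomputer.com) with no indication of what it covers; for consistency, give each link text that says what the reader will find, or move the air-gap link to the section where air-gapped machines are discussed.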
@ -217,13 +221,16 @@ Incident response and disaster recovery planning are always crucial components o
#### Problem 20
Risk management involves being able to identify threats and vulnerabilities before they become problems. Operational security forces managers to dive deeply into their operations and figure out where their information can be easily breached. Looking at operations from a malicious third-partys perspective allows managers to spot vulnerabilities they may have otherwise missed so that they can implement the proper countermeasures to protect sensitive data. The most important thing here is to conventionally understand the process of attack. Their vector.
Risk management: The process of identifying, assessing and controlling threats to an organization's capital and earnings. These risks stem from a variety of sources including financial uncertainties, legal liabilities, technology issues, strategic management errors, accidents and natural disasters.
As an example: hacker delivered you some RAT (remote access trojan) on your computer and now the hacker has two ways. If the hack is "fan", i.e. massive, then the stealer will steal your cookies, and other information, so that later data will be sold on the secondary market for the processing of these logs by lamers. Classic opsec mentioned in 1-10 should help from it.
Many individuals from an organization can be in charge of different parts of the risk management process. Through this process, they can discover potential areas for a data breach or other threats. Understanding potential threat vectors is central to this process, as it allows them to be seen before they can be exploited.
Or the second option is a direct attack in which a hacker will make a phishing page on your router, through which you enter your password (poisoning of the DNS server). That is, to prevent an attack, ideally you need to separate machines and networks. You should also check certificates.
For example:
A hacker delivered a RAT (remote access trojan) onto the computer of an employee. If the RAT has a variety of capabilities, it could steal the cookies from the web browser, sift through files on the computer, and then exfiltrate that data to be sold on a darkweb market at a later date. The operational security steps mentioned in problems 1 through 10 should help prevent this from happening.
Hacker can also make an attack on the clipboard when you copy the address of sending and it will change to the address of the hacker. Moreover, the beginning and the end will coincide with the original address, which will be a mix of attack vectors - social engineering vector, phishing and classic malware.
Another potential attack is called "DNS Poisoning". It is a "highly deceptive cyber attack in which hackers redirect web traffic toward fake web servers and phishing websites". A web page could appear that looks like a normal login page for a business like GMail, Kraken, etc., but in reality it could be a phishing site made to steal your login information (email/username/password). Separate machines on the same network will not prevent this, as the traffic passes through the router for both machines, so the solution is to have separate networks and to verify website certificates. Some VPN providers use their own DNS servers through the software pakcage they provide, so this could prevent this type of attack as well.
Malware can also have the functionality to "attack" a computer's clipboard. The malware could check the clipboard at a set interval to see if any cryptocurrency addresses are detected in it. If they are, it would then replace the one in the clipboard with one of the hacker's cryptocurrency addresses, which means the cryptocurrency would then be sent to the hacker. The beginning and end may match, but this requires extra functionality on the part of the malware, as it would need to generate wallets on the fly and exfiltrate the keys to the hacker.
[Watch More](https://www.youtube.com/watch?v=pGcerfVqYyU)
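Review bot: two quoted definitions in the rewritten Problem 20 are unattributed: the risk-management definition ("The process of identifying, assessing and controlling threats to an organization's capital and earnings...") and the DNS-poisoning quote ("highly deceptive cyber attack in which hackers redirect web traffic...") both read as copied text and should carry a source link like the other sections do. Typo: "pakcage" in the DNS paragraph. On substance, the DNS paragraph's advice to "verify website certificates" is the key mitigation and deserves to be stated plainly (check that the browser shows a valid certificate for the expected domain) rather than as an afterthought, and the VPN sentence should say that a VPN's own resolver only helps when the poisoning is on the local network or ISP resolver, which is what the router example describes.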
@ -235,7 +242,7 @@ Hacker can also make an attack on the clipboard when you copy the address of sen
#### Problem 21
Your level of opsec usually depends on your threat model and which adversary you're up against. So it's hard to define how good your opsec is. But I'd say it sounds pretty okay.I recommend watching:
Your level of opsec usually depends on your threat model and which adversary you're up against. So it's hard to define how good your opsec is. But I'd say it sounds pretty okay. I recommend watching:
[Watch More](https://www.youtube.com/watch?v=9XaYdCdwiWU)
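Review bot: the fix adds the missing space after "okay.", but the sentence "But I'd say it sounds pretty okay." reads as a reply lifted from a forum thread and has no referent in a guide ("it" is never defined); suggest removing it and ending the paragraph at "how good your opsec is." followed by the "I recommend watching:" lead-in to the link.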