**Here we collect and discuss the best DeFi,Blockchain and crypto-related OpSec researches and data terminals - contributions are welcome.** **Feel free to submit a pull request, with anything from small fixes to translations, docs or tools you'd like to add.** [![Support Project](https://img.shields.io/badge/Support-Project-critical)](https://github.com/OffcierCia/DeFi-Developer-Road-Map#support-project) [![Supported by GitCoin](https://img.shields.io/badge/Support%20via-GitCoin-yellowgreen)](https://gitcoin.co/grants/3150/defi-developer-roadmap) [![Research Base](https://img.shields.io/badge/Research-Base-lightgrey )](https://github.com/OffcierCia/ultimate-defi-research-base) [![Mail](https://img.shields.io/badge/Mail-offcierciapr%40protonmail.com-brightgreen)](mailto:offcierciapr@protonmail.com) ``` _________ __ ________ _________ .____ .__ __ \_ ___ \_______ ___.__._______/ |_ ____ \_____ \ ______ / _____/ ____ ____ | | |__| _______/ |_ / \ \/\_ __ < | |\____ \ __\/ _ \ / | \\____ \\_____ \_/ __ \_/ ___\ | | | |/ ___/\ __\ \ \____| | \/\___ || |_> > | ( <_> ) / | \ |_> > \ ___/\ \___ | |___| |\___ \ | | \______ /|__| / ____|| __/|__| \____/ \_______ / __/_______ /\___ >\___ > |_______ \__/____ > |__| \/ \/ |__| \/|__| \/ \/ \/ \/ \/ ``` > Note: OpSec is a term coming from the military, meaning operational security. It has been widely used to describe security precautions in various sensible activities, and more recently also in cryptocurrency management.
Translations
- [Portuguese-Brazilian](https://github.com/OffcierCia/Crypto-OpSec-SelfGuard-RoadMap/blob/main/TranslationsOpSec/Portuguese.md) - [Russian](https://github.com/OffcierCia/Crypto-OpSec-SelfGuard-RoadMap/blob/main/TranslationsOpSec/Russian.md)
# OpSec SelfGuard RoadMap **| Special Author's Notes:** - [All-about-NFT security ](https://graph.org/NFT-security-01-28) - [Browser leakage checkers ](https://graph.org/Checkers-01-19) - [All ETH security tools existing](https://graph.org/ETHSec-Tools-02-13) - [All good TG Dev communities ](https://graph.org/Crypto-Telegram-Channels--Chats-04-19) - [Known smart contract-side and user-side attacks](https://graph.org/Data-02-14) - [Solidity language cheatsheets, tools and references collection](https://graph.org/Solidity-Cheatsheets-Pack-03-20) - [All known smart contract-side and user-side attacks & attack vectors](https://graph.org/All-known-smart-contract-side-and-user-side-attacks-and-vulnerabilities-in-Web30--DeFi-03-31) - [All possible transaction analysis, crypto-forensics and investigation tools list & references in a single note](https://graph.org/TX-Analysis-tools-04-19) - [Key principles of storing crypto cold wallet attacks defense methods best practices](https://graph.org/Key-principles-of-storing-crypto-cold-wallet-attacks-defense-methods-best-practices--Bonus-04-23) #### Problem 1 Secure email provider like protonmail or tutanota. Use trused VPN like Mullvad or ProtonVPN. [Watch More](https://www.youtube.com/channel/UCYVU6rModlGxvJbszCclGGw) --- #### Problem 2 Different emails / different strong passwords. Store them in one place. Never use repeat passwords, especially for accounts with personally identifiable and sensitive information (e.g. Facebook, Gmail, AppleID, Twitter, banks/payments, crypto accounts). Use passwords that are randomly generated and 20+ characters long. If you see suspicious password activity or failed log-ins on any of your accounts, change all of your passwords, starting with sensitive and authorization accounts, such as your primary email and bank/crypto accounts. [Keepass](keepass.info) or BitWarden are good options. [Read More](https://blog.keys.casa/7-ways-to-level-up-your-bitcoin-opsec/) --- #### Problem 3 Never link phone numbers to crypto platforms. Use trusted multiple e-sims if you have to link the phone. To lock down your SIM, contact your mobile phone carrier. Ask them to NEVER make changes to your phone number/SIM unless you physically show up to a specific store with at minimum two forms of identification. This (should) prevent hackers from calling up AT&T or T-Mobile or Vodafone, claiming to be you, and asking them to port your phone number to a new phone. [Read More](https://medium.com/the-business-of-crypto/fundamentals-of-opsec-in-crypto-7844ba701b1d) --- #### Problem 4 Instead of SMS-based 2FA, use Google Authenticator (iOS/Android) or Authy apps for iOS or Android. Google Authenticator is quicker and easier to set up, but Authy offers more robust account recovery options. Keep in mind that the codes generated by 2FA apps are device specific. Your account is not backed up to Google cloud or iCloud, so if you lose your phone, you’ll need to spend some time proving your identity to restore your 2FA. The added security is worth the hassle! [Read More](https://www.threatstack.com/blog/five-opsec-best-practices-to-live-by) --- #### Problem 5 Cold storage, and separate “hot” wallet. Use multisig (gnosis-safe as example) or at least a hardware wallet. Never store your seed phrase digitally. Seed phrases are intended to be stored on the paper card included with hardware wallets! That means never type it up, store it online, or take a photo of the card. Store your key on hard device. [Read More](https://digitalguardian.com/blog/what-operational-security-five-step-process-best-practices-and-more) --- #### Problem 6 Offline back-ups. Store them in a safe. [Read More](https://www.gocivilairpatrol.com/programs/emergency-services/operations-support/operational-security-opsec) --- #### Problem 7 Never do anything you do not understand. Always check which token you approve, transaction you sign, assets you send, etc - be extremely accurate while making any financial operation. Keep in mind that one of possible attack vectors is to put you in a situation that will encourage you to do smth (login or anything like that). You can install malwarebytes or Comodo or DrWeb antivirus but it won't help you if you do not understand them. Keep up your basic set of defending tools up to date. [Read More](https://joelgsamuel.medium.com/how-to-keep-your-smartphone-safe-from-spying-d7d50fbed817) --- #### Problem 8 Be careful about using your real home address online for delivery purposes. Data breaches are now a daily occurrence, and many breaches include customer names and addresses. Your physical address is not as easily changeable as a phone number or email address, so be especially mindful about where you use it on the Internet. If you’re ordering pizza with crypto, order it for pickup instead of delivery. When online shopping, use a different (and publicly available) address for package delivery. Options here include your workplace or drop boxes at delivery service providers like FedEx and your local postal service. [Read More](https://www.cnbc.com/2017/11/02/heres-how-to-protect-your-bitcoin-and-ethereum-from-hacking.html) --- #### Problem 9 Remember: You Could Be a Target We are a natural target for all sorts of attacks — from garden-variety cybercriminals to competitive spying (sounds dramatic, but it’s real!). That said, it doesn’t really matter what industry you’re in. If you have any sensitive, proprietary information at all (and let’s face it, most people in crypto do), then you could very well be a target. This is a good thing to always keep in mind. [Read More](https://www.cnbc.com/2021/06/11/tips-to-help-keep-your-crypto-wallet-secure.html) [Read More](https://www.usenix.org/system/files/1401_08-12_mickens.pdf) --- #### Problem 10 Remain Vigilant - Create a culture of skepticism where they feel comfortable checking twice before clicking a link or responding to a request for sensitive information, and you’ll have a much more secure organization overall. [Read More](https://www.ledger.com/academy/security/hack-wifi) [Read More](https://anonymousplanet.org/guide.html) --- #### Problem 11 OpSec often comes into play in public settings. For example, if members of your team are discussing work-related matters at a nearby lunch spot, during a conference, or over a beer, odds are that someone could overhear. As they say, loose lips can sink ships, so make sure you don’t discuss any sensitive company information while out in public. Many OpSec missteps can be avoided by being more aware of your surroundings and the context in which you are speaking: what you’re saying, where you are, who you’re speaking to, and who might overhear. It’s a good idea to go over the “no-no’s” for your specific company during onboarding and to remind employees of them periodically. [Watch More](https://www.youtube.com/watch?v=hxHqE2W8scQy) --- #### Problem 12 Identify your sensitive data, including your product research, intellectual property, financial statements, customer information, and employee information. This will be the data you will need to focus your resources on protecting. [Watch More](https://www.youtube.com/watch?v=0aSQMeoz9ow) --- #### Problem 13 Identify possible threats. For each category of information that you deem sensitive, you should identify what kinds of threats are present. While you should be wary of third parties trying to steal your information, you should also watch out for insider threats, such as negligent employees and disgruntled workers. [Read More](https://datatracker.ietf.org/wg/opsec/documents/) --- #### Problem 14 Analyze security holes and other vulnerabilities. Assess your current safeguards and determine what, if any, loopholes or weaknesses exist that may be exploited to gain access to your sensitive data. | Example: Use [AirGap](http://airgap.it), [OpenSource Wallet](http://alphawallet.com), [OpenSource Password storage](http://keepass.info), multi-sig, [Selfhosted link system](https://obsidian.md), read this [Sheet](https://github.com/jlopp/physical-bitcoin-attacks/blob/master/README.md), use [OpSec Services](https://github.com/x13a/Duress) - (you can also use [tenderly.co](https://tenderly.co) contract/address alerts + SMS). For deals use [escrow](github.com/JackBekket/escrow-eth/blob/master/contracts/EscrowAdvansed.sol) and [tx alarm clock](github.com/ethereum-alarm-clock/ethereum-alarm-clock) and with special services like [safient.io](https:safient.io), [sarcophagus.io](https://sarcophagus.io), [safehaven.io](https://safehaven.io). Never forget about non-trivial defence methods like one I shared [here](https://twitter.com/officer_cia/status/1516181065634824203) and [here](https://twitter.com/officer_cia/status/1516581048792289280). [Read More](https://www.lopp.net/bitcoin-information/security.html) --- #### Problem 15 Appraise the level of risk associated with each vulnerability. Rank your vulnerabilities using factors such as the likelihood of an attack happening, the extent of damage that you would suffer, and the amount of work and time you would need to recover. The more likely and damaging an attack is, the more you should prioritize mitigating the associated risk. [Read More](https://www.reddit.com/r/opsec/) --- #### Problem 16 Get countermeasures in place. The last step of operational security is to create and implement a plan to eliminate threats and mitigate risks. This could include updating your hardware, creating new policies regarding sensitive data, or training employees on sound security practices and company policies. Countermeasures should be straightforward and simple. Employees should be able to implement the measures required on their part with or without additional training. [Read More](https://hackernoon.com/5-tips-to-prevent-hackers-from-stealing-your-crypto-assets-e2243zig) --- #### Problem 17 Implement dual control. Make sure that those who work on your network are not the same people in charge of security. [Read More](https://arxiv.org/abs/2106.10740) --- #### Problem 18 Automate tasks to reduce the need for human intervention. Humans are the weakest link in any organization’s operational security initiatives because they make mistakes, overlook details, forget things, and bypass processes. [Read More](https://web.mit.edu/smadnick/www/wp/2019-05.pdf) [Read More](https://medium.com/immunefi/how-not-to-get-hacked-on-telegram-2db2b93a5fa2v) --- #### Problem 19 Incident response and disaster recovery planning are always crucial components of a sound security posture. Even when operational security measures are robust, you must have a plan to identify risks, respond to them, and mitigate potential damages. [Read More](https://airgapcomputer.com) [Read More](https://trustwallet.com/blog/how-to-stay-safe-on-the-internet-crypto-guide) --- #### Problem 20 Risk management involves being able to identify threats and vulnerabilities before they become problems. Operational security forces managers to dive deeply into their operations and figure out where their information can be easily breached. Looking at operations from a malicious third-party’s perspective allows managers to spot vulnerabilities they may have otherwise missed so that they can implement the proper countermeasures to protect sensitive data. The most important thing here is to conventionally understand the process of attack. Their vector. As an example: hacker delivered you some RAT (remote access trojan) on your computer and now the hacker has two ways. If the hack is "fan", i.e. massive, then the stealer will steal your cookies, and other information, so that later data will be sold on the secondary market for the processing of these logs by lamers. Classic opsec mentioned in 1-10 should help from it. Or the second option is a direct attack in which a hacker will make a phishing page on your router, through which you enter your password (poisoning of the DNS server). That is, to prevent an attack, ideally you need to separate machines and networks. You should also check certificates. Hacker can also make an attack on the clipboard when you copy the address of sending and it will change to the address of the hacker. Moreover, the beginning and the end will coincide with the original address, which will be a mix of attack vectors - social engineering vector, phishing and classic malware. [Watch More](https://www.youtube.com/watch?v=pGcerfVqYyU) [Read More](https://medium.com/@cryptochatjoe/remaining-anonymous-in-todays-crypto-market-a-101-guide-for-the-badass-not-so-techies-7091edffa9aa) --- #### Problem 21 Your level of opsec usually depends on your threat model and which adversary you're up against. So it's hard to define how good your opsec is. But I'd say it sounds pretty okay.I recommend watching: [Watch More](https://www.youtube.com/watch?v=9XaYdCdwiWU) [Watch More](https://www.youtube.com/watch?v=ixLuRvYlrlw) --- #### Problem 22 If you use smartphone be extremely aware. [Read More](https://joelgsamuel.medium.com/how-to-keep-your-smartphone-safe-from-spying-d7d50fbed817) --- #### Problem 23 Only Interact with DeFi Protocols You Trust - Take your time to read up on some previous concepts we’ve covered such as staking, yield farming, NFT farming, and research any other new terms you may come across before depositing crypto into a DApp that deploys any of these investment strategies. [Read More](https://github.com/OffcierCia/ultimate-defi-research-base) [Read More](https://assets.website-files.com/5ffef4c69be53b44bd10b438/6012f54022181b0d0a3a948c_CryptoCurrency%20Security%20Standards%20Checklist.pdf) --- #### Problem 24 Use trusted services. Using a secure, easy-to-use crypto wallet to interact with DeFi applications is essential to a safe and user-friendly DeFi experience. Interacting with smart contracts can be tricky for first-time users, so using a beginner-friendly crypto wallet with DApp support is a smart way to mitigate risks stemming from accidental errors on the side of the user. [Read More](https://github.com/OffcierCia/DeFi-Developer-Road-Map) [Read More](https://blog.eduonix.com/cryptocurrency/cryptocurrency-security-checklist-investors-adopt/) --- #### Problem 25 Be aware of most common attacks. Follow hacker websites, latest security standarts, check out what Nitrokey and Yubikey do and why. As a conclusion - read what is OSINT and counterOSINT so possible criminals wont be able to collect needed data. [Read More](https://github.com/jlopp/physical-bitcoin-attacks/blob/master/README.md) [Read More](https://cryptosec.info/checklist/) ### Table of contents | Watch | |----------------------------------------------| | https://www.youtube.com/watch?v=hxHqE2W8scQy | | https://www.youtube.com/watch?v=0aSQMeoz9ow | | https://www.youtube.com/watch?v=pGcerfVqYyU | | https://www.youtube.com/watch?v=9XaYdCdwiWU | | https://www.youtube.com/watch?v=ixLuRvYlrlw | | Read | |------------------------------------------------------------------------------------------------------------------------------------------| | https://blog.keys.casa/7-ways-to-level-up-your-bitcoin-opsec | | https://medium.com/the-business-of-crypto/fundamentals-of-opsec-in-crypto-7844ba701b1d | | https://www.threatstack.com/blog/five-opsec-best-practices-to-live-by | | https://digitalguardian.com/blog/what-operational-security-five-step-process-best-practices-and-more | | https://www.gocivilairpatrol.com/programs/emergency-services/operations-support/operational-security-opsec | | https://joelgsamuel.medium.com/how-to-keep-your-smartphone-safe-from-spying-d7d50fbed817 | | https://www.cnbc.com/2017/11/02/heres-how-to-protect-your-bitcoin-and-ethereum-from-hacking.html | | https://www.cnbc.com/2021/06/11/tips-to-help-keep-your-crypto-wallet-secure.html | | https://www.ledger.com/academy/security/hack-wifi | | https://datatracker.ietf.org/wg/opsec/documents/ | | https://www.lopp.net/bitcoin-information/security.html | | https://www.reddit.com/r/opsec/ | | https://hackernoon.com/5-tips-to-prevent-hackers-from-stealing-your-crypto-assets-e2243zig | | https://arxiv.org/abs/2106.10740 | | https://web.mit.edu/smadnick/www/wp/2019-05.pdf | | https://airgapcomputer.com | | https://joelgsamuel.medium.com/how-to-keep-your-smartphone-safe-from-spying-d7d50fbed817 | | https://assets.website-files.com/5ffef4c69be53b44bd10b438/6012f54022181b0d0a3a948c_CryptoCurrency%20Security%20Standards%20Checklist.pdf | | https://blog.eduonix.com/cryptocurrency/cryptocurrency-security-checklist-investors-adopt/ | | https://github.com/jlopp/physical-bitcoin-attacks/blob/master/README.md | | https://cryptosec.info/checklist/ | ## Support Project: Support is **very** important to me, with it I can spend less time at work and do what I love - educating DeFi & Crypto users :sparkling_heart: If you want to support my work, you can send me a donation to the address: **0xB25C5E8fA1E53eEb9bE3421C59F6A66B786ED77A** — ERC20 & ETH (officercia.eth) **17Ydx9m7vrhnx4XjZPuGPMqrhw3sDviNTU** - BTC