Red Teaming Yourself

A reader recently asked me if I could help him Red Team himself, to check his digital footprint and to know whether he was safe out there.

My answer was a list of things he could check; if any of them raised concerns, we could take it one step further.

Here's the list. I think it will help you threat-assess yourself:

Digital Life

  • Use passphrases instead of passwords
  • Use different passphrases for different accounts
  • Don’t reply to spam emails or click on links/pictures without verifying them, even when they came from friends
  • Don’t respond to emails from companies requesting more information about you. Call them instead, and only on a number that you know is the real one
  • Don’t open PDF, office documents, GIF or JPEG files directly in the email client or browser
  • Don’t run Windows. If you do, at least have it hardened for security
  • For Windows users, you have at least a good personal firewall (not free) and a good anti-malware (not free) (they don’t really work, but they do catch the script kiddies)
  • Don’t use pirated software, most have backdoors
  • Your mobile devices (phone, tablets, etc) are password protected
  • Your mobile devices are not rooted and you download apps from trusted sources
  • Install the latest updates on both the computers and mobile devices
  • Don’t download apps for your computer from “download” sites, but from their author’s site or the app store
  • Don’t use filesharing services (torrent, etc)
  • You clean the browser cache, cookies, history, etc, at least once a day
  • Use an ad block plugin for your browser. Ads are worthless and can contain redirects to malware sites
  • Don't use any other browser plugins, unless you wrote them yourself
  • Don’t use Internet Explorer
  • Don’t install Flash, Silverlight or Java
  • Don’t connect to public, unprotected wifi networks. If you do, do not login to any personal sites (bank, email, etc)
  • Harden your computer for security
  • Type in the URL yourself instead of just clicking on the link
  • Lock the computer when you walk away
  • Don’t use public computers
  • Buy online ONLY from trusted sources
  • Do NOT let browsers store passwords for you
  • Read the error messages, don't just click OK

Personal information

  • Don’t reveal your SSN or other personal identifying information (address, mother's maiden name, girlfriend's name, identifying marks, tattoos, etc)
  • Don’t share your life on social media. In fact, stay away from social media unless it’s needed for work, and then only post very little
  • Keep sensitive information such as bank accounts, SSN, medical, etc off your mobile devices and computer (at least the computer that you travel with)
  • You have training on social engineering and know how to spot someone trying it
  • Stay away from Facebook if possible
  • Shred anything that has your name on it
  • Digitally shred sensitive files
  • Wipe your HD when you want to get rid of it
