Planning is key but you can also respond

Recently I was helping a friend out when they were being targeted by a criminal online. I thought I’d put some notes down to try and help people. This isn’t a “how to” it’s more like thoughts and ideas. It’s UK centric, but probably works in lots of places.

One thing to note, preparation is greater than response, the more prepared you are, the less vulnerable you may be, the more prepared the smaller the attack surface.

You may for a variety of reasons become under heightened threat from an internet perspective. The information on here is not a catch all, a detailed guide to personal (PERSEC) and operational security (OPSEC).

• PERSEC is about your personal security and data
• OPSEC is about day-to-day operational security of activities

This post is to help give food for thought for people to help improve their attack surface largely relating to PERSEC.

Cyber Realities when under active threat

• Opsec (operational security) is hard
• Persec (personal security) is hard
• You can’t time travel
• People leak lots of data on the internet
• You can be proactive regardless of the lifecycle
• Doing something is better than doing nothing
• You can only defend what you know about
• Cyber defence is not impossible
• Keep a record of everything
• Remember someone can’t hack a system that is air gapped and not online!
• You may be attacked via proxies (family, friends, work, associates)

Threat Landscape

The typically type of threats online can vary from classic financially motivated cybercrime through to disgruntled ex-partner or other known/unknown private individuals. Scammers, criminals etc. have time and reach. You might have had contact with the person, or you may just be caught up in a wide net.

Defensive Actions to take

• If you own a company, check if you have any personal information on company’s house (UK) (or relevant to your country) – https://www.gov.uk/stop-companies-house-from-publishing-your-address
• Deploy a password manager, there are lots of choose from, the major choice concern is Cloud based vs Offline
• Install MFA applications (e.g. Microsoft or Google authenticator)
• Talk to your mobile/cell provider to see if you can have additional protections set on your account against SIM swapping
• Check if voicemail is enabled on your phone, if it is ensured there is a unique PIN
• Enable multi factor authentication on your online accounts e.g.
  • Email (Outlook/Hotmail/Gmail/AOL)
  • Facebook
  • LinkedIn
  • Instagram
  • Twitter
  • TikTok
• Conduct OSINT on yourself
  • As a first step search/google your name
  • Search/google your mobile number
• Review Information on platforms you use and have used historically
• Review the data in services and where appropriate obfuscate or deploy deception measures
• Set strong passwords/passphrases for online services
  • Ensure each service has a unique password
• Consider email multiple email accounts
• Consider using email aliases (e.g., [email protected])
• Consider removing historic social media posts that give away details such as:
  • Address
  • Location of residence
  • Sensitive Personal information
• If you are under threat, it may be wise to contact local law enforcement
• If you are under threat, it may be wise to advise your place of work
• Consider changing mobile phone number (whilst keeping hold of the existing number) for primary contact information
• Consider deploying a pay as you go SIM

Summary

As our lives are so intertwined with the digital world, the more we face novel attacks and have risks to consider which are quite different from the physical world. The reach of the internet is global, it’s wise to get ahead of the game. It’s not easy, but you can do work to prepare but also respond if you are wanting to defend or respond against online harms.