Resources for IT security
Digital Hygiene
Digital Hygiene refers to basic cybersecurity practices everyone should adopt to protect their digital lives from common threats like phishing, ransomware, data breaches, and online tracking.
General principles - heuristics
A) Accounts & Passwords:
- Divide accounts. Come up with random e-mail account names for personal use. Create separate accounts for financial transactions, social media registrations, and general purposes.
- Don’t repeat passwords. Use strong and unique passwords. Do not include words that are meaningful to you or related to the specific service. Also, do not create multiple passwords as variants of a main one.
- Password Manager. Use a password manager to generate random different passwords for each online service.
- 2FA. For additional protection, set up two-factor authentication.
B) Sharing your data:
- Do not share your info with strangers: Never provide your passwords, usernames, bank account details, or personal information to people who approach you via phone or email. This could be a scam attempt to steal your money, or to access personal information that can then be used to extort you.
- Do not download software from uncertain sources: One of the worst things you can do is download a remote desktop application that gives someone else full access to and control of your personal computer. These attempts may be presented as security software against a virus or a supposed hacking attack. In any case, if you have been contacted by someone who supposedly wants to warn you of a hacking attack and to help you deal with it, it is most likely a hacker themselves.
- Delete metadata and hide geolocation.
- Reduce your social media presence - stay silent. The more content you upload on social media, especially if it is somewhat personal, the more vulnerable you become to potential attacks. Minimize your digital footprints and teach your family how to do the same.
- Confuse the algorithms with fake data. When registering on platforms that are not essential to your professional career or your personal life, it is preferable to fill in the personal details (name, date of birth, photo) with manufactured data, ideally different for each account. This way, you reduce the potential connections that a hacker may exploit to gain access to the accounts you really care about.
C) Internet access:
- VPN. If you use public Wi-Fi at coffee shops, hotels, or airports, use a Virtual Private Network (VPN).
- Encrypted services. Use encrypted email services such as Proton Mail and encrypted cloud storage like Proton Drive.
- Use secure connections (HTTPS).
Tools
- Leak detectors: haveibeenpwned.com, SpyCloud, Google Passwords - with these services you can check whether your email or other personal data appear in databases that were leaked after a hacking attack.
- Canary Tokens: https://canarytokens.org/nest/ - with this service you can receive notifications when someone opens an account of yours and then track the IP address of the attacker’s DNS server.
- IP detectors: https://iplogger.org/
- Data deletion:
  - Delete unused accounts: JustDeleteMe is a tool that provides concise information on how to delete your account from multiple platforms.
  - Delete your data from data broker sites: Vice published this detailed article on how to remove your data from each data broker in the USA.
  - Delete search results, social networks, and other sites: The first step is to contact the site owner / administrator and request that they remove the post that mentions you. If they accept, the corresponding Google search result will also disappear. If they refuse, you can ask Google to block some types of personal information from showing up in search. It is useful to know that such requests remain public because the request for removal and the article itself will appear in the Lumen Database. You can follow the same process for social media posts that mention you. If the person who tagged you refuses to untag you, you can report the violation to the platform and disable the option to tag people on a photo in the settings.
Websites - Guides
- Surveillance Self-Defense: In our daily life, we use multiple devices and software, all of which may share some common potential risks, while some may have specific aspects that create further vulnerabilities. An excellent and rich resource is Surveillance Self-Defense (SSD; https://ssd.eff.org/), a website, funded by the Ford Institution, which contains multiple guides on how to enhance one's digital security and privacy. It contains basic principles guides (basics), security-enhancing tool guides (tools), and various guides for using popular devices like iPhone and Android, as well as chatting services like WhatsApp and Signal, in a secure way. It even includes a set of plausible security scenarios and how one should act in each case.
=> Further resources:
Open Source INTelligence (OSINT)
=> Further resources: If you want to take a deep dive into the world of OSINT, see the SANS Institute course on OSINT.
Operational Security (OPSEC)
The above digital hygiene recommendations comprise a concise set of tools, websites, and principles that people can use to enhance their digital safety and privacy no matter their individual level of risk. However, it can be argued that some of these options are useful for everyone, while the value of others depends on the specific risk levels that each person faces. In contrast, OPSEC (Operational Security) involves a structured evaluation process and the development of advanced techniques and strategies designed to ensure extreme privacy and security against high-level threats such as government surveillance and targeted attacks. The OPSEC approach suggests that one should first evaluate their actual risk levels and then decide which countermeasures to use.
As an illustrative example from physical reality, the necessary level of home security varies widely based on where one lives and the specific personal details that may render them more or less vulnerable. A farmer who lives in a small farming village with a stable population where everyone knows each other might not even need to worry about shutting their front door, while a rich celebrity who lives in a big city with high crime rates will have to invest heavily in expensive and complex alarm systems, security personnel, dogs, etc. This example illustrates that increased safety often comes at an economic cost (e.g. most trustworthy VPNs are not free), can make everyday life more complicated (e.g. 2-factor authentication makes accessing a website or an app more time-consuming), and can sometimes lead to different types of risks that would not have occurred otherwise (e.g. forgetting the password for an IronKey hard drive or a zip file used to lock a crypto wallet can lead to the permanent loss of access to the wallet, as highlighted by the infamous story of Stefan Thomas, the man who lost access to 7,002 Bitcoins).
OPSEC is a concise framework which recommends that individuals and institutions view their operations and projects from the perspective of competitors or enemies. This way, one can proactively identify potential vulnerabilities and address them before critical information is exposed. There are four main steps in the OPSEC process:
- Identify sensitive data. Look for information about yourself or your institution through the eyes of an enemy.
  - Types of private personal data include: full name, date of birth, e-mail, personal and corporate phone numbers, address, profiles on social networks, and passwords.
- Threat assessment.
  - Start by checking for your own data on the web by using the main search engines. Use advanced search operators for more precise keyword searches.
  - Use reverse image search services (Google Images, Bing Images, Tineye) to identify which sites may have findable photos of you.
  - Search for your email accounts and passwords in leak databases. Attackers use these databases to understand the logic of your password creation and take advantage of any potential recurring patterns. Useful tools include haveibeenpwned.com and SpyCloud (to identify instances in which your email was found in leaked databases), as well as Google Passwords (for identifying if your Gmail or any connected accounts are compromised).
- Vulnerability analysis.
  - Identify the vulnerabilities that could be used to gain access to sensitive data and assess the risk level for each of them. As suggested by Viktoria Sokurenko, CMO of Ukrainian start-up X-ray, "a practical way to do that would be to make a spreadsheet or chart with known accounts, usernames, and names. Write down telephone numbers and e-mail addresses provided during registration or as contact information. Factors to evaluate the level of risk include: probability of an attack, degree of damage, and the amount of work and time required for recovery. The more likely and dangerous the attack, the higher the priority of eliminating the vulnerability".
- Risk assessment.
- Apply countermeasures.
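The account spreadsheet described under vulnerability analysis can be turned into a ranked worklist. The following is an added example, not taken from the original page or the quoted article: the column names, the 1 to 5 scoring scale, and the ranking rule (probability times damage, with recovery effort as tie-breaker) are assumptions, and all accounts in the sample are constructed. It also lists identifiers reused across accounts, the linkage that the "Divide accounts" advice is meant to remove.

```python
import csv
import io
from collections import defaultdict

# Constructed sample register; every account and value is made up.
# probability / damage / recovery use an assumed scale of 1 (low) to 5 (high).
SAMPLE_CSV = """service,username,email,phone,probability,damage,recovery
bank,a.k.,fin-7q2x@example.org,+10000000001,2,5,5
webmail,alexk,alex@example.org,+10000000002,4,5,4
forum,alexk,alex@example.org,,4,1,1
social,alex_k,alex@example.org,+10000000002,5,3,2
"""

SCORES = ("probability", "damage", "recovery")

def load_register(text):
    """Read the spreadsheet export and validate the three risk factors."""
    rows = list(csv.DictReader(io.StringIO(text)))
    for row in rows:
        for field in SCORES:
            row[field] = int(row[field])
            if not 1 <= row[field] <= 5:
                raise ValueError(f"{row['service']}: {field} must be 1..5")
    return rows

def prioritise(rows):
    """Most likely and most damaging first; harder recovery breaks ties."""
    def key(row):
        return (row["probability"] * row["damage"], row["recovery"])
    return sorted(rows, key=key, reverse=True)

def shared_identifiers(rows, fields=("email", "phone", "username")):
    """Identifiers used by more than one account: one leak exposes them all."""
    seen = defaultdict(set)
    for row in rows:
        for field in fields:
            if row[field]:
                seen[(field, row[field].lower())].add(row["service"])
    return {k: sorted(v) for k, v in seen.items() if len(v) > 1}

if __name__ == "__main__":
    register = load_register(SAMPLE_CSV)
    for row in prioritise(register):
        print(row["service"], row["probability"] * row["damage"], row["recovery"])
    for (field, value), services in shared_identifiers(register).items():
        print(f"{field} {value} is shared by: {', '.join(services)}")
```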
=> Further resources: For more information on OPSEC, see relevant articles by CyberdefenseMagazine, Informa TechTarget, Fortinet, SANS Institute, and HackerNoob.
References
- Hacker Noob Tips (March 2025). Ultimate Guide to Digital Hygiene & Operational Security (OPSEC). https://www.hackernoob.tips/ultimate-guide-to-digital-hygiene-operational-security-opsec/
- SimeonOnSecurity (December 2023). Mastering OPSEC: 6 Essential Steps for Digital Security. https://simeononsecurity.com/articles/essential-opsec-steps-for-digital-security/
- Sokurenko, V. (June 2022). Operational Security: How to Get Rid of Digital Footprints On The Internet? https://www.cyberdefensemagazine.com/operational-security/
