This document is intended to be a guide or index of information and resources that you can use

to make your life a little bit more secure. As you read the information provided here you may

find things that are directly applicable to your life and that you will want to implement

immediately. Other things we will discuss here will be, perhaps, less applicable to you, but may

be very useful to someone else.

will implement against those threats.

Throughout this guide I have provided direct links to information and resources on the Internet.

Use these links to gather more information and to implement OPSEC and personal security

techniques that are applicable in your life.

On the day I published this guide, all of the links worked and returned the information

referenced. However, the Internet is constantly changing, and links that are good today may be

broken tomorrow. If a link appears to be broken when you click on it in this document, try

copying and pasting it into your browser. If that does not take you to the information you are

seeking, try searching for the topic with your favorite search engine. The information may still

be available at a new link. Of course, sometimes information and resources are removed from

someone else did, such as a data breach, or e-mail compromise. When more people in your life

regularly practice individual OPSEC and implement personal security in their own lives, there is

a cumulative effect increasing the overall security of everyone in the group.

There is no single solution for keeping yourself safe in cyberspace or in the physical world.

Individual OPSEC and Personal Security isn’t about which tools you use; rather, it’s about

understanding the threats you face and how you can counter those threats. To become more

1. What do you want to protect?

2. Who do you want to protect it from?

3. How likely is it that you will need to protect it?

4. How bad are the consequences if you fail?

5. How much trouble are you willing to go through in order to try to prevent those

consequences? (Electronic Frontier Foundation, 2015)

By increasing the effort required to target you it is often possible to cause an adversary to choose

a different target. Cyber-criminals, corporate spies, foreign agents, and even government

investigators frequently target the ‘low-hanging-fruit’, they go after the easiest, most cost-

effective targets. Even if you are the specific target an adversary is after; it is important to

be covered by the strengths of another.

Finally, remember that no security measure is of any value if it is not used. If security becomes

too difficult, it will not be used regularly. The human factor is often the greatest weakness in any

security program. When looking at the various security applications that we discuss here, choose

the ones that you can and will employ on a regular basis. Good security employed consistently is

better than great security employed occasionally.

Operations Security, or OPSEC, is the process by which we protect unclassified information that

can be used against us. OPSEC challenges us to look at ourselves through the eyes of an

adversary (individuals, groups, countries, organizations). Essentially, anyone who can harm

OPSEC should be used to protect information, and thereby deny the adversary the ability to act.

Nearly 90% of the information collected comes from "Open Sources". Any information that can

Our OPSEC objective is to ensure a safe and secure environment. OPSEC is best employed daily

Personal security is a general condition that results after adequate steps are taken to (a) deter, (b)

delay, and (c) provide warning before possible crime, (d) if such warnings occur, to summon

Work or school responsibilities, area of residence, family activities, and other factors influence

security needs. Some people may need to upgrade the security of homes; others of their

children; yet others of their travel, computing, and so forth. Each person should consider

selectively implementing the options most pertinent to their own needs.

http://www.dodea.edu/Offices/Safety/upload/pfpa_PersonalSecurity.pdf

The National Do Not Call Registry gives you a choice about whether to receive telemarketing

calls at home. Telemarketers should not call your number once it has been on the registry for 31

One of the most popular alternate telephone numbers is Google Voice, which lets you have one

telephone number that rings on multiple devices (i.e. home, work, mobile). Other services, some

of which are listed below, let you set up temporary telephone numbers that you can delete at any

time. By using one or more of these services you can protect the privacy of your personal

telephone numbers while still having a telephone number that you can provide to others when

needed.

Burner - https://www.burnerapp.com/

CoverMe - http://www.coverme.ws/en/index.html

Hushed - https://hushed.com/

Sideline - https://www.sideline.com/

In their book, “The Complete Privacy & Security Desk Reference: Volume I: Digital” -

https://goo.gl/phtVCd - the authors Michael Bazzell and Justin Carroll point out that having just

"preapproved" offers - are based on information in your credit report that indicates you meet

criteria set by the offeror. Usually, prescreened solicitations come via mail, but you also may get

them in a phone call or in an email. If you decide that you don't want to receive prescreened

To opt out permanently: You may begin the permanent Opt-Out process online, but to complete

your request, you must return the signed Permanent Opt-Out Election form, which will be

provided after you initiate your online request.

https://www.catalogchoice.org/ and with the Direct Marketing Association

https://www.dmachoice.org/. By registering with these organizations your address will be

added to the delete list used by advertisers to scrub their mailing lists.

The National Do Not Mail List - http://www.directmail.com/mail_preference/ - is run by

DirectMail.Com, a private marketing firm. It is in the best interest of direct marketers not to send

advertising to people who are unlikely to respond to it. When you sign up with the National Do

Not Mail List, your name and address will be provided to direct mail marketers so that it can be

removed from their mailing lists.

You can opt-out of having the Yellow Pages Telephone Directory delivered to your home by

registering at https://www.yellowpagesoptout.com/.

Other on-line sources to opt-out of direct marketing include:

AARP - http://www.aarp.org/about-aarp/aarp-privacy-policy-opt-out1/

Epsilon - https://us.epsilon.com/consumer-information#Display

GEICO Marketing - https://www.geico.com/about/contactus/email/ (Select "Opt out of GEICO

marketing communications" from the drop down menu.)

LexisNexis Direct Marketing Services - http://www.lexisnexis.com/privacy/directmarketingopt-

out.aspx

Red Plum - https://www.redplum.com/tools/redplum-postal-addremove.html

SiriusXM E-mail Communications -

https://pc2.mypreferences.com/SiriusXM/Customer/StandaloneUnsubscribe

State Farm - http://online2.statefarm.com/forms/sf/doNotSolicitRequest.xhtml

ValPak - https://www.valpak.com/coupons/show/mailinglistsuppression

On-line directories and people finders gather data from public records and other sources and then

make the aggregation of that data available on-line. You can have your personal information

removed from these directories by following the opt-out procedures provided by these

LexisNexis - http://www.lexisnexis.com/privacy/

PeekYou - http://www.peekyou.com/about/contact/optout/

AnnualCreditReport.com is the official site to get your free annual credit reports. This right is

guaranteed by Federal law.

To help protect yourself against identity theft, stalking, and similar crimes it is important that

you never place intact documents containing your personal, private, or financial information in

the trash. A paper shredder is the best way of destroying sensitive documents before disposing of

allow community members to destroy personally sensitive documents for free.

operating environment.

unwanted programs to your computer.

can be found on ‘Social Media Smartcards’ (developed by Novetta in consultation with the FBI).

• Smartphone - http://security.arizona.edu/sites/securitysiab/files/smartphone_smartcard.pdf

Flyers on-line at: http://www.cid.army.mil/cciu-advisories.html.

http://dodcio.defense.gov/Social-Media/SMEandT/

The National Security Agency provides customers with a wealth of knowledge and assistance for

their Information Assurance (IA) goals. You can obtain a copy of "Best Practices for Keeping

Your Home Network Secure" here https://www.iad.gov/iad/library/ia-guidance/security-

tips/best-practices-for-keeping-your-home-network-secure-updated.cfm

Don’t allow "deleted" documents to be stored in the Recycle Bin. Consider setting the Recycle

Freeraser - http://www.freeraser.com/.

Provider (ISP) to find out if they provide anti-virus programs for their customers. Many ISP

their customers. There are also various on-line anti-virus scanners. For an on-line anti-virus

service, I like VirusTotal - https://www.virustotal.com/#/home/upload. When choosing an anti-

virus product, I recommend reviewing anti-virus testing sites such as AV Test and AV

Comparatives. Free anti-virus products will help protect your computer, but the paid versions of

these products offer greater functionality and more enhanced protection for your system. When

purchasing an anti-virus product, I recommend (in 2017) those offered by Bitdefender and

Kaspersky.

After you have run the anti-virus scan on your computer, the next step is to download three

additional programs: CCleaner - http://www.piriform.com/ccleaner, Malwarebytes Anti-Malware

- https://www.malwarebytes.com/, and Spybot Search & Destroy - https://www.safer-

programs.

protects your system from outside attacks, but more robust protection can be obtained by running

an advanced firewall. Install either the Comodo Firewall - https://personalfirewall.comodo.com/

or the Zone Alarm Firewall - https://www.zonealarm.com/software/free-firewall/. Both of these

firewalls are free.

Google, Bing, Yahoo, Yandex - all the major search engines track your search history and build

profiles on you, serving different results based on your search history. Usually your searches are

saved along with the date and time of the search, some information about your computer (e.g.

DuckDuckGo - https://duckduckgo.com/

Startpage - https://www.startpage.com/

Oscobo - https://oscobo.co.uk/

If you access your e-mail using MS Outlook or Mozilla Thunderbird

https://www.mozilla.org/en-US/thunderbird/ you will be able to install a digital certificate that

allows you to digitally sign and encrypt your e-mail. You can obtain a free digital certificate

from Comodo https://www.comodo.com/home/email-security/free-email-certificate.php. Once

you have your digital certificate installed you can digitally sign all for your e-mail and encrypt e-

mail sent to other people who also have their own digital certificate installed.

Open PGP is an unofficial Internet standard for e-mail encryption, and anyone seriously

Extension or a Firefox add-on. Install Mailvelope as an add-on to your Firefox browser. Once

encrypted messages with other Mailvelope and Open PGP users.

GPG4USB combines a text editor and an Open PGP key manager into a small file. You can

generate key sets, import external keys (such as the keys you generated in Mailvelope), and

encrypt / decrypt messages in the text editor.

Gmail, Hotmail (Outlook), Yahoo Mail, and similar e-mail providers all provide good quality

web-based e-mail services. What they don’t provide however is strong security for your e-mail

messages. By using a privacy focused web-based e-mail service you still have good quality e-

Lavabit - https://lavabit.com/

Sendinc - https://www.sendinc.com/

Tutanota - https://tutanota.com/

Unseen - https://www.unseen.is/

Location security can be added to your e-mail by creating and always accessing the account on

the TOR network. Examples of e-mail services accessible on the TOR network include:

ProtonMail – http://protonirockerxow.onion

TorBox - http://torbox3uiot6wchz.onion

It must be understood however that TOR does not protect the content of your e-mail from data

breaches, or if the actual e-mail servers are compromised. A comment from the Reddit web-site

or client list is compromised, so too is your personal information if it was part of the

compromised data. Sites such as Breach Alarm, Have I Been Pwned, and Hacked-Emails keep

Have I Been Pwned - https://haveibeenpwned.com/

If you find that your e-mail address was part of a data breach, it is likely that other information

credit card information).

terms (such as your name) and have Google send you an e-mail any time there are new

occurrences of those terms cataloged by Google. Google Alerts can contain all of the parameters

allowed in a Google search, so you can design alerts to watch specific sites, or to watch for your

name in combination with other information such as your place of employment.

also encrypt your DNS traffic. DNSCrypt - http://dnscrypt.org/ - is a lightweight program that

Spoofing and safeguards against an adversary monitoring your DNS requests. DNS Crypt works

in a manner that is similar to how SSL/TSL encrypts HTTP/HTTPS traffic, except that DNS

Crypt uses elliptic-curve cryptography. By running DNS Crypt on your computer, you can help

to protect yourself against spoofing, man-in-the-middle attacks, and monitoring of your DNS

requests.

Many people run a home wireless (WiFi) network. This allows connection of laptops, tablets,

smartphones, and other devices from anywhere within and around your home. However, if you

leave your home WiFi network unsecured it is available to anyone close enough to receive your

password for your particular make and model of router on-line. A good place to find most router

default passwords is http://www.routerpasswords.com/. Now that you have logged into your

router, change the admin password to something other than the default you were able to look up

(i.e. don’t set your SSID as your name). You may also choose to hide your SSID so that it is not

broadcast. In this way, someone scanning for WiFi networks won’t see your home network in the

list of those present in the area.

Google location services maps publicly broadcast WiFi data, including the SSID and MAC

address of the router. This can result in Google collecting and data-basing information about

your home router. If you don't want Google to map your home WiFi router you can opt-out by

appending a nomap suffix to your SSID name. If your router name is "MYROUTER" you will

need to change it to "MYROUTER_nomap". This will result in Google not mapping your router

through Google Location Services, or if it is already in the database it will be dropped the next

consolidates all of your chat programs in one place. Using OTR Encryption

https://otr.cypherpunks.ca/ , a plug-in for Pidgin, you can encrypt your chats to protect your

personal privacy. The Electronic Frontier Foundation has detailed instructions on how to use

Other secure chat programs include Cryptocat https://crypto.cat/ and Ricochet IM

With standard SMS text messaging, your communications are neither secure nor private. Your

A secure messaging app encrypts your private communications, preventing them from being read

Signal Private Messenger - https://whispersystems.org/

Wickr Me - https://www.wickr.com/

Using Dropbox - https://www.dropbox.com/ - you can share large files and collaborate on

projects with others who have access to your Dropbox account. You can share files with anyone,

even people who do not have a Dropbox account, by getting a link to the file in your Dropbox

Dropbox users with a paid account (i.e. Dropbox Plus or Dropbox Business) can password

protect the files they share, requiring users to both have the link to the file and know the

password protected document) and then share that document from your Dropbox account.

shareable link. Next to "Anyone with the link," click the Down Arrow to choose what someone

can do with your file: view, comment, or edit. You don’t have the option to password protect this

link, but as with Dropbox, you can always password protect your documents before uploading

and sharing them on Google Drive.

Of course, sites like Dropbox and Google Drive aren’t just for sharing items on-line. These sites

are primarily Cloud storage for your documents, photos, and similar digital records. As a best

practice, everything you upload to the Cloud should be encrypted. Boxcryptor -

https://www.boxcryptor.com/en/ - is a program designed to encrypt the things you store in the

Cloud, and with its ‘Whisply’ - https://whisp.ly/en - service allows you to send files with end-to-

end encryption right from your browser.

In 2015, Amnesty International recommended the program MiniLock to encrypt files and protect

your privacy on-line. MiniLock uses your e-mail address and a long passphrase to generate a key

(MiniLock ID) that is used to encrypt files. You provide your MiniLock ID to others so that they

can encrypt to you, and you use their MiniLock ID to encrypt messages to them. A MiniLock ID

e-mail address or passphrase) will generate a completely different MiniLockID. I like MiniLock,

but note that it is only available as an add on for the Chrome Browser, which limits its usefulness

keystrokes to whomever planted the logger on your computer. A simple and effective program

for defeating keystroke loggers is KeyScrambler - https://www.qfxsoftware.com/. KeyScrambler

encrypts your keyboard input at the Windows kernel (keyboard driver) level, making it very

application; with KeyScrambler installed keystroke loggers can only record encrypted text.

It is important to safeguard sensitive information stored on your computer. An effective way of

doing this is to use an encrypted drive or encrypted container to secure your files when they are

not in use. For a long time TrueCrypt https://www.grc.com/misc/truecrypt/truecrypt.htm was

completed in April 2015, found no significant cryptographic weaknesses, and many people still

For individuals with doubts about the current security of TrueCrypt there is a replacement called

VeraCrypt https://www.veracrypt.fr/en/Home.html that functions in much the same way as

A study conducted by the University of North Carolina at Charlotte: "Understanding Decisions

to Burglarize from the Offenders Perspective" (2012) http://airef.org/wp-

content/uploads/2014/06/BurglarSurveyStudyFinalReport.pdf found that: “Indicators of

Burglar Deterrent- http://goo.gl/hLRp86, and Heavy-Duty Motion Sensor Security Lights -

http://goo.gl/uwM9BG all add even more security to your home.

A Wireless Driveway Alarm - https://goo.gl/MzyRbv - can signal you whenever someone

accesses your property, and a Video Doorbell - https://goo.gl/G5LuJv - allows you to see anyone

If you can’t afford a home security system, placing a Yard Sign - https://goo.gl/qzZoJU -

warning of a security system, and installing a couple of fake security cameras -

There are several personal safety apps that you can download to your smartphone. These apps

will send alerts to contacts that you designate or call the police when specified conditions are

Google offers a street level view of much of the world on its Google Maps site. This street level

view may include pictures of your home if it is visible from a public street. Google gives you the

option of having things such as your face, car/license plate, and home blurred in Google Maps

state abbreviation followed by number: Example: CA-B1234567

2. Inventory your marked property on a form with descriptions including brand, model number,

to your home or if you live in a remote area with few or no alternate routes to your home,

surveillants have no need to follow you all the way to your residence.

You should:

• Vary your routes and times of travel.

• Be familiar with your route and have alternate routes.

• Check regularly for surveillance.

Stationary surveillance is most commonly used by terrorist organizations. Most attacks take

place near the victim’s residence, because that part of the route is least easily varied. People are

generally most vulnerable in the morning when departing for work because these times are more

of innocence. Try to check the street in front of your home from a window before you go out

each day.

If you suspect that you are being followed, drive to the nearest police station, fire station, or the

U.S. mission. Note the license numbers, color and make of the vehicle, and any information

Don't wait to verify surveillance before you report it.

Be alert to people disguised as public utility crews, road workers, vendors, etc., who might

station themselves near your home or office.

Whenever possible, leave your car in a secured parking area. Be especially alert in underground

parking areas.

Always check your vehicle inside and out before entering it. If you notice anything unusual, do

Household staff and family members should be reminded to look for suspicious activities around

mechanisms in your home--use them to your advantage.

While there are no guarantees that these precautions, even if diligently adhered to, will protect

becoming a victim. (Surveillance - US Department of State, p.21)

The Washington, DC Metropolitan Police Department offers an on-line firearms safety course -

https://dcfst.mpdconline.com/. There is no cost for taking this course and it should take

approximately 30 minutes to complete. Even if you don’t own a firearm, understanding how

According to U.S. Bureau of Justice Statistics data, having a gun and being able to use it in a

defensive situation is the most effective means of avoiding injury (more so even than offering no

of defensive uses of firearms are wide ranging, from a low of 65,000 to 82,000 annual defensive

gun uses (DGUs) reported to the U.S. Department of Justice's National Crime Victimization

(http://www.bjs.gov/content/pub/pdf/fv9311.pdf)

If you choose to carry a firearm for personal protection, get training from an NRA Certified

Instructor http://www.nrainstructors.org/search.aspx. Obtain legal guidance on the proper use of

https://iase.disa.mil/eta/Pages/index.aspx

and are available to the general public. Security awareness courses include:

• Personally Identifiable Information (PII)

• Portable Electronic Devices / Removable Storage Media

the Federal Emergency Management Agency (FEMA) in conjunction with Texas A&M

• AWR-175-W Information Security for Everyone

• AWR-174-W Cyber Ethics

Cyber 301 Managers and Business Professionals

• AWR-176-W Business Information Continuity

• AWR-177-W Information Risk Management

• AWR-169-W Cyber Incident Analysis and Report

https://securityawareness.usalearning.gov/ - offers several security awareness courses that are

available to the general public.

several emergency management courses on-line. Among these courses are security awareness

courses, including:

• IS-916 Critical Infrastructure Security: Theft and Diversion - What You Can Do

annual training required for all DOD personnel. The course is also available to the general

that you have access to JKO - https://jkodirect.jten.mil/ - and provides good personal security

information for those who can access the training. The purpose of this five-hour course is to

https://www.iad.gov/ioss/ - The primary responsibility of the Interagency OPSEC Support Staff

(IOSS) is to act as a consultant to other U.S. government departments or agencies by providing

contractor who supports a government contract which has an OPSEC requirement or Public

• ARS Teschica: A beginner’s guide to beefing up your privacy and security online

• Electronic Privacy Information Center: EPIC Online Guide to Practical Privacy Tools

• Advanced DIY Privacy for Every Woman

• Consumer Reports: 66 Ways to Protect Your Privacy Right Now

• Security & Counter-Surveillance: Information Against the Police State

• Electronic Frontier Foundation: Surveillance Self-Defense

• Privacy Tools

• Heimdal Security: 131 Cyber Security Tips that Anyone Can Apply

• Security Culture: A Comprehensive Guide -

Encryption works by taking data (text, pictures, video, audio files, etc.) and scrambling that data

so that it becomes unintelligible. Decryption is the reversal of the encryption process, thereby

returning the encrypted data back to its original form so that it can once again be understood. The

and return them to an intelligible form.

government issued common access card (CAC) or personal identity verification (PIV) card your

digital certificate is contained in the chip on the card. (A common access card (CAC) is a smart

card used by service members and employees of the United States Department of Defense

If you already possess a CAC you can use it to send and receive encrypted e-mail and access

CAC restricted web-sites and programs (such as ActivClient, AKO, OWA, DKO, JKO, NKO,

Smart Card Readers: http://amzn.to/2wvTjKR / http://amzn.to/2vDkR4E

In many cases, your CAC reader will be plug-and-play, allowing you to access CAC restricted

web-sites and send and receive encrypted e-mail without additional installations. However, if

you have trouble getting your CAC to work from home, detailed instructions are available at

https://militarycac.com/ that explain how to set up your home computer to work with your CAC.

access to government computer networks, but it does allow you to send digitally signed and

encrypted e-mail between yourself and anyone else using S/MIME certificates (such as those

contained on the CAC and PIV card). Comodo offers a free personal digital certificate, while

though the content of the message is protected by encryption, the fact that only some e-mail is

encrypted can indicate when you are engaged in a sensitive conversation. When everything is

Once you have a digital certificate installed on your computer, and have obtained the public keys

clicking a button on your e-mail toolbar. The installation of digital certificates and exchange of

encryption keys will most likely be handled by your IT Department for your official / business e-

mail accounts. For your personal e-mail account, you will have to handle installation of your

specific record-keeping and archiving requirements. Federal guidance released by the National

You may need to exchange information with someone who does not have a digital certificate,

and thus you are unable to encrypt an e-mail to that person. You should still ensure that the

content of your message is protected, and this is where AMRDEC SAFE comes in. AMRDEC

that is produced from the collection, processing, and analysis of information as part of the

intelligence cycle - https://www.fbi.gov/about/leadership-and-structure/intelligence-branch.

may be subject to additional vetting before being granted access. However, posting to a web-

portal alone does not ensure security of your communications. You must choose a web-portal

that is appropriate to your activity, and recognize that while secure web-portals help secure the

Some examples of secure web-portals can be found below.

issued cell-phones and Blackberries will only be used to communicate UNCLASSIFIED

information, once captured in a traditional text message or third-party messaging system, likely

The Electronic Frontier Foundation (EFF)

(https://ssd.eff.org/en/index), the leading nonprofit

organization defending civil liberties in the digital world,