Creating An Online Threat Model: Best Practices For Personal OpSec

JBM’s guides to online subterfuge inspired me to write this starter guide to creating a personal threat model. I hope you enjoy it and learn something from it. Good OpSec involves both online hygiene and forming good habits. This list isn’t final, but it’s a good place to start. Everyone’s threat model is different. You should only use this as a basic outline for creating your own. I’ve only listed a few best practices everyone should follow.

What is a threat model?

I imagine it like locking your car doors. Just about everyone does that. Or maybe putting a lock on your bicycle when you leave it unattended. Why? Because you know it will likely be stolen if you don’t. That’s a basic threat model that just about all of us follow. So think of this like locking your car doors.

Outline for a personal threat model

These are best practices that everyone should already be doing to protect themselves. The list below will prevent most people from being the “easy target” online.

1. Don’t underestimate social media and what you share online. Don’t believe that “no one is reading this” or that it will disappear in a short time. Everything you put online is stored and therefore retrievable forever. It’s a good idea to use burner accounts. If your account needs age or clout before you can post, you may want to purchase an account. There are several websites like PlayerUp or AccsMarket.com where you can purchase accounts for just about every social media platform.
2. Always use a VPN. Especially when traveling. In the ever increasing age of government and corporate spying from both domestic and international organizations, there is no good reason not to use a VPN. You should assume Hotel and AirBNB WiFi is not secure and your connection is being monitored. VPN’s boost the security of your communications, especially local radio communications like WiFi. Avoid free VPN providers and pay for one that does not log connections. I like NordVPN. Most VPN providers have both a desktop and mobile VPN app.
3. Email is insecure. It doesn’t matter what provider you use, just assume anything you send in an email has been compromised. Don’t say anything, or attach anything to an email that you don’t want public. If a company asks you to email documents with personal information, like a credit application for example. Refuse. Ask them for another method.
4. Lock your phone screen. Get in the habit of locking it before your set it down. If you aren’t looking at it, lock it. Use a good PIN number, not 0100 or 1112. Something that requires you to type with 2 thumbs quickly is best as it makes it more difficult for someone looking over your shoulder to see your keypresses.
5. Encrypt your data. There is no reason not to. Mac, Windows, and Linux all have it built in. In the event your laptop/desktop/device is stolen your data is safe. Keep the recovery phrase in a safe location like a Keypass database or Veracrypt container.
6. Hide your company ID badges. It’s not a medal of honor at the coffee shop. That badge can leak personal information about you including your name, job title and employer. It can also be stolen from you. Check out photos with the hashtag #protectyouraccesscard to see what I mean. Don’t put your work keys and your badge on the same lanyard. If you accidentally left it in an Uber or on the bus you just gave them context to go with the keys.
7. Purchase a wallet or credit card sleeve with RFID blocking. Credit cards can be remotely scanned, or worse remotely wiped, even accidentally. This can put you in a position for you to need someones help and for them to be able to take advantage of that fact.

Create your own personal threat model

These are just a few good suggestions to protect yourself. You should create your own personal threat model. While this may sound a little paranoid, it’s fairly easy, a little fun and it comes with a lot of real life benefits. The list above is not definitive and should be considered pointers for you to consider and adapt to your own personal threat model. I hope this helps you stay safe.