Digital security

Guidance notes

1. Consider the different types of information that you hold and seek to better understand both their value to your work and the harms to you and others that could result from an attacker accessing them. Put in place additional measures to protect those assets representing the greatest value or potential harms.

The reality is that it will not be possible to protect all your information from every possible way it could be compromised, and so you must prioritise. You should proceed systematically on the basis of risk. You should consider both the value of information to your work and the potential harms to you and others that could arise if it is compromised or lost. You can also consider how likely it is that the value will be realised or that a given harm will occur. This provides a rational basis for prioritising where you should focus your attention. In general, you might archive information that is both low value and low harm, delete information that is low value but high harm, and back up information that is high value and low harm. You can then focus in the first instance on rolling out security measures for information that represents both high value and high harm.

2. If it has to be shared, communicate sensitive information with co-workers face-to-face or using communication tools that allow end-to-end encryption and disappearing messages.

When you share information with others it gives your adversaries a greater chance of gaining access to it – either at the point of being sent, during the transfer itself or once the recipient has it. You can reduce the chances of a successful interception during the transfer by communicating sensitive information face-to-face – being mindful of your environment – or, if that’s not feasible, through tools that use end-to-end encryption (E2EE), such as Signal and ProtonMail.

When you use end-to-end encryption to send a message or email, it is signed (using your private key) and converted into a coded form (using the recipient’s public key) on your device before being transmitted via your and the recipient’s providers and on to the recipient’s device, where the signature is checked (using your public key) and the message or email is decrypted into readable text (using their private key). Neither the providers nor anyone who attempts to intercept the text during the transfer will be able to read the message without impractical effort.

There are still risks with end-to-end encryption. Your identity and that of the recipient – and the link between the two of you – will not be obscured, as the system needs to route the message or email between you correctly. The subject line of an email will also not be encrypted. Also, while the message or email may be secure during transfer, is still vulnerable on your device or that of the recipient if either has been compromised or is seized (disappearing messages may reduce this risk but copies could still exist). Furthermore, using end-to-end encryption may in itself raise suspicions with the authorities, particularly if there is a ban on using such technology in your country.

Remember, just as in face-to-face communication with someone you have not met before, it is vital that you verify that the person on the other end of the communication is most likely who you think they are and not an adversary. Different tools provide different ways of doing this; Signal, for example, allows you to verify unique safety numbers with each other face-to-face or through a different communications channel to help ensure that no man-in-the-middle attack is taking place.

3. Ensure that any computer or mobile device that you use:

a. Cannot be physically accessed by unauthorised persons.

One of the easiest ways an adversary can gain access to your information is to gain physical access to your devices. They can then create an exact copy of your drive, for example, or install a physical monitoring device, such as a key logger.

When it comes to preventing such access, there are no hard and fast rules. For example, bringing all your devices to a protest may be impractical and increases the risk that they will be seized by police. But leaving them at home gives an adversary the opportunity to gain access to them without your knowledge. You should consider your circumstances and the likely intentions and capabilities of your adversaries and make the best judgment that you can in each situation.

b. Requires a password or passcode to unlock.

It is essential to protect the accounts on your devices with passwords or passcodes that are complex enough to prevent an adversary from guessing them within a reasonable timeframe. You might also consider implementing an auto-wipe feature, where the device will delete the encryption keys for all its data if a password or passcode is entered incorrectly a certain number of times. But be mindful of the risk of accidently triggering this and losing your data.

Modern devices also typically allow some biometric input to unlock a device, such as fingerprint or facial recognition. While this may be useful, be mindful that you could easily be coerced into unlocking your device in this way without having to hand over your password or passcode. Device manufacturers have recognised this concern and implemented some simple ways to quickly disable biometric access if you need to.

You should be mindful that enabling a password or passcode may only prevent an adversary logging into your user account – it may not protect the actual data. An attacker could still take a copy of the storage medium and bypass the need for a password altogether. In order to address this, you should therefore ensure that full disk encryption is enabled. This is essential for laptops and desktops that may not implement full disk encryption by default.

c. Is running the latest available versions of the operating system and all installed apps/software.

Almost every piece of software running on a device provides a potential avenue for an attack. Accordingly, you should limit the software installed on your device to only that which you actually need. You should also frequently – and automatically – check for updates to your operating system and any installed software and apply them as soon as possible, as they may contain important security patches.

Note that attackers can attempt to exploit this advice with fake alerts to install updates (through an unofficial channel) that will instead install malware on your device. You should treat any alert as an indication that you should perform an update in the normal way for your operating system, and, if an update is not in fact available, then you may have been the target of an attempted hack.

d. Has full disk encryption enabled, if legal in your country.

Full disk encryption (FDE) encrypts almost the entire hard drive of a device (or external storage media, such as USB flash drives), including the operating system and your data. This means that if your device is lost, stolen or seized, an adversary will not be able to gain access to your data by merely taking a copy of the storage. It is vital that you use a strong, unique password when enabling full disk encryption (and not the same password that you use to login to your device). However, be mindful that if you forget this password, you may lose access to your data. Also note that a strong FDE password will be undermined by a weak user account login password if this can also unlock the FDE key. The precise relationship between user account password and FDE decryption keys will depend on your device and operating system.

e. Has antivirus software and a firewall installed, updated and configured correctly.

A virus is a type of malicious code or program that alters the way a computer operates. Antivirus software will traditionally scan for patterns that are indicative of known viruses and other malware. In order for this to work effectively, the antivirus must be updated with the patterns it needs to look for and the malware in question must be written to the storage device. While improvements have been made to complement this signature-based approach with heuristic checking, which checks programs for suspicious behaviour that may indicate a new, unknown virus, this is not robust enough.

A firewall is used to manage the connections and flow of data inbound to your device and outbound to other devices. A firewall can detect a malicious inbound connection attempt and block it. However, it is less desirable to automatically block outbound connection attempts, as they are usually initiated by the user or legitimate programs. Attackers can exploit this by sending you a virus and tricking you into activating it. Once activated, the malware will trigger an outbound connection to a server to receive commands, additional malicious code, and to transfer your data.

Like every security measure, these limitations mean that both up-to-date antivirus and a properly-configured firewall are necessary, but not sufficient on their own.

f. Is not rooted or jailbroken and does not have any pirated software installed on it.

Many mobile devices have security restrictions in place; however, these are not always wanted or appreciated by users. You may be tempted to circumvent them through rooting (Android) or jailbreaking (iOS), for example, which elevate the user’s privileges on the device to the maximum available (rooting) or removes some of the restrictions on the commands that they can run (jailbreaking). This puts the device in a state that the designers had not considered, which may result in the device becoming less stable, security measures being undermined, and leaving it vulnerable to malware.

g. Is shut down and powered off as frequently as possible, rather than just put into sleep or hibernate state.

There are two key elements that dictate what an attacker can do in relation to your information: the attack surface (space) and the attack window (time).

The attack surface is comprised of all the devices, external storage media and written or printed materials where your information is located. It also includes you and other people who know the information. The more copies of the information that exist, the greater the attack surface and the more opportunities there are for an attacker to be successful. To limit this, you can restrict where your information is located and what forms it takes.

The attack window refers to the time when each component of the attack surface is vulnerable. The information contained in handwritten notes that are destroyed after a day are only vulnerable for that day (provided that you do not retain the information in your head). The same is true for your devices; a remote attacker will only have an opportunity to attack a device when it is switched on and running. By fully turning off your devices when they are not in use, the attack window is reduced.

There is an additional security benefit gained from turning off your devices. A virus can only perform actions for as long as the software it has exploited is running. To get around this, attackers will try to gain persistence on the compromised device so that the virus is active whenever the device is running. By turning off your devices, it means that only more sophisticated malware that can attain persistence may be effective against you over the long term. You should also consider wiping your devices and reinstalling everything as often as you can in order to remove most – but not all – persistent malware. Frequent wiping will also encourage you to limit the software installed on your device to only that which you actually need.

4. Ensure that any online service that you use:

a. Requires a complex, unique password to access.

Online services, such as cloud storage, can ensure that your data is always available when you need it. However, they potentially increase both the attack surface and attack window by replicating your data in multiple locations and being always on.

Like with your devices, it is therefore important to use a strong, unique password for every online service. Each password must be unique – otherwise a password for one account that is compromised can be exploited by an attacker to gain access to all other services that you have used the same password for. Even any pattern that you use to generate passwords can be useful to an attacker. (You can check if you have an account that has been compromised in a data breach at Have I Been Pwned?.)

Creating and remembering numerous strong, unique passwords using traditional advice would be impossible with the number of online services you likely use. Instead, you can use an encrypted password manager, such as 1Password or LastPass, to both generate suitable passwords and store your login credentials. Be mindful that an attacker gaining access to your password manager data may gain access to all your online accounts. You must therefore ensure that the password that you use to login to your password manager is itself strong, unique and memorable and that you enable two-factor authentication. As you cannot use the password manager itself to store this password, you can use one of two similar methods to manually create a strong but memorable password. You can also use these methods to create the passwords for your device user accounts and full-disk encryption:

• The passphrase method: Choose a set of four to six unrelated words that you can create a mental image from. Then substitute numbers or symbols for some of the letters in these words (though avoid common substitutions, known as ‘leetspeak’, such as 4 for A and 3 for E).

• The sentence method: Choose a long sentence that you can create a mental image from. Construct the password from the first letter of each word and then substitute numbers or symbols for some of these letters as above (again, avoiding common substitutions).

Be mindful that if you have enabled biometric access to your password manager using your fingerprint or face, this may also permit an attacker to gain access without the password.

b. Has two-factor authentication (2FA/2SV) enabled, if available.

Two-factor authentication (2FA) is an additional security measure that requires two separate, distinct forms of authentication in order to access something. For online services that support 2FA, the first factor is something you know (your password) with either something you have (a numerical code from an authenticator app) or something you are (biometrics using your fingerprint, face or voiceprint). It adds a layer of security to your online accounts, as an attacker should not be able to gain access with just your password.

Strictly speaking, when you are sent the numerical code in a text message (rather than using an authenticator app), this is two-step verification (2SV), as it is something you are sent not something you have. It is vulnerable to interception, and you should always choose to use an authenticator app, such as Authy, rather than SMS if given the option. But two-step verification is still more secure than password protection alone.

5. Use a privacy-focussed VPN if accessing the internet through a public or untrusted network.

When you access the internet, your internet service provider (ISP) can log the websites that you visit and may share information with the authorities. You can use software, called a VPN or virtual private network, such as Mullvad, to send your internet traffic through an encrypted tunnel from your device to one of the VPN provider’s servers and then onwards to the websites that you are visiting. This will obscure your IP address from those websites, your ISP and some network-based surveillance (though you may still be tracked in other ways, such as device fingerprinting and website trackers).

VPNs may be useful when you are accessing the internet over a public or untrusted network, such as in a cafe or hotel. If the network provider is malicious, they may be able to monitor your online traffic and even gain the passwords for your online accounts. Since the VPN provides a secure tunnel from your device to one of the VPN provider’s servers, the network operator should not be able to monitor your other online activities.

Be mindful that the VPN provider or any third-party data centres (and their ISPs) that they use might maintain traffic logs and other data that could be used to identify and/or track you. The VPN server may also be located in a jurisdiction that has a mass surveillance or bulk collection regime in place that could also unmask you and your activities through data analysis. You should also be mindful that using a VPN could in itself trigger an alert or suspicion about you and that VPNs are illegal or government controlled in several countries.

6. Securely delete sensitive information in all its forms and variations as soon as it is no longer needed, and ensure that it is not recoverable.

When you delete information from your devices or external storage media, the effectiveness of this may vary. A hard disk drive (HDD) can be mostly erased by repeatedly writing random data to the entire storage area; however, this is not possible on modern solid-state drives (SSDs). On an SSD, a significant amount of data is held in an area that is kept spare to limit the wear and tear on the drive. This means that secure deletion of storage media containing unencrypted data may not be possible with software alone; proper physical destruction of the drive may be the only secure option. If you are using full disk encryption on a device – including those with SSDs – then the need for secure deletion is reduced but still present.

Be mindful that not all your information will be stored on electronic devices. You should securely store any physical media containing sensitive information, such as notebooks or print outs. When the information is no longer needed or if its continued existence presents too great a risk, you should destroy it by shredding with a cross-cut shredder and incinerating it, though the most-effective method will vary from medium to medium. The destruction must result in waste from which the original material cannot practically be recreated. Never put sensitive information in the rubbish or trash, as it is very common for the authorities to search the refuse of houses and offices to uncover documents and other compromising information.