Introduction to Frameworks
Welcome to the Security Frameworks by Security Alliance (SEAL), a curated resource for those seeking knowledge in the realm of blockchain security. Our organization, a collective of dedicated security specialists, is on a mission to spread awareness and educate the community about best practices and potential pitfalls in Web3 security.
Why We Created This Resource
We have noticed a growing need to address the various challenges and issues facing our field, some of which include security threats not specifically aimed at Web3 infrastructure. Recognizing that information is abundant but not always easily accessible, we've compiled and organized existing resources from around the internet and generated new content specifically with this purpose in mind.
Who Can Benefit
Regardless of your background—whether in Web2, Web3, or beyond—these guidelines are open to all who seek to learn and contribute. We aim to establish a comprehensive, high-level security framework for Web3 projects, providing best practices to development teams throughout the lifecycle of their projects. Consider this a one-stop shop for everything related to Web3 security.
How to Contribute
Read our Contribution Guide to learn how you can contribute to this project.
Who We Are
SEAL is a not-for-profit organization committed to enhancing security awareness, education, and specialized work as a public good for the Web3 ecosystem, its supporting technologies, and communities. Our efforts are driven by a shared desire to foster a safer, more informed digital landscape. We do this by designing innovative projects, engaging elite technologists, and coordinating on the social layer to ensure meaningful adoption.
How to Navigate the Website
In time, navigation of the Security Frameworks by SEAL is intended to be intuitive and user-friendly. We currently allow users to filter content by role, but we're not quite there yet. Any feedback on how to improve the usability of the frameworks is appreciated.
Categories
The content is organized into different categories, each focusing on a specific aspect of security. Currently, we are under the introduction section, but you can explore the broader category of "Frameworks" below. Each framework is categorized to help you find relevant information quickly.
Filtering by Profile
This is currently being implemented, and we're currently looking for volunteers and collaborators for this specific task. The main objective is to allow users to filter the content by profile to focus on information relevant to their role within the organization. This feature allows them to bypass unnecessary reading and concentrate on what matters most.
Example roles:
- Developer
- Executive
- Security
- Finance
- Crypto
- Management
- Community
- Non-Technical
This targeted approach will ensure you get the most relevant information efficiently.
Overview of Each Framework
This document provides an overview of the various frameworks covered in the Security Frameworks by SEAL. Each framework addresses a specific aspect of Web3 security, providing best practices and guidelines to help secure your projects.
Infrastructure
This section covers the fundamental aspects of securing the underlying infrastructure of Web3 projects, including protection against attacks, system security, and network management.
Monitoring
This framework discusses the importance of continuous monitoring in Web3 projects, focusing on setting up effective monitoring systems and defining appropriate thresholds for alerts.
Front-End/Web App
This section addresses security considerations specific to the user-facing components of Web3 projects, including both web and mobile application security.
Community Management
This framework explores best practices for securing and managing online communities associated with Web3 projects, particularly on platforms like Discord and Twitter.
Key Management
This section delves into the crucial aspect of managing cryptographic keys in Web3 projects, discussing various wallet types and signing schemes.
Encryption
This framework covers various encryption methods and their applications in protecting data at rest and in transit for Web3 projects.
Incident Management
This section outlines protocols for handling security incidents, including detection, response, and post-incident analysis.
Operational Security
This framework addresses day-to-day security practices for Web3 teams, covering a wide range of topics from personal device security to insider threat mitigation.
DevSecOps
This section focuses on integrating security practices into the development and operations processes of Web3 projects.
Privacy
This framework explores tools and practices for maintaining privacy in the Web3 ecosystem, both for projects and individuals.
Vulnerability Disclosure
This section discusses best practices for handling and disclosing vulnerabilities in Web3 projects.
Supply Chain
This framework addresses the security implications of dependencies and third-party components in Web3 projects.
Awareness
This section covers strategies for fostering security awareness among team members and users of Web3 projects.
External Security Reviews
This framework provides guidance on conducting and preparing for external security audits and reviews.
Governance
This section addresses risk management, regulatory compliance, and security metrics for Web3 projects.
Security Automation
This framework explores ways to automate security processes in Web3 projects, including threat detection and compliance checks.
Threat Modeling
This section provides guidance on identifying and mitigating potential threats to Web3 projects.
IAM (Identity and Access Management)
This framework covers best practices for managing user identities and access control in Web3 projects.
Secure Software Development
This section focuses on integrating security practices throughout the software development lifecycle for Web3 projects.
Security Testing
This framework explores various methods of testing Web3 projects for security vulnerabilities.
User (Team) Security
This section addresses security practices and awareness for the team members working on Web3 projects.
Community Management
Communities are often central to Web3 projects, but they also represent a significant security challenge. From casual users to top-level executives, everyone within an organization can be targeted by social engineering tactics across platforms like Telegram, Discord, X (formerly Twitter), Google, and more. When a community channel is compromised, whether by phishing, fraudulent links, or account takeovers, it can quickly become a vehicle for wider attacks, putting both users and organizational reputations at risk.
Here, we present essential best practices to safeguard your community. In the following sections, we will explore platform-specific recommendations in more depth.
Best Practices for Community Security
Strong Passwords and Two-Factor Authentication (2FA)
- Use unique, complex passwords for each service and store them securely in a reputable password manager. Refer to the Operational Security Framework and Key Management Framework for more information on this.
- Secure the email account linked to your community platforms with a unique password and 2FA.
- Always enable 2FA. Prefer hardware-based tokens (e.g., Yubikey) or mobile authenticator apps over SMS-based methods, which are vulnerable to SIM-swapping.
- If you use an authenticator app like Authy, 1Password, or Aegis to generate time-based one-time passwords (TOTP), ensure that the secret keys are stored encrypted and protected with robust security measures.
- Configure your app to require a password, PIN, or biometric authentication (e.g., fingerprint or face recognition) to unlock access to the tokens. This prevents unauthorized access and ensures the tokens remain secure even if someone gains physical or remote access to your device.
- Keep password generation and 2FA codes separate; do not use your password manager to generate 2FA codes. Otherwise, if the password manager is compromised, it could render the 2FA ineffective, allowing unauthorized access to your accounts.
- Encourage community members to adopt these practices as well.
Phishing Awareness
- Educate members on recognizing and reporting phishing attempts.
- Clearly communicate to community members that your team will never send the first direct message to them. This is important because attackers often impersonate team members and initiate direct messages to trick users into believing they are legitimate, thereby gaining their trust and potentially compromising their security.
- Publicly define all official communication channels used by your organization.
Refer to the Security Awareness framework to learn more about social engineering techniques and security training best practices.
Operational Security (OpSec)
- Be mindful of the devices you use to manage community channels. Malware or compromised hardware can give attackers an entry point.
- Regularly update software, run antivirus checks, and avoid installing untrusted applications that may compromise your security.
For a comprehensive understanding of Operational Security, including additional strategies and guidelines, please refer to the dedicated Operational Security framework.
Emergency Response Plan
- Prepare a clear protocol for handling security incidents, including how to quickly remove compromised accounts and warn community members.
- Adopt a proactive mindset: it's not a matter of if but when a breach will occur. Having a plan in place helps you act decisively and contain damage.
As part of the communication team, it is crucial to know when and how to communicate effectively during an incident. This involves understanding the appropriate timing and messaging to ensure clarity and prevent misinformation. For more insights on where this role fits within an incident, refer to the Incident Management framework.
Discord Security
Key Takeaway for Discord:
To secure your Discord server, focus on implementing robust access controls and enforcing two-factor authentication for all administrators. Regularly audit roles and permissions, and maintain vigilant moderation. Educate your community about security best practices to prevent unauthorized access and protect against potential threats.
Discord offers a variety of security features that are essential to use. Despite these, users should stay alert to threats like phishing, which can target server moderators. Such threats may appear as QR code scams, fake login screens, or misleading direct messages pretending to be from Discord support.
To enhance the security of your Discord server, take into account these suggestions. They cover important aspects like server settings, roles and permissions, moderation, bots, channels, invites, member screening, logging, and other security measures.
Essential Security Measures
Server Settings
a) Enable 2FA Requirement for Moderation
- Go to Server Settings > Safety Setup > Moderation
- Toggle on "Require 2FA for moderation"
- This ensures all moderators have an extra layer of security
b) Set Appropriate Verification Level
- Go to Server Settings > Safety Setup > Verification Level
- Choose from: None, Low, Medium, High, Highest
- Recommended: "Medium" for public servers (requires that users have been registered on Discord for longer than 5 minutes)
- Higher levels protect against spammers and raids
c) Enable Explicit Content Filter
- Go to Server Settings > Safety Setup > Content Filter
- Set to "Scan messages from all members"
- This automatically blocks messages containing explicit images in non-age-restricted channels
- Age-restricted channels are exempt from this filter
d) Enable Raid Protection and CAPTCHA
- Go to Server Settings > Safety Setup > Raid Protection and Captcha
- Activate all relevant settings to require CAPTCHA for new user actions
- This protection uses machine learning to detect and block bot-driven join-raids
- When activated:
- Sends alerts to a specified channel
- Requires CAPTCHA verification for new users for one hour after detection
Roles and Permissions
a) Implement Role Hierarchy
- Go to Server Settings > Roles
- Create roles like: Cold Admin, Team, Moderator, & Verified.
- Drag to reorder; higher roles override lower roles
- Restructure the role hierarchy by dragging roles higher or lower in the roles list:
  - Cold Admin
  - Team
  - Moderator
  - Verified
b) Restrict Administrative Permissions
- For each role, carefully review the 32 available permissions
- Key permissions to restrict: Administrator, Manage Webhooks, Manage Server, Manage Roles, & Manage Channels
- Never give Admin or Kick permissions to anyone you don't fully trust
- Good permissions for moderators: Manage Channels, Manage Roles, Manage Messages, Ban Members, Delete Messages
- Good permissions for members: View Channels, View audit logs, Create Invite, Manage Messages, Read Message History, Connect, Speak & Use Voice Activity, & Ban/Kick/Timeout
c) Use Channel-Specific Permissions
- Right-click on a channel > Edit Channel > Permissions
- Set custom permissions for roles or members in specific channels
d) Use the "View Server as Role" Feature
- Go to Server Settings > Roles > Select a role > View Server as Role
- This allows you to see what members with a certain role can see and access
Advanced Security Measures
Moderation
a) Set Up Auto-Moderation Rules
- Go to Server Settings > AutoMod
- Set up rules for: Spam, Harmful Links, Mention Spam, Inappropriate Words
- Configure custom keyword filters and exempted roles
- Customize the response to spam, like blocking the message, sending an alert, or timing out the member
- Extend the existing AutoMod rule to block keywords in a user's name, adding terms such as Support, Bot, Admin, Tech, Helpdesk, etc.
b) Configure Timeout Duration
- Go to Server Settings > Safety Setup > Timeout
- Set default duration (e.g., 60 minutes)
- Educate moderators on using timeouts effectively
c) Establish Clear Server Rules
- Create a #rules channel
- Use Discord's built-in rules screening feature
- Include sections on: Behavior, Content, Moderation Actions, Appeals Process
Extra Moderation Best Practices
a) Leverage "Default Notifications to Mentions Only"
- Go to Server Settings > Overview and set Default Notifications to Mentions Only.
- Reduces potential spam notifications for members, making them more vigilant about suspicious or phishing content.
b) Stay Alert to New Features & Potential Exploits
- Keep track of newly introduced features such as Threads, Scheduled Events, or Stage Channels.
- Configure their permissions carefully (e.g., who can start or join a Thread) to prevent abuse by spammers or scammers.
c) Regularly Check Third-Party Bot Security
- Ensure bots are from reputable sources and receive frequent updates.
- Review bot permissions after each significant update to avoid newly introduced vulnerabilities.
Bots
a) Audit Bot Permissions
- Go to Server Settings > Integrations
- Review each bot's permissions
- Remove unnecessary permissions
- Remove permissions from bots that ask for Admin or other permissions that aren't needed; apply least privilege at both the role level and the channel level.
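The "audit bot permissions" step above is easier to do consistently when the permissions a bot asks for are decoded from its invite link and compared against what the bot actually needs. The following is an added example, not code from SEAL or from Discord; it uses the publicly documented Discord permission bit values for a subset of permissions, and the invite URL, client ID and required-permission set are constructed placeholders. Given an OAuth2 bot invite URL, it lists the granted permissions, flags the high-risk ones named in the "Restrict Administrative Permissions" section, reports any excess over the bot's stated needs, and computes the least-privilege permissions integer to use when re-inviting the bot.

```python
from urllib.parse import urlparse, parse_qs

# Subset of Discord's documented permission flags (bit positions from the
# public API reference). Any bit not listed here is reported as "unknown".
PERMISSION_BITS = {
    "CREATE_INSTANT_INVITE": 1 << 0,
    "KICK_MEMBERS": 1 << 1,
    "BAN_MEMBERS": 1 << 2,
    "ADMINISTRATOR": 1 << 3,
    "MANAGE_CHANNELS": 1 << 4,
    "MANAGE_GUILD": 1 << 5,          # shown as "Manage Server" in the client
    "ADD_REACTIONS": 1 << 6,
    "VIEW_AUDIT_LOG": 1 << 7,
    "VIEW_CHANNEL": 1 << 10,
    "SEND_MESSAGES": 1 << 11,
    "MANAGE_MESSAGES": 1 << 13,
    "EMBED_LINKS": 1 << 14,
    "ATTACH_FILES": 1 << 15,
    "READ_MESSAGE_HISTORY": 1 << 16,
    "MENTION_EVERYONE": 1 << 17,
    "MANAGE_ROLES": 1 << 28,
    "MANAGE_WEBHOOKS": 1 << 29,
    "MODERATE_MEMBERS": 1 << 40,     # timeouts
}

# Permissions the framework says to restrict, plus kick/ban, which let a bot
# remove members and are rarely needed by utility bots.
HIGH_RISK = {
    "ADMINISTRATOR", "MANAGE_GUILD", "MANAGE_ROLES", "MANAGE_CHANNELS",
    "MANAGE_WEBHOOKS", "BAN_MEMBERS", "KICK_MEMBERS",
}


def permissions_from_invite(url: str) -> int:
    """Read the permissions integer from a bot's OAuth2 invite URL (0 if absent)."""
    query = parse_qs(urlparse(url).query)
    return int(query.get("permissions", ["0"])[0])


def decode_permissions(value: int) -> tuple[set[str], int]:
    """Return (named permissions set in value, leftover bits not in our table)."""
    names = {name for name, bit in PERMISSION_BITS.items() if value & bit}
    known_mask = 0
    for bit in PERMISSION_BITS.values():
        known_mask |= bit
    return names, value & ~known_mask


def least_privilege_integer(required: set[str]) -> int:
    """Permissions integer that grants exactly the required named permissions."""
    value = 0
    for name in required:
        value |= PERMISSION_BITS[name]
    return value


def audit_bot_invite(url: str, required: set[str]) -> dict:
    """Compare what an invite grants against what the bot is documented to need."""
    granted, unknown_bits = decode_permissions(permissions_from_invite(url))
    # ADMINISTRATOR implies every other permission, so treat it as granting all.
    effective = set(PERMISSION_BITS) if "ADMINISTRATOR" in granted else granted
    return {
        "granted": granted,
        "high_risk": granted & HIGH_RISK,
        "excess": effective - required,
        "missing": required - effective,
        "unknown_bits": unknown_bits,
        "recommended_permissions": least_privilege_integer(required),
    }


if __name__ == "__main__":
    # Constructed example: a hypothetical logging bot that asks for Administrator
    # (permissions=8) but only needs to read and tidy messages. The client_id is
    # a placeholder, not a real application.
    invite = ("https://discord.com/oauth2/authorize?client_id=000000000000000000"
              "&scope=bot&permissions=8")
    needs = {"VIEW_CHANNEL", "SEND_MESSAGES", "MANAGE_MESSAGES"}
    report = audit_bot_invite(invite, needs)
    print("high-risk permissions:", sorted(report["high_risk"]))
    print("re-invite with permissions=", report["recommended_permissions"])
```

The recommended integer can be substituted into the bot's invite link in place of the value the vendor supplied; if the bot then fails to perform a documented function, add only the specific permission it reports as missing rather than falling back to Administrator.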
b) Remove Unnecessary Bots
- Uninstall any bots that aren't actively used or needed
c) Implement Security/Moderation Bots
- Consider bots like:
- Dyno for advanced moderation and logging
- Carl-bot for reaction roles and custom commands
- Set up security bots (see the categories below)
Security-Specific Bots
Various third-party Discord bots offer valuable security and protection features, facilitating automated moderation for your server. In the sections below, we'll explore different categories of security bots and highlight popular options for each category.
Anti-Impersonation Bots
Set up custom rules to prevent other users from joining using the same username and PFP (profile picture) to impersonate you or other important members of the server. A popular bot in this category is Wick Bot.
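The anti-impersonation rule described here, and the AutoMod name-keyword rule in the Moderation section above, both depend on recognising staff look-alikes that differ from the real name only by case, spacing, accents, digit-for-letter substitutions or Unicode look-alike characters. The example below is added here to show how such a check can be expressed; it is not code from SEAL, Wick or Discord, and the protected staff names are constructed placeholders. It normalises a display name and then reports exact matches, near matches (one edit away) against the protected list, and occurrences of the restricted keywords the page lists (Support, Bot, Admin, Tech, Helpdesk; "mod" is added here as an assumption).

```python
import unicodedata

# Constructed sample of names a server would protect (not real accounts).
PROTECTED_NAMES = ("SEAL Support", "0xAlice", "Frameworks Team")

# Keywords from the page's AutoMod suggestion, plus "mod" (our addition).
RESTRICTED_KEYWORDS = ("support", "bot", "admin", "tech", "helpdesk", "mod")

# Common digit/symbol substitutions and Cyrillic letters that render like Latin.
LOOKALIKES = {
    "0": "o", "1": "l", "3": "e", "4": "a", "5": "s", "7": "t",
    "@": "a", "$": "s", "|": "l", "!": "i",
    "а": "a", "е": "e", "о": "o", "р": "p", "с": "c", "х": "x",
    "у": "y", "і": "i", "м": "m", "т": "t",
}


def normalize(name: str) -> str:
    """Fold a display name to a comparable ASCII-ish key."""
    # NFKD maps fullwidth and "mathematical bold" letters to plain letters
    # and separates accents so they can be dropped.
    text = unicodedata.normalize("NFKD", name)
    text = "".join(ch for ch in text if not unicodedata.combining(ch))
    text = text.casefold()
    text = "".join(LOOKALIKES.get(ch, ch) for ch in text)
    # Drop spaces, punctuation and zero-width characters.
    return "".join(ch for ch in text if ch.isalnum())


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch names one typo away from staff."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def impersonation_findings(display_name: str,
                           protected=PROTECTED_NAMES,
                           keywords=RESTRICTED_KEYWORDS) -> list[tuple[str, str]]:
    """Return (kind, detail) findings; an empty list means nothing suspicious."""
    norm = normalize(display_name)
    findings = []
    for staff in protected:
        staff_norm = normalize(staff)
        if norm == staff_norm:
            findings.append(("exact", staff))
        elif len(norm) >= 5 and edit_distance(norm, staff_norm) <= 1:
            findings.append(("near", staff))
    for kw in keywords:
        if kw in norm:
            findings.append(("keyword", kw))
    return findings


if __name__ == "__main__":
    # Constructed join events: the first two mimic staff, the last is benign.
    for candidate in ("SEAL_Supp0rt", "𝗔𝗱𝗺𝗶𝗻 Desk", "bluewhale42"):
        print(repr(candidate), "->", impersonation_findings(candidate))
```

In practice this check would run on member join and on nickname/display-name changes (both are visible in the audit log), with a hit resulting in a moderator alert or a timeout rather than an automatic ban, since legitimate members occasionally pick names that collide with the keyword list.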
Anti-Raid Bots
To prevent spam bots from joining your server all at once, an attack known as raiding, you can also set up bots with particular rules. Beemo is a good example of a bot in this category.
Anti-Nuke Bots
These provide a monitoring system that observes and records any changes (spontaneous or planned) that take place in your Discord server. Some key observation markers are channel and role creation/deletion, banning or kicking members, and webhook creation/deletion.
Moderation & Link Whitelisting Bots
These bots only allow approved links to be posted in the Discord server. A popular bot in this category is Goodknight Bot.
The bots above are not all-inclusive but rather a recommended list of bots to help protect your Discord server in these categories.
Enhanced Server Configuration
Channels
a) Organize Channels Logically
- Use categories to group related channels
- Suggested categories: Information, General, Voice Channels, Topic-Specific
b) Set Slow Mode Where Needed
- Channel Settings > Overview > Slow Mode
- Set appropriate cooldown (e.g., 5-30 seconds) for busy channels
c) Use Age-Restricted Channels Appropriately
- Channel Settings > Overview > Age-Restricted Channel
- Enable for channels with mature content
Invites
a) Disable Permanent Invites
- Server Settings > Invites
- Un-check "Allow anyone with administrative permissions to create invites"
b) Set Invite Expiration and Usage Limits
- When creating an invite: Set "Expire After" and "Max Number of Uses"
- Recommended: 24 hours expiration, 50-100 uses
c) Regularly Audit Active Invites
- Server Settings > Invites
- Review and delete unnecessary or old invites
Member Screening
a) Enable Membership Screening
- Server Settings > Safety Setup > Membership Screening
- Toggle on "Enable Membership Screening"
b) Set Up Screening Questionnaire
- Add questions about server rules, age verification, etc.
- Require members to agree to rules before joining
c) Set Up Membership Requirements
- Require users to react to a message or post an introduction
- This helps filter out bots and spam accounts from joining
Logging
a) Enable Audit Logs
- Ensure admin/mod roles have "View Audit Log" permission
b) Set Up a Private Logging Channel
- Create a private channel visible only to admins/mods
- Use a logging bot like Logger or Dyno to send detailed logs
Best Practices & Administrative Security
Regular Reviews
a) Conduct Periodic Permission Audits
- Monthly: Review all role permissions
- Use a spreadsheet to track changes and justifications
b) Review and Update Server Rules
- Quarterly: Assess if rules need updating
- Announce any changes in a dedicated announcements channel
c) Check for Unused Channels/Roles
- Bi-annually: Delete or archive inactive channels
- Remove roles that are no longer needed
Cold Admin Accounts
a) Set Up a "Cold" Admin Account
- Create a new account on a separate device never used for chatting or clicking links
- This account is highly resistant to phishing and provides an extra layer of security for the server owner
b) Secure the Cold Account
- Create a new email account for the cold account
- Factory reset the device used for this account
c) Use the Cold Account for Critical Actions
- Manage bots, modify server settings, and respond to compromises
- Never use this account for regular server activities
d) Disable QR Code Login on Cold Device
- In User Settings > Privacy & Safety, deselect any quick login or QR scan options.
- Prevents attackers from using QR phishing tactics to hijack this high-privilege account.
Additional Community Features
a) Enable the Community Feature (Newer Discord Update)
- Go to Server Settings > Community to activate the Community Feature.
- Unlocks tools like membership screening, server insights, welcome screen, and discovery settings.
- Helps maintain a structured, secure environment by surfacing official rules and critical info to newcomers.
b) Review Updated Discord Moderation Resources
- Consult the official Discord Moderator Academy for ongoing best practices and new features.
- Implement recommended strategies (e.g., improved spam filters, updated role recommendations).
Platform-Specific Security Considerations
Additional Security Measures
a) Verification Systems
- Implement a verification bot like Wick
- Require users to complete an in-channel captcha before accessing the server
- Advanced settings: have the verification bot filter based on account age and whether a profile picture is set, and time out members who do not complete the captcha
b) Raid Protection
- Use anti-raid bots like Wick or Dyno
- Configure automatic lock-down settings for suspicious activity
c) Privacy Settings
- Server Settings > Privacy Settings
- Disable "Allow direct messages from server members"
d) Integration Whitelisting
- Server Settings > Integrations > Allow new integrations to be added by:
- Set to "Only Administrators" to prevent unauthorized bot additions
e) Server Insights
- Enable Server Insights for detailed analytics
- Use this data to inform moderation strategies and server improvements
f) Backup Systems
- Use a bot like ServerBackup to regularly backup your server configuration
- Store backups securely off-platform
g) Audit New Integration/Link Safety Settings
- Regularly review Server Settings > Integrations for newly added apps or link shorteners.
- Disable suspicious integrations or automate link scanning with a bot that checks URLs against known phishing databases.
h) Enable Safe Direct Messaging for All Users
- In User Settings > Privacy & Safety, select Keep Me Safe for direct messages.
- Encourages moderators and community members to adopt the same setting to minimize phishing DMs.
Additional Resources
- Securing Your Server - Discord
- Four Steps for a Super Safe Server - Discord
- How to setup a Discord server securely
X (Twitter) Security
Key Takeaway for Twitter (X):
To secure your Twitter account, prioritize using an authenticator app or security key over SMS-based 2FA, remove your phone number, and regularly review third-party app permissions. Ensure your recovery settings are robust and frequently monitor account activity to safeguard your online presence and maintain community trust.
A compromised X account can harm not only you but also your community. Attackers often use phishing tactics—like SIM swaps or fake login screens—to seize control of your profile. A few simple steps can significantly reduce these risks.
Securing your Twitter account is not particularly hard or time-consuming, so consider following the best practices below.
Essential Security Measures
Remove your phone number
There are no good reasons to keep a phone number attached to your account, and it's the easiest way for a hacker to get into your account after SIM swapping you. Getting verified requires you to add a phone number, but you can remove it afterward.
- Go to: Phone Settings
- Remove: Click Delete phone number if one is listed.
After removing your phone number, it's crucial to navigate to Settings > Security and Account Access > Security > Two-Factor Authentication > Backup Codes. Store these codes offline, just like your seed phrase. Anyone with these codes can bypass your 2FA, so it's extremely important to write them down and keep them secure. Remember, when you change your password, new backup codes are generated.
Configure 2FA
Two-factor authentication is a great way to keep hackers at bay, but it's not foolproof if you're relying on SMS 2FA and someone gets hold of your phone number. It's generally better to use an authenticator app or a security key. Also, ensure your backup codes are stored safely, ideally printed on paper rather than saved on your device.
- Go to: Login Verification
- Disable: Un-check Text message
- Enable: Choose Authentication app and/or Security key
- Under Additional methods, below, select Backup codes and create a new backup code. Store this code securely, offline, ideally in a physical format like a printout, to ensure that if one device is compromised, the code remains safe.
Enable password reset protect
Twitter provides a feature that requires users to input their email or phone number linked to the account before they can initiate a password reset. This adds an extra layer of security by ensuring that hackers must know your email, rather than receiving a hint.
- Go to: Security Settings
- Toggle On: Check Password reset protect.
Advanced Security Measures
Revoke access from delegated accounts
It's possible to allow other accounts to access your Twitter account. If your account was previously compromised, attackers could exploit this feature to maintain access even after you've regained control.
- Go to: Delegate Members
- Review: Remove any unfamiliar accounts.
Revoke access from unnecessary apps
It's possible that you've linked your Twitter account to several apps, and some might have more permissions than necessary. To check and manage these permissions, follow these steps:
- Go to: Connected Apps
- Review: Check each app's permissions and Revoke if it's no longer needed or trusted.
Log Out of Unnecessary Sessions
It's possible you've accessed Twitter from devices you don't regularly use, like a friend's phone. Review your active sessions and log out of any that are unfamiliar or unnecessary.
Old sessions on unfamiliar devices can be risky.
- Go to: Sessions
- Log Out: For any device or session you don't recognize.
Verify Your Email is Current
If you've changed your email since creating your Twitter account, ensure your current email is linked to receive security alerts and updates.
- Go to: Email Settings
- Confirm: Update to your current email if needed.
Refresh Your Password
Using a unique password for Twitter is crucial. If you haven't set one, now is the time to do so.
- Go to: Password Settings
- Change: Select a long, complex password.
Best Practices & Additional Tips
- Disable Email and Phone Discoverability
  - Go to: Discoverability and Contacts
  - It is recommended to turn both email and phone discoverability off.
- Privacy & Safety Settings:
  - In Privacy & Safety, consider disabling "Allow message requests from everyone" to limit spam DMs and phishing attempts, and enabling "Filter low-quality messages".
- Monitor for Suspicious Alerts:
  - X (Twitter) may notify you about unusual activity. If you suspect a breach, log out of all sessions, revoke suspicious apps, and change your password immediately.
- Use Unique Recovery Methods:
  - If you choose to use a recovery phone number, which we generally strongly advise against, make sure it isn't your main mobile number. Instead, use a separate VoIP or alternative line to minimize the risk of SIM swapping.
- Check Sender Addresses:
  - If you receive an email about content moderation, a login, or anything else claiming to be from "X", ensure the sender address is from "@x.com".
Telegram Security
Key Takeaway: Stay vigilant with group chats on Telegram. Implement verification steps and secure communication practices to protect against sophisticated interception attacks.
While Telegram is widely used in the crypto community, it's crucial to understand its security limitations. Telegram does not offer end-to-end encryption (E2EE) by default, which means your messages could potentially be accessed by third parties. Additionally, Telegram's reliance on phone numbers for account creation can expose users to SIM swapping attacks, and its peer-to-peer call feature can reveal your IP address to other users. If E2EE is a priority, consider using Signal.
However, if you choose to use Telegram, the following best practices can help enhance your security.
Essential Security Measures
Configure 2FA
Telegram sign-ups require a phone number, but you can also enable two-factor authentication via a password—your main protection if you're ever SIM-swapped. Don't reuse this password anywhere else.
- Go to: Settings > Privacy and Security > Two-Step Verification
- Set: A strong password and recovery email (store both in a password manager)
Hide Your Phone Number
Making your phone number visible can expose you to unwanted contact or social engineering attacks. Restricting visibility helps safeguard your personal info.
- Go to: Settings > Privacy and Security > Phone Number
- Who can see my phone number?: Select Nobody
- Who can find me by my number?: Select My contacts
Disable P2P Calling
By default, Telegram calls can connect you directly to the other user, potentially revealing your IP address.
- Go to: Settings > Privacy and Security > Calls
- Use peer-to-peer with: Select Nobody
Manage Inactive Sessions
Telegram supports auto-terminating inactive sessions. You can also manually review and end any suspicious active sessions.
- Go to: Settings > Privacy and Security > Active sessions
- Review: Delete any sessions you don't recognize
- Auto-terminate: Set inactive sessions to end after 1 month
Implement Device-Level Security
Securing the device you use for Telegram is crucial for preventing unauthorized access to your account and messages.
- Enable Full Device Encryption:
  - Ensure your device has full disk encryption enabled
  - For iOS: This is enabled by default with a passcode
  - For Android: Go to Settings > Security > Encryption and follow the instructions
- Set Strong Device Passcodes:
  - Use alphanumeric passwords rather than simple PINs
  - Enable biometric authentication as a secondary measure
- Keep Your Device Updated:
  - Install OS updates promptly to patch security vulnerabilities
  - Update Telegram to the latest version regularly
- Install Security Software:
  - Use reputable anti-malware software on your device
  - Consider privacy-focused apps that detect network anomalies
- Secure Your Backups:
  - Ensure any device backups containing Telegram data are encrypted
  - Be cautious about cloud backups that might store Telegram messages
Advanced Security Measures
Consider Using a Different Phone Number
Even if you implement all the recommended security measures, there are still valid reasons to use a separate phone number. For instance, it can help prevent your contacts from discovering your Telegram account or reduce the risk of accidental number exposure. This is particularly important because the "Share My Phone Number" option is enabled by default whenever you add a new contact.
Using a VoIP Number
Telegram restricts many VoIP providers, but services like Google Voice or Burner might work. Purchase a burner number solely for Telegram if you prefer additional anonymity.
Using an Anonymous Number
In December 2022, Telegram introduced support for anonymous numbers purchased through its TON blockchain infrastructure. You can also check out Fragment for such options.
Turn On Auto-delete Messages
Consider the photo you shared with a friend several months ago. While it might have slipped your mind, an attacker who gains access to your account could find such information quite valuable.
- Go to: Settings > Privacy and Security > Auto-Delete Messages
- Set: Choose a time frame (e.g., 1 week) based on your risk tolerance
Use Secret Chats for Enhanced Privacy
For conversations that require an extra layer of security, use Telegram's Secret Chats, which offer end-to-end encryption.
- Start a Secret Chat: Open the chat with the desired contact, tap on their name, and select Start Secret Chat
- Benefits:
- Messages are encrypted and can only be read by you and the recipient
- Offers self-destruct timers for messages
- Prevents forwarding of messages to other chats
Regularly Update the Telegram App
Ensure you are always using the latest version of Telegram to benefit from the newest security patches and features.
- Check for Updates: Visit your device's app store regularly
- Enable Automatic Updates: If possible, turn on automatic updates to stay current
Be Cautious with Third-Party Bots and Integrations
Third-party bots can enhance functionality but may also introduce vulnerabilities.
- Use Trusted Bots: Only add bots from reputable sources
- Review Permissions: Limit the permissions you grant to bots
- Regular Audits: Periodically review and remove unnecessary bots
Manage Group and Channel Admin Permissions
If you manage Telegram groups or channels, properly configuring admin permissions is crucial for maintaining security.
- Limit Admin Privileges:
  - Go to your group/channel, tap the group name, select Administrators
  - Only grant necessary permissions to each admin
  - Avoid giving "Add Users" permission to untrusted admins
- Implement Admin Verification:
  - Establish a verification process before promoting members to admin
  - Use separate channels (like voice calls) to confirm admin identities
  - Document when admin changes occur and why
- Configure Group Settings:
  - Restrict member actions such as sending media or links
  - Enable "Slow Mode" for large groups to prevent spam
  - Use discussion groups for channels to control information flow
- Audit Admin Activities:
  - Regularly review admin actions in the group
  - Remove inactive or suspicious admins
  - Consider using admin action logs if available
- Handle Admin Transitions Securely:
  - Have protocols for transferring ownership if needed
  - Revoke admin rights immediately when team members leave
Enhanced Privacy Settings
Passcode Lock
- Settings > Privacy and Security > Passcode Lock: This feature adds a passcode to access your Telegram app after a period of inactivity. The default setting is "away for 1 hour."
- Recommendations:
  - Store Passcode Securely: Do not lose this passcode—store it offline if needed.
  - Unique Passcode: Ensure it is different from your phone's unlock passcode.
Privacy and Security Settings
Go to: Settings > Privacy and Security
Security
Two-Step Verification
- Overview: Telegram does not require a password by default. However, you can set up a password that acts as a second factor when logging in from a new device.
- Security Measures:
  - SMS Codes: Telegram sends a code via SMS, which is not secure.
  - Email Recovery: Offers email recovery, which is more secure but lacks options for authenticator apps or hardware keys.
- Important:
  - Backup Password: If you lose this password, access to your account may be compromised.
  - Secure Storage: Write it down offline and ensure it is not lost.
Additional Privacy Settings
Consider adjusting the following settings based on your country, usage, and purpose for using Telegram:
- Phone Number: Set to Nobody to prevent exposure.
- Last Seen & Online: Set to Nobody to enhance privacy.
- Profile Picture: Set to Everybody to stop scammers from impersonating your profile picture.
- Bio: Set to Nobody (depending on use of Telegram).
- Date of Birth: Set to Nobody.
- Forwarded Messages: Set to Nobody.
- Calls: Set to Nobody or Contacts Only (depending on use of Telegram).
- Voice Messages: Set to Contacts Only (depending on use of Telegram).
- Messages: Set to Everybody or Contacts Only (depending on use of Telegram).
- Invites: Set to Contacts Only or Nobody to prevent being added to random groups that may impersonate legitimate groups and lead to scams.
Data Settings
Go to: Settings > Privacy and Security > Data Settings
- Sync Contacts: Disable (depending on use of Telegram) to prevent syncing your contacts.
- Suggest Frequent Contacts: Disable (depending on use of Telegram) to avoid unsolicited contact suggestions.
Best Practices & Tips for Safe Use
- Use Secret Chats: When messaging someone, create a 'secret' chat to ensure encrypted 1:1 communication, providing end-to-end encryption for sensitive transactions.
- Verify Group Invites and Authenticity: Always triple-check group invitations and confirm the legitimacy of group chats through separate channels to avoid joining impostor groups that share malicious links.
- Beware of Unsolicited DMs: Never trust direct messages from anyone sending links or posing as "support," "exchanges," or "team" members.
- Double-Check Payment Details: Verify payment information through multiple methods before transferring funds to prevent fund redirection.
- Block and Report Scammers: Use the block function to prevent further contact, and report spammers/scammers instead of just deleting chats.
- Limit Group Permissions: Restrict who can add members to groups to prevent unauthorized cloning and protect against raids.
- Educate Community Members on Security Practices: If you're managing a community on Telegram, educating your members about security is vital for collective protection.
  - Regular Security Announcements:
    - Schedule periodic reminders about security best practices
    - Pin important security announcements in your group/channel
    - Create dedicated security FAQ channels or posts
  - Clear Verification Procedures:
    - Establish and communicate how official communications will occur
    - Create verification steps for new members to follow
    - Document how to verify the authenticity of admins and official messages
  - Threat Awareness Training:
    - Share examples of common scams targeting your community
    - Post screenshots of phishing attempts (with sensitive info redacted)
    - Explain the "Man-in-the-Group Attack" and how to avoid it
  - Incident Reporting Protocol:
    - Create clear guidelines for reporting suspicious activity
    - Designate security-focused admins to handle reports
    - Acknowledge reports publicly (without specifics) to encourage vigilance
  - Security Resources:
    - Develop simple, accessible security guides for members
    - Share platform-specific security updates when Telegram releases them
    - Create a security checklist for new community members
- Exercise Caution with Mini Apps: Avoid logging in or providing information to mini apps that redirect outside of Telegram. Triple-check the username of the mini app to ensure its legitimacy, as Telegram lacks a bot verification system. Never download or run any commands from Telegram on your device.
- Enhance Privacy with a VPN: Advanced tip: Set up a proxy or VPN to hide your IP address while using the Telegram app.
- Stay Vigilant Against Scam Ads: Be aware that anyone can post ads in channels, with 99% being scam ads. Exercise caution when interacting with advertisements.
Platform-Specific Risks: Man-in-the-Group Attack
Attackers can exploit Telegram's group chat features to intercept and manipulate communications between two parties. Here's a concise example of how such an attack might occur:
Scenario: Intercepting a Payment Deal
Step 1: Initial Communication
- Alice and Bob decide to finalize a cryptocurrency deal using a Telegram group chat named "Crypto Deals".
Step 2: Attackers Create Cloned Groups
- Attacker 1 creates Group A impersonating Alice.
- Attacker 2 creates Group B impersonating Bob.
Step 3: Replicating Conversations
- In Group A (Impersonating Alice):
  - The attacker, posing as Alice, relays Alice's messages from Group B to maintain the conversation.
- In Group B (Impersonating Bob):
  - The attacker, posing as Bob, mirrors Bob's messages from Group A, acting as a middleman without altering the content.
Step 4: Swapping Payment Details
- In Group A:
  - Fake Alice and Bob agree to the terms of the deal.
  - Bob shares his payment address.
- In Group B:
  - Fake Bob shares his swapped payment address.
  - The conversation continues normally, with neither Alice nor Bob aware of the swap.
Step 5: Execution of the Scam
- Alice sends the payment to what she believes are Bob's details but are actually those of Fake Bob.
- The attacker now controls both ends of the conversation, having successfully redirected the funds.
Google Security
Key Takeaway: Enhance your Google account security by implementing robust 2FA, eliminating redundant recovery options, and diligently overseeing third-party access.
Google provides a wide range of services—from email to file storage. Safeguarding your Google account is among the most critical steps you can take to protect your personal and professional data. Below are simple yet effective measures to improve your Google account security.
Essential Security Measures
This section does not include Google Suite or more advanced security configurations. For that, refer to the Operational Security Framework, under Google Suite Security.
Configure 2FA
Properly setting up two-factor authentication (2FA) is one of the most crucial steps you can take. Disable SMS 2FA to avoid SIM swaps, and instead use an authenticator app or a hardware security key (preferred).
- Go to Google 2-Step Verification
- Disable: "Voice or text message" if it's enabled
- Enable: "Authenticator app" and/or "Passkeys and security keys". You can also continue using Google prompts.
- Store Backup Codes: Keep them offline in a secure place
Remove Recovery Methods
By default, Google allows account recovery using phone numbers and emails. Attackers can exploit these if they compromise your phone or email.
- Go to: Google Recovery Phone
- Remove: Any phone number listed
- Optional: If you're confident you won't need standard recovery processes:
  - Go to: Google Recovery Email
  - Remove: Any recovery email present
Manage Active Sessions
Keeping track of active sessions helps you detect unauthorized access.
- Go to: Google Device Activity
- Terminate: Any session you don't recognize
Manage OAuth Applications
Some apps request extensive permissions (e.g., full inbox or file access). Regularly review these to minimize risks.
- Go to: Google Connections
- Review: Each connected app's permissions; remove if unnecessary or excessive
Hide Personal Information
Publicly visible personal info can aid attackers in impersonating you.
- Go to: Google Profile
- Check Visibility: If any info is set to "Anyone," switch it to private if unnecessary
- Birthday: Consider making it private
Advanced Security Measures
Extended Security Settings
- Start from: Google Security.
- Go to: "Your connections to third-party apps & services".
- Revoke: all applications that should not be connected.
- Go to: "Log out of all unknown devices".
- Turn off: "Skip password when possible" (below the previous step).
- Go to: "How you sign in with Google".
- Set up: your 2FA or security key in this section.
- Ensure you do not have a recovery phone set up: no SMS 2FA or phone number on your account at all.
Once these steps are completed, change your password. Remember to note down your backup codes.
If you use Google Authenticator as a 2FA app on your phone, disconnect it from cloud sync, as its codes are otherwise stored in Google's cloud tied to your email account. Use it without an account and ensure backup codes are written down offline.
Advanced Protection Program
For those who are public figures or need heightened security, Google's Advanced Protection Program is worth considering. It requires the use of security keys, limits access to unverified apps, and makes the process of account recovery more challenging.
- Go to Google Advanced Protection Program
- Enroll: Follow the on-screen steps
Best Practices & Additional Tips
- Review Security Alerts: Pay attention to any email or phone notifications from Google regarding unusual sign-ins or account changes.
- Perform a Security Checkup: Regularly visit Google's Security Checkup to identify potential issues and resolve them.
- Consider using identity monitoring apps like Push Security.
Security Awareness
Key Takeaway: Stay vigilant; your awareness is your strongest defense against cyber threats. Recognizing red flags and questioning unexpected requests can prevent costly breaches.
This framework is all about understanding the threat landscape, recognizing risk signals, and cultivating a security-aware mindset. It serves as a high-level guide to help individuals and organizations identify potential vulnerabilities and remain vigilant—without overlapping with the detailed, technical scenarios covered in other sections.
Introduction & Objectives
The modern digital landscape is filled with sophisticated attacks, including web3-specific threats like crypto drainers and rug pulls. This section lays the foundation for why a high level of security awareness is essential. It's about empowering you to notice, question, and respond appropriately when something feels off. Trust, but verify!
Objectives
- Recognize Threats: Understand common tactics used by cybercriminals, including both traditional and web3-specific attack vectors.
- Adopt a Proactive Stance: Learn how early recognition can stop an attack in its tracks.
- Foster a Security Culture: Build an organizational environment where security is everyone's responsibility.
- Implement Effective Training: Develop structured approaches to security education for all team members.
- Separate Awareness from Implementation: Focus here on "being aware" rather than the step-by-step controls, which are covered in other sections.
Contents
- Core Awareness Principles - Foundational security concepts and mindsets that form the basis of security awareness
- Understanding Threat Vectors - Comprehensive overview of attack methods, indicators, and preventive measures
- Cultivating a Security-Aware Mindset - Behavioral practices and organizational strategies for building a security culture
- Staying Informed & Continuous Learning - Training frameworks, educational approaches, and information sources
- Resources & Further Reading - External tools, references, and resources for ongoing security education
1. Core Awareness Principles
🔑 Key Takeaway: Security awareness is built on fundamental principles like threat recognition, risk assessment, and zero trust verification. These principles form the foundation of a security-conscious culture where every individual plays a vital role in protecting organizational assets.
Key concepts
- Threat Recognition: Understand that threats come in various forms—phishing, social engineering, malware, and insider risks. For instance, a social media message urging immediate action might be a scam designed to exploit urgency.
- Risk Perception: Assessing risk means evaluating both the likelihood of an attack and the potential impact. For example, if you frequently receive messages from unknown sources on a platform like Twitter, you should view these interactions with increased skepticism.
- Zero Trust Mindset: Always verify before trusting. Even messages from familiar contacts should be confirmed if they involve unexpected requests or sensitive information.
- Filtering Credible Information: In an era of information overload, it's critical to identify and rely on reputable sources. This means following established security blogs, official alerts from cybersecurity agencies, or verified community channels.
- Organizational Responsibility: Security is a shared responsibility that requires commitment at all levels of the organization. Leadership must demonstrate strong commitment by prioritizing and investing in security initiatives, while every team member should understand their role in maintaining security.
Real-World Example: A company might receive a seemingly routine email from a "vendor" requesting updated banking details. An employee with a strong zero trust mindset will independently verify the request through known contact numbers or an established internal process, thereby avoiding a potential fraud.
2. Understanding Threat Vectors
🔑 Key Takeaway: Understanding the various ways attackers can target you and your organization is essential for effective defense. By recognizing common attack patterns like phishing, social engineering, and emerging threats in digital spaces, you can better protect yourself and your team from potential security breaches.
2.1. Traditional Attack Vectors
2.1.1. Social Engineering & Phishing
- Phishing Emails: Look for red flags like misspellings, odd URLs, and urgent language. Scenario Example: An email that claims "Your account will be locked in 24 hours" but uses a suspicious domain.
- SMS & Messaging Scams: Attackers may use text messages or direct social media messages to bypass email filters. Scenario Example: A text message that claims to be from a delivery service asking for a confirmation code.
- Voice Phishing (Vishing): Phone calls that pretend to be from a trusted organization, often using spoofed caller IDs. Scenario Example: A staff member receives a voicemail warning about a potential security breach and instructing them to call a specific number immediately.
- Pretexting: Attackers create a fabricated scenario to steal personal information or gain access. Scenario Example: Someone pretending to be a new contractor who needs urgent access to systems or information.
- Baiting: Offering something enticing to entrap the victim. Scenario Example: Leaving infected USB drives in public places or offering free downloads that contain malware.
- Tailgating: Physically following authorized personnel into restricted areas without proper credentials. Scenario Example: An unknown person following an employee through a secure door by claiming they forgot their access card.
- Shoulder Surfing: Observing someone's screen, keyboard, or device to gather information. Scenario Example: A threat actor monitoring your screen in a shared co-working space to capture sensitive information or credentials.
2.1.2. Malware & Technical Attacks
- Ransomware: Malicious software that encrypts files and demands payment for decryption. Scenario Example: An organization finds their critical files encrypted with a ransom note demanding cryptocurrency payment.
- Man-in-the-Middle Attacks: Intercepting communications between two parties. Scenario Example: An attacker on a public Wi-Fi network intercepts unencrypted traffic to steal credentials.
- Credential Stuffing: Using stolen username/password combinations to attempt access to multiple services. Scenario Example: After a data breach at one service, attackers try the same credentials on financial or email accounts.
2.2. Web3-Specific Threats
2.2.1. Crypto-Focused Attacks
- Crypto Drainers: A common attack where a threat actor suggests users can participate in an airdrop by visiting a provided link. Unsuspecting users who click the link are directed to a counterfeit website, where they are asked to authenticate their wallet and sign a transaction. Once signed, the threat actor gains access to steal funds from the wallet.
- Rug Pulls: In the context of web3 and cryptocurrencies, these scams typically involve fraudulent schemes designed to swindle individuals out of their digital assets. For example, an enticing new project may promise revolutionary technology and unprecedented returns. However, the project developers quickly vanish, leaving investors with worthless tokens and empty promises.
- Token Approval Exploits: Attackers may trick users into approving smart contracts that give unlimited access to tokens in their wallet. These "allowances" permit the approved contract to transfer any amount of a specific token without further permission. Always verify what permissions you're granting when signing transactions and set specific approval limits when possible.
2.2.2. Smart Contract Vulnerabilities
- Reentrancy Attacks: Exploiting a contract's execution flow to repeatedly withdraw funds. Scenario Example: A malicious contract calls back into the victim contract before the first execution is complete, draining funds with each call.
- Flash Loan Attacks: Using uncollateralized loans to manipulate market prices and exploit vulnerabilities. Scenario Example: An attacker borrows a large amount of cryptocurrency, manipulates a price oracle, exploits a vulnerability, and repays the loan in a single transaction.
2.3. Common Indicators & Red Flags
2.3.1. Behavioral Cues
- Inconsistencies: Look for changes in tone or style in communications from known contacts. Scenario Example: A normally formal manager sends a casual message with unexpected requests.
- Unusual Requests: Requests for urgent transfers of money, sensitive information, or changes in process should always trigger caution.
- Environmental Anomalies: Spotting unexpected logins or unfamiliar devices in account activity reports can indicate compromised accounts.
2.3.2. Technical Indicators
- Unexpected Authentication Prompts: Sudden requests to re-authenticate without clear reason. Scenario Example: Being asked to provide credentials on a site you're already logged into.
- Browser Certificate Warnings: Alerts about invalid or expired security certificates. Scenario Example: Your browser displays a warning that a connection is not secure when visiting a familiar website.
- Unusual System Behavior: Slowdowns, crashes, or unexpected pop-ups. Scenario Example: Your computer suddenly runs significantly slower or displays unfamiliar advertisements.
2.3.3. Checklist for Suspicious Communications
- Does the message contain spelling errors or unusual formatting?
- Is the sender's email or username slightly different from the norm?
- Are there requests for urgent action without proper verification channels?
- Does the message create a sense of fear, urgency, or excitement?
- Is there an unexpected attachment or link?
- Does the request bypass normal security procedures?
2.4. Preventive Measures
2.4.1. General Security Practices
- Double-Check Requests: Always verify the identity of individuals requesting sensitive information, especially if the request is unusual or urgent. Scenario Example: If you receive an email from your CEO asking for an urgent wire transfer, call them directly using a known phone number to confirm.
- Use Secure Channels: Communicate through official channels and avoid sharing sensitive information over unsecured methods. Scenario Example: Use your organization's established communication platforms rather than responding to external email links.
2.4.2. Web3-Specific Protections
- Check & Remove Token Approvals: Regularly check which smart contracts have approvals to handle funds in your wallet and revoke unnecessary approvals to improve your security posture. Useful Tools:
- Scrutinize Transaction Requests: Never sign a transaction unless you are completely sure exactly what you are signing. Be especially skeptical of offers that seem too good to be true.
- Hardware Wallets for Critical Assets: Use hardware wallets for storing significant cryptocurrency holdings. Scenario Example: Keeping your long-term investments on a hardware wallet while only maintaining small amounts in hot wallets for daily transactions.
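The Token Approval Exploits item in 2.2.1 and the Check & Remove Token Approvals item above both come down to one question: what exactly does this signature grant? The following Python is an added example, not code from the SEAL framework, that decodes the calldata of an approval request so the spender and the granted amount are visible and unlimited allowances are flagged before signing. The function selectors are the standard ERC-20/ERC-721 values; the spender addresses in the samples and the 2**128 "practically unlimited" threshold are constructed assumptions.

```python
# Added example, not code from the SEAL framework: decode the calldata of a
# token approval request before signing it, so the spender and the granted
# amount are visible and unlimited allowances are flagged.

# First 4 bytes of keccak256(function signature). These are the standard
# ERC-20 / ERC-721 selectors, i.e. real values rather than assumptions.
SELECTORS = {
    "095ea7b3": "approve(address,uint256)",
    "39509351": "increaseAllowance(address,uint256)",
    "a22cb465": "setApprovalForAll(address,bool)",
}

UINT256_MAX = 2**256 - 1
# Assumption: any allowance this large exceeds every real token supply, so it
# is treated as unlimited even when a dapp does not use the exact uint256
# maximum (some routers use the uint160 maximum instead).
PRACTICALLY_UNLIMITED = 2**128


def _abi_words(args_hex: str, count: int) -> list:
    """Split ABI-encoded arguments into 32-byte words (64 hex chars each)."""
    if len(args_hex) != 64 * count:
        raise ValueError(f"expected {count} ABI words, got {len(args_hex)} hex chars")
    return [args_hex[i * 64:(i + 1) * 64] for i in range(count)]


def _address(word: str) -> str:
    """An address is right-aligned in its word; the 12 leading bytes must be zero."""
    if int(word[:24], 16) != 0:
        raise ValueError("address word has non-zero padding")
    return "0x" + word[24:]


def decode_approval(calldata: str) -> dict:
    """Return {"function", "spender", "amount", "risk"} for approval calldata.

    risk is "unknown" (selector is not an approval), "none" (revocation),
    "limited", or "unlimited".
    """
    data = calldata.lower()
    if data.startswith("0x"):
        data = data[2:]
    if len(data) < 8 or any(c not in "0123456789abcdef" for c in data):
        raise ValueError("calldata must be hex with at least a 4-byte selector")
    selector, args = data[:8], data[8:]
    func = SELECTORS.get(selector)
    if func is None:
        return {"function": "0x" + selector, "spender": None, "amount": None,
                "risk": "unknown"}
    spender_word, value_word = _abi_words(args, 2)
    spender = _address(spender_word)
    value = int(value_word, 16)
    if func.startswith("setApprovalForAll"):
        if value not in (0, 1):
            raise ValueError("bool argument must be 0 or 1")
        # Operator approval covers every token of the collection: all or nothing.
        return {"function": func, "spender": spender, "amount": bool(value),
                "risk": "unlimited" if value else "none"}
    if value == 0:
        risk = "none"
    elif value >= PRACTICALLY_UNLIMITED:
        risk = "unlimited"
    else:
        risk = "limited"
    return {"function": func, "spender": spender, "amount": value, "risk": risk}


def describe(calldata: str, decimals: int = 18) -> str:
    """Human-readable one-liner: the summary a signer should read before approving."""
    d = decode_approval(calldata)
    if d["risk"] == "unknown":
        return f"not an approval (selector {d['function']})"
    if isinstance(d["amount"], bool):
        verb = "grants" if d["amount"] else "revokes"
        return f"{d['function']}: {verb} {d['spender']} control of ALL tokens"
    if d["risk"] == "unlimited":
        qty = "UNLIMITED"
    else:
        qty = f"{d['amount'] / 10**decimals:,.4f} tokens"
    return f"{d['function']}: {d['spender']} may spend {qty} [{d['risk']}]"


if __name__ == "__main__":
    # Constructed samples; the spender addresses are placeholders, not real.
    samples = {
        "unlimited": "0x095ea7b3" + "00" * 12 + "11" * 20 + "ff" * 32,
        "limited":   "0x095ea7b3" + "00" * 12 + "22" * 20 + f"{1000 * 10**18:064x}",
        "revoke":    "0x095ea7b3" + "00" * 12 + "22" * 20 + "00" * 32,
        "nft_all":   "0xa22cb465" + "00" * 12 + "33" * 20 + "00" * 31 + "01",
        "transfer":  "0xa9059cbb" + "00" * 12 + "44" * 20 + "00" * 32,
    }
    for name, calldata in samples.items():
        print(f"{name:>9}: {describe(calldata)}")
```

A wallet that shows "unlimited" here is granting exactly the allowance the Token Approval Exploits item warns about; the "limited" case is what "set specific approval limits" looks like on the wire.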
3. Cultivating a Security-Aware Mindset
🔑 Key Takeaway: Developing a security-aware mindset is about building habits that prioritize caution and verification. By questioning unusual requests, pausing before acting, and leveraging peer support, you transform security from a set of rules into an intuitive approach to daily interactions.
3.1. Behavioral Best Practices
Practical Tips
- Question Unusual Requests: Always verify any request for sensitive information or financial transactions through a separate communication channel.
- Pause Before Reacting: Take a moment to think before clicking a link or downloading an attachment. Example: If you get an unexpected file from a colleague, call them directly to confirm they sent it.
- Peer Verification: Leverage your team by asking a colleague's opinion if something seems off.
Scenario Example: A community manager receives a direct message on Discord that looks like it comes from a well-known project partner, asking for private credentials. Instead of immediately responding, they cross-check the message in a team meeting or via a known contact method.
3.2 Awareness in Community Settings
Unique Challenges on Social Platforms:
- Platform-Specific Red Flags: Each community platform—Discord, Twitter, Telegram—has its own quirks. Example: On Telegram, unsolicited group invites with suspicious usernames could be phishing attempts.
- Community Role Awareness: Moderators and administrators should be extra cautious since they have higher privileges. Example: A moderator on a crypto project Discord might notice a sudden spike in login attempts from an unfamiliar IP range.
- Culture of Reporting: Foster an environment where suspicious behavior is immediately reported and discussed, not brushed aside.
Scenario Example: During a routine community chat, several members report receiving odd messages that urge them to click on a link. The community manager organizes a quick session to remind members of red flags and the correct reporting channels, reinforcing collective vigilance.
3.3 Organizational Strategies for Security Culture
- Leadership Commitment: Ensure that leadership demonstrates a strong commitment to security by prioritizing and investing in security initiatives. Leaders should model security-conscious behavior and allocate appropriate resources to security efforts.
- Regular Communication: Communicate the importance of security regularly through team meetings, newsletters, and other channels. Keep security topics visible and relevant to all team members.
- Security Policies and Procedures: Develop and enforce clear security policies and procedures that outline expectations and responsibilities for all team members.
- Encourage Reporting: Create an environment where team members feel comfortable reporting security incidents, suspicious activities, and potential vulnerabilities without fear of retribution.
- Recognition and Rewards: Recognize and reward team members who demonstrate exemplary security practices and contribute to the organization's security efforts.
- Continuous Improvement: Continuously assess and improve the project's security culture through feedback, assessments, and audits.
- Shared Responsibility: Instill a sense of responsibility for security at all levels of the project, emphasizing that security is everyone's job.
- Collaboration: Promote collaboration and information sharing among team members to enhance overall security awareness and response capabilities.
Scenario Example: A project implements a monthly "Security Spotlight" where different aspects of security are highlighted, and team members can share their experiences or ask questions. This regular touchpoint keeps security top-of-mind and encourages ongoing dialogue about best practices.
3.4 Essential Security Practices
3.4.1. Password Management
- Strong, Unique Passwords: Use complex, unique passwords for each account to prevent credential stuffing attacks. Example: A passphrase like "correct-horse-battery-staple" (with four random words) is both strong and memorable, while being more secure than shorter passwords with special characters like "P@ssw0rd!".
- Password Managers: Utilize a reputable password manager to securely store and generate complex passwords. Example: Tools like Bitwarden, 1Password, or KeePassXC can generate and store unique passwords for all your accounts.
3.4.2. Multi-Factor Authentication (MFA)
- Enable MFA Everywhere Possible: Add an extra layer of security beyond just passwords. Example: Even if someone obtains your password, they still can't access your account without the second factor.
- Choose Secure MFA Methods: Hardware tokens and authenticator apps are more secure than SMS-based verification. Example: Use YubiKeys or authenticator apps like Authy instead of SMS, which can be vulnerable to SIM swapping attacks.
3.4.3. Secure Communication
- End-to-End Encryption: Use messaging platforms with end-to-end encryption for sensitive communications. Example: Signal provides strong encryption for messages, ensuring only the intended recipient can read them.
- Verify Communication Channels: Be cautious of unexpected platform changes for important communications. Example: If a colleague suddenly asks to switch from your company's official channel to a personal messaging app for work discussions, verify this request directly.
3.4.4. Device Security
- Keep Systems Updated: Regularly update your operating system and applications to patch security vulnerabilities. Example: Schedule automatic updates or set a weekly reminder to check for and install updates.
- Secure Your Workspace: Be mindful of physical security in shared or public spaces. Example: Use privacy screens when working in public and lock your device when stepping away.
3.5. Incident Response Awareness
3.5.1. Recognizing Security Incidents
- Know the Warning Signs: Understand what constitutes a potential security incident. Example: Unexpected account lockouts, strange system behavior, or unusual access requests could indicate a breach.
- Immediate Actions: Know what steps to take when you suspect a security incident. Example: Disconnect from networks, document what happened, and report to your security team immediately.
3.5.2. Reporting Procedures
- Clear Reporting Channels: Ensure everyone knows how and where to report security concerns. Example: Have a dedicated email address or communication channel specifically for security reports.
- No-Blame Culture: Encourage prompt reporting by focusing on solutions rather than blame. Example: Acknowledge and thank team members who report potential issues, even if they turn out to be false alarms.
Scenario Example: A team member notices unusual login attempts to their account. Instead of ignoring it or feeling embarrassed, they immediately report it to the security team, who can then investigate whether this is part of a larger attack pattern affecting other users.
4. Staying Informed & Continuous Learning
🔑 Key Takeaway: Security is not a one-time achievement but an ongoing journey of learning and adaptation. By establishing regular training routines, staying current with emerging threats, and fostering a culture of continuous improvement, you ensure your security awareness remains effective against evolving challenges.
4.1. Comprehensive Security Training Framework
4.1.1. Training Approaches
- Bite-Sized Learning: Security training doesn't need to be lengthy or overwhelming. Short, focused sessions of relevant information can be more effective than infrequent, lengthy presentations. Example: Weekly 5-minute security tips delivered via team chat or email.
- Role-Based Training: Tailor security training to specific roles and access levels within your organization. Example: Developers might need more in-depth training on secure coding practices, while community managers might focus more on social engineering awareness.
- Recurring Schedule: Make security training a regular, ongoing activity rather than a one-time event. Example: Monthly security topics with quarterly refreshers on critical subjects.
- Practical Application: Include hands-on exercises that allow people to apply what they've learned. Example: Conduct simulated phishing tests followed by immediate feedback and learning opportunities.
- Interactive Training Methods: Use interactive training methods, such as SEAL Wargames or workshops, to engage team members and enhance learning.
- Real-World Scenarios: Incorporate real-world scenarios and case studies to illustrate the impact of security breaches and the importance of preventive measures.
- Assessments and Quizzes: Use assessments and quizzes to evaluate the effectiveness of training and identify areas where additional training may be needed.
4.1.2. Training Delivery
- Regular Awareness Sessions: Schedule quarterly webinars or short training refreshers focusing on the latest trends and emerging threats.
- Interactive Simulations: Participate in phishing simulations or scenario-based exercises that allow you to practice identifying and responding to threats in a risk-free environment.
- Security Awareness Campaigns: Implement periodic campaigns that focus on specific security themes to reinforce key messages. Example: A "Phishing Awareness Month" with targeted activities and resources.
4.1.3. Measuring Training Effectiveness
- Baseline Assessments: Conduct assessments before and after training to measure improvement.
- Behavioral Metrics: Track security-related behaviors such as reporting rates for suspicious emails or incidents.
- Feedback Collection: Gather participant feedback to continuously improve training content and delivery methods.
4.2. Essential Training Topics
- Phishing and Social Engineering: Educate team members on recognizing and responding to phishing attacks and social engineering tactics, with special focus on web3-specific threats.
- Password Management: Provide best practices for creating and managing strong passwords and using password managers.
- Data Protection: Teach methods for protecting sensitive data, including encryption, access controls, and secure data handling practices.
- Incident Reporting: Instruct team members on how to report security incidents and suspicious activities promptly.
- Secure Coding Practices: For developers, provide training on secure coding practices and common vulnerabilities in web3 environments.
- Device and Account Security: Cover best practices for securing devices and accounts, including updates, encryption, and access controls.
- Emerging Threats: Keep team members informed about new and evolving security threats relevant to your organization.
4.3. Trusted Information Sources
4.3.1. Security Newsletters
- Industry News: Subscribe to newsletters from sources such as FIRST.org for broader cybersecurity trends. Example: The SANS NewsBites provides twice-weekly summaries of the most important security news.
- Vendor Updates: Follow security updates from the software and hardware vendors in your project stack. Example: Subscribe to security bulletins from cloud providers, operating system vendors, and key software dependencies.
4.3.2. Security Communities
- Online Forums and Groups: Join online communities dedicated to security topics. Example: The SEAL Discord provides a space to discuss security challenges specific to web3 projects.
- Local and Virtual Meetups: Attend security-focused events to network and learn. Example: Conferences like DeFi Security Summit offer insights into emerging threats and defenses.
4.3.3. Security Blogs and Podcasts
- Technical Blogs: Follow security researchers and organizations that regularly publish detailed analyses. Example: The Trail of Bits blog provides in-depth technical security content.
- Security Podcasts: Listen to podcasts that cover current security topics. Example: The Daily Stormcast from FIRST.org offers brief daily updates, while Darknet Diaries provides longer-form stories about notable security incidents.
4.4. Implementing a Learning Culture
- Share Knowledge: Create channels for team members to share security articles, news, and insights. Example: A dedicated Slack channel for security-related content.
- Recognize Vigilance: Acknowledge and reward security-conscious behavior. Example: Highlight team members who identify and report potential security issues.
- Learn from Incidents: Use security incidents (both internal and external) as learning opportunities. Example: After major industry breaches, conduct brief sessions to discuss what happened and how similar issues could be prevented in your organization.
5. Resources & Further Reading
🔑 Key Takeaway: Expanding your security knowledge requires reliable resources and continuous engagement with the security community. By leveraging curated learning materials, self-assessment tools, and professional networks, you can deepen your expertise and stay ahead of emerging threats.
5.1. Additional Learning Materials
- Security Awareness Blogs: Subscribe to blogs like "Security Week" or "Dark Reading" for the latest on cyber threat trends.
- Self-Assessment Tools: Use downloadable checklists and online quizzes to periodically test your awareness.
- Community Forums & Discussion Groups: Engage with professional security communities on platforms such as Reddit's r/cybersecurity or specialized Discord groups.
- Case Studies and Whitepapers: Read detailed incident reports and analyses (available from sources like Verizon's Data Breach Investigations Report) to learn from past events.
Example Resources:
- Personal security checklist: Digital Defense (we are currently developing a version of this checklist based on the Frameworks; it will be available at https://check.frameworks.securityalliance.dev).
- Interactive phishing simulation: Phishing Dojo.
- SEAL's blog on frameworks.
5.2. Recommended Security Newsletters
- SANS NewsBites - Twice-weekly summaries of the most important security news
- FIRST.org - Forum of Incident Response and Security Teams newsletters and resources
- The Hacker News - Cybersecurity news and analysis
- Krebs on Security - In-depth security news and investigation
5.3. Security Podcasts and Media
- Daily Stormcast - Daily 5-10 minute updates from SANS Internet Storm Center
- Darknet Diaries - Stories from the dark side of the internet
- Security Now - Weekly deep dives into security topics
- Risky Business - Weekly information security podcast
5.4. Security Training Resources
- OWASP - Open Web Application Security Project resources and guides
- Cybrary - Free and premium cybersecurity training
- SANS - Professional information security training
- Phishing.org - Anti-phishing training and awareness resources
5.5. Web3-Specific Security Resources
- DeFi Security Summit - Conference focused on DeFi security
- SEAL news & SEAL Discord - Security Alliance's initiatives related to news and events
- Immunefi - Educational resources about web3 security
- Consensys Diligence - Smart contract security blog
- Blockthreat - Web3 security news and analysis
- The Red Guild - Web3 security awareness and education
5.6. Web3 Security Tools
- Token Approval Management:
  - Unrekt - Check and revoke token approvals
  - Etherscan Token Approval Checker - Monitor smart contract approvals
- Wallet Security:
  - Software Wallets comparison - Compare security features of different crypto wallets
  - Hardware Wallets comparison - Compare security features of different hardware wallets
  - Hardware Wallet Resources - Educational content about hardware wallet security
5.7. Security Tools and Services
- Password Managers:
- Two-Factor Authentication:
- Secure Communication:
  - Signal - End-to-end encrypted messaging
  - ProtonMail - Encrypted email service
What Is It
This resource is a collection of best practices written in an abstract or general fashion to be applicable regardless of the specific technology. It serves as a comprehensive guide to help you secure various aspects of your Web3 projects and build resilience against potential threats.
This guide aims to centralize existing information, so you might not see novel features but rather a well-organized compilation of security-related topics, from simpler ones to more complex ones. The goal is to provide a comprehensive resource that brings together diverse security insights and practices into one accessible place.
Our hope is that these resources will help expand your security skill set.
What It Isn't
This resource isn't just a compilation of existing information. While it may initially seem like a collection of curated content, its primary focus is on providing in-depth, practical guidance.
Unlike other curations, compilations, or blog posts that often focus on the latest technologies, this guide delves into underlying concepts and technical aspects essential for securing Web3 projects. It’s not meant to be read like a "story" but rather used as a reference to enhance your understanding and application of security practices.
The content may not always follow the latest state-of-the-art technologies, as its focus is on fundamental security principles that are broadly applicable. Our aim is to provide valuable insights and practical advice to help you secure your projects effectively.
This guide is not intended to be offensive, though it might include strong examples to illustrate particular points. Our goal is to ensure clarity and effectiveness in conveying security best practices.
Contribute to the Security Framework
The Security Framework is an open and collaborative project. Whether you are part of the Security Alliance or not, we welcome your contributions! Help us to build the documentation and improve security in the ecosystem.
This mdBook-style handbook is designed for easy collaboration and automatic deployment through continuous integration. If you'd like to join our effort, feel free to fix typos, contribute new sections, or propose enhancements.
To contribute you can either:
- Fork this repository, switch to the develop branch, and submit a pull request.
- On each page, you will find a "Suggest an edit" button at the top-right corner. Clicking it takes you to GitHub.com, where you can suggest edits using the web interface.
Contributing
Before you start editing, adding or removing content, please read the code of conduct and make yourself familiar with the overall structure.
The source is hosted in a GitHub repository at github.com/security-alliance/frameworks.
The content of the Frameworks is built from the main branch, and when contributing we would like you to open a PR into the development branch. Once a new update is warranted, the content from development is merged into main.
You may explore existing issues or open a new one for missing content, although a PR is preferred. If you identify missing or unfinished content, feel free to open a PR. First, check existing PRs or branches to make sure your work is not redundant.
Structure and collaboration
The wiki is supposed to cover all important parts of security for web3 projects. For contributors, we recommend focusing on specific topics contained in corresponding documents. It's best to own a single topic and work out all the details. Create a new document and add the topic to the sidebar if it's not there yet. Join the Discord server, let others know what you are working on in the group channel, and collaborate with other contributors writing about related topics. If you are working with multiple people on a significant piece of content, you can have a dedicated branch in the repo for easier coordination.
Style guide
Wiki pages follow standard Markdown with some extensions by mdBook.
The audience of this wiki is technical and the content should reflect that. There are many guides on technical and documentation writing you can learn from; for example, you can check this lecture to get started.
Here are the main guidelines to follow when writing for this wiki:
- Write in an objective, clear and explanatory tone
- Avoid unnecessary simplifications, describe the technical reality
- Avoid using too long and complex sentences or paragraphs
- Use concise and clear statements
- Break down your text using block-quotes, bullet points or images
- Always link your resources and verify them
- Use bullet points or tables for topics which require enumerating
- Highlight keywords to support scanning and skimming through the article
- Provide visualizations to explain the topic better
- When using acronyms or technical jargon, make sure to introduce it first
- Web3 is changing fast; write the content to be as future-proof as possible
- Don't use LLMs to generate the text
- We don't accept texts fully generated by AI, however we recommend using it to fix grammar or phrasing
- Consider creating tutorials and hands-on guides documenting technical steps
- Add recommended reading at the top, point to topics which are dependencies of yours
- You can use mermaid diagrams for visualizations
The goal is to produce a credibly neutral text which is formal, well-structured, and maintains a clear progression of ideas. The content should be purely technical and shouldn't waste space on introducing high-level or well-known concepts. Introductory topics are necessary and can use comparisons, historical anecdotes, and concrete examples to make complex concepts more accessible.
Content standardization
The wiki uses American English over British spelling. Terminology, capitalization and nomenclature should match across all pages. Use the Ethereum.org guide as the reference.
Usage of images and visualizations is encouraged. If you are using an image created by a third party, make sure its license allows it and provide a link to the original. For creating your own visualizations, we suggest excalidraw.com.
Feel free to use emojis or icons where it fits, for example in block-quotes.
Linking resources
When adding an external link, you can use it directly in the text or at the bottom of the page in a "Resources" section.
When linking resources, use descriptive names, such as inevitableeth.com, instead of generic phrases like "this wiki".
Don't overwhelm the reader with too many resources within the text.
When linking a page within this framework, use a relative path, and if it references a specific topic within the page, use a link to the heading ID.
For other important links, add a section at the bottom of the page with a list of resources. Each resource should have a name or short description with a link and an alternative link to its archived mirror. We strongly suggest adding a link to the latest snapshot from archive.org.
In-page notices
We use block-quote notices at the top of the page to provide readers with appropriate context regarding the content of the page.
Incomplete pages
Pages with minimal content which need more work to cover the topic need to include a notice:
:warning: This article is a stub, help the framework by contributing and expanding it.
Anything else?
This page is also open to contributors! Suggest improvements to our style and guidelines in the GitHub repo.
Attribution
A lot of the content of this page comes from the Ethereum Protocol Fellows
Contributors
Contributors who have made a substantial amount of contributions will be listed below.
Core team
Matías Aereal Aeón (@mattaereal) Fredrik Svantes (@fredriksvantes) Mehdi Zerouali (@zedt3ster)
Collaborations
Jorge de los Santos (@tebayoso)
Feedback
Patrick Collins (@patrickcollins) Sebastián Fernández (@snf)