OPSEC explained: Why you need it
Время чтения: 6 мин.
An ordinary day at your office. While chatting with colleagues, you take a group selfie. You post it on Instagram, but the next day, your boss calls you in for a quick chat. You learn that the flipchart in the background of the photo had the username and password of a sensitive database. OPSEC can help you avoid such situations.
What is OPSEC?
OPSEC (or operation security) is an analytical security process used in business to prevent sensitive information from being exposed or getting into the wrong hands. It supplements rather than replaces other security measures in a company. OPSEC identifies seemingly safe actions that could reveal critical and confidential information to cybercriminals. OPSEC activities may include social media monitoring, behavior monitoring, and security best practices.
The term OPSEC (“Operation security”) was coined by the US military during the Vietnam War. Commanders found that some operations failed because their adversaries were able to secure information about them. The military officials then codified preventive measures and recommendations to avoid such situations and called the process “Operation Security.”
The term is now widely used in cybersecurity and online privacy. More generally, it means the protection of data used in a process or operation that an adversary (e.g., a cybercriminal or a rival company) could gather and abuse.
A lot of things fall under this umbrella:
- A password that accidentally appeared in a photo
- Our digital footprints
- Personal data available in public
- Our metadata
- Personal connections in social media
- An image identifying our location, etc.
In the age of intense data collection and advanced hacker techniques, even the tiniest, most trivial details can be used against you. For example, an out-of-office email might tell a hacker that an important employee is out of the office and that it’s an excellent opportunity to initiate an attack. Your selfie’s background details might indicate your whereabouts and open the door to stalkers.
To prevent such leaks, companies usually ask their employees to sign non-disclosure agreements (NDA). NDAs often oblige them not to disclose even such seemingly innocent information such as the company’s address, products, relations to other companies, etc. In a non-corporate context, you should always watch whether your public info on social media does not expose too many personal details, reduce your digital footprint, always separate your personal and professional online selves, etc.
The OPSEC five-step process
OPSEC is a five-step process. An entity must carefully consider each step to identify and safeguard its information:
1. Identifying significant information
The first step is identifying data that might jeopardize the organization if it ends up in the wrong hands. This might be anything from financial records to social media metadata. Sometimes it is really difficult to determine which info might be harmful. Always stay up-to-date about new dangers and threats. Seemingly harmless things like a city skyline in the background, a job ad on LinkedIn or an out-of-office email might do damage.
2. Potential threat analysis
Identify external and internal threats for the organization. Name specific or general adversaries who might exploit the data mentioned in step 1. Consider what data would be the most interesting to them. For example, your adversaries might be:
- A rival company
- A group of unreliable employees
- Hackers.
3. Vulnerability analysis
Consider the main vulnerabilities your adversaries could abuse to access your data (e.g., loopholes, backdoor access, configuration weaknesses, potential data leaks, etc.). A few potential situations:
- A rival company might find out that certain employees leave their positions from their LinkedIn profiles.
- A group of unreliable employees might initiate privilege escalation attack by using their admin rights.
- Hackers might hack your Ring doorbell to see what comes to your office or even to get in themselves.
4. Risk assessment
When you discover your weak spots, you should evaluate the level of threat they pose. You should consider the probability of an attack, what sort of damage it would do, and how difficult it is to defend against. This will help you prioritize your efforts. For example, you might potentially ask whether a hacked Ring device might do more damage than a rival companies’ skim through your employees’ social media profiles.
5. Apply security measures
After identifying the vulnerabilities and their risks, you should identify the appropriate mitigation measures to protect yourself. This can include:
- New security practices and policies
- Employee training
- Updated security software, etc.
The OPSEC five-step process is helpful not only in corporate settings, but also for everyday users’ risk management. Each of us has critical information, like passwords or intellectual property. The OPSEC program can serve as a good cyber security guideline. Be one step ahead to avoid data breaches.
