Operations security (OPSEC) is a process that identifies friendly actions which could be useful to a potential attacker if properly analyzed and combined with other data to reveal critical information or sensitive data. OPSEC then applies countermeasures to reduce or eliminate the adversary's ability to exploit that information.
OPSEC is both an analytical process and a risk-management strategy: it identifies the information an attacker could exploit, or aggregate into critical information, to damage an organization's plans or reputation.
Where Did OPSEC Come From?
The term operations security was coined by the United States military during the Vietnam War, as a result of military operations led by a team dubbed Purple Dragon.
Purple Dragon noticed that America's adversaries were able to anticipate U.S. strategies and tactics even though North Vietnam and the Viet Cong were unable to decrypt U.S. communications and had no real intelligence collection assets on the inside.
The conclusion was that the U.S. was inadvertently revealing unclassified information to the enemy that was being grouped together and exploited.
Today, this concept has spread from the military to the rest of the Department of Defense (DoD) and other parts of the U.S. government to protect national security, and to private industry to protect trade secrets and customer data.
What is the Purpose of OPSEC?
OPSEC is concerned with protecting individual pieces of data that can be aggregated to form a bigger picture.
While OPSEC is primarily concerned with preventing individually non-sensitive data from being aggregated, it still relies on many of the technical countermeasures used to protect sensitive data directly.
Common technical countermeasures include protecting against different types of malware like the WannaCry ransomware, vulnerabilities, email spoofing, phishing, domain hijacking and other cyber attacks that lead to data breaches and data leaks.
Non-technical countermeasures include paying attention to pictures you have taken (such as items in the background) and not talking openly on social media about your organization's sensitive information.
Why is an OPSEC Program Important?
Implementing an effective operational security program prevents the inadvertent exposure of sensitive or classified information concerning your organization's activities, intentions or capabilities.
The reality is that every organization has things it needs or wants to keep from the general public. The key is identifying what this information is, how well it is protected, what the impact will be if it is compromised and how your organization will respond.
Armed with publicly accessible information, motivated attackers can do serious damage, especially if your organization or its employees reuse login credentials across services.
Without OPSEC, your organization may be suffering death by a thousand cuts. It is rarely one piece of information that causes damage; it is the data accumulated over time that gives attackers enough information to launch a cyber attack.
Being aware of what information is being shared by management, vendors and employees is vitally important.
What are the Five Steps of OPSEC?
An OPSEC plan is a five-step risk assessment process that helps an organization identify what information requires protection and which security measures should be employed to protect it.
- What information needs to be protected? The first step is to understand what data could cause harm to your organization if exposed. This data could be personally identifiable information (PII), financial records or intellectual property.
- Who is my enemy? The next step is to determine who is likely to target your organization. Who would find a particular set of data useful? This could be competitors in your industry or a group of hackers who want to hold your organization to ransom. Knowing who poses a cyber threat lets you assess risk based on the potential adversary's capability.
- What are my vulnerabilities? This is an important step in any information risk management process. Analyzing vulnerabilities tells you which security measures are needed to reduce the potential attack surface. This is generally done with a mix of automated scanning for known vulnerabilities (CVEs) and manual technical and non-technical security assessments such as SOC 2.
- What is the threat level? Once you have assessed how much risk each threat poses, by tying the potential damage of a leak to the likelihood of a successful exploit, you can begin to prioritize what to focus on first.
- How should we mitigate or eliminate these threats? Now you can develop a security program that prescribes specific countermeasures for every unacceptable risk and explains how to protect against it. It is also important to have an incident response plan in the event of a data breach or data leak; this may include digital forensics or counterintelligence such as IP attribution.
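The five steps above can be worked as a small risk register. The following is an added example, not code from the original article, that models critical information as sets of individually harmless public indicators (step 1), adversaries with a capability rating (step 2), the fraction of each item's indicators already exposed (step 3), an impact x capability x exposure score used to prioritize (step 4), and the list of exposed indicators to withdraw or protect (step 5). All names, scores and indicator strings are constructed for illustration; the 1-5 scales and the scoring formula are assumptions, not the article's.

```python
"""OPSEC five-step walk-through as a small risk register (added example, constructed data)."""
from dataclasses import dataclass
from typing import Dict, FrozenSet, Iterable, List, Tuple


# Step 2: who is my enemy? Capability is an assumed 1-5 scale (constructed values).
@dataclass(frozen=True)
class Adversary:
    name: str
    capability: int


# Step 1: what needs protecting? An item is revealed when enough of its
# individually harmless indicators are observable to an interested adversary.
@dataclass(frozen=True)
class CriticalInfo:
    name: str
    impact: int                  # assumed 1-5 damage scale if revealed
    indicators: FrozenSet[str]   # public fragments that together reveal it
    interested: FrozenSet[str]   # adversary names that would want it


def exposure(item: CriticalInfo, public: FrozenSet[str]) -> float:
    """Step 3: fraction of the item's indicators already observable in public."""
    return len(item.indicators & public) / len(item.indicators)


def risk_score(item: CriticalInfo, adversaries: Dict[str, Adversary],
               public: FrozenSet[str]) -> float:
    """Step 4: impact x strongest interested adversary's capability x exposure."""
    capability = max((adversaries[n].capability for n in item.interested
                      if n in adversaries), default=0)
    return round(item.impact * capability * exposure(item, public), 2)


def prioritize(items: Iterable[CriticalInfo], adversaries: Dict[str, Adversary],
               public: FrozenSet[str]) -> List[Tuple[str, float]]:
    """Step 4: order items so the highest score is handled first."""
    scored = [(i.name, risk_score(i, adversaries, public)) for i in items]
    return sorted(scored, key=lambda s: (-s[1], s[0]))


def countermeasures(item: CriticalInfo, public: FrozenSet[str]) -> List[str]:
    """Step 5: the exposed indicators are the ones to withdraw or protect."""
    return sorted(item.indicators & public)


# Constructed sample register (not from the article).
ADVERSARIES = {
    "competitor": Adversary("competitor", 3),
    "ransomware crew": Adversary("ransomware crew", 4),
}
ITEMS = [
    CriticalInfo("product launch date", 3,
                 frozenset({"launch-team job postings", "exec travel photos",
                            "vendor press release"}),
                 frozenset({"competitor"})),
    CriticalInfo("remote access stack", 5,
                 frozenset({"job posting naming VPN product", "engineer certification posts",
                            "public vpn hostname", "patch cycle on status page"}),
                 frozenset({"ransomware crew"})),
    CriticalInfo("board meeting schedule", 2,
                 frozenset({"calendar invite screenshot", "catering vendor post"}),
                 frozenset({"competitor", "ransomware crew"})),
]
# Indicators a reviewer found already visible on job boards, social media and DNS (constructed).
PUBLIC = frozenset({"launch-team job postings", "exec travel photos",
                    "job posting naming VPN product", "public vpn hostname",
                    "catering vendor post"})

if __name__ == "__main__":
    for name, score in prioritize(ITEMS, ADVERSARIES, PUBLIC):
        item = next(i for i in ITEMS if i.name == name)
        print(f"{score:5.1f}  {name}: protect {countermeasures(item, PUBLIC)}")
```

The point the register makes is the one the article makes: no single indicator is sensitive, but the "remote access stack" item ranks first because half of its fragments are public and the interested adversary is the most capable one. Re-running the register after an indicator is withdrawn shows the score drop, which is a simple way to track step 5 over time.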
What is an Example of an OPSEC Failure?
The best way to understand what OPSEC involves is to walk through an example of what people are able to piece together with public information.
In March 2017, Ashley Feinberg from Gizmodo was able to track down FBI Director James Comey's Instagram and Twitter account using publicly available information gathered on social media.
Feinberg was able to find Comey's Twitter account by searching Twitter for his son Brien, a college basketball player at Kenyon College.
A tweet about Brien featured a now-dead Twitter account called "@twittafuzz". Feinberg then searched Instagram for the same handle and requested to follow Brien. Once she tapped the follow button, she was algorithmically suggested an account called "reinholdniebuhr" named after a theologian that James Comey wrote his senior thesis about.
The account also happened to have 9 followers, which was the exact number Comey's Instagram account was rumoured to have (as noted in a tweet by Kevin Rincon, @KevRincon, March 30, 2017).
Feinberg then searched Twitter for "reinhold niebuhr" and found one handle, "@projectexile7", which seemed to be named after a gun violence reduction program Comey helped start in the '90s. @projectexile7 had one follower, legal blogger Benjamin Wittes, who happened to be a personal friend of Comey.
By October 2017, it was confirmed that Feinberg was correct.
This is an example of how even the most security-conscious individuals can expose themselves with publicly available information.
And while this example is relatively benign, it is not hard to see how damaging this information-gathering process could be for government agencies and other organizations.
Keep in mind that OPSEC must extend beyond your organization's walls to your third- and fourth-party vendors. It needs to be part of your third-party risk management framework and vendor risk management programs.