OpSec: A Vital Part of Any Cybersecurity Program
Reading time: 10 minutesWe all have something to hide. Even though humans are social beings, there are some things we want to keep to ourselves, and it's been like that since the beginning of humankind.
In the digital world, the format in which those secrets are kept is what we keep in focus, in contrast to the '40s or '50s, when discretion was governed by the belief, "Silence means security". Today, we need more than silence.
Operation Security, or OpSec, is a term known throughout the military to describe their strategies of identifying and protecting critical information that, if uncovered, can lead to enemy having an advantage over them.
In the cyber-realm, it's not that different.
In this article, we're going to uncover the world of OpSec, the role it plays in cybersecurity, how these strategies relate to our modern times and why it should be important to everyone—not only when it comes to defending ourselves against enemies, but also in our everyday lives.
What is OpSec?
As we mentioned, OpSec originated in the military, where it presented the strategies the military took to identify, classify and protect information that can be exploited by opponents and used to collect critical data about a certain mission, organization or an individual, to put them at a disadvantage.
It is both an analytical process and a strategy used in risk management to identify information that can be pieced together by an opponent and put in jeopardy a mission or an entire organization. The data is generally unclassified, but if it is deemed critical (meaning it can be used by enemies to uncover larger-scale data) adversaries are denied access to it.
One of the main objectives of OpSec is to observe the data you want to protect from the angle of an opponent, just as it's done by cybersecurity red teams who imitate real-world attacks to stay one step ahead of attackers. This way, it's possible to look through public and unclassified data and try to get to the background with only the available data. In other words, if you're able to figure out what the mission or "secret" is, then attackers will be able to do so as well.
Strategies at the core of OpSec result in the buildout of data that was previously classified as public, going as far as developing misinformation, encrypting data, creating lists of data that is protected and should not be shared, controlling of future sharing of information via email, social media, security software implementation and more.
As big data, data intelligence and data protection become increasingly important for all organizations throughout different industries, OpSec and its strategy are now getting their well-deserved spotlight. But where did it all start?
OpSec history
OpSec has been around as long as the need to keep secrets. We can trace it to confessions and vows of secrecy in Christian tradition, but the need to keep secrets—and leave some information out—has been with us for even longer than that.
Thanks (or no thanks) to social media, it’s easier than ever to collect private information about any individual.
The first notable modern practice of OpSec took place during World War II, as part of the rise of espionage and escalating public affairs. From that era, we can find many different posters, pamphlets and flyers telling people to stay quiet, as there is no guarantee that the enemy is not listening at all times.
During the Cold War, spying on enemies was the norm, and it still hasn't stopped. Just as we saw the end of Cold War, the Internet and the World Wide Web began to emerge, and the '90s were a big decade in the development of Internet and computer security. With that, the interest in and importance of OpSec didn't stop, it just shifted to different landscapes and took on new forms.
Even after we discovered that using someone's full name or sharing their location can be a big no-no in OpSec, the lines remain blurred today. With Facebook and other social media platforms making it easier than ever to share all of your information, people often divulge their most private details without the slightest concern. Being too open and careless with personal information and opinions has led to a lot of trouble for some people—jobs have been lost thanks to inappropriate opinions shared online, relationships have been ruined, and more.
But aside from the everyday complications of indiscretion, organizations are also on alert. Employees taking pictures in the workplace (a screen in the background can showcase protected data), sharing passwords, releasing any information about the work they do without regard to its classification, etc., can compromise the entire organization.
This is why more and more organizations are turning to NDAs (even if they have been proven as flawed) as a form of operation security, forbidding individuals to share information about the employer and the project they are working on. Aside from the NDA, as the most often utilized form for operation security, organizations set different "rulebooks" on the classification of internal data and implement specific strategies for handling sensitive data.
OpSec started as a military process, but over the years it has transformed into something bigger than that, something that is a vital part of cyber hygiene. It holds a high ranking in any cybersecurity audit or cyber investigation, and is a normal part of our digital lives.
OpSec in Cybersecurity
As we mentioned, OpSec has now changed the digital landscapes where it is most frequently applied, and found its way to cybersecurity. Now, we can't imagine one without the other.
Companies are setting up recovery plans for data breaches, getting cyber insurance and employing white hats to test their systems. Including an OpSec program in cybersecurity strategy helps to fill in the gaps that other programs leave out, and builds a much stronger defense line while working on the different attack surface reduction strategies.
By tracking the digital footprint an organization leaves, you're putting yourself in the shoes of an attacker who is gathering the info needed for an attack. Gaining insights into what data is publicly available and how it can be used against you will help you re-group, invest in and strengthen your company's security.
Saving and securing sensitive information such as first names, IP addresses, languages, emails and other potentially compromising details is an ongoing process, something that needs to stay constant in the ever-changing cybersecurity environment. Training employees in cybersecurity practices, encrypting data and devices, monitoring the transfer of data, limiting access to certain data, and other actions you take to protect against a data breach can all be considered part of OpSec.
Remember, the prime goal of cybersecurity is to protecting yourself against cybercriminals, hackers, or anyone who tries to obtain data that can be used to reveal sensitive information. OpSec is there to put you one step closer to that goal.
Thanks (or no thanks) to social media, it's easier than ever to collect private information about any individual. It can be done in only a few hours of good targeting and intel gathering. There are even widely-available Facebook OSINT tools that are used in cyber investigations.
Gathering intel about organizations is also easy for the experienced attacker; targeting, gathering and analyzing publicly available data is mostly done with OSINT tools and, again, it can take no more than few hours for an attacker to find critical data that can later be exploited.
With just a few clicks, it's possible to discover email addresses, IP addresses, domain names, servers, utilized technology and much more about an organization. With all this data in the wrong hands, there is high potential for serious damage.
This is why constant work with data, monitoring its transfer, and looking at it through the eyes of an attacker, will put you one step ahead of the threats, and one step closer to a better security system altogether.
[widget=bookdemo/]
The OpSec process
The OpSec process is mostly categorized as a 5-step process. Each step can be represented by a question that needs to be answered so the process can continue without drawbacks and result in success. One of the first questions asked in the OpSec process is: Who would want access to the data in question?
1. What needs to be protected?
The first question we need to ask is: What data, if obtained by an opponent, can cause harm to the organization? By identifying the data, which can be anything from personal information about employees to information about clients, financial records or even intellectual property, a logical first step is knowing what are you protecting.
2. Who is my enemy?
The next step is determining who are threats to the organization. Are there opponents who may try to obtain particular sets of data for their own use, as possible competitors in the industry, or is it a group of hackers who have been trying to get into your system for some time? It's important to know who poses a threat so that the appropriate countermeasures can be taken.
Since there may be different adversaries, they may go after different data; it's important to protect data from all sides, and all possible ways to exploit it.
3. What are my vulnerabilities?
This is an important step in any security audit, DNS forensics and cybersecurity profiling. Assessing the potential vulnerabilities is important so proper security measures can be taken (patching the vulnerabilities, additional security training, implementation of new software, encryption of not only data, but also devices). Finding and analyzing vulnerabilities includes the discovery of any potential backdoors and holes that make the attack surface bigger, patching them, changing the processes around said vulnerabilities and setting in place new programs to better protect data.
4. What is the threat level?
Once the vulnerabilities are discovered, the next step is to determine how much of a threat each of them poses. It's mostly tied to the level of damage exploiting that vulnerability will bring, and how high is the possibility of said exploit.
Assessing the threats and having a list of priorities gives the organization a clearer picture of what to focus on first, and also finds possible patents in those vulnerabilities; it may point to a common backdoor that always comes up as a vulnerability, so it's important to find a permanent solution, or to develop a different strategy for handling that vulnerability.
5. How should we combat the threats?
The last step of OpSec process is in prescribing specific countermeasures that will take note of all risks and threats and protect against them. It consists of a clear OpSec plan that works on handling the biggest risks first. Here we can see the use of misinformation, restriction of data, and other above-mentioned strategies implemented for maximizing security.
Conclusion
Long forgotten are the days of espionage, and plotting against your enemies by sending undercover troops, but the need for keeping some secrets "secret" never stops. Whether you are an organization that needs to protect special patterns, a food chain desperate to keep a secret ingredient to yourself, or just an individual not wanting to have your private information easily available, Operation Security plays an important role in all of our lives.
Let's face it, we all have something to hide. So why would you make it easy for someone to find out exactly what exactly you're hiding?
SecurityTrails has come forward as the OSINT tool for professionals looking to stay on top of their digital footprint. SurfaceBrowser is a tool that helps you find out all the information about a target in matter of seconds, and it doesn't stop there! Book a demo with our team, so you can learn how you can use SecurityTrails in your OpSec strategy.
