What is OpSec and why is it Useful?

There is no denying that nearly all businesses nowadays store sensitive information that would cause a catastrophe to said businesses if it were leaked. Nowadays, in any respectable company, this information is well-protected with countless security measures that are almost unbreachable.  With that said, all the security precautions in the world mean nothing if your organization leaves the backdoor open. That is where OpSec comes into play.

 

What is OpSec?

OpSec (i.e. operational security) is a risk management process that encourages to look at a company’s operations from the perspective of an adversary or the competition in order to protect sensitive information from falling into the wrong hands.

The term, first coined by the US military during the Vietnam War, is the result of an effort led by the team code-named Purple Dragon. They noticed that the opposing forces were able to anticipate America’s strategies and tactics, all while being unable to decrypt US communications and without inside intelligence. The conclusion was that US forces themselves were inadvertently revealing important information to the enemy.

Over time, the concept of operational security has spread from the military to other US government departments and eventually the private sector. With the rise of the internet and online businesses, OpSec became an important part of good cybersecurity measures.

Operational security includes both the analytical process and a strategy used in risk management to identify information which although unclassified, is deemed critical, and can be pieced together by opponents in a way that can put sensitive information or even the entire business in jeopardy.

The main goal of OpSec is to observe the data you wish to protect from the viewpoint of an adversary, as it is done by cybersecurity red teams who imitate real-world attacks to test the security measures of a company.

 

The five steps of OpSec

All of the processes involved in operational security can be neatly organized into 5 different steps. Each step is easiest to represent with a question that needs to be answered.

 

1. What is in need of protection?

The first question that needs to be asked is what data can bring negative consequences if it were to fall into the hands of an opponent? This data can be anything from the personal information about employees to your clients’ login credentials, financial records or even intellectual property. The first step in successfully protecting something is identifying what exactly it is that you need to protect.

 

2. Who is the adversary?

Once you know what you need to protect, you should find out who or what you need to protect the data from. Determining the threat to your organization is critical to figuring out how to deal with it. Since there can be different possible threats, it is important to protect data from all sides. For example, your competitors in the market might want to know the designs of your products, while hackers will probably be after the financial credentials of your clients.

 

3. What are my weaknesses?

To know how your adversaries can hurt you, first, you’ll need to know where you can get hurt the most. his is an important step in any information risk management process. Analysis of vulnerabilities is important so you know what security measures need to be taken to mitigate the potential attack surface.

 

4. How severe is the threat?

This step determines your threat levels by determining how any vulnerabilities revealed in step 3 expose critical data identified in step 1 to threat actors identified in step 2. You need to figure out how much damage someone exploiting an external vulnerability could cause, along with how probable such an attack would be.

 

5. How to get rid of these threats?

This is the step where you plan out and develop a security program that should describe the specific countermeasures to each serious possible risk. This could include updating your hardware, creating new policies regarding sensitive data, or training employees on sound security practices and company policies. Countermeasures should be straightforward and simple.

 

Best Practices for top-notch OpSec

Here are the best practices a business and its employees should stick to in order to have a successful operational security program.

• Implement precise change management processes that your employees should follow when network changes are performed. All changes should be logged and controlled so they can be monitored and audited.
• Restrict access to network devices using AAA authentication. In the military and other government entities, a “need-to-know” basis is often used as a rule of thumb regarding access and sharing of information.
• Give your employees the minimum access necessary to perform their jobs. Practice the principle of least privilege.
• Implement dual control. Make sure that those who work on your network are not the same people in charge of security.
• Automate tasks to reduce the need for human intervention. Humans are the weakest link in any organization’s operational security initiatives because they make mistakes, overlook details, forget things, and bypass processes.
• Incident response and disaster recovery planning are always crucial components of a sound security posture. Even when operational security measures are robust, you must have a plan to identify risks, respond to them, and mitigate potential damages.

The main purpose of risk management is to have the ability to identify threats and vulnerabilities before they turn into actual problems. This is best achieved by looking at the company’s operations from a third-party perspective (that has malicious intent).