- The goal of OPSEC is to limit the adversary's capability to gather information about individuals or the organisation
- Implement OPSEC the same way you would implement any other security control
- Assess whether OPSEC could aid your existing information security program.
Authentication based on something you know is the easiest and cheapest way to prove someone's identity; however, it is also one of the easiest to defeat. With personal privacy no longer being as private as it used to be, it is hard to establish a universal authentication system based on something you know.
The age of mass surveillance, social media and the Internet of Things (IoT) tracks individuals and records their secrets. Continuously changing social media features and IoT devices gathering detailed information make maintaining a high level of privacy a challenge. Criminals seeking personal gain leverage lapses in privacy to exploit organisations that rely on weak authentication and to clean out innocent victims.
The absence (at the moment) of a suitable technological solution means the security of something you know rests solely with the subject.
This is where Operations Security (OPSEC) comes in.
Operations security conditions individuals to think about limiting the information that they disclose to the public. The military and other clandestine groups have employed OPSEC for many decades now, and it serves to limit the effectiveness of reconnaissance on individuals.
Considering that offensive teams such as penetration testers and social engineers rely on intelligence gathering as one of their first stages, starving them of information would limit or prolong the opportunity for a successful 'attack'.
Incorporating OPSEC into organisational security awareness does not require staff to undergo military style training, instead consider:
- Is there a gap that OPSEC could address (e.g. organisational or private use of social media, job listings, etc.)?
- The level of detail the program will cover. This needs to strike a balance between practicality, freedom and security.
Two examples where OPSEC in security awareness would be valuable include:
- Compartments – defining boundaries between professional and private, or segmentation within professional, i.e. secret vs internal
- Need to know – Do you *have* to communicate this information? Is it necessary for them to function? Could the information be used against the individual or organisation? For example, security questions used for password reset: does your online trader need to know your date of birth?
Before OPSEC can be deployed throughout the organisation, there are some considerations:
- OPSEC augments information security and should be part of an existing security awareness program
- OPSEC may not be for everyone; some specific groups will benefit from OPSEC more than others
- Does the culture of the organisation allow for OPSEC to be implemented? Will staff allow their organisation to interfere with their personal lives?
- People are human, and mistakes happen. OPSEC serves to limit the fallout.
- OPSEC is expensive, and not only financially: continuously maintaining good OPSEC is quite hard to do.
There may be some debate about the effectiveness and application of OPSEC; however, a successful campaign could give an adversary a run for their money.
If you are running an OPSEC campaign in your organisation, I’d like to hear about it.