Operations security (OPSEC): part of a balanced organisational security awareness diet

Summary:

  • The goal of OPSEC is to limit the adversary's capability to gather information about individuals or the organisation
  • Implement OPSEC just as you would any other control
  • Assess whether OPSEC could aid your existing information security program.

Authentication based on something you know is the easiest and cheapest way to prove someone's identity; however, it is also one of the easiest to defeat. With personal privacy not being as private as it used to be, it is hard to establish a universal authentication system based on something you know.

In the age of mass surveillance, social media and Internet of Things (IoT) devices track individuals and record secrets. Continuous changes to social media features, together with IoT devices gathering detailed information, make it a challenge to maintain a high level of privacy. Criminals seeking personal gain leverage lapses in privacy to exploit organisations that rely on weak authentication, cleaning out innocent victims.

The absence of a suitable technological solution (at the moment) makes the security of something you know rest solely with the subject.

This is where Operations Security (OPSEC) comes in.

Operations security conditions individuals to think about limiting the information that they disclose to the public. The military and other clandestine groups have employed OPSEC for many decades now, and it serves to limit the effectiveness of reconnaissance on individuals.

Considering that offensive teams such as penetration testers and social engineers treat intelligence gathering as one of their first stages, information starvation would limit or prolong the opportunity for a successful 'attack'.

Incorporating OPSEC into organisational security awareness does not require staff to undergo military-style training; instead, consider:

  • is there a gap that OPSEC could address (e.g. organisational or private use of social media, job listings, etc.)?
  • the level of detail the program will cover. This needs to strike a balance between practicality, freedom and security.

Two examples where OPSEC in security awareness would be valuable include:

  • Compartments – defining boundaries between professional and private life, or segmentation within the professional sphere, i.e. secret vs. internal
  • Need to know – do you *have* to communicate this information? Is it necessary for them to function? Could the information be used against the individual or organisation? For example, security questions used for password reset: does your online trader need to know your date of birth?

Before OPSEC can be deployed throughout the organisation, there are some considerations:

  • OPSEC augments information security and should be part of an existing security awareness program
  • OPSEC may not be for everyone; some specific groups will benefit from OPSEC more than others
  • Does the culture of the organisation allow for OPSEC to be implemented? Will staff allow their organisation to interfere with their personal lives?
  • People are human, mistakes happen. OPSEC serves to limit the fallout.
  • OPSEC is expensive, not only financially: continuously maintaining good OPSEC is quite hard to do.

There may be some debate as to the effectiveness and application of OPSEC; however, a successful campaign could give an adversary a run for their money.

If you are running an OPSEC campaign in your organisation, I’d like to hear about it.

Some information

http://www.dailymail.co.uk/news/article-3475126/Security-alert-NatWest-online-banking.html
https://www.owasp.org/index.php/Choosing_and_Using_Security_Questions_Cheat_Sheet
http://www.dodea.edu/offices/safety/opsec.cfm

I’m back

After a hiatus (being anti social), I’m back on social media.

I’m aiming to blog once a week on strategy, infosec, security awareness.

Also caved in to twitter: @IAm0xEd

I'm quite new to using twitter and its idiosyncrasies, so bear with me. If you have any suggestions on who to follow, etc., feel free to let me know (or follow me on twitter). Constructive feedback is always welcome.

You are the weakest link…attacking the weakest link on a global level

When protecting a high value target, a single point of failure could be a catalyst for a catastrophic breach.

When securing multinationals, consideration must be made for the smaller subsidiaries. They are connected to the corporate network and as any good pentester can tell you, pivoting is a powerful concept.

Smaller subsidiaries may not have the same level of physical, network or endpoint security. Some subsidiaries may face different levels of threat: political, socio-economic, domestic instability.

A quick example: a UK multinational operating in Argentina, or a Taiwanese company operating in China. Could there be repercussions?

On the other end of the spectrum, subsidiaries may not have faced the same level or intensity of threats as their parent company. Psychologically, citizens maintain the perception that, being in a safe backwater nation, developed-world threats are not of major concern.

It is important to note that security is a global effort: consider the threat level and adjust to it.

http://www.databreachtoday.eu/interviews/targeted-attacks-how-ready-japan-i-2820

Using Endpoint Security Products against you

Pretty interesting read on several vulnerabilities relating to Symantec Endpoint Protection:

http://codewhitesec.blogspot.be/2015/07/symantec-endpoint-protection.html

The article discusses various means to remotely compromise the management console and plant code in the distribution package.

There are several takeaways here:

  • Given that your security product is supposed to be securing your entire environment, your management console must be locked down, patched, etc.
  • If you haven't performed an audit of your management console settings, you are asking for trouble. At the very least, be able to explain why you have certain rules in place (file/folder exceptions come to mind)
  • Does your management console have an auditing function? Do you check it?
  • Are the endpoint packages that you create verified and signed?
  • (To the vendors) Do services really require local SYSTEM to run?
  • If your endpoint product is compromised, you can no longer trust it or the system that it is protecting.
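The "verified and signed" takeaway in the list above can be made concrete. The following is an added example, not code from the original post or from the linked article: a build server publishes a manifest of SHA-256 digests for the files in an endpoint deployment package and authenticates that manifest, and the distribution point refuses to push any package whose files or manifest do not check out. HMAC-SHA256 from the Python standard library stands in for a detached signature so the example runs without third-party libraries; a real pipeline would use an asymmetric code-signing key so the verifier never holds signing capability. The package contents and the key are constructed sample values.

```python
"""Verify an endpoint deployment package before it is distributed.

Added example (not the page's or the vendor's code). The build server
emits a manifest {file: sha256} plus a MAC over the canonical manifest.
HMAC is a stand-in for a detached asymmetric signature (assumption).
"""
from __future__ import annotations

import hashlib
import hmac
import json

# Constructed sample package: file name -> contents (stands in for files on disk).
SAMPLE_PACKAGE: dict[str, bytes] = {
    "agent.exe": b"MZ...constructed agent binary...",
    "config.ini": b"[agent]\nserver=console.example.internal\n",
}

# Constructed key, assumed to be held only by the build server and the
# distribution point; it must never ship inside the package itself.
SAMPLE_KEY = b"constructed-build-server-key"


def build_manifest(files: dict[str, bytes]) -> dict[str, str]:
    """Return {name: sha256 hex digest} for every file in the package."""
    return {name: hashlib.sha256(data).hexdigest() for name, data in sorted(files.items())}


def sign_manifest(manifest: dict[str, str], key: bytes) -> bytes:
    """Serialise the manifest canonically, then MAC it with HMAC-SHA256."""
    canonical = json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, canonical, hashlib.sha256).digest()


def verify_package(files: dict[str, bytes], manifest: dict[str, str],
                   tag: bytes, key: bytes) -> tuple[bool, str]:
    """Check the manifest MAC first, then every file digest.

    Returns (ok, reason). The MAC is checked before any digest so that a
    manifest rewritten to match tampered files is rejected outright.
    """
    expected = sign_manifest(manifest, key)
    if not hmac.compare_digest(expected, tag):  # constant-time comparison
        return False, "manifest MAC mismatch"
    if set(files) != set(manifest):
        return False, "file set differs from manifest"
    for name, data in files.items():
        if hashlib.sha256(data).hexdigest() != manifest[name]:
            return False, f"digest mismatch: {name}"
    return True, "ok"


def demo() -> tuple[tuple[bool, str], tuple[bool, str], tuple[bool, str]]:
    """Run the check on a clean package and on two simulated tampers."""
    manifest = build_manifest(SAMPLE_PACKAGE)
    tag = sign_manifest(manifest, SAMPLE_KEY)
    clean = verify_package(SAMPLE_PACKAGE, manifest, tag, SAMPLE_KEY)

    # Simulated tamper 1: code appended to the agent binary after signing.
    tampered = dict(SAMPLE_PACKAGE)
    tampered["agent.exe"] = SAMPLE_PACKAGE["agent.exe"] + b"planted"
    planted = verify_package(tampered, manifest, tag, SAMPLE_KEY)

    # Simulated tamper 2: the manifest is rewritten to match the tampered
    # files, but the attacker cannot produce a valid MAC without the key.
    forged_manifest = build_manifest(tampered)
    forged = verify_package(tampered, forged_manifest, tag, SAMPLE_KEY)
    return clean, planted, forged


if __name__ == "__main__":
    for label, result in zip(("clean", "planted", "forged"), demo()):
        print(f"{label}: {result}")
```

The order of checks matters: authenticating the manifest before trusting any digest in it is what turns a plain integrity check into an origin check, which is the property a compromised management console would otherwise let an attacker bypass by regenerating the manifest alongside the planted code.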

When you’re contractually/legally required to do something, you better do it…

If you happen to be a company in the field of protecting personal information (PI), you would think that you’d take precautions. If your shop cannot do what it says on the tin, customers will flock to others that can.

Especially when you have a court order to do so.

Lifelock, an ID theft protection company, received a court order in 2010. As quoted by Wired:

Lifelock had been ordered to remedy that situation, but according to the complaint filed today, it has failed to do so.

Not ground-breaking news, but protecting information involves people, processes and technology. Encryption, password management, need to know and patching are all basic measures that were not followed.

http://www.wired.com/2015/07/lifelock-failed-one-job-protecting-data/

Importance of Trust and Security as Sales Differentiators

The world is embracing the golden age of knowledge. Delivery of information is approaching instantaneous, the volume of data is increasing, and the computation/conversion of data into human-digestible information can be presented in many different ways.

Goods vs Services

During the industrial revolution, sales were based on goods. Now, sales are based on services and information.

The transition from a goods based to an information/knowledge based market has several major differences.

A goods based offering would usually involve a transaction with the delivery of a product. An information/knowledge based offering does not always result in a physical product.

QA processes, reliability and function are all traditional elements used to establish trust in a product. How does this all function in an information/knowledge based world?

With a physical product, the warranty and the length of time a company has been in service are indicators of the commitment of the company to its product. Reliability, service and QA are all criteria used to give consumers an understanding of the level of standard offered by the company. Longevity of the company underwrites the warranty, level of standard and performance/growth of the company. Naturally, poor governance, inadequate disaster recovery, etc. could bring a company down faster than you can say trust.

Some criteria are not as important, have a different meaning/context, or are no longer relevant, such as installation, logistics and delivery times.

Whereas other criteria are new or have become very important, such as availability and response times.

As a result, an information/knowledge based offering will have a heavier dependency on several traditional consumer criteria.

While the list is not comprehensive, consumers will apply greater weighting to the following requirements when considering an information/knowledge based offering:

  • Value of goods
    The value of the good/service provided will determine the importance of all requirements. For small ticket items, the criteria aren't as important as for a large, multi-year service offering. Further scrutiny would be applied to a high value product.
  • Length of engagement
    Goods would follow a short engagement life cycle. There is the marketing to entice consumers to the product and, once the product is purchased, the engagement ends (unless it's a high value good, see below). With information/knowledge based services, there is a longer engagement, as the consumer would subscribe to the service for the life of the information or until such time as the service is no longer required.
  • Consumer Risk appetite
    How dependent is the consumer on the good/service? If the consumer requires the service for their business or livelihood, then further scrutiny would be applied to the service.
  • Effectiveness of transition
    A company that used to be successful selling goods may not successfully transition over to the digital age (Borders and Kodak are two examples). How aware the organization is of its direction towards the new age is evident in its offerings and differentiators. More on this later.

Given key consumer criteria, it’s time to make the sale.

Selling in the golden age

All good sales people know that when you have competition, you need to differentiate yourself from your competitors. What is your unique selling point?

As mentioned, services and information are no longer physical, rendering many traditional sales criteria obsolete.

Some differentiators remain the same but in different forms.

As mentioned, a company which has been successful selling goods may not be as successful selling services/information. A company which is aware of this will be required to diversify to capture the market as well as build on the new market to secure and grow.

The New Business Road Test by John W. Mullins assesses a business opportunity and establishes whether it is worth pursuing or whether an existing opportunity is viable. The book goes into a lot of detail which unfortunately we won't be able to cover here. It describes several domains for consideration, one of which is at the micro level. Two of the five questions to consider are:

  • Is there a clear and compelling benefit for the offering?
  • Are the benefits from the customer perspective different and superior in some way?

If a service offers no benefit to the consumer, or if it is no different from any other service, then your opportunity is not going to stand the test of time; the opportunity is over even before it started.

A service must be able to offer a clear benefit to the customer and/or be superior to any other offering from your competitors. The benefits are made up of some of the criteria mentioned previously, and the missing link is the differentiators that put your offering ahead of any competitor.

Understanding differentiators

A goods based industry has a different set of differentiators to a service/information industry.

Diversification is not without risk. Knowledge of the new market, identification of USPs and opportunities in the new market, and so on will lead to a solid footing in the new marketplace.

Just because you might be good at executing and meeting customer demands, it doesn't mean that it will be the same for eternity; look at Borders, Kodak, etc. Their failure to transition successfully led to their downfall. As consumers no longer want the pain of managing their resources in a time-poor society, they turn to offerings which ease that pain; this is where services and convenience come in.

OK, even if an organization has transitioned, its competition will seek ways to meet consumer demands, and therefore other criteria are required to differentiate it as an organization with a superior and competitive offering.

What makes your offering better than the competition? That difference is called a differentiator.

Trust and security as two powerful differentiators.

All your competitors have met the basic consumer requirements; now what? Products are no longer physical, and there is nothing to physically show that an offering is superior, so how does an organization show it is superior?

This is where trust and security come in.

An organization must now prove that it is even more trustworthy than its competitors.

  • How does a customer know that they are getting value for money for a particular service?
  • How does a customer know that the organization they are dealing with will be there for the long haul?
  • How does a customer know that the organization will be there for their business or livelihoods?
  • How does a customer know that the organization’s offerings are future aware?

To answer these questions, consider the following as differentiators:

  • Trustworthy, otherwise the deal is not worth the paper it's written on. Remember, there is no physical element; the deal had better be good for the long haul.
  • Secure: if your business or livelihood relies on confidentiality, privacy and integrity, you expect that the organization you're dealing with does the same. Your customers do not care if your service provider is not up to par; your customer is dealing with you and therefore the buck stops with you.
  • Transparent: the last thing you want is an organization beating around the bush or, worse still, covering things up.
  • Assurance: has the organization been assessed by others to ensure that what they are doing is in line with what other professionals are saying? After all, a second pair of eyes is not a bad thing.

If you are running a service, your competitors are competing on cost and offerings but are they in line with what your customers are asking?

Project Management Fundamentals

One of the tools required by a consultant is the ability to project manage. The entire engagement may have sub-projects and involve a lot of staff and stakeholders, all of which increases complexity. Complexity increases the risk profile of engagements, hence any reduction in complexity is always welcome.

Having said that, the core items relating to basic project management are often overlooked. There are legitimate reasons behind this but the truth remains that there is no excuse for not getting things right in the first place. Yes, I’ve been here but hopefully have learnt something from the experience and will not do it again.

This is a short list of common mistakes that some PMs make and tips which I have learnt or have gained from working with some brilliant PMs.

You might ask: What does this have to do with Security?

Security is a rapidly changing area. All security professionals work to very short delivery dates. Mistakes, rework and delays are extremely costly, especially in a recovery situation. The importance of 'getting it right' the first time is critical!

Define and enforce Scope

Scope creep is a project killer. It happens, and it could be caused by one of the following (not an exhaustive list): poor planning, inadequate requirements analysis, lack of funding.

Define the boundaries and stick to the scope at all costs; enforce the scope. Don't allow scope creep to set in. It is a matter of pride, both yours and the project sponsor's.

Going the extra mile: if the scope changes, get the person requesting the change to justify it. Discuss alternatives and embed a 'penalty option' for the requester. The penalty provides contrast to the alternatives, as you will need more resources to get the job done, and gives a balanced view of the scope change.

Metrics for everything

How do you know if you hit a milestone if you have no way of measuring it?

Anything that impacts on the project: time, resources, funding, etc. must have a metric.

It provides tangible evidence for a lot of things: due diligence, coverage, costs, elapsed time, you name it.

Going the extra mile: if there is no metric, think about what the goal of the metric is, think of a suitable metric, keep it simple and create one. Sometimes you can't retrospectively create a metric. There is no such thing as a task too small to be measured. Finally, repeatable automation of metrics gathering is a lifesaver!

Do not underestimate the power of the Subject Matter Expert (SME)

Assumptions are risks!

Unless you are the SME, the SME is your friend. More often than not, they will have a better idea of what is possible (or impossible).

Iterate through each assumption and ask for their input. Where possible and if appropriate, go through the entire plan and show them the bigger picture.

They may also have a better way of doing the task which may improve on delivery. Win-win situation.

Going the extra mile: engaging SMEs as early as possible will make them feel important, and their input will be valuable. Keep in mind that they are SMEs and may not have a PM mindset, so get them to think like a PM: take them to an area free of distractions and ask them, 'What is required to get the task done? What do you need to get the job done?' etc.

Dreaded Deadlines

Like scope, stick to it. Enforce a deadline for your subordinates. Deadlines make people accountable. Deadlines are more important when tasks are on the critical path. As mentioned, slippage is expensive.

Don't consider the deadline as the end of the task; try to get the task done before the deadline, even if you have included contingency time.

Going the extra mile: be people-friendly when defining deadlines; don't call it a deadline. Importantly, to get them to be part of 'the team', you have to understand their deadlines and constraints! When you relate to their world, it builds rapport and they are more likely to be proactive. They could also go the extra mile by getting extra resources, re-prioritising your task as a high priority, etc.

Importance of communications

Communication is core to getting everyone working in unison.

Is a phone call necessary? Is an e-mail necessary? Consider the criticality of the message you're trying to get across. Scheduling a meeting can be done via e-mail and chased by phone if an urgent response is required.

Think closely about the aim of the communication, articulate that clearly.

Everyone is time-poor; unless they really need to know, avoid paragraphs full of information.

Mass communication should be structured in a way that a primary school kid would be able to understand and, importantly, acknowledge and follow.

Going the extra mile: important points first (including actions), what the goal is, what is involved, keep it positive, be short and succinct.

While there are many other areas of improvement, and each point could be explained in much more detail, consider this the start of a well-oiled consulting/project management experience.