Why OPSEC Is for Everyone, Not Just for People with Something to Hide

Image

OPSEC (Operational Security) is a term derived from the U.S. military and is an analytical process used to deny an adversary information that could compromise the secrecy and/or the operational security of a mission. The very process of performing OPSEC or protecting yourself from an adversary not only plays a very important role in both offensive and defensive security strategies but also in everyday life. Examples of OPSEC that pertain to this article include protecting the real identity of someone who has chosen to create a pseudonym that black hat and white hat hackers most commonly will undertake online. The process of ensuring that critical information, such as IP addresses, language used, writing styles, email accounts, personal traits etc. cannot be used to unmask their real identity is a constant process. There are many reasons why having a healthy obsession with OPSEC is important. One of the biggest is protecting yourself from cyber-criminals, hackers and governments from obtaining data that can be used to disclose sensitive information about you, with doxxing the most common attack used to expose weaknesses in OPSEC.

Why is OPSEC important, and why should you care?

There’s a saying that goes, “If you have nothing to hide, you have nothing to fear.” The reality is that everyone has something they want to hide from the general public. The key is identifying what form this information is in, how well protected it is, and if compromised, what the personal/professional impact would be. Attackers are constantly profiling targets looking for potential weaknesses in OPSEC and from personal experience, it can take less than four hours of online recon using manual and automated Open Source Intelligence (OSINT) techniques to gather enough information on a target to learn their:

• Full Name
• Location
• SSN/NI number
• Date of Birth
• Email Accounts and Passwords
• Mother’s Maiden Name
• Online Digital Footprint
• Employment Information
• Financial Information
• Mobile/Work Telephone Numbers
• Social Media Information/Posts
• Family/Friends/Colleagues

Armed with the above information, a motivated attacker could do some serious damage – especially if you reuse passwords, using the same email as a login for multiple web apps, or use an email/username that can identify something about you. These basic mistakes are reported almost on a monthly basis in the media, including numerous examples of where criminal operations have been dismantled through leaving breadcrumbs of information that link a real person to their pseudonym(s). Interesting case studies include the recent takedown of the AlphaBay admin Alexandre Cazes aka Admin02. The admin of one of the largest dark markets was recently arrested by a joint operation led by by Interpol, the FBI, the NCA and other law enforcement agencies to take down marketplaces. LEA agents were able to piece together information on their target from small OPSEC mistakes. For example, early welcome emails from the site admin [email protected] included information about Cazes, including his year of birth and information that could be used to identify his national identity. He also cashed using a bitcoin account tied to his name, and his bank account is amongst the OPSEC sins he performed and ultimately what led to his arrest. The reality is that an attacker exploiting weaknesses in OPSEC is akin to a death by a thousand cuts. It’s not one “breadcrumb” of information that causes the damage; it’s the accumulated data over time that delivers the killer blow for the attacker. Being constantly aware of the information you are sharing with individuals, third-parties, online entities, and employers, not to mention the extent this exposes you, is vitally important if you want to stay safe in today’s constant information battle.

Reducing exposure through OPSEC

The pretext of this article might seem a little extreme for the average person who has nothing to hide. However, whether you work in IT, DevOps, infosec, or leadership, protecting your own, as well as your companies' critical assets, is vitally important. Here are the top three things you can do right now to dramatically improve you OPSEC:

1. Think before you share

As highlighted earlier, it’s the aggregation of information that can be gathered on a target that poses the greater threat. A common example is developer profiles on sites like GitHub. They are a goldmine of information for attackers, and they usually provide an idea of development styles and any bugs that could be replicated in corporate environments – not to mention lovely profile pictures. Before you post comments or share content on support forums, social media etc. think: does this give an attacker any information they could use to build a profile (or further build) on you or your company?

2. Create compartments

Building upon the message of not using same password across accounts, you want to make it difficult for an attacker to learn everything about you. Just as people reuse passwords (or variations of), the same can be said for usernames and email addresses. Limit the exposure of the information about you, make email addresses almost random and assign each a specific use. For example, create a separate email address for finance or sensitive information, another one for social media, and another for general use. Further, enhance the protection by using a password manager to generate strong passphrases for each, ensuring every account/online service has a unique password. Finally, for extra protection, it is highly recommended that you enable two-factor authentication for everything.

3. Perform personal risk assessments

Just as organisations regularly perform risk assessments or business impact assessments to understand exposure to certain threat scenarios, it is just as important to perform a personal risk assessment on oneself on a fairly regular basis. However, rather than looking at external threat vectors, this risk assessment should focus on the most important information you want to prevent being stolen, compromised, exposed etc. Questions to ask yourself include:

• What is this information?
• What form is this information in?
• Do I know exactly where it all is?
  • If not, how quickly can I find it all?
• Is it stored with a third-party?
  • Can I accept the risk if they get breached?
• Is my data encrypted? Is it secure?
• Who knows about my sensitive data?
  • Who has access?
  • Who has accessed it?
• What is the impact if the data is publicly disclosed/stolen? Can I accept the risk?

By performing the aforementioned three steps, you can greatly improve your operational security by protecting the information most critical to you and vastly risking not only personal exposure but being a weak link in the wider company operational security chain. To learn more about OPSEC, read part two of my series here: https://www.tripwire.com/state-of-security/security-awareness/why-opsec-is-for-everyone-part-2/ And to learn EVEN more about OPSEC, you can read part three here: https://www.tripwire.com/state-of-security/security-awareness/opsec-everyone-people-something-hide-part-3/ (I'd always advise you read part one, then two, and finish with three.)

Image

About the Author: From a background of threat intelligence, social engineering, and incident response, Stuart Peck is the Director of Cyber Security Strategy for ZeroDayLab. Stuart regularly delivers threat briefings to FTSE-level executives and directors throughout the UK and Europe. Passionate about educating organizations on the latest attacker trends facing business today and how to combat them, Stuart’s key areas of expertise include: the dark web, social engineering, malware and ransomware analysis & trends, threat hunting, OSINT, HUMINT and attacker recon techniques. Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.