Operational security is about protecting yourself and your activities. It’s about turning the tables, looking at things from an attacker’s point of view, and identifying where and how your own actions are making you vulnerable. When it comes to infosec, opsec is about the little precautions we take to protect our devices and information, and those of our company, day in and day out.
As Chief Information Security Officer of F-Secure, Erka Koivunen has a thing or two to say about opsec. In Episode number 6 of Cyber Security Sauna, Erka talks about why you should never trust your office network, his favorite epic opsec fail tale, plus tips for “spring cleaning” your opsec (potato chips and nail polish are recommended tools).
Janne: Welcome to the show, Erka.
Erka: Thanks for having me, Janne.
What does opsec mean for the context of this discussion? Are we keeping individuals safe or protecting orgs?
Typically I would start from protecting orgs. You can put a tinfoil hat on your head and try to assume that you’re going to be the last man standing and everybody would be against you, but in normal, everyday settings it is us working for a company, or we are part of a family or with friends and we have some assets that belong to someone else that we are entrusted to protect. So in most people’s point of view, the pragmatic approach to opsec is that we do sensible things to protect the assets that have been entrusted to us.
What are the keys to keeping your house secure?
We can start by assuming there are adversaries who want to harm us. And yet, on a pragmatic setting, you have to be aware of that you make mistakes as well. So the adversary might be something that you don’t even know, you don’t even see, you don’t even feel the effect, and you still will be leaking information, you will be making some hackers able to breach your company networks, and it would be impossible for you to know in which types of ways they will be harming you.
So, for a layperson it suffices to know that if I don’t plan my actions, if I’m not executing my plan, it might be that I make mistakes that someone else can take advantage of.
You’re talking about being under attack all the time, assuming breach, this ties into the ideas we’ve heard about Beyond Corp and zero trust networks, any thoughts on that?
In a corporate setting you will be given a set of tools. Your user accounts are managed user accounts, your laptop is often managed type, and you will be signing onto your local area network that is controlled by your IT management, and yet at the same time I would advise you to never trust any of these devices, never trust the network that you’re connected to. You just need to be aware that there are various levels of controls that the infrastructure security people can set up to help you, and yet, it may be that they are all breached. It might be that your computer, by your mistakes and your actions, might be breached and you are bringing the dangers to your corporate networks.
So in that sense the Beyond Corp philosophy is only a natural way to approach operational security. You don’t expect anything from the network you are connecting to. You don’t expect anything from the cloud service you are utilizing. You assume that they are breached, you assume that the information contained there might be tainted, and you double check the URLs before you click them.
Is that feasible? Can people live under a siege mentality like that?
That makes sense. So what should we as employees of organizations be concerned about? Should we be aware of what’s critical information about my organization and things like that?
Examples of business critical information would be customer information, something that is labeled classified by the customer, so you are not at the liberty of disclosing that. It could be personally identifiable data, and with GDPR looming on the horizon this is something that each and every organization is pretty sensitive about. And the financial nondisclosed information for a public listed company is something that should be treated as sensitive.
If you are assigned in an R&D project for a product that is not yet public, you should be aware that the naming conventions and some technology choices and the go-to-market plans should not be public. However, information about project names and key personnel, they tend to leak somewhere. So even when a person knows to address and initiate a discussion with you using those terms, that person might not necessarily be allowed to learn anything more. So an individual working for a company should always choose to either enter into that discussion and continue sharing those secrets, or to alert the organization about the potential breach. And I of course would always err on the side of stopping the discussion and alerting the project owners or the company leadership. And yet I know that people want to please, they want to feel like they are in the know, they want to feel camaraderie with the person who seems to be knowledgeable about things.
So we know people shouldn’t trust the office, but they’re even more exposed when they’re traveling, isn’t that right?
Sure, yeah, you are pretty much on your own, when you are in your hotel room and when you are going to a meeting and for that, we always advise that take as little gear as possible because otherwise you would end up spending quite a lot of time trying to secure your laptop and your tablet and your mobile phone and the darn papers that you brought with you. And there are going to be times and situations where you need to leave your gear behind you. When you go to swim you cannot take your gear to the pool with you.
So we advise our travelers to take so-called tamper-evident bags with them. They seal gadgets inside, they record the individual number of that bag, and when they return to their hotel room they can check that nobody has been able to open the bag or insert or extract any material out of them. If you’re even more paranoid you can spray potato crisps on top of that tamper evident bag and take a photograph of that and it will be next to impossible for the uber security agency to put the crisps at exactly the same locations if they try to steal your stuff. We have also advised that if you want to be certain about the integrity of your laptop, you mark critical screws and critical hinges using glitter nail polish and again take a photograph because if somebody’s going to open up the laptop and insert keyloggers, they will break the glitter nail polish, if you will, that would be a seal, and you will at least notice about that.
None of that will prevent somebody from stealing your laptop, and it will not make it impossible for them to modify it, but at least the chances are that you will detect it. And you can alert and the back office crew can then start disabling your accounts and access.
You’re pretty deep into the infosec game, not like the kinds of people you and I both meet every day who say things like “I have nothing to hide” and ask me why they should care about opsec at all.
Everybody has things to hide, everybody has something to protect, and even though you don’t value those assets yourself, you are duty bound to protect those assets on somebody else’s behalf.
Right, and it’s not even about hiding stuff, it’s just that not everything about me is public.
Exactly, and you’re a custodian of something , you’re a custodian of integrity, availability, or confidentiality aspects of that data. My dear recently deceased father-in-law used to refuse to accept even a free copy of antivirus because he has nothing to hide. So we had lots of arguments and they ended when he finally got grandchildren, and I was telling him that if I’m not certain that you’re going to use a protected endpoint to view pictures of the grandchildren, I will not be sharing them through the cloud. And that was the point when he finally got that all right, it’s not just about him having his own secrets and his own assets, but that we genuinely don’t want our kids’ photographs to be leaked in the Internet.
Sure. so it’s you’re not just a target, you’re an attack vector towards people who trust you.
Yeah, you are part of the network, you are part of the value chain if you’re in a corporate environment, you know people, you can introduce people to people. And you might be used as a stepping stone when trying to either attack or in other ways to reach that ultimate target. And even if it’s not going to be that malicious, you don’t want to ruin your colleagues’ day by inviting every cold caller to harass them on a busy day. So you don’t want to give out the phone numbers and private address of your colleague.
Yeah, not even attackers, just cold callers. Let’s talk about attackers and attacks, how do I select an appropriate level of threat? What should a regular person’s threat model look like?
A regular person, when planning and executing their operational security, they probably don’t need to factor in threats to their life. So that gives us lots of degrees of freedom, and we can even fail in our opsec. Typically they would only lose moderate amounts of money in opsec fails so that again gives you some added degrees of freedom. So it is more about making your life a bit easier, being polite to your friends and family, so you want to understand that there are predatory marketing practices, there are people who might use information about you to talk behind your back and make your life at the workplace really difficult, and there are life changing moments like when you are planning to have children but don’t have yet, you definitely want to keep the relatives out of the loop until you have something to announce. They are pretty pragmatic, pretty mundane if you will, for a layperson, and that means that you can rely on access control mechanisms. You don’t need to start building bulletproof, hackproof systems. And you can rely on the authenticity and integrity of the information. You don’t need to test and digitally sign everything that you do. You choose people to trust, you choose computer systems to trust, and you be conservative about the information that you share. That should be enough for a layperson.
For a corporate user, this is something that I always tell to our own users, you will be breached, you will make mistakes. And believe it or not, we are working as an antivirus company and yet our people occasionally get compromised through malware. When you do get compromised, my advice is to get compromised using company assets, because that way we will detect it. You will have a team of investigators helping you to understand the root cause, and you will get the support that you need.
If you try to go it alone minding company business using your own laptop that used to be the gaming laptop of your kid, and if you choose to use nonauthorized, nonmanaged devices, we probably will not find out about the incident before it’s too late. I would be willing to sacrifice that you use the computers provided by the IT department, which every hacker knows that there are backdoors, at least the IT department backdoor is there. You will be using encryption keys that will be escrowed, by the IT management again. From purely an information security point of view they are already compromised systems, they are tainted systems, and they are systems that you cannot even secure the way you please. And yet I’m advising people to use them because we have a pretty good mechanism to detect when things go south.
So we are willing to accept some hits and we are willing to be compromised every now and then, if we just know about it in time.
I was being asked by a fellow that they are traveling to Russia, and they have now heard in the news that they are surveilling, to track you and he’s going there on a vacation so he feels it’s irresponsible to take company assets in the form of a laptop to a potentially hostile environment where it could be monitored or stolen. And yet at the same time he has KPI’s to meet and he has obligations towards customers. So he was thinking that if he takes his son’s laptop and uses that to then log on to let’s say Salesforce, would it be OK, and I was like “No no! Don’t mix private and company assets!”
The managed company workstation is designed to resist attempts to steal, and it features whole disk encryption and pretty good detection mechanisms, so please take that if you need. And we know it will be connected to a network that will be monitored, but Russia is not the only place in the world that monitors internet use. You probably will end up having a better vacation and if you lose the laptop we have plenty of them to replace. Just make sure that you give us a tip if it gets stolen.
As far as attackers go, you seem to be talking a lot about cybercriminals – is that the sort of the level of adversary we should be preparing for – I don’t have to worry about the NSA coming after me?
Or you end up living in a compound in central Pakistan and even that doesn’t work.
Exactly. So the master of operational security, Osama bin Laden, was eventually identified, and even though he had gunmen and he had a gun of his own, that didn’t’ save him. He probably was pretty well prepared to live like that for a number of years, but eventually he got killed as well.
Yeah, there’s no amount of opsec that will save you from a sun porch full of Navy seals.
Yeah, and the quality of life when you factor that kind of threat into your opsec is something that you don’t want to carry. So if you are just getting paid to do your work, don’t factor in the nation state and people trying to kill you.
Alright, we drifted into the area of opsec nightmares, do you have a favorite story of an opsec fail, or a cautionary tale for us?
Yeah, my personal favorite is – I was still working for the Finnish government at the time. A journalist called me in the middle of Finnish midsummer. And for NonFinnish and non Nordic listeners out there, midsummer is a, I would say, almost holy time of year. The whole of Finland grinds down to a halt, no businesses open, no people answering their phone, everybody just gets out of the town and most of us get extremely drunk in the process, so you don’t expect anybody to work during midsummer. And yet, a Microsoft executive was tweeting that he was now landing in Espoo, Finland, and he had a productive meeting with Nokia. Which, to the rest of the world, sounded like business as usual, and Finnish journalists who happened to find that tweet, immediately knew that this is big.
Something was up.
Nobody at Nokia headquarters would be working on midsummer with Microsoft. And that was the way that the planned merger of Nokia mobile phones with Microsoft was first leaked out. Social media is a public platform. The fact that this person was flying around the world negotiating business deals was not a secret in itself, but due to the cultural insensitivity if you will, he accidentally gave that otherwise innocent meeting a context that made it obvious for the Finnish audience that this is a big thing.
One of the problems with opsec is that once something is gone, it’s gone forever. But let’s still make an effort to keep ourselves safe, do a little spring cleaning. Do you have any advice on your pet peeves or any sort of opsec advice? What should people do today to be better off with their opsec in the future?
Typically when I’m using online services, I always create separate user accounts for each and every separate service, and I’ve taken the task to create those accounts on behalf of our family as well. So now I have a number of user accounts for Apple, for Facebook services, for Netflix. And I try to give as misleading information as possible to those services, so I don’t state the exact name of my children, I don’t state the true birthday and my age to the services, and I try to be really conservative about where we live. In most cases the address I give when I’m traveling when I’m registering for those services is F-Secure headquarters here in Ruoholahti, Helsinki. So please send the spam emails and spam mails to headquarters, we have people screening them.
So now, the pro tip when living your life and building the facade of lies, if you will, is to keep track of what is it that you lied to different service providers.
So when you create a false birthdate, write that down.
Exactly. And sometimes my supposed mother’s maiden name or the first brand of car will be asked when I lose track of that password. So I use a password manager not only to keep track of which user IDs I chose and passwords, but to also keep track of what is it I was less than truthful when answering.
Sometimes it leads to ludicrous situations. One time I was being asked to recite my mother’s maiden name by phone, and it had special characters, and the person speaking on the other side was a native English speaker and me being a Finn I didn’t even know how to pronounce half of those special characters. So that was a pretty long support call.
And they were thinking, this is an unbelievable name somebody has.
So password managers, and not everything you tell the internet has to be true. That’s some sound advice. Thanks for being with us today, Erka.
My pleasure, Janne.