OPSEC, or Operational Security, is one of those terms that has been around for ages, but hasn’t really seeped into the public consciousness until recently. Perhaps we get to thank things such as Snowden documentaries and book for it, but OPSEC tips and OPSEC related stories can be found even on mainstream publications these days. However, often those stories seem to revolve around INFOSEC, or even more narrowly around “countermeasures”. To clarify this topic, we did publish recently an article titled “What is OPSEC?“. In my opinion, the easiest way to understand it is to view it through this five-step process:
1. Identify the information you need to protect
2. Analyze the threats
3. Analyze your vulnerabilities
4. Assess the risk
5. Apply countermeasures
When we understand that OPSEC is an iterative process then it all starts to make a lot more sense. Similarly, questions such as “Is this tool good for OPSEC?” start to make less sense. OPSEC is not a binary state. There’s no magic bullet that suddenly gives you OPSEC.
In December, we ran “OPSEC Advent Calendar” on Twitter with the hashtag #OPSEC24. Based on the responses we got, there were clearly three OPSEC tips that resonated most with our followers. So let’s take those top 3 OPSEC tips and look at them through the lenses of the OPSEC process as explained above.
7/24 Shoulder surfing, eavesdropping, or accidentally CC'ing email to a wrong participant are still among the most common OPSEC pitfalls. Be aware of your surroundings and think before you click! #OPSEC #OPSEC24 pic.twitter.com/awekbAYLJe
— F-Secure (@FSecure) December 7, 2019
This one is probably a familiar scenario to all of us! You’ve identified that the information you have on your screen is something that’s not meant to be seen by everyone. In other words, it needs some level of protection. Let’s say it’s some business confidential information, and you are working remotely from a cafe. You’ve taken care of the unsecure WiFi by running a trustworthy VPN, but you don’t have a privacy screen filter. So now you’ve narrowed your most likely threat vector being physical instead of digital. Shouldersurfing is done by everyone from a nosy passerby to corporate spies. So in the case of this first example, your countermeasure might be relocating to a more private table or simply continuing working with the sensitive material from somewhere else. See, OPSEC might sound daunting, but it’s really just a combination of common sense and healthy security hygiene.
Let’s look at another popular OPSEC tip:
Hardening your social media accounts
— F-Secure (@FSecure) December 8, 2019
“Hardening” your social media accounts is highly recommended for everyone. Even if you wouldn’t consider your account(s) being a high value target for cyber criminals. Social media accounts are, after all, an extension of your online identity. So if the accounts get compromised, so does your identity. Account takeovers can be used for example to spread false information, paint the individual in bad light or simply just to delete the account and all associated information. The threats get exponentially worse if you’ve used same email address and password combination for other services too.
Final OPSEC tip is about something many of us have probably done, without realizing the risks:
Don’t wear your ID badge outside the office
— F-Secure (@FSecure) December 19, 2019
F-Secure fellow Tom Van De Wiele has been preaching for years about the importance of hiding your ID badge. And what better way to raise awareness of this issue than taking covert photos and then publishing them on Twitter (with important badge details blurred, of course).
In case it’s not obvious, if someone can get a photo of your badge it means they can clone it and use it to access your workplace. Or it can be again used as another tool in the process of identity theft. And if someone is close enough to take a photo of the badge, they probably can also scan the badge’s RFID chip as well. So next time you’re heading out of the office, remember to tuck your badge inside your shirt or purse!
For the full list of our #OPSEC24 tips, check out this Twitter Moment we made:
— F-Secure (@FSecure) January 20, 2020