What is OpSec and why do you need it?
Back in the '60s, OpSec was an essential ingredient to victory. It helped the U.S. military to prevent leaks of confidential information to their enemy camps. In today’s cyber-realm, it’s not that different. The need for keeping secrets never disappeared. Luckily, the OpSec found its way to the modern cybersecurity world. It transformed into a vital cyber hygiene doctrine available to any netizen. Therefore, let us uncover the world of OpSec. Why should it be necessary — not only to defend against enemies — but also in our everyday lives?
As mentioned before, the origins of OpSec (Operations security) belong to the U.S. military. During the Vietnam War, the team behind military operations noticed that the opponents somehow anticipated their tactics and strategies. The conclusion was that the forces themselves were unwittingly leaking vital information to the enemies. Soon they established the OpSec doctrine — to identify, classify, and protect critical information that can be exploited by their rivals. They defined Operations security as “the ability to keep knowledge of strengths and weaknesses away from hostile forces.”
When the World Wide Web began to emerge, the interest in OpSec didn’t stop. Instead, it shifted to different landscapes and took on new forms. It gradually became a more user-friendly process of assessing and protecting sensitive information. Now, the OpSec is a strategy of safeguarding data that an adversary (e.g., a hacker) could potentially exploit.
Thanks (but not really) to social networking platforms, it’s too easy to collect information about anyone. Personal connections, images identifying our whereabouts, and places we work: we often divulge these footprints without the slightest concern. Even if you don’t publish private details, an advanced attacker can obtain your precise location by looking at your selfie’s metadata. Luckily, OpSec can put you one step ahead of the lurking dangers.
The process of OpSec
The U.S. military established a five-step process by which organizations can assess their data and plans to protect it. Each step represents a different question that needs to be answered so that the final result would be successful. Although the OpSec five-step process slightly differs in a corporate context, here’s how individual users can adapt it:
1. What do I need to protect?
Got nothing to hide? Maybe not. But you probably have something to protect. You should consider things that might damage your reputation or identity. It might be your financial, intellectual property records, or publicly available information on social media. Make them all count.
2. Who is my potential adversary?
Try to think of who could use your information and how. Are there vicious rivals in the industry you work in? Or is it a hacker that might want your private data? List the things that would be potentially interesting to different adversaries.
3. What are my weakest spots?
Assess the potential backdoors, loopholes, or weaknesses on your devices, operating systems, and programs. In other words, think of how the adversary could potentially get access to your private data.
4. What is the threat level?
Once you discover the vulnerabilities, determine the level of threat each of them pose. Also, consider the severity of the potential attack and applicable defense strategies. As a result, you can prioritize your efforts for each weak spot. For instance, unpatched software may be riskier than the information accessible on your social media profile.
5. How can I combat the threats?
The last step of OpSec is taking specific countermeasures to protect against the threats you find. These can include:
- Staying up-to-date about new online dangers and risks;
- Practicing cyber hygiene;
- Installing security programs, such as VPN and antivirus, on your devices;
- Making sure that your operating systems and applications are always updated;
- Restricting the information you share online, etc.
OpSec is a robust doctrine to be one step ahead of our digital world ‘enemies.’ It’s a way of thinking about how we handle our information and what we do to protect it. OpSec is not a one-time exercise, though. If you are serious about your privacy online, you should apply its teachings regularly.