Operations security, or opsec, is a process by which organizations assess and protect public data about themselves that could, if properly analyzed and grouped with other data by a clever adversary, reveal a bigger picture that ought to stay hidden. It's a discipline of military origins that in the computer age has become vital for government and private organizations alike — and every CSO ought to be thinking about what steps they can take to improve their opsec posture.
The term operations security was first coined in the U.S. military during the Vietnam War, as a result of an effort led by a team dubbed Purple Dragon. This team noticed that America's adversaries seemed to be able to anticipate their strategies and tactics. It was known that North Vietnam and the Viet Cong hadn't managed to decrypt U.S. communications and didn't have intelligence assets who could gather data from the inside; the conclusion was that U.S. forces themselves were inadvertently revealing vital information to the enemy. Purple Dragon coined the first military opsec definition: "The ability to keep knowledge of our strengths and weaknesses away from hostile forces."
Over time, the concept spread from the military to other U.S. government departments and into private industry, and was developed in more detail. The Department of Energy, which is in charge of the U.S. nuclear arsenal, has its own definition of opsec: "Operations security involves a process of determining unclassified or controlled critical information that may be an indicator or pathway to that classified information requiring protection, whether for a limited or prolonged time ... the purpose of opsec is to identify, control, and protect sensitive unclassified information about a mission, operation, or activity and to deny or mitigate an adversary’s ability to compromise that mission, operation, or activity."
So far this, is all pretty abstract. Perhaps one of the best ways to understand what opsec involves in practice is by looking at some high-profile opsec failures — instances where people were able to piece together public information into a bigger picture that the subject of the information would have wanted to keep secret.
We'll start with a high-profile case of someone who should have known better. In March 2017, when James Comey was still FBI Director, Gizmodo writer Ashley Feinberg was able to track down his Instagram and Twitter accounts using only a few bits of publicly available data, in a tale that offers a master class for following clues on social media. She knew that Comey's son Brien was an athlete at Kenyon College, and she found a video of him on the Kenyon Athletics Department Instagram account in which someone in the comments had tagged Brien's own private Instagram. She used a burner account to put in a follow request to Brien, knowing that Instagram reacts to such requests by offering suggested accounts related to the one you just tried to follow. In Feinberg's case, those included a locked account called "reinholdniebuhr," named after a theologian that James Comey wrote his senior thesis about; this, she assumed, was Comey's account. There were only a few Twitter accounts that used variations of "niebuhr" — including one with the handle "@projectexile7," seemingly named after a gun violence reduction program Comey helped start in the '90s. @projectexile7 had a single follower, legal blogger Benjamin Wittes, who was Comey's personal friend. By October it was clear that Feinberg was correct in her IDs.
This is a fantastic example of the sort of social medial clues that even security-minded people aren't aware that they're leaving behind; and indeed Facebook, and other social media sites can leave trails that are even more damaging than this in military contexts. For instance, despite the official Russian government line that the pro-Russian insurgency in eastern Ukraine is home-grown and not armed by the Russian military, Russian soldiers have repeatedly given themselves away on social media, sometimes accidentally geotagging their Instagram photos to make it clear they're on the Ukrainian side of the border. In a not dissimilar case, Strava, the manufacturer of a popular fitness tracker that uploads data to the cloud, released a detailed worldwide map of its users' jogging routes — and, due to the product's popularity among American soldiers, revealed a number of secret U.S. military bases in the process.
Opsec failures at the corporate level may not put national security at risk, but they are still potentially catastrophic for the companies involved. A number of opsec pros shared problems they had seen with the Digital Guardian DataInsider blog. Entrepreneur Shy Bredewold explains how corporate details can leak out: "An overzealous employee tags themselves in a post which reveals a training facility otherwise unknown to the public. A chat with your spouse ends up in a forum saying how their husband is so stressed due to the new insert conceptual product release next month." Another potential vector is in the humble password: with website password breaches becoming commonplace, many username/password combos are now public knowledge, and hackers are happy to try to match those identities to employers and see if they can find reused passwords they can exploit.
The U.S. military has established a five-step process by which organizations can assess their data and infrastructure and draw up a plan to protect it. The SecurityTrails blog has a particularly readable explanation, but here's a quick summary:
- Assess opsec critical information. You need to begin by determining what data, if acquired or accessed by an adversary, would cause harm to your organization. This data could range from client information to financial records to intellectual property.
- Determine types of opsec threats. The next question to ask yourself is: Who are our adversaries? These can range from criminal hackers to business competitors. Keep in mind that different enemies might be targeting different data.
- Opsec analysis of vulnerabilities. This is a step that should be central to any organization's security posture: performing a complete security audit to reveal weak points in your infrastructure
- Opsec assessment of risk. This step determines your threat levels by determining how any vulnerabilities revealed in step 3 expose critical data identified in step 1 to threat actors identified in step 2. You need to figure out how much damage someone exploiting an external vulnerability could cause, along with how probable such an attack would be.
- Making an opsec plan. With all this information in hand, your next step is to create the plan for locking down your vulnerabilities and keeping your data secure.
Operations security measures
Again, that's all a little abstract. What are specific security measures you can take to implement your opsec plan? HackerCombat outlines a number of best practices, including:
- Implementing change management processing
- Restricting access to network devices on a "need to know" basis
- Giving employees minimum necessary access and practicing the principle of least privilege
- Automating tasks to remove human weak links
- Planning for incident response and recovery
SecurityTrails breaks down the areas that opsec planning should focus on. You'll, of course, want to be extremely aware of any sensitive personally identifying data, including names, IP addresses, languages, emails, and the like. But you'll also need to deal with people — specifically, your own people, for whom an opsec mindset needs to become second nature. They'll need to be trained on a number of practices, including encrypting data and devices, monitoring the transfer of data, and limiting access to certain data. They also need to be made aware of all the kinds of blunders we discussed earlier, especially when it comes to social media. "Loose lips sink ships" was a proto-opsec slogan for World War II, but it applies to your organization as well (and extends to Facebook posts).
Who has oversight of the opsec program?
The final question you might be contemplating is who, exactly, should be in charge of opsec at your organization. The truth is that this is an area that's still in flux, and often the best candidate will be the person with the most interest and ability within your company, regardless of where they sit on the org chart.
The Operations Security Professional's Association is a nonprofit professional org dedicated to supporting opsec pros. Their "What works in opsec" series profiles a number of people working in this space, which offers a great opportunity to see the career path many took to get there, as well as the job duties they take on. Some focus their whole energies on opsec, while for others it's just one task out of many on their plates. You need to determine how best to implement opsec concepts in your own organization.
Join the CIO New Zealand group on LinkedIn. The group is open to CIOs, IT Directors, COOs, CTOs and senior IT managers.