Copyright December 2021 Faulkner Information Services. All rights reserved.
In this report...
OPSEC objectives and processes
OPSEC best practices
Operational security (OPSEC) is a security and risk management process aimed at preventing sensitive information from falling into the hands of adversaries. It originated in the military and was first developed during the Vietnam War, when a counterintelligence team realized that its adversaries did not need to decipher sensitive communications to obtain useful data: members of the military were inadvertently leaking information that allowed enemy forces to assess the strengths and weaknesses of a military campaign. Over time, other US government agencies, including the Department of Defense, have adopted the OPSEC process to protect national security.
The official definition, according to the Department of Defense Dictionary of Military and Associated Terms, is as follows:
"OPSEC is the process of identifying critical information and subsequent analysis of friendly actions accompanying military operations and other activities to:
- Identify the operations that can be observed by adversary intelligence systems.
- Determine what indicators adversary intelligence systems could receive that could be interpreted or compiled to extract critical information in time that would be useful to adversaries.
- Select and implement measures that eliminate or reduce to an acceptable level the vulnerability of friendly operations to adversary exploitation."
In January 1988, the United States issued National Security Decision Directive 298, outlining its national OPSEC program. This defines how OPSEC is to be applied, its processes and the actions to be taken.[1]
Why OPSEC is important to organizations
OPSEC is now also used by organizations to protect customer data and to deal with corporate espionage, information security and risk management. To achieve this, IT and security professionals are encouraged to view their operations and systems from the perspective of a potential attacker to uncover issues that could put the organization at risk. This will then inform them of the best countermeasures to take to mitigate these issues.
OPSEC is important because it takes a different approach from traditional data security measures: it combines technical and non-technical processes to prevent the exposure of information, especially classified or sensitive information that could be used against the organization for nefarious purposes such as malware attacks or security breaches, or that could be published, damaging the organization's reputation.
Piecing information together
Adversaries generally do not rely on a single piece of isolated information when planning their attacks; rather, they accumulate information over time to build a bigger picture and make their attacks more successful. Because this may include publicly available information, organizations should not only ensure that critical information held in their systems is protected, but also be aware of what information is shared by management, suppliers and employees, whether intentionally or unintentionally. A particular problem arises when employees reuse credentials to log into multiple services or share their credentials with others. For suppliers, OPSEC should be included as part of the organization's supplier risk management program.
OPSEC includes the use of technical and non-technical countermeasures. According to UpGuard, technical countermeasures can include protection against various types of malware, ransomware, vulnerabilities, email spoofing, identity theft, domain hijacking and other cyber attacks that can cause security incidents or breaches.
Non-technical measures include prohibiting users from posting an organization's sensitive information on social media sites, including photos from which an attacker could derive information, for example by examining objects in the background.
MilitaryBenefits.info, which provides information to the military community, states that the reconnaissance phase conducted by adversaries seeks to collect and process a large amount of seemingly unrelated information. It lists the following methods adversaries use to collect that information:
- Observing actions to determine patterns of behavior and the situations in which those patterns are interrupted.
- Collecting data from social media.
- Intercepting communications such as phone calls or emails.
- Using undercover individuals to eavesdrop on public conversations or to "social engineer" personnel such as administrative staff.
- Tracking people's movements using geolocation data.
OPSEC objectives and processes
According to Sandia, the following should be the main goals of an OPSEC program:
- Identify vulnerabilities in programs and activities.
- Determine the effect the loss of critical information may have on organizations.
- State OPSEC measures to protect information from accidental or intentional release or exposure, if applicable.
- Increase awareness of operational security.
</gml_replace>
<gr_replace lines="37-40" cat="clarify" orig="It also states">
It also states that an OPSEC program can be reduced to three steps: think, assess and protect.
- Think: understand what information needs to be protected because it is most valuable to attackers.
- Assess: consider how adversaries obtain information and the risk to the organization if it is lost.
- Protect: implement appropriate OPSEC measures to protect the information.
- Make it difficult for adversaries to gather information and intelligence.
- Avoid inappropriate access to confidential or sensitive information.
- Determine the overall risk associated with information loss as part of the risk management process.
It also states that an OPSEC program can be reduced to three steps: think, assess and protect.
- Meditateit's about understanding what information needs to be protected because it's most valuable to attackers.
- discretionrefers to considerations of how adversaries obtain information and the risk to the organization if it is lost.
- Protectrefers to the implementation of appropriate OPSEC measures to protect information.
At a more detailed level, the OPSEC process is defined in five steps. These steps were never meant to be followed in strict order; they are better treated as fluid and iterative. Those planning an OPSEC program should also tailor the process to the specific needs of their organization. The Joint Security Commission states that the overall goal should be to provide a basis for developing cost-effective security countermeasures tailored to the identified threat. Such countermeasures may include changes to operational and administrative routines; the use of cover, concealment and deception; and any other measures intended to impair the adversary's ability to exploit indicators of critical information.
These five steps are:
- Identification of critical information: Critical information is information and factual data about intentions, capabilities and activities that would enable an adversary to plan and act to disrupt operations, such as organizational information and details of security measures. Organizational limitations and vulnerabilities should also be considered. Identifying it allows an organization to focus on the information that is critical to its business, rather than trying to protect all classified or sensitive unclassified information, much of which may never be available or accessible to attackers.
- Threat analysis: This step determines the threats posed by an adversary's ability to collect, process, analyze and use the information it can gather. The aim is to learn as much as possible about each potential adversary and its ability to target the organization, combining information about the adversary's intent with its capability to launch an attack. Sources outside the organization, including intelligence, law enforcement information and publicly available information, should be used to identify likely adversaries and prioritize the threat level.
- Vulnerability analysis: This is where thinking like an attacker comes in. Those charged with OPSEC should take an adversarial view of the activity requiring protection to identify exploitable vulnerabilities. These are weaknesses that would reveal critical information and that can then be compared with the threats analyzed in the previous step. This step identifies the type of information an adversary could gather and the organization-specific weaknesses that could be exploited.
- Risk assessment: Because OPSEC is primarily a security and risk management process, risk assessment is critical to the success of any program. This step compares the identified threats and vulnerabilities with the risk posed by adversaries and their capabilities to gather information. Risk levels can then be rated: high, requiring immediate action, or low enough that no protective measures are needed. The rating should be based on the likelihood of critical information being obtained and the likely impact on the organization if it is. A cost-benefit analysis helps determine the likely cost and effectiveness of the measures taken.
- Application of appropriate countermeasures: Countermeasures protect an activity from exploitation, for example by removing a threat posed by an adversary or by preventing exploitation of a vulnerability. These countermeasures should be documented in the OPSEC plan, and it is important that they are reviewed regularly to stay current with emerging threats. The effect of implementing a countermeasure should be assessed by weighing the impact on the organization of losing the critical information against the cost of implementing the measure. Alternatives may exist that provide the same protection at a lower cost while remaining effective. If the cost of a countermeasure is judged too great, the organization may decide to change the way the activity is carried out or to eliminate it.
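The risk assessment and countermeasure steps above lend themselves to a simple scoring model. The following is an added worked example, not code from the report or from any OPSEC standard: it rates each critical information item by combining threat intent and capability (threat analysis) with how observable the item is (vulnerability analysis), turns that into likelihood x impact, and then runs the cost-benefit pass over candidate countermeasures, preferring the cheapest option among those giving the same protection. All assets, threats, scores and costs are constructed sample values.

```python
"""Illustrative OPSEC risk register (added example; all figures constructed)."""
from dataclasses import dataclass


@dataclass
class Threat:
    name: str
    intent: int       # 1-5: how motivated the adversary is to target this item
    capability: int   # 1-5: ability to collect and exploit the information


@dataclass
class Countermeasure:
    name: str
    cost: float                  # constructed annual cost of the measure
    likelihood_reduction: float  # fraction of likelihood removed, 0.0-1.0


@dataclass
class CriticalInfo:
    name: str
    impact: int          # 1-5: damage to the organization if the item is lost
    exposure: int        # 1-5: how observable/collectable it is (vulnerability analysis)
    threats: list        # Threat objects from the threat analysis step
    candidates: list     # Countermeasure options considered for this item


def likelihood(item: CriticalInfo) -> float:
    """Likelihood (0-1) that the item is obtained: strongest threat scaled by exposure."""
    worst_threat = max(t.intent * t.capability for t in item.threats) / 25
    return worst_threat * item.exposure / 5


def risk_score(item: CriticalInfo) -> float:
    """Risk on a 0-5 scale: likelihood x impact."""
    return likelihood(item) * item.impact


def risk_level(score: float) -> str:
    """Bands chosen for this example: high needs immediate action, low may be accepted."""
    if score >= 3.0:
        return "high"
    if score >= 1.5:
        return "medium"
    return "low"


def select_countermeasure(item: CriticalInfo, loss_cost: float):
    """Cost-benefit pass: expected benefit = likelihood removed x cost of the loss.

    Returns the measure with the best net benefit (benefit minus cost); among
    equally protective measures the cheaper one wins. Returns None when no
    measure pays for itself, the case where the text says the organization may
    instead change or drop the activity.
    """
    lik = likelihood(item)
    scored = []
    for c in item.candidates:
        net = lik * c.likelihood_reduction * loss_cost - c.cost
        if net > 0:
            scored.append((net, -c.cost, c))
    if not scored:
        return None
    scored.sort(key=lambda s: (s[0], s[1]), reverse=True)
    return scored[0][2]


def assess(item: CriticalInfo, loss_cost: float) -> dict:
    """One register row: score, level and the chosen countermeasure (or None)."""
    chosen = select_countermeasure(item, loss_cost)
    return {
        "item": item.name,
        "score": round(risk_score(item), 2),
        "level": risk_level(risk_score(item)),
        "countermeasure": chosen.name if chosen else None,
    }


# Constructed sample register (not from the source).
SCHEDULE = CriticalInfo(
    name="data-centre maintenance schedule (constructed)",
    impact=5,
    exposure=5,  # posted to a public vendor forum, so fully observable
    threats=[Threat("competitor", 3, 3), Threat("organized crime", 4, 4)],
    candidates=[
        Countermeasure("need-to-know briefing plus NDA for suppliers", 5_000, 0.5),
        Countermeasure("encrypt scheduling emails", 8_000, 0.5),
        Countermeasure("supplier portal with access control", 40_000, 0.7),
    ],
)
MENU = CriticalInfo(
    name="staff cafeteria menu (constructed)",
    impact=1,
    exposure=5,
    threats=[Threat("casual observer", 1, 2)],
    candidates=[Countermeasure("remove from website", 200, 1.0)],
)

if __name__ == "__main__":
    for item, loss in ((SCHEDULE, 100_000), (MENU, 500)):
        print(assess(item, loss))
```

Run as a script, the schedule item comes out high risk with the cheaper of the two equally protective measures chosen, while the menu item is low risk and no countermeasure justifies its cost, which is exactly the accept-the-risk outcome the text describes for low ratings.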
OPSEC best practices
There are a number of best practices that organizations should follow to protect themselves. Non-technical considerations include:
- Have a documented OPSEC plan whose effectiveness is regularly reviewed.
- Ensure that sensitive and critical information is securely stored and securely destroyed when no longer needed. For example, it should never be placed in an unsafe place, such as a recycling bin, but must be thoroughly deleted and destroyed. For physical documents, shredding can help.
- Raise awareness throughout the organization that communications can be intercepted, including phone calls, faxes, emails, and data on mobile devices that can be lost or stolen. Mandatory encryption will help with the latter. When in doubt, use the most secure method of communication available.
- Security should come first for all employees in any action they take.
- All employees should be trained to be aware of unsolicited requests and requests for sensitive information. Adversaries will often use techniques involving social engineering in an attempt to extract valuable information, including through electronic means, over the phone, or by visiting a facility in person.
- Any badges that identify employees or provide access to facilities must be kept out of sight and should be removed when leaving the premises.
- It is especially important that staff are trained to be aware of the dangers of social media, websites and other applications to avoid the release of sensitive information. Only company approved apps should be allowed on mobile devices and the dangers of file sharing apps should be communicated.
- Implement the "need to know" principle and ensure that it is communicated throughout the organization.
It is also best practice to take a number of technical measures as part of the OPSEC program. Configuration and change management are subject to security concerns, so it is important to ensure that all changes are approved and tested. All changes should be controlled and recorded so that all changes and additions can be tracked and audited. Vulnerabilities that are identified should also be carefully monitored and managed to mitigate security issues.
Measures should also be put in place to monitor the technology estate for possible attacks and unauthorized activity. These measures should include monitoring and limiting who and what has access to critical information. Access should be granted only to the users and devices that genuinely need it, and devices that gain access must have appropriate security controls in place. For users, least-privilege access should be enforced; this is especially important because credentials that provide privileged access are a magnet for attackers. Users should have the minimum level of access required, with privileges granted as needed and removed when the task is complete. There should be no standing administrator rights that provide blanket access to sensitive systems.
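The access principles in the paragraph above (privileges granted as needed and removed when the task is complete, no standing administrator rights, access only from devices with appropriate controls, and an auditable record) can be expressed as a small just-in-time privilege broker. The code below is an added illustration written for this article, not a product or a reference design from the source; the policy limit, the device compliance list and the ticket reference are constructed assumptions.

```python
"""Just-in-time privilege broker (added example; policy values are constructed)."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass
class Grant:
    user: str
    role: str
    reason: str          # e.g. a change ticket; recorded for audit
    approved_by: str
    expires_at: datetime


class PrivilegeBroker:
    # Constructed policy: no elevation may outlive a working session.
    MAX_TTL = timedelta(hours=4)

    def __init__(self, compliant_devices):
        self._grants: list[Grant] = []
        self.audit: list[dict] = []          # append-only record of every decision
        self._compliant = set(compliant_devices)

    def _log(self, when, event, user, role, detail=""):
        self.audit.append({"at": when.isoformat(), "event": event,
                           "user": user, "role": role, "detail": detail})

    def grant(self, user, role, reason, approved_by, ttl, now):
        """Elevate a user for a bounded time. Enforces separation of duties
        (no self-approval), a stated reason, and the TTL ceiling."""
        if approved_by == user:
            raise ValueError("self-approval is not permitted")
        if not reason:
            raise ValueError("a reason is required for every elevation")
        if ttl > self.MAX_TTL:
            raise ValueError("ttl exceeds policy maximum")
        g = Grant(user, role, reason, approved_by, now + ttl)
        self._grants.append(g)
        self._log(now, "grant", user, role, f"{reason}; approved by {approved_by}")
        return g

    def revoke(self, user, role, now):
        """Explicit removal when the task finishes early."""
        before = len(self._grants)
        self._grants = [g for g in self._grants if not (g.user == user and g.role == role)]
        if len(self._grants) != before:
            self._log(now, "revoke", user, role)

    def _expire(self, now):
        # Expired grants are pruned on every check, so nothing lingers.
        for g in self._grants:
            if g.expires_at <= now:
                self._log(g.expires_at, "expire", g.user, g.role)
        self._grants = [g for g in self._grants if g.expires_at > now]

    def authorize(self, user, role, device, now):
        """Return (allowed, reason). Both an active grant and a compliant device are required."""
        self._expire(now)
        if device not in self._compliant:
            self._log(now, "deny", user, role, f"device {device} not compliant")
            return False, "device not compliant"
        active = any(g.user == user and g.role == role for g in self._grants)
        self._log(now, "allow" if active else "deny", user, role,
                  "active grant" if active else "no active grant")
        return active, "active grant" if active else "no active grant"


def demo():
    """Walk one elevation through its lifetime; returns the decisions for inspection."""
    t0 = datetime(2021, 12, 1, 9, 0, tzinfo=timezone.utc)       # constructed timestamp
    broker = PrivilegeBroker(compliant_devices={"laptop-managed-01"})
    broker.grant("alice", "db-admin", "ticket CHG-0001 (constructed)", "bob",
                 timedelta(hours=2), t0)
    during = broker.authorize("alice", "db-admin", "laptop-managed-01", t0 + timedelta(hours=1))
    wrong_device = broker.authorize("alice", "db-admin", "home-pc", t0 + timedelta(hours=1))
    after = broker.authorize("alice", "db-admin", "laptop-managed-01", t0 + timedelta(hours=3))
    return during[0], wrong_device[0], after[0], broker.audit


if __name__ == "__main__":
    for entry in demo()[3]:
        print(entry)
```

The audit list is what the text's "tracked and audited" requirement turns into in practice: every grant, expiry, revocation and access decision is recorded with its reason, so a reviewer can later confirm that no privilege outlived its task.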
Incident management and response is another important topic so that you can recover from an incident and resume normal business as quickly as possible. Disaster planning and recovery is an essential part of any OPSEC program, with a plan in place that describes how the organization will respond to and mitigate any security incidents.
[1] National Security Decision Directive 298, "National Operations Security Program." White House, January 22, 1988.
About the author
Fran Howarth is a principal analyst at Bloor Research, a European IT research and consulting firm, and is also a frequent blogger. Her primary areas of focus are network and endpoint security, security intelligence and analytics, information governance and data security, advanced threat protection and identity management. She has worked as an analyst and consultant for over 25 years and has for many years contributed to Faulkner's publication Security Management Practices. She can be reached at email@example.com.
Website content copyright 2021, Faulkner Information Services. All rights reserved.