What is OPSEC?
Operational security (OPSEC) refers to the measures taken to conceal your Digital Footprints from a potential adversary. In other words, keeping secrets from bad guys. The term originates in US military history, and is often summed up in the adage “loose lips sink ships.” Soldiers and their families are trained to give away as little information as possible in their correspondences and keep quiet on military matters because enemy spies will intercept communications and piece together scraps of leaked data. Journalist Geraldo Rivera provided a stellar example of bad OPSEC during Operation Iraqi Freedom. While acting as a war correspondent, he drew a map of Iraq in the sand and indicated the position of the 101st Airborne relative to Baghdad for all his television viewers—including potentially Saddam Hussein. This is an extreme example, but civilians routinely broadcast information that could be used by burglars, scam artists, and cybercriminals.
There are many OPSEC strategies. Concealment involves hiding information, like using a privacy screen with your monitor at work. Compartmentalization involves the segregation of information. An example would be limiting how many employees are provided the combination code for a storage locker. Deception can involve lying, but more often it means disguising information to look like something else. Using light timers to make an unoccupied house appear occupied would be an example of deception. The point is there are many ways to practice OPSEC, and people with greater security needs can employ a combination of strategies. This article will focus on one strategy in particular: emission control, or limiting the amount of information that is broadcast.
Think About your Digital Footprints Before You Post
We live in a world where we are constantly asked to share information about our lives. Perhaps you have a friend enjoying a vacation somewhere sunny, and he is documenting every hour of this jealousy-inducing adventure on social media. Aside from sharing photos of sunsets and fruity drinks, he is effectively announcing that his house will be unoccupied for anyone that might want to rob him. He is also advertising his location to any potential kidnappers in this exotic land. A con artist pretending to be him might call his relatives saying he was arrested while on vacation, and request they send a wire transfer for “bail.” These dangers could be avoided if he simply delayed posting photos until after the vacation was over and he was safely home. This is a very common example of everyday OPSEC. But vacationers aren’t the only ones broadcasting potentially useful information to crooks.
Software developers, IT specialists, and other technology professionals on LinkedIn are encouraged to share what tools they work with. This facilitates recruiters searching for new employees. But this also makes it significantly easier for hackers trying to figure out what programs a company uses. Other users might feel the urge to update their profiles the moment they are hired for new positions. This makes them easy targets for social engineers looking for newbies to prey on. A better approach might be to speak more broadly about skills. For example, instead of saying “I have experience with Check Point,” say “I have experience with firewalls.” Suppressing the urge to update your LinkedIn profile for a period of six months will give you the necessary time to learn the ins-and-outs of your new job and reduce the likelihood that a social engineer will target you during that vulnerable period.
There are also numerous examples where social media users will unintentionally share information. The GPS, for all the convenience it provides, presents a vulnerability if the wrong people can learn your location. Many smartphones and digital cameras will automatically geotag photos taken with them. This means digital footprints about where the picture was taken will be embedded in the image file itself. Some smartphones will record all the locations that phone has been. An adversary with access to a stolen or hacked phone can potentially learn a target’s routine, workplace, and usual hangouts. Apps like Foursquare that broadcast a user’s location can be abused by stalkers. Location-based games like Pokemon Go have been abused to lure users to unsafe places. Simply denying an app permission to use “location services” and implementing a little common sense is usually enough to mitigate these risks.
None of this should be interpreted as a blanket condemnation of social networking sites or the social media butterflies that inhabit them. Platforms like Facebook, Twitter, and LinkedIn can provide a great way to connect with friends and family. They also provide a way to build your personal brand and reach thousands of potential customers. But oversharing can put you at risk. Be a responsible extrovert. Before you post anything, consider the following acronym and WARN yourself:
W – Why am I sharing this? It is necessary to let the world know?
A – How could an adversary use this information to harm me?
R – Would I regret it if the wrong person saw this?
N – Is it important to post this now, or can it wait?
Author: Louis Papa
Silent Storm Security Contributor | Security Engineer