Friday 5 June 2015

Understanding the significance of Operations Security (OPSEC) in a fast evolving threat landscape

It is not the first time a military term is being used by the Information Security community in order to describe an Information Assurance process. Operations Security (OPSEC) is a military term referring to the protection of different types of unclassified information which could end up exposing the security of an entity if put together and combined. In other words, in information security OPSEC describes the process by which publicly available information (unclassified) can be used against us if taken advantage by cyber criminals and/or adversaries with malicious intent.

Effectively, OPSEC challenges us to step into the shoes of cyber criminals or in general our adversaries, whoever those might be, and assess ourselves. The main objective is to ensure that we are security minded and that we realise that any little piece of information released in the public domain about the business and ourselves, is becoming instantly available to anyone who wants to have access to it. Every little piece of information that we put in an email, the amount of information that we might be sharing over the phone, information posted on social media which might seem insignificant to the untrained eye, information that our employees are sharing about themselves and the business, is valuable to a cybercriminal.

In other words, we might be exposing the business to a number of threats ourselves, without realising it. 

There are five steps during the OPSEC process that we need to be aware of.
  1. Identification of Critical information
  2. Analysis of Threats
  3. Analysis of Vulnerabilities
  4. Assessment of Risks
  5. Application of Appropriate Countermeasures
OPSEC planning requires a clear understanding of the organisational activities as it must be integrated into them. The personnel responsible for OPSEC integration need to be able to identify all the necessary countermeasures required for protecting an organisation.

The best way to understand the risks involved when we operate without an OPSEC mind-set, is by outlining a number of examples from the real world. Cybercriminals utilise social engineering techniques in order to exfiltrate information from non-security minded/aware employees.
In one occasion, a fraudster called the front desk of a business pretending to be an employee which had stuck in a meeting without access to the WiFi. The front-desk was tricked into revealing the WiFi key to an unauthorised third party who was trying to access the wireless network from outside the building.

In a different situation, a number of employees were celebrating the birthday of a colleague. It was fairly easy for an attacker to pretend to be a man delivering a cake and some balloons in order to gain unauthorised access to the premises. During the previous months, the same person was gathering intelligence about the employees using popular social portals. The employees had collectively posted on their online profiles enough photos from the work place which made it fairly easy for the man in question to draw a detailed layout of the offices. Most importantly, in one of the photos it was clear where the server room was and what type of lock it had, allowing the individual to know which set of bump keys to use in order to open the locked door when inside the premises.

Another very interesting case was during a discussion with one of the employees of a company, it was disclosed unintentionally that the business was using an online task-tracking portal. This portal was capable of adding tasks to the list by simply sending an email to the service. More specifically, the service checks if the incoming email is originating from a registered email address to the service and it adds the incoming email to the appropriate person’s tasks list. The attacker was able to spoof a number of emails sent to that online service from email address harvested from the company’s online profile. Due to the spoofed email addresses, new tasks were added to the employees’ profiles. However those spoofed newly added tasks, contained malicious links and redirects waiting to be visited by the employees using the company’s terminals.

The aforementioned are simple and brief examples of how unintentionally disclosed information may be used against a business and its employees who do not have an information protection mind-set. OPSEC is not only an important prerequisite for achieving Cyber Security across all levels of businesses but also a necessary mind-set for the on-going process of information security. Consider the threat when you use the phone to disclose sensitive business or client information, when answering questions from strangers especially over the phone, when discussing work related tasks in public places, when engaging in social networking and when discarding documents with sensitive information instead of securely shredding them.

From the smallest business (e.g. merchants) all the way up to large organisations (e.g. acquirers, payment processors, corporations, etc.) OPSEC can be an invaluable ally when it comes to protecting our assets against fraudsters, cybercriminals or even malicious insiders.

-- This is a blog post I created for Sysnet and I am reposting it here for historical purposes. This was originally posted here.

No comments:

Post a Comment