When the U.S. military was engaged in the Vietnam War, some of its efforts were led by a team named Purple Dragon. This team noticed that their adversaries were seemingly able to anticipate their battle strategies and tactics successfully. The question arose: HOW?
 
They were able to establish that the Vietnamese warriors could not decrypt US military communications, nor did they have any intelligence assets inside the US military to collect intelligence from within. How, then, were the Vietnamese warriors able to anticipate the moves of the US military? In the end, the Purple Dragon team arrived at one conclusion: US forces themselves were revealing vital information to the enemy 'inadvertently.'
 
I hope that you haven't missed the word 'inadvertently' here.
-
 

👉 What is Operational Security?

Purple Dragon first coined the term 'Operations Security' (OpSec) and defined it as:
"The ability to keep knowledge of our strengths and weaknesses away from hostile forces."
 
Over time, this concept of Operations Security spread to other U.S. government departments and later into the private sector, and was developed in more detail. The Department of Energy, which is in charge of the U.S. nuclear arsenal, has its own definition of OPSEC, as given below:
 
"Operations security involves a process of determining UNCLASSIFIED or controlled CRITICAL information that may be an INDICATOR or PATHWAY to that classified information requiring protection, whether for a limited or prolonged time ... The purpose of opsec is to identify, control, and protect sensitive UNCLASSIFIED information about a mission, operation, or activity and to deny or mitigate an adversary’s ability to compromise that mission, operation, or activity."
-
👉 Operations Security From Corporate Perspective
 
In the corporate world too, there have been a large number of instances where outsiders were able to piece together public information about the key people of the company or key users into a bigger picture that the subject of the information would have wanted to keep secret.
 
There are instances of even security-minded people and professionals leaving all sorts of social media clues behind. Indeed, Facebook and other social media sites can leave trails that may be more damaging than you can imagine.
 
Your overzealous employee may tag himself in a post which reveals a training facility otherwise unknown to the public.
 
You may be chatting with your wife and telling her that you are highly stressed because your company is launching a new concept product next month. What if your wife tells some friends in an online forum that her husband is so stressed out nowadays because his company is launching a new concept product next month?
 
You have an account on an innocuous website, and the usernames and passwords of that website's users are breached. What if you are using the same username and password on your corporate website or other corporate servers? Don't you think that hackers will be damn happy to try out the same credentials against your employer's systems and see if they work?
 
What if the breach happens at your vendor or any other third party? What will happen if hackers have got the credentials of all those employees who connect with your systems on a routine basis?
 
Now it is time to come back to the moot point, i.e., All the security precautions in the world mean nothing if your organization leaves the backdoor open...
 
Things that fall under the OpSec umbrella include monitoring behaviors and habits on social media sites as well as discouraging employees from sharing login credentials or any other critical info via email or text message.
 
With these insights in mind, you can say that OpSec at corporates is a process that is concerned with identifying seemingly innocuous actions of your users or employees that could inadvertently reveal your critical or sensitive data to a cyber criminal.
 
-
 

👉👉👉 Why Opsec Is So Vitally Important?

 
OpSec is both a process and a strategy!
 
That's why you should encourage your IT and security managers to view their operations and systems from the perspective of a potential attacker. OpSec includes all sorts of analytical activities and processes that you can deploy at your company, such as behavior monitoring, social media monitoring, and security best practices.
 
OpSec is important because it would literally force your organisation to closely assess the SECURITY RISKS it is facing and to spot potential vulnerabilities that your typical data-security processes or approach may not. OpSec would enable your security teams to fine-tune and refine all their 'technical' and 'non-technical' processes, resulting in a much more cohesive security posture for your company.
 
You must have a clear OpSec Program if you truly intend to prevent the inadvertent or unintended exposure of your classified or sensitive data. If you do that, it would literally guarantee that the details of your company's future activities, capabilities, and intentions do NOT become public by any means.
 

IMPORTANT

You need to remember the most crucial fact from this post: the key to achieving the right OpSec is clearly knowing WHAT this information (as mentioned just above) is about, WHERE it is located, what LEVEL of protection is applied to it, what the IMPACT would be IF it is compromised, and HOW your organisation would respond!
 
Indeed, OpSec is a security and risk management process that prevents your sensitive information from getting into the wrong hands. Right?
 
For that to happen in right earnest, you must use RISK MANAGEMENT to discover all potential threats and vulnerabilities in your company's processes, the way these processes operate, and the hardware and software your employees use. Looking at your systems and operations from the perspective of a third party would enable your security teams to discover issues they may have missed or overlooked. The same perspective can be extremely crucial when they implement the appropriate COUNTERMEASURES to keep your most sensitive data secure.
 
Last but not least, your OpSec must extend beyond your organization's walls to your third- and fourth-party vendors. It needs to be part of your third-party risk management framework and vendor risk management programs.
 
-
 

👉 5-STEPS OF OPERATIONAL SECURITY

 
The processes involved in operational security can be neatly categorized into five steps:
 
1. Identify Your Sensitive Data
As I have repeatedly said, understanding what data your organization has and where its sensitive data is stored on its systems is a crucial first step to OpSec. Your sensitive data may include your product research & development, intellectual property, financial statements, customers' information, and employees' information. Once you have identified your sensitive data, you can then focus your resources on securing it.
 
2. Identify Possible Threats
For each category of information that you deem sensitive, you should identify what kinds of threats are presented to them. While you should be wary of third-parties or competitors trying to steal your information, you should also watch out for insider threats, such as negligent employees and disgruntled workers.
 
3. Analyze Security Holes And Other Vulnerabilities
You need to thoroughly analyze the potential vulnerabilities in your company's security defenses that could provide an opportunity for the threats to materialize. This involves assessing the processes and technology solutions that safeguard your sensitive data and identifying loopholes or weaknesses that attackers could potentially exploit.
 
4. Appraise The Level Of Risk Associated With Each Vulnerability
I would suggest that you RANK your vulnerabilities using factors such as the LIKELIHOOD of an attack happening, the EXTENT OF DAMAGE that you would suffer, and the amount of WORK AND TIME you would need to recover. The more likely and more damaging an attack is, the more you should prioritize mitigating the risk associated with it.
 
5. Get Countermeasures In Place
The last step of operational security is to create and implement a plan to eliminate threats and mitigate risks. This could include updating your hardware, creating new policies regarding sensitive data, or training employees on security best practices and corporate data policies. COUNTERMEASURES should be straightforward and simple. Employees should be able to implement the measures required on their part with or without additional training.
 
Overall, your OpSec Plan must be simple to understand, straightforward to implement and follow, and be updated as your security threat-landscape evolves.
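
The ranking in step 4 can be kept as a small risk register that also records the outputs of steps 1 to 3 and feeds step 5. The sketch below is an added example, not part of the original article: the 1-5 rating scale, the scoring formula, the band thresholds and every register entry are assumptions constructed for illustration from the scenarios described earlier in this post.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Finding:
    asset: str          # step 1: the sensitive data at stake
    threat: str         # step 2: who or what could expose it
    vulnerability: str  # step 3: the gap that lets it happen
    likelihood: int     # step 4 factors, each rated 1 (low) to 5 (high)
    damage: int         # extent of damage if it happens
    recovery: int       # work and time needed to recover

    def score(self) -> int:
        # Assumed model: likelihood scales the combined impact (damage + recovery).
        return self.likelihood * (self.damage + self.recovery)

def rank(findings):
    """Validate the ratings and return the findings ordered highest risk first."""
    for f in findings:
        for name in ("likelihood", "damage", "recovery"):
            value = getattr(f, name)
            if not 1 <= value <= 5:
                raise ValueError(f"{f.asset}: {name} must be 1-5, got {value}")
    # Ties are broken by damage, then likelihood, so the order is deterministic.
    return sorted(findings, key=lambda f: (f.score(), f.damage, f.likelihood),
                  reverse=True)

def band(score: int) -> str:
    """Map a score (range 2-50) to an assumed treatment band for step 5."""
    if score >= 30:
        return "mitigate now"
    if score >= 15:
        return "plan countermeasure"
    return "accept and monitor"

# Constructed sample register (illustrative ratings, not real data).
REGISTER = [
    Finding("Product launch plans", "Competitor reading public forums",
            "Staff discuss work details on social media", 4, 4, 3),
    Finding("Corporate logins", "Credential reuse after an outside breach",
            "Same password used on non-work websites", 5, 5, 4),
    Finding("Training facility location", "Outsider mapping company sites",
            "Employees tag themselves in posts", 3, 2, 1),
    Finding("Vendor access accounts", "Breach at a third party",
            "Vendor credentials are not rotated", 2, 5, 5),
]

if __name__ == "__main__":
    for f in rank(REGISTER):
        print(f"{f.score():>2}  {band(f.score()):<20} {f.asset}: {f.vulnerability}")
```

Re-rate the register whenever the threat landscape changes, so that the countermeasures in step 5 always follow the current ordering.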
 
-
As they say, Operations Security, in one form or another, has been around for as long as there were secrets that needed to be kept. It wasn’t always called OPSEC, but the core concepts of identifying and protecting critical information have always been a deciding factor in war, in business, and countless other ventures.
 
 
Kindly write 💚 your comments 💚 on the posts or topics, because when you do that you help me greatly in ✍️ designing new quality article/post on cybersecurity.
 
You can also share with all of us if the information shared here helps you in some manner.
 
Life is small and make the most of it!
Also take care of yourself and your beloved ones…
 
With thanks,
Meena R.
____

This Article Was Written & published by Meena R,  Senior Manager - IT, at Luminis Consulting Services Pvt. Ltd, India. 

Over the past 16 years, Meena has built a following of IT professionals, particularly in Cybersecurity, Cisco Technologies, and Networking...

She is so obsessed with the Cybersecurity domain that she goes out of her way to share hugely valuable posts and writings about Cybersecurity on her website and social media platforms.

34,000+ professionals follow her on Facebook and are mesmerized by the quality of the content of her posts there.
