Protecting Your Valuable and Critical Information : OpSec
Protecting valuable and critical information – OpSec: A look at operational security
Loose lips sink ships
Author: Steve Hanafi (Silat Sharaf Practitioner, Malaysia)
Nowadays, it’s easy to get information and if you know what you are doing, getting information is laughably easy. It’s widely available on social networks, smartphones, a click while doing online searches, using unsecured Wi-Fi, printed resources - all these make it possible for someone, anyone, to find out just about anything on you.
5 Part to Operational Security
1. Identify critical information
What are the information or details that if leaked, can cause you the most harm or damage?
2. Analyze threat
Who can find your information, why would they want it and what will they use it for?
3. Analyze vulnerabilities
What are the weakness or mistakes that you or your family members have been committing for so long?
4. Assess risk
What is the worst case scenario if the information falls into the wrong hand?
5. Apply countermeasures
Taking proactive & preventive measures on a daily basis.
Just Who the Hell Would Want the Information Anyway?
For the military, their biggest threats are hackers, nation states, foreign spies, anarchist, terrorist groups that will use the information to plan their next move, use it to intercept their next move or a cyber-attack on the military force and their respective nation.
For average Joes like us, our threat comes from identity thieves, sexual predators and commonplace criminals that are looking for the opportunity to use this opportunity to commit crime - identity theft, phishing, break-ins, or kidnapping.
Just because you don’t think the information is useful, doesn’t mean someone else isn’t looking for it
How YOU Risk Leaking Your Own Information
Unlike in popular movies, there’s no spy that’s going to sneak into your room, “Mission Impossible” style, plug in a pen drive and steal all your data, that’s too much work for them, too much resource used and with too little in return. Instead they’ll use a few methods, that will use your unsuspicious-ness to get your data.
One thing to keep in mind; obtaining sensitive information can be as simple as asking a question or nabbing a discarded receipt from the garbage can. It can be even as simple as looking over your shoulder when you’re logging in to your many accounts on a public space.
1. Phishing
Phishing uses mail or other communication method that is made to lure a victim. The message is made to look as unsuspicious as possible, as if it is the real deal – except it’s not. The victim is usually asked or coaxed to fill in a form, provide confidential information often on a scam website which gives them your credit card information, personal data login data or other details. Sometimes permission or access is asked, and when allowed, malware is downloaded into the computer. Basically, no single cybersecurity measure, not even your antivirus can prevent this attack, as the “permission” is granted by the victim themselves.
2. Man in the middle (MitM)
Also known as eavesdropping attacks where the attacker inserts themselves into a two-party transaction, where they interrupt the traffic, filter and steal the data. Two ways where this can happen: 1, the visitor uses an unsecured public wi-fi / network connection, or 2, breaching the device using a malware, then installing a software to process all of the victim’s information.
3. “Juice Jacking”
Plugging into a public USB port is kind of like finding a toothbrush on the side of the road and deciding to stick it in your mouth.
Happens when someone interferes with your USB charging outlet by hijacking it with malware that will infect your device once you plug it in. You could possibly give out access to all of your information without you knowing about it at all, or worse having them hold your device hostage with ransomware. All this can happen just with you plugging in into that free public USB charging port.
Oh, and that cool looking 50 GB pen drive you found laying on the street? Do the right thing and give it to the authorities or best yet, just leave it there. Don’t even consider plugging it into your USB. Consider that you can start up an operating system from a USB drive. This means that it can access your hardware directly. And what that means is that your monthly 50 dollar anti-virus subscription can’t do much about it.
Consider buying your own datablocker, or even wiser, use your own portable charger—a wise investment, considering how inexpensive they are
4. Putting up details online
We get it, you’re proud of where you went to high school and college and can’t help updating your location on various platforms. But with a few searches and clicks and a bit of wisdom in using Google Map and Street View, people can easily locate where you live. And yeah, this includes anyone you’ve upset online over a few arguments online – giving them a genuine way to hurt you.
Left unmonitored, your kids can reveal critical information to strangers
What’s the Worst that Can Happen?
1. Losing your identity and having it being used by illegals on fake ids, and also the risk of having someone else using your credit card for their personal spending or even worse, your bank accounts being emptied.
2. Information on operations coordinated – For military, even companies, the risk of having your tactics, networks, procedures exposed, enabling your competitor or enemy to sabotage your operations by means of disrupting your network, ambushing your force, and hack into available infrastructure. All from to the login data that they got from you filling in that inconspicuous form.
3. Break ins. Well, thanks to your sweet Instagram post telling that you’re away for the whole weekend now people know that no one will be in the house. And thanks to you constantly updating your location, it is now easier to pinpoint where you live.
4. Having your data, information and projects that you are working on your laptop stolen by those that sees it as an opportunity for them to make money, remember the Man in the Middle? Yeah, him. That ugly bastard.
5. People using it as a leverage against you – manipulating, deceiving and betraying you using the information that YOU willingly gave.
Countermeasures
There’s a saying that goes:
“3 things you should keep private: your love life, income, next move”
If you think about it for a moment, you wouldn’t be telling the stranger behind you at Walmart that you’re going on a vacation and your house would be empty for the whole weekend, or would you be telling the suspicious looking guy across the street of your social security number, your password or the answer to the security question to your bank account? Or would you tell everyone at the mall of your house address, and the new diamond ring you bought your wife last week? Supposedly you wouldn’t do that in real-life, but to no surprise most of us are doing that online.
1. Be aware what you put out for the public to see
Be aware of what you put out online, the more you post, the more you expose and risk your information. If you still want to put things up online as much, then keep it to your close circle of trusted people. Be a little “less friendly” online. That “hot girl” randomly texting you could just be a middle-aged guy pretending to be a girl so he can install malware into your device.
A friendly advice, careful when you brag online. You see it as a way to show off or attract attention, while some see it as an opportunity to well, make money.
2. Be wary of the details you give out
Being extra cautious and aware when you fill in survey or forms online can really be helpful. Don’t simply trust someone who come up to you online, just like you wouldn’t trust a total stranger coming out of nowhere asking for your details and information. As scam mail, text and calls are getting rampant, do not hesitate to do a double check with the officials or with the authorities first. It never hurts to be sceptical of the calls that you receive.
When someone comes to you for no reason, they usually have something they want, keep that in mind.
3. An antivirus will do wonders for normal daily civilians
Your antivirus is usually your friend and it will have your back. When you download something, you shouldn’t have or browse somewhere you shouldn’t have browsed. Keep it fed with regular updates and find one that is cheap / free. Or spend money on it, if you want.
Choose a web browser that you can be moderately sure won’t send data back to its maker. Open source browsers are a good starting point, but always do a bit of homework before you settle on any single one for heavy-duty web browsing. If you’re particularly security savvy. Tor Browser comes with many privacy and security features pre-set and easily configurable.
4. Passwords
Long, non-verbal “gibberish” passwords with lots of weird characters to give the brute force algorithm some trouble (and make all those accesses easier to bust) are your friends. Write them down in a paper and hide it under your mattress if you have trouble remembering, For security questions, like the name of your pet, or the first school you went to, you can simply spell them backwards, just to thwart off any attempts of someone trying to figure it out.
To sum things up, there is always a risk of putting things on the net and the best place for your critical and valuable information is obviously off the grid. But we get it, some have to be on the device for ease of use, and basically that’s the only way. Be aware of hackers and opportunity seekers and their malicious intent-malware, they can creep up on you real fast. Take proactive and preventive measures, you’ll be fine.