OPSEC For Everyone

 

Operational security (OPSEC) is not limited to the business sector; it can also be applied in our everyday lives. It's easy to forget how much people close to us know and share. Most of the time, we think of using OPSEC at work to protect our mission. But we can and should also use the OPSEC cycle at home to protect our families, our information, and our property. 

 

The first step we should do is figure out how dangerous the information found on our digital footprint might be. To do this, we should ask ourselves the following questions:

1. Should we make this available to the public or keep it private?
2. What does an adversary need? What kind of knowledge could put us at risk?
3. When did we post this information? When does this start to lead to trouble?
4. How could an adversary get into our system? How could we know?
5. Why would adversary want to compromise us?

 

The second step that we need to do is classify the information that is sensitive, that identifies us, that may be used to breach our accounts, or that would allow an adversary to construct a profile on us. The following are some examples:  

• Email(s)
• Phone number (mobile/cell, number could be at risk from SIM swapping)
• Home address
• Social media profiles
• Passwords
• Financial information
• Usernames/ handles / gamer tags
• IP address
• MAC address
• Images (i.e our house, family, or selfies).
• Date of birth
• Devices and Operating System versions these are captured by social media sites and are discoverable by adversaries
• Posts of movements (such as planning to attend someone's event in future)
• Location data shared with third parties, especially GPS and fitness apps
• Information friends,family or our colleagues have shared about us on their social media profiles
• Work information such as security badges, access passes, company devices
• Birth certificate, passport number, identification card
  

All of this information is highly valuable to an adversary, whether that adversary is a loan shark who is attempting to offer us money lending service by abusing our privacy and online tracking or an attacker who is attempting to steal our identity in order to utilize it in connection with any criminal action.

 

The third step we need to do is make an effort to put ourselves in the adversary's shoes in order to determine how they may use this information to their advantage and, more significantly, why they would do so. You can accomplish this by asking the questions that are listed below: 

• What would be the most likely way for an adversary to target me?
• How is my information exposed?
• What other steps can I take to prevent unauthorized access to my data?
• What steps can I take to prevent an adversary from acquiring my confidential information?
• How would I be able to tell if my security has been breached? How soon could I respond if I was in that situation?
• Why is this information useful to an adversary?

We need to make an effort to clarify how the information we provide could be used to learn more specifics about us or our routine of life. It is important to analyse all of our information by looking at what might be useful for an adversary in each photo, social media post, blog post, video streaming, gaming platform, etc.

The final step is to perform our own OPSEC is to prevent the adversary. There are few ways to accomplish this such as:

• Ensuring all passwords are completely unique using a password manager
• Using multiple password managers. Offline for critical accounts, online with 2FA for accounts we use on a daily basis
• Ensuring that email addresses do not contain any identifiable information about us, such as year of birth, gender, etc.
• Checking where emails or usernames have been found in breaches using sites such as https://haveibeenpwned.com/ , https://dehashed.com/ or Inoitsu.
• Use a VPN to mask our real IP address especially when signing up to any websites
• Careful about what apps we download and also change our Advertising ID under Google Settings in order to mess with the advertising algorithm if we are using an android phone.
• Turn off location tracking on phone, maps and all apps if we are not using it
• Use privacy settings to ensure that email addresses are made private from public
• Find and delete the online accounts we no longer use.
• If there is a social media account that we no longer use, it is better to delete a social media account than to deactivate it, because deactivating an account means that it is still open and can be searched.