Operations Security: What is it and why we need it

OPSEC (Operational Security) is a term derived from the US Military and is a process used to deny a potential adversary or a threat, any sort of critical intelligence that could jeopardize the confidentiality and/or the operational security of a mission. Lately, OPSEC is becoming prominent in the private sector as well. Things that fall under the OPSEC, include monitoring actions and habits on social media sites, and discouraging employees from sharing login credentials via email or text message.

Performing OPSEC not only hits a very important role in both offensive and defensive security strategies but also everyday life. One of the biggest reasons for having an OPSEC is to defend yourself from cyber-criminals, hackers, and governments from obtaining data that can disclose sensitive information about you, with doxing being the most prevalent attack used to unmask flaws in OPSEC.

Why is Personal OPSEC necessary

Adversaries constantly profile targets looking for potential weaknesses in personal OPSEC. It can take less than four hours of online recon using Open Source Intelligence (OSINT) techniques to gather enough intelligence on a target to learn about them:

• Full Name
• Location
• Social Security Number
• Date of Birth
• Email Accounts and Passwords
• Their Online Digital Footprint
• Employment & Financial Information
• Mobile/Work Telephone Numbers
• Social Media Information/Posts
• Family/Friends/Colleagues

Such information allows a motivated attacker to do some serious damage — especially if you reuse passwords, using the same email as a login for multiple web apps, or use an email/username that can identify something about you.

The Five Stages of OPSEC

We can classify the process required in OPSEC into five steps:

1. Identification of your sensitive data: This will consist of your relational information, financial information, personal information, and digital footprints. This will be the data you will need to focus your resources on protecting.
2. Identification of threats: For each group of information, you should establish what kinds of threats are present. Threats such as third-party companies, hackers, and cyber-criminals are a few.
3. Analyze security holes and other vulnerabilities: Determine your present safeguards and establish what loopholes remain that may be exploited to get access to your sensitive data.
4. Examine the level of risk associated with each vulnerability: Determine your risk using aspects. The more likely and damaging an attack is, the more you should prioritize mitigating the identified risk.
5. Take countermeasures in place: The last step of OPSEC is to establish and enforce a strategy of action to nullify threats and reduce risks. This could include updating/upgrading your hardware, using privacy oriented software, or change of passwords, etc.

Personal Security Checklist for OPSEC

This list is curated from Lizzy93’s Personal Security Checklist that is the best for application of OPSEC in personal as well as organizational standing:

For Authentication:

• Use a long, strong, and unique password for each of your accounts (see HowSecureIsMyPassword.net) and use a secure password manager, to encrypt, store and fill credentials, such as BitWarden or KeePass
• Enable 2-Factor authentication where available, and use an authenticator app or hardware token
• Sign up for breach alerts (with Firefox Monitor or HaveIBeenPwned), and update passwords of compromised accounts

For Browsing:

• Use a Privacy-Oriented Browser such as Brave or Firefox. Set your default search to a non-tracking engine, such as DuckDuckGo, and do not enter any information on a non-HTTPS website
• Block invasive 3rd-party trackers and ads using an extension like Privacy Badger or uBlock
• Consider using compartmentalization to separate different areas of your browsing (such as work, social, shopping, etc), to reduce tracking. This can be done with Firefox Containers, or by using separate browsers or browser profiles
• Don’t allow your browser to save your passwords or auto-fill personal details (instead use a password manager)

For Phone:

• Set a device PIN, ideally use a long passcode. If supported, configure fingerprint authentication, but avoid face unlock
• Encrypt your device, to keep your data safe from physical access.
• Keep device up-to-date. System updates often contain patches for recently-discovered security vulnerabilities. You should install updates when prompted
• Review application permissions. Don’t grant access permissions to apps that do not need it.
• Disable connectivity features that aren’t being used, and ‘forget’ WiFi networks that you no longer need

For Emails:

• Use a long, strong, and unique password and enable 2FA
• Consider switching to a secure and encrypted mail provider using, such as ProtonMail or Tutanota
• Use email aliasing to protect your real mail address, with a provider such as Anonaddy or SimpleLogin. This allows you to keep your actual address private, yet still have all messages land in your primary inbox
• Disable automatic loading of remote content, as it is often used for detailed tracking but can also be malicious

For Networks:

• Use a reputable VPN to keep your IP protected and reduce the amount of browsing data your ISP can log, but understand their limitations. Good options include ProtonVPN and Mullvad, see thatoneprivacysite.net for detailed comparisons
• Change your router’s default password. Anyone connected to your Wi-Fi can listen to network traffic, so to prevent people you don’t know from connecting, use WPA2 and set a strong password.

Linux Operational Security

Linux Operational Security differs from individual to individual. It’s generally based on what physical device you use i.e. Physical Standalone Device, Cloud-Based Device, USB Persistence Device, etc., the choice of Linux distribution, your preference of operations you want to conduct (offensive or defensive), and would it be our daily driver, or will it be an air-gapped device for a few specific tasks. This will shape our method on what we do with our setup, as that will alter what we do with the device.

Offensive Operations Threat Modelling

If you are aiming for only offensive operations for the device, the best bet would be to employ a non-persistent USB Linux. One of the initial considerations for any offensive operation is the identifiability of the device, meaning will it be rememberable if an individual were to see the device. The next major consideration is that what features of the device do we need. Do we need Bluetooth to be enabled all the time? Do we require certain devices connected always? As you have decided on a device, it is crucial to consider the physical operational security and the possible configuration issues.

Defensive Operations Threat Modelling

If you are planning on using the defensive operations, or even air gapping the device, then you will require to again follow the offensive operations threat modeling approaches and apply them to the device. But to add to that there are many other considerations we take when air gapping a device. Concepts such as how regularly you will bring the device online, and when you will update it. A lot of air-gapped devices are usually not kept up to date.

As a Daily Driver

If you plan to handle the device as a daily driver, you will have a very different approach after adopting the threat modeling of the device, as you will use the device for everyday tasks. You will most likely need your SD card reader, all your USB ports, and possibly Bluetooth.

Hardening

Most individuals assume Linux is already secure, and that’s an inaccurate assumption. It’s essential to realize that the Linux operating system has so many distributions and each one will vary from the command line perspective, but the logic is the same. Here are a few tips that will aid in hardening your device:

• BIOS Protection
• Hard Disk Encryption
• Disk Protection
• System Updates
• Checking Installed Packages and eliminating unneeded Packages
• disabling unneeded services
• Checking for Open Ports
• Secure your SSH
• Enabling SELinux
• Adding Password Policies
• Checking Permissions

Defensive Tactics

Defensive tactics will make you much better at evaluating a target than being purely offensive in your tactics. You are required to recognize the best practices and how they carry out in order to understand where the target might have had shortcomings in its implementations. Understanding the needs of the target and our own needs will yield us higher insight into threat modeling for defensive and offensive strategies against a system. Most of the hacking and even operational security is really understanding the threat modeling and how to handle drops when something happens to the security of your system and your operational security is compromised.

Further Reading

• https://the-parallax.com/2019/02/27/simple-nomad-opsec-tips-qa/
• https://linuxgazette.net/164/kachold.html
• https://www.tripwire.com/state-of-security/security-data-protection/opsec-everyone-not-just-people-something-hide/#:~:text=OPSEC%20(Operational%20Security)%20is%20a,operational%20security%20of%20a%20mission.
• https://www.pluralsight.com/blog/it-ops/linux-hardening-secure-server-checklist

I hope you enjoy the read. Till then happy learning.

Blog by Nerd of AX1AL. Join our Discord server.