Operational Security (OPSEC) is a term that has its origins in the military. The US Department of Defense defines it as a “method of denying critical information to an adversary.” It is the practice of identifying critical information or intelligence that needs to be protected from falling into the wrong hands (enemies, potential enemies or even members of one’s own military corps). OPSEC has a wide range of applications: it can be adapted to organizational and business processes and can be used by individuals as well.
In today’s chaotic world, we as individuals (civilians) also need to be able to maintain security in our daily lives, whether in relation to ourselves, our family, our work or, most especially, our finances. Maintaining security involves protecting critical information such as National Identification Number (NIN), bank details or BVN, medical information and even travel destinations. Adopting the OPSEC method can aid us in keeping these important assets safe from people who would look to do us financial harm (in this case scammers, hackers, and fraudsters).
Understanding the five-step operations security process
The thrust of the OPSEC process is identifying what you need to protect, analyzing threats and weaknesses that might impact it and then producing countermeasures to eliminate or lessen the impact.
Step 1 – Identify Critical Information. This first step is important because not all information has the same value, so applying the same security measures to all information without distinction would be a waste of resources. For instance, the password to your mobile banking app is worth more than the password of an email account you rarely use. The best way to recognize critical information is to ask yourself the question “What information, if it were to fall into the hands of fraudsters, would cause me the most harm?”
Step 2 – Identify Threats. After cataloging your most critical information assets, the next step is to identify threats. A threat is something that has the potential to cause harm. Identify those who might exploit the information identified in step 1 and what uses they might put it to.
Step 3 – Analyze Vulnerabilities. Vulnerabilities are weaknesses others can exploit to cause you harm. Vulnerabilities can exist in the way you interact with critical information assets or as critical information indicators. For the former, you would need to look at how you interact with the critical information identified in step 1 and how an adversary might exploit this process. As for critical information indicators, these are small portions of information that, when put together, can supply insight into an individual’s activity. For instance, your phone number, your email address and your bank account number might not mean much separately, but put together they give an attacker enough to mount a convincing attack.
Step 4 – Assess Risks. Risk is the likelihood that an adversary will exploit your critical information and thus have an impact on your activity. Assessing risks is the activity of assigning countermeasures to vulnerabilities based on the level of risk these vulnerabilities have.
Step 5 – Apply Countermeasures. Once you have discovered risks in step 4, then you can apply countermeasures to them. Countermeasures are activities designed to lessen or eradicate the impact of a risk by mitigating a threat or vulnerability.
Distilling the OPSEC process for scam prevention
While it might be necessary to walk through all the steps of the OPSEC process for businesses and organizations, individuals are free to adapt and use some of the steps as they see fit. We recommend that individuals identify critical information and review their actions to see how they might be inadvertently exposing such critical information or its indicators. A practical example of this would be your bank account details. Details posted online under a giveaway post can be harvested by a tech-savvy scammer, who might then go ahead and send you a phishing email using the logos of your bank and your account number. Below are several common ways critical information or its indicators are often exposed.
The Use of social media. Oversharing and the careless use of social media is one of the major ways people mistakenly expose information about themselves. Activities like taking pictures of where you work, posting about your activities (e.g., going to lunch) and using location tagging features reveal too much about your movements. As a result of such actions, scammers can easily check your activities, know your social connections, and even track your physical location. All this information can be used to craft a scam specifically targeting you. Also, social media users often reveal the names of their spouse, siblings, pets, favorite words, birthdays, all of which can be used by hackers to build a wordlist for a brute force (password hacking) attack.
Online Resumes and CVs. Posting your Resume or CV online is another way you can give out information to adversaries. These documents have work histories, skills, certifications, hobbies, and sometimes other information which can be used to set up a social engineering attack.
File Metadata. Metadata is simply data about data. Files such as images, videos and documents have metadata such as timestamps, the version of the software and the device used in creating them, and owner information at the point of creation or when they are edited. Exif data, which is metadata for videos and images, can include camera settings and GPS information. Such files are often shared without removing metadata, thereby leaking critical information.
Email Address and weak passwords. An email address can reveal a lot about a person, especially when the same email address is used to register on assorted services. There are several tools available on the internet that can list all the services on which a particular email address was used to register. From this, a hacker or fraudster can enumerate the digital footprint of the owner and plot an attack. Another way emails can leak sensitive information is if they were part of a data breach. This occurs when cybercriminals compromise a website offering a service and obtain the emails and passwords of those who registered on the website. Since people often use the same email and passwords for numerous services, cybercriminals then use this information to compromise other accounts belonging to the victims on other services and obtain sensitive information.
Information revealed through interactions. Another way sensitive information can be leaked is through conversations. Criminals can position themselves in places their targets are known to frequent in the hopes of eavesdropping on conversations. Other tactics can include fake questionnaires/surveys with some questions designed to elicit personal information, and phone calls impersonating reputable companies with a view to obtaining sensitive information.
Again, this is not an exhaustive list, and once you notice your actions are exposing or might expose critical information, the onus is on you to take practical steps to address this. For example, you might review the privacy settings of your social media accounts with a view to limiting who can interact with your posts, remove metadata from files before sending or uploading them, use different emails or burner emails, and hold sensitive discussions in private or secluded places.
In conclusion, keep in mind that operations security is all about keeping valuable information about yourself from those who will use it to do you harm. You will have to categorize information to know that which is enormously important and demands protection and then take the necessary steps to protect it which include not acting in ways that might reveal such information or its indicators.
Contributors:
- Chinonso Joshua Aguonye
- Enyinna Abazie