As more software and hardware vulnerabilities are discovered every day, the digital world becomes more unsafe to interact with. Following a doctrine while handling interactions is required to ensure optimal security. Operational security (OPSEC) provides the elements for implementing a cyber security-sensitive culture, a draft prepared by Idaho National Laboratory states.
This practice is known as operational security, and is one of the most fundamental aspects of cybersecurity. It is a method to strive for data ownership and privacy, with a focus on preserving sensitive information.
What Is Operational Security?
Operational Security, more commonly known as OpSec, was a practice developed for use by the military. It then rose in popularity in the private sector, with many cybersecurity practitioners adopting it to stay safe in an evolving digital world.
OpSec involves various behaviours such as monitoring where personally identifiable information is distributed, taking ownership of data shared online, and practicing general safety measures.
OpSec practitioners will often look for possible areas from which threats may emerge, and practice general hygiene when interacting online. OpSec is both versatile and large in its scope, due to the sheer number of attack vectors that are present in a place such as the Internet.
There are many practices every individual can enforce while using the Internet.
Identify Where Your Data Is Available
Personally identifiable information, otherwise known as PII, is one of the most valuable resources a user can have. This is data or metadata that can be accurately traced back to the real-world identity of the individual in question.
This creates a lot of issues, with the first being that privacy is completely compromised. Depending on the degree of PII given out, threats can range from exposure, known as doxxing, all the way up to identity theft and financial fraud.
Moreover, every post made in a location that is accessible to every user on the Internet, such as social media, needs to be scanned for sensitive PII. This includes data such as passwords, PINs, card numbers and location data.
Financial data should never be posted on the Internet, as this is one of the most sensitive forms of PII. Intellectual property, research or code should not be shared widely without requisite security measures to dissuade theft.
Look For Possible Attack Vectors
As practitioners of OpSec, users must maintain constant vigilance regarding possible attack vectors for a security compromise. This includes phishing attacks, Trojans, and malicious software such as rootkits and keyloggers.
Using an antivirus is strictly necessary for Windows machines, although the built-in Defender utility does the job without bloat. However, it is always recommended to switch to a Linux or UNIX-based operating system due to the reduced likelihood of malicious software installations. These include operating systems such as macOS or Ubuntu.
Any and all email should ideally be screened for symptoms of suspicious behaviour, such as requests for financial information or bank transfers. One should also be cautious of changed domain names in case of spear phishing attacks.
Whenever accessing a website, the domain as well as security certificates must be checked beforehand so as to not give PII to sites which are not the official ones.
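The domain check described above can be partly automated. The following is an added example, not part of the original article: it compares a sender or link domain against a personal allowlist and flags near-misses. The allowlist entries, the edit-distance threshold of 2 and the category names are assumptions chosen for illustration.

```python
# Constructed allowlist of domains the user actually deals with (assumption).
TRUSTED = {"example-bank.com", "mail.example.org"}

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, computed row by row."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                # deletion
                           cur[j - 1] + 1,             # insertion
                           prev[j - 1] + (ca != cb)))  # substitution
        prev = cur
    return prev[-1]

def classify_domain(domain: str, trusted=TRUSTED) -> str:
    """Return 'trusted', 'suspicious' or 'unknown' for a domain name."""
    d = domain.strip().rstrip(".").lower()
    if d in trusted:
        return "trusted"
    # Punycode labels or raw non-ASCII characters can hide homoglyphs
    # (for example a Cyrillic letter standing in for a Latin one).
    if d.startswith("xn--") or ".xn--" in d or not d.isascii():
        return "suspicious"
    for t in trusted:
        # A character or two away from a trusted name, e.g. 'l' typed as '1'.
        if edit_distance(d, t) <= 2:
            return "suspicious"
        # Trusted name used as leading labels of a different domain.
        if d.startswith(t + ".") or d.startswith(t.replace(".", "-") + "."):
            return "suspicious"
    return "unknown"
```

A result of 'unknown' only means the domain is not on the list and does not resemble it; it still needs the manual domain and certificate check before any PII is entered.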
General Digital Hygiene And Data Protection
This is, by far, the most far-reaching aspect of OpSec and the most difficult to ensure. This can also take the form of a checklist, which can be used to eliminate potential security pitfalls.
Primarily, PII should not be given out unless absolutely necessary. It is also important to not trust anything, instead verifying it. Many proponents have also advocated moving away from centralized data silos such as those seen in Google and Facebook.
Instead, cloud environments must be self-hosted, social media is not to be used and email servers must be either self-run or encrypted by a trusted party.
This also extends to messaging applications, with end-to-end encryption being a dependable way to ensure that third parties, even those managing the network, cannot access the messages.
Added to all of this, passwords and emails must be used responsibly. A password must never be reused, and emails that can potentially tie into PII must not be used.
Passwords must be over 32 characters in length to exponentially increase the amount of time required to crack them. A random string generator can be used for this purpose.
The random passwords must never be stored as plaintext anywhere. They must instead be encrypted, either by an algorithm developed by the user or one which is not used widely. This ensures that the method to crack it is not widely available.
Passwords must be updated regularly, and checked against a database such as Have I Been Pwned to ensure that they are not lost in data breaches.
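Generating a random password and checking it against Have I Been Pwned can be done without ever sending the password itself. The following is an added example, not part of the original article: it uses the Pwned Passwords range endpoint, which receives only the first five hex characters of the SHA-1 hash. The function names, the User-Agent string and the sample response are assumptions constructed for illustration.

```python
import hashlib
import secrets
import string
import urllib.request

ALPHABET = string.ascii_letters + string.digits + string.punctuation

def generate_password(length: int = 33) -> str:
    """Random password from the OS CSPRNG; 33 satisfies 'over 32 characters'."""
    if length <= 32:
        raise ValueError("the article asks for more than 32 characters")
    return "".join(secrets.choice(ALPHABET) for _ in range(length))

def split_hash(password: str) -> tuple[str, str]:
    """SHA-1 the password; return the 5-char prefix that is sent out and
    the 35-char suffix that never leaves this machine."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]

def breach_count(suffix: str, range_body: str) -> int:
    """Look up our suffix in a range response made of 'SUFFIX:COUNT' lines."""
    for line in range_body.splitlines():
        candidate, _, count = line.strip().partition(":")
        if candidate.upper() == suffix:
            return int(count)
    return 0

def fetch_range(prefix: str) -> str:
    """Query the Pwned Passwords range endpoint (needs network access)."""
    url = "https://api.pwnedpasswords.com/range/" + prefix
    req = urllib.request.Request(url, headers={"User-Agent": "opsec-example"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")

def is_breached(password: str, fetch=fetch_range) -> bool:
    """True if the password's hash suffix appears in the fetched range."""
    prefix, suffix = split_hash(password)
    return breach_count(suffix, fetch(prefix)) > 0

def sample_range_body(password: str) -> str:
    """Constructed response for offline use: one filler line, then the
    given password's suffix with a made-up count of 42."""
    return "0" * 35 + ":3\r\n" + split_hash(password)[1] + ":42\r\n"
```

Passing `fetch=lambda prefix: sample_range_body("password")` to `is_breached` exercises the lookup offline; leaving the default performs the real query.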
A VPN must be used everywhere that the Internet is accessed, as the IP address is one of the most dangerous forms of PII. Tracker blocking must be implemented, either at the browser level or the OS level. Ad blockers or obfuscators must be used in order to avoid giving information on clicks to advertisers.
While this might sound like the most paranoid outlook on using the Internet, it is one of the most dependable ways to ensure that users’ data is not stolen, held ransom or misused.