Operations Security Essentials: Be Suspicious!
Updated: Jan 5
The world is changing. The line between physical and digital worlds has blurred, with most activities by companies and individuals now occurring online. Technology may be progressing, but users are not adapting to this new world in which cyberthreats and risks are growing exponentially.
The lack of understanding of operations security (OPSEC) is exploited by attackers of all kinds on a daily basis. C-level executives are an obvious target as they traffic in high-level and sensitive information more frequently than frontline staff. Less obvious, however, is the attack vector – exploiting OPSEC mistakes may even extend to disrupting their personal lives and those of their loved ones.
Is an attacker adding your relatives to his social media circle to track you? Anything you should know about that brand new router delivered to your home last week? What about when you bring your laptop with you on vacation to keep an eye on emails?
Operations security will teach you to be aware of the risks and minimize your exposure to them. A set of practices used with the right tools will make your online and offline presence safer, not only for your employer but also for you and your inner circle.
So what are the main OPSEC steps to staying safe?
#1 Awareness, understanding. Be suspicious!
This is the first step – being aware of your trail of data, how attackers might abuse it and what can be done to prevent it. Remember that lures to elicit more information than you want to give can come from a variety of sources. Is that latest opportunity too good to be true? Then it most probably is the case. The people interested in engaging with you are professionals who know how to make things look too good to resist, but their only objective is to benefit at your expense.
#2 Think about whether you really need to share that info. Most of the time you don’t.
This applies both to the analog and digital worlds – the less you say the better. However, sometimes we’re unaware of how much we are saying and sharing through our devices. There is one well-known example of a hacker who was arrested thanks to data he provided in a forum years before he committed any crime. The lesson to learn here is that all the digital data we provide will be around forever.
#3 Discipline over tools
Conducting effective OPSEC is a combination of tools and habits. Tools are definitely an important aspect, but if we have to prioritize one of these factors over the other, it would have to be habits. And habits need discipline to be successfully applied. Even if this may sound hard, a few simple behaviors repeated over time in different situations will put you in that hard-to-get layer instead of the piece-of-cake one.
#4 Preparation – do your homework
As with most things in life, OPSEC requires some effort if you want to do it right. A little bit of preparation will make a huge difference when you find yourself in a tricky situation. For instance, when traveling to a foreign country, make sure your travel devices are ready, avoid bringing any sensitive data with you and be prepared for any unpleasant surprises. When stopped and asked to present your devices for checking, it will be a lot less nerve-racking for you if the devices don’t contain any confidential data.
#5 Learn the rules of disengagement
Unfortunately, unpleasant situations occur and we need to be ready for them. You may suddenly find yourself in a bizarre conversation with someone you don't know very well and who’s interested in paying you well to answer some simple questions about your employer. Is that a recruitment engagement? First, we need training to detect situations like these, calibrate our options and decide what to do. There are basic engagement rules to help you out of most tricky situations quickly and effectively.
Christian Martorella, Board Director, itrainsec: “Cybercriminals and other attackers use a wide range of technologies and strategies to access valuable data through individuals. Most of the time these individuals aren’t even aware they are leaving an undeletable data trail. The results can be catastrophic for the company, trying to understand what failed from the technical side when the hack happened at the human level.”
This itrainsec course invites businesses to observe operations from the point of view of the attackers so that you can understand and minimize the risks, and learn how to react to them.
We provide greater awareness based on real-life examples, both technical and non-technical. We show you how to be OPSEC-aware, perform a risk assessment, determine the threats and implement a realistic action plan that minimizes exposure to current and future attacks by advanced adversaries.
Key Takeaways of Operations Security Training:
Learn the relevance of OPSEC
Implement practical measures based on your needs
Learn how to use technical tools and how to implement mitigations
Real-world scenarios: what to do
Physical security and course of action
About the trainer
Christian Martorella has been working in the field of information security for the last 17 years. He is currently working as Head of Product Security for Skyscanner. He has also worked as Principal Program Manager in the Skype Product Security team at Microsoft, and Practice Lead of Threat and Vulnerability for Verizon Business, where he led a team of consultants delivering security testing services in EMEA for a wide range of industries, including financial services, telecommunications, utilities and government. Christian has been exposed to a wide array of technologies and industries, giving him the opportunity to work in most areas of IT security and gain experience from both sides of the fence. All this provides him with a unique set of cybersecurity skills and insights.