The tiniest piece of information could be that one piece of information that cracks the code. It could be an innocent post on a social media site, one sentence from a news article, or it could be a piece of trash that means nothing to you, but unlocks the door to a wealth of information for everyone else.
Operational Security (OPSEC) originated from the military. The military recognized that even the smallest piece of information collected by the threat could be pieced together, or the missing link, to the bigger picture. Whether the information is classified or unclassified, information could pose a significant threat to the success of the mission. You could go back to the beginning of warfare with Sun Tzu, or to the start of the American Revolution where General George Washington is quoted as saying, “Even minutiae should have a place in our collection, for things of a seemingly trifling nature, when enjoined with others of a more serious cast, may lead to valuable conclusion.”
Threats, adversaries, or competitors, whether they be nation-states or businesses, seek to gain a competitive advantage over others in any way possible. While there is an internal focus on themselves, they also identify information that they need to maintain that advantage and to ensure they are postured for long-term success and prosperity. They develop information requirements and a plan to collect that information. They pool their available resources and then determine the information each particular resource will collect it. For nation-states this type of intelligence collection comes from various intelligence disciplines – Signals Intelligence (SIGINT), Imagery Intelligence (IMINT), and Human Intelligence (HUMINT). An intelligence discipline often overlooked is Open Source Intelligence (OSINT).
OSINT developed out of what was available in plain sight. It was a way for those without the resources of big business or global powers to collect valuable information without much investment, or risk of compromise. Nation-states and individuals realized that some of the information that was needed could be simply collected by reading the news. Reporters have great access to insiders and they report what they hear to sell print or to gain viewers. One could ascertain feelings and attitudes of the population by reading the news. Why would an entity expend valuable resources then when that information was readily available. That was one arm of OSINT.
The next arm came as a combination of OSINT and HUMINT. It can, and probably should be, argued that employees are the greatest vulnerability within any organization. They can be manipulated, exploited, and can be extremely careless, and all without knowing it. They use lackadaisical security practices, even if the organization as a whole has strong ones. They value convenience. They don’t shred papers, they gossip around the water cooler, they post daily happenings and frustrations on social media, and they throw things away. They represent a weak link. So HUMINT collectors, or social engineers in the business world, find ways to collect in plain site and use OSINT as an invaluable weapon.
OSINT leads us back to OPSEC. OPSEC is defined generally as a process that identifies critical information (see earlier blog) to determine if friendly actions can be observed by threats or adversaries, determines if information obtained by adversaries could be interpreted to be useful to them, and then executes selected measures that eliminate or reduce adversary exploitation of friendly critical information and protect that information. To get more to the point, it’s looking at yourself through an adversary’s view in order to identify vulnerabilities and then enacting protective measures to reduce those vulnerabilities.
So how do you do this. The OPSEC model is relatively straight forward; identify critical information, identify and analyze threats/adversaries, analyze your vulnerabilities, assess the risks, and counter the threat. This five step model is used with varying degrees world-wide and it’s easy to throw up on the wall and say that you do. It’s quite another thing to actually do this. It is a deliberate process that requires the whole of your organization. All things being equal, this shouldn’t be something that a manager does isolated in his office. This requires dedicated time and energy. If you are a small business owner do not let this be a limiting factor. You can bring in mentors or confidants; perhaps have the person who helps with your finances; or outsource it. All businesses need this.
Identify Critical Information – see our previous blog post for more detail, but this is the process of determining what information is the most important to the success of your business. Everything is important of course, but critical information is the pieces of information that could make or break your business.
Identify and Analyze Threats/Adversaries – as it’s heading implies, you understand who your competition is and what their capabilities and weaknesses are. This is important because it helps you set your defense. Imagine you identify your critical information and you employ a protection technique only to realize that the defense was something that was easily defeated. Know your threat and what they are capable of.
Analyze Your Vulnerabilities – this comes with understanding your defense. Where are you vulnerable? How do you look from a holistic security review, to include personal, physical and information security. Where are your gaps? Do you have redundant coverage? What happens if that layer of security is breached?
Assess Your Risks – understanding your vulnerabilities, what risks do you incur? And where those risks are, how do evaluate them? If your security is breached, what information do they gain? How will this impact your business? Will it impact you?
Counter the Threat – now that you understand all the above, what measures will you put in place to counter that? Will you put measures in place? Will it be a top to bottom security overhaul or do you need to augment your existing infrastructure?
The point of OPSEC is to provide a process and decision making cycle to your protection. It’s designed to provide a comprehensive look at your business and determine where you might be have security problems. As a small business owner, or even a big business, you may have gotten through without any issues and you determine that you are not vulnerable, but until you go through the process how can you be sure?
Couple all of this with the OSINT threat and you can see how even the smallest amount of information could be valuable to your competition. Even implementing basic security policies such as shredding all documents; don’t allow employees to make judgement calls on what is and should be shredded – shred it all.