Operations Security

Operations security (OpSec, OPSEC) is a process that identifies critical information to determine if friendly actions can be observed by adversary intelligence systems, determines if information obtained by adversaries could be interpreted to be useful to them, and then executes selected measures that eliminate or reduce adversary exploitation of friendly critical information. Translated this means that encrypting stuff may not be enough to avoid leaking information. OpSec is a series of measures and mindsets helping you to keep yourself, your data and others secure (i.e. free from threats).

OpSec can be hard or easy, it depends to a great deal on the threats you have to counter. To give you an example, let's take a look at someone communicating via e-mail using the same infrastructure. This can be an e-mail client configured with different accounts used by the same person. Even if you encrypt all your e-mail content, you will still be generating transaction logs with addresses in clear. These logs can be on your local machine and very likely on machines belonging to your ISP(s). This graph shows the communication structure. Addresses are anonymised. Links between nodes denote communication. Thicker lines mean that more e-mails have been sent. You see two central nodes which are probably the two most used accounts to send e-mails. Recipients overlap, so both accounts have common contacts. There is a lone pair of nodes on the right which indicates a third account being used to send e-mails to a single recipient. Now imagine that the data is anonymised. Logs contain the full e-mail addresses! Everyone accessing these transaction logs can create these graphs very easily.

OpSec aims to avoid information leaks of this kind (which is a simple example, OpSec is about much more!).

OpSec also helps to think in different contexts and to grasp the threats behind the technologies used. „I use TOR on my cell phone.“ turns into „I use TOR on my ankle monitor.“. Try not to get too attached to gadgets and tools when thinking about OpSec. Once the power goes out, it's good to know what low-tech and the KISS principle was all about.

OpSec is about attracting the right amount of attention and not to raise any suspicion. You want to act like a real person with a non-threatening agenda. Attracting attention increases your exposure and the chance for Bad Things™ to happen. Remember, not being a target is the best way to avoid trouble.

Resources