Saturday, November 24, 2018

A personalized OpSec guide.

I believe a lot of us, including myself, skip this step before embarking down the rabbit hole. I've seen some phenomenal guides out there, and after lots of reading I ended up adapting and personalizing one for me. It helped me figure out what's worth protecting, and I did a write-up of it. I hope to share it here in case it helps anyone else.

GTE8LVL0 OPERATIONS SECURITY

Operations Security (OpSec), in my simplest interpretation, is the process of protecting and/or controlling our data output in order to prevent possible misuse by unauthorized factors. The OpSec process consists of five steps:

  1. Identify Critical Information:

Write down a list of the information that you want to protect/control. Try to group items in the list that are similar and give each a numerical value from 1 to 5, with 5 being the most important information to you.

  2. Analysis of Threats:

I use the acronym F.A.C.T.O.R. as a trigger word to remind me that OpSec has to be continuous. It also covers the plethora of threats to privacy in our everyday reality.

Family or Friends

-May tag you in everything, exposing your location, or gossip about your secrets, your personal ideologies, or other things you might want to keep private. Often they do this inadvertently.

Authorities

-Cops, Feds, librarians, school employees or work superiors: basically anyone that has been given "authority" to tell you what you can or cannot do.

Conspirators

-If you didn’t think someone was or could be watching, you wouldn’t be reading this. From Facebook ad targeting algorithms to Lizard People, it probably fits in this category.

Thieves

-They choose to steal and it is up to you to stop them from doing it to you. Consider “Targets of Opportunity”. Not everyone is a thief, but a bag of money left unattended might make someone consider it.

Oppressors

-Governments, regimes, abusive partners, etc...

Re-evaluate

-It is important that, as you assign each factor, you give serious consideration to capability and intent. Grandma and a thief might both want your sweet Bitcoin, but their desire and ability to actually steal it are vastly different (unless Grandma boots Kali!).

  3. Analysis of Vulnerabilities:

We now know who the bad guys are. We have to start thinking like them: how exactly are they trying to get to our data?

In the list of Critical Information, for each item, consider which FACTOR applies as an unauthorized party and subtract 1 from the item's original value.

List how each FACTOR could gain unauthorized access to that data.

  4. Assessment of Risk:

The value that results corresponds to one of five Risk Levels:

  1. CRITICAL – Take care of it yesterday!

  2. HIGH

  3. MEDIUM

  4. LOW

  5. MAINTAIN – Don’t neglect things just because they are secure at the moment.

The lower the value, the more urgent the need to "fix the leak".

  5. Application of Appropriate Countermeasures:

We now have a comprehensive analysis of our Critical Information, its possible threats, how they can attack us, and in what order we should start plugging holes. Keeping this mindset, we can start looking for the right tools and behaviors to protect our data appropriately (from simple browser add-ons like Privacy Badger or Certbot, to Whonix, Tor and Tails OS, etc.).
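As an added example that is not from the original post, here is steps 1 to 4 kept as a small worksheet in Python: each item of Critical Information gets its 1 to 5 value, each FACTOR is recorded with the capability and intent that the Re-evaluate step calls for, one point is subtracted per FACTOR that has both, and the result is mapped to the five risk levels and sorted most urgent first. Two assumptions are mine rather than the guide's: the subtraction is applied once per applicable FACTOR, and the result is floored at 1 so nothing falls off the bottom of the table; the sample entries are constructed.

```python
# F.A.C.T.O.R. threat categories from the guide, and its five risk levels
# keyed by the value that results from the vulnerability analysis.
FACTORS = {"Family", "Authorities", "Conspirators", "Thieves", "Oppressors"}
RISK_LEVELS = {1: "CRITICAL", 2: "HIGH", 3: "MEDIUM", 4: "LOW", 5: "MAINTAIN"}

def applicable_factors(threats):
    """Re-evaluate step: a FACTOR counts only if it has BOTH capability and intent.
    `threats` maps a factor name to a (capability, intent) pair of booleans."""
    unknown = set(threats) - FACTORS
    if unknown:
        raise ValueError(f"unknown FACTOR(s): {sorted(unknown)}")
    return sorted(f for f, (cap, intent) in threats.items() if cap and intent)

def risk_value(value, threats):
    """Subtract 1 from the item's 1..5 value for every applicable FACTOR.
    Assumption not stated in the guide: the result is floored at 1 (CRITICAL)."""
    if not 1 <= value <= 5:
        raise ValueError("value must be between 1 and 5")
    return max(1, value - len(applicable_factors(threats)))

def assess(items):
    """items: list of (name, value, threats). Rows come back most urgent first."""
    rows = []
    for name, value, threats in items:
        v = risk_value(value, threats)
        rows.append((name, v, RISK_LEVELS[v], applicable_factors(threats)))
    return sorted(rows, key=lambda r: (r[1], r[0]))

# Constructed sample worksheet (hypothetical entries, not the author's own list).
SAMPLE = [
    ("Bitcoin wallet seed", 5, {
        "Thieves": (True, True),
        "Family": (True, False),       # grandma could, but has no intent
        "Conspirators": (True, True),
    }),
    ("Home address", 3, {
        "Family": (True, True),
        "Authorities": (True, True),
        "Oppressors": (True, True),
    }),
    ("Reading list", 2, {}),
]

if __name__ == "__main__":
    for name, v, level, factors in assess(SAMPLE):
        print(f"{level:<9} {v}  {name}  <- {', '.join(factors) or 'none'}")
```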
