4.1 Operations Security (OPSEC)

Question 1

Why is it important to identify your critical information?

Answer 1

So you are applying the right level of opsec to critcal info.

Question 2

What is the first law of OPSEC?

Answer 2

By Kurt Haase, “ If you don’t know the threat, how do you know what to protect?”

Question 3

What is the second law of OPSEC?

Answer 3

If you don’t know what to protect, how do you know you are protecting it?

Question 4

What is the third law of OPSEC?

Answer 4

By Kurt Haase, “If you are not protecting [the information]…..the dragon wins!

Question 5

What is the function of the IOSS?

Answer 5

Training and OPSEC Awareness - Interagency OPSEC Support Staff

Question 6

What part did George Washington play in the creation of operations security?

Answer 6

Understood that when small pieces of seemingly useless information is combined, it can become dangerous. (name, address, social sec number).
-Also understood importance of secrecy and establishing an intelligence gathering program, which he started.

Question 7

In the operations security process, what is the difference between assessing threats and assessing vulnerabilities?

Answer 7

Vulnerabilities are the gaps in infrastructure that a threat(or malicious event) could occur.

Question 8

Why might you want to use information classification?

Answer 8

This process helps to know what you have to protect, so you can actually protect it. Relates to the second Law and 1st step of the OPSEC cycle.

Question 9

When you have cycled through the entire operations security process, are you finished?

Answer 9

No this is an iterative process that takes repeating.

Question 10

From where did the first formal OPSEC methodology arise?

Question 11

What is the origin of operations security?

Answer 11

-During the Vietnam War - military realized spies were relaying troop movement. A survey was conducted to determine information lost and determined vulnerability. Coined OPSEC.
-Also Sun Tzu in the Art of War provides earliest OPSEC principles.

Question 12

Define competitive intelligence?

Answer 12

-Used in Business industry
-Gathering and analyzing intelligence to assist business decisions.

Question 13

Define competitive counterintelligence?

Answer 13

Opposite of competitive intelligence - employing OPSEC principles

Question 14

Operations security (OPSEC) is a risk management process that involves the ___________ of critical information, analysis of ___________and _________, _________assessments, and the application of _________. It aims to protect sensitive information from _________ and __________.

Answer 14

identification; threats and vulnerabilities; risk ; countermeasures

unauthorized access and disclosure.

Question 15

Haas’s Laws of OPSEC underline the fundamental principles such as…(2 statements.

Answer 15

“If you don’t know the threat, how do you know you’re secure?” and “Security is a state of mind.”

Question 16

-Finding potential threats and vulnerabilities is called?
-Assessing the level and impact of risks is called?
-Applying countermeasures to reduce risks is called?

Answer 16

• Risk Identification:
• Risk Analysis:
• Risk Mitigation:

Question 17

Identify the Layers of a Defense-in-Depth Strategy (3x)

Answer 17

Physical Controls: Access controls, surveillance cameras.
Logical Controls: Firewalls, encryption.
Administrative Controls: Policies, employee training.

Question 18

Compare Abilities of Physical, Logical, and Administrative Controls. What are each best for?

Answer 18

• Physical: Best for deterring unauthorized physical access.
• Logical: Effective for securing data and networks.
• Administrative: Helpful for creating a security-aware culture.

Question 19

Categorize Cybersecurity Principles According to Area of Impact
* Data Protection:
* Network Security:
* User Authentication:

Answer 19

• Data Protection: Encryption, backups.
• Network Security: Firewalls, VPNs. * User Authentication: MFA, strong passwords.

Question 20

What kind of attack does Encrytion mitigate?

Answer 20

Interception

Question 21

What type of attack do Firewalls protect against?

Answer 21

Mitigate interruption

Question 22

What do digital signatures mitigate?

Answer 22

fabrication and modification.

Question 23

Classify Attacks According to Cybersecurity Concept Violated- Phishing

Answer 23

Violates user authentication.

Question 24

Classify Attacks According to Cybersecurity Concept Violated- DDoS

Answer 24

Violates availability

Question 25

Classify Attacks According to Cybersecurity Concept Violated- Data Breach

Answer 25

Confidentiality

Question 26

Identify Cybersecurity Concepts that Protect Critical Information (3x)

Answer 26

• Data Encryption * Firewalls * Multi-factor Authentication

Question 27

Identify Types of Assets or Resources that Can be Secured

Answer 27

• Hardware: Servers, workstations. * Software: Applications, databases. * Data: Files, intellectual property.

Question 28

Categorize Security Principles According to Type of Asset Needing Protection - Software

Answer 28

Logical Controls

Question 29

Categorize Security Principles According to Type of Asset Needing Protection - Hardware

Answer 29

Physical Controls

Question 30

Categorize Security Principles According to Type of Asset Needing Protection - data

Answer 30

logical and administrative controls

Question 31

Classify Threats and Attacks According to CIA Triad
* Interception:

Answer 31

• Interception: Targets confidentiality.

Question 32

Classify Threats and Attacks According to CIA Triad
* Interruption:

Answer 32

• Interruption: Targets availability.

Question 33

Classify Threats and Attacks According to CIA Triad
* Modification:

Answer 33

• Modification: Targets integrity.

Question 34

Classify Threats and Attacks According to CIA Triad
* Fabrication:

Answer 34

• Fabrication: Targets both integrity and authenticity

Question 35

Categorize Control Mechanisms
* Physical Controls

Answer 35

• Physical Controls: Mitigate risks of unauthorized physical access.

Question 36

Categorize Control Mechanisms
* Logical Controls

Answer 36

• Logical Controls: Mitigate risks of data breaches.

Question 37

Categorize Control Mechanisms
* Administrative Controls

Answer 37

• Administrative Controls: Mitigate risks of human error.

Question 38

Align Types of Attacks to the Legs of the CIA Triad * Violates confidentiality.

Answer 38

Interception:

Question 39

Align Types of Attacks to the Legs of the CIA Triad* : Violates availability.

Answer 39

Interruption

Question 40

Align Types of Attacks to the Legs of the CIA Triad* : Violates integrity.

Answer 40

Modification

Question 41

Align Types of Attacks to the Legs of the CIA Triad* : Violates integrity and can lead to false data becoming available.

Answer 41

Fabrication

Question 42

What is a threat?

Answer 42

Identification of what harm to the company can occur if important information is released.

Question 43

What describes risk assessment?

Answer 43

Risk occurs when there is a matching threat and vulnerability. A risk assessment determines which risks require concern during the operations security process.

Question 44

What is the responsibility of the Cybersecurity and Infrastructure Security Agency (CISA).

Answer 44

Lead the national effort to understand, manage, and reduce risk to our cyber and physical infrastructure.