Chapter 7 Flashcards

1
Q

What does OPSEC stand for?

A

Operations security, known in military and government circles as OPSEC

2
Q

What is OPSEC?

A

a process that we use to protect our information

3
Q

the use of _______ to protect data is only a small portion of the entire operations security process

A

encryption

4
Q

According to George Washington (OPSEC):

A

The foundation of OPSEC is the focus on unclassified data that when correlated becomes data that should be classified

5
Q

What is Competitive intelligence?

A

The process of intelligence gathering and analysis in order to support business decisions

6
Q

What is Competitive counterintelligence?

A

Protecting a company against competitive intelligence collection

7
Q

What are the 5 steps of OPSEC?

A

1) Identify Critical Information
2) Analyze Threat
3) Analyze Vulnerability
4) Assess Risk
5) Apply Countermeasures

8
Q

Identification of critical information involves…

A

Identify the most critical information assets, which may depend on the organization or business type (We need to protect those assets)

9
Q

Analysis of Threats:

A

1) A threat is something that has the potential to cause us harm
2) What harm or financial impact might be caused by critical information being exposed, and who might exploit the exposure
3) Each critical item of information must be analyzed
• Consider each competitor and use of our information

10
Q

Example of a Software company (analyze threat):

A

Critical information: our source code

Threats: exposure to attackers (may create fake license keys) and competitors (may copy our features)

11
Q

Analysis of vulnerabilities:

A

Vulnerabilities are weaknesses that can be used to harm our information assets

Thus, we will be looking at how the processes that interact with these assets are conducted, and where we might attack in order to compromise them

12
Q

Example of a Software company (vulnerabilities):

A

o It is possible to access, copy, delete, or alter the source code without any authorization, but accessing OS or Net

o No policies on how the source code should be stored and protected

o No infrastructure or skills to determine the damage in the case of a compromise

13
Q

Assessment of risks:

A

Risk occurs when we have a matching threat and vulnerability

14
Q

Example of a Software company (assessment of risk):

A

Threat: our source code might be exposed to our competitors or attackers

Vulnerability: Poor set of security controls

These two matching issues create risk

15
Q

Application of countermeasures:

A

To mitigate risk we may deploy countermeasures

At least we need to mitigate either the threat or the vulnerability

16
Q

Example of a Software company (Application of countermeasures):

A

Threat: our source code might be exposed to our competitors or attackers

Vulnerability: Poor set of security controls

Countermeasures: not much on threats but put measures in place to mitigate the vulnerability

We may improve access control and corresponding access policy

17
Q

The entire OPSEC process is _____

A

iterative

Consider environment and factors change

18
Q

We may introduce an additional step in the OPSEC process:

A

an evaluation of the effectiveness of our countermeasures

19
Q

Haas’ First Law:

A

First law: “If you don’t know the threat, how do you know what to protect?”

You need to know both the actual and potential threats that your critical data may face

Thus, matches with the 2nd step of the OPSEC process

Each item of information may have a unique set of threats and may have multiple threats, each from a different source

Threats may be location dependent because of corresponding laws and access control policies

20
Q

Haas’ Second Law:

A

Second Law: “If you don’t know what to protect, how do you know you are protecting it?”

We need to evaluate our information assets to determine what exactly we might consider to be our critical information

Thus, matches to the first step in the operations security process

In the vast majority of government environments, identification and classification of information is mandated

For example, a document or file can have a label such as classified, top secret, and so forth

The practice of information classification is not common outside government organizations

21
Q

Haas’ Third Law:

A

“If you are not protecting it (the information), . . . THE DRAGON WINS!”

This law is an overall reference to the necessity of the operations security process

A security breach could be the result of simple carelessness and noncompliance with the most basic security measures and due diligence

Example:
o Data breach occurred at Stanford University in 2013 simply because the sensitive data was on an unencrypted laptop

22
Q

Operations security in our personal lives

A

When we are away from home for a couple of weeks, we have the following indicators that the house is unoccupied and vulnerable:

No lights on at night

Told everyone on Facebook we were going

Posts to Twitter while we are on vacation about what we are doing

No noise coming from the house when we would normally be home

Newspapers building up in the driveway or stopped

Mail building up in the mailbox

No car in the driveway

No people coming and going

• We may take some security measures to protect our assets.

23
Q

Personal Information Protection

A

o Exposing geographical location to social media
o Is not a good practice from a security perspective
(• Personal information may flow across the networks)

o We may not always have control over where our information will be exposed
(• We may try to monitor or follow the updates of our information)
(• Report any breaches to respective authority)
(• Revise security measures and policies)
(• In my opinion: we can follow OPSEC process to protect our personal information)

24
Q

The operational security principles can be found…

A

In the writings of Sun Tzu in the sixth century BC, in the words of George Washington, in writings from the business community, and in formal methodologies from the US government

25
Q

Sheer volume of our personal information moves through a variety of systems and networks and…

A

we need to identify critical information and plan out measures to protect it

26
Q

The Laws of OPSEC were developed by

a. George Washington
b. Sun Tzu
c. Benjamin Franklin
d. Kurt Haas

A

d. Kurt Haas

27
Q

Are the steps of the operations security process useful for protecting personal data?

a. Yes
b. No
c. They are not relevant.

A

a. Yes

28
Q

When do we deploy countermeasures?

a. After identification of information leakage
b. After identification of critical information
c. After locating risks
d. None of the above

A

c. After locating risks

29
Q

What is the purpose of competitive intelligence?

a. Supports business decisions
b. Support artificial intelligence
c. Provides intelligence in battle
d. All of the above

A

a. Supports business decisions

30
Q

What is the first law of OPSEC?

A

Answer: “If you don’t know the threat, how do you know what to protect?”

31
Q

Why might we want to use information classification?

A

Answer: Information classification is important to identify critical information

32
Q

Why do we need to go through the OPSEC process more than once?

A

Answer: The OPSEC process is an iterative process, which needs more than one cycle to accommodate any changes in environments, policies, and other factors

33
Q

A ____ is something that has the potential to cause us harm

A

threat

34
Q

_________ are weaknesses that can be used to harm our information assets

A

Vulnerabilities