Chapter 7 Flashcards
What does OPSEC stand for?
Operations security, known in military and government circles as OPSEC
What is OPSEC?
a process that we use to protect our information
the use of _______ to protect data is only a small portion of the entire operations security process
encryption
According to George Washington (OPSEC):
The foundation of OPSEC is the focus on unclassified data that when correlated becomes data that should be classified
What is Competitive intelligence?
The process of intelligence gathering and analysis in order to support business decisions
What is Competitive counterintelligence?
Protecting a company against the competitive intelligence collection
What are the 5 steps of OPSEC?
1) Identify Critical Information
2) Analyze Threat
3) Analyze Vulnerability
4) Assess Risk
5) Apply Countermeasures
Identification of critical information involves…
Identify the most critical information assets, which may depend on the organization or business type (We need to protect those assets)
Analysis of Threats:
1) A threat is something that has the potential to cause us harm
2) What harm or financial impact might be caused by critical information being exposed, and who might exploit the exposure
3) Each critical item of information must be analyzed
Consider each competitor and use of our information
Example of a Software company (analyze threat):
Critical information: our source code
Threats: exposure to attackers (may create fake license keys) and competitors (may copy our features)
Analysis of vulnerabilities:
Vulnerabilities are weaknesses that can be used to harm our information assets
Thus, we will be looking at how the processes that interact with these assets are conducted, and where we might attack in order to compromise them
Example of a Software company (vulnerabilities):
It is possible to access, copy, delete, or alter the source code without any authorization, but accessing OS or Net
No policies on how the source code should be stored and protected
No infrastructure or skills to determine the damage in the case of a compromise
Assessment of risks:
Risk occurs when we have a matching threat and vulnerability
Example of a Software company (assessment of risk):
Threat: our source code might be exposed to our competitors or attackers
Vulnerability: Poor set of security controls
These two matching issues create risk
Application of countermeasures:
To mitigate risk we may deploy countermeasures
At least we need to mitigate either the threat or the vulnerability
Example of a Software company (Application of countermeasures):
Threat: our source code might be exposed to our competitors or attackers
Vulnerability: Poor set of security controls
Countermeasures: not much on threats but put measures in place to mitigate the vulnerability
We may improve access control and corresponding access policy
The entire OPSEC process is _____
iterative
Consider environment and factors change
We may introduce an additional step in the OPSEC process:
an evaluation of the effectiveness of our countermeasures
Haas’ First Law:
First law: “If you don’t know the threat, how do you know what to protect?”
You need to know both the actual and potential threats that your critical data may face
Thus, matches with the 2nd step of the OPSEC process
Each item of information may have a unique set of threats and may have multiple threats, each from a different source
Threats may be location dependent because of corresponding laws and access control policies
Haas’ Second Law:
Second Law: “If you don’t know what to protect, how do you know you are protecting it?”
We need to evaluate our information assets to determine what exactly we might consider to be our critical information
Thus, matches to the first step in the operations security process
In the vast majority of government environments, identification and classification of information is mandated
For example, a document or file can have a label such as classified, top secret, and so forth
The practice of information classification is not common outside government organizations
Haas’ Third Law:
“If you are not protecting it (the information), . . . THE DRAGON WINS!”
This law is an overall reference to the necessity of the operations security process
A security breach could be the result of simple carelessness and noncompliance with the most basic security measures and due diligence
Example: Data breach occurred at Stanford University in 2013 simply because the sensitive data was on an unencrypted laptop
Operations security in our personal lives
When we are away from home for a couple of weeks, we have the following indicators that the house is unoccupied and vulnerable:
No lights on at night
Told everyone on Facebook we were going
Posts to Twitter while we are on vacation about what we are doing
No noise coming from the house when we would normally be home
Newspapers building up in the driveway or stopped
Mail building up in the mailbox
No car in the driveway
No people coming and going
We may take some security measures to protect our assets.
Personal Information Protection
Exposing geographical location to social media is not a good practice from a security perspective
(Personal information may flow across the networks)
We may not always have control over where our information will be exposed
(We may try to monitor or follow the updates of our information)
(Report any breaches to respective authority)
(Revise security measures and policies)
(In my opinion: we can follow OPSEC process to protect our personal information)
The operational security principles can be found…
In the writings of Sun Tzu in the sixth century BC, in the words of George Washington, in writings from the business community, and in formal methodologies from the US government
The sheer volume of our personal information moves through a variety of systems and networks and…
we need to identify critical information and plan out measures to protect it
The Laws of OPSEC were developed by
a. George Washington
b. Sun Tzu
c. Benjamin Franklin
d. Kurt Haas
d. Kurt Haas
Are steps of operation security process useful for protecting personal data?
a. Yes
b. No
c. They are not relevant.
a. Yes
When do we deploy countermeasures?
a. After identification of information leakage
b. After identification of critical information
c. After locating risks
d. None of the above
c. After locating risks
What is the purpose of competitive intelligence?
a. Supports business decisions
b. Support artificial intelligence
c. Provides intelligence in battle
d. All of the above
a. Supports business decisions
What is the first law of OPSEC?
Answer: “If you don’t know the threat, how do you know what to protect?”
Why might we want to use information classification?
Answer: Information classification is important to identify critical information
Why do we need to go through the OPSEC process more than once?
Answer: The OPSEC process is an iterative process, which needs more than one cycle to accommodate any changes in environments, policies, and other factors
A ____ is something that has the potential to cause us harm
threat
_________ are weaknesses that can be used to harm our information assets
Vulnerabilities