Opsec Pros Share Overlooked Components of Operational Security Programs
A panel of infosec experts discuss what the most commonly overlooked components of operational security programs are.
Operational security is a prominent concern for business risk management. A robust OpSec program with the proper controls and systems in place helps ensure that your sensitive data and proprietary information won't fall into the hands of adversaries.
Many companies inadvertently overlook important components of a sound operational security program. To find out about these critical, overlooked components and help guide companies in developing all-encompassing OpSec programs, we reached out to a panel of experts and asked them:
"What are the most commonly overlooked components of operational security?"
Meet Our Panel of OpSec Experts:
Cody Littlewood is the founder of Boveda, a security tool that makes sharing passwords and other secret info as secure and convenient as possible.
"The most overlooked component of operational security is..."
Email. I’m consistently surprised that even the most technical of people still feel that email is a secure format to transmit sensitive data. Many people say, "Our corporate email is secure," and they believe it. However, most security and cryptography experts disagree – strongly. If you’re using end-to-end encryption software, then the fact that email is insecure is moot. However, for the vast majority of people, this software isn’t friendly to use. While it’s true that most email these days is sent over TLS, it’s still stored and accessed in plaintext, which makes the content extremely vulnerable to phishing – something that 85% of organizations suffered from. 91% of attacks begin on the email attack surface.
Mike Baker is Founder and Managing Partner at Mosaic451, a managed cyber security service provider (MSSP) with expertise in building, operating, and defending some of the most highly-secure networks in North America. Baker has decades of security monitoring and operations experience within the US government, utilities, and critical infrastructure.
"All the security precautions in the world mean nothing if your organization leaves the backdoor open..."
Too many organizations are vulnerable to hackers through their third-party vendors, which is becoming one of the most commonly overlooked components of operational security. An organization’s cyber security is often only as good as the security of its vendors, and the proof of this is being witnessed with alarming frequency.
For example, the 2013 Target breach compromised as many as 70 million customers, along with 40 million credit and debit card accounts, and it cost Target over $300 million by the end of 2015. In September of 2014, Home Depot was hacked, which allowed criminals to steal the information off 56 million credit and debit cards, along with 53 million email addresses. The breach cost Home Depot $62 million, with the resulting class action lawsuit from affected customers totaling another $19.5 million.
These hacks did not originate from the failure of the corporation’s internal security protocols or systems. In both cases, hackers were able to gain access to systems by using the login credentials of a third-party vendor. In Target’s case, it was something as innocuous as an HVAC provider.
No matter how robust the cybersecurity of a healthcare organization, as long as criminals can gain legitimate login credentials through third-party vendors, they can still compromise the organization via the backdoor. Hackers can penetrate a site without gaining entry through the front-end login page.
But how can risk be addressed? One method is to create assessment and evaluation criteria that would ensure all vendors have adequate cybersecurity within their own enterprise. As part of the assessment process, organizations should subject their third-party vendors to vulnerability and penetration testing (VAPT) on both external and internet-facing products, so that any vulnerabilities can be discovered and fixed before they can be exploited by hackers. Whether it is robust security software, up-to-date firewalls, or personnel training on security and data protection best practices, ensuring that all third-party vendors have the same robust standards of cybersecurity as your business is critical to minimize risk.
Dr. Ross Federgreen is the CEO and founder at CSR Professional Services, Inc. His 35 years of experience include regulatory compliance, data life cycle management, and security of Personally Identifiable Information (PII) for the Fortune 50, financial institutions, non-profits, and governmental agencies. He is the inventor of CSR's Breach Reporting Service.
"Hackers mostly use social engineering techniques..."
And look for doors you have left open. Commonly overlooked things in OpSec are employee education and better procedures.
One of the most important things you can do to protect your organization is implementing a strict password policy:
- Change passwords on everything at least every 90 days – more often is better.
- Use strong passwords.
- Never repeat passwords between accounts.
- Don't write passwords down on little slips of paper next to your computer.
The second most important thing you can do is keep all of your software up-to-date on your desktops, servers, and other systems like phones. Turn on automatic updates to your OS and major software packages. Always have multiple backups over time. Most malware, viruses, and ransomware like WannaCry and NotPetya spread via unpatched software – known vulnerabilities that should have been fixed if you had applied updates.
Finally, you need to both vet and audit your 3rd party vendors, and include data protection requirements in their contract. 60% of data breaches are now coming from trusted users outside of the organization.
Kris Fannin is the CEO and founder of Intelivate, a consulting firm.
"For companies large and small, the biggest risks to operational security are..."
Poor process documentation and securing the data improperly. I am shocked at the number of organizations that do not make business process documentation and data loss prevention a top priority. Many don't do it at all. Because processes are the core of any business operation, documenting and securing business processes are important for many reasons including:
- Operational redundancy, which reduces risk in the event that key talent leaves or is unavailable
- Business process improvement, which can be done with accurate process documentation
- Operational consistency by documenting, auditing, and enforcing processes
- Operational efficiency by reducing performance variance through operational consistency
- Meeting acquisition requirements, which often include detailed process documentation
- Meeting client requirements, which often include process documentation and data security, especially for outsourcing in regulated industries
- Risk mitigation to enforce and show compliance with industry requirements such as HIPAA
- Building a case for and defending patents and trade secrets, which need detailed process documentation
Inevitably, some of the challenges businesses experience are linked to process.
Jose Hernandez is the SVP of Technology and Engineering at Zenedge Inc. He started his professional career at Prolexic Technologies (now Akamai) in DDoS, fighting attacks for Fortune 100 companies. While working at Splunk Inc. as a Security Architect, he built and released an auto-mitigation framework that has been used to automatically fight attacks in large organizations. In the past, he has helped build security operation centers as well as run a public threat intelligence service.
"The most overlooked components in OPSEC include but are not limited to..."
Digital trails, compartmentation of data, and thinking like an adversary. Digital trails can be found in every single social media tool. Each time a user posts a tweet on Twitter and has their geolocation enabled, that person can be traced to their exact location. Humans are animals of habit, and with this information an adversary can predict exactly where someone works, lives, and even exercises. If it is on the Internet, assume it is known to everyone forever. Always remember that even public cloud services are part of the Internet.
Compartmentation can be narrowed to the dividing and categorization of what is being secured. An excellent example of this is passwords. It is unwise for a user to use the same password for email services as for a bank account. These systems should never share critical information and should be considered separate and different trust groups. If a user has different passwords for each system, then an attacker will not have immediate access to all credentials.
Lastly, the most obvious overlooked component of OPSEC is thinking like an adversary. This is the first step in defense in order to avoid becoming a target of convenience (a.k.a. soft target). Thinking like an adversary means having trust groups and analyzing every aspect of critical and non-critical information, as well as asking how that information can be exploited. If you can think like an adversary, you can defend yourself and avoid becoming a target of attack.
Dennis Chow is the CISO at SCIS Security, a Houston-based Cyber Security Consulting Firm. He has led a nation-wide threat information sharing architecture and design grant with the health and human services department. Dennis is an active practitioner who focuses on penetration testing and network forensics.
"We've commonly seen OPSEC aspects often left ignored or underfunded because they lack appeal..."
We often find companies just throwing money at a specific set of tools without building out a program around how the tool should align to their needs first. The top 5 pain points we've run into are:
- Proper Staffing - Many large-scale organizations end up buying tons of tools and perhaps even pro services that deploy them, but they either don't have enough security analysts and engineers to maintain those tools or they don't use them effectively. Sometimes these organizations end up hiring or converting one of their network IT staff members to a dual-hat role without proper training or guidance.
- Security Awareness Program - I can't stress enough that this is one of the most overlooked and under-appreciated aspects of a security infosec ops program. Many of your penetration tests' levels of success or failure come down to a social engineering-based attack. In my own personal experience, I've never seen an organization pass at 100% on every basic email phish test submitted at random intervals.
- Using Their Own Documentation - There are many organizations that simply don't follow or maintain their documentation including policies, standards, procedures, runbooks, etc. It's hard work and sometimes it's just more exciting to jump into and start immediately investigating an alert without adhering to a structured document.
- Inventory of Critical Assets - In general, keeping up-to-date inventory is hard. However, it is necessary to keep critical assets as part of the CIS controls standard and other frameworks security teams align to. Without it, analysts can't find or locate ownership of systems or applications, and you can't really architect security controls around what you don't know you have.
- Testing Proper BCP/DR (Business Continuity Planning/Disaster Recovery) - Very few businesses are testing or assessing how well their own operations or the business operations can be managed during a critical failure. It's tedious work and it's not fun, but it's part of a sec ops program often swept under the rug.
Andrew is a UK technology entrepreneur and app developer. He's the CEO of Scorchsoft, which is a web app and mobile app development company, and the CTO of MODL App, a disruptive platform enabling people to book agency-represented professional models. Andrew is a founding director of both companies.
"Every organisation has a policy on passwords..."
They mandate length and protocols around changing them. However, very few provide guidance to their users about which web services they can use, or how to check if they can be trusted. It's all well and good having policies to keep people safe at work, but if people are using the same passwords in their personal lives, then a personally-targeted exploit could put that person's business data at risk. You can't protect this so easily using a company firewall.
When you register for any website, you have to place some trust in them that they are storing your personal data securely. Given that most users reuse passwords, what do you think the implications are of a dodgy website storing yours? It would be fairly easy to try your password and email into other sites too, or even try [email protected] to see if they can gain access to your work emails.
Users need to be educated in the techniques they can use to protect against this nature of exploit both in and outside of work, including making them aware of the potential risks. One tip is to always sign up using a unique insecure password, go through the website's forgotten-password process, and see if they email your password back to you. If they do, then this means they aren't storing your data securely, so you cannot trust the service. If they ask you to reset your password with a series of links that you need to click, then the chances are that they are taking some steps to keep your data safe. This isn't a green flag that the website is trustworthy, but it certainly helps to rule out the dodgiest ones.
Xu Zou is the CEO and Co-founder of ZingBox. Before starting ZingBox in 2014, Xu was Senior Director of Aerohive Networks, where he launched Aerohive's cloud-based Bring-Your-Own-Device (BYOD) security product. Prior to Aerohive, Xu was senior director of Aruba Networks, where he managed Aruba's industrial and carrier product line. Xu also holds 10 international patents on security and networking.
"When it comes to operational security..."
Many people overlook the specificity of securing internet-connected devices. These IoT devices are interconnecting on the network at an astonishing rate, from smart thermostats to hands-free light switches. With the simple focus of extending device usability, security has often been overlooked, opening up these devices to attacks. Many IoT devices, however, are not designed to be user-serviceable.
IoT devices are purpose-built to perform specific tasks. As such, their behaviors can be analyzed by select analytics tools to detect compromise or malfunction. When these behavior analytics tools interoperate with solutions such as firewalls and SIEMs, they can effectively quarantine and isolate the suspect device.
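The behaviour-analytics idea in the answer above can be shown in a few dozen lines. This is an added example, not code from the article or from ZingBox: it learns a per-device baseline of peers (host, port, protocol) and outbound volume from a set of constructed flow records for a hypothetical thermostat, then flags live flows that contact a new peer or exceed the learned volume by an assumed factor, and turns the alerts into the isolate action the text says a firewall or SIEM integration would carry out.

```python
"""Flag an IoT device whose network behaviour departs from its learned baseline.

Added example; the flow records, device name, hostnames and the 10x volume
factor are all constructed assumptions for illustration.
"""
from collections import defaultdict

# Constructed flow records: (device, dst_host, dst_port, protocol, bytes_out).
LEARNING_FLOWS = [
    ("thermostat-01", "api.vendor.example", 443, "tcp", 1200),
    ("thermostat-01", "api.vendor.example", 443, "tcp", 1350),
    ("thermostat-01", "ntp.internal.example", 123, "udp", 90),
    ("thermostat-01", "api.vendor.example", 443, "tcp", 1180),
]
LIVE_FLOWS = [
    ("thermostat-01", "api.vendor.example", 443, "tcp", 1250),
    ("thermostat-01", "fileserver.internal.example", 445, "tcp", 900),  # peer never seen in learning
    ("thermostat-01", "api.vendor.example", 443, "tcp", 48000),         # far above learned volume
    ("thermostat-01", "ntp.internal.example", 123, "udp", 95),
]

VOLUME_FACTOR = 10  # assumed tuning value: alert above 10x the baseline max for that peer


def learn_baseline(flows):
    """Map device -> {(host, port, proto): max bytes_out observed during learning}."""
    baseline = defaultdict(dict)
    for device, host, port, proto, nbytes in flows:
        peer = (host, port, proto)
        baseline[device][peer] = max(baseline[device].get(peer, 0), nbytes)
    return baseline


def detect_deviations(baseline, flows, factor=VOLUME_FACTOR):
    """Return (device, alert_type, detail) for flows that break the baseline.

    A purpose-built device has a small, stable set of peers, so a brand-new
    peer or a large jump in volume to a known peer is worth an alert.
    """
    alerts = []
    for device, host, port, proto, nbytes in flows:
        peer = (host, port, proto)
        known = baseline.get(device, {})
        if peer not in known:
            alerts.append((device, "new_peer", f"{host}:{port}/{proto}"))
        elif nbytes > factor * known[peer]:
            alerts.append((device, "volume_spike", f"{host}:{port}/{proto} {nbytes}B"))
    return alerts


def quarantine_actions(alerts):
    """One isolate action per alerting device, as a firewall/NAC integration would apply."""
    return sorted({f"isolate {device}" for device, _, _ in alerts})


if __name__ == "__main__":
    base = learn_baseline(LEARNING_FLOWS)
    found = detect_deviations(base, LIVE_FLOWS)
    for alert in found:
        print(alert)
    print(quarantine_actions(found))
```

The learning window must come from a period the operator trusts to be clean; a device compromised before baselining would have its malicious peers learned as normal.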
Tim Platt has 25 years of experience in multiple areas of computer technology including programming, networking, databases, cloud computing, security, and project management. He currently works at Virtual Operations, LLC, providing technology consulting in the Orlando, FL area.
"The most overlooked component is ongoing employee education and training..."
The person is always the weak link – and knowledge and skills within an organization can "decay" – because of turnover in staff. An ongoing training program that includes orientation of new hires, as well as refresher training for current employees is essential. It’s also the item that’s overlooked the most. Security can be handled like a project – implement policy, procedures, and technology and system, and then it’s "done." What’s most important for success is a deep organizational commitment to security as a core value of the company – and that includes the appropriate resources to maintain that commitment to security.
Justin Davis is a Technology Sales Leader for Enterprise Business. He resides in San Francisco, CA, and specializes in Data Security, Disaster Recovery & Business Continuity and Predictive Analytics.
"Hands down, one the most overlooked components of operational security is..."
Tying in the business. If you put together a conference room filled with IT & Security subject matter experts, invariably you'll have a list of projects and initiatives that everyone agrees are important to the security of the organization and that have been on hold for ages with no end in sight. Every initiative, if valuable, is valuable because it impacts the business. As such, every system needs to have an owner assigned on the business side of the house. Someone to quantify the impact to the business should the system fail or the data be compromised. Missing this step will leave teams with the headache of critical tasks falling on deaf ears, then scrambling to remediate once disaster strikes. Too frequently I hear CIOs say, "We are woefully underprepared on security, and I'll never get the budget approved." Tie in the business, get their skin in the game, and the to-do list will get much shorter. Plus, it will increase the likelihood of end users following correct procedures when the why is understood.
Shy is an entrepreneur, and owns and operates an online travel agency, Odyssean Travel.
"The most commonly overlooked OPSEC principle is..."
Complacency. When we start to see something every day, it becomes familiar, and we let our guard down. It is during this time that we have unwittingly allowed a breach or overlooked something, feeling perhaps we ourselves risk breaking the trust barrier. For instance, I managed an access point for a number of months that held three teams on a rotation – an individual had been friendly with some of the staff on one of the teams and was accessing the site to use the gym and other facilities. During the first few weeks or months, this individual had been accessing the site legitimately. After some time, one rotation stopped asking for ID – they just recognized his face and he walked on in. It was several weeks before someone notified the access staff on that rotation that this individual's access had been revoked some weeks prior. In allowing the familiarity and trust to build to the point that the staff stopped asking for current identification, they had exposed the site to potential hazard. In this instance, it was relatively harmless, but it's a very commonplace example. My first civilian job post-Services was with a security firm, and I ended up as a mobile supervisor during the PanAm games. During the introductory training, the trainer listed "recognize someone as legitimate" as a means of identification.
Social media in particular is a fantastic vector for such complacency. It may not even be directly from employees, but from the friends and families of those individuals with access to information. People don't always separate their work from their home life. In sharing (or allowing to be shared) seemingly harmless details, staff and colleagues may unwittingly give away too much. The complacency here is in overtrusting. Consider that the families and friends of your employees might also release information. An overzealous employee tags themselves in a post which reveals a training facility otherwise unknown to the public. A chat with your spouse ends up in a forum saying how their husband is so stressed due to the new [insert conceptual product] release next month.
Ranjeet Vidwans has spent over 20 years with security startups in various spaces spanning single sign-on, provisioning and governance, authorization, IDaaS, mobile security, and DevSecOps. He currently serves as a strategy advisor to several different emerging startups and focuses on marketing, business development, and other go-to-market initiatives.
"The single most overlooked aspect of operational security is..."
Also by far the most obvious one – the storage of passwords, API keys, and other "secrets" in cleartext configuration files or in GitHub and other source code repositories. This critical misstep has led to numerous high-profile data breaches and is fairly straightforward to mitigate. There is a wave of emerging technology that provides Privileged Access Management (PAM) capabilities but is highly optimized for the elasticity, performance, and programmatic access requirements of the modern DevOps or DevSecOps environment.
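One straightforward mitigation for the problem above is a scanner that runs over configuration files before they are committed. The following is an added example, not code from the article or from any panelist: it scans a constructed `.env`-style snippet and flags assignments by three signals (a sensitive-looking key name, a known token prefix such as the `AKIA` that begins AWS access key ids, and high Shannon entropy of the value), while skipping values that only reference an environment variable, which is the corrected form the secret should take. The key list, prefix list and entropy threshold are assumptions, not a standard.

```python
"""Flag secrets stored in cleartext in configuration files.

Added example; the sample config, key-name list, token prefixes and entropy
threshold are constructed assumptions for illustration.
"""
import math
import re
from collections import Counter

# Constructed sample of the kind of .env / YAML content that ends up in a repo.
SAMPLE_CONFIG = """\
DB_HOST=db.internal.example
DB_PASSWORD=hunter2-prod-2019
AWS_ACCESS_KEY_ID=AKIAEXAMPLEKEY0000AA
SLACK_TOKEN=xoxb-EXAMPLE-0000000000-FakeTokenValueForDemo
SIGNING_SEED=q7Zp2vR9xL4tW8nB3kM6hY1cJ5dF0gS
LOG_LEVEL=info
API_KEY=${API_KEY}
"""

# Key names that usually hold credentials (assumed list, not exhaustive).
SENSITIVE_KEY = re.compile(r"(?i)(password|passwd|secret|token|api[_-]?key|access[_-]?key)")
# KEY=value or key: value, tolerating surrounding whitespace.
ASSIGNMENT = re.compile(r"^\s*(?P<key>[A-Za-z0-9_.-]+)\s*[:=]\s*(?P<value>.+?)\s*$")
# A value that only names an environment variable is indirection, not a literal secret.
ENV_REFERENCE = re.compile(r"^\$\{?[A-Z_][A-Z0-9_]*\}?$")
# Well-known credential prefixes (AWS access key ids start with AKIA; Slack bot/user tokens with xoxb-/xoxp-).
KNOWN_PREFIXES = ("AKIA", "xoxb-", "xoxp-")
MIN_ENTROPY_LEN = 20   # assumed: only judge entropy on values this long or longer
ENTROPY_THRESHOLD = 4.0  # assumed: bits per character; hostnames and words fall below this


def shannon_entropy(s: str) -> float:
    """Shannon entropy in bits per character; random-looking strings score high."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def scan_config(text: str) -> list:
    """Return one finding per suspicious assignment: line number, key and the reasons."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = ASSIGNMENT.match(line)
        if not m:
            continue
        key, value = m.group("key"), m.group("value").strip("'\"")
        if ENV_REFERENCE.match(value):
            continue  # secret is injected at runtime, not stored in the file
        reasons = []
        if SENSITIVE_KEY.search(key):
            reasons.append("sensitive key name")
        if value.startswith(KNOWN_PREFIXES):
            reasons.append("known token prefix")
        if len(value) >= MIN_ENTROPY_LEN and shannon_entropy(value) >= ENTROPY_THRESHOLD:
            reasons.append("high entropy")
        if reasons:
            findings.append({"line": lineno, "key": key, "reasons": reasons})
    return findings


def has_cleartext_secrets(text: str) -> bool:
    """Gate for a pre-commit hook: True means the commit should be blocked for review."""
    return bool(scan_config(text))


if __name__ == "__main__":
    for finding in scan_config(SAMPLE_CONFIG):
        print(f"line {finding['line']}: {finding['key']} ({', '.join(finding['reasons'])})")
```

The entropy signal is the noisiest of the three, which is why it is only applied to longer values and with a high threshold; the key-name and prefix signals catch the common cases with few false positives, and the `${VAR}` exemption rewards the fix of moving the value into the environment or a secrets manager.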
Joanna Fields, CEO & Founding Principal of Aplomb Strategies is an expert on market structure, capital markets, cybersecurity, and regulatory technology (RegTech).
"The most commonly overlooked component of operational security entails..."
Protection of client information while moving from the company to another party. While vendor management has become a focus of regulators, it is still worth considering the amount of Personally Identifiable Information (PII) often sent through email, technology vendors, or data cloud stores that is not currently being assessed for risks and vulnerabilities by existing threat and protection monitoring tools.
Fernando Leon is the Vice President of Sales/Marketing for Single Point of Contact, an IT Managed Service Provider.
"Open Sources of information are commonly overlooked..."
Such as social networking, tweets, texts, blogs, videos, photos, and even GPS locations and emails. What can be gained from talking to a person and gathering information is what is commonly overlooked. Users need to be aware of what communications they are using and how to safeguard information.
Jonathan Rodriguez is the President and Chief Executive Officer of BitMar Networks.
"The most commonly overlooked component of operational security is training..."
The biggest security weak point – to this day – is the Human Element. Most organizations empower their IT departments to look out for the wellbeing of their systems, without properly instructing the rest of their staff about potential security and liability issues – which can mostly be avoided by simply making their staff just a little more aware and savvy.
Businesses should have mandatory monthly meetings to keep their staff fully compliant with company IT policy.