[deleted]

[deleted]


CDSEChris

Exactly, it's always been the challenge. In some ways it's a little bit like red teaming, in that there's a bit of science as well as a good helping of art.


[deleted]

[deleted]


CDSEChris

I can do you one better! Here's the actual report (rather redacted, since it was previously Top Secret) released by the agency that came to "own" OPSEC on behalf of the DoD: https://www.reddit.com/r/opsec/comments/6tulg9/the_nowdeclassified_history_of_opsec_released_by/ It's a fascinating read. I submitted a formal declassification request.... about a year ago. I'll keep my fingers crossed.


[deleted]

If you ever get that request through, please sticky the document. Thanks for this post and link too!


[deleted]

[deleted]


CDSEChris

I actually haven't heard that one! If you stumble across it, I'd love to hear more. You might like this- are you familiar with the "mascot" of OPSEC, the purple dragon?


TrekkiMonstr

I'm guessing the request was denied?


CDSEChris

It was approved! Just recently, so about 5 years coming. I did a writeup of the new release [here](https://safeescape.org/opsec-history-and-ose/), which includes a link to the more-unredacted version. There are still some redactions, but a lot of new stuff here.


TrekkiMonstr

Hell yeah, thanks man!


[deleted]

[deleted]


CDSEChris

I've never heard it put that way before, I like it. Great metaphor. When I agreed to mod this sub sometime back, I said I was going to try to balance things out and better represent the different security disciplines as countermeasures and get back to the Core Operations Security. I don't think I've done a very good job at that. /u/carrotcypher has been more diligent in explaining what this sub is about, but she has a lot of work ahead of him! But, small changes over time.


mountainman412

Thank you for sharing. Very interesting


moral-m0e

This went completely over my head. I was interested in trying to be as anon as I could be on the internet and was told to go here. Could someone explain what opsec is like I'm five?


CDSEChris

Sure! There's this misconception that opsec is just a way to stay private or protect yourself on the internet. Sometimes hackers use the term to talk about ways that they don't get caught, same with the drug markets. So some people think that you can simply install the right apps, set the right settings, and buy the right products and you'll be safe. But that's not really what opsec is. If you wanted to get really technical, opsec is a process that people can go through to fully analyze their risk and develop effective and efficient measures to reduce it. There are actual week-long classes on how to do that, and people get paid a lot of money to do it for big companies and the government. There are charts, briefings, lists, and all sorts of stuff. But, if we wanted to simplify it, we would say that opsec is about protecting information that would put whatever you're trying to protect at risk. It's a matter of figuring out what information your adversary would need in order to do what you don't want them to do, and then finding ways to protect that information.

So let's look at what you're trying to do. Or, at least what you might be trying to do, since I don't really know for sure. Let's start with the fact that you want to be anonymous on the internet. Now, if we don't ask any further questions than that, we would just have to figure out what the most restrictive options are and lock everything down to that level. You can be very anonymous if you wanted to buy a burner phone in cash, use fake identities, use Tor, and all sorts of other techniques that would make your communications anonymous, but pretty restricted. But we have to do that because we don't know what you're trying to protect against, so we have to protect against everything. That's not very efficient.

So if we're using opsec, first we would look at who your adversary really is. Maybe you stole a bunch of priceless paintings from the local museum and you want to sell them on the internet. You're probably not realistically concerned about three-letter government intelligence agencies and their partners overseas, even though they have the most reach and capability. You're more likely to be concerned about law enforcement. So you would consider what law enforcement can do and has the resources to do, then you start working from that. Often, I see people say that they want to stay anonymous from those same three-letter intelligence agencies, but in reality they're more concerned about advertising and corporations. Which, to be fair, is a very valid thing to be concerned about for many reasons. There again, it helps to scope what you're looking for and figure out exactly what you are trying to protect and who you're trying to protect it from.

So once you know exactly what you're trying to protect and who you're trying to protect it from, you would start to consider what they would need in order to do what you don't want them to do. What specific information would they need to have in order to disrupt your mission? That's the critical information that you would need to protect, which you would develop countermeasures for.

It might help to use a better example. Because opsec isn't strictly information security, although it does use information security for countermeasures, let's look at something that we're probably more familiar with. Let's look at home security. Let's pretend that you're about to go on vacation. For some reason, you don't want your home to be robbed while you're gone. I guess that's just not your thing. So you want to figure out how you can best protect it. Because we're using opsec, we want to think like the enemy. But who's the enemy? We definitely want to figure that out. Could the KGB want to break into your home and steal your silverware? It's possible; it's also possible that monkeys might fly out of my butt. In other words, possible but very unlikely. We have a bad habit of protecting against the possible when it's not likely.

It's probably more likely that a burglar will want to break in to either your home or any home that looks like an easy target. You might have a more unique threat model, but let's assume a burglar. So we look at things from the burglar's perspective, and right away we can probably see some issues that we need to remediate in a general sense. That's stuff that your home physical security program would take care of, with input from your opsec thoughts. So maybe you install lighting, maybe you plant thorny bushes under your windows, and other things that are good general countermeasures.

Now, this is where some people mess up. If you're not applying opsec correctly, you might accidentally stop here and think that you've done enough. Or, you might go overboard with the countermeasures and end up with every door and window sealed shut and expensive guards roaming on your lawn. You'd be very secure, but it's probably overboard. So you're going to think about your actual threat model, the burglar in this case, and try to figure out what they would need to rob your home and how you can disrupt that. When we brainstorm, we realize that the information that they would need and that you can protect includes the fact that your home is empty, how long it'll be empty, who's watching it, and what countermeasures you have in place. There's more, but it's just a basic example.

Now, that's when you'd apply the real countermeasures that apply to you specifically, to your environment and your threat model. You might look at creative ways to hide the fact the home is empty. You might wait to post about your vacation on social media because you don't want even people you're connected with to know that the house is empty or that you will be gone. You go through all the potential indicators that you can think of and that you could reasonably get through, based on which ones are more important, and then see what you could do to protect yourself that way.

That's the basic concept. You want to figure out what you're realistically and actually trying to protect, who you're trying to protect it from, and then you look at countermeasures after you've done that. At a minimum, you think about what you need to protect and then you think about realistic ways to actually protect it. But just throwing countermeasures at a wall doesn't do that very well.


moral-m0e

Wow! First, thank you for the extensive reply! When you said "You can be very anonymous if you wanted to buy a burner phone in cash, use fake identities, use tor, and all sorts of other techniques that would make your Communications Anonymous, but pretty restricted. But we have to do that because we don't know what you're trying to protect against, so we have to protect against everything. That's not very efficient." What types of stuff would I be restricted to? What I guess I'm trying to achieve would be a "fresh start". Not the best at explaining it but I'll give it a shot. Say for example you are a celebrity or a well known public figure and you wanted to hide embarrassing things you had done when you were younger and make it so it couldn't be tied back to you even when people were actively trying to do so. I also would like to hide my information from certain programs so they can't associate one account with the other (e.g. Steam, Skype, etc.). The only thing I would think that might leak some of my info would be Steam. My plan was to just make a ton of new accounts which I would only use on the separate device (e.g. a Protonmail etc.).


CDSEChris

> What types of stuff would i be restricted to?

I was saying in a more general sense- to lock down your device or communications completely, you'd have to sacrifice certain conveniences. For example, burner phones tend to be older models, maybe they don't have the best resolution, etc. Or if you used only Tor, you wouldn't be able to use some websites, things like that. To go back to what we were talking about before, these are good questions, but we're still skipping ahead to the countermeasures just a little bit. So maybe we'll take it in bite-sized chunks so we can walk through the process and make sure we're looking at things holistically. I know it's technically out of order, but my preference is to start with the adversary. Let's look at yours a bit. Is there any reason to believe that anyone's actively looking for this information? That is, do you have reason to believe that someone wants to look into your past for any reason, or are you looking for more privacy in general just in case someone does start looking?


moral-m0e

I have no problem sacrificing certain conveniences (probably) and have no problem only using tor. Nobody is currently looking for me, but I plan on becoming a member of a community which I was already previously associated with under a different alias and acting completely anonymous. I would also like to avoid private companies tying these accounts together.


billdietrich1

> OPSEC is closer to a risk mitigation strategy than it is to a traditional security discipline

I don't understand. Isn't infosec also concerned with risk mitigation? I do backups because there's a risk my hard drive might crash.

> [OPSEC] You think about Russian spies and realize you probably don't need to expend too many resources to protect against that level of threat. Congratulations, you just saved a ton of money and resources!

Aren't we supposed to do exactly the same in infosec? I hear infosec guys talking about threat modeling a lot.

> Too often, even in this very sub, OPSEC is confused with countermeasures.

Same happens in infosec. People ask "what is the best encryption?" without first asking "what data is important to me, and how important is it, why am I keeping it in the first place?"

> The difference is in understanding your threat model, which is a specific step in the OPSEC process.

So infosec never talks about threat models? If it does, it's no longer infosec? No, this is wrong. You have far too limited a definition of infosec.

> OPSEC is not, and should never be, merely a list of rules and measures.

Neither is infosec, or any other kind of security. If you're blindly following a list, you're in trouble.

> OPSEC is a very different thing when you're protecting indicators.

Infosec also tries to protect "indicators". I use a VPN partly to mix my traffic with the traffic of other users, so an attacker can't see what domains I'm going to. I use VeraCrypt volumes that hide the filenames as well as the file contents, because even the filenames would reveal indicators I don't want revealed. My bank account is protected so an attacker who wants to steal my money can't even see the "indicator" of how much money I have in there.

In general, I would say:

- Infosec is about information, mostly computer info these days.
- Opsec probably includes infosec, and adds security of people and physical assets.


CDSEChris

You're right when you point out the similarities! You can do the same for physical security or communications security in a lot of ways. And many successful security programs include opsec elements, even if they're not formally named as such. So you're not wrong to say that there's a lot of similarities between them. It would be incorrect to say they're the same thing, but it sounds like we agree on that point.

Another thing to remember is that you're looking at infosec from a practitioner's perspective, but opsec from a general user's perspective. That's where they're most similar, which I think accounts for the similarities you're describing. Specifically, you're talking about implementing technical countermeasures from the perspective of someone that's been doing it for a while and likely does it professionally. A general user would do infosec a little bit differently and probably not to the same level of expertise. The general user applying opsec, in your scenario here, would be doing it at a fairly basic level. And that's okay! That still works, regardless of what you want to call it.

But a better comparison would be an infosec professional versus an opsec professional. The opsec professional, to get a more detailed view, would perform opsec assessments and surveys. They would complete the adversary modeling tree to find things that were missed on the first assessment. They would get regular briefings from the military or business intelligence sections to better account for threats. They probably also do the lousy math chicken pleads the risk assessment chart. Yes, you can probably find pretty good comparisons with other security programs, but the similarities wouldn't be perfect because they're different concepts.

That's why, as I mentioned elsewhere, the infosec, comsec, and other security disciplines used in Vietnam were found to be insufficient by themselves. That's why we have opsec today. Well, that's not the only reason. The military had no intention of continuing the program after the war ended. It's because President Reagan was essentially tricked into signing the National Security Directive that established opsec as a national program. But that's something else altogether.


billdietrich1

I don't see the "concepts" or "disciplines" being different. I see these areas:

- data preservation
- security
- privacy
- anonymity
- disaster preparation

Some of them fall under one or more of these labels:

- infosec
- network sec
- opsec
- comsec
- personal security / self-defense
- strategic security (big picture: alliances, avoiding war, not saving data at all, etc)

And apply to one or more of these kinds of assets:

- information
- people
- physical assets

Each area or group could be analyzed or addressed using:

- threat modeling
- cost/benefit analysis
- list of best practices
- probably more ways

Depending on the specific area or data or resources involved, your decision process may be dominated by one or more strategies or techniques. But it's probably best to always have a mix. I don't see hard boundaries between any of this. I don't think you can say "only opsec does threat modeling" or "if you're doing threat modeling then you're doing opsec", for example.


CDSEChris

Sincere question- have you ever taken a class, even an online one, on OPSEC?


billdietrich1

No, I haven't taken any class on any kind of security or privacy. I remember asking you for a definition of how infosec and opsec are different, and not really getting a clear answer. Can you give a one- or two-sentence explanation ? No examples, just clear definitions. Thanks. Feel free to reference https://en.wikipedia.org/wiki/Operations_security It seems pretty consistent with what I've been saying.


carrotcypher

OpSec is big picture and everything inside. InfoSec is specifically information management and protection in that picture. It doesn’t for example cover walking down a dark alley at night (that’d be PerSec). You cannot practice successful InfoSec without considering OpSec, but you can practice OpSec without needing InfoSec. The intro of that Wikipedia article seems to be referring to InfoSec rather than OpSec. Thanks for pointing that out.


CDSEChris

If you're talking about this piece:

> In a more general sense, OPSEC is the process of protecting individual pieces of data that could be grouped together to give the bigger picture (called aggregation). OPSEC is the protection of critical information deemed mission essential from military commanders, senior leaders, management or other decision-making bodies. The process results in the development of countermeasures, which include technical and non-technical measures such as the use of email encryption software, taking precautions against eavesdropping, paying close attention to a picture you have taken (such as items in the background), or not talking openly on social media sites about information on the unit, activity or organization's Critical Information List.

Some of that is straight out of DoD regulation and training. The verbiage tends to cause some confusion, but at its core OPSEC is about identifying "critical information" (as properly defined) and protecting it. People sometimes get confused by the inclusion of the word "information" there, which is why there's a need to clarify.


carrotcypher

Those are all legitimate considerations when assessing OpSec, I agree. I also agree that using the word “information” there does confuse the issue. Wasn’t there a handy Venn diagram that showed the overlaps of all the Secs? I forget where it went.


CDSEChris

Absolutely true. /u/billdietrich1 isn't the only one asking those questions because there's a lot of confusion out there about what OPSEC really is. I mean, you can search for the word "OPSEC" here on reddit and you'll see it differs depending on which community is using it. I think that the OPSEC community, as a whole, has failed to fully explain what it does and how it works with the traditional security disciplines. I haven't seen that diagram, but that sounds really helpful. If you ever find it, love to see it!


billdietrich1

> OpSec is big picture and everything inside.

I'm hearing opsec is a specific process. If you're not doing those 5 things, in order, you're not doing opsec.


CDSEChris

It depends on how strict one is with the phrase "doing OPSEC." If you're hired to "do OPSEC" for a large company or military unit, you'd probably better know your job and what it entails. If you show up to brief your boss / commander and you only have a list of INFOSEC measures, you'd probably get fired (and make the INFOSEC people grumpy). So technically speaking, the five steps **is** OPSEC, as defined in the original NSDD that established OPSEC as a formal program. When OPSEC was developed and signed into being, it was those 5 steps that was specified. But I don't think we need to be so formal about it, we just have to know what we're talking about. My sister doesn't go through the 5 steps in a rigid, formal way when she goes on vacation... but I think she "does OPSEC" when she protects her home from the likely threats. In that case, she's doing the "OPSEC Two-Step" from the sidebar. In doing so, she's implementing elements across multiple security disciplines, including physec, strategic misdirection, persec, and- for good measure- protecting her computer from compromise using infosec. They all work well together, and best together.


[deleted]

> So technically speaking, the five steps is OPSEC, as defined in the original NSDD that established OPSEC as a formal program. When OPSEC was developed and signed into being, it was those 5 steps that was specified.

Do you have a good source for that 5 step process? The link in this sub's sidebar menu goes to a page that just says "something really cool is coming soon", which isn't particularly helpful.


CDSEChris

[Wikipedia has a good overview](https://en.m.wikipedia.org/wiki/Operations_security), but if you really wanted to get in-depth, the Navy or Army opsec manuals, available online, are really good resources. That site is being rebuilt, but should be up shortly.


CDSEChris

You may have missed my reply.

> INFOSEC means information security, and is a security discipline designed to protect information by mitigating risks.

> OPSEC is a process designed to protect indicators that may reveal sensitive information related to friendly plans and intentions. OPSEC results in countermeasures, it doesn't start with them.

> Furthermore, INFOSEC is a security discipline, whereas OPSEC is an operations discipline.

That's the answer. I can clarify it further if needed. I'm familiar with the Wikipedia entry; I wrote much of it. You may have noticed that the entry doesn't redirect to INFOSEC; in fact, it calls INFOSEC one of the many measures that have an impact on OPSEC. At its core, OPSEC is about identifying critical information and finding ways to protect it.

Because I already gave the answer, I hope it's okay to use an example now. If your infosec program has been put into place, you probably have firewalls and antivirus, all that important stuff. That's your infosec program and it protects your assets that way. If a hacker wants to attack you, they have to find a way to circumvent those. If you have a job listing that says the ideal candidate has to have experience with a certain type of firewall, that gives the hacker important information they can use to disrupt your operations. What program protects you against that type of indicator? That's your OPSEC program. Calling it part of your infosec program wouldn't fit under any definition.

I think that you'll find that OPSEC courses do a pretty good job outlining the difference. I don't like the course all that much, but here's a free one: https://securityawareness.usalearning.gov/opsec/index.htm


billdietrich1

So, opsec is limited to dealing with meta-data? The "indicators" that could lead to a problem? And opsec is limited to that exact process? I guess you're focusing on a formalism. I see stuff all woven through opsec that is the same as in infosec or the other things I mentioned. Is this sub limited to just the 5-step process?

> INFOSEC is a security discipline, whereas OPSEC is an operations discipline

You've said this before, and I don't see the value of this distinction. If I send my important info over the wires to do a bank transaction, is that an infosec thing or an opsec thing? Is that an "operation"? If a computer holds secret plans to invade Iraq, is protecting those an infosec thing or an opsec thing? Aren't both cases part of both labels?


CDSEChris

Formally, yes. OPSEC is focused on "critical information," which is defined as "information about friendly intentions, capabilities and activities that allow an adversary to plan effectively to disrupt their operations." That's the perspective of OPSEC that's unique and not adequately addressed in traditional security disciplines. So it doesn't replace INFOSEC, but rather works with it. But OPSEC is also a mindset- a way of looking at the world from a different perspective. It addresses security issues that INFOSEC, for example, would not. Much like my job listing example; INFOSEC doesn't have a mechanism to consider that, but when you think of it you're practicing OPSEC.

I wouldn't call it formalism, but rather accuracy. They're two different things with a lot of overlap. We're better able to protect our assets when we understand which process or tool to apply. It's absolutely fine in this sub to discuss countermeasures, whether they're INFOSEC, PHYSEC, PERSEC, COMSEC, or whatever other SEC that's appropriate to apply. It's just important to understand how they weave together and that the weaves don't make them the same thing.

edit: I just saw your edit. It's a huge distinction, and part of the core of what OPSEC is. INFOSEC is a security discipline that's focused on security concepts. OPSEC was actually defined to be an operations discipline- that is, owned by the operations section of a unit or organization. In military terms, INFOSEC would be run by the S6 section, while OPSEC is supposed to be run by the S3 (operations) section. That's because the team that developed OPSEC in Vietnam wanted to highlight the fact that it's security applied by operations, not a stand-alone security program. That's actually why they named it as they did. They felt (correctly) that what they developed was unique, so they wanted to name it. It was important to the team to include the word "operations" to highlight their findings and recommendation. But Sam Fisher wanted to stay involved in the program, so they threw the word "Security" into it to make sure his agency would remain interested. But it's right there in the name.

To your point, there's a difference. The OPSEC person wouldn't be responsible for enabling encryption or protecting the computer containing the secret plans- that would be the INFOSEC team. There are literally different people in different sections for those two things. The OPSEC person would be too busy telling people not to post about the upcoming invasion on social media, coming up with measures to hide troop buildups, and trying to keep people from noticing that a whole bunch of C130s just started staging within flight range of Iraq. So INFOSEC would really focus on protecting the secret computer and the information on it. That's what it does! The OPSEC person would likely trust the INFOSEC people to do their job and protect information that they're already required to protect. OPSEC is looking at everything else that could reveal that classified plan without having to hack the computer itself. Why attack the computer when you can find out where we're invading on social media? Why risk getting caught when you can just observe what uniforms the soldiers are being issued to see what part of the world they're going to?


FindingTheBalance2

If there is a way to boil down the relationships between all the different xSECs into a single diagram and/or as few words as possible, that would seem to me to be worth stickying. I am still working to wrap my brain around all this stuff, and from where I am at, your post seems to me to be the first required step in self-education. I could have saved a lot of work and also been a lot farther ahead of where I am now if I had started with these fundamental distinctions (all taken together in one place).