Operations and Information Security

This article is a basic guide for user and organization operations and information security.

Operations security and information security are important, overlapping, and complementary facets of maintaining organizational opaqueness, user privacy, and anonymity. Due to the decentralized, distributed nature of the network and the diverse organizations and users it serves, operations and information security are especially important.

User privacy and security are of the utmost importance to the organization. Maintaining privacy and security of the network and the organization helps to ensure the privacy and security of the users. Network and organization integrity requires the active compliance and enthusiastic participation of all users.

If you see or suspect something, say something! Contact administration as soon as practicable in the event of any real or suspected data or security breach!

Operations Security

Operations security (OPSEC) is a major component of any organization. Operations security is not only important for the collective organization, but also important for the individual user. Despite all actions taken by an organization to ensure operational security and user privacy, ultimately, operations security comes down to the formation and enforcement of good habits that reduce transparency and enhance obfuscation.

OPSEC is the process of protecting individual pieces of data that could be grouped together to give the bigger picture (called aggregation) [emphasis added]. OPSEC is the protection of critical information deemed mission-essential from … management or other decision-making bodies. The process results in the development of countermeasures, which include technical and non-technical measures such as the use of email encryption software, taking precautions against eavesdropping, paying close attention to a picture you have taken (such as items in the background), or not talking openly on social media sites about information on the unit, activity or organization's Critical Information List.
Operations security (OPSEC) is a process that identifies friendly actions that could be useful for a potential attacker if properly analyzed and grouped with other data to reveal critical information or sensitive data.

Forming and implementing good habits surrounding operations security can be difficult and take time. Learning how to develop good OPSEC means learning how to think like an enemy detective: what data volunteered by a user or an organization could be exploited to piece together an identity or affiliation, a pattern of behavior, or a packet of confidential information, or to gain internal organizational knowledge? And what defenses can a user or an organization utilize to eliminate or limit access to data?

Contemplating what data or activities you, the user, have volunteered or left accessible (and how that information might be exploited by opposition entities) may help motivate the exercise of good OPSEC: What picture could an interested party develop of your life simply based on monitoring or interacting with you? What actions could you take to better disguise your identity or affiliations, or otherwise obstruct glimpses into your life?

Information Security

Information security (INFOSEC) is a primary consideration of any secure network or organization. Information security involves participation by all users of a network or organization to keep accessibility to information controlled. Information accessibility can include anything from direct access to textual, audio, and/or visual records to photograph metadata or inferred user data. Any device or software exposed to the network represents a potential threat to information security.

Information security, sometimes shortened to infosec, is the practice of protecting information by mitigating information risks [emphasis added]. […] It typically involves preventing or reducing the probability of unauthorized/inappropriate access to data, or the … use, disclosure, disruption, deletion, corruption, modification, inspection, recording, or devaluation of information. It also involves actions intended to reduce the adverse impacts of such incidents. Protected information may take any form, e.g. electronic or physical, tangible (e.g. paperwork) or intangible (e.g. knowledge). Information security's primary focus is the balanced protection of the confidentiality, integrity, and availability of data…
[Information security is] [t]he protection of information and information systems from unauthorized access, use, disclosure, disruption, modification, or destruction in order to provide confidentiality, integrity, and availability.
[Information security] [e]nsures that only authorized users (confidentiality) have access to accurate and complete information (integrity) when required (availability).

Information security depends on the users, the organization, and, collectively, the network to treat information and access controls responsibly. Individuals participate in INFOSEC every day: one does not carelessly display confidential documents for strangers, nor volunteer credentials or secrets to others. One does not use the same password for every login and may even implement multi-factor authentication. All of these examples demonstrate denial of access and good information security. INFOSEC goes further than this, however: is one's device secure? Is one's connection encrypted? Are one's surroundings private? Are one's contacts trusted? Is the network or organization uncompromised? Is information being stored or shared in ways genuinely inaccessible to entities determined to spy?

Implementing Good OPSEC/INFOSEC

Arguably, mastering good OPSEC and INFOSEC requires some degree of conditioned paranoid schizophrenia.

Security Tips

Ways in which users may enhance operations and information security include:

  • Maintain organizational privacy.
    • Do not discuss organizational matters externally.
    • Do not discuss organizational membership or other affiliations.
    • Do not divulge user data nor any information which could identify users or affiliations.
  • Police data retention and dissemination.
    • Do not record nor disseminate internal organizational data or member information.
    • Be mindful of records which may include identifying or compromising information.
  • Maintain device integrity and connection security.
    • Only access organizational networks from secure, trusted devices and connections.
      • Utilize secure data connection technologies and location obfuscation tools, e.g., encrypted and log-less virtual private networks.
      • Always ensure encrypted network connections via HTTP over TLS.
      • Scrutinize usage of public internet networks and non-secure domains.
    • Maintain device security and harden devices from attack.
      • Encrypt personal devices and external media devices.
      • Disable operating system and/or application location services; police background services and device operating system or software telemetry.
      • Shut down and disconnect devices when not in use.
      • Regularly scan devices for malware.
      • Keep operating systems and applications regularly updated.
      • Unregister devices not routinely utilized.
      • Periodically expunge logins and device caches.
      • Be suspicious of foreign or transient applications or documents.
      • Delete or relocate to external media irregularly utilized applications or files.
      • Judiciously choose web browsers and be cautious installing web browser extension software.
      • Be vigilant when sharing devices.
        • Ensure data is adequately protected behind secure user accounts.
        • Always log out before leaving any shared device unattended.
  • Diversify and secure credentials and confidential data.
    • Do not reuse nor recycle passwords.
      • Use unique and complex passwords for each and every login credential.
    • Save and securely store confidential data.
      • Store confidential data in a safe place hardened against intrusion.
      • Distribute the storage of confidential data via distributed means.
      • Encrypt storage devices and databases.
    • Utilize multi-factor authentication solutions.
  • Remain anonymous.
    • Do not volunteer identifiable nor recognizable information.
    • Be conscientious regarding data which could be confidential and/or revealing, e.g.:
      • names or pseudonyms
      • ages, sexes, or locations
      • demographic information
      • known affiliations
      • academic, professional, or occupational information
      • contact information, e.g.:
        • user-names
        • physical or email addresses
        • telephone numbers
      • social media presences
      • plans or activities
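
The aggregation risk described under Operations Security, applied to a few of the categories listed above, as an added example that is not part of the original guide: a self-audit that checks your own drafts before posting and reports when messages that each reveal one detail reveal several when read together. The patterns, pseudonyms, threshold and sample drafts are constructed assumptions for illustration.

```python
import re
from collections import defaultdict

# Simple illustrative patterns for a few categories from the list above.
# They are assumptions of this example, not exhaustive detectors.
PATTERNS = {
    "email address": re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+"),
    "telephone number": re.compile(r"(?<!\w)\+?\d[\d\s().-]{7,}\d(?!\w)"),
    "user-name": re.compile(r"(?<![\w@])@[A-Za-z_]\w{2,}"),
    "age": re.compile(r"\b(?:I'm|I am|aged?)\s+\d{1,2}\b", re.I),
    "location": re.compile(r"\b(?:live|based|located)\s+in\s+[A-Z][a-z]+"),
}

def categories_in(text):
    """Return the set of category names whose pattern appears in one draft."""
    return {name for name, rx in PATTERNS.items() if rx.search(text)}

def aggregation_report(drafts, threshold=3):
    """Flag pseudonyms whose drafts, taken together, expose at least
    `threshold` categories, and show the most any single draft exposes."""
    per_author = defaultdict(list)
    for author, text in drafts:
        per_author[author].append(categories_in(text))
    report = {}
    for author, found in per_author.items():
        combined = set().union(*found)
        if len(combined) >= threshold:
            report[author] = {
                "combined": sorted(combined),
                "worst_single_message": max(len(f) for f in found),
            }
    return report

# Constructed sample drafts under two made-up pseudonyms; not real data.
DRAFTS = [
    ("alice", "Reach me at @night_owl if the channel is down."),
    ("alice", "I'm 34 and still learning this stuff."),
    ("alice", "We live in Lisbon, so mornings work best."),
    ("bob", "The meeting notes are in the usual place."),
    ("bob", "Call 555-010-0199 if it is urgent."),
]

if __name__ == "__main__":
    for author, info in aggregation_report(DRAFTS).items():
        print(author, info)
```

No single draft from "alice" exposes more than one category, yet the three together expose a handle, an age and a location, which is the grouping effect the OPSEC definition calls aggregation.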