Operations and Information Security

This article is a basic guide for user and organization operations and information security.

Operations security and information security are important, overlapping, and complementary facets of maintaining organizational opaqueness, user privacy, and anonymity. Due to the decentralized, distributed nature of the network and the diverse organizations and users it serves, operations and information security are especially important.

User privacy and security are of the utmost importance to the organization. Maintaining privacy and security of the network and the organization helps to ensure the privacy and security of the users. Network and organization integrity requires the active compliance and enthusiastic participation of all users.

If you see or suspect something, say something! Contact administration as soon as practicable in the event of any real or suspected data or security breach!

Operations Security

Operations security (OPSEC) is a major component of any organization. Operations security is not only important for the collective organization, but also important for the individual user. Despite all actions taken by an organization to ensure operational security and user privacy, ultimately, operations security comes down to the formation and enforcement of good habits that reduce transparency and enhance obfuscation.

OPSEC is the process of protecting individual pieces of data that could be grouped together to give the bigger picture (called aggregation) [emphasis added]. OPSEC is the protection of critical information deemed mission-essential from … management or other decision-making bodies. The process results in the development of countermeasures, which include technical and non-technical measures such as the use of email encryption software, taking precautions against eavesdropping, paying close attention to a picture you have taken (such as items in the background), or not talking openly on social media sites about information on the unit, activity or organization’s Critical Information List. — “Operations Security”. Wikipedia.

Operations security (OPSEC) is a process that identifies friendly actions that could be useful for a potential attacker if properly analyzed and grouped with other data to reveal critical information or sensitive data. — Tunggal, Abi Tyas. “What is Operations Security (OPSEC)?”. Upguard.

Forming and implementing good habits surrounding operations security can be difficult and take time. Learning how to develop good OPSEC means learning how to think like an enemy detective: what data volunteered by a user or an organization could be exploited to piece together an identity or affiliation? Pattern of behavior? Packet of confidential information? Or, gain internal organizational knowledge? And, what defenses can a user or an organization utilize to eliminate or limit access to data?

Contemplating what data or activities you, the user, have volunteered or allowed accessible (and how that information might be exploited by opposition entities) may help motivate the exercise of good OPSEC: What picture could an interested party develop of your life simply based on monitoring or interacting with you? What actions could you take to better disguise your identity or affiliations? Or, otherwise obstruct glimpses into your life?

Information Security

Information security (INFOSEC) is a primary consideration of any secure network or organization. Information security involves participation by all users of a network or organization to keep accessibility to information controlled. Information accessibility can include anything from direct access to textual, audio, and/or visual records to photograph metadata or inferred user data. Any device or software exposed to the network represents a potential threat to information security.

Information security, sometimes shortened to infosec, is the practice of protecting information by mitigating information risks [emphasis added]. […] It typically involves preventing or reducing the probability of unauthorized/inappropriate access to data, or the … use, disclosure, disruption, deletion, corruption, modification, inspection, recording, or devaluation of information. It also involves actions intended to reduce the adverse impacts of such incidents. Protected information may take any form, e.g. electronic or physical, tangible (e.g. paperwork) or intangible (e.g. knowledge). Information security’s primary focus is the balanced protection of the confidentiality, integrity, and availability of data…

[Information security is] [t]he protection of information and information systems from unauthorized access, use, disclosure, disruption, modification, or destruction in order to provide confidentiality, integrity, and availability.

Information security] [e]nsures that only authorized users (confidentiality) have access to accurate and complete information (integrity) when required (availability). — “Information Security”. Wikipedia.

Information security depends on both the users, the organization, and, collectively, the network to treat information and access controls responsibly. Individuals participate in INFOSEC every day: one does one carelessly display confidential documents for strangers, nor volunteer credentials or secrets to others. One does not use the same password for every login and may even implement multi-factor authentications. All examples demonstrate denials of access and good information security. INFOSEC goes further than this, however: is one’s device secure? Is one’s connection encrypted? Are one’s surroundings private? Are one’s contacts trusted? Is the network or organization uncompromised? Is information being stored or shared in ways genuinely inaccessible to entities determined to spy?

Implementing Good OPSEC/INFOSEC

Arguably, mastering good OPSEC and INFOSEC requires some degree of conditioned paranoid schizophrenia.

Security Tips

Ways in which users may enhance operations and information security include: