What is OPSEC (Operational Security)?
OPSEC refers to the habits and behaviors you perform to enforce proper security. This is probably the most underrated security control and, if done poorly, is the most likely to destroy your security, privacy, and anonymity. So let's define privacy, anonymity, and pseudo-anonymity. Privacy is nobody seeing what you do, but potentially knowing who you are.
Privacy is about content; it is about maintaining confidentiality and keeping secrets. "Anonymity is nobody knowing who you are, but potentially seeing what you do. Anonymity is keeping your actions and activities separate from your true identity.
Anonymity concerns your identity; it is when out of a set of all possible people there is an equal chance it could be anyone." You may desire this for viewing content but not for making it. Anonymity means non-attribution of your actions: to be nameless, to be faceless. Finally, pseudo-anonymity is when you wish to retain a reputation against an identity.
A common example is having an alias for social accounts or forums online. An adversary may not know who the user is, but they can attribute posts and activities to him or her. This is an alias, a cover, a false identity. This is aimed more at those who want anonymity and non-attribution of their actions.
OPSEC is as important as your adversary is well-resourced and the consequences of your actions are high. If non-attribution really matters, then OPSEC must not be skipped. If your adversary is a law enforcement agency or nation state, this section is particularly relevant to you.
So here's a quote from The Wall Street Journal from a gentleman called James Kilpatrick, one of the HSI agents who is or was part of Operation Rountree. This emphasizes the need for OPSEC.
This is what he said:
"There's not a magic way to trace people, so we typically capitalize on human error, looking for whatever clues people leave in their wake. Capitalize on human error."
Another quote:
"Most people don't have the discipline not to make a mistake."
Kilpatrick continues:
"The average person is too worried about doing their business never to make a mistake. Waiting for mistakes is part of good old-fashioned, standard police work, and law enforcement investigations traditionally rely on people making mistakes."
Fundamental OPSEC failures are not about decrypting your encryption or finding you through tunnels and anonymity. It's about basic OPSEC failures. That's what's more likely to get you. People are usually caught because of activities they performed in the early stages that were non-anonymous and tied back to their real identity, not realizing that the Internet never forgets and that you are being watched. Sound OPSEC is required from the beginning to counter any serious adversary.