Strengthening Operational Security


To the military, operational security can be the difference between success and failure. Maintaining operational security means not leaking information about what, when, where, how, why, and with whom you're doing something. Most businesses already have an understanding of this, because they understand that competitors would love to learn more about their internal operations. Understanding good operational security principles and putting them into practice are two different things, though. The basic goal behind these improvement efforts is simple: you want to reduce the amount of information leakage inside and outside your company.

The Five Principles of OPSEC

The OPSEC principles followed by the U.S. military-industrial complex bear examining; they arguably provide the best overall framework for us to understand how to apply OPSEC protection to our own efforts. National Security Decision Directive (NSDD) 298 (see http://www.fas.org/irp/offdocs/nsdd298.htm) sets out the U.S. government's position on OPSEC and explains a few of its core principles. There are five key principles to follow when constructing an OPSEC plan, all of which will be familiar to anyone who read the preceding chapter:

  1. Identify the critical information to be protected. For messaging systems, this normally includes messaging and directory data, but it can extend to other data types (including private key material, backup tapes, and so forth). NSDD 298 describes critical information as information that, if available to adversaries, would harm an organization's ability to accomplish its mission. Although this sounds awfully military, think about it in another context: your critical information is the stuff that would put you out of business if your competitors got access to it.

  2. Analyze potential threats to determine what adversaries or competitors exist, and what specific data items they might like to have. A complete threat analysis should include thinking about a particular adversary's efforts to collect, process, and analyze your information.

  3. Analyze vulnerabilities in your system architecture, normal work practices, and configuration. This is often fertile ground, because most organizations have processes designed to be efficient, not secure. It's axiomatic in the OPSEC field that policies only work well if they're uniformly applied, which means you need to pay careful attention to policy application throughout your environment. Branch and remote offices are often where organizational or policy vulnerabilities are easiest to exploit, so they deserve particular scrutiny.

  4. Assess the risks associated with the threats and vulnerabilities. As with the STAVE and STRIDE models discussed in Chapter 4, building a competent OPSEC plan requires you to match specific threats to specific vulnerabilities so you can decide which ones to address first.

  5. Apply countermeasures. Of course, your choice of countermeasures must be informed by a careful analysis of the benefit and impact of particular measures.

Keeping Your Secrets Secret

The phrase "loose lips sink ships" became famous during World War II, but it's still true: if your operational security is lax, attackers can get valuable data about your operations. There are a wide variety of operational security attacks that an attacker can choose from. Passive attacks don't require any direct contact with your network or people. They include the following:

  • Watching through windows or glass doors (possibly with binoculars or other optical devices) to capture password or account information.

  • Dumpster-diving to recover sensitive but unshredded documents. This might sound unlikely, but a number of high-profile companies (including BellSouth and Mykotronx, a contractor for the U.S. National Security Agency) have been burned by this type of attack.

  • Passive eavesdropping of wireless network traffic.

Active attacks are more interesting; they include social engineering stunts like calling a user and masquerading as the information technology or help desk staff ("You need to tell me your password so we can reset it"), stealing directory or organizational data, or even the occasional information-gathering break-in.

Operational security attacks are difficult to block; after all, your people have to have the information they need to do their jobs. You can help stop these attacks by sanitizing materials that leave your physical control: shred documents before they go into the trash, be careful with outbound hardware, and so forth. On the people side, make it easier for people to do the right thing (for example, by encouraging them to report suspicious behavior) and harder to do the wrong thing (for example, by limiting or compartmentalizing access to your sensitive data). Here are a few additional things to consider:

  • When you print confidential documents, where do they go? At most companies, they go to the same print queues and printers that are used for ordinary documents, leading to increased risk of accidental disclosure. Keep confidential materials confidential by printing, filing, and maintaining them separately.

  • Many companies enforce "clean desk" policies that require employees to clear their desks and lock up anything sensitive before they leave for the day. These policies are hated by employees and probably outside your mandate as a messaging administrator. However, you can implement a similar "clean desktop" policy by ensuring that you scrub machines of confidential material before sending them out for repair, selling them, or donating them. Remember, a sufficiently determined attacker might be able to use forensic scanning tools to recover information from drives that have been reformatted, so for critical data, make sure you smash the drives yourself: don't let them out the door.


Secure Messaging with Microsoft® Exchange Server 2003 (Pro-Other)
ISBN: 0735619905
Year: 2004
Pages: 189
