Strengthening Operational Security


To the military, operational security can be the difference between success and failure. Maintaining operational security means not leaking information about what, when, where, how, why, and with whom you’re doing something. Most businesses already have an understanding of this, because they understand that competitors would love to learn more about their internal operations. Understanding good operational security principles and putting them into practice are two different things, though. The basic goal behind these improvement efforts is simple: you want to reduce the amount of information leakage inside and outside your company. Here are some things to consider:

  • When you print confidential documents, where do they go? At most companies, they go to the same print queues and printers that are used for ordinary documents, leading to increased risk of accidental disclosure. Keep confidential materials confidential by printing, filing, and maintaining them separately.

  • Many companies enforce “clean desk” policies that require employees to clear their desks and lock up anything sensitive before they leave for the day. These policies are hated by employees and probably outside your mandate as a messaging administrator. However, you can implement a similar “clean desktop” policy by ensuring that you scrub machines of confidential material before sending them out for repair, selling them, or donating them. Remember, a sufficiently determined attacker might be able to use forensic scanning tools to recover information from drives that have been reformatted, so for critical data, make sure you smash the drives yourself—don’t let them out the door.

Keeping Your Secrets Secret

The phrase “loose lips sink ships” became famous during World War II, but it’s still true: if your operational security is lax, attackers can get valuable data about your operations. Attackers can choose from a wide variety of operational security attacks. Passive attacks don’t require any direct contact with your network or people. They include the following:

  • Watching through windows or glass doors (possibly with binoculars or other optical devices) to capture password or account information.

  • Dumpster-diving to recover sensitive but unshredded documents. This might sound unlikely, but a number of high-profile companies (including BellSouth and Mykotronx, a contractor for the U.S. National Security Agency) have been burned by this type of attack.

  • Passive eavesdropping of wireless network traffic.

Active attacks are more interesting; they include social engineering stunts like calling a user and masquerading as the information technology or help desk staff (“You need to tell me your password so we can reset it”), stealing directory or organizational data, or even the occasional information-gathering break-in. (French intelligence services are legendary for mounting this style of attack against visiting American executives.)

Operational security attacks are difficult to block; after all, your people have to have the information they need to do their jobs. You can help stop these attacks by sanitizing materials that leave your physical control: shred documents before they go into the trash, be careful with outbound hardware, and so forth. On the people side, make it easier for people to do the right thing (for example, by encouraging them to report suspicious behavior) and harder to do the wrong thing (for example, by limiting or compartmentalizing access to your sensitive data).




Secure Messaging with Microsoft Exchange Server 2000
ISBN: 735618763
EAN: N/A
Year: 2003
Pages: 169
