The Basics of Operations Security (OPSEC)

If you’re happy with your security, so are the bad guys.

Operations security (OPSEC) is evaluating the flow of information from the perspective of security. In the most basic terms, this is the protection of sensitive data; loose lips sink ships. But in a connected world where information holds an ever increasing value, "operations" can take to mean activity which you wish to keep sensitive.

The formal process identifying and protecting sensitive information that falls under OPSEC is reasonable and common sense.

1. Identify Critical information: What is sensitive and needs to be protected? What is your "OP"? A practical way to look at this is to break things into categories; work, shopping, banking/financial, social media, etc.
2. Threat Analysis: What are the sources of opposition? Do you want to protect your online privacy? Do you fear government censorship?
3. Analysis of Vulnerabilities: What activities and behaviors do you engage in that will compromise your operations?
4. Assess Risk: Based on previous analysis results, identify and categorize what information, threats, and vulnerabilities has the most risk, and what can be mitigated with OPSEC.
5. Application of Appropriate OPSEC Measures: Start running operations with OPSEC. Control how your infornmation is handled and by whom. Compartmentalize. Use one email for shopping and one for finance, use Chrome for streaming, Firefox for social media, etc. Keep your software up to date, use adblock and tracking blocker software, use proxies, VPNs, and Tor.

Learn to control your metadata. Learn how browse the web securely and learn about Tor. Keep your operations secure.

If you have a secret, the best thing is to keep it to yourself. The second-best is to tell one other person if you must. There is no third best.

Chronic0ps