Networks dominate today's computing landscape and commercial technical protection is lagging behind attack technology. As a result, protection program success depends more on prudent management decisions than on the selection of technical safeguards. Managing Network Security takes a management view of protection and seeks to reconcile the need for security with the limitations of technology.
Operations Security is typically applied by military and law enforcement organizations as part of protecting their operations, people, and assets during an operation, but the same basic principles apply to any organization engaged in any operation under a security threat. In information operations there is always some set of threats, and as a result, operations security has its place in all organizations undertaking operations involving information or information systems.
The classical approach to operations security is a 5-step process:
In this month's article we are going to apply the OpSec process to a typical information protection scenario to help give an idea of how it might be used in a typical IT environment.
In our sample IT environment, we will assume a medium-sized company with offices across a substantial region of a continent. Because operations security is typically about securing an operation, and because operations in military parlance are typically associated with defined time frames, we will assume that this company gets together with major clients and potential clients for an annual conference in one of its major locations and that local team members host the meeting at a local major conference center and hotel.
The conference itself doesn't involve any trade secrets or confidential information, although meetings with clients, potential clients, and between team members from regional offices are commonplace and are of a sensitive nature. In addition, the conference will have a wireless network so that attendees can have access to their corporate computing environments over the Internet from anywhere in the conference center and its surroundings.
Finally, the conference is being held this year in a major city where many competitors and other potential threats are commonly found. As a result of the combination of wireless, a high potential threat environment, and the high profile of the affair, the company has wisely decided to do an OpSec assessment of the event.
The mission of this conference includes (1) giving clients a good experience that brings them back, (2) meeting with clients and potential clients to build up confidence, trust, and the business relationship, and (3) meeting with team members from across the region to improve operations of the company and keep the organization working together.
The critical information for these missions includes (1) open information that has to be delivered in an accurate and timely fashion to the attendees, (2) non-open information about client relationships and discussions between team members that has to be kept confidential, and (3) client-confidential information discussed with clients during the conference and related activities that has to be kept confidential.
The adversaries would like to know, and in some cases be able to reveal to the public, any of the confidential information, and would like to be able to corrupt or make unavailable the conference information, particularly during presentations and when people are trying to find their ways to meetings, dinners, and so forth.
It seems pretty clear that in this situation, threats include competitors, customers, the media, and those who like to make names for themselves by interfering with other people's computers. While there may be other threats, we will only consider these in this example.
These threats use a wide range of methods, predominantly consisting of perception management and similar human exploits, small and sometimes subtle bribes, and relatively simplistic off-the-Internet technical attacks.
This is not to be considered a formal threat assessment for this situation, but it serves the purposes of our example and gives a flavor for the sorts of things we might want to consider. A real threat assessment would be considerably more thorough and complex and would require several days of effort by experts looking at the specific issues involved.
It seems likely that the hotel registrant list will be exploitable, that lists of conference attendees will be sought and obtained by these threats, and that the open information from the conference will be examinable by anyone who wants to make the effort to find it. This will be a likely target of competitors and the media, and they will gain the information one way or the other. It is possible that those who wish to corrupt information will want to corrupt this content if they are given the chance.
Non-open information about client relationships and discussions between team members will be the target of competitors and the media, and to a lesser extent other conference attendees who are customers, both seeking relationship information and seeking ways to exploit the sponsors for information on others of their customers. The situation here will be greatly magnified by the use of the open network for much of the communications relating to this effort, and the threats will use some level of technical means to examine the traffic flowing over the wireless network and to attempt entry into systems on the conference network. They will also likely attempt to listen in on meetings using technical and non-technical means and seek to exploit the human weaknesses of people who are away from home to gain insider access. Finally, they will seek to steal PCs and notebooks, and to exploit residual information from note pads, white boards, and similar technical support items. There is a reasonable chance that some of them will dress as servers or similar conference center employees as part of their effort and pay conference center employees for getting them useful information.
Client-confidential information will be sought by their competitors and by malicious outsiders. This will include the same technical means described above.
While no significant effort has been made to rank these examples, a ranking from most important to least important has been generated purely as an example:
1) Theft of customer confidential information. This would result in potential loss of major customers and loss of trust in the company and its conferences. The lost business could be very harmful, especially if widely publicized.
2) Theft of relationship information. This could be of substantial business harm and result in hurt customer feelings, demands for refunds or pricing changes, and similar problems.
3) Corruption of conference information. This could create unnecessary negative publicity and embarrassment and create confusion among conference attendees worsening their experience.
Because damage to customers and loss of their information is so highly ranked, and because the scenarios are likely to result in such loss with the identified threats, it will be prudent to implement several precautions to protect this information. The Wireless LAN is highly exposed, but because these threats are generally weak against technical countermeasures, LAN access will be monitored and controlled so as to limit harm. WEP (encryption) will be required and all users will have to register to gain network access. The WAP will enforce authentication in the form of MAC addresses associated with authorized computers, and attendees will be warned about the potential for such losses in their network use. False non-WEP and WEP traffic will be generated to help detect attempted exploitation, and a free software firewall will be offered to conference attendees to help them defend their systems against exploits. This will also provide good publicity for the company and the vendor of the firewall software (from which we will take fees). Rooms used for general meetings will be guarded against illicit entry by ID checks (identified as homeland security-related checks), but this will not have much effect on hotel staff or other likely threats. Attendees wishing to have private meetings will be set up with private meeting rooms that do not have employee entrances and are locked before and after meetings. The rooms will not be swept for listening devices, and attendees will be warned about this as a possible (but unlikely) exploit. Unauthorized people will not be permitted within a perimeter area of these meeting rooms so as to limit listening effectiveness, and the rooms will be searched before and after meetings to remove any residual content, find lost briefcases and similar items, prevent listening devices from being left behind, and reset the room setup for the next meeting.
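The paragraph above pairs MAC-address authorization at the access point with monitoring of LAN access. The following Python script is an added example, not part of the original column, of what that monitoring can look like on the network side: it checks access-point association logs against the registration list, reporting (1) addresses that were never registered and (2) a registered address associating on two different access points within a short window, which is a lead that the address has been copied onto a second machine (MAC-based access control alone cannot tell the two apart). The log format, the access-point names, the MAC addresses, the attendee names and the 5-minute window are constructed assumptions; the window must be tuned to the venue's AP layout, and a genuine roam between nearby APs is the expected false positive, so hits are for the security staff to check rather than grounds for an automatic block.

```python
"""Check wireless access-point association logs against the attendee registration list.

Added example; not the column's own procedure. Everything below (log format,
addresses, names, window) is constructed sample data and assumptions.
"""
import re
from datetime import datetime, timedelta
from typing import Dict, Iterable, List, Tuple

# Registration-desk output (constructed): MAC address -> registered attendee.
REGISTERED: Dict[str, str] = {
    "00:11:22:33:44:55": "Dana Reyes (Client Co)",
    "00:11:22:33:44:66": "Sam Lee (Regional office)",
}

# Constructed association log in an assumed format:
#   "<ISO time> ap=<access point> assoc mac=<address>"
SAMPLE_LOG = """\
2024-06-03T09:00:10 ap=ballroom-1 assoc mac=00:11:22:33:44:55
2024-06-03T09:00:12 ap=ballroom-1 assoc mac=AA:BB:CC:DD:EE:FF
2024-06-03T09:01:30 ap=lobby-2 assoc mac=00:11:22:33:44:55
2024-06-03T09:30:00 ap=lobby-2 assoc mac=00:11:22:33:44:66
"""

LINE_RE = re.compile(r"^(\S+) ap=(\S+) assoc mac=([0-9A-Fa-f:]{17})$")

# Assumption: two associations on different APs closer together than this are
# worth a look. Tune to the venue; a fast roam is the expected false positive.
CLONE_WINDOW = timedelta(minutes=5)

Event = Tuple[datetime, str, str]  # (time, access point, lower-cased MAC)


def parse(lines: Iterable[str]) -> List[Event]:
    """Parse log lines into (time, ap, mac) events, skipping lines that do not match."""
    events: List[Event] = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            events.append((datetime.fromisoformat(m.group(1)), m.group(2), m.group(3).lower()))
    return events


def unregistered(events: Iterable[Event]) -> List[str]:
    """Addresses that associated but were never registered at the desk."""
    return sorted({mac for _, _, mac in events if mac not in REGISTERED})


def possible_clones(events: Iterable[Event], window: timedelta = CLONE_WINDOW) -> List[Tuple[str, str, str, str]]:
    """Registered addresses seen on two different APs within `window`.

    Returns (mac, attendee, previous ap, current ap) for each suspicious pair.
    """
    last_seen: Dict[str, Tuple[datetime, str]] = {}
    alerts = []
    for t, ap, mac in sorted(events):
        if mac in REGISTERED and mac in last_seen:
            prev_t, prev_ap = last_seen[mac]
            if prev_ap != ap and t - prev_t <= window:
                alerts.append((mac, REGISTERED[mac], prev_ap, ap))
        last_seen[mac] = (t, ap)
    return alerts


def report(log_text: str = SAMPLE_LOG) -> Dict[str, list]:
    """Run both checks over a log and return the findings keyed by check name."""
    events = parse(log_text.splitlines())
    return {"unregistered": unregistered(events), "possible_clones": possible_clones(events)}


if __name__ == "__main__":
    for check, hits in report().items():
        print(check)
        for hit in hits:
            print("  ", hit)
```

On the constructed log, the unregistered check reports the one address that never went through the registration desk, and the clone check reports Dana Reyes's address appearing in the ballroom and then the lobby 80 seconds later; whether that is a walk between rooms or a copied address is for the added security staff to resolve at the desk.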
A check room will be provided for relatively secure storage of client and employee briefcases, computers, and similar valuables. This will be supervised at all times when valuables are present, and no liability will be identified with its use. All of this will appear to be excellent service and highly polite and efficient behavior by support staff.
The second threat will be dealt with through training and awareness for employees on the nature of the situation and how it can be effectively managed. Team members will be given encrypted tunnel software to use company internal systems from the conference and will have pre-configured firewalls on their systems to ensure that they are not easily compromised. Only company computers will be used by employees at the conference, and these will be prepared by IT staff as part of the conference setup. Added network and physical security personnel will be used during the meetings, with a trusted and bonded private investigative firm supplying this support. Employees will use the guarded storage area to place their equipment, computers, briefcases, etc. when they wish to go without them, and this room will be protected exclusively by the private detective agency.
It seems prudent to publish the open information in paper form and perhaps on CD before and for the conference. This has the dual purpose of assuring its integrity during the conference and providing a pleasant and informative experience to the attendees. For the attendee lists, it will be helpful to add in a set of fake attendees with contact information that can be used to detect the exploitation of the lists and identify who is doing it and for what purpose. This is commonly done by mailing list companies to detect multiple list uses, and by conference companies to detect such exploitations.
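The fake attendees described above are canary entries: each copy of the list that leaves the company's hands carries its own fake contacts, so that when one of those contacts is used, the contact alone says which copy was exploited and the sender says by whom. The following Python script is an added example of that bookkeeping, not code from the original column. The canary domain, the attendee names, the copy identifiers and the mail log format are constructed assumptions; in practice the canary mailboxes would live on a domain the company controls and the log lines would come from its mail server.

```python
"""Seed attendee-list copies with canary entries and attribute misuse back to a copy.

Added example; not code from the original column. The domain, names, copy ids
and mail log lines are constructed sample data.
"""
import re
import secrets
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Tuple

CANARY_DOMAIN = "example.com"  # assumption: a domain whose mailboxes the company controls


@dataclass(frozen=True)
class Attendee:
    name: str
    email: str
    organisation: str


class CanaryRegistry:
    """Maps each canary mailbox back to the list copy it was planted in."""

    def __init__(self) -> None:
        self._copy_by_email: Dict[str, str] = {}

    def seed(self, copy_id: str, real: Iterable[Attendee], fake_names: Iterable[str]) -> List[Attendee]:
        """Return a copy of the list with fake attendees mixed in, recording them first."""
        seeded = list(real)
        for name in fake_names:
            # A random tag per copy: two copies never share a mailbox, and a reader
            # cannot pick the canaries out by a sequential pattern in the addresses.
            local = name.lower().replace(" ", ".") + "." + secrets.token_hex(3)
            email = f"{local}@{CANARY_DOMAIN}"
            self._copy_by_email[email] = copy_id
            seeded.append(Attendee(name, email, "Conference guest"))
        secrets.SystemRandom().shuffle(seeded)  # do not cluster the canaries at the end
        return seeded

    def attribute(self, recipient: str) -> Optional[str]:
        """The list copy a recipient address belongs to, or None if it is not a canary."""
        return self._copy_by_email.get(recipient.strip().lower())

    def scan_mail_log(self, lines: Iterable[str]) -> List[Tuple[str, str, str]]:
        """Return (copy_id, sender, recipient) for every delivery to a canary mailbox.

        Assumed log format (constructed): '<time> from=<addr> to=<addr> ...'.
        """
        hits = []
        for line in lines:
            m = re.search(r"from=(\S+)\s+to=(\S+)", line)
            if not m:
                continue
            sender, recipient = m.group(1), m.group(2)
            copy_id = self.attribute(recipient)
            if copy_id is not None:
                hits.append((copy_id, sender, recipient))
        return hits


def demo() -> List[Tuple[str, str, str]]:
    """Build two list copies and simulate one of them being exploited (all data constructed)."""
    reg = CanaryRegistry()
    real = [Attendee("Dana Reyes", "dana.reyes@client.example", "Client Co")]
    sponsor_copy = reg.seed("sponsor-pack", real, ["Alice Morgan", "Ben Okafor"])
    reg.seed("hotel-desk", real, ["Alice Morgan", "Ben Okafor"])
    # Same fake names in both copies, but different mailboxes, so the copy is identifiable.
    leaked = next(a for a in sponsor_copy if a.name == "Alice Morgan")
    log = [
        f"2024-06-03T09:12:44 from=offers@competitor.example to={leaked.email} subject=Exclusive",
        "2024-06-03T09:13:01 from=dana.reyes@client.example to=host@company.example subject=Thanks",
    ]
    return reg.scan_mail_log(log)


if __name__ == "__main__":
    for copy_id, sender, recipient in demo():
        print(f"list copy '{copy_id}' was used by {sender} (mail to {recipient})")
```

Using the same fake names in every copy is deliberate: the names look consistent to anyone comparing copies, while the contact details differ, and the registry rather than the name does the attribution.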
This example shows, in a simplistic way, how operations security can be applied in a reasonable and cost-effective fashion to an event such as a company conference. For attendees, it is low-profile protection cloaked as excellent service. For employees, it is increased awareness and support for their valuable work. For the threats, it is a formidable barrier against the worst things they are likely to be able to do.
This OpSec assessment is a simplistic example, but hopefully it gives a sense of how the principles of operations security can be applied to a corporate setting in a reasonable manner and with positive impacts on both security and the perception of professionalism.
About The Author:
Fred Cohen is helping clients meet their information protection needs at Fred Cohen & Associates and Security Posture and doing research and education as a Research Professor in the University of New Haven's Forensic Sciences Program. He can be reached by sending email to fred at all.net or visiting http://all.net/