Good OpSec vs. Bad OpSec


“Hey Boss, we’ve suffered a breach.” 

“What?!”

“Someone got all of our data and now it’s all over the internet”

Having a bad day yet? While this might sound like something coming out of a fiction piece, it’s unfortunately all too common these days[1].  Data is becoming an increasingly valuable commodity; with very little data an individual can completely assume another person’s identity online. Having enough data about a company and its strategic plans, products or customers and competitors can bankrupt them[2].

How did we get here? Before the rapid rise of the internet, information was not as easy to access. Physical files could be locked behind big, heavy steel doors with only a select few having the key. Breaking into these vaults required skills that would have made you a star in the next Mission: Impossible film.

Now computers and large arrays of disk drives have taken over those duties and allowed us unprecedented convenience and capability to store and retrieve data. This has led to an increased appetite for even more data and even greater accessibility to that data, et voilà, the modern internet, as you know it, is born.

How OpSec can help keep your data safe

So how do we keep this data safe from the would-be bad guys? That’s where cybersecurity comes into play. If you ask your sysadmin or network engineer, you’re going to hear things like “We have to use a firewall with DPI and encrypt all of our data with PGP using AES256 and put our TLD portal on a CDN to prevent DDOS and our FTP server in the DMZ has to be air-gapped from the LAN.”  Oh my goodness, acronym hell! Well, that’s all well and good for your sysadmin, but what about you, the average office employee?

Well, as it turns out, there’s plenty you can do!

One area is called Operations Security, or OpSec. OpSec is a practice whereby you look for ways that your important information could be compromised by “the bad guys” and put in place practices and processes to prevent it. For example, everyone knows not to let people tailgate through an access-controlled door, but everyone does it anyway. This is poor OpSec. Similarly, having passwords clearly visible in the background while you’re on live TV is also an example of poor OpSec[i].  Let’s look at a couple more examples:

  • Changing your password regularly – Good OpSec
  • Writing down your new password on a sticky note and pasting it on your monitor – Bad OpSec
  • Talking about your new top secret project only to those who need to know in a controlled environment (e.g. meeting room) – Good OpSec
  • Talking about your new top secret project openly in a bar after a couple of drinks – Bad OpSec

While these might seem like obvious mistakes to avoid, sometimes it’s not so easy.  One technique that someone can use to get you to divulge information is called phishing. Phishing is an attempt by someone to gain confidential information (usually usernames and passwords) by posing as a trusted source.

For example, Bob receives an email from his bank saying that there is an issue with his account and that he needs to supply his online banking username and password right away to verify his identity and avoid his account being locked.

To: John Smith john.smith@gmail.com

From: Customer Service accountlockout@customerserviceyourbank.com

Subject: Your account has been locked

Dear customer,

We notice some suspicious activity on your account and locked it. You need to supply your username and password to unlock it right away or call us at 1-555-123-1234. Click here to unlock your account: http://yourbank.com@unlockme.org

WHOA. STOP RIGHT THERE. SAY WHAT?

A person who practices bad OpSec would immediately supply his or her information and then panic once they found out that their bank account has been drained. A good OpSec practice would be to call or visit your bank (not at the number provided in the email, but from the bank’s website) and inform them that you received this email and need help to clarify if it was legitimate.

But it says I need to take action right away! I don’t want my account locked!

Phishing emails typically include a sense of urgency in order to compel individuals to act. Imagine if it said to come by at your convenience and let’s talk. You’d probably file it under a to-do and not think about it again for several days, right?

OK, so how do I spot these fakes?

Phishing emails have been getting more and more sophisticated, using logos taken directly from the organization they are trying to impersonate. However, there are some tell-tale clues that can help you.

  • They sometimes contain spelling or grammar mistakes. While not always a strong indicator, most phishing campaigns have used some dubious word choices and wouldn’t normally pass the sniff test of how a corporation communicates to its customers, such as the incorrect use of “You’re”.
  • They aren’t personalized. Phishing emails typically start with Dear Customer, or Dear Account Holder and won’t have your name in there. So the question is, why would this company not know your name if you conduct business with them?
  • Suspicious URLs. Does that URL look right to you? Little known fact: in a URL, anything between the “//” and the “@” sign is treated as a username, not as the destination, and the browser connects to whatever follows the “@”. For the person not paying attention, it looks like it’s going back to your bank’s website but in fact, it will take you to an attacker-controlled page at unlockme.org!

Oh but wait, these phishers have an even more dangerous weapon in their arsenal, and it’s called spear phishing. Spear phishing is a targeted communication where “the bad guy” has done their homework ahead of time and is impersonating someone that you know, with information on yourself that isn’t widely known.

An example would be something like this:

To: John Smith john.smith@gmail.com
From: Customer Service customer.service@yourbank.com
Subject: Suspicious activity on your account

Hi John,

This is Jane, your financial advisor.  How are you?

I’ve noticed that your chequing account (ending in 8764) has been having several suspicious withdrawals lately. In order to protect your assets, I’ve gone ahead and frozen your account until I hear from you. I’m sure everything is fine, but if you can go ahead and enter your login credentials at the link below, we can unlock your account.

Unlock your account here WWW.Y0URBANK.COM/UNLOCK_ME

Thanks and have a great day John!

-Jane

See the difference? This one is personalized; the bad guy knew you had a chequing account at YourBank and even knew the last few digits. All that was needed was to set up a fake login page (did you notice the 0 in YOUR?) on a fake domain and boom goes the dynamite! John’s account details would have been the attacker’s.
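The two link tricks above (the “@” in the first email and the “0” for “O” in the second) can both be caught mechanically. This is an added example, not code from the original post: it uses Python’s standard urllib.parse to find the host a browser would really connect to, then compares it against the bank domain the reader expects. The sample links are constructed from the post’s two emails, and yourbank.com is assumed to be the legitimate domain.

```python
from urllib.parse import urlsplit

# Constructed sample links, modelled on the two emails in the post.
SAMPLE_LINKS = [
    "http://yourbank.com@unlockme.org",   # userinfo trick
    "WWW.Y0URBANK.COM/UNLOCK_ME",          # look-alike domain (zero for O)
    "https://www.yourbank.com/login",      # genuine
]

# Digits that are commonly swapped in for look-alike letters.
LOOKALIKES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s"})


def _with_scheme(link):
    # A link without a scheme is treated as http so urlsplit puts the
    # host in netloc rather than in path.
    return link if "://" in link else "http://" + link


def effective_host(link):
    """Host the browser actually connects to (text before '@' is userinfo)."""
    return (urlsplit(_with_scheme(link)).hostname or "").lower()


def check_link(link, trusted="yourbank.com"):
    """Classify a link relative to the domain the reader expects."""
    parts = urlsplit(_with_scheme(link))
    host = effective_host(link)
    if host == trusted or host.endswith("." + trusted):
        return "ok"
    # Trusted name appears only as a username: the first email's trick.
    if parts.username and trusted in parts.username.lower():
        return "suspicious: userinfo trick"
    # Undo common digit substitutions: the second email's trick.
    folded = host.translate(LOOKALIKES)
    if folded == trusted or folded.endswith("." + trusted):
        return "suspicious: look-alike domain"
    return "suspicious: unknown host"


def classify_all(links=SAMPLE_LINKS):
    return [(link, effective_host(link), check_link(link)) for link in links]


if __name__ == "__main__":
    for link, host, verdict in classify_all():
        print(f"{verdict:32} host={host:20} link={link}")
```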

Spear phishing emails are much more difficult to detect as the bad guy has gone through a lot of trouble to do their homework and to specifically target you. However, it’s not a sure win for them. As a general rule, any time you are asked for personal information via email or the phone, don’t provide it! Validate the authenticity of the email with the person or company that it supposedly came from.

Wait… how did they find out all of this info about me?

The internet is a wonderful place to get information. You would be surprised at how much personal information is revealed through social media sites, public profiles on professional networking sites, etc.  Have you ever Googled yourself to see what results come back? It can be quite humbling to see how much of your information is out there already. People can connect you by the usernames that you probably reuse between multiple sites, IP addresses that you’ve used to log in and tiny bits of personal data that you’ve left exposed, not to mention how much information can be spilled online if a company you’ve had business dealings with is breached.

Remember that on the internet, anyone can pretend to be anybody. Therefore, it’s imperative that we practice good OpSec. Don’t trust anyone with more information than is absolutely required. Always double check your privacy and security settings to make it harder for others to get your personal data. Use passwords that are easy for you to remember (more like passphrases) but hard for others to guess. Don’t reuse passwords for multiple sites! When possible, use two-factor or multifactor authentication (MFA).

There is a saying that “a chain is only as strong as its weakest link,” and the same is true for cybersecurity.  Follow good OpSec practices and don’t get lazy, or one day you might find someone else walking around with your identity.

[1] Equifax revealed that it was breached in July 2017, exposing personal information for 143 million customers. https://investor.equifax.com/news-and-events/news/2017/09-15-2017-224018832

[2] Impairment Resources LLC filed for Chapter 7 bankruptcy protection after it was breached and lost control of the medical records of 14,000 individuals.

[i] https://www.theguardian.com/technology/2015/apr/10/tv5monde-isis-security-exposed-passwords-live-television