OPSEC (1): Introduction to Operational Security
Welcome to the first chapter of what will be a series dedicated to Operational Security, one of the topics I’m most passionate about. Let’s start from the beginning: what does this term refer to?
What is OPSEC
Operational Security is the process of identifying and protecting critical information that may be targeted by an adversary. The goal is to prevent sensitive information from getting into the wrong hands.
Let's face it, this definition sounds straight out of a military manual, not exactly what you'd use in everyday convo. But here's the deal: an adversary is basically anyone or anything that poses a threat to you, your possessions, your rights or something you're trying to protect. Simple as that.
When we’re talking about OPSEC for individuals, we're focusing on personal-level security, not the big organization-level procedures and measures. It’s all about your privacy and anonymity. It’s about keeping your personal info under wraps so you’re not an easy target for scammers, corporations, or even government mass surveillance.
"Privacy is a fundamental human right, essential to the exercise of freedom and democracy." — Ban Ki-moon
Importance of OPSEC
Bad OPSEC could lead to suspects discovering an investigator's identity, compromising ongoing investigations, or putting a target on their back. It could result in companies fingerprinting you and selling your data, or in impersonation attacks if you are a VP…
I could write an endless list of “why’s” and get philosophical (or conspiratorial) about it, but I think you get the point. OPSEC is mainly about protecting your privacy and anonymity, which is crucial no matter who you are or what you do.
You may think, what is even the point of caring about this now if my data is already exposed and the internet never forgets, right? Even if that’s true, we are still able to delete part of our digital footprint, and especially to obfuscate it. Our goal should be to minimize an adversary's chance of finding and/or exploiting our real information. Hitting a target 5cm tall from 500 meters away is much harder than hitting one 2m tall. Apply this same logic to your OPSEC.
Levels of OPSEC for Levels of Threats
OPSEC needs to be tailored to the level of threat an individual or organization faces. Here is a general overview of the primary levels, but take it just as an example; we will cover these measures separately in later chapters.
Low-Level Threats
For casual internet users or hobbyist OSINT practitioners, basic digital hygiene, such as using strong, unique passwords and enabling two-factor authentication, is essential. Adjust social media privacy settings to limit what is publicly visible, and always be mindful of what information you share online.
Medium-Level Threats
Professional OSINT practitioners, journalists, or activists need more robust measures. Use encrypted communication tools like Signal or Tutanota, and regularly use a reputable VPN to mask your IP address. Keep your devices updated. Separate personal and professional online identities and devices to avoid cross-contamination of information or identities.
High-Level Threats
Individuals investigating organized crime or state actors, or those living in hostile environments, require advanced encryption tools like PGP for email encryption and anonymous browsing tools like Tor. Use dedicated, encrypted hardware for sensitive investigations and isolated systems like Tails; regularly update your threat model and adjust your OPSEC measures accordingly. Implement physical security measures, such as secure office locations and personal safety protocols.
If you are low or medium level, I still suggest stepping up your game to the highest level you possibly can. The “bad guys” are not only the ones sending you phishing emails or blackmailing you with fake pictures of you. Big Tech companies and government entities can also become adversaries for the normal citizen. Don’t underestimate their ability to collect, analyze, and potentially misuse your data. Trust me when I say you may not see it today, but mass surveillance and control will become a real problem in the near future; initiatives like CBDC (Central Bank Digital Currency) show that.
What is Required to Have Good OPSEC
Sit down for a minute, and think about this: “If someone wanted to pose a threat to me or anything I care to protect, could they do it, and how?”
When asking yourself this question, what you are doing is creating your own Threat Model, based on your own needs, on who you are and on what you are trying to protect. You will identify who could be your adversary, which information or attack vectors your adversary might exploit or is capable of exploiting, and then find a way to mitigate and/or prevent it from happening.
The next chapter will be dedicated to creating this Threat Model.
Important OPSEC rules
Let’s end with some important rules to always keep in mind when dealing with Operational Security:
OPSEC is mainly about prevention, not reaction. You lock your house every day even if it’s never been robbed, and that’s probably the reason why it hasn’t been. Always be proactive.
In the current era, there is no such thing as 100% anonymity or 100% security, so don’t get obsessed about it.
OPSEC can seem overwhelming at first. Start by taking small steps toward achieving the level of privacy appropriate for you. As Michael Bazzell says, Privacy is a marathon, not a sprint.
Things will change, now quicker than ever. Be ready to adapt your strategies.
There is almost nothing free in this world. “Free PDF converter”, “Accept cookies and read for free”, “Cheap Chinese smart light bulb”… remember, you are always paying, maybe with your data or even with the chance of being infected. Zero trust always: develop your own things, pay for quality, or support open source projects.
Use encryption, for your disks, for your sensitive data, for your communications.
Always backup important information. And please, don’t back up your devices on third party clouds…
Enable two-factor authentication (2FA) whenever possible.
And last, stop oversharing. The world doesn’t need to know who your family is, where you were last week, or who you plan to vote for. Remember, the internet never forgets.