9 tips for ensuring operations security in your organization

April 6, 2022
Operations security protects individual pieces of data that could be grouped together to give a more detailed risk picture

One of the best ways to ensure your organization is protected from outside threats is to look at everything through the eyes of an adversary and then deny that adversary the ability to act. This is often referred to as operations security, or OPSEC. Also known as procedural security, operations security is a risk management process by which we protect critical information, whether classified or unclassified, that could be used against us.

In a more general sense, operations security is the process that protects individual pieces of data that could be grouped together to give an adversary the bigger picture. It covers the protection of critical information that senior leaders, management, or other decision-making bodies have deemed mission-essential. The process results in the development of countermeasures, both technical and non-technical, such as using email encryption software, taking precautions against eavesdropping, checking what the pictures you share actually reveal (locations, badges, screens, whiteboards), and not talking openly on social media sites about information that relates to you or the organization you work for.

To help you improve your organization's operations security, consider the following tips:

1. Implement malicious and mobile code protection. Detection, prevention, and recovery controls should be implemented to protect against malicious software (malware). Mobile code (scripts, macros, plug-ins, and other code delivered to an endpoint and executed there) should be authorized before installation and use, and an approved configuration should ensure that authorized mobile code operates only as intended. Security technologies should support the timely installation and upgrading of preventive measures, including the installation and regular or automatic updating of anti-virus, anti-spam, and anti-spyware software; signature definition files should be updated whenever new updates are made available. Periodic reviews and scans of all installed software should be required in order to identify and, where possible, remove any unauthorized software or code.

2. Provide backups of information and configuration. Backup copies of information, software, and system configurations should be made at appropriate, recurring intervals. Backups should be tested regularly, by actually restoring them, to ensure their fitness for use in accordance with an agreed-upon backup restoration process. It does not matter how many backups you have if they cannot be used to recover the data they contain. At least one copy should be kept offline or otherwise isolated from production so that whatever destroys the primary systems cannot also destroy the backups. Backups may be the only option your organization has to recover after a system failure, hard drive failure, or database corruption.

3. Ensure technical vulnerability management. Vulnerability scans of all information systems, including all infrastructure devices, should be performed at least monthly. Scans should also be performed when new vulnerabilities with potentially immediate impact (e.g., "zero-day" vulnerabilities) are identified or reported. This does not mean all systems need to be scanned at the same time; in fact, scanning all assets at once could degrade the performance of your networks. Vulnerability management depends on an accurate asset inventory: the software vendor, the version number, and the current state of deployment (i.e., which software is installed on which systems). The personnel within your organization who are responsible for each piece of software should also be defined.

4. Conduct regular audit logging. Audit logs should be generated that record user activities, exceptions, and security events. Auditable event types should be specified, along with the frequency of, or the situation requiring, auditing for each identified event. Systems that process protected or otherwise sensitive information should create a secure audit record each time a user accesses, creates, updates, or archives sensitive or protected information. Systems that store logs should have adequate storage space for the logs that are generated. Audit records should be reviewed and analyzed at an organization-defined frequency for indications of inappropriate or unusual activity, such as repeated denied access to protected records or access outside normal working hours. Any findings from these reviews should be reported to appropriate security personnel.
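The review step in this tip is easiest to see with records in hand. The following is an added example, not code from the article or from ASCENT Portal: it parses a small set of constructed audit records and runs two simple checks, repeated denied access to protected records and access outside business hours. The record format, the business-hours window, and the denial threshold are assumptions for the example.

```python
"""Added example: review constructed audit records for repeated denied
access to protected records and for access outside business hours.
Thresholds, hours and the record format are assumptions."""
from collections import defaultdict
from datetime import datetime, time

# Constructed sample records (not from any real system):
# <ISO timestamp> <user> <action> <record id> <outcome>
SAMPLE_AUDIT_LOG = """\
2022-04-06T09:12:03 alice READ patient/1042 SUCCESS
2022-04-06T09:12:40 alice UPDATE patient/1042 SUCCESS
2022-04-06T02:17:11 bob READ patient/2210 SUCCESS
2022-04-06T10:03:01 carol READ patient/3301 DENIED
2022-04-06T10:03:09 carol READ patient/3302 DENIED
2022-04-06T10:03:15 carol READ patient/3303 DENIED
2022-04-06T10:03:22 carol READ patient/3304 DENIED
2022-04-06T11:45:00 dave ARCHIVE patient/0007 SUCCESS
"""

BUSINESS_HOURS = (time(8, 0), time(18, 0))  # assumed organization-defined window
DENIAL_THRESHOLD = 3                        # assumed organization-defined threshold


def parse_records(text):
    """Parse the whitespace-separated record format above into dicts."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, action, target, outcome = line.split()
        records.append({
            "ts": datetime.fromisoformat(ts),
            "user": user,
            "action": action,
            "target": target,
            "outcome": outcome,
        })
    return records


def find_repeated_denials(records, threshold=DENIAL_THRESHOLD):
    """Users whose denied accesses reach the threshold (possible probing)."""
    denials = defaultdict(int)
    for r in records:
        if r["outcome"] == "DENIED":
            denials[r["user"]] += 1
    return {user: n for user, n in denials.items() if n >= threshold}


def find_off_hours_access(records, hours=BUSINESS_HOURS):
    """Records whose timestamp falls outside the business-hours window."""
    start, end = hours
    return [r for r in records if not (start <= r["ts"].time() < end)]


def review(text):
    """Run both checks and return human-readable findings for security staff."""
    records = parse_records(text)
    findings = []
    for user, n in sorted(find_repeated_denials(records).items()):
        findings.append(f"{user}: {n} denied accesses to protected records")
    for r in find_off_hours_access(records):
        findings.append(
            f"{r['user']}: {r['action']} {r['target']} at "
            f"{r['ts'].isoformat()} is outside business hours"
        )
    return findings


if __name__ == "__main__":
    for finding in review(SAMPLE_AUDIT_LOG):
        print("FINDING:", finding)
```

On the sample data the review reports carol's four denied reads and bob's 02:17 access. In practice the same two checks run over the real audit store on the organization-defined schedule, and each finding is routed to security personnel as the tip requires.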

5. Protect logging information. Access to auditing tools and audit logs should be limited to those with a job-related need, to help preserve the confidentiality of the logs. Logging systems, as well as the audit log information itself, should be protected against tampering and unauthorized access to preserve the integrity of the audit record, for example by forwarding records to a separate, write-restricted log collector so that an attacker who compromises a host cannot quietly edit its history. Both authorized and unauthorized access attempts to auditing tools and audit log information should be recorded. Security and IT personnel should receive automated alerts in the event of a failed access attempt to logging systems or upon an audit log processing failure.
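One concrete way to make audit log tampering detectable is a hash chain: every entry carries a keyed hash (HMAC) over its own content and the previous entry's tag, so editing, deleting, or reordering an entry breaks the chain at that point. The code below is an added example, not part of the article; the key is a placeholder, and the records are constructed.

```python
"""Added example: a hash-chained audit log. Each entry's tag is an HMAC over
the previous tag and the entry's content, so any edit, deletion or
reordering breaks verification. The key is a placeholder; in practice it
is held only by the log collector, not by the hosts emitting records."""
import copy
import hashlib
import hmac
import json

CHAIN_KEY = b"constructed-demo-key-replace-me"  # assumption: collector-only secret
GENESIS_TAG = "0" * 64


def _tag(prev_tag, record, key):
    """HMAC-SHA256 over the previous tag plus a canonical JSON encoding."""
    body = json.dumps(record, sort_keys=True, separators=(",", ":"))
    return hmac.new(key, (prev_tag + body).encode(), hashlib.sha256).hexdigest()


def append_record(chain, record, key=CHAIN_KEY):
    """Append a record, linking it to the previous entry's tag."""
    prev_tag = chain[-1]["tag"] if chain else GENESIS_TAG
    chain.append({"record": record, "tag": _tag(prev_tag, record, key)})
    return chain


def verify_chain(chain, key=CHAIN_KEY):
    """Return the index of the first entry that fails verification, or None."""
    prev_tag = GENESIS_TAG
    for i, entry in enumerate(chain):
        expected = _tag(prev_tag, entry["record"], key)
        if not hmac.compare_digest(expected, entry["tag"]):
            return i
        prev_tag = entry["tag"]
    return None


def build_sample_chain():
    """Constructed records of access to the logging tools themselves."""
    chain = []
    for rec in [
        {"ts": "2022-04-06T08:00:01", "user": "logadmin", "event": "login", "result": "ok"},
        {"ts": "2022-04-06T08:05:12", "user": "mallory", "event": "login", "result": "fail"},
        {"ts": "2022-04-06T08:05:30", "user": "mallory", "event": "login", "result": "fail"},
        {"ts": "2022-04-06T08:06:02", "user": "logadmin", "event": "export", "result": "ok"},
    ]:
        append_record(chain, rec)
    return chain


def edited_copy(chain, index, field, value):
    """Simulate an attacker rewriting one field of one entry."""
    bad = copy.deepcopy(chain)
    bad[index]["record"][field] = value
    return bad


def deleted_copy(chain, index):
    """Simulate an attacker removing one entry."""
    return chain[:index] + chain[index + 1:]


if __name__ == "__main__":
    chain = build_sample_chain()
    print("intact chain:", verify_chain(chain))
    print("entry 1 edited:", verify_chain(edited_copy(chain, 1, "result", "ok")))
    print("entry 1 deleted:", verify_chain(deleted_copy(chain, 1)))
    print("last entry deleted:", verify_chain(deleted_copy(chain, 3)))
```

Rewriting mallory's failed login as a success, or deleting it, is caught at index 1. The last case shows the limitation a practitioner must plan for: truncating the tail of the chain is not detectable from the chain alone, so the latest tag should be periodically anchored somewhere the log host cannot reach (the collector, a signed checkpoint, or a separate record store).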

6. Perform flaw remediation and fault logging. System flaws should be identified, reported, and corrected in a timely manner. Software and firmware updates related to flaw remediation should be tested for effectiveness and for potential operational side effects before being deployed to your organization's production environment. Automated mechanisms should be used to determine the operational state of system components wherever possible. Fault logs and the corrective measures taken for them should be reviewed to ensure that security controls have not been compromised as a result of a system flaw or fault. Detection of any unauthorized change to software, firmware, or information systems should be coordinated with your organization's incident response capability.
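Detecting unauthorized changes to installed software usually starts with a hashed baseline of the files that should not change, compared on a schedule against what is actually on disk. The following is an added example, not code from the article: it builds a constructed install tree in a temporary directory, records a baseline, simulates three unauthorized changes, and reports them. Directory layout and file contents are made up for the demonstration.

```python
"""Added example: detect unauthorized changes to installed software by
comparing a directory tree against a SHA-256 baseline. The tree and the
simulated changes are constructed in a temporary directory."""
import hashlib
import pathlib
import tempfile


def hash_file(path):
    """SHA-256 of a file, read in chunks so large binaries do not fill memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(root):
    """Map every regular file under root (relative POSIX path) to its hash."""
    root = pathlib.Path(root)
    return {
        p.relative_to(root).as_posix(): hash_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def compare_to_baseline(root, baseline):
    """Classify files as added, removed or modified relative to the baseline."""
    current = build_baseline(root)
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(
            p for p in current.keys() & baseline.keys() if current[p] != baseline[p]
        ),
    }


def demo():
    """Build a constructed install tree, baseline it, then simulate changes."""
    with tempfile.TemporaryDirectory() as tmp:
        root = pathlib.Path(tmp)
        (root / "bin").mkdir()
        (root / "bin" / "app").write_bytes(b"original application binary")
        (root / "etc").mkdir()
        (root / "etc" / "app.conf").write_text("debug=false\n")
        (root / "etc" / "legacy.conf").write_text("enabled=false\n")

        baseline = build_baseline(root)

        # Simulated unauthorized changes made after the baseline was taken:
        # a replaced binary, a dropped library, and a deleted config file.
        (root / "bin" / "app").write_bytes(b"modified application binary")
        (root / "bin" / "helper.so").write_bytes(b"dropped library")
        (root / "etc" / "legacy.conf").unlink()

        return compare_to_baseline(root, baseline)


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

Two operational points follow from this: the baseline must be stored (or signed) somewhere the monitored host cannot rewrite, otherwise an attacker simply re-baselines after the change; and every authorized update must refresh the baseline through the same change process, so that a reported modification always means something outside that process touched the system and can be handed to incident response.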

7. Continuously manage and monitor security controls. Your organization should ensure that its technical security solutions are continually managed to maintain the security protection and operational resilience of information systems, including critical applications and infrastructure devices. Information systems should be monitored to detect attacks and indicators of potential attacks in accordance with organization-defined monitoring objectives. Your systems should be monitored to detect unauthorized local, network, and remote connections. Any identified anomalous activity should be investigated so that the potential impact of detected events is understood.

8. Perform regular penetration testing. A documented process should be implemented for penetration testing that defines how the full scope of testing, including blended attacks, will be performed for your organization. This process should cover network infrastructure, wireless access points, information systems, and web application attacks. External and internal penetration tests should be conducted at least annually to identify vulnerabilities and attack vectors that could be used to exploit your information systems. Any finding identified during testing should be remediated as soon as practical, prioritized by the criticality of the finding.

9. Utilize boundary defense solutions. Boundary defense solutions can protect your organization from the infiltration or exfiltration of data by bad actors. Boundary defense controls should also be used to protect against sabotage, espionage, and data leakage, along with other insider threats. Communications with known malicious or unused Internet IP addresses should be denied. Access should be limited to only trusted and necessary IP address ranges at each network boundary, and the deny rules should be evaluated before the allow rules so that a malicious host inside an otherwise trusted range is still blocked. Encrypted network traffic should be decrypted at the boundary proxy prior to analyzing its content. Allowlists (whitelists) of sites that may be accessed through the proxy without decryption can be used where appropriate. Note that decrypting at the boundary means the proxy terminates TLS and re-signs it with an internal certificate authority that your endpoints must trust; applications that pin certificates will break, and privacy or legal constraints may require exempting some categories of traffic, so keep the bypass allowlist deliberate and short.
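The rules in this tip have an order that matters, and it is worth seeing them applied to concrete connections. The evaluator below is an added example, not code from the article or from any product: it denies known-malicious and unused ranges first, allows only trusted ranges, and then decides whether the proxy decrypts the session based on an allowlist of server names. All ranges are taken from documentation and reserved address space (RFC 5737, RFC 2544, RFC 6598) and the hostnames are constructed; nothing here is a real threat feed or a real partner.

```python
"""Added example: a boundary policy evaluator for outbound connections.
Deny rules (known-malicious, unused/reserved) run before the trusted-range
allow rule, and the decrypt/bypass decision runs last. All ranges and
hostnames are constructed from documentation and reserved address space."""
import ipaddress


def _networks(cidrs):
    return [ipaddress.ip_network(c) for c in cidrs]


# Assumed threat-intelligence entry: one compromised host inside a partner's range.
KNOWN_MALICIOUS = _networks(["203.0.113.7/32"])
# Ranges that should never appear as Internet destinations (bogon-style).
UNUSED_ON_INTERNET = _networks(
    ["0.0.0.0/8", "100.64.0.0/10", "198.18.0.0/15", "240.0.0.0/4"]
)
# Assumed trusted peers (partners, SaaS providers) permitted at the boundary.
TRUSTED_RANGES = _networks(["192.0.2.0/24", "198.51.100.0/24", "203.0.113.0/24"])
# Assumed allowlist of sites the proxy passes through without decryption.
DECRYPT_BYPASS = {"health-portal.example.net"}


def evaluate_outbound(dst_ip, server_name=None):
    """Return (verdict, reason) for one outbound connection.

    Deny checks come first so a malicious host inside a trusted range is
    still blocked; anything not explicitly trusted is denied by default.
    """
    ip = ipaddress.ip_address(dst_ip)
    for net in KNOWN_MALICIOUS:
        if ip in net:
            return "deny", f"known-malicious range {net}"
    for net in UNUSED_ON_INTERNET:
        if ip in net:
            return "deny", f"unused/reserved range {net}"
    if not any(ip in net for net in TRUSTED_RANGES):
        return "deny", "destination not in a trusted range"
    if server_name in DECRYPT_BYPASS:
        return "allow", "pass through without decryption (allowlisted site)"
    return "allow", "decrypt and inspect at boundary proxy"


# Constructed connections to evaluate; the IPv6 one is documentation space.
SAMPLE_CONNECTIONS = [
    ("203.0.113.7", "partner.example.com"),        # bad host inside trusted /24
    ("203.0.113.20", "partner.example.com"),       # clean host, same partner
    ("198.18.0.1", None),                          # reserved, should never be seen
    ("192.0.2.10", "health-portal.example.net"),   # allowlisted, not decrypted
    ("2001:db8::1", "unknown.example.org"),        # not trusted, default deny
]


def evaluate_all(connections=SAMPLE_CONNECTIONS):
    """Evaluate every sample connection and return the decisions."""
    return [(ip, host, *evaluate_outbound(ip, host)) for ip, host in connections]


if __name__ == "__main__":
    for ip, host, verdict, reason in evaluate_all():
        print(f"{ip:<16} {host or '-':<28} {verdict:<5} {reason}")
```

The first two sample connections make the ordering point: the partner's /24 is trusted, but the single flagged host inside it is still denied because the threat-intelligence check runs first. Swapping the order of the checks would silently allow it. The same structure carries over to a real firewall or proxy rulebase, where deny rules for bad and bogon ranges sit above the trusted-range allow rules and a default deny closes the list.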

These are just a few tips to assist you and get you started. Your organization should ensure that a comprehensive Operations Security, or OPSEC, Program is developed and implemented consistently across the organization. Organizations that do not could potentially overlook a pivotal security function or leave a threat unaddressed. By developing a comprehensive Operations Security Program, supported by all organizational stakeholders, organizations can avoid key operational pitfalls for effective overall security.

About the author: Bryon Miller is co-founder and CISO at ASCENT Portal, a leading Software-as-a-Service (SaaS) platform for comprehensive security and continuous compliance management. An expert in security and compliance best practices, Miller is also the author of the book, "100 Security Program Pitfalls and Prescriptions to Avoid Them," available on Amazon.