OPSEC can apply to just about everything: family, home, business, work place, and, of course governments
and especially the military. However, OPSEC does not have to apply only to government and
military operations.
Whether they realize it or not, most people practice some sort of OPSEC in their private lives.
For example, when you choose not to divulge your social security number, phone number, or address to
someone who may inquire, you are practicing OPSEC in protecting your identity. If you notice
someone following you as you are walking home, do you go straight home and close and lock the door, or do
you detour to where there are a lot of people and perhaps a police officer and lose the individual before
proceeding home? If you do the latter, you are practicing OPSEC. You do not
want to show a potential crook where you live. Just as an animal never leads a predator back
to the nest or den, you should never lead a potential predator to your home or access to your private
information. This is one form of OPSEC.
As illustrated above, OPSEC can be applied at the personal level or it can be applied at the corporate level.
OPSEC at the personal level.
Using OPSEC to protect yourself, your family, your home, or your business.
Recently with all the emphasis and media attention on terrorism, identity theft, and protection of personal
information general awareness over OPSEC is higher amongst the public than it has ever been.
Nevertheless, one must take an active role to ensure that information does not fall into the wrong hands
that can leave you and your family members vulnerable. This is becoming an increasingly
difficult challenge with the Internet and all the information available on a global basis.
On-line phone directories, maps, satellite imagery, people searches, etc. readily provides very specific
information quickly, conveniently, and most of the time at no cost. It also provides the
information to anyone, anywhere, at anytime with no means to identify those who are inquiring.
OPSEC at the corporate level.
Any entity (personal as well as organizational) has what are known in the security world as essential elements
of friendly information (EEFI's). This is information that is not necessarily protected as
sensitive or confidential, although some information would be sensitive, but should not be made public.
Some EEFI's are available through simple observation, some via more sophisticated surveillance, some via
journals or magazines, the Internet, extracted via phone inquiries, etc.
At the corporate level, examples of a few EEFI's that may be of interest to a competitor in the business
world are as follows:
Personal weaknesses that can be exploited, such as indebtedness or drug dependency.
Company strength and adequacy of manning.
Information on code words and nicknames that tend to reveal projects or products or sensitive meanings or
that can be associated with specific locations, products, or special projects.
Shortages or deficiencies in equipment or personnel that impair operational capability.
Information that tends to confirm or deny public reports regarding business matters.
Future year financial plans and operating budgets, as well as any budgetary restraints projected or envisioned.
Percentage and numbers of resources expended in support of various project areas.
Employee experience levels.
Access of individuals, especially those working with special projects and products.
There are different methods and levels of obtaining information.
One of the easiest and most common is through human sources: befriending someone who works within the
target company and extracting information through social engineering.
Other ways include monitoring of phones and/or e-mail. This is much easier than what most people think.
Photography.
Open source information is the least intrusive. It is the gathering of information that is readily
available through the Internet, news media, libraries, etc.
On the average, about 90% of information about a particular target can be obtained through open sources.
You must know the threat. Are you or your business a target?
You must know your vulnerabilities. To know your vulnerabilities, you must know your EEFI's.
You must know what you need to protect -- what does your adversary need to know?
Know who your adversary is and what is their reality ? what are their challenges? You must
think outside the box ? put yourself in your adversary's position.
Given all this, one may ask, "So, how do I protect myself?"
That is what OPSEC Services.Com is for... E-mail: opsecservices.com.