What is operational security?
Operational security refers to the habits and behavior you perform to enforce good security. It is a procedure of risk management. This encourages people to view security in order to protect sensitive information. OPSEC was originally was a military strategy which then was opted by the private sector as well.
The 8 rules of operational security
Keep your mouth shut
This means never revealing your operational details. What kind of operating system you use, kind of network at your private space, etc should not be revealed. For example, if you complain a friend who is also an employee that tor is slow. This implies that you are revealing your operational details. If you don’t say it, you don’t need to encrypt your sensitive information.
Trust no one
Use the zero-trust model, or assume that everything or everyone cannot be trusted. Operate from this perspective by mitigating the risks through security controls and distributing trust. Information should be given out on a need to know basis only. The smaller groups of co-conspirators, the better you are.
Never contaminate identities
Never share anything between aliases. For example, email addresses, IP addresses, operating system information, etc. You shouldn’t even have the same passwords among both identities. Contaminating identities refers to using cross identities for the same purposes. For example, using the same tor identity to post something on your personal identity social media network. Don’t go on your personal email or Facebook while on tor as your personal identity. This might result in your adversary finding your original identity by tracing back your original IP address on clear-net. Always use aliases, separated through isolation and compartmentalization domains.
Be uninteresting
When using technology, always use techniques like steganography. This results in concealing the user’s security controls. Always be under the radar. For example, don’t be always on hacker forums, don’t always be on political forums. Also, don’t maintain accounts if at all possible. If you want to post on hacker forums, keep your identity anonymized. Don’t attract the attention of a well-resourced adversary whenever possible. This could shine a light on you for further investigation. Establish an average or believable identity. Don’t do anything longer than expected. The longer you do something, the more lightly it could be co-related.
Be paranoid now
If You Have An Active Adversary And You Know It, You Should Be Paranoid. Spend Time To Think Of All The Perspectives From The Angle Of Your Adversary. They Will Always Try The Simplest Way Of Catching You, So Always Cover It First. Be Aware At All Times To Plan To Mitigate Your Risks. Use Fail-Safe Or Fail Close Technology Like A VPN Kill Switch. If Something Fails, It Should Fail In Way That It Should Protect You. Disable Or Remove Wireless, Blue-Tooth, Webcams, Etc. Don’t Use Wireless Keyboards Or Wireless Earphones And Mikes. If You Are Going To Talk Something Sensitive, Keep Your Phone Switched Off. If Using Someone Else Wireless Connection, Maintain Same Security And Anonymity Posture. Never Use Your Device’s Screens Unlocked Or In Standby Mode When Not In Use.
Know your limitations
Operate at the level of your abilities. If you don’t understand completely what you are about to do, then don’t do it. The lack of knowledge would get you caught. Keep your technology simplest as possible to avoid complexity. Physical security domains can be simpler. For example, you can preferably have a separate USB stick with tails installed on it.
Minimize information
No logs equal no security breach. Keep off logging into anything if possible. Keep operational information that you need only. For example, browser history is not required. Better to not leave it, and if on purpose if you want to leave it, better leave it encrypted. Minimize what people can find, even if it is protected.
Protect your assets
Don’t send data without end to end encryption. Use security control processes, tools, etc to maintain your security, privacy, and anonymity. Based on your level of risk acceptance, use your adversary in the consequences.