
Operational Security

Connecting with others is critical but it can also pose a risk. It's important not to "leak" information needlessly. This is a practice known as operational security. It's critically important...and often ignored.


Watch this episode on YouTube.

Reasonably Accurate Transcript

Good morning everybody. How's it going today? Um, it's been a little while. Um, it was a long weekend, um, then a little bit of travel back and forth. Um, but I'm back, uh, episode 93, Mornings with Mark. We're gonna talk about operational security.

Reason why I want to talk about this is, uh, I'm attending Black Hat, as you can tell by the wonderful new business hotel background. Uh, I am on the road. I'm here in Las Vegas, um, attending my first Black Hat. Actually, I've never been to Black Hat before. Um, normally I don't travel that much in August, so I always kind of stay home and look from afar, but this time, um, I came down, um, already having a great time, but on the plane down, couple things happened and it was, uh, kind of tweaked a little bit of an idea, um, for today's episode, which comes around operational security, like I said, or OPSEC.

So operational security is, um, there are technical sides to it, but there's a lot of process and people involved and it's very much, um, trying to keep, uh, information from leaking out, um, either intentionally or unintentionally. It is, um, the security of the operation itself, obviously by the name.

Um, but realistically, it's, you know, um, best summed up by the old World War Two poster, "loose lips sink ships." So, um, it's making sure that you're not giving away things needlessly. So, a good example here is on the, on the vlog.

Um and I'll describe it for you on the podcast. Uh You know, I'm sitting in a hotel room, I'm broadcasting from one of the rooms. And behind me, you can see a bit of one of the doors, a closet door, a bit of the window, but nothing significant or distinct to actually identify what room I'm in or even what hotel I'm in unless you had happened to stay here.

So there's a slight possibility that it could leak that, you know, what hotel I'm in. But I evaluate that information and know that, you know, that's not critical because I just told you I'm in Las Vegas for Black Hat. But if I was trying to keep my location, um, uh, undisclosed, then these aspects behind me, this background, um, could potentially give away information.

It's a low possibility, but if anybody had stayed in this hotel, they might recognize it and say I know what hotel that is. Um And there, I've had an unintentional leak. So, you know, to go behind, uh instead what I should have done is gone behind.

Uh There's a flat uh painted wall on the other side of the room, less of an engaging background for a vlog, um, podcast listeners, you guys wouldn't mind. Um But the, that would have been a much better um background if I was trying to keep my location absolutely secret because it's just a generic beige wall and a beige wall could be anywhere.

So that's a piece of operational security and the reason why this, um, tweaked as a topic for today was on the flight down. Um, there was a number of people also obviously attending this conference because you're flying to Vegas. So, um, lots of folks come to Black Hat.

Um What surprised me was the amount of information I learned, especially from the two people sitting behind me and I'm not gonna call them out. Um because that's not what this is about. But what was amazing was they were just having a conversation getting to know each other, which in its own is absolutely great.

It's nice to see people on planes in travel trying to talk to each other um trying to, you know, pass the time, be friendly. That's wonderful. But the content of their discussion um over the several hour flight was absolutely shocking to me.

They were describing how um their customer networks. Uh So they both work for different companies and they were uh one of them was describing how his customer, their network, how it just how it functioned, how their change advisory board worked um the process to get a change through the challenges, specific teams that were problems in that process.

Um He named off a number of technologies used to defend that network, the problems he saw with those tech. Um The other person was also describing some of the activities that they were undertaking on behalf of their customers. I mean, again, way too much detail, like way too much detail.

If I had been a malicious actor, I could have simply recorded all that information, written it down and had a great um first sweep of sort of enumerating this particular um network and they named the network and unfortunately, it was a rather large and interesting target for a lot of people.

So something like that was quite surprising or at least it should have been quite surprising except I hear these kind of snippets all the time. Now, I expect it from a developer conference. Um I expect it in different contexts, but at a security conference for people to be actively discussing uh discussing these types of details is worrisome because it's a massive failure in operational security.

And that happens time and time again. Now, a positive example, I met somebody last night who gave me the classic, uh, you know, I asked them what they did and they said, "I can't tell you." Oh, ok. A, that could have just been, uh, an "I'm trying to be interesting" move, um, which, you know, I wouldn't put it past for people.

Um, but from an operational security perspective, hey, that's pretty solid. Um, now I would suggest you come up with a better answer than "I can't tell you." Um, just, you know, very generic, uh, simple answer like, "oh, I'm an IT admin." Done.

Um, but that was much better, um, operational security, and this happens time and time again where people explain very specific details about what they're working on. Excuse me, very specific details about they're working on, very specific details about the networks they're engaged in.

Um And it could be a risk. Now, I don't want to make people paranoid. I don't want you not to talk to people. Um especially since, you know, we've talked so much on the show about how talking to people is absolutely critical to move security forward.

Um You need to be out there, you need to be social, but you also need to be smart about what you're sharing. Um So most people know not to share their password. Duh. Right. You would hope duh. Um But you know, explaining your network layout is almost as bad, if not worse.

Um explaining uh the security controls at different gates and sort of their weaknesses and, and, and cons um their weaknesses and, and sort of where their strengths um that's bad. Um There's a number of things that you need to worry about for operational security is share but share, not share generically if you need to.

Um, but don't just blab about there because you never know who is listening, especially at a conference that there is a Black Hat. Um, if that conversation, like, A, it was on a plane full of people. So there's already a couple of hundred people on the plane.

Um, B, if it was in the hallways of a conference like this, there are always people listening. Um, and there's devices that could potentially be recording you, and I don't want to make you paranoid. However, operational security is something that you need to talk to your team about.

It's something that you need to remind yourself about. It's something you need to practice, you need to be well aware of it. Um, because you could be leaking information that could put you or your customers, um, at risk. Um, needlessly and totally accidentally. So, interesting topic.

Um, I'm sure we'll cover it more. Uh, just wanted to touch base on it today because it's, uh, day one for me at Black Hat. Well, day, like, one, if we started at zero; I had a bit of activities yesterday. Um, and you know, it's something that's gonna pop up again and again.

So what do you think? Hit me up online @marknca, in the comments down below for those of you on the vlog, and as always by email, me@markn.ca. I'd love to hear your thoughts. Um, what kind of crazy OPSEC stories do you have to share?

Um Do you have experience in this? Do you have um positive experiences you can share with the rest of the audience on how you've helped drill operational security practices into um team members and employees without being that people, you know, that that person where you're like, oh God, here he comes.

He's gonna talk to us about this, that and the other thing again, um positive examples to get people on board. Um Let me know. Uh as always, I hope you're set up for a fantastic day. I will be broadcasting again tomorrow before taking a short break for holidays.

So uh talk to you online and I'll see you on the show tomorrow.
