> Opsec101. <https://opsec101.org/>. Accessed 26 Oct. 2022.
# Countermeasures come last
## Don't start with countermeasures
A countermeasure literally means a measure of response to counter a threat. Without a rational threat or otherwise clear reason for a countermeasure, you end up spending time, energy, and even money for little to no benefit on a threat that may never materialize. Worse, in doing so you can increase your liability and attack surface.
**==The countermeasure-first approach is unsustainable==, misleading, and fundamentally ignores two critical paradigms**:
1. **Convenience is inversely proportional to safety and security.** The more secure we make things, the less convenient they become and the more liability or vulnerabilities may be introduced.
2. **The more you attempt to secure something, the more attention it can bring, potentially increasing threats.** Often, hiding in plain sight is more effective.
To combat this, we put countermeasures last and focus on the rationale first. This is called the opsec process. The opsec process is a list of questions to help rationally assess a threat and judge the efficacy, or even the necessity, of countermeasures against it.
## The Opsec process
**Opsec is a practice or methodology based on ==rational assessments before action==.** Before deciding what countermeasure to use, first you need to assess if the threat is serious, or even practical.
This is done by asking a series of questions in order.
### 1. What needs protecting?
This could be information, a physical item, your personal health, or anything that has value or provides additional opportunity once accessed. For most of us, the answer to this question might be family, our home, any number of valuable belongings, our personally identifiable information, important financial information, or our passwords. All of these things need to be protected, but not all of them are always at risk in every situation.
### 2. What is the potential threat?
Most people don't need help identifying common, obvious, physical threats. We encounter enough of those in the course of our daily lives that it becomes second nature for most. While identifying them, we tend to internally ask ourselves questions to assess the potential threats.
But not all potential threats are so obvious to everyone, especially abstract ones related to the effects of running certain software, performing certain actions on a computer, or trusting certain sources of information.
These threats are all possible, but perhaps unlikely. Still, **it's important to try to brainstorm and identify potential threats as early as possible**: before you leave on that vacation, before you start your car, before you enter your information into that website's form. Without practicing opsec in this manner, these threats will need to be learned from experience instead, sometimes at a potentially heavy price.
### 3. What are the potential vulnerabilities?
Now that you know what you want to protect (e.g. your credit card on a plane) and what the potential threat is (e.g. the person behind you being able to see the card's details, or the card being stolen by other means during the flight), it can be quite straightforward to assess the vulnerabilities and whether they are credible or not.
- Is this the best or most secure way to pay for this service?
- Can someone see my card the way I'm holding it?
- If I were in a different seat, what would I see?
- Is this wifi payment portal really operated by the airline?
- Is the website I'm entering this card information on using a secure (HTTPS) connection?
- Does it share the information with any other services?
Depending on the answers to these questions, you may find that you have none, few, or many potential vulnerabilities. Normally this kind of judgement is possible to do quite quickly, but the more technical the potential vulnerability is, the more experience and knowledge is required. How could someone who isn't aware of HTTPS know that not using it could leak their credit card number to a hacker?
In this particular situation, we eliminate all unlikely or impractical vulnerabilities and focus on what remains.
- Someone can see you typing the credit card information on your phone.
- Someone can see your physical card.
### 4. What is the potential risk?
It's important to know the difference between a vulnerability and a risk. Simply put, the vulnerability is **how** it might be possible to attack you. The risk is **what you could lose** if it succeeds.
Now that you know the potential threat and potential vulnerabilities, you can ask the more practical questions about the realistic potential risk to you. This is where common sense, rationality, and statistics will serve you well. **There is no room for fear and paranoia in this step.**
- How much money is on this card?
- How much could be lost?
- How much can I afford to lose if I make a mistake?
- How difficult, time consuming, and inconvenient will it be if I need to order a replacement card if it's stolen?
- Are there any passengers near me that could steal the information in the first place?
- Is the risk worth the trouble for some wifi?
Assuming a credible risk is perceived, the next step is to assess which countermeasures are most appropriate for the threat.
### 5. What are the countermeasures?
Assuming a credible threat exists and there is perceived risk, the next thing to do is to apply the countermeasures to close up the vulnerabilities that will ultimately serve to neutralize the threat.
In this particular situation, having eliminated all unlikely or impractical vulnerabilities, we focus on what remains.
- Someone can see you typing the credit card information on your phone.
- Someone can see your physical card.
The easiest countermeasure for these is likely the same for both:
- Cover your phone and card with a coat, or hold it down in your lap away from the line of sight of any other passengers until the process is complete.
The simplicity of assessing a specific threat and risk may lead one to believe the thought process isn't being used, but much like math, just because an easier equation doesn't need a calculator doesn't mean there isn't calculation occurring. The simplicity of the process can be deceiving and lead to the belief that applying a countermeasure-first approach is sufficient. That is the ["best practices" fallacy](https://opsec101.org/#best-practices-fallacy) addressed earlier.
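The five questions above, encoded as a small decision procedure so the ordering is explicit: vulnerabilities are filtered for credibility (step 3), the risk is weighed against what you can afford to lose (step 4), and countermeasures are selected only when a credible risk survives (step 5), ranked by the inconvenience and attention they bring (the two paradigms). This is an added example, not code from opsec101.org; the asset, threat, likelihoods, loss figures and countermeasure costs are constructed estimates for the in-flight wifi scenario, and the function and class names are hypothetical.

```python
"""Toy encoding of the five-question opsec process (added example).

Not code from opsec101.org. Every number below (likelihoods, losses,
countermeasure costs) is a constructed estimate for illustration.
"""
from dataclasses import dataclass, replace
from math import prod


@dataclass(frozen=True)
class Vulnerability:
    how: str            # step 3: how the threat could reach the asset
    likelihood: float   # constructed 0..1 estimate that it is exploited here


@dataclass(frozen=True)
class Countermeasure:
    name: str
    closes: frozenset     # Vulnerability.how values this measure neutralises
    inconvenience: float  # paradigm 1: cost to the user, 0..1
    attention: float      # paradigm 2: how much notice it attracts, 0..1

    @property
    def cost(self) -> float:
        return self.inconvenience + self.attention


@dataclass(frozen=True)
class Assessment:
    asset: str              # step 1: what needs protecting
    threat: str             # step 2: the potential threat
    vulnerabilities: tuple  # step 3: candidate vulnerabilities
    potential_loss: float   # step 4: what could be lost
    acceptable_loss: float  # step 4: what you can afford to lose


def credible_vulnerabilities(a: Assessment, min_likelihood: float = 0.05) -> list:
    """Step 3: drop unlikely or impractical vulnerabilities, keep the rest."""
    return [v for v in a.vulnerabilities if v.likelihood >= min_likelihood]


def expected_loss(a: Assessment, vulns) -> float:
    """Step 4: potential loss weighted by the chance that at least one
    credible vulnerability is exploited (likelihoods treated as independent)."""
    p_any = 1.0 - prod(1.0 - v.likelihood for v in vulns)
    return a.potential_loss * p_any


def risk_is_credible(a: Assessment, vulns) -> bool:
    """Step 4: act only if the expected loss exceeds what you can afford."""
    return bool(vulns) and expected_loss(a, vulns) > a.acceptable_loss


def select_countermeasures(a: Assessment, candidates) -> list:
    """Step 5, and only step 5: the cheapest countermeasures that close every
    credible vulnerability. Returns [] when no credible risk exists, so a
    countermeasure is never applied without a rationale behind it."""
    vulns = credible_vulnerabilities(a)
    if not risk_is_credible(a, vulns):
        return []
    uncovered = {v.how for v in vulns}
    chosen = []
    for cm in sorted(candidates, key=lambda c: c.cost):
        if uncovered & cm.closes:
            chosen.append(cm.name)
            uncovered -= cm.closes
        if not uncovered:
            break
    return chosen


# Constructed scenario from the text: paying for in-flight wifi by card.
SHOULDER_SURF = frozenset({"passenger sees card details typed on phone",
                           "passenger sees the physical card"})
PLANE = Assessment(
    asset="credit card details",
    threat="another passenger obtains the card details during the flight",
    vulnerabilities=(
        Vulnerability("passenger sees card details typed on phone", 0.20),
        Vulnerability("passenger sees the physical card", 0.20),
        Vulnerability("wifi payment portal is not the airline's", 0.01),
        Vulnerability("card physically stolen during the flight", 0.005),
    ),
    potential_loss=2000.0,   # constructed: the card's credit limit
    acceptable_loss=100.0,   # constructed: loss you would shrug off
)
CANDIDATES = (
    Countermeasure("cover phone and card in your lap", SHOULDER_SURF, 0.1, 0.1),
    Countermeasure("ask to change seats", SHOULDER_SURF, 0.6, 0.6),
    Countermeasure("forgo the wifi entirely",
                   SHOULDER_SURF | {"wifi payment portal is not the airline's"},
                   0.8, 0.0),
)

if __name__ == "__main__":
    print("credible:", [v.how for v in credible_vulnerabilities(PLANE)])
    print("expected loss:", round(expected_loss(PLANE, credible_vulnerabilities(PLANE))))
    print("countermeasures:", select_countermeasures(PLANE, CANDIDATES))
```

With these estimates the two shoulder-surfing vulnerabilities survive step 3, the expected loss (about 720 against an acceptable 100) makes the risk credible in step 4, and step 5 picks the single cheapest measure that closes both, which is the "cover it in your lap" answer the text arrives at. Lower the potential loss (a prepaid card holding 50) and the same code returns no countermeasures at all, which is the point of the page: the rationale decides whether any measure is warranted.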
## Good Opsec? Practice, practice, practice
The previous examples were largely obvious and wouldn't necessarily need a guide or checklist to assess them. What's important is the thought process behind them: to be asking the right questions and learn how to find the right answers in a reproducible way.