Protect critical assets in the cloud by applying Operations Security

Judith Myerson

Updated January 28, 2015 at 9:53 AM

Security tip from CNET: Enable 'Do Not Track' in your mobile web browser.

Image: Nicole Cozma/CNET

One way to stop nefarious users from accessing your company's critical data in the cloud is to apply the OPSEC (Operations Security) methodology. This methodology's origins go back to the Vietnam War. Admiral Ulysses Sharp, Commander-in-Chief, Pacific established the Purple Dragon team to investigate how the adversary was able to get advance information on U.S. military operations.

At the end of the war, OPSEC was adopted in the private sector to determine how business competitors could obtain critical information. Competitors can observe in a friendly manner:

What time, and how an executive goes to work;
What time the executive gets home; and
What cell phone or tablet the executive uses on way to work.

To protect critical information, OPSEC methodology uses analytic processes to:

Identify critical information
Analyze the threat
Analyze your vulnerabilities
Assess the risks
Apply the countermeasures

1: Identify critical information

All classified material are critical. You need to decide which unclassified information you would send to or receive from the cloud is critical and should not be obtained by an adversary.

2: Analyze the threat

Find out which individuals, groups, or nation states might be your cloud adversaries. Analyze resources, knowledge, or capabilities they could use to get critical information. From the analysis, determine the threat level of getting critical information.

In a simplistic scenario, an adversary goes into a public coffee shop where his intended victim goes every morning at the same time during a work break. At a safe distance, the adversary turns on a small device hidden inside his coat to record loud conversations between the victim and his fellow workers. When the victim leaves to return to work, the adversary listens to the recording device and hears the product prices the victim downloaded from the cloud. Then the adversary offers competitive prices that his victim can't meet.

Since the adversary finds critical information very useful, the threat is rated as critical, meaning that the adversary has demonstrated both strong intent and high capability to act aggressively against friendly objectives.

If the adversary were not able to offer competitive prices, the critical information he obtained would not be useful. As a result, the threat rating is the lowest, meaning that the adversary doesn't have the intent or the capability to act against friendly or similar objectives.

3: Analyze your vulnerabilities

Analyze your organization's vulnerabilities from the point of view of multiple adversaries. Determine how the adversaries might use critical information to disrupt or defeat a friendly activity. The adversaries take advantage of inherent weaknesses of physical, email, and social engineering safeguards.

Rate each vulnerability on a scale from critical to low, using from the sample vulnerability rating criteria provided by the Interagency OPSEC Support Staff (IOSS).

Criteria 1. A vulnerability is critical when it is proven that the vulnerability is exploitable by multiple adversaries.
Criteria 2. A vulnerability is high when it is potentially exploitable by multiple adversaries.
Criteria 3. A vulnerability is medium high when it is potentially exploitable by multiple adversaries with limited corroboration.
Criteria 4. A vulnerability is medium when it is potentially exploitable by multiple adversaries with significant corroboration.
Criteria 5. A vulnerability is medium low when it is potentially exploitable by one or two adversaries.
Criteria 6. A vulnerability is low when the potential for exploitation is negligible.

4: Assess the risks

The higher the risk is, the greater the chance the vulnerabilities would get exploited, and the greater the resulting impact would have on your organization. Determine the risk on a scale from critical to low, as follows:

Criteria 1. A risk is critical when an adversary has demonstrated they can exploit an existing vulnerability.
Criteria 2. A risk is high when it is no doubt an adversary could exploit an existing vulnerability.
Criteria 3. A risk is medium high when it is probable an adversary could exploit an existing vulnerability.
Criteria 4: A risk is medium when it is possible an adversary could exploit an existing vulnerability.
Criteria 5: A risk is medium low when it is unlikely an adversary could exploit an existing vulnerability. .
Criteria 6: A risk is low when it is improbable an adversary would exploit an existing vulnerability.

5: Apply the countermeasures

A countermeasure is anything that effectively mitigates an adversary's ability to exploit vulnerabilities, according to the Operations Security Professional's Association. Apply cost-effective countermeasures to reduce the risk to low-impact level. The countermeasures for lowest risk are not necessary.

Repeat these steps, as necessary

If critical information, vulnerabilities, threat level, risk assessment, and countermeasures change over time, repeat the OPSEC analytic processes as outlined in this article.

Disclaimer: TechRepublic and CNET are CBS Interactive properties.

Yahoo Sports
Former NBA guard Darius Morris dies at 33
Former NBA guard Darius Morris has died at the age of 33. He played for five teams during his four NBA seasons. Morris played college basketball at Michigan.
Yahoo Finance
The FDIC change that leaves wealthy bank depositors with less protection
Affluent Americans may want to double-check how much of their bank deposits are protected by government-backed insurance. The rules governing trust accounts just changed.
Yahoo Sports
Phil Mickelson on the majors: 'What if none of the LIV players played?'
Phil Mickelson hints that big changes could be coming to LIV Golf's rosters, and the majors will need to pay attention.
Yahoo Sports
Heat's Pat Riley unhappy with Jimmy Butler's remarks on Celtics and Knicks, implies he needs to play more
Miami Heat president Pat Riley rebuked comments Jimmy Butler made about the Boston Celtics and New York Knicks, while also implying that his star needs to play more.
Yahoo Sports
Blockbuster May trade by Padres, MVP Ohtani has arrived, Willie Mays’ 93rd birthday & weekend recap
Jake Mintz & Jordan Shusterman discuss the Padres-Marlins trade that sent Luis Arraez to San Diego, as well as recap all the action from this weekend in baseball and send birthday wishes to hall-of-famer Willie Mays.
Yahoo Finance
Social Security just passed Medicare as the government's most pressing insolvency risk
An annual government report offered a glimmer of good news for Social Security and a jolt of good news for Medicare even as both programs continue to be on pace to run dry next decade.
Yahoo Sports
No one was airing Angel Reese and Kamilla Cardoso's WNBA preseason debuts, so an X user livestreamed it
The quality was choppy, but it was better than what the WNBA had.
Yahoo Sports
NBA playoffs: Predictions for Celtics-Cavaliers and every second-round series
Our NBA staff makes its picks for Knicks-Pacers and every second-round series.
Yahoo Sports
The Scorecard: Andy Pages looks set to go down as one of the best fantasy baseball waiver wire pickups of 2024
Fantasy baseball analyst Dalton Del Don delivers his latest batch of hot takes as we enter Week 6 of the season.
Yahoo Sports
NFL Power Rankings, draft edition: Did Patriots fix their offensive issues?
Which teams did the best in the NFL Draft?
Yahoo Sports
2024 NFL Draft grades: Denver Broncos earn one of our lowest grades mostly due to one pick
Yahoo Sports' Charles McDonald breaks down the Broncos' 2024 draft.
Yahoo Sports
Formula 1: Miami Grand Prix sends cease and desist letter to prevent Donald Trump fundraiser during race
Race organizers say they'll revoke a Trump fundraiser's suite license if he holds an event for the former president on Sunday at the race.
Yahoo Sports
The best RBs for 2024 fantasy football according to our analysts
The Yahoo Fantasy football analysts reveal their first running back rankings for the 2024 NFL season.
Yahoo Sports
Monday Leaderboard: Brooks Koepka is ready to slow the Scottie Scheffler train
A dominant LIV win and a heartbreaking PGA Tour loss headline this week's top golf stories
Yahoo Sports
Timberwolves' Rudy Gobert out for Game 2 vs. Nuggets due to birth of his child; Jamal Murray to play
Rudy Gobert may not play due to the birth of his first child.
Yahoo Celebrity
Dwayne Johnson is difficult to work with, report claims. The star has 'mountains of public goodwill' to offset negativity, expert says.
Once named the “Most Likable Person in the World,” the actor is under fire in a new report, accused of showing up to work late on the film “Red One,” irritating the crew and causing the budget to balloon.
Yahoo Sports
2024 NBA offseason previews: Teams' needs, free agents, draft picks, cap space and more
The 2023-024 NBA season isn't yet over. A number of teams are still dreaming of championship glory. But for those that have been bounced from the playoffs, it's time to reassess and re-evaluate for next season.
Yahoo Finance
CVS stock plunges after earnings numbers one analyst 'did not even believe'
CVS warns it could cede Medicare Advantage market share as reimbursement rates pressure the company.
Yahoo Sports
Victor Wembanyama wins NBA Rookie of the Year via unanimous vote after delivering on unprecedented hype
Victor Wembanyama did everything for the Spurs as a rookie.
Yahoo Sports
Kentucky Derby: Mystik Dan wins in three-horse photo finish, outruns favorite Fierceness in stunning upset
The 150th Kentucky Derby produced yet another magnificent two-minute spectacle.

News

Life

Entertainment

Finance

Sports

New on Yahoo

Protect critical assets in the cloud by applying Operations Security

1: Identify critical information

2: Analyze the threat

3: Analyze your vulnerabilities

4: Assess the risks

5: Apply the countermeasures

Repeat these steps, as necessary

Recommended Stories

Former NBA guard Darius Morris dies at 33

The FDIC change that leaves wealthy bank depositors with less protection

Phil Mickelson on the majors: 'What if none of the LIV players played?'

Heat's Pat Riley unhappy with Jimmy Butler's remarks on Celtics and Knicks, implies he needs to play more

Blockbuster May trade by Padres, MVP Ohtani has arrived, Willie Mays’ 93rd birthday & weekend recap

Social Security just passed Medicare as the government's most pressing insolvency risk

No one was airing Angel Reese and Kamilla Cardoso's WNBA preseason debuts, so an X user livestreamed it

NBA playoffs: Predictions for Celtics-Cavaliers and every second-round series

The Scorecard: Andy Pages looks set to go down as one of the best fantasy baseball waiver wire pickups of 2024

NFL Power Rankings, draft edition: Did Patriots fix their offensive issues?

2024 NFL Draft grades: Denver Broncos earn one of our lowest grades mostly due to one pick

Formula 1: Miami Grand Prix sends cease and desist letter to prevent Donald Trump fundraiser during race

The best RBs for 2024 fantasy football according to our analysts

Monday Leaderboard: Brooks Koepka is ready to slow the Scottie Scheffler train

Timberwolves' Rudy Gobert out for Game 2 vs. Nuggets due to birth of his child; Jamal Murray to play

Dwayne Johnson is difficult to work with, report claims. The star has 'mountains of public goodwill' to offset negativity, expert says.

2024 NBA offseason previews: Teams' needs, free agents, draft picks, cap space and more

CVS stock plunges after earnings numbers one analyst 'did not even believe'

Victor Wembanyama wins NBA Rookie of the Year via unanimous vote after delivering on unprecedented hype

Kentucky Derby: Mystik Dan wins in three-horse photo finish, outruns favorite Fierceness in stunning upset