OPSEC: VPNs only help stop your network from invading your privacy. The biggest threat is still you!

edited November 2 in General Privacy Discussion Posts: 79
Most users looking into a VPN are doing so because they want to try to mask their identity from obvious threats, whether that be online stalkers, hackers, or the threat of abuse and misuse of the legal system to ruin their life (by civilians and governments alike).

A VPN can be an easy and relatively simple chocie for masking the simplest of unknown threats, but the biggest threat is the actions we perform or the information we ourselves voluntarily share to the wrong eyes or ears.

The concept of protecting information from ears and eyes that aren't meant to see it is referred to as Information Security, or INFOSEC for short.

INFOSEC is a subset of Operations Security, or OPSEC for short. Since information alone is not all we need protecting, but also systems, environments, communication channels, and hardware, a greater understanding and appreciation of OPSEC is necessary to protect yourself completely. A VPN such as PIA or even Tor, is just a tool of a larger OPSEC strategy.

In the following posts of this thread, I will try to explain what OPSEC really means, how you can start to practice the OPSEC mindset and begin to implement it into your life for a safer existence, offline and on, in business and personal life.


As a member of the Operations Security Professional's Association (OSPA) ( https://www.opsecprofessionals.org/what-is-opsec/ ) I am always happy to help educate and promote the concept of OPSEC to the general public, and believe that proper OPSEC is something everyone should learn, not just military or members of a particular organization.

Post edited by sn0wmonster on
Tagged:

Comments

  • Posts: 570
    This is much needed. Too many PIA customers assume using a vpn service, of itself, makes them secure when online and then never go beyond that to secure themselves.

    Looking forward to what you can bring to the table.
  • Posts: 265
    Agreed @tomeworm. It goes further than just using a VPN and thinking they're protected too: I wish I could show you the amount of tickets we get from people that completely misunderstands what a VPN even does. We regularly have people that cancelled their regular ISP and are pissed PIA no longer connects, people that logs into their Facebook account on PIA and wonder why they're not anonymous. People that uses PIA and wonder why they still got banned on X forum/website. Or just the usual people that puts in the SOCKS proxy in their torrent application, never verify that their settings have any effect and then complain they still got copyright notices. We've even had people connect to the app once, see the green icon, close the app and never open it back up and then come back weeks later when they noticed they're unprotected. Duh!

    Too many people see VPNs as "ways to get US Netflix" or "the thing that lets you torrent without copyright notices"...
  • Posts: 453
    There are many SEC's that one must take into consideration. INFOSEC and OPSEC were already mentioned. But, for me, it is neither if one does not have good COMSEC. Without COMSEC, the others are vulnerable. Granted, everything is vulnerable, even the AES encryption we are using.

    Agree with Max-P, VPN is not efficient if one does not take into consideration many factors. Just can't turn on VPN and go about one's business. One has to be very aware of what their local machine is doing. It very well could be spilling all sorts of information outside the VPN tunnel.
  • Posts: 170
    Problem is that you dont need any training or a licence to use a computer ( especially not a mobile phone or tablet).
    Most people have no understanding of the technology nor are they interested in learning. They want it to "Just work" -(credit to Apple) and it generally does - but not necessarily in a secure way. Given that social media such as Facebook or Twitter are so open to abuse ( can you really trust your "Friends" ?) - I personally wont use social media, 'though my wife does to keep in contact with her overseas family members who have no hesitation in posting everything and anything - her account is accessed via PIA and a fake registration and a disposable email address, so problems are mostly limited to family posting her image and tagging her on their pages.
  • Max-P said:
     We regularly have people that cancelled their regular ISP and are pissed PIA no longer connects, people that logs into their Facebook account on PIA and wonder why they're not anonymous.
    I genuinely chuckled on that one. <span>:smiley:</span>
    Just goes to show how alarmed the general population is at their complete erosion of any semblance of privacy online.
    The exponential growth spurt in the last couple of years of people all over the world signing up for a VPN is not happenstance, it wasn't out of the blue and without reason.
    The out-of-control surveillance state complex globally has brought forth this response from the common people who are increasingly made to feel like criminals for daring to demand privacy in their online dealings.
    Signing up for a VPN is a great first step, but there is no shortcut around the fact that you really need to know what a VPN can and cannot do. If you are a novice user, there is no escaping reading tons of articles online about how VPN's work and how they protect you, and more importantly where they cant help you. 
  • edited November 5 Posts: 79

    Part II: Introduction to basic concepts

    If you are looking for a highly detailed and technical review and description of OPSEC, I encourage you to visit the OSPA (Operations Security Professionals Association) website at https://www.opsecprofessionals.org/what-is-opsec/ to get just that. This post and all posts in this thread will be geared towards layman's terminology, simplifications, and examples intended for the average person.


    OPSEC, to put it very simply, is a practice and a mindset, much like that of a gardener.


    When a gardener wants to grow, they don't just throw seeds on the ground and come back the following year. They figure out first what they want to accomplish (e.g. grow corn), what the typical risks are (e.g. floods, animals, bugs, drought), the conditions in which the seed grows best (e.g. weather, soil, fertilizer, sunlight), and just what the return on investment would be (e.g. 2 bushels of Corn, 2 acres of Tomatoes, 200 bottles of grape wine). Then and only then do they move forward. This allows not only a greater chance of success, but enables them to react in a quick and concise manner, free from doubt.


    OPSEC is much like this, except instead of planting seeds, we plant ourselves into situations with specific desired outcomes.


    What does OPSEC look like?


    For those like me who learn best from examples, let me draw a picture for you.



    • You've just been invited to an interview for a job you didn't imagine would call on you. How exciting is this!

    • The interview begins and you're asked to provide your Facebook login details so they can get a good sense of your character.

    • Uh-oh!

    • You provide it because otherwise you'd look guilty and suspicious.

    Can you pinpoint the exact moment that you endangered yourself unnecessarily and took your future out fo your own control? Was it when you agreed to the interview without giving it proper consideration? Or how about when you didn't properly prepare for it? Was it when you were introduced with a request you weren't expecting?


    The exact moment you failed at OPSEC was when you applied for the job in first place without understanding that the employer would likely require access to Facebook. This kind of information was critical to your chances of employment, and now you've handed over your Facebook password so that your every movement can be critiqued and used against you.


    Test your instincts

    Let's try an exercise. In this example, which of the following did you practice poorly?



    1. OPSEC (Operations security)
    2. INFOSEC (Information security)
    3. COINTEL (Counterintelligence)



    If you answered "All of the above", you're right!


    Practicing proper OPSEC is not just for military with missions to accomplish, it's all for your personal safety and wellbeing, and the success of any endeavor.


    The above was mostly an example of poor INFOSEC and COINTEL (counterintelligence).



    How complex is OPSEC?

    OPSEC is like a martial art in that it's not just kicking, punching, blocking, or grappling, it's all those things as tools used in a specific arrangement that serves to eliminate the threat and beat the bad guy. And just as you wouldn't block someone swinging a baseball bat at you by punching it, there is a logical and reasoned response for every situation that requires a unique assessment each time. This is called risk assessment or theat modeling. "What threatens me? What will it likely do? Am I safe from that? Can I counter attack and succeed or should I run? If I'm not safe from it, how can I be? What do I risk losing if I fail?"

    OPSEC is split up into major categories too that are themselves entire fields of study, some of which you don't need to be concerned about mostly because you are not likely to be in a position to control them.


    • INFOSEC - This one comes down to keeping information secret from those who don't need to know it. You practice INFOSEC by having a password on your Facebook, sharing posts only with friends and families, or making sure your uploaded photos don't contain your GPS coordinates in the EXIF metadata.

    • APPSEC - This one could be summed up easiest by talking about the mobile apps most people download so trustingly, and those pesky permissions given without thought of consequence. Why does your calculator need internet access and to use your camera?

    • NETSEC - This is what PIA helps protect. It's also what Tor is for, and firewalls! It refers to the security around networks, connecting to them, using them -- we practice good NETSEC by not connecting to Wifi spots we don't trust as it may spy on our data.

    • SYSSEC - This is overall systems security, things like running a virus scanner, not plugging in random friends' USB sticks that probably have trojans on them, and using an operating system that is more secure than Windows XP. If you're still using XP, you're practicing poor SYSSEC already!
    • PHYSEC - Did you guess this one is about physical security? It's not about your body, but about physical access to things and protecting against it. Door locks, safes, or hiding a USB stick with sensitive documents in a secure location are all examples of PHYSEC.
    • PERSEC - This is one that everyone practices when they make the conscious decision to not walk down a dark alley alone on the bad side of town, but it can get much more intricate than that, such as keeping minimum distance from others, taking a different route home everyday, or as simplistc as washing your hands after riding public transportation.
    • (CO)INTEL - This is where creativity in lying is rewarded! Remember the interviewer who wanted your facebook credentials? What if you instead providing a separate account that you had purposely curated ahead of time to make you look less reckless? This would be providing false intelligence to the interviewer, and thus counterintel. Using a VPN in some ways could be considered COINTEL.

    Others you will likely never hear about much less need to be concerned about are:

    • COMSEC

    • TRANSEC

    • SIGSEC

    • EMSEC.

    Stay tuned

    In the next section, I will explore in simple terms how INFOSEC can not only guide your success, but paint your demise as well.

    Post edited by sn0wmonster on
Sign In or Register to comment.