There’s what you learn in books, and what you learn from experience. Sometimes they match up. Other times, not so much. This is why getting as hands-on with real-world examples is a big focus for us. And for our next Worcester event (ORH v2019.1), we’re bringing in a new element to the Treasure Hunt related to opsec.
So, what exactly is opsec?
It’s short for operational security, and like many terms in cyber security, it has a military origin. In the context of cyber security, it basically means not sharing, intentionally or otherwise, what you don’t want the rest of the Internet to know. For example, excited parents sharing photos of their kids’ shiny new driver’s license? Bad opsec. The license has those kids’ home addresses on them, for one. Driver’s license numbers could also be used for identity theft, such as creating a fake license with a kid’s real info to open a student credit card, perhaps.
Now, take a look at this photo that a (fictitious) employee submitted online for a Messy Desk Makeover contest run by a legit (fictitious) company. Just by this one photo, what could you learn about this person? What’s the employee’s name? What training did this employee complete? What could you learn about the employee’s reading habits that you could then use to create a spear phishing attack?