Developing personal OPSEC plans: 10 tips for protecting high-value targets

Criminal hackers are targeting a wide range of employees, from administrative assistants to the C-suite executives they serve. As cybersecurity firm Proofpoint puts it, the hackers’ goals are to “trick your workers into opening an unsafe attachment or clicking on a dubious web link. They impersonate your CEO and order your finance department to wire money. And they con your customers into sharing login credentials with a website they think is yours.”

Most enterprise IT systems are well protected against, though not invulnerable to, cyberattacks. But the personal devices and online tools employees use after hours can be less secure, providing a potential bypass around enterprise security.

At the same time, crooks are increasingly targeting specific individuals such as Chief Financial Officers because these executives have high-level access to sensitive enterprise data, says Stephanie Carruthers, Chief People Hacker of IBM’s X-Force Red team of veteran white-hat hackers. Other potential targets are often employees with access to sensitive information, such as IT and cybersecurity, human resources, and legal department team members.

“Who is targeted really comes down to what they have access to,” Carruthers says. Such targeting is on the rise because, simply put, it can be more efficient, she adds. “Targeting high-risk employees helps criminals go straight to the source for what they want to obtain, rather than digging around in the weeds.”

Criminal hackers can piece together information about someone and their organization from public social media accounts or other online sources, which supply the open source intelligence (OSINT) needed to impersonate people for criminal purposes, notes Chester Wisniewski, Principal Research Scientist for Sophos.

At the same time, because so much communication is digital, it’s harder to spot imposters. “If someone you know calls you on the phone, you can authenticate them by their voice,” Wisniewski adds. “But that’s not always so easy to do online.”

In an effort to block targeted attacks against employees, some organizations are beginning to develop personal OPSEC plans for high-risk individuals, to better safeguard them both at work and in their personal lives. Such plans go beyond standard enterprise security protocols, practices and tools in order to provide individualized cybersecurity training and protection.

“Security is always hard for companies, and too many of them just offer security awareness training for all employees,” Carruthers says. “The next step is developing OPSEC plans for high-risk employees, which I think more companies should be doing. It would make my job (as a white-hat hacker) a lot more difficult.”

The following are 10 tips and best practices for developing the most effective personal OPSEC plans for high-risk workers at all levels.

Include enterprise and personal accounts and devices

“Too often, OPSEC plans only focus on work accounts and not the personal accounts that the executive or employee actually uses a lot of the time,” notes Alex Hamerstone, Practice Lead for Governance, Risk Management and Compliance at information security consultancy TrustedSec. “The personal accounts can be an entry point into the work accounts in many ways, whether through password reuse or executives logging into enterprise services on their personal equipment.”

Executives are easier to target today because they use so many more devices than in the past, including laptops, smartphones, tablets, smartwatches, and other internet of things (IoT) devices, Hamerstone adds. “Connected cars are also an emerging area that will become more significant in the coming years,” he adds. “An OPSEC plan has to account for this by hardening the actual devices, limiting what enterprise data the devices can store or access, and taking into consideration which accounts could be compromised and exploited from those devices.”

In addition, corporate security programs often don’t reach beyond the actual office building. “But that’s a huge oversight,” Hamerstone says. “The executive’s home network has to be hardened with a layered defense put in place. The executive should also use a dedicated IP at home that’s isolated from the rest of the home network. What type of data they store or have access to from their home needs to be either limited, blocked, or hardened with strong encryption.”

Get high-risk employees on board with the plan

Often, the biggest obstacle to an OPSEC plan’s success comes the person it’s intended to protect, according to Hamerstone. “It’s common for these executives to push back on an OPSEC plan’s recommendations or to completely ignore them when it comes to their own personal behavior,” he says. For example, Hamerstone recalls a CEO who was advised not to take his personal laptop on business trips to China — but he did it anyway, potentially compromising the security of the company’s data.

Hamerstone recommends giving executives specific examples or published news stories that illustrate how they might be targeted. Also, an OPSEC plan needs to be as simple as possible for executives to follow. “It’s like having an airbag in a car,” he explains. “Designing and installing that airbag was tons of work for engineers and manufacturers behind the scenes. But the user doesn’t even notice it.”

Have specific social media policies and procedures

Social media sites such as LinkedIn, Twitter, Facebook and Instagram can expose OSINT about high-risk employees that can be pieced together and exploited for social engineering purposes, peripheral targeting, tracking physical locations, and finding weaknesses in the corporate IT system, Hamerstone says.

There are several steps you can take to better protect high-risk individuals on social media:

• Develop clear, easy-to-follow guidelines on what’s acceptable for sharing and what can put the organization at risk. For example, a post commenting on a recent news event is usually safe, while a selfie taken inside an operations center isn’t, explains Sean Goodwin, senior consultant, IT assurance for accounting firm Wolf & Company, P.C. “Be realistic with your policy, as an outright ban is nearly impossible to enforce,” he adds. “Also, explain what side channel attacks are and how some attackers go after personal social media accounts to get into corporate accounts.”
• Keep personal accounts private. Ideally, C-suite executives and other high-risk employees should keep their personal social media accounts private, Carruthers says. In addition, the social media accounts the executive links to should also be private. “A lot of times when a social media account is private, you can still find out things about the executive from the images and posts that their children, spouses or friends share about them,” she explains. “The ideal is to ensure that everyone the executive connects to with their personal accounts keeps their accounts private, too.”
• Maintain separate, public social media profiles. High-level executives should have public accounts on Twitter, LinkedIn, Facebook and other prominent social media networks, Wisniewski advises. “It’s important that you claim and use those accounts, to prevent a criminal from assuming your identity on social media.” High-level executives often have their company’s marketing team manage and post to their public accounts, he adds.

Provide frequent ‘white glove’ security training 

“High-risk employees should receive constant, additional training that’s geared specifically for them,” Carruthers says. “Everyone from the janitor to the CEO has a different threat model, so they need training relevant to their threat model.”

High-risk employees should be trained about mobile security risks in particular, Carruthers adds. Some people believe their mobile devices are fairly secure, especially compared to their computers, and therefore they lower their guard when using a smartphone or tablet. “When I send phishing messages to smartphones (as a white-hat hacker), my success rate is much higher compared to phishing messages sent to desktop computers,” she adds. And yet, mobile threats such as smishing (SMS phishing) and vishing (voice phishing) are on the rise. 

Require two-factor authentication and password managers

Enterprises should require all high-risk employees to use two-factor authentication (2FA) on their personal accounts, such as Gmail or Dropbox, as well as the corporate accounts they use, Carruthers says.

In addition, high-risk employees should use password manager apps such as 1Password and Dashlane for their personal logins as well as professional ones. “So many data breaches that we see happen because attackers have gained access to passwords that people reuse across multiple accounts,” Carruthers adds.

Lie in your security question responses

Often, websites ask users to answer three or more security questions, such as ‘What is the name of your first pet?’, when establishing an account and password. But given how much information can be gleaned about individuals from social media, Carruthers advises high-risk employees to provide false answers to those security questions. Be sure to write down the false answers in a secure place, such as the notes area in a password manager app.

Make it easy to authenticate information 

Whenever managers at Sophos need to share information with employees, they post it first to the secure, internal Sophos wiki and then send it out via email, says Wisniewski. That way, recipients can easily verify that the information from managers is legitimate.

Establish clear procedures for verifying requests

Crooks often use OSINT to impersonate a specific executive, then send an unwitting employee an email that appears to be from that executive. The email might give the employee one or more reasons to wire money to an account that differs from the one normally used for similar transactions.

Therefore, your OPSEC plan should have a simple procedure for verifying that such a request is legitimate. “If a request exceeds a certain dollar amount and/or involves a change in procedure, your OPSEC policy might require an employee to seek both verbal and digital confirmation that the request is legitimate,” says Wisniewski. “The goal is not to burden people with too many security layers but get them to take extra steps when they’re truly needed.”

Have a process for reporting suspicious activities

With voice phishing, criminal hackers may impersonate an organization’s IT or other department team members and call the company’s employees one by one, hoping someone will unwittingly give the hacker their username and password. Too often, an employee may realize that something about a call feels odd — but they hang up and take no further action. “Have an established procedure so that employees know where to report something suspicious, whatever it is, so you can get the word out quickly to others in the company,” Wisniewski says.

Regularly test high-risk employees

High-risk employees should be tested frequently on all aspects of security, especially social engineering attacks, says Carruthers. “Send them fake phishing emails and see if they report them to your cybersecurity team or if they click the link embedded in the email. See if they’ll give a legitimate-sounding stranger their password over the phone. The point is to help high-risk employees see what targeted attacks against them look like — and how susceptible they might be to them.”