OPSEC - What information is leaking out about you and your company?

Have you ever thought about what information is available about you and your company?  The internet has made finding this information so much easier, but don't forget about the non-technical means in which information can be gathered.

Information can be found using a company's website, Google, Social Media, and numerous other websites.  Information can also be found by digging through recycling baskets, garbage cans/dumpsters, or even just by looking at the back of someone's car.  Have you ever seen the decals of a stick family on someone's car?  How about a vanity license plate?  Or one of those "My child is an honor student at [fill in the blank] school!]?  All of this information by itself is probably pretty harmless, but when put together, can paint a pretty clear picture.

I was driving the other day and the car in front of me had a vanity license plate with two names on it.  I now know the names of the owners.  They also had an OBX sticker.  I now know they like to vacation in the Outer Banks.  They also had a magnet that said the name of a ballet school and another from a youth football team.  Accompanying all of this was a stick figure family that showed a father, mother, a boy, a girl, and a cat.  So I know the father's name, the mother's name, where they vacation, that they have two kids, and what those kids do for recreational activities.  That is quite a bit of information just from the back of someone's car!  

You can also look in the dumpster at your company and probably find out information that probably should not be there.  Things like company proprietary information or even passwords.  

So the question is, do you know what information is available about your company?  Taking an offensive approach by doing the dumpster diving, online "open-source" information gathering, and just walking around will help you determine what the risks are to your environment.  With those risks, you can determine ways to mitigate the risk.  You then can select what  risks to mitigate and implement controls.  After you implement the controls, you need to measure the effectiveness of those controls.  But your job is not done when you finish measuring the effectiveness.  You then need to start over and determine the remaining risks and continue with the cycle.  

Being on the offensive will help you better defend your organization, and even your family.  OPSEC is not just for government, military, or companies.  The same principles can be applied directly to your home.

Stay safe out there!

Popular Posts