Ask HN: Can you recommend any OPSEC resources/books/guides? - philippnagel
======
equalunique
I can tell you about the resources, books, and guides that I'm familiar with;
they are specific to the United States public sector. Not all of it is
specific to Operational Security, but one could say that it is all related.
Many federal departments and agencies must implement security programs based
on guidelines and recommendations from the Department of Commerce's National
Institute of Standards and Technology, which created the Special Publication
800 Series for Computer Security and also the Special Publication 1800 Series
for Cybersecurity Practice Guidelines.
([http://csrc.nist.gov/publications/PubsSPs.html](http://csrc.nist.gov/publications/PubsSPs.html))
These departments and agencies are also required to report their cyber
security incidents to the United States Computer Emergency Readiness Team
(US-CERT) so that security events, incidents, and responses may be coordinated
across departments and agencies.
([https://www.us-cert.gov/government-users/compliance-and-repo...](https://www.us-cert.gov/government-users/compliance-and-reporting))
Today's federal departments and agencies are connected to trusted internet
connections (TICs) that are all held to high standards of incident reporting
and security management.
([https://www.dhs.gov/trusted-internet-connections](https://www.dhs.gov/trusted-internet-connections))
The same goes for the providers of their PKI infrastructure
([https://www.idmanagement.gov/IDM/servlet/fileField?entityId=...](https://www.idmanagement.gov/IDM/servlet/fileField?entityId=ka0t0000000TNYYAA4&field=File__Body__s)).
Other key pieces of computing and communications infrastructure are also
held to standards, such as the ones published by the Federal Network
Resilience group, but these are not made available publicly. The CAESARS
Framework
([http://csrc.nist.gov/publications/drafts/nistir-7756/Draft-N...](http://csrc.nist.gov/publications/drafts/nistir-7756/Draft-NISTIR-7756_second-public-draft.pdf))
is the best example of a highly integrated continuous monitoring program,
one which integrates security operations with executive-level risk
management. Lots of money has been invested in creating great frameworks, but
many agencies and departments struggle to implement them in practice.

~~~
equalunique
I know about this because I started my career helping an agency achieve a
CAESARS-like program, which was based more on NIST's Risk Management Framework
(RMF). The basis of it is to define your systems, their
Confidentiality/Integrity/Availability impact levels, a chain of management
who has authority over the systems, security controls to protect the systems,
continual evaluation of the security controls, and expedient management of
risks associated with failure to implement security controls properly.
([http://csrc.nist.gov/publications/nistpubs/800-37-rev1/sp800...](http://csrc.nist.gov/publications/nistpubs/800-37-rev1/sp800-37-rev1-final.pdf))
The best security operations people I've worked with are the ones who are very
curious. They scour the configuration management, patch management, and
defense systems, always checking to see if they do the things they're
actually meant to do. Alerts on security events are very useful. Having
multiple tools to cross-reference pays off when the results are different and
it reveals an underlying problem that nobody expected.
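An added example (mine, not the commenter's) of the cross-referencing described above: three tools that should each know about every managed host are compared, and every disagreement becomes a finding. The host names, dates and the 14-day staleness threshold are constructed for illustration.

```python
from datetime import date

# Constructed sample data (not from the thread): what three tools believe
# about the same fleet, all reported as of the same day.
AS_OF = date(2017, 3, 1)
CMDB = {"web01", "web02", "db01", "jump01"}                 # configuration management
PATCH_AGENT = {                                             # host -> last agent check-in
    "web01": date(2017, 2, 28),
    "db01": date(2017, 1, 20),
    "dev07": date(2017, 2, 27),
}
EDR = {"web01", "web02", "db01", "dev07", "printer-ops"}    # hosts the defense system sees


def cross_reference(cmdb, patch_agent, edr, as_of, max_age_days=14):
    """Reconcile the three views; each mismatch is returned as (host, reason)."""
    findings = []
    # Managed per the CMDB, but patch management has never heard of it.
    for host in sorted(cmdb - set(patch_agent)):
        findings.append((host, "in CMDB but never reported to patch management"))
    # Managed per the CMDB, but the defense tooling has no visibility of it.
    for host in sorted(cmdb - edr):
        findings.append((host, "in CMDB but not seen by the defense system"))
    # Tooling sees it, but nobody owns it: an unmanaged asset.
    for host in sorted((set(patch_agent) | edr) - cmdb):
        findings.append((host, "seen by tooling but missing from CMDB (unmanaged asset)"))
    # The agent exists but has gone quiet: patches may not be applying.
    for host, last_seen in sorted(patch_agent.items()):
        age = (as_of - last_seen).days
        if age > max_age_days:
            findings.append((host, f"patch agent silent for {age} days"))
    return findings


if __name__ == "__main__":
    for host, reason in cross_reference(CMDB, PATCH_AGENT, EDR, AS_OF):
        print(f"{host:12s} {reason}")
```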

