14Jun OPSEC while “Home Alone”
The first part of this clip from the movie “Home Alone” has a few good “OPSEC” points.
For starters, Kevin obviously took a quick look at his operation (meaning his situation at home) from the perspective of an adversary, in this case a burglar. Realizing that a deviation from an established profile (meaning the usual signs of an occupied home) is itself an indicator (that something has changed; in this case, that the home is now unoccupied), Kevin implemented a countermeasure, which was to simulate a party.
For all appearances, the home was occupied.
Later, in a convenient plot device, Kevin overhears the burglars talking about their plans in very specific detail. Talking about their plan. Within earshot of those involved. Right before zero-hour.
Don’t you wish it was only the bad guys that do that?
12Jun US Army allows access to blogs and other Social Media
According to Federal Computer Week (http://fcw.com/articles/2009/06/11/army-social-media.aspx?s=fcwdaily_120609), the US Army has directed network managers across the country to stop blocking certain Web 2.0 sites, such as Flickr and Twitter. Photobucket, MySpace and Live365 are to be blocked.
The rationale, as reflected in the order, is that: “The intent of senior Army leaders to leverage social media as a medium to allow soldiers to ‘tell the Army story’ and to facilitate the dissemination of strategic, unclassified information, the social media sites available from the Army homepage will be made accessible from all campus area network.”
Many of us OPSEC’ers may have mixed feelings about this. While it is an opportunity to leverage emerging technologies and foster technical development within the military, there always remains the possibility of an inadvertent release of information.
But, at the same time, the reality is that it’s not the technology that’s the problem, and it’s certainly not going away. The problem lies with the users, and a relatively small number at that. The problem, to put it in its most basic terms, is not “what” the technology allows, but “how” it is used.
So, once again, it comes down to training. And with this recent order, it will be especially critical for all of you “Army OPSEC’ers” out there. Training and awareness are the two greatest tools in an OPSEC professional’s arsenal, and it’s the focus and dedication of each one of you that will keep OPSEC effective and relevant to today’s threats.
While unsung, you’re the last line of defense between your critical information and an adversary that wants it.
07Jun Back in the saddle again!
Well, it’s been a while since I’ve blogged here. No good reason, really, sometimes things get busy, and… well, you just forget that you even have a blog. You know how it goes.
Since my last post, a lot has happened. The National OPSEC Conference was a lot of fun, and OSPA had a very successful presence. As a result, OSPA has started working with the UN, NATO, several Law Enforcement Agencies, and a few Neighborhood Watch groups. It’s great to see OPSEC spreading like it is!
Updated the home page; it was time for another change!
Anyways, thanks for reading; more soon!
Chris
16Dec Security Warning: Internet Explorer
If you’re currently using Internet Explorer, please be aware that Microsoft has issued a warning about a security flaw in all versions that is currently affecting around 2 Million users.
According to PC World Magazine, “So far most of the attacks have been geographically centered on China and have been used for the purposes of stealing computer game passwords. But with a flaw as gap-toothed as this, the possibilities of nefarious action could include the massive theft of personal information such as administrative computer passwords and financial data.”
Although workarounds are available, Microsoft has suggested using an alternate browser, such as Firefox, in the meantime. For certain government systems, which are still required to use Internet Explorer, workarounds are available. Your IT/IMO staff should have more information.
Please see http://www.washingtonpost.com/wp-dyn/content/article/2008/12/16/AR2008121601022.html for more information.
26Nov General Patton and OPSEC
With Thanksgiving right around the corner, it makes me think of my family when I was coming up. We’d spend all day cooking the turkey, and the yams with those tiny marshmallows, and then we’d all sit around the table and watch George C. Scott in Patton.
No, not really. But it was a convenient way to segue into an incident that was briefly covered in the movie, but required a great deal of complexity in order to be successful, and an excellent example of OPSEC (and strategic misinformation!) in action.
If you’ve seen the movie, you’re familiar with the “slapping incident” of 1943, in which General Patton slapped a Soldier by the name of Charles Kuhl who was weeping in the infirmary. (For history buffs, it turned out that Kuhl had malaria at the time. Despite the incident, however, he later recounted Patton as a “Great General”.)
When the stateside public and press learned of the incident, President Eisenhower was pressured to send Patton home in disgrace. However, Eisenhower and George Marshall came up with an alternate plan.
Patton was removed from any major command, but kept in theater. The German High Command was familiar with (and some say afraid of) Patton, so his location was closely watched for any sign of impending attack. As such, his extended stay in Sicily was seen as a clear indicator of an upcoming invasion through France. At a later time, his visit to Cairo caused additional resources to be misdirected towards repelling an attack from the Balkans.
In the months before the 1944 Normandy Invasion, Allied forces launched “Operation Fortitude”, which was a major military disinformation campaign that involved controlled leaks of information, fake (even inflatable!) military equipment, message traffic and double agents. Perhaps most effective, however, was Patton’s public leadership of the (non-existent) First US Army Group (FUSAG).
A culmination of this effort, and a memorable event for all involved, was when Patton shouted across a crowded reception hall to Eisenhower, “I’ll see you in Calais!”, which surely upset those that weren’t in on the ruse.
The efforts were highly successful and turned the tide of the war. The German Army had everything that they needed, and the Allies appeared to be practicing very poor OPSEC. This story applies today. Remember that when something seems “too perfect” or “obvious”… It just might be intentional.
…And now you know… The rest of the story.
10Sep Guest post- The Information Age and OPSEC
The Information Age and OPSEC
By Victor Duckarmenn
In 1941, we had our first real computer, the Z-3. By 1971 we had e-mail; in 1989, the World Wide Web (WWW); and wireless devices by the year 2000. Additional wonders of technology increase every decade. What are the consequences of all this “progress” and technological change? Did personal or mission-related information become more secure? Did space operations Essential Elements of Friendly Information (EEFI) become more or less important, or just disappear in the advent of our space business? I am afraid our technical information, space mission secrets, and our personal and space system data are all under attack every moment of the day. What information do you need to protect? Let’s look at critical information and its nature.
The nature of critical information is defined in one word: “vulnerable”. With advancing technology we find ourselves bracing for insider and hacker-cracker attacks, and our systems are open to increased access via Commercial Off-The-Shelf (COTS) purchases made without identifying the need to protect our internal information. Identity theft activity is on the rise. The crime of the 21st century will obviously be the theft of personal information. Data-mining, war-driving, and the lack of attention to our privacy and the 1972 Privacy Act have become the “white noise” behind our wireless vulnerabilities. Consider, if you will, the tempo of information flow today. There is so much information available on the “net” or “grid” that it scares Information Assurance (IA), Operations Security (OPSEC), Computer Security (COMPUSEC) and Information Security (INFOSEC) subject matter experts (SMEs) to death. What are the “points of information contact” we need to watch for? What are the four OPSEC arenas in the information protection battle? They are the physical, administrative, action and technical. In 1941 we began the information age and the “Info-war”. What can you, the information warrior, do? Let’s look at generic measures in the four OPSEC arenas.
Combating the physical issues in protecting space operations information is very simple: lock up mission-sensitive, controlled unclassified, “For Official Use Only” (FOUO) and Privacy Act information. Implement double locks where possible to eliminate corporate and individual liabilities. The lack of consequences in the past for violations of the Privacy Act, or for leaving mission-critical controlled unclassified information in the trash, has caused the death of this very simple measure. Apathy and complacency are your adversary’s tools in the information war. I call them the “gruesome two-some”. What about administration?
Don’t leave your private information, recall rosters or sensitive data out in the open on your desk, or transmit it into the airwaves for all to receive. Administration has many natural controls, including 100% cross-cut shredding, both at home and at work, and the sanitization of voice mail and out-of-office replies. Just a simple clean desk policy, without posting retirement orders or system information, could win the OPSEC “info-war”. What about actions?
Conversations are a form of action. Stopping off-base conversations about mission failure or success (which can also be electronic), or talking out loud where local people do not have a “need to know”, can be key to denying information to your intelligence enemies. What about the technical area?
One recommendation to ensure success in the technical arena is simply to restrict your wireless usage during government business. Use a landline to discuss command and control information. A cell phone or personal assistant device (PAD) is like lighting up a cave with a halogen flashlight – the bats know you’re in the cave! It is important not to lose a cell phone or government thumb drive that is filled with critical information. So what?
The information age is still growing, and the value of protecting our space operations information is more “value added” every day. Protect your wingman’s personal information. Protect your mission’s operational information. Your personal OPSEC has come of age: the information age!
08Sep Playing with OPSEC
By now, we’ve all taught our children what it’s “safe” to say, and what they should avoid saying, when they’re using the computer. They probably know what chat rooms to avoid and to be aware that “Sweet16girlie” might be more accurately described as “Unwashed46Man”. So you’ve got the OPSEC for your family computer down pat. What about the Playstation? What about the X-Box? Many families pay a monthly
Make sure to talk to your kids about OPSEC and gaming consoles. Not only children play
01Sep “The deposit box is out of order”
The Oregon Newspaper “The Oregonian” reported the following on August 19, 2008:
Two men made off with hundreds of dollars in cash by dressing as security guards, standing outside a bank’s night deposit slot and persuading people to hand over their money because the slot was broken.
The men offered to make the deposits for customers at the Washington Square branch of Wells Fargo Bank the next day when the bank reopened, said Jim Wolf, a Tigard Police Department spokesman.
“Wells Fargo had absolutely no idea who these men were,” Wolf said.
He said the men wore uniforms and had badges and guns. The night deposit slot was covered by a blue engraved sign saying it was out of order.
The men offered to collect the deposits by putting them in a black box they had, Wolf said. The deposits came from businesses that normally use the slot to deposit the day’s receipts from their tills.
Two people who gave deposits to the men said the sign over the slot read “Out of Service.”
These men had many factors in their favor. Generally, people trust those that appear to have authority. Also, many people consider it “rude” to question someone who’s “just doing their job”, and many people have very low standards for correlation; in this case, the sign said the deposit box was out of order, and there was a guard nearby: “it must be true!”
The same threats exist against your organization. A “Social Engineer” will rely on those same assumptions, and several more, when attempting to infiltrate or obtain information to which they wouldn’t normally have access. Remember that enforcing security isn’t “rude”, and following proper procedures isn’t being “paranoid”!
17Aug Becoming an OPSEC Superstar
When you think of the term “OPSEC Superstar”, there are probably a few specific individuals that stand out in your mind. Some of them may be humorous characters, while others might be quietly toiling away to keep their organizations safe.
You, too, can be an OPSEC superstar.
First, you need to know the material. When you hit that red carpet at OPSEC events, you’ll encounter some tough questions. And given the nature of OPSEC, most of the questions will rely on your opinion and experience, rather than facts and figures. For instance, an employee isn’t likely to come up to you asking, “Say, what’s the fourth step in the OPSEC Process?”, but you will most likely hear, “Is it ok to publish this?” more than once. Understanding not only the “concepts” of OPSEC, but also the “philosophies” of OPSEC will allow you to give an informed and relevant reply. Failing to understand the material will destroy your credibility.
You also need to know yourself. Know your teaching style or styles of communication. If you’re not a comedian, don’t rely on the jokes. If you’re a gifted artist, skip the built-in clipart in favor of custom art. Everyone has some sort of talent. The important part is to figure out how you can use yours in your OPSEC program.
To be a true OPSEC superstar, you need to be visible. This works on two different levels. You need to be visible (most importantly) within your organization as you deliver presentations and reminders, and generally make yourself available for questions and issues. The OPSEC Officer/Manager/Professional is a critical part of any organization, and successful ones utilize them heavily. You also need to be visible within the OPSEC community as a whole. This is not to suggest shameless self-promotion, but networking, advocacy and mentorship. In a small, close-knit community like the OPSEC community, each is extremely important and highly attainable.
Equally important is to know your audience. OPSEC Awareness campaigns and material need to be tailored to the particular level of the addressees, including technical level and responsibilities. It makes no sense to overwhelm a delivery driver with the full weight of a CIL generation briefing, OPSEC history, etc. Focus on the most important OPSEC aspects for their job or areas of responsibilities, and build on that. That’s not to say that you have to maintain dozens of OPSEC orientation briefings, but you do need to focus on the “most important” areas for each group whenever possible.
Know OPSEC, know yourself, be active in the OPSEC community and know your audience. Meet each of those criteria, and you’re on your way to OPSEC fame and fortune.
15Aug OPSEC Awareness Tips
Awareness campaigns are one of the most important tools in the OPSEC Professional’s Arsenal. Ranging from an Army OPSEC Training Program to local Schools or community centers, the OPSEC Awareness program is an opportunity for creativity and employee involvement.
The following list provides ideas for elements of an OPSEC Awareness Program, assuming management support:
Use the company newsletter
Placing regular articles in the company newsletter, such as short, attention-getting mini-articles in a box, is a sure way to grab the attention of readers. If you have an artist on hand, you can create a regular cartoon strip.
Naming and honoring the ‘OPSEC Employee of the Month (Quarter, Year, etc)’
The recognition, such as a plaque or a posted picture, would be a motivating factor, especially if you could get management support for some sort of reward.
Posting OPSEC Awareness posters
Mounting eye-catching, relevant reminders in common areas helps to get the message out. Rotate the posters frequently for maximum effect.
Use of the employee bulletin board
Short reminders and tips should be rotated frequently.
Mailing inserts with paychecks
The paycheck is one piece of mail that’s always opened. Chances are that any inserts are read, or at least glanced at.
Sending E-mail reminders
Depending on management support, the OPSEC Manager or Officer may be able to send periodic reminders to a distribution list.
Use of security-related screen savers
It’s possible to control screen savers via centralized management, especially in a large organization. Your IT department may be able to help you implement and rotate OPSEC screen savers, such as the one on the OSPA website.
A catchy character
NNSA/NSO has the ‘Revelator’ and the ‘Security Health Professional’, and there’s always the Dice-Man. Don’t be afraid to do something that would stand out. If you stand out, so will your message.
Stickers
Reminder stickers can be affixed to telephones (‘Is your caller who he says he is?’), trash cans (‘Should that be shredded?’), shredders (‘shredder full? Another shredder is located at…’), etc.
Computer login banners
Banners can show an OPSEC reminder prior to logging in, and can be rotated as needed. The shorter the message, the more likely that it will be read. Note: This may not be possible in environments, such as DoD systems, which require a specific banner.
Performance reports and annual reviews
Consider adding OPSEC Awareness as an item on performance reports and annual reviews, as specific to your organization.
Professional membership
Offer employees membership in an OPSEC professional organization, such as OSPA (http://www.opsecprofessionals.org) or OPS (http://www.opsecsociety.org).
Electronic display
Electronic message boards can be used in the cafeteria or common areas and display security reminders, tips or notices.
Fliers or brochures
Fliers or brochures can be made available in conference rooms, break rooms, even rest rooms. Whatever gets the message out.
Gimmicks
People love gimmicks. Consider OPSEC Messages in fortune cookies, keychains, toys, etc. Try to use items that will be used frequently and kept, such as pens or mousepads.
Now, a million OPSEC-points to anyone that’s done all of them.