Nothing in the straw

Charlie worked at a factory that manufactured all sorts of things. He liked his job, and so did the gate guard, Albert.

One Friday, when everyone was getting ready to leave for the weekend, Charlie showed up at the gate with a wheelbarrow full of straw.

“Where’d you get the straw, Charlie?” Albert asked.

“Bought it,” Charlie answered, producing his receipt. Sure enough, he had bought the straw.

“What are you gonna do with all that straw?”

“Feed my horses,” Charlie replied.

Albert was suspicious. He was pretty sure Charlie didn’t own any horses. “Mind if I take a look?” he asked.

Charlie waved his hand towards the wheelbarrow. “Help yourself.”

Albert poked through the straw, making sure nothing was hidden inside. Sure enough, he didn’t find a thing. “Have a good weekend,” he said, waving Charlie through.

The following Friday, Charlie showed up once again at the gate with a wheelbarrow full of straw. Once again, he had a receipt and Albert didn’t find anything hidden in the straw. This went on for twenty years, with Charlie leaving with a wheelbarrow full of straw and nothing else. Albert was pretty sure Charlie was up to something, but he couldn’t ever figure out what it was.

Over the years, the two became close friends. One day, it was to be the final time they’d perform their weekly ritual. Charlie was retiring, and that Friday was going to be his last day.

Charlie came to the gate. Albert didn’t even bother checking the wheelbarrow; he knew he wouldn’t find anything hidden in the straw.

“Charlie,” he said. “I’ve seen you walk out of here every week for twenty years. I know you’ve been stealing something, but what? Now that you’re retired, tell me what it is. It’s driving me crazy.”

Charlie simply smiled and said, “Sure. Wheelbarrows.”

Wheelbarrow theft may or may not be your biggest concern, but the lesson applies either way. Sometimes the biggest threats are hiding in plain sight. Sometimes what we assume is our biggest concern is only a distraction from the real one.

Vacation

Pop Quiz time, fellow OPSECers:

Q: Which of the following is the BEST example of an out-of-office statement for your work email?

A: I’m not in. Don’t know where I’m going. Don’t know how long I’ll be gone. Don’t know when I’m coming back – and neither do you. OPSEC Baby! I will be checking email daily.

B: I am currently out of the office for 14 glorious days. I finally got my vacation approved and I’m taking the little woman, Junior and baby girl to the Atlantis Resort (and casino!!). For any security issues don’t even think about contacting me! Instead, please contact Regional Security Manager Susie Smith at (555)-555-1234. BTW: she is also the SAP coordinator. Assuming I actually come back to work (ha-ha) all emails will be addressed on my return.

C: I am currently out of the office. If you need immediate assistance please contact Joe Smith at (555)-555-1234.

D: I am on travel until the first of next month. I’m attending a classified conference which means I won’t have my laptop during the conference (8am – 5pm each day). I can’t even check during lunch so I’ll be leaving my laptop in my hotel room but I promise to get back to you after 5pm. If you really need to contact me call the Springfield Marriott and ask for me (room 209), Steve Jones (room 426) or Joey Smith (room 427) and they’ll put you through. For those of you working on Project Nighttrain – I won’t have access to JWICS or SIPR until I get back so don’t bother sending anything to those accounts. Have a great day.

Assuming I don’t have to actually give you the correct answer, I surely hope you get the point. What you put in your out-of-office statement, or your voicemail message, must be free of sensitive information. This also speaks to need-to-know. There are many reasons why this is important and many ways an adversary could exploit the details you give away; suffice to say that you need to heed this advice. Keep your out-of-office email statements and your voicemail recordings short and to the point. Don’t include any information that doesn’t absolutely need to be there.

Keep the Faith!
Revelator

Vacation – The Go-Go’s

Even if it quacks like a duck…

…it might not be a duck.

Your adversary isn’t going to be honest about who they are or what they’re after. If they were, they wouldn’t be in business for very long! Instead, they’re often going to pretend to be something you trust or expect.

  • Be wary of unsolicited phone calls, emails, or visits, especially when the person contacting you asks for information you wouldn’t reveal to a stranger. Verify their identity independently before giving them anything.
  • Don’t give out personal information about employees or non-public information about your company. Both are common targets for corporate spies and competitors.
  • Don’t respond to emails asking for financial information or prompting you to log in, and don’t trust links in emails. If you think the email may be legitimate, contact the sender using their published contact information to confirm.
  • Make sure a website is actually secure (HTTPS, with a valid certificate for the site you expect) before sending it any sensitive information. Whenever possible, encrypt the information itself first.
  • Double-check the URL before submitting information via the web. There’s a big difference between www.yourbank.com and www.yourbank.co.
  • Keep your antivirus and antimalware software up to date. Install and use a firewall.
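The URL check in the list above is easy to get wrong by eye, because a lookalike address only has to *contain* the name you expect. The following is an added example written for this article, not OSPA’s own code or tooling: it parses the URL the way a browser does and accepts it only when the scheme is HTTPS and the parsed host is the expected domain (yourbank.com, from the text above) or a subdomain of it. The lookalike URLs in the list are constructed test inputs.

```python
"""Check that a URL's host really belongs to the domain you think you are
talking to, before you type anything sensitive into it.

Added example for this article; not OSPA code. The expected domain
(yourbank.com) comes from the text above; the lookalike URLs below are
constructed test inputs.
"""
from urllib.parse import urlsplit


def host_belongs_to(url: str, expected_domain: str) -> bool:
    """Return True only if the URL is HTTPS and its host is exactly
    expected_domain or a subdomain of it.

    The comparison is made on the parsed host, not on the raw string, so
    tricks that merely contain the expected name (the name as a subdomain
    of the attacker's domain, the name in the userinfo before '@', or the
    name in the path) all fail.
    """
    parts = urlsplit(url)
    if parts.scheme != "https":
        return False  # plaintext HTTP: anyone on the path can read or alter it
    host = parts.hostname  # strips userinfo and port, lower-cases the name
    if not host:
        return False
    host = host.rstrip(".")
    expected = expected_domain.lower().rstrip(".")
    # Internationalised lookalikes arrive as punycode ("xn--") labels;
    # yourbank.com has none, so any such label means a different name.
    if any(label.startswith("xn--") for label in host.split(".")):
        return False
    return host == expected or host.endswith("." + expected)


# Constructed inputs: one genuine host, one genuine subdomain, and the
# kinds of lookalike a phishing mail would carry.
CONSTRUCTED_URLS = [
    "https://www.yourbank.com/login",            # genuine
    "https://online.yourbank.com:443/login",     # genuine subdomain, explicit port
    "http://www.yourbank.com/login",             # right name, but no TLS
    "https://www.yourbank.co/login",             # the .co lookalike from the text
    "https://www.yourbank.com.evil.example/",    # expected name as a subdomain of the attacker's
    "https://www.yourbank.com@evil.example/",    # expected name hidden in userinfo
    "https://evil.example/www.yourbank.com/",    # expected name only in the path
    "https://xn--yurbank-xyz.com/login",         # punycode-style label (constructed)
]


def check_all(urls, expected="yourbank.com"):
    """Map each URL to the verdict of host_belongs_to."""
    return {u: host_belongs_to(u, expected) for u in urls}


if __name__ == "__main__":
    for url, ok in check_all(CONSTRUCTED_URLS).items():
        print(f"{'OK  ' if ok else 'STOP'} {url}")
```

Only the first two URLs pass. The point of parsing rather than string-matching is that `www.yourbank.com` appears verbatim in five of the six rejected addresses; a reader skimming the address bar, or the link text in an email, would see the name they expected in every one of them.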

Social engineers rely on the mental shortcuts that we tend to form. We see someone with a clipboard, and we assume they’re here on official business. We get an email or phone call with very dire warnings (“The IRS is going to have me arrested??”), and we naturally want to solve those problems as quickly as possible.

Whenever someone seems to want you to feel or act a certain way, especially when it’s with a sense of urgency, stop and think about what they’re actually trying to get you to do. When you do that, you break the social engineer’s script and are less likely to fall victim to their techniques.


Who we are

Our Mission: To foster the development of the Operations Security discipline; to enable collaboration and advancement of the tradecraft of OPSEC while advancing the profession within the government, private and public sectors. OSPA also promotes adoption of the process in areas not traditionally covered by existing OPSEC programs. Education, sharing of best practices, and providing subject-matter assistance are the pillars of OSPA.

The Operations Security Professional’s Association (OSPA) is a tax-exempt, non-profit organization dedicated to improving awareness of Operations Security in both the public and the private sector. We believe that OPSEC is a tool that can benefit everyone, from neighborhood watch programs to military missions.

We provide free resources, tools, education, and collaboration for a wide variety of applications. Our website serves as a repository for information that anyone can adapt and use.

OSPA members work together towards creating and sharing information on a wide range of subjects, such as information security, OPSEC briefings, Security Briefings, OPSEC program management and more.

OSPA takes its commitment to members very seriously and stands firm in its commitment to service, transparency and ethical behavior.

In order to meet this commitment, OSPA will always strive to keep members informed of all internal workings, and will always be available for direct contact.

The official OSPA Constitution and Bylaws (pdf)

Ethics are of the highest concern for both OSPA and the OPSEC community as a whole. In keeping with this high ethical standard, OSPA observes the following code of ethics:

  1. Perform all professional activities and responsibilities with due diligence and honesty.
  2. Maintain the highest ethical standards in professional and personal conduct.
  3. Employ the OPSEC Process to protect critical and sensitive information.
  4. Promote the concepts of Operations Security within Government and Private Industry.
  5. Maintain professional competence at all times and continually seek out opportunities for self-development and collaboration with other OPSEC professionals.
  6. Provide mentorship to other OPSEC professionals.
  7. Refrain from any activity or act which might imply a conflict of interest with professional duties or which would damage the reputations of other professionals, employers, the OPSEC profession and the OSPA.
  8. Adhere to the bylaws of OSPA, use OSPA and OPSEC Academy materials as intended, and respect fellow professionals.

Something for Everyone

Material for members and non-members alike

OSPA believes that everyone deserves the information they need to keep themselves and those around them safe. OSPA also recognizes that OPSEC is an important tool in your goal to protect lives and livelihoods. We make information, programs and material available for free to all, and constantly strive to meet the needs of the growing OPSEC community, which includes military, government, families, communities, corporations and more.

OSPA is proud to count among its members some of the most accomplished and experienced OPSEC professionals in the world. This is the real strength of the Association: members who are willing to reach out and help each other with their own OPSEC programs.

  • OPSEC Awareness material
  • The OPSEC Correlation Analysis Tool
  • Members’ chat and forums
  • OSPA project tracking
  • Critical Information List (CIL) generator
  • OPSEC plan creation tools
  • Direct access to a stable of Subject Matter Experts
  • Direct access to the OSPA board and committees
  • OPSEC analysis tools
  • On-line and real world events exclusive to OSPA members
  • New releases of beta programs and material
  • Access to the OPSEC Support Request Form
  • Open Source Intelligence (OSINT) Assessment Tool
  • OPSEC Continuity Book Template