Category: Vulnerabilities

“That’s not OPSEC!”

“That’s not OPSEC!”

The scene is a small office. It’s day one of the OPSEC assessment. It’s John’s first time out with the team, so he’s still trying to feel out how they go about the process.

While the team is in the badging office waiting for their badges, John notices that there’s a computer screen with red SECRET stickers on the top and bottom. What’s more, the screen is facing the group at the customer service desk.

The assessment team wasn’t the only ones trying to gain facility access that day. Among the other people waited was a janitor, a few new employees, and other people- both cleared and uncleared. John turned to one of the senior members of the team and mentioned that they should identify that in their report, and the senior member replied simply: “that’s not OPSEC.”

John didn’t want to get into an argument about what is and isn’t OPSEC. But he did mention that he thought they had a responsibility to the office supervisor to tell him that he should turn the screen around, and to keep it turned around, so uncleared personnel couldn’t possibly see potentially secret information. But once again, he was told in no uncertain terms that it wasn’t OPSEC and therefore not their responsibility.

The Assessment Chief did later correct the problem, but the senior team member never once wavered from his stance.

So, what is OPSEC? Is anything OPSEC?

A strong case can be made that just about every item in an OPSEC Assessment report can be matched to the requirements of some other security program. The scenario above was clearly an Information Security issue. FOUO in the trash? Information Security again. Not locking the computer screen when you leave the desk? Computer security. Downloading attachments from unknown sources? Cybersecurity. Allowing people to piggyback into the facility? Physical Security. Give long time visitors the safe combo and then don’t change it when they leave?  Catching on yet?

There are many more examples, but you probably get the point. On the other hand, can you think of any instances that weren’t already covered? What about staging convoy vehicles at the same time in the same place? What about using the same routes every time? What security program covers business, mission, or even personal indicators? What do you call it when unclassified information that no one knew needed to be protected is pieced together to reveal details of a classified operation?

It’s ALL OPSEC when it comes to our responsibilities as an OPSEC Program Manager or a member of an assessment / survey team. Bottom line: our job is to make our organization more secure, and we don’t do that by arguing whether a vulnerability, indicator, or security violation is OPSEC or not. See a problem, fix a problem.

If it can track a thief…

The Coachella Valley Music and Arts Festival, generally referred to simply as “Coachella” is an annual festival held in Indio, California. People come from all over the country to listen to music on several stages, enjoy art exhibits, camp, and other recreational activities.

During the 2017 event, many festival-goers found that their cell phones were missing. Presumably, they had been stolen. The victims used their “find my phone” function (which are available on iDevices and Android) to locate the devices, eventually centering on attendee Reinaldo De Jesus Henao.

When the police arrived, they searched Henao and found more than 100 phones in his backpack. He was arrested on suspicion of grand theft and possession of stolen property.

This is exactly how the “find my phone” feature is supposed to work. The phones were stolen from the rightful owner, who were then able to locate them using the built-in features. But if those features can be used to track a thief, they may also be used to track you.

Be aware of your phone’s settings and features. Could someone access your Apple or Google account and track you that way? Are your pictures also recording location data? What does your phone tell someone that wants to find you?