Tag: opsec

“Criminals don’t wear suits”

Once upon a time, in a land not-so-far-away, a small group of individuals walked to the doors of a multinational corporation, and walked out with millions of dollars' worth of company secrets and assets.

Through days of patient research and study, they were well equipped to work their way through the company, obtaining small pieces of information and compiling them into unmitigated access. Could this happen to you?

First, they learned the names of key employees by calling Human Resources and social engineering the information from them. They would have preferred to find a company phone roster in the dumpster, but no one had thrown one away lately, although the passwords and internal memos that they did find certainly helped cushion the blow.

This company had a very friendly climate, and prided itself on hiring friendly and courteous employees. The friendly employee at the entrance was more than happy to hold the door for one of the individuals when he jogged to catch the closing door. Why not? Criminals don’t wear suits and ties, right? They got inside the moat.

Another friendly employee was more than happy to help out the stressed-out intern who lost his access badge on the first day, and just had to get the report to his boss before he gets fired! Why not? We're all on the same team, right?

No matter how strong a castle's walls, they do no good once the enemy's inside.

Inside the secure area, they found a gold mine of unshredded documents both in the trash and piled by the shredder. In a stroke of inspiration, a hastily scrawled note was placed on a busy shredder: Shredder out of order. Put materials in this box to be picked up by security. Also, traditional hacking techniques allowed unrestricted access to key computer systems, which is often superfluous if the password is written down and hidden. (No one would ever know that this is my password, even if they do look in the drawer!)

Lucky for them, the CEO had let them know (through his out of office auto reply) that he would be gone that day. His assistant was very helpful when the new janitor forgot his keys and had to stay on schedule!

Could it get worse than this? It very well could. There’s a good chance that your organization may never suffer a planned, organized intrusion such as this. But basic OPSEC, often at little or no cost to the organization, can help prevent such a disaster. Never forget how important you are!

What is EEFI?

Essential Elements of Friendly Information (EEFI) are defined as the answers to an intelligence agent's questions about your system, support, deployments and force protection, otherwise known as the mission. Some examples of the questions they want to answer relate directly to your critical information listing (CIL). What is America's space capability now and in the immediate future? Can Peterson Air Force Base protect NORTHCOM? Does the Air Force care about its people? What measures will the Air Force take if their computer systems or installation are attacked? The program we all know as OPSEC is the program to deny your enemy the answers to these questions. OPSEC protects our official use and controlled unclassified information.

The purpose of the OPSEC program is to reduce the vulnerability of Air Force missions to successful collection and exploitation of your critical information, which would provide the adversary answers to their critical questions surrounding Peterson AFB. OPSEC applies to all activities that prepare, sustain, or employ forces during all phases of your operations.

Do you post recall rosters in your cubicle? Do you post your retirement orders with your social on your overhead or desk in the open? Do you copy personal checks on the office copier and throw them into a recycle bin? Do you tear out your notes on a sensor system management meeting on future state space operations and put them into a dumpster or outdated recycle bin under your desk? Do you shred 100% of all official information? Do you shred your personal information at home? Do you have an unsecured router at home while you work on official business? Do you use a personal flash drive at work? Do you or your family members talk about your mission to your friends and young children at home with access to the internet? Do you allow your family to post deployment pictures on social engineering sites located on the internet? Do you blog with unknown folks on the net and talk about the military and vent about weaknesses of leaders you witness on base? These are all examples of vulnerabilities that everyone in the Air Force must consider. I recommend a ready, aim, fire approach to protecting information. The game Tic-Tac-Toe comes to mind. How does it apply to OPSEC?

OPSEC can be seen by your adversary as a game of tic-tac-toe. If you use OPSEC to prevent collection of intelligence, you place the “X” in the center square. Be smart, be a hard target. Make sure your folks use and think OPSEC and place that “X” in the center square. Ensure your enemy's questions go unanswered.

Nothing in the straw

Charlie worked at a factory that manufactured all sorts of things. He liked his job, and so did the gate guard, Albert.

One Friday, when everyone was getting ready to leave for the weekend, Charlie showed up at the gate with a wheelbarrow full of straw.

“Where’d you get the straw, Charlie?” Albert asked.

“Bought it,” Charlie answered, producing his receipt. Sure enough, he had bought the straw.

“What are you gonna do with all that straw?”

“Feed my horses,” Charlie replied.

Albert was suspicious. He was pretty sure Charlie didn’t own any horses. “Mind if I take a look?” he asked.

Charlie waved his hand towards the wheelbarrow. “Help yourself.”

Albert poked through the straw, making sure nothing was hidden inside. Sure enough, he didn’t find a thing. “Have a good weekend,” he said, waving Charlie through.

The following Friday, Charlie showed up once again at the gate with a wheelbarrow full of straw. Once again, he had a receipt and Albert didn’t find anything hidden in the straw. This went on for twenty years, with Charlie leaving with a wheelbarrow full of straw and nothing else. Albert was pretty sure Charlie was up to something, but he couldn’t ever figure out what it was.

Over the years, the two became close friends. One day, it was to be the final time they’d perform their weekly ritual. Charlie was retiring, and that Friday was going to be his last day.

Charlie came to the gate. Albert didn’t even bother checking the wheelbarrow; he knew he wouldn’t find anything hidden in the straw.

“Charlie,” he said. “I’ve seen you walk out of here every week for twenty years. I know you’ve been stealing something, but what? Now that you’re retired, tell me what it is. It’s driving me crazy.”

Charlie simply smiled and said, “Sure. Wheelbarrows.”

Wheelbarrow theft may or may not be your biggest concern, but even if it’s not, this message still applies. Sometimes, the biggest threats are hiding in plain sight. Sometimes, what we assume is our biggest concern is actually only a distraction.

Vacation

Pop quiz time, fellow OPSECers:

Q: Which of the following is the BEST example of an out-of-office statement for your work email?

A: I’m not in. Don’t know where I’m going. Don’t know how long I’ll be gone. Don’t know when I’m coming back – and neither do you. OPSEC Baby! I will be checking email daily.

B: I am currently out of the office for 14 glorious days. I finally got my vacation approved and I’m taking the little woman, Junior and baby girl to the Atlantis Resort (and casino!!). For any security issues don’t even think about contacting me! Instead, please contact Regional Security Manager Susie Smith at (555)-555-1234. BTW: she is also the SAP coordinator. Assuming I actually come back to work (ha-ha) all emails will be addressed on my return.

C: I am currently out of the office. If you need immediate assistance please contact Joe Smith at (555)-555-1234.

D: I am on travel until the first of next month. I’m attending a classified conference which means I won’t have my laptop during the conference (8am – 5pm each day). I can’t even check during lunch so I’ll be leaving my laptop in my hotel room but I promise to get back to you after 5pm. If you really need to contact me call the Springfield Marriott and ask for me (room 209), Steve Jones (room 426) or Joey Smith (room 427) and they’ll put you through. For those of you working on Project Nighttrain – I won’t have access to JWICS or SIPR until I get back so don’t bother sending anything to those accounts. Have a great day.

Assuming I don’t have to actually give you the correct answer, I surely hope you get the point. What you put in your out-of-office statement – or your voicemail message – must be free of sensitive information. This also speaks to need-to-know. There are a multitude of reasons why this is important and a multitude of ways an adversary could exploit your information – suffice it to say that you need to heed this advice. Keep your out-of-office email statements and your voicemail recordings short and to the point. Don’t include any information that doesn’t absolutely need to be there.

Keep the Faith!
Revelator

Vacation – The Go-Go’s
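
One way to screen an out-of-office or voicemail script before it goes live, as an added example that is not part of the original post: a small Python linter run over abridged text of quiz options B, C and D. The rule names and regular expressions are assumptions made for this example, and an empty result only means that none of these heuristics fired.

```python
import re

# Heuristic patterns chosen for this example (assumptions, not an official
# checklist); each names a kind of detail the post says to leave out.
RULES = {
    "absence window": r"\bfor \d+ (?:\w+ )?(?:days?|weeks?)\b|\buntil\b|\b\d{1,2} ?[ap]m\b",
    "location or lodging": r"\b(?:hotel|resort|casino)\b|\broom \d+\b",
    "systems or programs": r"\b(?:jwics|sipr(?:net)?|sap|classified|project \w+)\b",
    "unattended equipment": r"\b(?:won['’]t have|leaving) my laptop\b",
    "family details": r"\b(?:wife|husband|kids?|junior|little woman)\b",
}
COMPILED = {name: re.compile(rx, re.IGNORECASE) for name, rx in RULES.items()}


def lint_auto_reply(text):
    """Return {category: [matched snippets]} for every rule that fires."""
    findings = {}
    for name, rx in COMPILED.items():
        hits = [m.group(0) for m in rx.finditer(text)]
        if hits:
            findings[name] = hits
    return findings


# Abridged text of quiz options B, C and D from the post above.
OPTION_B = ("I am currently out of the office for 14 glorious days. I'm taking "
            "the little woman, Junior and baby girl to the Atlantis Resort (and "
            "casino!!). Please contact Regional Security Manager Susie Smith at "
            "(555)-555-1234. BTW: she is also the SAP coordinator.")
OPTION_C = ("I am currently out of the office. If you need immediate assistance "
            "please contact Joe Smith at (555)-555-1234.")
OPTION_D = ("I am on travel until the first of next month. I'm attending a "
            "classified conference which means I won't have my laptop during "
            "the conference (8am - 5pm each day). I'll be leaving my laptop in "
            "my hotel room. Call the Springfield Marriott and ask for me (room "
            "209). For those of you working on Project Nighttrain - I won't "
            "have access to JWICS or SIPR until I get back.")

if __name__ == "__main__":
    for label, text in (("B", OPTION_B), ("C", OPTION_C), ("D", OPTION_D)):
        found = lint_auto_reply(text)
        print(f"Option {label}: {len(found)} categories flagged")
        for category, hits in found.items():
            print(f"  {category}: {', '.join(hits)}")
```

The same function can sit in a review step for auto-reply templates, with the rule set extended to an organization's own critical information list.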