OPSEC
Operation Name
SGT Artemis O’Conan
Operations Center
80%+ of all intelligence is from unclassified sources
Tidbits of information are pieces of a puzzle
Even your tidbits help complete the picture
Objective: make yourself & your mission the hard target. Let the bad guys find a softer target somewhere else!
Information and Value
Foreign Nationals
Drug Cartel
Terrorists
Hackers
Criminals
The Adversaries
You and Your Family
Your Friends & Neighbors
Your fellow soldiers
Your Job
Your Mission
Your Unit
Your Country
“The Manchester Document”: A Terrorist Handbook
Consider YOURSELF a Target
So What Is OPSEC?
“Operations Security”
OPSEC deals primarily with protecting sensitive but unclassified information that can serve as indicators about our mission, operations and capabilities
A Five Step Process
1. Identify Critical Information (CI)
2. Analyze the threat to the CI
3. Determine OPSEC vulnerabilities
4. Determine the acceptable level of risk
5. Implement appropriate countermeasures
The OPSEC Process
COUNTERMEASURE APPLICATION
CRITICAL INFORMATION
THREAT ANALYSIS
VULNERABILITY ANALYSIS
RISK ASSESSMENT
PROGRAM REVIEW
You already practice OPSEC at home
When most of us leave home for vacation, we take actions to protect our homes while we’re away.
We may:
• Stop newspaper deliveries
• Have the yard mowed
• Buy light timers
• Have a neighbor get the mail
In short, we want our houses to look like someone is home
What is Critical Information?
Critical Information (CI) is information which can potentially provide an adversary with knowledge of our intentions, capabilities or limitations. It can also cost us our technological edge or jeopardize our people, resources, reputation and credibility.
Controlled unclassified information is often identified as Critical Information.
Information Designations
• For Official Use Only (FOUO)
• Sensitive But Unclassified (SBU)
• Law Enforcement Sensitive (LES)
• Trusted Agent – Eyes Only, etc.
Control of Critical Information
• Regardless of the designation, the loss or compromise of sensitive information could pose a threat to the operations or missions of the agency designating the information to be sensitive.
• Sensitive information may not be released to anyone who does not have a valid “need to know”.
Examples of Critical Information
• Where are the TXSG Soldiers living during the deployment
• What is the make and model of the soldiers’ vehicles
• What are the capabilities of the Operation
• What type of technology does the Operation have
• Who are the participants
• Location of law enforcement
• Locations of Resources
The Threat
Others constantly study us to determine our weaknesses
Their Tools:
• HUMINT: Human Intelligence
• SIGINT: Signals Intelligence
• COMINT: Communications Intelligence
• ELINT: Electronic Intelligence
• Many more “INTs”
HUMINT – You could be a target!
Watch what you say to:
• The public/media
• Friends
• Professional Colleagues in and outside of TXSG
Places to be especially wary
• At school
• Bars and restaurants
• Conventions/symposiums
Don’t try to impress people with your knowledge
Loose Lips Sink Ships!
SIGINT, COMINT, ELINT
TXSG is performing a non-combat military mission and is operating on state communications systems
TXSG is being entrusted with more sensitive information than you may think
Don’t assume we’re immune because we’re out of the mainstream presence
For that reason we can actually be MORE vulnerable
Watch what you transmit on:
Radios, phones, Fax, and email
Marking Documents
Documents containing FOUO info should be marked
UNCLASSIFIED//FOR OFFICIAL USE ONLY
Information contained in this document is designated by the State of Texas as For Official Use Only (FOUO) and may not be released to anyone without the prior permission of the and/or the
Documents containing LES info should be marked
UNCLASSIFIED//LAW ENFORCEMENT SENSITIVE
Information contained in this document is designated by the State of Texas as Law Enforcement Sensitive (LES) and may not be released to anyone without the prior permission of the and/or the
Marking Documents
Material other than paper documents (for example, slides, computer media, films, etc.) shall bear markings that alert the holder or viewer that the material contains FOUO or LES information.
Each part of electrically transmitted messages containing FOUO or LES information shall be marked appropriately.
Protection of FOUO & LES Information
FOUO & LES information should be stored in locked desks, file cabinets, bookcases, locked rooms, or similar items, unless Government or Government-contract building security is provided.
FOUO & LES documents and material may be transmitted via first-class mail, parcel post or -- for bulk shipments -- fourth-class mail.
Electronic transmission of FOUO & LES information (voice, data or facsimile) should be by approved secure communications systems whenever practical.
It’s Everyone’s Responsibility
The purpose of the security program is to protect against unauthorized disclosure of official information. Keep your information secure at all times.
OPSEC is mostly common sense. If we all take the time to learn what information needs protecting, and how we can protect it, we can continue to execute our mission effectively.
Disclosure of Information
Disclosure of information, quite simply, is when information passes from one party to another.
When dealing with sensitive information, it is the responsibility of the party possessing the information to ensure it is not disclosed to parties who do not have a need for or a right to the information.
Authorized Disclosure
Disclosure of sensitive information is authorized only when the party receiving the information can be properly identified and has a “need to know.”
“Need to Know” does not mean that, because a person holds a high management position, he or she automatically needs access to the information.
Unauthorized Disclosure
Unauthorized disclosure of sensitive information is when the party receiving the information does not have a “Need to Know.”
In most cases, unauthorized disclosures are unintentional and due to poor planning or a failure to think by the possessing party.
Unaware of Surroundings
One of the leading causes of unintentional disclosures is simply people not being aware of what is happening around them.
Discussing sensitive information when you are unsure or unaware of your surroundings can quickly lead to this information being disclosed to the wrong people.
Awe Of Position
We all want to please our commanders, and work very hard each day to do so.
However, even if a superior officer requests something that is sensitive in nature, we must still make sure they meet all the requirements for access to this information just like everyone else.
Unclassified
OPSEC and the Web
Photos (with captions!)
Installation maps with highlights of designated points of interest (sleep/work, CDR, chow hall, etc)
Security Operating Procedures
Tactics, Techniques and Procedures
Our capabilities
The morale of you and the soldiers in your unit
Undermining your senior leadership
Sensitive Information?
Web Log Vulnerabilities
This photo can be used against us by both the adversary and our own people. Perceptions can be your WORST enemy. If you were a bad guy, could you use this?
A US soldier stands guard as a suspected looter begs to be released after they were caught while fleeing a building on fire in Baghdad, Iraq Saturday June 28, 2003. The suspects were allegedly looting gasoline from the building. 12-year old Mudhr Abdul Muhsin, bottom, was released later
Web Log Vulnerabilities
COULD YOUR FAMILY BE A TARGET?
(JOURNAL OF A MILITARY HOUSEWIFE)
INFORMATION WAS OBTAINED FROM A FAMILY WEBSITE:
1. HUSBAND’S NAME, HOMETOWN, UNIT, AND DATES OF DEPLOYMENT.
2. PICTURE OF SPOUSE
3. EXPECTING THEIR FIRST CHILD ON DECEMBER 8, 2005.
4. BABY SHOWER SCHEDULED FOR OCTOBER 22, 2005
5. DATE SPOUSE FAILED HER DRIVER’S TEST
A GOOGLE SEARCH ON INFORMATION OBTAINED FROM WEBSITE REVEALED:
1. SPOUSE’S A.K.A. (Screen Name)
2. COUPLE’S HOME ADDRESS
3. SPOUSE’S DATE OF BIRTH
4. HUSBAND’S YEAR OF BIRTH
5. DATE SPOUSE OBTAINED HER DRIVER’S LICENSE.
Web Log Targeting
Personal web pages can expose something the unit would like to protect
A picture is worth a thousand words
We enlisted – our families didn’t
Individuals expose information because:
• They’re proud of their work
• They’re marketing the unit or they want public support
• They’re miffed or frustrated
Personal Web Page Vulnerabilities
Let’s go Googling
Time: No more than 10 min
Info: First and Last Names
Info: Rank
Now let’s see what we can see
Rank Name
Who:
Home:
Hometown:
Children:
E-mail:
Interests
Favorite Music:
Favorite Books:
Favorite Movies:
Favorite TV Shows, Actors:
Interests and Activities:
Affiliations
Political Affiliation:
Religious Affiliation:
Employers:
Colleges:
Major:
High Schools:
Other Affiliations:
Anything that effectively negates or reduces an adversary’s ability to exploit our vulnerabilities.
If the answer is NO, DON’T PUT IT ON THE WEB!
Countermeasures
Would you want the enemy to read this?
• Post information that has no significant value to the adversary
• Consider the audience when you’re posting to a blog, personal web page or EMail
• Always assume the adversary is reading your material
• Believe the bad guys when they threaten you
• Work with your OPSEC Officer – follow policies and procedures!
What YOU Can Do
Think like the bad guy before you post your photographs and information in a blog, a personal web page, or in your EMail
Sometimes we can be our own worst enemies
The Challenge
The “Message”
• Operations Security is everyone’s business
• Good OPSEC saves lives and resources
• Always use common sense and stay alert
• Only release info to those with a valid need-to-know
• Identify vulnerabilities to your commander
The Bottom Line
• OPSEC is a time-tested process that analyzes threats, identifies Critical Information, and develops appropriate countermeasures
• OPSEC is used by all of us in everyday life
• OPSEC is not so much a bunch of security rules, but a common-sense approach to viewing your operations through the adversary’s eyes
• OPSEC increases opportunities for mission success by protecting Critical Information
You are the key to making OPSEC work!
Vulnerabilities: Weaknesses the adversary can exploit to get to the critical information
Are You the Weakest Link?
QUESTIONS ?