You are currently browsing The Revelator weblog archives for October 2007.
31. October 2007 by Revelator.
Once upon a time, in a land not-so-far-away, a small group of individuals walked to the doors of a multinational corporation, and walked out with millions of dollars' worth of company secrets and assets.
Through days of patient research and study, they were well equipped to work their way through the company, obtaining small pieces of information and compiling it into unmitigated access. Could this happen to you?
First, they learned the names of key employees by calling Human Resources. They would have preferred to find a company phone roster in the dumpster, but no one had thrown one away lately, although the passwords and internal memos that they did find certainly helped cushion the blow.
This company had a very friendly climate, and prided itself on hiring friendly and courteous employees. The friendly employee at the entrance was more than happy to hold the door for one of the individuals when he jogged to catch the closing door. Why not? Criminals don’t wear suits and ties, right? They got inside the moat.
Another friendly employee was more than happy to help out the stressed-out intern who lost his access badge on the first day, and just had to get the report to his boss before he gets fired! Why not? We’re all on the same team, right?
No matter how strong a castle’s walls, it does no good once the enemy’s inside.
Inside the secure area, they found a gold mine of unshredded documents both in the trash and piled by the shredder. In a stroke of inspiration, a hastily scrawled note was placed on a busy shredder: “Shredder out of order. Put materials in this box to be picked up by security”. Also, traditional hacking techniques allowed unrestricted access to key computer systems, which is often superfluous if the password is written down and hidden. (“No one would ever know that this is my password, even if they do look in the drawer!”)
Lucky for them, the CEO had let them know (through his out of office auto reply) that he would be gone that day. His assistant was very helpful when the new janitor forgot his keys and had to stay on schedule!
Could it get worse than this? It very well could. There’s a good chance that your organization may never suffer a planned, organized intrusion such as this. But basic OPSEC, often at little or no cost to the organization, can help prevent such a disaster. Never forget how important you are!
Posted in Computer Intrusions, General OPSEC
29. October 2007 by Revelator.
I saw something the other day that disturbed me. I live near a military post, and I saw a fellow parent dropping their child off at school. As they were in front of me, I was only able to see the two stickers that were in their back window:
The first was one of those stickers that you can buy in the PX (BX for you Air Force folks) showing their rank.
The second was one of those “family stickers” that you can get just about anywhere, showing three stick figures labeled “Dad”, “Mom” and “Hannah” (name changed, of course).
Which brings up the oh-so-important point of family OPSEC. Without ever meeting the driver (believe me, I would love to), I know their branch, rank and child’s name and school. It would be a simple matter for a “bad guy” to fill in the blanks from there.
The sad fact is that families can be targets, too. Don’t let them be a soft target.
Posted in Family OPSEC
25. October 2007 by Revelator.
It’s a common misconception that OPSEC “belongs” to the military. In reality, OPSEC, the process of denying an adversary critical information, saves lives on the battlefield, dollars and jobs in the corporate world, and safety and security on the personal level.
At the same time that I was creating an OPSEC plan at work, my wife was practicing OPSEC at home by leaving a light and the TV on.
OPSEC is for everybody, everywhere.
Posted in Family OPSEC, General OPSEC
25. October 2007 by Revelator.
Welcome to the official OSPA OPSEC blog! Semi-daily postings will discuss any issues relating to Operations Security, commonly known as OPSEC.
Posted in Uncategorized