You are currently browsing The Revelator weblog archives for May 2008.
30. May 2008 by Revelator.
Firewall and system probing, Network File System application attacks, email attacks, vendor default password attacks, spoofing, sniffing, fragmentation and splicing attacks. Where will it all end? Since this is clearly our biggest security concern, why can’t we fix it? Why aren’t we throwing all our money, manpower and technical abilities at this problem? Computer crimes cost us $32 million in 2006. Boy, I’ll tell you what - somebody better do something quick. Unless the computer isn’t our biggest security concern…
But if (as I imply) the computer isn’t the biggest threat to the security of our organization or mission, then what is? Here’s a clue - look above. Didn’t you read all that stuff in the first paragraph? Of course the computer is the biggest threat to the security of your organization/mission. Or is it…
Well, duh. The computer and its evil spawn, the INTERNET, are just teeming with demon hackers who are trying to either crash or rape your system every minute of every day. It’s all over the news! Technology is killing security. Punks who were born with Playskool See-n-Hack starter laptop kits are wreaking havoc all over the technosphere. What’s an OPSEC Program Manager to do? Hell, you’re not the IT Security dude. You know nothing of firewalls, routers and DMZs. Face it partner - you’re screwed. Unless…I mean, unless the computer is not the biggest threat to the security of your organization/mission…
And here we are again. What is, and will remain, the biggest threat to security in your organization is the person in the next cubicle, or the next stall, or the next chair, or sitting across from you at lunch asking you to pass the pink or yellow stuff that really isn’t sugar but will kill you just as fast. Humans…whattaya gonna do?
I can’t count the number of times I’ve been allowed into “secure” facilities by people who should have known better. And you would be surprised how many buildings you can waltz right through when you’re wearing a UPS uniform and carrying a couple of boxes. You can have the best physical security money can buy for your building but if smokers leave the back door propped open for convenience…establish a great password policy but if your people write their passwords down…carefully screen all information you put on your web page but if Marketing feels the need to publicize…
The old saying is that we spend 80% of our security money protecting ourselves from outside threats while, in truth, 80% of our threat comes from within our own organization. The next time you head over to the fridge to see if anyone has left a Klondike bar without a name on it, take a look around - you are surrounded by people who will unmaliciously give away sensitive information at the drop of a hat. They don’t mean to, by the way. They just haven’t been properly educated about how NOT to inadvertently give away sensitive and critical information. That’s your job - now get to it!
Keep the Faith!
Revelator
Posted in Risk, Countermeasures, Critical Information, Vulnerabilities, Threat, Program Management, WWW, Computer Intrusions | 1 Comment
23. May 2008 by Revelator.
When I was an OPSEC Program Manager in the military I can’t tell you how much I appreciated when the boss called me in and told me that the “secret” deployment was in two days and they needed me to give the OPSEC okay to the plan. Yeah, that was always fun - and rewarding too. And then while I was in the corporate world I really enjoyed being told by a corporate honcho that the new product will be released tomorrow and do I want to look over the press releases that have already been sent out. You know…just to make sure they’re all OK from a security perspective. Ahhhhh, good times - good times. That always made the job worthwhile for me. I mean, what can bring more job satisfaction than knowing that you’re being brought into a mission or project at the precise moment that anything you might do will be a total waste of time? Boy, it doesn’t get much better than that. Assuming you have caught all the sarcasm that’s dripping off these words then I guess you’ve been there - done that - got the t-shirt - wore it - washed it - gave it to the “Poor OPSECers Fund Drive” - claimed it on your taxes.
But when should OPSEC be put into our processes or our missions? Is it during the planning phase? Is it sandwiched between planning and execution? Does it happen during market research? Does it come after product release or deployment? Boy, this is a complicated decision. So many factors, issues and considerations. So many things to deliberate, considerate, cogitate, meditate and contemplate. Seriously, there are just too many variables for me to answer that question. Except maybe this way…OPSEC begins at birth!
Every concept, idea or plan has an inception. And from there it has a defined life cycle. OPSEC must be considered in every step of the life cycle. We don’t wait until our children are five years old and then start to protect them. We don’t wait a year before we buy car insurance and we don’t wait until we’re wheels up before we start to add in some OPSEC.
Now, I understand that if you’re a regular reader of this blog you most likely are a fairly seasoned OPSECer and you’re probably hip to this little pearl of insight. So your challenge now is to educate your leadership and develop ways to ensure that you, as the OPSEC Manager, get invited to all those planning meetings that you’ve been missing. So get out there and bang down some doors. You need to be there - OPSEC needs to be there. Make it so.
Keep the Faith!
Revelator
Posted in OPSEC Plans, Planning, Program Management | No Comments
20. May 2008 by Revelator.
Q: How much money does a full-time OPSEC manager make annually?
A: It’s not about the money you self-serving SOB.
Q: Which really comes first; Critical Information Identification or Threat Analysis?
A: Some say OPSEC is an iterative process and you can do whatever step in the process whenever the hell it feels right. Others would argue that if you don’t have a threat then who cares what your critical information is. But for me - Saint Ron (Pres Reagan) listed CI identification first and that’s good enough for me.
Q: What is the best way to get leadership support for my OPSEC program?
A: There is no “best” way but here are some suggestions: begging, bribery, coercion, blackmail, threats, acid-filled water pistol, doctored photos, water-boarding, repeated viewing of Molly Shannon skits from Saturday Night Live. Folks, I really don’t have a solid answer for this one. Sometimes you just get lucky and have leadership that understands OPSEC and its importance to the mission. Other OPSEC Managers are just real good salesmen who convince management of the need for OPSEC. If any of you out there have a good idea or war story please click the comment link and I’ll get it to the masses.
Q: OPSEC says to avoid stereotyped activities but there is validity in the thought that if it worked once it will work again. So isn’t OPSEC really saying that even though it worked once we really want you to try something different that may or may not work? And isn’t this harmful to the potential success of the mission?
A: Helluva question. I’ll leave this one to the readers to respond to - come on folks - send me your responses.
Q: Why do all the posters tell me to “Think” OPSEC? Wouldn’t it be better if I “Acted” OPSEC?
A: Clearly. “Thinking” something is great only if there is an action tied to the thought. Why, just the other day I “thought” drive the speed limit - but I didn’t actually drive the speed limit, so what good was thinking it? This morning I “thought” diet and then had four biscuits with about a quart of gravy. And come Friday evening I’m pretty sure I’m gonna “think” about not having that next beer - I think y’all can tell where this is going. Thinking OPSEC must be followed by performing some act of OPSEC.
Now I know that many of you have serious OPSEC questions. This entry is just my way of getting the ball rolling. If you have ANY questions about OPSEC that you would like answered, please send them to me. We’ll treat them seriously and try to get some good answers for you. Of course we’ll also accept those sent in a humorous vein and do our best to respond in kind.
Keep the Faith!
Revelator
Posted in Awareness, Leadership Support, Countermeasures, Threat, Critical Information Lists | 2 Comments
16. May 2008 by Revelator.
Be they in high or low places, you need friends if you want to do this thing we call OPSEC. I guarantee you that your workload will go up and your success will go down without your own OPSEC professionals network. People out there are doing some great and innovative things that you need to know about. None of us should work in a vacuum. Communicate with other OPSEC managers. Join OSPA or the OPS. You need to make a conscious effort to meet new people. Go to the National OPSEC Conference or an OPSEC Forum. Get out from behind your desk and get to a threat seminar. When you get out to an event like a conference or formalized training you will meet people. You can’t help it. I make at least five good contacts at every event I attend. That’s five more people I can call or email when I’ve got a question. Five more people I can share ideas with. Five more people I can “benchmark” off of.
Since our program here at the National Nuclear Security Administration, Nevada Site Office won the Organizational Achievement Award at the National Conference last month I get two or three calls or emails a week from people asking for assistance/help/guidance for some area of their program. Trust me when I tell you there is no way this program would be where it is today without the help and valued assistance from people I now call friend (starting with Wayne Morris who built the program I was fortunate enough to inherit). As for the calls for assistance, I do everything I can for these people. When you’ve been as blessed as I have then you understand that you must give back to the community in any way you can. Plus I feel I need to honor folks like Tom Ariosto, Wayne Morris, Lynne Clark, Dan Wilkinson, Joan Hellon, Scott Milliman, Bill Feidl and Pat Sipes who have helped and guided me so much over the years. I just hope that some day you are as fortunate as me to have such a fine OPSEC support network to reach out and touch when you’re in need.
And when, not if but when, you attend one of these events, don’t be afraid to walk up to someone and say “Hi, I’m Joe from Colorado Springs. How are you today?” You can start with me. I’ll be your first contact (if it is me though and I just finished a 90-minute speech, please just follow me to the smoking area and chat me up there instead of keeping me away from the post-speech nicotine fix I need so bad). Whatever you do, just get the hell out there and talk to someone new and get that network working.
Keep the Faith!
Revelator
Posted in Conferences, Program Management, General OPSEC | No Comments
15. May 2008 by Revelator.
Everything is affected by OPSEC. I say again, EVERYTHING is affected by OPSEC! Just think about it. The basic premise of OPSEC is that we’re trying to protect some…thing. Be that information, physical possessions, or ourselves. Whether we’re at work or at play. So we unconsciously fill our daily lives chock full of countermeasures to the myriad of threats constantly raining down on us. We wear sun block - we use unlisted telephone numbers - we lock our doors - we wear seat belts - we monitor our kids’ online activities - we wear girdles and butt-shapers - we have curfews for our children - we wear hairpieces and toupees and wigs and extensions - we make sure our hotel room isn’t on the ground floor - we dress our kids in full body armor so they can go ride their bikes, and we use industrial-size shredders at home.
Countermeasures are everywhere! OPSEC is everywhere! For the next minute or so I want you to try to come up with an example of an area of your mission or your business that isn’t affected by OPSEC. At the risk of being redundant - everything in your organization is affected by OPSEC. Financial, personnel, admin, ops, logistics, maintenance, Human Resources, contracting, supply. From the Administrative Specialist you just hired to your CEO - from the lowest ranking enlisted member to your commander - from the number of cars in your parking lot to the sites you visit on the INTERNET - from your recall roster to that emergency supply order form - from contract rumors to merger scuttlebutt - it is all affected by OPSEC. Or more to the point - by a lack of OPSEC.
Go ahead - I dare you. Think of something right now that isn’t affected by OPSEC. When you think you’ve got one, click on the comments link and let the rest of us know.
Keep the Faith!
Revelator
Posted in Countermeasures, Risk | 2 Comments
13. May 2008 by Revelator.
As some of you know I am blessed to have the honor and pleasure of travelling around this great country of ours giving speeches about OPSEC and Security Awareness. At each and every stop on my tour I get asked about Ray Semko, AKA “The Diceman” or simply “Dice”. I must admit it’s starting to get annoying when after each speech some well-meaning audience member comes up and says something like; “Great speech! You educated and entertained me and we don’t get that around here too often. The last time was when that guy Diceman was in town. He’s great - do you know him?”
Yeah, I know him. I mean, we’re not swapping love notes in gym class but we’ve had a beer or two together over the years. Hell, he was the guy who convinced me to spend $300 on a custom robe and do my “Revelator” speeches as they were intended - full out. I first saw Ray speak at a National OPSEC Conference almost 10 years ago and he not only inspired me in my new chosen field but he also showed me that with enough knowledge and passion one single person could have an impact on many. I set some significant goals that day and later that night he encouraged me to pursue these goals with all my heart. Each of those goals has been met and I thank the Lord for putting Ray in my life on that day and night.
And now we come to this - as I was searching the web in support of some far-flung OSPA initiative I ran across a web page dedicated to my friend Ray: http://cicentre.com/dice/feedback.html. Scanning the tabs on the left of the page I ran across one titled “D*I*C*E Store.” Well, I just had to click on it, didn’t I? And as I scanned the list of D*I*C*E articles available for purchase I ran across these: D*I*C*E Boxer Shorts - a bargain at $19.99. I was told that I could “enjoy the roomy comfort of our sexy boxers as underwear or sleepwear. They’re 100% cotton, open fly…for thinking outside the boxers. Boxers, because you don’t want to be brief.”
Now I have mad respect for Ray Semko and happen to think he is a true American Patriot, but dude - no way can I buy these. I see myself one day in a crowded bar where earlier I, and then Ray, wowed and inspired the audience with high-fever speeches and I’m yelling, “Hey Ray! I’m wearing your underwear!” Can you hear the deafening silence as every head in the bar turns to look at me with a mixture of disdain and humor? I can. And for this reason you can all rest assured that that sentence will never cross my lips.
And for those of you who keep asking me when Ray is coming to your town/base for a presentation check out the link above and ask him yourself. Better yet - invite him out. And one last thing - I’ve got a favor to ask; the next time you see a D*I*C*E speech go up to Ray afterwards and ask him if he knows when I’m coming to town again.
Keep the Faith!
Revelator
Posted in Awareness, Conferences, Media | No Comments
13. May 2008 by Revelator.
“Leaders are busy doing the things critics say can’t be done.” You may have seen this quote before. I read it in a book last week.*
As OPSEC Managers, your creativity and the ability to see the road ahead are paramount if you wish to have any level of a successful OPSEC Program. Beyond that is the fortitude to not only see the vision but to act on that vision. As an OPSEC Manager you are frequently alone in your passion to push the program, but you must not let this stop you. You’ve got to be like The Bandit and have that “…we’re gonna do what they say can’t be done” attitude. Rare is the unit/company who shouts Hallelujah! when the new OPSEC Manager shows up. Rare are the times you will walk into a meeting and all will hail you as the savior of the mission. Rarer still is the man or woman who can keep running into this wall of denial until it is broken down.
The sad fact is that you just may be the only one who truly cares about OPSEC. At least this is the attitude that you need to have. Don’t let people fool you - they don’t care…not really. I’ve interviewed a number of OPSEC Managers who are quite sure they have the support of the people in their organization. And I’ll ask them; “How’s your program working?” And they’ll go on and on about all the great stuff they’ve done. Unfortunately, I get a different story when I interview people within the organization. Invariably, members of the unit have no idea who their OPSEC Manager is, and if they do actually know a name, they have no idea what the OPSEC program means to their mission. What about you? What about those of you who may have been hired or hand-picked as the OPSEC Manager? Surely, you care about OPSEC. Right? Well, maybe. And maybe not. I’ve seen a lot of people get burned out by OPSEC because of the abnormally high frustration levels associated with repeatedly trying to accomplish something you know is right and getting beat down by leadership or those who run the mission. I mean, you are just the OPSEC guy or gal, right? Not only have I seen this - I’ve experienced it first hand, and it’s not pretty.
You try to do a good job and you either don’t have the support of the big dogs or you’re kept too busy doing other “more important” tasks or, maybe, just maybe, you don’t really care about OPSEC at all. Maybe it’s just a paycheck or a silly little additional duty. I’ve met these people and I can see it in their eyes. You can tell they just don’t have a passion for this stuff. I can’t explain it but I’ll be honest with you - the passionate people are in the minority. And it’s rather sad because you can’t be a half-assed OPSEC Manager. You can’t simply satisfy the minimum requirements and expect to have a positive effect on the mission or the lives of those executing that mission. You can’t send out an 18-slide PowerPoint presentation as your annual training and expect it to mean anything. You can’t walk up to a group of shooters about to execute a mission and tell them they can’t do something because you say so. You can’t be so removed from the leadership that they never think to call on you when they are making long-range plans. You can’t stick your head in a sales or marketing meeting and shout “Think OPSEC” and expect it to positively affect the outcome of the meeting. You can’t wait until all the jobs are posted and then run to HR and beat them down for putting too much information in job postings. And you can’t expect your coworkers to give a you-know-what about OPSEC and how it affects the mission and their lives if you haven’t repeatedly told them - if you haven’t made it personal to them - if you haven’t fully demonstrated how it affects them personally.
Understand this; as an OPSECer you are outgunned and under-equipped for the job you’ve been asked to accomplish. Boldness under such circumstances may seem almost foolish, yet boldness may be the one advantage you have. Unlike those who lead in battle, your life may not be on the line as the OPSEC Manager - but lives, jobs, your co-workers’ welfare, and their families’ welfare may be. Your program may have less muscle, so you will need more brains. You have to reorient your thinking, behavior and strategy. Pull off the sunglasses of pride and arrogance, and drop them in the nearest trash can - you’ll see the road ahead and the obstacles more clearly without them. Then get yourself out on that road and kick some OPSEC ass!
Keep the Faith!
Revelator
*The Centurion Principles by Colonel Jeff O’Leary (Ret)
Posted in Program Management, General OPSEC | No Comments
9. May 2008 by Revelator.
That’s right - Internet blogging is indeed the 9th revolution. I’ve done all the research and historians have succinctly reported that out of all the revolutions throughout history, blogging is the 9th. That or I made all that up just so I could continue my recent habit of song titles as blog titles - your call. Number nine. Number nine. Number nine. Number nine…
From the Wikipedia Blog page: A blog (an abridgment of the term web log) is a website, usually maintained by an individual, with regular entries of commentary, descriptions of events, or other material such as graphics or video. Entries are commonly displayed in reverse chronological order. “Blog” can also be used as a verb, meaning to maintain or add content to a blog. Many blogs provide commentary or news on a particular subject; others function as more personal online diaries. A typical blog combines text, images, and links to other blogs, web pages, and other media related to its topic. The ability for readers to leave comments in an interactive format is an important part of many blogs.
Current estimates say there are in the neighborhood of 15 - 20 million blogs out there for your enjoyment. Teenagers have created the majority of blogs. Blogs are currently the province of the young, with 92.4% created by people under the age of 30. Half of bloggers are between the ages of 13 and 19. Following this age group, 39.6% of bloggers are between the ages of 20 and 29. (http://www.caslon.com.au/weblogprofile1.htm)
If you are even marginally in touch you’ve no doubt heard of the problems the military has had with military-based, military-support and personal blogs of military members throughout the blogosphere. Thousands of bloggers are putting information out there that, from an OPSEC or even a common-sense perspective, should not be there. On the plus side, the majority of these blogs are now espousing OPSEC and demanding that sensitive information not be put in comments on the blog. Certainly this is a very good thing, and while we’ve still got some problems out there it is good for an old OPSECer to see that the problem is correcting itself. Here are some examples:
“The U.S. Army has ordered soldiers to stop posting to blogs or sending personal e-mail messages, without first clearing the content with a superior officer, Wired News has learned. The directive, issued April 19, is the sharpest restriction on troops’ online activities since the start of the Iraq war. And it could mean the end of military blogs, observers say.” By Noah Shachtman
Operational Security: If you know where a soldier is deployed, the return date, or any other information, please never give this information out to anyone, ever. The enemy loves to search for pieces of the puzzle of how to hurt us any way they can. Never post last name, location, contact information, unit details, morale status or even rank of someone you know who’s deployed. In today’s world of terrorism, this is especially important. http://www.honorguardbugler.com/2008/04/notes-on-opsec.html
I think it’s worth reminding OmniNerd users (many of whom have military affiliations through service, family or acquaintance) to be cognizant of the information posted. OmniNerd received a news post on 5 August from the Army of the Mujahideen containing links to graphic videos depicting death and violence to US service members. This means OmniNerd’s content was profiled by terrorists either for the user base or the types of hosted discussions. While initially rejected, I posted the content here to serve as a reminder of who may be reading your posts and the threat still facing Western states. http://www.omninerd.com/blogs/OPSEC_Awareness
OPSEC is the reason that organizations like Soldiers Angels or Anysoldier.com don’t just post the addresses of deployed soldiers for everyone in the blogosphere to see. You have to join those organizations and be approved by them, to receive addresses. OPSEC is the reason that I did not post the address of my fiancee’s son on this blog, when he deployed. The people who wish to support him (and our unending Thanks! to all those great folks who have been sending him letters and care packages!) are people I know, and feel comfortable giving his address. OPSEC is the reason that Soldiers Angels says “Please do not post the name, etc. of your soldier, without his permission.” And it’s the reason that I usually redact the identifying information from any part of a note I receive that I do repost on here. http://journals.aol.com/kasee267/SupportingtheTroops/entries/2008/01/28/just-a-reminder…opsec/1542
And finally: We’ve had quite a bit of OPSEC violation on the community recently. Just a reminder that you just can’t post dates, times, travels, discuss particulars about weapons, locations, etc. here. There ARE people out there who join communities like this to gather information. Don’t kid yourself. Will it get someone killed? You don’t know. The safest bet is just don’t do it. If you’re not sure if you should say it, err on the side of caution and just don’t say it. So here’s a basic list of what not to say or do:
DON’T post specific dates your SO goes on deployment, leaves for R&R, redeploys, PCS’s, or moves from one place to the next.
DON’T post specifics discussing weaponology, though that has not been an issue here, I’m just saying.
DON’T post where your husband is stationed if he is in a combat zone (i.e. what base he’s at in Iraq or Afghanistan).
DON’T post the times your husband will be in transit from base to base in a combat zone, or travel times, period.
DO black out or otherwise blur nameplace, unit and branch patches if posting pictures.
Those are the main infractions.
FROM HERE ON OUT I WILL DELETE WITHOUT WARNING ANY POST THAT VIOLATES OPSEC TERMS.
I’m tired of reminding people. Call me bitchy, I don’t care. Read and follow the rules. http://community.livejournal.com/militarylove/706293.html
Keep the Faith!
Revelator
Posted in Critical Information, WWW, Family OPSEC | No Comments
6. May 2008 by Revelator.
As I sit and try to come up with thoughts on the National OPSEC Conference a literary quote comes to me - “It was the best of times, it was the blurst of times.” Did I say literary? I meant cinematic. And by cinematic, I meant The Simpsons.
As an OPSEC Conference it indeed was an outstanding event. Great speakers, honored original Purple Dragons, record attendance, deserving award winners, fantastic location, free Starbucks coffee, snow, trinkets galore, OPSECers dancing on the “Coyote Ugly” bar, the Final Four at the ESPN Zone and a chance to see old and dear friends. As OSPA Vice President I thought it was the second most stressful week of my life.
And yet - here I am. Here we are. Still bloody from the battles but healing from the hurt. Warm embraces come not in the light of day but in the shadows of the night. Encouragement is not shouted from the mountain tops but whispered on the wind. And yet; we fight on.
As Goethe said, “Encouragement after censure is as the sun after a shower.” So I stand in the sun now; drenched in the encouragement of those who care - showered in the strength of the true believers - lifted up by those in need. And the OPSEC world spins on…
Big Mama IOSS still rules the roost. Big Daddy OPS is still the biggest and baddest society in OPSEC and OSPA is still that paradigm battling punk in the torn “Anarchy” t-shirt who just won’t go the $#&@ away.
And the question isn’t where your loyalties lie. Nor is it whose side you are on. No; the question that remains is this: What have you done for your OPSEC Brothers and Sisters today?
Keep the Faith!
Revelator
Posted in Conferences, OSPA | No Comments