October 2008
S	M	T	W	T	F	S
« Sep		Nov »
	1	2	3	4
5	6	7	8	9	10	11
12	13	14	15	16	17	18
19	20	21	22	23	24	25
26	27	28	29	30	31

Archive for October 2008

Me & Mrs. Jones

28. October 2008 by Revelator.

For years I’ve been trying to work this song into one of my presentations at the National OPSEC Conference but I haven’t had any luck yet. Unfortunately, the draft of the 2009 speech doesn’t look good for it either so I’m gonna see of I can do something with it here in this forum. It’s such a kick-ass song I have to do something with it - if for no other reason than to honor Billy Paul and the song that made him an R&B Icon. So it is finally time that we look at this song from an OPSEC perspective…

Me and Mrs. Jones
We got a thing goin’ on - Critical Information List item # 1 “Knowledge of an Affair.”
We both know that it’s wrong - CIL item # 2 “Personnel Vulnerabilities.”
But it’s much too strong to let it go now - CIL item # 3 “Operational Commitment to Objective.”

We meet every day at the same café - Huge vulnerability.
Six-thirty and no one knows she’ll be there - Oh, they know Dude - they know.
Holding hands, making all kinds of plans - OPSEC Cardinal rule # 1 – Don’t talk shop in public.
While the juke box plays our favorite songs - An extra indicator for those blind agents out there who are only going on sound and were too far away to hear them “making all kinds of plans.”

Me and Mrs. Jones - On the plus side, her real name is Mary Smith.
We got a thing goin’ on - Not for long if Dude and “Mrs. Jones” don’t start using OPSEC.
We both know that it’s wrong
But it’s much to strong
To let it go now

We gotta be extra careful - See? Some people just talk OPSEC without actually using it.
That we don’t build our hopes up to high - At this rate Dude, you’ll never get to that promised land
Because she’s got her own obligations
And so, and so, do I - Even though he is “talking around” the subject it would be easy for a trained analyst to decipher. For example “Obligation” translates to “husband and seven kids.”

Me and Mrs. Jones
We got a thing goin’ on - Oh, now he’s just getting cocky. And can’t we assume he is singing this to a friend? A friend perhaps without a “need to know?”
We both know that it’s wrong - Trust me, when you know it’s wrong you really, really need to lay some OPSEC on it.
But it’s much to strong
To let it go now
Well it’s time for us to be leaving - Seriously? More stereotyped activities?
It hurts so much, it hurts so much inside - Your enemy is about to walk in and make it hurt on the outside Dude.
Now she’ll go her way and I’ll go mine - Any one wanna bet they take the same route home every day?
Tomorrow we’ll meet - At a new place? A new time? No juke box? No talking about plans?
The same place, the same time - Figures – some people just never learn.

Me and Mrs. Jones
We got a thing goin’ on
We both know that it’s wrong
But it’s much to strong
To let it go now

Epilog: It seems that “Mr. Jones” was cheating on “Mrs. Jones” also and couldn’t care less about her and Dude. He knew about it of course – EVERYONE knew about it…but no one cared. You see, “Mr. Jones” was “Mrs. Jones” 5th husband. “Mrs. Jones” had seven kids, had done time in Joliet on several Domestic Abuse and Fraud charges and three of her husbands had passed away under suspicious circumstances. So, uh…no – “Mr. Jones” was pretty cool with “Mrs. Jones” doing Dude every day at the café. Three days later Dude disappeared never to be heard from again. This brings me to something I’ve said all along…the biggest threat to your security is the insider threat.

Keep the Faith!
Revelator

Me and Mrs. Jones – Billy Paul

Posted in Uncategorized | Print | 2 Comments »

Won’t Get Fooled Again

17. October 2008 by Revelator.

Try this on for size: Us OPSECers are a bunch of paranoid freaks who run around trying to convince the world that the sky would fall if it wasn’t for our magic potion.
Don’t laugh and don’t get defensive - people do say this about us. Don’t believe me? Let me give you a hint of what we sound like sometimes:

Protect this!
Secure this!
You can’t do that!
You must do this!
Listen to me!
Come to my briefing!
THINK OPSEC! THINK OPSEC! THINK OPSEC!

If you don’t use OPSEC the world will come to an end in a horrible way and the remaining survivors will blame you and then burn you alive and then trade your baseball card collection for the June 1975 issue of OUI Magazine .

If you don’t use OPSEC you will personally lose the war but you’ll be around right up till the end and then you’ll get your’s too - right in your grill - just like Kimbo Slice (except that you will actually be hit and will most likely die).

If you don’t use OPSEC the competition will beat you to the shelves and your company will go bankrupt and you will be out of a job, the heel on your new too-small-for-your-big-feet Manolo’s will break, your husband will leave you for a successful toy manufacturer and then the economy will crash because you are a weak and worthless person.

If you don’t use OPSEC your identity will be stolen and your personal life will come crashing down around you. Your wife will leave you and your kids will hate you with a white-hot passion that will drive them to become lawyers and sue you for abandonment.

If you don’t use OPSEC your house will be broken into while you are on that two-week vacation and while in your house bad guys will put fish and Cheez Whiz in places you won’t be able to find them until it is much too late and on that exact date your in-laws will arrive unexpectedly for a three-week stay.

If you don’t use OPSEC Freddy Krueger will haunt your dreams…”1,2, freddy’s coming for you.
3,4 you better lock your door. 5,6 grab your crucifix. 7,8, stay up late. 9, 10, never sleep again.”

If you don’t use OPSEC bad guys will steal your PIN and take all your money and spend it on loose women, MadDog 20/20 and gambling - and not that good gambling you see on TV but that bad degenerate gambling that has no respect for the viewing audience.

If you don’t attend annual OPSEC training your are destined to be a high security risk for your unit/company. Everyone will hate you and you will hiccup for 4 years straight.

You need to understand that this is exactly how some of us come off. You can’t scare people into using OPSEC. But you may be able to convince them that OPSEC can be a force multiplier, can raise survival rates and can be incorprated into an operations or business plan without hurting the operation itself.
And if you can convince someone that lives and/or money can be saved…well then - you won’t have to try to scare then with threats, voodoo or your magic potion.

Keep the Faith!
Revelator

Won’t Get Fooled Again - The Who

Posted in Family OPSEC, General OPSEC | Print | 3 Comments »

Bad Moon Rising

9. October 2008 by Layne.

Folks I try to stay positive…I try to believe that those who should be protecting stuff are protecting that stuff. I try to avoid sarcasm as I write about certain aspects of security or OPSEC - but I lose the battle sometimes.
Case in point: Did you really think your personal information was protected?
Let me share something I read recently in the Washington Post:

“U.S. corporations, governments, and universities reported a record 516 consumer data breaches in the first nine months of this year, incidents prompted chiefly by hackers and employee theft. About 80 percent of the breaches involved digital records, while the remainder stemmed from the loss, theft or exposure of paper-based records. Some 30 million records on consumers have been exposed so far this year but there is currently no federal requirement for organizations that exprerience a data breach or loss to acknowledge precisely how many consumers nationwide may have been effected. More than 36 percent of the breaches so far this year have been at U.S. businesses, while educational institutions were the second most frequent source of incidents (21 percent).”

516 breaches - 30 million records exposed - 9 months - no reporting requirement

I am at a loss for words. Well, not actually a loss - many words are running through my mind. I just don’t want to put those words on this blog. This is just sick - I need a drink.

Keep the Faith! (even though it can be hard at times)
Revelator

Bad Moon Rising - Creedence Clearwater Revival

Posted in General OPSEC | Print | No Comments »

Insider

9. October 2008 by Revelator.

Exerpt from an article I recently read: “Organizations are shifting their focus to the threat posed by insiders and turning their attention to training and data protection, according to a recently released survey. The 2008 Global Information Security Workforce Study, conducted by analyst firm Frost and Sullivan for certification organization (ISC)2, surveyed 7,548 information security professionals worldwide. 51% of respondents said internal employees pose the biggest threat to their organizations. The finding represents an ongoing trend in the past two to three years, as the numbers of remote workers and portable storage devices have jumped in the enterprise, said Frost & Sullivan’s network security industry manager. ‘That increases the chance of something happening, whether it’s malicious employees or just someone with good intentions but walks out of the building with data so they can work at home,’ he said. The findings are supported by Information Security’s Priorities 2008 survey, in which 70% of participants said they are worried about detecting and thwarting internal attacks.”

‘Bout time people start understanding what us OPSEC Professionals have known for quite a long time - unless you are in battle (and sometimes even then), the internal threat is the biggest threat to your organization. I wrote a blog entry on 30 May titled “Welcome to the Jungle” that spoke to this very thing.

From my perspective this isn’t an on-going trend from the past 2 or 3 years - it’s an on-going trend period. And it will never stop. Certainly advancing technology has made it easier for the malicious insider to cause harm but it has also made it easier for our biggest threat - the unitentional insider - to screw up and cause harm. Either through ignorance, lazyness, or simple lack of caring the unintentional insider is the single most devastating threat to your organization. You can attempt to counter this with an aggressive awareness program and constant employee vigilence within the organization but the threat will remain. Understanding is half the battle - now act on this understanding.

Keep the Faith!
Revelator

Insider - Tom Petty and The Heartbreakers

Sample “Insider” lyrics…
It’s a circle of deception
It’s a hall of strangers
It’s a cage without a key
You can feel the danger
And I’m the one who oughta know
I’m the one you couldn’t trust
Yeah I’m the lonely silent one
I’m the one left in the dust

Posted in Media, Program Management, General OPSEC | Print | No Comments »

Bring The Noise

9. October 2008 by Revelator.

Here are the titles of some articles I’ve come across lately. I haven’t included the full content of the articles but I think that, just based on the titles, you’ll see why I’m a bit concerned…

“Internet Flaw Could Let Hackers Take Over The Web” - I think that if this is true they might not want to detail how this could actually happen - which they did. Yeah, the article spoke very specifically about exactly what the flaw was and how to exploit it. Cool, huh?

“Airports Vulnerable to Attack” - While I suspect we all agree that yes, there are still some vulnerabilities that reality and budget constrains won’t allow us to directly address but this article explained how our airports were vulnerable and how bad guys could exploit these vulnerabilites.

“Billions More Needed to Secure U.S. Embassies” - Well then, please tell me what we need to spend this money on exactly and further I would like to know how not having these things can immediately put these embassies at risk. And while you’re at it go ahead and tell me which embassies are the most vulnerable so I don’t waste my time trying to blow up the wrong one. Anybody want to guess if the article actually did this?

“Research Reveals Patterns of Terrorist Preparation” - While, as a citizen, I am very happy that our law enforcement agencies have found patterns that may tip them off to terrorist activities, I am not real happy that we told the terrorists this. Seems to me that Terry Terrorist might begin to change his/her tactics and prepare for their activities in a whole new way thereby negating the intelligence advantage we had until this article came out.

Folks, I’m no arbiter of what is right or wrong to put into print and I have no educational background to argure the public’s “right to know” but as an OPSEC Professional it just seems to me that we are making waaaaaaaaaaaaaaaaaaaaaaaaaaaaay too much sensitive information available. For those of you out there actively practicing OPSEC, this is just one of the reasons you need to do Open Source searches on your own organization. It’s always good to know what the bad guy already knows about you - then you can focus your protection efforts on what is not known and you can also be proactive about dealing with what is known about your organization, mission or specific activities.

Keep the Faith!
Revelator

Bring The Noise - Public Enemy

Posted in WWW, Media | Print | No Comments »

I Wanna Be Sedated

6. October 2008 by Revelator.

THE INAUGURAL QUADRENNIAL OPSEC ANVIL AWARDS

As I was preparing an award package for the National OPSEC Conference awards I got to thinking that it is pretty cool that our small community has an award program that recognizes people and programs that should be applauded and emulated. Recognizing personnel that have gone above and beyond what is expected is a great thing. Then I got to thinking that those who are performing below and behind should also be recognized as sterling examples of what not to do. With this in mind I give you the 2008 Inaugural Quadrennial OPSEC Anvil Awards.

The first person that comes to mind who deserves to have an OPSEC Anvil dropped on their head is: The dude who blasted out of the secure area without waiting for the door to said secure area to close behind him while I slipped in unnoticed and unescorted.

Our second award goes to: The lady on the airplane who just had to share her highly sensitive work for a government contactor with me.

Subsequent (though no less significant anvils will be dropped on):

The person who left the uncleared visitor unescorted for an extended bathroom break.
The person who put the key in the STU-III but didn’t turn it.
The person who failed to erase sensitive information from the conference room white board.
The person who blogged deployment dates and locations.
The person talking about sensitive information on their cell phone in the cafeteria.
The person who emailed critical information to their home computer.
The person whose cell phone rang in the middle of a secure area.
The person who threw FOUO and Personal Privacy Information into the trash can.
The person who’s badge was stolen from their unlocked car.
The person overheard complaining about security vulnerabilities over a beer at a local drinking establishment.
The person who shares everything with their uncleared spouse.
The person emailing successful mission tactics to all his buddies.
The person who will talk to anybody about anything while in the smoking area.
The Manager/Commander/Leader who says the word “OPSEC” but doesn’t really use it.

The list of nominees this year was quite exhaustive and to tell you the truth we ran out of OPSEC Anvils long before we ran out of people who deserve to be sedated by the “award.”
This year we need to learn from the mistakes noted above and make next years award list non-existent - or at least a whole lot shorter.

Keep the Faith!
Revelator

I Wanna Be Sedated - The Ramones

Posted in General OPSEC | Print | 2 Comments »