18 December 2009 by Revelator.
Today I want to share an interview I conducted with an OPSEC grey beard (GB) who insisted he remain nameless. Originally, I refused to do the interview with this particular stipulation but as you read on I think you’ll agree that even without identification the information shared is valuable enough to overlook the anonymity clause. We sat down in a small bar in a busy city near our nation’s capital. After ordering, I hit record and began the interview.
Rev: How long have you been in OPSEC?
GB: Since before they called it OPSEC.
Rev: What did they call it before they coined the term OPSEC?
GB: They didn’t call it anything - that’s the point isn’t it? It didn’t have a name. But we knew it as using your common sense - doing the right thing - being smart - protecting your ass from the guy trying to shoot it off.
Rev: Do you see OPSEC as primarily a wartime program?
GB: First, I don’t see it as a program - I see it as a way of life. But to answer your question up until very recently yes, its application was mainly in support of military operations - specifically wartime operations. But in the past ten years I think we have come to realize that every day is a wartime situation. Every conversation, every text, every tweet, every email could harm not only our all-volunteer military but also innocent civilians.
Rev: So would you say that in these times spreading the gospel is critical?
GB: Spreading the gospel, as you say, has always been critical. OPSEC can truly be a life saving art but if no one understands it and therefore no one uses it then it’s no more useful than the warnings on a pack of cigarettes. The most important step in the OPSEC process, as we know it now, isn’t even one of the five steps because it is a concept followed - if we’re lucky - by an action.
Rev: And what is that?
GB: Awareness! The most important OPSEC concept is awareness. If the people in your military unit or even your corporation don’t understand the “why” of OPSEC then you guys can take the OPSEC process and work it into the ground and it won’t be worth a damn because no one understands why you are doing it. And more importantly why they should use it. Listen; I’ve known guys who knew OPSEC cold…knew how to work each of the five steps, and could write an OPSEC plan so beautiful you would marvel at its magnificence. But some of these guys couldn’t sell the concept - they couldn’t show people how or why they should care about, much less use, OPSEC in their daily operations.
Rev: Is it true that the OPSEC process was at one time 12 steps and then 9 steps before we arrived at the five steps we have now?
GB: Absolutely. And it was 15 steps and 10 steps and one pretty highly placed, but ignorant, guy wanted it to be three steps.
Rev: Well, how many steps do you think it should be?
GB: To be honest, I wasn’t happy with the five steps when it first came out. I thought they left out two steps that I thought were pretty important.
Rev: Which were…?
GB: Not important now. People seem to be doing them just as a matter of course so I don’t want to upset those that are responsible for this process. But let me make another point before we move on; the average person in your organization doesn’t care how many steps it is. They don’t care about what you have to do to accomplish the five steps of the OPSEC process. You know what they care about if they care at all?
Rev: Tell me, please.
GB: Two things - what do I need to protect and how do I protect it. And that is all they should care about. The OPSEC Manager needs to do all the work and be able to answer those questions for the warfighter. If you can’t tell them what needs to be protected and how to protect it then what are you there for? To give the annual training? To fill the square? Bullshit. You are there to protect the mission and to protect life so if you can’t tell the trigger pullers what to protect and how to protect it then crawl back into your cubicle and work on your next PowerPoint presentation cuz brother they don’t need you.
Rev: Strong words sir.
GB: Yes they are. Look, I’ve worked at this too long and too hard to try to soften the blow of what I’ve learned over the years. You asked me so I’m telling you. I believe I’ve saved lives using OPSEC and if I couldn’t say that then why would I have stayed in OPSEC? For the glamour? For the glory? For the money? No, no and hell no! (long pause) In my military service I took lives… Since I laid down my weapon I have been trying to save lives and as I said I believe I have. (pause) OPSEC is important. It’s more than going to the conference once a year. It’s more than giving your annual briefing. It’s more than putting up a poster or two. Actually, it is all of that but so much more.
This is the end of part one of the interview. I’ll have part two for you soon.
Keep the Faith!
Revelator
17 December 2009 by Revelator.
OPERATIONS SECURITY - OPERATIONS SECURITY - OPERATIONS SECURITY - OPERATIONS SECURITY. Everyone - say it with me now: OPERATIONS SECURITY!
If I read one more article, speech or blog entry that defines OPSEC as Operational Security I’m gonna go Elvis on my computer monitor. People, this isn’t difficult. Operations Security is a different concept than operational security. I’m not gonna go into a long dissertation about the difference because you should know what the difference is. But even as I write those words I realize I’m wrong. Generals, Lt Col’s, Master Sergeants, CIO’s even OPSEC Managers have written, or spoken operational security when speaking of OPSEC. And not just in general but typically something like this: “OPSEC, or Operational Security, is a 5-step…”
I honestly don’t know why this happens or what to do about it - I just know that every time it happens it sets us back just a little bit. OPSEC has a hard enough time getting accepted without people who should know better defining it incorrectly. In the world of OPSEC there is much room for disagreement on a number of topics but this isn’t one of them.
Which comes first; Threat or Critical Information development? Argue that all you want.
How should you define risk? Take sides and come out swinging.
What is the best way to prioritize vulnerabilities? Jump into the octagon and figure it out.
But - “Is it Operations Security or operational security?” is not open to debate.
So, to all of you getting it wrong I say: STOP THAT!
Keep the Faith!
Revelator
All Shook Up - Elvis
30 October 2009 by Revelator.
At my current job as OPSEC Manager I have somehow become the go-to-guy when an employee feels they are being scammed in one way or another. About once a week an employee will forward me a suspected scam email or bring in a letter they received at their home. Having become quite familiar with this stuff over the past year or two I do the research, confirm it is a scam and then write up an email that goes to all employees alerting them to the latest scam.
I’m not complaining - this is a good thing; but it got me to thinking. Most of us work in environments that place a high importance on security. Also, many of us work in positions that require a security clearance. Because of this we are particularly security conscious. But what about the vast majority of people out there? What about those who aren’t, for whatever reason, as security conscious as we are? Might they be much more susceptible to scams than we are?
I think of my parents, I think of my housewife sister, I think of my many friends who work at what we might call regular jobs in any number of fields that don’t come in almost daily contact with the many threats facing us day in and day out.
I think we have a responsibility to these people. We are in the know - we know of Nigerian bank scams, charity scams, mystery shopper scams, phishing scams, missing child email hoaxes, email lottery scams, internet dating scams, inheritance scams, and a host of others. Sure, we’re (relatively) safe from these nefarious hoaxes and scams but what about your family and friends?
My recommendation to you is that you make this your personal responsibility. Let your friends and family know that if they receive a “too good to be true” email or letter to contact you and you’ll research it to verify its legitimacy or (as will be the case 99.9% of the time) determine that it is a scam. We are paranoid by definition but the vast majority of our friends and family aren’t and I think you owe it to them to be the go-to person if they have any security questions or concerns. Just a thought.
Keep the Faith!
Revelator
For What It’s Worth - Buffalo Springfield
16 October 2009 by Revelator.
As we are all aware by now Operations Security, or OPSEC, has been around for ages. We first see it referred to directly in early Greek texts like this “ασφάλεια διαδικασιών.” Granted most of us don’t read Greek but perhaps this will aid in your understanding: OPSEC has its own Greek God - his name is Opus.
Opus was the brother of Calisto. After the overthrow of their Father Vasilios he drew lots with Calisto and four other brothers, for shares of the security world. Opus had the worst draw and was made lord of OPSEC. His wife was Iossa whom Opus abducted from the God Enesay. Opus may be the God of OPSEC but, security itself is another god, Seeiya.
This legend was first spoken of in Greek Mythology as dictated by Ospa; a Greek pre-classical poet and contemporary of Homer. His preliminary epic poems spoke through symbolism with a heavy dose of romanticism though some of his later works dealt directly with mysticism and the duality of God and man. In an early Ospa epic Opus was shown as both God and man as he does battle with the mythical 5-headed purple dragon, Tarasthretenstien. Opus, though expressly told not to seek out and attack Tarasthretenstien, set out one day with the express purpose of doing battle with, and ultimately defeating the dreaded purple dragon. It is written that he ignored the warnings of his father Vasilios as he suited up for battle knowing that as the God of OPSEC his failure would mean the loss of OPSEC to the world. As soon as he was suited up, the sky turned black and the purple dragon descended with each of its five mouths spewing fire.
As Tarasthretenstien drew closer Opus bent on his knees in a gesture of surrender. Tarasthretenstien thought Opus was begging for his life, so she did not attack immediately. Seeing his deception working Opus struck the dragon with his magic Sword of OPSEC cleanly severing one of her five heads.
Fearing defeat Tarasthretenstien begged for her life explaining that she had hatchlings all over the world that would die if she did not feed them. Opus, realizing that leaving Tarasthretenstien alive would result in unacceptable risk cut off her four remaining heads.
As we all know today, Tarasthretenstien’s hatchlings survived leaving us with a world of threats and adversaries to this day.
When times get tough, remember the OPSEC God Opus and attack those threats in any way you can.
Keep the Faith!
Revelator
Puff The Magic Dragon by Peter, Paul and Mary
8 October 2009 by Revelator.
So I’m searching “OPSEC” on YouTube yesterday, as I am wont to do from time to time, and I ran across a new video titled “Atomic OPSEC Part 1.” I noticed that it was from the Department of Energy’s Nevada Site Office and I took this as a good sign. I liked what they did with their “OPSEC Hunters” video so I thought I would check it out.
Well, I gotta tell you this new video is even…
Ok, I can’t do this anymore. Let the BS end right here…
We made the video. That’s right; I wrote it and acted in it - my fellow DOG of OPSEC directed it and the new guy plays the scientist. We think it’s pretty good and think y’all might like it also so go to YouTube and search “Atomic OPSEC” and watch parts 1 and 2. Total time is around 13 minutes. We hope you like it.
Keep the Faith!
Revelator
25 September 2009 by Revelator.
A young John Cougar used those words as the title to his fifth album. In those moments when I’m frustrated by the sometimes low OPSEC give-a-crap-factor I wonder about those words and my mind drifts to this thought: OPSEC doesn’t matter and what if it did? Generally speaking it appears to me that no one really cares about OPSEC.
If OPSEC “mattered” then why is it so hard to get people who should care about OPSEC to actually care about OPSEC?
If OPSEC “mattered” then why is it blown off in the planning cycle?
If OPSEC “mattered” then why is it so often on the chopping block when money is tight?
Oh man, I could go on and on.
But to what end? What would be the point? No one cares. And I can’t even assume that those of you who are part-time/additional duty OPSEC POCs care. I’ve done too many OPSEC assessments and have seen with my own eyes the reality of dormant OPSEC programs around the world. I’ve done the interviews of unit personnel as they stare blankly at me when I ask them who their OPSEC Manager is or what a Critical Information List is. I’ve listened to blow-hard OPSEC POC’s who rant and rave about their OPSEC program only to find that it’s all an illusion - that nothing real exists. I’ve read Critical Information Lists that are 10 pages long and totally useless or were “benchmarked” from another unit and they didn’t even bother to change the letterhead to letterhead from their own unit. I’ve listened to OPSEC briefings that would make you want to rip your eyelids off. I’ve listened to senior leaders who talk, talk, talk, OPSEC but can’t seem to get an OPSEC section in their plans of operation. I’ve seen young just appointed OPSEC guys and gals who are ripping their hair out cuz the program they just took over sucks and they are getting no support to make it any better. And I’ve seen really good people try their damnedest to do really good things and get shut down and hammered by idiots who make more money than they do.
Good Lord, why even bother? Seriously. Why bother? Hey - I’m not leading up to any great epiphany here. I’m not setting you up to tell you why you should bother. I have no intention of trying to get your emotions roiling by extolling the virtues of OPSEC and its devout practitioners in a vain attempt to get you psyched about how great OPSEC is. Nope. Not today.
Today I’m just bummed. OPSEC sucks - that seems to be the prevailing attitude so I’m just gonna give into it. Come on now…aside from some small pockets of success, in the vast majority of places that OPSEC should matter it simply doesn’t. And that sucks.
Keep the Faith! (you’re gonna need it)
Revelator
Nothing Matters And What If It Did - John Cougar
16 September 2009 by Revelator.
“I’ve called this meeting because, as we feared, our budget has been cut 14%. We’ve game-planned for this but now is the time to get serious about what we can slim down and what we can live without.”
“Sir, if I may…we do have one program that has absolutely no verifiable Return on Investment that I think we should consider.”
“You mean, we actually have a program that is costing us money that has absolutely no ROI?”
“Yes sir.”
“Frankly, I’m a little worried that this hasn’t come to my attention before. What program are you talking about Johnson?”
“OPSEC sir.”
“Op-what-now?”
“OPSEC sir; Operational Security. You know the one. That briefing we get once a year where they tell you to keep your mouth shut. Don’t talk about work in bars and stuff.”
“Yeah, I know it. You mean that program costs us money? It can’t be very much can it?”
“Well sir, we have a full time guy who runs the program and then we have a group of people who have to spend a small percentage of their time on it as OPSEC Committee members.”
“Hmmm. So what do they actually do for us?”
“No one really knows sir. I think I’ve seen a report or two floating around but I’ve never read one and no one I’ve asked has either.”
“Let me make sure I understand…they give briefings that no one wants to go to, write reports that no one reads and take up valuable time from committee members who should be doing something else. Is that about right?”
“I would say that about sums it up sir.”
“And how much will we save annually if we kill it?”
“Based on the projected cuts for this upcoming FY killing this program would save us .003% off the top.”
“Well that’s not much is it Johnson?”
“No it isn’t sir, but if we think we really don’t need it anyway then why not just kill it? It will show that we’re being proactive and not afraid to cut what some of our security professionals say is a critical program.”
Ladies and Gentlemen, this is happening today. OPSEC has already been reduced or just plain cut from a number of organizations. We know OPSEC is a viable program. We also know that it does not and will not ever bring in money. ROI is almost impossible to prove also. Did OPSEC save any lives today? Did a competitor not find what he was looking for when he went through our trash because of OPSEC? Did Johnny or Susie not say something critical or sensitive on the Internet today because of OPSEC? Beats me. I hope so - but we have no proof.
Sooner or later your OPSEC program will come into question. At that time you will need to be able to answer the question: “Why should we keep the program?”
The answers to that question are as varied as the individual programs and can’t be fully answered in this forum. But you need to be thinking about how to answer that question for your program and your organization. I guarantee you that sooner or later the question will be asked and I’ll bet you that if you don’t have the answer they’re looking for…
Let’s just say you and your program may be in danger.
Keep the Faith!
Revelator
Fight The Power - Public Enemy
3 September 2009 by Revelator.
I’ll never forget the night - I think we were in Lubbock or was it Wentzville…either way. I remember that Miles - that’s Miles Anthony, the lead singer of Big Slick, was really hot for this babe in the fourth row and as his top roadie he expected me to make the deal with her. You know - get her backstage and well…you know. And this was unusual because normally he would choose three or four just in case one or two wouldn’t well…you know. So I watched her off and on during the concert just to see what I could see. Well, I could see quite a lot if you know what I mean and I suspect that is what made Miles want her so bad but that’s neither here nor there.
A word or two about me is in order I suspect: My name is Night Train. Actually my name is Lance but a long time ago outside of a little bar called The Cavern a drunken Ringo called me Night Train and the moniker just stuck with me over the years. At that time I had spent three years in college and was doing a summer vacation with the love of my life whose name I just can’t seem to recall at the moment. One night we went to see this band at a bar in the red light district called the Cavern and while I was hanging out after the show this chap in a leather jacket asked if I could help them drag some equipment to their van. Turns out that chap was John Lennon and we struck up a friendship that lasted until that fateful night outside of the Dakota. But that is the short version of how I started as a roadie. The story about why I am still a roadie is much longer and not quite as enjoyable.
So - back to that night in Barstow…or was it Philly - either way. During the drum solo (I swear Smokestack was channeling Don Brewer of Grand Funk that night) Miles asked if I hooked it up yet and I had to tell him not yet. Miles really didn’t like that answer but it was the only one I had right then. After a quick line and a towel-off he was back on stage and I was back to my job - pimpin for rock stars. Not a job I recommend to young professionals but I’m pretty good at it by now and I’m pretty damn sure that at sixty-six years of age I won’t be going to truck drivers school if this doesn’t work out. But this was 17 years ago when I still thought I would get a real job when I grew up.
Back to LuAnn (her name as I was to find out later)…She had squeezed her way up to the second row by now and had just flashed her considerable attributes to Miles and he looked at me and gave me the signal - again. Rock stars and their roadies have a complicated series of signals that would make a third base coach proud. One signal means “she can come back stage but that’s all” another means “she can come back stage if she brings her friend/sister” another means “she can come back stage but only if she’ll ___________ (insert desire here)” and yet another meant “she can come backstage but make sure she’s not a dude first.” There are more but I’m sure you get the gist of it. The signal I had just received for the second time meant “if she’s willing she can come on tour with us for a week or two.” I didn’t get that signal too often so I took it seriously.
And so I watched her. I watched her because there is a level of trust between a roadie and a horny rock star and I have a solid reputation for never letting the rock star down - or getting him arrested. And that’s the key to this whole operation - keep the rock star safe from a multitude of potentially embarrassing situations. And so I watched her. I watched her on her cell numerous times - and not that happy about it. I watched her turn away dude after dude who hit on her. I watched her as her older friend brought her beer after beer. And I noticed she didn’t have any tattoos.
And I watched as she walked away after Miles sang the last lines to their hit at the time, “Big Leg Woman” (a decent version of the classic Muddy Waters tune). As she walked I chased. I didn’t expect her to bolt so fast. I figured she would stick around and slide toward the side of the stage to well…you know. But she didn’t. She was in a hurry and I knew I would be fired if I didn’t get her backstage to Miles.
I was about to catch up to her when she met her angry mother and father at the exit. And that is when all the indicators started springing to my mind. No tat’s for one. Sure you can get your parents to sign for you if you are under 18 but not many do. And all the text messages and phone calls that she wasn’t happy about. No doubt her mom or dad had sent those. And all those dudes she turned away - no sense hooking up when your angry mom is gonna meet you at the door. And finally, it was her older friend that was bringing her the beers. Something someone under 18 couldn’t have purchased without a fake ID.
And so I had to face a not too happy Miles backstage. I just had to tell him she was underage and we were good. No way he wants to mess with any jailbait - not again, at least. In the end he hooked up with a reporter for a local rag that was much more age appropriate for my aging rock star. I am happy to report some 17 years later that they have been married for 15 years now and have two kids. The boy is named Thor and the girl’s name is LuAnn. I guess even if you’ve had as many as Miles you never quite forget the one that got away.
OPSEC - keeping rock stars out of jail for 60 years.
Keep the Faith!
Revelator
Jail Bait - George Thorogood and The Delaware Destroyers
31 August 2009 by Revelator.
From CNET News.com written by Elinor Mills:
“Here’s either a cautionary tale or an example of social-media paranoia. An Arizona man believes that his Twitter messages about going out of town led to a burglary at his home while he was away.
Israel Hyman posted to approximately 2,000 followers on Twitter that he and his wife were “preparing to head out of town,” that they had “another 10 hours of driving ahead” and later, that they “made it to Kansas City.”
When he came home, he found that someone had broken into his house and stolen thousands of dollars worth of video equipment he used for his video business, IzzyVideo.com, which he uses for his Twitter account.
“My wife thinks it could be a random thing, but I just have my suspicions,” he told the Associated Press. “They didn’t take any of our normal consumer electronics.”
Personally, I don’t think it’s a good idea to advertise to the world that your home will be unoccupied for a period of time. I also don’t think it’s necessary to reveal too many other personal details on social media sites that could be used for identity fraud, like your birth date.”
A number of thoughts come to mind:
1. Yeah, that was stupid. People are putting waaaaaaaaaaaaaaay too much on social networking sites. But then we know that already don’t we? Which leads me to my second thought…
2. Most OPSEC professionals, even part-timers, have known this for quite some time now so I have to ask; are we just horrible at spreading the word or are people not listening? Personally, I think it’s both. Awareness is the key here and while some are doing a pretty decent job the majority of us are not. And yeah, I know, why waste the time when you just know people aren’t going to listen to you either way. That’s tough to overcome but you just have to Keep the Faith! and press on.
3. Was it just the tweets or did dude possibly not consider OPSEC and basic security prior to leaving on vacation? We’ve all done the “so you’re going on vacation for two weeks how do you protect your home while you’re away” exercise. (if you haven’t let me know - I’ll send it to you). I suspect he didn’t arrange to deal with his mail, newspaper, growing grass, lights, etc while he was away and just got nabbed by bad guys who know what to look for.
Your fellow employees are counting on us OPSEC and Security professionals to keep them informed and protected. Do your best to inform them and with any luck they can protect themselves.
Keep the Faith!
Revelator
Everything Is Broken - Bob Dylan
24 July 2009 by Revelator.
My friends, it is time once again for a guest blogger to put in his two-cents. This entry has a significantly higher military quotient than most of mine and I must say it brings back good memories for this retired GI. The gentleman who wrote this is a good friend (and an ex-boss) - and I consider him one of the premier OPSEC Planners on the planet. Read and heed my friends…Rev
“Everything I learned about really good OPSEC planning for a big operation I learned from dipping snuff,” he said. Not quite sure he was serious, I responded, “You’ve got to be kidding me!” The lack of expression on Sam’s face, as he removed the black plastic lid and spit into his McDonalds’ coffee cup, led me to believe he was serious.
We were on a break from the Joint Planning Group session at a particular US combatant command headquarters, hanging around in the break room engaged in professional Information Operations (IO) discourse and partly solving dilemmas elsewhere on the planet.
Born Samuel T. Cogley five decades ago in rural Arkansas, “Books,” as he was known throughout the IO and Naval Aviation communities, was the most experienced military planner I had ever known. He had been brought in from a “Center of Excellence” to provide electronic warfare subject matter expertise to the combatant commander’s core joint planning group. Now retired, he was working as a defense contractor and did his best to impart IO knowledge on anyone who showed any interest in becoming enlightened.
I was this combatant command’s OPSEC Officer and doubled as the OPSEC planner for the J3’s IO Cell. With most of the folks in the IO Cell away TDY, I actually just happened upon this planning group by sheer accident and had no idea that a plan was in work. That is until I heard the constant throat clearing voice of brand new Lieutenant Colonel McClin.
“Major! Major Patrick!”
I had just walked past one of our many conference rooms – which were seemingly always in use – and turned my head. Looking down at a clipboard, Lieutenant Colonel McClin pushed his glasses up the bridge of his nose and asked, “Are you”…ah-hem…“Major Jonathan Patrick”…ah-hem…”Jonathan Patrick IV,”…ah-hem…”the OPSEC dude?”
Not sure where this was going, I hesitated in responding. “Yes, I am. But you can call me JP4, everyone else does.”
“Okay…ah-hem…JP4; I am Lieutenant Colonel McClin, everyone calls me…ah-hem…Chilly Mac, but since I am a Lieutenant Colonel…ah-hem…in the United States Army, and you…ah-hem…are just a Major, you should call me…ah-hem…Colonel. Please go in and have a seat, the Joint…ah-hem…Planning Group is getting ready to start. I could…ah-hem…cover the OPSEC stuff since… ah-hem…I have done it in Iraq before, but since you are here…ah-hem…you can be the OPSEC planning rep.”
As I entered the conference room, I heard someone from the back corner calling out in a loud whisper, “JP4, over here!” It was Books. I went over and sat next to him. “Man, it’s a good thing you showed up, I was afraid I was going to have to cover for your sorry rear end and do the OPSEC planning duties,” Books said. “Hey, give me a break! I didn’t even know about this. Besides, what about that Chilly Mac guy? He told me he could do it, he knows OPSEC…at least he says he’s done it before.”
“Oh, please!”
So, after about an hour, we went on our first break, initially arguing about how zombies were not getting a fair shake in the entertainment world, especially when compared to vampires and werewolves, but somehow came back to OPSEC planning.
I responded to Books’ comment, “What exactly do you mean? How on earth can anyone compare smokeless tobacco to OPSEC planning? Besides, it is such a disgusting habit!”
“What, OPSEC planning?”
“No! That stuff you are putting in your mouth!”
“Oh.”
“Wait a minute, how can you even contemplate that OPSEC planning is disgusting?”
“Um, well, not exactly that way, I was actually thinking that most of the time I’ve seen planners wait until the plan is almost complete and ready for execution or the boss’s signature before someone thinks about OPSEC. Kind of like, ‘oh, can you OPSEC folks “sprinkle” a little OPSEC on this before we go to print?’ That’s disgusting from a professional standpoint; kind of sad really.”
“So what do you mean?” I inquired.
Books began his lesson on dipping snuff and equating it to OPSEC planning. “Getting in on the beginning is the key. I need to do my analysis and find out what is allowed in the planning room and what is not. Usually, the command will allow beverages. I mean how can you really do effective military planning without caffeinated beverages?
“Sometimes, there will be signs posted that forbid the use of tobacco products. So, I show up with a coffee cup – with a lid – and overtly show everyone that I drink coffee. I mingle, sit in on working groups, I want everyone to recognize I am a coffee drinker. Later, when the time is right, I go away and put in a dip and return with my coffee cup and lid.”
“For me, and I hate to admit this, I cannot do effective military planning without my nicotine, especially if we are doing 12+ hour sessions. If I show up with the regular observable indicators of a dipper of snuff, then I am at risk of getting busted.”
I interrupted, “You mean like Major Sweet, that Marine that walks around everywhere with that old, worn-out, plastic Ozarka water bottle full of spit juice?”
“Yep, exactly!” Books said. “He is never a happy camper when the anti-tobacconists ask him to leave.”
Books continued, “And speaking of the anti-tobacconists, the next part of my analysis of this “threat” – still taking advantage of showing up early – is to scope out the room where we will be planning and find the optimum location to sit and be out of easy purview of the folks looking for dippers.”
“Like where we’re sitting in the conference room today?” I asked.
“You’re catching on, JP4, you’re catching on.”
“But I never see you spit in there!” I charged.
“Ha! You don’t know when to look. Or rather, I know the times when the “bad guys” aren’t looking. Like during slide transitions or when someone asks a question. Their “collection capabilities” are diverted elsewhere and I take advantage of the moment.”
I was still somewhat puzzled. “Okay, so what does this have to do with OPSEC?”
“I’m getting there,” Books responded. “In the grand scheme of things, Major Sweet takes a risk of getting caught, or better yet, doesn’t acknowledge the vulnerability his observable indicators create nor does he appreciate the risk of being seen by the anti-tobacconists. You would probably agree with me that his risk would be rated as HIGH.”
“I, on the other hand, take simple, cost effective mitigation measures to protect my indicators based on a current and thorough threat analysis.”
“The same thing goes for OPSEC planning. If you can get in on the planning early, and see where the plan is headed, you can then take measures and assign tasks far enough in advance to effectively mitigate indicators that reveal friendly intent, capabilities, timing, etc.” “If you show up late to the planning effort, OR, if you get the proverbial request to sprinkle some OPSEC fairy dust on the plan at the last minute, you’re out of position to make anything happen and the bad guys will pick up on the indicators.”
“We know the bad guys look for changes in our routines. We need time to adjust events to keep routines from highlighting what we are up to and you can’t just simply do that on the eve of the operation and you definitely can’t do it after the fact.”
“If I walk in on the last day of planning, I won’t be able to get an optimum seat; all eyes will be on me; and I will either have to go with just drinking coffee or…”
“Or take the risk and just go about with your nasty habit ala Major Sweet,” I imparted. “I think I’m getting it now…so if a plan depended on moving a specific unit out of a particular location, say using C-17s…”
It was Books’ turn to interrupt now, “And the only time C-17s showed up was to move that unit, then that would be a huge indicator. That is unless you set up “random” C-17 flights earlier in the timeline, prior to actual execution.”
“That kind of sounds like a military deception plan to me,” I said.
“Is it?” Books asked.
After a pregnant pause, he continued. “Remember the definition of MILDEC, and who the target audience is. OPSEC has a much broader target audience, and in your example we are not doing it necessarily to cause someone to take, or not take, action. However, you do bring up a valid point; and I must add that I am impressed with the way you think.”
“We can talk the finer points of MILDEC planning and execution later, but in a way you’re correct because OPSEC can use MILDEC as a mitigator to help make it harder for the bad guys to find the real indicators. I guess it really depends who initiates the task and if it was tasked as part of a larger MILDEC plan.”
“You can also kind of make the same correlation with Electronic Warfare and conditioning jamming before an operation. Is that MILDEC? Or is it OPSEC? The EW planner would tell you he is just being the consummate EW professional. Either way, it goes to not highlighting a routine that would give something away to the bad guys. I would like to think that a good OPSEC planner that got in on the planning early would be in a good position to help that EW guy and that deceptionist mitigate those kind of things.”
“Okay, okay, I get it,” I said. But I still had a few more questions.
“Books, I have to ask; why is the lid so important?”
Books smiled as he took another spit. “Cost effective mitigation to overhead surveillance – passersby to you JP4 – plus it doubles as a safety device. I wouldn’t want this to spill. I do have some couth you know!”
“Good point,” I replied. “But is there a tie in with snuff and the Critical Information List? Does dipping itself make you a better OPSEC planner?”
About this time Chilly Mac walked into the break room. Books noticed him before I did and slowly turned to avoid any eye contact with him.
Sensing his desire to stay clear of Chilly Mac, Books softly spoke, “Let’s get back into the conference room. We can talk about Critical Information on the next break.”
Don Sidro
The Godfather of OPSEC
Keep the Faith!
Revelator
Posted in Indicators, OPSEC Plans, Planning
21 July 2009 by Revelator.
In yesterday’s blog I listed a series of questions that I had hoped to have answered once I received my security clearance. I also stated that I didn’t ever get the answers to most of those. Well, it turns out that one of my faithful readers actually has the answers and is kind enough to share them with the rest of us. Because of the nature of the information and the sensitivity of the sources I cannot provide his/her name - suffice to say that he/she is known to many of you. Enjoy…
Revelator: Hope this helps…
Who really killed Kennedy?
- LBJ.
Did we land on the moon or was that all filmed in a soundstage in Burbank?
- We landed. MythBusters just proved it last night.
What is really going on in Area 51?
- It’s part of the current ‘Air Force Partying System’ - the Air Force had too many wild parties and broke the stereo systems in Areas 1 thru 50.
Is Elvis still alive?
- Yes he is. I just asked him.
Is there really a Hangar 18 and/or a Project Bluebook?
- Yes. It’s between Hangars 17 and 19. Yes. It was a joke. Or joke book.
Is there actually a government warehouse for freaky secret stuff? And if so, is the Ark of the Covenant there?
- Yes. It’s called the Pentagon. And no - God has more sense than to leave his scribbled down notes with a bunch of idiots.
Just who/what the hell is/are the Illuminati?
- Started out as a bunch of free-thinkers in Bavaria circa 1776. Recent Wanna-be’s took the name and supposedly comprise the New World Order…good luck to them.
Are we alone?
- No. If you need proof, just call 555-1212.
Who are the “Nine Unknown Men?”
- No one knows. That’s why we call them ‘Unknown’. But I think at least one’s named ‘Bob’.
Do the Grays really exist - and if they are running the world shouldn’t they be doing a better job of it?
- Yes they do. And yes, they should be; they need all the help they can get. Please call 8675…309. Ask for ‘Jenny’.
What the hell is going on in the Bermuda Triangle - and if it’s so jacked up there why do boats and planes still go there?
- Scientists determined that it’s a weather thing. A confluence of location and jet streams. Boats still go there because of what they saw on either the Addams Family movie or Unsolved Mysteries.
Where is Sasquatch and why do we never see more than one at a time?
- He resides at the Holladay Park Plaza, a Portland, Ore. assisted living center. You never see more than one at a time because he’s the only one. He’s classified as a cryptid.
Was that really a weather balloon in Roswell?
- Yes. But they were inadvertently popped by a gang of extra-terrestrials who were subsequently shot down and dismembered by some angry scientists who were really counting on getting that weather data.
What’s up with Stonehenge?
- A grouping of really big rocks which are the property of the English Crown and not the reigning monarch. It’s a place of burial; a domain of the dead.
And what about the Nazca Lines in Peru? Is this “Chariots of the Gods” stuff true?
- Just animal doodles on a large scale. A precursor to crop circles.
- Of course it’s true. It’s how we got Energizer batteries and keep our razor blades sharp.
And now you know…the rest of the story.
Keep the Faith!
Revelator
Posted in BS, Critical Information, General OPSEC
20 July 2009 by Revelator.
Way back in 1978 I started the process for my Department of Defense security clearance. I’ve had this thing for about 32 years now so I’m fairly versed in how we handle, store, transmit, disseminate, and otherwise protect classified information. But I must say that as an 18-year-old waiting on my clearance I was pretty damn naive.
I actually thought that once I got my clearance I would be able to see all the Top Secret information the government had on file. I was pumped! I was finally gonna get the answers to some of the nagging questions that my government wouldn’t share with those so unfortunate as to not be cleared.
Here is my list of things I wanted to know:
Who really killed Kennedy?
Did we land on the moon or was that all filmed in a soundstage in Burbank?
What is really going on in Area 51?
Is Elvis still alive?
Is there really a Hangar 18 and/or a Project Bluebook?
Is there actually a government warehouse for freaky secret stuff? And if so, is the Ark of the Covenant there?
Just who/what the hell is/are the Illuminati?
Are we alone?
Who are the “Nine Unknown Men?”
Did Jesus have a wife?
Do the Greys really exist - and if they are running the world shouldn’t they be doing a better job of it?
Is Paul McCartney dead?
What the hell is going on in the Bermuda Triangle - and if it’s so jacked up there why do boats and planes still go there?
Where is Sasquatch and why do we never see more than one at a time?
Was that really a weather balloon in Roswell?
What’s up with Stonehenge?
Is Yoko Ono the Antichrist?
And what about the Nazca Lines in Peru? Is this “Chariots of the Gods” stuff true?
As you may know, or certainly must have guessed, I didn’t find the answers I was seeking once I got my clearance. Well, that’s not entirely true…I have been to Area 51 (didn’t see one stinking alien) and it looks like Paul is alive and well and I’m pretty sure Yoko Ono is not the Antichrist though I have no evidence to back that up either way. But the fact remains that once I got my clearance there was very little classified information that the government would let me get my hands on.
For those of you who have never had a clearance you may be asking why this is; three simple words - Need To Know. I didn’t have the Need to Know any of the information I was seeking (if it even exists - which I doubt).
Most of us understand and properly use Need to Know when dealing with classified information but I ask you now - how are you with unclassified information? Do you still apply Need to Know principles when someone asks you for unclassified sensitive or critical information? If someone you work with were to ask you to let them read a “For Official Use Only” document would you give it to them without much thought?
Sadly, most of us would. I mean, it’s unclassified for Heaven’s sake. If it was worthy of protection someone would have made it classified, wouldn’t they? And therein lies our problem. A good number of us don’t really think anything unclassified requires any type of protection. Well, if that were true may I be so bold as to suggest that we don’t need OPSEC.
If we’re not going to bother seeing “For Official Use Only” or “Sensitive But Unclassified” or “Unclassified Controlled Nuclear Information” or “Law Enforcement Sensitive” or “Sensitive Homeland Security Information” or “Administratively Controlled Information” or “Security Sensitive Information” or “Critical Infrastructure Information” or “Personally Identifiable Information” or “Controlled Unclassified Information” as information requiring protection then why bother with any of these identifiers?
Back to the point: Need to Know needs to be applied to unclassified sensitive information (in all its forms) in the same way we apply it to classified information. If coworkers Bob or Janet want to see that “For Official Use Only” document then you need to verify that they have a Need to Know the information - that they need this information to do their job. And if you can’t verify that then you can’t let Bob or Janet see the information.
Pretty simple really.
And I hate to be the one to break this to you but yeah…Elvis is dead. Sorry man.
Keep the Faith!
Revelator
“I Am The Walrus” - The Beatles
Posted in Critical Information, General OPSEC
23 December 2008 by Revelator.
It’s Christmas time again and instead of thinking about what presents to buy all I can think about is our military forces overseas. Spending the holidays defending your country is a supremely righteous thing to do and deserves the utmost respect from your fellow countrymen and women. But I can’t help but picture some 20 year old G.I. manning his post thinking about his family and wishing he was 10 years old again. Ten years old and sitting wide awake in bed on Christmas morning wondering if it’s still too early to wake up Mom and Dad so he can get to that tree and rip open all those presents with his name on them. How does he deal with that memory and still do his job of keeping us free?
And I think about that mom out there escorting a convoy on Christmas day… How does she do what her country has asked her to do knowing that she won’t be there when her kids wake up to see what Santa brought them?
And I ask myself; Where do we get these Soldiers, Sailors, Airmen and Marines who volunteer to protect this country in such dangerous times? I signed up in 1978 during a time of peace and retired in 2000 without suffering any damage. If I were 18 today could I still make such a commitment? I honestly don’t know - but I thank God that there are fellow countrymen and women out there who will.
Every year about this time that poem about the lone G.I. standing his watch in the snow on Christmas Eve (and every other day) circulates and every year I read it and every year I get somewhat emotional about it. There are many versions of this poem but I’m gonna share just part of the one credited to Lance Corporal James M. Schmidt, USMC, written in 1986. When you’re done reading this please say a prayer for all those vigilantly guarding our freedoms in faraway lands.
The Very Thought
Brought A Tear To My Eye,
I Dropped To My Knees
And Started To Cry.
The Soldier Awakened
And I Heard A Rough Voice,
“Santa Don’t Cry,
This Life Is My Choice;
I Fight For Freedom,
I Don’t Ask For More,
My Life Is My God,
My Country, My Corps.”
Keep the Faith!
Revelator
Posted in Uncategorized
5 December 2008 by Revelator.
Regular readers of this blog may remember that I went on quite a rant some time ago about what some are passing off as fortune cookies. You know the ones; you open it and the words inside are not a fortune but some lame quote or some insight about you, the cookie eater.
Well - here’s the latest “fortune” I received: “You have a flair for adding a fanciful dimension to any story.”
Ladies and gentlemen this is NOT a fortune - it’s a statement! And not even a true statement. Reread it and I’ll explain: “You have a flair for adding a fanciful dimension to any story.” Did you get it that time? No? Well then allow me to put this into plain English for you - “You are a liar.” That is what this “fortune” told me…I am a liar. I mean, what else would you call someone who has the ability to add fanciful dimensions to a story? That’s right - you call that person a liar.
So not only did I not get a fortune from my fortune cookie (again) the damn thing called me a liar. At least it said I have a “flair” for it so presumably I’m a good liar - so I got that going for me…which is nice.
Keep the Faith!
Revelator
Voodoo Child (Slight Return) - Jimi Hendrix
Posted in BS
5 December 2008 by Revelator.
SIGINT (n) - intelligence information gathered from communications intelligence or electronics intelligence or telemetry intelligence.
COMINT (n) - technical and intelligence information derived from foreign communications by other than the intended recipients.
IGNORINT (n) - intelligence gathered by the direct exploitation of stupid people.
If you will grant that the biggest threat to the information you are trying to protect is the unintentional insider then you have to agree that IGNORINT collection is the biggest threat to the security of your operations. And yes, I know there is a difference between ignorance and stupidity but in the final analysis IGNORINT exploits both so I’m not going to split hairs.
Whether the information is lost because of one person’s inability to think beyond a third grade level or because the person wasn’t properly briefed doesn’t matter to the IGNORINT collector. And when it comes right down to it many properly trained and briefed individuals will let stupid override their training when put to the test. For example, otherwise intelligent and security savvy men seem to zoom right to stupid when confronted with a beautiful woman or large quantities of alcohol. And if you combine stupid-inducing amounts of alcohol with a friendly female then you have the perfect storm for IGNORINT collectors.
But don’t let me mislead you - many of us can call up stupid at will even without the aid of alcohol or other stupid-inducing products or situations and therein lies the problem. IGNORINT collectors know this and are available to exploit this known weakness at a moment’s notice. Whether it’s picking up our discarded trash, or collecting a ton or two of recycled whole white paper, or hanging out at the local watering hole, or listening to a speech at a professional symposium, or exploiting personal blogs, or…well, you get the point. We just give so much away that it blows my mind sometimes.
Humans as a species are designed to make mistakes and consistently do things that are generally considered not that bright. But what are we to do about it? Well, if you’re looking for The Revelator to enlighten you then you just might be in for a long wait. About all you can do is acknowledge this vulnerability and fight against it in any way you can. Good luck with that. And if you come up with a way to somehow defeat even a small amount of IGNORINT collection you let me know.
Keep the Faith!
Revelator
Chain of Fools - Aretha Franklin
Posted in Awareness, Vulnerabilities, Threat, General OPSEC
17 November 2008 by Revelator.
A lesson in indicators…
A man was shopping at his local supermarket where he selected one half-gallon of 2% milk, one carton of eggs, one quart of orange juice, one head of romaine lettuce, a small can of coffee, a package of bacon, a box of Band Aids and a bottle of unscented lotion.
As he was placing his items on the conveyor for check-out a beautiful woman standing behind him watched as he placed the items in front of the cashier. While the cashier was ringing up his purchases, the woman calmly stated matter-of-factly, “You must be single.”
The man was a bit startled by her rather bold (yet correct) statement but he was also intrigued by the woman’s keen intuition and (with any luck) interest in him. So he smiled at her and then looked at the items on the belt and saw nothing particularly unusual about his selections that could have given away his single status to this increasingly hot woman.
At this point curiosity (and lust if truth be told) got the better of him and he said: “Well, you know what? You are absolutely correct. But how on earth did you know that I was single?”
The woman replied, “Cause you’re ugly.”
So, what is the lesson here?
Simple - beautiful women do not pick up single 40-ish men in the supermarket.
But what is the OPSEC lesson here?
There isn’t one. Sometimes life just sucks.
Keep the Faith!
Revelator
“No Woman, No Cry” - Bob Marley and the Wailers
Posted in BS, General OPSEC
28 October 2008 by Revelator.
For years I’ve been trying to work this song into one of my presentations at the National OPSEC Conference but I haven’t had any luck yet. Unfortunately, the draft of the 2009 speech doesn’t look good for it either so I’m gonna see if I can do something with it here in this forum. It’s such a kick-ass song I have to do something with it - if for no other reason than to honor Billy Paul and the song that made him an R&B Icon. So it is finally time that we look at this song from an OPSEC perspective…
Me and Mrs. Jones
We got a thing goin’ on - Critical Information List item # 1 “Knowledge of an Affair.”
We both know that it’s wrong - CIL item # 2 “Personnel Vulnerabilities.”
But it’s much too strong to let it go now - CIL item # 3 “Operational Commitment to Objective.”
We meet every day at the same café - Huge vulnerability.
Six-thirty and no one knows she’ll be there - Oh, they know Dude - they know.
Holding hands, making all kinds of plans - OPSEC Cardinal rule # 1 – Don’t talk shop in public.
While the juke box plays our favorite songs - An extra indicator for those blind agents out there who are only going on sound and were too far away to hear them “making all kinds of plans.”
Me and Mrs. Jones - On the plus side, her real name is Mary Smith.
We got a thing goin’ on - Not for long if Dude and “Mrs. Jones” don’t start using OPSEC.
We both know that it’s wrong
But it’s much too strong
To let it go now
We gotta be extra careful - See? Some people just talk OPSEC without actually using it.
That we don’t build our hopes up too high - At this rate Dude, you’ll never get to that promised land.
Because she’s got her own obligations
And so, and so, do I - Even though he is “talking around” the subject it would be easy for a trained analyst to decipher. For example “Obligation” translates to “husband and seven kids.”
Me and Mrs. Jones
We got a thing goin’ on - Oh, now he’s just getting cocky. And can’t we assume he is singing this to a friend? A friend perhaps without a “need to know?”
We both know that it’s wrong - Trust me, when you know it’s wrong you really, really need to lay some OPSEC on it.
But it’s much too strong
To let it go now
Well it’s time for us to be leaving - Seriously? More stereotyped activities?
It hurts so much, it hurts so much inside - Your enemy is about to walk in and make it hurt on the outside Dude.
Now she’ll go her way and I’ll go mine - Anyone wanna bet they take the same route home every day?
Tomorrow we’ll meet - At a new place? A new time? No juke box? No talking about plans?
The same place, the same time - Figures – some people just never learn.
Me and Mrs. Jones
We got a thing goin’ on
We both know that it’s wrong
But it’s much too strong
To let it go now
Epilog: It seems that “Mr. Jones” was cheating on “Mrs. Jones” also and couldn’t care less about her and Dude. He knew about it of course – EVERYONE knew about it…but no one cared. You see, “Mr. Jones” was “Mrs. Jones’s” 5th husband. “Mrs. Jones” had seven kids, had done time in Joliet on several Domestic Abuse and Fraud charges and three of her husbands had passed away under suspicious circumstances. So, uh…no – “Mr. Jones” was pretty cool with “Mrs. Jones” doing Dude every day at the café. Three days later Dude disappeared never to be heard from again. This brings me to something I’ve said all along…the biggest threat to your security is the insider threat.
Keep the Faith!
Revelator
Me and Mrs. Jones – Billy Paul
Posted in Uncategorized
17 October 2008 by Revelator.
Try this on for size: Us OPSECers are a bunch of paranoid freaks who run around trying to convince the world that the sky would fall if it wasn’t for our magic potion.
Don’t laugh and don’t get defensive - people do say this about us. Don’t believe me? Let me give you a hint of what we sound like sometimes:
Protect this!
Secure this!
You can’t do that!
You must do this!
Listen to me!
Come to my briefing!
THINK OPSEC! THINK OPSEC! THINK OPSEC!
If you don’t use OPSEC the world will come to an end in a horrible way and the remaining survivors will blame you and then burn you alive and then trade your baseball card collection for the June 1975 issue of OUI Magazine.
If you don’t use OPSEC you will personally lose the war but you’ll be around right up till the end and then you’ll get yours too - right in your grill - just like Kimbo Slice (except that you will actually be hit and will most likely die).
If you don’t use OPSEC the competition will beat you to the shelves and your company will go bankrupt and you will be out of a job, the heel on your new too-small-for-your-big-feet Manolo’s will break, your husband will leave you for a successful toy manufacturer and then the economy will crash because you are a weak and worthless person.
If you don’t use OPSEC your identity will be stolen and your personal life will come crashing down around you. Your wife will leave you and your kids will hate you with a white-hot passion that will drive them to become lawyers and sue you for abandonment.
If you don’t use OPSEC your house will be broken into while you are on that two-week vacation and while in your house bad guys will put fish and Cheez Whiz in places you won’t be able to find them until it is much too late and on that exact date your in-laws will arrive unexpectedly for a three-week stay.
If you don’t use OPSEC Freddy Krueger will haunt your dreams… “1, 2, Freddy’s coming for you. 3, 4, you better lock your door. 5, 6, grab your crucifix. 7, 8, stay up late. 9, 10, never sleep again.”
If you don’t use OPSEC bad guys will steal your PIN and take all your money and spend it on loose women, MadDog 20/20 and gambling - and not that good gambling you see on TV but that bad degenerate gambling that has no respect for the viewing audience.
If you don’t attend annual OPSEC training you are destined to be a high security risk for your unit/company. Everyone will hate you and you will hiccup for 4 years straight.
You need to understand that this is exactly how some of us come off. You can’t scare people into using OPSEC. But you may be able to convince them that OPSEC can be a force multiplier, can raise survival rates and can be incorporated into an operations or business plan without hurting the operation itself.
And if you can convince someone that lives and/or money can be saved…well then - you won’t have to try to scare them with threats, voodoo or your magic potion.
Keep the Faith!
Revelator
Won’t Get Fooled Again - The Who
Posted in Family OPSEC, General OPSEC
9 October 2008 by Revelator.
Excerpt from an article I recently read: “Organizations are shifting their focus to the threat posed by insiders and turning their attention to training and data protection, according to a recently released survey. The 2008 Global Information Security Workforce Study, conducted by analyst firm Frost and Sullivan for certification organization (ISC)2, surveyed 7,548 information security professionals worldwide. 51% of respondents said internal employees pose the biggest threat to their organizations. The finding represents an ongoing trend in the past two to three years, as the numbers of remote workers and portable storage devices have jumped in the enterprise, said Frost & Sullivan’s network security industry manager. ‘That increases the chance of something happening, whether it’s malicious employees or just someone with good intentions but walks out of the building with data so they can work at home,’ he said. The findings are supported by Information Security’s Priorities 2008 survey, in which 70% of participants said they are worried about detecting and thwarting internal attacks.”
‘Bout time people start understanding what us OPSEC Professionals have known for quite a long time - unless you are in battle (and sometimes even then), the internal threat is the biggest threat to your organization. I wrote a blog entry on 30 May titled “Welcome to the Jungle” that spoke to this very thing.
From my perspective this isn’t an on-going trend from the past 2 or 3 years - it’s an on-going trend period. And it will never stop. Certainly advancing technology has made it easier for the malicious insider to cause harm but it has also made it easier for our biggest threat - the unintentional insider - to screw up and cause harm. Whether through ignorance, laziness, or simple lack of caring, the unintentional insider is the single most devastating threat to your organization. You can attempt to counter this with an aggressive awareness program and constant employee vigilance within the organization but the threat will remain. Understanding is half the battle - now act on this understanding.
Keep the Faith!
Revelator
Insider - Tom Petty and The Heartbreakers
Sample “Insider” lyrics…
It’s a circle of deception
It’s a hall of strangers
It’s a cage without a key
You can feel the danger
And I’m the one who oughta know
I’m the one you couldn’t trust
Yeah I’m the lonely silent one
I’m the one left in the dust
Posted in Threat, Media, Program Management, General OPSEC
9 October 2008 by Revelator.
Here are the titles of some articles I’ve come across lately. I haven’t included the full content of the articles but I think that, just based on the titles, you’ll see why I’m a bit concerned…
“Internet Flaw Could Let Hackers Take Over The Web” - I think that if this is true they might not want to detail how this could actually happen - which they did. Yeah, the article spoke very specifically about exactly what the flaw was and how to exploit it. Cool, huh?
“Airports Vulnerable to Attack” - I suspect we all agree that yes, there are still some vulnerabilities that reality and budget constraints won’t allow us to directly address, but this article explained how our airports were vulnerable and how bad guys could exploit these vulnerabilities.
“Billions More Needed to Secure U.S. Embassies” - Well then, please tell me what we need to spend this money on exactly and further I would like to know how not having these things can immediately put these embassies at risk. And while you’re at it go ahead and tell me which embassies are the most vulnerable so I don’t waste my time trying to blow up the wrong one. Anybody want to guess if the article actually did this?
“Research Reveals Patterns of Terrorist Preparation” - While, as a citizen, I am very happy that our law enforcement agencies have found patterns that may tip them off to terrorist activities, I am not real happy that we told the terrorists this. Seems to me that Terry Terrorist might begin to change his/her tactics and prepare for their activities in a whole new way thereby negating the intelligence advantage we had until this article came out.
Folks, I’m no arbiter of what is right or wrong to put into print and I have no educational background to argue the public’s “right to know” but as an OPSEC Professional it just seems to me that we are making waaaaaaaaaaaaaaaaaaaaaaaaaaaaay too much sensitive information available. For those of you out there actively practicing OPSEC, this is just one of the reasons you need to do Open Source searches on your own organization. It’s always good to know what the bad guy already knows about you - then you can focus your protection efforts on what is not known and you can also be proactive about dealing with what is known about your organization, mission or specific activities.
Keep the Faith!
Revelator
Bring The Noise - Public Enemy
Posted in WWW, Media