1. August 2008 by Revelator.
Every organization I’ve ever assessed, military or civilian, spent an inordinate amount of time, money, manpower and resources protecting information that had already been compromised. I know it doesn’t make a lot of sense but here’s one way this happens. An organization has an outdated Critical Information List (CIL) - or one stolen from another…did I say “stolen”? I meant benchmarked. So they have a “benchmarked” CIL from another organization - either way, they find themselves (quite unwittingly) with a bad CIL. And then they go about trying to protect all the information on the CIL without giving any thought to the reality of the situation and they’re wasting time, money, manpower and resources.
But how do you know truly what is already known about your company or military organization? Get, or perform yourself, an Open Source assessment of your own organization. Start by looking in the mirror - cuz baby, you ain’t seen nothing yet if you haven’t done this. That’s right, start with looking at your own web sites. I’ve seen a lot of corporate (and military for some unknown reason) CILs that list items that are readily available on their web site. And I’ve got to ask: “Why are you telling your people to protect what is already available in open source?”
Now, civilian corporations are going to have a tough time with this because if you don’t advertise your products and capabilities you will lose customers. You’ve got to deal with your marketing and advertising departments don’t you? Yep - that’s a tough one.
I’ve sat in a number of assessment in-briefs where I’ve been told that the information I was about to receive was company proprietary and shouldn’t be talked about outside of the company and then they show me the exact information that I saw when I looked at their web site the night before! At this point, very early in the assessment process, it starts to get painful for them - this realization that we couldn’t get through the in-brief without highlighting a significant security concern.
So, whattaya gonna do now? Well, after you finish your Open Source assessment you most likely will need to rewrite your CIL so that it concentrates on protecting your truly sensitive or critical information that has yet to be compromised.
Can we hide that a military unit is deploying? Probably not. But can we protect where that unit is going and how long they anticipate being there? When hundreds of pizzas start showing up at the Pentagon (or we keep the food court operating 24/7) can we deny that something is going on somewhere? No, but we can protect exactly what is going on and where it just might be happening. When a car company is developing a new model can they hide that this new model is coming out soon? Probably not. But we can paint the car in weird ways and add some plastic molding so that competing car companies won’t get any good pictures of the car. Can we totally protect that we’re holding contract discussions with another company? Most likely not, but we can protect exactly what that contract will be for and how much it’s going to cost and how long it’s going to last. Was Henry Ford II able to protect the fact that the Edsel was coming out? No way. But did he protect the design? Absolutely not! You’ve seen the car - there was no reason to protect the design. Same goes for the Pacer, the Gremlin and the Reliant K. Focus here folks…
Spend your time, money, manpower and valuable resources protecting what isn’t already known.
Keep the Faith!
Revelator
You Ain’t Seen Nothing Yet - Bachman-Turner Overdrive
Posted in Critical Information Lists, Assessments/Surveys
20. May 2008 by Revelator.
Q: How much money does a full-time OPSEC manager make annually?
A: It’s not about the money you self-serving SOB.
Q: Which really comes first; Critical Information Identification or Threat Analysis?
A: Some say OPSEC is an iterative process and you can do whatever step in the process whenever the hell it feels right. Others would argue that if you don’t have a threat then who cares what your critical information is. But for me - Saint Ron (Pres Reagan) listed CI identification first and that’s good enough for me.
Q: What is the best way to get leadership support for my OPSEC program?
A: There is no “best” way but here are some suggestions: begging, bribery, coercion, blackmail, threats, acid filled water pistol, doctored photos, water-boarding, repeated viewing of Molly Shannon skits from Saturday Night Live. Folks, I really don’t have a solid answer for this one. Sometimes you just get lucky and have leadership that understands OPSEC and its importance to the mission. Other OPSEC Managers are just real good salesmen who convince management of the need for OPSEC. If any of you out there have a good idea or war story please click the comment link and I’ll get it to the masses.
Q: OPSEC says to avoid stereotyped activities but there is validity in the thought that if it worked once it will work again. So isn’t OPSEC really saying that even though it worked once we really want you to try something different that may or may not work? And isn’t this harmful to the potential success of the mission?
A: Helluva question. I’ll leave this one to the readers to respond to - come on folks - send me your responses.
Q: Why do all the posters tell me to “Think” OPSEC? Wouldn’t it be better if I “Acted” OPSEC?
A: Clearly. “Thinking” something is great only if there is an action tied to the thought. Why just the other day I “thought” drive the speed limit - but I didn’t actually drive the speed limit so what good was thinking it? This morning I “thought” diet and then had four biscuits with about a quart of gravy. And come Friday evening I’m pretty sure I’m gonna “think” about not having that next beer - I think y’all can tell where this is going. Thinking OPSEC must be followed by performing some act of OPSEC.
Now I know that many of you have serious OPSEC questions. This entry is just my way of getting the ball rolling. If you have ANY questions about OPSEC that you would like answered please send them to me. We’ll treat them seriously and try to get some good answers for you. Of course we’ll also accept those sent in a humorous vein and do our best to respond in kind.
Keep the Faith!
Revelator
Posted in Awareness, Leadership Support, Countermeasures, Threat, Critical Information Lists