31. August 2009 by Revelator.

From CNET News.com written by Elinor Mills:

“Here’s either a cautionary tale or an example of social-media paranoia. An Arizona man believes that his Twitter messages about going out of town led to a burglary at his home while he was away.

Personally, I don’t think it’s a good idea to advertise to the world that your home will be unoccupied for a period of time. I also don’t think it’s necessary to reveal too many other personal details on social media sites that could be used for identity fraud, like your birth date.”

A number of thoughts some to mind:
1. Yeah, that was stupid. People are putting waaaaaaaaaaaaaaay too much on social networking sites. But then we know that already don’t we? Which leads me to my second thought…

2. Most OPSEC professionals, even part-timers, have known this for quite some time now so I have to ask; are we just horrible at spreading the word or are people not listening? Personally, I think it’s both. Awareness is the key here and while some are doing a pretty decent job the majority of us are not. And yeah, I know, why waste the time when you just know people aren’t going to listen to you either way. That’s tough to overcome but you just have to Keep the Faith! and press on.

3. Was it just the tweets or did dude possibly not consider OPSEC and basic security prior to leaving on vacation? We’ve all done the “so you’re going on vacation for two weeks how do you protect your home while you’re away” exercise. (if you haven’t let me know - I’ll send it to you). I suspect he didn’t arrange to deal with his mail, newspaper, growing grass, lights, etc while he was away and just got nabbed by bad guys who know what to look for.

Your fellow employees are counting on us OPSEC and Security professionals to keep them informed and protected. Do your best to inform them and with any luck they can protect themselves.

Keep the Faith!
Revelator

Everything Is Broken - Bob Dylan

Posted in Awareness, Indicators, Countermeasures, Risk, WWW, Threat, Family OPSEC | Print | No Comments »

30. May 2008 by Revelator.

     Firewall and system probing, Network File Systems application attacks, email attacks, vendor default password attacks, spoofing, sniffing, fragmentation and splicing attacks.  Where will it all end?  Since this is clearly our biggest security concern why can’t we fix it?  Why aren’t we throwing all our money, manpower and technical abilities at this problem?  Computer crimes cost us $32 million is 2006.  Boy, I’ll tell you what - somebody better do something quick.  Unless the computer isn’t our biggest security concern…

     But if (as I imply) the computer isn’t the biggest threat to the security of our organization or mission, then what is?  Here’s a clue - look above.  Didn’t you read all that stuff in the first paragraph?  Of course the computer is the biggest threat to the security of your organization/mission.  Or is it…

     Well, duh.  The computer and it’s evil spawn the INTERNET is just teeming with demon hackers who are trying to either crash or rape your system every minute of every day.  It’s all over the news!  Technology is killing security.  Punks who were born with Playskool See-n-Hack starter laptop kits are wreaking havoc all over the technosphere.  What’s an OPSEC Program Manager to do?  Hell, you’re not the IT Security dude.  You know nothing of firewalls routers and DMZ’s.  Face it partner - you’re screwed.  Unless…I mean, unless the computer is not the biggest threat to the security of your organization/mission…

    And here we are again.  What is, and will remain, the biggest threat to security in your organization is the person in the next cubicle, or the next stall, or the next chair, or sitting across from you at lunch asking you to pass the pink or yellow stuff that really isn’t sugar but will kill you just as fast.  Humans…whattaya gonna do?

     I can’t count the number of times I’ve been allowed into “secure” facilities by people who should have known better.  And you would be surprised how many buildings you can waltz right through when you’re wearing a UPS uniform and carrying a couple of boxes.  You can have the best physical security money can buy for your building but if smokers leave the back door propped open for convenience…establish a great password policy but if your people write their passwords down…carefully screen all information you put on your web page but if Marketing feels the need to publicize…

     The old saying is that we spend 80% of our security money protecting ourselves from outside threats while, in truth, 80% of our threat comes from within your own organization.  The next time you head over to the fridge to see if anyone has left a Klondike bar without a name on it take a look around - you are surrounded by people who will unmaliciously give away sensitive information at the drop of a hat.  They don’t mean to by the way.  They just haven’t been properly educated about how NOT to inadvertently give away sensitive and critical information.  That’s your job - now get to it!

Keep the Faith!

Revelator

Posted in Risk, Countermeasures, Critical Information, Vulnerabilities, Threat, Program Management, WWW, Computer Intrusions | Print | 2 Comments »

20. May 2008 by Revelator.

Q:  How much money does a full-time OPSEC manager make annually?

A:  It’s not about the money you self-serving SOB.

Q:  Which really comes first; Critical Information Identification or Threat Analysis?

A:  Some say OPSEC is an iterative process and you can do whatever step in the process whenever the hell it feels right.  Others would argue that if you don’t have a threat then who cares what your critical information is.  But for me - Saint Ron (Pres Reagan) listed CI identification first and that’s good enough for me.

Q:  What is the best way to get leadership support for my OPSEC program?

A:  There is no “best” way but here are some suggestions: begging, bribery, coercion, blackmail, threats, acid filled water pistol, doctored photos, water-boarding, repeated viewing of Molly Shannon skits from Saturday Night Live.  Folks, I really don’t have a solid answer for this one.  Some times you just get lucky and have leadership that understands OPSEC and its importance to the mission.  Other OPSEC Managers are just real good salesmen who convince management of the need for OPSEC.  If any of you out there have a good idea or war story please click the comment link and I’ll get it to the masses.

Q:  OPSEC says to avoid stereotyped activities but there is validity in the thought that if it worked once it will work again.  So isn’t OPSEC really saying that even though it worked once we really want you to try something different that may or may not work?  And isn’t this harmful to the potential success of the mission?

A:  Helluva question.  I’ll leave this one to the readers to respond to - come on folks - send me your responses.

Q:  Why do all the posters tell me to “Think” OPSEC?  Wouldn’t it better if I “Acted” OPSEC? 

A:  Clearly.  “Thinking” something is great only of there is an action tied to the thought.  Why just the other day I “thought” drive the speed limit - but I didn’t actually drive the speed limit so what good was thinking it?  This morning I “thought” diet and then had four biscuits with about a quart of gravy.  And come Friday evening I’m pretty sure I’m gonna “think” about not having that next beer - I think y’all can tell where this is going.  Thinking OPSEC must be followed by performing some act of OPSEC.

Now I know that many of you have serious OPSEC questions.  This entry is just my way of getting the ball rolling.  If you have ANY questions about OPSEC that you would like answered please send them to me.  We’ll treat them seriously and try to get some good answers for you.  Of course we’ll also accept those sent in a humorous vain and do our best to respond in kind.

Keep the Faith!

Revelator

Posted in Awareness, Leadership Support, Countermeasures, Threat, Critical Information Lists | Print | 2 Comments »

15. May 2008 by Revelator.

     Everything is affected by OPSEC.  I say again, EVERYTHING is affected by OPSEC!  Just think about it.  The basic premise of OPSEC is that we’re trying to protect some…thing.  Be that information, physical possessions, or ourselves.  Whether we’re at work or at play.  So we unconsciously fill our daily lives chock full of countermeasures to the myriad of threats constantly raining down on us.  We wear sun block - we use unlisted telephone numbers - we lock our doors - we wear seat belts - we monitor our kids online activities - we wear girdles and butt-shapers - we have curfews for our children - we wear hairpieces and toupee’s and wigs and extensions - we make sure our hotel room isn’t on the ground floor - we dress our kids in full body armor so they can go ride their bikes, and we use industrial size shredders at home.

     Countermeasures are everywhere!  OPSEC is everywhere!  For the next minute or so I want you to try to come up with an example of an area of your mission or your business that isn’t affected by OPSEC.  At the risk of being redundant - everything in your organization is affected by OPSEC.  Financial, personnel, admin, ops, logistics, maintenance, Human Resources, contracting, supply.  From the Administrative Specialist you just hired to your CEO - from the lowest ranking enlisted member to your commander - from the number of cars in your parking lot to the sites you visit on the INTERNET - from your recall roster to that emergency supply order form - from contract rumors to merger scuttlebutt - it is all affected by OPSEC.  Or more to the point - by a lack of OPSEC.

     Go ahead - I dare you.  Think of something right now that isn’t affected by OPSEC.  When you think you’ve got one, click on the comments link and let the rest of us know.

Keep the Faith!

Revelator

Posted in Countermeasures, Risk | Print | 2 Comments »