Archive for the General OPSEC Category

No Woman, No Cry

A lesson in indicators…

A man was shopping at his local supermarket where he selected one half-gallon of 2% milk, one carton of eggs, one quart of orange juice, one head of romaine lettuce, a small can of coffee, a package of bacon, a box of Band-Aids and a bottle of unscented lotion.

As he was placing his items on the conveyor for check-out a beautiful woman standing behind him watched as he placed the items in front of the cashier. While the cashier was ringing up his purchases, the woman calmly stated matter-of-factly, “You must be single.”

The man was a bit startled by her rather bold (yet correct) statement but he was also intrigued by the woman’s keen intuition and (with any luck) interest in him. So he smiled at her and then looked at the items on the belt and saw nothing particularly unusual about his selections that could have given away his single status to this increasingly hot woman.

At this point curiosity (and lust, if truth be told) got the better of him and he said: “Well, you know what? You are absolutely correct. But how on earth did you know that I was single?”
The woman replied, “Cause you’re ugly.”

So, what is the lesson here?
Simple - beautiful women do not pick up single 40-ish men in the supermarket.

But what is the OPSEC lesson here?
There isn’t one. Sometimes life just sucks.

Keep the Faith!
Revelator

“No Woman, No Cry” - Bob Marley and the Wailers

Won’t Get Fooled Again

Try this on for size: Us OPSECers are a bunch of paranoid freaks who run around trying to convince the world that the sky would fall if it wasn’t for our magic potion.
Don’t laugh and don’t get defensive - people do say this about us. Don’t believe me? Let me give you a hint of what we sound like sometimes:

Protect this!
Secure this!
You can’t do that!
You must do this!
Listen to me!
Come to my briefing!
THINK OPSEC! THINK OPSEC! THINK OPSEC!

If you don’t use OPSEC the world will come to an end in a horrible way and the remaining survivors will blame you and then burn you alive and then trade your baseball card collection for the June 1975 issue of OUI Magazine .

If you don’t use OPSEC you will personally lose the war but you’ll be around right up till the end and then you’ll get yours too - right in your grill - just like Kimbo Slice (except that you will actually be hit and will most likely die).

If you don’t use OPSEC the competition will beat you to the shelves and your company will go bankrupt and you will be out of a job, the heel on your new too-small-for-your-big-feet Manolo’s will break, your husband will leave you for a successful toy manufacturer and then the economy will crash because you are a weak and worthless person.

If you don’t use OPSEC your identity will be stolen and your personal life will come crashing down around you. Your wife will leave you and your kids will hate you with a white-hot passion that will drive them to become lawyers and sue you for abandonment.

If you don’t use OPSEC your house will be broken into while you are on that two-week vacation and while in your house bad guys will put fish and Cheez Whiz in places you won’t be able to find them until it is much too late and on that exact date your in-laws will arrive unexpectedly for a three-week stay.

If you don’t use OPSEC Freddy Krueger will haunt your dreams…”1,2, freddy’s coming for you.
3,4 you better lock your door. 5,6 grab your crucifix. 7,8, stay up late. 9, 10, never sleep again.”

If you don’t use OPSEC bad guys will steal your PIN and take all your money and spend it on loose women, MadDog 20/20 and gambling - and not that good gambling you see on TV but that bad degenerate gambling that has no respect for the viewing audience.

If you don’t attend annual OPSEC training you are destined to be a high security risk for your unit/company. Everyone will hate you and you will hiccup for 4 years straight.

You need to understand that this is exactly how some of us come off. You can’t scare people into using OPSEC. But you may be able to convince them that OPSEC can be a force multiplier, can raise survival rates and can be incorporated into an operations or business plan without hurting the operation itself.
And if you can convince someone that lives and/or money can be saved…well then - you won’t have to try to scare them with threats, voodoo or your magic potion.

Keep the Faith!
Revelator

Won’t Get Fooled Again - The Who

Bad Moon Rising

Folks I try to stay positive…I try to believe that those who should be protecting stuff are protecting that stuff. I try to avoid sarcasm as I write about certain aspects of security or OPSEC - but I lose the battle sometimes.
Case in point: Did you really think your personal information was protected?
Let me share something I read recently in the Washington Post:

“U.S. corporations, governments, and universities reported a record 516 consumer data breaches in the first nine months of this year, incidents prompted chiefly by hackers and employee theft. About 80 percent of the breaches involved digital records, while the remainder stemmed from the loss, theft or exposure of paper-based records. Some 30 million records on consumers have been exposed so far this year but there is currently no federal requirement for organizations that experience a data breach or loss to acknowledge precisely how many consumers nationwide may have been affected. More than 36 percent of the breaches so far this year have been at U.S. businesses, while educational institutions were the second most frequent source of incidents (21 percent).”

516 breaches - 30 million records exposed - 9 months - no reporting requirement

I am at a loss for words. Well, not actually a loss - many words are running through my mind. I just don’t want to put those words on this blog. This is just sick - I need a drink.

Keep the Faith! (even though it can be hard at times)
Revelator

Bad Moon Rising - Creedence Clearwater Revival

Insider

Excerpt from an article I recently read: “Organizations are shifting their focus to the threat posed by insiders and turning their attention to training and data protection, according to a recently released survey. The 2008 Global Information Security Workforce Study, conducted by analyst firm Frost and Sullivan for certification organization (ISC)2, surveyed 7,548 information security professionals worldwide. 51% of respondents said internal employees pose the biggest threat to their organizations. The finding represents an ongoing trend in the past two to three years, as the numbers of remote workers and portable storage devices have jumped in the enterprise, said Frost & Sullivan’s network security industry manager. ‘That increases the chance of something happening, whether it’s malicious employees or just someone with good intentions but walks out of the building with data so they can work at home,’ he said. The findings are supported by Information Security’s Priorities 2008 survey, in which 70% of participants said they are worried about detecting and thwarting internal attacks.”

‘Bout time people start understanding what us OPSEC Professionals have known for quite a long time - unless you are in battle (and sometimes even then), the internal threat is the biggest threat to your organization. I wrote a blog entry on 30 May titled “Welcome to the Jungle” that spoke to this very thing.

From my perspective this isn’t an on-going trend from the past 2 or 3 years - it’s an on-going trend, period. And it will never stop. Certainly advancing technology has made it easier for the malicious insider to cause harm, but it has also made it easier for our biggest threat - the unintentional insider - to screw up and cause harm. Whether through ignorance, laziness, or simple lack of caring, the unintentional insider is the single most devastating threat to your organization. You can attempt to counter this with an aggressive awareness program and constant employee vigilance within the organization, but the threat will remain. Understanding is half the battle - now act on this understanding.

Keep the Faith!
Revelator

Insider - Tom Petty and The Heartbreakers

Sample “Insider” lyrics…
It’s a circle of deception
It’s a hall of strangers
It’s a cage without a key
You can feel the danger
And I’m the one who oughta know
I’m the one you couldn’t trust
Yeah I’m the lonely silent one
I’m the one left in the dust

I Wanna Be Sedated

THE INAUGURAL QUADRENNIAL OPSEC ANVIL AWARDS

As I was preparing an award package for the National OPSEC Conference awards I got to thinking that it is pretty cool that our small community has an award program that recognizes people and programs that should be applauded and emulated. Recognizing personnel that have gone above and beyond what is expected is a great thing. Then I got to thinking that those who are performing below and behind should also be recognized as sterling examples of what not to do. With this in mind I give you the 2008 Inaugural Quadrennial OPSEC Anvil Awards.

The first person that comes to mind who deserves to have an OPSEC Anvil dropped on their head is: The dude who blasted out of the secure area without waiting for the door to said secure area to close behind him while I slipped in unnoticed and unescorted.

Our second award goes to: The lady on the airplane who just had to share her highly sensitive work for a government contractor with me.

Subsequent (though no less significant) anvils will be dropped on:

The person who left the uncleared visitor unescorted for an extended bathroom break.
The person who put the key in the STU-III but didn’t turn it.
The person who failed to erase sensitive information from the conference room white board.
The person who blogged deployment dates and locations.
The person talking about sensitive information on their cell phone in the cafeteria.
The person who emailed critical information to their home computer.
The person whose cell phone rang in the middle of a secure area.
The person who threw FOUO and Personal Privacy Information into the trash can.
The person whose badge was stolen from their unlocked car.
The person overheard complaining about security vulnerabilities over a beer at a local drinking establishment.
The person who shares everything with their uncleared spouse.
The person emailing successful mission tactics to all his buddies.
The person who will talk to anybody about anything while in the smoking area.
The Manager/Commander/Leader who says the word “OPSEC” but doesn’t really use it.

The list of nominees this year was quite exhaustive and, to tell you the truth, we ran out of OPSEC Anvils long before we ran out of people who deserve to be sedated by the “award.”
This year we need to learn from the mistakes noted above and make next year’s award list non-existent - or at least a whole lot shorter.

Keep the Faith!
Revelator

I Wanna Be Sedated - The Ramones

Enter Sandman

An excerpt from SCIENTIFIC AMERICAN magazine, May 1908 (that’s right, 1908 - 100 years ago…)

“Soon after the first reports were received regarding the flights being made by the Wright brothers in testing their aeroplane, a considerable number of newspaper correspondents visited the scene of the trials among the high and pointed sand dunes of the North Carolina coast south of Norfolk, Virginia. The brothers refused to make any flights, however, when the reporters were near at hand, and so the gentlemen of the press were obliged to keep in hiding nearly a mile away from the scene of operations, and to merely watch the machine from afar through spyglasses when it was flying.”

The term OPSEC may have been coined by the original Purple Dragon crew but many examples of OPSEC in action resound throughout history - this is but one more.

Keep the Faith!
Revelator

Enter Sandman - Metallica

The Wright Brothers

When Doves Cry

     Dear OSPA Forum,

I’m just an average guy who hasn’t ever really had much luck with OPSEC. I’ve tried everything but nothing seems to work. I’ve bought OPSEC drinks, I’ve sent presents, I’ve sweet talked and cajoled but no luck. My friends are constantly busting on me cuz I can’t keep an OPSEC program for more than one date. Trust me, I know what it feels like when doves cry. Well, imagine my total surprise when just last week I met the OPSEC program of my dreams! There she was sitting across the room all by herself. I stole furtive glances in her direction but always turned away when she looked my way. My track record was so bad that I didn’t dare approach her. But then here she came - she was coming over to me. Oh my God! My mouth dried up and my tongue tied itself into knots. Butterflies were conducting strafing runs on my stomach and my palms began to sweat. Is she really coming over to me? What will I say? What will I do? She was so hot! Her dress left nothing to the imagination (and my imagination was screaming) and her eyes were boring through me right into my soul.

     And then she sat down!  I stared at her like a paralyzed deaf mute unable to do or say anything.  I was sure she would realize her obvious mistake and leave - but she didn’t.  And then she said something to me that I’d only heard in my fantasies; “Take me now or lose me forever.”  Well, somehow I managed to get to my feet and get her back to my place without crashing my car - and that’s when it got real interesting…

Now you just know I’m not going to finish that story. Nope - I’ll leave that to your sordid imagination. All I wanted to do was give myself a reason to mention the OSPA Forum. The OSPA Forum is a place where any OPSECer worldwide can come to catch up, ask a question or just see what’s been going on.

There are currently 20 members registered. Of the 20 registered there are a good couple of bona fide subject matter experts who can help you with any OPSEC question you might have. Currently there are 6 categories, 22 topic areas, 73 individual posts and well over 2000 views. These numbers may not seem overwhelming to you but OPSEC is a relatively small community and we’re doing everything we can to support you, the practicing OPSECer.

     So take a moment and check it out.  Like the commercial jingle says… “And like a good neighbor, OSPA is there.”   http://www.opsecprofessionals.org/forum

 Keep the Faith!

Revelator

“When Doves Cry” - Prince

The Message

     Hear ye!  Hear ye!  Hear ye!  I’ve got a message for you.  It’s not the most important one I’ll ever give or the best written one I’ve ever given but it does go to the heart of an argument that has been raging since the early ’70’s.  And the question is this: How long should a Critical Information List (CIL) be?

     The best CIL I’ve ever seen was in an organization that required all personnel to wear badges within the confines of the building.  The organization took their 12-item CIL - I say again their 12-item CIL - put it on a card and laminated it for all personnel to wear with their identification badge.  Each person in the organization had access to the CIL at all times.  This is about as good as it gets folks.

On the other hand, a good number of seasoned OPSEC professionals disagree with me on this subject. They’ll tell you that a “comprehensive” CIL is the only way to ensure that all of your critical information will be protected. Sound logic, to be sure. Unless you take into account the human factor. I don’t know how many of you have photographic memories and can remember a 73, or 103 or 276 item CIL, but I sure can’t. 276 items! Are you freaking kidding me? How is this usable? My personal experience is that when I’m shown a CIL with more items than my wife’s grocery list I tend to ignore it. I know I can’t memorize it and if I’m on the phone or typing an email I most likely won’t consult the “Big Book of CILs” to see if I should be communicating the information. But if you show me a list that I can wrap my brain around, say about 20 items, then I’ll study that sucker and be able to commit most of it to memory. And even if I can’t memorize it I can pin it up somewhere in my cubicle where I can actually consult it quickly if need be.

There are too many things in our complicated lives to remember already. I’m forever writing things on stickies so I don’t forget them. Then I’ve got the task list in my Microsoft Outlook so I don’t forget anything. I’ve also got a long to-do list in my 7-Habits Daily Planner which is also loaded onto my Blackberry and then, as a fail-safe, I’ve got my wife around who is constantly reminding me of things I’ve already forgotten. And when I do make it to the grocery store my wife will make a list for me because she just knows I’ll forget something.

And finally, on the subject of short CILs - remember the KISS Principle - Keep It Simple, Stupid. The shortest Critical Information List I ever saw had only one item. “We are a military organization charged with protecting the freedom of the American peoples and their allies - keep your damn mouth shut!” I could argue that there should probably be a couple more items but damn it - I like their attitude.

Keep the Faith!

Revelator

Friends In Low Places

     Be they in high or low places you need friends if you want to do this thing we call OPSEC.  I guarantee you that your workload will go up and your success will go down without your own OPSEC professionals network.  People out there are doing some great and innovative things that you need to know about.  None of us should work in a vacuum.  Communicate with other OPSEC managers.  Join OSPA or the OPS.  You need to make a conscious effort to meet new people.  Go to the National OPSEC Conference or an OPSEC Forum.  Get out from behind your desk and get to a threat seminar.  When you get out to an event like a conference or formalized training you will meet people.  You can’t help it.  I make, at least, five good contacts at every event I attend.  That’s five more people I can call or email when I’ve got a question.  Five more people who I can share ideas with.  Five more people I can “benchmark” off of.

Since our program here at the National Nuclear Security Administration, Nevada Site Office won the Organizational Achievement Award at the National Conference last month I get two or three calls or emails a week from people asking for assistance/help/guidance for some area of their program. Trust me when I tell you there is no way this program would be where it is today without the help and valued assistance from people I now call friends (starting with Wayne Morris who built the program I was fortunate enough to inherit). As for the calls for assistance, I do everything I can for these people. When you’ve been as blessed as I have then you understand that you must give back to the community in any way you can. Plus I feel I need to honor folks like Tom Ariosto, Wayne Morris, Lynne Clark, Dan Wilkinson, Joan Hellon, Scott Milliman, Bill Feidl and Pat Sipes who have helped and guided me so much over the years. I just hope that some day you are as fortunate as me to have such a fine OPSEC support network to reach out and touch when you’re in need.

And when, not if but when, you attend one of these events don’t be afraid to walk up to someone and say “Hi, I’m Joe from Colorado Springs. How are you today?” You can start with me. I’ll be your first contact (if it is me though and I just finished a 90-minute speech, please just follow me to the smoking area and chat me up there instead of keeping me away from the post-speech nicotine fix I need so badly). Whatever you do, just get the hell out there and talk to someone new and get that network working.

Keep the Faith!

Revelator

Thunder Road

“Leaders are busy doing the things critics say can’t be done.”  You may have seen this quote before.  I read it in a book last week.*

As OPSEC Managers your creativity and the ability to see the road ahead are paramount if you wish to have any level of a successful OPSEC Program.  Beyond that is the fortitude to not only see the vision but to act on that vision.  As an OPSEC Manager you are frequently alone in your passion to push the program but you must not let this stop you.  You’ve got to be like The Bandit and have that “..we’re gonna do what they say can’t be done” attitude.  Rare is the unit/company who shouts Hallelujah! when the new OPSEC Manager shows up.  Rare are the times you will walk into a meeting and all will hail you as the savior of the mission.  Rarer still is the man or woman who can keep running into this wall of denial until it is broken down.

The sad fact is that you just may be the only one who truly cares about OPSEC. At least this is the attitude that you need to have. Don’t let people fool you - they don’t care…not really. I’ve interviewed a number of OPSEC Managers who are quite sure they have the support of the people in their organization. And I’ll ask them: “How’s your program working?” And they’ll go on and on about all the great stuff they’ve done. Unfortunately, I get a different story when I interview people within the organization. Invariably, members of the unit have no idea who their OPSEC Manager is and if they do actually know a name, they have no idea what the OPSEC program means to their mission. What about you? What about those of you who may have been hired or hand-picked as the OPSEC Manager? Surely, you care about OPSEC. Right? Well, maybe. And maybe not. I’ve seen a lot of people get burned out by OPSEC because of the abnormally high frustration levels associated with repeatedly trying to accomplish something you know is right and getting beat down by leadership or those who run the mission. I mean, you are just the OPSEC guy or gal, right? Not only have I seen this - I’ve experienced it first hand, and it’s not pretty.

You try to do a good job and you either don’t have the support of the big dogs or you’re kept too busy doing other “more important” tasks or, maybe, just maybe, you don’t really care about OPSEC at all. Maybe it’s just a paycheck or a silly little additional duty. I’ve met these people and I can see it in their eyes. You can tell they just don’t have a passion for this stuff. I can’t explain it but I’ll be honest with you - the passionate people are in the minority. And it’s rather sad because you can’t be a half-assed OPSEC Manager. You can’t simply satisfy the minimum requirements and expect to have a positive effect on the mission or the lives of those executing that mission. You can’t send out an 18-slide PowerPoint presentation as your annual training and expect it to mean anything. You can’t walk up to a group of shooters about to execute a mission and tell them they can’t do something because you say so. You can’t be so removed from the leadership that they never think to call on you when they are making long-range plans. You can’t stick your head in a sales or marketing meeting and shout “Think OPSEC” and expect it to positively affect the outcome of the meeting. You can’t wait until all the jobs are posted and then run to HR and beat them down for putting too much information in job postings. And you can’t expect your coworkers to give a you-know-what about OPSEC and how it affects the mission and their lives if you haven’t repeatedly told them - if you haven’t made it personal to them - if you haven’t fully demonstrated how it affects them personally.

Understand this: as an OPSECer you are outgunned and under-equipped for the job you’ve been asked to accomplish. Boldness under such circumstances may seem almost foolish, yet boldness may be the one advantage you have. Unlike those who lead in battle, your life may not be on the line as the OPSEC Manager - but lives, jobs, your co-workers’ welfare, and their families’ welfare may be. Your program may have less muscle, so you will need more brains. You have to reorient your thinking, behavior and strategy. Pull off the sunglasses of pride and arrogance, and drop them in the nearest trash can - you’ll see the road ahead and the obstacles more clearly without them. Then get yourself out on that road and kick some OPSEC ass!

Keep the Faith!

Revelator

*The Centurion Principles by Colonel Jeff O’Leary (Ret)

It’s All OPSEC

“That’s not OPSEC.” The scene is day one of an OPSEC assessment. This is my first time out with this team so I’m still trying to feel out how they go about the process. While the team is in the badge office waiting for badges I notice there is a computer screen with red “SECRET” stickers top and bottom facing the gathered group at the customer service desk. Mind you, we’re not the only ones there trying to gain facility access. Among those waiting with us were gardeners, janitors, plumbers and other uncleared day workers. So, I turn to one of the senior members of the team and mention that we should identify this in our report and was told: “That’s not OPSEC.” While I didn’t want to get deep into what is and isn’t “OPSEC” I did mention that I thought we had a responsibility to the office supervisor to tell him that he should turn that screen around, and keep it turned around, so that uncleared personnel couldn’t possibly see potentially “SECRET” information. I was told in no uncertain terms that this was not “OPSEC” and therefore not our responsibility. The Assessment Chief later corrected this problem but the individual in question never once wavered from his stance.

So what is OPSEC? Is anything OPSEC? A strong case can be made that every item in an OPSEC Assessment report can be traced back to requirements of some other security program. The scenario above was clearly a Computer Security issue but it is also an Information Security issue. FOUO in the trash? - Information Security. Not locking your computer screen when you leave your desk? - Computer Security. Privacy Act info in the recycle? - Information Security. Allowing people to piggyback into the facility? - Physical Security. Organization member talking about sensitive information during a speech at a conference or putting sensitive information in a professional publication? - Information Security. Talking around sensitive or classified information on the phone or email? - Communications Security, Computer Security, Information Security. Cell phone in a secure area? - Physical Security. Public release of new product or emerging technology? - Information Security, Personnel Security. Giving long-time visitors the safe combo and then not changing it when they leave? Catching on yet?

There are many more examples I could give but hopefully you get the point. On the other hand, did you think of instances that weren’t covered by my examples? What about always marshaling convoy vehicles at the same time in the same place? What about using the same routes? What security program covers mission or business indicators? Who is the security rep responsible when your unit doesn’t have a program in place to change its call-signs? What program do you call on to stop the intel dissemination capabilities of the spouses club?

I’ve spent many hours in debate with people I respect and while we may disagree in one or two of the gray areas we all (but one) agree that it is essentially ALL OPSEC when it comes to our responsibilities as OPSEC Program Managers or members of an assessment/survey team. Bottom line: Our job is to make our unit or company more secure. And we don’t do this by arguing over whether a vulnerability, indicator or security violation is OPSEC or not. See a problem - fix a problem.

One last thought - if you see me at the National Conference and I hear you say “That’s not OPSEC” - you owe me a cold one.

Keep the faith!

Revelator


The WOF

My OPSEC Brothers and Sisters!  I am happy to be back in your arms once again.  Time to catch up…

For the uninitiated, the WOF is the Western OPSEC Forum put on by the IOSS, sponsored by OSPA and hosted by the DOGS of OPSEC (NNSA/NSO OPSEC Program Office).  Over a week has passed since the event, but let's see if I can remember the highlights.

As usual the IOSS packed the three-day forum with outstanding speakers giving truly outstanding presentations.  I’m not gonna get into each speaker and presentation so you are just gonna have to trust me - there was mad info available from all corners of the military and civilian world.  If you have yet to attend an Eastern or Western OPSEC Forum I suggest you keep an eye on the IOSS web page for announcements.  Even if you typically get to the National Conference I still strongly suggest you consider getting to one of the Forums - good information - good networking - good times.

OSPA at the WOF:  In attendance were Wayne Morris (Exec VP) and yours truly (VP) as well as Board Members Scott Milliman and Joan Hellon not to mention many OSPA members.  One member, August Schellhase (DOG of OPSEC) was critically instrumental in making sure that this event went off with a minimum of unpleasantries.  And then to our eyes what did we behold?  Well, none other than Chris and Evie - our President and Secretary and their two handsome boys.  They were only able to stay about an hour before scooting back to beautiful downtown Barstow but they brought us a host of gifts and OSPA handouts for WOF attendees.  By the way - this was the first time anyone in OSPA ever had a chance to lay eyes on our reclusive President and his lovely wife.  I’m happy to report that he isn’t nearly as unpleasant looking as I was led to believe.  I don’t have the exact numbers but we signed up 20 or so new members bringing our total membership up to somewhere in the 130 range.  This is great news for our fledgling Association.

In the "I ain't braggin' - just sharing" department:  IOSS Director Marty Quick announced the winner of the National OPSEC Organizational Achievement Award, and I'm proud and happy to say that it was the DOGS of OPSEC here at NNSA/NSO.  August and I thank those of you who have sent your congratulations.  But wait - there's more…we also won 2nd place in the Multi-media (electronic/video) category for our "OPSEC 24/7" video.  As contractors we can't actually be awarded the cup or the plaque, but we eagerly look forward to watching the Department of Energy accept the award at the National Conference.

I have at least 28 more interesting/funny/embarrassing stories I could relate about the WOF but - as the saying goes; what happens in Vegas - stays in Vegas.

Keep the Faith!

Revelator

OPSEC In The Movies

Does Hollywood do a good job of portraying OPSEC in the movies? Can anyone provide a movie and describe a scene where OPSEC comes into play? Was it good OPSEC or was it poor OPSEC? I don’t really care if it was good or poor acting.

One that comes to mind for me is the movie “MIDWAY” which came out in the summer of 1976 and is available on DVD. It tells the tale about “the most decisive naval battle in U.S. history” which turned the tide of the war in the Pacific.  Directed by Jack Smight, it has an ALL STAR cast: Charlton Heston, James Coburn, Henry Fonda, Glenn Ford, Hal Holbrook, Pat Morita, Robert Mitchum, Cliff Robertson, Robert Wagner, Toshiro Mifune, James Shigeta, Christina Kokubo, Edward Albert (the son of Eddie Albert), and - if you look close enough - Tom Selleck (a.k.a. Magnum P.I.).

At the risk of turning this into a movie critic forum or movie trivia challenge, I thought the movie did a pretty good job of historically portraying this watershed event. It was also really fun if you got to see it in theaters equipped with "Sensurround!"

Two items of OPSEC significance come to mind:

“AF is Midway”  Does anyone know the movie well enough to know what I am referring to? Some might call this a feedback loop. The scene is where we employ poor OPSEC in a smart manner…in a “Measurement of Effectiveness” sort of way…to use to our advantage.  When we get to this scene, the film establishes that we are “copying the Japanese mail” but the US is not quite sure what their intentions are for Midway. Maybe it would all become clear if they could just figure out what the two letter abbreviation “AF” refers to in the enemy’s message traffic.

Commander Joseph Rochefort, a US Navy Intel officer (a cryppie) played by Hal Holbrook, convinces Admiral Nimitz, played by Henry Fonda, to buy off on a little ploy to have the comms center on Midway Island send out a "fake message" in the clear about a degrading fresh water situation on Midway. Admiral Nimitz gives the okay. Ultimately – just a minute or so in movie time – Commander Rochefort and his personnel intercept and decode a Japanese message that confirms that "AF" is indeed Midway.

Could you consider this a nice OPSEC coup? Maybe a small victory for OPSEC? If nothing else, it clearly demonstrates that the enemy was listening…and something like that could be useful in reinforcing OPSEC awareness; then and now.


“Admiral Nimitz is notified”  What happens next is my favorite OPSEC moment in the film. Just seconds after CDR Rochefort – Hal Holbrook - gets the news confirming “AF” is Midway, he turns to Charlton Heston, playing the fictional character of Captain Matt Garth, and relays the information. Charlton Heston is then sprayed with water from a fire hose and exclaims that the place is a “madhouse!”

Oops, sorry; wrong movie.

Charlton Heston quickly rushes to the nearest telephone…still within easy earshot of the Intel crew who just broke the message traffic…to call Admiral Nimitz.

Can you say "phone's up" or "this line is not secure"? Well, neither could Mr. Heston or Mr. Fonda; maybe it just wasn't in the script. Captain Garth tells Admiral Nimitz that Intel has confirmed that "AF is Midway" over the telephone. Was this poor OPSEC? I don't think so; this was a security violation plain and simple, not to mention just poor headwork. Of course CDR Rochefort was too busy celebrating with his shipmates to admonish the good Captain on his security procedures.

Upon hearing the news, Admiral Nimitz requests that Captain Garth assemble the staff at a particular time the next morning to begin planning. Was this critical information? I’d say sure! This part of the scene is an example of poor OPSEC.

Anyway, I doubt Hollywood was thinking about the finer points of good OPSEC when they were striving for historical accuracy combined with dramatic effect. The take-away here is that you can use this 2 – 3 minute scene to improve your own organization’s OPSEC awareness thanks to Hollywood’s literary license.

For those of you who have seen the movie, what do you think? Please share other films and movie scenes that directly or indirectly involve OPSEC.

You can get more details about the “AF is Midway” ploy, by searching Commander Joseph Rochefort on the web.

Don Sidro - The GodFather of OPSEC
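The "AF is Midway" ploy is an instance of a general technique: plant a distinctive, plausible detail through one channel and watch for it to resurface in the adversary's traffic. A hit proves the adversary is listening to that channel and lets you attribute his codename; silence proves nothing. The script below is an added example and not part of Don Sidro's post or the film. The site names, bait keywords, "intercepted" messages and the two-letter codename pattern are all constructed for illustration.

```python
"""Canary-fact test, modelled on the "AF is Midway" ploy.

Each suspected target gets its own bait fact, seeded only through that
target's own channel.  If the fact later appears in adversary traffic we
learn (a) the adversary reads that channel and (b) which of his codenames
refers to that target.  Everything below is constructed sample data.
"""
from __future__ import annotations

import re
from collections import defaultdict

# Constructed bait: one distinctive keyword per suspected target.  Keywords
# must not overlap, or a hit cannot be attributed to a single channel.
BAIT: dict[str, str] = {
    "Midway": "water",        # "distillation plant failed, fresh water short"
    "Dutch Harbor": "fuel",   # "fuel pump out, reserves low"
    "Johnston": "runway",     # "runway cratered, repairs pending"
}

# Constructed sample of decrypted adversary traffic.  The adversary names our
# sites with his own designators; the two-capital-letter form is an assumption.
INTERCEPTS: list[str] = [
    "AF has only two weeks of water, attack to include supply ships",
    "AK weather station reports fog, no change",
    "Carrier force to rendezvous north of AF",
]

CODENAME = re.compile(r"\b([A-Z]{2})\b")


def validate_bait(bait: dict[str, str]) -> bool:
    """True only if every bait keyword is unique (case-insensitive)."""
    keywords = [kw.lower() for kw in bait.values()]
    return len(set(keywords)) == len(keywords)


def match_bait(message: str, bait: dict[str, str]) -> list[str]:
    """Targets whose bait keyword appears as a whole word in the message."""
    return [
        target
        for target, kw in bait.items()
        if re.search(rf"\b{re.escape(kw)}\b", message, re.IGNORECASE)
    ]


def resolve_codenames(
    intercepts: list[str], bait: dict[str, str]
) -> tuple[dict[str, str], dict[str, list[str]]]:
    """Map adversary codenames to our targets via bait hits.

    Returns (resolved, ambiguous).  A codename is resolved only when every
    bait hit seen with it points at exactly one target; otherwise it is
    reported as ambiguous with the candidate targets.
    """
    evidence: dict[str, set[str]] = defaultdict(set)
    for msg in intercepts:
        targets = match_bait(msg, bait)
        if not targets:
            continue  # no canary in this message, nothing to attribute
        for code in CODENAME.findall(msg):
            evidence[code].update(targets)
    resolved = {c: next(iter(t)) for c, t in evidence.items() if len(t) == 1}
    ambiguous = {c: sorted(t) for c, t in evidence.items() if len(t) > 1}
    return resolved, ambiguous


def leaked_channels(intercepts: list[str], bait: dict[str, str]) -> set[str]:
    """Targets whose bait resurfaced: the adversary reads those channels."""
    return {t for msg in intercepts for t in match_bait(msg, bait)}


def unconfirmed_channels(intercepts: list[str], bait: dict[str, str]) -> set[str]:
    """Targets with no hit.  This is absence of evidence, not proof of safety."""
    return set(bait) - leaked_channels(intercepts, bait)


if __name__ == "__main__":
    assert validate_bait(BAIT), "bait keywords overlap; hits would be ambiguous"
    resolved, ambiguous = resolve_codenames(INTERCEPTS, BAIT)
    for code, target in resolved.items():
        print(f"{code} is {target}")          # AF is Midway
    print("ambiguous:", ambiguous)
    print("confirmed listening on:", leaked_channels(INTERCEPTS, BAIT))
    print("no evidence either way:", unconfirmed_channels(INTERCEPTS, BAIT))
```

The important design choice is that each channel gets a different fact. Seeding the same "water" story through every channel would still prove the enemy is listening somewhere, but not where, and a message mentioning two bait facts at once is reported as ambiguous rather than guessed at. Note also that `unconfirmed_channels` is deliberately not named "secure": Dutch Harbor's silence in the sample tells you nothing about whether that channel is being read.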

Could this happen to you?

Once upon a time, in a land not-so-far-away, a small group of individuals walked through the doors of a multinational corporation and walked out with millions of dollars' worth of company secrets and assets.

Through days of patient research and study, they were well equipped to work their way through the company, obtaining small pieces of information and compiling it into unmitigated access. Could this happen to you?

First, they learned the names of key employees by calling Human Resources. They would have preferred to find a company phone roster in the dumpster, but no one had thrown one away lately. The passwords and internal memos that they did find certainly helped cushion the blow, though.

This company had a very friendly climate, and prided itself on hiring friendly and courteous employees. The friendly employee at the entrance was more than happy to hold the door for one of the individuals when he jogged to catch the closing door. Why not? Criminals don’t wear suits and ties, right? They got inside the moat.

Another friendly employee was more than happy to help out the stressed-out intern who had lost his access badge on his first day and just had to get the report to his boss before he got fired! Why not? We're all on the same team, right?

No matter how strong a castle’s walls, it does no good once the enemy’s inside.

Inside the secure area, they found a gold mine of unshredded documents, both in the trash and piled by the shredder. In a stroke of inspiration, a hastily scrawled note was placed on a busy shredder: "Shredder out of order. Put materials in this box to be picked up by security." Traditional hacking techniques also allowed unrestricted access to key computer systems, which is often superfluous when the password is written down and hidden. ("No one would ever know that this is my password, even if they do look in the drawer!")

Lucky for them, the CEO had let them know (through his out of office auto reply) that he would be gone that day. His assistant was very helpful when the new janitor forgot his keys and had to stay on schedule!

Could it get worse than this? It very well could. There’s a good chance that your organization may never suffer a planned, organized intrusion such as this. But basic OPSEC, often at little or no cost to the organization, can help prevent such a disaster. Never forget how important you are!

Who is OPSEC for?

It's a common misconception that OPSEC "belongs" to the military. In reality OPSEC, the process of denying an adversary critical information, saves lives on the battlefield, dollars and jobs in the corporate world, and safety and security at the personal level.

At the same time that I was creating an OPSEC plan at work, my wife was practicing OPSEC at home by leaving a light and the TV on.

OPSEC is for everybody, everywhere.
