You are currently browsing the archives for the General OPSEC category.
5. February 2010 by Revelator.
While reading “Hour Game” by David Baldacci I came upon a narrative that screamed OPSEC better than anything I’ve read or seen on TV lately. Never underestimate the threat - in any situation…
He watched the old couple totter out of the supermarket and ease into their Mercedes station wagon. He wrote down the license plate number. He would run it later on the Internet and get their home address. They were doing their own shopping, so they probably had no live-in help or grown children nearby. The make of the car was relatively new, so they weren’t surviving solely on Social Security. The man wore a cap with the logo of the local country club. That was another potential gold mine of information he might later tap.
He sat back and waited patiently. More prospects were sure to come in the busy shopping center. He could consume all he wanted without ever once taking out his wallet.
A few minutes later an attractive woman in her thirties came out of a pharmacy carrying a large bag. His gaze swung to her, his homicidal antennae twitching with interest. The woman stopped at the ATM next to the pharmacy, withdrew some cash and then committed what should have been classified as a mortal sin for the new century: she tossed the receipt into the trash before climbing into a bright red Chrysler Sebring convertible. Her vanity plate read “DEH JD.”
He quickly translated that to be her initials and the fact that she was a lawyer, the “JD” standing for Juris Doctor. Her clothes told him she was fastidious about her appearance. The tan on her arms, face and legs was deep. If she was a practicing lawyer, she probably had just come back from vacation or else had visited the tanning booth over the winter. She was very fit-looking, her calves particularly well developed. His gaze had fixed on the gold anklet she wore on her left leg as she climbed in her car. That was intriguing, he thought.
She had a current-year American Bar Association bumper sticker, so the odds were she was still practicing law. And she was also single - there was no wedding ring on her finger. And right next to the ABA bumper sticker was a parking permit for a very expensive gated residential development about two miles from here. He nodded appreciatively. These stickers were very informative.
He parked, got out of the Bug, walked over to the trash can, made a show of throwing something away and in the same motion plucked out the ATM receipt. The woman really should have known better. She might as well have tossed her personal tax return in the trash. She was now naked, completely open to any probing he wanted to do.
When he got back to his car, he looked at the name on the account: D. Hinson. He’d look her up in the phone book later. And she’d also be in the business listings, so he’d know which law firm in town she worked at. That would give him two potential targets. Banks had started leaving off some of the numbers of the account because they knew their customers stupidly disposed of their receipts where they were easy picking for people like him.
He kept trolling under the warming sun. What a nice day it was shaping up to be. He reclined slightly in his seat only to perk up when off to his right a soccer mom started loading groceries in her van. He wasn’t guessing there: she wore a T-shirt that announced her status. An infant rode in the car seat in the rear. A green bumper sticker announced that the woman was the mom of an honor roll student at Wrightsburg Middle School for the current school year.
Good to know, he thought: seventh or eighth grader and an infant. He pulled into the space next to the van and waited. The woman took the cart back to the front of the store, leaving the baby completely unguarded.
He got out of the Bug, leaned into the van’s open driver’s side window and smiled at the baby, who grinned back, chortling. The interior of the van was messy. Probably so was the woman’s house. If they had an alarm system, they probably never turned it on. Probably forgot to lock all the doors and windows too. It was a wonder to him that the crime rate in the country wasn’t far higher what with millions of idiots like her staggering blindly through life.
An algebra book was in the backseat; the middle school child’s, no doubt. Next to it was a children’s picture book, so there was at least a third child. This deduction was confirmed by the presence of a pair of grass-stained tennis shoes in the rear floorboard; they looked to be those of a five- or six-year-old boy.
He glanced in the passenger seat. There it was: a People magazine. He looked up. The woman had just slammed the cart back into the rack and had now paused to talk to someone coming out of the store. He reached in and drew the magazine toward him. Name and home address were on the mailing label. He already had her home phone number. She’d helpfully put it on the For Sale sign on the window of her van.
Another bingo. Her keys were in the ignition. He placed a piece of soft putty over the ones that looked like house keys, taking quick impressions. It made the breaking in and entering part a lot easier when you didn’t have to “break” when you “entered.”
A final home run. Her cell phone was in its holder. He looked up. She was still gabbing away. Had he been so inclined he could have killed the kid, stolen all her groceries and torched the car, and the woman would never even know it until someone started screaming at the flames shooting into the sky. He glanced around. People were far too busy with their lives to notice him.
He snatched the phone, hit the main screen button and got her cell phone number. Then he accessed her phone book, took a digital camera the size of his middle finger from his pocket and snapped pictures of screen after screen until he had all the names and phone numbers in her directory. He returned the phone, waved bye-bye to baby and slipped back into his car.
He went over his list. He had her name, home address and the fact that she had at least three kids and was married. The mailing block had been addressed to both Jean and Harold Robinson. He also had her home phone number, cell phone number and the names and numbers of a host of others important to her as well as impressions of her house keys.
She and her lovely family belong to me now.
Keep the Faith
Revelator
Who Wrote The Book Of Love - The Monotones
Posted in Risk, Critical Information, Awareness, Vulnerabilities, Threat, Family OPSEC, Analysis, General OPSEC
18. December 2009 by Revelator.
Today I want to share an interview I conducted with an OPSEC grey beard (GB) who insisted he remain nameless. Originally, I refused to do the interview with this particular stipulation but as you read on I think you’ll agree that even without identification the information shared is valuable enough to overlook the anonymity clause. We sat down in a small bar in a busy city near our nation’s capital. After ordering, I hit record and began the interview.
Rev: How long have you been in OPSEC?
GB: Since before they called it OPSEC.
Rev: What did they call it before they coined the term OPSEC?
GB: They didn’t call it anything - that’s the point isn’t it? It didn’t have a name. But we knew it as using your common sense - doing the right thing - being smart - protecting your ass from the guy trying to shoot it off.
Rev: Do you see OPSEC as primarily a wartime program?
GB: First, I don’t see it as a program - I see it as a way of life. But to answer your question up until very recently yes, its application was mainly in support of military operations - specifically wartime operations. But in the past ten years I think we have come to realize that every day is a wartime situation. Every conversation, every text, every tweet, every email could harm not only our all-volunteer military but also innocent civilians.
Rev: So would you say that in these times spreading the gospel is critical.
GB: Spreading the gospel, as you say, has always been critical. OPSEC can truly be a life saving art but if no one understands it and therefore no one uses it then it’s no more useful than the warnings on a pack of cigarettes. The most important step in the OPSEC process, as we know it now, isn’t even one of the five steps because it is a concept followed - if we’re lucky - by an action.
Rev: And what is that?
GB: Awareness! The most important OPSEC concept is awareness. If the people in your military unit or even your corporation don’t understand the “why” of OPSEC then you guys can take the OPSEC process and work it into the ground and it won’t be worth a damn because no one understands why you are doing it. And more importantly why they should use it. Listen; I’ve known guys who knew OPSEC cold…knew how to work each of the five steps, and could write an OPSEC plan so beautiful you would marvel at its magnificence. But some of these guys couldn’t sell the concept - they couldn’t show people how or why they should care about, much less use, OPSEC in their daily operations.
Rev: Is it true that the OPSEC process was at one time 12 steps and then 9 steps before we arrived at the five steps we have now?
GB: Absolutely. And it was 15 steps and 10 steps and one pretty highly placed, but ignorant, guy wanted it to be three steps.
Rev: Well, how many steps do you think it should be?
GB: To be honest, I wasn’t happy with the five steps when it first came out. I thought they left out two steps that I thought were pretty important.
Rev: Which were…?
GB: Not important now. People seem to be doing them just as a matter of course so I don’t want to upset those that are responsible for this process. But let me make another point before we move on; the average person in your organization doesn’t care how many steps it is. They don’t care about what you have to do to accomplish the five steps of the OPSEC process. You know what they care about if they care at all?
Rev: Tell me, please.
GB: Two things - what do I need to protect and how do I protect it. And that is all they should care about. The OPSEC Manager needs to do all the work and be able to answer those questions for the warfighter. If you can’t tell them what needs to be protected and how to protect it then what are you there for? To give the annual training? To fill the square? Bullshit. You are there to protect the mission and to protect life so if you can’t tell the trigger pullers what to protect and how to protect it then crawl back into your cubicle and work on your next PowerPoint presentation cuz brother they don’t need you.
Rev: Strong words sir.
GB: Yes they are. Look, I’ve worked at this too long and too hard to try to soften the blow of what I’ve learned over the years. You asked me so I’m telling you. I believe I’ve saved lives using OPSEC and if I couldn’t say that then why would I have stayed in OPSEC? For the glamour? For the glory? For the money? No, no and hell no! (long pause) In my military service I took lives… Since I laid down my weapon I have been trying to save lives and as I said I believe I have. (pause) OPSEC is important. It’s more than going to the conference once a year. It’s more than giving your annual briefing. It’s more than putting up a poster or two. Actually, it is all of that but so much more.
This is the end of part one of the interview. I’ll have part two for you soon.
Keep the Faith!
Revelator
Posted in History, General OPSEC
17. December 2009 by Revelator.
OPERATIONS SECURITY - OPERATIONS SECURITY - OPERATIONS SECURITY - OPERATIONS SECURITY. Everyone - say it with me now: OPERATIONS SECURITY!
If I read one more article, speech or blog entry that defines OPSEC as Operational Security I’m gonna go Elvis on my computer monitor. People, this isn’t difficult. Operations Security is a different concept than operational security. I’m not gonna go into a long dissertation about the difference because you should know what the difference is. But even as I write those words I realize I’m wrong. Generals, Lt Col’s, Master Sergeants, CIO’s even OPSEC Managers have written, or spoken operational security when speaking of OPSEC. And not just in general but typically something like this: “OPSEC, or Operational Security, is a 5-step…”
I honestly don’t know why this happens or what to do about it - I just know that every time it happens it sets us back just a little bit. OPSEC has a hard enough time getting accepted without people who should know better defining it incorrectly. In the world of OPSEC there is much room for disagreement on a number of topics but this isn’t one of them.
Which comes first; Threat or Critical Information development? Argue that all you want.
How should you define risk? Take sides and come out swinging.
What is the best way to prioritize vulnerabilities? Jump into the octagon and figure it out.
But - “Is it Operations Security or operational security?” is not open to debate.
So, to all of you getting it wrong I say: STOP THAT!
Keep the Faith!
Revelator
All Shook Up - Elvis
Posted in BS, General OPSEC
25. September 2009 by Revelator.
A young John Cougar used those words as the title to his fifth album. In those moments when I’m frustrated by the sometimes low OPSEC give-a-crap-factor I wonder about those words and my mind drifts to this thought: OPSEC doesn’t matter and what if it did? Generally speaking it appears to me that no one really cares about OPSEC.
If OPSEC “mattered” then why is it so hard to get people who should care about OPSEC to actually care about OPSEC?
If OPSEC “mattered” then why is it blown off in the planning cycle?
If OPSEC “mattered” then why is it so often on the chopping block when money is tight?
Oh man, I could go on and on.
But to what end? What would be the point? No one cares. And I can’t even assume that those of you who are part-time/additional duty OPSEC POCs care. I’ve done too many OPSEC assessments and have seen with my own eyes the reality of dormant OPSEC programs around the world. I’ve done the interviews of unit personnel as they stare blankly at me when I ask them who their OPSEC Manager is or what a Critical Information List is. I’ve listened to blow-hard OPSEC POC’s who rant and rave about their OPSEC program only to find that it’s all an illusion - that nothing real exists. I’ve read Critical Information Lists that are 10 pages long and totally useless or were “benchmarked” from another unit and they didn’t even bother to change the letterhead to letterhead from their own unit. I’ve listened to OPSEC briefings that would make you want to rip your eyelids off. I’ve listened to senior leaders who talk, talk, talk, OPSEC but can’t seem to get an OPSEC section in their plans of operation. I’ve seen young just appointed OPSEC guys and gals who are ripping their hair out cuz the program they just took over sucks and they are getting no support to make it any better. And I’ve seen really good people try their damnedest to do really good things and get shut down and hammered by idiots who make more money than they do.
Good Lord, why even bother? Seriously. Why bother? Hey - I’m not leading up to any great epiphany here. I’m not setting you up to tell you why you should bother. I have no intention of trying to get your emotions roiling by extolling the virtues of OPSEC and its devout practitioners in a vain attempt to get you psyched about how great OPSEC is. Nope. Not today.
Today I’m just bummed. OPSEC sucks - that seems to be the prevailing attitude so I’m just gonna give into it. Come on now…aside from some small pockets of success, in the vast majority of places that OPSEC should matter it simply doesn’t. And that sucks.
Keep the Faith! (you’re gonna need it)
Revelator
Nothing Matters And What If It Did - John Cougar
Posted in BS, General OPSEC
16. September 2009 by Revelator.
“I’ve called this meeting because, as we feared, our budget has been cut 14%. We’ve game-planned for this but now is the time to get serious about what we can slim down and what we can live without.”
“Sir, if I may…we do have one program that has absolutely no verifiable Return on Investment that I think we should consider.”
“You mean, we actually have a program that is costing us money that has absolutely no ROI?”
“Yes sir.”
“Frankly, I’m a little worried that this hasn’t come to my attention before. What program are you talking about Johnson?”
“OPSEC sir.”
“Op-what-now?”
“OPSEC sir; Operational Security. You know the one. That briefing we get once a year where they tell you to keep your mouth shut. Don’t talk about work in bars and stuff.”
“Yeah, I know it. You mean that program costs us money? It can’t be very much can it?”
“Well sir, we have a full time guy who runs the program and then we have a group of people who have to spend a small percentage of their time on it as OPSEC Committee members.”
“Hmmm. So what do they actually do for us?”
“No one really knows sir. I think I’ve seen a report or two floating around but I’ve never read one and no one I’ve asked has either.”
“Let me make sure I understand…they give briefings that no one wants to go to, write reports that no one reads and take up valuable time from committee members who should be doing something else. Is that about right?”
“I would say that about sums it up sir.”
“And how much will we save annually if we kill it?”
“Based on the projected cuts for this upcoming FY killing this program would save us .003% off the top.”
“Well that’s not much is it Johnson?”
“No it isn’t sir, but if we think we really don’t need it anyway then why not just kill it? It will show that we’re being proactive and not afraid to cut what some of our security professionals say is a critical program.”
Ladies and Gentlemen, this is happening today. OPSEC has already been reduced or just plain cut from a number of organizations. We know OPSEC is a viable program. We also know that it does not and will not ever bring in money. ROI is almost impossible to prove also. Did OPSEC save any lives today? Did a competitor not find what he was looking for when he went through our trash because of OPSEC? Did Johnny or Susie not say something critical or sensitive on the Internet today because of OPSEC? Beats me. I hope so - but we have no proof.
Sooner or later your OPSEC program will come into question. At that time you will need to be able to answer the question: “Why should we keep the program?”
The answers to that question are as varied as the individual programs and can’t be fully answered in this forum. But you need to be thinking about how to answer that question for your program and your organization. I guarantee you that sooner or later the question will be asked and I’ll bet you that if you don’t have the answer they’re looking for…
Let’s just say you and your program may be in danger.
Keep the Faith!
Revelator
Fight The Power - Public Enemy
Posted in Leadership Support, Program Management, General OPSEC
21. July 2009 by Revelator.
In yesterday’s blog I listed a series of questions that I had hoped to have answered once I received my security clearance. I also stated that I didn’t ever get the answers to most of those. Well, it turns out that one of my faithful readers actually has the answers and is kind enough to share them with the rest of us. Because of the nature of the information and the sensitivity of the sources I cannot provide his/her name - suffice to say that he/she is known to many of you. Enjoy…
Revelator: Hope this helps…
Who really killed Kennedy?
- LBJ.
Did we land on the moon or was that all filmed in a soundstage in Burbank?
- We landed. Myth busters just proved it last night.
What is really going on in Area 51?
- It’s part of the current ‘Air Force Partying System’ - the Air Force had too many wild parties and broke the stereo systems in Areas 1 thru 50.
Is Elvis still alive?
- Yes he is. I just asked him.
Is there really a Hangar 18 and/or a Project Bluebook?
- Yes. It’s between Hangars 17 and 19. Yes. It was a joke. Or joke book.
Is there actually a government warehouse for freaky secret stuff? And if so, is the Ark of the Covenant there?
- Yes. It’s called the Pentagon. And no - God has more sense than to leave his scribbled down notes with a bunch of idiots.
Just who/what the hell is/are the Illuminati?
- Started out as a bunch of free-thinkers in Bavaria circa 1776. Recent Wanna-be’s took the name and supposedly comprise the New World Order…good luck to them.
Are we alone?
- No. If you need proof, just call 555-1212.
Who are the “Nine Unknown Men?”
- No one knows. That’s why we call them ‘Unknown’. But I think at least one’s named ‘Bob’.
Do the Grays really exist - and if they are running the world shouldn’t they be doing a better job of it?
- Yes they do. And yes, they should be; they need all the help they can get. Please call 8675…309. Ask for ‘Jenny’.
What the hell is going on in the Bermuda Triangle - and if it’s so jacked up there why do boats and planes still go there?
- Scientists determined that it’s a weather thing. A confluence of location and jet streams. Boats still go there because of what they saw on either the Addams Family movie or Unsolved Mysteries.
Where is Sasquatch and why do we never see more than one at a time?
- He resides at the Holladay Park Plaza, a Portland, Ore. assisted living center. You never see more than one at a time because he’s the only one. He’s classified as a cryptid.
Was that really a weather balloon in Roswell?
- Yes. But they were inadvertently popped by a gang of extra-terrestrials who were subsequently shot down and dismembered by some angry scientists who were really counting on getting that weather data.
What’s up with Stonehenge?
- A grouping of really big rocks which are the property of the English Crown and not the reigning monarch. It’s a place of burial; a domain of the dead.
And what about the Nazca Lines in Peru? Is this “Chariots of the Gods” stuff true?
- Just animal doodles on a large scale. A precursor to crop circles.
- Of course it’s true. It’s how we got Energizer batteries and keep our razor blades sharp.
And now you know…the rest of the story.
Keep the Faith!
Revelator
Posted in BS, Critical Information, General OPSEC
20. July 2009 by Revelator.
Way back in 1978 I started the process for my Department of Defense security clearance. I’ve had this thing for long about 32 years now so I’m fairly versed in how we handle, store, transmit, disseminate, and otherwise protect classified information. But I must say that as an 18 year-old waiting on my clearance I was pretty damn naive.
I actually thought that once I got my clearance I would be able to see all the Top Secret information the government had on file. I was pumped! I was finally gonna get the answers to some of the nagging questions that my government wouldn’t share with those so unfortunate as to not be cleared.
Here is my list of things I wanted to know:
Who really killed Kennedy?
Did we land on the moon or was that all filmed in a soundstage in Burbank?
What is really going on in Area 51?
Is Elvis still alive?
Is there really a Hangar 18 and/or a Project Bluebook?
Is there actually a government warehouse for freaky secret stuff? And if so, is the Ark of the Covenant there?
Just who/what the hell is/are the Illuminati?
Are we alone?
Who are the “Nine Unknown Men?”
Did Jesus have a wife?
Do the Greys really exist - and if they are running the world shouldn’t they be doing a better job of it?
Is Paul McCartney dead?
What the hell is going on in the Bermuda Triangle - and if it’s so jacked up there why do boats and planes still go there?
Where is Sasquatch and why do we never see more than one at a time?
Was that really a weather balloon in Roswell?
What’s up with Stonehenge?
Is Yoko Ono the Antichrist?
And what about the Nazca Lines in Peru? Is this “Chariots of the Gods” stuff true?
As you may know, or certainly must have guessed, I didn’t find the answers I was seeking once I got my clearance. Well, that’s not entirely true…I have been to Area 51 (didn’t see one stinking alien) and it looks like Paul is alive and well and I’m pretty sure Yoko Ono is not the Antichrist though I have no evidence to back that up either way. But the fact remains that once I got my clearance there was very little classified information that the government would let me get my hands on.
For those of you who have never had a clearance you may be asking why this is; three simple words - Need To Know. I didn’t have the Need to Know any of the information I was seeking (if it even exists - which I doubt).
Most of us understand and properly use Need to Know when dealing with classified information but I ask you now - how are you with unclassified information? Do you still apply Need to Know principles when someone asks you for unclassified sensitive or critical information? If someone you work with were to ask you to let them read a “For Official Use Only” document would you give it to them without much thought?
Sadly, most of us would. I mean, it’s unclassified for Heaven’s sake. If it was worthy of protection someone would have made it classified wouldn’t they? And therein lies our problem. A good number of us don’t really think anything unclassified requires any type of protection. Well, if that were true may I be so bold as to suggest that we don’t need OPSEC.
If we’re not going to bother seeing “For Official Use Only” or “Sensitive But Unclassified” or “Unclassified Controlled Nuclear Information” or “Law Enforcement Sensitive” or “Sensitive Homeland Security Information” or “Administratively Controlled Information” or “Security Sensitive Information” or “Critical Infrastructure Information” or “Personally Identifiable Information” or “Controlled Unclassified Information” as information requiring protection then why bother with any of these identifiers?
Back to the point: Need to Know needs to be applied to unclassified sensitive information (in all its forms) in the same way we apply it to classified information. If coworkers Bob or Janet want to see that “For Official Use Only” document then you need to verify that they have a Need to Know the information - that they need this information to do their job. And if you can’t verify that then you can’t let Bob or Janet see the information.
Pretty simple really.
And I hate to be the one to break this to you but yeah…Elvis is dead. Sorry man.
Keep the Faith!
Revelator
“I Am The Walrus” - The Beatles
Posted in Critical Information, General OPSEC
5. December 2008 by Revelator.
SIGINT (n) - intelligence information gathered from communications intelligence or electronics intelligence or telemetry intelligence.
COMINT (n) - technical and intelligence information derived from foreign communications by other than the intended recipients.
IGNORINT (n) - intelligence gathered by the direct exploitation of stupid people.
If you will grant that the biggest threat to the information you are trying to protect is the unintentional insider then you have to agree that IGNORINT collection is the biggest threat to the security of your operations. And yes, I know there is a difference between ignorance and stupidity but in the final analysis IGNORINT exploits both so I’m not going to split hairs.
Whether the information lost is because of one person’s inability to think beyond a third grade level or because the person wasn’t properly briefed doesn’t matter to the IGNORINT collector. And when it comes right down to it many properly trained and briefed individuals will let stupid override their training when put to the test. For example, otherwise intelligent and security savvy men seem to zoom right to stupid when confronted with a beautiful woman or large quantities of alcohol. And if you combine stupid inducing amounts of alcohol with a friendly female then you have the perfect storm for IGNORINT collectors.
But don’t let me mislead you - many of us can call up stupid at will even without the aid of alcohol or other stupid inducing products or situations and therein lies the problem. IGNORINT collectors know this and are available to exploit this known weakness at a moment’s notice. Whether it’s picking up our discarded trash, or collecting a ton or two of recycled whole white paper, or hanging out at the local watering hole, or listening to a speech at a professional symposium, or exploiting personal blogs, or…well, you get the point. We just give so much away that it blows my mind sometimes.
Humans as a species are designed to make mistakes and consistently do things that are generally considered not that bright. But what are we to do about it? Well, if you’re looking for The Revelator to enlighten you then you just might be in for a long wait. About all you can do is acknowledge this vulnerability and fight against it in any way you can. Good luck with that. And if you come up with a way to somehow defeat even a small amount of IGNORINT collection you let me know.
Keep the Faith!
Revelator
Chain of Fools - Aretha Franklin
Posted in Awareness, Vulnerabilities, Threat, General OPSEC
17. November 2008 by Revelator.
A lesson in indicators…
A man was shopping at his local supermarket where he selected one half-gallon of 2% milk, one carton of eggs, one quart of orange juice, one head of romaine lettuce, a small can of coffee, a package of bacon, a box of Band Aids and a bottle of unscented lotion.
As he was placing his items on the conveyor for check-out a beautiful woman standing behind him watched as he placed the items in front of the cashier. While the cashier was ringing up his purchases, the woman calmly stated matter-of-factly, “You must be single.”
The man was a bit startled by her rather bold (yet correct) statement but he was also intrigued by the woman’s keen intuition and (with any luck) interest in him. So he smiled at her and then looked at the items on the belt and saw nothing particularly unusual about his selections that could have given away his single status to this increasingly hot woman.
At this point curiosity (and lust if truth be told) got the better of him and he said: “Well, you know what? You are absolutely correct. But how on earth did you know that I was single?”
The woman replied, “Cause you’re ugly.”
So, what is the lesson here?
Simple - beautiful women do not pick up single 40-ish men in the supermarket.
But what is the OPSEC lesson here?
There isn’t one. Sometimes life just sucks.
Keep the Faith!
Revelator
“No Woman, No Cry” - Bob Marley and the Wailers
Posted in BS, General OPSEC
17. October 2008 by Revelator.
Try this on for size: Us OPSECers are a bunch of paranoid freaks who run around trying to convince the world that the sky would fall if it wasn’t for our magic potion.
Don’t laugh and don’t get defensive - people do say this about us. Don’t believe me? Let me give you a hint of what we sound like sometimes:
Protect this!
Secure this!
You can’t do that!
You must do this!
Listen to me!
Come to my briefing!
THINK OPSEC! THINK OPSEC! THINK OPSEC!
If you don’t use OPSEC the world will come to an end in a horrible way and the remaining survivors will blame you and then burn you alive and then trade your baseball card collection for the June 1975 issue of OUI Magazine.
If you don’t use OPSEC you will personally lose the war but you’ll be around right up till the end and then you’ll get yours too - right in your grill - just like Kimbo Slice (except that you will actually be hit and will most likely die).
If you don’t use OPSEC the competition will beat you to the shelves and your company will go bankrupt and you will be out of a job, the heel on your new too-small-for-your-big-feet Manolo’s will break, your husband will leave you for a successful toy manufacturer and then the economy will crash because you are a weak and worthless person.
If you don’t use OPSEC your identity will be stolen and your personal life will come crashing down around you. Your wife will leave you and your kids will hate you with a white-hot passion that will drive them to become lawyers and sue you for abandonment.
If you don’t use OPSEC your house will be broken into while you are on that two-week vacation and while in your house bad guys will put fish and Cheez Whiz in places you won’t be able to find them until it is much too late and on that exact date your in-laws will arrive unexpectedly for a three-week stay.
If you don’t use OPSEC Freddy Krueger will haunt your dreams… “1, 2, Freddy’s coming for you. 3, 4, you better lock your door. 5, 6, grab your crucifix. 7, 8, stay up late. 9, 10, never sleep again.”
If you don’t use OPSEC bad guys will steal your PIN and take all your money and spend it on loose women, MadDog 20/20 and gambling - and not that good gambling you see on TV but that bad degenerate gambling that has no respect for the viewing audience.
If you don’t attend annual OPSEC training you are destined to be a high security risk for your unit/company. Everyone will hate you and you will hiccup for 4 years straight.
You need to understand that this is exactly how some of us come off. You can’t scare people into using OPSEC. But you may be able to convince them that OPSEC can be a force multiplier, can raise survival rates and can be incorporated into an operations or business plan without hurting the operation itself.
And if you can convince someone that lives and/or money can be saved…well then - you won’t have to try to scare them with threats, voodoo or your magic potion.
Keep the Faith!
Revelator
Won’t Get Fooled Again - The Who
9. October 2008 by Layne.
Folks I try to stay positive…I try to believe that those who should be protecting stuff are protecting that stuff. I try to avoid sarcasm as I write about certain aspects of security or OPSEC - but I lose the battle sometimes.
Case in point: Did you really think your personal information was protected?
Let me share something I read recently in the Washington Post:
“U.S. corporations, governments, and universities reported a record 516 consumer data breaches in the first nine months of this year, incidents prompted chiefly by hackers and employee theft. About 80 percent of the breaches involved digital records, while the remainder stemmed from the loss, theft or exposure of paper-based records. Some 30 million records on consumers have been exposed so far this year but there is currently no federal requirement for organizations that experience a data breach or loss to acknowledge precisely how many consumers nationwide may have been affected. More than 36 percent of the breaches so far this year have been at U.S. businesses, while educational institutions were the second most frequent source of incidents (21 percent).”
516 breaches - 30 million records exposed - 9 months - no reporting requirement
I am at a loss for words. Well, not actually a loss - many words are running through my mind. I just don’t want to put those words on this blog. This is just sick - I need a drink.
Keep the Faith! (even though it can be hard at times)
Revelator
Bad Moon Rising - Creedence Clearwater Revival
9. October 2008 by Revelator.
Excerpt from an article I recently read: “Organizations are shifting their focus to the threat posed by insiders and turning their attention to training and data protection, according to a recently released survey. The 2008 Global Information Security Workforce Study, conducted by analyst firm Frost and Sullivan for certification organization (ISC)2, surveyed 7,548 information security professionals worldwide. 51% of respondents said internal employees pose the biggest threat to their organizations. The finding represents an ongoing trend in the past two to three years, as the numbers of remote workers and portable storage devices have jumped in the enterprise, said Frost & Sullivan’s network security industry manager. ‘That increases the chance of something happening, whether it’s malicious employees or just someone with good intentions but walks out of the building with data so they can work at home,’ he said. The findings are supported by Information Security’s Priorities 2008 survey, in which 70% of participants said they are worried about detecting and thwarting internal attacks.”
‘Bout time people start understanding what us OPSEC Professionals have known for quite a long time - unless you are in battle (and sometimes even then), the internal threat is the biggest threat to your organization. I wrote a blog entry on 30 May titled “Welcome to the Jungle” that spoke to this very thing.
From my perspective this isn’t an on-going trend from the past 2 or 3 years - it’s an on-going trend period. And it will never stop. Certainly advancing technology has made it easier for the malicious insider to cause harm but it has also made it easier for our biggest threat - the unintentional insider - to screw up and cause harm. Either through ignorance, laziness, or simple lack of caring the unintentional insider is the single most devastating threat to your organization. You can attempt to counter this with an aggressive awareness program and constant employee vigilance within the organization but the threat will remain. Understanding is half the battle - now act on this understanding.
Keep the Faith!
Revelator
Insider - Tom Petty and The Heartbreakers
Sample “Insider” lyrics…
It’s a circle of deception
It’s a hall of strangers
It’s a cage without a key
You can feel the danger
And I’m the one who oughta know
I’m the one you couldn’t trust
Yeah I’m the lonely silent one
I’m the one left in the dust
6. October 2008 by Revelator.
THE INAUGURAL QUADRENNIAL OPSEC ANVIL AWARDS
As I was preparing an award package for the National OPSEC Conference awards I got to thinking that it is pretty cool that our small community has an award program that recognizes people and programs that should be applauded and emulated. Recognizing personnel that have gone above and beyond what is expected is a great thing. Then I got to thinking that those who are performing below and behind should also be recognized as sterling examples of what not to do. With this in mind I give you the 2008 Inaugural Quadrennial OPSEC Anvil Awards.
The first person that comes to mind who deserves to have an OPSEC Anvil dropped on their head is: The dude who blasted out of the secure area without waiting for the door to said secure area to close behind him while I slipped in unnoticed and unescorted.
Our second award goes to: The lady on the airplane who just had to share her highly sensitive work for a government contractor with me.
Subsequent (though no less significant) anvils will be dropped on:
The person who left the uncleared visitor unescorted for an extended bathroom break.
The person who put the key in the STU-III but didn’t turn it.
The person who failed to erase sensitive information from the conference room white board.
The person who blogged deployment dates and locations.
The person talking about sensitive information on their cell phone in the cafeteria.
The person who emailed critical information to their home computer.
The person whose cell phone rang in the middle of a secure area.
The person who threw FOUO and Personal Privacy Information into the trash can.
The person whose badge was stolen from their unlocked car.
The person overheard complaining about security vulnerabilities over a beer at a local drinking establishment.
The person who shares everything with their uncleared spouse.
The person emailing successful mission tactics to all his buddies.
The person who will talk to anybody about anything while in the smoking area.
The Manager/Commander/Leader who says the word “OPSEC” but doesn’t really use it.
The list of nominees this year was quite exhaustive and to tell you the truth we ran out of OPSEC Anvils long before we ran out of people who deserve to be sedated by the “award.”
This year we need to learn from the mistakes noted above and make next year’s award list non-existent - or at least a whole lot shorter.
Keep the Faith!
Revelator
I Wanna Be Sedated - The Ramones
26. August 2008 by Revelator.
An excerpt from SCIENTIFIC AMERICAN magazine, May 1908 (that’s right 1908 - 100 years ago…)
“Soon after the first reports were received regarding the flights being made by the Wright brothers in testing their aeroplane, a considerable number of newspaper correspondents visited the scene of the trials among the high and pointed sand dunes of the North Carolina coast south of Norfolk, Virginia. The brothers refused to make any flights, however, when the reporters were near at hand, and so the gentlemen of the press were obliged to keep in hiding nearly a mile away from the scene of operations, and to merely watch the machine from afar through spyglasses when it was flying.”
The term OPSEC may have been coined by the original Purple Dragon crew but many examples of OPSEC in action resound throughout history - this is but one more.
Keep the Faith!
Revelator
Enter Sandman - Metallica

20. June 2008 by Revelator.
Dear OSPA Forum,
I’m just an average guy who hasn’t ever really had much luck with OPSEC. I’ve tried everything but nothing seems to work. I’ve bought OPSEC drinks, I’ve sent presents, I’ve sweet talked and cajoled but no luck. My friends are constantly busting on me cuz I can’t keep an OPSEC program for more than one date. Trust me, I know what it feels like when doves cry. Well, imagine my total surprise when just last week I met the OPSEC program of my dreams! There she was sitting across the room all by herself. I stole furtive glances in her direction but always turned away when she looked my way. My track record was so bad that I didn’t dare approach her. But then here she came - she was coming over to me. Oh my God! My mouth dried up and my tongue tied itself into knots. Butterflies were conducting strafing runs on my stomach and my palms began to sweat. Is she really coming over to me? What will I say? What will I do? She was so hot! Her dress left nothing to the imagination (and my imagination was screaming) and her eyes were boring through me right into my soul.
And then she sat down! I stared at her like a paralyzed deaf mute unable to do or say anything. I was sure she would realize her obvious mistake and leave - but she didn’t. And then she said something to me that I’d only heard in my fantasies; “Take me now or lose me forever.” Well, somehow I managed to get to my feet and get her back to my place without crashing my car - and that’s when it got real interesting…
Now you just know I’m not going to finish that story. Nope - I’ll leave that to your sordid imagination. All I wanted to do was give myself a reason to mention the OSPA Forum. The OSPA Forum is a place where any OPSECer worldwide can come to catch up, ask a question or just see what’s been going on.
There are currently 20 members registered. Of the 20 registered there are a good couple of bona fide subject matter experts who can help you with any OPSEC question you might have. Currently there are 6 categories, 22 topic areas, 73 individual posts and well over 2000 views. These numbers may not seem overwhelming to you but OPSEC is a relatively small community and we’re doing everything we can to support you, the practicing OPSECer.
So take a moment and check it out. Like the commercial jingle says… “And like a good neighbor, OSPA is there.” http://www.opsecprofessionals.org/forum
Keep the Faith!
Revelator
“When Doves Cry” - Prince
13. June 2008 by Revelator.
Hear ye! Hear ye! Hear ye! I’ve got a message for you. It’s not the most important one I’ll ever give or the best written one I’ve ever given but it does go to the heart of an argument that has been raging since the early ’70’s. And the question is this: How long should a Critical Information List (CIL) be?
The best CIL I’ve ever seen was in an organization that required all personnel to wear badges within the confines of the building. The organization took their 12-item CIL - I say again their 12-item CIL - put it on a card and laminated it for all personnel to wear with their identification badge. Each person in the organization had access to the CIL at all times. This is about as good as it gets folks.
On the other hand, a good number of seasoned OPSEC professionals disagree with me on this subject. They’ll tell you that a “comprehensive” CIL is the only way to ensure that all of your critical information will be protected. Sound logic to be sure. Unless you take into account the human factor. I don’t know how many of you have photographic memories and can remember a 73, or 103 or 276 item CIL, but I sure can’t. 276 items! Are you freaking kidding me? How is this usable? My personal experience is that when I’m shown a CIL with more items than my wife’s grocery list I tend to ignore it. I know I can’t memorize it and if I’m on the phone or typing an email I most likely won’t consult the “Big Book of CILs” to see if I should be communicating the information. But if you show me a list that I can wrap my brain around, say about 20 items, then I’ll study that sucker and be able to commit most of it to memory. And even if I can’t memorize it I can pin it up somewhere in my cubicle where I can actually consult it quickly if need be.
There are too many things in our complicated lives to remember already. I’m forever writing things on stickies so I don’t forget them. Then I’ve got the task list in my Microsoft Outlook so I don’t forget anything. I’ve also got a long to-do list in my 7-Habits Daily Planner which is also loaded onto my Blackberry and then as a fail safe, I’ve got my wife around who is constantly reminding me of things I’ve already forgotten. And when I do make it to the grocery store my wife will make a list for me because she just knows I’ll forget something.
And finally on the subject of short CILs - remember the KISS Principle - Keep It Simple Stupid. The shortest Critical Information List I ever saw had only one item. “We are a military organization charged with protecting the freedom of the American peoples and their allies - keep your damn mouth shut!” I could argue that there should probably be a couple of more items but damn it - I like their attitude.
Keep the Faith!
Revelator
16. May 2008 by Revelator.
Be they in high or low places you need friends if you want to do this thing we call OPSEC. I guarantee you that your workload will go up and your success will go down without your own OPSEC professionals network. People out there are doing some great and innovative things that you need to know about. None of us should work in a vacuum. Communicate with other OPSEC managers. Join OSPA or the OPS. You need to make a conscious effort to meet new people. Go to the National OPSEC Conference or an OPSEC Forum. Get out from behind your desk and get to a threat seminar. When you get out to an event like a conference or formalized training you will meet people. You can’t help it. I make, at least, five good contacts at every event I attend. That’s five more people I can call or email when I’ve got a question. Five more people who I can share ideas with. Five more people I can “benchmark” off of.
Since our program here at the National Nuclear Security Administration, Nevada Site Office won the Organizational Achievement Award at the National Conference last month I get two or three calls or emails a week from people asking for assistance/help/guidance for some area of their program. Trust me when I tell you there is no way this program would be where it is today without the help and valued assistance from people I now call friend (starting with Wayne Morris who built the program I was fortunate enough to inherit). As for the calls for assistance, I do everything I can for these people. When you’ve been as blessed as I have then you understand that you must give back to the community in any way you can. Plus I feel I need to honor folks like Tom Ariosto, Wayne Morris, Lynne Clark, Dan Wilkinson, Joan Hellon, Scott Milliman, Bill Feidl and Pat Sipes who have helped and guided me so much over the years. I just hope that some day you are as fortunate as me to have such a fine OPSEC support network to reach out and touch when you’re in need.
And when, not if but when, you attend one of these events don’t be afraid to walk up to someone and say “Hi, I’m Joe from Colorado Springs. How are you today?” You can start with me. I’ll be your first contact (if it is me though and I just finished a 90-minute speech, please just follow me to the smoking area and chat me up there instead of keeping me away from the post-speech nicotine fix I need so bad). Whatever you do, just get the hell out there and talk to someone new and get that network working.
Keep the Faith!
Revelator
13. May 2008 by Revelator.
“Leaders are busy doing the things critics say can’t be done.” You may have seen this quote before. I read it in a book last week.*
As OPSEC Managers your creativity and the ability to see the road ahead are paramount if you wish to have any level of a successful OPSEC Program. Beyond that is the fortitude to not only see the vision but to act on that vision. As an OPSEC Manager you are frequently alone in your passion to push the program but you must not let this stop you. You’ve got to be like The Bandit and have that “..we’re gonna do what they say can’t be done” attitude. Rare is the unit/company who shouts Hallelujah! when the new OPSEC Manager shows up. Rare are the times you will walk into a meeting and all will hail you as the savior of the mission. Rarer still is the man or woman who can keep running into this wall of denial until it is broken down.
The sad fact is that you just may be the only one who truly cares about OPSEC. At least this is the attitude that you need to have. Don’t let people fool you - they don’t care…not really. I’ve interviewed a number of OPSEC Managers who are quite sure they have the support of the people in their organization. And I’ll ask them; “How’s your program working?” And they’ll go on and on about all the great stuff they’ve done. Unfortunately, I get a different story when I interview people within the organization. Invariably, members of the unit have no idea who their OPSEC Manager is and if they do actually know a name, they have no idea what the OPSEC program means to their mission. What about you? What about those of you who may have been hired or hand-picked as the OPSEC Manager? Surely, you care about OPSEC. Right? Well, maybe. And maybe not. I’ve seen a lot of people get burned out by OPSEC because of the abnormally high frustration levels associated with repeatedly trying to accomplish something you know is right and getting beat down by leadership or those who run the mission. I mean, you are just the OPSEC guy or gal, right? Not only have I seen this - I’ve experienced it first hand, and it’s not pretty.
You try to do a good job and you either don’t have the support of the big dogs or you’re kept too busy doing other “more important” tasks or, maybe, just maybe, you don’t really care about OPSEC at all. Maybe it’s just a paycheck or a silly little additional duty. I’ve met these people and I can see it in their eyes. You can tell they just don’t have a passion for this stuff. I can’t explain it but I’ll be honest with you - the passionate people are in the minority. And it’s rather sad because you can’t be a half-assed OPSEC Manager. You can’t simply satisfy the minimum requirements and expect to have a positive effect on the mission or the lives of those executing that mission. You can’t send out an 18-slide PowerPoint presentation as your annual training and expect it to mean anything. You can’t walk up to a group of shooters about to execute a mission and tell them they can’t do something because you say so. You can’t be so removed from the leadership that they never think to call on you when they are making long-range plans. You can’t stick your head in a sales or marketing meeting and shout “Think OPSEC” and expect it to positively affect the outcome of the meeting. You can’t wait until all the jobs are posted and then run to HR and beat them down for putting too much information in job postings. And you can’t expect your coworkers to give a you-know-what about OPSEC and how it affects the mission and their lives if you haven’t repeatedly told them - if you haven’t made it personal to them - if you haven’t fully demonstrated how it affects them personally.
Understand this; as an OPSECer you are outgunned and under-equipped for the job you’ve been asked to accomplish. Boldness under such circumstances may seem almost foolish, yet boldness may be the one advantage to have. Unlike those who lead in battle, your life may not be on the line as the OPSEC Manager - but lives, jobs, your co-workers’ welfare, and their families’ welfare may be. Your program may have less muscle, so you will need more brains. You have to reorient your thinking, behavior and strategy. Pull off the sunglasses of pride and arrogance, and drop them in the nearest trash can - you’ll see the road ahead and the obstacles more clearly without them. Then get yourself out on that road and kick some OPSEC ass!
Keep the Faith!
Revelator
*The Centurion Principles by Colonel Jeff O’Leary (Ret)
5. March 2008 by Revelator.
“That’s not OPSEC.” The scene is day one of an OPSEC assessment. This is my first time out with this team so I’m still trying to feel out how they go about the process. While the team is in the badge office waiting for badges I notice there is a computer screen with red “SECRET” stickers top and bottom facing the gathered group at the customer service desk. Mind you, we’re not the only ones there trying to gain facility access. Among those waiting with us were gardeners, janitors, plumbers and other uncleared day workers. So, I turn to one of the senior members of the team and mention that we should identify this in our report and was told; “That’s not OPSEC.” While I didn’t want to get deep into what is and isn’t “OPSEC” I did mention that I thought we had a responsibility to the office supervisor to tell him that he should turn that screen around, and keep it turned around, so that uncleared couldn’t possibly see potentially “SECRET” information. I was told in no uncertain terms that this was not “OPSEC” and therefore not our responsibility. The Assessment Chief later corrected this problem but the individual in question never once wavered from his stance.
So what is OPSEC? Is anything OPSEC? A strong case can be made that every item in an OPSEC Assessment report can be traced back to requirements of some other security program. The scenario above was clearly a Computer Security issue but it is also an Information Security issue. FOUO in the trash? - Information Security. Not locking your computer screen when you leave your desk? - Computer Security. Privacy Act info in the recycle? - Information Security. Allowing people to piggyback into the facility? - Physical Security. Organization member talking about sensitive information during a speech at a conference or putting sensitive information in a professional publication? - Information Security. Talking around sensitive or classified on the phone or email? - Communications Security, Computer Security, Information Security. Cell phone in a secure area? - Physical Security. Public release of new product or emerging technology? - Information Security, Personnel Security. Give long time visitors the safe combo and then don’t change it when they leave? Catching on yet?
There are many more examples I could give but hopefully you get the point. On the other hand, did you think of instances that weren’t covered by my examples? What about always marshaling convoy vehicles at the same time in the same place? What about using the same routes? What security program covers mission or business indicators? Who is the security rep responsible when your unit doesn’t have a program in place to change its call-signs? What program do you call on to stop the intel dissemination capabilities of the spouses club?
I’ve spent many hours in debate with people I respect and while we may disagree in one or two of the gray areas we all (but one) agree that it is essentially ALL OPSEC when it comes to our responsibilities as OPSEC Program Managers or members of an assessment/survey team. Bottom line: Our job is to make our unit or company more secure. And we don’t do this by arguing over whether a vulnerability, indicator or security violation is OPSEC or not. See a problem - fix a problem.
One last thought - if you see me at the National Conference and I hear you say “That’s not OPSEC” - you owe me a cold one.
Keep the faith!
Revelator
29. February 2008 by Revelator.
My OPSEC Brothers and Sisters! I am happy to be back in your arms once again. Time to catch up…
For the uninitiated the WOF is the Western OPSEC Forum put on by the IOSS, sponsored by OSPA and hosted by the DOGS of OPSEC (NNSA/NSO OPSEC Program Office). Over a week has passed since the event but let’s see if I can remember the highlights.
As usual the IOSS packed the three-day forum with outstanding speakers giving truly outstanding presentations. I’m not gonna get into each speaker and presentation so you are just gonna have to trust me - there was mad info available from all corners of the military and civilian world. If you have yet to attend an Eastern or Western OPSEC Forum I suggest you keep an eye on the IOSS web page for announcements. Even if you typically get to the National Conference I still strongly suggest you consider getting to one of the Forums - good information - good networking - good times.
OSPA at the WOF: In attendance were Wayne Morris (Exec VP) and yours truly (VP) as well as Board Members Scott Milliman and Joan Hellon not to mention many OSPA members. One member, August Schellhase (DOG of OPSEC) was critically instrumental in making sure that this event went off with a minimum of unpleasantries. And then to our eyes what did we behold? Well, none other than Chris and Evie - our President and Secretary and their two handsome boys. They were only able to stay about an hour before scooting back to beautiful downtown Barstow but they brought us a host of gifts and OSPA handouts for WOF attendees. By the way - this was the first time anyone in OSPA ever had a chance to lay eyes on our reclusive President and his lovely wife. I’m happy to report that he isn’t nearly as unpleasant looking as I was led to believe. I don’t have the exact numbers but we signed up 20 or so new members bringing our total membership up to somewhere in the 130 range. This is great news for our fledgling Association.
In the “I ain’t braggin - just sharing” department: IOSS Director Marty Quick announced the winner of the National OPSEC Organizational Achievement Award and I’m proud and happy to say that it was the DOGS of OPSEC here at NNSA/NSO. August and I thank those of you who have sent your congratulations. But wait - there’s more…we also won 2nd place in the Multi-media (electronic/video) for our “OPSEC 24/7” video. As contractors we can’t actually be awarded the cup or the plaque but we eagerly look forward to watching the Department of Energy accept the award at the National Conference.
I have at least 28 more interesting/funny/embarrassing stories I could relate about the WOF but - as the saying goes; what happens in Vegas - stays in Vegas.
Keep the Faith!
Revelator