Provided by OSPA www.opsecprofessionals.org

1
Vulnerabilities and Indicators
The OPSEC Process, step 3
Presented by (Presenters Name)
Provided by OSPA (www.opsecprofessionals.org)
2
Definitions

• Indicator
• Points to vulnerability or critical information??
• Vulnerability
• Weakness the adversary can exploit to get to
  critical information

3
Indicators

• Pathways or detectable activities that lead to
  specific information that, when looked at by
  itself or in conjunction with something else,
  allows an adversary to obtain sensitive
  information or identify a vulnerability

4
Profiles and Signatures

• Adversaries look for Patterns and Signatures to
  establish a Profile
• Patterns are the way things are done, arranged,
  or have occurred
• Signatures are the emissions that are the result
  of, or caused by, what is or was done
• Profiles are collected on all our activities,
  procedures and methodologies

5
Vulnerability Areas

• Operations
• Physical Environment
• Personnel
• Finance
• Administrative
• Logistics
• Public Affairs
• Family

6
Common Vulnerabilities

• Discussion of sensitive information in unsecured
  areas.
• Lack of policy/enforcement
• Cameras
• Cell Phones
• Internet Usage
• Shredding
• Training/Awareness

7
Stereotyped Operations

• Same Time
• Same Place
• Same People
• Same Route
• Same Way
• PREDICTIBILITY

8
Examples of Vulnerabilities

• Publications
• Press Releases
• Unencrypted Email
• Organization Website
• Non-Secure Telephone

9
Examples of Vulnerabilities

• Trash
• Employee Turnover
• Employee Mistakes
• Lack of Good Passwords
• Exhibits and Conventions

10
Communication Vulnerabilities

• Radios
• Cell Phones
• Telephones
• Facsimiles (Fax)
• Computers

11
Common Vulnerabilities

• Government Reliance on Commnercial Backbone
• Domestic
• Overseas

Few Government-Owned Systems
12
Cell Phones

• Incorporate a wide-spectrum of technologies
• Analog/ Digital Wireless
• Sound Recording
• PDA
• Camera
• Streaming video
• Computing/ Internet
• And more

13
Cell Phones

• Asset vs Vulnerability
• The Good
• Convenience
• Reach out and touch someone
• Access to Commercial Numbers
• Coordination Outside radio Range/ Frequency
• The Bad and the Ugly
• Multiple Technical Vulnerabilities
• Typically Unsecure

14
Common Vulnerabilities

• Computers
• Access Control
• Auditing
• Regulations/ Policy
• User Training
• Passwords
• Systems Accreditation

15
Common Vulnerabilities

• Associated Computer Concerns
• Email
• Sniffer
• Cookies
• Virus/ Spyware
• Web Logs (Blogs)
• Instant Messaging (IM)
• Personal Data Assistants (PDAs)

16
Areas of Vulnerability

• Administration
• Financial
• Logistics
• Operations

17
Administrative

• Memos
• Schedules
• Travel Orders
• Advance Plans
• Annual Reviews
• Org Charts
• Job Announcements
• Management Reports

18
Financial

• Projections
• Justifications
• Financial Plans
• Special Purchases
• Budget and Contracts
• Supplemental Requests

19
Logistics

• Unusual Equipment
• Volume or Priority Requisitions
• Boxes Labeled With the Name of an Operation or
  Mission
• etc

20
Operations

• VIP Visits
• Schedules
• Stereotyped Activities
• Increased Mission-Related Training
• Abrupt Changes in Normal Operation

21
EVEN MORE Indicators and Vulnerabilities

• Family
• Personnel
• Public Affairs
• Physical Environment
• Procedures and Reports

22
Where Are the Indicators?
23
Indicators

• Presence of specialized Equipment
• Increase (or Decrease) in activity
• Sudden Changes in Procedure
• Unique Convoy Configuration
• Staging of Cargo or
• Vehicles

24
Information of Intelligence Value
Collectible
Observable
25
Collectible

• Can be physically collected or intercepted

Examples Dumpster diving, cordless/cell phone
interception, email, open source
26
Observable
What you can see What you can smell What you can
hear
27
Why train for OPSEC? ( A real Exercise)
28
What is our greatest Weakness?
OURSELVES!
29
Questions?

• In wartime, the truth is so precious that it
  must be protected by a bodyguard of lies.
• Winston Churchill