OPSEC

1
OPSEC

• Operation Name
• SGT Artemis OConan
• Operations Center

2
Information and Value

• 80 of all intelligence is from unclassified
  sources
• Tidbits of information are pieces of a puzzle
• Even your tidbits help complete the picture

• Objective make yourself your mission the
• hard target. Let the bad guys find a softer
  target
• somewhere else!

3
The Adversaries

• Foreign Nationals
• Drug Cartel
• Terrorists
• Hackers
• Criminals

4
Consider YOURSELF a Target

• You and Your Family
• Your Friends Neighbors
• Your fellow soldiers
• Your Job
• Your Mission
• Your Unit
• Your Country

The Manchester Document A Terrorist Handbook
5
So What Is OPSEC?Operations Security

• OPSEC deals primarily with protecting sensitive
  but unclassified information that can serve as
  indicators about our mission, operations and
  capabilities
• A Five Step Process
• 1. Identify Critical Information (CI)
• 2. Analyze the threat to the CI
• 3. Determine OPSEC vulnerabilities
• 4. Determine the acceptable level of risk
• 5. Implement appropriate countermeasures

6
The OPSEC Process
7
You already practice OPSEC at home

• When most of us leave home for vacation, we take
  actions to protect our homes while were away.
• We may
• Stop newspaper deliveries
• Have the yard mowed
• Buy light timers
• Have a neighbor get the mail
• In short, we want our houses to look like someone
  is home

8
What is Critical Information?

• Critical Information (CI) is information which
  can potentially provide an adversary with
  knowledge of our intentions, capabilities or
  limitations. It can also cost us our
  technological edge or jeopardize our people,
  resources, reputation and credibility.
• Controlled unclassified information, is often
  identified as Critical Information.

9
Information Designations

• For Official Use Only (FOUO)
• Sensitive But Unclassified (SBU)
• Law Enforcement Sensitive (LES)
• Trusted Agent Eyes Only, etc.

10
Control of Critical Information

• Regardless of the designation, the loss or
  compromise of sensitive information could pose a
  threat to the operations or missions of the
  agency designating the information to be
  sensitive.
• Sensitive information may not be released to
  anyone who does not have a valid need to know.

11
Examples of Critical Information

• Where are the TXSG Soldiers living during the
  deployment
• What is the make and model of the soldiers
  vehicles
• What is the capabilities of the Operation
• What type of technology does the Operation have
• Who are participations
• Location of law enforcement
• Locations of Resources

12
The Threat

• Others constantly study us
• to determine our weaknesses
• Their Tools
• HUMINT
• Human Intelligence
• SIGINT
• Signals Intelligence
• COMMINT
• Communications Intelligence
• ELINT
• Electronic Intelligence
• Many more INTs

13
HUMINT You could be a target!

• Watch what you say to
• The public/media
• Friends
• Professional Colleagues in and outside of TXSG
• Places to be especially wary
• At school
• Bars and restaurants
• Conventions/symposiums
• Dont try to impress people with your knowledge
• Loose Lips Sink Ships!

14
SIGINT, COMMINT, ELINT

• TXSG is perform a non-combat military mission and
  is operating on state communications systems
• TXSG is being entrusted with more sensitive
  information than you may think
• Dont assume were immune because were out of
  the mainstream presence
• For that reason we can actually be MORE
  vulnerable
• Watch what you transmit on
• Radios, phones, Fax, and email

15
Marking Documents

• Documents containing FOUO info should be marked

UNCLASSIFIED//FOR OFFICIAL USE ONLY Information
contained in this document is designated by
the State of Texas as For Official Use Only
(FOUO) and may not be released to anyone without
the prior permission of the and/or the

• Documents containing LES info should be marked

UNCLASSIFIED//LAW ENFORCEMENT SENSITIVE
Information contained in this document is
designated by the State of Texas as Law
Enforcement Sensitive (LES) and may not be
released to anyone without the prior permission
of the and/or the
16
Marking Documents

• Material other than paper documents (for example,
  slides, computer media, films, etc.) shall bear
  markings that alert the holder or viewer that the
  material contains FOUO or LES information.
• Each part of electrically transmitted messages
  containing FOUO of LES information shall be
  marked appropriately.

17
Protection of FOUO LES Information

• FOUO LES information should be stored in locked
  desks, file cabinets, bookcases, locked rooms, or
  similar items, unless Government or
  Government-contract building security is
  provided.
• FOUO LES documents and material may be
  transmitted via first-class mail, parcel post or
  -- for bulk shipments -- fourth-class mail.
• Electronic transmission of FOUO LES information
  (voice, data or facsimile) should be by approved
  secure communications systems whenever practical.

18
Its Everyones Responsibility

• The purpose of the security program is to protect
  against unauthorized disclosure of official
  information. Keep your information secure at all
  times.
• OPSEC is mostly common sense. If we all take the
  time to learn what information needs protecting,
  and how we can protect it, we can continue to
  execute our mission effectively.

19
Disclosure of Information
Disclosure of information, quite simply is when
information passes from one party to another.
When dealing with sensitive information, it is
the responsibility of the party possessing the
information to ensure it is not disclosed to
parties who do not have a need for or a right to
the information.
20
Authorized Disclosure
Disclosure of sensitive information is
authorized only when the party receiving the
information can be properly identified and has a
need to know.
Need to Know does not mean, because a person
holds a high management position, he or she
automatically needs access to the information.
21
Unauthorized Disclosure
Unauthorized disclosure of sensitive information
is when the party receiving the information does
not have a Need to Know.
In most cases, unauthorized disclosures are
unintentional and due to poor planning or a
failure to think by the possessing party.
22
Unaware of Surroundings
One of the leading causes of unintentional
disclosures is simply people not being aware of
what is happening around them.
Discussing sensitive information when you are
unsure or unaware of your surroundings can
quickly lead to this information being disclosed
to the wrong people.
23
Awe Of Position
We all want to please our commanders, and work
very hard each day to do so.
However, even if a superior officer requests
something that is sensitive in nature, we must
still make sure they meet all the requirements
for access to this information just like everyone
else.
24
OPSEC and the Web


Unclassified
25
Web Log Vulnerabilities

• Photos (with captions!)
• Installation maps with highlights of designated
  points of interest (sleep/work, CDR, chow hall,
  etc)
• Security Operating Procedures
• Tactics, Techniques and Procedures
• Our capabilities
• The morale of you and the soldiers in your unit
• Undermining your senior leadership

Sensitive Information?
26
Web Log Vulnerabilities
A US soldier stands guard as a suspected looter
begs to be released after they were caught while
fleeing a building on fire in Baghdad, Iraq (news
- web sites) Saturday June 28, 2003. The
suspects were allegedly looting gasoline from the
building. 12-year old Mudhr Abdul Muhsin,
bottom, was released later
This photo can be used against us both from the
adversary and our own people. Perceptions can be
your WORST enemy. If you were a bad guy, could
you use this?
27
Web Log Targeting
(JOURNAL OF A MILITARY HOUSEWIFE) INFORMATION
WAS OBTAINED FROM A FAMILY WEBSITE 1. HUSBANDS
NAME, HOMETOWN, UNIT, AND DATES OF DEPLOYMENT. 2.
PICTURE OF SPOUSE 3. EXPECTING THEIR FIRST CHILD
ON DECEMBER 8, 2005. 4. BABY SHOWER SCHEDULED FOR
OCTOBER 22, 2005 5. DATE SPOUSE FAILED HER
DRIVERS TEST A GOOGLE SEARCH ON INFORMATION
OBTAINED FROM WEBSITE REVEALED 1. SPOUSES
A.K.A. (Screen Name) 2. COUPLES HOME ADDRESS 3.
SPOUSES DATE OF BIRTH 4. HUSBANDS YEAR OF
BIRTH 5. DATE SPOUSE OBTAINED HER DRIVERS
LICENSE.
COULD YOUR FAMILY BE A A TARGET?
28
Personal Web Page Vulnerabilities

• Personal web pages can expose something the unit
  would like to protect
• A picture is worth a thousand words
• We enlisted our families didnt
• Individuals expose information because
• Theyre proud of their work
• Theyre marketing the unit or they want public
  support
• Theyre miffed or frustrated

29
Lets go Googling

• Time No more than 10 min
• Info First and Last Names
• Info Rank
• Now let see what we can see

30
Rank Name

• Who
• Home
• Hometown
• Children
• E-mail

31
Interests

• Favorite Music
• Favorite Books
• Favorite Movies
• Favorite TV Shows, Actors
• Interests and Activities

32
Affiliations

• Political Affiliation
• Religious Affiliation
• Employers
• Colleges
• Major
• High Schools
• Other Affiliations

33
Countermeasures
Anything that effectively negates or reduces an
adversarys ability to exploit our
vulnerabilities.
Would you want the enemy to read this?
If the answer is NO, DONT PUT IT ON THE WEB!
34
What YOU Can Do

• Post information that has no significant value
  to the adversary
• Consider the audience when youre posting to a
  blog, personal web page or EMail
• Always assume the adversary is reading your
  material
• Believe the bad guys when they threaten you
• Work with your OPSEC Officer follow policies
  and procedures!

35
The Challenge
Think like the bad guy before you post your
photographs and information in a blog, a personal
web page, or in your EMail
Sometimes we can be our own worst enemies
36
The Message

• Operations Security is everyones business
• Good OPSEC saves lives and resources
• Always use common sense and stay alert
• Only release info to those with a valid
  need-to-know
• Identify vulnerabilities to your commander

37
The Bottom Line

• OPSEC is a time-tested process that analyzes
  threats, identifies Critical Information, and
  develops appropriate countermeasures
• OPSEC is used by all of us in everyday life
• OPSEC is not so much a bunch of security rules,
  but a common-sense approach to viewing your
  operations through the adversarys eyes
• OPSEC increases opportunities for mission success
  by protecting Critical Information
• You are the key to making OPSEC work!

38
Are You the Weakest Link?
Vulnerabilities Weaknesses the adversary can
exploit to get to the critical information
39
QUESTIONS ?