OPSEC Briefing for Communications Managers
LtCol Ed Wolff, CAP/DOKS
Civil Air Patrol
CITIZENS SERVING COMMUNITIES
UNCLASSIFIED
Consider some of the following “traditional” security programs:
• Personnel Security
  • Personally Identifiable Information
    • Names, telephone numbers, addresses, call signs
• Physical Security
  • Security of repeater sites
  • Security of radio equipment
• Communications Security
  • Using encryption on VHF
  • Using off line encryption
• Information Security
  • Encrypting files posted to the internet
  • Using password protected, member access web sites as compared to public facing sites
Do we need a security program?
• XX Wing - PDF file that provides call signs
• X Region Communications Guidebook providing call signs
• XX Wing - Communications Exercise Plan with names, phone numbers, call signs, etc.
• XX Region - CW15 Exercise Plan
• XX Wing - Call sign list document
• XX Wing - Call sign list
• XX Wing - Call signs on web page
• XX Region - Call sign list
• Non-CAP sites:
  • CAFED lists frequencies, maps of coverage, and code plug information; this can’t come from just monitoring radio traffic.
  • Radio Reference lists complete frequency lists, exactly as programmed in CAP code plug. This can’t come from just monitoring traffic.
When can OPSEC be used?
• Communications Training Exercises
• Communications Plans and Standard Operating Procedures
• Communications Methods, Sources, and Technical Tradecraft (Code Plugs)
• Software and Source Code
• PIO/PAO releases
• Personal social media published information
Every Person Is An OPSEC Sensor!
Every person in your squadron, group, wing, or region is a part of the security solution by:
• Knowing the threats
• Knowing what to protect
• Knowing how to protect it!
The OPSEC “5-step Process”
Identify Critical Information
The first step in the OPSEC Process is to identify critical information.
• PII
• Call signs
• Frequencies
• Net schedules
• Mission specific details
• Operations and Exercise Plans
Definition: “Adversary” (AKA “Bad Guy”)
An adversary is anyone who contends with, opposes or acts against your interest and must be denied critical information.
It could be as simple and obvious as your opponent in any game, or as complex and unknown as a spy, agent of a foreign government, or a criminal.
Remember that each adversary will have its own motivations and capabilities.
Examples include:
• Terrorist groups, foreign and domestic
• Criminals
• Organized crime groups
• Extremists
• Foreign Intelligence Services
• Hackers/Crackers
• Insider Threats
Definition: “Vulnerability” (AKA “Weakness”)
A vulnerability is a weakness that can be exploited by an adversary to obtain your critical information, and it can be present in any facet of your operations.
Vulnerabilities can come from many sources in your operation, including the physical environment of the work area, the office operating procedures, computers, or a myriad of other sources.
A vulnerability is a weakness that can be exploited by an adversary if it is discovered. A vulnerability exists when critical information is susceptible to exploitation by an adversary.
Potential Categories:
• Communications
• Public Affairs Department
• Critiques and after action reports
• Mail
• Trash
• E-mail
Definition: “Indicator” (AKA “Clue”)
An indicator is a piece of information or an activity that can be observed and combined with other information to reveal sensitive information.
An indicator acts as a “clue” to reveal information about an activity and will be the subject of analysis.
Examples of indicators:
• Increased training
• Unusual deliveries
• Advanced parties
• An increase in related personnel actions, such as TDY/business travel, financial preparation, etc.
• Large and frequent meetings
• Increased overtime
• Press releases and news items
Definition: “Threat”
“Threat” refers to the combination of an adversary and their intentions to undertake actions detrimental to friendly activities or operations. A threat can be thought of as any potential danger that a vulnerability will be exploited by a threat agent.
Both intent AND capability must exist to be considered a threat.
Ask yourself: “Does this person/group want to cause me/us harm?”
And, if so: “Are they able to do so?”
Definition: “Risk” and “Impact”
“Risk” is the probability that an adversary will compromise your critical information.
“Impact” is the effect that this compromise would have on your organization. Impact is the “what would it mean” factor.
Open Source Intelligence
AKA one of the greatest threats to any organization
1. Publicly available information that any member of the public may lawfully obtain by request or observation.
2. Unclassified information that has limited public information or access.
3. 80-85% of intelligence can be gathered using OSINT.
Source: re-configure.org
The enemy is watching…
In this digital world, there are very few truly “primitive” enemies. The enemy is:
Sending social engineering email (“phishing”)
Monitoring Forums
Following Tweets
Connecting on Social Media
Watching Chatrooms
Listening
“It” never goes away!
When you put information on the net, via your blog, MySpace, email, etc., you have to assume that it’s going to stay there forever.
Same thing with newspapers, magazines, and other media.
The only safe bet is to make sure that it never gets there in the first place!
For Example:
1,524 saved “snapshots” for UN.org, with saved content and information
For Example:
“BlackWidow” downloads all pages and files from a website, which can reveal pages and entries not meant to be publicly accessible.
For Example:
A note on public websites:
Certain things should not be found on public websites, blogs, etc., including:
• Sensitive Operations Plans
• Sensitive Communications Plans
• Alerting Lists, With Names
• By Name Personnel Lists
• Locations of Sensitive Assets (Vehicles, Airplanes, Radios, etc)
• Locations of Sensitive Facilities (EOC's, COOP Sites, etc)
REMEMBER
It is the responsibility of the security professional to answer those questions for the end-users
It is the responsibility of the end-users to do it!
Conclusion
OPSEC is what you make of it.
• The way ahead
  • Annual OPSEC training requirements in compliance with AFI 10-701
  • OPSEC Survey
  • OPSEC evaluations of CAP web sites (already started from the DOK side)
  • OPSEC awareness emphasis at the Squadron, Group, Wing, Region and National levels.
  • New emerging missions will drive this requirement for enhanced OPSEC awareness