Overall Classification of this Briefing is UNCLASSIFIED Fleet & Family Support Ombudsman Program & Operations Security
Facebook.com/NavalOPSEC Overview OPSEC Threat Critical Information Indicators Data Aggregation Vulnerabilities Risk Countermeasures Ombudsmen and OPSEC Social Media OPSEC@navy.mil Http://www.navy.mil/ah_online/OPSEC/index.asp Facebook.com/NavalOPSEC @NavalOPSEC 757-417-7100
OPSEC A 5 step process that … Identifies, controls and protects sensitive, critical unclassified information about a mission, operation or activity Assesses potential threats, vulnerabilities, and risk Utilizes countermeasures to mitigate an adversary's effectiveness against a friendly operation Operations Security: 1. A systematic, proven process by which a government, organization, or individual can identify, control, and protect generally unclassified information about an operation/activity and, thus, deny or mitigate an adversary's/competitor's ability to compromise or interrupt said operation/activity (NSC 1988). 2. OPSEC is a process of identifying critical information and subsequently analyzing friendly actions attendant to military operations and other activities to (a) identify those actions that can be observed by adversary intelligence systems, (b) determine indicators adversary intelligence systems might obtain that could be interpreted or pieced together to derive critical information in time to be useful to adversaries, and select and execute measures that eliminate or reduce to an acceptable level the vulnerabilities of friendly actions to adversary exploitation (DOD JP 1994; JCS 1997). Operations Security process: An analytical process that involves five components: identification of critical information, analysis of threats, analysis of vulnerabilities, assessment of risks, and application of appropriate countermeasures (NSC 1988). Source: http://www.ioss.gov/glossary.html#o
Threat Capabilities and intentions of an adversary to undertake any action detrimental to the success of friendly activities or operations. Conventional Threats Military opponents Unconventional Threats Terrorism (foreign and domestic) Hackers Insiders (Spies) Thieves, stalkers, pedophiles There are several factors that help you determine the treat to your command or unit’s mission. Geography plays a large role in threat identification. Example: If you are in the Arabian Gulf, then MS-13 will probably not make your threat list. The best source to request threat information will be the N2 shop if the command has one and if not, NCIS MTAC.
What are they looking for? Names, photographs of important people Present/future operations Information about military facilities: Location Number of personnel Ammo depot locations Dates and times of operations Family details Spouse, children Location of work, school
Critical Information Information we must protect to ensure success Information the adversary needs to prevent our success Capabilities Operations Personnel Security procedures
Family Critical Information Some examples of critical information that apply to your family life: Names and photos of you and your children Usernames and passwords Length and location of spouse’s deployment Social Security Numbers Credit card/banking information Significant dates (birthdays, anniversaries) Addresses and phone numbers Everyday schedules Travel itineraries
Indicators Friendly, detectable actions that reveal critical information and vulnerabilities Longer working hours Rehearsals Sudden changes in procedures Onloads Large troop movements Not all indicators are bad Indicators are signatures of an event or action an adversary can observe via collection methods available to them. Indicators can point to vulnerabilities and possibly reveal Critical Information.
Avoid Indicators This slide depicts common indicators for families.
Data Aggregation Information collection from multiple sources Open source collection provides enemy most of their intelligence Manchester Document: 80% of information collected is done so legally Internet Trash Media Small details put together give big picture Countermeasures are used to address vulnerabilities that an adversary may exploit to gain access to critical information. The objective is to lower the vulnerability rating which will in turn lower the risk level. The remaining risk is referred to as residual risk. The ultimate goal of countermeasures is to reduce Risk to the commanders acceptable level. Two things that must be considered when developing countermeasures are “Cost & benefit”.
Vulnerabilities Weakness the adversary can exploit to get critical information Some common vulnerabilities are: Lack of awareness Social networking Social engineering Data aggregation Technology Trash Poor policy enforcement Unsecure communications Like with anything, a vulnerability is something that can be exploited to cause damage or disruption. This slide is a list of the most common vulnerabilities a person or organization may experience.
Risk The probability an adversary will gain knowledge of your critical information and the impact if they are successful Impact: How much will it cost if your critical information is lost? Lives Mission Money Time How much are you willing to risk by displaying this indicator or not correcting that vulnerability? The Risk assessment step of the OPSEC process aids decision makers in understanding what aspects of an operation or mission could be compromised and how resources could be affected. The cost can be measured by what is shown on this slide. Always keep in mind that the “Commander” is the only only one who can accept risk, therefore will determine the acceptable level of risk.
Countermeasures Anything that effectively negates or reduces an adversary's ability to exploit vulnerabilities or collect & process critical information Hide/control indicators Vary routes Modify everyday schedules Influence or manipulate an adversary’s perception Take no action React too late Take the wrong action Countermeasures are used to address vulnerabilities that an adversary may exploit to gain access to critical information. The objective is to lower the vulnerability rating which will in turn lower the risk level. The remaining risk is referred to as residual risk. The ultimate goal of countermeasures is to reduce Risk to the commanders acceptable level. Two things that must be considered when developing countermeasures are “Cost & benefit”.
Ombudsmen and OPSEC Knowledge of command’s critical information Families must understand OPSEC process Educate the family members whenever possible Newsletters Meetings - Sailors bring home their command’s Critical Information. Family members must know what information they receive is critical and what is not. The easiest way to do ensure that family members are not posting Critical Information is to educate them. There are several ways to spread the OPSEC message across the FRG. If you maintain a newsletter, you can push the OPSEC message that way. Always have some sort of OPSEC training at any and all FRG meetings that you have, whether you do it or you request outside assistance (NOST). Family members protecting information is just as important as the service member protecting the information. Educate the families, especially teenagers that are active on social media.
Social Media Highly recommended Open groups on Facebook Monitor the site Never post PII Regularly check security settings Be careful using public wireless networks - Social media is the easiest way to communicate with large groups of people. It is highly recommended for ombudsmen to use Facebook and other social media sites to keep in touch the family members. Facebook is the easiest way to communicate with large groups of people at the same time. If an ombudsman is running a Facebook group, it is recommended to keep the group open. People think or assume that if a Facebook group is closed to the general public, it is unable to be seen by outsiders. This causes some people to think it is acceptable to post sensitive information. Adversaries could easily hack into the closed group to access the page. Also, anybody who shares a post from the closed group to their personal page has made it accessible to the general public. You should always know who is a member of your page. Block any suspicious followers to your pages. Obviously, never post PII on social media, whether it be a service member or family member. Also, never go into detail about your personal life on social media. The adversary could be watching your online activity. Don’t give him an opportunity to take advantage of you because of the information you provide on Facebook. Facebook changes or updates their security settings often. When an update occurs, it may change your security settings back to default, which isn’t very secure. Always keep an eye on this. Be very careful about your online activity when you are using a public wireless network (airport, hotel, coffee shop, etc), especially if you are overseas. Always assume the adversary is watching. Equipment can be easily obtained to monitor devices on public networks.
Summary OPSEC Threat Critical Information Indicators Data Aggregation Vulnerabilities Risk Countermeasures Ombudsmen and OPSEC Social Media
Questions www.navy.mil/ah_online/OPSEC/index.asp www.navy.mil/local/OPSEC @NavalOPSEC Facebook.com/NavalOPSEC Youtube.com/USNOPSEC JEB – Little Creek (Bldg 1126) 2555 Amphibious Drive Virginia Beach, VA 23459-3225 OPSEC@Navy.mil 757-417-7100 Naval OPSEC App Collaboration at Sea