Operational Security Awareness OPSEC OFFICERS SSG Wilson 6-9071 SGT Fox 6-0029 There are two title slides. Hide the one you don’t want to use. In the lower left corner, select the icon that looks like four small boxes. Click on the title slide you don’t want to use, and in the Slide Show menu select “Hide Slide”. Go back to the notes view or the presentation view. Operational Security Awareness ARMY Regulation 530-1

OPSEC Process Identify Critical Information Apply Countermeasures Analyze the Threat Identify Critical Information: What, if disclosed to an adversary, could cause damage to your mission/operation/project, etc. This can be brainstormed in a ‘roundtable’ discussion with those from each section of your organization. Assess the Threat: Know who you are vulnerable to, who the threat is. If you don’t know, develop a relationship with those who do, and stay current. Know what, who, and from where, the threat is, as best you can. Analyze Vulnerabilities: Related to the threat, know your vulnerabilities. This is not only your physical vulnerabilities, but networks, to include data and voice (phones and email), radio communications, logistics, personnel, policy, operations, intelligence, etc. Where are the vulnerabilities that could be exploited by the ‘threat’. Assess the Risk: If you have assessed the threat, know your vulnerabilities. If the risk to that is low, then maybe it’s an acceptable risk. If it’s a medium or high risk, then maybe it’s an unacceptable risk. Develop Countermeasures: Having assessed the Risk, developing a countermeasure that would be appropriate. Realizing a countermeasure is anything that lowers the risk to an acceptable level. Assess Risk Analyze Vulnerabilities 4/26/2017 UNCLASSIFIED

Critical Information Information the Adversary needs to prevent our success. Is it: Technical specifications on a project, some equipment, a process. The way you ship or receive supplies, or specimens for analysis. How you develop travel arrangements, itineraries, where and why your traveling. How security is provided. Budget information. And the list goes on. The people who own the process, who work the process can best identify what the Critical Information is. Information WE must protect to ensure success. 4/26/2017 UNCLASSIFIED

Critical Information Our adversaries may want to harm personnel and/or damage property and resources Critical Information could relate to: Employees’ Safety (911) Fleet of ships and aircraft (USS Cole) Facilities Design (Oklahoma City) Security Vulnerabilities (Anthrax Mailings) Satellite Data (Weather, Environmental) Law Enforcement Activities Management Decisions (All levels) 4/26/2017 UNCLASSIFIED

Indicators Information may be collected by monitoring telephone and public conversations, analyzing telephone directories, financial or purchasing documents, position or "job" announcements, travel documents, blueprints or drawings, distribution lists, shipping and receiving documents, even personal information or items found in the TRASH. SHRED any paperwork that is associated with our CIL!! 4/26/2017 UNCLASSIFIED

Threats Enemies Competitors Employees -Disgruntled Terrorists Dishonest Terrorists Criminals Media Hackers Ask yourself, how could any one on this list be called an ‘adversary’? Do they have, intentional or unintentional, the capability to collect information on you/your organization, that you wouldn’t want them to know? Ask the audience what kinds of information some of these adversaries might want from them. 4/26/2017 UNCLASSIFIED

Elements of Threat Adversary Intent Capabilities History, politics, doctrine Capabilities Collection Response 4/26/2017 UNCLASSIFIED

Collection Methods Open Source Collection (OSINT) Human Intelligence (HUMINT) Signals Intelligence (SIGINT) Imagery Intelligence (IMINT) Trash Intelligence (TRASHINT) 4/26/2017 UNCLASSIFIED

Open Source Collection (OSINT) Our publications Our Web sites and Blogs Statements to the press Newspapers Other publicly available information This is the preferred method of collection, greater than 80% of what the adversary needs is collected by this method. 4/26/2017 UNCLASSIFIED

Human Intelligence (HUMINT) Asking questions Questions through e-mail Visiting our facility Social Engineering (posing as one of us) Other methods involving humans collecting information 4/26/2017 UNCLASSIFIED

Imagery Intelligence (IMINT) Taking Pictures Cell phones with cameras Cameras with zoom lens Movie cameras / Camcorders Satellite Imagery Available on the Internet 4/26/2017 UNCLASSIFIED

TRASH INTELLIGENCE (TRASHINT) Shred all paper that could be used by an adversary Shred all paperwork that is associated with the CIL Adversarys will go through your trash!!! 4/26/2017 UNCLASSIFIED

Vulnerability Ways we let the bad guys get our Critical Information Web pages Unprotected communications Email Sharing too much with strangers Off duty social time Vulnerabilities are the ways we inadvertently give our adversaries access to the information we should be protecting. We post too much on web pages. We use unprotected communications, such as cell phones and radios. We send emails with detailed attachments, such as maps or drawings or pictures. We innocently share too much information with people who don’t need to know. How often have you answered the phone, and given more information than the caller needed? “No, I’m sorry Joe isn’t here. He’s on a job in Bermuda for the next two weeks, and since the kids were out of school, he took his family for a vacation. Can I take a message?” 4/26/2017 UNCLASSIFIED

Risk and Countermeasures Risk: What will it cost us? Countermeasures Protected communications Web page policies Awareness Once the threat and vulnerabilities are understood, we can estimate the risk. Ultimately, it is up to the (commander, boss, senior managers) to decide what level of risk is acceptable. For those vulnerabilities that represent unacceptable risks, we need to develop countermeasures. Countermeasures are anything that works. We can use protected communications, and implement policies that control what information can be posted on the web. Ultimately, the best countermeasure is an informed work force. We believe that you will all make sound judgments about how to protect information once you understand what information requires protection, and what the threats are. 4/26/2017 UNCLASSIFIED

Two Perspectives when Dealing with RISK Adversary’s Ours When deciding on how to mitigate your RISK you MUST always look at the situation through the eyes of the ADVERSARY!! 4/26/2017 UNCLASSIFIED

Countermeasures Defined Anything which effectively negates or reduces an adversary’s ability to exploit our vulnerabilities 4/26/2017 UNCLASSIFIED

Countermeasures Consider the threat when you: Practice good security Use the phone Answer stranger’s questions Discuss work in public places Practice good security Shred all paper These are common countermeasures. You may need more than one slide. You may delete some of these and add some others. 4/26/2017 UNCLASSIFIED

Web Log Vulnerabilities Photos (with captions!) Installation maps with highlights of designated points of interest (sleep/work, CDR, dining facility, etc) Security Operating Procedures Tactics, Techniques and Procedures Battle Damage Assessments (BDA) Capabilities and Intent Unit morale Undermining senior leadership 4/26/2017 UNCLASSIFIED

IED BDA Examples Thanks to the 10 panes of ballistic glass in each window, no one was hurt in this blast. This is a result of a medium sized-IED. HMMWV Driver of Alpha 41 (the luckiest STRYKER Driver in Mosul 4/26/2017 UNCLASSIFIED

Web Log Targeting COULD YOUR FAMILY BE A TARGET? (JOURNAL OF A MILITARY HOUSEWIFE) INFORMATION WAS OBTAINED FROM A FAMILY WEBSITE: 1. HUSBAND’S NAME, HOMETOWN, UNIT, AND DATES OF DEPLOYMENT. 2. PICTURE OF SPOUSE 3. EXPECTING THEIR FIRST CHILD ON DECEMBER 8, 2005. 4. BABY SHOWER SCHEDULED FOR OCTOBER 22, 2005 5. DATE SPOUSE FAILED HER DRIVER’S TEST A GOOGLE SEARCH ON INFORMATION OBTAINED FROM WEBSITE REVEALED: 1. SPOUSE’S A.K.A. (Screen Name) 2. COUPLE’S HOME ADDRESS 3. SPOUSE’S DATE OF BIRTH 4. HUSBAND’S YEAR OF BIRTH 5. DATE SPOUSE OBTAINED HER DRIVER’S LICENSE. COULD YOUR FAMILY BE A TARGET? 4/26/2017 UNCLASSIFIED

Personal Web Page Vulnerabilities Personal web pages can expose something the unit would like to protect A picture is worth a thousand words We enlisted – our families didn’t Individuals expose information because: They’re proud of their work They’re marketing the unit or they want public support They’re upset or frustrated 4/26/2017 UNCLASSIFIED

What YOU Can Do Ensure information posted has no significant value to the adversary Consider the audience when you’re posting to a blog, personal web page or EMail Always assume the adversary is reading your material Believe the bad guys when they threaten you Work with your OPSEC Officer – follow policies and procedures! 4/26/2017 UNCLASSIFIED

Sometimes we can be our own worst enemies The Challenge Think like the bad guy before you post your photographs and information in a blog, a personal web page, or in your Email!! Sometimes we can be our own worst enemies 4/26/2017 UNCLASSIFIED

The Adversary is watching! Are you? Always Think OPSEC ! 4/26/2017 UNCLASSIFIED

QUESTIONS 4/26/2017 UNCLASSIFIED