Presentation is loading. Please wait.

Presentation is loading. Please wait.

OPSEC and the World Wide Web

Published byBrice Mosley Modified over 5 years ago

Similar presentations

Presentation on theme: "OPSEC and the World Wide Web"— Presentation transcript:

1 OPSEC and the World Wide Web
U.S. Army 1st Information Operations Command 1st BN - Vulnerability Assessment Detachment OPSEC and the World Wide Web We are here today to talk about OPSEC and the role it plays on the World Wide Web or Internet as most are use to saying. The media has played a role in deciphering how the 1st Amendment plays with regards to soldiers and the numerous MILBlogs that are currently in the public domain. Soldiers must be aware that it is not the blogging that is at question here, it is the content that is being posted to the blogs and other open forums located on the Internet. As soldiers, it is our duty to protect the information that we come into contact on a daily basis. The core of Essential Secrecy is just that—protecting the information that is critical to adversaries in their planning process. UNCLASSIFIED/FOR OFFICIAL USE ONLY

2 UNCLASSIFIED/FOR OFFICIAL USE ONLY
Information and Value 80%+ of all intelligence is unclassified Tidbits of information are pieces of a puzzle It’s those aggregated pieces of tidbits that help complete the picture Objective: make yourself & your mission the hard target. Let the bad guys find a softer target somewhere else! The point is to get across to the audience that all critical information is important to protect, even if it is unclassified. Intelligence communities wouldn’t be investing in collecting unclassified information if it wasn’t yielding useful intelligence. REMEMBER – OPSEC is about the UNCLASSIFIED information. The bad guys don’t act on one piece of information. They must collect multiple pieces, and then verify them. We don’t just protect information we think is valuable. We protect the information that is valuable to the bad guy. Makes sense when you think about it. We protect what they bad guy wants. Even though it may seem insignificant for you, it may be just the piece the terrorist needs to finish his surveillance or his attack plan. Make yourself the hardest target; let them “get” someone else! When they have to work harder for the information, they take bigger risks, and it is easier for us to catch them. Terrorists have shown us that if we can throw them a curve ball, be unpredictable and mess up their plan, they’ll abandon the target. UNCLASSIFIED/FOR OFFICIAL USE ONLY

3 UNCLASSIFIED/FOR OFFICIAL USE ONLY
The Adversaries Foreign Nationals Terrorists Hackers Criminals Competitors Insiders Who’s the bad guy? Each of these groups of people might be an adversary, and the list that applies to our mission might change over time. Ask the audience if they can connect any of these bad guys with any of your missions. Don’t forget, you have left family members behind and the neighbor, the places they go to school, go shopping, etc. Ask them if they can think of some information each of these groups of people would like to know about your unit. UNCLASSIFIED/FOR OFFICIAL USE ONLY

4 Consider YOURSELF a Target
Each of the following has a piece of the puzzle the adversary can exploit Family Friends & Neighbors Fellow soldiers Job, Mission & Unit Stars and Stripes, USA and Country This is a “terrorist handbook” captured in Manchester, England in February of 2000. If you are not familiar with the Manchester Document it can be found on the Internet at What information is the bad guy after? Not every adversary will want all this information, but we know for certain that this is what terrorists want to know. Each in its own has a piece of the puzzle. Your friends and family know when you are departing for the most part or at least an assumption, and the general location of where and for how long. Your soldiers in arms have another piece of information to add, and the adversary knows of what you do and the mission of your unit and most of all he knows all about your discipline and upbringing and to God and your country… Also, don’t forget, the adversary isn’t always on foreign soil, he could also be right in your own neighborhood too. “The Manchester Document” A Terrorist Handbook UNCLASSIFIED/FOR OFFICIAL USE ONLY

5 Are You The Weakest Link?
Vulnerabilities: Weaknesses the adversary can exploit to get to the critical information So what is a vulnerability? It is anything that lets the bad guy get our information. Most often, we are our own greatest vulnerability. American society is based on free sharing of information, and we grow up willing to share much of the information our greatest adversary would like to collect. UNCLASSIFIED/FOR OFFICIAL USE ONLY

6 Web Log Vulnerabilities
Photos (with captions!) Installation maps with highlights of designated points of interest (sleep/work, CDR, dining facility, etc) Security Operating Procedures Tactics, Techniques and Procedures Capabilities and Intent Unit morale Undermining senior leadership This is a small list of the types of information that adversaries are looking for that are freely published on websites. We tend to publish more than is needed to meet the objective. We add information to “spice it up” or make it more interesting, but in the process we compromise critical information. It’s the same principle as answering the phone in your office when a coworker is absent. We don’t give the caller a simple “no” – we volunteer that he/she is TDY, where they’ve gone, how long they’ll be gone, and so on. A simple “no”, with maybe “can I help you instead” would have been sufficient. When we post on the web, we should remember who the targeted audience is. Anything that is operational explicit that reveals our TTPs, photographs of damaged equipment, weakness, specifications of equipment capabilities, intent and other military related operational information will not be posted in the public domain Sensitive Information? UNCLASSIFIED/FOR OFFICIAL USE ONLY

7 Web Log Vulnerabilities
A US soldier stands guard as a suspected looter begs to be released after they were caught while fleeing a building on fire in Baghdad, Iraq (news - web sites) Saturday June 28, The suspects were allegedly looting gasoline from the building. 12-year old Mudhr Abdul Muhsin, bottom, was released later has many pictures within this blog site, and each one has a caption. Imagine yourself the adversary. What could you do with the information in this caption to the right of the picture? Now image yourself as one of those three people. Does the caption put you or your family at risk? If terrorists started exploiting this information so that our families are at risk when we’re gone, what does that do to the mission? To our efficiency deployed? It’s not that we shouldn’t use the technology and the convenience of the web. The point is that we should understand the risks, and adjust how we deal with vulnerabilities and how we use the technology accordingly. Could this caption be edited to suit the purposes of DOD without putting the people and the mission at risk? What is the value of identifying the individuals, their unit, and their deployment dates versus the risks that may represent? This photo can be used against us both from the adversary and our own people. Perceptions can be your WORST enemy. If you were a bad guy, could you use this? UNCLASSIFIED/FOR OFFICIAL USE ONLY

8 (JOURNAL OF A MILITARY HOUSEWIFE)
Web Log Targeting (JOURNAL OF A MILITARY HOUSEWIFE) INFORMATION WAS OBTAINED FROM A FAMILY WEBSITE: 1. HUSBAND’S NAME, HOMETOWN, UNIT, AND DATES OF DEPLOYMENT. 2. PICTURE OF SPOUSE 3. EXPECTING THEIR FIRST CHILD ON DECEMBER 8, 2005. 4. BABY SHOWER SCHEDULED FOR OCTOBER 22, 2005 5. DATE SPOUSE FAILED HER DRIVER’S TEST A GOOGLE SEARCH ON INFORMATION OBTAINED FROM WEBSITE REVEALED: 1. SPOUSE’S A.K.A. (Screen Name) 2. COUPLE’S HOME ADDRESS 3. SPOUSE’S DATE OF BIRTH 4. HUSBAND’S YEAR OF BIRTH 5. DATE SPOUSE OBTAINED HER DRIVER’S LICENSE. This information was obtained from an actual Website The site provided a daily summary of the spouse’s activities. She even lists where and when she received her medical treatments. She also has baby registries with Wal-Mart and Target . A Google search was then done on the information obtained from the website and additional vital data was revealed. Information revealed could be used for identity theft or to target the family. Family members have received letters and telephone calls from our adversaries. COULD YOUR FAMILY BE A A TARGET? UNCLASSIFIED/FOR OFFICIAL USE ONLY

9 Personal Web Page Vulnerabilities
Personal web pages can expose something the unit would like to protect A picture is worth a thousand words We enlisted – our families didn’t Individuals expose information because: They’re proud of their work They’re marketing the unit or they want public support They’re miffed or frustrated People in your unit probably have personal web pages. Very often they include work information in those pages, especially if they’re either very proud of what they’re doing, or really PO’d. Or they think they’re helping to “market” the mission or encouraging public support. There should be a commander’s policy on how or when an individual can put work information on personal web pages, and everyone in the unit should be made aware of the policy. You might even have then sign a statement to that effect just like they sign nondisclosure agreements. Whatever process you set up, make sure your legal authorities are on board. OPSEC vulnerabilities and getting information off a particular web site once it’s there is difficult. As they say, once it’s posted it can’t be retrieved because there are sites out there that archive data and there are companies that also data mine information from other sites onto their own. Educate your workforce to ensure that sensitive or critical information is not inadvertently posted into the public domain. Ask yourself: Who is the targeted audience? If you don’t want to whole wide world to see it, then you are in the wrong environment. UNCLASSIFIED/FOR OFFICIAL USE ONLY

10 UNCLASSIFIED/FOR OFFICIAL USE ONLY
Countermeasures Anything that effectively negates or reduces an adversary’s ability to exploit our vulnerabilities If the answer is “no”, DON’T PUT IT ON THE WEB!!! Countermeasures are anything that works! If we can keep information from being released in the first place, that’s the best countermeasure. If we can use awareness training to help people understand the threat, so that they are more cautious about the information they handle, that’s a good countermeasure. Countermeasure don’t always have to be mechanical, like secure phones, encrypted networks, locks and alarms. We have to consider the human element, and be sure our folks understand the risks they take. Perhaps the most significant thing we can do is help them understand the threat. Most people know (intellectually) that if they post something on the internet that everyone can get access to it, but they don’t internalize that knowledge. That is, they don’t keep that information at the front of their brain so that when they start to post something they shouldn’t a little alarm goes off that says “STOP!!! THINK!!! Would you give it to a terrorist?” Best case, we want them to think of themselves and the best countermeasure your unit has available. Would you want the enemy to read this? If the answer is NO, DON’T PUT IT ON THE WEB! UNCLASSIFIED/FOR OFFICIAL USE ONLY

11 UNCLASSIFIED/FOR OFFICIAL USE ONLY
What YOU Can Do Ensure information posted has no significant value to the adversary Consider the audience when you’re posting to a blog, personal web page or Always assume the adversary is reading your material Believe the bad guys when they threaten you Work with your OPSEC Officer – follow policies and procedures! Only put information that helps your mission on the web. Don’t help the bad guy. Don’t use the web to get information out to a limited group of people. Don’t post information because it is a convenient way to transmit meeting minutes, let everyone see a draft for coordination, etc. Assume that your adversaries are using your blog or web page to collect information that can be used against you, your fellow soldier or even your family! Once they find your web page, they’ll keep coming back to see what’s changed. They’ll be your best customer. And they’ll tell their friends. When the bad guys tell you what they want to know, use that information to your advantage. Learn from what they do. Make their mistakes your gain. Demand that you are kept informed as to changes in threat – the squeaky wheel gets the grease! Don’t work against your OPSEC Officer. Don’t view policies and guidelines as something to be gotten around. Spend as much energy doing what’s right as you spend finding a way around the rules. Understand why they are in place. UNCLASSIFIED/FOR OFFICIAL USE ONLY

12 UNCLASSIFIED/FOR OFFICIAL USE ONLY
The Challenge Think like the bad guy before you post your photographs and information in a blog, a personal web page, or in your Ask yourself: Who is the adversary? What does that person/organization need to know about my organization? What can he do with it? How can it affect the mission? It’s not just what the adversary can learn from one site, but what can be pieced together from many sites. Sometimes we can be our own worst enemies UNCLASSIFIED/FOR OFFICIAL USE ONLY

13 UNCLASSIFIED/FOR OFFICIAL USE ONLY
QUESTIONS ? UNCLASSIFIED/FOR OFFICIAL USE ONLY

Download ppt "OPSEC and the World Wide Web"

Similar presentations

NEW YORK NATIONAL GUARD FAMILY PROGRAMS Offered & presented by CW2 Walker Family Programs OPSEC Program Manager.

NEW YORK NATIONAL GUARD FAMILY PROGRAMS Offered & presented by CW2 Walker Family Programs OPSEC Program Manager.
TLO 2: Action: Plan operational security. Intermediate-level training.

TLO 2: Action: Plan operational security. Intermediate-level training.
Lecture 2 Page 1 CS 236, Spring 2008 Security Principles and Policies CS 236 On-Line MS Program Networks and Systems Security Peter Reiher Spring, 2008.

Lecture 2 Page 1 CS 236, Spring 2008 Security Principles and Policies CS 236 On-Line MS Program Networks and Systems Security Peter Reiher Spring, 2008.
UNCLASSIFIED. Your loved one has the training, leadership and equipment needed to perform the mission and come back home to you. But did you know that.

UNCLASSIFIED. Your loved one has the training, leadership and equipment needed to perform the mission and come back home to you. But did you know that.
Do you know how to keep yourself safe?

Do you know how to keep yourself safe?
One Team, One Fight One Mission Presented by the Ordnance Center & Schools Security Office.

One Team, One Fight One Mission Presented by the Ordnance Center & Schools Security Office.
DIGITAL CITIZENSHIP 6 TH – 8 TH UNIT 1 LESSON 3 SCAMS & SCHEMES What is identity theft, and how can you protect yourself from it?

DIGITAL CITIZENSHIP 6 TH – 8 TH UNIT 1 LESSON 3 SCAMS & SCHEMES What is identity theft, and how can you protect yourself from it?
Operation Name SGT Artemis O’Conan Operations Center

Operation Name SGT Artemis O’Conan Operations Center
BY: CHELSEA KUCERA ELED 318 The Legal, Social and Ethical Issues in Technology for the Classroom.

BY: CHELSEA KUCERA ELED 318 The Legal, Social and Ethical Issues in Technology for the Classroom.
Military families and Operational Security. Family members are vital to the success of our military. You may not know it, but you play a crucial role.

Military families and Operational Security. Family members are vital to the success of our military. You may not know it, but you play a crucial role.
UNCLASSIFIED VP-4 Skinny Dragons Operations Security (OPSEC) and Social Networking.

UNCLASSIFIED VP-4 Skinny Dragons Operations Security (OPSEC) and Social Networking.
Presented by the 1st Information Operations Command.

Presented by the 1st Information Operations Command.
Operations Security (OPSEC) 301-371-1050. Introduction  Standard  Application  Objectives  Regulations and Guidance  OPSEC Definition  Indicators.

Operations Security (OPSEC) Introduction  Standard  Application  Objectives  Regulations and Guidance  OPSEC Definition  Indicators.
Provided by OSPA (www.opsecprofessionals.org) OPSEC for Families Presented by: (Presenter’s Name)

Provided by OSPA ( OPSEC for Families Presented by: (Presenter’s Name)
Operational Security PCC. VII-F.1.

Operational Security PCC. VII-F.1.
Broadcasting News Trivia LESSON PLANS. BBC News. BBC, 30 Jan. 2012. Web. 19 Nov. 2014.

Broadcasting News Trivia "LESSON PLANS." BBC News. BBC, 30 Jan Web. 19 Nov
Audacity Audacity web address:

Audacity Audacity web address:
MY DIGITAL FOOTPRINT. WHAT IS A DIGITAL FOOTPRINT? Each time you log onto social media, you leave a trail behind you, mostly based on what you search.

MY DIGITAL FOOTPRINT. WHAT IS A DIGITAL FOOTPRINT? Each time you log onto social media, you leave a trail behind you, mostly based on what you search.
Easy Read Summary Mental Capacity Act 2005. Mental Capacity Act 2005 - A Summary The Mental Capacity Act 2005 will help people to make their own decisions.

Easy Read Summary Mental Capacity Act Mental Capacity Act A Summary The Mental Capacity Act 2005 will help people to make their own decisions.
Operational Security Awareness

Operational Security Awareness

Similar presentations

Ads by Google