
Operations Security (OPSEC): The Basics



"Intelligence is a curious business. The more you gather
competitive information and analyze it, the more you begin to
realize others may be doing the same to you. You and your
competition constantly release information into the marketplace.
You can never lock it all up, simply because of your need to
conduct business. Yet, many companies recklessly expose more
information than they need to; critical information that they should
be protecting. Are you one of them?" [1]

Any organization, military or commercial, that develops proprietary
information, such as trade secrets or national security secrets,
desires to protect that information.

OPSEC is a discipline that should work with the other traditional
security programs. These programs might include physical security,
which takes care of guard forces, locks on office doors and
buildings, and alarms, as well as communications and personnel
security. What OPSEC does that is unique is to employ the study
of indicators to detect potential vulnerabilities. My favorite book
on operations security and how it needs to fit in with other security
disciplines is Computer Crime: A Crimefighter's Handbook.

I work for the military so when I think of security, I think
"CLASSIFIED INFORMATION". But, I need to learn to rethink
this issue. MOST!!! of the information that is collected
from/by/against any organization, military or otherwise, is simply
compiled from unclassified sources (like web pages!). We create
signature data, data that defines exactly what we are working on
and how we are doing that work. In addition to classified and
sensitive unclassified data, we also generate and store proprietary
information which ranges from financial bids to source code.

The steps to apply OPSEC to a situation:

Identify critical information (and its indicators). What is the
information or resource you have that other people might consider
important?

What is the value of this information? Is it important to you?
Would it be important to someone else? If someone else had access
to this information could this be a threat to your company or
country? We have a worksheet that can be very helpful in
determining the value of information.

What are some tricks or methods an adversary could use to get at this
information or resource? Or perhaps just to modify it? What are the
capabilities of a potential adversary? Could they possibly access
the information? (If you are connected to a network that is connected
to the internet, this is a distinct possibility.) If your information is
locked in an access controlled vault and the adversary would have
to send in a Mission Impossible team, it is less likely.

How likely is it that someone can get at this information? How
much work is involved to actually do the tricks you just thought up?
*HINT* Fix the ones that are very likely and very easy, fast!

Begin to make it harder for these tricks to work. Fix problems, put
in countermeasures. Make sure your employees and co-workers are
aware of what you are doing to improve their job security. That's
right, lousy security can lead to the loss of a company's
market share, or a country's very existence.

I mentioned that OPSEC is a discipline that needs to work with
other security programs. Computers that do not protect information
properly are one of these sources of unclassified information. Here at
NSWC we have an active information disclosure management
effort. This is critical because open source intelligence is probably
the most cost effective intelligence method going. For some
unfathomable reason, we will send/post information via computer
that we would never dream of disclosing on paper. Here is a snippet
from a JAN 97 Edupage:

"INTERNET IS NO.1 CHOICE FOR FOREIGN SNOOPERS

A report released by the National Counterintelligence Center
(NACIC) indicates that the Internet is the fastest growing method
used by foreign entities to gather intelligence about U.S.
companies. "All requests for information received via the Internet
should be viewed with suspicion," says the report, which urges
caution in replying to requests coming from foreign countries or
foreign governments, particularly with regard to questions about
defense-related technology. NACIC works in close coordination
with the CIA, but is an autonomous agency reporting to the National
Security Council. (BNA Daily Report for Executives 6 Jan 97 A15)"

The whole point of operations security is to have a set of
operational (daily, habit ingrained) practices that make it harder for
another group to compile critical information. This can be as simple
as shredding documents with sensitive information. You would be
amazed what can be collected from a dumpster. I love dumpster
diving; when you see me in jeans and a t-shirt, you can just bet I
have been collecting information. If everything else I have written
doesn't motivate you to protect your country's or company's
proprietary information, then you should know I have also come up
with bank statements and phone billing records.

OPSEC INDICATORS

Common Research Facility Indicators (I should know!)

Dates, times, and places: information not protected. If a test or
event is classified or sensitive, don't leave a breadcrumb trail of
pointers to check for "further information".

Objectives. Unprotected statements like "the purpose of this
test/program/weapon system is to ...." allow adversaries to quickly
assess of what interest it might be to them.

Associated nicknames and acronyms. Very often we sum up how
one program is associated with others and then mail that
information over the internet.

Contingencies. "If the wazoo rocket fails the SEP 97 test, RDT&E
efforts will be focused on the banana missile, which is based on the
Windows 97 operating system from Microsoft ..." is not the sort of
thing to post on a web page.

Funding. Sure, we all get mad if your funding gets cut, but if you
carefully describe the milestones that cannot be met and the
capabilities that can never get fielded if your program has to sustain
a 3% cut, and that document ends up in a trash can (and you can bet
that it will; nobody reads that stuff except adversaries), you may
have done more damage than a 30% cut.
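
As an added illustration (not part of the original article), the
sketch below is a pre-publication check that flags the five indicator
categories listed above in a draft before it goes on a web page or
into e-mail. The regular expressions, function names and sample draft
are assumptions constructed for this example; a hit is a prompt for a
human reviewer, not a verdict.

```python
import re

# Heuristic patterns, one per indicator category listed in the article.
# These regexes are illustrative assumptions, not an official OPSEC ruleset.
PATTERNS = {
    "dates/times/places": re.compile(
        r"\b(?:JAN|FEB|MAR|APR|MAY|JUN|JUL|AUG|SEP|OCT|NOV|DEC)[a-z]*\.?\s+\d{2,4}\b"
        r"|\b\d{1,2}:\d{2}\b|\bfurther information\b", re.I),
    "objectives": re.compile(
        r"\bthe\s+(?:purpose|objective|goal)\s+of\s+th(?:is|e)\b.{0,60}?\bis\s+to\b",
        re.I),
    # Acronyms must stay case-sensitive, so only the phrases ignore case.
    "nicknames/acronyms": re.compile(
        r"(?i:\b(?:code\s?name|nickname|also known as)\b)|\([A-Z][A-Z&]{1,7}\)"),
    "contingencies": re.compile(
        r"\bif\b.{0,80}?\b(?:fails?|slips?)\b|\b(?:fallback|contingency)\b", re.I),
    "funding": re.compile(
        r"\b\d{1,3}(?:\.\d+)?\s?%\s+(?:cut|reduction)\b"
        r"|\b(?:funding|budget)\b.{0,40}?\b(?:cut|shortfall)s?\b", re.I),
}

# Constructed sample draft, reusing the article's own made-up examples.
DRAFT = """\
Project update for the public web page.
The purpose of this test is to measure range under load.
The wazoo rocket test is scheduled for SEP 97 at 14:30.
If the wazoo rocket fails the test, effort shifts to the banana missile.
A 3% cut means the second milestone cannot be met.
Wazoo (WZ) is also known as Project Fruit.
Lunch menu: soup and sandwiches.
"""

def find_indicators(text):
    """Return (line_number, category, matched_text) for every hit, in line order."""
    hits = []
    for number, line in enumerate(text.splitlines(), 1):
        for category, pattern in PATTERNS.items():
            match = pattern.search(line)
            if match:
                hits.append((number, category, match.group(0)))
    return hits

def review(text):
    """Map each indicator category to the line numbers a reviewer should read."""
    summary = {}
    for number, category, _ in find_indicators(text):
        summary.setdefault(category, []).append(number)
    return summary
```

Calling review(DRAFT) lists, per category, the lines of the draft to
reread before release; the lunch line is the only one left unflagged.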

[1] Complete Resource for Finding, Analyzing, and Using
Information About Your Competitors. John Wiley & Sons, Inc.
 
To the best of our knowledge, the text on this page may be freely reproduced and distributed.
If you have any questions about this, please check out our Copyright Policy.

 
