Operations Security (OPSEC)
Operations Security (OPSEC) - A systematic method used to identify, control, and protect critical information and subsequently analyze friendly actions associated with military operations and other activities. Basically, protecting your information and activities from the “bad guy”.
The Five Steps
Critical information – Information about friendly (U.S., allied, and/or coalition) activities, intentions, capabilities, or limitations an adversary seeks in order to gain a military, political, diplomatic, economic, or technological advantage. Simply put, any information that the “bad guy” wants and needs to do us harm or allows them to gain an advantage over us.
Indicator – Data derived from friendly detectable actions and open source information that adversaries can interpret and piece together to reach conclusions or estimates of critical information concerning friendly intentions, capabilities, or activities.
Example: Several newspapers on the front porch and high grass in the front lawn can indicate that your house has been unoccupied for a while and can be an easy target for burglars.
Threat – A person, or group of people, whose objective differs with the friendly objective.
Vulnerability – A weakness that the adversary can exploit.
Example: You are on vacation posting pictures on your social media platforms with captions “having a great time”. A burglar (adversary) is monitoring your social media and realizes you are not at home and robs your house.
Risk – A measure of the potential degree to which protected information is subject to loss through adversary exploitation. Basically, this is the likelihood your information will be collected and acted on.
Countermeasure – Anything that effectively negates or mitigates an adversary’s ability to exploit vulnerabilities.
Example: By using the available privacy settings (countermeasure) offered on Facebook, you mitigate the potential of ISIL obtaining your information via that source and reduce your chances of being on a publicly released listing.
Adversary – An individual, group, organization, or government that must be denied critical information. Simply put, the “bad guy” or anyone who wants to do us harm or take advantage of us.
Assessment – An evaluative process of an organization, operation, activity, exercise, or support function to determine if sufficient countermeasures are in place to protect critical information. Basically, it helps you determine how well you or your organization is doing at keeping the adversary from obtaining your information.
Controlled Unclassified Information (CUI) - Established by Executive Order 13556, the CUI program standardizes the way the Executive branch handles unclassified information that requires safeguarding or dissemination controls pursuant to and consistent with law, regulations, and Government-wide policies. In other words, this handling marking replaces the For Official Use Only (FOUO) marking.
Critical Information List (CIL) - A list of critical information that has been fully coordinated within an organization and approved by the senior decision maker, and is used by all personnel in the organization to identify unclassified information requiring application of OPSEC measures. In other words, it is a list of information the command does not want released to the public, even though it is unclassified.
Data aggregation – Information collected from multiple sources and pieced together to form a bigger picture. Multiple sources can include, but are not limited to; trash, conversations and social media, open source information made available on the internet.
Example: New people move in next door to you with out-of-state vanity plates on their vehicle that reads CTR CPO. One family member leaves the house every morning in a Navy uniform. You look that person up on Facebook and see that he/she list the USS PICKANAME as their place of employment. Through a little aggregation, you know where they recently came from, their current address, he/she is a Navy Chief in the CTR rating, and he/she is stationed aboard the USS PICKANAME, which is most likely a cryptologic capable ship. Through simple aggregation, you can see he/she has a high level security clearance and works with Navy cryptologic collection assets.
Countermeasure: Although difficult to protect all pieces of open source information, associating yourself with a specific unit (Facebook) and rating (license plate) may be information you wish to protect.
Digital footprint - The data that is left behind by users on digital services (i.e. social media sites, online message boards.
Elicitation – Similar to social engineering, a technique used to discreetly gather information. It is a conversation with a specific purpose: collect information that is not readily available and do so without raising suspicion that specific facts are being sought. It is usually non-threatening, easy to disguise, deniable, and effective.
Countermeasure: Always be aware of the information that you are providing and be conscious of how the information may be used against you, your family or your service / company.
Essential secrecy - The condition achieved from the denial of critical information to adversaries.
Example: If you plan, and are successful at throwing a surprise birthday party for someone, you’ve achieved essential secrecy.
Geotagging - The process of adding geographical identification data to various media, such as a photograph or video. On most smart phones, geotagging is preset. In some cases, you might unwittingly be letting others know where you live and work and your travel patterns and habits. These details can be revealed through bits of information embedded in images taken with smartphones and some digital cameras and then shared on public websites. The information, called metadata, often includes the times, dates, and geographical coordinates (latitude and longitude) where images are taken. –fbi.gov
Countermeasure: You must manually disable this function in your phone’s settings.
Internet Based Capabilities (IbC) - All public information capabilities or applications available across the Internet from locations not directly or indirectly controlled by DoD or the Federal government (i.e., locations not owned or operated by DoD or another Federal agency or by contractors or others on behalf of DoD or another Federal agency).
Malware – An umbrella term for a wide range of malicious code or software. Malware includes, but is not limited to, viruses, worms, or bots. Malware is code used to infect a computer or network for malicious intentions. A computer or network can be infected by clicking on a link, downloading a file, connecting to a server, or just visiting a web page.
Countermeasure: Ensure your anti-virus software is up-to-date, ensure all your programs are updated with the latest patches and upgrades, do not click on suspicious links, do not connect to unsecure or unknown networks, do not allow unknown users access to your network or computer, and only use encrypted connections when transmitting sensitive information on the internet.
Scareware - A type of malware designed to trick, usually by a scare tactic, victims into purchasing and downloading useless and potentially dangerous software.
Example: Scareware pop-ups may look like actual warnings from your system, but upon closer inspection, some elements aren’t fully functional. For instance, to appear authentic, you may see a list of reputable icons—like software companies or security publications—but you can’t click to get to those actual sites. Scareware pop-ups are hard to close, even after clicking on the “Close” or “X” button. Fake anti-virus products are designed to appear legitimate, with names such as Virus Shield, Anti-virus, or VirusRemover. –fbi.gov
Countermeasure: Do not trust pop-up offers. If you are interested in the product, research it first online and access the product through a legitimate website vice a pop-up.
Ransomware - A type of malware that prevents or limits users from accessing their system. This type of malware forces its victims to pay the ransom through certain online payment methods in order to regain access to their systems, or to get their data back.
Example: Crowti (also known as Cryptowall) and Tescrypt (also known as Teslacrypt) are two ransomware families that have infected over half a million PCs running Microsoft security software in the first half of 2015. Since the start of 2015, Crowti is found to be the most prevalent ransomware overall, accounting for 30% of all ransomware families. –microsoft.com
Countermeasure: Ensure your antivirus is up to date, your firewall is configured correctly and back up all important files and documents to an external hard drive (disconnected from your computer when not conducting backups) on a regular basis.
Ombudsman (Navy)/Family Readiness Officer (FRO) (USMC) - Provide an important communications link between families and Navy/Marine Corps commands. The Ombudsman/FRO is an official representative of, and is personally selected by, the commanding officer and serves as the liaison between command families and the command. Most command leaders agree that an effective Ombudsman/FRO is a priceless asset, linking commands and families to ensure accurate and timely communication.
Open Source Intelligence (OSINT) - Collection of information using anything that is available to the public and can be obtained legally. (television, internet, newspapers, etc)
Example: Information collected via conversations in an airport, personal information such as credit card statements discarded in the trash, PII posted on social media, etc.
Personal Identifiable Information (PII) - Any data that could potentially identify a specific individual. Any information that can be used to distinguish one person from another and can be used for de-anonymizing anonymous data can be considered PII.
Phishing – There are several categories of phishing, but they all basically have the same purpose or end state. Phishing is an attempt to acquire sensitive information such as usernames, passwords, and credit card details (and sometimes, indirectly, money), often for malicious reasons, by masquerading as a trustworthy entity in an electronic communication. Simply put, an email originated from a hacker, foreign agency, thief, or solicitor that appears to originate from a legitimate company. They can also appear as "pop ups" or advertisements. For example, if you receive a "pop up" from your anti-virus software provider telling you it's time to renew just by clicking on the pop up, it may be a phishing scam. Your countermeasure is to go to your anti-virus software provider's home page for your renewals and updates. Same holds true for advertisements. Although most are legitimate ads, it only takes one non-legitimate to completely infect your computer, tablet or smart phone.
Spear phishing - An e-mail spoofing fraud attempt that targets a specific organization or group, seeking unauthorized access to information.
Whaling - A type of fraud that targets high-profile end users such as C-level corporate executives, politicians, celebrities or ranking military officials.
Smishing - A security attack in which the user is tricked into downloading a Trojan horse, virus or other malware onto a cellular phone or other mobile device. Smishing is short for "SMS phishing."
Countermeasure for phishing, spear phishing, whaling, and smishing: If an offer is too good to be true, it usually is. Never follow the directions or links provided in an e-mail from a company or someone you do not know or were not expecting to hear from. In a work environment, Sailors who receive suspicious emails should immediately contact their organizations Information Assurance Manager (IAM) or Information Security Manager (ISM). Do not open and if you've already opened the email, do not click on any files or links. Be especially suspicious of email routed directly to your "Junk" email folder. Most of those emails go to the junk folder for a reason. Annual IA on-line training is available on NKO and TWMS.
Registered social media sites – Commands must register their official social media sites with the Navy/Marine Corps. To ensure your command is properly registered, visit the following sites:
- Navy - http://www.navy.mil/CommandDirectory.asp
- Marine Corps - http://www.marines.mil/News/SocialMedia.aspx
Social Engineering – Social Engineering is a non-technical method of intrusion that relies heavily on human interaction, and often involves tricking people into breaking normal security procedures. It is one of the greatest threats that personnel assigned in high profile organizations may encounter.
Example: Circa 2009, Israeli intelligence personnel were working at kiosks in malls near military bases. Their objective was to gather information about the personnel, commands, and operations. Seemingly innocent conversations were started with military members, eventually leading to divulgence of critical information.
Countermeasure: Always be mindful of the information you’re providing to people you do not know, regardless of how sincere or legitimate they may seem. Determine if the person that is requesting or demanding the information has a need to know.
Social Media - Computer-mediated tools that allow people to create, share or exchange information, ideas, and pictures/videos in virtual communities and networks. The use of social media in the DOD is highly encouraged. However, Sailors, their families and friends can limit exposure of their PII on social media by following two general precautions (Countermeasures):
1. Privacy Settings.
- Each social media site allows for all of your private profile information, as well as your posts, to be viewable by the public if you don't set the site's privacy settings to your desired level.
- Keep PII away from others by setting your security settings to include only friends.
- Go through each of the privacy settings on each site you frequent, and set them accordingly.
- Be aware of geo-tracking features and turn them off as certain sites will track your physical locations via a cell phone app, providing your exact whereabouts at any given time.
- Even with the strictest security and privacy settings in place, remember that there are certain details of your personal lives that if made public could be a security concern for you, your family or the Navy.
- Information such as specific ship movements, deployments, personnel rosters and weapons information should never be posted online.
- Don't share private information such as where children go to school, address, phone numbers and times and locations of events you plan to attend. If you let the people know where you're at, you're potentially letting other also know where you're not, like your residence (think thieves)
- Similarly, be aware of spear-phishing emails and links on your social media page.
- Be wary of opening attachments or clicking links contained in emails from senders with who the recipient is not familiar, even if they appear legitimate at first glance.
- If unsure of the legitimacy of an attachment or link, contact the sender of the email to verify that it is in fact sent by that person. Attachments can contain malware that is only detectable by anti-virus software. If the attachment looks suspicious, do not open it.
- If moving the mouse over a link gives you a different URL that what appears in the email, or if the links looks unofficial, it may be malicious.
- Make sure your anti-virus updates are put in place as soon as they are released. It's your first line of defense.
Spoofing - A situation in which one person or program successfully masquerades as another by falsifying information or data, and thereby gaining an illegitimate advantage.
Countermeasure: Constant vigilance. Be aware of what web site you are trying to access, or the identity of the sender of the email/text message.
Vishing - The act of using the telephone in an attempt to scam the user into surrendering private information that will be used for identity theft. The scammer usually pretends to be a legitimate business, and fools the victim into thinking he or she will profit.
Countermeasure: Never give out personal information over the phone to people you do not know. Ask for the name of the organization that the person represents and tell them that you will call back. Look up the number yourself.