Presentation is loading. Please wait.

Presentation is loading. Please wait.

Fleet & Family Support Ombudsman Program & Operations Security

Similar presentations

Presentation on theme: "Fleet & Family Support Ombudsman Program & Operations Security"— Presentation transcript:

1 Fleet & Family Support Ombudsman Program & Operations Security
Naval OPSEC Support Team (NOST) Naval Information Operations Command (NIOC)

2 Operations Security Operations Security, OPSEC, is a process that identifies unclassified critical information (CI), outlines potential threats and the risks associated and develops counter measures to safeguard critical information. OSPEC protects our operations- planned, in progress, and future. Success of these operations depends on secrecy. Military members can more safely carry out missions if the element of surprise and secrecy is preserved. As family members of active duty members you have a unique responsibility to practice good OPSEC measures, and protect not only mission critical information, but your personal and family critical information as well. Operations Security: 1. A systematic, proven process by which a government, organization, or individual can identify, control, and protect generally unclassified information about an operation/activity and, thus, deny or mitigate an adversary's/competitor's ability to compromise or interrupt said operation/activity (NSC 1988). 2. OPSEC is a process of identifying critical information and subsequently analyzing friendly actions attendant to military operations and other activities to (a) identify those actions that can be observed by adversary intelligence systems, (b) determine indicators adversary intelligence systems might obtain that could be interpreted or pieced together to derive critical information in time to be useful to adversaries, and select and execute measures that eliminate or reduce to an acceptable level the vulnerabilities of friendly actions to adversary exploitation (DOD JP 1994; JCS 1997). Operations Security process: An analytical process that involves five components: identification of critical information, analysis of threats, analysis of vulnerabilities, assessment of risks, and application of appropriate countermeasures (NSC 1988). Source:

3 Operations Security The OPSEC process teaches you to:
Look at your daily activities from the enemies’ point of view. Understand what an enemy might learn about you and your family from the information and details that you make available. Assess the level of risk that this places on you and your family. Develop and apply counter measures, which help to prevent the enemy from obtaining your critical information and using it against you.

4 OPSEC Best Practices Be aware of your surroundings
Be aware of the information that you are putting out in s, online, phone conversations, photos and open unsecure conversations in public. Safeguard all sensitive, unclassified information. Think like the wolf. How can this information be used against me? Don’t discuss details Time lines, detailed locations or movements Limitations/capabilities Specific names, ranks, job titles, budgets Future or current operations Security procedures Don’t spread rumors

5 OPSEC Terms & Concepts Critical Information (CI) Data Aggregation
Threat Indicators Vulnerability Risk Counter Measures

6 EEFI = question; Critical Info. (CI) = answer
Critical Information Information we must protect to ensure success. Information the adversary needs to prevent our success. Position Capabilities Operations Personnel Family Is it: Technical specifications on a project, some equipment, a process. The way you ship or receive supplies, or specimens for analysis. How you develop travel arrangements, itineraries, where and why your traveling. How security is provided. Budget information. And the list goes on. The people who own the process, who work the process can best identify what the Critical Information is. Key questions asked by adversaries about friendly intentions, capabilities, and activities. EEFI = question; Critical Info. (CI) = answer Common features of EEFI & CI Focus on protecting vital information Adversary’s point of view

7 Family Critical Information
Information to safe guard Names and photos of you, your children and co-workers Usernames, passwords, network details Job title, location, salary, clearances held Physical security and logistics Addresses, phone numbers, significant dates Mission capabilities and limitations Length and location of spouses deployment Status of equipment and personnel Schedules and travel itineraries Social security number, credit cards, banking information Hobbies, likes, dislikes, etc.

8 Data Aggregation Data/information collection from multiple sources
Open source intelligence collection is a huge source of collection Internet Trash Media Open and legal public sources accounts for about 80% of all information collected There are many different legal and illegal collection methods Small details pieced together for a big picture

9 Threat Threat: The capability of an adversary coupled with their intention to undertake any actions detrimental to the success of program activities, operations or individuals. Conventional Threats Military opponents Foreign adversaries/countries Unconventional Threats Organized crime Foreign terrorists Home grown terrorism Insiders (espionage) Hackers, phishing scams Thieves, stalkers, pedophiles Ask yourself, how could any one on this list be called an ‘adversary’? Do they have, intentional or unintentional, the capability to collect information on you/your organization, that you wouldn’t want them to know? Ask the audience what kinds of information some of these adversaries might want from them.

10 Terrorist Threat What are they looking for?
Names/photographs of important people Present and future operations & capabilities Information about military facilities: - Location & Units - Weapons used - Exterior size and shape - Number of sailors & officers - Ammunition depot locations - Leave policies - Dates & times of operations Family details Marital status - Children & extended family members - Location of work, school, home etc Details details details…… OPSEC

11 Indicators Friendly detectable actions that reveal critical information & vulnerabilities: Longer working hours Flight plans, schedules, itineraries Rehearsals Sudden changes in procedures Purchases/on-load’s Blog’s/posts Routine predictable procedures Large troop movements Emblems, logo’s, distinctive markings

12 Avoid Indicators: Don’t advertise!

13 Vulnerability Weakness the adversary can exploit to get critical information Vulnerabilities make you susceptible to intelligence/data collection. Poor security and sharing too much information are common, easily exploited vulnerabilities. Blogs, posts, s, phone calls and conversations in restaurants, airports and other public places expose important information to potential adversaries and are a very common vulnerability. Vulnerability: A weakness the adversary can exploit to get critical information. A vulnerability is anything that makes your critical information susceptible to intelligence collection. Your EEFI/CI list, threat analysis, and considering the adversaries perspective will point to the vulnerabilities in the planning process

14 Common Vulnerabilities
Lack of Awareness Data aggregation Unsecure communications Social engineering Trash Technology Internet/social networking Blogs Predictable actions & patterns

15 Lack of Awareness Frequently Asked Questions
But it’s secure! Right? How much is too much? Details are dangerous. The less information you provide the safer you are. As a rule only discuss events well after they have occurred. When in doubt don’t say anything at all. WRONG! Address the issue with the person- ask them to remove the information and tell them why its important to think OPSEC. If issues persist contact the command CMC for further clarification and resolution. What do I do if a family member is violating OPSEC procedures?

16 Unsecure Communications
Unencrypted, unsecure communications are a common vulnerability Cell phones Cordless phones Blue tooth Open/over heard conversations Blogs & chat sites Internet postings Not Secure Not Secure Not Secure Not Secure Not Secure Not Secure Not Secure

17 Trash Mind your trash- what details are being thrown away? Rosters
Training details & schedules Itineraries & mail Phone trees Rank/position details What happens to the trash/recycling? Who owns/has access

18 Emerging Technology There’s an App for that
Phone carrier's push applications to users without prompts Convenience vs. vulnerability Friendly use vs. adversarial use How can this application be used against me? Terms of use & privacy issues What are you consenting to by using an app? What is the risk if your phone is lost or stolen? What data would then be available? Remote installation/activation possibilities Apps that are sent out by service providers are done without prompt and free of charge– a convenience or a vulnerability? Technology changes everyday, and the different software packages and applications available are becoming more and more intrusive and service oriented. When reviewing technology look at both the friendly and the adversarial prospective– how might someone use the tool negatively? Technology is our best friend and our worst enemy. The military is moving towards virtual training using virtual reality worlds– how might this effect OPSEC? App for crossing the boarder: Developed by a professor at UCSD to assist illegal immigrants safely navigate their crossing. Using GPS the app highlights major highways, police stations, water drops and major land marks to highlight the safest route to cross. It is marketed as a humanitarian tool. Plazes widget can be installed on anything that can have flash embedded (i.e. SNS’s). Works off of SIM card and GPS to transmit the devices location in real time, all the time. It is the ultimate way to keep up with friends. Recognizr: Facial recognition software that works with Googles free mobile OS. The user takes a photo of a person and the data is transmitted to a server in Sweden that collects information and creates a database. The photo is then cross referenced with the data in the database and the information that is found on the subject of the photo is then sent back to the originating device, to include any social networking profiles that get a match on the photo.

19 Internet Social Networking Sites
Limit the amount of personal and sensitive information you make available on: Social Networking Sites Dating sites Web browsing Blogs Chat/IM Data aggregation & data mining Collecting & selling your information Friend vs. Foe Account spoofing & identity theft Phishing scams

20 Internet Blogs Blogs are very detail oriented. The more specific the information the higher value it has to adversaries. Limit the amount of personal information posted and blogged. Lessons learned 101 for the adversary What information can an adversary learn based solely on details in photos? Blogs, and the internet in general are a great source for information. People tend to post the post intimate details about themselves in a typically completely unsecure, wide open public forum. This is horrible OPSEC. Lessons learned 101 for the bad guy is as simple as goggling IED damage to vehicles. The above battle damage assessment photos were pulled right off .mil sites. What can the adversary learn just by studying these photos? What do these images tell the adversary about the effectiveness of their attacks? Military spouse blogs are a great way to learn all kinds of information, including the kids ages, names, school district, deployment schedules, duty days, smoking/eating habits and on and on– too many details.

21 If I put this information out there, what could possibly go wrong?
Risk The probability an adversary will gain knowledge of your critical information (CI) and the impact if the adversary is successful. Risk is a measure of the probability an adversary will be successful and the impact if that happens. Risk management is about understanding and minimizing risk. If I put this information out there, what could possibly go wrong?

22 Risk Risk scenario: You are proud of your military family.
So you prominently display personal information about them on the back of your car for everyone to see. What is the possible risk associated with displaying these indicators??

23 Countermeasures Anything that effectively negates or reduces an adversary's ability to exploit vulnerabilities or collect & process critical information - Hide/control indicators - Protect personal information - Change routines & routes - Differ times you do activities Counter measures are intended to influence or manipulate an adversaries perception - Take no action - React too late - Take the wrong action You may require multiple countermeasures to reduce risk to an acceptable level. One countermeasure may work for more than one vulnerability. Countermeasures are not always required. The use of countermeasures are determined by the decision maker after an assessment has been completed. Good countermeasures may include: Hide/control indicators: don’t give away clues Reduce signatures: change things that stand out- don’t let the adversary interpret your indicators Procedural changes: Reduce your predictability by changing the process Planning options: OPSEC is applicable all of the time, but is most effective when implemented in the planning phase.

24 Don’t Be A Victim Knowledge is power …. for both you and the adversary. Be aware of the threat that exists against you as an American citizen, and as a military family member. Be suspicious of unsolicited phone calls, online requests, or s. Be suspicious when information about you and your family is requested. Always ask yourself, do they have the “need to know”? Share the OPSEC message with friends and extended family members. If you use this slide as simple guidelines, you will be better prepared if someone attempts to use social engineering against you. For further information about OPSEC and Social Engineering, please contact your OPSEC officer or the Navy OPSEC Support Team at

25 Naval OPSEC Support Team (NOST)
Questions Questions? Please contact YOUR OMBUDSMEN: Lena G. Bunnenberg Work: (216) Cell: (216) Debbie Lowry Work: (216) Cell: (440) Provided by: Naval OPSEC Support Team (NOST)

Download ppt "Fleet & Family Support Ombudsman Program & Operations Security"

Similar presentations

Ads by Google