Presentation is loading. Please wait.

Presentation is loading. Please wait.

OPSEC and Social Networking

Published byBruno Weaver Modified over 8 years ago

Similar presentations

Presentation on theme: "OPSEC and Social Networking"— Presentation transcript:

1 OPSEC and Social Networking
Naval OPSEC Support Team (NOST) Navy Information Operations Command (NIOC) (757) DSN 537

2 References DTM Responsible & Effective use of Internet-based Capabilities SECNAVINST B DON WWW Web Policy DON CIO_CHINFO Joint Memo 10_Oct 07_DOC Web Presence Policy NTTP 3-54 M Operations Security DOD Directive OPSEC Program OPNAVINST Operations Security DON Navy Public Affairs Policy & Regulations SECNAV B DON Policy for Content of Publicly Accessible World Wide Web Sites SECNAV B COMNAVREGMIDLANTINST Web 2.0 Technologies Social Networking Sites Safety Checklist ALNAV IbC- Official Internet Posts ALNAV IbC- Unofficial Internet Posts Web based instructions and guidance. The most important point to take away is that DOD and DON have opened access to social networking sites and other previously blocked sites, with the exception of gambling, hate and pornographic sites. Web based accounts such as Yahoo are still under review. Please note CO maintain the authority to restrict web access as they see fit for their respective commands.

3 Operations Security OPSEC
OPSEC is a process that identifies critical information, outlines potential threats and risks and develops counter measures to safeguard critical information Operations Security: 1. A systematic, proven process by which a government, organization, or individual can identify, control, and protect generally unclassified information about an operation/activity and, thus, deny or mitigate an adversary's/competitor's ability to compromise or interrupt said operation/activity (NSC 1988). 2. OPSEC is a process of identifying critical information and subsequently analyzing friendly actions attendant to military operations and other activities to (a) identify those actions that can be observed by adversary intelligence systems, (b) determine indicators adversary intelligence systems might obtain that could be interpreted or pieced together to derive critical information in time to be useful to adversaries, and select and execute measures that eliminate or reduce to an acceptable level the vulnerabilities of friendly actions to adversary exploitation (DOD JP 1994; JCS 1997). Operations Security process: An analytical process that involves five components: identification of critical information, analysis of threats, analysis of vulnerabilities, assessment of risks, and application of appropriate countermeasures (NSC 1988). Source:

4 Critical Information Information we must protect to ensure success.
Information the adversary needs to prevent our success. - Names and photos of you, your family and co-workers - Usernames, passwords, network details - Job title, location, salary, clearances - Physical security and logistics - Position, mission capabilities and limitations - Operations & missions - Schedules and travel itineraries - Social security number, credit cards, banking information - Hobbies, likes, dislikes, etc. Critical Information (CI) as it pertains to OPSEC is detail specific, unclassified information that an adversary needs to obtain to act against an individual or unit. For example, the watch rotation of a unit, while not classified information, is vital to the security posture and is a detail that should be protected. critical information: Specific facts about friendly (e.g., U.S.) intentions, capabilities, or activities vitally needed by adversaries for them to plan and act effectively so as to guarantee failure or unacceptable consequences for accomplishment of friendly objectives. Source:

5 Data Aggregation Information collection from multiple sources
Al Qaeda handbook: open and legal public sources accounts for 80% of all information collected Legal and illegal collection methods Data aggregation is simply the collection of information, typically from multiple sources, including open source. Open source data aggregation accounts for about 80% of intelligence collection efforts against the USA by adversaries. Open source collection methods include both legal and illegal means, from digging through someone trash to tapping into a phone line.

6 Potential Vulnerabilities
Methods used to obtain Critical Information: Unprotected communications Sharing too much with strangers HUMINT Observations Technology Trash Media Web pages Social Networking Sites CI is made available everyday through many channels, some of which are listed in the slide. The information that people put out both at work and at home represents a huge vulnerability and an easy (and often legal) target for open source data aggregation. Military members, government employees and their families should make every effort to minimize the amount of CI, and personally identifiable information that they release through their everyday actions. Illegal methods are OK with adversaries!!!

7 Social Networking Social Networking Sites (SNS) allow people to network, interact and collaborate to share information, data and ideas without geographic boundaries.

8 Revised Statement of Rights & Responsibilities
“You own all of the content & information you post.” “You specifically give us the following permission, subject to your privacy and application settings, to use any content that you post on or in connection with Facebook.” Non-exclusive Transferable Sub-licensable Royalty-free Worldwide license “We may collect information about you from other users.” “Sometimes we share aggregated information with third parties.” Consent to Collection and Processing in the United States. By using Facebook, you consent to having your personal data transferred to and processed in the United States. After public outrage over the loss of rights Facebook issued a revision in the terms of use policy. Using gentler verbiage like “share” and “opportunity” the policy reads almost exactly the same as the previous policy when you get down to it. “We may retain certain information to prevent identity theft or other misconduct” The last line in the privacy policy, after all this jargon about respecting information and privacy settings and protecting information we have this in bold type with no further explanation: “Consent to Collection and Processing in the United States. By using Facebook you consent to having your personal data transferred to and processed in the United States.”

9 Why use a SNS? Personally Entertaining Maintain Relationships Network
Centralized information Professionally Marketing/recruiting Public Relations Connect with customers Solicit ideas and feedback SNS’ are personally entertaining and a valuable marketing tool. More than 400 million active Facebook users and counting As of November 2009 top three sites world wide: Google- worth 2.41 Billion USD generates $3.3 million daily Yahoo- worth 1.2 Billion USD generates $1.6 million daily Facebook- worth Million USD generates $825,000 daily 9.Baidu.com- Chinese search engine Source:

10 The Danger Bad guys use it, too: Stalkers Thieves Terrorist Hackers
Phishers/Scammers Enemy organizations Pedophiles And the list goes on… There is no filter for bad guys on the internet. The internet is available to anyone, world wide regardless of their intentions. The internet is an invaluable tool for “the bad guy” and a one stop source for too much information!

11 The Danger Al-Qaeda communiqué December 2009: “The affair with the U.S. Navy began several years ago, when the lions of Al-Qaeda struck the destroyer U.S.S. Cole, in Yemen; now, with Allah’s help, all the American vessels in the seas and oceans, including aircraft carriers, submarines, and all naval military equipment deployed here and there that is within range of Al-Qaeda’s fire, will be destroyed… “To this end, information on every U.S. naval unit – and only U.S. [units]!! – should be quietly gathered [as follows:] [the vessel's] name, the missions it is assigned; its current location, including notation of the spot in accordance with international maritime standards; the advantages of this naval unit; the number of U.S. troops on board, including if possible their ranks, and what state they are from, their family situation, and where their family members (wife and children) live; what kind of weapons they carry; the [vessel's] destination…; which naval units are closest to Islamic countries; which naval units are close to Western countries in general; searching all naval websites in order to gather as much information as possible, and translating it into Arabic; search for the easiest ways of striking these ships… “My Muslim brothers, do not underestimate the importance of any piece of information, as simple as it may seem; the mujahedeen, the lions of monotheism, may be able to use it in ways that have not occurred to you.” Information on every U.S. Naval unit should be quietly gathered…what state they are from, their family situation, and where their family members live… …search for the easiest ways of striking these ships… December Al Qaeda posts a message instructing all operatives to target the Navy, the sailors and their families. Search for personal information, find out where their families– find the easiest way to strike the ships. An important point for everyone to understand: your information is important to someone, you are a target to someone. Do not be casual with any piece of information, no matter how trivial it may seem to you. …. Do not underestimate the importance of any piece of information, as simple as it may seem….

12 Social Networking Websites and Your Security Clearance
The following is a security awareness statement signed by the Chief of Security, Pentagon Chief Information Officer, OSD Network Directorate: “Social sites risk security clearance. If you hold a security clearance or if you ever want to apply for one, be mindful of your postings and contacts online, particularly on social networking sites such as Facebook and Twitter. These sites pose risks to gaining and keeping a security clearance. Question 14 of the National Agency Questionnaire (SF-86) asks for names of your relatives and associates. The term associate is defined as any foreign national that you or your spouse are bound by affection, obligation, or close and continuing contact. Question 14 of the National Agency Questionnaire (SF-86) asks for names of your relatives and associates. The term associate is defined as any foreign national that you or your spouse are bound by affection, obligation, or close and continuing contact. SF-86– required to be granted a security clearance. Associate is anyone that you or your spouse have close or continuing contact with. This includes “friends” on SNS’. Who is in your friends?

13 DO’S & DON’TS of SOCIAL NETWORKING
Do’s and Don’ts of Social Networking An outline of some basic points that a user should follow to make their use of the internet safer.

14 “Do’s” Do: Remember Computer Security
Do not be an easy target for computer crimes Hacking Theft Planted code vs. Antivirus software Firewalls Strong Passwords Permission Settings Computer Security is the most important point. Antivirus software is critical. Norton, Mcafee, AVG and others are all vital programs that every computer should run to protect from virus’ and other malicious attacks. Virus scans, virus definition updates and spy ware scans should be done daily to insure a computer, both at work and at home, are as secure as possible. Firewalls and routers should be configured correctly and with strong passwords to help guard against unauthorized access. File permissions should be set to restrict access to unauthorized users. A wireless router is often the single point of both access and failure in any given home. Those with weak passwords and easily accessed routers are easy targets.

15 Do: Verify All Friend Requests
“Do’s” Do: Verify All Friend Requests Social engineering and “conning” starts with a friend request Adversaries can get the data from: Free people search engines Other SNS’s Your posts/profile Your friends posts/profile Do not trust who you cannot see and verify. It is not hard to establish accounts and to fake information to target people. Verify Requests Before Approving! Adversary

16 Do: Utilize All Available Privacy Settings
“Do’s” Do: Utilize All Available Privacy Settings Customize available settings to be as secure as possible “Everyone” may be accessed by anyone with access to the internet How many security settings are available on Facebook? Privacy settings are available on most sites and vary depending on the specific sites privacy policy. Facebook’s current privacy settings are now included in the rights that you grant Facebook in regards to what they are able to do with your information, as well as what applications linked to the site are able to obtain. There are over 120 different security settings on Facebook. Over 120

17 Do: Watch Your Friends Settings
“Do’s” Do: Watch Your Friends Settings Sure your profile is secure, but what about your 115 friends profile settings? All the privacy settings in the world mean nothing if someone in your network of friends does not have any privacy settings. Be careful of what you and your friends post and make available to the world.

18 Do: Closely Monitor Your Children’s Use of the Internet
“Do’s” Do: Closely Monitor Your Children’s Use of the Internet Cyber-bulling Kidnapping “Sexting” Stalking Pedophiles 500,000+ registered sex Offenders in the USA 95,000 registered sex offenders profiles on Myspace Children are especially vulnerable on the internet and make easy targets. Monitor closely children's use the internet to insure they are not posting critical and personal information.

19 Do: Verify Links & Files Before Executing
“Do’s” Do: Verify Links & Files Before Executing Would you follow a link in ? Would you download and run an attachment? Then why do you do these things on SNS’s? Phishing scams Malicious coding Viruses Scareware The same threats that exist in your inbox exist in social networking sites and any download. Verify links and websites before accessing and executing. Do not follow links provided in s, go through a trusted link that you know to be good. Call your bank and verify that the information they are requesting or sending is legitimate. Often times a bank will not contact you via for account changes. Verify before executing!

20 “Do’s” Do: Blog with Caution Avoid details, don’t get personal
Who is reading your blog? Lessons learned 101 for the adversary Blogs, and the internet in general are a great source for information. People tend to post the most intimate details about themselves in a typically completely unsecure, wide open public forum. This is horrible OPSEC. Lessons learned 101 for the bad guy is as simple as goggling IED damage to vehicles. The above battle damage assessment photos were pulled right off .mil sites. What can the adversary learn just by studying these photos? What do these images tell the adversary about the effectiveness of their attacks? Military spouse blogs are a great way to learn all kinds of information, including the kids ages, names, school district, deployment schedules, duty days, smoking/eating habits and on and on– too many details.

21 Do: Understand the Risks Associated with Geotagging
“Do’s” Do: Understand the Risks Associated with Geotagging Location/GPS data attached to photos Feature in Smartphones and digital cameras Lat/Long Device details “Check-in” feature Facebook Places Google Latitude Foursquare Gowalla Geotagging on social networking sites is increasing in popularity. From virtual check-in’s to simply uploading photos with geographical information included in the data, users are posting detailed physical location data online for the world to see. The technology for geotagging now comes standard on newer digital camera’s and smartphones, and is easily extracted with a simple software package that can be downloaded free in many cases.

22 Do: Be an Informed User of a SNS
“Do’s” Do: Be an Informed User of a SNS How much personal information do you broadcast? Are you very careful about what details you post? Do you understand data aggregation issues? Are you willing to find and learn all the security settings and keep up with them as they change? Be an informed user. Know the terms of use, the changes to the site, and all of the different settings that are available. Make your site as secure as possible, understand that data collection is the job of many– from marketing campaigns to adversaries. Regardless of settings, never post details– details make you vulnerable. Are you willing to accept the risk?

23 Do: Have a Contingency Plan
“Do’s” Do: Have a Contingency Plan KIA, MIA, POW What details will the adversary have to use against you? What information will the media have access to? Power of Attorney Memorial pages In the event of death or capture have a power of attorney in place to allow family members to delete or change your social networking profile. Protect your personal details from the media and adversaries.

24 Do: Assume the Internet is FOREVER
“Do’s” Do: Assume the Internet is FOREVER There is no true delete on the internet WWW means World Wide Web Every Picture Every Post Every Detail The internet is a cache of information– there is no true delete option. Facebook Stats: Facebook has been translated into 70 different languages 70% of FB users are outside of the USA More than 3 BILLION photos uploaded every month More than 5 BILLION pieces of content are shared every week

25 “Do’s” Do: Understand Official DON Guidance That Governs Military Personnel Use of SNS’s DON ALNAV 056/10 Official Internet Posts Social media posts in an official capacity DON ALNAV 057/10 Unofficial Internet Posts Any content posted about the DON by DON personnel in an unofficial & personal capacity DON personnel are responsible for all DON-related content they publish on the internet Unofficial internet posts is defined as any content about the DON or related to the DON that is posted on any internet site by DON personnel in an unofficial and personal capacity. Content includes but is not limited to, personal comments, photographs, video and graphics. Internet sites include social networking sites, blogs, forums, photo and video sharing sites, and other sites to include sites not owned, operated or controlled by the DON or DOD. DON personnel are responsible for all DON-related content they publish on social networking sites, blogs, or other IbC and should ensure that this content is accurate, appropriate and does not compromise mission security or success.

26 Don’t: Use the Same Passwords
“Don’ts” Don’t: Use the Same Passwords Hackers count on users using the same passwords for multiple accounts Password1 is not a strong password Password strength is key to protecting yourself on the internet. The average user has over 15 accounts and 4 different passwords. Do not use the same password for every account, that is an easy way to be taken advantage of.

27 Don’t: Depend on SNS’s Security Settings
“Don’ts” Don’t: Depend on SNS’s Security Settings But it’s set to private … right? Hackers Incorrect or incomplete settings Sale of data Upgrades/site changes “Risks inherent in sharing information” “USE AT YOUR OWN RISK. We do not guarantee that only authorized persons will view your information.” Never forget- the true purpose of a SNS from the creators POV is data aggregation for profit There are many instances where your information that you thought was private, really isn’t. Security isn’t perfect, and in many cases, it’s not even adequate because it’s not a priority for the owners of the SNS. Straight from the Facebook statement of rights & responsibilities- “USE AT YOUR OWN RISK. We do not guarantee that Facebook will be safe or secure.”

28 Don’t: Trust Add-On’s or Applications
“Don’ts” Don’t: Trust Add-On’s or Applications Plugins, Games, Applications Third Party Software Applications designed to collect data Malicious code Separate terms of use & privacy “We are not responsible for third party circumvention of any privacy settings or security measures.” Add-on’s and applications are third party software.This includes games like farmville, mafia wars etc. These applications have their own terms of use and often do not comply with the privacy settings of the host website. Facebook stats: Facebook Platform– more than 1 million developers and entrepreneurs from more than 180 countries. Every month more than 70% of Facebook users use a platform application More than 500,000 active applications currently on Facebook platform More than 250 applications have more than 1 million monthly active users Facebook Platform: “A standards-based web service with methods for accessing and contributing Facebook data….. Making the web more social!” Facebook Platform: “We do not own or run the applications and websites that you interact with through Facebook Platform, and while we try to enforce standards to protect your information, we cannot guarantee that they will follow our rules.:

29 Don’t: Grant the Same Access to Everyone
“Don’ts” Don’t: Grant the Same Access to Everyone Don’t treat all Friends equally Control & customize individual access Do create groups Poker club Family Set permissions for everything: Your status Photos Postings Permissions and groups are available to further customize permissions and restrict access. Not everyone in your friends list is your “best friend”, restrict the amount of data that everyone in your network is able to access.

30 Don’t: Discuss Details
“Don’ts” Don’t: Discuss Details Never post anything you would not tell directly to the enemy Never post private or personal information- no matter how secure you think your settings are Assume the information you share will be made public Don’t discuss or post details regardless of security settings. There is no truly secure computer with access to the internet- keep that thought in mind at all times and keep details to yourself. Details make you vulnerable

31 Naval OPSEC Support Team opsec@navy.mil
Questions? Please contact the NOST for assistance or any of the following: Computer-based training FRG/Ombudsman support OPSEC & other tailored briefs Videos , posters, brochures & fliers OPSEC Reminder Cards Two-day Navy OPSEC Officer course General OPSEC support Other Resources Naval OPSEC Support Team

Download ppt "OPSEC and Social Networking"

Similar presentations

Surfing the net: Ways to protect yourself. Internet Safety Look into safeguarding programs or options your online service provider might offer. Look into.

Surfing the net: Ways to protect yourself. Internet Safety Look into safeguarding programs or options your online service provider might offer. Look into.
Fleet & Family Support Ombudsman Program & Operations Security

Fleet & Family Support Ombudsman Program & Operations Security
Tiffany Phillips CIS 1055-004 What is a Social Networking Website? Social networking websites function like an online community of internet users. Depending.

Tiffany Phillips CIS What is a Social Networking Website? Social networking websites function like an online community of internet users. Depending.
Part I: Making Good Online Choices

Part I: Making Good Online Choices
Protecting children online  How can you protect your child online?  Are you aware of the dangers?  Do you know what you can put in place to protect.

Protecting children online  How can you protect your child online?  Are you aware of the dangers?  Do you know what you can put in place to protect.
Naval OPSEC Support Team Navy Information Operations Command, Norfolk 757-417-7100 #Don’tDoThat: Social Media Trends.

Naval OPSEC Support Team Navy Information Operations Command, Norfolk #Don’tDoThat: Social Media Trends.
The Internet.

The Internet.
SECURITY CHECK Protecting Your System and Yourself Source:

SECURITY CHECK Protecting Your System and Yourself Source:
INTERNET SAFETY FOR STUDENTS

INTERNET SAFETY FOR STUDENTS
NEW YORK NATIONAL GUARD FAMILY PROGRAMS Offered & presented by CW2 Walker Family Programs OPSEC Program Manager.

NEW YORK NATIONAL GUARD FAMILY PROGRAMS Offered & presented by CW2 Walker Family Programs OPSEC Program Manager.
Lecture 16 Secure Social Networking. Overview What is Social Networking? The Good, the Bad and the Ugly How to protect yourself How to protect your children.

Lecture 16 Secure Social Networking. Overview What is Social Networking? The Good, the Bad and the Ugly How to protect yourself How to protect your children.
Lecture 2 Page 1 CS 236, Spring 2008 Security Principles and Policies CS 236 On-Line MS Program Networks and Systems Security Peter Reiher Spring, 2008.

Lecture 2 Page 1 CS 236, Spring 2008 Security Principles and Policies CS 236 On-Line MS Program Networks and Systems Security Peter Reiher Spring, 2008.
FARMINGTON AREA PUBLIC SCHOOLS SUMMER TECHNOLOGY ACADEMY AUGUST 18TH, 2010 Web 2.0 Tools.

FARMINGTON AREA PUBLIC SCHOOLS SUMMER TECHNOLOGY ACADEMY AUGUST 18TH, 2010 Web 2.0 Tools.
Scams and Schemes. Today’s Objective I can understand what identity theft is and why it is important to guard against it, I can recognize strategies that.

Scams and Schemes. Today’s Objective I can understand what identity theft is and why it is important to guard against it, I can recognize strategies that.
INTERNET SAFETY FOR STUDENTS

INTERNET SAFETY FOR STUDENTS
DIGITAL CITIZENSHIP 6 TH – 8 TH UNIT 1 LESSON 3 SCAMS & SCHEMES What is identity theft, and how can you protect yourself from it?

DIGITAL CITIZENSHIP 6 TH – 8 TH UNIT 1 LESSON 3 SCAMS & SCHEMES What is identity theft, and how can you protect yourself from it?
How To Protect Your Privacy and Avoid Identity Theft Online.

How To Protect Your Privacy and Avoid Identity Theft Online.
Security Liaisons Information Presentation. Introduction  What’s the big deal with computer security? Don’t we have an IT security department to take.

Security Liaisons Information Presentation. Introduction  What’s the big deal with computer security? Don’t we have an IT security department to take.
How It Applies In A Virtual World

How It Applies In A Virtual World
Threats to I.T Internet security By Cameron Mundy.

Threats to I.T Internet security By Cameron Mundy.

Similar presentations

Ads by Google