Ombudsman and OPSEC Security Policy and Management


1 Ombudsman and OPSEC Security Policy and Management
DCMS-34 OPSEC/SETA Team Karen J Newhouse Sven Kummelt Callie Smith

2 Operations Security OPSEC
OPSEC is an analytical process used to deny potential adversaries information about our sensitive operations. We take the part of the adversary and analyze our own actions using the 5-step OPSEC process. We document our footprints, the little things that expose our actions to outside observers, so that we can develop ways of blurring or eliminating them.

OPSEC analysis generally deals with unclassified information. Classified information is a different situation: it has very specific protections and handling procedures required by law, and if you suspect classified information has been compromised, report it immediately to your local command. OPSEC is a 5-step process, not a list of do's and don'ts; it is an analysis of information to reduce the risk of compromise. Unclassified information can still be sensitive, even critical, to mission success and family safety.

3 Operations Security OPSEC
It’s all about the details. By collecting pieces of the puzzle from various sources, the adversary can create a whole picture of a sensitive operation. Military members, Auxiliarists, civilian employees, contractors, and family members all hold pieces of the puzzle by virtue of their position and interaction with the Coast Guard. Family safety, morale, and other non-operational support structures are important to the overall success of the Coast Guard missions. Learning about OPSEC improves the security, safety, and well-being of everyone in the Coast Guard community.

4 The 5-Step OPSEC Process
1) Analyze assets/critical information
2) Assess threats
3) Look at vulnerabilities
4) Get a big picture of overall risk
5) Consider simple countermeasures
There is no end to the process. Repeat as needed.

5 Analyze assets/critical information
Military member's mission:
Specific names, rank
Specific mission goals
Specific itineraries, travel
Security procedures
Problems in the field, accidents

Household information:
Usernames and passwords
Photos (geotags/GPS locations)
Job info, including schedule and commute
Social Security numbers
Financial information

Military member list: Don't discuss problems at the unit on non-secure social media sites or in public. The knowledge that a unit is lacking equipment or has internal squabbles can be used against it.

Home list: Photos can have embedded location information, and cell phones can track your movements. Do you password-protect your mobile devices? You should. Small devices are easily stolen.

Consequences: What does your phone tell a thief? What are the consequences of discussing an accident in the field? Do you have anything that you would not want to become public? Is it on your phone? Make a personal list; writing it down helps. Keep it by the computer or phone, and consider the consequences of loss, theft, or public exposure of each item on it.

6 2) Assess your threats
Intent: Do they want to do you harm?
Capability: What can they actually do?

Threat examples:
Terrorists
Organized crime
Illegal fishermen
Pedophiles
Gangs
Insider threat
Domestic violence
Anti-government groups
Stalking
Local unrest
Active shooter

An individual or group must have both the intent to do harm and the capability to do harm in order to be a threat. Threats differ from area to area, so it is important to get threat information from local sources.

Capability: Can they actually do it? Has it actually happened before? Who supports them and who pays their bills; are they local or international?
Intent: Would they actually do it? Why would they? Is it about YOU and your safety, or about your organization? Have they tried something before?

What happens at your local unit during an active shooter event? Do you encourage CGPAAS registration?

Ransomware is becoming more common. A hacker locks your device and demands payment, with the hope that they will unlock it after receiving payment. Because there is no guarantee that your device will be unlocked, the FBI suggests that you do not pay. Maintain a backup of your essential files, and stay alert to tainted emails: infected emails are the most common way ransomware gets onto a device.

Some threats are more likely than others. What is the most significant threat in your area?

7 3) Look at vulnerabilities
Home alone
Stress
Childcare
New job
New location
Financial issues
New to the military
Unaware of resources
Isolated from family
Isolated from friends
Marital issues
Social engineering (discussed later)

Lack of knowledge and lack of a local support structure can lead to oversharing with non-local friends and family on social media. All of these circumstances can lead to oversharing online, and loneliness and isolation are easily exploited by social engineering.

8 4) Get a big picture of overall risk
How likely is it that an adversary will obtain my information? What are the consequences if they do? Is it worth the risk? Can I do it another way? Do I understand all the factors (threats, vulnerabilities, etc.)? Am I overstating or understating the risk?

Use all of the factors to assess risk: the critical information and the consequences of its loss or exposure; the threats of various kinds, with their capability and intent; and the vulnerabilities that would make it easier for a threat to obtain your information.

We are human. We tend to overstate risk when assessing situations close to us, and understate it when the consequences are further removed from our inner circle. The more we understand, the better our ability to estimate risk. Consider having someone else help you review your assessment of risk.

9 5) Consider simple countermeasures
Household countermeasures:
New locks on doors
Discuss with family how to recognize suspicious online activity
Password-protect your mobile devices
Get to know neighbors

Awareness countermeasures for new spouses:
Add OPSEC to spouse orientation sessions
Actively market OPSEC and other resources for spouses
Keep resources up-to-date and relevant

Consider moving personal discussions to a face-to-face setting to avoid oversharing sensitive and emotional information online. For Ombudsmen and other support personnel, this means discussing sensitive, personal information with individuals face-to-face rather than online or over the phone.

Marketing of resources and OPSEC information can be done passively, by posting to a central website or Facebook page, or actively, through personal efforts to meet new people and by having smart cards or pamphlets with local numbers and services. The two work best together, combining an active campaign with passive online resources. Keeping online repositories updated means the information will be trusted and used; eye-rolling will commence if your social media suggestions refer to outdated programs or your contact numbers are for people who left two months ago.

10 Social Media Footprint
"Trusted sites" (LinkedIn, Military.com, Together We Served, etc.) are only as closed as their vetting process allows. How are people vetted to become members? In most cases, members provide no real-world authentication, so there is no way of knowing who they are in real life. Many members-only sites require only a credit card number for membership. What does it take to get a LinkedIn account?

Are we more likely to put sensitive information on a members-only site? Do we talk about our military experience on Together We Served? Do we include military experience and clearance levels in our online resumes? There is a website that gathers information from sites such as LinkedIn in order to expose members of the US intelligence community.

It can be difficult, but keeping an eye on the latest trends in social media is important for you, your family, and the Coast Guard. Stay informed about scams, hacks, and privacy controls. Spread the word.

11 Social Media Footprint
Zombie profiles: Old social media account profiles can come back to haunt everyone. Older platforms may not protect personal information, especially if accounts are inactive. Who will notice if your 10-year-old MySpace account is hacked? What sites did you use to look for a new job five years ago? Information you shared in college may not have seemed relevant then, but photos and posts from your past may be less welcome today, and if old sites are hacked, things can come back from the dusty past. A recent MySpace hack affected millions; older accounts, which were not as well protected, were the primary target.

Zombie accounts: Old accounts on old platforms have less security. If you no longer use an account, delete it. Someone could get control of your old account without your knowledge, especially if you don't visit often.

12 Social Media Footprint
Restrict your circle: If we discuss personal information on any social media page, it should be restricted to 'Friends' only or 'Private' settings. Every major social media site has privacy settings; check online to find out how to control the limits of your audience on each account you use. Know your audience: are you only using Facebook for personal information, or is it part of your business?

You do not control the circle of friends around your friends, and you do not know for sure who is reading your posts, so even privacy settings can be bypassed. We know how mom and dad like to brag. What are they saying? Do family and friends need a bit of OPSEC awareness? Or do we need to hold back sensitive information until it is appropriate to release it?

Know what is out there on you. Even if you do not have an account, others you know could be posting compromising tweets or pictures about you. Decide what to share and when, before you post. Know your audience, and know what others post about you.

13 Social Media Footprint
Photograph metadata: Information is embedded in each photograph you take with modern cameras and cell phones. This data was originally intended for professional photographers and includes GPS location, date and time, shutter speed, camera model, and more. It can be used to establish when and where a picture was taken. Even if the photo itself is not sensitive, the location can be derived from the metadata and may be just the piece of information an adversary needs. Remove the metadata from your photos before posting, or set your device so that location data is not embedded; check the internet for instructions for your device. Do not rely on a website to strip it for you: a file shared directly by email, messaging, or a cloud link keeps whatever metadata it was taken with.

Interpretation: Sometimes the interpretation of photos can be unexpected. A posted photo of a loved one in a combat zone can easily be interpreted in ways that reflect negatively on the military unit and the mission it represents. Photos with confiscated weapons or destroyed buildings can be seen as arrogant and very damaging, especially if the location is not well known to the photographer and turns out to be something sensitive, such as a hospital. Think twice about every photo you post.
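As an added example that is not part of the presentation (the DCMS-34 slides contain no code), the following Python script shows what "embedded metadata" actually is and how to remove it. It walks the JPEG segment structure, decodes the GPS latitude and longitude from the Exif APP1 segment, and returns the same image with the metadata segments dropped and the picture data untouched. It uses only the standard library. The sample JPEG it builds is constructed test data with arbitrary coordinates and a dummy scan rather than a real photograph, so the script runs offline; all function names are the example's own.

```python
# Added example: read and strip EXIF GPS data from a JPEG with only the standard library.
import struct

SOI, EOI, SOS, APP1, APP13 = 0xD8, 0xD9, 0xDA, 0xE1, 0xED
EXIF_HEADER = b"Exif\x00\x00"
TAG_GPS_IFD = 0x8825                                   # IFD0 entry pointing at the GPS sub-IFD
GPS_LAT_REF, GPS_LAT, GPS_LON_REF, GPS_LON = 0x1, 0x2, 0x3, 0x4
TYPE_SIZES = {1: 1, 2: 1, 3: 2, 4: 4, 5: 8, 7: 1, 9: 4, 10: 8}   # bytes per element, by TIFF type


def iter_segments(jpeg):
    """Yield (marker, seg_start, payload_start, seg_end) for each segment before SOS."""
    if jpeg[:2] != bytes([0xFF, SOI]):
        raise ValueError("not a JPEG")
    pos = 2
    while pos + 4 <= len(jpeg) and jpeg[pos] == 0xFF:
        marker = jpeg[pos + 1]
        if marker in (SOS, EOI):                       # scan data follows; metadata lives before it
            return
        (length,) = struct.unpack(">H", jpeg[pos + 2:pos + 4])   # length includes its own 2 bytes
        yield marker, pos, pos + 4, pos + 2 + length
        pos += 2 + length


def _read_ifd(tiff, e, off):
    """Return {tag: (type, count, raw 4-byte value-or-offset field)} for one IFD."""
    (n,) = struct.unpack(e + "H", tiff[off:off + 2])
    ents = [struct.unpack(e + "HHI4s", tiff[off + 2 + 12 * i:off + 14 + 12 * i]) for i in range(n)]
    return {tag: (typ, cnt, raw) for tag, typ, cnt, raw in ents}


def _value(tiff, e, entry):
    """Decode an ASCII or RATIONAL entry; values longer than 4 bytes are stored at an offset."""
    typ, count, raw = entry
    size = TYPE_SIZES[typ] * count
    data = raw[:size] if size <= 4 else tiff[struct.unpack(e + "I", raw)[0]:][:size]
    if typ == 2:                                       # ASCII, NUL-terminated
        return data.split(b"\x00", 1)[0].decode("ascii")
    if typ == 5:                                       # RATIONAL: uint32 numerator, uint32 denominator
        u = struct.unpack(e + "I" * (2 * count), data)
        return [u[i] / u[i + 1] if u[i + 1] else float("nan") for i in range(0, len(u), 2)]
    return data


def gps_from_jpeg(jpeg):
    """Return (lat, lon) in signed decimal degrees from the EXIF GPS IFD, or None if absent."""
    for marker, _, start, end in iter_segments(jpeg):
        if marker != APP1 or not jpeg[start:end].startswith(EXIF_HEADER):
            continue
        tiff = jpeg[start + len(EXIF_HEADER):end]      # all IFD offsets are relative to here
        e = "<" if tiff[:2] == b"II" else ">"          # "II" little-endian, "MM" big-endian
        magic, ifd0_off = struct.unpack(e + "HI", tiff[2:8])
        if magic != 42:
            raise ValueError("bad TIFF header in Exif segment")
        ifd0 = _read_ifd(tiff, e, ifd0_off)
        if TAG_GPS_IFD not in ifd0:
            return None
        gps = _read_ifd(tiff, e, struct.unpack(e + "I", ifd0[TAG_GPS_IFD][2])[0])
        if not all(t in gps for t in (GPS_LAT_REF, GPS_LAT, GPS_LON_REF, GPS_LON)):
            return None
        def to_deg(tag, ref_tag):                      # degrees/minutes/seconds -> decimal, S and W negative
            d, m, s = _value(tiff, e, gps[tag])
            deg = d + m / 60 + s / 3600
            return -deg if _value(tiff, e, gps[ref_tag]) in ("S", "W") else deg
        return to_deg(GPS_LAT, GPS_LAT_REF), to_deg(GPS_LON, GPS_LON_REF)
    return None


def strip_metadata(jpeg):
    """Drop APP1 (Exif, XMP) and APP13 (IPTC/Photoshop) segments; the scan data is copied verbatim."""
    out, pos = bytearray(jpeg[:2]), 2
    for marker, seg_start, _, seg_end in iter_segments(jpeg):
        if marker not in (APP1, APP13):
            out += jpeg[seg_start:seg_end]
        pos = seg_end
    out += jpeg[pos:]                                  # SOS, entropy-coded data and EOI, unchanged
    return bytes(out)


def build_sample_jpeg(lat_dms, lat_ref, lon_dms, lon_ref, e="<"):
    """Constructed input: a JPEG container with an Exif GPS IFD and a dummy scan (no real image)."""
    ent = lambda tag, typ, cnt, val: struct.pack(e + "HHI", tag, typ, cnt) + val
    rat = lambda triple: b"".join(struct.pack(e + "II", n, d) for n, d in triple)
    ifd0_off, gps_off = 8, 26                          # 8-byte header, then IFD0 (2 + 1*12 + 4 bytes)
    lat_off, lon_off = gps_off + 54, gps_off + 78      # GPS IFD is 2 + 4*12 + 4 bytes; rationals follow
    ifd0 = struct.pack(e + "H", 1) + ent(TAG_GPS_IFD, 4, 1, struct.pack(e + "I", gps_off)) + struct.pack(e + "I", 0)
    gps = (struct.pack(e + "H", 4)
           + ent(GPS_LAT_REF, 2, 2, lat_ref.encode() + b"\x00" * 3)
           + ent(GPS_LAT, 5, 3, struct.pack(e + "I", lat_off))
           + ent(GPS_LON_REF, 2, 2, lon_ref.encode() + b"\x00" * 3)
           + ent(GPS_LON, 5, 3, struct.pack(e + "I", lon_off))
           + struct.pack(e + "I", 0))
    tiff = (b"II" if e == "<" else b"MM") + struct.pack(e + "HI", 42, ifd0_off) + ifd0 + gps + rat(lat_dms) + rat(lon_dms)
    payload = EXIF_HEADER + tiff
    app1 = bytes([0xFF, APP1]) + struct.pack(">H", len(payload) + 2) + payload
    app0 = b"\xff\xe0" + struct.pack(">H", 16) + b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
    scan = bytes([0xFF, SOS]) + struct.pack(">H", 8) + b"\x01\x01\x00\x00\x3f\x00\x12\x34" + bytes([0xFF, EOI])
    return bytes([0xFF, SOI]) + app0 + app1 + scan
```

To try it on a real file, call gps_from_jpeg(open("photo.jpg", "rb").read()) and write the result of strip_metadata back out under a new name; on the constructed sample, gps_from_jpeg returns the coordinates before stripping and None afterwards. Two caveats for practitioners: the parser does only the bounds checking that Python slicing gives for free, so a deliberately malformed file can raise struct.error and untrusted input should be handled accordingly; and this covers JPEG only, while PNG, HEIC and video containers carry location data in their own formats.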

14 Social Engineering
Social engineering is the art of persuading us to give up useful information that is not readily available. The adversary can enhance the technique with little bits of information from social media or from digging through our trash, to create a plausible story and gain the trust of a target.

If you are going to use social media to maintain connections, know your online self. If you discuss your yoga class on Facebook, don't assume that a stranger who happens to attend the same yoga class is just a cosmic coincidence. Own your information: if your mom is a friend on Facebook, don't use her maiden name as a security question on your bank's website. Information can come from a wide variety of sources. Garbage can reveal hobbies, fast food preferences, and club memberships. Car stickers can reveal favorite running parks and political leanings. All of this gives an adversary an edge when trying to gain your trust.

Social engineering is essentially the art of gaining access to buildings, systems, or data by exploiting human psychology rather than by breaking in or using technical hacking techniques. For example, instead of looking for a software vulnerability, a social engineer might call an employee posing as IT support and try to trick the employee into divulging a password. Famous hacker Kevin Mitnick helped popularize the term 'social engineering' in the '90s, although the idea and many of the techniques have been around as long as there have been scam artists of any sort. Social engineering has proven to be a very successful way for a criminal to "get inside" an organization. Once a social engineer has a trusted employee's password, he can simply log in and snoop around for sensitive data. Another approach is to scam someone out of an access card or code in order to physically get inside a facility, whether to access data, steal assets, or even harm people.

No one says you can't post family information on social media. Just be aware that if a stranger suddenly seems to be a fellow Civil War buff, or also has a teenage daughter driving him crazy, you may have given that stranger the information about yourself. Remember what you have posted and be wary of coincidences. No software or hardware can prevent social engineering; training and awareness programs are the best defense.

15 Social Engineering: Elicitation
Elicitation describes the face-to-face conversations an adversary uses to gain information. In many cases we do not realize we have given away too much until we think about the discussion later. The adversary knows from experience that we normally like to be polite and helpful. We like to appear well-informed and intelligent in front of strangers. We answer surveys. We gossip. We correct others when they are wrong, and we underestimate the importance of our own information. We can be too embarrassed to report our interactions, or not even realize what we have done. A study in Britain showed that employees were willing to give up information about their workplace, including names, personal details, and job descriptions of coworkers, in exchange for small free gifts. Posing as a survey taker is a common cover for elicitation. Many governments send agents to tech or scientific gatherings, or to places where military and government employees are known to sit and relax, such as restaurants and local bars. Elicitation can be difficult to spot. If you think you have said too much when talking with a stranger, report the incident to your local command.

16 Elicitation Techniques
Some traditional elicitation techniques:
Someone tells us something that is incorrect, just so we will provide the correct information. Correcting inaccuracies is an almost automatic response.
Someone seems to confide in us, trying to elicit information that is "just between you and me."
Someone initiates an emergency or urgent request, such as a lost child or a medical issue, to keep us from thinking clearly. Take a deep breath and stay calm.
Someone asks about a non-sensitive issue, such as how we organize an event, and in the end has the information on how visitors or outside vendors are allowed access to the event.
The FBI has a lot of information on elicitation on its website.

17 Social Engineering: Phishing
Phishing: The basic premise is to send an email to as many people as possible and hope that some of them respond. The target may be asked to send money, to click on a link that downloads malicious software, or even to allow an adversary to take control of a computer. Send it to thousands of random people, and SOMEone is going to click. One example of a phishing email is a fake offer from Amazon: considering how many people have Amazon accounts, someone is likely to click on the links. If you don't have an Amazon account, you delete the email. But what if the next one is for USAA bank or Disney? An adversary does not need any information about you other than your email address to engineer this kind of attack; it has to be sent to a large number of targets to entice enough people for it to succeed.

18 Social Engineering: Spearphishing
Spearphishing: This is more targeted. Using bits of information gleaned through social media or by digging through the trash, the email is aimed at a single individual or a group. Masquerading as a known help desk or IT employee, the adversary may offer to 'update' your anti-virus software, or may use the logo of your bank to convince you to give up account information. Obviously, the more information the adversary has, the better the email will be: if they know which bank we use or which stores we frequent, they have a better chance of sounding convincing.

Spearphishing is very hard to defend against, because the adversary usually has targeted information about you. Don't assume you will catch it every time. Keep the phone numbers of your banks and credit card companies near the computer so you can cut the adversary off from your assets if they do get your information. Don't automatically click on 'IT helpdesk' popups or emails; question their validity. No legitimate bank will ask you to send a password or account information via email. Call your bank using a number you have used before, not one provided by the email, and verify any request that seems suspicious.

19 Talking Points
How can you best communicate with OPSEC offenders? What is the best way to change behavior?

Quotes you will hear:
"Everyone else does it."
"You can't tell me what to do!"
"We did it at our old command."
"It's not important information."

Have you heard these before? Prepare a response. It may be as simple as showing them that they are part of a community. Discuss participation in a USCG community, and discuss consequences. A woman recently found out about her husband's death through a Facebook post: one of his military team members told his own spouse about a death in a training accident, and that spouse went immediately to the woman to voice her condolences. Would we want that to happen to us?

Do I tell the command? Who is your OPSEC Coordinator? Do you have a unit procedure in place for reporting incidents? Maintain connections with the local command; they may have specific expectations about whether and how to report OPSEC concerns. YOU are the first one to see changes occurring in a situation. YOU are the one who knows if something is "odd" or "weird." It's YOUR community.

Using current, real-world examples in education and awareness programs speaks to the audience more than made-up scenarios. Google "elicitation" or "phishing" to find a collection of stories and examples. Do you catch the morning news? Think OPSEC, and you will eventually find local examples.

20 Talking Points
Please remember: there is no such thing as an OPSEC violation. "Violation" describes a serious compromise of classified information or a cyber-security incident. OPSEC is not a list of do's and don'ts; it is a five-step process used to protect information by looking at it from an adversary's perspective. If information is released via social media or other means, assess the loss or publication of the information and how it would affect your USCG member's mission and the Coast Guard as a whole. This is more important than pointing fingers at who is to blame. Education and awareness are the most useful tools available to you for supporting the OPSEC process.

21 Consequences
Good OPSEC is invisible: when it works, it doesn't show.

Bad OPSEC:
Safety of military and family members compromised
Terrorist "hit lists" of military members compiled from social media
Online communities hacked
Homecomings postponed
Military member facing reprimands of varying severity
Spouses ostracized from some community or military events
Poor Coast Guard reputation in joint DoD military missions

22 Resources
FBI Cyber Security webpage
DoD Education Activity: OPSEC
DoD Social Media Hub
YouTube playlist of Joint OPSEC Support (JIOWC) awareness videos
DCMS-34 OPSEC/SETA team: Karen J Newhouse, Sven Kummelt, Callie Smith
Family OPSEC at every OPSEC survey

23 Questions??

