Ombudsman/FRG Training

Upload: naval-opsec

Post on 22-Apr-2015

DESCRIPTION

Basic OPSEC training for family members of active duty members.

TRANSCRIPT

Page 1: Ombudsman/FRG Training

UNCLASSIFIED

Navy IO Center of Excellence

Fleet & Family Support Ombudsman Program & Operations Security

Naval OPSEC Support Team (NOST)

Naval Information Operations Command (NIOC)

(757) 417-7100 [email protected]

www.facebook.com/NavalOPSEC

www.twitter.com/NavalOPSEC

www.slideshare.net/navalOPSEC

Page 2: Ombudsman/FRG Training

Operations Security

Operations Security (OPSEC) is a process that identifies unclassified critical information (CI), outlines potential threats and the associated risks, and develops countermeasures to safeguard critical information.

OPSEC protects our operations: planned, in progress, and future. Success of these operations depends on secrecy. Military members can more safely carry out missions if the element of surprise and secrecy is preserved. As family members of active duty members, you have a unique responsibility to practice good OPSEC measures and protect not only mission-critical information, but your personal and family critical information as well.

Page 3: Ombudsman/FRG Training

Operations Security

The OPSEC process teaches you to:

• Look at your daily activities from the enemy’s point of view.

• Understand what an enemy might learn about you and your family from the information and details that you make available.

• Assess the level of risk that this places on you and your family.

• Develop and apply counter measures, which help to prevent the enemy from obtaining your critical information and using it against you.

Page 4: Ombudsman/FRG Training

OPSEC Best Practices

• Be aware of your surroundings

• Be aware of the information that you are putting out in emails, online, phone conversations, photos and open unsecure conversations in public.

• Safeguard all sensitive, unclassified information.

• Think like the wolf. How can this information be used against me?

• Don’t discuss details

– Time lines, detailed locations or movements

– Limitations/capabilities

– Specific names, ranks, job titles, budgets

– Future or current operations

– Security procedures

• Don’t spread rumors

Page 5: Ombudsman/FRG Training

OPSEC Terms & Concepts

• Critical Information (CI)

• Data Aggregation

• Threat

• Indicators

• Vulnerability

• Risk

• Counter Measures

Page 6: Ombudsman/FRG Training

Critical Information

• Information the adversary needs to prevent our success.

• Information we must protect to ensure success.

• Position

• Capabilities

• Operations

• Personnel

• Family

Page 7: Ombudsman/FRG Training

Family Critical Information

Information to safeguard

• Names and photos of you, your children and co-workers

• Usernames, passwords, network details

• Job title, location, salary, clearances held

• Physical security and logistics

• Addresses, phone numbers, significant dates

• Mission capabilities and limitations

• Length and location of spouse’s deployment

• Status of equipment and personnel

• Schedules and travel itineraries

• Social security number, credit cards, banking information

• Hobbies, likes, dislikes, etc.

Page 8: Ombudsman/FRG Training

Data Aggregation

• Data/information collection from multiple sources

• Open source intelligence is a huge source of collection

– Internet

– Trash

– Media

• Open and legal public sources account for about 80% of all information collected

• There are many different legal and illegal collection methods

• Small details pieced together for a big picture

Page 9: Ombudsman/FRG Training

Threat

Threat: The capability of an adversary coupled with their intention to undertake any actions detrimental to the success of program activities, operations or individuals.

• Conventional Threats

– Military opponents

– Foreign adversaries/countries

• Unconventional Threats

– Organized crime

– Foreign terrorists

– Home grown terrorism

– Insiders (espionage)

– Hackers, phishing scams

– Thieves, stalkers, pedophiles

Page 10: Ombudsman/FRG Training

Terrorist Threat

What are they looking for?

• Names/photographs of important people

• Present and future operations & capabilities

• Information about military facilities:

- Location & Units

- Weapons used

- Exterior size and shape

- Number of sailors & officers

- Ammunition depot locations

- Leave policies

- Dates & times of operations

• Family details

• Marital status

- Children & extended family members

- Location of work, school, home etc.

• Details, details, details…

Page 11: Ombudsman/FRG Training

Indicators

Friendly detectable actions that reveal critical information & vulnerabilities:

• Longer working hours

• Flight plans, schedules, itineraries

• Rehearsals

• Sudden changes in procedures

• Purchases/on-loads

• Blogs/posts

• Routine predictable procedures

• Large troop movements

• Emblems, logos, distinctive markings

Page 12: Ombudsman/FRG Training

Avoid Indicators: Don’t advertise!

Page 13: Ombudsman/FRG Training

Vulnerability

Weakness the adversary can exploit to get critical information

• Vulnerabilities make you susceptible to intelligence/data collection.

• Poor security and sharing too much information are common, easily exploited vulnerabilities.

• Blogs, posts, emails, phone calls and conversations in restaurants, airports and other public places expose important information to potential adversaries and are a very common vulnerability.

Page 14: Ombudsman/FRG Training

Common Vulnerabilities

• Lack of Awareness

• Data aggregation

• Unsecure communications

• Social engineering

• Trash

• Technology

• Internet/social networking

• Blogs

• Predictable actions & patterns

Page 15: Ombudsman/FRG Training

Lack of Awareness

Frequently Asked Questions

But it’s secure! Right?

WRONG!

How much is too much?

Details are dangerous. The less information you provide, the safer you are.

As a rule, only discuss events well after they have occurred.

When in doubt, don’t say anything at all.

What do I do if a family member is violating OPSEC procedures?

Address the issue with the person: ask them to remove the information and tell them why it’s important to think OPSEC.

If issues persist, contact the command CMC for further clarification and resolution.

Page 16: Ombudsman/FRG Training

Unsecure Communications

• Unencrypted, unsecure communications are a common vulnerability

– Cell phones

– Cordless phones

– Bluetooth

– Email

– Open/overheard conversations

– Blogs & chat sites

– Internet postings

Not Secure

Page 17: Ombudsman/FRG Training

Trash

Mind your trash: what details are being thrown away?

• Rosters

• Training details & schedules

• Itineraries & mail

• Phone trees

– Rank/position details

• What happens to the trash/recycling?

– Who owns/has access

Page 18: Ombudsman/FRG Training

Emerging Technology

There’s an App for that

• Phone carriers push applications to users without prompts

• Convenience vs. vulnerability

• Friendly use vs. adversarial use

– How can this application be used against me?

• Terms of use & privacy issues

– What are you consenting to by using an app?

• What is the risk if your phone is lost or stolen? What data would then be available?

• Remote installation/activation possibilities

Page 19: Ombudsman/FRG Training

Internet

Social Networking Sites

• Limit the amount of personal and sensitive information you make available on:

– Social Networking Sites

– Dating sites

– Web browsing

– Email

– Blogs

– Chat/IM

• Data aggregation & data mining

– Collecting & selling your information

• Friend vs. Foe

– Account spoofing & identity theft

– Phishing scams

Page 20: Ombudsman/FRG Training

Internet

Blogs

• Blogs are very detail-oriented. The more specific the information, the higher its value to adversaries.

• Limit the amount of personal information posted and blogged.

• Lessons learned 101 for the adversary

– What information can an adversary learn based solely on details in photos?

Page 21: Ombudsman/FRG Training

Risk

The probability an adversary will gain knowledge of your critical information (CI) and the impact if the adversary is successful.

If I put this information out there, what could possibly go wrong?

Page 22: Ombudsman/FRG Training

Risk

Risk scenario:

You are proud of your military family. So you prominently display personal information about them on the back of your car for everyone to see.

What is the possible risk associated with displaying these indicators?

Page 23: Ombudsman/FRG Training

Countermeasures

• Anything that effectively negates or reduces an adversary's ability to exploit vulnerabilities or collect & process critical information

- Hide/control indicators

- Protect personal information

- Change routines & routes

- Vary the times you do activities

• Countermeasures are intended to influence or manipulate an adversary’s perception, so that the adversary will:

- Take no action

- React too late

- Take the wrong action

Page 24: Ombudsman/FRG Training

Knowledge is power… for both you and the adversary.

• Be aware of the threat that exists against you as an American citizen, and as a military family member.

• Be suspicious of unsolicited phone calls, online requests, or emails.

• Be suspicious when information about you and your family is requested.

• Always ask yourself, do they have the “need to know”?

• Share the OPSEC message with friends and extended family members.

Don’t Be A Victim

Page 25: Ombudsman/FRG Training

Questions

Questions? Please contact the NOST for assistance or any of the following:

• Computer-based training

• FRG/Ombudsman support

• OPSEC & other tailored briefs

• Videos, posters, brochures & fliers

• OPSEC Reminder Cards

• Two-day Navy OPSEC course

• Other Resources

Naval OPSEC Support Team (NOST)

(757) 417-7100

[email protected]

http://www.facebook.com/NavalOPSEC