
OPSEC: From the outside in

By Dominick Scalzitti, 375th AMW Plans, Programs, and Readiness
When we park our vehicle to enter a restaurant or other establishment for a period of time, we make sure the vehicle is locked and that all valuables are hidden, either under a seat, or in the glove compartment or trunk.

Welcome to operations security, or OPSEC. Operations security, a program developed during the Vietnam War, used teams under the moniker "Purple Dragon" to ascertain the sources of disclosed information. OPSEC looks at our activities and processes from the viewpoint of the adversary, or those who would do us harm. It forces us to examine our processes and implement actions that prevent that harm. Applying OPSEC to the vehicle example above, and looking at the situation from the adversaries' perspective, or from the outside in, we would expect them to peer in the vehicle windows to see if there are any valuables worth taking. The fact that the vehicle contains valuables, such as a GPS or laptop computer, would be considered "critical information." Leaving the valuables visible on the seat would be considered an OPSEC indicator: a sign that we have something valuable worth taking. By stowing the valuables in the trunk, our vehicle is less of a target for vandalism or theft. The act of stowing our valuables in this example constitutes an OPSEC countermeasure.

With this basic explanation of OPSEC, let's apply it to computers, since they present the most diverse and fastest-expanding challenge to the protection of our critical information, whether it be flight plans, deployment or financial records, or other data. Let's not forget that a threat to a computer equals a threat to the critical information on that computer, and that a threat to the network is a potential threat to all sensitive information on the network.

The Department of Defense 2011 Annual Report to Congress on Military and Security Developments Involving the People's Republic of China states, "In 2010, numerous computer systems around the world, including those owned by the U.S. Government, were the target of intrusions, some of which appear to have originated within the PRC. These intrusions were focused on exfiltrating information. Although this alone is a serious concern, the accesses and skills required for these intrusions are similar to those necessary to conduct computer network attacks." During 2009, the DoD reported 71,661 incidents of malicious cyber activity, according to the 2010 Report to Congress of the U.S.-China Economic and Security Review Commission.

With this information, and other reports and articles readily available on the web, it seems that our critical and sensitive information is at risk from individual hackers, groups or organizations, nation states, and even us. The "us" comes from a white paper, entitled Protecting Your Organization from Insider Threat, published by Perimeter E-Security. The company conducted a study using data from 2000 to 2009, and reported that one-fifth of all data breaches are caused accidentally by insiders, or employees. The data breaches ranged from incorrectly disposed-of documents, media, and computers to clicking on malicious links and visiting malicious web sites.

Three times I've received suspicious e-mail messages from friends and family. Each contained an attached document or link with no text. I contacted all three, and two were malicious. The two friends with infected machines sent e-mail messages to all their contacts informing them of the situation, and cautioning them not to trust e-mail messages from them until informed otherwise.

Then, within the past week, I suspected malicious posts on three relatives' social networking pages which purported to link to videos on the YouTube site. YouTube's actual address of "www.youtube.com" was listed below the video link, but the video link itself pointed to a site on "youtu.be" with the "be" domain indicating the site is in Belgium.

As it turned out, the site "youtu.be" is a legitimate shortener for YouTube's primary site. I was suspicious, as malicious sites often use some variation of the actual website name in their links, for example, http://www.ac.info/microsoft.com. In this example, the actual site is "ac.info" and "microsoft.com" is a folder on the site. The malicious site owners expect their prey to see "microsoft.com" and assume the site is legitimate. When you hover the mouse over a link on a web page or in a document, the actual site name it links to should pop up in a box over the link, or the site should be displayed at the bottom of the window in the information bar. This is how we should detect links to malicious sites, ensuring we pause and look at the entire text of the link.
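As an added illustration of the link check described above (example code, not part of the original article), this Python snippet extracts the host a link really targets and compares it with the site the reader is shown; the KNOWN_SHORTENERS table and the two-label domain heuristic are simplifying assumptions, and the sample links are constructed.

```python
from urllib.parse import urlsplit

# Shorteners known to belong to the brand they redirect to. The article notes that
# youtu.be is YouTube's legitimate shortener; any other entry would need the same
# kind of verification before being added (assumption: this table is illustrative).
KNOWN_SHORTENERS = {"youtu.be": "youtube.com"}


def actual_host(link: str) -> str:
    """Host a link really targets, lowercased; bare names get a scheme so urlsplit works."""
    if "://" not in link:
        link = "http://" + link
    return (urlsplit(link).hostname or "").lower()


def registrable_domain(host: str) -> str:
    """Last two labels of the host (deliberate simplification; real tools use the Public Suffix List)."""
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def classify_link(displayed: str, href: str) -> dict:
    """Compare the site the reader sees with the site the link actually opens."""
    shown = registrable_domain(actual_host(displayed))
    host = actual_host(href)
    target = registrable_domain(host)
    # Brand name present in the link but outside the part that decides where it goes,
    # e.g. as a folder ("/microsoft.com") or as an extra subdomain ("microsoft.com.example.net").
    brand_outside_host = bool(shown) and shown != target and shown in href.lower()
    if shown == target:
        verdict = "same site"
    elif KNOWN_SHORTENERS.get(target) == shown:
        verdict = "known shortener"
    else:
        verdict = "suspicious"
    return {"verdict": verdict, "actual_host": host, "brand_outside_host": brand_outside_host}


if __name__ == "__main__":
    # Constructed samples mirroring the article's two cases, plus one subdomain variant.
    samples = [
        ("www.youtube.com", "https://youtu.be/abc123"),
        ("microsoft.com", "http://www.ac.info/microsoft.com"),
        ("microsoft.com", "http://microsoft.com.example.net/login"),
    ]
    for shown, href in samples:
        print(f"{shown!r:20} -> {href!r}: {classify_link(shown, href)}")
```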

Our goal is to maintain awareness and effectively use countermeasures to protect our critical and sensitive information. The Oct. 6 issue of Command Post included an excellent article, titled "October is Cyber Security Month," that listed a number of protective measures that will help us keep the adversaries out, both at home and at work (it can be found at www.scott.af.mil).

Additionally, your unit OPSEC coordinator can provide you with resources such as OPSEC For Family Members, Safe Social Networking, Cyber OPSEC: Protecting Yourself Online, Best Practices for Keeping Your Home Network Secure, etc., all of which you can email home to help you better protect your personal computers. If you have difficulties getting the material, you can send an email to opsec@scott.af.mil requesting that the documents be sent to you.

Always... pause, think, protect. Do OPSEC!