Abstracts for National OPSEC Conference

Workshop Abstracts

Advanced Operations Security Applications Workshop

This full-day workshop will cover instruction on skills critical to the professional practice of OPSEC. Main topics of the workshop are OPSEC threat analysis, Internet usage relative to an adversary's perspective, and the planning phase of an OPSEC Survey.

The material in this workshop is a sample of the IOSS' OPSE 3100 Advanced Applications course. This is not an orientation level workshop; participants in the workshop will find the material most useful if they have already completed a basic course in OPSEC analysis.

Steps to Achieve Increased Security Awareness

Security awareness training is an effective strategy to reduce overall risk to an organization. The more employees are aware, the greater chance their behavior will be different, resulting in fewer security incidents. Being able to design, implement and manage an effective security awareness program is a difficult task - even for the best. This "train the trainer" session will walk you through the design of a successful awareness program. It will address how to overcome various challenges, gain management support, tailor a program to the needs of your workforce, and keep your security message fresh.. The workshop will focus on the following topics:

OPSEC and Web Risk Assessments

Principles of reviewing web pages for OPSEC vulnerabilities are the primary subject of this workshop. Use of checklists, commercially available software, and government-developed software are addressed as evaluation and review techniques.
This workshop will also provide an overview of the nature and use of the Internet to give an appreciation of why release of information on a web page might represent an unanticipated risk.

OPSEC for Law Enforcement Agencies

TOPICS :
• OPSEC and the Risk Management Process
• Vulnerabilities and Indicators
• Radical Islam & Domestic Terrorism
• Personal Computer Vulnerabilities and Countermeasures
• Threat Analysis

OPSEC and the Acquisition Process

This workshop will identify OPSEC considerations in all phases of the acquisition process. The workshop will identify the need for OPSEC in contracts and explore the basics of writing contractual OPSEC requirements in both classified and unclassified contracts. The purpose of the “Contract Security Classification Specification” (DD form 254) will be discussed to include how this form relates to contractual OPSEC requirements.
The workshop will highlight key points in a sample OPSEC Plan designed for use by a contractor. This workshop will provide valuable information to anyone involved in the acquisition process, directly or indirectly, including; contracting officers, Program Managers, OPSEC officers of organizations that purchase goods of services, contractors who provide goods or services to a government agency and others.

OPSEC: Why it is Essential for Risk Management

TOPICS:
• The Power of OPSEC
• Why OPSEC is Important to Me & My Organization
• Most Dangerous Threats to America’s Corporate and Public
• Where to Begin

Red Dragon, the Bear and the Scimitar International and Ideological Threats

This 4-hour threat briefing will state and explain the components of threat and then describe and define the adversary, its intent and capability unique to authoritarian Russia, the People’s Republic of China, Salafa Wahhabi Sunni Islam, and Khomeini Imami 12er Shia Islam. The presentation will also include a film that explains the basis for the Radical Islamic anti-secular Muslim and anti non-Muslim ideology that threatens the West and its allies.

Steganography: An Overview of Data Hiding Techniques

Steganography describes the practice of disguising the existence of a message, and sophisticated criminals and terrorists are believed to be increasingly using such techniques as a means of communicating anonymously and covertly. The increasing availability of steganography software, combined with their easy-to-use nature, may increase the attractiveness for adversaries to use steganographic techniques.
In this updated version from last year’s successful presentation, Mr. Panczenko will present an overview of steganography and some of the common ways data is hidden; who's using these techniques; and the latest challenges of this technology to the OPSEC community.

The Executive Office for United States Attorneys approach to Operations Security

In order to do that successfully, the famous strategist Sun Tzu wrote: “O Divine art of subtlety and secrecy! Through you we learn to be invisible, through you inaudible; and hence hold the enemy’s fate in our hands.” ( c. 500 B.C. The Art of War). Crime, terrorism, and disaster fill our world; are your employees prepared? Operations security is essential in all aspects of the U.S. Attorneys’ Offices (USAO) located throughout the country. We support the Department of Justice’s law enforcement mission in prosecuting both civil and criminal cases. The presenter conveys proven concepts and strategies to the audience using practical, real-world examples that will allow OPSEC program managers and professionals to understand how the USAO interacts with federal, state and local law enforcement agencies in order to successfully complete their mission.

Virtual Worlds – A Wild Frontier or a New World Order?

Virtual worlds are a great place for socializing, fantasizing, collaboration and learning but are you a target in these 3D environments?
This session will take a look at the 3D environment and the threats and vulnerabilities you face each time you login.

I Had The Right To Remain Silent; I Just Couldn't

This humorous skit demonstrates the all-too-common type of discussion between two total strangers in an airport lounge. In a matter of minutes they willingly (but unwittingly) divulge all sorts of personal and job-related information, failing to understand basic OPSEC practices. Making matters even worse, they pat each other on the back for being such stellar security professionals! As computer scientists say, "there is no patch for human stupidity."

The presentation includes clips from recent movies which also highlight social engineering and related OPSEC gaffes. Prepare to be entertained!

A Common Link – Risk Mitigation: Comparing the OPSEC Analytical Model and the DoD Program Protection Process

The protection of critical information in the public sector demands a risk mitigation process that requires multi-discipline analysis and decision making. Correct calculation of risk provides the basis for effective and efficient analysis resulting in accurate decision making leading to more effective countermeasures and responsible safeguarding of taxpayer investments.

Two dynamic, but similar environments are examined as backdrops with respect to overlaps in regard to risk mitigation; the DoD Acquisition Program Protection Planning (PPP) process and the Operations Security (OPSEC) analytical model. Both models provide frameworks and structures to guard against the compromise of critical program information and leading edge programs through risk analysis and mitigation. The heart of both models is the risk mitigation step.

The presentation explains how to get to this step, what happens during this step and the ensuing actions. Risk mitigation is explained within a basic problem solving model to include perception of the problem, decision-making and action. The Accumulate-Calculate-Mitigate-Regulate (ACMR © ) framework is explained and how it can be applied to both the PPP and OPSEC models. The specific challenges of converting qualitative analyses into quantitative models in a team environment are considered. Challenges in calculating program risk are examined from individual, team and organizational perspectives as well as the steps to guide leadership and senior decision makers in interpreting the results to make responsible decisions in regard to asset protection.

The Adversary Strategy - A Workshop on Identifying OPSEC Critical Information

OPSEC courses normally teach OPSEC methodology application using an adversary's perspective. This perspective is especially important when identifying critical information. In practical application, however, maintaining an adversary perspective is not always as easy as one might expect. The Adversary Strategy Technique is a proven, structured, and methodical approach for identifying critical information from the adversary perspective.

The instructors will lead a workshop enabling audience participation in an exercise to practice this technique in support of a notional operational scenario. They will present the technique, discuss the necessary data collection techniques, and identify the benefits gained from its use.

Analytical Risk Management

As practitioners of security analysis, OPSEC, and risk management we must always strive towards “professionalization” of our discipline and the improvement of its analytical methods. One of the ways we can do this is to create a common base of knowledge to share information that is documented, generally agreed upon and available to be taught to future generations. The SARMA Common Knowledge Base (CKB) project is intended to address these issues.

The initial focus of the SARMA CKB is threefold. It seeks to: 1) establish a common lexicon for security practitioners; 2) document the efforts of the profession to date; and, 3) develop standardized approaches to key security analysis issues. The SARMA CKB uses advanced Wiki software that enables practitioners from around the nation and the world to participate in creating this body of knowledge. This session will detail the effort and give participants the knowledge and tools to contribute to this endeavor for the benefit of the professional and of our national security.

Applying Operations Security - A 21 st Century Approach

Have you have ever felt your level of OPSEC effort addresses only low hanging fruit? Do you have the resources and organizational support to really apply the OPSEC process to your mission? Do you think the adversary might really be getting too much? With nearly 60 years of government experience between them, the instructors will present:

•  How OPSEC methodology application underpins OPSEC posture improvement.

•  How we're doing after two decades of mandated OPSEC application in government.

•  How additional-duty OPSEC designations help but also negatively impact OPSEC posture.

In this 20th anniversary year of NSDD 298, the instructors believe the community needs an innovative approach to implementing OPSEC and they believe they've developed a 21 st Century approach that:

•  Supports short and long-term needs of organizations.

•  Enhances application using fewer resources than current approaches.

•  Improves OPSEC practitioner skill and experience development.

The session will include a mixture of seminar presentation and hands-on exercise participation to demonstrate how this new approach can improve an organization's OPSEC posture over the long term.

Asia Update - Assessing the Regional Threat in North-East Asia

A number of important issues have impacted security in the North-East Asia region within the past few months. A report published in late November 2007 by a Congressional panel states "Chinese espionage activities in the United States are so extensive that they comprise the single greatest risk to the security of American technologies.” China is also is gearing up to become the world's biggest producer and operator of nuclear plants, with some 30 new reactors planned by 2020.

The Korean peninsula remains unstable due to the persistent threat from the North. North Korea presently has an arsenal of ballistic missiles that are capable of hitting targets in mainland Japan and is developing weapons that will be able to strike United States military facilities in Okinawa and elsewhere

Most recently, Japan's Ministry of Defense announced plans to deploy Patriot missile batteries on the streets of Tokyo in a security drill designed to prove that it is capable of defending itself from any threat posed by North Korea or China. Military analysts have estimated North Korea is only a matter of years away from developing a weapon that is capable of delivering a nuclear payload.

This presentation will address regional stability and threats to security in North-East Asia with emphasis on the major powers in the region - China, Taiwan, North and South Korea and Japan.

The Blog Days of War

Operations Security, or OPSEC, is a proven analytic process to identify and then protect mission-critical, sensitive information so that an adversary can't take advantage of it for their gain and your loss. Taking an OPSEC perspective, The Blog Days of War, is focused on real-world examples of the breadth and depth of information gained from blogs and similarly oriented avenues – and the facets of aggregation. The Blog Days of War ultimately demonstrates, especially in this communication-sphere, both the challenges faced by OPSEC Program Managers and the need for stronger OPSEC practices.

Our adversaries are too often successful because of our own OPSEC shortcomings. It is through the eyes of our adversaries that we must continually assess our information and ourselves. Improvement begins with a solid awareness and practice of OPSEC, an understanding of how our enemies take advantage of our self-produced vulnerabilities, and what constitutes critical information.

Combating Complacency in Our Security Programs

This presentation supports the contents of the security awareness article, “Where Have All Our Flags Gone.” The title of the article is a reference to the overwhelming display of the American flag in the days and months following the catastrophic events of September 11 and other attacks on the U.S. However, after time passed, “complacency has occurred: this is reflected in how the display of the flag has slowly disappeared from the scene.”

The presentation, Combating Complacency in Our Security Programs, addresses the need for the defense contractor and military communities to utilize sound security awareness, education and training, and Operations Security (OPSEC) to combat the complacency eroding our security programs. It provides the preventive tools to address complacency while motivating security professionals to go above and beyond meeting standard requirements. The presentation targets security members and challenges them to provide the leadership within their respected communities to identify, address and eliminate complacency from their programs.

Disposable Intelligence

Countless tons of garbage are disposed each day. Have you ever thought about what your garbage is saying about you? What types of intelligence can an adversary acquire just by looking though your trashcan or dumpster? Tons upon tons of waste paper are being shipped overseas on a daily basis for “recycling.” Do you want someone, who could be a potential adversary, on the other side of the world learning about your interests or targeting you as a government contractor or employee?

This workshop will focus one type of OPSEC Assessment tool readily available if you know what to do! There will also be a practical exercise in which workshop participants will do a simulated dumpster dive and find out how much intelligence can be gleaned from a single bag of “trash.” The workshop will further focus on how the information gathered from trash can be used to profile you, your family or your company.

Family OPSEC

Operations Security is not only for military operations during training and real world operations. It's not solely for the military member far away from home. OPSEC is for the whole family whether they belong to the military or not. OPSEC is an integral piece needed for the safety and security of a family.

The Joint OPSEC Support Center (JOSC) will present a brief for all family members including information to pass along to children. The presentation will touch on topics such as home security, awareness of personal surroundings, security for children and deterring Identity Theft. The information discussed is useful whether a loved one is deployed, the family is on vacation and “normal day-to-day” activities.

Some of the information provided is based on real experiences in law enforcement and will touch on “physical security”. However, tying OPSEC together with other security measures will help reduce the vulnerabilities to your home, your finances, your children, your civilian job and your military unit, its members and its operations.

Foreign Nationals Among Us – Are you Ready?

The U.S. is a free and open society. We welcome citizens from around the world who genuinely want to visit, study, and do business here.” The United States has strongly benefited from foreign engagement in the past and, in an increasingly globalized society, the value of foreign interaction continues to increase.

However, openness can also facilitate those who threaten the security of this nation and its inhabitants both here and those who are deployed to locations all over the world. Security officials have long had to contend with individuals who seek to enter the United States without visas, or to remain after their visas have expired.

This briefing is designed to teach the security professional how to conduct a Foreign National Threat Assessment on all areas to ensure critical information is properly protected from unauthorized disclosure. You will find out during this briefing how terrorist used OPSEC to gain an advantage against us as well as performing a foreign national vulnerability assessment and how you as the security professional can set up and maintain OPSEC with assigned and visiting foreign nationals.

Remember they are here and among us the question is are you ready?

Get Your Message Across…Every Time!

Having a critically important message is one thing, but if you as the speaker cannot motivate the audience through a dynamic, self-confident, focused presentation, then your message will probably be lost. The near-universal fear of public speaking is well known; ways to get past that fear should also be.

This workshop, attended by over 2,000 students over the past 5 years, offers a primer on how to get your message across, how to captivate and motivate an audience, and how to conquer stage fright once and for all. The speaker combines years of public speaking experience with pertinent “war stories” and plenty of humor to make this presentation a must-see for all who find themselves on stage with an important message to pass on but without all the skills and tricks of the trade to pull it off effectively.

Reviewing and Sanitizing Popular File Formats for Transfer across Security Domains

Hidden data is often incorrectly labeled as Meta data, which leads many people to trivialize the threat. Meta data is only one small part of a much larger hidden data threat that is so pervasive that it is difficult to protect sensitive and classified information when sharing popular applications like Microsoft Office and Adobe PDF. One example is Microsoft's Ad Hoc Review. The Ad Hoc Review automatically turns on “Tracked Changes” in Word, PowerPoint and Excel without warning the user when these files are attached to an Outlook email. Deleted text, deleted pages, deleted images, and even deleted Meta data can be recovered from Adobe PDF documents, and text and graphical objects have been found hidden under other objects in this popular “safe” format.

Examples used in this presentation are recreations of actual hidden data incidents, including many examples that were reported in the open press. Network security cannot protect unknown content hidden in data files. Awareness is a critical first step. Learn more about the threat and potential mitigation strategies.

Hidden Universes of the Internet

This fast-paced course is designed for anyone who is expected to quickly find a wide variety of information located anywhere in the online world. A quick review of the Internet's architecture is followed by a detailed description of Persona issues. You will be surprised at how much information your organization may be leaking online, as your users explore other people's web sites.

Search techniques are heavily covered including: organizing search terms, strengths and weaknesses of search tools, and finally thousands of specialty search engines that go well beyond generic tools like Google. Learn to determine “who is” the owner, and to trace the location of, online content.

The course finishes with a tour of paradigm shaking demo-sites, and advice to ensure that the Internet is an asset (not a liability) to your organization. All online resources illustrated during the session are linked from the following web page:

http://navigators.com/opsec.html

Homicide/Suicide Bombers

What is it like being on scene when your countermeasures fail to thwart a homicide/suicide bomber attack? The Department of Homeland Security and the FBI agree that suicide terrorism is a real and growing threat to the United States. The homicide/suicide bomber is the terrorists' weapon of choice. The person-borne improvised explosive device (IED) is an intelligent, reasoning bomb. The vehicle-borne IED is a martyr-guided missile.

This presentation is about what America is facing. It traces the history of homicide/suicide attacks, identifies the goals of suicide terrorism and the criteria of terrorist target selection. It explains why terrorist groups use homicide/suicide bombers and why one chooses to become a homicide/suicide attacker.

A homicide/suicide attack is a multi-step process requiring reconnaissance, intelligence, target selection, preparation of the means of attack, selection, recruitment, training and preparation of the homicide/suicide attackers, final operational planning, transportation to the target, drop-off, movement to target and command oversight. Each step of the attack from conception, through planning and execution is described and analyzed. “Bomb basics” are reviewed. How to identify homicide/suicide bombers and the proactive countermeasures to thwart their attacks are shared.

Improving Corporate Security with OPSEC

Top-notch security is critical for any company in today's world. However, many companies struggle to build the most appropriate security infrastructure. Business leaders often suspect security spending does not offer satisfactory return on investment. At the same time, security managers protest their lack resources to accomplish their task. Operations Security (OPSEC) principles provide a solid foundation and framework to solve corporate security challenges.

This presentation will focus on how corporations can implement OPSEC principles to:

•  achieve appropriate converged corporate security;

•  develop security strategies for multinational companies;

•  protect against economic espionage;

•  identify and protect proprietary information;

•  ensure regulatory compliance; and

•  accomplish corporate security core responsibilities.

Additionally, the instructor will discuss how security personnel can increase their credibility, value, and influence within their organizations by applying OPSEC principles. Real-world case studies will illustrate each area of focus.

Low Drag – High Speed OPSEC Awareness

From their innovative OPSEC Fortune Cookies through nine Multimedia (Print and Video) awards, the NNSA/NSO OPSEC Program have consistently shown that they are among the leaders in the marketing and awareness arena.  They've launched the multi-faceted "DOGS of OPSEC" awareness campaign, filmed yet another awareness video, "OPSEC 24/7," and are poised to launch their "Eyes of Awareness" campaign. T hrough the years, this organization has continued to prove its innovation and excellence in marketing, training and awareness.  That said; who better to learn from than acknowledged leaders in the field?

The instructors will demonstrate in words and multi-media exactly how you can capture an audience's attention and make your OPSEC message heard, understood and applied to day-to-day activities and operations.  You will see a range of innovative and effective approaches, from no cost (e.g. articles in the organization print media), to low cost (e.g. posters, trinkets) and higher cost awareness (e.g. fortune cookies, target videos). 

As long time proponents of employee buy-in via training and awareness as the linchpin in a successful OPSEC program they will demonstrate why this is and how to overcome some of the problems you may be facing.

OPSEC and RTP – The Tie that Binds

The Army Research and Technology Protection methodology is predicated on the philosophy of lifecycle protection. Protection from the pre-acquisition phase through design, development, testing, production, and operations are addressed. One significant dilemma is that information released during R&D may subsequently be identified as critical information at a later point in the acquisition process. At this point it may be too late to retrieve and protect this information. Early program information must be protected until it is assessed that its release will not compromise the program; and one of the most effective tools is an adherence to OPSEC procedures and countermeasures.

This briefing will illustrate how the Army integrates operations security into the Program Protection Planning process. More importantly, this presentation will detail how OPSEC countermeasures serve as a crucial protection link as technologies transition from research and development to acquisition and fielding. Utilizing real world examples of how OPSEC has been used both effectively and not, this briefing will explore various ways in which OPSEC is being used to integrate security and protection disciplines. The briefing will culminate with a case study detailing OPSEC tactics and techniques utilized by the Army in enacting protection early in the RTP process.

OPSEC Fundamentals

This course is accredited by the National Cryptologic School (NCS) and is designed to familiarize students with the 5-step OPSEC process. This workshop is the standard course geared to Federal employees, contractors, and military personnel. It will provide students with a basic working knowledge of OPSEC as outlined in the National Security Presidential Directive.

Lectures focus on understanding OPSEC principles and how OPSEC is applied to daily activities and crisis situations. It is geared to all those who need to become familiar with the OPSEC process, to include managers and executives. All students will receive National Cryptologic School credit.

OPSEC Program Development and Assessments Seminar

      This seminar addresses challenges generally faced by OPSEC Program Managers:  developing an effective OPSEC Program, training your workforce to use OPSEC, assessing your program's effectiveness, training your working group to perform assessments, and how to request an OPSEC Survey will also be discussed.  The seminar closes with an informal panel Q&A session.  The seminar is presented jointly by the JOSC, Army 1st IO Command, NIOC - Norfolk, and Air Force.

An Introduction to the DHS Protected Critical Infrastructure Information (PCII) Program and the Process to Become PCII-Accredited

The PCII Program facilitates greater sharing of critical infrastructure information (CII) between private sector and government entities by protecting the information from public disclosure through the Freedom of Information Act (FOIA), State and local sunshine laws and through civil litigation. The PCII Program works with various government partners to integrate PCII protections into data-collection processes. This offers a way for government analysts to access CII while owners/operators of critical infrastructure are assured that their information, in the government's hands, is protected from public disclosure. The presentation will identify Federal, State and local entities that are using the PCII Program. Participants will receive guidance on how government entities may become PCII accredited and access PCII.

Red Team: OPSEC Analysis of U.S. Hostage Negotiation Tactics

In 2007 the authors, under contract to a federal agency, designed and conducted a real time, no notice full-scale field exercise to evaluate the capabilities of State and Federal special operations teams to mitigate an incident involving hostages on a passenger bus.

Prior to the exercise, the authors conducted an operations security vulnerability and risk analysis of U.S. law enforcement hostage negotiation tactics. Open Source intelligence analysis was used to obtain hostage negotiation doctrine and tactics employed by U.S. law enforcement agencies.

By assuming the Aggressor's Method of Operation (AMO), the authors were successful in extracting a significant amount of critical information that would be useful to criminals and terrorists to either deceive or defeat hostage negotiation tactics.

Upon completion of the project, the specific vulnerabilities identified were shared confidentially with federal law enforcement agencies. While this presentation will not discuss the specific findings of the exercise or the vulnerabilities discovered by the Red Team, the authors will provide an overview of the OPSEC analysis techniques used to identify the vulnerabilities and risks that were discovered. More specifically, the authors will discuss the growing need for public safety officers to use operations security as a tool for controlling the release of sensitive information that is useful for the adversary.

OPSEC and RTP – The Tie That Bind Utilizing OPSEC to Integrate and Synchronize Program Protection

The Army Research and Technology Protection methodology is predicated on the philosophy of lifecycle protection. Protection from the pre-acquisition phase through design, development, testing, production, operations, and demilitarization are addressed. One significant dilemma is that information released during research and development may subsequently be identified as critical information at a later point in the acquisition process. At this point it may be too late to retrieve and protect this information. Early program information must be protected until it is assessed that its release will not compromise the program; and one of the most effective tools is an adherence to OPSEC procedures and the implementation of countermeasures*.

This briefing will illustrate how the Army integrates operations security into the Program Protection Planning and Execution process. More importantly, this presentation will detail how OPSEC countermeasures serve as a crucial protection link as technologies transition from research and development to acquisition and fielding. Utilizing real world examples of how OPSEC has been used both effectively and not, this briefing will explore various ways in which OPSEC is being used to integrate various security and protection disciplines. The briefing will culminate with a case study detailing some of the OPSEC tactics and techniques utilized by the Army in enacting protection early in the RTP process.

* AR 530-1, 2-16.f states: “Through the Army Research and Technology Protection Center, support integration of OPSEC as a countermeasure in Program Protection Plans (PPP).”

Vulnerabilities of Foreign Travel

U.S. defense workers are being targeted by foreign spies often by bugging their hotel rooms, rifling through their personal belongings and offering them sexual favors during travels abroad. Understanding the vulnerabilities of cleared employees traveling in a foreign country from the viewpoint of the foreign intelligence service can go a long way in preventing a damaging security compromise.

This session will help you to recognize the mission, methods and means of foreign intelligence services. Connie Huff Allen, a retired Army Counterintelligence Agent and expert trainer, will familiarize you with threats facing Americans overseas .

Dark Eagle: The Benedict Arnold Espionage Case

Benedict Arnold, a name now synonymous with traitor. How did the "greatest fighting general" of the American Revolution turn down the path to infamy?

See this true story of heroism, intrigue, romance and ultimate betrayal. Discover the critical role that Benedict Arnold played in winning the War for Independence!

Learn how Counterintelligence lessons from this case are still being used to combat espionage today!