OPSEC and This Forum


  • OPSEC and This Forum

    I've recently seen some posts on the forum that suggest to me that it might be well to remember a couple of things about this board and to understand their implications for the need for OPSEC integrity in our postings:

    1. It's basically open to the public.

    2. We really don't know that much in terms of identity, verifiable experience, etc. even with regard to members of the forum. A few people know each other personally, of course, but even then I would guess there are things we don't know.

    Ask yourself this: Would you omit this board from your "reading list" if you were a terrorist? I doubt you would, even if only by including the forum on your "scanning" or "alert" list...and, of course, they can easily stay on top of such resources using bots and many other very sophisticated forms of intelligence gathering. Ditto with regard to people who may be gathering competitive intelligence to use against our company or our client.

    Another question might be: What would the chief executive of my company or department think about what I'm revealing about our operation in this post?

    One powerful tool provided within the forum is the "search" function. Using this, I can collect all the posts by a particular member and by so doing piece together the bits of intelligence that may be contained collectively within many messages that, each one considered separately, might be thought to be very innocuous. So, for instance, I might piece together all of the following about a particular forum member:
    • Who he works for
    • Where he's assigned
    • What kind of car he drives and what it looks like
    • Whether he's armed, and with what
    • What training he's received
    • A picture of his badge, uniform, patches, etc.
    • Maybe a picture of the officer himself
    • Company and site policies and procedures that govern his actions
    • Perhaps the name of his supervisor
    • The days and shift(s) that he works
    • Information about CCTV, alarm and access control systems where he works
    • Certain details about the business operations of the client he works for
    • ...and perhaps much, much more, including even how tired he is, how discouraged he might be with his job or how angry his boss makes him, and other very interesting HUMINT information. Sometimes a lot of this information is not only provided for his current job but former jobs as well.

    Then, knowing who he works for and where, I would obtain further information from his company's website (and security companies sometimes reveal a horrifying amount of information about themselves on their websites, apparently because of their eagerness to get business - whether all of it is true or not)...and also from the website of the client where he is assigned to work.

    In this way, bit by bit, I would piece together a picture of a target and its security posture. We would never dream of providing this information in a single posting on the forum, because we could easily see how damaging it could be, but we think nothing of releasing the very same information in "dribs and drabs". We must think about the OPSEC implications of our posts when viewed collectively, rather than individually.

    If, in thinking about it, you honestly realize that you've already released too much information, you might request that your posting history be deleted, if possible, by the board administrator. It's not a complete solution, but would help. Unfortunately, you'll never know what's already been harvested by someone, of course.

    Another thing, arising from what we do NOT know for a fact to be true about other members, including their educational/training background: I'm frankly not convinced, and grow less so as my time on the board lengthens, that some of the people we hail as "experts" are quite as expert as some might think. It really wouldn't serve any useful purpose to provide examples, but it would be a disservice to the profession if I did not observe that there has been information posted here that is grossly inaccurate. I'm not, of course, referring to "opinions", but to misstatements or misrepresentation of matters of "fact" that go beyond the simple errors that any of us might make. Some of the "legal advice" that I've read, in particular, has been stunningly inaccurate.

    The bottom line, though, is that we should only take advice from anyone on the board - and I include myself - with a degree of caution, and after running it by our superiors if need be. At the end of the day, nothing we say here really matters or has any authority. It can only be such things as the opinions of our own corporate counsel, the specific statutes and case law of our own state, the orders of our supervisors, specific post orders, company policies and procedures that represent the "final word" in the conduct of our jobs.
    Last edited by SecTrainer; 12-26-2006, 08:00 PM.
    "Every betrayal begins with trust." - Brian Jacques

    "I can't predict the future, but I know that it'll be very weird." - Anonymous

    "There is nothing new under the sun." - Ecclesiastes 1:9

    "History, with all its volumes vast, hath but one page." - Lord Byron

  • #2
    SecTrainer, you are absolutely correct. As a former OPSEC Officer at the Belvoir R&D Center, I know whereof you write.
    I use PM or email to talk some specifics and 1st Class US Mail for sensitive stuff. Postal regulations require handling of this type of mail as if the contents were to contain "US Confidential Material."
    Enjoy the day and thanks again for this post.