In OPSEC Part 1 I talked about the basics of OPSEC. What it is and things to consider when building your OPSEC plan. There are things you should consider and then determine your priorities of what you can adjust, change, and the things simply cannot be changed or adjusted. There's also things that seem to be common sense to many but some must be told. OPSEC can be in the planning form but is also in your daily practices. Once you identify steps and measures you must then implement it in your daily life and develop OPSEC habits.
As crazy as it may sound, there are many countries and organizations that can be adversarial towards Americans. You, your spouse, or family member can be targets for numerous reasons. It may not be personal. It may simply be because you are American, or your professional affiliation to a targeted business such as banks, critical infrastructure locations, medical, police, water treatment, emergency responders .... A lot of the information desired is collected by human spies on the ground level and through digital spies such as cyber and hackers. The Chinese have been tagging popular websites such as stores, sports teams, music, food, loan companies and the list goes on. You don't realize it but you visit the site and the ghost attaches to your connection and then rides from the website back in to your personal computer. This is why most cyber security will tell you not to click on emails and sites you aren't familiar with. And, once on a site, do not click to another site and then click again. The more you click the more vulnerable you can be.
Be cautious of sudden new friends who are overly friendly and aggressive to spend time with you. They will ask lots of questions. Maybe about you. Your job? Your spouse's job? They want you to do them a favor. Your guard should already be up and your "beware" flasher going off. A couple years ago, an associate contacted me here in my area and asked to talk to me in person. We met and he was seeking help for guidance and support. He was retired military, appeared of Asian descent, worked out on a regular schedule at a local fitness facility. A few men around the same age approached the guy and moved to quickly become friends with the guy. Bottom line, these guys knew the home address, had pictures of the guys wife and children, employer, and then tried to trap the guy to join them as ISIS recruiters in our area. They were based out of NY City but moved to our city because of our large defense and space industry. I connected the associate with some local intelligence, civilian and military law enforcement professionals. This event is not uncommon in America. You can be a target for multiple reasons. Sometimes you may be a single piece of a big puzzle and not the only target. From the national level down to the neighborhood thief. Again, think outside the box and don't be a soft target.
One of the easiest places for an adversary to gain information is hanging out at a bar near a military base. Remember my referral to "loose lips sinks ships" in article one? Well, alcohol widens the gap between the lips and as the muscles swell and the throat opens up to allow the individual to sing like a canary.
So, to be fair, I used this scenario because I know it to be true. I also know this happens without alcohol and it happens in barber shops, beauty shops, workout centers, around the coffee bar, at neighborhood cookouts. The boss, the money guy, the cute gal, the person of importance is talking to a person who feels elevated by the recognition and wants to impress the person. Men like to impress ladies by bloating their story. Yes, it's true. I'm sure it happens the other way around but since I've never been a lady, I won't speak for them. My point is, people like to talk. Men, ladies, children, bosses, employees, troops, .... We are all human. We must mentally train our minds what is important and things we should not share. You want to be Gray Man to your best extent possible.
Now, to be on the level, if I was practicing full OPSEC, you wouldn't know me. I wouldn't have this website nor would I have written a book or have a Facebook page. And lastly, I would never have signed up to share these tools and information at Heritage Life Skills. Shall I continue? But, I was blessed over the past 35 years with a 20 year military career with lots of training and experience, and post military jobs and training has afforded me the opportunity to store a lot of tools in my mental tool box. It was my decision to share the knowledge and abilities with those who are interested in learning and being better prepared. It is the right thing to do. We are all in this life together. I know folks who have far more skills and abilities but they choose to stay off the radar and not help others. It's their decision and they will have to live with it from a personal perspective.
Personally, I believe you must address the following areas: Identification of critical information; analysis of threats, analysis of vulnerabilities, assessment of risk, and application of appropriate countermeasures.
1. Identification of critical information - What do you deem critical to you and your family? Only you know this information . This would be items that you believe to be sensitive. Family information, birth certificates, social security numbers, finger prints, biometrics and DNA sampling. Bank Information such as, printed bank statements, banks you use for your mortgage, checking, savings, retirement accounts, and such. How do you protect your hard copy data and digital data? How do you protect printed copies and passwords for your accounts on line? If you have online account access, do you protect your digital system that has the bank software on it? Setting up the password to be something very out of the norm and not family related. You should not write down the password or store it on your digital devices. This would go for your home safe where you store the hard copies of your information.
Years ago in my former life I worked for several years in what was called Information Security. I trained and inspected organizations ability to protect classified information and resources. I received a call at my desk from one of my 50 organizations and the gent told me he was locked out of his safe and needed help. I asked him if the combination was documented any place and he said no. Good answer I thought. But, knowing how most individuals work, my gut said go visit the site. I went to the location and the gent showed me the safe. I stood in the approximate location one would stand to open the combination dial on the safe. I then looked up to the ceiling. I didn't see anything out of the norm, except, one of the tiles was slightly out of alignment. I grabbed a chair and stood under the tile. I moved it slightly to find the corner of a piece of paper which I removed and opened to find the combination. My point is, don't try to be slick or wise because someone out there will likely figure it out. I do know some folks with multiple safes in their home and they will write down combinations to other safes and devices and secure it within a safe that is a key or fingerprint open type safe.
Credit card and ATM information would also fall in to this category. Do you get a paper statement or digital statement? If paper, like all other personal information, how do you destroy it after it is used? Throw it in the garbage to land at the local landfill? Most adversaries who are of any credibility will tell you dumpster diving is like a gold mine for information. It is not overly difficult to follow a garbage truck through a neighborhood and then to the landfill. Most trucks are assigned a specific location where to dump their loads each day. If you throw your mail in to your garbage and it ends up in the landfill your information is now free game. Consider burning at home or shredding your mail before dumping it.
What about the information stored in your newer automobile? The digital address book that has your destinations, to include home? Work? Children locations? Work location? Registration and insurance data? What else do you leave in your automobile on a regular basis?
Other information that could be categorized as critical information would be regular travel information. Location of a second home. Information on children away at attending a school or university. Also include all information regarding family members living outside your home such as parents and siblings who you care for and help manage their information. There is a never ending list of items that could be included on this list. Hopefully you get the meaning of what I'm talking about.
If you own or decide to purchase a shredder for destroying your sensitive information, you should consider a strip cut shredder, level P-2 that will provide basic security. Strip cut shreds are typically a 7/32" of an inch wide and as long as the document being shredded. If you want a higher security rated shredder go with the P3 and P4.
2. Identify possible threats - This is where you want to understand risk analysis, assessment, threat ID and mitigation. The more you and your family uses the internet the higher your exposure will be. Based on your life, family, status, home, environment and exposure to the world, what would be threats to you? Status at work? Is your photo posted when one walks in to your employers location? Is your face on a website to your company? What is exposed when your name is typed in google? Do you drive a Mercedes through a high crime area? Do you ever stop for fuel at a location in a high crime area? Do you leave your receipt hanging from the gasoline pump when you depart? What about your neighbors and coworkers? Do they know you prepare and if so, at what point will they become a threat? What about insider threats? Ahhh, the family. How much information should you share with your children? Have you showed your children where you hide your preparedness goodies? Did your son show Little Johnnie where you extra food is located? Grid goes down and the doorbell rings. You open the door to find Little Johnnie, Big Johnnie, Johnnie Jr ,and cousin Johnnie Ray and Johnnie Ray Jr. See my point?
Do you use popular security and camera systems that relies on wireless internet signals? Have you researched the vulnerabilities of the signal and system. Do you maintain a backup battery source to cover your system when your electricity goes down? How do you protect this information?
Do you belong to a fitness center? How is your personal information protected at the check-in/check-out desk? Did you pose for a photograph to be placed on your fitness center I.D. card?
A lot of what I'm talking about goes back to the question I ask often in articles and other platforms, "what doesn't fit in this picture." If you drive a Mercedes, wear a suit and tie, and are white yet stop for gasoline where the average vehicle is mid-level American made work type vehicle, most shoppers are in jeans or kaki's, and there's few white skinned workers and shoppers, you stand out. You are not blending in very well.
One of the things we talk about in training on grid down situations is that families with food must not continue to eat well and must show signs of losing some weight to blend in. If the average person has lost 30 lbs. in the first three months and you stay the same, you will stand out and not blend. So, a possible threat to you, grid down, is eating well and not losing weight. The mitigation would be to lose weight and try to blend in or else don't go around people to allow them to see you are eating well when they are starving. You must go through the steps and processes in your daily life and determine what items would deemed critical or important and then conduct analysis of the process and identify how you will mitigate it to make it less a threat.
3. Analyze security holes and other vulnerabilities - In this level you must assess what safeguards you currently have in place and determine what, if any, existing holes or shortfalls remain that can be exploited to gain access to what you are protecting. This is a blanket statement for all aspects of your life. Home, work, in transit, financially, and digitally. This step could be time consuming but it is a must. This step is also ongoing and never ends as threats change very often. You must adjust with the threats. Where possible, test your security measures against your fixes. You want measures that can't be predicted. Being a hard target is the goal, in all manners of your life.
4. Appraise the level of risk associated with each vulnerability - The is where you rack and stack your priorities and vulnerabilities and assign risk mitigation steps to each, top to bottom. If you can't afford to do every step because of cost, then use your money from the top down as you can afford it. A simple example would be you park a $60 thousand dollar truck or car outside the garage on a routine basis. If it is apparent the truck won't fit inside the garage then it is obvious. But, if the vehicle will fit in the garage, one will wonder what is in the garage that means more to the owner than the expensive automobile parked outside. It could mean nothing or it could mean suspicion would lead a person of interest to target your garage. You may have converted your garage to storage space to store all your preparedness resources? I know a gentleman who converted his garage to a full sized faraday cage. He didn't have expensive vehicles parked outside so the only question could be, why did the family park their cars in the garage for years and now both cars are outside permanently? Another example could be the fact you work ten miles from home M-F. You drive a nice car and your job requires you to wear professional attire. About three miles of your daily primary and alternate route requires you to travel through higher crime areas. You live in a state and/or city that has strict firearm laws and you cannot legally carry a firearm or obtain a license to possess the firearm. You must decide to what extent you will protect yourself. What is the risk to you based on your vulnerability.
5. Get countermeasures in place - You want to put measures and countermeasures in place before they become problems. But, you must know your measures and vulnerabilities before you can actually identify and mitigate them. When you build your different plans, one of the steps you must conduct is the Risk Mitigation process because this will help you identify your vulnerabilities and fixes. These are like band-aides on sores that are long lasting. How are you going to protect the sore short term and as long as the sore remains.
Many of the items I listed are security vulnerabilities. Identifying them and noting how you will mitigate them would fall under OPSEC. If the adversary identifies these same issues it puts you at risk.
Knowing, studying, and understanding threats will assist you greatly in the OPSEC process. Know what is valid intelligence information and what is psychological operations is also important. You must determine what surrounds you that can be a threat to your personal operations 24 x 7 and how you will mitigate it to make you less vulnerable. You then must determine how you will protect that information.
Be smart and protect yourself and family.
Paranoia is not protection. Build a plan that will layer protection around you, your family, and all that you do.
Bravo Echo Out