VSolvit Annual Security Refresher Training - 2017 Year in Review

Welcome to your annual security refresher training. 

This presentation covers security requirements in maintaining your DoD security clearance.

Introduction and Objective

Objective

Annual Training Requirement

This annual briefing was developed to increase your awareness and sharpen your security skills while you serve as an integral member of our security team.  If you have any questions about the material covered in this briefing or any other security concerns, please contact your FSO.

NATIONAL INDUSTRIAL SECURITY PROGRAM OPERATING MANUAL (NISPOM) Chapter 3-107




Refresher Training

The contractor shall provide all cleared employees with some form of security education and training at least annually. Refresher training shall reinforce the information provided during the initial security briefing and shall keep cleared employees informed of appropriate changes in security regulations.


Further Exploration

When you see "Further Exploration" throughout this training, it is not a required component; however, it provides additional, useful information that may be pertinent to your career here at VSolvit and to protecting information.

Topics Covered

Topics in this training include

- Objectives and Overview

- Counterintelligence and Threat Awareness

- Operational Security (OPSEC)

- Security Classification System Overview

- Reporting Responsibilities and Requirements

- Security Procedures and Duties Applicable to your Job

- Conclusion

Learning Objective: Responsibilities, Security and You

  • As a VSolvit employee, you play a critical role in protecting classified and sensitive information and following other security requirements.

Counterintelligence (CI) and Threat Awareness

Definition

Counterintelligence

Information gathered and activities conducted to protect against espionage.


Espionage is a national security crime, specifically a violation of Title 18 USC,  §§ 792-798 and Article 106, Uniform Code of Military Justice (UCMJ).

Espionage

The acquisition by foreign governments or corporations of U.S. high-technology information (classified or not) in order to enhance their countries’ economic competitiveness.  In simple terms - it is the practice of spying or of using spies to obtain secret information, especially regarding a government or business.

Eliminating the Threat

The best way to counter threats:

- know the targets

- know your adversaries

- know how to protect and report information 

- always report any suspicious information activity or attempts to obtain information

It's in the numbers: 

Every year billions of dollars are lost to foreign and domestic competitors who exploit open source, sensitive and classified information.

Front-line Defense

You are the front line of defense against these threats.  Being alert to the threat and reporting any suspicious activity helps VSolvit maintain its competitive advantages as well as our national security.

Security Programs

There are many security programs and procedures that fall under Intelligence Security Management which complement and enhance counterintelligence:

- Physical security

- Personnel security

- Communications security (COMSEC)

- Information system security (INFOSEC)

- Security Classification

- Operations Security (OPSEC)


For this briefing we will focus on OPSEC and Security Classification

Learning Objective: Defining Key Terms

  • Counterintelligence
    Information gathered and activities conducted to protect against espionage.
  • Espionage
    The acquisition by foreign governments or corporations of U.S. high-technology information (classified or not) in order to enhance their countries’ economic competitiveness.

OPSEC

Definition

What is it?

Operations Security (OPSEC) is a process by which we protect unclassified information that can be used against us.  Thereby we deny sensitive information to an adversary.


What does it mean to you?

This means we need to identify, control, and protect generally unclassified information related to sensitive activities so that we can reduce vulnerabilities to our information.


Why is it important?

Who are the "bad guys"?

Enemies, Competitors, Terrorists, Criminals, Insiders...

Whoever they are, foreign or home-grown, they are generally well educated and technologically sophisticated, and certainly well able to navigate in high-tech waters.

What do they want?

What do they want from me?

Any critical information that the adversary would need to prevent our success. 

This can include:

- Our limitations

- Specific operation plans (who, what, when, where, and how)

- Our personnel and their families' information

- Our security process

How do they get it?

We give it to them!

Through the following methods, including illegal operations, people are able to receive sensitive information:

- Conversations in public areas

- Using cell phones for business

- Web pages

- Email

- Social Networking

- Communications intercept, social engineering, internet, elicitation and espionage


“Every man is surrounded by a neighborhood of voluntary spies.” -Jane Austen


BE CAREFUL WHAT YOU TWEET ON TWITTER AND POST ON FACEBOOK!

Social media amplifies OPSEC risks because it enables greater volume and increased speed of information shared publicly.

BEST PRACTICE: Share information about yourself smartly and be careful what you disclose about your family and occupation. Use privacy settings to protect your personal info.



Other ways they collect information:

Requests for Information

This is the most frequently reported collection method and provides the greatest return for minimal investment and risk.  Collectors use direct and indirect requests for information (e.g. e-mails, phone calls, conversations) in their attempts to obtain valuable U.S. data.  These types of approaches often include requests for classified, sensitive, or export-controlled information.  A simple request can net a piece of information helpful in uncovering a larger set of facts.

Solicitation or Marketing of Services

Foreign-owned companies seek business relationships with U.S. firms that enable them to gain access to sensitive or classified information, technologies, or projects.

Acquisition of Technology

Collectors continue to exploit direct and indirect acquisition of technology and information via third parties, the use of front companies, and the direct purchase of U.S. firms or technologies.

Public Venues

Conferences, conventions, symposiums and trade shows offer opportunities for foreign adversaries to gain access to U.S. information and experts in dual-use and sensitive technologies.

Official Foreign Visitors and Exploitation of Joint Research

Foreign government organizations, including intelligence and security services, consistently target and collect information through official contacts and visits.

Cyber Attack

Cyber threats are increasingly persistent and rapidly becoming a primary means of obtaining economic and technical information.  Reports of new cyber attacks against U.S. government and business entities continue to increase.  Adversaries have expanded their computer network operations, and the use of new venues for intrusions has increased.

Mobile Telephones

Threats against mobile phones continue to rise.  Smart phones such as Blackberry and iPhone, essentially general purpose computers, are susceptible to malicious software, according to open source reporting.

Foreign Targeting of U.S. Travelers Overseas

Foreign collectors also target U.S. travelers overseas.  Collection methods include everything from eliciting information during seemingly innocuous conversations, to eavesdropping on private telephone conversations, to downloading information from laptops or other digital storage devices.

Targeted Information and Sectors

Foreign collectors continue to seek a wide range of unclassified and classified information and technologies from specific targets.  Information systems attract the most attention - other top targets: aeronautics, lasers and optics, sensors, and marine systems.

Protecting the Information

How can you help stop them?

Countermeasures include:

- Protect communications 

- Web page policies 

- Shred sensitive documents 

- Control access to files and folders on shared network drives 

- Be alert --- Be suspicious --- Be aware

Consider the threat when you:

- Use the phone  

- Answer strangers’ questions

- Discuss work in public places   

- Engage in social networking

What else do we need to protect? 

- Competition Sensitive  

- Bid Rates and Factors 

- Pricing Information 

- Accounting Data

- Customer Data

- Our Company’s Internal Organization

  - Telephone/Address Lists

  - Org Charts

  - Email Lists

  - Personally Identifiable Information (see the next slide)

Don’t make it easy for an outsider to build up a picture of our organization and use it against us.


Personally Identifiable Information (PII)

What is PII?

Personally Identifiable Information is information about an individual, including (but not limited to):

- Social Security Number 

- Driver’s License / Passport /  Green Card 

- Medical History

- Criminal Background checks 

- Financial Information/Credit History 

- Mother’s Maiden Name 

- Place/Date of Birth


How do we protect PII?

- Store it in a locked office or locked cabinet when unattended 

- Do not e-mail PII outside the secure network unless the file is encrypted 

- Shred the file when no longer needed; do NOT discard in the trash! 

- If stored on a computer, password protect the computer and/or the file


Reporting procedures

Prompt reporting of foreign collection activity to your FSO is critical to an effective industrial security program [801-10.4]

- Report any suspicious e-mail activity to Security immediately 

*Do not delete the e-mail until you are notified to do so.*

- Notify the FSO of any irregular in-person, phone or U.S. mail attempts to access Government or proprietary information. 

- IMPORTANT: Get names & return phone numbers if possible (“Let me check on that information. How can I reach you?”) 

- Document the incident so you don’t forget any details.

Protect anything that would effectively regress or reduce an adversary’s ability to exploit us.



Would you give information to Edward Snowden (above, left) or Osama Bin Laden (above, right)?

If the answer is no, then do not give it to any other source!

Learning Objective: Who could be a "bad guy" when it comes to OPSEC?

  • Enemies of the United States
  • Competitors to VSolvit
  • Terrorists
  • Criminals
  • Insiders
  • Your mother-in-law

Learning Objectives: What ways could information be obtained?

  • Cyber Attack
  • Mobile Telephones
  • Foreign Targeting of U.S. Travelers Overseas
  • Targeted Information and Sectors
  • Requests for Information
  • Solicitation or Marketing of Services
  • Acquisition of Technology
  • Conferences, conventions, symposiums and trade shows
  • Official Foreign Visitors and Exploitation of Joint Research

Learning Objective: What are the five steps in proper OPSEC analysis?

  • Identify critical information.
  • Analyze potential threats
  • Analyze the vulnerabilities - know your weaknesses
  • Assess risks
  • Apply countermeasures

Security Classification Systems Overview

Definition

Security Classification System Review

Classified Information is official government information that has been determined to require protection in the interest of national security

Types of Classified Information

Top Secret

Information or material whose unauthorized disclosure could be expected to cause exceptionally grave damage to national security.  

Secret

Information or material whose unauthorized disclosure could be expected to cause serious damage to the national security.

Confidential

Information or material whose unauthorized disclosure could be expected to cause damage to the national security.

Not Classified: FOUO and Company Private

Two other categories of information which, while not classified, are utilized and recognized at VSolvit

For Official Use Only - FOUO

Unclassified government information which is exempt from general public disclosure and must not be given general circulation.

Company Private / Proprietary Information

Business information not to be divulged to individuals outside the company.  Examples of this kind of information are: 

- Salary and wage lists

- Technical and research data

- Trade Secrets

Access Requirements

To access classified information, two conditions must be met:

1) Recipient must have a valid and current security clearance at a level at least as high as the information to be released.

2) Recipient must demonstrate the need for access to the classified information.  This is referred to as “Need-to-Know”.

If one or neither of these conditions is met, then the individual has no need to access the information.

Learning Objective: Types of Classification

  • Top Secret
    Information or material whose unauthorized disclosure could be expected to cause exceptionally grave damage to national security.
  • Secret
    Information or material whose unauthorized disclosure could be expected to cause serious damage to the national security.
  • Confidential
    Information or material whose unauthorized disclosure could be expected to cause damage to the national security.
  • FOUO
    Unclassified government information which is exempt from general public disclosure and must not be given general circulation.
  • Proprietary Information
    Unclassified business information not to be divulged to individuals outside the company.

Learning Objective: Access Requirements

  • If the person has a need to know, but not a security clearance, then it is o.k. to show that individual classified information.

Reporting Responsibilities and Requirements

Why do we report incidents?

Your reporting responsibilities

You will need to know what to report and to whom. Elicitation attempts, espionage, terrorism, sabotage, and any suspicious contacts can all be countered by reporting them.

Any vulnerability, no matter how seemingly inconsequential, should be reported to your Facility Security Officer (FSO) or Security Representative as soon as possible.

What type of situations do we report?

All situations are different...

....however, each one requires reporting to your FSO. These can include:

  • Suspicious Contacts. All contacts with known or suspected intelligence officers from any country, or any contact that suggests the employee may be the target of an attempted exploitation by a foreign intelligence service. This can include any efforts, by any individual, to obtain illegal or unauthorized access to classified or sensitive unclassified information. Or any efforts, by any individual, to compromise a cleared employee.
  • Adverse Information. As a general rule, adverse information is that which reflects unfavorably on the trustworthiness or reliability of the employee and suggests that the person’s ability to safeguard classified information may be impaired. Cleared contractor employees are required to report to their respective security department adverse information regarding other cleared employees.
    • Examples include:
      • Arrest for any serious violation of the law (including dismissed charges) 
      • Excessive use of alcohol or abuse of prescription drugs
      • Any use of illegal drugs
      • Bizarre or notoriously disgraceful conduct 
      • Sudden unexplained affluence
      • Treatment for mental or emotional disorders
      • Attempt to solicit classified information 
      • New status as a Representative of a Foreign Interest (RFI)
      • Change in RFI status
  • Other Reporting Requirements. These acts or behaviors are mandatory to report.
    • Examples Include:
      • Any act of sabotage, espionage or attempted espionage, and any subversive or suspicious activity.
      • Any attempts to solicit classified information
      • Unauthorized persons on company property
      • Citizenship by naturalization 
      • Unwillingness to work on classified information 
      • Disclosure of classified information to an unauthorized person
      • Internet abuse/violations 
      • Any condition that would qualify as a security violation or which common sense would dictate as worth reporting.

If you hold a Security Clearance....

...there are additional reporting responsibilities. 

In addition to adverse information regarding fellow employees, all personnel currently holding a federal clearance (and those in the process of obtaining a clearance), must report the following changes:

  • Any arrest or criminal charges (including any charges that have been dismissed.) 
  • Traffic violations over $300 
  • All traffic violations involving drug or alcohol use (regardless of fine amount) 
  • Bankruptcy
  • Garnishment of wages
  • Legal action to affect name change
  • Change in citizenship
  • Any use of an illegal drug or use of a legal drug that deviates from approved medical direction
  • Hospitalization for mental health reasons or treatment for drug or alcohol abuse
  • Immediate family member assuming residence in a sensitive country
  • Marriage or cohabitation
  • Foreign travel (at least 2 weeks prior to departure)

Security Violations

Report Security Violations immediately!

Security violations must also be reported to your FSO. These can include:

  • Leaving a safe containing classified material open and unattended 
  • Allowing uncleared individuals to have access to classified material, either by viewing classified material or by conducting classified discussions in a non-secured area or over unapproved communication lines
  • Leaving classified material unattended 
  • Removing classified material from a particular location without approval 
  • Copying or destroying classified material without approval 
  • Generating classified material on a non-approved computer

This list is not all-inclusive. If a situation occurs that you think may be a violation of security procedures, please discuss it with your Facility Security Officer immediately. If you find unattended classified material, call Security and stay with the classified material until Security arrives (or find someone who can lock it in a safe temporarily).

How to Report

VSolvit FSO Contact Information

Terra Cox

[email protected]

(805) 277-4705 x 119


OR


The Defense Hotline

The Pentagon

Washington, DC  20301-1900

(800) 424-9098

(703) 604-8569

Verbally

You have 2 (two) working days after the event to notify your FSO.

Written

You must then follow up within 3 (three) additional working days to your FSO. 

Learning Objective: Security clearance

If you hold a security clearance

There are additional times when you will need to speak to the FSO. They include:

  • Any arrest or criminal charges (including any charges that have been dismissed.) 
  • Traffic violations over $300 
  • All traffic violations involving drug or alcohol use (regardless of fine amount) 
  • Bankruptcy
  • Garnishment of wages
  • Legal action to affect name change
  • Change in citizenship
  • Any use of an illegal drug or use of a legal drug that deviates from approved medical direction
  • Hospitalization for mental health reasons or treatment for drug or alcohol abuse
  • Immediate family member assuming residence in a sensitive country
  • Marriage or cohabitation
  • Foreign travel (at least 2 weeks prior to departure)

  • If you are in the process of obtaining a security clearance, or have a security clearance, there are no special circumstances you have to report

Learning Objective: When do you contact the FSO?

Select all that apply. 

  • Any act of sabotage, espionage or attempted espionage, and any subversive or suspicious activity.
  • Disclosure of classified information to an unauthorized person
  • Any condition that would qualify as a security violation or which common sense would dictate as worth reporting.
  • Citizenship by naturalization
  • Unauthorized persons on company property
  • Leaving a safe containing classified material open and unattended
  • Generating classified material on a non-approved computer
  • Making out-of-country calls

Security Procedures and Duties Applicable to the Job

Classified Material in Action

When in use:

  • Cleared individuals with classified documents are responsible for safeguarding these materials at all times. 
  • Classified material should be given sufficient protection to reasonably ward against loss or compromise.
  • Classified information cannot be discussed over unsecured telephones, in public places, or any manner that may allow transmittal or interception by unauthorized persons.  This includes not working on classified material on unapproved computers. 
  • Classified material should never be left unsecured or unattended.  Constant surveillance by an authorized individual (cleared to the appropriate level and a need-to-know) who is able to exercise control over the classified material will provide reasonable security.
  • When working with classified material in an unsecured area, any open curtains, blinds and doors should be closed.  It is prudent to also post a sign, declaring “CLASSIFIED WORK IN PROGRESS”.  If a visitor or unauthorized employee is present, a classified document must be protected by either covering it, turning it face down, or placing it in an approved storage container. 
  • When employees are working on classified material and leave their desk, the documents must be locked in an approved storage container.  They must never be tucked in a desk drawer, file cabinet, credenza, key-lock file, etc., for even the briefest period. 

  • Classified material must never be taken home.

When NOT in use:

  • Classified material should be properly secured in an approved container, unless it is being guarded by another properly cleared person with a “Need-to-Know”.
    • Approved storage containers should remain locked unless they are under constant surveillance and control.  
    • Security Markings: All classified material should be marked in a conspicuous manner by the originator of the material.  Please seek the assistance of your Security Officer, if you are generating any classified material. 
  • Reproduction of Classified Material   
    • Copies of classified materials are subject to the same security controls as original classified material.  
    • No reproduction of classified materials is allowed without prior approval from the contracting authority.  Seek assistance from your Security Officer. 
    • Copying classified documents on office photocopiers is prohibited unless the machines are designated for such use and proper controls are in place. 
  • Transmittal of Classified Material 
    • Do not attempt to mail, hand carry or transmit classified material on your own.  Always seek the assistance of the Security Officer. 
    • If you receive classified material from another person, or through the mail, contact the Security Officer.

Classified Material in an Emergency

Handling classified materials in an Emergency

How do we guarantee protection, removal, or destruction of classified material in case of emergency such as fire, natural disaster, civil disturbance, terrorist activities, or enemy attack?

Although the importance of protecting classified material cannot be discounted, it must be accomplished in such a way as to minimize the risk of loss of life or injury to employees.

If there is NO imminent danger to employees:

  • Secure classified material in authorized containers before evacuation.
  • If authorized storage is not immediately available, attempt to carry classified material from the area, seeking assistance from other cleared personnel as needed. 
  • Thoroughly check work spaces for unsecured classified material prior to departure. 
  • Should circumstances require that classified material be left unattended, immediately report this fact to your Security Officer. 
  • When feasible, the Security Officer will then designate personnel to monitor the area perimeter and note unauthorized access to the area. 
  • Upon cancellation of the emergency situation, and when given the authorization to do so, employees will return to the work area and inventory any unsecured classified material; reporting the results of this action to the Security Officer.

If there IS imminent danger to employees:

  • Evacuate immediately, leaving classified material in place. Under no circumstances should employees endanger themselves attempting to secure or remove classified information from work spaces. 
  • When possible, report the existence of unattended classified material to the area supervisor who will then, as conditions allow, either arrange for monitoring of the area perimeter or contact the Security Officer to report the situation. 
  • Upon cancellation of the emergency situation, and when given the authorization to do so, employees will return to the work area and inventory any unsecured classified material; reporting the results of this action to the Security Officer.

Cyber-security and You

Cyber security and You

No matter what you call it, cyber-crime can be a real pain. It is a benefit to understand the different kinds of crimes out there so you can be alert, protect yourself and your company.

Malware: Any “malicious software” designed to secretly access your computer.

Virus: Malware that copies itself and infects your computer and files.

Hacking: When someone breaks into a computer or network.

Ransomware: Malware that encrypts data or locks computers until a ransom is paid.

Spyware: Malware that gathers information about you, usually to track your internet use and deliver pop-up ads.

Keylogger: Spyware (or hardware) that tracks and records keystrokes, particularly passwords and credit card information.

Hijackware: Malware that changes your browser settings to direct you to malicious sites or show you ads. Also known as browser hijacker.

Password Stealer (PWS): Malware that collects data likely to be account numbers and the associated passwords.

Backdoor: Opens a backdoor into your computer to provide a connection for other malware, viruses, SPAM or hackers.

Rootkit: Disguises itself as normal files that “hide in plain sight” so your antivirus software overlooks them. The goal is usually to steal the identity information from your computer, often to gain control of a system. It’s difficult to detect and remove.

Worm: Malware that self-replicates and sends itself to other computers in your network.

Trojan horse: Software that pretends to be useful but is really malware.

Phishing: When cybercriminals try to get sensitive information from you, like credit card numbers and passwords. Some specific techniques include spear phishing (targets specific people or departments), whale phishing (targets important people like CEOs), SMiShing (phishing via text messages) and vishing (voice phishing that takes place over the phone, usually through impersonation).

Spoofing: When cybercriminals try to get into your computer by masquerading as a trusted source. Examples include email spoofing, IP spoofing and address bar spoofing.

Pharming: When website traffic is redirected to a bogus website, usually an ecommerce or banking site.

Phreaking: When phone networks are hacked in order to make free calls or have calls charged to a different account.

Rogue Security Software: Malware that pretends to be malware removal software.

Adware: Displays ads on your computer. Not dangerous but very lucrative.

Hoax: Message that warns of a non-existent threat, usually related to chain letters and usually harmless.

There’s one more piece of cybercrime lingo you need to know — social engineering. It’s when scammers trick people, including customer service reps, into giving up information that allows access into accounts, networks and systems. It can also be a lot easier to trick a person than to trick a system, especially one that has multi-factor authentication. So beware!

Computer Security Safeguards

Additional safeguards for computers can include:

  • Do not open e-mail attachments from unknown sources (ask sender to verify attachment) 
  • Establish and protect passwords (login, screensavers, files, etc.); NEVER share your passwords with anyone 
  • Avoid copyright infringement 
  • Avoid virus attack (run virus checks regularly; avoid unnecessary downloads, etc.)  
  • Secure hardware 
  • Preserve your work (back it up!!) 
  • Use discretion when accessing company and/or customer provided internet and email
  • Do NOT process classified information on unapproved systems

Recent Hacks and Breaches

Large breaches impacting employees and employers worldwide

The most recent, impacting millions of Americans, was the Equifax breach on 29 July 2017.

The breach exposed personal information (including Social Security Numbers, birth dates, addresses, and in some cases drivers' license numbers) of 143 million consumers; 209,000 consumers also had their credit card data exposed.

Equifax, one of the largest credit bureaus in the U.S., said on Sept. 7, 2017 that an application vulnerability on one of their websites led to a data breach that exposed about 143 million consumers. The breach was discovered on July 29, but the company says that it likely started in mid-May.

Learning Objective: Opening emails

  • I should open email attachments from an unknown sender.
  • When I leave my desk, I will leave my Common Access Card there so I do not lose any work.
  • When I leave my computer, I will lock my screen and secure my computer when necessary.
  • If I have to make duplicate copies of classified information, it does not matter which copier I use.
  • In an emergency, if there is no imminent threat, I will secure the information in an approved container.

Learning Objective: Cyber-crime Definitions

is the fraudulent practice of sending emails purporting to be from reputable companies in order to induce individuals to reveal personal information, such as passwords and credit card numbers.

 

 is a type of fraud that targets high-profile end users such as C-level corporate executives, politicians and celebrities.

 

 is irrelevant or inappropriate messages sent on the Internet to a large number of recipients.

 

is a type of malware that is installed on a computer without the knowledge of the owner in order to collect the owner's private information. It is often hidden from the user in order to gather information about internet interaction, keystrokes (also known as keylogging), passwords, and other valuable data.

 

 is a type of malicious software program ("malware") that, when executed, replicates itself by modifying other computer programs and inserting its own code. Infected computer programs can include, as well, data files, or the "boot" sector of the hard drive.

 

 is software that is intended to damage or disable computers and computer systems.

 

 

Conclusion

In Conclusion

When in doubt - report it. 

When there is a question about whether an act, behavior or event is concerning, please report it as soon as possible.

VSolvit FSO Contact Information

Terra Cox

[email protected]

(805) 277-4705 x 119


OR


The Defense Hotline

The Pentagon

Washington, DC  20301-1900

(800) 424-9098

(703) 604-8569

Learning Objective: Certification

  • I have received, reviewed and understand the contents of this briefing. Any questions that I raised were addressed by the VSolvit FSO.
  • I will click the option if I did not complete the training and do not wish to receive credit and will be required to re-accomplish the training.

Certification page

Certification Page 

Please minimize the navigation panel, print the certification page, fill it out, scan it and email it back to [email protected]. She will then certify that your training was completed and all questions answered correctly.

This page is to certify that


__________________________________________
(Full name above)


has completed the VSolvit 2017 Annual Security Refresher Briefing 

on

_________________________ (date).


_______________________________________
(Signature of Above Employee)

Certification of Security team

The above person submitted their training at 100% completion on _______________.

Certified by: ____________________________ on ________________.