By U.S. ArmyJanuary 31, 2013
Fort Huachuca, AZ. - It was long after the hour of darkness and everyone had left the building for the day. Ever so slowly, the door leading onto the main hall swung open, and, after glancing furtively up and down the corridor, a man dressed in janitor cleaning attire slid out. Hesitantly, he pushed his cart to an office where a door was cracked open, slightly ajar. The 'custodian' slipped inside, closed the door, snapped on a dim light and sat down at a waiting computer terminal which had been left on and was humming slightly.
He stealthily removed equipment from the bowels of his janitor cart, hooked it into the unit, loaded the password which unlocked the system and went to work.
The "cyber terrorist" doesn't distinguish between a Department of Defense computer network system or one from the private sector. With the stroke of a key, the cyber terrorist can wreak havoc on a system not fully protected with a robust fire wall suppression system. Even with the strongest firewall suppression system we still see signs of attackers getting through via Phishing attacks or installing viruses.
How does this correlate with operations security, or OPSEC? The key is information or the protection of information filed or stored within our computer networks. We've heard of and seen countless stories in newspapers and on the television concerning federal agencies and private companies losing or being denied their own information due to the spread of spyware, malware and other denial-of-service programs. On an average, 63,912 computers are affected daily. The United States is the target of most denial of service attacks, accounting for 52 percent worldwide.
In today's cyber world environment we must finally come to the realization that our computer is a weapon systems platform. The adversary's goal is to neutralize or eliminate the threat coming from the weapon platform itself. Hence, when we discuss the cyber threat from an adversary's point of view their goals are to deny the use of these systems, while simultaneously, trying to steal stored information. We cannot solely rely on our critical infrastructure to deny the cyber terrorist an avenue in penetrating our system defenses. We must all take an active role in assuming responsibility for sensitive information stored on desktops such as unit Critical Information (CI), For Official Use Only (FOUO) and Privacy Act (PA) data.
Doing the right things like properly protecting the personal identification number, or PIN, to your Common Access Card and passwords to other internal software programs are a good start. Not corrupting a computer with non-approved external media devices is another way of protecting sensitive information from getting into the hands of an adversary by eliminating the threat of infected spyware and malware embedded in the media.
Those who receive suspicious looking email that they do not recognize should simply not open them. Delete them from the inbox and the office recycle bin to ensure any potential attached viruses are neutralized.
One last important factor is to ensure that all information containing FOUO or PII information is protected from potential hacking through the use of encryption with PKI.
As we know from the news, cyber threats are pervasive. What is not as widely known is cyber threats most often target human behavior, using attacks such as social engineering, spear phishing, cyber bullying and the targeting of children. The mitigation measure for these risks is education.
We have made great strides in securing government systems to accomplish our mission. Don't forget to protect your families by maintaining the same security principles at home through education and good practices such as the following:
Secure computer accounts: Ask for protection beyond passwords. Many account providers now offer additional ways for people to verify who they are before they conduct business on that site.
Make passwords long and strong: Combine capital and lowercase letters with numbers and symbols to create a more secure password.
Unique account, unique password: Separate passwords for every account helps to thwart cybercriminals.
Write it down and keep it safe: Everyone can forget a password. Those who keep a list should store it in a safe, secure place away from their computer.