Stolen passwords. Data breaches. Identity theft. Divulging sensitive information. These can be the results of bad judgement, policy violations, or simply using weak online security measures.
National Cybersecurity Awareness Month is held every October to emphasize personal accountability and stress the importance of taking proactive steps to enhance cybersecurity at home and in the workplace. In the Navy, cybersecurity is an area where all personnel "man the equipment" and their actions, either deliberate or unintended, can lead to vulnerabilities across the entire organization.
NSA Souda Bay Information Systems Security Manager Darrell Nichols said that making people aware of the cybersecurity threats they face on the job is an important part of the risk management framework that goes into implementing an effective cybersecurity policy.
“Once people become educated and understand what they need to do it really does have an impact on the risk,” said Nichols. “By making them situationally aware then they can understand not to procure, issue or utilize flash media devices on Navy Networks – such as plugging a USB drive into the computer since USB drives are not authorized (per JTF-GNO 10-004A/NETWARCOM CTO 1-04), and lower the risk.”
NSA Souda Bay has a high turnover rate of personnel because many Sailors are on one-year orders. Nichols said that because people are constantly coming and going, it is important to educate them when they first arrive to treat the Navy networks like a weapons system.
“Like a weapons system – a weapon you might have – you would not just leave that weapon laying around loaded for anyone to use,” said Nichols. “The same thing goes for your CAC card or alternate token. You’re not just going to leave your CAC card or alternate token laying around for someone else to use.”
He also has a few tips for NSA Souda Bay personnel to reduce the risk of a cyber-threat in the workplace:
– Use a strong password and make it hard to guess.
“If ‘password’ is your password, then all a cybercriminal needs is your email address to access your account.”
“If you are working on a system and you are required to use a password, well, you do not want to post your user name and password on the computer, because you have now given an insider threat all they need to access your account.”
– Use two-factor authentication.
“When available, you want to use two-factor authentication with either your DoD CAC card or with your alternate token to be able to login to a DoD website or network. It’s an added layer of security.”
“Two-factor authentication can also apply to your cell phone and personal email account. When you log into your personal email account it will ask you, ‘Hey, is this really you or not?’ That’s a better way of doing it – because you have to have the phone…so if somebody was to get to your user name and password but doesn’t have access to your phone – good luck.”
– Pay attention to digital email signatures.
“If you get any kind of DoD email from a non-digitally signed or encrypted e-mail, without the little red ribbon or yellow lock, don’t download any of the attachments.”
“The best step is to come talk to us first and then we’ll help with the verification process. Because it could be a trick – it could be phishing – and we want to go look at it so we can have our eyes on it. It also gives us an opportunity to show the individual while we’re there ‘Yeah, this is a phishing attempt’ or ‘No, it looks like this is legitimate.’”
– Use caution when posting on social media.
“If you post about a specific date and time a ship is arriving an adversary can use that information to cause harm. ‘Tweets sink Fleets. Think before you post.’ – just as the poster says.”
“One of the latest scams is actually called sextortion. If anybody contacts a Sailor, or anyone that’s in the military, and is like ‘Hey, let’s develop an online relationship’ and it maybe turns into some kind of sexual encounter or whatever have you, and then they try to extort you for classified information. You need to let us know immediately so we can go ahead and resolve that! You need to go tell a security person. You can let me know or you can let the command security manager know. Just please let us know so we can actually go and do something about that.”
Each week during the month of October, Nichols will place a presentation covering a different aspect of cybersecurity on the N6 department’s intranet page at:
Topics will include: the anatomy of a cyber-intrusion, cybersecurity is an all-hands effort, protecting your shipmates by protecting yourself, enhancing protection while increasing resiliency, and getting from vulnerable to cyber-secure.
Nichols also said that if you experience any suspicious activity on your government computer, you should contact the N6 department immediately by calling DSN: 314-266-1338 or visiting them in Building 58, Room 20.
For more information about the Navy’s Cybersecurity Month, visit www.navy.mil/cyberawareness/.