A Message to the DON Community from Christopher P. Cleary, DON Chief Information Security Officer
By Christopher P. Cleary - Published, July 31, 2020
Now more than ever, during this time of mass telework, we need to be vigilant about protecting our data. Like sentries standing guard to prevent unauthorized access or watching for fires, everyone in the Department of the Navy enterprise must become a 'Cyber Sentry' and be 'Cyber Ready.' Fundamental to this is being on guard against any phishing attempts. The more advanced we become as an information-based organization, the more our adversaries will seek to attack and exploit us in this domain. We will not be able to stop them unless everyone does their part to protect the advantages digital information provides, and limit the vulnerabilities it creates.
Cybercriminals have become extremely savvy and sophisticated in their attempts to lure people into clicking on links or opening phony email attachments. Phishing attempts threaten DON data. Phishing attacks can not only spread computer viruses, but they can also place our personally identifiable and mission critical information at significant risk. Phishing remains the most common attack method used by malicious cybercriminals. While most phishing attempts are sent en masse to large numbers of low yield targets, spear phishing is more targeted, with attackers researching specific targets and creating individualized attacks which appear to come from trusted sources. Hackers regularly use spear phishing to target government agencies and corporations in an attempt to steal national security and proprietary information. Spear phishers often exploit current events, such as the COVID-19 pandemic, to lure people into clicking links or opening an attachment.
As a Cyber Sentry, we need each of you to be educated and on guard by doing the following:
- Never open website links contained in suspicious emails.
- Look for and be wary of emails without digital signatures.
- Watch out for unsolicited emails that contain misspellings or grammatical errors.
- Never provide personal, organizational or financial information to anyone by email.
- Use a firewall, spam filters, anti-virus and anti-spyware software on personal computers. The DoD provides free options for government employees.
- Only use approved apps on government-furnished equipment. For more information about approved apps, see the Top Telework Tools Playbook.
- Hover over any links to see where they lead. Do not go to any URL which is unfamiliar. Be careful as malicious website URLs frequently look identical to a legitimate sites with minor variations or spelling.
- Do not type personal information into pop-up windows.
- When in doubt, throw it out. Delete unsolicited or suspicious emails and texts.
- Report phishing. Navy personnel should report suspicious emails by forwarding them to NMCI_SPAM@navy.mil. Marine Corps personnel should report phishing attempts by sending suspicious emails as an attachment to Suspicious@usmc.mil. Reporting ensures the sender's email address is blocked and enables the email content to be analyzed for malicious code. Once you forward/send the email to the appropriate address, please delete it and then empty your deleted items in Outlook.
- If you open an inappropriate link, please report that action to your supervisor, security manager, and Information Systems Security Manager (ISSM). Also, send the email with the link to NMCI_SPAM@navy.mil or Suspicious@usmc.mil.
With so many people conducting work and personal business on their mobile devices, phishing via text, also known as smishing, has become another way for cybercriminals to obtain information or trick users into downloading a Trojan horse, virus or other malware onto their mobile devices.
To help avoid smishing, take the following steps:
- Do not respond to suspicious texts. Delete the message and block the sender.
- Do not click on links or call any numbers provided in texts from unknown senders.
- Avoid downloading apps via text messages.
Another form of phishing to be aware of is vishing. This is the practice of using deception to get you to reveal personal, sensitive, or confidential information via telephone. The cybercriminal will use social engineering to convince targets to disclose information. Sometimes the numbers will appear to come from trusted sources. Caller-ID phone numbers can be spoofed by cybercriminals to trick people into providing sensitive information.
To help avoid vishing, take the following steps:
- Join the National Do Not Call Registry.
- Hang up. The moment you suspect it's a vishing phone call, simply hang up and block the number.
- Do not press buttons as requested or respond to prompts.
- Verify the caller's identity.
To aid your efforts, the Navy has published a list of approved collaboration tools. All Cyber Sentries should review this information, be vigilant, and make every effort to protect DON data. To learn more about phishing and to increase awareness, you are encouraged to take the DoD's phishing awareness training.
Stay safe, and remember we need everyone to be a Cyber Sentry to help protect the network.
Christopher P. Cleary
Ham, Walter T., IV, "DoD encourages workforce to avoid the hook of spear phishing attempts"