We've all heard nightmarish tales of identity theft, but that only happens to someone else, right? Wrong! Security breaches at the Department of Veterans Affairs and Los Alamos National Laboratory underscored the fact that regardless of how secure you think you are, the safety of your personal information is really at the mercy of virtual strangers.
These incidents served as a call to arms to government offices and personnel to better protect personally identifiable information (PII). These breaches and others like them are completely avoidable. Most importantly, employees should not load any personally identifiable information onto personal computers as of Oct. 1, 2007. Vigilant physical security enforcement and supervisory oversight are essential in protecting personal information.
While the Navy Marine Corps Intranet (NMCI) protects computers and laptops on the job, we still must be alert to the hazards of the Internet and e-mail. Also, many of us have multiple computing devices for personal and official use that we must defend.
Virtual predators are cunning! The Federal Trade Commission estimates that 27.3 million Americans (9 percent of the total U.S. population) have been victims of identity theft. Financial losses totaled nearly $48 billion for businesses and financial institutions and at least $5 billion in expenses for individuals. With these startling statistics in mind, we can improve our security posture at home and in the office by practicing these 10 common sense countermeasures:
• Strong Password Protection
• Virus Protection
• Spam Protection
• Spyware Protection
• Security Patches
• Security for data at rest and mobile devices
• Data Backups
• Firewall Protection
• WiFi Protection
• Data, E-mail and Transaction Encryption
Let's take a brief look at each and establish best practices for implementation.
Strong Password Protection
Effective passwords are the first line of defense. They should:
– Be at least eight characters including upper and lower case, digits and special characters (~, #, %)
– Change frequently — every 60 to 90 days
– Be unique with each change
– Never be shared with others
– Be easy to remember. Use identifiers such as the first characters of a phrase. For example, "My wedding anniversary is July 26, 199990" = MwaiJ26,199990 — is a pretty good password!
– Never use proper nouns; dictionary attacks and brute force techniques can easily crack these!
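The rules above as a small checker, together with the first-letters mnemonic from the example phrase. This is an added illustration, not code from the original article; the function names and the short COMMON_WORDS list are constructed for the example and stand in for a real dictionary.

```python
import re

# Constructed stand-in for a real wordlist of dictionary words and proper nouns.
COMMON_WORDS = {"password", "welcome", "norfolk", "michigan", "linksys"}

def mnemonic(phrase):
    """First character of each word; numbers and their punctuation are kept whole."""
    parts = []
    for token in phrase.split():
        parts.append(token if token[0].isdigit() else token[0])
    return "".join(parts)

def check_password(candidate, previous=()):
    """Return a list of rule violations; an empty list means the candidate passes."""
    problems = []
    if len(candidate) < 8:
        problems.append("shorter than eight characters")
    classes = {
        "upper case letter": r"[A-Z]",
        "lower case letter": r"[a-z]",
        "digit": r"[0-9]",
        "special character": r"[^A-Za-z0-9]",
    }
    for name, pattern in classes.items():
        if not re.search(pattern, candidate):
            problems.append("no " + name)
    # Strip digits and symbols from both ends so "Norfolk2007!" is still caught.
    core = re.sub(r"^[^A-Za-z]+|[^A-Za-z]+$", "", candidate).lower()
    if core in COMMON_WORDS:
        problems.append("built on a dictionary word or proper noun")
    # Plaintext history keeps the example short; a real system would compare
    # against stored password hashes instead.
    if candidate in previous:
        problems.append("reuses an earlier password")
    return problems

if __name__ == "__main__":
    pw = mnemonic("My wedding anniversary is July 26, 199990")
    print(pw, check_password(pw) or "passes")
    print("Norfolk2007!", check_password("Norfolk2007!"))
    print("sailor", check_password("sailor"))
```

A proper noun with a year and a symbol appended satisfies the length and character rules, which is why the dictionary check is a separate step.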
Viruses and other malware, including worms and Trojan horses, are programs that attach to or masquerade as other programs causing widespread and often unrecoverable damage.
If you don't have antivirus software, get it! Antivirus software is free to Defense Department personnel. The Navy Information Assurance Web site is just one of the sources for downloading antivirus software. It is the primary distribution center for antivirus tools for the Navy and Marine Corps, although any DoD-affiliated agency may request them. McAfee, Trend Micro and Symantec antivirus software applications are currently licensed for use by the DoD.
Spam is unsolicited bulk e-mail messages indiscriminately distributed to unsuspecting users. Spam cost U.S. companies more than $10 billion in 2004, including lost productivity and the additional equipment, software and manpower needed to combat the problem. Spam e-mail is often the vehicle of choice used to spread viruses and other malware. Even though most e-mail applications have some anti-spam capabilities, such as the junk mail filter in MS Outlook, the problem still persists.
Most Internet service providers have provisions for reporting spammers and many antivirus applications can also protect against spam. Remember, never open unsolicited e-mail and attachments at work or at home!
Spyware is software that is unwittingly installed on a computer by linking to Web sites that deploy spyware to intercept or record information. Some spyware monitors user behaviors and can collect and distribute personal information — even passwords! Benign forms of spyware often redirect Web pages to paid advertisers. Spyware is one of the leading causes of identity theft. To combat this problem, use an anti-spyware application such as Ad-Aware or Windows AntiSpyware. They are free!
Operating Systems and Security Patches
It’s a fact that new software vulnerabilities are exposed almost daily. In fact, since April 2007 more than 20 new Microsoft security vulnerabilities have been documented. Operating systems, especially Windows, since it is the most widely used OS, are usually the primary targets. Use the Windows update service to remediate security vulnerabilities daily by clicking on the Tools bar and following the directions for automatic updates.
Mobile Workforce Awareness
More and more people are using mobile computing devices that allow them to work from virtually anywhere. This presents security challenges including safeguarding information. Follow your workplace’s policies for telework and mobile devices.
Operating systems such as Windows or Linux have built-in backup utilities, although you may have to purchase additional media, such as an external USB drive. A popular alternative is drive imaging, which creates a backup snapshot or image of your disk drive, most commonly your system drive. These utilities are included with some versions of Microsoft Vista or third party utilities such as Drive Image and Norton Ghost. Back up data frequently and store media in a safe place.
A firewall is a hardware or software device designed to permit or deny network traffic. All traffic inbound (ingress) through a firewall should be denied unless explicitly permitted. In most cases, all outbound traffic (egress) is allowed. If you work remotely, most firewalls have provisions for remote access to network resources through a virtual private network (VPN). Windows and other operating systems contain software-based firewalls that are simple to enable. Most antivirus and anti-malware applications also provide a personal firewall.
Over the last few years, wireless computing has become wildly popular. From airports to coffee shops, wireless hotspots are available for your use. However, they are not without potential security vulnerabilities as well. Keep Wi-Fi network cards disabled unless you are actively using them. Configure wireless networks to use Wi-Fi protected access and change the default network name or service set identifier (SSID) often. The SSID is a code attached to all packets on a wireless network to identify each packet as part of that network. Select a Wi-Fi protected access (WPA) passphrase with the same careful attention you must give to your other passwords.
Most wireless access points have a Web-based configuration utility that is simple to use. Two of the more common methods for exploiting Wi-Fi are WiPhishing and wardriving.
WiPhishing – In this instance, attackers impersonate a popular wireless access point, such as Linksys, to divert traffic through the attacker’s network and obtain personal information. This is especially prevalent in urban areas where there are many wireless networks in a small geographic area.
Wardriving – The act of searching for Wi-Fi wireless networks by a person in a moving vehicle using a Wi-Fi-equipped computer, such as a laptop or a PDA, to detect vulnerable networks.
In 2004, a Michigan man was sentenced to nine years in prison for his role in an unsuccessful attempt to steal credit card numbers from the Lowe’s chain of home improvement stores by taking advantage of an unsecured Wi-Fi network at a store in suburban Detroit using the wardriving technique. According to a Justice Department document, the man and his co-defendant conspired and schemed to gain unauthorized access to the nationwide computer system used by Lowe’s and, after gaining access, to download and steal credit card account numbers from that computer system.
Be on guard — wardrivers are now mapping likely neighborhoods using Google Earth to exploit wireless networks!
Data, E-mail and Transaction Encryption
Data, including e-mail, can be encrypted and decrypted easily using encryption applications such as GPG4WIN. GPG4WIN is a versatile tool and, best of all, it’s free. It provides e-mail and file encryption and is an extension of GNU Privacy Guard, which is an open source alternative to Pretty Good Privacy.
Online transactions are encrypted only when they use the https protocol and digital certificates. Do not send personal information to any Web site unless it uses https and is a trusted source.
Remember to review computer log files for irregularities and assess your security posture often. You can do this by running MS Baseline Security Analyzer or Nessus Security Analyzer.
Keep abreast of current threats and vulnerabilities and remain on guard!
John Janachowski is a Navy veteran who recently reenlisted in the Navy Reserve after many years. When on active duty, Janachowski works at Fleet Forces Command Navy Cooperation and Guidance for Shipping.
At a Glance: DoD requires encryption protection for mobile devices
Signed July 3, 2007, by DoD chief information officer, John Grimes, the memo mandates that all sensitive but unclassified data stored on mobile devices, including laptop PCs and storage media, such as thumb drives and compact discs, be encrypted using commercially available encryption technology. The memo further directs that all unclassified data not approved for public release shall be treated as sensitive data. However, the Department of the Navy (DON), Army and Air Force are working on service-specific acquisition strategies. As of press time, Defense and DON users are not authorized to purchase a PII encryption solution until their service component has issued guidance.