[ISN] WWW.huh?: You Are the First Line of Defense

From: William Knowles (wkat_private)
Date: Tue Jun 26 2001 - 02:01:21 PDT

    By Steve Hara
    American Forces Press Service

    WASHINGTON, June 25, 2001 -- Defense Department computer security
    systems and specialists foiled nearly 22,500 would-be intruders in
    1999 and 24,500 in 2000. There's no let-up in sight.

    Special agent Jim Christy said he and others on his law enforcement
    staff are in a "growth business" chasing hackers and spies and running
    other criminal activities to ground. As representatives of the Office
    of the Assistant Secretary of Defense for Command, Control,
    Communications and Intelligence, they also counsel DoD employees on
    being an effective first line of defense instead of the weakest link.

    When he discusses computer security, Christy said, he drives home that
    average folks aren't expected to mount an ironclad defense. Rather, he
    stressed, they can do simple things that make life harder for bad guys
    -- and stop doing simple things that make life easy for them.

    Use different passwords at Web sites and on every machine you use.
    Reject all site and system offers to "remember" you and your password.
    Bad guys know many people use just one password, so attacking an
    easily hacked site gives them "skeleton keys" to tough ones.

    Don't open e-mail attachments from people you don't know, and don't
    open them uncritically just because someone you do know supposedly
    sent them. Hackers use attachments to inject viruses and other
    mischievous or malicious computer code into machines and systems. A
    common means to spread infections is by sending e-mail copies to
    everyone in a victim's address book -- using the victim's name.

    Log off or lock your workstation when you go on breaks or out to
    lunch. No point giving bad guys unfettered access to your computer and
    network -- and leaving you holding the bag because the system thinks
    you're at the keyboard.

    Never use personal diskettes, Zip disks and the like on classified
    systems. Computers divide files and write them to disk in units called
    sectors. If the file's last sector is only partially filled, the
    machine tops it off with data randomly pulled from memory or hard
    drives -- there's no real telling in advance where the information
    might come from. So writing and saving even your holiday greetings
    letter on a classified system is a potential disaster. That's why the
    practice is a security violation.

    You can be a security risk even if you don't work with classified
    files, have none on your computer and have no access to any. The
    mindset on the last point is wrong for at least three reasons, Christy
    noted. First, too many people think a secure system can't be hacked
    from their office computer network -- usually because they themselves
    don't know how. Fact is, good hackers really can launch attacks on
    your lowly machine if you give them the time and opportunity, he said.

    Second, he continued, intelligence analysts make a living by drawing
    conclusions and educated guesses from bits and pieces of unclassified
    and seemingly unrelated information.

    Third, information doesn't have to be classified to be sensitive.
    Medical records, personnel records and personal address and phone
    books aren't usually classified, but all contain data protected from
    public release by the Privacy Act of 1974. Good security, he said,
    means locking out all snoops, not just spies.

    Christy and company's growing business in security issues gives
    constant rise to another: personal privacy. You have none, and that
    roils many employees.

    Uncle Sam's machine, Uncle Sam's rules, Christy noted.

    Agency systems administrators are supposed to have the means to track
    every move made by every user in their realm. Literally. Every
    keystroke. Every mouse click. They can reconstruct any document you
    write, every Web site you visit, Christy said.

    Monitoring could be used to detect crimes and employee waste and
    abuse, but rarely is, he noted. More frequently, investigators and
    managers consult monitoring records to make or break cases after
    allegations surface other ways. Computer users can't claim a "probable
    cause" defense after being caught, because they all agree to be
    monitored as a condition of access.

    "There is absolutely no privacy on a government computer," Christy
    said. "Every time you turn one on, you get a message that the
    government can and will monitor you, and if you sign in, that means
    you understand and agree. Always assume you're being monitored."

    "Communications without intelligence is noise;  Intelligence
    without communications is irrelevant." Gen Alfred. M. Gray, USMC
    C4I.org - Computer Security, & Intelligence - http://www.c4i.org