Information Security News
mailing list archives
WWW.huh?: You Are the First Line of Defense
From: William Knowles <wk () c4i org>
Date: Tue, 26 Jun 2001 04:01:21 -0500 (CDT)
By Steve Hara
American Forces Press Service

WASHINGTON, June 25, 2001 -- Defense Department computer security
systems and specialists foiled nearly 22,500 would-be intruders in
1999 and 24,500 in 2000. There's no let-up in sight.

Special agent Jim Christy said he and others on his law enforcement
staff are in a "growth business" chasing hackers and spies and running
other criminal activities to ground. As representatives of the Office
of the Assistant Secretary of Defense for Command, Control,
Communications and Intelligence, they also counsel DoD employees on
being an effective first line of defense instead of the weakest link.

When he discusses computer security, Christy said, he drives home that
average folks aren't expected to mount an ironclad defense. Rather, he
stressed, they can do simple things that make life harder for bad guys
-- and stop doing simple things that make life easy for them.

Use different passwords at Web sites and on every machine you use.
Reject all site and system offers to "remember" you and your password.
Bad guys know many people use just one password, so attacking an
easily hacked site gives them "skeleton keys" to tough ones.

Don't open e-mail attachments from people you don't know, and don't
open them uncritically just because someone you do know supposedly
sent them. Hackers use attachments to inject viruses and other
mischievous or malicious computer code into machines and systems. A
common means to spread infections is by sending e-mail copies to
everyone in a victim's address book -- using the victim's name.

Log off or lock your workstation when you go on breaks or out to
lunch. No point giving bad guys unfettered access to your computer and
network -- and leaving you holding the bag because the system thinks
you're at the keyboard.

Never use personal diskettes, Zip disks and the like on classified
systems. Computers divide files and write them to disk in units called
sectors. If the file's last sector is only partially filled, the
machine tops it off with data randomly pulled from memory or hard
drives -- there's no real telling in advance where the information
might come from. So writing and saving even your holiday greetings
letter on a classified system is a potential disaster. That's why the
practice is a security violation.

You can be a security risk even if you don't work with classified
files, have none on your computer and have no access to any. The
mindset on the last point is wrong for at least three reasons, Christy
noted. First, too many people think a secure system can't be hacked
from their office computer network -- usually because they themselves
don't know how. Fact is, good hackers really can launch attacks on
your lowly machine if you give them the time and opportunity, he said.

Second, he continued, intelligence analysts make a living by drawing
conclusions and educated guesses from bits and pieces of unclassified
and seemingly unrelated information.

Third, information doesn't have to be classified to be sensitive.
Medical records, personnel records and personal address and phone
books aren't usually classified, but all contain data protected from
public release by the Privacy Act of 1974. Good security, he said,
means locking out all snoops, not just spies.

Christy and company's growing business in security issues gives
constant rise to another: personal privacy. You have none, and that
roils many employees.

Uncle Sam's machine, Uncle Sam's rules, Christy noted.

Agency systems administrators are supposed to have the means to track
every move made by every user in their realm. Literally. Every
keystroke. Every mouse click. They can reconstruct any document you
write, every Web site you visit, Christy said.

Monitoring could be used to detect crimes and employee waste and
abuse, but rarely is, he noted. More frequently, investigators and
managers consult monitoring records to make or break cases after
allegations surface other ways. Computer users can't claim a "probable
cause" defense after being caught, because they all agree to be
monitored as a condition of access.

"There is absolutely no privacy on a government computer," Christy
said. "Every time you turn one on, you get a message that the
government can and will monitor you, and if you sign in, that means
you understand and agree. Always assume you're being monitored."
"Communications without intelligence is noise; Intelligence
without communications is irrelevant." Gen. Alfred M. Gray, USMC
C4I.org - Computer Security, & Intelligence - http://www.c4i.org
ISN is hosted by SecurityFocus.com