Air Force Sustainment Center Hill AFB Computer Security for New Hires 75 ABW/SCXO March 2014.

Date post: 29-Dec-2015
Upload: molly-rogers
Transcript
Page 1: Air Force Sustainment Center Hill AFB Computer Security for New Hires 75 ABW/SCXO March 2014.

Air Force Sustainment Center

Hill AFB Computer Security for New Hires

75 ABW/SCXO

March 2014

75TH AIR BASE WING

Program Overview

• Information System Access
• Consent to Monitor
• Air Force Messaging
• Social Media and Discussion Forums
• Social Engineering
• Security Incident Reporting
• Inappropriate Use of the Hill AFB Network

SPECIAL INTEREST ITEMS
• Personally Identifiable Information (PII)
• Removable Media

Information System Access

Access to an Air Force Information System (IS) is a privilege and continued access is contingent on personal conduct, personnel actions, changes in need to know, or operational necessity.

If unsure about any Information System requirement, contact the organizational Information Assurance Officer (IAO).

What is Monitored?

Essentially everything is monitored!
• Emails
• Computer networks and devices
    • Desktop PCs, laptops, notebooks, tablets, printers
• Internet websites
• Phones
    • Blackberry and smartphone

Consent to monitor:
• Logging into computer
• Red sticker on phones (DD Form 2056)
• User agreements (4394s, removable media, etc.)

Why Monitor?

To ensure appropriate measures are taken to protect all Air Force information system resources and information effectively and efficiently.

To take appropriate levels of protection against threats and vulnerabilities of information systems.

To prevent denial of service, corruption, compromise, fraud, waste, and abuse.

To protect our people and resources.

To stop adversaries from monitoring our systems.

To protect classified or sensitive information.

Monitoring the Network

• Network traffic is monitored, logged, reviewed daily
• User’s conduct that is inconsistent with IA policies and guidelines may result in immediate suspension of access to unclassified and classified ISs.
• Violations of IA policies and guidelines include, but are not limited to:
    • Unauthorized use of the network
    • Failure to maintain annual DOD IA awareness training
    • Actions that threaten the security of a network or a governmental communications system (e.g., willful downloading of malicious software, attempting to add unauthorized software, unauthorized flash drive usage)
    • Actions that knowingly threaten or damage DOD IS or communications security (hacking or inserting malicious code or viruses, theft, destruction of IT assets, willfully not using encryption)

Air Force Messaging

Electronic messaging (including email and instant messaging) users will:

• Maintain responsibility for the content of their electronic messages.
• Maintain sent and received information according to Air Force records management directives.
• Adhere to local policy on sending electronic messages to a large number of recipients. Digital images, as well as mass distribution of smaller messages, may delay other traffic, overload the system, and subsequently cause system failure.
• Only reply to electronic messages that absolutely require a response and minimize the use of the "Reply to All" function.
• Bear sole responsibility for material sent.
• Not auto-forward electronic messages from the .mil domain to a commercial Internet Service Provider (ISP).

Email Digital Signature

Use PKI (Public Key Infrastructure) CAC digital signature certificates for the following:
• Necessary for the recipient of an electronic message to be assured of the sender's identity (non-repudiation).
    • Socially engineered e-mails are the number one attack utilized by our adversaries to compromise sensitive information across the DoD
• Must have confidence the message has not been modified.
    • Digitally signed e-mail increases user confidence that the message contents are trustworthy and are from legitimate DoD personnel/system
• Contains an embedded hyperlink and/or attachment.

Should I just digitally sign all emails? NO!
• Unofficial information should NOT be digitally signed

Email Encryption

Use E-mail encryption to protect the following types of information:

• For Official Use Only (FOUO)
• Privacy Act Information (Reference AFI 33-332)
• Personally Identifiable Information (PII)
• Individually identifiable health, DoD payroll, finance, logistics, personnel management, proprietary, and foreign government information
• Contract data
• Export Controlled technical data or information
• Operational information regarding status, readiness, location, or operational use of forces or equipment (Reference AFI 10-701)

Like digital signatures, encrypted E-mail increases bandwidth and resource requirements.

Social Media and Discussion Forums

When using Federal Government resources, users shall comply with OPSEC guidance and shall NOT represent the policies or official position of the DoD

The following will NOT be posted on any DoD-owned, operated, or controlled publicly accessible sites or on commercial Internet-based capabilities

• Classified
• For Official Use Only (FOUO)
• Controlled Unclassified Information
• Critical Information
• Personally Identifiable Information (PII)

Users are responsible for following Information Assurance and OPSEC guidance/policies

Social Engineering

Social engineering is considered an intentional threat. It is a term used among hackers for cracking techniques that rely on weakness in human nature rather than software. The goal is to trick people into revealing passwords and other information that compromise the security of your system.

You can play a vital role in preventing social engineering by implementing these tips:

• Never give your passwords to anyone for any reason
• Verify the identity of all callers
• Don’t give out information about other employees
• Never type things into the computer when someone tells you to unless you know exactly what the results of the commands are
• Never answer questions from telephone surveys.

Security Incident Reporting

A security incident is an assessed occurrence that actually or potentially jeopardizes the confidentiality, integrity, or availability of an IS. Security incidents can include but are not limited to:

Data Spillage. Data spillage occurs when a higher classification level of data is placed on a lower classification level system/device or across compartments.

Classified Message Incidents. A classified message incident occurs when a higher classification level of data is transferred to a lower classification level system/device via messaging systems.

Inappropriate Use

DO NOT use federal government communications systems for unauthorized personal use (Reference DoD 5500.7-R, Joint Ethics Regulation (JER)).
• Personal web surfing (bill-paying, travel sites, shopping, etc.)
• Investment sites (using stock tickers)

DO NOT practice uses that reflect adversely on DoD or AF:
• Chain Letters/E-mails
• Unofficial Soliciting Selling (except on established and authorized Internet-based capabilities)

DO NOT store, process, display, send, or otherwise transmit unauthorized or prohibited content, such as but not limited to:
• Pornography, sexually explicit or sexually oriented material, nudity
• Hate Speech or Ridicule of Others on the Basis of Protected Class (e.g., race, creed, religion, color, age, sex, disability, national origin)
• Militancy/extremist activities
• Terrorist Activities
• Personal Gain

Inappropriate Use (Cont)

DO NOT store or process classified information on any system not approved for classified processing.

DO NOT use copyrighted material in violation of the rights of the copyright owner (consult JA for “fair use” advice).

DO NOT obtain, install, copy, store, or use software in violation of the appropriate vendor’s license agreement.

DO NOT view, change, damage, delete, or block access to another user's files or communications without appropriate authorization or permission.

DO NOT use the account or identity of another person or organization without authorization.

DO NOT permit an unauthorized individual access to a government-owned or government-operated system.

Inappropriate Use (Cont)

DO NOT modify or alter the network operating system or system configuration without first obtaining written permission from the administrator of that system.

DO NOT download files from unfamiliar sites.

DO NOT download and install freeware or shareware or any other software product without Designated Approval Authority (DAA) approval.

Consequences

Misuse of the network may result in:
• Disabling user account for indefinite period
• Offender and the offender’s commander brief wing/center command
• Reprimand
• Suspension (3 Day, 5 Day, and 7 Day)
• Harassment Charges
• OSI/FBI Investigations
• Loss of Job
• Jail Time

Applies to Military, Civilian, Contractor

Video #1

Personally Identifiable Information (PII)

What is PII

Information about an individual that identifies, links, relates, or is unique to, or describes him or her. Some examples are:
• SSN
• Age
• Civilian/Military rank
• Marital status
• Race
• Salary
• Home/Office phone numbers
• Medical/Financial information

Personally Identifiable Information (PII)

Emails including PII information:
• Must be encrypted
• Must have “FOUO” at the beginning of Subject line
• Must have the following statement at the beginning of the email:

"This e-mail contains FOR OFFICIAL USE ONLY (FOUO) information which must be protected under the Freedom of Information Act (5 U.S.C 552) and/or the Privacy Act of 1974 (5 U.S.C. 552a). Unauthorized disclosure or misuse of this PERSONAL INFORMATION may result in disciplinary action, criminal and/or civil penalties. Further distribution is prohibited without the approval of the author of this message unless the recipient has a need to know in the performance of official duties. If you have received this message in error, please notify the sender and delete all copies of this message."

Personally Identifiable Information (PII)

Best practices to Protect PII
• Ensure recipient has an official need to know if PII is included in an email
• Digitally sign & encrypt all emails containing PII
• Ensure websites are secure and you have authorization before posting PII
• Use cover sheets to protect PII in your work area
    • AF Form 3227 or DD Form 2923
• Shred or destroy documents before disposing

Personally Identifiable Information (PII)

Consequences for PII violations:
• User account disabled
• Must re-accomplish IA training
• Request to enable user account must come from the first O-6 or GS-15 within the user's chain of command (after the request is received it can take up to an additional 4 days to enable the account)

Removable Media

Removable media refers to information system storage media that can be removed from its reader device, conferring portability on the data it carries:

• Diskettes
• CDs / DVDs
• USB storage devices
• Any other device on which data is stored and which normally is removable from the system by the user or operator

Removable Media Policies

Because of the vulnerabilities associated with removable media you must adhere to the guidelines and policies established by DoD, Air Force, and Organizations

The Chief of Staff of the Air Force implemented a policy prohibiting the use of flash media storage devices which use a Universal Serial Bus (USB) connection

AFMAN 33-282, Paragraph 6.8.4. Do not connect privately-owned media or peripheral devices (including, but not limited to, music/video CD/DVDs, i-devices, commercial MP3 players, and Universal Serial Bus [USB] drives) to AF ISs and GFE
• Listen Carefully - This includes devices that are plugged into a USB port for a “charge only” of the device’s battery (i.e. iPhone, SmartPhone, iPod, etc.)... DON’T DO IT!!!!!

Consequences

• Machine(s) will be removed from the Network.
• User must explain to his/her Commander/Director why they violated the prohibition.
• Commander/Director must brief the user and ensure the user fully understands what dangers and/or vulnerabilities their actions could have potentially introduced to the ENTIRE Network.
• Machine will not be reinstated until the Commander/Director notifies 75 ABW/SC that the briefing occurred and the justification/reason for having committed the infraction.
• If the network is jeopardized action will be taken accordingly.

Caution

Do not bring personal computer equipment or accessories to work.

Do not input or store government information on privately owned equipment and media without specific approval of the DAA. Contact your CST or IAO for assistance

Use only government issued equipment to ensure security.

Do not use public computing facilities (i.e. Internet cafés and kiosks, hotel business centers, etc.) for processing government owned unclassified, sensitive, or classified information.

Using these resources to access web-based government services (e.g. MyPay) constitutes a compromise of log-in credentials and must be reported to your CST immediately

Your Responsibilities

• Use the network for official/authorized business ONLY.
• Maintain good passwords and keep them secure.
• Lock or log-off your computer when not in use.
• Keep track of your CAC at all times.
• Report all problems or unusual network/computer activity to your IAO or CST.

Use Good Judgment

QUESTIONS?

