WASHINGTON - Mistakes you make in cyberspace could put yourself, others, and the Navy at risk.
In 2016, the Russians began a sophisticated campaign to infiltrate and collect information from companies responsible for our critical infrastructure. Although nothing was damaged, the intrusion could have set up future attacks on power plants and water facilities.
The tactics employed by the Russians to conduct this potentially devastating intrusion were relatively common – they sent fraudulent emails to targeted individuals and then stole key passwords once they had broken into the network. Recommendations for defending against the Russians’ tactics in the joint DHS and FBI report on these attacks were common too, including one to “…require complex passwords for all users.”
Fortunately, as in this case, the steps you can take to protect yourself and the Navy from cyber bad actors are relatively simple, but constant vigilance is needed to ensure safe operations in cyberspace – both at work and at home. You are the front line of the Navy’s cyber defense.
This article will introduce best practices for defending yourself at home and at work, starting with those that will help in both places. Further details are available in Cybersecurity and Infrastructure Security Agency (CISA) “tip sheets” (https://www.cisa.gov/national-cybersecurity-awareness-month-resources) and in materials from the National Cybersecurity Alliance (https://staysafeonline.org/resources/). These materials can also be accessed from the Cybersecurity Awareness Month announcement on the DON CIO website, https://www.doncio.navy.mil.
Don’t take the phishing bait. Phishing involves sending fraudulent emails that appear legitimate to obtain sensitive personal information or lure recipients to click on a link or open an attached file that infects their computer. To protect against this very effective and often used attack, always verify the source of emails and the links in them. Be wary of unsolicited emails that urge immediate action and contain misspellings or grammatical errors. If you’re directed to a site for an online deal that looks too good to be true, it probably is. If you open a bad link at work, report it to your supervisor, security manager, and Information Systems Security Manager. Also, forward the email containing the link to NMCI_SPAM@navy.mil. Read the Phishing tip sheet posted on the CISA site above for more information.
When in doubt, throw it out. Delete unsolicited or suspicious emails and texts. If you think a Navy email is suspicious, forward it to NMCI_SPAM@navy.mil. Reporting ensures the sender’s email address is blocked and enables the email to be analyzed for malicious code. Once you forward the email to this address, delete it and then empty your “Deleted Items” in Outlook.
Use strong passwords. Don’t use easily guessed or weak passwords, and safeguard them so they can’t be stolen. Strong passwords include a mix of upper and lowercase letters, numbers, and symbols, and are as long as possible. To make your password easier to remember, use a pass phrase. Have a unique password for each account so hackers don’t have carte blanche access if they compromise one of your accounts. Read the Creating a Password tip sheet posted on the CISA site above for more information.
Back it up. Make electronic and physical back-ups or copies of all your important work. Data can be lost in many ways including computer malfunctions, malware, theft, viruses, and accidental deletion.
Work best practices
Stay on known good websites. Avoid websites that are not work related or are known bad sites.
Don’t connect unauthorized devices to the network. Unauthorized devices, such as thumb drives, may contain software that can allow an attacker inside the Navy’s network.
Remove your CAC or lock your computer. Don’t make it easy for an inside attacker by leaving your computer unlocked when you’re not using it.
Don’t use systems in unauthorized ways. The Navy has established policies to protect itself from compromise. Don’t put others at risk by using systems in ways that aren’t authorized. Read the 25 Feb 2020 version of the Acceptable Use of DON Information Technology memo, at https://www.doncio.navy.mil, for more details.
Personal (home) best practices
Use security software. Use a firewall, spam filters, anti-virus and anti-spyware software on your personal computer. Security software with these capabilities is free for DoD employees and authorized government contractors at https://storefront.disa.mil/kinetic/disa/service-catalog#/forms/antivirus-home-use.
Keep it current. The best defense against malicious software on all your devices is the latest version of security software, web browser, and operating system. Sign up for automatic updates, if you can.
Secure your home network. The Wi-Fi router is the physical device that controls who can connect to your home wireless network. Buy one with at least WPA2 encryption, and enable encryption on the router. Always change the default network name and password, and configure your router so anyone who wants to join your wireless network will have to enter the password.
Double your login protection. Multi-factor authentication (MFA) better protects your accounts by requiring more than one piece of information, such as your password and a verification text, before allowing access. If MFA is an option, use it for any service that requires logging in. Read the A How-to-Guide for Multi-Factor Authentication tip sheet for more information.
Never click and tell. Limit what you post on social media — from personal addresses to where you like to grab coffee. These seemingly unimportant details are used by criminals to target you, your loved ones, and your physical belongings — online and in the physical world. Disable location services that allow anyone to see where you are – and where you aren’t – at any given time. Read the Social Media Cybersecurity Tip Sheet for more information.
By following the simple steps in this article and the more detailed guidance in the CISA tip sheets, you will help protect the Navy and reduce your chances of being hacked at home.
You have the watch – be alert!