Prevent ghosts in the machine with cybersecurity

Published Oct. 2, 2014
By Lt. Col. James Trachier
60th Communications Squadron commander

TRAVIS AIR FORCE BASE, Calif. -- With Halloween approaching, while we all recognize the ghosts, goblins and ghouls of All Hallows' Eve as benevolence garbed in costumes of malevolence, such masquerades should serve as a reminder that the reverse can be very real indeed, especially within the digital domain. Truly, there are things that go bump in the night of cyberspace.

A common threat to Air Force networks is spear-phishing. Spear-phishing campaigns use tailored, legitimate-looking emails to trick the recipient into triggering malicious logic, thereby "treating" the sender to information such as online account credentials, Personally Identifiable Information or even illicit, backdoor access to the AFNET.

While most of us rightfully scoff at the grammatically challenged, overly generous offers of supposedly desperate Nigerian millionaires, spear-phishing messages have evolved to become increasingly sophisticated and more difficult to detect. The best way to screen these attempts from legitimate email message traffic is to use the READ+B mnemonic:

R: Is the message relevant to your official position and duties?

E: Did you expect to receive the message? If not, contact the apparent sender to confirm they actually sent it.

A: Is the email properly addressed? Was it sent to your specific email address and is the salutation (sir, ma'am, ALCON, etc.) appropriate for the relationship between you and the sender?

D: If the email contains hyperlinks or attachments, is it digitally signed as required by Air Force Manual 33-152? If not, it may be a spear-phishing attempt. Note that some official Air Force systems that frequently disseminate hyperlinks, such as the AMS Mail Robot and Leave Web, do not yet support digital signatures, while others, such as ASIMS, support this security feature.
You'll have to use good judgment, which brings us to ...

B: Look for breadcrumbs that can indicate the message's authenticity or lack thereof.

As a rule of thumb, always assume attachments to nondigitally signed messages are untrustworthy until you've confirmed the sender's identity and intent. Also, always convert HTML messages to plain text format because doing so will allow you to confirm that text labels for internet Web addresses and their underlying hyperlinks point to the same site. If they match and point to a legitimate web site, the message is likely authentic. Otherwise, it's probably a spear-phishing attempt. Don't take the bait.

Universal Serial Bus flash media devices represent another preeminent cyberthreat. AFMAN 33-282 and USCYBERCOM Communications Tasking Order 10-084 prohibit the use of USB flash media on Department of Defense networks unless explicitly authorized, but every year Air Force members connect hundreds of unauthorized USB devices to the AFNET.

Like a double-edged cybersword, these devices can cause harm in two different ways. First, USB devices can place PII, For Official Use Only and sensitive but unclassified data at risk of compromise should the device become lost or the information transferred to a potentially compromised personal computer. Second, these devices can introduce hidden malware into the AFNET the nanosecond they're plugged into an Air Force computer, even if the intent is merely to recharge the device's batteries.

Common Travis Air Force Base violations include iPhones and Androids, e-readers such as Kindles and Nooks, digital photo frames and USB hard drives and thumb drives. All of these devices are capable of infecting the Travis segment of the AFNET, even if the owner is unaware the device may be compromised.
Since these personal devices are typically manufactured overseas and do not undergo approved DOD screening processes or conform to Defense Information Systems Agency Security Technical Implementation Guides, users must not connect them to DOD systems.

A network script automatically detects new USB connections on the Travis network in real time and alerts the wing's information assurance officer, who will then lock the offender's network account. Violators are required to retake their annual information assurance training and submit a reinstatement memorandum signed by their group commander before their accounts are unlocked.

As National Cyber Security Month begins, remember that your signed Network User Agreement constitutes a contract for good network behavior and that violating the rules of the road can cost you your Network Driver's License. By definition, the primary characteristic of a computer network is connectedness and a single vulnerability is shared by all. Don't be the one who lets a ghost into the machine.
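
The comparison described under the "B" step of READ+B (a link's text label versus the site its underlying hyperlink points to) can be automated for an HTML message body. The following Python sketch is an added example, not part of the original article or any Air Force tool; the function and class names are hypothetical and the sample message is constructed.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit
import re

# Matches a URL or bare host name appearing in a link's visible label.
LABEL_URL = re.compile(r"(?:https?://)?((?:[a-z0-9-]+\.)+[a-z]{2,})", re.I)

def _host(name):
    """Normalize a host name for comparison (case, trailing dot, www.)."""
    name = (name or "").lower().rstrip(".")
    return name[4:] if name.startswith("www.") else name

class LinkCollector(HTMLParser):
    """Collects (href, visible label) pairs for every <a> in a message body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)  # also captures text inside <b>, <span>, ...
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def mismatched_links(html_body):
    """Return (label, label_host, href_host) where label and hyperlink disagree."""
    parser = LinkCollector()
    parser.feed(html_body)
    findings = []
    for href, label in parser.links:
        m, parts = LABEL_URL.search(label), urlsplit(href)
        if not m or parts.scheme == "mailto":
            continue  # plain-word label or e-mail link: nothing to compare
        label_host, href_host = _host(m.group(1)), _host(parts.hostname)
        if label_host != href_host:
            findings.append((label, label_host, href_host))
    return findings

# Constructed sample body (not a real message); example.* are reserved names.
SAMPLE = """<p>Sir, review your record at
<a href="http://portal.example.net/login"><b>https://www.example.com/records</b></a>
or see <a href="https://www.example.com/help">www.example.com/help</a>
and <a href="https://example.org/">click here</a>.</p>"""

if __name__ == "__main__":
    print(mismatched_links(SAMPLE))
```

A link whose label is plain words ("click here") gives nothing to compare, so it is not reported; the destination of such a link still has to be read directly, as the plain-text conversion makes possible.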