IA provides umbrella for computer security

  • Published
  • By Frank McIntyre
  • Public Affairs
Too hot to go out for lunch, time for a sandwich at the desk and a little Internet surfing. No problem with that, right?
Actually there is. Amanda Loveless, Information Assurance manager for Vance Air Force Base, said surfing the Internet is one of the biggest computer security risks.
"Although Air Force computers are supposed to be used for official business only, it would be unrealistic for us to expect that to be the case," the Computer Sciences Corporation information technology staff member said. "It's only natural someone wants to check out news headlines or sports scores, but going to 'junk' sites is when the problems start.
"Under no circumstances should anyone use a military e-mail address to register on a site, and downloads are a definite no-no."
Information assurance is defined as "information operations that protect and defend information and information systems by ensuring their availability, integrity, authentication, confidentiality and non-repudiation."
Also falling under the IA umbrella for computer security are appropriate communications security and operations security measures.
The five goals of Department of Defense IA are:
  • Provide end-to-end protection of DoD information
  • Defend information systems and computer networks from unauthorized or malicious activity
  • Provide IA situational awareness and command and control
  • Improve IA processes through integration
  • Create an empowered IA workforce
As part of the awareness goal, all users are required to complete IA awareness training each year and should be very familiar with IA.
With that required training out of the way, thanks to the computer-based training module, it's time to return to lunch and surfing the net.
Eliminating risks related to surfing addresses the user empowerment goal of the IA program.
Registering on a site or downloading to a government e-mail address equates to a poor defense of your computer system by opening the door to social engineering or a possible introduction of a virus. But it's not just the external sites that threaten the computer systems.
"Although we do have programs in place that should prevent it, downloading a virus can never be ruled out -- that's one reason downloads should never be done from the Web," Ms. Loveless said.
"When you surf, all addresses visited are recorded and logged for review," she said. "If inappropriate activity, such as visits to 'trigger sites,' is discovered during the review, corrective action may be taken."
Ms. Loveless said "trigger sites" include addresses such as foreign country or adult sites.
Oops, spent too much time surfing the net, better take my work home with me to finish up.
"Our network is well protected from external threats, but internal threats continue to be a problem," Ms. Loveless said.
An example of an internal threat would be using a personal flash drive that may contain a virus to transfer files from an infected home computer onto the government computer.
"The best defense against internal threats, such as those provided by transferring files from a CD or flash drive," Ms. Loveless said, "is to run a virus scan on the files before introducing them on a government computer.
"It's just a matter of being vigilant when using anything that may present an internal threat," she said.
And the computer security threat can work in reverse too -- taking government files home on a portable device.
How serious a threat can that government laptop taken outside the gate present? Ask any of the nation's 26.5 million living veterans, whose personal information was recently put at risk when a laptop that a Department of Veterans Affairs employee had taken home was stolen. Even information that seems mundane to an employee may be considered vital data to a hostile foreign power or anyone wanting to use the data for personal gain.
According to Wally Cox, CSC computer systems branch manager, one of the best defenses we have against such potential threats is sound judgment.
"Applying common sense is something we can all do to prevent the loss of any sensitive information, whether it is classified or not," Mr. Cox said. "Common sense should tell us to avoid taking the data off-site if possible.
"But if that's not possible, ensure the storage device is protected from thieves and treat the data as if it were your own (like a credit card number or password)."
This is in addition to security guidelines that dictate that when taking information off base on any type of storage device (such as a laptop or PDA), three safeguards must always be in place:
  • You must obtain your supervisor's permission
  • Make sure access to the device with the data on it is password protected
  • Encrypt all sensitive files
"If employees have any doubts about whether appropriate safeguards are in place, they should contact a member of their security department, as well as their manager," Mr. Cox said. "When in doubt, just don't do it."
For more information on computer security, see the bimonthly Short Circuit newsletter published by the CSC information technology staff that's available under base information in the menu on the Vance home page.
(Editor's note: This is the third in a four-part series about small computers and their use on Vance Air Force Base.)