A cyber security vignette: The unwitting victim

  • By Robert Frees
  • Air Mobility Command Cyber Threat Analysis and Response Cell
You are concluding a busy day at work and you receive an auto-email reminder that your ancillary training is due. After a few minutes of negotiating the training module, you are congratulated on the completion of your annual Information Assurance training. What this means to most is that you are able to log back on to your government computer and catch up on unread emails without the risk of being locked out tomorrow (in theory). You are now the cyber-savvy user entrusted with the virtual defense of the government network.

Let's step back and look at a day in the life of a DOD employee and consider the many pitfalls that leave the unsuspecting person at risk.

Your day begins 10 minutes before the alarm goes off with the sound of a screaming child coming from the baby monitor. While feeding the kids, you open your tablet to check the news, social network profile, and e-mail. Your deployed buddy just posted a 15-mile run around base - what a beast! It looks like you also have an invitation email from a job recruiter, sent through a business networking site you belong to. Might as well accept it - you might be PCSing soon and your spouse will be looking for a new job!

You're dressed and ready to go. Keys, cellphone, badges and hat - check! Wait, where's your work laptop? Oh, it's in the car outside. Suddenly the home phone rings before you can leave and your spouse yells to you to answer it.

"Hi, I'm a network administrator from your Internet Service Provider. I'm contacting you because we've detected that your computer is infected with a virus." You hand the phone to your spouse since you're already late for work. "Can you take this?" Your spouse asks if it is okay to use the debit card for purchases at the local home improvement store today. With a quick "yup", you're finally out the door.

Driving to work, you decide to make good use of your time by enabling your hands-free Bluetooth to knock out a few calls. You arrive at work and see 100 new unread emails. This will require more coffee, so you quickly run to get a cup and leave your ID card in the workstation unattended - you'll only be a second. Upon reviewing all those emails, you see a hot task to collect personal data on your troops for the new recall roster. You quickly compile this information and click send since it was due 15 minutes ago. You decide to send it to your personal email as well since it may come in handy during those unexpected snow storms.

Before you know it, lunch time!  It's Friday so you're going to your favorite restaurant. Some of your friends may be in the area, so a location "check-in" is a must. Your cell connection seems to be weak, but luckily there's a Wi-Fi hotspot called "FreeNet" you can connect to. You log into your bank account and transfer funds to cover a recent purchase.

After returning to work, you notice an e-mail with the subject title, "Click the link - this is SO funny." It appears to be from a friend. You click the link, but it takes you to a weird website. Oh well, you figure it's just an error or broken link. 

You finish responding to e-mails and attend a few meetings, but before you pull your ID card for the last time that day, you hear that familiar "ping" - looks like ancillary training is due today. You think to yourself, "This will be easy. I'm very cautious of my actions, and I've been around computers long enough to know the safeguards."

At this point in the story, it's obvious there are numerous "cyber" pitfalls that expose us; many times we are unsuspecting victims. As the "Internet of things" expands from digital devices to home appliances, we must be ever vigilant of our actions online. So, let's summarize the warning signs and make recommendations based on best practice.

  • Baby monitor: All connected devices are vulnerable. It's critical to keep devices and computers patched with the latest device firmware or anti-virus and anti-spyware software. Secure your home network with encryption (WPA2) on your wireless router.
  • Mobile devices: Ensure your devices have mobile device management, strong passwords, and parental controls enabled.
  • Unsecured laptop: Since personally identifiable information (PII) is the launching point for most hacking activity, leaving your laptop or mobile device unsecured in vehicles or in hotels could lead to theft and eventually a data breach. Look for laptops with self-encrypting hard drive features and use laptop lockdown cables.
  • Social networking: Enable privacy/security settings, disable GPS locators, avoid posting PII (like home address), and use strong passwords.
  • Phone scam: Don't fall victim to call scams looking to gain remote access to your computer or link to financial accounts.
  • Passwords: Don't give out your password or use the same password repeatedly for multiple accounts. Use a password manager where possible and two-factor authentication.
  • Debit card use: Funds in your bank account are unavailable until a fraudulent charge investigation is resolved.
  • Bluetooth: Bluetooth is susceptible to identity detection, location tracking, denial of service, and unintended control and access of data and voice channels.
  • Email: Digitally sign and encrypt messages. When receiving/reading emails, ensure they're relevant, expected, addressed properly and digitally signed. Don't send PII home!
  • Malicious links/attachments: These can infect your computer or take you to web pages designed to steal your information. Only click on links from trusted sources.
  • Public Wi-Fi: Hackers can monitor traffic on legitimate free Wi-Fi hotspots or set up fake hotspots in public places to access your information. Don't conduct important personal business (like financial transactions) on public Wi-Fi.
 
Please take a moment in recognition of National Cyber Security Awareness Month to reflect on how we conduct ourselves in cyberspace, and use security best practices to protect yourself and the government. STOP. THINK. CONNECT.