Air Force Cyber -- Back to Basics

October is Cybersecurity Awareness Month.

October is Cybersecurity Awareness Month.

JBSA-LACKLAND, San Antonio -- Twenty-Fourth Air Force (AFCYBER) recently disseminated a mass electronic notification to Air Force Department of Defense Information Network (DODIN) system users about the reminders when accessing government computers. DODIN users should also consider these tips when accessing government databases from home, or when operating personal computers and devices.

Accessing the Internet and Protecting your Home Computer:

- Publically available Wi-Fi hotspots are often unsecure and put your private/personal data at risk. If using public Wi-Fi, do not go to sites that require entering personal data, information or passwords.
- On your home routers, enable WPA2/PSK (Strongest) or WPA/TKIP (Moderate) encryption. The "WEP" encryption is an older version (weakest) and should be avoided if possible.
- Secure your laptops and handheld devices with biometric locks such as fingerprint or facial recognition capabilities, strong passwords (more on those later), or a PIN.
- Active Duty military and civilian employees are encouraged to take part in the DISA Home Use program, which provides Anti-Virus/Anti-Spyware (AV/AS) software for use on home computers.
- For those unable to participate in the DISA Home Use program, many Internet Service Providers (ISPs) include AV/AS software as part of their service package, so check with your provider.
- Many operating systems include firewall applications that provide an additional layer of security for your home computers. Make sure they are updated, properly configured and running.
- Operating system and browser updates often include security patches. Set your devices to automatically install them when they become available and you'll never miss an update.
- Configure your system to automatically scan USB thumb drives, hard drives, and other storage media upon connection. Also, ensure any "auto-run" features are disabled.
- Only download software, applications and other files from reputable sources.
- Do not click on links or open attachments from unknown users.
- Likewise, Adobe's Flash and Java's Runtime Environment (JRE) are common threat vectors. If you use these applications, we recommend you review the "Options" and update the settings to prompt the user before running.

Web Sites and Internet Activity:

- Surf securely. Ensure URLs (web addresses) begin with HTTPS:// and display a locked padlock symbol.
- Unless absolutely certain you know where the link will take you, avoid websites with foreign domain designations such as ".cn" or "ru" or ".ir"
- When selecting security questions for personal accounts, think "outside the box" and avoid using information that can be easily traced back to you such as your mother's maiden name, a former street address, etc.
- Ensure you are using the security features in your web browser by enabling "SSL" and "TLS" in the Settings options.
- Type with care. Hackers often register "misspelled" domains such as "answre.com" versus "answer.com" or "micr0soft.com" versus "microsoft.com" to infect unwitting web surfers.

Social Media Security:

- Be cautious about posting personal information in profiles. Details such as your Title, Organization, Duties, Travel Schedules and Locations may be used by hackers for social engineering or email spear-phishing purposes.
- Facebook, Twitter, Linkedln and other social media platforms are invaluable tools for networking purposes. However, they can introduce a variety of cybersecurity hazards to include release of unauthorized data, damage to reputations, opportunities for social engineering, as well as lawsuits stemming from inappropriate use. When using these tools, be mindful of these risks.
- Social media users often consider such sites as a means for personal expression, but if used inappropriately, they can also pose a risk to the mission and your organization.
- Users have to be extra vigilant about friending bogus Facebook accounts, which can allow hackers to harvest sensitive user photos, phone numbers, and email addresses for social engineering attacks.

E-mails:

- Be on the lookout for messages that don't seem "right" or are too good to be true.
- Financial Institutions, Utility Companies, Internet Service Providers and other institutions almost always have your account information to include PINs, Passwords, and Security Questions. So, it is extremely rare for requests to be made via email. Always call to confirm if there is a question using the phone numbers on your credit/ATM card, billing statement or official website.
- Be wary if an e-mail attempts to prove legitimacy by using words such as "official," "mandatory," "urgent," or try to instill a sense of urgency or fear by stating that it's "your last warning!"
- Before clicking any links, ensure the text in the email matches the associated URL by holding the cursor over the link so the website link is shown. If the link doesn't match, it's very likely a spear-phishing attempt.

Passwords and Passphrases:

- If possible, always use 2-factor authentication when logging into accounts on commercial sites. For example, an email or bank account that not only requires a password, but a code to be entered that is texted to a cellphone or displayed on a printable, single use pad.
- Use different passwords or passphrases for each account. There are several tools available online to assist with generating and managing your personal passwords and passphrases. We recommend researching and choosing the one that best meets your personal needs.

- Strong passwords have the following features:
1. Are a minimum of 8 characters long and include at least one number, one capital letter, one lower case letter and one special character. Also, they avoid use of keyboard progression patterns such as "123$QWEr"
2. Do not contain names or words that can be found in any dictionary (including foreign languages) or on your social media.
3. Do not contain your user name, real name or company name.
4. Are significantly different from previous passwords.

- Strong passphrases, which are typically longer than passwords and contain multiple words that create a phrase such as "horsestaplebattery" or "coyotehammerdeep" have the following features:
1. Are 15-30 characters long in the form of a series of words that create a phrase.
2. Do not contain common phrases that are in literature or music, or found in the dictionary.
3. Do not contain your user name, real name or company name.
4. Are significantly different from previous passphrases used.

- Extend Spring Cleaning to your cyber hygiene by routinely changing passwords/passphrases on all your accounts. However, avoid changing passwords in a serial fashion such as "P@ssWord2015" being replaced with P@ssWord2016
- If you save your passwords/passphrases to a file on your computer, mobile device, or in the cloud, always password protect and/or encrypt it!
- Do not write down your passwords and keep them in your wallet/purse or posted in your work area.
- Finally, do not allow your browser to store your passwords/passphrases. Although it's convenient, it increases your risk since anyone with access to your browser can see them.

DISCLAIMER: The inclusion of commercial vendor names, services or products herein does not constitute endorsement by the U.S. Department of Defense, U.S. Air Force or 24th Air Force.