National Cybersecurity Awareness Month 2020

  • By 2nd Lt. Morgan Robinson & 2nd Lt. Brice Tucker
  • 6th Communications Squadron

Since 2004, October has been recognized as National Cybersecurity Awareness Month. The month was designated by the National Cyber Security Alliance (NCSA) and the U.S. Department of Homeland Security (DHS) to help Americans operate more securely online and to decrease the number of successful cyberattacks.

In the beginning stages of the month's recognition, the main focus was prompting users to update their system's antivirus software and perform routine patch installation.

Today it focuses on a wide range of relevant cybersecurity topics and has grown tremendously in scope and participation. From 2009 up until 2018, the theme was "Our Shared Responsibility." The theme highlighted the important role that we all share in protecting our digital assets, from large enterprise networks to the individual PC user.

The theme has changed since then, and for 2020 it is "Do Your Part. #BeCyberSmart." This year's theme aims to push organizations and individual users to take on more responsibility in protecting their digital assets.

Now more than ever, we must place our focus on the cyber domain and realize its importance, not only as members of the military community, but ultimately as Americans, because how we protect ourselves and our assets will determine our future.

The first step each of us should take is toward education. Having a baseline understanding of cyber criminals' tools and techniques is essential to defend against them. The most common attack methods seen today are phishing, vishing, social engineering, and physical security breaches.

Phishing, pronounced with an "F," and vishing are both methods of social engineering. Social engineering is used by threat actors to pose as a trusted or reputable authority, attempting to gain unauthorized access to sensitive information using manipulation or deception. During phishing attempts, threat actors send digital messages, such as an email or text message, to an individual to gain personal information about that individual or their organization. In combination with fabricated emails and text messages, threat actors also use websites that impersonate legitimate organizations or companies.

Vishing, short for voice phishing, is typically done over the phone. This is a common way threat actors find information on Department of Defense personnel. To show just how common and easy it is for vishing to occur, let's break down a recent exercise that happened here at MacDill.

A special team was put together, charged with conducting vishing attempts across the base. The exercise results showed that many individuals revealed sensitive information about themselves and current missions at MacDill. This exercise highlighted precisely how important it is to be mindful of what information you give out.

In this case, the people receiving this information were running an exercise; however, in a real-world situation, the information given out could have severely harmed MacDill's mission and/or personnel.

Lastly, physical security is one of the least considered but easiest ways to secure our digital resources. Users should make sure they keep their Common Access Cards (CAC) and Secret Internet Protocol Router Network tokens on hand and do not leave them unattended in plain sight.

There are many added benefits to the CAC other than being a physical access card. Have you ever wondered why DOD personnel use CACs with PINs instead of usernames and passwords? The answer is that it's more secure! Usernames and passwords leave your data unprotected against phishing attacks, false authentication, hijacking, and theft.

So what do CACs and PINs do that usernames and passwords don't? Your physical Common Access Card is Public Key Infrastructure enabled, and your PIN serves as a private key. That means that your CAC and its PIN work together to secure data on the computer or device you use them on. It does this by employing Multi-Factor Authentication or MFA.

Simply put, MFA helps ensure that the only person able to access your data is you. When MFA is used to secure an account, the user must enter two independent pieces of identifying information to unlock the account. These pieces of data can be something you know, something you have, or something you are. In this example, your CAC acts as the thing you have, and your PIN is the thing you know. Although MFA is more secure than a simple username and password, it's important to remember that your PIN is private, and you should take steps to secure it. It’s highly encouraged to leverage MFA on your personal devices, applications and websites.

Before the close of the month, we at the 6th Communications Squadron ask you to take the time and think about your cybersecurity knowledge and your unit as a whole. The month is geared towards taking an active approach in your personal and workplace security.

Ask yourself, when you go home at the end of the day, are you taking the best precautions to protect yourself online? Just because the month comes to a close does not mean that you no longer have an obligation to play your part in cybersecurity.