Computer Security New Hire Briefing

Air Force Sustainment Center
Hill AFB Computer Security for New Hires
75 ABW/SCXO
March 2014
Program Overview
75TH AIR BASE WING
• Information System Access
• Consent to Monitor
• Air Force Messaging
• Social Media and Discussion Forums
• Social Engineering
• Security Incident Reporting
• Inappropriate Use of the Hill AFB Network
SPECIAL INTEREST ITEMS
• Personally Identifiable Information (PII)
• Removable Media
Information System Access
• Access to an Air Force Information System (IS) is a privilege, not a right. Continued access may be withdrawn based on personal conduct, personnel actions, a change in need to know, or operational necessity.
• If unsure about any Information System requirement, contact the organizational Information Assurance Officer (IAO).
What is Monitored?
• Essentially everything is monitored:
    • Emails
    • Computer networks and devices: desktop PCs, laptops, notebooks, tablets, printers
    • Internet websites
    • Phones, including BlackBerry and other smartphones
• You consent to this monitoring when you:
    • Log into a computer (the logon consent banner)
    • Use a phone bearing the red sticker (DD Form 2056)
    • Sign user agreements (AF Form 4394, removable media agreements, etc.)
Why Monitor?
• To ensure appropriate measures are taken to protect all Air Force information system resources and information effectively and efficiently.
• To apply appropriate levels of protection against threats to, and vulnerabilities of, information systems.
• To prevent denial of service, corruption, compromise, fraud, waste, and abuse.
• To protect our people and resources.
• To stop adversaries from monitoring our systems.
• To protect classified or sensitive information.
Monitoring the Network
• Network traffic is monitored, logged, and reviewed daily.
• User conduct that is inconsistent with IA policies and guidelines may result in immediate suspension of access to unclassified and classified ISs.
• Violations of IA policies and guidelines include, but are not limited to:
    • Unauthorized use of the network
    • Failure to maintain annual DoD IA awareness training
    • Actions that threaten the security of a network or a governmental communications system (e.g., willful downloading of malicious software, attempting to add unauthorized software, unauthorized flash drive usage)
    • Actions that knowingly threaten or damage DoD IS or communications security (hacking or inserting malicious code or viruses, theft, destruction of IT assets, willfully not using encryption)
Air Force Messaging
• Electronic messaging (including email and instant messaging) users will:
    • Maintain responsibility for the content of their electronic messages.
    • Maintain sent and received information according to Air Force records management directives.
    • Adhere to local policy on sending electronic messages to a large number of recipients. Digital images, as well as mass distribution of smaller messages, may delay other traffic, overload the system, and subsequently cause system failure.
    • Only reply to electronic messages that absolutely require a response, and minimize use of the "Reply to All" function.
    • Bear sole responsibility for material sent.
    • Not auto-forward electronic messages from the .mil domain to a commercial Internet Service Provider (ISP).
Email Digital Signature
• Use your PKI (Public Key Infrastructure) CAC digital signature certificate when:
    • The recipient needs assurance of the sender's identity (non-repudiation). Socially engineered e-mails are the number one attack used by our adversaries to compromise sensitive information across the DoD.
    • The recipient must have confidence the message has not been modified. A digital signature lets the recipient detect any change made to the message after it was signed, so signed e-mail increases confidence that the contents are trustworthy and come from legitimate DoD personnel or systems.
    • The message contains an embedded hyperlink and/or attachment.
• Note what a valid signature does and does not prove: it shows which CAC signed the message and that the message was not altered afterward; it does not vouch for the safety of a link or attachment, so still check those before opening them.
• Should I just digitally sign all emails? NO! Unofficial information should NOT be digitally signed.
Email Encryption
• Use e-mail encryption to protect the following types of information:
    • For Official Use Only (FOUO)
    • Privacy Act information (reference AFI 33-332)
    • Personally Identifiable Information (PII)
    • Individually identifiable health, DoD payroll, finance, logistics, personnel management, proprietary, and foreign government information
    • Contract data
    • Export controlled technical data or information
    • Operational information regarding status, readiness, location, or operational use of forces or equipment (reference AFI 10-701)
• Like digital signatures, encrypted e-mail increases bandwidth and resource requirements.
Social Media and Discussion Forums
• When using Federal Government resources, users shall comply with OPSEC guidance and shall NOT represent the policies or official position of the DoD.
• The following will NOT be posted on any DoD-owned, -operated, or -controlled publicly accessible site or on commercial Internet-based capabilities:
    • Classified information
    • For Official Use Only (FOUO)
    • Controlled Unclassified Information
    • Critical Information
    • Personally Identifiable Information (PII)
• Users are responsible for following Information Assurance and OPSEC guidance and policies.
Social Engineering
• Social engineering is considered an intentional threat. The term is used among hackers for attack techniques that rely on weaknesses in human nature rather than in software. The goal is to trick people into revealing passwords and other information that compromises the security of your system.
• You can play a vital role in preventing social engineering by following these tips:
    • Never give your passwords to anyone for any reason.
    • Verify the identity of all callers (call back on a number from the directory, not one the caller supplies).
    • Don't give out information about other employees.
    • Never type things into the computer when someone tells you to unless you know exactly what the commands will do.
    • Never answer questions from telephone surveys.
Security Incident Reporting
• A security incident is an assessed occurrence that actually or potentially jeopardizes the confidentiality, integrity, or availability of an IS.
• Security incidents can include, but are not limited to:
    • Data spillage: data of a higher classification level is placed on a system or device accredited for a lower classification level, or across compartments.
    • Classified message incidents: data of a higher classification level is transferred to a system or device of a lower classification level via a messaging system.
• Report any suspected incident to your IAO or CST (see Your Responsibilities).
Inappropriate Use
• DO NOT use federal government communications systems for unauthorized personal use (reference DoD 5500.7-R, Joint Ethics Regulation (JER)).
• DO NOT engage in uses that reflect adversely on DoD or AF:
    • Personal web surfing (bill-paying, travel sites, shopping, etc.)
    • Investment sites (using stock tickers)
    • Chain letters/e-mails
    • Unofficial soliciting
    • Selling (except on established and authorized Internet-based capabilities)
• DO NOT store, process, display, send, or otherwise transmit unauthorized or prohibited content, such as but not limited to:
    • Pornography, sexually explicit or sexually oriented material, nudity
    • Hate speech or ridicule of others on the basis of a protected class (e.g., race, creed, religion, color, age, sex, disability, national origin)
    • Militancy/extremist activities
    • Terrorist activities
    • Personal gain
Inappropriate Use (Cont)
• DO NOT store or process classified information on any system not approved for classified processing.
• DO NOT use copyrighted material in violation of the rights of the copyright owner (consult JA for "fair use" advice).
• DO NOT obtain, install, copy, store, or use software in violation of the vendor's license agreement.
• DO NOT view, change, damage, delete, or block access to another user's files or communications without appropriate authorization or permission.
• DO NOT use the account or identity of another person or organization without authorization.
• DO NOT permit an unauthorized individual access to a government-owned or government-operated system.
Inappropriate Use (Cont)
• DO NOT modify or alter the network operating system or system configuration without first obtaining written permission from the administrator of that system.
• DO NOT download files from unfamiliar sites.
• DO NOT download and install freeware, shareware, or any other software product without Designated Approval Authority (DAA) approval.
Consequences
• Misuse of the network may result in:
    • Disabling of the user account for an indefinite period
    • The offender and the offender's commander briefing wing/center command
    • Reprimand
    • Suspension (3-day, 5-day, and 7-day)
    • Harassment charges
    • OSI/FBI investigations
    • Loss of job
    • Jail time
• Applies to military, civilian, and contractor personnel.
Video #1
Personally Identifiable Information (PII)
What is PII?
• Information about an individual that identifies, links to, relates to, is unique to, or describes him or her. Some examples are:
    • SSN
    • Age
    • Civilian/military rank
    • Marital status
    • Race
    • Salary
    • Home/office phone numbers
    • Medical/financial information
Personally Identifiable Information (PII)
• Emails containing PII:
    • Must be encrypted
    • Must have "FOUO" at the beginning of the Subject line
    • Must have the following statement at the beginning of the email:
"This e-mail contains FOR OFFICIAL USE ONLY (FOUO) information which must be protected under the Freedom of Information Act (5 U.S.C. 552) and/or the Privacy Act of 1974 (5 U.S.C. 552a). Unauthorized disclosure or misuse of this PERSONAL INFORMATION may result in disciplinary action, criminal and/or civil penalties. Further distribution is prohibited without the approval of the author of this message unless the recipient has a need to know in the performance of official duties. If you have received this message in error, please notify the sender and delete all copies of this message."
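The three rules above are mechanically checkable, and an outbound mail gateway or DLP rule can enforce them. The following is an added example written for this page (it is not part of the briefing and not Air Force tooling): it parses an RFC 822 message, treats an SSN-shaped value in a plaintext body as the PII indicator, and reports which rules the message breaks. An S/MIME-encrypted message is recognized by its Content-Type (application/pkcs7-mime with smime-type=enveloped-data); its body is ciphertext, so the encryption rule is met and nothing inside can be inspected. The sample messages, the addresses, the placeholder SSN 123-45-6789, and the choice of the SSN pattern as the sole PII indicator are all constructed assumptions.

```python
"""Outbound-mail check for the PII e-mail rules: encrypted, FOUO subject, FOUO statement.

Added example, not part of the briefing. Sample messages are constructed; using an
SSN pattern as the only PII indicator is an assumption (a real DLP rule set uses more).
"""
import email
import re
from email import policy

# SSN-shaped token (NNN-NN-NNNN). One indicator among several a real rule set would use.
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")

# Opening words of the required statement; the full text is in the briefing.
FOUO_BANNER = "This e-mail contains FOR OFFICIAL USE ONLY (FOUO) information"


def is_smime_encrypted(msg) -> bool:
    """True if the top-level body is an S/MIME EnvelopedData blob (i.e. ciphertext)."""
    if msg.get_content_type() not in ("application/pkcs7-mime", "application/x-pkcs7-mime"):
        return False
    return (msg.get_param("smime-type") or "").lower() == "enveloped-data"


def plain_text_body(msg) -> str:
    """Concatenate every text/plain part; walk() yields the message itself when not multipart."""
    parts = [p for p in msg.walk() if p.get_content_type() == "text/plain"]
    return "\n".join(p.get_content() for p in parts)


def subject_marked_fouo(msg) -> bool:
    """Rule 2: the Subject line must begin with FOUO."""
    return str(msg["Subject"] or "").strip().upper().startswith("FOUO")


def check_message(raw: str) -> list:
    """Return the PII-handling rules the message violates (empty list = pass)."""
    msg = email.message_from_string(raw, policy=policy.default)

    if is_smime_encrypted(msg):
        # Rule 1 is satisfied and the body cannot be inspected; the subject marking
        # on an encrypted message remains the sender's responsibility.
        return []

    body = plain_text_body(msg)
    if not SSN_RE.search(body):
        return []  # no PII indicator found, so the special rules do not apply

    findings = ["contains PII but is not encrypted"]          # rule 1
    if not subject_marked_fouo(msg):
        findings.append('subject line does not begin with "FOUO"')   # rule 2
    if not body.lstrip().startswith(FOUO_BANNER):
        findings.append("required FOUO statement is not at the beginning of the body")  # rule 3
    return findings


# Constructed samples (fictitious addresses; 123-45-6789 is a placeholder, not a real SSN).
UNMARKED_PLAINTEXT = """\
From: sender@example.mil
To: recipient@example.mil
Subject: Inprocessing roster
Content-Type: text/plain; charset="us-ascii"

Please add SSN 123-45-6789 to the roster.
"""

MARKED_PLAINTEXT = """\
From: sender@example.mil
To: recipient@example.mil
Subject: FOUO - Inprocessing roster
Content-Type: text/plain; charset="us-ascii"

This e-mail contains FOR OFFICIAL USE ONLY (FOUO) information
which must be protected under the Freedom of Information Act (5 U.S.C. 552)
and/or the Privacy Act of 1974 (5 U.S.C. 552a).
Please add SSN 123-45-6789 to the roster.
"""

ENCRYPTED = """\
From: sender@example.mil
To: recipient@example.mil
Subject: FOUO - Inprocessing roster
Content-Type: application/pkcs7-mime; smime-type=enveloped-data; name="smime.p7m"
Content-Transfer-Encoding: base64

MIAGCSqGSIb3DQEHA6CAMIACAQAxggE=
"""


def audit(samples: dict) -> dict:
    """Run check_message over a name -> raw message mapping."""
    return {name: check_message(raw) for name, raw in samples.items()}


if __name__ == "__main__":
    results = audit({"unmarked": UNMARKED_PLAINTEXT, "marked": MARKED_PLAINTEXT,
                     "encrypted": ENCRYPTED})
    for name, findings in results.items():
        print(f"{name}: {findings or ['OK']}")
```

The unmarked plaintext sample trips all three rules, the marked plaintext sample trips only the encryption rule, and the encrypted sample passes. Note the limit of this kind of check: once a message is encrypted the gateway cannot see whether PII is inside, so the sender is still the one responsible for applying the FOUO subject marking and statement.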
Personally Identifiable Information (PII)
Best practices to protect PII:
• Ensure the recipient has an official need to know before including PII in an email.
• Digitally sign and encrypt all emails containing PII.
• Ensure websites are secure and that you have authorization before posting PII.
• Use cover sheets to protect PII in your work area (AF Form 3227 or DD Form 2923).
• Shred or destroy documents before disposing of them.
Personally Identifiable Information (PII)
Consequences for PII violations:
• User account disabled
• Must re-accomplish IA training
• Request to enable the user account must come from the first O-6 or GS-15 in the user's chain of command (after the request is received it can take up to an additional 4 days to enable the account)
Removable Media
• Removable media refers to information system storage media that can be removed from its reader device, conferring portability on the data it carries:
    • Diskettes
    • CDs/DVDs
    • USB storage devices
    • Any other device on which data is stored and which is normally removable from the system by the user or operator
Removable Media Policies
• Because of the vulnerabilities associated with removable media, you must adhere to the guidelines and policies established by DoD, the Air Force, and your organization.
• The Chief of Staff of the Air Force implemented a policy prohibiting the use of flash media storage devices that use a Universal Serial Bus (USB) connection.
• AFMAN 33-282, paragraph 6.8.4: Do not connect privately-owned media or peripheral devices (including, but not limited to, music/video CDs/DVDs, iDevices, commercial MP3 players, and Universal Serial Bus [USB] drives) to AF ISs and GFE.
    • Listen carefully: this includes devices plugged into a USB port only to charge the device's battery (iPhone, smartphone, iPod, etc.). A phone on a USB cable still enumerates as a device on the data lines, so "charge only" is still a connection. DON'T DO IT!
Consequences
• The machine(s) will be removed from the network.
• The user must explain to his/her Commander/Director why they violated the prohibition.
• The Commander/Director must brief the user and ensure the user fully understands what dangers and/or vulnerabilities their actions could have introduced to the ENTIRE network.
• The machine will not be reinstated until the Commander/Director notifies 75 ABW/SC that the briefing occurred and provides the justification/reason for the infraction.
• If the network is jeopardized, action will be taken accordingly.
Caution
• Do not bring personal computer equipment or accessories to work.
• Do not input or store government information on privately owned equipment and media without specific approval of the DAA. Contact your CST or IAO for assistance.
• Use only government-issued equipment to ensure security.
• Do not use public computing facilities (e.g., Internet cafés and kiosks, hotel business centers, etc.) for processing government-owned unclassified, sensitive, or classified information.
    • Using these resources to access web-based government services (e.g., MyPay) constitutes a compromise of log-in credentials and must be reported to your CST immediately.
Your Responsibilities
• Use the network for official/authorized business ONLY.
• Maintain good passwords and keep them secure.
• Lock or log off your computer when not in use.
• Keep track of your CAC at all times.
• Report all problems or unusual network/computer activity to your IAO or CST.
Use Good Judgment
QUESTIONS?