Appropriate Use
|
As we store more and more information in computer data bases, and
as these data bases become more closely linked in networks, more people have broader
access to more information than ever before. Computer technology has magnified many times
the ability of a careless or disaffected employee to cause severe damage. | This topic
discusses rules for using your computer. You should also read Computer Vulnerabilities in the Vulnerability to Technical Operations module,
which describes in nontechnical language the security and other vulnerabilities of
computer networks that make some of these rules necessary. Owing to the magnitude of problems that can be caused by misuse of computer systems, Misuse of Technical Information Systems is now one of the 13 criteria used in adjudicating approval and revocation of access to classified information. See Adjudicative Guidelines for Determining Access to Classified Information. |
 |
Many aspects of computer use are governed by your organization's policy rather than by federal government regulation. Many government agencies and defense contractors specify the security procedures and prohibited or questionable activities discussed below.
Security Procedures
- Do not enter into any compartmented computer system without authorization. Unauthorized entry into a protected or compartmented computer file is a serious security violation and is probably illegal. It can be a basis for revocation of your security clearance. Whether motivated by the challenge of penetrating the system or by simple curiosity to see what is there, unauthorized entry is a deliberate disregard for rules and regulations. It violates the need-to-know principle and in some cases is an invasion of privacy.
- Do not store or process classified information on any system not explicitly approved for classified processing. See Security of Hard Drives.
- Do not attempt to circumvent or defeat security or auditing systems without prior authorization from the system administrator, other than as part of an authorized system testing or security research.
- Do not use another individual’s used, password, or identity.
- Do not permit an unauthorized individual (including spouse, relative or friend) access to any sensitive computer network.
- Do not reveal your password to anyone -- not even your computer system administrator. See Passwords
- Do not respond to any telephone call from anyone whom you do not personally know who asks questions about your computer, how you use your computer, or about your userid or password. See "Social Engineering."
- If you are the inadvertent recipient of classified material sent via e-mail or become aware of classified material on an open bulletin board or web site, you must report this to the security office.
Prohibited Activities
- Activities for the purpose of personal entertainment or financial gain, including games, business or service solicitations, chain letters, etc.
- Religious proselytizing or lobbying on behalf of an organization having no affiliation with the U.S. Government.
- Partisan political activity or political lobbying.
- Storing, processing, or displaying offensive or obscene material, such as sexually explicit material, "hate literature," etc.
- Annoying or harassing another individual, e.g., through uninvited e-mail of a personal nature, using lewd or offensive language, etc.
- Participating in Internet "chat rooms" or open forum discussion from your office computer unless for official purposes and after approval by appropriate authorities.
- Use of unlicensed or unauthorized software. Copying copyrighted software, unless site license allows copying.
- Unauthorized modification, destruction, manipulation, or denial of access to information residing on a computer system.
- Modifying or altering the operating system or configuration of any system without first obtaining permission from the owner or administrator of that system.
Questionable Activities
The following activities, while not absolutely prohibited, are almost always inappropriate. Individuals may be asked to justify their reasons for engaging in such activities.
- Inconsiderate conduct toward other system users.
- Storing files or materials not needed for work and which could reasonably be used for illegal or fraudulent purposes.
- Excessive use of computing resources, such as storage or transfer of excessively large files, which in the judgment of the system administrator, interferes with other legitimate uses or degrades system performance.
As a result of the Internet and e-mail, there has been a sharp increase in security incidents involving the accidental disclosure of classified and other sensitive information. One common problem occurs when individuals download a seemingly unclassified file from a classified system, and then fail to carefully review this file before sending it as an attachment to an e-mail message. Too often, the seemingly unclassified file actually has some classified material or classification markings that are not readily apparent when the file is viewed on line. Sending such material by e-mail is a security violation even if the recipient has an appropriate security clearance, as e-mail can easily be monitored by unauthorized persons. See E-Mail Pitfalls in Computer Vulnerabilities.
More important, even if the downloaded file really is unclassified, certain technical procedures are required prior to sending that file by e-mail or on diskette to anyone else. A file downloaded from a classified network may have recoverable traces of classified information. This happens because data is stored in "blocks." If a document does not take up an entire block, the remainder of that block may have recoverable traces of data from other files. (See Security of Hard Drives for further information on this.) Your system administrator must follow an approved technical procedure for removing these traces before the file is treated as unclassified.
One organization had so many violations dealing with downloading and retransmitting unclassified files from its classified system that it found it necessary to lock its computer drives. This means that only the system administrator can download from the classified system. The system administrator processes the material and authorizes transmittal by e-mail as appropriate.
Security of Hard Drives
Secrets in the computer require the same protection as secrets on paper. This is because information can be recovered from a computer hard drive even after the file has been deleted or erased by the computer user. It is estimated that about a third of the average hard drive contains information that has been "deleted" but is still recoverable. 1
When you delete a file, most computer operating systems delete only the "pointer" which allows the computer to find the file on your hard drive. The file itself is not deleted until it is overwritten by another file. This is comparable to deleting a chapter heading from the table of contents of a book, but not removing the pages on which the chapter is written. Some networks may be configured to "wipe" or purge the hard drive when information is deleted, but most are not.
Computers on which classified information is prepared must be kept in facilities that meet specified physical security requirements for processing classified information. If necessary to prepare classified information on a computer in a non-secure environment, use a removable hard drive or laptop that is secured in an approved safe when not in use. Alternatively, use a typewriter.
Check with your security office concerning rules for traveling with a laptop on which classified or other sensitive information has been prepared. Laptop computers are a particular concern owing to their vulnerability to theft.
Computer Passwords
Passwords are used to authenticate an individual’s right to have access to certain information. Your password is for your use only. Lending it to someone else is a security violation and may result in disciplinary action against both parties. Never disclose your password to anyone. Memorize it – do not put it in writing. If you leave your terminal unattended for any reason, log off or use a screen lock. Otherwise, someone else could use your computer to access information they are not authorized to have. You will be held responsible if someone else uses your password in connection with a system transaction.
Do change your password regularly. Use a password with at least six and preferably eight characters and consisting of a mix of upper and lower case letters, numbers, and special characters such as punctuation marks This mix of various types of characters makes it more difficult for a hacker to use an automated tool called a "password cracker" to discover your password. Cracking passwords is a common means by which hackers gain unauthorized access to protected systems.
For additional information on selecting a strong password and why this is so important, see Passwords and the case studies in Computer Vulnerabilities.
"Social Engineering"
"Social engineering" is hacker-speak for conning legitimate computer users into providing useful information that helps the hacker gain unauthorized access to their computer system.
The hacker using social engineering usually poses as a legitimate person in the organization (maintenance technician, security officer, inexperienced computer user, VIP, etc.) and employs a plausible cover story to trick computer users into giving useful information. This is usually done by telephone, but it may also be done by forged e-mail messages or even in-person visits.
Most people have an incorrect impression of computer break-ins. They think they are purely technical, the result of technical flaws in computer systems which the intruders are able to exploit. The truth is, however, that social engineering often plays a big part in helping an attacker slip through security barriers. Lack of security awareness or gullibility of computer users often provides an easy stepping stone into the protected system if the attacker has no authorized access to the system at all.
For additional information see "Social Engineering" and the two case studies in Computer Vulnerabilities.
Laptop Computers – Vulnerability to Theft
Laptop computers are a prime target for theft for the value of the information on them as well as for the value of the computer. According to Safeware, a computer insurance firm in Columbus, Ohio, 309,000 laptop computers were stolen in the United States during 1997. There is also a high risk of theft during foreign travel. See Theft of Laptops and Theft While Traveling.
The best protection for information on your laptop is to encrypt all sensitive files and e-mail. A variety of keys, cards, and other physical means of preventing unauthorized access to information on a laptop are now coming on the market. Evaluate the various alternatives to see if one of them meets your needs.
Here are some other guidelines for protecting laptops:
- Never let a laptop out of your sight in an airport or other public area. If you set it down while checking in at the airport counter or hotel registration desk, lean it against your leg so that you can feel its presence, or hold it between your feet.
- When going through the airport security check, don't place your laptop on the conveyor belt until you are sure no one in front of you is being delayed. If you are delayed while passing through the checkpoint, keep your eye on your laptop.
- Never, ever, check your laptop (or other valuables) with your luggage.
- Never keep passwords or access phone numbers on the machine or in the case.
- If possible, put your laptop in a bag that does not resemble a laptop carrying case.
- If your hotel room has a safe, keep your laptop in the safe while you are out of the room.
- Before traveling, back up all files.
Related Topics: Computer Vulnerabilities, The Insider Threat to Information Systems.
References
1. Alex Markels, The messy business of culling company
files. The Wall Street Journal, May 22, 1997, p. B1
HOME | PROTECTING UNCLASSIFIED CONTENTS | TOP OF PAGE | HELP
SECURITY | THREATS | TECH VULNERABILITY | ASSISTANCE | SPY STORIES | TREASON 101