|If access control is:||the vulnerability is:||and information can be:|
|Open -- no access limitations, plain text, unencrypted.||Extremely high. Subject to worldwide dissemination and access by everyone on the Internet.||Non-sensitive, of general interest to the public, cleared and authorized for public release. Worldwide dissemination must pose limited risk even if information is combined with other information reasonably expected to be in the public domain.|
|Limited by Internet domain (e.g., mil, gov) or IP address. Plain text, unencrypted.||Very high. This limitation is not difficult to circumvent.||Non-sensitive, not of general interest to the public although approved and authorized for public release. Intended for DoD or other specifically targeted audience.|
|Limited by requirement for User ID and password. Plain text, unencrypted.||High. Still vulnerable to hackers, as User IDs and passwords can be compromised if encryption is not used.||Non-sensitive information that is appropriate only for a specific targeted audience.|
|User certificate based (software). Requires PKI. encryption through use of secure sockets layer.||Moderate. This provides a moderate level of secure access control.||Sensitive but unclassified information, and information that is "sensitive by aggregation."|
|User certificate based (hardware). Requires PKI encryption.||Very low vulnerability.||Sensitive but unclassified information, and information that is "sensitive by aggregation" where extra security is required.|
Before putting any information on a web site, you must consider how an adversary or competitor might use that information to target your organization's personnel or activities. This requires applying risk management concepts to balance the benefits gained from using the Internet against the potential security and privacy risks created by having that information available to a worldwide audience.
There are several common mistakes that people make when deciding what to put on a web site. One is to ignore the danger associated with personal data on the Internet. Another is to assume that information is not sensitive just because it is not marked with any sensitivity indicator. A third is that people underestimate the ease and potential significance of "point-and-click aggregation" of information.
Inclusion of information about home addresses or family members in biographic summaries is one of the most common errors. Personal information that could facilitate criminal, harassment, or terrorist activity against military personnel or government or defense contractor employees should not be on the Internet. This includes home address, telephone numbers other than those readily available to the public, social security number, date of birth, and any identifying information at all about family members.
For Official Use Only information and other sensitive information is normally marked with a sensitivity indicator at the time it is created. However, the absence of any sensitivity marking is not a valid basis for assuming that information is non-sensitive. Before putting unmarked information on a web site, it must be examined for the presence of information that requires protection and qualifies as exempt from public release. Don't depend on your memory or general impressions when trying to make this determination. Check the appropriate classification guide or regulation or ask a knowledgeable person.
People who have not themselves developed strong skills at searching the Internet generally underestimate the amount and nature of the information that can be found there and the ease with which it can be located. The vast quantity of information on the Internet, combined with powerful computer search engines, has spawned sophisticated "data mining" techniques for the rapid collection and combination of information from many different web sites. Very little know-how is needed, as the tools of the Internet have been designed to do this. A single user sitting at a computer in a foreign country can now identify, aggregate, and interpret information available on the Internet in ways that sometimes provide insights into classified or sensitive but unclassified programs or activities.
Information relevant to operations security (OPSEC) is a particular concern. Commanders and program managers responsible for OPSEC need to identify what needs to be protected and then take a "red team" approach to how outsiders might obtain unauthorized knowledge. As a double check, military reserve units have been tasked to conduct ongoing operations security and threat assessments of DoD web sites.
One useful tool is to do your own keyword search on the Internet to learn what related information is already out there that others might use to deduce information about your sensitive activity. As you visit these other sites or read newsgroup messages, see if they have information that could be used in conjunction with your information, or with information from some other site, to deduce your sensitive information.
For example, seemingly non-sensitive technical data, when associated with a specific research or development program, might provide clues to a new weapon's capabilities, vulnerabilities, or intended uses. Similarly, unclassified and seemingly innocent information on things such as personnel travel, commercial support contracts, changes in unit deployment or training, changes in communications patterns, messages between soldiers and family members, supply and equipment orders or deliveries, etc., might, when combined with other information, provide a tip-off to sensitive plans and intentions.
1. "Web Site Administration Policies and Procedures, November 25, 1998, Office of the Assistant Secretary of Defense (C3I). Approved by the Deputy Secretary of Defense December 7, 1998. The full document is available on the Internet at www.defenselink.mil/admin/about.html#WebPolicies.