Module 1 - Why Information Assurance?

Topic 1 - Recent News

Publicity of attacks on information systems is increasing. Examples of two news stories are shown here. Click on a headline to read the story.

Topic 2 - Evolution of IS

Fifty years ago, computer systems presented relatively simple security challenges. They were expensive, isolated in environmentally controlled facilities, and their use was an arcane art understood by few. Consequently, protecting them was relatively easy, a matter of controlling access to the computer room and clearing the small number of specialists who needed such access. As these systems evolved, their connectivity was extended, first by remote terminals and eventually by local and wide-area networks, also known as LANs and WANs.

As size and price came down, microprocessors began to appear in the workplace, in homes, and eventually on the battlefield. What was once a collection of separate systems is now best understood as a single, globally connected network. As such, information assurance includes infrastructures we neither own nor control. Because of the global connectivity, a risk to one is a risk to all.

Topic 3 - Definitions

We need to apply the concepts of Information Operations, or IO, Information Assurance, or IA, and Information Systems Security, or INFOSEC, to nearly everything we do in order to protect ourselves and to stay ahead of potential adversaries. Please click on a term for the definition.

Topic 4 - Principles

A secure information system provides three properties: confidentiality, integrity and availability. Click on a corner to find out more.

Confidentiality ensures that people who don't have the appropriate clearance, access level and "need to know" do not access the information.

Integrity ensures that information is not modified or destroyed without authorization.

Availability means that information services are there when you need them.

Topic 5 - Policy and Law

To stem attacks against Department of Defense systems, it is imperative that you are aware of the possibility of these attacks occurring and of your responsibilities towards protecting our information resources. Public Law 100-235, or the Computer Security Act of 1987, the Presidential Decision Directive 63, or PDD 63, and OMB Circular A-130 require that all users of Federal computer systems be trained in information systems security concerns.

Here are two policies which require that DOD information resources be protected. Click on a policy to learn more.

Take a moment to read some key points from DOD Directive 5200.28. This directive is being rewritten and will be issued as DOD Directive 8500.XX.

Please take a moment to read this description of DOD Instruction 5200.40 that defines the DOD Information Technology Security Certification and Accreditation Process or DITSCAP. For more information regarding the DITSCAP, visit the resources section.

Topic 6 - CIP

Critical Infrastructure Protection is a national program to protect critical infrastructures, which are those physical and cyber-based systems essential to the minimum operations of the economy and government. They include, but are not limited to, telecommunications, energy, banking and finance, transportation, water systems and emergency services, both government and private.

Many of the nation's critical infrastructures have historically been physically and logically separate systems that had little interdependence. However, these infrastructures have become increasingly automated and interlinked, creating new vulnerabilities to equipment failures, human error, weather and other natural causes, as well as physical and cyber attacks. DOD developed a plan that addresses how DOD will protect its portion of the federal government critical infrastructure.



Module 2 - Threat

Topic 1 - Threats and Vulnerabilities

It is important to understand the difference between threats and vulnerabilities and how they can affect your system. Click on an icon to learn more.

A threat is any circumstance or event with the potential to cause harm to an information system in the form of destruction, disclosure, adverse modification of data, and/or denial of service.

A vulnerability is a weakness in an information system, cryptographic system, or components that could be exploited.

Topic 2 - Types of Threats

Threats fall into two categories: natural and human. Click on a threat category to see the distinction between the two.

A natural or environmental threat is just what it sounds like; its source is either from nature or a system's environment. Natural threats can include lightning, fires, hurricanes, tornadoes, or floods. Environmental threats can include poor building wiring or insufficient cooling for the systems.

Human threats arise from unintentional or intentional actions. An unintentional threat is a human accident, bad habit, carelessness, or misinformation. An intentional threat, whether caused by an insider or outsider, can be a spy, hacker, corporate raider, or a disgruntled employee. Click on the user and the drink to see examples of intentional and unintentional threats.

Have you ever accidentally spilled coffee or soda on your keyboard or computer? This unintentional threat occurs more than any other type.

The insider intentional threat is one of the most challenging security problems today. Since insiders have working knowledge of and access to their organization's computer resources, the potential for damage is great. One example could be someone you work with who is extremely disgruntled. Who is to say he or she won't misuse your system to delete or change sensitive information?

Topic 3 - The Intruder

The threat to Department of Defense information systems is both internal, such as the disgruntled or greedy employee, and external, as typified by hackers or crackers. We should dismiss the notion that today's hacker is a geeky 14-year-old trying to crack one computer at a time as an indoor sport. Today's hacker is far more advanced in computer skills. Using hacking tools available on the Internet, this hacker is capable of running automated attack applications against thousands of host computers at a time to identify security weaknesses. Click on an icon to learn more.

Topic 4 - Insider Threat

What is an insider threat? An insider looks like you or me. He can be an employee, contractor, or someone who has legitimate access to a computer system. Most insiders misuse or exploit weaknesses in the system. Others, due to lack of training and awareness, can cause grave damage. To see a profile of an insider, or learn how insider threats can affect you and what you can do, click on one of the topics.

An insider is any employee or contractor who has legitimate access to the computer system. All insiders have some degree of physical or administrative access to the information system. Stress, divorce or financial problems are some examples of what might turn a "trusted" user into an insider threat.

So, you're wondering how insider threats can affect you? Take a look at these scenarios to see just how common insider threats are.

Although there are security programs to prevent unauthorized access to information systems and employees undergo background investigations, certain life experiences can alter a person's normal behavior and cause them to act illegally. Here are a few suggestions for what you can do to help in the fight against insider threat.

Topic 5 - Social Engineering

Social engineering is also considered an intentional threat. It is a term used among hackers for cracking techniques that rely on weaknesses in human nature rather than in software. The goal is to trick people into revealing passwords and other information that compromises the security of your system. Click on one of the icons to learn more about social engineering and what you can do.

Acting as a field service technician or fellow employee with an urgent access problem, the caller attempts to have employees reveal passwords or other sensitive information like operating systems, logon IDs, server names, or application names.

You can play a vital role in preventing social engineering. Take a moment to review these tips, and remember, ask your Information Systems Security Officer if you need additional guidance.

What should you do if you receive a call that you believe is from an unauthorized person? Here are some suggestions that may help you deal with such a situation and avoid security breaches.

Topic 6 - Internet Security

There are security risks associated with browsing the Internet. Two of these are highlighted here. Click on an icon to learn more.

A cookie is a text file that a web server stores on your hard drive when you visit a site, and retrieves whenever you revisit that site. When you return to that site, the cookie 'recognizes' you, saving you the trouble of re-registering. The most serious security problem with cookies has occurred when the cookie has "saved" unencrypted personal information, such as credit card numbers or social security numbers, in order to facilitate future business with that site. Another problem with cookies is that the site potentially can track your activities on the web. You can set up your browser not to accept cookies.
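The paragraph's most serious cookie problem, unencrypted personal data stored in a cookie, can be checked for from the server or proxy side. The following is an added example, not part of the course material: it parses Set-Cookie headers with Python's standard library and flags any cookie whose value contains a Social Security number pattern or a Luhn-valid payment card number. The header lines are constructed for the demonstration.

```python
import re
from http.cookies import SimpleCookie

# Constructed Set-Cookie headers standing in for what a server might send.
SAMPLE_HEADERS = [
    "session=7f3a9c2e; Path=/; HttpOnly",
    "ssn=123-45-6789; Path=/",
    "card=4111111111111111; Path=/",
    "pref=lang%3Den; Path=/",
]

SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")   # nnn-nn-nnnn
CARD_RE = re.compile(r"\b\d{13,19}\b")          # candidate card-number lengths


def luhn_valid(digits):
    """Luhn check-digit test used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def classify_value(value):
    """Return the kinds of unencrypted personal data found in one cookie value."""
    findings = []
    if SSN_RE.search(value):
        findings.append("ssn")
    if any(luhn_valid(m.group()) for m in CARD_RE.finditer(value)):
        findings.append("card")
    return findings


def scan_set_cookie(header):
    """Parse one Set-Cookie header and classify each cookie it defines."""
    jar = SimpleCookie()
    jar.load(header)
    return {name: classify_value(morsel.value) for name, morsel in jar.items()}


def scan_headers(headers):
    """Map cookie name -> findings for every cookie that stores personal data."""
    flagged = {}
    for header in headers:
        for name, findings in scan_set_cookie(header).items():
            if findings:
                flagged[name] = findings
    return flagged


if __name__ == "__main__":
    for name, findings in scan_headers(SAMPLE_HEADERS).items():
        print(f"cookie {name!r} stores unencrypted {', '.join(findings)}")
```

Running the script reports the `ssn` and `card` cookies and passes the session token and preference cookie. The Luhn test keeps random 16-digit identifiers from being misreported as card numbers.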

Mobile code technologies, such as ActiveX and Java, are scripting languages used for Internet applications. Mobile code embedded in a web page can recognize and respond to user events such as mouse clicks, form input, and page navigation, as well as play audio clips. However, mobile code does introduce some security risk. It can cause hostile programs to be run automatically on your computer without your knowledge, simply because you visited a web page. The downloaded program could try to access or damage the data on your machine, or insert a virus.

To protect information systems from the threat of malicious or improper use of mobile code, organizations must assess and control the risks imposed by the technology. The DOD has developed policy guidance for use of mobile code in DOD information systems. The guidance categorizes mobile code technologies and restricts their application within DOD based on their potential to cause damage if used maliciously. Click on a category to learn more.

As a user, you can limit your exposure to mobile code by setting your browser to warn you prior to accepting cookies, Java and JavaScript from web pages. ActiveX security relies entirely on your judgement. ActiveX programs come with digital signatures from the author of the program. Once your browser has verified the signature, it tells you who signed the program and asks whether or not to run it. Depending on the trustworthiness of the source, you can either accept the program and let it run on your machine or reject it completely. Additional actions you can take to lower your risk are listed on the screen.

Topic 7 - DDoS Attacks

Another threat in Internet security is the Distributed Denial of Service, or DDoS, attack. These attacks involve bombarding a web server with huge amounts of data from many different machines and locations in an effort to bring the server down and deny its availability. The attacks can be launched from systems across the Internet unified in their efforts, or by compromised systems that are controlled by servers which can hide the true origin of the attack.
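From the defender's side, the pattern described above (many requests from many different machines in a short time) is visible in the web server's access log. The following added example, which is not part of the course material, parses Common Log Format lines and raises an alert for any fixed time window that has both a high request count and many distinct client addresses. The log lines are constructed inside the script, and the thresholds are illustrative assumptions that would be tuned to a real server's normal traffic.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Common Log Format: client, identity, user, [timestamp], "request", status, size
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "([^"]*)" (\d{3}) (\d+|-)')
TIME_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return {ip, ts, request, status} for a CLF line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m.group(1),
        "ts": datetime.strptime(m.group(2), TIME_FMT),
        "request": m.group(3),
        "status": int(m.group(4)),
    }


def detect_floods(lines, window_seconds=10, min_requests=50, min_sources=20):
    """Flag fixed windows with both a high request count and many distinct sources.

    Thresholds are illustrative assumptions; tune them to the server's baseline.
    """
    buckets = defaultdict(list)
    for line in lines:
        event = parse_line(line)
        if event is None:
            continue
        epoch = int(event["ts"].timestamp())
        buckets[epoch - epoch % window_seconds].append(event["ip"])

    alerts = []
    for start in sorted(buckets):
        ips = buckets[start]
        distinct = set(ips)
        if len(ips) >= min_requests and len(distinct) >= min_sources:
            alerts.append({
                "window_start": datetime.fromtimestamp(start, timezone.utc),
                "requests": len(ips),
                "sources": len(distinct),
            })
    return alerts


def format_line(ip, ts, request, status, size):
    """Build one CLF line (used only to construct the sample log)."""
    return f'{ip} - - [{ts.strftime(TIME_FMT)}] "{request}" {status} {size}'


def make_sample_log():
    """Constructed access log: a little normal traffic, then a distributed burst."""
    base = datetime(2000, 10, 10, 13, 55, 0, tzinfo=timezone.utc)
    lines = []
    for i, ip in enumerate(["10.0.0.5", "10.0.0.9", "10.0.0.5"]):
        lines.append(format_line(ip, base + timedelta(seconds=i),
                                 "GET /index.html HTTP/1.0", 200, 2326))
    # 60 requests from 30 different hosts packed into five seconds, 20 s later
    for i in range(60):
        lines.append(format_line(f"192.0.2.{1 + i % 30}",
                                 base + timedelta(seconds=20 + i % 5),
                                 "GET / HTTP/1.0", 200, 512))
    return lines


if __name__ == "__main__":
    for alert in detect_floods(make_sample_log()):
        print(f"{alert['window_start']:%H:%M:%S}: {alert['requests']} requests "
              f"from {alert['sources']} sources")
```

Requiring many distinct sources as well as a high request count separates a distributed flood from one busy legitimate client; a single misbehaving host would be handled by a different rule.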



Module 3 - Malicious Code

Topic 1 - What is Malicious Code?

Malicious code is software or firmware capable of performing an unauthorized function on an information system. It is designed with malicious intent to deny, destroy, modify or impede system configuration, programs, data files, or routines. Malicious code comes in several forms, including viruses, Trojan horses, bombs, and worms.

The most common type of virus today is the macro virus. A macro virus affects programs used to create documents and spreadsheets, such as Microsoft Word and Excel. Once infected, every document opened or created with these programs is corrupted, meaning that data could be lost or altered. Since they infect such commonly used applications, macro viruses can spread quickly. It is important to remember that viruses work only if you execute them!

Topic 2 - How Does it Spread?

Sharing files through the use of diskettes and e-mail attachments or downloading files from the Internet are the most common forms of spreading Malicious Code. It is your responsibility to scan all outside files using current anti-virus software. Your system may contain a virus even if it appears to be virus free. Viruses can remain hidden and may show up months later to infect your system. For this reason, it is essential that you scan your system daily using current anti-virus software.

Topic 3 - Email Attachments

It is important that you use caution when opening e-mail attachments. Attachments may contain malicious code that could corrupt files, erase your hard drive, or even allow a hacker to gain access to your computer. Be especially wary of attachments that end in .exe, .com, .vbs, .bat, or .shs. Don't assume that an attachment is safe because a friend or coworker sent it. A good rule of thumb is to save the attachment to your hard drive and scan it with current anti-virus software before opening it.
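The extension rule above can be applied automatically at a mail gateway or in a triage script. The following added example (not part of the course material) classifies attachment names: the extensions the module lists are blocked outright, a few further Windows executable types are added here as a labelled generalization, and a double extension such as "photo.jpg.vbs" is called out separately because it is meant to look like a harmless file. Everything else falls under the module's rule of saving and scanning before opening.

```python
import os

# Extensions the module warns about, plus a few more Windows executable
# types added here (.scr, .pif, .cmd) that are run the same way when opened.
EXECUTABLE_EXTENSIONS = {".exe", ".com", ".vbs", ".bat", ".shs",
                         ".scr", ".pif", ".cmd"}

# Document-looking extensions an executable might hide behind ("report.pdf.exe").
DOCUMENT_EXTENSIONS = {".doc", ".xls", ".ppt", ".pdf", ".txt", ".jpg", ".gif"}


def assess_attachment(filename):
    """Return (action, reasons) for one attachment name.

    action is "block" for executable content and "scan" for everything else,
    following the module's rule that attachments are scanned before opening.
    """
    # Windows discards trailing dots and spaces when saving a file, so
    # "Run Me.BAT ." is really "Run Me.BAT"; normalise the same way first.
    name = filename.rstrip(" .")
    root, ext = os.path.splitext(name)
    ext = ext.lower()
    reasons = []

    if ext in EXECUTABLE_EXTENSIONS:
        reasons.append(f"executable extension {ext}")
        inner = os.path.splitext(root)[1].lower()
        if inner in DOCUMENT_EXTENSIONS:
            reasons.append(f"double extension: executable disguised as {inner}")

    action = "block" if reasons else "scan"
    return action, reasons


def triage(filenames):
    """Summarise a batch of attachment names as {name: (action, reasons)}."""
    return {name: assess_attachment(name) for name in filenames}


if __name__ == "__main__":
    # Constructed attachment names for the demonstration.
    sample = ["budget.xls", "setup.exe", "photo.jpg.vbs", "notes.txt", "Run Me.BAT ."]
    for name, (action, reasons) in triage(sample).items():
        print(f"{name!r}: {action} {'; '.join(reasons)}")
```

Note that a "scan" verdict is not a clean bill of health; a macro-carrying document has a perfectly ordinary extension, which is why the module still requires scanning before opening.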

Topic 4 - Actions/Responses

If you discover that a virus has infected your system, follow these basic steps. First, remain calm. Next, call your help desk for assistance. Also, don't email the infected file to anyone.

Topic 5 - Hoaxes

Internet hoaxes are e-mail messages written with one purpose: to be sent to everyone you know. There are many different types of hoaxes. Some of them warn of new viruses, promote moneymaking schemes, or ask the user to forward the message to all their friends in the name of a fictitious cause. These hoaxes only serve to slow down Internet and e-mail service for computer users by clogging networks. If you receive an e-mail message that asks you to forward it to all your friends and coworkers, take the time to check the facts. For hoax information, visit the U.S. Department of Energy's Computer Incident Advisory Committee site. You can click on the link above to access the site.



Module 4 - Threat

Topic 1 - Ethics and Computer Misuse

Here are 8 common sense rules to compute by when using a government machine: Don't use a computer to harm other people. Don't interfere with other people's computer work. Don't snoop in other people's files. Don't use a computer to steal. Don't use or copy software that you have not purchased. Don't steal other people's intellectual property. Don't use a computer to pose as another person. Don't use other people's computer resources without approval.

Keep in mind that your rights to privacy are limited when using government computer resources. When you log on to a government system, you give your consent to monitoring. Everything you do can be monitored. Some examples of computer misuse are: viewing or downloading pornography, gambling on the Internet, conducting private commercial business activities or profit-making ventures, loading personal software, or making configuration changes.

Topic 2 - Passwords

User identification is the process by which an individual identifies himself to the system as a user. The system authenticates the user through his password and determines his right to use the system. Here are some key points to keep in mind when creating passwords: Memorize your password. Don't write down or share passwords. Choose a password that is easy to remember, hard to guess, and at least six characters in length, mixing letters, numbers, and special characters.

Don't use personal information like the names or birthdays of family members, pets, or the name of your favorite sports team. Avoid using words or phrases that can be found in a dictionary. Change your password on a regular basis. Remember, it is your responsibility to ensure that all activity done under your user ID constitutes appropriate use of DOD information systems resources.
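The password rules in the two paragraphs above can be enforced mechanically. The following added example, which is not part of the course material, checks a candidate password against the module's minimum length and character-class rules, undoes common digit-for-letter substitutions before looking for dictionary words, and rejects passwords built from personal details. The dictionary and the user profile are small constructed stand-ins; a real deployment would load a full wordlist and the user's own profile data.

```python
import re
import string

MIN_LENGTH = 6  # the module's floor; longer is better

# Constructed stand-ins: a real check would load a full dictionary and the
# user's own profile (family, pets, team, important dates).
SAMPLE_DICTIONARY = {"password", "welcome", "summer", "dragon", "football"}
SAMPLE_PROFILE = {
    "names": ["Taylor", "Rex"],      # family members and pets
    "dates": ["0314", "1988"],       # birthday fragments
    "team": "Cowboys",
}

# Common digit/symbol substitutions, undone before the dictionary check.
LEET = str.maketrans("0134578@$!", "oieastbasi")


def normalize(password):
    """Lower-case and undo simple substitutions so 'P@ssw0rd' reads 'password'."""
    return password.lower().translate(LEET)


def check_password(password, dictionary=SAMPLE_DICTIONARY, profile=SAMPLE_PROFILE):
    """Return a list of policy problems; an empty list means the password passes."""
    problems = []

    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not re.search(r"[A-Za-z]", password):
        problems.append("no letters")
    if not re.search(r"\d", password):
        problems.append("no digits")
    if not any(c in string.punctuation for c in password):
        problems.append("no special characters")

    norm = normalize(password)
    for word in sorted(dictionary):          # sorted for a deterministic report
        if word in norm:
            problems.append(f"contains dictionary word '{word}'")
            break

    personal = [n.lower() for n in profile["names"]] + [profile["team"].lower()]
    for item in personal:
        if item in norm:
            problems.append(f"contains personal information '{item}'")
    for date in profile["dates"]:
        if date in password:                 # digits are checked on the raw password
            problems.append(f"contains personal date '{date}'")

    return problems


def is_acceptable(password, **kwargs):
    """True when no policy problem is found."""
    return not check_password(password, **kwargs)


if __name__ == "__main__":
    for candidate in ["P@ssw0rd!", "Rex2014!", "abc", "Tq7#mz9Lp"]:
        print(candidate, "->", check_password(candidate) or "OK")
```

The substitution step matters: "P@ssw0rd!" satisfies every character-class rule yet is still a dictionary word once the symbols are read as the letters they imitate.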

Topic 3 - Files, Backup and Storage

It is essential that you back up all important computer files on a regular basis. These backups will minimize the loss of data if your hard drive crashes or is infected by a virus. Keep a set of your backup files off-site. Label the backups to reflect the sensitivity level of the information they contain. Prevent erasures by keeping diskettes away from magnetic sources such as radios and telephones. Store them in areas such as metal cabinets for greater protection from fire and water damage.

Topic 4 - Technology Specific Vulnerabilities

You must also protect information stored or transmitted on devices other than your computer. These include fax machines, cell phones, laptops, and PalmPilots. You need to be as vigilant about security on these devices as you are with your computer at work. Click on an icon to learn more.

Be careful with information transmitted over a fax machine. Make sure that the recipient will be there to pick up the fax immediately if you are sending sensitive information.

Remember that cell phones are nothing more than glorified transmitters. Anyone with the right equipment could potentially listen to your conversation. Use a landline for more privacy, and never discuss sensitive information on an unsecured phone.

The convenience of laptops also makes them vulnerable to theft or security breaches. Password protect the logon to your laptop. Be careful what you display on your screen, especially in close quarters such as airplanes. Be aware of your laptop when traveling to prevent theft.

PDAs, such as PalmPilots or Pocket PCs, pose a security threat for a number of reasons. Their small size and low cost make them easy to obtain and difficult to control. They have tremendous connectivity and storage capabilities, and are extremely popular. It can be very easy for a person to set up a PDA to download information from your computer.

Topic 5 - Data Classification

Proper protection of our information is critical to information systems security. The Department of Defense has three broad categories of information. Turn the page to see the categories and find out more.

DOD categorizes information as Unclassified, For Official Use Only (FOUO) or Sensitive, and Classified. Click on a category to learn more.

All DOD information, individually or in aggregation, could under the right conditions give an adversary insight into our capabilities and intentions or affect the safety of DOD personnel, and so it warrants some level of protection. As a minimum, all DOD unclassified information must be reviewed before it is released in any form outside the U.S. Government. Even unclassified information therefore requires security protection.

FOUO and Sensitive unclassified information can include, but is not limited to, personnel, medical, operational and Privacy Act information. Don't leave files or media containing sensitive unclassified information where an unauthorized person can see or obtain it. When not being used, sensitive unclassified information must be stored in a locked drawer or more secure container. Dispose of it properly. It is a good habit to shred it or put it into a burn bag.

Classified information includes Confidential, Secret, and Top Secret. Information may be originally classified only by the Secretary of Defense, the Secretaries of the Military Departments, and other officials who have been specifically delegated this authority in writing. The original classification authority determines which level of classification is to be applied. If there is significant doubt about the appropriate level of classification, the information shall be classified at the lowest level. Classified information must be used in an area approved and cleared for that classification level. When not in use, the classified information must be stored in a GSA-approved vault or container.

Information is a critical asset to the Department of Defense. It is your responsibility to protect DOD's sensitive and classified information that has been entrusted to you. Remember, absolutely NO classified information is allowed on an unclassified system. Please contact your information systems security officer for more information about classification or handling of information.



Module 5 - New Developments

Topic 1 - Developments in Computing

Security needs must constantly keep pace with ever changing technologies and applications. Information systems are decentralized; personal computers, networks and access to the Internet are the norm. The rapid pace of technological advances poses new challenges in information assurance.

Topic 2 - Ecommerce

Electronic Commerce, EC, or e-commerce, is the use of documents in electronic form, rather than paper, to conduct business transactions. An example of e-commerce is the direct deposit of your salary from your employer's account into your bank account, eliminating the need for traditional paper checks. E-commerce gives consumers and businesses greater flexibility as to when and how transactions are conducted. Electronic Data Interchange, or EDI, is an essential component of e-commerce. EDI is the computer-to-computer transmission of strictly formatted messages that represent e-commerce transactions.

Topic 3 - PKI

One mechanism that supports information assurance is public key technology. Public Key Infrastructure, or PKI, provides a way to issue electronic keys, called digital certificates, to users. The digital certificate issued to the user binds the user's identity to his or her public key, and in combination with the user's private key, allows the user to be authenticated over open networks.

PKI also provides the infrastructure for messages or documents to be encrypted. Thus, one infrastructure supports both confidentiality and user authentication needs. Additionally, users automatically have the ability to check data integrity and have a basis to ensure that the transactions cannot later be denied or repudiated.

Eventually, nearly all DOD employees will likely need a PKI certificate to support their daily activities. Some potential uses of PKI include identification and authentication for purposes of gaining remote access to computers and other resources (instead of passwords), and securing financial transactions, identification cards, and physical access control systems.

Encryption is defined as the conversion of plain text into cipher text by means of a cryptographic system or code. Basically, encryption makes information unintelligible to an unauthorized user. There are two general categories of encryption systems: private and public key systems. Click on an option to learn more.

Private key systems, often called symmetric, secret, or single key systems use a single key to both encrypt and decrypt information. Users must exchange their private keys if they wish to communicate privately. As the number of users increases, private key systems become difficult and costly to manage.

Public key systems are often referred to as asymmetric or two-key systems. Encryption is done with one key while decryption is done with another. One key is kept secret and the other is publicly known. The keys are mathematically related in such a way that even if you have the public key, the private key cannot be deduced. This allows public keys to be posted so that anyone can use your public key to encrypt information that only you will be able to decrypt using your private key.
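The properties claimed in Topic 3 (anyone can encrypt with the public key but only the private key decrypts; a signature gives integrity and a basis for non-repudiation; symmetric key distribution grows with the number of users) can be seen in working code. The following is an added example and not DOD PKI or course material: a toy RSA built with Python's standard library. It uses two published Mersenne primes as a fixed, constructed key so that it runs deterministically offline; real keys are generated from random primes, use padding schemes, and are bound to an identity by a certificate, none of which is modelled here.

```python
import hashlib
from math import gcd

# Toy RSA built from two published Mersenne primes so the example is
# deterministic and runs offline. Real PKI keys use freshly generated random
# primes and padding (OAEP for encryption, PSS for signatures); a certificate
# then binds the public key to an identity. None of that is modelled here.
P = 2**127 - 1
Q = 2**521 - 1
E = 65537


def make_keypair(p=P, q=Q, e=E):
    """Return (public_key, private_key) as ((n, e), (n, d))."""
    n = p * q
    phi = (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("public exponent not invertible for these primes")
    d = pow(e, -1, phi)            # private exponent (Python 3.8+)
    return (n, e), (n, d)


def encrypt(public_key, message):
    """Anyone holding the public key can encrypt; only the private key decrypts."""
    n, e = public_key
    m = int.from_bytes(message, "big")
    if m >= n:
        raise ValueError("message too long for this toy key (no padding or hybrid mode)")
    return pow(m, e, n)


def decrypt(private_key, ciphertext):
    """Recover the message bytes with the private exponent."""
    n, d = private_key
    m = pow(ciphertext, d, n)
    return m.to_bytes((m.bit_length() + 7) // 8, "big")


def sign(private_key, message):
    """Sign a hash of the message: integrity plus a basis for non-repudiation."""
    n, d = private_key
    digest = int.from_bytes(hashlib.sha256(message).digest(), "big")
    return pow(digest, d, n)


def verify(public_key, message, signature):
    """Anyone with the public key can check the signature; a changed message fails."""
    n, e = public_key
    digest = int.from_bytes(hashlib.sha256(message).digest(), "big")
    return pow(signature, e, n) == digest


def keys_to_manage(users):
    """Secret keys a symmetric system needs (one per pair) vs key pairs for PKI."""
    return users * (users - 1) // 2, users


if __name__ == "__main__":
    public, private = make_keypair()
    ct = encrypt(public, b"meet at 0900")
    print(decrypt(private, ct))
    sig = sign(private, b"approve payment 100")
    print(verify(public, b"approve payment 100", sig),
          verify(public, b"approve payment 1000", sig))
    print(keys_to_manage(1000))
```

The `verify` function is also the operation a browser performs on a signed ActiveX control as described in Topic 6: it establishes who signed the code, not whether the code is safe, which is why the decision to run it still rests on the user's trust in the signer. The `keys_to_manage` figures show why the private key systems of the previous paragraph become costly: 1,000 users need 499,500 shared secrets, against 1,000 published public keys.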