How Security Awareness Training Can Protect the Military

Introduction

There still seems to be no true consensus on the need for, or importance of, security training in the workplace. There are people on both sides of the argument who are making valid points for their stances. Though the majority of security professionals agree that security education is important, many question whether it is really worth the time, money, and effort spent. According to a survey by PricewaterhouseCoopers, 42 percent of those who responded said that security training played a role in deterring potential cyber-attacks against their organizations. A different report found that companies that did not provide employee training had average financial losses of $683,000, compared with companies that did provide training, which lost only $162,000 on average. That is a BIG difference.

Security specialists who are against employee security training feel it is wasted time and resources. Users are not security experts and organizations should not expect them to be. The same time and resources spent trying to train the security novice user could be better invested in securing the enterprise infrastructure, enhancing and strengthening technical controls, and addressing security failures in software design. The issue with this train of thought is that most organizations are mandated under current regulations to provide security training to their employees. The military is no exception. The Army, Navy, Marine Corps, Air Force, and Coast Guard are all charged with the responsibility of protecting the United States from foreign enemies and, at times, domestic disasters. In this day and age, warfare is not just hand-to-hand combat, sailing the seas, flying through the air, dropping bombs, or launching missiles; it also includes the logical warfare of cyber-attacks. If an enemy wanted to harm the United States, weakening the military would be a great place to start.

Why Does the Military Sector Need Security Awareness?

Everyone needs security awareness, or at least anyone who plans to touch a computer system that is connected to the Internet. Even if there is no company-provided training, computer users need to stay up to date with current trends in cybersecurity. The Department of Defense (DoD) as a whole, which includes both the military and its civilian employees, has access to valuable information. It has been stated by numerous security experts that the human is the weakest link in the cybersecurity chain. With the DoD having 1.4 million members of the military and approximately 740,000 civilian employees, that is a large landscape of potential attack vectors.

With the increased sophistication of spear-phishing tactics and social engineering attacks, the military sector has good reason to provide its employees with security awareness training.

According to Trushield, a managed security services provider, there are three top reasons cyber security awareness training is needed:

  1. Regulatory requirements
  2. The vanishing perimeter
  3. Constant changes in the threat landscape

The DoD is no exception to the regulatory requirements. It is federally mandated that some sort of IT security awareness training be given at least once a year. Many military organizations have started, or are planning to start, authorizing systems under the risk management framework (RMF), which requires cybersecurity awareness training as part of the authorization and continuous-monitoring criteria. This means that a system will not be authorized to operate unless there is a documented and implemented (or planned) security training program for the system users.

The vanishing perimeter threat is related to employees who bring their own computing devices to work: iPods, personal laptops, cellphones, etc. Connecting these devices to the network introduces new vulnerabilities. There is no way to ensure that these personal devices are used by people following good cyber-hygiene practices and are patched and/or updated consistently. Fortunately, most military installations do not allow their users to bring in personal electronic devices and, at the installations that do allow some of these items into their facilities, most are banned from connecting to the network or to other government assets. Even though these rules are in place at some facilities, it is not a blanket rule across the board, and it is always possible for some users to fall through the cracks and not follow the rules. The installation-specific training given at DoD facilities ensures users are made aware of the installation's policies on bringing personal electronic devices on site, as well as the importance of not connecting them to the network, to avoid compromise.

Constant threat landscape changes require staying on top of current cyber-threats and assessing how your organization could fall victim. The majority of spear-phishing attempts are aimed at large organizations. What larger organization is there than the DoD?

What Risks/Threats Does the Military Sector Face?

When we think of potential threats against commercial entities, the first thought is industry competitors wanting to steal company secrets and proprietary information. The military has secrets that, if leaked, could damage the security of the entire nation. So its number one threat is hostile foreign actors wanting to learn military secrets, tactics, and plans.

In 2015 a spear-phishing attack against the Pentagon was responsible for compromising email credentials of over 4,000 employees, both civilian and military. Officials claimed the enterprise assets were properly configured and patched, so the assumption is that they were the victim of a zero-day attack. There is also evidence that the attack may have used some social engineering tactics. The suspected hackers may have evaluated the social accounts of staff members to gain enough information to conduct the spear-phishing attack that was convincingly shaped to draw in the intended victims. The effectiveness of this attack gives validity to the argument about the importance of training users to be diligent in their system use. Long gone are the days of poorly worded emails, oozing with bad grammar, misspellings, and questionable images. Even those attempts were able to trick some victims; with these new sophisticated efforts, even educated users could fall victim.

In the commercial sector, businesses can generate income based on their marketing and sales efforts. The military always has budget limitations that are set by the executive branch of the government. With these budget constraints, it can be difficult for the military sector to update its digital infrastructure with the latest and greatest. It uses all of the same operating systems the commercial sector uses (Windows, Unix/Linux, etc.), but it may have outdated equipment, or it may still be using old, unsupported software, which makes updates and patching tough. For instance, the United States Navy is still running on Windows XP. While the rest of the world is being pushed towards upgrading to Windows 10, the Navy is spending 9 million dollars a year to use an operating system that has been obsolete for years. According to Steven Davis, a Navy spokesman, "The Navy relies on a number of legacy applications and programs that are reliant on legacy Windows products." The DoD has enlisted the help of industry cybersecurity professionals, who are working to educate high-level officials on the importance of keeping their systems updated. Training is also important for the people who control the budgets. Training the users is important so they understand how to identify phishing scams, but having a secure infrastructure is also an important start.

The military heavily recruits young people directly out of high school to enlist. These are not normally professionals who have completed four years of computer engineering courses. The military may provide them a few weeks or maybe a few months of training before they start their jobs. Unlike full-time students or seasoned professionals, who may have spent time gaining experience during an internship, these young recruits are immediately thrown into real-world, high-stress environments and forced to use their skills with minimal support.

Other problems that affect the military include the use of government off-the-shelf (GOTS) products and of embedded systems, both of which may pose unique risks. The use of these systems may have provided a false sense of security that they are "un-hackable" because of their proprietary nature. The other problem with these systems is that many of them were built many years ago, some decades ago, with no consideration of cybersecurity needs. Now that hacking capabilities have become as sophisticated as they currently are (and continue to grow), these systems could have vulnerabilities never before considered, and they are hard to upgrade because of their uniqueness and, of course, budgetary constraints.

Security Awareness

Security Awareness in the Military Sector, Tips, and Resources

As stated before, security awareness is a mandate for the military under the RMF. The DoD provides a phishing awareness training course to some employees, but the mandatory training for everyone is called the Cyber Awareness Challenge. The training is created and provided by the Defense Information Systems Agency (DISA). The training is interactive and quizzes the user on their learned knowledge. DISA provides other training, as well as information on current cybersecurity trends, on its website. The training is adequate, but in order to help minimize the success of future phishing attacks, the military should start sending simulated phishing emails to its users and see who falls for the test. This will allow it to better evaluate the effectiveness of the training and tweak it accordingly. The training is only done annually. With the constant changes in the cybersecurity threat landscape, the DoD may want to consider having this type of interactive training performed quarterly to reinforce what is learned and to remind users of the potential dangers.
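The paragraph above recommends running simulated phishing campaigns and using the results to judge whether the training is working. The following added example (not part of the original article and not DISA's or the DoD's own tooling) shows how such results can be scored: per-campaign click and report rates, the trend across quarterly campaigns, and the "repeat clickers" that annual training is evidently not reaching. The user ids, campaign labels and outcomes are constructed sample data.

```python
"""Scoring a phishing simulation to measure awareness-training effectiveness.

Added example, not from the original article. Input is a constructed list
of simulation results: one record per user per campaign, with the user's
observed action. All user ids and campaign labels are made up.
"""
from collections import defaultdict
from dataclasses import dataclass

# Possible observed outcomes for one simulated phish delivered to one user.
ACTIONS = ("ignored", "reported", "clicked", "submitted_credentials")
CLICK_ACTIONS = ("clicked", "submitted_credentials")


@dataclass(frozen=True)
class Result:
    campaign: str   # e.g. "2017-Q1" (constructed label)
    user: str       # pseudonymous user id (constructed)
    action: str     # one of ACTIONS


# Constructed sample data: four users across three quarterly campaigns.
SAMPLE = [
    Result("2017-Q1", "u001", "clicked"),
    Result("2017-Q1", "u002", "submitted_credentials"),
    Result("2017-Q1", "u003", "ignored"),
    Result("2017-Q1", "u004", "reported"),
    Result("2017-Q2", "u001", "clicked"),
    Result("2017-Q2", "u002", "reported"),
    Result("2017-Q2", "u003", "ignored"),
    Result("2017-Q2", "u004", "reported"),
    Result("2017-Q3", "u001", "reported"),
    Result("2017-Q3", "u002", "ignored"),
    Result("2017-Q3", "u003", "clicked"),
    Result("2017-Q3", "u004", "reported"),
]


def campaign_metrics(results):
    """Return {campaign: {"delivered", "click_rate", "report_rate"}}.

    click_rate counts everyone who clicked the link, including those who
    went on to submit credentials; report_rate counts users who reported
    the message instead of acting on it.
    """
    by_campaign = defaultdict(list)
    for r in results:
        if r.action not in ACTIONS:
            raise ValueError(f"unknown action {r.action!r}")
        by_campaign[r.campaign].append(r)
    out = {}
    for name, rows in sorted(by_campaign.items()):
        n = len(rows)
        clicked = sum(r.action in CLICK_ACTIONS for r in rows)
        reported = sum(r.action == "reported" for r in rows)
        out[name] = {
            "delivered": n,
            "click_rate": round(clicked / n, 3),
            "report_rate": round(reported / n, 3),
        }
    return out


def repeat_clickers(results, min_campaigns=2):
    """Users who clicked in at least `min_campaigns` distinct campaigns.

    These are the people the annual course is not reaching; they are the
    natural audience for the more frequent refreshers the article suggests.
    """
    hits = defaultdict(set)
    for r in results:
        if r.action in CLICK_ACTIONS:
            hits[r.user].add(r.campaign)
    return sorted(u for u, camps in hits.items() if len(camps) >= min_campaigns)


def trend(results):
    """Change in click rate from the first to the last campaign.

    Negative means the user population is improving between campaigns.
    """
    metrics = campaign_metrics(results)
    names = sorted(metrics)
    if len(names) < 2:
        return 0.0
    return round(metrics[names[-1]]["click_rate"] - metrics[names[0]]["click_rate"], 3)


if __name__ == "__main__":
    for name, stats in campaign_metrics(SAMPLE).items():
        print(name, stats)
    print("repeat clickers:", repeat_clickers(SAMPLE))
    print("click-rate trend:", trend(SAMPLE))
```

Report rate is worth tracking alongside click rate: a campaign where fewer people click but nobody reports the message tells the security team little about how quickly a real attack would be noticed. Repeat clickers are reported as pseudonymous ids so the output can be shared with trainers without turning the exercise into a blame list.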

The Navy is working to increase cybersecurity awareness within their branch members. During cybersecurity awareness month, which falls in October, the chief of naval operations, Adm. John Richardson, stated that every sailor is a “cyber-warrior,” meaning that every sailor is responsible for protecting Navy and DoD cyber assets. The Navy hopes to continue the awareness program past October to reinforce its importance.

Conclusion

The human link has been deemed the weakest in the cybersecurity chain. No matter how strong your firewall settings, your IDS, or the eagerness of your 24-hour SOC workers, if your users don't practice good operations security (OPSEC), both on your network and in their personal lives, it doesn't matter. With the ease of finding information, people have to be diligent about the information they allow to be used and released to the public. Social engineering has matured, but so has the availability of information. Training users means not just teaching them how to spot a phishing email, but also getting them to think about what they post on social media sites and the things they disclose to total strangers. This is even more important for members of the military. They are protecting not just themselves, but also the security of the entire nation.

References

http://www.darkreading.com/operations/careers-and-people/is-security-awareness-training-really-worth-it/d/d-id/1317573

https://en.wikipedia.org/wiki/United_States_Department_of_Defense

https://en.wikipedia.org/wiki/United_States_Armed_Forces

https://www.hackread.com/pentagons-network-hacked-with-phishing-attack/

http://www.crn.com/news/security/300077701/pentagon-data-breach-shows-growing-sophistication-of-phishing-attacks.htm

http://money.cnn.com/2015/06/26/technology/microsoft-windows-xp-navy-contract/

http://iatraining.disa.mil/eta/cyberchallenge_v4/launchPage.htm

https://www.opm.gov/wiki/training/Federally-Mandated-Training/Print.aspx

http://www.navy.mil/submit/display.asp?story_id=96999

Be Safe

Section Guide

Tyra Appleby

View more articles from Tyra
