Monday - What's behind that screen? Published Oct. 5, 2010 By Lt. Col. Robert Schroeter 22nd Communications Squadron commander MCCONNELL AIR FORCE BASE, Kan. -- Imagine this scenario. Tuesday morning at 10:45 a.m., everyone is working at their desks going about their day -- then the network stalls. SharePoint is down, e-mail is unresponsive and Web sites are inaccessible. As a result, the 22nd Communications Squadron jumps into action and notices an extremely large amount of data moving outbound on our network pipes because McConnell's network has been compromised. After recovering the network, the forensics determined that on Monday morning at 9:02 a.m., a hacker targeted five McConnell members with a well-crafted social engineered e-mail. This trap installed malicious software on one of their government computers. As this e-mail passed through the Internet and eventually through the mail server servicing McConnell members, it encountered many validation checks put in place by the network security defender. But because of the way it was crafted, it passed through unchallenged. The (from) line in the e-mail displayed "22.Services@mcconnell.af.mil," with the subject "Fitness Tracker to help you pass the new AF PT test" and an excel document attached, "PT tracker.xlsx." Four of the recipients opened the e-mail immediately upon receiving it and thought it looked odd and, because they were not expecting it, they chose to just delete it and move on with their day. After returning Tuesday morning from leave, the last recipient noticed the e-mail and was very curious to see the attached excel document to help him prepare for the PT test. Once the attached document opened, Excel informed him that he needed to enable macros to use the PT tracker. The message, 'Caution! Enabling macros could run malicious code on your computer,' appeared on his screen. Being familiar with this message on other documents, he clicked on enable macros. This action installed malicious code on his government computer, establishing a back door connection between McConnell's network and the hacker located somewhere in cyber-space. This scenario portrays today's cyber-environment. The bad guys have easy access to tools to develop attacks such as this within minutes, and our Airmen are on the front lines everyday in cyberspace, whether they are at home or at work. To prevent these attacks, we must all be ready. Ready Airmen and Families Being "Ready" in cyberspace means protecting you, your family's, and your fellow Airmen's information in e-mails and on the Internet. Once out there, it is available to every Internet user in the world. How do you protect this information? · Make sure you know the sender or can verify his/her legitimacy. · Use and look for digital signatures and encryption when sending and receiving emails. · Be careful what information, whether personal or mission related, is placed on social networking sites and discussion forums. The information could be used in combination to create the traps used against our Airmen and their families to steal identities or to gain access to U.S. Air Force systems. Ready Base The 22nd CS, along with our partners at 24th Air Force, secures our cyber-networks -- even if a social engineering attempt, such as the above scenario, is successful against one of our team members. Our cyber-defenders take a defense-in-depth approach to ensure attempted attacks against the 22nd Air Refueling Wing and its Airmen are unsuccessful. These common practices, such as perimeter security devices, computer patching, permissions restrictions and Web site blocking, prevent hackers from collecting information and degrading our base mission, while protecting our Airmen. Ready Mobility This is why we are here. Just like our 22nd Security Forces Squadron defenders, who protect our people and resources, our cyber-defenders secure our networks to ensure Team McConnell's ability to execute its missions fast and efficiently for the fight. Our networks provide mission planners and flightline maintainers the capability to generate increased numbers of sorties to support global operations. Our Mission (back to the scenario): In the scenario, how were these Airmen targeted? Hackers have access to tools, such as common search engines to seek out public Web sites, social networking sites and other "private" sites to find what information they need about people. Then they can go to popular hacking sites where they can download files preloaded with malicious code to fit their desire, create an e-mail and send it. This process can take as little as 30 minutes. How could this have been prevented? The 22nd CS is charged to respond to these types of issues. One of the four recipients, who had suspected something was wrong with the e-mail, should have contacted their unit's Information Assurance Officer to up-channel this information to the 22nd CS. The 22nd CS would have then verified this e-mail as malicious and completely removed it from the mail server therefore preventing the fifth Airman from seeing it on Tuesday preventing his actions from opening a pathway into our information from a rogue location. Once opened, the malicious software had the ability to install itself on the system. This means two things: the machine's security patches were probably not up-to-date and the antivirus software was not operating correctly. The 22nd CS is responsible for ensuring that our machines are configured properly, so in the case of an attempt the attacks are contained. Cyber security is everyone's responsibility. Protect the team -- protect the mission.