From the NAVAIR Office of CIO Communications

In recent years, email has become one of the most common and important methods of communicating in our daily lives. And now more than ever, organizations depend on email as a major part of their normal business processes. A Gartner (META Group) survey found that 80% of respondents consider email communications more valuable to their respective organizations than phone communications. Yet, the two primary mechanisms these organizations use to protect their networks from security threats – firewalls and anti-virus software – are of little use against most email threats. As end users, we must proactively take responsibility and accountability for preventing and/or minimizing the risk and damage these threats present.

Viruses are one of the most common and harmful email security threats. Cloaked in an executable, image, or other common file type, a well constructed virus can easily run rampant and quickly penetrate a system or network. This not only results in loss of data and consumes valuable IT resources, but also allows attackers to access sensitive data and render critical assets inoperable. The best way to stay safe is to avoid opening any attachments from unknown senders. Although installing up-to-date anti-virus software and security updates provides some protection, there are no guarantees.

Phishing is a method used by attackers whereby an email is sent in an attempt to get the user to follow a link to a spoofed web site and provide personal information, such as social security or credit card numbers. The attacker then uses this information to conduct fraudulent activities. The number and sophistication of phishing scams has risen significantly over the last couple of years due to the fact that phishing can be very lucrative and very difficult to trace.

Most organizations cite spam or unsolicited emails as the number one email security threat. Spam causes organizational problems through the loss of worker productivity and the drain on network and email server resources. Although reports vary, most research indicates that spam accounts for between 70-90% of all email.

Well-intended spam can also be burdensome to both the user and the network. Jokes, images, warnings, and stories circulated among friends, family, and co-workers can also be considered spam as they take up valuable time and resources. But how many of us have caved in after reading, “If you are a true friend you will forward this email to ten of your closest friends”?

NMCI and most email account providers have spam filtering mechanisms, but they can’t catch every one. In addition, spammers invest a lot of effort to ensure their emails are able to penetrate these filters. The anti-virus vendor, McAfee, has a threat center on its corporate web site that provides tips for avoiding spam, such as never responding to spam, utilizing your ISPs spam filtering, never clicking on links in a spam email, and using two email accounts, one for friends and associates only and one for newsletters, online stores, etc., which are the sources of spam.

As long as there are profits to be made, email infrastructures will be under attack from unscrupulous characters looking to cause damage and exploit the millions of users who utilize email. Organizations spend billions of dollars in time and resources each year in an effort to reduce susceptibility to these threats. We all need to do our part to make sure our systems and our organization’s resources are adequately protected.

The Department of Navy has required that all users be trained about risks posed by these phishing scams. The Joint Task Force Global Network Operations (JTF-GNO) has developed a training package to increase situation awareness concerning “socially engineered” email and “Phishing” activity. The training is located on the Office of CIO Web site https://mynavair.navair.navy.mil/cio .

If you would like more information on any information security or Information Assurance (IA) matters or if you believe you have received a phishing email or suspect any unusual activity or security compromise on your government-issued workstation, contact your local IA Officer, IA Manager, the NAVAIR 7.2.6 Information Assurance office, or the NAVAIR 7.4.1 security office. Your IA Manager will forward all suspicious emails as an attachment to the Global Network Operations Center at [email protected] for investigation. A list of IA Points of Contact is located on the Office of CIO Web site https://mynavair.navair.navy.mil/cio.

About the author: Kevin Meadows, a regular contributor to Office of CIO communications, is an employee of Smartronix Corporation, Information Assurance Division.