Tuesday, December 2, 2014

Tool to safeguard PII scheduled for AF-wide December rollout



Published December 01, 2014

JOINT BASE SAN ANTONIO-LACKLAND, Texas (AFNS) -- The Digital Signature Enforcement Tool is scheduled for Air Force-wide integration Dec. 5, providing Microsoft Outlook email users with an interactive, automated virtual assistant to help ensure the security of personally identifiable information.

“I can’t overstate the operational importance of preventing PII breaches,” said Maj. Gen. B. Edwin Wilson, the commander of 24th Air Force and Air Forces Cyber. “It’s not an IT problem, it’s a total-force problem, and DSET is an effective tool the total force can use, right now, to help reduce inadvertent PII breaches.”

Beyond potential identity theft, PII breaches can lead to significant compromises in operational security. For example, a well-meaning member working to meet an operational deadline sends an unencrypted email, containing PII on several unit members, to a “non .mil” email account.

The sender could be attempting to get ahead on a project or be providing a status update to unit members on pending unit movements. Unknown to the sender, hackers have compromised email transport infrastructure between the sender’s desktop and one of the destination “non .mil” desktops. Hackers intercepting this unencrypted email traffic can utilize the newly acquired personal information to form specifically targeted attacks, known as spear phishing, to acquire additional information such as account numbers or passwords.

Unfortunately, the attack does not stop there. Once an attacker has acquired enough information, he can simulate user accounts or even pass off communications on behalf of the service member, who is likely still unaware that his information has been compromised. Those false communications could be leveraged to gain digital access to Air Force systems, or even physical access to installations and personnel. Obviously, the negative implications caused by PII breaches are severe, and equipping the force with tools to mitigate the risk is paramount.

DSET version 1.6.1, an updated version of the DSET 1.6.0 software already in use by the Air National Guard, Air Force Reserve Command, and Air Force Space Command, contains fixes for some previously identified software bugs as well as enhancements to make the digital tool more effective.

“DSET 1.6.0 launched back in July to three major commands,” said Alonzo Pugh, a cyber business system analyst for 24th Air Force. “Feedback has been overwhelmingly favorable for the use of the tool, and version 1.6.1 is definitely ready for Air Force-wide usage.”

DSET is regarded as a short-term fix to help all Air Force network users protect PII, specifically if that information is to be included in an email communication. DSET 1.6.1 still only scans for PII in the form of social security numbers, leaving overall responsibility on the user to safeguard the sensitive information in all of its forms.

“First, the user should ask him or herself if the PII in the email is truly necessary,” Pugh said. “DSET scans the email draft before transmission. If PII is identified, DSET will notify the user through a series of pop-up windows. This interactivity allows the user to make a conscious decision of how to proceed with the information in question.”

According to Pugh, if the information must be transmitted, encrypting the PII is all that is necessary to protect the data during transmission. DSET will trigger when it detects potential PII in an email, giving the user the opportunity to delete the information if not necessary to the communication, encrypt the information, or override and transmit the email as originally written.

If the file containing PII is already encrypted – through the Microsoft Office “protect” permission feature or some other software – DSET will not trigger and the email can be sent as usual to any recipient’s email address, whether “.mil,” “.com,” etc. However, if the email itself is encrypted through Microsoft Outlook, the communication is only safe to transmit to a recipient’s “.mil” email address. An email encrypted in this fashion cannot be sent to any “non-.mil” addresses. If the user attempts to do so, DSET and Microsoft Outlook will provide pop-up boxes explaining the user’s options.

“I can’t overstress the importance of reading the information in the pop-up box,” Pugh said. “Read the training materials on the use of DSET; read the training slides on how to use Microsoft Office features to encrypt various documents; understand how these tools can help you safeguard PII.”
