Thursday, May 29, 2014

Increased Password Strength Might Actually Weaken Security Countermeasures

I recently read with admiration a tech article written by a security expert being open and honest about computer, network and online account security access passwords. Even though she understands the importance of strong security, she wrote of the woes of trying to remember different passwords to her many accounts. Finally exasperated, she gave up change and now maintains a policy of a single password for all accounts.

This works for her and can work for you as well, unless you access defense contractor or Department of Defense networks, or DoD and other government-maintained websites and systems such as the Defense Security Service's JPAS, training, SPeD certification, databases, or the applications offered by many other agencies. Where most could get away with using a single password on multiple systems, each of these DoD systems requires a unique password structure. One single password will not work.

For example, in most of my online business profiles for email, social media, banking, etc., I can use a common password consisting of letters and maybe a number for good measure. In many cases, the sites help you determine the strength of your password so that you can adjust it to whatever you feel comfortable with. You might get a red, amber or green indication, with green representing the most protection, but in most cases any password is acceptable if you are comfortable with the results.

In these cases, you can use words or numbers that you are familiar with, such as carman311, cookiemom214, or securitydave2. You may never forget your password, as these are not too difficult. However, such familiarity and comfort also create greater vulnerability, since the level of effort required to break your code is just as low.

Now bring on websites like the ones mentioned above. The company I work for requires uppercase, lowercase, numbers and symbols. DoD sites require the same, as do some classified and unclassified networks. So, simple: adopt a more complicated version of an already used password, such as Jollyrancher becoming jollyrancher55672%%^&@ if you add in your address and associated symbols. Then use it for all the multiple applications and you are home free, right?

Not so fast. Where upper and lowercase, numbers and symbols are required, each application may require different combinations. For example, one website requires that passwords DO NOT have repeating characters. Yikes, this eliminates many words such as jollyrancher, mollymoocow, muddywaters, suggestive, message, eliminate, tellingword, and many more. Now we have to have at least two passwords to access all of our accounts. Ok, I can do that.

Not really. So, maybe you have words with non-repeating letters, but now you have to make sure your number combinations and symbols don't repeat as well. So, there goes Jollyrancher55672%%^&@. Now you have to vary your password with simple nuances that might be hard to remember. So, maybe I spell it JOlyrancher54672%$^&@ and hope to remember those simple nuances. This might require at least three passwords (don't forget the ones you already have for banking and social networks; add those to the count as well).

I can go on about some password requirements that do not allow the use of certain special characters, but I think you get the point by now. The password protection requirements are designed specifically so that you do not use familiar terms and do NOT use the same password for multiple applications. We can all agree that makes for great security, but is it even practical or fair? Heck, try accessing a secure website using those complicated policies from a smartphone where the special characters are no longer above the corresponding numbers…sheesh!
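The arithmetic the post walks through can be made concrete with a small policy checker. This is an added example, not code from the post or from Red Bike Publishing; the candidate passwords are the post's own plus one constructed here, and the rule mix per system and the banned-symbol list are assumptions. Because the post does not say whether "no repeating characters" means adjacent repeats or any repeat, both readings are implemented.

```python
from __future__ import annotations
import string

# Constructed candidates: the post's own examples plus one built here that
# clears every rule (all four character classes, no character used twice).
CANDIDATES = ["jollyrancher", "jollyrancher55672%%^&@",
              "JOlyrancher54672%$^&@", "Kb7!Wmz2@Qx9"]

# Assumed set of special characters some site refuses; real lists vary.
BANNED_SYMBOLS = {"%", "&", "<", ">"}

def has_complexity(pw: str) -> bool:
    """Upper, lower, digit and symbol all present (the corporate/DoD rule)."""
    return (any(c.isupper() for c in pw) and any(c.islower() for c in pw)
            and any(c.isdigit() for c in pw)
            and any(c in string.punctuation for c in pw))

def no_adjacent_repeat(pw: str) -> bool:
    """'No repeating characters' read loosely: no 'll', '55' or '%%'."""
    return all(a != b for a, b in zip(pw, pw[1:]))

def no_repeated_char(pw: str) -> bool:
    """'No repeating characters' read strictly: every character appears once."""
    return len(set(pw)) == len(pw)

def no_banned_symbols(pw: str) -> bool:
    return not (set(pw) & BANNED_SYMBOLS)

RULES = {"complexity": has_complexity,
         "no-adjacent-repeat": no_adjacent_repeat,
         "no-repeated-char": no_repeated_char,
         "no-banned-symbols": no_banned_symbols}

# Constructed systems, each enforcing a different mix of the rules above.
SYSTEMS = {"social/banking": [],
           "employer network": ["complexity", "no-banned-symbols"],
           "DoD site A": ["complexity", "no-adjacent-repeat"],
           "DoD site B": ["complexity", "no-repeated-char"]}

def failing_rules(pw: str) -> list[str]:
    """Names of the rules a candidate does not satisfy."""
    return [name for name, rule in RULES.items() if not rule(pw)]

def password_per_system(candidates: list[str]) -> dict[str, str | None]:
    """First candidate (in the user's preferred order) each system accepts;
    None when no candidate fits. Distinct values = passwords to remember."""
    chosen = {}
    for system, rule_names in SYSTEMS.items():
        ok = [pw for pw in candidates if all(RULES[r](pw) for r in rule_names)]
        chosen[system] = ok[0] if ok else None
    return chosen

def distinct_needed(candidates: list[str]) -> int:
    return len({pw for pw in password_per_system(candidates).values() if pw})
```

With the post's candidates, the four constructed systems end up needing three distinct passwords, which is the count the post arrives at.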

So, the passwords are more secure now, as the probability of guessing them has just plummeted. But now a new risk is introduced: I CAN'T REMEMBER MY PASSWORD, SO NOW I HAVE TO WRITE IT DOWN.
Ok, I know security and IT folks hate to admit this, but it actually happens. In spite of the hours, days and years of security training, people are still writing down passwords.

Sure, you get the up-and-down nod from employees understanding the importance of protecting passwords, but that's just acknowledgement. The reality is, many of us can't remember multiple complicated assemblies of letters, numbers and symbols. The industry has given us no choice.

There is hope. In the past few years the Common Access Card and similar "who am I" technology has made passwords almost obsolete. All you need is to register the credentials and you can gain access. There are still some restrictions, such as those websites, internal networks, and other places or situations where such credentials aren't accepted or implemented. Until then, we just have to make do.

Can we eliminate the password requirement? There are other alternatives, such as password generators, answering security questions, or even a card with pre-loaded credentials that can be used in combination with a PIN to provide similarly strong security. These only require a single PIN to access a world of information. No need to remember complicated and multiple formulas.

The lesson here is, if it's in your control, don't make security too hard to work with. Protecting sensitive and personal data is very important and in most cases a contractual requirement. However, the methods are not always prescribed. This leaves room for alternative ways to protect information that are both easy for the user and safe for the information being protected. The relationship between user and information provides better protection.

For more security tips, keep following this blog or sign up for our newsletter. We also have great security training and books at www.redbikepublishing.com.

Jeffrey W. Bennett, ISP is the owner of Red Bike Publishing. He regularly consults, presents security training, and recommends export compliance and intellectual property protection countermeasures. He is an accomplished writer of non-fiction books, novels and periodicals. Jeff is an expert in security and has written many security books including "Insider's Guide to Security Clearances", "DoD Security Clearances and Contracts Guidebook", "ISP Certification-The Industrial Security Professional Exam Manual", and "NISPOM/FSO Training".

Tuesday, May 27, 2014

ISP Certification NISPOM Questions

Try your knowledge of the NISPOM and industrial security with these challenging questions:

1. Which of the following can the CSA approve when no other alarm response options are available:
a. Response by neighborhood watch
b. Monitor by hidden camera
c. Guarded by working dogs
d. Installation of wire security
e. Response by cleared employee

2. In the Protection Profile Table for Confidentiality, which Data Transmission is required for PL2?
a. Trans 1
b. Trans 2
c. Trans 3, 4
d. Trans 5
e. Trans 6

3. In the Protection Profile Table for Confidentiality, which System Assurance is required for PL1?
a. SysAssur 1
b. SysAssur 2
c. SysAssur 3, 4
d. SysAssur 5
e. SysAssur 6

4. In the Protection Profile Table for Integrity, which Backup and Restoration of Data is required for Basic?
a. Backup 1
b. Backup 2
c. Backup 3
d. Backup 5
e. Backup 6

5. Classified intelligence documents at a contractor facility shall be controlled according to NISPOM, with possible additional instructions from:
a. NRC
b. DNI
c. CSA
d. GCA
e. FSO

SCROLL DOWN FOR ANSWERS

1. Which of the following can the CSA approve when no other alarm response options are available:
e. Response by cleared employee (NISPOM 5-906d)

2. In the Protection Profile Table for Confidentiality, which Data Transmission is required for PL2?
a. Trans 1 (NISPOM Chapter 8 Table 5)

3. In the Protection Profile Table for Confidentiality, which System Assurance is required for PL1?
a. SysAssur 1 (NISPOM Chapter 8 Table 5)

4. In the Protection Profile Table for Integrity, which Backup and Restoration of Data is required for Basic?
a. Backup 1 (NISPOM Chapter 8 Table 6)

5. Classified intelligence documents at a contractor facility shall be controlled according to NISPOM, with possible additional instructions from:
d. GCA (NISPOM 9-305)

Find many more questions in Red Bike Publishing's Unofficial Guide to ISP Certification, and more NISPOM information in DoD Security Clearances and Contracts Guidebook and the print copy of NISPOM.

Wednesday, May 21, 2014

Communicating Your Security Message

NISPOM topics applying to the cleared contractor facility should be addressed as often as possible. Cleared employees may be very familiar with classified performance requirements, but may not always remember the countermeasures implemented at the facility to protect classified information. Though they may be excellent at marking documents or using derivative classification techniques to properly transfer a classification from a security classification guide to a classified report, they may still need to be reminded to attend security training, report suspicious information, or attend threat briefings. Excellence comes from day-to-day exposure. As their daily performance makes cleared employees experts in their fields, FSOs play a large role in bringing them to that same level of NISPOM compliance. Take the time to understand what training is needed and try to meet that need.

Three effective ways to communicate your security message:

1. Group presentations: a popular and fast way to train others is in a classroom environment. Many FSOs conduct this type of training using PowerPoint as the medium of choice. You can get a lot of great, applicable NISPOM information into a single presentation. Though the volume of information is high, the risk of the audience tuning out is just as probable. Keep your presentations alive with you as the focus. Use PowerPoint to reinforce your message, not to deliver the message. A few bullets with applicable images will do the trick. But don't make the PowerPoint do all of your talking. Eyes should be on you, with frequent glimpses at the charts to illustrate points, not narrate them. You can buy royalty-free images (like the picture accompanying this article) from online providers that are clear and catchy and download them for use in your presentations.

2. Multimedia messages: initial security training occurs when employees get their clearances, and security refresher training is an annual requirement per the NISPOM. However, training doesn't always have to be performed once a year. Instead of an hour-long command performance, try smaller and more frequent venues. A newsletter via print, electronic bulletin board or email is very effective. Just be sure to keep the message short and easy to read. Don't worry about trying to cram all the information into the communique at once. Try to make your point using a few bullet sentences or a few paragraphs with no more than 250 words. Even better, download some royalty-free images relating to the topic.

3. Personal touch: get up from your desk and visit the team. Relationships contribute tremendously to the protection effort. Develop relationships that allow you to interact with each of the groups or individuals. Cleared employees should look forward to seeing you at their door; better yet, they should seek out your advice. Such status comes from developing trust and value. Once it thrives, there's not much you won't be able to do. If you have employees working in IT, just follow them around. You'll see an incredibly valuable employee being sought out by others for software, hardware and network fixes. If you aren't yet at that level, consider partnering with someone who is. You might roam with the IT, safety or HR professionals, glean experience, and develop relationships based on ones they already have. You can then develop similar value as people learn to trust your input.

Understand what your message is and communicate it effectively. Some ways to build up your security program are to educate employees through training in the form of presentations, multimedia contact, and by developing relationships. Take time to understand where some of the NISPOM requirement weaknesses are and develop training to meet them. If you don't have your own NISPOM training presentations, SF 312, or derivative classification briefings, consider downloading ours.

Thursday, May 15, 2014

So, What Could Happen? Social Media and Security Clearances Further Review

Social media is a great way to stay connected. Before social media, when the world was so big, we relied on letters and phone calls. These were time-consuming endeavors to keep each other informed. If I went on a trip to Europe, I might be back stateside before friends and family ever received my postcards. Now that we have social media, the world has shrunk significantly and it only takes moments to share information. And we do that willingly.

As we go forward with the topic of security clearances and social media, let's leave the more direct investigation process behind for a moment and discuss continuous evaluation, the Defense Security Service annual review, and other less direct, but just as impacting, ways social media can affect a cleared employee's security clearance.

The continuous evaluation process is in place to ensure a cleared employee remains eligible for their clearance. Just think about how this system has been challenged as ineffective. Military, government and contractor employees with security clearances have committed atrocious acts. People who have been vetted with a security clearance have committed espionage, mass murder and terror.

The continuous evaluation process should identify and report problems that can lead to dangerous behavior. However, these interactions usually only occur at the office, where everyone is already so busy. In the continuous evaluation process, the behavior once demonstrated as trustworthy should continue as cleared employees perform on classified work.

Employees are relied upon to observe other cleared employees and report any information that might be reportable or suspicious. These are again related to the 13 security clearance adjudication criteria that reflect a person's trustworthiness. Most of this information is currently observed as employees serve at work. Does anyone show up under the influence? Is anyone suddenly displaying unexplained wealth? Is anyone staying late and using the copier a little more than normal? Are threats made or communicated? The chances of discovery are slim.

With social media the playing field is suddenly extended. Now we get a glimpse of a co-worker's after-hours activities. We might see posts from church, conferences or at play. We also might see them getting married, threatening enemies, bullying, travelling overseas, drinking every night or in a new relationship every week. Under this possibility, cleared employees could report information to their FSOs based on what is displayed on social media pages.

Consider the DSS annual review. They usually interview employees to determine whether or not there are security vulnerabilities with the security program or cleared employees. They might ask questions about travel, briefings, security awareness and the protection of classified information. In the future they might access information on employees associated with the cleared facility through social media. That would be an easy task, since most of us associate our profiles with our places of work. Now they could go in forearmed with information on foreign travel, changes in marital status, and more.

On the same topic, security clearance investigators could also use social media to research information on the subject of the investigation as well as develop character references. The information is available, and the ease of obtaining that information would be beneficial to the investigator.

DoD continues to find answers to the question "What happened?" as they look into and try to prevent espionage and terror too many times committed by our trusted insiders. To better vet cleared employees, changes will need to be made. These changes must achieve a more thorough "whole person" concept extending further into our observable behavior.

Enjoy the good life that your job has provided. But think seriously about what you want to post about yourself and how you want the world to perceive you. A little good judgment keeps you out of hot water. Bad decisions could possibly hold up or deny your chances of a security clearance.