Directorate of Information Management
USAG APG Computer-User Guide
15 September 2001
Summary. This pamphlet is a guide to using Government computers in the workplace. In support of information assurance, this guide prescribes procedures for using computers in a way that protects them against viruses and hackers.
Applicability. This pamphlet applies to all USAG APG military and civilian personnel who use Government computers in the workplace.
TABLE OF CONTENTS
1. Purpose
2. Your Computer as a Gateway to Information
3. What is the Common User Data Network and Internet Connectivity
4. How to Treat Your Computer
5. Personal Use and penalties for misuse of Government Computers
6. The Importance of Passwords
7. What are Viruses?
8. Detecting and Preventing Viruses
9. Local Email Policy
10. Chain-Mail, Virus Hoaxes, and Other Computer Hoaxes
11. Remote Access
12. Use of Hardware and Software
13. Reporting Computer-Security Incidents
14. Auditing Computer-User Activity
15. Monitoring
16. Prohibited Websites
17. User Agreement
18. Conclusion
Appendix
A. USAG APG Computer-User Agreement
B. Password Policy
C. EMAIL Policy
D. Army Wireless Policy
Glossary
USAG APG COMPUTER-USER GUIDE
1. Purpose
As a USAG APG computer user, your actions can greatly increase or decrease the integrity, availability, and confidentiality of information concerning national defense. Protecting that information is called "information assurance." This guide will help you understand and enforce information assurance by showing you how to recognize and avoid the hazards awaiting you once you enter the "information highway."
2. Your Computer as a Gateway to Information
Since almost all unclassified USAG APG computers are networked, your computer has access either through your local area network (LAN) or over the Internet to almost every unclassified computer in the entire Department of Defense (DOD). This internetworking of computers makes your computer a gateway to vast amounts of sensitive but unclassified information. The security of our networks is only as strong as the weakest link. As a user of a computer at USAG APG, you play a key role in ensuring the availability, confidentiality, and integrity of our data.
a. If you can get out, a hacker can get in. A basic premise of networked computing is that if you have access to the Internet through your computer, hackers have access to you.
b. Since your computer is "trusted" by other computers within the military domain, it provides access to various military networks. "Trusted" means that other computers recognize your computer as a Department of the Army computer. As such, you can obtain passwords and gain access to certain information not available to non-Army users. Based on that, your actions can put your computer, your unit's network, and all Army computer networks at risk. Your use of an Army computer therefore places a great deal of responsibility on your shoulders. You are directly responsible (along with others) for the security of the Army's computer networks.
3. What is the USAG APG Net and Internet Connectivity
The USAG APG network is a data network created for APG and tenants that is intended for transmission of only unclassified information. We use the APG Net to communicate throughout USAG. The APG Net is linked to the World Wide Web (the Internet). We therefore need to know who has access to the APG Net to protect ourselves against hackers. This is why we cannot allow users to create "backdoors" to the Internet through the APG Net. A "backdoor" is an unauthorized, unknown connection between the APG Net and the Internet. If, for instance, your computer is connected to the APG Net through a LAN and simultaneously connects to the Internet through a modem to a commercial Internet service provider, you are creating a "backdoor," which is strictly prohibited.
4. How to Treat Your Computer
a. Your computer is an important part of the toolkit you need to do your job. You therefore must treat your computer with care. One of the most important things you must do is keep the temperature and humidity correct in your office. Heat is your computer's worst environmental enemy. Exposing your computer to heat will shorten its lifespan and put your data at risk.
b. Do not eat or drink near your computer. Spilling soft drinks, coffee, or other liquids on your computer can damage it and destroy your files.
c. Keep your system clean and free of dust.
d. Do not disconnect your computer from its network. The small network connections are very fragile and very expensive.
e. Do not move your computer unless you first notify the APG DOIM service desk and are supervised by your system administrator (SA) or information assurance security officer (IASO). Most damage done to computers in the Army occurs while moving them. Computers also wind up missing after moves, so care must be taken to notify the hand-receipt holder of the computer's new location.
f. Do not turn your computer off at the end of the day. Most systems have RCO, or remote control, loaded from the DOIM. RCO allows the DOIM to automatically pass (unattended) the latest software updates to your computer and allows for remote monitoring. At the end of the day, or when leaving your computer unattended, simply log off and restart your system.
g. In many ways, you as a user can cause the biggest threats to your computer. Take care of your computer by following the above instructions and your computer will perform its many valuable functions for you day after day.
h. Change the default homepage in Internet Explorer to www.apg.army.mil or to a server that is local to your community; doing this assures you of network connectivity.
5. Personal Use of Your Government Computer
The regulations for appropriate and inappropriate use of Government computers are specifically spelled out in AR 380-19. These regulations also govern how you may use your Government computer for personal use. The U.S. Government provides you a computer to do your assigned duties. The taxpayer is not required to provide you free and unlimited Internet access. The rules are simple and clear. Government computers may be used only by Government employees for the following:
- Official business (a below).
- Authorized personal use (b below).
- Limited morale and welfare communications between deployed soldiers and their family members (c below).
a. Official business is that which is related to your official duties.
b. Authorized personal use is defined in the Joint Ethics Regulation (JER). Authorized personal use includes brief access and searches for information on the Internet and sending short e-mail messages.
c. The JER also requires commanders and supervisors to make every effort to ensure that personal use of Government computers--
(1) Does not adversely affect the performance of official duties.
(2) Is limited to reasonable durations and frequency and, when possible, done during off-duty hours.
(3) Serves a legitimate public interest, such as furthering the education and self-improvement of employees, improving employee morale and welfare, or job-searching in response to downsizing. Using Government computers to send e-mail between deployed soldiers and their immediate family members is authorized and strongly encouraged by USAG.
d. Personal use of Government computers must not overburden the communication system. Remember, in USAG the communication system is designed to support our soldiers and civilians, foreign and domestic.
e. Personal use of Government computers must not reflect adversely on DOD or DOD components. The JER specifically prohibits using Government computers for pornography, chain-mail, personal gain, or any action that violates another statute or regulation.
f. Other misuse of Government computers includes hacking or using hacker tools, visiting hacker websites, deliberately installing viruses on DOD computers, trying to mask or hide your identity, attempting to bypass security policy, and using Internet telephony or "streaming" audio/video websites (for example, keeping a web page open to receive hourly stock updates).
g. Penalties for misuse of Government computers range from courts-martial to nonjudicial and administrative actions, such as letters of reprimand for military personnel and time off to dismissal for civilian employees.
6. The Importance of Passwords
a. Your password is the key that gets you onto the information highway. While this key opens the vast world of various military networks and the Internet, it can also allow others access to the same information. Maintaining the security of your password is therefore one of the most important security precautions you must take as a user. See appendix B for the Password Policy.
b. The security of your password is important to maintaining the integrity of our networks. If your password is compromised, a computer intruder can access all data to which you have access. You should not write down your password, nor should you ever share your password with anyone. If someone obtains and uses your password, they could become "you" in the virtual world. You are responsible for anything that occurs on the network under your log-on name and password. If you share your password and someone logs on as you and then hacks a website or downloads a hacker tool, you could be held responsible.
c. As a computer user at USAG, you will have a unique log-on name and password for each computer account you use. USAG policy requires passwords to be alphanumeric, at least eight digits long and not form a word. You may not tamper with your computer to avoid the USAG password policy. Passwords must be changed every 6 months on unclassified systems, and every 3 months on classified systems or as dictated by local Threat Condition. Do not configure a shared directory without password protection. This would enable everyone with access to the shared computer to modify, delete, or download your files. No group passwords are authorized unless the DOIM IASO approves; the IASO grants approval only for operational requirements.
d. Passwords that do not conform to the standards in c above are very vulnerable to password-cracking programs continually used by hackers. Most cracker programs compare passwords to words in dictionaries. If your password is made up of words or acronyms, the program unscrambles your password and gives the hacker access to your computer. Once hackers gain access to your computer, they have access to much of the DOD network. Password protection is therefore essential.
The current DOIM policy on password age is 90 days (see Password Policy).
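The rules in c and the dictionary comparison described in d can be checked before a password is accepted. The following is an added example, not part of the original pamphlet or any DOIM tool: a Python check that a candidate password is alphanumeric, at least eight characters long, and does not reduce to dictionary words. The word list, the substitution table, and the reading of "alphanumeric" as letters and digits with at least one of each are assumptions.

```python
import re

# Constructed sample word list (assumption); a real check loads a full dictionary.
SAMPLE_WORDS = frozenset({"army", "garrison", "password", "welcome", "tank", "apg", "doim"})

# Digit-for-letter substitutions undone before the dictionary comparison (assumed set).
SUBSTITUTIONS = str.maketrans("013457", "oleast")

MIN_LENGTH = 8  # "at least eight" from the policy text, read here as characters


def _splits_into_words(letters, words):
    """True if `letters` is one dictionary word or a concatenation of several."""
    if not letters:
        return False
    reachable = [True] + [False] * len(letters)
    for end in range(1, len(letters) + 1):
        for start in range(end):
            if reachable[start] and letters[start:end] in words:
                reachable[end] = True
                break
    return reachable[-1]


def forms_word(password, words=SAMPLE_WORDS):
    """Dictionary comparison of the kind paragraph d attributes to cracker programs."""
    lowered = password.lower()
    core = lowered.strip("0123456789")  # drop leading/trailing digit padding
    candidates = {
        # Digits used as padding, e.g. "ArmyTank2001" -> "armytank"
        re.sub(r"[^a-z]", "", lowered),
        # Digits used as letters, e.g. "p4ssw0rd" -> "password"
        re.sub(r"[^a-z]", "", core.translate(SUBSTITUTIONS)),
    }
    return any(_splits_into_words(c, words) for c in candidates)


def check_password(password, words=SAMPLE_WORDS):
    """Return the list of policy violations; an empty list means the password passes."""
    violations = []
    if len(password) < MIN_LENGTH:
        violations.append("too_short")
    has_letter = any(ch.isalpha() for ch in password)
    has_digit = any(ch.isdigit() for ch in password)
    if not (password.isalnum() and has_letter and has_digit):
        violations.append("not_alphanumeric")
    if forms_word(password, words):
        violations.append("forms_word")
    return violations


if __name__ == "__main__":
    # Constructed sample passwords for demonstration only.
    for sample in ("Welcome1", "p4ssw0rd", "ArmyTank2001", "tank7", "k7Rm2xQ9vB"):
        print(sample, check_password(sample) or "ok")
```

Passwords such as "Welcome1" satisfy the length and character rules yet still fail, which is the case paragraph d warns about.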
7. What are Viruses?
a. Computer viruses are programs that corrupt and damage programs and data. A program does not have to perform malicious actions to be a virus; it only needs to infect other programs. Almost all viruses, however, perform malicious actions. Deliberately introducing "malicious logic" (the technical term for viruses and other malicious programs) into any Government information system is a Federal crime for any soldier, DOD employee, or contractor. Withholding information needed to effectively implement countermeasures or antivirus protection is also against the law.
b. How do viruses get into your computer? Viruses can invade a system through any normal means of communicating, transferring, or sharing information (for example, through diskettes, CD-ROMs, modems, network interfaces, communication ports). The most common means of spreading a virus is through e-mail. Viruses that are spread through e-mail are inserted into files, which are sent as e-mail attachments. Remember that the virus is not in the body of the e-mail; it is in the attachment. Opening the attachment releases the virus. This is the most common method of spreading new viruses; users therefore need to be very careful when receiving e-mail attachments. Some viruses compromise the confidentiality of data and clog the e-mail system, hindering the availability of data. Other viruses use personal address books to spread. When, for example, a user opens an infected e-mail attachment, the virus sends the attachment to the first 50 addresses in the user's address book. More recent and more destructive viruses erase a variety of files, including Word documents, Excel spreadsheets, and PowerPoint slides.
c. Many macro viruses exist. They are written for Word macro language and are spread through Word documents. This is a very serious problem, since we exchange so many Word documents by e-mail; as soon as the attached document is opened, the virus is activated. The more creative macro viruses use your personal address book or in-box to rapidly spread the virus by e-mail. The Melissa virus was spread worldwide in a matter of days. The speed at which new viruses can be spread by e-mail can cripple an entire e-mail system by generating more messages than the system can handle. If you receive an e-mail message with a suspicious attachment, scan the attachment for viruses using your antiviral software before opening it; if you require assistance with this procedure, contact the DOIM help desk. If you are still concerned, do not open the attachment; instead, contact your IASO.
8. Detecting and Preventing Viruses
a. We have talked about viruses and what they can do once they have infected your computer. The best course of action is to prevent them from infecting your computer in the first place.
Virus protection is remotely loaded and administered by APG DOIM. If in question about whether you have antiviral software installed, contact the DOIM help desk.
b. Even when taking the best precautions, viruses can still occur. They are not always immediately identifiable. Here are some things that may indicate the presence of a virus:
(1) Abnormal displays or banners.
(2) Your computer's performance slows down.
(3) Unusual activity, error messages, changes in file sizes, and loss of programs or data.
c. The above symptoms do not always mean that your computer has a virus. You need to be aware, however, of these abnormalities and report them to your IASO as soon as they occur.
e. Diligent use of antiviral software by all users of Government computers is the best way to prevent damage to USAG networks and data by viruses. Antivirus software companies are constantly updating their product. If every user of USAG networks kept their antiviral software up-to-date, the number of viruses would drop dramatically. When a recent virus struck, our computer users were doing a very poor job updating their antiviral software. We therefore had thousands of reported cases of the virus. When a later virus hit, we had fewer than one hundred reported cases in USAG. By keeping your antiviral software up-to-date, you will most likely never suffer the problems caused by viruses.
f. If you find a virus, contact the DOIM service desk or IASO immediately. Prompt reporting of viruses can lessen their effect by giving security officers time to warn coworkers, who can then check their computers for the virus. If you have a new virus, chances are good that others in your organization will have the same virus. If your system is infected, first make sure you have the most current version of antivirus software. Then disinfect all files. If you are unsure how to use the antivirus software, get help from an expert. Improper use of the software may fail to find all viruses. If you have a virus, try to determine the source. The IASO can then notify the sender, who can clean the virus and lessen the chance of further spreading the virus. Always re-scan to make sure all viruses have been eliminated. We will never be completely free of viruses, but with the correct measures, we can do a better job of controlling them.
Make sure you have current anti-viral software installed, scan all diskettes, and be sure not to open suspicious e-mail attachments.
9. Local Email policy
10. Chain-Mail, Virus Hoaxes, and Other Computer Hoaxes
a. The Internet is constantly flooded with bogus information (for example, messages about potentially damaging viruses, notices that Bill Gates will send you money for forwarding e-mail to others, messages about people waking up in bathtubs filled with ice in strange hotels without their kidneys). While some real information may be mixed in with these hoaxes and urban legends, it is unlikely. The best course of action on receipt of these types of messages is to delete them without reading them. The premise behind a hoax is that it will stimulate the reader to get emotionally involved (for example, by making the reader angry, afraid, eager for money offered) and immediately forward the message to everyone the reader knows or can reach through a Global Address List. That creates "chain-mail," which in turn creates bottlenecks of electrons in our e-mail and other network servers, slowing them down. Chain-mail can even cause network servers to "crash." Because of this threat to our systems, you are strictly forbidden to forward hoax messages to anyone except your IASO or to the RCERT. Remember, Bill Gates is not going to send you money if you forward an e-mail message to thousands of people; but the Army might take some of your money if you do.
b. Virus hoaxes are not real viruses, but they can be harder to get rid of than real viruses. Virus hoaxes and other e-mail hoaxes take up space on e-mail servers, use up network bandwidth, and waste time. Virus hoaxes are more common (and sometimes more time-consuming) than actual viruses. They usually take the form of e-mail warnings sent to large numbers of people to warn them about nonexistent viruses. Before you forward warnings such as these to the RCERT or to your IASO, read the Hoaxes & Scams page on the RCERT web page (http://www.rcert-c.belvoir.army.mil).
c. If you receive a warning and are not sure if it is real, do not send it to everyone you know; forward it to your IASO. Here are some common hoaxes:
- Telephone Scam-Request to Forward
- Join the Crew
- Penpal Hoax
- AIDS Hoax
- Bill Gates $1000 chain-mail
- Bill Gates/Windows 98 chain-mail
- Yahoo! World Domination Virus
- Win-a-Holiday
- Bud Frogs Screen Saver
- Tommy Hilfiger
- BUDDYLST.ZIP
d. When any of the items above are forwarded to large numbers of users, they use up bandwidth, take up space on e-mail servers, and mislead recipients. Forwarding chain-mail and hoaxes violates the JER and Army policy. Data networks were designed to support the warfighter at USAG; forwarding chain-mail does just the opposite by causing systems to overload and fail, thus putting our soldiers at risk by blocking their ability to communicate.
11. Remote Access
Remote access will only be accomplished by a RADIUS-compliant server such as TSAC as authorized by the DOIM.
12. Use of Hardware and Software
a. Software. Software used on Government computers must be licensed, accredited, and approved by your organization. You may not load any games on your computer. All software on your computer must meet standards established by the DOIM.
b. Hardware. Any hardware you use must be accredited. As the user, you must maintain property accountability. You cannot install and use your own hardware at work. Any hardware your unit buys must meet Army accreditation standards and be accounted for properly. All hardware will be approved by the DOIM prior to installation.
13. Reporting Computer-Security Incidents
a. Users must report any suspected individual computer-security incidents to their IASO or, in the absence of the IASO, to the organization's information assurance security manager (IAM). IASOs report to IAMs.
b. Users must report all network-security incidents to their IASO. If you think you observed a network-security incident, report it to your IASO and let the IASO determine whether or not it requires further investigation.
c. Users are often the first in the command to recognize a new virus. Reporting viruses to your IASO or IAM as soon as you detect a virus will greatly increase the chances of catching and stopping the virus from spreading any further. Other users can be warned and, subsequently, update their antivirus software and scan their system for any new viruses. Early reporting of viruses also gets the word to computer users not to open e-mail attachments that contain the virus; warnings such as these are the best way to limit the spread of viruses that are transmitted in attachments.
d. Users are also among the first to notice intrusions by hackers. Some indications of a possible intrusion are seeing a web-browser open on your screen without your having opened it, noticing your CD-ROM drive trying to read a compact disk (CD) without your prompting it, or finding that your files are mysteriously being deleted or moved. If any of these things are happening, you may be the victim of a hacker and must report the incident to your IASO or IAM immediately.
14. Auditing Computer-User Activity
a. Auditing is defined as the independent review and examination of records and activities to assess the adequacy of system performance and controls, to ensure compliance with established policy and operational procedures, and to recommend necessary changes in controls, policy, or procedures.
b. Auditing has four goals:
(1) Review computer use.
(2) Reveal repeated attempts to bypass computer-protection mechanisms.
(3) Deter attempts to bypass security mechanisms and deter unauthorized use of computers.
(4) Provide a record of computer-user activity.
c. Auditing must allow for review of--
(1) Access patterns to individual files.
(2) Access histories of specific processes.
(3) Use and effectiveness of various protection mechanisms supported by the system.
d. Auditing records all known attempts to bypass security mechanisms. The IASO needs assurance that auditing will identify attempts to gain access or permission to system files or other restricted information on the system. The audit trail is a set of records containing the history of the activities occurring on a system. Audit trails provide multiple services. They are used to detect and deter penetration of a computer system and to reveal use that identifies misuse. Audit trails cover all applications on the system (for example, word-processing, e-mail, web-traffic, databases, access to shared directories). Audit trails also record events by date, time, user identity, location, and the file in use.
e. Official audits must be done by someone other than the user. Even the most secure system is vulnerable to attack. Auditing provides an excellent way of determining whether or not such attacks may take place and, if so, how.
f. Auditing allows your organization to perform two very useful security functions: surveillance and reconstruction. Surveillance is the monitoring of user activity. Surveillance includes log-ons and log-offs, remote-system access, logs of web-activity, opening and closing files, changes in privileges, changes in security attributes, and changes in user access. If the audit program is configured correctly, the IASO will be able to reconstruct all activity during specific times by specific users.
15. Monitoring
Your use of a Government computer constitutes consent to monitoring. When you click OK on the warning banner, which opens when you start your computer, you are giving your consent to having your computer monitored. Your Government computer is provided to you for authorized use only. Government computers are monitored to ensure that use is authorized and that users follow security procedures. Monitoring is also done to see if hackers have gained access to computers. Privacy does not exist on Government computers; users should therefore not expect it.
16. Prohibited Websites
a. USAG has the right to block users from accessing certain websites (for example, those devoted to pornography and hate speech). A large number of non-mission-essential websites in various geographic regions (for example, Iraq, Serbia) have also been blocked. Remember, the USAG telecommunications network is intended primarily to support the warfighter; personal use of Government computers hinders that support by overburdening the system. The USAG Net is designed to handle authorized data, without having to accommodate personal web surfing.
17. User Agreement
Appendix A is an agreement between you and the U.S. Government concerning use of Government computers. Before you log onto your computer, you will be required to read and sign the agreement. Your signature acknowledges your understanding of and agreement to support Army and USAG policy on the use of Government computers. Your signature also makes you accountable for every transaction that occurs on your computer account. Your IASO will provide you with the proper form and ask you to sign it before issuing you a password. If you refuse to sign, you will not be given access to USAG computer networks.
18. Conclusion
a. As a USAG computer user, you play a key role in protecting the integrity, availability, and confidentiality of USAG data. To recap:
- Guard your password.
- Follow the rules on personal use of your computer.
- Never forward chain-mail or computer hoaxes.
- Keep your antivirus software up-to-date.
- Report viruses and all other network-security incidents to your IASO.
b. Taking the steps listed above will help you ensure that your computer and all networks to which your computer is connected are safe. In doing so, you will not only be protecting yourself, you will be protecting the entire command.
APPENDIX A
USAG COMPUTER-USER AGREEMENT
APPENDIX B
Password Policy
APPENDIX C
Remote Access
APPENDIX D
Software Policy - Awaiting Final policy
APPENDIX E
E-MAIL Policy
GLOSSARY
Abbreviations
CD - compact disk
CD-ROM - compact disk, read-only memory
USAG APG Net - APG Net description
DA - Department of the Army
DOD - Department of Defense
IAM - information systems security manager
IASO - information assurance security officer
JER - Joint Ethics Regulation
LAN - local area network
RCERT - Regional Computer Emergency Response Team
SA - system administrator
SDN - Secure Data Network
TNOC - Theater Network Operations Center
URL - uniform resource locator
U.S. - United States
USAG - United States Army Garrison
Terms
For explanations of terms used in this pamphlet, see your servicing system administrator, information systems security manager, or information systems security officer.