The White Sands Missile Range G-6 Cyber Security team has recently developed a faster, more efficient, and concrete method of catching and suspending users who do not follow the WSMR Acceptable Use Policy.
The policy outlines what users can and cannot do while logged onto a WSMR computer system. Violations of the AUP, which every user must sign before accessing the network, include viewing pornographic material, accessing gambling sites, downloading executable files, and excessive use of dating sites. WSMR Information Systems Security Manager Roberta Martinez stated that in 2011 there were approximately 100 AUP violations. Since then, the number has dropped sharply to about 30 a year.
Though the numbers have dropped significantly, AUP violations continue to occur. Martinez said her team usually sees a rise in violations during the holidays, when the workflow slows down, and from areas that staff 24-hour operations.
“We’ve stepped up our network monitoring and we’ve stepped up the way we respond,” Martinez said. “I believe the overall reduction is due to our increased monitoring activities and in recent years, command support through written policy letters.”
Accessing unapproved websites can bring malicious code onto a user’s computer. Because all user computers are connected to a shared network, malicious code on one machine then becomes a threat to the entire network.
The Scan Team does have the ability to monitor browsing and downloading activity; however, their monitoring is alert-based. Once a user continues to access the same site for long periods of time, downloads executable files, or does anything else in violation of the AUP, the Scan team is alerted. “We leverage tools configured to alert us when they detect abnormal traffic,” a team member said.
The team also has web monitoring software that can look at specific categories, web proxies that filter based on notifications, and a Network Identification Intrusion Detection System that can monitor communication from the inside world to the outside world. Other systems that offer virus protection can also see what users were attempting to do on their computers. Rogue System Detection can detect devices plugged into network computers that are not on the access control list. Team members are also able to access files that were deleted. Each separate system has a host-based intrusion system through which team members get alerted on suspicious activity, the team member said.
Business- or banking-related sites will not register. Social media sites are allowed during breaks. Sites that are accessed in error will not trigger an alert. Martinez said the activity monitoring currently in place alerts her team to the use of unapproved or blocked sites and can provide concrete evidence linking the user to the violations.
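The alert rules described above (an executable download alerts on the first hit; a blocked-category site alerts only when the user keeps returning to it, so a site opened in error stays silent; business and banking traffic never registers; the evidence ties back to the user, with session length and any photo downloads) can be expressed as a small proxy-log triage. The following is an added example written for this page, not WSMR tooling; the log format, category labels, file-extension lists and the sustained-access thresholds are assumptions, and the log lines are constructed.

```python
"""Alert-based proxy log triage modelled on the monitoring described above.

Added example, not WSMR's tooling. The log format, the category names the
proxy assigns, the suffix lists and the thresholds are all assumptions.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime

# Categories the AUP names as violations (assumed proxy labels).
VIOLATION_CATEGORIES = {"pornography", "gambling", "dating"}
# Business and banking traffic never registers, per the article.
EXEMPT_CATEGORIES = {"business", "banking"}
EXECUTABLE_SUFFIXES = (".exe", ".msi", ".bat", ".cmd", ".ps1", ".scr", ".dll")
PHOTO_SUFFIXES = (".jpg", ".jpeg", ".png", ".gif")

# Constructed sample proxy log (not real data). Space-separated fields:
# ISO timestamp, user, proxy category, host, path, bytes transferred.
SAMPLE_LOG = """\
2014-12-22T09:01:10 jdoe banking bank.example.com /login 4120
2014-12-22T09:05:00 jdoe business intranet.example.mil /docs/plan.pdf 220000
2014-12-22T10:00:00 asmith gambling bet.example.net / 1500
2014-12-22T10:05:00 asmith gambling bet.example.net /games 1600
2014-12-22T10:12:00 asmith gambling bet.example.net /photos/pic1.jpg 90000
2014-12-22T10:20:00 asmith gambling bet.example.net /games/table 1700
2014-12-22T11:00:00 bjones dating date.example.org / 900
2014-12-22T11:30:00 cwu software dl.example.com /tools/setup.exe 1048576
"""


@dataclass
class LogEntry:
    ts: datetime
    user: str
    category: str
    host: str
    path: str
    size: int


@dataclass
class Alert:
    user: str          # the profile the evidence is tied to
    reason: str
    host: str
    first_seen: datetime
    last_seen: datetime
    hits: int
    photos: int        # image downloads from the flagged site


def parse_line(line: str) -> LogEntry:
    ts, user, category, host, path, size = line.split()
    return LogEntry(datetime.fromisoformat(ts), user, category, host, path, int(size))


def triage(log_text: str, sustained_minutes: int = 10, min_hits: int = 3) -> list:
    """Return one Alert per trigger seen in the log.

    An executable download alerts immediately. A violation-category site
    alerts only once the same user has hit the same host at least min_hits
    times across at least sustained_minutes; a single hit (a site opened in
    error) produces nothing. Exempt categories are never examined.
    """
    alerts = []
    sessions = defaultdict(list)  # (user, host) -> entries in a violation category

    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        e = parse_line(raw)
        if e.category in EXEMPT_CATEGORIES:
            continue
        if e.path.lower().endswith(EXECUTABLE_SUFFIXES):
            alerts.append(Alert(e.user, "executable download", e.host, e.ts, e.ts, 1, 0))
            continue
        if e.category in VIOLATION_CATEGORIES:
            sessions[(e.user, e.host)].append(e)

    for (user, host), entries in sessions.items():
        entries.sort(key=lambda x: x.ts)
        span_minutes = (entries[-1].ts - entries[0].ts).total_seconds() / 60
        if len(entries) >= min_hits and span_minutes >= sustained_minutes:
            photos = sum(x.path.lower().endswith(PHOTO_SUFFIXES) for x in entries)
            alerts.append(Alert(user, f"sustained {entries[0].category} access", host,
                                entries[0].ts, entries[-1].ts, len(entries), photos))
    return alerts


if __name__ == "__main__":
    for a in triage(SAMPLE_LOG):
        print(f"{a.user}: {a.reason} on {a.host} "
              f"({a.hits} hits, {a.photos} photos, {a.first_seen:%H:%M}-{a.last_seen:%H:%M})")
```

Run against the constructed log, jdoe (banking and business) and bjones (one dating hit) produce nothing, asmith is flagged for twenty minutes of gambling-site access including one photo download, and cwu is flagged on the single executable download. The thresholds are the tunable part: too low and a mis-click alerts, too high and a short session slips through.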
“There’s really no such thing as a false positive … we verify 100 percent. It’s all tied to their profile and we can see how long they were on the sites and if they downloaded any photos. You can’t hide it,” Martinez said. “Users are under the impression that we actively seek violations, but that’s not the case; it’s actually something we get alerted to through automated tools.”
If a user is caught with an AUP violation, the user’s network access is suspended for three days on the first offense, 30 days on the second offense, and indefinitely on the third offense. Any further disciplinary action depends on the supervisor.
“Once we respond to an incident the system has to get pulled off the network for further investigation,” Martinez said. On average it takes about 80 man-hours to investigate an AUP violation, plus anywhere from three to 30 days of lost productivity for the user. It takes three to five days for the forensics Scan team to analyze the hard drive and prepare reports. From there, Martinez said, the system has to be rebuilt, and the user may or may not get the data back.
“We cannot allow a compromised system back on the network,” Martinez said.
Any violation, whether first or third offense, requires users to retake Cyber Awareness training and sign another AUP.
Last year there were two users who reached their third violation and had their network access revoked. Martinez said the demographic for offenders varies and does not apply to one specific group. Martinez urges users to take proper precautions when on the network, to read and understand the AUP, and to understand that they are using a shared network.
“Use your common sense. You can’t get away with it, you’re eventually going to get caught,” Martinez said. “You never know what can come in. With the amount of cyber-attacks it’s more important than ever to practice good cyber security. It’s all about network security, that’s why it’s a serious issue.”
“We’re not the bad guys we’re just trying to keep the network safe,” a Scan team member added.