Online Safety and Security Tips and Resources

Social media is a great tool for staying connected and keeping in touch with friends, family and coworkers, but members of the military should be cautious about how much personal information they share. Virginia National Guard personnel and their families should take time to review the settings on their social media accounts and remember operational security in their online activities.

Key online safety and security recommendations:

  • All Virginia Army National Guard, Virginia Air National Guard, Virginia Defense Force, federal and state civilian employees as well as family members are encouraged to ensure privacy settings on social media accounts or online forums are adjusted to limit the amount of available personal information.
  • All personnel are encouraged to remove personal details such as physical addresses, email addresses and phone numbers from their online or social media accounts.
  • Remember that each service component and unit may have special OPSEC considerations depending on their mission, so check with your chain of command for more specific guidance.

“We should all take the warnings about social media security seriously, and I encourage all of our uniformed personnel, civilian employees and their families to review their social media accounts,” said Brig. Gen. Timothy P. Williams, the Adjutant General of Virginia. “We should not abandon our online identities and our efforts to communicate by platforms like Facebook, Twitter and LinkedIn, but we do need to be smart and vigilant about how we operate in cyberspace.”


Social Networking Safety Tips from the U.S. Army Criminal Investigation Command Computer Crime Investigative Unit

Download the PDF:
http://www.cid.army.mil/documents/CCIU/2can/SocialNetworkingSafetyTips.pdf

Overview:

Social networking sites allow people to interact with others and find people with similar interests or backgrounds. Social networking sites enjoy worldwide popularity, underscoring the need to understand potential risks associated with the use of these sites. A person’s online activities may inadvertently expose excessive information about their identity, location, relationships, and affiliations, creating an increased risk of identity theft, stalking, or targeted violence.

A safer social networking experience is available by accepting some basic assumptions and following a few recommendations.

Assumptions:

  • Once something is posted on a social networking site, it can quickly spread. No amount of effort will erase it – the Internet does not forget.
  • You are not anonymous on the Internet.
  • There are people on the Internet who are not who they purport to be and will take advantage of you if afforded the opportunity.
  • Participating in more social networking sites increases your attack surface and overall risk.
  • Everyone on the Internet can see what you post, from where you post it, who your friends and associates are, the comments your friends make and your “witty” replies.
  • An embarrassing comment or image will come back to haunt you…one day…when you least expect it…at the least opportune time.
  • There is a complete record of your online activity…somewhere.

Recommendations:

  • Do not post anything you would be embarrassed to see on the evening news.
  • Do not accept friend/follower requests from anyone you do not know; independently verify identities.
  • Avoid using third-party applications; if needed, do not allow them to access your social networking accounts, friends list or address books.
  • Do not post personally identifiable information.
  • Be cautious about the images you post. What is in them may be more revealing than who is in them. Images posted over time may form a complete mosaic of you and your family.
  • Do not allow others to tag you in images they post. Doing so makes it easier to locate you and to accurately construct your network of friends, relatives and associates.
  • Securely configure your social networking accounts to minimize who can see your information.
  • Do not use check-ins. If check-ins are enabled, disable them. Do not post your specific location.
  • Be cautious when accessing online accounts from public Wi-Fi connections. Someone might have installed software capable of capturing your login credentials and other sensitive information.
  • Do not use the save password, remember me or keep me logged in options from public or shared computers.
  • Limit social networking to personal use.
  • Do not use the same password for all of your accounts. Make sure the passwords for your financial sites are not permutations of your other passwords.
  • Do not use your social networking site to login to other sites. Create another user account on the new site instead.
  • Use strong, unique passwords. Consider passphrases for an additional level of safety.
  • Keep anti-virus software current.
  • Do not arrange meetings with people you meet online.

Information from the Defense Media Activity Guide To Keeping Your Social Media Accounts Secure:
Social media is an integral part of the strategic communications and public affairs missions of the Department of Defense. Like any asset, it is something to defend and protect with vigilance. Cyber attacks are a real and present threat to the cyber security of government social media accounts. In this guide you will find the steps and contacts needed in order to be protective, preventative, prohibitive and proactive against cyber-attacks.

If you suspect that your organization is being targeted or compromised by a malicious cyber-attack, you must be proactive and swift to mitigate this threat. The steps you take can greatly reduce your organization's risk of exposure and its vulnerability to attack.

Protective measures:

  • Use a strong password: at least 20 characters long, and either randomly generated (like LauH6maicaza1Neez3zi) or a random string of words (like “hewn cloths titles yachts refine”). Use a unique password for each website or service you use; that way, if one account gets compromised, the rest are safe.
  • Use a government e-mail address, also with a strong password. A .gov or other private-domain account will generally be more secure than a public service, and will reduce the possibility of password-reset and other emails being intercepted. If you must use a public email provider, consider added precautions such as Gmail’s two-factor authentication.
  • Don’t give your username and password out to untrusted third parties, especially those promising to get you followers or make you money.
  • Select third-party applications with care. There are thousands of applications built by external developers that allow you to do an array of neat things with your account. However, you should be cautious before giving up control of your account to someone else. Revoke access for any third-party application that you don’t recognize by visiting the Applications tab in your account settings.
  • Make sure your computer and operating system are up to date with the most recent patches, upgrades, and anti-virus software, and that all your computers and mobile devices are protected by secure passwords.
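
The two password styles recommended in the first bullet above, generated with a cryptographically secure random source and compared by entropy. This is an added example, not part of the Defense Media Activity guide; the function names and the 16-word demo list are constructed for illustration, and 7776 is the size of a typical dice-generated word list.

```python
import math
import secrets
import string

# 62 symbols: the character set of the guide's sample random password.
ALPHABET = string.ascii_letters + string.digits

# Constructed 16-word list for demonstration only. A real list should hold
# thousands of words; this one yields just 4 bits of entropy per word.
DEMO_WORDS = ["amber", "basin", "cedar", "delta", "ember", "fjord", "glade",
              "haven", "islet", "jetty", "knoll", "ledge", "marsh", "notch",
              "oasis", "plume"]


def random_password(length=20):
    """Random password drawn uniformly from ALPHABET using the OS CSPRNG."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def passphrase(wordlist, n_words=5):
    """Space-separated passphrase; each word is drawn independently."""
    words = sorted(set(wordlist))  # duplicates would overstate the entropy
    if len(words) < 2:
        raise ValueError("word list needs at least two distinct words")
    return " ".join(secrets.choice(words) for _ in range(n_words))


def entropy_bits(choices, picks):
    """Entropy in bits of `picks` independent uniform draws from `choices`."""
    return picks * math.log2(choices)


def words_needed(list_size, target_bits):
    """Smallest word count whose passphrase entropy reaches target_bits."""
    return math.ceil(target_bits / math.log2(list_size))


if __name__ == "__main__":
    print("random password:", random_password())
    print("demo passphrase:", passphrase(DEMO_WORDS))
    target = entropy_bits(len(ALPHABET), 20)
    print(f"20 random characters: {target:.1f} bits")
    for size in (len(DEMO_WORDS), 2048, 7776):
        print(f"{size}-word list: 5 words = {entropy_bits(size, 5):.1f} bits, "
              f"{words_needed(size, target)} words match 20 random characters")
```

The strength of a word-based password depends on the size of the list the words are drawn from, which is why the words must be chosen by a random generator from a large list rather than picked by hand.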

Preparation checklist:

  • Change your Twitter account passwords. Never send passwords via email, even internally.
  • Keep your email accounts secure. Twitter, Facebook, Google+, etc. use email for password resets and official communication. Change your email passwords, and use a password different from your social media account passwords.
  • Review your authorized applications. Log in to Twitter or Facebook and review the applications authorized to access your accounts. If you don’t recognize any of the applications on Twitter, contact them immediately by filing a security ticket and emailing hacked@twitter.com.
  • Use extra security features. This will help keep your accounts protected. Facebook has a whole section on how to do that located here.
  • Build a plan. Create a formal incident response plan. If your organization is a target for a phishing campaign or has been hacked, you’ll be prepared to take action and resolve the issue immediately.
  • Talk with your security team about ensuring that your email system is as safe as possible.
  • Minimize the number of people who have access to the account. Even if you use a third-party platform to avoid sharing the actual account passwords, each of these people is a possible avenue for phishing or other compromise.
  • Log out of Facebook and Twitter when you use a computer you share with other people. If you forget, you can log out remotely.
  • Check for signs of compromise. Checking your email address and authorized apps weekly or monthly can help detect unauthorized access and address the problem before access is abused.
  • Change your password regularly. Changing your social media passwords quarterly or yearly can reset the clock if a password has leaked.
  • Using a Password Manager integrated into your browser can help prevent successful phishing attacks.
  • Third-party solutions such as 1Password or LastPass make it much easier to use a very strong password. Password managers, as well as the browser’s built-in password manager, will only auto-fill passwords on the correct website. If the password manager does not auto-fill, this might indicate a phishing attempt.

IF YOU SUSPECT YOUR ACCOUNT IS COMPROMISED, the following actions are advised:
1. Notify your chain of command immediately
2. If possible, suspend all accounts to prohibit further illicit activity
3. Take the following action on the following platforms to stop the hack from proceeding

—–

Full text of National Guard Bureau Social Media Guidance:

Background: National Guard military and civilian members are encouraged to use social media to share their experiences and conduct themselves online in a safe and professional manner worthy of their status and calling to support and defend the American people.

Official Use: Official online posts involve content released in an official capacity by a National Guard public affairs office. Official contact information, such as official duty telephone numbers or postal and email addresses, should be used to establish official-use accounts when such information is required. Posting internal documents or information that the National Guard has not officially released to the public is prohibited, including memos, emails, meeting notes, message traffic, white papers, public affairs guidance, drill weekend or other training guidance, pre-decisional materials, investigatory information and proprietary information.

Personal Use: National Guard members are personally responsible for all the content that they publish on social media networking sites, blogs or other websites. Personal contact information, such as personal telephone numbers or postal and email address, should be used with discretion to establish personal-use social media accounts. Guard members must comply with their State, Territory or District guidelines and with Army or Air Force guidelines for use of social media. When assigned to a federal mission, Guard members are subject to disciplinary action under the Uniform Code of Military Justice. Guard members should be mindful that reviewing posts on public and social networking sites may be used as a part of character evaluations and background checks for security clearances.

Tips on Using Social Media

  • Guard members may identify themselves as Guard members and include their rank, military component and status. However, if they decide not to identify themselves as Guard members, they should not disguise or misrepresent their identity or affiliation with the National Guard.
  • When expressing personal opinions, Guard members should make it clear that they are speaking for themselves and not on behalf of the National Guard. They are also encouraged to use a disclaimer such as: “The postings on this site are my own and don’t represent the National Guard’s positions or opinions.”
  • As with other forms of personal public engagement, Guard members must avoid offensive and inappropriate behavior that could bring discredit upon themselves and the National Guard. This includes posting any defamatory, libelous, obscene, abusive, threatening, racially or ethnically hateful or otherwise offensive or illegal information or material.
  • Correcting errors and misrepresentations made by others about the National Guard should be done professionally and respectfully, not emotionally. Guard members should contact their chain of command or public affairs office for guidance if they are uncertain about the need for a response.
  • When posting political content, Guard members must adhere to policy in Department of Defense Directive 1344.10. They also should not imply National Guard endorsement of any opinions, products or causes other than those already officially endorsed by the National Guard.
  • Guard members should use privacy settings on social networking sites so only their “friends” can view their photos and updates. They should also recognize that social network “friends” and “followers” could affect determinations in background investigations for security clearances.
  • The National Guard, Army or Air Force logo and other symbols may be used in unofficial posts as long as the symbols are used in a manner that does not bring discredit on the Guard, result in personal financial gain or give the impression of official or implied endorsement.

Safety

  • Guard members should not release personally identifiable information, such as Social Security number, home address or driver’s license number, that could be used to distinguish their individual identity or that of another Guardsman.
  • Guard members are also not allowed to release National Guard email addresses, telephone numbers or fax numbers not already authorized for public release. By piecing together information provided on different websites, criminals can use information to impersonate Guard members and steal passwords.
  • Guard members should not post information that would infringe upon the privacy, proprietary or personal rights of others or use any words, logos or other marks that would infringe upon the trademark, service mark, certification mark, or other intellectual property rights of the owners of such marks without permission of the owners.
  • Finally, Guard members should review their accounts daily for possible use or changes by unauthorized users and should install and maintain current anti-virus and anti-spyware software on their personal computers.

The Air Force offers the following tips to make it more difficult for unwanted users to acquire your data through social media:

• Be cautious when accepting friend requests and interacting with people online.

• You should never accept a friend request from someone you do not know, even if they know a friend of yours.

• Don’t share information you don’t want to become public. Remember, once you put something out there, you can’t control where it goes.

• Disable location-based social networking, or geotagging, on all social media platforms. Geotagging is the process of adding geographical identification to photographs, video, websites and text messages.

• Avoid posting work or personal schedules and travel itineraries, especially deployment information and return dates for yourself, a loved one or a unit.

• If you ever hesitate before clicking ‘post’, reconsider the content you are about to share. Our team follows the motto: When in doubt, throw it out!

• Adjust your privacy settings to ensure your posts and profile information are secured and seen only by approved audiences.

The following are tips for helping your family stay safe as they enjoy social networking courtesy of staysafeonline.org:

• Privacy and security settings exist for a reason: Learn about and use the privacy and security settings on social networks. They are there to help you control who sees what you post and manage your online experience in a positive way.

• Once posted, always posted: Protect your reputation on social networks. What you post online stays online. Think twice before posting pictures you wouldn’t want your parents or future employers to see. Recent research found that 70% of job recruiters rejected candidates based on information they found online.

• Your online reputation can be a good thing: Recent research also found that recruiters respond to a strong, positive personal brand online. So show your smarts, thoughtfulness and mastery of the environment.

• Keep personal info personal: Be cautious about how much personal information you provide on social networking sites. The more information you post, the easier it may be for a hacker or someone else to use that information to steal your identity, access your data, or commit other crimes such as stalking.

• Know and manage your friends: Social networks can be used for a variety of purposes. Some of the fun is creating a large pool of friends from many aspects of your life. That doesn’t mean all friends are created equal. Use tools to manage the information you share with friends in different groups or even have multiple online pages. If you’re trying to create a public persona as a blogger or expert, create an open profile or a “fan” page that encourages broad participation and limits personal information. Use your personal profile to keep your real friends (the ones you know and trust) more synched up with your daily life.

• Be honest if you’re uncomfortable: If a friend posts something about you that makes you uncomfortable or you think is inappropriate, let them know. Likewise, stay open-minded if a friend approaches you because something you’ve posted makes him or her uncomfortable. People have different tolerances for how much the world knows about them. Respect those differences.

• Know what action to take: If someone is harassing or threatening you, remove them from your friends list, block them, and report them to the site administrator.

Protect Yourself with these STOP. THINK. CONNECT. Tips:

• Keep a clean machine: Having the latest security software, web browser, and operating system are the best defenses against viruses, malware, and other online threats.

• Own your online presence: When applicable, set the privacy and security settings on websites to your comfort level for information sharing. It’s ok to limit how you share information.

• Make passwords long and strong: Combine capital and lowercase letters with numbers and symbols to create a more secure password.

• Unique account, unique password: Separate passwords for every account help to thwart cybercriminals.

• When in doubt, throw it out: Links in email, tweets, posts, and online advertising are often the way cybercriminals compromise your computer. If it looks suspicious, even if you know the source, it’s best to delete it or, if appropriate, mark it as junk email.

• Post only about others as you would have them post about you.

—–

Information from the Federal Bureau of Investigation:

– Do not store any information you want to protect on any device that connects to the Internet.

– Always use high security settings on social networking sites, and be very limited in the personal information you share. Monitor what others are posting about you on their online discussions.

– Use anti-virus and firewall software. Keep them, your browser and your operating systems patched and updated.

– Change your passwords periodically, and do not reuse old passwords. Do not use the same password for more than one system or service. For example, if someone obtains the password for your email, can they access your online banking information with the same password?

– Do not post anything that might embarrass you later, or that you don’t want strangers to know.

– Verify those you correspond with. It is easy for people to fake identities over the Internet.

– Do not automatically download or respond to content on a website or in an email. Do not click on links in email messages claiming to be from a social networking site. Instead go to the site directly to retrieve messages.

– Only install applications or software that come from trusted, well-known sites. “Free” software may come with malware. Verify what information applications will be able to access prior to enabling them. Once installed, keep it updated. If you no longer use it, delete it.

– Disable Global Positioning System (GPS) encoding. Many digital cameras encode the GPS location of a photo when it is taken. If that photo is uploaded to a site, so are the GPS coordinates, which will let people know that exact location.

– Whenever possible, encrypt communications with websites. It may be a feature social network sites allow you to enable.

– Avoid accessing your personal accounts from public computers or through public WiFi spots.

– Beware of unsolicited contacts from individuals in person, on the telephone, or on the Internet who are seeking corporate or personal data.

– Monitor your bank statements, balances, and credit reports.

– Do not share usernames, passwords, social security numbers, credit cards, bank information, salaries, computer network details, security clearances, home and office physical security and logistics, capabilities and limitations of work systems, or schedules and travel itineraries.
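
A pre-upload check for the GPS encoding described in the list above: it walks a JPEG's EXIF metadata and reports whether a GPS directory is present. This is an added example, not part of the FBI guidance; the function names and the sample byte strings are constructed for illustration.

```python
import struct

GPS_IFD_TAG = 0x8825  # EXIF tag in the first directory that points at GPS data


def exif_payload(jpeg):
    """Return the TIFF-structured EXIF payload of a JPEG, or None if absent."""
    if jpeg[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG (missing SOI marker)")
    pos = 2
    while pos + 4 <= len(jpeg) and jpeg[pos] == 0xFF:
        marker = jpeg[pos + 1]
        if marker == 0xDA:  # start of scan: image data follows, metadata is over
            break
        (seg_len,) = struct.unpack(">H", jpeg[pos + 2:pos + 4])
        body = jpeg[pos + 4:pos + 2 + seg_len]
        if marker == 0xE1 and body.startswith(b"Exif\x00\x00"):
            return body[6:]
        pos += 2 + seg_len
    return None


def gps_tag_count(jpeg):
    """Number of entries in the EXIF GPS directory; 0 means none was found."""
    tiff = exif_payload(jpeg)
    if tiff is None or len(tiff) < 8:
        return 0
    order = {b"II": "<", b"MM": ">"}.get(tiff[:2])  # byte order of the payload
    if order is None:
        return 0
    magic, ifd0 = struct.unpack(order + "HI", tiff[2:8])
    if magic != 42:
        return 0
    try:
        (entries,) = struct.unpack_from(order + "H", tiff, ifd0)
        for i in range(entries):
            tag, _type, _count, value = struct.unpack_from(
                order + "HHII", tiff, ifd0 + 2 + 12 * i)
            if tag == GPS_IFD_TAG:  # value is the offset of the GPS directory
                (gps_entries,) = struct.unpack_from(order + "H", tiff, value)
                return gps_entries
    except struct.error:  # truncated or malformed metadata
        return 0
    return 0


def sample_jpeg(with_gps):
    """Constructed JPEG byte string holding metadata only (no image data)."""
    header = b"II" + struct.pack("<HI", 42, 8)
    if with_gps:
        ifd0 = struct.pack("<HHHIII", 1, GPS_IFD_TAG, 4, 1, 26, 0)
        gps = (struct.pack("<H", 2)
               + struct.pack("<HHI4s", 1, 2, 2, b"N\x00\x00\x00")  # latitude ref
               + struct.pack("<HHI4s", 3, 2, 2, b"W\x00\x00\x00")  # longitude ref
               + struct.pack("<I", 0))
        tiff = header + ifd0 + gps
    else:  # a single Orientation tag and nothing else
        tiff = header + struct.pack("<HHHIHHI", 1, 0x0112, 3, 1, 1, 0, 0)
    body = b"Exif\x00\x00" + tiff
    return b"\xff\xd8\xff\xe1" + struct.pack(">H", len(body) + 2) + body + b"\xff\xd9"


if __name__ == "__main__":
    for label, data in (("geotagged", sample_jpeg(True)), ("clean", sample_jpeg(False))):
        print(label, "-> GPS entries:", gps_tag_count(data))
```

A nonzero result means the file should have its location metadata removed, or be re-exported without it, before it is posted.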

—–

More information:

OnGuardOnline.gov
http://www.onguardonline.gov/