
Every Marine is a Cyber Marine Too: The Four Internet Safety Rules

posted Jan 17, 2018, 6:13 PM by James Caroland   [ updated Jan 17, 2018, 6:14 PM ]
By LtCol John Dobrydney, USMC, CISSP

An oft-repeated phrase, “The network would be secure if it weren’t for the users,” is a wishful thought of many cyber security professionals.  Repeated mistakes such as plugging in unauthorized USB drives, opening unsolicited emails and thoughtlessly clicking on the embedded malicious links, and uploading publicly viewable personally identifiable information provide never-ending job security for security professionals.  They also provide never-ending security risks for the security professionals who are charged with protecting the information and information systems.  What seems common sense to those whose life’s work revolves around all things cyber security is not common sense to most users, who have little to no understanding of computer networks, application development, social engineering, or malware.  These concepts are not their areas of specialization, so it is unrealistic to assume common users have the requisite knowledge to recognize the wide variety of threats facing them.  Therefore, users need a few easy-to-remember, yet inclusive, “safety rules” to promote Internet safety and protect users’ information and information systems.

The United States Marine Corps recognized a similar situation.  By training and necessity, every Marine is considered to be a “Rifleman” capable of employing a rifle if called upon, but there are varying levels of weapons handling proficiency across the Marine Corps.  Combat arms Marines are expected to have the highest levels while Marines in other occupational specialties who do not regularly exercise their weapons handling skills will have less.  Regardless, a Marine is expected to employ any weapon in a safe and professional manner, to shoot only valid targets, and exercise discipline to ensure the weapon is operated in a safe manner.  Human nature does intervene and inevitably, “things happen”.  Marines do fire weapons in the wrong place, at the wrong time, or at the wrong target.  Commonly referred to as a “negligent discharge”, such acts are punishable under the Uniform Code of Military Justice [1].  The Marine Corps took action to prevent negligent discharges and developed the “Four Weapons Handling Safety Rules” that every Marine knows by heart.  The Four Safety Rules are:

    1. Treat every weapon as if it were loaded.
    2. Never point a weapon at anything you do not intend to shoot.
    3. Keep your finger straight and off the trigger until you are ready to fire.
    4. Keep the weapon on SAFE until you intend to fire. [2]

The Four Safety Rules will guide development of “Four Internet Safety Rules” for everyday Internet users’ application to protect their information and information systems.  The First Weapons Handling Safety Rule, “Treat every weapon as if it were loaded” charges the Marine to maintain a proper mindset when handling and using a weapon.  Likewise, computer users must maintain a proper mindset when using computer devices, whether a personal desktop, mobile device, or work computer.  This leads to the:

First Internet Safety Rule:  Treat your device and information as if it were constantly under threat.

Users must be mindful that their device and the information on the device are under a varying level of threat every time the device connects to the Internet.  Threat types and levels vary per user; therefore, users need to periodically review the threats affecting their environment and then plan appropriately.  Maintaining a proper defensive mindset will guide each decision the user makes regarding security settings, choice of passwords, timely operating system and application software updates, and use of anti-virus and anti-malware protection.  Protecting information also means developing and executing an appropriate data backup plan and then verifying that the plan works as designed.  Maintaining a defensive mindset on a network requires timely reporting if anything seems amiss.  A noted problem on a network can affect other users on the same network.

The Second Weapons Handling Safety Rule, “Never point a weapon at anything you do not intend to shoot” reminds Marines to be mindful of the damage a weapon could cause if a projectile struck an unintended object.  Similarly, users must be mindful of where they “point” their browsers, what emails they open, what they download, and the links they click.  This mindfulness leads to the:

Second Internet Safety Rule:  Do not access websites, download applications, or open email with which you are not familiar.

Accessing unfamiliar or questionable websites, downloading non-authentic applications, or opening spam email can lead to installing unwanted malware on an unknowing user’s device.  The unintended consequences resulting from the malware can lead to information theft or corruption, slower operating devices, and even complete information loss via ransomware.  Constant awareness of where a device “points” is a necessary condition to avoiding the resultant damage.

The Third Weapons Handling Safety Rule, “Keep your finger straight and off the trigger until you are ready to fire” makes use of external safety measures to ensure that a weapon can fire only if a Marine engages a key external component, in this case, the trigger finger.  Here, it is the absence of an external component that provides a measure of safety.  The weapon will not function properly unless this component is added in the course of normal operations.  In the case of cyber security, it is the addition of external safety measures that provides extra measures of security.  Users have an ability to make use of external safety measures appropriate to their use to maintain and increase their security level.  These measures lead to the:

Third Internet Safety Rule:  Keep all applications, firmware, middleware, operating systems, and anti-malware program software patched and up to date.

Using external application, operating system, and anti-malware update servers to patch and detect known vulnerabilities will help users reduce the number of vulnerabilities on their devices and make them harder to exploit.  Hardened targets will dissuade all but the most dedicated attackers and cause them to search for easier targets.  A safe course of action is for users to learn how to enable their auto-update settings.  Auto-update will ensure patching occurs on a regular basis; however, it is smart practice to periodically check and ensure that auto-update functions correctly.   

The Fourth Weapons Handling Safety Rule, “Keep the weapon on SAFE until you intend to fire” makes use of internal safety measures and defenses purposefully designed into the device.  A service rifle has a built-in safety feature that prevents a weapon from firing even if the Marine squeezes the trigger.  This built-in safety feature aids in preventing negligent discharges and the Marine should disable this feature and select FIRE only when ready to employ the weapon.  At all other times the weapon should be on SAFE.  Likewise, users need to make use of internal operating system settings, security application controls, and ancillary peripherals to the maximum extent practical to reduce risk to personal information and information systems.  Lack of knowledge or inexperience is a common reason why internal controls are not used properly or to the fullest extent.  For example, users commonly deploy wireless routers “out of the box” with easy to find default configurations and passwords, post to social media sites that don’t have proper security settings checked, and place misconfigured servers online.  These common mistakes lead to the:

Fourth Internet Safety Rule:  Know and use maximum level security settings to keep online personal information as safe as possible.

Applying Moore’s Law, phones, tablets, laptop and desktop computers, applications, and networking devices will be smaller, faster, more complex, and more capable.  The old joke used to be about how hard it was to program a VCR.  Today, a mobile device can easily overwhelm a novice user in terms of privacy settings, default configurations, and what is considered a trusted application.  Fortunately, the same Internet that poses danger at every turn also provides help in the form of Google searches and YouTube instructional videos.  Users can search for “how-do-I-…?” instructions and can receive a wealth of content in return.  Blogs, manufacturer websites, communities of interest, and videos all provide tips, tricks of the trade, and more, but users must beware of illegitimate sites.  Surfing to reputable sites is best, starting with the manufacturer and branching out from there.  Trusted friends, co-workers, or the “IT guy” are good sources too.  Above all, users need to ask if unsure.


Thus, the Four Internet Safety Rules are:
1. Treat your device and information as if it were constantly under threat.
2. Do not access websites, download applications, or open email with which you are not familiar.
3. Keep all applications, firmware, middleware, operating systems, and anti-malware program software patched and up to date.
4. Know and use maximum level security settings to keep online personal information as safe as possible.

Prior to every Marine Corps live-fire exercise, the Officer-in-Charge or Range Safety Officer conducts a safety brief for every participating shooter.  Without a doubt, the Four Weapons Handling Safety Rules are discussed and each shooter will restate each Safety Rule.  Since the Rules are ingrained in every Marine, each shooter can easily rattle them off.  Generally, the briefer will discuss each Rule and ensure that the weapons handling knowledge is front and center in each shooter’s mind prior to starting the exercise.  So it should be with the Four Internet Safety Rules.  How each office, shop, unit, or organization chooses to indoctrinate and reiterate the Four Internet Safety Rules is a matter of analysis, decision, and execution.  Publishing policy that addresses each Rule, user expectations and consequences, and, most importantly, why the Four Internet Safety Rules are important, is the best place to start.  Publicly addressing and “selling” the policy and Four Internet Safety Rules provides the leadership the opportunity to look users in the eye and reinforce the need for Internet safety and each user’s role in ensuring that safety for the entire organization.  Leaders who take the opportunity to remind users of the importance of Internet safety and use novel discussion methods will eventually drive the point home, if only to remind users that when they see the leadership walking about, Internet safety will come to mind.  Posting the Four Internet Safety Rules on websites, in break rooms, on log-on banners, and on pop-ups will reinforce the message.  Developing a very public award system for users or departments that go the longest without cybersecurity incidents introduces the natural competitive spirit and peer pressure to reduce incidents.
Likewise, developing and discussing use cases of users reported by news agencies who suffered the consequences of not following the Rules will add a needed dose of “It really can happen to you” to any instruction or discussion period.  Regardless of how well users accept the Four Internet Safety Rules presented in this article, users do need a few, simple, and general rules to guide their Internet use and remain reasonably secure in the course of their online activities. 



About the Author

A Marine Communications Officer, Lieutenant Colonel John Dobrydney is an experienced cybersecurity and network operations planner. He recently served as the Commanding Officer of Marine Wing Communications Squadron – 18, the Executive Officer of 7th Communication Battalion, the Network Operations Officer for the III MEF G6, and served as the Enterprise Information Assurance Branch Head at Headquarters, Marine Corps C4 Directorate. He currently serves as the Cybersecurity Division Chief, Joint Staff J6. Lieutenant Colonel Dobrydney has a Masters of Security Studies from the Marine Corps War College and a Master of Science in IT Management from the Naval Postgraduate School.



--------------
[1] UCMJ art. 134 (2012).
[2] U.S. Marine Corps. (2012). Rifle marksmanship REVISED (MCRP 3-01A). Albany, GA: Author.

Image credits (in order of appearance):  marinerecruitmom.blogspot.com, techtarget.com, intel.com