CCRI Vulnerabilities

  • Published
  • By Senior Airman Veronica McMahon
  • 325th Fighter Wing Public Affairs
TYNDALL AIR FORCE BASE, Fla. --  As Tyndall Air Force Base moves closer to the Command Cyber Readiness Inspection on May 17, users need to be made aware of the CCRI categories of vulnerabilities inspectors will be looking for.

There are three different categories of vulnerabilities - CAT I, CAT II and CAT III. The inspection will look at physical security, network assurance and information awareness and will determine if there are any deficiencies or vulnerabilities on Tyndall's networks. The inspection team will be assessing Tyndall's ability to secure unclassified and classified networks, both electronically and physically, by eliminating/mitigating all CAT I and CAT II vulnerabilities or by having an approved plan of action and milestones in place to resolve these vulnerabilities.

Of the three vulnerability severity codes, CAT I is when we are most at risk. It is very serious and must be addressed immediately, according to Lt. Col. Clorinda Trujillo, 325th Communications Squadron Commander.

A CAT I vulnerability severity code means any vulnerabilities that may result in a total loss of information or that provides an attacker immediate access into a machine, grants privileged user access, bypasses a firewall, or results in a denial of service. For example, having laptops on a classified network with their internal wireless network cards still installed is a CAT I vulnerability.

A CAT II vulnerability severity code means any vulnerability that provides information that has a high potential of giving access to an intruder or gives an unauthorized person the means to circumvent security controls, such as having unsecured communication rooms and cabinets. And a CAT III vulnerability code means any vulnerability that provide information that could potentially lead to a compromise or unauthorized access. For instance, not having strong authentication on authorized wireless networks would be a CAT III vulnerability.

"If you have a CAT I vulnerability, someone is able to exploit it and they could cause problems or obtain information without you knowing they are on the network," said Colonel Trujillo. "With a CAT II vulnerability someone couldn't get as much access to the network, but is still very important to take the measures to fix these."

More information on how users can make their systems ready for Tyndall's CCRI will be released as the inspection approaches.