Typical Government IS Security Course and Handbook
Note: To sanitize this document, several items have been left blank.
What Role Does IS Security Play in the Overall Profile?
Why Do We Need Computer Security?
Control Measures to Reduce Potential Losses
How Our Current Program Evolved
Designated Approval Authority
What to Expect From Us
IS Security Program Compliance
Network Monitoring
IS Quality Assurance Controls
What is Our IS Configuration Management Role?
Management Solutions
Specifics of the Risk Management Program
Accreditation
Typical Procedures
IS System Accreditation Request Form
Interview Process
Interim Accreditation
Period of Validity
Physical Access Control (Area Control)
Classification Controls
Unclassified Processing
Classified Processing
Contingency Management
Formal Accreditation
Security Test and Evaluation (ST&E)
Computer Security Training and Awareness
User's Responsibilities
Network Vulnerabilities
External Network Protection
Firewalls
Internal Network Protection Techniques
Network Procedural Issues (Security Models & Controls)
Access Control & Password Management
Modes of Operation
IS/Network Audits
Audit Trails
Incidence/Emergency Response Activities
Database of Redundant Systems
Network Penetration Control
Virus Control
Virus Reporting
Data Remanence
Procedures to Control Remanence During Surplussing/Declassification of IS Assets
Software Piracy
Illegal Files
Inappropriate Use of Government Resources
Waste, Fraud, Abuse
OPSEC
Key Individuals in the IS Security Office
Typical IS Security Course and Handbook
This course is designed as a basic introduction to computer security. It attempts to provide an awareness of the many aspects of Information System (IS) security, and also of the procedures involved in the accreditation of XXX computer assets. The goal of this course is to familiarize users with proper security practices that will have a positive impact on the current XXX IS security profile.
Information Security (INFOSEC) is an all-encompassing term applied to the result of any system of administrative policies and procedures for identifying, controlling, and protecting information from unauthorized disclosure. While INFOSEC covers many often overlapping security disciplines, the three principal areas of concern in this course are computer security (COMPUSEC), communications security (COMSEC), and TEMPEST.
COMPUSEC applies to those measures required to protect data against unauthorized (accidental or intentional) disclosure, modification, destruction, and the denial of services that process data. Security includes consideration of all hardware or software functions, characteristics, and features; operational and accountability procedures; access controls at the central computer facility, remote computer, and/or terminal; management constraints; physical structures and devices; and personnel and communications controls needed to provide an acceptable level of risk for the computer system and the data or information contained in the system.
COMSEC is the protection resulting from all measures designed to deny unauthorized persons information of value which might be derived from the possession and study of telecommunications, or to mislead unauthorized persons in their interpretation of the results of such possession and study. Communications security includes crypto security, transmission security, emission security, and physical security of communications security materials and information.
TEMPEST is a highly evolved and well-understood security discipline. It refers to the study of compromising emanations generated during classified operations. TEMPEST evaluations are concerned with studying conducted and radiated noise for meaningful information. All electronic devices generate electromagnetic fields when powered. Every electronic device inside a computer generates a field related to the information it is processing. When these fields are detectable and can be understood, even with extensive shielding and filtering implemented, a TEMPEST threat exists.
An IS is not, strictly speaking, a single computer system. An IS is an assembly of hardware, firmware, and software that is configured to collect, create, communicate, compute, disseminate, process, store and/or control data or information. An IS consists of many components which work together to perform a single function.
As systems and uses become more sophisticated, new and more advanced controls will be needed to protect computer information. Even now, many basic controls are available that can be implemented to enhance the security profile of any organization. These controls should be cost-effective, and appropriate for the level of information and systems being protected. Controls that are more expensive than the value of the information they protect are not cost-effective.
To achieve acceptable levels of computer security for classified, sensitive unclassified, and unclassified information, organizations must establish a systematic approach that includes making information security a management priority; identifying information resources and determining threats and potential losses; and auditing and monitoring results.
XXX's IS Security Program is designed to ensure the confidentiality, integrity, and availability of its computing assets. It is driven by a primary need: the need to maintain configuration management controls over equipment that may be susceptible to identified threats.
The potential risks to computers posed by potential threats, such as those in Table 1, establish the basis for controlling the configuration management of all ISs which process classified and unclassified but sensitive information. XXX has chosen to address this control need through the establishment of a Risk Management Program.
Until a few years ago, XXX maintained a traditional risk management security program to protect its computer assets. An asset is any software, information, administrative, physical, communications, or personnel resource within an activity. This program evaluated each computer individually against a comprehensive set of security-related threats and criteria.
Computer threats are any circumstances or events with the potential to cause harm to the computer system or processing activities. The presence of a threat does not mean that it will actually cause harm, only that it represents a potential weakness or vulnerability in the security of the system.
It was soon recognized that PCs were being exposed to many more threats as time went on, especially those represented by the hacker/cracker community. Some of the many threats included:
Our major area of concern was that no vulnerability test or program was available to directly evaluate the many ISs monitored by XXX. The ultimate recognition of the potential hacker/cracker threat resulted in an expansion of the existing risk management program as well as the implementation of a new network-oriented system test and evaluation (ST&E) program. The overall IS security program currently in place is more visible and active in testing both stand-alone ISs and our networks for security weaknesses.
The Designated Approval Authority or DAA is the final decision
maker in all matters concerning IS security. The DAA will make
a decision based upon directives dictated by government policy.
The IS Security Office works in conjunction with the end-user on
a common goal of IS integrity. Together, we keep XXX systems
operating within the prescribed IS security guidelines.
Because we are the designated computer security office, the end-user may expect certain services from our office. Our office is available during regular business hours for any procedural questions that may concern the user. The computer security office is available should problems arise that the user feels cannot be rectified without some outside assistance. Typically this can manifest itself in situations such as the discovery of a virus on a system or a question concerning the proper disposal of any IS equipment or storage media.
In addition to our user support, accreditation and training activities, the IS Security Office is actively involved in system testing and monitoring of various activities on XXX networks and is responsible for responding to IS-related incidents. Our networks are constantly bombarded by off-site hacker/cracker penetration attempts, and are also susceptible to virus attacks. In our network monitoring and test role, we provide a quick-response capability as well as actively evaluating and continually upgrading network security protection measures for system managers and users. Incident response functions will be covered later in this document.
The IS Security program developed here at XXX is designed to provide the end-users with good IS security practices as well as to comply with current Government requirements. This practice establishes good habits within the XXX community and narrows the possibility of disclosure of data, equipment loss, and misuse of government resources, to name a few.
XXX's program is required to comply with a number of Public Laws, DoD, and service standards and instructions. In particular, our program is designed around .....
All DoD interest computer systems and related equipment are intended for the communication, transmission, processing, and storage of official US Government authorized information only. US Government telecommunications systems and ADPs are subject to periodic security testing and monitoring without prior notification to ensure proper functioning of equipment and systems including security devices, to prevent unauthorized use and violations of statutes and security regulations, to deter criminal activity, and for other similar purposes. Use of any Government network or equipment constitutes consent to monitoring.
Any user of a DoD interest computer system should be aware that any information placed in the system is subject to monitoring and is not subject to any expectation of privacy. If monitoring of the system reveals possible evidence of violation of criminal statutes, this evidence and any other related information, including identification information about the user, may be provided to law enforcement officials. If monitoring reveals violations of security regulations or unauthorized use, employees who are responsible will be subject to appropriate disciplinary action. The notice explaining this information (shown below) is displayed whenever a user at XXX remotely logs into XXX's networks using ftp or telnet.
The pre-login notice is incorporated when TCP Wrappers is installed on your server. The program comes with very good installation instructions on how to add the pre-login script.
IS configuration management consists of identifying, controlling, accounting for, and auditing all changes made to a particular system or equipment during its life cycle.
The Trusted Computer System Evaluation Criteria (TCSEC) requires that all changes to the TCB for classes B2 through A1 be controlled by configuration management. Although the "rainbow series" documentation mostly relates to software controls for trusted computers, configuration management is not limited to only this function. The TCSEC gives the following as the Assurance Control Objective:
"Systems that are used to process or handle classified or other sensitive information must be designed to guarantee correct and accurate interpretation of the security policy and must not distort the intent of that policy. Assurance must be provided that correct implementation and operation of the policy exists throughout the system's life cycle."
Configuration management can be thought of as a quality-assurance (QA) discipline which incorporates aspects involving both identification and authentication of objects within a system. It controls changes to system software, firmware, hardware, and documentation throughout the life of the AIS. This includes the design, development, testing, distribution, and operation of modifications and enhancements to the existing system. More specifically, configuration management applies direction to: 1) identify and document the functional and physical characteristics of each configuration item for a product; 2) manage all changes to these characteristics; and 3) record and report the status of change processing and implementation. In other words, configuration management is the means used to protect a system against unauthorized modifications, and ensures that all protection properties of a system work only as intended and are maintained after an authorized modification takes place.
Configuration management is really a process of engineering sound and secure operating practices into an AIS. As such, controls are placed on an AIS to ensure that every change in hardware, software, firmware, operational procedures, or documentation is verified and approved by the authorized or controlling party for the AIS. These security controls can be broken down into four separate tasks: identification, control, status accounting, and auditing. These tasks are applied through various techniques to ensure correct operation of the system.
XXX applies IS configuration management as a quality-assurance function. The requirements for trusted systems are taken directly from DoDD 5200.28. One of the control objectives is to assure that the security policy has been implemented correctly by a particular IS, and that the system's protection-relevant elements accurately enforce the intent of that policy. This assurance must include a guarantee that the trusted portion of the system works only as intended.
To accomplish these objectives, the IS Security Manual specifies that two types of assurance are needed:
Re-evaluation is necessary whenever changes are made that could affect the integrity of the protection mechanisms. With proper security evaluation and control functions in place, XXX feels that the hardware and software interpretation of the security policy will remain accurate and undistorted for a particular IS.
Risk management is a process through which undesirable events can be identified, measured, controlled and prevented so as to effectively minimize their impact or frequency of occurrence. This identification of the security posture, using the asset's worth, its attraction, the probability of a successful attack, and its vulnerability, forms the basis of XXX's IS security program.
The implementation of effective information security measures must be based on a balance between the cost of controls and the need to reduce risk or expected loss. "Absolute" security could be achieved only at unlimited cost. Risk assessments are used to provide an analysis of the computer system or network assets, vulnerabilities and threats to determine the security requirements which must be satisfied to ensure the system can be operated at an acceptable level of risk. Risk assessments, system test and evaluation, and contingency planning are all parts of the risk management process.
Loss, which can be direct (the effort needed to reconstruct a destroyed file) and indirect (the loss or reduction of an organization's business function or cash flow due to the destroyed file), is the impact a harmful event has on the organization. Impact is usually measured in monetary values, but may also be measured in qualitative terms. The process of estimating potential loss is called risk analysis.
Risk analysis is the cornerstone of the risk management process for computer applications. While risk analysis can be applied to operational systems, it is most useful when applied prior to the requirements definition of a computer application. In this way, the resulting estimates of potential loss can be used to form the basis for the computer security requirements and countermeasures being developed.
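As an added illustration, not part of the handbook, the following Python sketch carries the handbook's loss model (a direct part plus an indirect part, measured in money) and its cost-effectiveness rule (a control that costs more than the loss it prevents is not worth buying) through a set of constructed figures. The probability-times-impact arithmetic for annual expected loss is a common risk-analysis convention assumed here, not something the handbook prescribes, and every threat, control and dollar amount is made up.

```python
"""Added example, not from the handbook: a small risk-analysis calculator
built on the handbook's definitions.  Loss = direct loss (effort to rebuild
the destroyed file) + indirect loss (lost business function); a control is
cost-effective only if its annual cost is below the expected loss it
removes.  The expected-loss formula (annual probability x impact) and all
figures below are assumptions constructed for illustration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Threat:
    name: str
    annual_probability: float  # chance the event occurs in a year (0..1)
    direct_loss: float         # e.g. cost to reconstruct the destroyed file
    indirect_loss: float       # e.g. lost productivity while it is gone

    def impact(self) -> float:
        """Impact of one occurrence, in money (direct plus indirect loss)."""
        return self.direct_loss + self.indirect_loss

    def expected_loss(self) -> float:
        """Annual expected loss from this threat (assumed formula)."""
        return self.annual_probability * self.impact()


@dataclass(frozen=True)
class Control:
    name: str
    annual_cost: float
    mitigates: str    # name of the threat it addresses
    reduction: float  # fraction of that threat's expected loss it removes (0..1)


def expected_loss(threats) -> float:
    """Total annual expected loss with no controls in place."""
    return sum(t.expected_loss() for t in threats)


def evaluate_control(control, threats):
    """Return (loss_avoided, net_benefit, cost_effective) for one control."""
    avoided = sum(t.expected_loss() * control.reduction
                  for t in threats if t.name == control.mitigates)
    net = avoided - control.annual_cost
    return avoided, net, net > 0


def recommend(controls, threats):
    """Names of the controls whose cost is below the loss they avoid."""
    return [c.name for c in controls if evaluate_control(c, threats)[2]]


# Constructed sample figures for one workstation holding a project database.
THREATS = [
    Threat("disk failure", 0.10, 2_000.0, 8_000.0),
    Threat("virus from downloaded software", 0.25, 500.0, 1_500.0),
    Threat("fire", 0.01, 5_000.0, 50_000.0),
]
CONTROLS = [
    Control("weekly tape backup stored off-site", 300.0, "disk failure", 0.9),
    Control("gold-plated fire suppression", 2_000.0, "fire", 0.95),
    Control("virus scanner", 100.0, "virus from downloaded software", 0.8),
]

if __name__ == "__main__":
    print(f"annual expected loss without controls: ${expected_loss(THREATS):,.0f}")
    for c in CONTROLS:
        avoided, net, ok = evaluate_control(c, THREATS)
        verdict = "adopt" if ok else "not cost-effective"
        print(f"{c.name:40s} avoids ${avoided:8,.0f}  net ${net:9,.0f}  {verdict}")
```

With the constructed figures the fire-suppression control fails the handbook's test: it costs more than the expected loss it prevents, while the backup and the virus scanner pay for themselves.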
Audit and Evaluation - Because security requirements should be a consideration throughout the entire life cycle of a system, security measures are best when designed into systems from the start. Steps should be taken to assure that planned security mechanisms are implemented and working as intended. Effective processes for security audit recording and review should be in place to ensure accountability and to provide a means of monitoring potential threats to operational systems.
Contingency Planning - Since computers and networks fail, often leaving users unable to accomplish critical processing, NRL has developed guidance to assist users and managers in providing effective contingency planning. Effective planning and operational procedures are needed to assure that critical applications and data are available in a timely manner.
By ascertaining what level of risk is acceptable for an individual system, the accreditation team can determine which countermeasures are necessary in maintaining the level of security required over the life-cycle of the IS. The formal investigative process involves data collection and analysis (risk analysis) of the system's exposure to risk using a risk assessment. The Risk Assessment addresses matters such as: assessment of threats, in-place countermeasures, and degree of impact following an asset loss or impairment.
The IS Security Office provides technical support to XXX for the accreditation of ISs in accordance with applicable IS Security Program standards. The accreditation of a system by the IS security office for use in classified or unclassified but sensitive processing certifies that the system examined is configured in compliance with relevant XXX guidelines.
Using the risk management approach to evaluate an IS's security posture, the IS Security Office considers Risk Analysis (RA), Contingency Planning (CP) and Security Test & Evaluation (ST&E) for each IS. Risk Management is an ongoing process that will periodically reaffirm the validity of the previous accreditation throughout the life of the IS. The IS Security Officer supports XXX's risk management program by performing the following tasks:
When the user decides to purchase a new IS system, he must fill out several forms. The form that concerns our office is the IS System Accreditation Request form. By completing this form and sending it to our office, you are granted interim accreditation that lasts until our office can initiate a field risk assessment, which will result in final accreditation of the system within 90 days of the examination.
This is the part of the procurement form that is sent to our office requesting interim accreditation and notifies our office that a new system is entering the lab. This sheet, which is to be filled out by the custodian of the new machine, provides our office with enough pertinent information to enter it in our active database.
The interview process is initiated when an IS is being processed for final accreditation. Our office conducts an interview with the designated custodian for a system, and completes a questionnaire. This process allows our office to conduct an on-site evaluation of a system.
Interim accreditation is granted as soon as our office receives the IS system accreditation request form, informing us that a new system is being brought on line at the lab.
Interim accreditation is valid indefinitely until an on-site evaluation can be scheduled. This type of temporary accreditation carries with it the authority to operate at the level of classification that was requested.
Physical safeguards for ISs are necessary to minimize the potential for problems caused by certain threats. The level of physical protection is directly related to the sensitivity and cost of the IS. These are the minimum requirements for physical safeguards for each of the data level categories. There may be instances where the minimum is not enough protection, but in general, a selection of the following physical requirements should be followed when planning for and/or installing ISs, networks and computer resources.
Only a part of the responsibility of Physical Access Control is shared by the user at XXX. While the user may believe that all of the physical security needs are being handled by resident security at XXX, that is not wholly the case. The user is responsible for personal area security. This may include matters such as locking your office door after business hours, ensuring that any visitors to your area go through a checking-in process, even if it is only a line-of-sight procedure, or an actual written log.
Data is classified into one of the following categories:
Due to the physical barriers represented by the NRL perimeter fence and other access safeguards, a locked room is considered adequate physical security protection at the lab. For systems that handle sensitive information (Privacy Act, Financial, etc.), simple physical controlled access may not be adequate protection. This is particularly true for networked ISs, which will be discussed later.
In addition, the following vulnerabilities for each ADP will be addressed during the accreditation process and, if applicable, safeguards will be implemented.
Contingency Management is an essential continuity provision incorporated into the IS security process. It provides the user with a backup plan in the event of an emergency involving the temporary incapacitation of the system. This would prevent loss of vital data, time spent trying to organize directly after the event occurs, and interruptions of the work process that would cost precious time and money. The responsibilities of the IS Security Group related to its incident response functions are covered later in this document.
Once all requirements for accreditation have been complied with, formal accreditation for your system is provided. Unless there is a major modification, the accreditation will be reviewed every three years, and will remain in effect until your machine is no longer used for classified processing. However, if the ADP is to be replaced or surplussed, this office must be notified so it can be removed from our database.
Users have rules and procedures that must be followed when they process classified information. While annual briefings are intended to remind users of their major responsibilities, there are a number of related issues users should also be familiar with. These are listed below:
Networks offer many advantages to users. Distributed processing such as we have at XXX allows many people access to large amounts of data, much of which is sensitive. This creates a condition of openness in which all types of systems (PCs, workstations, and mainframes) can talk to each other as necessary. When access becomes widespread, network vulnerabilities increase, and any coordinated central security control program encounters difficulty.
With more networks interconnected all the time, the chances increase that a legitimate user from one network can find an open path to another network and from there into still other networks where he has no legal authorization. The possibility of this occurrence forces network managers to monitor and audit their own systems on a continuing basis.
In addition to keeping track of and protecting regular users, there are some primary security issues which also confront the network manager. Among these issues are employees who disregard or bypass security protection controls, the disgruntled employee who plants his own internal bypass in the system for later use, and the crackers that continually try to break into the network from outside.
The potential problem created by the legitimate employee who bypasses the security protection techniques on his workstation because "it's too much trouble" or so he can work at home or on the road via a modem is a serious concern. Downloading software off a public network is one of the best ways to insert a virus or some other bug into your network.
The loss of sensitive or classified data is a major concern when security techniques are bypassed. Public phone systems are not secure, especially for portable computers that use cellular modems.
Even Data Encryption Standard (DES) type encryption has
limitations. DES is best applied in a hardware encryption
application. For protecting networks, using DES based software
encryption is only as good as the password file.
External network protection usually consists of filters or firewalls. A firewall is made up of various physical components, software controls, and system architectures that together provide security for a network. In essence, it could be considered a filter used to control access when connecting an individual's network or machine to the Internet.
A firewall can consist of a router, a personal computer, a host, or a collection of hosts. Firewalls represent a restriction on information flow and, as such, are not always treated favorably. The following problems restrict their application and use.
Although there are sometimes problems, packet filtering is normally employed using a packet filter router. IP packets can be filtered based on source IP address, destination IP address, TCP/UDP source port, and TCP/UDP destination port. Adding TCP or UDP port filtering to IP address filtering adds flexibility to the firewall design. Protocols to filter include tftp, X windows, RPC, rlogin, rsh, and rexec.
Software applications are also available which forward and filter connections for services such as TELNET and FTP. These are referred to as proxy services, and when combined with packet filter routers provide higher levels of security and flexibility.
This approach will verify the firewall's ability to stop network-based attacks. Firewall tests/attacks would concentrate on three primary areas: test each port; test proxy services; and test all services provided by the firewall to ensure they are safe services.
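The packet-filter paragraph and the "test each port" step of the firewall evaluation can be shown together in a small model. The Python below is an added example, not code from the handbook or from any XXX system: it evaluates first-match filter rules on source address, destination address, protocol and destination port, builds one naive and one hardened rule set, and then sweeps every TCP and UDP port from an outside host to report which of the handbook's "protocols to filter" (tftp, X windows, RPC, rlogin, rsh, rexec) are still exposed. The lab range 10.1.0.0/16, the proxy host 10.1.0.10 and the outside host 192.0.2.7 are constructed; the service port numbers are the well-known IANA assignments.

```python
"""Added example, not from the handbook: a toy packet-filter rule set of the
kind the handbook describes for a filtering router, plus the "test each
port" step of a firewall evaluation run against the filter itself.
Addresses and hosts are constructed assumptions; service ports are the
well-known IANA numbers.
"""
from ipaddress import ip_address, ip_network


class Rule:
    """One filter entry.  None for proto or dports means 'any'."""

    def __init__(self, action, src="0.0.0.0/0", dst="0.0.0.0/0", proto=None, dports=None):
        self.action = action              # "permit" or "deny"
        self.src, self.dst = ip_network(src), ip_network(dst)
        self.proto, self.dports = proto, dports

    def matches(self, src, dst, proto, dport):
        return (src in self.src and dst in self.dst
                and (self.proto is None or self.proto == proto)
                and (self.dports is None or dport in self.dports))


def decide(rules, src, dst, proto, dport):
    """First matching rule wins; a packet matching no rule is dropped."""
    src, dst = ip_address(src), ip_address(dst)
    for rule in rules:
        if rule.matches(src, dst, proto, dport):
            return rule.action
    return "deny"


LAB = "10.1.0.0/16"        # constructed internal address range
PROXY = "10.1.0.10/32"     # constructed proxy/bastion host

# Services the handbook lists as ones to filter at the perimeter.
UNSAFE = {
    "tftp":           ("udp", range(69, 70)),
    "rpc portmapper": (None, range(111, 112)),   # tcp and udp
    "rexec":          ("tcp", range(512, 513)),
    "rlogin":         ("tcp", range(513, 514)),
    "rsh":            ("tcp", range(514, 515)),
    "X windows":      ("tcp", range(6000, 6064)),
}


def naive_rules():
    """A filter that only restricts the destination host: everything reaches the proxy."""
    return [Rule("permit", dst=PROXY)]


def hardened_rules():
    """Explicit denies for the unsafe services first, then one narrow permit
    (ftp, telnet and smtp to the proxy host only)."""
    rules = [Rule("deny", dst=LAB, proto=proto, dports=ports)
             for proto, ports in UNSAFE.values()]
    rules.append(Rule("permit", dst=PROXY, proto="tcp", dports=(21, 23, 25)))
    return rules


def sweep_ports(rules, src="192.0.2.7", dst="10.1.0.10"):
    """The 'test each port' step: every (proto, port) an outside host can reach."""
    s, d = ip_address(src), ip_address(dst)
    reachable = []
    for proto in ("tcp", "udp"):
        for port in range(1, 65536):
            for rule in rules:
                if rule.matches(s, d, proto, port):
                    if rule.action == "permit":
                        reachable.append((proto, port))
                    break
    return reachable


def unsafe_services_reachable(rules, dst="10.1.0.10"):
    """Names of the UNSAFE services the filter still exposes on dst."""
    reachable = set(sweep_ports(rules, dst=dst))
    exposed = []
    for name, (proto, ports) in UNSAFE.items():
        protos = ("tcp", "udp") if proto is None else (proto,)
        if any((p, port) in reachable for p in protos for port in ports):
            exposed.append(name)
    return exposed


if __name__ == "__main__":
    for label, rules in (("naive", naive_rules()), ("hardened", hardened_rules())):
        print(f"{label:9s} open ports: {len(sweep_ports(rules)):6d}  "
              f"unsafe services exposed: {unsafe_services_reachable(rules)}")
```

The sweep is the defender's own check: run it against the rule set before the router is put in front of the lab, and any unsafe service it lists is a rule-ordering or coverage mistake to fix before the system is exposed.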
There are four major security techniques available for network protection: identification, authentication, authorization, and auditing. XXX networks employ each of these protection techniques.
The system manager is the primary individual responsible for giving users rights to programs and information contained on their network. Managers that directly control their networks are called ADP System Managers, and have superuser status in their networks. These individuals must assign user access rights, ensure users are properly designated, cleared and briefed, ensure all their equipment is accredited, ensure the clearing of equipment prior to its surplussing, and must also keep up to date on all security advisories affecting their networks. This person also serves as the direct liaison for coordinating with XXX IS Security Office staff.
Security models have been developed for each of the network types at XXX. The network-specific models are intended to provide system managers with the basic controls needed to initially secure and then continue to secure their networks. These models are supplied to managers as necessary by the IS Security Office. Along with these recommended controls, the following information is provided.
Check Last Time You Logged In
Each user should back up files regularly. A user may wish to back up data every day, or at the very least every week. Backups should be done either to tape or to the lab-wide archives. Many users choose to keep the backup tape in a separate physical location from the computer. If a fire, flood, or other catastrophe happens to the computer, the tape doesn't fall prey to the same catastrophe. The system administrator should back up system and user files regularly, but if a problem does happen, it is the user that loses all his/her hard work, so backing up is always a good idea.
Access control is simply controlling the access to a machine against unauthorized use. Both physical access and network access are important. The less susceptible a machine is to physical or network access from a large group of people, the less chance it has of having its security breached.
System administrators, or end users for that matter, must look to their current auditing procedure for ensuring access protection when logging into their systems. Logging machine activity consists of anything from a hand-written sign-in log at the workstation to installing a software package that logs the identity of each user accessing the machine during a period of time.
Password management is essential in circumstances where security must be ensured. Passwords are often overlooked as possible security loopholes, resulting in the easiest way for an outsider to break into a machine.
PASSWORD GUIDELINES
Passwords should be complex enough to make them difficult to guess. On the other hand, passwords must also be easy to remember for the authorized user. A user must NEVER use a password such as: their name spelled backwards, any personal information such as a pet's name or license plate number, a nonsense word that is easy to type on the keyboard (such as qwerty), or any word in any language.
The average cracker has dictionaries from many languages, including slang, built into their password cracking programs.
A good password should consist of at least seven characters, of which at least three should be "special" characters. Special characters consist of numbers, capitalization of a few of the letters, and the special characters located above the numbers on the keyboard (e.g., #, &, ^, @). This password configuration need not be difficult to remember. A user can simply choose a word and substitute special characters for individual letters in the word. An example of this might be the word 'daylight' spelled d@YL1gHt*, with an asterisk thrown in at the end for good measure.
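The guidelines above can be turned into a check a system manager runs when a password is chosen. The Python below is an added example, not code from the handbook, and encodes exactly the rules the text gives: at least seven characters; at least three "special" characters (digits, capital letters, or the symbols above the number row); no keyboard sequence such as qwerty; not the user's name or personal details, forwards or reversed; and not a dictionary word. The word list, the keyboard runs and the US-keyboard symbol set are small constructed stand-ins for the multi-language dictionaries the text says a cracker carries.

```python
"""Added example, not from the handbook: a checker for the handbook's
password guidelines.  DICTIONARY and KEYBOARD_RUNS are tiny constructed
stand-ins for real cracking dictionaries; SPECIALS assumes a US keyboard.
"""

SPECIALS = set("!@#$%^&*()")                       # symbols above the number row
KEYBOARD_RUNS = ("qwerty", "asdfgh", "zxcvbn", "123456")

# Constructed stand-in for a cracking dictionary (real ones cover many languages and slang).
DICTIONARY = {"daylight", "password", "secret", "welcome", "summer", "letmein", "sunshine"}


def special_count(password: str) -> int:
    """Count the characters the handbook treats as 'special':
    digits, capitals, and the symbols above the numbers."""
    return sum(1 for ch in password if ch.isdigit() or ch.isupper() or ch in SPECIALS)


def check_password(password: str, username: str = "", personal: tuple = ()) -> list:
    """Return the list of guideline violations; an empty list means the password passes.
    `personal` holds details like a pet's name or licence plate, as the handbook warns."""
    problems = []
    low = password.lower()
    if len(password) < 7:
        problems.append("shorter than seven characters")
    if special_count(password) < 3:
        problems.append("fewer than three special characters (digits, capitals, symbols)")
    if any(run in low for run in KEYBOARD_RUNS):
        problems.append("contains a keyboard sequence")
    if low in DICTIONARY:
        problems.append("is a dictionary word")
    for item in (username, *personal):
        item = item.lower()
        if item and item in (low, low[::-1]):   # name, or name spelled backwards
            problems.append(f"matches personal information ({item!r}, forwards or backwards)")
    return problems


def passes(password: str, **kw) -> bool:
    """True when no guideline is violated."""
    return not check_password(password, **kw)


if __name__ == "__main__":
    # The handbook's own example, and a few constructed bad choices.
    for pw, kw in (("d@YL1gHt*", {}), ("daylight", {}), ("qwerty123", {}),
                   ("nhoJ", {"username": "John"}), ("Rex1234!", {"personal": ("Rex",)})):
        print(f"{pw:12s} {check_password(pw, **kw) or 'OK'}")
```

The substitution trick the text recommends passes because the checker looks the password up as typed; it makes no attempt to undo substitutions, which is also why the text's advice to pick an unusual base word still matters.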
Using this method, the user can be reasonably sure that a cracker will have a hard enough time attempting to crack the password that they move on to somebody else's machine. If you're worried that a cracker will decipher the first few letters of your password and then figure out the rest of it in short order, you needn't be worried.
Password cracking programs only figure out the entire password. They cannot break a password one letter at a time. Remember that there is no such thing as an unbreakable password. Eventually a password can be broken by a program, although with a carefully chosen password, this costs the cracker more resources than they have at their disposal and could conceivably take many years.
Passwords should also be easy enough for the end user to type quickly, to prevent wandering eyes from deciphering what it is. Users should never type their password with someone else in line of sight of the keyboard.
Passwords should be regulated and changed every so often; a good rule is to change after six months of use. Passwords should be protected with great care. A user should never write his or her password down anywhere, nor should they consider giving it to anyone else. If you are fearful that you will forget it, then a solution might be to write it down and secure it in a safe only accessible to those who have accounts of the same nature as yours.
Mode of operation relates to the way the system is configured and
operates when generating classified information. For single user
stand alone systems, it is easy to implement a dedicated mode of
operation when processing classified, since the user physically
controls his actions. However, in the network environment,
various
"flavors" of operation can exist. Some systems are controlled
internally, while others must be physically controlled to operate
in the desired manner. The various classified modes are
described
below.
A Trusted Computer System is a system that employs formal hardware and
software integrity measures sufficient to allow its use for processing
sensitive or classified information. These systems are given a
designation (evaluation class) based on the protection measures and
assurance they provide. While some large lab systems meet full
high-level trust requirements, most personal computers at XXX are
designated class C2 functionality. This designation means the ADP
system must employ discretionary access control, memory clearing
before reuse (object reuse), individual accountability, and audit
trails before approval to process classified data. These controls do
not need to be automated into the operating system.
Obviously, users performing classified processing on a stand-alone
system in a dedicated mode can easily incorporate physical safeguards
such as removable drives, user approval, audit trail log books, or
other controls based on their needs. Networked systems, however, have
a number of audit controls, some of which are automatically
incorporated into their network software.
Fully trusted systems that process classified information at XXX
require formal audit procedures. These procedures are normally built
into trusted systems prior to their certification. According to the
National Computer Security Center's Trusted Computer System Evaluation
Criteria (TCSEC), the audit mechanism should be capable of recording
every time a system is accessed, who accessed it, and which file was
accessed. Auditing on trusted systems primarily concerns audit trails
and controls for computer access.
The minimum trust requirement for all DoD computer systems at NRL is
level C2 functionality. C2 is considered the benchmark for audit
trails. The following sections, derived from NCSC-TG-001 (A Guide to
Understanding Audit in Trusted Systems), describe the audit
requirements for class C2.
The audit trail provides for detection of the actions to be recorded,
the actual recording, and auditing support. It provides information
for auditors to verify the validity of system controls and the results
of processing. The audit trail must be complete, or at least must
select what to record in a way that cannot be predicted and that
covers all actions that may later have to be audited.
Audit trails must also record information about significant
security events occurring in the following areas:
For networked (non-stand-alone) ISs operating in a dedicated mode,
only the identity and time of access of each person on the system
need be recorded, because the system administrator has network
software which records the other important user information.
However, other information such as maintenance and repair records,
initiation of pertinent security-related events, and a description of
the hardcopy output must be kept individually.
Incidents involving self-replicating computer viruses in computer
systems and networks, and crackers/hackers gaining access to systems
via the networks, have underscored the need for improved XXX-wide
coordination and support. The IS Security Group works closely with
other federal agencies to coordinate identification and response
efforts when acute computer and telecommunications security incidents
are detected.
The IS Security Group has developed a plan of action to be followed
when various IS security-related incidents occur. Incident response
planning (break-ins and asset loss), virus control, remanence control,
software piracy, and software write-protection control are all part
of this control effort.
Major natural disasters including earthquakes, tornadoes, floods,
fires, etc. can create any of a number of IS operational incidents.
Incidents can also result from intentional actions such as bombs,
terrorist and virus attacks, and from equipment failures such as
power or cable problems. With such a varied range of major and minor
incidents to address, some recovery strategies can be applied to all
incident types, while other strategies must be incident specific.
When a major incident occurs, the Disaster Response Plan details
procedures for plan initiation and recovery. The IS Security Group is
responsible for identifying the location and capability of equivalent
processing resources when an incident causes the loss of computing
resources.
To recover from an event which could affect multiple IS computing
resources at XXX, the principal requirement will be to restore
equivalent processing capability in the shortest possible time after
the incident. The second requirement will be to recover with the least
economic burden. This recovery capability could take the form of
either stand-alone processing or network resources and operations.
Most incidents will not be large enough to require full implementation
of the response plan.
Recovery of applications and peripheral devices is the responsibility
of the ADP System Administrator. The IS Security Office keeps
information concerning the processors, points of contact, and each
system's accreditation status. The IS Security Office can also develop
a list of candidate systems at the site that could potentially be used
for backup support.
In the event of denial of service for a specific system, the IS
Security Office can determine the existence of another similar
system.
General recovery of LAN server hardware/software failures,
communications node failures, the loss of mission critical LAN
servers, or a major LAN cable cut are the responsibility of the XXX
networking group.
The XXX IS Security Group will respond to two types of incidents: (1)
a network security breach, and (2) notification through various
sources that a network vulnerability has been identified.
Incidents are reported by the system administrator, the user, or one
of various monitoring agencies. If the user has followed the computer
security model provisions supplied by the IS Security Group for
his/her system, the networked computer should be configured to print
out the time and location of the user's last login each time the user
is granted access. Users should verify that the last session logged in
was really them. They should also get in the habit of reviewing the
login history for irregularities. In UNIX this can be done with the
command: last
When files that don't belong are identified in directories, an
incident exists. With UNIX, intruders like to hide files by naming
them something that starts with a period (.), because such files are
not listed by the standard ls command (ls -la shows them). Get in the
habit of checking for these types of files.
Other incidences include promiscuous network interface commands
and unusual network connections. These can include the presence
of Ethernet sniffers, a Trojaned netstat, etc.
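The three break-in indicators described above (logins in the last
output from unexpected hosts, dot-files hidden where none belong, and
an interface left in promiscuous mode by a sniffer) as a script. This
is an added example written for this handbook, not a procedure or tool
of the original program; the list of expected hosts, the directory to
scan, and the sample last and ip -o link output are constructed
assumptions, not captured from a real host.

```shell
#!/bin/sh
# Added example, not part of the handbook: scripted checks for the three
# break-in indicators the text describes. Each function reads command
# output from stdin (or inspects a directory), so it can be run on live
# output ("last | unexpected_logins ...") or on saved/constructed samples.
# The expected-host list and the sample output below are assumptions.

# unexpected_logins "host1 host2 ...": read 'last' output and print every
# login whose source host is not in the expected list. Console logins have
# no host column; they are reported as "(local)".
unexpected_logins() {
    awk -v ok="$1" '
        BEGIN { n = split(ok, a, " "); for (i = 1; i <= n; i++) okh[a[i]] = 1 }
        NF < 3 || $1 == "wtmp" || $1 == "reboot" || $1 == "shutdown" { next }
        {
            # local console entries carry the weekday in field 3, not a host
            if ($3 ~ /^(Mon|Tue|Wed|Thu|Fri|Sat|Sun)$/) { host = "(local)"; d = 3 }
            else                                         { host = $3;        d = 4 }
            if (!(host in okh))
                print $1 " from " host " on " $d " " $(d+1) " " $(d+2) " " $(d+3)
        }'
}

# hidden_entries DIR: list dot-files below DIR (plain 'ls' omits them) and
# flag names containing whitespace, a favourite hiding trick ("..." and
# ".  " look like the normal . and .. entries in 'ls -la').
hidden_entries() {
    find "$1" -mindepth 1 -name '.*' -print 2>/dev/null | sort |
    while IFS= read -r f; do
        case "${f##*/}" in
            *[[:space:]]*) printf 'SUSPICIOUS %s\n' "$f" ;;
            *)             printf 'hidden     %s\n' "$f" ;;
        esac
    done
}

# promisc_ifaces: read 'ip -o link' (Linux) or 'ifconfig' output and print
# the interfaces flagged PROMISC, the usual sign of a running sniffer.
promisc_ifaces() {
    awk '/PROMISC/ { name = ($1 ~ /^[0-9]+:$/) ? $2 : $1; sub(/:$/, "", name); print name }'
}

# Constructed sample data (assumed, not captured from a real host).
SAMPLE_LAST='alice    pts/0        10.1.2.3         Mon Mar  4 09:12 - 09:40  (00:28)
alice    pts/1        198.51.100.77    Sun Mar  3 02:17 - 02:19  (00:02)
root     tty1                          Fri Mar  1 08:00 - 08:05  (00:05)

wtmp begins Fri Mar  1 07:59:00 2024'
SAMPLE_LINK='1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN
2: eth0: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP'

if [ "${1:-}" = demo ]; then
    echo "== logins from unexpected hosts =="
    printf '%s\n' "$SAMPLE_LAST" | unexpected_logins "10.1.2.3 (local)"
    echo "== interfaces in promiscuous mode =="
    printf '%s\n' "$SAMPLE_LINK" | promisc_ifaces
    echo "== hidden entries under /tmp =="
    hidden_entries /tmp
fi
```

Run "sh incident_checks.sh demo" to see the constructed samples. On a
live host pipe real output through the functions, for example
last | unexpected_logins "10.1.2.3 (local)" and
ip -o link | promisc_ifaces, and point hidden_entries at /tmp, /dev and
home directories, where hidden files have no business being.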
Any user (person/department/agency) having knowledge of a suspected
network security violation must contact the appropriate operations
center/area communications operations center, etc. to report the
violation. If possible, reporting should be via secure means.
The initial action following discovery of a network incident is
containment. The system should be isolated immediately by the user,
either by shutting down the network interface or by disconnecting the
cable. Following this action, the user or the system administrator
checks other systems for similar intrusion activity and determines
what further action is to be taken.
To eradicate the problem and restore the resource, the system
administrator removes the exploited vulnerability by installing the
patches identified by CERT and running a vulnerability test program.
Damaged files are re-installed from a trusted source, and the
compromised host's name and IP address are retired.
Follow-up should include an assessment of the factors that allowed
the intrusion to occur, an update of the security policy that
addresses this kind of incident, and additional education for users
and administrators.
A virus is a quickly spreading program that
"infects" other programs by modifying them to include a copy of
itself. Once activated, the program can cause various
detrimental effects to normal system operation. The impact can
range from the annoying, including various messages, to the
damaging, resulting in destruction of data and software to actual
operating system damage.
A worm is a virus-like program that spreads through a system by
copying itself from one location to another. Worms do not infect
other programs as viruses do, but they can compete for computing
resources with other programs, as the notorious DECnet worm did.
A Trojan Horse is a program that masquerades as a useful program
but does something malicious. This program does not replicate or
infect other programs. The effects to a system are akin to those
of viruses.
The primary reason viruses are such a problem is the vulnerability of
IS resources. Safeguard programs take time to run, and many users are
in too much of a hurry to wait. Another reason viruses spread is that
users often simply are not aware of a virus's presence until it is too
late. This is true for both stand-alone and networked computers. If
it can't be seen, it is seldom given much thought.
Generally, there are two main classes of viruses. The first
class consists of the FILE INFECTORS which attach themselves to
ordinary program files. These usually infect executable files.
The second category is SYSTEM or BOOT-RECORD INFECTORS: those
viruses which infect executable code found in certain system
areas on a disk which are not ordinary files.
On DOS based systems, there are ordinary boot-sector viruses,
which infect only the DOS boot sector, and MBR viruses which
infect the Master Boot Record on fixed disks and the DOS boot
sector on diskettes. Examples include Brain, Stoned, Empire,
Azusa, and Michelangelo. Such viruses are always resident
viruses. Finally, a few viruses are able to infect both (the
Tequila virus is one example). These are often called
MULTI-PARTITE viruses or BOOT-AND-FILE viruses.
It is not possible to give an exact number of how many viruses
there are because new ones are being created literally every day.
Furthermore, different anti-virus researchers use different
criteria to decide whether two viruses are different or one and
the same. Most researchers agree that there are more than 1500
PC viruses. However, very few of the existing viruses are
widespread. Only about three dozen of the known IBM PC viruses
cause most of the reported infections. These common viruses
include the Jerusalem, Stoned, Brain and Eddie viruses.
VIRUS INFECTION INDICATORS
There are various symptoms which indicate a virus is present.
Symptoms include messages, music and graphical displays. However, the
main indicators are changes in file sizes and contents. Virus
detection packages provide some assurance by checking for the code of
known viruses, but with the continuing emergence of new viruses, this
is not always reliable.
Anti-virus programs scan files for virus code or check for changes in
file size and contents using checksums. Even though not always
reliable, it is wise to arm yourself with the latest anti-viral
software. There are a number of packages on the market that detect
viruses.
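The checksum-based change detection described above, as an added
example that is not part of the handbook or of any product it names: a
baseline of SHA-256 digests and sizes is taken while the system is
known to be clean and re-checked later to report files that were
added, removed or modified. The directory, the baseline file name and
the files created in the demo are assumptions.

```shell
#!/bin/sh
# Added example, not part of the handbook: a minimal file-integrity
# baseline of the kind the text describes (checking for changes in file
# size and contents). It records the SHA-256 digest and size of every
# regular file under a directory, then reports files that were added,
# removed or modified since the baseline was taken. Assumes sha256sum or
# shasum plus POSIX find/awk/sort; directory and file names are up to
# the user.

digest() {
    # print "<sha256>  <path>" with whichever tool the host provides
    if command -v sha256sum >/dev/null 2>&1; then sha256sum "$1"
    else shasum -a 256 "$1"; fi
}

# make_baseline DIR OUT: one line per regular file: "<sha256> <size> <path>"
make_baseline() {
    find "$1" -type f -print | sort | while IFS= read -r f; do
        printf '%s %s %s\n' "$(digest "$f" | cut -d' ' -f1)" \
                            "$(wc -c < "$f" | tr -d ' ')" "$f"
    done > "$2"
}

# check_baseline DIR BASELINE: compare the current state of DIR with a
# saved baseline. Prints ADDED / REMOVED / MODIFIED lines and returns 1
# when anything differs, 0 when the tree is unchanged.
check_baseline() {
    cur=$(mktemp) || return 2
    make_baseline "$1" "$cur"
    changes=$(awk '
        { p = $0; sub(/^[^ ]+ [^ ]+ /, "", p) }          # path may contain spaces
        FILENAME == ARGV[1] { old[p] = $1 " " $2; next }  # first file: baseline
        !(p in old)         { print "ADDED    " p; next }
        old[p] != $1 " " $2 { print "MODIFIED " p }
        { delete old[p] }
        END { for (p in old) print "REMOVED  " p }
    ' "$2" "$cur" | sort)
    rm -f "$cur"
    [ -z "$changes" ] && return 0
    printf '%s\n' "$changes"
    return 1
}

if [ "${1:-}" = demo ]; then
    # demo on a constructed directory: baseline, tamper, re-check
    d=$(mktemp -d); b=$(mktemp)
    printf 'login v1\n' > "$d/login.bin"; printf 'ls v1\n' > "$d/ls.bin"
    make_baseline "$d" "$b"
    printf 'login (trojaned)\n' > "$d/login.bin"; printf 'sniff\n' > "$d/.sniff"
    check_baseline "$d" "$b" || echo "== baseline check FAILED =="
    rm -rf "$d" "$b"
fi
```

Keep the baseline file on write-protected or offline media: a baseline
that an intruder can rewrite along with the files it covers detects
nothing.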
A computer virus infection is a reportable security incident. XXX
policy requires that each computer security incident be reported to
the XXX IS Security Office as soon as possible.
If a virus or a suspected virus is detected by a user at XXX, take
the following actions:
The IS Security Office will make an immediate and thorough
investigation of all virus infections reported.
PREVENTION
Scan all disks before they are used. Be cautious of all newly
acquired software. Check new software for infection before it is run
for the first time. Never boot from an unprotected diskette. Back up
files and programs. Watch for unusual operation indicators. Use virus
detection software.
Networks at greatest risk of virus-like infections (worms, etc.) are
those running UNIX and PC-DOS, loosely administered networks, networks
which permit dial-up access, homogeneous networks where most systems
employ the same operating system or hardware, and open networks which
allow any organization to connect. Defense organizations such as NRL
not only need to be concerned because of the potential damage a virus
might cause, but also because of potential news media attention and
organizational oversight.
Incidents involving self-replicating computer viruses in computer
systems and networks have underscored the need for XXX-wide
coordination and support. The IS Security Group will work closely with
other federal agencies to coordinate identification and response
efforts when acute computer network security incidents of this type
are detected. The group will ensure suggested corrective actions are
implemented. Upon initial discovery of a previously undetected
network-related virus infection, the ADP Security Office will contact
higher authority immediately to formulate a combined response.
Data remanence is nothing more than the information left on a storage
device once the file or other information has been deleted or moved
to another location. The data in this case is classified or otherwise
protected information subject to dissemination restrictions.
On DOS systems, deleting a file only changes the first character of
the file's directory entry. This marks the file's space (sectors) as
available for reuse; the data itself is left on the disk untouched.
Moving a file to another location occurs in application programs
nearly every time the data is saved, because in most programs the old
file is deleted only after the new file has been saved.
There is also a problem with unused sector space. If a new file is
written to sectors previously used to store other data, the new data
overwrites the old only as far as the new file extends. Any old data
beyond the end of the new file remains on the disk, even though it is
no longer accessible through the file system.
The third problem involves computers which temporarily store data to
a hard drive as part of an application program's operation, or during
automatic timed backup. Macintosh computers and some DOS programs
exhibit this characteristic as a means of protecting work from
accidental program failure.
Threats to the hidden data can come from two sources. The first is a
directed attack using special software programs that can view the
contents of a disk sector by sector. One of the most common commercial
programs available is the Norton Utilities. Included in the Norton
package are applications that can be used to view, write to, or copy
from virtually any sector or position of a storage disk.
The second form of threat requires direct access to the disk for
laboratory investigation. When data is stored on a disk, a magnetic
field is used to change the magnetic characteristics of the material
in the disk. Once changed, the application of a field of opposite
polarity is used to change these characteristics again. Coercivity,
measured in oersteds, is the property of a magnetic material used as a
measure of the amount of applied magnetic field (of opposite polarity)
required to reduce its magnetic induction to zero from its previous
state.
In some cases, especially if data was left stored at a specific
location on the disk for some length of time, simply re-writing new
data over the old location does not fully change the magnetic state
of the disk material (the magnetization direction representing ones
and zeros). When investigated with sensitive equipment, the slight but
consistent differences in field strength make reading the old data
fairly simple. This is the primary reason for life cycle safeguards
that fully destroy old disks.
Systems that have processed but not stored classified information can
be declassified by subjecting them to a thorough disk wiping
procedure. By utilizing a Government-approved program similar to
Norton Disk Wipe, the user can totally wipe the hard disk clean of all
information previously stored.
For floppies that have actually stored classified information, the
same process is acceptable if the disk is to be reused. However, the
cleared disk must be protected, and can only be reused to store
information at the same level of classification as it previously
held. For downgrading hard disks, two downgrade procedures are
allowed. After wiping, the user must physically inspect the disk
using Norton and then certify that no data is present; the
alternative is that the IS's nonvolatile storage must be degaussed
before it can be surplussed. Make sure the disk has at least been
reformatted before degaussing.
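The remanence effects and the wipe-then-inspect procedure described
above, as an added example that is not from the handbook: a small
file stands in for a disk so the effects can be observed without a
real drive (the image size, sector size and marker text are
assumptions), and the final check, a byte-level test that nothing but
zeros remains, is the command-line equivalent of the manual sector
inspection the text requires before a wiped disk is certified.

```shell
#!/bin/sh
# Added example, not part of the handbook: the three remanence effects the
# text describes (a "deleted" file's sectors are untouched, a smaller new
# file leaves the tail of the old one in place, and only a full overwrite
# removes the data), reproduced on a small file that stands in for a disk,
# followed by the wipe-and-verify step performed before a drive is reused
# or surplussed. IMG is a constructed 64 KiB image, not a device; on a
# real drive the same dd commands would be aimed at /dev/sdX and the wipe
# destroys everything on it. The SECRET marker text is an assumption.

BLOCK=512                       # sector size used throughout

new_image() {                   # new_image FILE BLOCKS: zero-filled stand-in for a disk
    dd if=/dev/zero of="$1" bs=$BLOCK count="$2" 2>/dev/null
}
write_at() {                    # write_at FILE BLOCK STRING: store STRING starting at a sector
    printf '%s' "$3" | dd of="$1" bs=$BLOCK seek="$2" conv=notrunc 2>/dev/null
}
count_marker() {                # count_marker FILE STRING: occurrences left in the raw sectors
    tr -d '\000' < "$1" | grep -o "$2" | wc -l | tr -d ' '
}
wipe_image() {                  # wipe_image FILE: one pass of zeros over every byte
    dd if=/dev/zero of="$1" bs=$BLOCK count=$(( $(wc -c < "$1") / BLOCK )) conv=notrunc 2>/dev/null
}
verify_zeroed() {               # verify_zeroed FILE: succeed only if no non-zero byte remains
    [ "$(tr -d '\000' < "$1" | wc -c | tr -d ' ')" -eq 0 ]
}

if [ "${1:-}" = demo ]; then
    IMG=$(mktemp)
    new_image "$IMG" 128
    # a "classified" file: 100 markers, 900 bytes, spanning sectors 10-11
    payload=$(awk 'BEGIN { for (i = 0; i < 100; i++) printf "SECRET%02d ", i }')
    write_at "$IMG" 10 "$payload"
    echo "after save:              $(count_marker "$IMG" SECRET) markers"
    # a DOS-style delete only edits the directory entry; no sector changes
    echo "after delete:            $(count_marker "$IMG" SECRET) markers"
    write_at "$IMG" 10 "$(printf '%450s' '' | tr ' ' x)"   # smaller file reuses sector 10
    echo "after 450-byte new file: $(count_marker "$IMG" SECRET) markers left in slack"
    wipe_image "$IMG"
    echo "after wipe:              $(count_marker "$IMG" SECRET) markers"
    verify_zeroed "$IMG" && echo "verify: image is all zeros, OK to release"
    rm -f "$IMG"
fi
```

A single zero pass is what the software-only downgrade in the text
amounts to; it defeats sector-by-sector inspection with a disk editor
but not the laboratory attack described earlier, which is why the
degauss-or-destroy alternative remains.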
In the event classified information is discovered on a reissued
hard drive, notify the XXX Security Office
immediately. In the event sensitive but unclassified
information is discovered, notify the XXX IS Security Office.
Upon notification, the security office will assign an
investigation to determine the source and extent of any potential
damages.
Regarding destruction, IS storage media, both classified and
unclassified, will be destroyed as soon as they are no longer
required. Prior to destroying magnetic media, the media should be
degaussed. In the case of hard disk drives, the IS Security Office is
to be notified when disks (or systems) that have been approved for
classified processing are to be replaced.
Software piracy is the making and using of unauthorized copies of
copyrighted software. This practice is a serious issue, especially
when discussing Federal ISs. Under Title 17 of the US Code, it is
strictly forbidden to make or distribute unauthorized copies of
copyrighted software. This is a federal offense, and violations are
monitored by the Software Publishers Association (SPA). 17 USC 506(a)
states that "any person who infringes a copyright willfully and for
purposes of commercial advantage or private financial gain shall be
punished as provided in Section 2319 of Title 18."
According to the SPA:
XXX will neither commit nor tolerate the making or use of unauthorized
software copies under any circumstances, and will enforce strong
controls to prevent its occurrence. As the custodian of your machine,
it is your responsibility to ensure that there is a legally licensed
copy of any commercial software residing on your system. The only
exception is the situation where a user is allowed to make a backup
copy of the software, for personal use only, in the event that the
original software is damaged as the result of a virus or like
circumstance.
All DoD interest computer systems and related equipment are intended
for the communication, transmission, processing, and storage of
official US Government authorized information only. Any user of a DoD
interest computer system should be aware that any information placed
in the system is subject to monitoring and is not subject to any
expectation of privacy. If routine monitoring by the IS Security Group
reveals possible evidence of violation of criminal statutes, this
evidence and any other related information, including identification
information about the user, may be provided to law enforcement
officials. If monitoring reveals violations of security regulations or
unauthorized use, the employees responsible may be subject to
appropriate disciplinary action.
Accessing, manipulating or otherwise using sexually explicit material
with Government equipment, from Government leased equipment, or on
Government time is inappropriate and will be considered to be a
misappropriation of public resources. Further, it is contrary to
published XXX policy, which demands that the workplace be free of
sexual harassment in any form.
Should unlicensed software be detected during routine monitoring,
appropriate disciplinary action may be taken against the individuals
responsible. Violations detected by the IS Security Group will be
reported by letter to the appropriate authority, with any action
against the employee the responsibility of that office.
The storage and transmission of illegal files will be covertly
investigated by the IS Security Office. The results of such
investigations will be forwarded to the appropriate authority upon
completion, with follow-up activities the responsibility of that
office.
The subject of waste, fraud, and abuse is an important and highly
visible issue at XXX. Waste, fraud, and abuse occur when any
government IS asset is used in a capacity outside the scope of
government tasking for that particular system. This could mean
storing unauthorized files or programs, such as games and pornography,
as well as using Government resources for personal endeavors. Any
personnel operating Federal IS resources for personal use or gain are
in direct violation of government standards.
Two kinds of assurance apply: life-cycle assurance and operational
assurance. Life-cycle assurance refers to steps taken by an
organization to ensure that the system is designed, developed, and
maintained using formalized and rigorous controls and standards.
Computer systems that process and store sensitive or classified
information depend on the hardware and software to protect that
information. It follows that the hardware and software themselves
must be protected against unauthorized changes that could cause
protection mechanisms to malfunction or be bypassed completely.