Our major area of concern was that no vulnerability test or program was available to directly evaluate the many ISs monitored by XXX. The ultimate recognition of the potential hacker/cracker threat resulted in an expansion of the existing risk management program as well as the implementation of a new network oriented system testing & evaluation (ST&E) program. The overall IS security program currently in place is more visible and active in testing both stand-alone IS, and also our networks for security weaknesses.

Section 4. Responsibilities.

IS Security Representatives act as a central point for all IS security matters and are responsible for maintaining an accurate inventory of computer resources within the division; assisting IS Security Officers in implementing security measures for computers and networks; monitoring the progress in implementing the requirements of the XXX computer security program, especially as it applies to accreditation; ensuring that IS security training is provided on an annual basis; and reporting all significant IS violations

As the designated computer security office, the end-user may expect certain services from our office. Our office is available during regular business hours for any procedural questions that may concern the user. The computer security office is available should problems arise that the user feels cannot be rectified without some outside assistance. Typically this can manifest itself in situations such as the discovery of a virus on a system or a question concerning the proper disposal of any IS equipment or storage media.

In addition to our user support, accreditation and training activities, the IS Security Office is actively involved in system test and monitoring of various activities on XXX networks and is responsible to respond to various IS related incidences. Our networks are constantly bombarded by off-site hacker/cracker penetration attempts, as well as susceptibility to virus attacks.

In our network monitor and test role, we provide a quick response capability as well as actively evaluating and continually upgrading network security protection measures for system manager and user. Incidence response functions will be covered later in this document.

Applicable Statutes

DOD 5200.28-STD (Orange Book)

DODINST 5200.28

......

Relevant Laws/Acts

PL 100-235 - Privacy Act

Computer Security Act of 1987

PL 100-503

Computer Matching and Privacy Protection Act

PL 99-474

Computer Fraud & Abuse Act of 1986

OMB Circular A-130

Mgt. of Federal Information Resources

XXX's program is required to comply with a number of Public Laws, DOD, and service standards and instructionals. In particular, our program is designed around .....

Public Law 100-235 is intended: "To provide for a computer standards program within the National Bureau of Standards, to provide for Government-wide computer security, and to provide for the training in security matters of persons who are involved in the management, operation, and use of Federal computer systems, and for other purposes."

Public Law 1030 (Computer Fraud and Abuse Act) is intended to address actions by those who "knowingly and intentionally access Federal computers with the intent to defraud, cause a loss, modify, or use in an unauthorized means."

OMB Circular A130 Federal ADP guidelines. "The Paperwork Reduction Act (44 U.S.C. Chapter 35) assigns the Director of the Office of Management and Budget (OMB) responsibility for maintaining a comprehensive set of information resources management policies and for promoting the application of information technology to improve the use and dissemination of information by Federal agencies."

Any user of a DoD interest computer system should be aware that any information placed in the system is subject to monitoring and is not subject to any expectation of privacy. If monitoring of the system reveals possible evidence of violation of criminal statutes, this evidence and any other related information, including identification information about the user, may be provided to law enforcement officials. If monitoring reveals violations of security regulations of unauthorized use, employees who are responsible will be subject to appropriate disciplinary action. The notice explaining this information (shown below) is displayed whenever a user at XXX remotely logs into XXX's networks using ftp or telnet. The notice prior to login is incorporated when tcp Wrappers is installed on your server. There is a very good installation instruction on how to add the pre-login script that comes with the program.

Use of this or any other DoD interest computer system constitutes a consent to monitoring at all times.

This is a DoD interest computer system. All DoD interest computer systems and related equipment are intended for the communication, transmission, processing, and storage of official U.S. Government or authorized information only. All DoD interest computer systems are subject to monitoring at all times to ensure proper functioning of equipment and systems including security devices and systems, to prevent unauthorized use and violations of statutes and security regulations, to deter criminal activity, and for other similar purposes. Any user of a DoD interest computer system should be aware that any information placed in this system is subject to monitoring and is not subject to any expectation of privacy.

If monitoring of this or any DoD interest computer system reveals possible evidence of violation of criminal statutes, this evidence and any other related information, including identification information about the user, may be provided to law enforcement officials. If monitoring of this or any other DoD interest computer system reveals violations of security regulations or unauthorized use, employees who violate security regulations or make unauthorized use of DoD interest computer systems are subject to appropriate disciplinary action.

IS Quality Assurance Controls

The Trusted Computer System Evaluation Criteria (TCSEC) requires all changes to the TCB for classes B2 through A1 be controlled by configuration management. Although the "rainbow series" documentation mostly relates to software controls for trusted computers, configuration management is not limited to only this function. The TCSEC gives the following as the Assurance Control Objective:

"Systems that are used to process or handle classified or other sensitive information must be designed to guarantee correct and accurate interpretation of the security policy and must not distort the intent of that policy. Assurance must be provided that correct implementation and operation of the policy exists throughout the system's life cycle."

Configuration management can be thought of as a quality-assurance (QA) discipline which incorporates aspects involving both identification and authentication of objects within a system. It controls changes to system software, firmware, hardware, and documentation throughout the life of the AIS. This includes the design, development, testing, distribution, and operation of modifications and enhancements to the existing system. More specifically, configuration management applies direction to: 1) identify and document the functional and physical characteristics of each configuration item for a product; 2) manage all changes to these characteristics; and 3) record and report the status of change processing and implementation. In other words, configuration management is the means used to protect a system against unauthorized modifications, and ensures that all protection properties of a system work only as intended and are maintained after an authorized modification takes place.

Configuration management is really a process of engineering sound and secure operating practices into an AIS. As such, controls are placed on an AIS to insure that every change in hardware, software, firmware, operational procedures, or documentation is verified and approved by the authorized or controlling party for the AIS. These security controls can be broken down into four separate tasks: identification, control, status accounting, and auditing. These tasks are applied through various techniques to ensure correct operation of the system.

To accomplish these objectives, the IS Security Manual specifies that two types of assurance are needed:

Passwords should be complex enough to make them difficult to guess. On the other hand, passwords must also be easy to remember by the authorized user. A user must NEVER use a password such as: their name spelled backwards, any personal information such as a pet's name or license plate number, a no nonsense word that is easy to type on the keyboard (such as qwerty), or any word in any language. The average cracker has dictionaries from many languages, including slang, built into their password cracking programs.

A good password should consist of at least seven characters, of which there should be at least three "special" characters involved. Special characters consist of numbers, capitalization of a few of the letters, and the special characters located above the numbers on the keyboard (ex., #, &, ^, @, etc.), and or numbers. This password configuration need not be difficult to remember. A user can simple choose a word and substitute special characters for individual letters in the word. An example of this might be the word, 'daylight' spelled d@YL1gHt*, with an asterisk thrown in at the end for good measure.

Using this method, the user can be reasonably sure that a cracker will have a hard enough time attempting to crack your password and move on to somebody else's machine. If you're worried that a cracker will decipher the first few letters of your password and then figure the rest of it out in short order, you needn't be worried.

Password cracking programs only figure out the entire password. They cannot break a password one letter at a time. Remember that there is no such thing as an unbreakable password. Eventually a password can be broken by a program, although with a carefully chosen password, this cost the cracker more resources than they have at their disposal and could conceivably take many years.

Passwords should also be easy enough for the end user to type quickly to prevent wandering eyes from deciphering what it is. Users should never type their password with someone else in line of sight with the keyboard.

Passwords should be regulated and changed every so often, a good rule is change after six months of use. Passwords should be protected with great care. A user should never write his or her password down anywhere, nor should they consider giving it to anyone else. If you are fearful that you will forget it, then a solution might be to write it down and secure it in a safe only accessible to those who have accounts of the same nature as yours.

Formal Audit Requirements for Trusted Systems

The minimum trust requirements for all DoD computer systems at NRL is level C2 functionality. C2 is considered the benchmark for audit trails. The following sections, derived from NCSC-TG-001, describe the audit requirements for class C2.

6.1.1 Auditable Events: The following events shall be subject to audit at the C2 class:

1. Use of identification and authentication mechanisms

2. Introduction of objects into a user's address space

3. Deletion of objects from a user's address space

4. Actions taken by computer operators and system administrators and/or system security administrators

5. All security-relevant events (as defined in Section 5 of this guideline)

6. Production of printed output

6.1.2 Auditable Information

The following information shall be recorded on the audit trail at the C2 class:

1. Date and time of the event

2. The unique identifier on whose behalf the subject generating the event was operating

3. Type of event

4. Success or failure of the event

5. Origin of the request (e.g., terminal ID) for identification/authentication events

6. Name of object introduced, accessed, or deleted from a user's address space

7. Description of modifications made by the system administrator to the user/system security databases

Generally, there are two main classes of viruses. The first class consists of the FILE INFECTORS which attach themselves to ordinary program files. These usually infect executable files. The second category is SYSTEM or BOOT-RECORD INFECTORS: those viruses which infect executable code found in certain system areas on a disk which are not ordinary files.

On DOS based systems, there are ordinary boot-sector viruses, which infect only the DOS boot sector, and MBR viruses which infect the Master Boot Record on fixed disks and the DOS boot sector on diskettes. Examples include Brain, Stoned, Empire, Azusa, and Michelangelo. Such viruses are always resident viruses. Finally, a few viruses are able to infect both (the Tequila virus is one example). These are often called MULTI-PARTITE viruses or BOOT-AND-FILE viruses.

How Many Viruses Are There?

It is not possible to give an exact number of how many viruses there are because new ones are being created literally every day. Furthermore, different anti-virus researchers use different criteria to decide whether two viruses are different or one and the same. Most researchers agree that there are more than 1500 PC viruses. However, very few of the existing viruses are widespread. Only about three dozen of the known IBM PC viruses cause most of the reported infections. These common viruses include the Jerusalem, Stoned, Brain and Eddie viruses.

Does My Computer Have a Virus?

There are various symptoms which indicate a virus is present. Symptoms include messages, music and graphical displays. However, the main indicators are changes in file sizes and contents. Virus detection packages provide some assurance by checking for the code of known viruses, but with the continuing emergence of new viruses, this is not always reliable.

VIRUS INFECTION INDICATORS

Anti-virus programs scan files for virus code or check for changes in file size using checksums. Even though not always reliable, it is wise to arm yourself with the latest anti-viral software. There are a number of packages on the market that detect for viruses.

How We Protect Systems

PREVENTION

Incidence Response Activities (Network Virus/Worm Attack)

Incidents involving self replicating-computer viruses in computer systems and networks have underscored the need for XXX wide coordination and support.

The IS Security Group will work closely with other federal agencies to coordinate identification and response efforts when acute computer network security incidences of this type are detected. The group will ensure suggested corrective actions are implemented. Upon initial discovery of a previously undetected network related virus infection, the ADP Security Office will contact higher authority immediately to formulate a combined response.

Determining a Violation

XXX will neither commit nor tolerate the making or use of unauthorized software copies under any circumstances, and will enforce strong controls to prevent its occurrence. As the custodian of your machine, it is your responsibility to ensure that there is a legally licensed copy of any commercial software residing on your system. The only exception would be the situation where a user is allowed to make a backup copy of the software for personal use only in the event that the original software is damaged as the result of a virus or like circumstance.