Typical Government IS Security Course and Handbook

Note: To sanitize this document, several items have been left blank.

Introduction
What Role Does IS Security Play in the Overall Profile?
Why Do We Need Computer Security?
Control Measures to Reduce Potential Losses
How Our Current Program Evolved
Designated Approval Authority
What to Expect From Us
IS Security Program Compliance
Network Monitoring
IS Quality Assurance Controls
What is Our IS Configuration Management Role?
Management Solutions
Specifics of the Risk Management Program
Accreditation
Typical Procedures
IS System Accreditation Request Form
Interview Process
Interim Accreditation
Period of Validity
Physical Access Control (Area Control)
Classification Controls
Unclassified Processing
Classified Processing
Contingency Management
Formal Accreditation
Security Test and Evaluation (ST&E)
Computer Security Training and Awareness
User's Responsibilities
Network Vulnerabilities
External Network Protection
Firewalls
Internal Network Protection Techniques
Network Procedural Issues (Security Models & Controls)
Access Control & Password Management
Modes of Operation
IS/Network Audits
Audit Trails
Incidence/Emergency Response Activities
Database of Redundant Systems
Network Penetration Control
Virus Control
Virus Reporting
Data Remanence
Procedures to Control Remanence During Surplussing/Declassification of IS Assets
Software Piracy
Illegal Files
Inappropriate Use of Government Resources
Waste, Fraud, Abuse
OPSEC
Key Individuals in the IS Security Office

Typical IS Security Course and Handbook

Introduction

This course is designed as a basic introduction to computer security. It attempts to provide an awareness of the many aspects of Information System (IS) security, and also of the procedures involved in accreditation of XXX computer assets. The goal of this course is to familiarize users with proper security practices that will have a positive impact on the current XXX IS security profile.

What Role Does IS Security Play in the Overall Profile?

Information Security (INFOSEC) is an all-encompassing term applied to the result of any system of administrative policies and procedures for identifying, controlling, and protecting information from unauthorized disclosure. While INFOSEC covers many often overlapping security disciplines, the three principal areas of concern in this course are computer security (COMPUSEC), communications security (COMSEC), and TEMPEST.

COMPUSEC applies to those measures required to protect data against unauthorized (accidental or intentional) disclosure, modification, destruction, and the denial of services that process data. Security includes consideration of all hardware or software functions, characteristics, and features; operational and accountability procedures; access controls at the central computer facility, remote computer, and/or terminal; management constraints; physical structures and devices; and personnel and communications controls needed to provide an acceptable level of risk for the computer system and the data or information contained in the system.

COMSEC is the protection resulting from all measures designed to deny unauthorized persons information of value which might be derived from the possession and study of telecommunications, or to mislead unauthorized persons in their interpretation of the results of such possession and study. Communications security includes crypto security, transmission security, emission security and physical security of communications security materials and information.

TEMPEST is a highly evolved and well understood security discipline. It refers to the study of compromising emanations generated during classified operations. TEMPEST evaluations are concerned with studying conducted and radiated noise for meaningful information. All electronic devices generate electromagnetic fields when powered. Every electronic device inside a computer generates a field related to the information it is processing. When these fields are detectable and can be understood, even with extensive shielding and filtering implemented, a TEMPEST threat exists.

Why Do We Need Computer Security?

An IS is not, strictly speaking, a single computer system. An IS is an assembly of hardware, firmware, and software that is configured to collect, create, communicate, compute, disseminate, process, store and/or control data or information. An IS consists of many components which work together to perform a single function.

As systems and uses become more sophisticated, new and more advanced controls will be needed to protect computer information. Even now, many basic controls are available that can be implemented to enhance the security profile of any organization. These controls should be cost-effective, and appropriate for the level of information and systems being protected. Controls that are more expensive than the value of the information they protect are not cost-effective.

To achieve acceptable levels of computer security for classified, sensitive unclassified, and unclassified information, organizations must establish a systematic approach that includes making information security a management priority; identifying information resources and determining threats and potential losses; and auditing and monitoring results.

XXX's IS Security Program is designed to ensure the confidentiality, integrity, and availability of its computing assets. It is driven by a primary need: the need to maintain configuration management controls over equipment that may be susceptible to identified threats.

The potential risks to computers posed by threats such as those in Table 1 establish the basis for controlling the configuration management of all ISs which process classified and unclassified but sensitive information. XXX has chosen to address this control need through the establishment of a Risk Management Program.

Control Measures to Reduce Potential Losses

Losses can come from any of the following hazards:

Environmental Hazards - damage from fire, flood, dust, static electricity, or electrical storms

Hardware and Equipment Failure - mechanical or electrical failure of the computer, its storage capacity, or its communications devices

Software Errors - programming bugs to simple typos in spreadsheet formulas

Accidents, Errors, and Omissions - by anyone using computers or the information that they process

Intentional Acts - fraud, theft, sabotage, and misuse of information by competitors and employees

The controls that should be considered for implementation to prevent losses include:

Administrative Controls - controls include establishing policies and procedures which assign management and individual responsibilities, and conducting computer security training

Physical and Environmental - controls include limiting physical access to information resources to only authorized personnel, and protecting computers from water and fire damage, power outages, and hazardous environmental conditions

Information and Data Controls - controls include authenticating users, establishing and enforcing authorization rules for what information and processes may be accessed, and maintaining a record of user actions

Software Development and Acquisition Controls - controls include purchasing off-the-shelf software from reputable vendors, establishing rigorous controls over the development and use of programs and data for sensitive applications, and applying caution when using public domain software

Backup and Contingency Planning Controls - controls include training employees to respond to emergency conditions, maintaining backup copies of information and programs, and assuring that alternative equipment and software are available for processing if needed.

How The Current Program Evolved

Until a few years ago, XXX maintained a traditional risk management security program to protect its computer assets. An asset is any software, information, administrative, physical, communications, or personnel resource within an activity. This program evaluated each computer individually against a comprehensive set of security-related threats and criteria.

Computer threats are any circumstances or events with the potential to cause harm to the computer system or processing activities. The presence of a threat does not mean that it will actually cause harm, only that it represents a potential weakness or vulnerability in the security of the system.

It was soon recognized that PCs were being exposed to many more threats as time went on, especially those represented by the hacker/cracker community. Some of the many threats included:

Increasing number of systems
Physical Access
Lack of built-in security mechanisms
Available operating system code
Easily transportable
Lack of user awareness
LAN accessibility

Our major area of concern was that no vulnerability test or program was available to directly evaluate the many ISs monitored by XXX. The ultimate recognition of the potential hacker/cracker threat resulted in an expansion of the existing risk management program as well as the implementation of a new network-oriented system testing and evaluation (ST&E) program. The overall IS security program currently in place is more visible and active in testing both stand-alone ISs and our networks for security weaknesses.

Designated Approval Authority

The Designated Approval Authority or DAA is the final decision maker in all matters concerning IS security. The DAA will make a decision based upon directives dictated by government policy.

Section 4. Responsibilities.

IS Security Representatives act as a central point for all IS security matters and are responsible for maintaining an accurate inventory of computer resources within the division; assisting IS Security Officers in implementing security measures for computers and networks; monitoring the progress in implementing the requirements of the XXX computer security program, especially as it applies to accreditation; ensuring that IS security training is provided on an annual basis; and reporting all significant IS violations.

What to Expect From Us

The IS Security Office works in conjunction with the end-user on a common goal of IS integrity. Together, we keep XXX systems operating within the prescribed IS security guidelines.

Because we are the designated computer security office, the end-user may expect certain services from our office. Our office is available during regular business hours for any procedural questions that may concern the user. The computer security office is also available should problems arise that the user feels cannot be rectified without some outside assistance. Typically this manifests itself in situations such as the discovery of a virus on a system or a question concerning the proper disposal of IS equipment or storage media.

In addition to our user support, accreditation and training activities, the IS Security Office is actively involved in system testing and monitoring of various activities on XXX networks and is responsible for responding to IS-related incidents. Our networks are constantly bombarded by off-site hacker/cracker penetration attempts and are continually exposed to virus attacks.

In our network monitoring and testing role, we provide a quick response capability as well as actively evaluating and continually upgrading network security protection measures for system managers and users. Incident response functions will be covered later in this document.

IS Security Program Compliance

The IS Security program developed here at XXX is designed to provide the end-users with good IS security practices as well as to comply with current Government requirements. This practice establishes good habits within the XXX community and narrows the possibility of, among other things, disclosure of data, equipment loss, and misuse of government resources.

Applicable Statutes

DOD 5200.28-STD (Orange Book)
DODINST 5200.28
......

Relevant Laws/Acts
PL 100-235 - Privacy Act
Computer Security Act of 1987
PL 100-503
Computer Matching and Privacy Protection Act
PL 99-474
Computer Fraud & Abuse Act of 1986
OMB Circular A-130
Mgt. of Federal Information Resources

XXX's program is required to comply with a number of Public Laws, DOD, and service standards and instructions. In particular, our program is designed around .....

Public Law 100-235 is intended: "To provide for a computer standards program within the National Bureau of Standards, to provide for Government-wide computer security, and to provide for the training in security matters of persons who are involved in the management, operation, and use of Federal computer systems, and for other purposes."

Public Law 1030 (Computer Fraud and Abuse Act) is intended to address actions by those who "knowingly and intentionally access Federal computers with the intent to defraud, cause a loss, modify, or use in an unauthorized means."

OMB Circular A-130 sets the Federal ADP guidelines: "The Paperwork Reduction Act (44 U.S.C. Chapter 35) assigns the Director of the Office of Management and Budget (OMB) responsibility for maintaining a comprehensive set of information resources management policies and for promoting the application of information technology to improve the use and dissemination of information by Federal agencies."

Network Monitoring

All DoD interest computer systems and related equipment are intended for the communication, transmission, processing, and storage of official US Government authorized information only. US Government telecommunications systems and ADPs are subject to periodic security testing and monitoring without prior notification to ensure proper functioning of equipment and systems including security devices, to prevent unauthorized use and violations of statutes and security regulations, to deter criminal activity, and for other similar purposes. Use of any Government network or equipment constitutes consent to monitoring.

Any user of a DoD interest computer system should be aware that any information placed in the system is subject to monitoring and is not subject to any expectation of privacy. If monitoring of the system reveals possible evidence of violation of criminal statutes, this evidence and any other related information, including identification information about the user, may be provided to law enforcement officials. If monitoring reveals violations of security regulations or unauthorized use, the employees who are responsible will be subject to appropriate disciplinary action. The notice explaining this information (shown below) is displayed whenever a user at XXX remotely logs into XXX's networks using ftp or telnet. The notice is presented before login once TCP Wrappers is installed on your server; the program comes with good installation instructions for adding the pre-login notice.

Use of this or any other DoD interest computer system constitutes a consent to monitoring at all times.

This is a DoD interest computer system. All DoD interest computer systems and related equipment are intended for the communication, transmission, processing, and storage of official U.S. Government or authorized information only. All DoD interest computer systems are subject to monitoring at all times to ensure proper functioning of equipment and systems including security devices and systems, to prevent unauthorized use and violations of statutes and security regulations, to deter criminal activity, and for other similar purposes. Any user of a DoD interest computer system should be aware that any information placed in this system is subject to monitoring and is not subject to any expectation of privacy.

If monitoring of this or any DoD interest computer system reveals possible evidence of violation of criminal statutes, this evidence and any other related information, including identification information about the user, may be provided to law enforcement officials. If monitoring of this or any other DoD interest computer system reveals violations of security regulations or unauthorized use, employees who violate security regulations or make unauthorized use of DoD interest computer systems are subject to appropriate disciplinary action.
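The following is an added example, not part of the handbook and not code shipped with TCP Wrappers. It shows how the monitoring notice above is installed as a TCP Wrappers pre-login banner for telnet and ftp using the "banners" option of hosts.allow (as documented in hosts_options(5)), and how an accreditation review can verify from the configuration files that the banner is actually active. The banner directory, the daemon names and the use of a scratch directory instead of /etc are assumptions for illustration; the notice text is abridged from the handbook's notice above.

```sh
#!/bin/sh
# Added example, not from the handbook or from TCP Wrappers itself.
# Mechanism (hosts_options(5)): a hosts.allow rule such as
#     in.telnetd, in.ftpd : ALL : banners /etc/banners
# makes tcpd send the contents of /etc/banners/<daemon-name> to the client
# before the connection is handed to that daemon, so one banner file per
# daemon name is required. Paths and daemon names below are illustrative;
# a real install writes /etc/banners and /etc/hosts.allow as root, which
# this example deliberately does not do.

# Abridged from the handbook's notice; use the full text in practice.
NOTICE='Use of this or any other DoD interest computer system constitutes a
consent to monitoring at all times.

This is a DoD interest computer system. All DoD interest computer systems
are subject to monitoring at all times to ensure proper functioning of
equipment and systems, to prevent unauthorized use and violations of
statutes and security regulations, and to deter criminal activity. Any
user should be aware that information placed in this system is subject to
monitoring and is not subject to any expectation of privacy.'

# install_banners DIR DAEMON... : write one copy of the notice per daemon name
install_banners() {
    dir=$1; shift
    mkdir -p "$dir"
    for daemon in "$@"; do
        printf '%s\n' "$NOTICE" > "$dir/$daemon"
        chmod 644 "$dir/$daemon"      # readable by tcpd, writable by owner only
    done
}

# hosts_allow_rule DIR DAEMON... : print the hosts.allow line enabling the banner
hosts_allow_rule() {
    dir=$1; shift
    daemons=$(printf '%s,' "$@")
    printf '%s : ALL : banners %s\n' "${daemons%,}" "$dir"
}

# banner_configured HOSTS_ALLOW DAEMON : succeed only if an active (uncommented)
# rule names the daemon with a banners option, and the banner file for that
# daemon exists and still carries the monitoring notice. This is the check an
# accreditation review scripts instead of trusting the configuration by eye.
banner_configured() {
    hosts_allow=$1; daemon=$2
    dir=$(grep -v '^[[:space:]]*#' "$hosts_allow" | grep -F -- "$daemon" |
          sed -n 's/.*banners[[:space:]]*\([^[:space:]:]*\).*/\1/p' | head -n 1)
    [ -n "$dir" ] && [ -f "$dir/$daemon" ] &&
        grep -q 'consent to monitoring' "$dir/$daemon"
}

# Demonstration against a scratch directory rather than /etc.
tmp=$(mktemp -d)
install_banners "$tmp/banners" in.telnetd in.ftpd
hosts_allow_rule "$tmp/banners" in.telnetd in.ftpd > "$tmp/hosts.allow"
cat "$tmp/hosts.allow"
for d in in.telnetd in.ftpd in.rshd; do
    if banner_configured "$tmp/hosts.allow" "$d"; then
        echo "$d: banner configured"
    else
        echo "$d: NO banner"          # in.rshd has no rule and no banner file
    fi
done
```

The check function is the useful part for compliance work: a banner file that exists but is no longer referenced from an active hosts.allow rule, or a rule whose banner file has been deleted, both show up as "NO banner" rather than passing silently.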

IS Quality Assurance Controls

IS configuration management consists of identifying, controlling, accounting for, and auditing all changes made to a particular system or equipment during its life cycle.

The Trusted Computer System Evaluation Criteria (TCSEC) requires all changes to the TCB for classes B2 through A1 be controlled by configuration management. Although the "rainbow series" documentation mostly relates to software controls for trusted computers, configuration management is not limited to only this function. The TCSEC gives the following as the Assurance Control Objective:

"Systems that are used to process or handle classified or other sensitive information must be designed to guarantee correct and accurate interpretation of the security policy and must not distort the intent of that policy. Assurance must be provided that correct implementation and operation of the policy exists throughout the system's life cycle."

Configuration management can be thought of as a quality-assurance (QA) discipline which incorporates aspects involving both identification and authentication of objects within a system. It controls changes to system software, firmware, hardware, and documentation throughout the life of the AIS. This includes the design, development, testing, distribution, and operation of modifications and enhancements to the existing system. More specifically, configuration management applies direction to: 1) identify and document the functional and physical characteristics of each configuration item for a product; 2) manage all changes to these characteristics; and 3) record and report the status of change processing and implementation. In other words, configuration management is the means used to protect a system against unauthorized modifications, and ensures that all protection properties of a system work only as intended and are maintained after an authorized modification takes place.

Configuration management is really a process of engineering sound and secure operating practices into an AIS. As such, controls are placed on an AIS to ensure that every change in hardware, software, firmware, operational procedures, or documentation is verified and approved by the authorized or controlling party for the AIS. These security controls can be broken down into four separate tasks: identification, control, status accounting, and auditing. These tasks are applied through various techniques to ensure correct operation of the system.

What is Our IS Configuration Management Role?

XXX applies IS configuration management as a quality-assurance function. The requirements for trusted systems are taken directly from DoDD 5200.28. One of the control objectives is to assure that the security policy has been implemented correctly by a particular IS, and that the system's protection-relevant elements accurately enforce the intent of that policy. This assurance must include a guarantee that the trusted portion of the system works only as intended.

To accomplish these objectives, the IS Security Manual specifies that two types of assurance are needed: life-cycle assurance and operational assurance. Life-cycle assurance refers to steps taken by an organization to ensure that the system is designed, developed, and maintained using formalized and rigorous controls and standards. Computer systems that process and store sensitive or classified information depend on the hardware and software to protect that information. It follows that the hardware and software themselves must be protected against unauthorized changes that could cause protection mechanisms to malfunction or be bypassed completely.

Re-evaluation is necessary whenever changes are made that could affect the integrity of the protection mechanisms. With proper security evaluation and control functions in place, XXX feels that the hardware and software interpretation of the security policy will remain accurate and undistorted for a particular IS.

Risk management is a process through which undesirable events can be identified, measured, controlled and prevented so as to effectively minimize their impact or frequency of occurrence. This identification of the security posture, using the asset's worth, its attractiveness, the probability of a successful attack, and its vulnerability, forms the basis of XXX's IS security program.

The implementation of effective information security measures must be based on a balance between the cost of controls and the need to reduce risk or expected loss. "Absolute" security could be achieved only at unlimited cost. Risk assessments are used to provide an analysis of the computer system or network assets, vulnerabilities and threats to determine the security requirements which must be satisfied to ensure the system can be operated at an acceptable level of risk. Risk assessments, system test and evaluation, and contingency planning are all parts of the risk management process.

Loss, which can be direct (the effort needed to reconstruct a destroyed file) or indirect (the loss or reduction of an organization's business function or cash flow due to the destroyed file), is the impact a harmful event has on the organization. Impact is usually measured in monetary values, but may also be measured in qualitative terms. The process of estimating potential loss is called risk analysis.

Risk analysis is the cornerstone of the risk management process for computer applications. While risk analysis can be applied to operational systems, it is most useful when applied prior to the requirements definition of a computer application. In this way, the resulting estimates of potential loss can be used to form the basis for the computer security requirements and countermeasures being developed.
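The following added example (not part of the handbook, and not XXX's own risk analysis method) works the cost-versus-risk balance described above and in the earlier note that controls more expensive than the information they protect are not cost-effective. It uses the conventional quantitative risk-analysis formula, annualized loss expectancy = asset value x exposure factor x annualized rate of occurrence; that formula and all of the asset, threat and control figures are assumptions constructed for illustration, not values from the page.

```sh
#!/bin/sh
# Added example, not from the handbook: a minimal quantitative risk analysis.
# Method (conventional practice, not defined on the page): for each asset and
# threat pair,
#     ALE = asset value * exposure factor (fraction of value lost per event)
#                       * annualized rate of occurrence (ARO)
# and a control is cost-effective only if the ALE it removes exceeds its own
# annual cost. Every figure below is constructed for illustration.

# asset|value in dollars|threat|exposure factor|ARO
RISK_TABLE='payroll-db|250000|fire|0.80|0.02
payroll-db|250000|disk-failure|0.50|0.20
lab-workstation|8000|theft|1.00|0.10'

# ale VALUE EF ARO : annualized loss expectancy, two decimals
ale() {
    awk -v v="$1" -v ef="$2" -v aro="$3" 'BEGIN { printf "%.2f\n", v * ef * aro }'
}

# control_net_benefit VALUE EF ARO_BEFORE ARO_AFTER ANNUAL_COST
# : (ALE before the control - ALE after it) - annual cost of the control
control_net_benefit() {
    awk -v v="$1" -v ef="$2" -v before="$3" -v after="$4" -v cost="$5" \
        'BEGIN { printf "%.2f\n", v * ef * before - v * ef * after - cost }'
}

# control_is_cost_effective (same arguments) : exit 0 only if net benefit > 0
control_is_cost_effective() {
    awk -v n="$(control_net_benefit "$@")" 'BEGIN { exit !(n > 0) }'
}

# risk_report : one line per asset/threat pair, highest ALE first, which is the
# order in which countermeasures deserve attention
risk_report() {
    printf '%s\n' "$RISK_TABLE" |
        awk -F'|' '{ printf "%-16s %-13s ALE=%10.2f\n", $1, $3, $2 * $4 * $5 }' |
        sort -t= -k2 -rn
}

risk_report
echo
# Candidate control 1: fire suppression for the payroll system, $3000/year,
# assumed to cut the fire ARO from 0.02 to 0.002.
if control_is_cost_effective 250000 0.80 0.02 0.002 3000; then
    echo "fire suppression: cost-effective, net $(control_net_benefit 250000 0.80 0.02 0.002 3000)/year"
fi
# Candidate control 2: a guard post for one $8000 workstation, $5000/year,
# assumed to cut the theft ARO from 0.10 to 0.01. The control costs more than
# the exposure it removes, so it is rejected.
if ! control_is_cost_effective 8000 1.00 0.10 0.01 5000; then
    echo "workstation guard: not cost-effective, net $(control_net_benefit 8000 1.00 0.10 0.01 5000)/year"
fi
```

The report orders exposures by ALE, so the disk-failure risk to the payroll system (ALE 25000.00) heads the list even though a fire would be the larger single event; the risk assessment described in the handbook is what supplies the asset values, exposure factors and rates that feed such a table.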

Audit and Evaluation - Because security requirements should be a consideration throughout the entire life cycle of a system, security measures are best when designed into systems from the start. Steps should be taken to assure that planned security mechanisms are implemented and working as intended. Effective processes for audit recording and review should be in place to ensure accountability and to provide a means of monitoring potential threats to operational systems.

Contingency Planning - Since computers and networks fail, often leaving users unable to accomplish critical processing, NRL has developed guidance to assist users and managers in providing effective contingency planning. Effective planning and operational procedures are needed to assure that critical applications and data are available in a timely manner.

Specifics of the Risk Management Program

By ascertaining what level of risk is acceptable for an individual system, the accreditation team can determine which countermeasures are necessary to maintain the level of security required over the life cycle of the IS. The formal investigative process involves data collection and analysis (risk analysis) of the system's exposure to risk using a risk assessment. The Risk Assessment addresses matters such as the assessment of threats, in-place countermeasures, and the degree of impact following an asset loss or impairment.

Accreditation

The IS Security Office provides technical support to XXX for the accreditation of ISs in accordance with applicable IS Security Program standards. The accreditation of a system by the IS security office for use in classified or unclassified but sensitive processing certifies that the system examined is configured in compliance with relevant XXX guidelines.

Using the risk management approach to evaluate an IS's security posture, the IS Security Office considers Risk Analysis (RA), Contingency Planning (CP) and Security Test & Evaluation (ST&E) for each IS. Risk Management is an ongoing process that will periodically reaffirm the validity of the previous accreditation throughout the life of the IS. The IS Security Officer supports XXX's risk management program by performing the following tasks:

- Develop and maintain the XXX accreditation schedule.

- Perform a risk assessment and analysis by analyzing threats to the ADP and vulnerabilities of the IS in relationship to the sensitivity of the data processed by the IS.

- Ensure a contingency plan is in place for the continuity of operations in an emergency situation and that the developed plans are exercised.

- Ensure that required countermeasures are implemented.

- Ensure that security tests, TEMPEST tests, and other inspections are conducted as required.

- Perform technical review for security-related waiver requests.

Typical XXX Procedures

When the user decides to purchase a new IS, he must fill out several forms. The form that concerns our office is the IS System Accreditation Request form. By completing this form and sending it to our office, the user is granted interim accreditation that lasts until our office can initiate a field risk assessment, which will result in final accreditation of the system within 90 days of the examination.

IS System Accreditation Request Form

This is the part of the procurement form that is sent to our office requesting interim accreditation and notifies our office that a new system is entering the lab. This sheet, which is to be filled out by the custodian of the new machine, provides our office with enough pertinent information to enter it in our active database.

Interview Process

The interview process is initiated when an IS is being processed for final accreditation. Our office conducts an interview with the designated custodian for a system, and completes a questionnaire. This process allows our office to conduct an on-site evaluation of a system.

Interim Accreditation

Interim accreditation is granted as soon as our office receives the IS system accreditation request form, informing us that a new system is being brought on line at the lab.

Period of Validity

Interim accreditation is valid indefinitely until an on-site evaluation can be scheduled. This type of temporary accreditation carries with it the authority to operate at the level of classification that was requested.

Physical Access Control (Area Control)

Physical safeguards for ISs are necessary to minimize the potential for problems caused by certain threats. The level of physical protection is directly related to the sensitivity and cost of the IS. These are the minimum requirements for physical safeguards for each of the data level categories. There may be instances where the minimum is not enough protection, but in general, a selection of the following physical requirements should be followed when planning for and/or installing ISs, Networks and computer resources.

Signs, locked doors, cipher locks
ID cards and/or badges
Access log
Closed-circuit TV
No unauthorized unescorted entry

Only a part of the responsibility for Physical Access Control is shared by the user at XXX. While the user may believe that all physical security needs are being handled by resident security at XXX, that is not wholly the case. The user is responsible for personal area security. This may include matters such as locking your office door after business hours and ensuring that any visitors to your area go through a check-in process, even if it is only a line-of-sight procedure or an actual written log.

Classification Controls

Data is classified into one of the following categories:

Level I - Classified
Level II - Unclassified Sensitive
Level III - Unclassified

Unclassified Processing

Due to the physical barriers represented by the NRL perimeter fence and other access safeguards, a locked room is considered adequate physical security protection at the lab. For systems that handle sensitive information (Privacy Act, Financial, etc.), simple physically controlled access may not be adequate protection. This is particularly true for networked ISs, which will be discussed later. In addition, the following vulnerabilities for each ADP will be addressed during the accreditation process and, if applicable, safeguards will be implemented.

a. Temperature and humidity
b. Lighting and electrical service
c. Cleanliness
d. Precautionary measures against water damage
e. Fire safety

Classified Processing

In addition to the requirements for protecting unclassified data, the following are applicable for all systems handling classified data:

a. For PCs and microcomputers: PCs and microcomputers that contain internal hard disks will not be used to process, handle or store classified information unless they are physically protected to the highest level of information ever handled by the system. This level of protection must continue throughout the system's life. This protection must continue when relocating the equipment outside its secured room and during maintenance. No medium that has ever contained classified data may leave XXX until it has been declassified by one of the two approved methods. Therefore, for most applications, the use of removable media is necessary.

b. For minicomputers and mainframes: The philosophy is much the same as that prescribed for PCs: either a secured facility providing the same physical protection as an equivalent-level security container, or all media must be removable and stored in a security container when not under the supervision of a cleared person.

c. TEMPEST requirements must be strictly adhered to.

d. When the requirement exists to operate a system that cannot have removable media or that operates without the direct supervision of security personnel, a secured facility must be created to house and protect the system and information from unauthorized access, disclosure and modification.

Contingency Management

Contingency Management is an essential continuity provision incorporated into the IS security process. It provides the user with a backup plan in the event of an emergency involving the temporary incapacitation of the system. This prevents loss of vital data, time spent trying to get organized directly after the event occurs, and interruptions of the work process that would cost precious time and money. The responsibilities of the IS Security Group related to its incident response functions are covered later in this document.

Formal Accreditation

Once all requirements for accreditation have been complied with, formal accreditation for your system is provided. Unless there is a major modification, the accreditation will be reviewed every three years, and will remain in effect until your machine is no longer used for classified processing. However, if the ADP is to be replaced or surplussed, this office must be notified so it can be removed from our database.

Security Test and Evaluation (ST&E)

The ST&E function is the active auditing part of XXX's IS security configuration management procedure. ST&Es gather empirical data on individual systems, which is examined by the DAA in the evaluation procedure. This process evaluates the effectiveness of in-place countermeasures against incidents that would affect the IS in a negative manner. If the in-place countermeasures are inadequate, the ST&E will uncover this fact and the deficiencies can then be rectified.

Computer Security Training and Awareness

For ISs which process classified information, proper training and awareness for the user are key integrity factors. Awareness by the end-user of good security techniques can cut down on security incidents. Security starts with the custodian of the machine.

Briefings and Training Requirements

Annual computer security briefings are available on ........ XXX uses an enhanced briefing form which is intended to provide both a registration vehicle and to meet the requirement for annual computer security training. All individuals who use a computer at XXX, contractor and Government employees alike, must read and return the web notice or the signed form sent with the briefing to be authorized to perform processing each year.

Briefings define what an IS is, identify the responsibilities of managers, users, and IS Security Group individuals, and describe storage requirements, processing modes, access controls, audit trails, and disaster recovery.

Section 5 General IS Security Requirements.

"d. IS security training must be given to each new user of a computer, and refresher training must be given periodically to all personnel involved with use or operation of a computer. Such training should include security, emergency, and fire procedures as appropriate."

Additional Briefing Notes for ISs Which Process Classified Information:

1. At XXX, the annual briefings (available on the IS Security Web Page) are written so as to also provide refresher training in accordance with annual training requirements.

2. The IS System Manager will ensure a list of personnel with classified processing authorization is provided to the IS Security Office.

User's Responsibilities

Users have rules and procedures that must be followed when they process classified information. While annual briefings are intended to remind users of their major responsibilities, there are a number of related issues users should also be familiar with. These are listed below:

1. Be familiar with your IS classified processing access and operational regulations.

2. Know the marking requirements for your IS data.

All storage media must be properly labeled with the highest level of data contained on the media.

3. Know the audit controls (Classified Material) imposed on your sessions.

4. Know the Navy regulations concerning personal equipment (Software, Games, etc.)

Personal software must not be present on government IS resources. This includes games, software packages that have not been acquired through normal procedures, and any data of a personal nature. These are government systems and are to be used for official business only.

5. Know your responsibilities for the physical protection of IS equipment

IS resources should be protected against damage or theft. Eating, drinking, and smoking can all affect a system.

6. Know the actions you must take in the event of a disaster.

A Contingency Plan is required for each machine that is to receive final accreditation. The plan is simply the backup plan for the event that a machine is temporarily out of service: how the user will continue the work that had been performed on the primary machine while it is unusable. This typically involves a secondary machine that can pick up the duties of the non-functioning system.

7. Know how your system is configured and how it is intended to operate.

Networks Are Vulnerable

Networks offer many advantages to users. Distributed processing such as we have at XXX allows many people access to large amounts of data, much of which is sensitive. This creates a condition of openness in which all types of systems (PCs, workstations, and mainframes) can talk to each other as necessary. When access becomes widespread, network vulnerabilities increase, and any coordinated central security control program encounters difficulty.

With more networks interconnected all the time, the chances increase that a legitimate user from one network can find an open path to another network and from there into still other networks where he has no legal authorization. The possibility of this occurrence forces network managers to monitor and audit their own systems on a continuing basis.

In addition to keeping track of and protecting regular users, there are some primary security issues which also confront the network manager. Among these issues are employees who disregard or bypass security protection controls, the disgruntled employee who plants his own internal bypass in the system for later use, and the crackers that continually try to break into the network from outside.

The legitimate employee who bypasses the security protection techniques on his workstation because "it's too much trouble", or so he can work at home or on the road via a modem, is a serious concern. Downloading software from a public network is one of the easiest ways to introduce a virus or other malicious code into your network.

The loss of sensitive or classified data is a major concern when security techniques are bypassed. Public phone systems are not secure, especially for portable computers that use cellular modems. Even Data Encryption Standard (DES) encryption has limitations: its 56-bit key has been brute-forced with purpose-built hardware since 1998, and DES has since been retired in favor of AES. DES is best applied in a hardware encryption device. For protecting networks, software encryption keyed from a user's password is only as strong as that password and the file that stores it.

External Network Protection

External network protection usually consists of filters or firewalls. A firewall is made up of various physical components, software controls, and system architectures that together provide security for a network. In essence, it could be considered a filter used to control access when connecting an individual's network or machine to the Internet.

Problems With Firewalls

A firewall can consist of a router, a personal computer, a host, or a collection of hosts. Firewalls represent a restriction on information flow and, as such, are not always treated favorably. The following problems restrict their application and use.

1. Firewalls block some services to the outside world, such as TELNET, FTP, X Windows, and NFS, that users inside the network want. In some cases these services are needed by the network, and blocking them would require major network restructuring.

2. Firewalls do not protect against back-door attacks. A dial-in modem on an internal host that brings up a Serial Line IP (SLIP) or Point-to-Point Protocol (PPP) connection creates a path into the network that never passes through the firewall.

3. Attacks from inside the network (insider attacks) are not restricted by a network firewall.

4. Information servers and clients such as those for the World Wide Web, gopher, WAIS, etc. expose hosts behind the firewall to data-driven attacks, in which the data processed by a client contains instructions that the client executes.

5. Encapsulated (tunneled) packets, such as those used for multicast IP transmissions, are forwarded through the firewall without examination of their contents. Such packets can carry viruses or commands that alter the security mechanisms in place.

Where is Protection Applied

Although there are sometimes problems, packet filtering is normally employed using a packet filter router. IP packets can be filtered based on source IP address, destination IP address, TCP/UDP source port, and TCP/UDP destination port. Adding TCP or UDP port filtering to IP address filtering adds flexibility to the firewall design. Protocols to filter include tftp (69/udp), X Windows (6000-6063/tcp), RPC (the portmapper on 111/tcp and 111/udp), rlogin (513/tcp), rsh (514/tcp), and rexec (512/tcp). Filtering on destination port alone is not enough: a packet arriving on the outside interface with a source address belonging to the inside network is spoofed and should be dropped, and source-routed packets should be dropped as well.

Software applications are also available which forward and filter connections for services such as TELNET and FTP. These are referred to as proxy services, and when combined with packet filter routers provide higher levels of security and flexibility.
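The rule-matching logic described above, as an added example that is not part of the handbook. It models a first-match packet filter with a default deny for traffic arriving from outside: the inside network (10.1.0.0/16), the proxy host (10.1.0.5), the mail host (10.1.0.6) and the sample packets are all constructed for the example. It deliberately does not model TCP flags, fragments or interfaces, which a real filter router must also handle.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed addresses for the example (not from the handbook).
INSIDE = "10.1.0.0/16"     # assumed internal network
PROXY = "10.1.0.5"         # assumed TELNET/FTP proxy host
MAILHOST = "10.1.0.6"      # assumed SMTP host


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str      # "tcp" or "udp"
    sport: int
    dport: int


@dataclass(frozen=True)
class Rule:
    action: str                     # "permit" or "deny"
    src: str = "0.0.0.0/0"          # source network; /0 matches anything
    dst: str = "0.0.0.0/0"          # destination network
    proto: Optional[str] = None     # None matches both tcp and udp
    dport: Optional[tuple] = None   # (low, high) inclusive; None matches any port

    def matches(self, pkt):
        if ipaddress.ip_address(pkt.src) not in ipaddress.ip_network(self.src):
            return False
        if ipaddress.ip_address(pkt.dst) not in ipaddress.ip_network(self.dst):
            return False
        if self.proto is not None and self.proto != pkt.proto:
            return False
        if self.dport is not None and not (self.dport[0] <= pkt.dport <= self.dport[1]):
            return False
        return True


# First-match rule list for packets entering from the outside. The services the
# handbook names are denied explicitly; everything not permitted falls through
# to the default deny in decide().
INBOUND_RULES = [
    Rule("deny", src=INSIDE),                          # inside address on the outside interface: spoofed
    Rule("deny", proto="udp", dport=(69, 69)),         # tftp
    Rule("deny", proto="tcp", dport=(6000, 6063)),     # X Windows displays :0 to :63
    Rule("deny", dport=(111, 111)),                    # RPC portmapper, tcp and udp
    Rule("deny", proto="tcp", dport=(512, 514)),       # rexec, rlogin, rsh
    Rule("permit", dst=PROXY, proto="tcp", dport=(23, 23)),      # TELNET only to the proxy
    Rule("permit", dst=PROXY, proto="tcp", dport=(21, 21)),      # FTP control only to the proxy
    Rule("permit", dst=MAILHOST, proto="tcp", dport=(25, 25)),   # SMTP only to the mail host
]


def decide(pkt, rules=INBOUND_RULES, default="deny"):
    """Return the action of the first matching rule, or the default (deny)."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action
    return default


if __name__ == "__main__":
    samples = [  # constructed packets from an outside host 192.0.2.7
        Packet("192.0.2.7", PROXY, "tcp", 40001, 23),      # telnet to proxy: permit
        Packet("192.0.2.7", "10.1.4.9", "tcp", 40002, 23),  # telnet to a workstation: default deny
        Packet("192.0.2.7", "10.1.4.9", "udp", 40003, 69),  # tftp: deny
        Packet("192.0.2.7", "10.1.4.9", "tcp", 40004, 6000),  # X11: deny
        Packet("10.1.4.9", PROXY, "tcp", 40005, 25),       # spoofed inside source: deny
    ]
    for p in samples:
        print(f"{p.proto} {p.src} -> {p.dst}:{p.dport}  {decide(p)}")
```

The order of the rules matters: the anti-spoofing deny sits first so that a spoofed packet aimed at the proxy's TELNET port is dropped before the permit rule is consulted.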

Firewall Attacks/Testing

Firewall testing verifies the firewall's ability to stop network-based attacks. Tests concentrate on three primary areas: every port, the proxy services, and every service the firewall itself provides, to ensure that only safe services are exposed. The tests include:

- Source routing attacks against the firewall, to verify that source routing and its associated problems are not vulnerabilities.

- Attacks against every TCP/UDP port on the firewall, to verify that the ports the firewall is supposed to close are in fact closed.

- Attacks on the proxy services to try to gain access. Proxy services should allow only limited use, and this test verifies that they cannot be compromised. It is especially useful when combined with the source routing tests.

- Tests of all sendmail daemons, and checks of whether mail attacks would be effective on systems beyond the firewall (after mail has been forwarded or allowed to pass).

- Active attacks with various routing protocols in an attempt to destroy the current routing tables, modify the routing tables for use in further attacks, etc.

- Bombardment of the firewall with various denial of service attacks in an attempt to shut down communications and/or crash the firewall, including ICMP broadcast storms brought about by IP forwarding from a remote network.

Internal Network Protection Techniques

There are four major security techniques available for network protection: identification, authentication, authorization, and auditing. XXX networks employ each of these protection techniques.

The system manager is the primary individual responsible for giving users rights to programs and information contained on their network. Managers that directly control their networks are called ADP System Managers, and have superuser status in their networks. These individuals must assign user access rights, ensure users are properly designated, cleared and briefed, ensure all their equipment is accredited, ensure the clearing of equipment prior to its surplussing, and must also keep up to date on all security advisories affecting their networks. This person also serves as the direct liaison for coordinating with XXX IS Security Office staff.

Network Procedural Issues

Security models have been developed for each of the network types at XXX. The network specific models are intended to provide system managers with the basic controls needed to initially secure and then continue to secure their networks. These models are supplied to managers as necessary by the IS Security Office. Along with these recommended controls, the following information is provided.

Sub-networks

If a user has accounts on more than one sub-network, different passwords should be used on each sub-network. If one computer on a sub-network is compromised, other computers are still protected.

Home Directory Permissions

In UNIX, a user's home directory should not be world writable. A world-writable directory allows anyone to replace one of the user's files with a file of their own. For instance, an unauthorized user might replace a user's login startup file (.profile or .login) with one that does undesired things. To set the directory permission use:xxxxxxxxxxxxxxxxxxxx

X-windows

When running X Windows, grant access to the display only to clients from specified machines. Use xhost +hostname (naming each machine) instead of xhost +, which lets every host on the network connect. This makes it harder for others to run clients on your display without your permission.

Leaving the Console Unattended

If a user has to leave the terminal, he/she should either use a screen locker program to prevent others from using the account, or logout.

Unattended Telnet Sessions

Don't leave telnet sessions unattended for long periods of time, such as overnight. Telnet carries the login and everything typed afterwards in the clear, so it is possible to read or hijack a telnet session and assume the identity of the user who originated it.

Many screen lockers, such as xlock, don't prevent others from accessing your machine over the network; they only lock the keyboard and display. Log out instead of using a screen locker overnight and over weekends.

Check Last Time You Logged In

The computer should be configured to print the time and location of the user's last login each time the user is granted access. Users should verify that the last session recorded was really theirs. They should also get in the habit of looking at the login history for irregularities such as logins at odd hours or from unfamiliar hosts. In UNIX this can be done with the command last.
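The habit described above, turned into a check, as an added example that is not part of the handbook. It parses constructed sample output in the layout the last command prints (util-linux style, without a year) and flags sessions from outside an assumed trusted network (10.1.0.0/16, matched by IP address only), outside assumed working hours (07:00 to 19:00), or under another account. On a real system the text would come from running last rather than from the string below.

```python
import re
from datetime import time

# Constructed sample of `last` output, including the blank line and the
# "wtmp begins" footer the real command prints. Not from any real system.
SAMPLE_LAST = """\
jdoe     pts/1        10.1.4.22        Mon Mar  3 09:02 - 17:40  (08:38)
jdoe     pts/0        198.51.100.7     Mon Mar  3 02:14 - 02:31  (00:17)
jdoe     tty1                          Fri Feb 28 08:55 - 16:58  (08:03)
jdoe     pts/3        10.1.4.22        Thu Feb 27 11:30   still logged in

wtmp begins Sat Feb  1 00:00:00 2025
"""

# Assumed site policy for the example: logins come from the inside network
# (10.1.0.0/16) or the local console, between 07:00 and 19:00.
TRUSTED_ORIGIN = re.compile(r"^10\.1\.\d{1,3}\.\d{1,3}$")
WORK_START, WORK_END = time(7, 0), time(19, 0)
WEEKDAYS = {"Mon", "Tue", "Wed", "Thu", "Fri", "Sat", "Sun"}


def parse_last(text):
    """Yield (user, tty, origin, weekday, month, day, hh:mm) for each session line.

    Console logins have no origin column, so the third field is the weekday;
    the blank line and the wtmp footer are skipped."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 6 or parts[0] == "wtmp":
            continue
        user, tty = parts[0], parts[1]
        if parts[2] in WEEKDAYS:
            origin, rest = "", parts[2:]
        else:
            origin, rest = parts[2], parts[3:]
        weekday, month, day, clock = rest[0], rest[1], int(rest[2]), rest[3]
        yield user, tty, origin, weekday, month, day, clock


def review_last(text, expected_user):
    """Return human-readable findings for sessions that look irregular."""
    findings = []
    for user, tty, origin, weekday, month, day, clock in parse_last(text):
        hh, mm = (int(x) for x in clock.split(":"))
        when = time(hh, mm)
        label = f"{user} on {tty} from {origin or 'console'} {weekday} {month} {day} {clock}"
        if user != expected_user:
            findings.append("other account in your history: " + label)
        if origin and not TRUSTED_ORIGIN.match(origin):
            findings.append("login from outside the trusted network: " + label)
        if not (WORK_START <= when <= WORK_END):
            findings.append("login outside working hours: " + label)
    return findings


if __name__ == "__main__":
    for finding in review_last(SAMPLE_LAST, "jdoe"):
        print(finding)
```

The 02:14 session from 198.51.100.7 is reported twice, once for the origin and once for the hour; either alone is reason to contact the system administrator as described under Finding an Unauthorized Access.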

Strange Files

Keep an eye out for files in directories that don't belong. With UNIX, intruders like to hide files by giving them names that start with a period (.), because such files are not listed by the standard ls command; ls -a shows them. Get in the habit of checking for these types of files.
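The two checks above (a world-writable home directory, and dot-files that a plain ls would hide) as one added example that is not part of the handbook. It builds a throwaway directory with both faults, reports them, and repairs the directory mode; the planted .profile and the directory named "..." are constructed faults, and the repair keeps the owner's bits while clearing group and other write access.

```python
import os
import shutil
import stat
import tempfile
from pathlib import Path


def world_writable(path):
    """True if the 'other' write bit is set on path."""
    return bool(os.stat(path).st_mode & stat.S_IWOTH)


def fix_home_mode(home):
    """Clear the group and other write bits on the home directory; return the new mode."""
    mode = stat.S_IMODE(os.stat(home).st_mode)
    os.chmod(home, mode & ~(stat.S_IWGRP | stat.S_IWOTH))
    return stat.S_IMODE(os.stat(home).st_mode)


def hidden_entries(home):
    """Return (all dot-names, risky dot-names).

    A plain ls hides the first list. The second holds entries that are world
    writable, or regular files with an execute bit: where an altered startup
    file or a planted script would sit."""
    names = sorted(p.name for p in Path(home).iterdir() if p.name.startswith("."))
    risky = []
    for name in names:
        mode = os.lstat(Path(home) / name).st_mode
        if mode & stat.S_IWOTH or (stat.S_ISREG(mode) and mode & stat.S_IXUSR):
            risky.append(name)
    return names, risky


def demo_home():
    """Construct a misconfigured home, check it, repair it, and return what was found."""
    home = tempfile.mkdtemp(prefix="home-")
    try:
        os.chmod(home, 0o777)                          # constructed fault: world writable
        profile = Path(home) / ".profile"
        profile.write_text("export PATH=/tmp:$PATH\n")  # constructed planted startup file
        os.chmod(profile, 0o666)                        # and it is world writable too
        (Path(home) / "...").mkdir(mode=0o700)          # constructed hideout: easy to overlook in ls -a
        (Path(home) / "report.txt").write_text("ordinary file\n")
        was_open = world_writable(home)
        new_mode = fix_home_mode(home)
        names, risky = hidden_entries(home)
        return was_open, new_mode, names, risky
    finally:
        shutil.rmtree(home)


if __name__ == "__main__":
    was_open, new_mode, names, risky = demo_home()
    print("home was world writable:", was_open, "-> now mode", oct(new_mode))
    print("hidden entries:", names, "risky:", risky)
```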

Finding an Unauthorized Access

If a user discovers an unauthorized access, or suspects one has happened, he/she should contact the system administrator immediately! Contact the system administrator either with a personal visit, or a phone call. Sending email to the system administrator runs the risk of alerting the unauthorized user that he/she has been found when the unauthorized user intercepts the mail message.

If unauthorized access is discovered, the following platform specification documents should be supplied by the user to the IS Security Office:

1. Specific security models
2. Specific testing procedures
3. Specific investigation procedures

Backup Data

Each user should back up files regularly. A user may wish to back up data every day, or at the very least every week. Backups should be made either to tape or to the lab-wide archives. Many users choose to keep the backup tape in a separate physical location from the computer: if a fire, flood, or other catastrophe happens to the computer, the tape doesn't fall prey to the same catastrophe. The system administrator should back up system and user files regularly, but if a problem does happen, it is the user who loses all his/her hard work, so backing up is always a good idea.

Access Control & Password Management

Access control is simply controlling access to a machine to prevent unauthorized use. Both physical access and network access are important. The less exposed a machine is to physical or network access from a large group of people, the less chance it has of having its security breached.

System administrators, and end users for that matter, must look to their current auditing procedure for ensuring access protection when logging into their systems. Logging machine activity can be anything from a hand-written sign-in log at the workstation to a software package that records the identity of each user accessing the machine during a period of time.

Password management is essential wherever security must be ensured. Passwords are often overlooked as security loopholes, yet a weak password is the easiest way for an outsider to break into a machine.

PASSWORD GUIDELINES

Limit repeated guesses (lock the account after a few failed attempts)
Log unsuccessful attempts
Review logs regularly
Never write down sensitive combinations
Choose hard to guess passwords
Change frequently
Don't share or disclose

Passwords should be complex enough to be difficult to guess. On the other hand, passwords must also be easy for the authorized user to remember. A user must NEVER use a password such as: their name spelled backwards; any personal information such as a pet's name or license plate number; a keyboard sequence that is easy to type (such as qwerty); or any word in any language. The average cracker has dictionaries from many languages, including slang, built into their password cracking programs.

A good password should consist of at least seven characters, of which at least three should be "special" characters. Special characters are digits, capital letters, and the symbols located above the numbers on the keyboard (#, &, ^, @, etc.). This password configuration need not be difficult to remember. A user can simply choose a word and substitute special characters for individual letters in the word. An example of this might be the word 'daylight' spelled d@YL1gHt*, with an asterisk thrown in at the end for good measure.

Using this method, a cracker working from plain word lists will have a harder time with your password and may move on to somebody else's machine. Bear in mind, however, that cracking programs also apply substitution rules (@ for a, 1 for i, and so on) to every word in their lists, so a single dictionary word with characters substituted is only modestly stronger than the word itself. Longer passwords built from several unrelated words, with the same kinds of substitutions, resist this far better. If you're worried that a cracker will decipher the first few letters of your password and then figure out the rest in short order, you needn't be.

Password cracking programs only recover the entire password: because the system stores passwords as one-way hashes, a guess is either entirely right or gives no information at all, so a password cannot be broken one letter at a time. Remember that there is no such thing as an unbreakable password. Eventually a password can be broken by a program, although with a carefully chosen password this costs the cracker more resources than they have at their disposal and could conceivably take many years.

Passwords should also be easy enough for the end user to type quickly, to prevent wandering eyes from deciphering what they are. Users should never type their password with someone else in line of sight of the keyboard.

Passwords should be regulated and changed periodically; a good rule is to change after six months of use. Passwords should be protected with great care. A user should never write his or her password down anywhere, nor give it to anyone else. If you are fearful that you will forget it, then a solution might be to write it down and secure it in a safe accessible only to those who have accounts of the same nature as yours.
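The guidelines above as a checker, added here as an example that is not part of the handbook. It applies the minimum length, the count of special characters, the keyboard-sequence rule, the rule against personal information (forwards or reversed), and a dictionary check. The dictionary and the substitution table are small constructed stand-ins for a cracker's word lists and rules. Because the dictionary check first undoes common substitutions, the word-with-substitutions pattern is caught: d@YL1gHt* reduces to daylight, which is exactly what a rule-based cracker tries.

```python
import string

# Constructed stand-in for the multi-language word lists a cracker carries;
# a real check would load a full list such as /usr/share/dict/words.
DICTIONARY = {"daylight", "password", "secret", "summer", "navy", "admiral"}
KEYBOARD_RUNS = ("qwerty", "asdfgh", "zxcvbn", "12345", "qazwsx")

# Substitutions a cracker's rule set undoes; real rule sets have many more.
UNLEET = str.maketrans({"@": "a", "4": "a", "3": "e", "1": "i", "!": "i",
                        "0": "o", "$": "s", "5": "s", "7": "t", "+": "t"})


def special_count(pw):
    """Digits, capital letters and punctuation all count as 'special' here."""
    return sum(1 for c in pw if c.isdigit() or c.isupper() or c in string.punctuation)


def base_word(pw):
    """Lower-case, undo substitutions, strip leading/trailing digits and
    punctuation: the core a rule-based cracker would look up as a word."""
    core = pw.lower().translate(UNLEET)
    return core.strip(string.punctuation + string.digits)


def check_password(pw, personal=()):
    """Return the list of reasons the password is rejected; empty means accepted.

    personal: constructed items such as the user's name or license plate."""
    reasons = []
    if len(pw) < 7:
        reasons.append("shorter than 7 characters")
    if special_count(pw) < 3:
        reasons.append("fewer than 3 special characters")
    low = pw.lower()
    if any(run in low for run in KEYBOARD_RUNS):
        reasons.append("keyboard sequence")
    for item in personal:
        item = item.lower()
        if item and (item in low or item[::-1] in low):
            reasons.append("contains personal information or its reverse")
            break
    core = base_word(pw)
    if core in DICTIONARY or core[::-1] in DICTIONARY:
        reasons.append("dictionary word after undoing substitutions")
    return reasons


if __name__ == "__main__":
    for candidate in ("qwerty", "daylight", "d@YL1gHt*", "Correct-Horse7Battery!"):
        print(f"{candidate!r}: {check_password(candidate) or 'accepted'}")
```

The last candidate passes every rule: it is long, carries six special characters, and no single dictionary word survives once the substitutions are undone and the ends are stripped.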

Modes of Operation

Mode of operation relates to the way the system is configured and operates when processing classified information. For single-user stand-alone systems, it is easy to implement a dedicated mode of operation when processing classified material, since the user physically controls his actions. However, in the network environment, various "flavors" of operation can exist. Some systems are controlled internally, while others must be physically controlled to operate in the desired manner. The various classified modes are described below.

Multi-level: An IS that uses an operating system and associated system software to provide separation of personnel and material on the basis of security clearance and need-to-know.

Compartmented: An IS that provides separation of materials by establishing separate physical devices and areas of memory for the exclusive use of the assigned user.

Controlled: An IS that does not provide separation of users within the system. Separation and control is maintained by means of procedural or physical safeguards.

Dedicated: An IS, that at any given time, is used exclusively for a particular category of data, and all users have clearance and need-to-know for all of the data in the system. (note: unclassified is not permitted on this system when classified work is in process)

System High: An IS operated in accordance with the requirements for the highest category and type of material then contained in the system. All personnel having IS access shall have a security clearance, but not necessarily a need-to-know for all material contained in the system. In this mode, the design and operation of the IS must provide the control of concurrent available classified material in the system on the basis of need-to-know. (note: unclassified is permitted in this mode when classified work is in process)

Limited Access: An IS processing UNCLASSIFIED data that requires implementation of special controls to restrict access to individuals who, by their job function, have a need-to-know. Types of data processed in the limited access mode include FOUO, proprietary, and Privacy Act data.

ADP/Network Audits

A Trusted Computer System is a system that employs formal hardware and software integrity measures sufficient to allow its use for processing sensitive or classified information. These systems are given a designation based on how many measures are employed. While some large lab systems meet full high level trusting capabilities, most personal computers at XXX are designated class C2 functionality. This designation means the ADP must employ discretionary access control, memory clearing before reuse, individual accountability, and audit trails before approval to process classified data. These controls do not need to be automated into the operating system.

Obviously, users performing classified processing on a stand alone system in a dedicated mode can easily incorporate physical safeguards such as removable drives, user approval, audit trail log books, or other controls based on their needs. Networked systems, however, have a number of audit controls, some of which are automatically incorporated into their network software.

Fully trusted systems that process classified information at XXX require formal audit procedures. These procedures are normally built into trusted systems prior to their certification. According to the National Computer Security Center's Trusted Computer System Evaluation Criteria (TCSEC) the audit mechanism should be capable of monitoring every time a system is accessed, who accessed it, and which file was accessed. Auditing on trusted systems primarily concerns audit trails and controls for computer access.

The TCSEC gives the following as the Accountability Control Objective:

"Systems that are used to process or handle classified or other sensitive information must assure individual accountability whenever either a mandatory or discretionary security policy is invoked. Furthermore, to assure accountability the capability must exist for an authorized and competent agent to access and evaluate accountability information by a secure means, within a reasonable amount of time and without undue difficulty."

Formal Audit Requirements for Trusted Systems

The minimum trust requirement for all DoD computer systems at NRL is level C2 functionality. C2 is considered the benchmark for audit trails. The following sections, derived from NCSC-TG-001 (the NCSC guide to audit in trusted systems), describe the audit requirements for class C2.

6.1.1 Auditable Events: The following events shall be subject to audit at the C2 class:

1. Use of identification and authentication mechanisms
2. Introduction of objects into a user's address space
3. Deletion of objects from a user's address space
4. Actions taken by computer operators and system administrators and/or system security administrators
5. All security-relevant events (as defined in Section 5 of this guideline)
6. Production of printed output

6.1.2 Auditable Information

The following information shall be recorded on the audit trail at the C2 class:

1. Date and time of the event
2. The unique identifier on whose behalf the subject generating the event was operating
3. Type of event
4. Success or failure of the event
5. Origin of the request (e.g., terminal ID) for identification/authentication events
6. Name of object introduced, accessed, or deleted from a user's address space
7. Description of modifications made by the system administrator to the user/system security databases

Audit Trails

The audit trail provides for detection of the actions to be recorded, the actual recording, and auditing support. It provides information for auditors to verify the validity of system controls and the results of processing. The audit trail must be complete, or at least must select what to record in a way that cannot be predicted and that covers all actions that may later have to be audited.

The audit trail has four important security goals:

1. It must allow the review of patterns of access to individual objects, access histories of specific processes and individuals, and the system use of various protection mechanisms.

2. It must allow discovery of repeated attempts to bypass the protection mechanisms.

3. It must allow discovery of any use of privileges that may occur when a user assumes a functionality with privileges greater than his or her own.

4. It must act as a deterrent against habitual attempts to bypass protection mechanisms.

The audit trail is a significant deterrent to fraud. It allows post-process auditing to reconstruct a sequence of actions: who initiated them, the time, and the results. The audit mechanism must also be capable of being selectively and dynamically started and stopped.

Audit trails must also record information about significant security events occurring in the following areas:

1. Interactivity between users of the system and system support personnel.

2. Activity within the IS environment, such as changes to operational security.

3. Internal computer activity.

4. Unsuccessful log on attempts.

For networked (non-standalone) ISs operating in a dedicated mode, only the identity and time of access by each person on the system need to be recorded by the user. This is because the system administrator has network software which records the important user information. However, other information such as maintenance and repair records, initiation of pertinent security-related events, and a description of the hardcopy output must still be kept individually.
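The C2 record layout and the audit goals above, as one added example that is not part of the handbook: each record carries the seven auditable-information fields, and a review pass reports repeated failed identification attempts (goal 2), use of greater privilege (goal 3), administrator changes to the security databases, and printed output. The records and the three-failure threshold are constructed for the example.

```python
from collections import Counter, defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class AuditRecord:
    when: str          # 1. date and time of the event
    uid: str           # 2. unique identifier the subject was acting for
    event: str         # 3. type of event
    success: bool      # 4. success or failure
    origin: str        # 5. origin of the request (terminal ID)
    obj: str = ""      # 6. object introduced, accessed or deleted
    change: str = ""   # 7. description of admin changes to user/security databases


# Constructed audit trail: three failed logins, then success, then su to root.
RECORDS = [
    AuditRecord("2025-03-03T08:01:10", "jdoe", "login", True, "tty1"),
    AuditRecord("2025-03-03T22:14:03", "jdoe", "login", False, "pts/4"),
    AuditRecord("2025-03-03T22:14:09", "jdoe", "login", False, "pts/4"),
    AuditRecord("2025-03-03T22:14:15", "jdoe", "login", False, "pts/4"),
    AuditRecord("2025-03-03T22:14:22", "jdoe", "login", True, "pts/4"),
    AuditRecord("2025-03-03T22:15:00", "jdoe", "su", True, "pts/4", obj="root"),
    AuditRecord("2025-03-03T22:16:30", "root", "admin_change", True, "pts/4",
                change="added uid 'svc1' to group wheel"),
    AuditRecord("2025-03-03T22:20:00", "jdoe", "print", True, "pts/4",
                obj="/home/jdoe/report.txt"),
]

FAIL_THRESHOLD = 3   # assumed policy: this many failures from one origin is reportable


def review(records, threshold=FAIL_THRESHOLD):
    """Return findings grouped by the audit goal they serve."""
    findings = defaultdict(list)
    failures = Counter()          # (uid, origin) -> failed login count
    succeeded_after = set()       # keys whose failures were followed by a success
    for r in records:
        key = (r.uid, r.origin)
        if r.event == "login":
            if not r.success:
                failures[key] += 1
            elif failures[key] >= threshold:
                succeeded_after.add(key)
        elif r.event == "su" and r.success:
            findings["privilege use"].append(f"{r.when} {r.uid} became {r.obj} from {r.origin}")
        elif r.event == "admin_change":
            findings["security database change"].append(f"{r.when} {r.uid}: {r.change}")
        elif r.event == "print":
            findings["printed output"].append(f"{r.when} {r.uid} printed {r.obj}")
    for (uid, origin), n in failures.items():
        if n >= threshold:
            msg = f"{uid} from {origin}: {n} failed logins"
            if (uid, origin) in succeeded_after:
                msg += ", followed by a successful login"
            findings["repeated bypass attempts"].append(msg)
    return dict(findings)


if __name__ == "__main__":
    for goal, items in review(RECORDS).items():
        print(goal)
        for item in items:
            print("   ", item)
```

Read together, the findings reconstruct the sequence the Audit Trails section asks for: who (jdoe, then root), when (late evening from pts/4), and the results (a group membership change and a printout), which is what a reviewer needs to decide whether the session was legitimate.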

Incidence/Emergency Response Activities

Incidents involving self-replicating computer viruses in computer systems and networks, and crackers/hackers gaining access to systems via the networks, have underscored the need for improved XXX-wide coordination and support. The IS Security Group works closely with other federal agencies to coordinate identification and response efforts when acute computer and telecommunications security incidents are detected.

The IS Security Group has developed a plan of action to be followed when various IS security-related incidents occur. Incident response planning (break-ins and asset loss), virus control, remanence control, software piracy, and software write-protection control are all part of this control effort.

Operational Incidents

Major natural disasters including earthquakes, tornadoes, floods, fires, etc. can create any of a number of IS operational incidents. Incidents can also result from intentional actions such as bombs, terrorist and virus attacks, and from equipment failures such as power or cable problems. With such a varied range of major and minor incidents to address, some recovery strategies can be applied to all incident types, while other strategies must be incident specific.

Determination of a Major Incident

When a major incident occurs, the Disaster Response Plan details procedures for plan initiation and recovery. The IS Security Group is responsible for identifying the location and capability of equivalent processing resources when an incident causes the loss of computing resources.

Recovering Essential Processing Resources (if applicable)

To recover from an event which could affect multiple IS computing resources at XXX, the principal requirement will be to restore equivalent processing capability in the shortest possible time after the incident. The second requirement will be to recover with the least economic burden. This recovery capability could take the form of either stand-alone processing or network resources and operations. Most incidents will not be large enough to require full implementation of the response plan.

Database of Redundant Systems

Recovery of applications and peripheral devices is the responsibility of the ADP System Administrator. The IS Security Office carries information concerning the processors, points of contact, and each system's accreditation status. The IS Security Office can also develop a list of candidates at the site that could potentially be used for backup support.

In the event of denial of service for a specific system, the IS Security Office can determine the existence of another similar system.

Network Penetration Control

General recovery from LAN server hardware/software failures, communications node failures, the loss of mission-critical LAN servers, or a major LAN cable cut is the responsibility of the XXX networking group. The XXX IS Security Group will respond to two types of incidents: (1) a network security breach and (2) notification through various sources that a network vulnerability has been identified.

Determination of Break-in Incident

Incidents are reported either by the system administrator, by the user, or by one of various monitoring agencies. If the user has followed the computer security model provisions supplied by the IS Security Group for his/her system, the networked computer should be configured to print the time and location of the user's last login each time the user is granted access. Users should verify that the last session recorded was really theirs. They should also get in the habit of looking at the login history for irregularities. In UNIX this can be done with the command last.

When files that don't belong are found in directories, an incident should be assumed. With UNIX, intruders like to hide files by giving them names that start with a period (.), because such files are not listed by the standard ls command. Get in the habit of checking for these types of files.

Other indicators include a network interface placed in promiscuous mode and unusual network connections. These can point to the presence of Ethernet sniffers, a trojaned netstat that hides the intruder's connections, etc.

Formal Notification of Break-in to DDN

Any user (person/department/agency) having knowledge of a suspected network security violation must contact the appropriate operations center/area communications operations center, etc. to report the violation. If possible, reporting should be via secure means.

Recovering Essential Network Resources

The initial action following discovery of a network incident is containment. The system should be isolated immediately by the user, either by shutting down the network interface or by disconnecting the cable. Following this action, the user or the system administrator checks other systems for signs of similar intrusion and determines the further action to be taken.

To eradicate the problem and recover the resource, the system administrator removes the exploited vulnerability by installing the patches identified by CERT and running a vulnerability test program. Damaged files are reinstalled from a trusted source (original distribution media or a backup known to predate the intrusion), and the compromised host name and IP address are retired.

Follow-up should include an assessment of the factors that allowed the intrusion to occur, updating the security policy that addresses this kind of incident, and additional education for users and administrators.

What Are Viruses?

A virus is a self-replicating program that "infects" other programs by modifying them to include a copy of itself. Once activated, the program can cause various detrimental effects to normal system operation. The impact can range from the annoying, such as displayed messages, to the damaging: destruction of data and software, or actual operating system damage.

A worm is a virus-like program that spreads through a system by copying itself from one location to another. Worms do not infect other programs as viruses do, but they can compete for computing resources with other programs, as occurred with the notorious DECnet worm.

A Trojan Horse is a program that masquerades as a useful program but does something malicious. This program does not replicate or infect other programs. Its effects on a system are akin to those of viruses.

Why Are Viruses a Problem?

The primary reason viruses are such a problem is the vulnerability of IS resources. Safeguard programs take time to run, and many users are in too much of a hurry to wait. Another reason viruses spread is that users often simply are not aware of the virus's presence until it is too late. This is true for both stand-alone and networked computers. If it can't be seen, it is seldom given much thought.

VULNERABILITIES

Lack of user awareness
Inadequate security controls
Ineffective use of existing security controls
Bugs and loopholes in system software causing network susceptibility
Unauthorized system use

Generally, there are two main classes of viruses. The first class consists of the FILE INFECTORS which attach themselves to ordinary program files. These usually infect executable files. The second category is SYSTEM or BOOT-RECORD INFECTORS: those viruses which infect executable code found in certain system areas on a disk which are not ordinary files.

On DOS based systems, there are ordinary boot-sector viruses, which infect only the DOS boot sector, and MBR viruses which infect the Master Boot Record on fixed disks and the DOS boot sector on diskettes. Examples include Brain, Stoned, Empire, Azusa, and Michelangelo. Such viruses are always resident viruses. Finally, a few viruses are able to infect both (the Tequila virus is one example). These are often called MULTI-PARTITE viruses or BOOT-AND-FILE viruses.

How Many Viruses Are There?

It is not possible to give an exact number of how many viruses there are because new ones are being created literally every day. Furthermore, different anti-virus researchers use different criteria to decide whether two viruses are different or one and the same. Most researchers agree that there are more than 1500 PC viruses. However, very few of the existing viruses are widespread. Only about three dozen of the known IBM PC viruses cause most of the reported infections. These common viruses include the Jerusalem, Stoned, Brain and Eddie viruses.

Does My Computer Have a Virus?

There are various symptoms which indicate a virus is present. Symptoms include messages, music and graphical displays. However, the main indicators are changes in file sizes and contents. Virus detection packages provide some assurance by checking for the code of known viruses, but with the continuing emergence of new viruses, this is not always reliable.

VIRUS INFECTION INDICATORS

Odd system behavior
Decrease in system response
Memory reduction
Change in size or date of files
Application program failures
Alteration of commands
Unusual error messages
System down time increase
System slowdown
Consistent output loss
Unusual noises or tones
Increase in bad sectors
Program failures

Anti-virus programs scan files for the code of known viruses, or detect changes to files (size or contents) by comparing checksums against a stored baseline. Even though neither method is always reliable, it is wise to arm yourself with the latest anti-virus software. There are a number of packages on the market that detect viruses.
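The checksum approach just described, as an added example that is not part of the handbook: build a baseline of executable files' sizes and SHA-256 digests, then report any file whose size or contents changed, which is the "change in size or date of files" indicator listed above. The file names and contents in demo() are constructed for the illustration.

```python
import hashlib
import tempfile
from pathlib import Path

EXECUTABLE_SUFFIXES = (".exe", ".com", ".sys")   # the file types file infectors attach to


def fingerprint(path: Path) -> dict:
    """Record size, modification time and a SHA-256 digest of the file contents."""
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            digest.update(chunk)
    st = path.stat()
    return {"size": st.st_size, "mtime": int(st.st_mtime), "sha256": digest.hexdigest()}


def build_baseline(root: Path) -> dict:
    """Fingerprint every executable-type file under root, keyed by relative path."""
    return {str(p.relative_to(root)): fingerprint(p)
            for p in sorted(root.rglob("*"))
            if p.is_file() and p.suffix.lower() in EXECUTABLE_SUFFIXES}


def compare(baseline: dict, current: dict) -> dict:
    """Classify each path as modified, added or missing. A size change is the
    classic indicator; the digest also catches same-size modifications."""
    report = {"modified": [], "added": [], "missing": []}
    for name, old in baseline.items():
        new = current.get(name)
        if new is None:
            report["missing"].append(name)
        elif new["sha256"] != old["sha256"] or new["size"] != old["size"]:
            report["modified"].append(name)
    report["added"] = sorted(set(current) - set(baseline))
    return report


def demo() -> dict:
    """Constructed scenario (no real virus): baseline two executables, append bytes
    to one to simulate the growth a file infector causes, and add a new file."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "EDIT.COM").write_bytes(b"\xb8\x00\x4c\xcd\x21" * 40)
        (root / "WP.EXE").write_bytes(b"MZ" + bytes(2000))
        baseline = build_baseline(root)
        with open(root / "WP.EXE", "ab") as f:
            f.write(b"X" * 1813)                 # constructed padding, not virus code
        (root / "NEW.EXE").write_bytes(b"MZ" + bytes(100))
        return compare(baseline, build_baseline(root))
```

A baseline kept on the same writable disk can be altered along with the files it describes, so store it on write-protected media.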

How We Protect Systems

PREVENTION

Never boot from an unprotected diskette.
Never use untested software.
Back up files and programs.
Minimize software sharing.
Do not use unapproved software.
Watch for unusual operation indicators.
Use virus detection software.

Virus Reporting (Stand-Alone Systems)

A computer virus infection is a reportable security incident. XXX policy requires that each computer security incident be reported to the XXX IS Security office as soon as possible.

If a virus or a suspected virus is detected by a user at XXX, take the following actions:

1. Notify your IS System Manager and the IS Security Office of the infection and take the necessary actions to minimize the spread of the virus within your activity.

2. Notify all activities that may have received infected diskettes or network files from your activity. Everyone concerned must know about the virus so that it may be stopped and removed.

3. If possible, capture samples of the virus(es) on diskette (no more than 1 diskette per virus). Forward them with the information below for analysis.

4. Use commercial anti-virus software to remove the infection.

5. Provide the following information to IS Security.

a) Name of the virus
b) How the virus was first detected and identified
c) Damage or observations resulting when the virus triggers
d) Damage caused to your systems, if any
e) Source of the virus, if known
f) Other locations, within or outside of your activity, possibly infected as a result of sharing infected media or files
g) Number and types of systems infected (i.e. hard disks and servers)
h) Number of floppy diskettes infected (approximate)
i) Method of clean-up (removal software, format disk, etc.)
j) Number of work hours expended to remove the infection (approximate)
k) Your name, phone and location

The IS Security Office will make an immediate and thorough investigation of all virus infections reported.

Virus Prevention

Scan all disks before they are used. Be cautious of all newly acquired software. Check new software for infection before it is run for the first time. Never boot from an unprotected diskette. Back up files and programs. Watch for unusual operation indicators. Use virus detection software.

Network Virus Protection

Networks at greatest risk of virus-like infections (worms, etc.) are those running UNIX and PC-DOS, loosely administered networks, networks which permit dial-up access, homogeneous networks where most systems employ the same operating systems or hardware, and open networks which allow any organization to be connected. Defense organizations such as NRL need to be concerned not only because of the potential damage a virus might cause, but also because of potential news media attention and organizational oversight.

Network Protection Precautions

System administrators can take a number of steps to minimize the potential for a virus attack.

1. Change passwords frequently
2. Prohibit the introduction of any unapproved software
3. Continuously monitor and investigate performance utilization changes or other unusual activities
4. Continuously update and maintain access controls and integrity measures
5. Maintain updated program and operating system access
6. If possible, restrict write access to particular data objects on an individual basis
7. Train users to report unusual behavior or results immediately
8. Ensure remote diagnostic lines are only connected when needed
9. Set system software defaults in positions which reduce potential security vulnerabilities

Incidence Response Activities (Network Virus/Worm Attack)

Incidents involving self-replicating computer viruses in computer systems and networks have underscored the need for XXX-wide coordination and support.

The IS Security Group will work closely with other federal agencies to coordinate identification and response efforts when acute computer network security incidents of this type are detected. The group will ensure suggested corrective actions are implemented. Upon initial discovery of a previously undetected network-related virus infection, the ADP Security Office will contact higher authority immediately to formulate a combined response.

Data Remanence

Data remanence is nothing more than the information left on a storage device once the file or other information has been deleted or moved to another location. The data of concern here is classified or otherwise protected information subject to dissemination restrictions.

On DOS systems, deleting a file only changes the first character of the file's directory entry; the data itself is not touched. This marks the file's sectors as available for reuse. Moving a file to another location happens in application programs nearly every time the data is saved, because in most programs the old file is deleted only after the new file has been saved.

There is also a problem with unused sector space. If a new file is written to sectors previously used to store other data, the new data overwrites the old only up to the point where the new file ends. Any of the old data extending beyond that point remains on the disk, even though the space is no longer allocated to a file.

The third problem involves computers which temporarily store data to a hard drive as part of an application program operation, or during automatic timed backup. Macintosh computers and some DOS programs exhibit this characteristic as a means of protecting work from accidental program failure.

The Remanence Threat

Threats to the hidden data can come from two sources. The first is a directed attack using special software programs that can view the contents of a disk sector by sector. One of the most common commercial programs available is the Norton Utilities. Included in the Norton package are applications that can be used to view, write to, or copy from virtually any sector or position of a storage disk.

The second form of threat requires direct access to the disk for laboratory investigations. When data is stored on a disk, a magnetic field is used to change the electromagnetic characteristics of the material in the disk. Once changed, the application of an opposite polarity field is used to again change these characteristics. Coercivity, measured in oersteds, is the property of magnetic material used as a measure of the amount of applied magnetic field (of opposite polarity) required to reduce magnetic induction to zero from its previous state.

In some cases, especially if data was left stored at a specific location on the disk for some length of time, simply re-writing new data over the old location does not fully change the electromagnetic characteristics (ones and zeros or charge and reverse charge) of the disk material. When investigated with sensitive equipment, the slight but consistent differences in charge strength makes reading the old data fairly simple. This is the primary reason for life cycle safeguards to fully destroy old disks.

Procedures to Control Remanence During Surplussing/Declassification of ADP Assets

Systems that have processed but not stored classified information can be declassified through being subjected to a thorough disk wiping procedure. By utilizing a Government approved program similar to Norton Disk Wipe, the user can totally wipe the hard disk clean of all information previously stored.

For floppies that have actually stored classified information, the same process is acceptable if the disk is to be reused. However, the cleared disk must be protected, and can only be reused to store information at the same level of classification as it previously held. For downgrading hard disks, two procedures are allowed: after wiping, the user must physically inspect the disk using Norton and then certify that no data is present; alternatively, the IS's nonvolatile memory must be degaussed before it can be surplussed. Make sure the disk has first been at least reformatted before degaussing.
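The behaviour described under Data Remanence (a delete that only drops the directory entry, and old data surviving beyond the end of a shorter file written over the same sectors) together with the wipe-then-inspect procedure above, as an added example that is not part of the handbook: a toy sector-based disk model in Python. The ToyDisk class, the file names and the file contents are all constructed for the illustration.

```python
SECTOR = 512

class ToyDisk:
    """Constructed model: sector array plus directory {name: (first_sector, length)}."""
    def __init__(self, sectors: int):
        self.data = bytearray(SECTOR * sectors)
        self.directory = {}

    def sectors_of(self, first: int, length: int) -> range:
        return range(first, first + (length + SECTOR - 1) // SECTOR)

    def write(self, name: str, first: int, content: bytes) -> None:
        """Only len(content) bytes change; the rest of those sectors is untouched."""
        start = first * SECTOR
        self.data[start:start + len(content)] = content
        self.directory[name] = (first, len(content))

    def delete(self, name: str) -> None:
        """DOS-style delete: drop the directory entry, leave the sectors as they are."""
        del self.directory[name]

    def remnants(self, marker: bytes) -> int:
        """Sector-by-sector inspection: count occurrences of marker across the disk."""
        return self.data.count(marker)

    def wipe_unallocated(self, fill: bytes = b"\x00") -> None:
        """Overwrite every sector not owned by a live file, plus the slack between
        each live file's last byte and the end of its final sector."""
        live = set()
        for first, length in self.directory.values():
            live.update(self.sectors_of(first, length))
        for s in range(len(self.data) // SECTOR):
            if s not in live:
                self.data[s * SECTOR:(s + 1) * SECTOR] = fill * SECTOR
        for first, length in self.directory.values():
            end = first * SECTOR + length
            slack_end = self.sectors_of(first, length).stop * SECTOR
            self.data[end:slack_end] = fill * (slack_end - end)

def demo() -> tuple:
    """Constructed scenario: a 1200-byte file (3 sectors) is deleted and a 200-byte
    file is saved over its first sector; returns remnant counts after each step."""
    disk = ToyDisk(8)
    disk.write("SECRET.TXT", 2, b"SECRET-LINE\n" * 100)
    disk.delete("SECRET.TXT")
    after_delete = disk.remnants(b"SECRET-LINE")
    disk.write("MEMO.TXT", 2, b"memo " * 40)
    after_overwrite = disk.remnants(b"SECRET-LINE")
    disk.wipe_unallocated()
    return after_delete, after_overwrite, disk.remnants(b"SECRET-LINE")
```

The delete leaves all 100 records intact, the overwrite removes only the first 17, and only the wipe of free space and slack brings the inspection count to zero.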

In Event of a Clearing Failure

In the event classified information is discovered on a reissued hard drive, notify the XXX Security Office immediately. In the event sensitive but unclassified information is discovered, notify the XXX IS Security Office. Upon notification, the security office will assign an investigation to determine the source and extent of any potential damages.

Destruction of IS resources

Regarding destruction, IS storage media, both classified and unclassified, will be destroyed as soon as it is no longer required. Prior to destroying magnetic media, the media should be degaussed. For the case of hard disk drives, the IS Security Office is to be notified when disks (or systems) that have been approved for classified processing are to be replaced.

Software Piracy

Software piracy is the process of making and using unauthorized copies of copyrighted software. This practice is a serious issue, especially when discussing Federal ISs. Under Title 17 of the US Code, it is strictly forbidden to make or distribute unauthorized copies of copyrighted software. This is a federal offense, and violations are monitored by the Software Publishers Association (SPA). 17 USC 506(a) states that "any person who infringes a copyright willfully and for purposes of commercial advantage or private financial gain shall be punished as provided in Section 2319 of Title 18."

According to the SPA:

"All software is copyrightable. Copyright protection is available regardless of the format in which software exists, the media on which it resides, or the functions it performs. This same US law applies to software in source code form and object code form. Operating systems that control the internal operation of a computer are copyrightable, as is application software such as accounting software and video games. Likewise, whether a given software product involves communication with humans or simply interacts with a machine has no impact on copyrightability."

Determining a Violation

XXX will neither commit nor tolerate the making or use of unauthorized software copies under any circumstances, and will enforce strong controls to prevent its occurrence. As the custodian of your machine, it is your responsibility to ensure that there is a legally licensed copy of any commercial software residing on your system. The only exception would be the situation where a user is allowed to make a backup copy of the software for personal use only in the event that the original software is damaged as the result of a virus or like circumstance.

Illegal Files

All DoD-interest computer systems and related equipment are intended for the communication, transmission, processing, and storage of official US Government authorized information only. Any user of a DoD-interest computer system should be aware that any information placed in the system is subject to monitoring and carries no expectation of privacy. If routine monitoring by the IS Security Group reveals possible evidence of violation of criminal statutes, this evidence and any other related information, including identification information about the user, may be provided to law enforcement officials. If monitoring reveals violations of security regulations or unauthorized use, the employees responsible may be subject to appropriate disciplinary action.

Inappropriate Use of Government Resources (Sexually Explicit Material)

Accessing, manipulating or otherwise using sexually explicit material with Government equipment, from Government leased equipment, or on Government time is inappropriate and will be considered to be a misappropriation of public resources. Further, it is contrary to published XXX policy which demands that the workplace be free of sexual harassment in any form.

Initial Violation Reporting Procedures and Follow-up

Should unlicensed software be detected during routine monitoring, appropriate disciplinary actions may be undertaken against the individuals responsible. Violations detected by the IS Security Group will be reported by letter to the appropriate authority; any actions against the employee are the responsibility of that office.

The storage and transmission of illegal files will be covertly investigated by the IS Security Office. The results of such investigations will be forwarded to the appropriate authority upon completion with follow-up activities the responsibility of that office.

Waste, Fraud, Abuse

The subject of waste, fraud, and abuse is an important and highly visible issue at XXX. Waste, fraud, and abuse occur when any government IS asset is used in a capacity outside the scope of government tasking for that particular system. This could mean storing unauthorized files or programs, such as games and pornography, as well as using Government resources for personal endeavors. Any personnel operating Federal IS resources for personal use or gain will be in direct violation of government standards.

OPSEC

Government OPSEC covers the information protection areas not addressed in traditional security programs. Traditional programs focus primarily on classified information protection. The possible availability of information on XXX computer systems that could potentially help an adversary gain an advantage is a concern we should all recognize.

KEEP IT OFF YOUR SYSTEM UNLESS ABSOLUTELY NECESSARY

Key Individuals at XXX

Summary

In closing, we would like to leave you with a few thoughts. Computer security is everyone's obligation. Security starts with the user. Our office is the authority in all IS security matters, but the responsibility for daily observation of regulations is the user's.