Information Security
USER AWARENESS TRAINING
1999
by Bill Cleveland
INFORMATION SECURITY STAFF
USAID Information Systems Security Officer: Jim Craft <[email protected]> (202) 712-4559
Senior Security Consultants: Mike Fuksa <[email protected]> (202) 712-1096; Ante Penaso <[email protected]> (703) 465-7008
Security Training and Awareness Consultant: Bill Cleveland <[email protected]> (703) 465-7054
BRIEFING OBJECTIVES: AIS SECURITY
- Why is it important?
- What is Automated Information Security / Computer Security?
- Current Issues (Threats / Vulnerabilities / Countermeasures)
- Contingency Planning
- Conclusion
- Open Discussion
Information Security
Why is it important?
COMPUTER SECURITY
Definition - Measures required to protect against unauthorized (accidental or intentional) disclosure, modification or destruction of Automated Information System, networks and computer resources or denial of service to process data.
- We are a computerized society
- Nearly everything we do utilizes computers
- How much data do you maintain that isn’t contained on a computer somewhere?
- All computers are vulnerable
Much of what we compromise is done through unclassified open source publications, conventions, consortiums, patents, etc.
All this tied together provides a pretty complete paint-by-the-numbers picture.
IN THE PAST, FEW COMPUTERS WERE AVAILABLE, AND ONLY SPECIALISTS COULD USE THEM.
TODAY, COMPUTERS ARE COMMON EQUIPMENT, AND (ALMOST) ANYONE CAN USE THEM...
HEADLINE SECURITY STORIES
[Slide of newspaper clippings; the recoverable text of each:]
"Security Breaches Up Dramatically on Milnet" by Florence Gore: Army, Navy, Air Force and Defense Department [clipping truncated]
"Youths charged in computer plot": CHICAGO - Two high school juniors from suburban Palatine have [clipping truncated]
"6,000 Computer Security Breaches Detailed in Agriculture Dept. Report" by Robert Pear, Washington Star Staff Writer: Agriculture Department procedures and data files containing large amounts of sensitive information, including the names of persons who received government checks, were breached to the [clipping truncated]
"Marines Faulted Over Care of Secrets" by Neil Roland, United Press International: Sensitive unclassified and classified material could go undetected, auditors found. Auditors did not say they had found instances of espionage. But the report said Marine Corps personnel sometimes granted civilian contractors access to classified documents even though the civilians needed security clearances. Maj Ron Stokes, a [clipping truncated]
"Peace Activist Found Guilty of Wrecking DoD Computer" by Eric Fredell, Special to GCN: Some computers just ask for a good whacking. In June at Vandenberg Air Force Base in California a peace activist was found destroying a computer. She gave it a right with a [clipping truncated]
Security becomes more and more work, as we all are learning.....
WHAT IS AIS SECURITY / COMPUTER SECURITY?
AIS Security
Provides a reasonable level of protection against destruction or partial destruction of your computer systems that could result in partial or total denial of services to the system users.
The Protection of data and software from unauthorized access.
AIS SECURITY PERTAINS TO:
Physical, Personnel, Hardware, Software, Communications, Emanations, Administrative/Operations, Data/Information
PHYSICAL SECURITY
Physical security is that part of security concerned with physical measures designed to safeguard personnel, to prevent unauthorized access to equipment, installations, material, and documents, and theft. Physical security and AIS security go hand in hand.
AIS SECURITY IS COMPLEX
AIS SECURITY draws on: INFOSEC, TEMPEST, COMSEC, ADMIN, PHYSICAL, HARDWARE, SOFTWARE, PERSONNEL
IS SYSTEM = HARDWARE + SOFTWARE / DATA + FACILITIES + PEOPLE
WHY INFORMATION SECURITY?
Mission, Cost, Data/Software Dependence
WHY - Two Reasons: It makes sense. It’s the law.
COMPUTER SECURITY IS EVERYONE’S RESPONSIBILITY
Cooperation and support from all personnel throughout the activity is an essential key to a successful program!
End User Supervisors
New Employees
End Users
DATA CLASSIFICATIONS
- CLASSIFIED (CONFIDENTIAL, SECRET, TOP SECRET)
- SENSITIVE BUT UNCLASSIFIED (TECHNICAL, PROPRIETARY, PROGRAM SPECIFIC)
- UNCLASSIFIED
DATA CLASSIFICATION: CLASSIFIED
Confidential - Secret - Top Secret
To Access Classified Material:
- Appropriate Clearance Level
- Need-to-Know
- Access Approval
Special Handling and Storage Requirements:
- Magnetic media may not be shredded, only burned or degaussed by an approved degausser (TS may only be destroyed)
CLASSIFIED PROCESSING
Unless your computer has been certified by NSA as meeting the trusted computer base criteria for B2 certification (secure multi-level mode), as soon as you introduce classified data into your system, all data on all media and devices associated with the system is classified at the highest level of data contained on the system.
The system and all of its data (100%), remains classified at that level until the system has been sanitized (declassified) by use of approved methods.
DATA CLASSIFICATION: SENSITIVE BUT UNCLASSIFIED
Sensitive Unclassified includes:
- For Official Use Only (FOUO)
- Privacy Act Information
- Contract Information
- Technical Information
- Budget Information
- Financial / Payroll Information
- Proprietary Information
DATA CLASSIFICATION: SENSITIVE BUT UNCLASSIFIED (Cont.)
Requires Special Handling, Storage and Destruction:
- If kept on desk, turn over or store in desk, file cabinet or notebook
- Destruction must be done in such a way as to prevent reconstruction.
CURRENT ISSUES: THREATS / VULNERABILITIES / COUNTERMEASURES
THREATS
An activity, deliberate or unintentional, with the potential for causing harm to an Automated Information System.
Manifestation of a threat results in degraded mission accomplishment.
Threat identification includes both known threats and reliably postulated threats. Lack of evidence does not rule out the existence of a threat.
CATEGORIES OF THREATS
- NATURAL - Hurricane, Fire, Flood, Earthquake
- MAN-MADE, INTENTIONAL - Viruses, Espionage, Sharing Passwords, Inadequate Backups
- MAN-MADE, UNINTENTIONAL / ACCIDENTAL - Power Loss, Forgetting Password, Unattended Terminal Display, Food/Drinks
SOME AIS SECURITY THREATS
Fire; Flood / Water Damage; Wind Damage; Snow / Ice Storms; Power Loss; Unauthorized Access; Espionage; Food / Drinks; Sabotage; Unauthorized Software / Data Modification; System / Application Programmer Errors; Operator/User Errors and Omissions; Communications Failure; Fraud and Abuse
SOME AIS SECURITY THREATS
JAVA Issues - Denial of service

    import java.applet.*;
    import java.awt.*;

    // The slide's illustration of a hostile applet that tries to waste
    // system resources by creating threads at top priority.
    public class InfiniteThreads extends Applet implements Runnable
    {
        Thread wasteResources = null;
        boolean StopThreads = false;

        public void run ()
        {
            // StopThreads is never set, so this loop never ends.
            while (!StopThreads)
            {
                wasteResources = new Thread(this);
                wasteResources.setPriority(Thread.MAX_PRIORITY);  // constant name corrected from MAX_Priority
                wasteResources.run();
            }
        }
    }
Web Spoofing
- Easy to do
- Spectacular effect
- Impossible to prevent
- Pre-warned is Pre-armed!!!!!
E-mail Spoofing
- Forge a false e-mail
- Easy to do
- Impossible to prevent
- Authenticate: Sign internal messages
Social Engineering
- Easy to do
- Easy to prevent: Don’t share passwords
Userid: mreiter / password: mreiter - "Share my System!" - WRONG!
COMPUTER VIOLATIONS, FRAUD, AND ABUSE
- 70 - 80% of annual loss related to computers is committed by employees
- 20% of the total computer-related loss is committed by disgruntled employees
- 60% of the total computer-related loss is caused through human errors or accidents
[Headline clippings: "15 Computers have been destroyed by negligence"; "FLASH: Disgruntled employee sabotages classified AIS Systems"]
No one here would ever do that! Would they?
THREATS: IMPACTS ON COMPUTER RESOURCES
Destruction, Modification, Disclosure, Denial of Service
"How will I ever get my work done now!!!!!!"
THREAT - VIRUS
Virus - run antivirus programs on a regular basis.
Do not use any outside floppies/ disks on your system without running a virus scan first. Many viruses are introduced because virus scanning was not performed.
No illegal duplication of S/W rule - this reduces the spread of viruses and avoids legal headaches.
VULNERABILITY
A vulnerability is a flaw or weakness that may be exploited by a threat agent to cause harm to an AIS system or network.
SOME VULNERABILITIES
Open Building / Room Policy; Disgruntled Employees; Lack of Security Awareness; Inadequate Supervision; Software / Hardware
THREAT / VULNERABILITY
Data Alteration, Outside Access - This is why audit trails are so important. An audit trail lets you check data processing against tasking and logged computer time for suspicious discrepancies.
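Added example (not from the briefing) of the audit-trail check the slide describes: constructed audit-log lines are compared against a constructed tasking roster, and every action with no tasking for that user and dataset, or outside the tasked hours, is flagged as a discrepancy.

```python
"""Audit-trail discrepancy check: logged computer activity versus tasking.
Added example, not from the briefing; every record below is constructed.
Timestamps are 'YYYY-MM-DD HH:MM' strings in local time."""
from datetime import datetime

FMT = "%Y-%m-%d %H:%M"

# Constructed tasking roster: who was assigned to which dataset, and when.
TASKING = [
    {"user": "jsmith", "dataset": "PAYROLL", "start": "1999-03-01 08:00", "end": "1999-03-01 17:00"},
    {"user": "mreiter", "dataset": "CONTRACTS", "start": "1999-03-01 08:00", "end": "1999-03-01 17:00"},
]

# Constructed audit-trail lines: date time user action dataset.
AUDIT_LOG = """\
1999-03-01 09:12 jsmith MODIFY PAYROLL
1999-03-01 13:40 mreiter READ CONTRACTS
1999-03-01 22:05 jsmith MODIFY PAYROLL
1999-03-01 14:10 mreiter MODIFY PAYROLL
1999-03-01 11:30 guest READ CONTRACTS
"""


def parse_audit_log(text):
    """Turn the raw audit-trail text into one dict per record."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        date, time, user, action, dataset = line.split()
        records.append({"when": datetime.strptime(f"{date} {time}", FMT),
                        "user": user, "action": action, "dataset": dataset})
    return records


def audit_discrepancies(records, tasking):
    """Return (record, reason) pairs for activity not covered by tasking: no
    tasking at all for that user and dataset (possible outside access or data
    alteration), or activity outside the tasked hours."""
    findings = []
    for r in records:
        tasks = [t for t in tasking if t["user"] == r["user"] and t["dataset"] == r["dataset"]]
        if not tasks:
            findings.append((r, "no tasking for this user and dataset"))
            continue
        in_window = any(datetime.strptime(t["start"], FMT) <= r["when"] <= datetime.strptime(t["end"], FMT)
                        for t in tasks)
        if not in_window:
            findings.append((r, "activity outside logged tasking hours"))
    return findings


if __name__ == "__main__":
    for rec, why in audit_discrepancies(parse_audit_log(AUDIT_LOG), TASKING):
        print(rec["when"].strftime(FMT), rec["user"], rec["action"], rec["dataset"], "->", why)
```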
In the case where Laptops/portables are used by multiple users, keep a written log of who checked it out and when it was returned.
[Laptop check-out log: Toshiba Laptop, MINOR 109999; columns NAME, DATE]
THREAT / VULNERABILITY RELATIONSHIP
Sabotage (Threat)
Possible Vulnerabilities: Disgruntled Employee(s); Activists / Protesters; Inadequate Building Access Control
"Hey man, this base is great! Not too many guards and the shoreline and many buildings are open. This place is easy! Alert our protest group, we’re on tonight."
SAFEGUARDS / COUNTERMEASURES
Any action, device, procedure, technique or other measure that reduces the vulnerability of a system.
Examples:
Security Operating Procedures
Fire/Smoke Alarms
Intrusion Detection System
Firewall
Awareness Training
IN CONCLUSION
[Cartoon: SECURITY BRIEFING acknowledgment reading "I John Walker have received my annual Security Briefing"]
COMMON STATEMENTS #1
"Aw come on, it’s only a Personal Computer"
But It Still Requires Safeguarding
It’s-Only-a-Personal-Computer Facts:
Many have more capacity and capabilities than some of the mainframes in our inventory.
The only small features are their physical size, the cost, and their security features.
WE HAVE TO TRUST OUR PEOPLE...
COMMON STATEMENTS #2
"Hi, I downloaded those programs from my PC like you wanted. I’m at my car getting ready to drive over now. See you soon."
"I see a computer, tell me the password so I can check it for you."
WE HAVE TO TRUST OUR PEOPLE
We like to think we can - but always remember to check on and report suspicious activities.
Be on the lookout for people who you do not recognize in your environment.
If you see persons without badges, challenge them.
If you hear someone talking about things they shouldn’t be, let them know. If they continue, report it.
COMMON STATEMENT #3
"We Only Process Unclassified On Our PC’s....."
WE ONLY PROCESS UNCLASSIFIED ON OUR PC’s....
However, if it’s private information, it is considered SENSITIVE BUT UNCLASSIFIED and must be treated as such.
If your system is accredited for Unclassified, that is all that you’re allowed to process. You must be accredited for classified processing in order to use your computer for classified work.
Software Trouble Report
OPEN DISCUSSION
"Yeah, it really got to him!"
SECURITY POP QUIZ
WHAT’S WRONG HERE?
WHAT’S THE PROBLEM HERE?? P3D4Oh$
PASSWORD DON’TS:
- DO NOT USE ANY PERSONAL NAMES, NICKNAMES, PLACES, BIRTHDAYS, ETC. FOR YOUR PASSWORD.
- DO NOT USE ANYTHING THAT CAN BE TRACED BACK TO YOU (E.G. AUTO LICENSE NUMBER, BANK ACCOUNT NUMBERS, ANNIVERSARY DATE).
- DO NOT USE ANYTHING THAT HAS TO DO WITH YOUR PROFESSION (E.G. JOB TITLE, DEGREE, ETC.).
- DO NOT USE THE SAME PASSWORD FOR ALL SYSTEMS.
PASSWORD DO’S:
- USE CHARACTERS WITH NUMBERS AND PUNCTUATION.
- INTERSPERSE CAPITALS WITH LOWER CASE (EX: Aih4B/3).
- DO USE, IF POSSIBLE, AT LEAST SEVEN CHARACTERS IN YOUR PASSWORD.
- DO CHANGE YOUR PASSWORD REGULARLY.
**REMEMBER - IF YOU SUSPECT YOUR PASSWORD HAS BEEN COMPROMISED - REPORT IT IMMEDIATELY TO A SYSTEM ADMINISTRATOR.
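Added example (not from the briefing) that turns the DO’s and DON’Ts above into a checker: the userid mreiter comes from the Social Engineering slide, while the personal details and the per-system passwords are constructed. Note that the quiz slide’s P3D4Oh$ and the deck’s own Aih4B/3 pass every composition rule, while mreiter/mreiter fails most of them.

```python
"""Checks implementing the briefing's PASSWORD DO'S and DON'TS.
Added example, not part of the original briefing; the personal details
and the per-system passwords below are constructed samples."""
import string


def password_findings(password, userid, personal_details):
    """Return the rules the password breaks; an empty list means it passes."""
    findings = []
    lowered = password.lower()
    # DO: at least seven characters.
    if len(password) < 7:
        findings.append("shorter than seven characters")
    # DO: use characters with numbers and punctuation.
    if not any(c.isdigit() for c in password):
        findings.append("no digits")
    if not any(c in string.punctuation for c in password):
        findings.append("no punctuation")
    # DO: intersperse capitals with lower case.
    if not (any(c.isupper() for c in password) and any(c.islower() for c in password)):
        findings.append("not mixed case")
    # DON'T: anything traceable to you; the userid itself is the 'mreiter / mreiter' slide.
    if userid.lower() in lowered:
        findings.append("contains the userid")
    for detail in personal_details:
        d = detail.lower().replace(" ", "")
        if len(d) >= 3 and d in lowered.replace(" ", ""):
            findings.append(f"contains personal detail '{detail}'")
    return findings


def reused_across_systems(passwords_by_system):
    """DON'T use the same password for all systems: name the systems that share one."""
    groups = {}
    for system, pw in passwords_by_system.items():
        groups.setdefault(pw, []).append(system)
    return sorted(s for group in groups.values() if len(group) > 1 for s in group)


# Constructed sample user: the userid is from the deck's slide, the details are made up.
USER = "mreiter"
DETAILS = ["Mike", "Reiter", "Palatine", "03-14-1962", "ABC 123"]

if __name__ == "__main__":
    for candidate in ["mreiter", "Reiter62", "P3D4Oh$", "Aih4B/3"]:
        print(candidate, password_findings(candidate, USER, DETAILS) or "passes all rules")
    print(reused_across_systems({"mail": "Aih4B/3", "lan": "Aih4B/3", "vax": "P3D4Oh$"}))
```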
WHAT’S WRONG HERE? [Cartoon: SODA at the workstation; badge reading "Visitor - Escort Req’d"]
Protect Your Equipment
You should always try and protect your equipment from situations that can cause damage, i.e. extreme heat, smoke, a leaky roof, etc.
Do not drink or eat around your equipment. Many keyboards have had to be replaced due to drinks being spilled. (If a computer system is on your desk, please keep any food or drink away from it.)
When working on classified, protect your screen from unauthorized viewing.
Virus prevention: Install and run an anti-virus program often. Do not use any “foreign” magnetic media without running a virus scan on it first.
WHAT’S WRONG HERE?
"Check out the neat software I brought in. My friend gave it to me. He got it at work. He said it hasn’t got a virus on it, so we don’t need to scan it."
"COOL, LET’S RUN IT!"
Copyrighted, Licensed or Proprietary Information / Downloading Files:
When downloading files from the Internet for use in official business, there are legal considerations, as well as concerns such as the introduction of viruses, bugs or other ill effects.
Registration cannot be required with the understanding that it may be used for commercial purposes. In particular, the Government may not be later identified as a user of the s/w or otherwise presented as endorsing the program.
S/W download must not obligate the Government to provide anything in return. In the case of beta software, there cannot be any requirement for the Government to submit an evaluation report in return for the download.
Registration cannot be required with any expectation that the Government may later be obligated to purchase a copy of the s/w.
Finally, where registration carries terms for nondisclosure and use of the s/w, the downloader must take care not to breach any of its terms. (For example, in situations where a program is found to be beneficial, the s/w may not be simply duplicated and distributed to others if registration is required from each individual user. On the other hand, if a program is found not to be of use, the downloader must take appropriate steps to remove and/or destroy the s/w.)
Copyrighted, Licensed or Proprietary Information / Downloading Files (CONTINUED):
All users who download files for PC access should have a virus scan run prior to usage.
Remember to run a virus scan on disks and floppies received from outside our Department. Many viruses have been passed from Department to Department because no one ran a virus scan. If you need assistance, contact the ISSO or Asst. ISSO.
And don’t forget that use of LANs to domains outside is for Official Business Only. This is a monitored service, and any misuse is subject to disciplinary action or loss of access.
FINITO. It’s Over. Fertig (Done).
(Please go back to work now. No running please, single file, no pushing or shoving. Yes, you may hold hands with the one behind you. Don’t try to be the first one out if it requires pushing someone else out of your way. Take nothing but the knowledge with you, leave nothing but empty seats. Thank you very much. That’s all I can say, so have a nice day.)