REPORT DOCUMENTATION PAGE

2. REPORT DATE: Summer 1999
3. REPORT TYPE AND DATES COVERED: Newsletter Vol 3, No 1
4. TITLE AND SUBTITLE: IA Newsletter: The Newsletter for Information Assurance Technology Professionals
6. AUTHOR(S): Information Assurance Technology Analysis Center
7. PERFORMING ORGANIZATION: IATAC, Information Assurance Technology Analysis Center, 3190 Fairview Park Drive, Falls Church, VA 22042
9. SPONSORING/MONITORING AGENCY: Defense Technical Information Center, DTIC-IA, 8725 John J. Kingman Rd, Suite 944, Ft. Belvoir, VA 22060
12a. DISTRIBUTION/AVAILABILITY STATEMENT: Approved for public release; distribution is unlimited.
12b. DISTRIBUTION CODE: A
13. ABSTRACT: IA Newsletter is published quarterly by the Information Assurance Technology Analysis Center (IATAC). IATAC is a sponsored Information Analysis Center, administratively managed by the Defense Technical Information Center (DTIC), Defense Information Systems Agency (DISA). Featured in the issue: USSOUTHCOM Information Sharing Projects; Naval IO Wargame '99; Computer Network Defense Law; DoD's IAVA Process; Automated Intrusion Detection Environment.
14. SUBJECT TERMS: Information Security, Information Assurance, Intrusion Detection, Information Operations
15. NUMBER OF PAGES: 23
17-19. SECURITY CLASSIFICATION (of report, of this page, of abstract): UNCLASSIFIED
20. LIMITATION OF ABSTRACT: None

Also inside: DoD's IAVA Process; Automated Intrusion Detection Environment

On the cover
- U.S. Southern Command's Information Sharing Projects, Lt Col J. Andrew Pettigrew III, USAF

IA initiatives
- A Brief Look at the Law of Computer Network Defense, Lt Col Charlie Williamson, USAF
- DoD's IAVA Process: Helping Mitigate Network Security Risk to the Defense Information Infrastructure, LT Beth A. Evans, USN
- Naval IO Wargame 1999 (NIOW 99), Daniel R. Walters
- Automated Intrusion Detection Environment, Brian Spink and Brad Jobe
- New INFOSEC Training Products
- Raytheon's SilentRunner, Thomas Hudson and Michael Maloney

In each issue
- IA Tools Summary: Updated Intrusion Detection Tools Report
- IATAC Chat - The Road, Robert P. Thompson, Director
- Products
- IATAC Product Order Form
- Calendar of Events

IAnewsletter, Summer 1999

Editors: Robert P. Thompson, Robert J. Lamb
Creative Director: Christina P. McNemar
Information Processing: Robert Weinhold
Information Collection: Alethia A. Tucker
Inquiry Services: Peggy O'Connor
Contributing Editor: Martha Elim

IA Newsletter is published quarterly by the Information Assurance Technology Analysis Center (IATAC). IATAC is a sponsored Information Analysis Center, administratively managed by the Defense Technical Information Center, Defense Information Systems Agency (DISA). Inquiries about IATAC capabilities, products, and services may be addressed to Robert P. Thompson, Director, IATAC, (703) 289-5454.

We welcome your input! To submit your related articles, photos, notices, feature programs, or ideas for future issues, please contact:
IATAC, ATTN: Christina P. McNemar, 3190 Fairview Park Drive, Falls Church, VA 22042
Phone: (703) 289-5454
Fax: (703) 289-5467
STU-III: (703) 289-5462
E-mail: iatac@dtic.mil
URL: http://iac.dtic.mil/IATAC
Cover and newsletter designed by Christina P. McNemar

U.S. Southern Command's Information Sharing Projects
Lt Col J. Andrew Pettigrew III, USAF

The U.S. Southern Command (USSOUTHCOM) pursues a Strategy of Cooperative Regional Peacetime Engagement founded on hemispheric cooperation. The strategy emphasizes the importance of regional, collaborative, multilateral approaches and the value of communications. Essential to this strategy is sharing information with nations in the Area of Responsibility (AOR). Accordingly, USSOUTHCOM is establishing information-sharing networks using the existing theater infrastructures, such as the Internet and commercial satellite connectivity, as the supporting communications backbone.

The Americas' Net (AMNET), modeled after the Partnership for Peace initiative in Europe, is the most mature of the information-sharing networks that support regional engagement strategy. The Caribbean Information-Sharing Network (CISN) is being developed. Finally, the Southern Command Information Exchange System (SCIES) network, also in development, will support the exchange of releasable classified information with AOR nations.

AMNET consists of an Americas' Net file and E-mail server, a home page, and Internet connectivity for the U.S. Military Groups (USMILGP) and participating nation senior military leadership in the USSOUTHCOM AOR. By automating information-sharing and communications, it creates an environment conducive to regional cooperation in the Americas and the Caribbean. It provides a framework for enhanced political and military cooperation and facilitates interaction for joint multilateral activities such as humanitarian and civic assistance, nation building, and peacekeeping. The system allows member nations to share lessons learned immediately, participate in planning exchanges, directly coordinate exercise development on-line, and make direct doctrinal comparisons.

AMNET achieves its mission by using Internet resources. An array of Web browser-accessible software and user-friendly tools afford participating nations password-protected access to and exchange of information concerning a variety of subjects, such as security strategies, emergency planning, professional military education, multilateral exercises, doctrine and policies, public affairs, and environmental concerns. Fully operational since May 1997, AMNET has been continually upgraded to meet evolving regional engagement requirements. The Internet Web site was established with Secure Socket Layer (SSL) and password protection. By using Cold Fusion as a back-end Web application server, AMNET manages and delivers information dynamically.

The Web site offers extensive links to U.S. military home pages, Latin American Web resources, military schools, countries of interest, briefings, and fact sheets. Additional features include a Web-integrated real-time chat room, a bulletin board with threaded discussion groups and E-mail notification, and a search engine. AMNET also provides E-mail capability.

Planned AMNET enhancements include modernizing equipment, bandwidth, and network infrastructure. Password authentication with user access levels for each page in the site is being developed. This feature will add security by enabling users to see only what their access level allows.

USSOUTHCOM headquarters is assisting military forces and law enforcement agencies in the Caribbean Basin of the USSOUTHCOM AOR in establishing an information-sharing network to enhance bilateral and multilateral cooperation in combating transnational threats and addressing issues of common concern. The CISN network will be established in three phases:
- Phase 1: mail and attachments
- Phase 2: Virtual Private Network (VPN) with a central server implementation
- Phase 3: VPN with multiple servers

CISN Phase 1, already operational, enables users to E-mail and attachments using PGP (Pretty Good Privacy), a commercial software application from Network Associates, Inc. CISN Phase 2 will implement a VPN and a Collaborative Virtual Workspace (CVW) server. Initial operational capability for Phase 2 is scheduled for October 1999.

The VPN will be an communications link between CISN remote workstations and the CISN intranet that passes through the public Internet. The VPN will use a combination of authentication, data encryption, and tunneling to create a secure channel between users and the CISN network. The VPN will rely on remote access accounts that allow the users to dial in to an Internet service provider (ISP), establish a connection to the Internet, and then identify themselves to the CISN VPN authentication system. The CISN VPN will verify a user's identity on the basis of user name and password. On successful authentication, tunneling or an session will be set up between the VPN user and the CISN VPN server, thus protecting the privacy and integrity of data exchanged between the remote workstation and the CISN intranet.

USSOUTHCOM is also developing a multilevel security network, SCIES, to share counterdrug planning, intelligence, and operations data with participating nations in the theater. The system will consist of off-the-shelf hardware and software connected to existing local area networks via approved multilevel security devices and firewalls. Specific functions to be accomplished through SCIES include scheduling and approval for diplomatic clearance of overflights and sharing of the releasable portions of counterdrug intelligence data and the Global Command and Control System (GCCS) Common Operating Picture

[Figure 1. SCIES Goals and Concept of Operations. SCIES provides electronic information-sharing capability to participating nations based on existing U.S. electronic sharing capabilities and a downgraded version of the same system. Goals: timely sharing of information for all organizations operating in AOR; promote regional cooperation via technology leveling; reduce coordination confusion; support future wargaming exercises. Diagram labels: Diplomatic Clearance; Air Task Order; Imagery; Other INTEL Products; Weather Data; Tracks of Interest; U.S. Asset Position Updates (Air, Ground, Maritime, Riverine); PN Status of Forces; End-Game Results; DIP Clearance; PN Intel; Common Operating Picture; JIATF/SC COP/WEB Pages; CD Info Sharing (Plans, Ops, Intel).]

A Brief Look at the Law of Computer Network Defense
Lt Col Charlie Williamson, USAF

You may have heard the rumor: Technology makes computer network defense difficult enough. Then along comes some lawyer saying you can't protect your networks the way you want. Perhaps this article will give you some encouragement. It briefly reviews some of the rules and suggests that the situation might not be as bad as rumor indicates.

Most readers of this newsletter know the threat described in the 1997 report of the President's Commission on Critical Infrastructure Protection: Computer networks can undergo anonymous cyber attacks that can be mounted remotely, in minutes, with little or no detectable preparation or rehearsal. Over the last few years, the threat has increased. More countries have announced plans to develop information warfare capabilities, and the technology used to mount these attacks is more readily available and easier to use than ever before. Likewise, many companies are fielding new technologies that protect on-line privacy but also make it harder to track hackers.

In these circumstances, how do we defend our networks? We can choose many courses of action. The passive options are easy: We can shut down our networks or divert the attacker if we know the attacker is coming and how he will attack. Active options are also easy: Arrest him if he's domestic, or use the full weight of national power if he's sponsored by a foreign state, if we can find him. The hard choice is to get the right information to the
decision makers so they can take the right action. Meeting that challenge can look like transforming the puzzle on the right of Figure 1 to the one on the left.

[Figure 1. The law and culture as we would like it and as it appears.]

How do we make the puzzle pieces fit? This article looks briefly at some tools that help pull the pieces together: the Computer Fraud and Abuse Act, the Electronic Communications Privacy Act, the fourth amendment to the U.S. Constitution, intelligence oversight rules, counterintelligence guidance, and some international initiatives.

Overview of Domestic Criminal Law

We must start by understanding that computer intrusions are crimes, most of which are governed by the Computer Fraud and Abuse Act (Title 18, United States Code, Section 1030). The law is summarized below, but the details of particular cases can lead to complications, so consult your lawyer. The punishments for each offense vary, depending on the seriousness of the intent or outcome.

Table 1. Computer Fraud and Abuse Act Summary
Prohibits:
- Hacking into a government computer to get classified information and then …
- Hacking into computers to obtain access and information
- Accessing and affecting the use of nonpublic computers of the U.S. Government and government contractors
- Hacking and causing damage (more than a …000 loss of data or system availability to one or more victims during any 1-year period); intentionally, recklessly, or simply causing damage, including viruses
- Trafficking in stolen passwords
- Attempting any of the offenses listed above

With this brief definition of what conduct is criminal, we can turn to ways of catching the hacker. The first line of defense is often the Electronic Communications Privacy Act (ECPA) and its service provider exception (Title 18, United States Code, Section 2511). Generally, ECPA makes it illegal to wiretap and provides stiff penalties for violations. However, it sensibly allows electronic communication service providers to protect their rights and property by intercepting successful and attempted hacking. This provision is the legal foundation for deploying intrusion detectors and databases. DOD network operators are then supposed to report suspected intrusions to Service law enforcement agencies.

At this point, the Constitution triggers significant procedural requirements. First, the fourth amendment may require a search warrant if the computer owner is entitled to expect privacy. However, the US Supreme Court has acknowledged a lowered expectation of privacy in certain workplace situations, so a warrant may not be required to search a government computer. Also, certain government employees may consent to network server searches. Check with your lawyer for guidance.

Statutes also impose requirements. Certain statutes address access to subscriber information and communications stored by Internet service providers (ISP). Consult your lawyer for help in these complicated areas. In addition, investigators can use pen register devices and trap-and-trace devices to track source and destination addresses on packets going through computers. If these devices do not yield sufficient information, investigators can deploy full-content wiretaps. However, consent or court orders are required, and the procedures can be complicated. The defense criminal investigating organizations implement these rules by following DOD Procedures for Wire, Electronic, and Oral Interceptions for Law Enforcement, May 1995. Be sure to consult your lawyer for help in these complicated areas.

Rather than face all these problems, why don't we just have some smart military operators hack back at the hacker's computer? First, if the hacker's computer is in the United States, those military operators could be accused of violating the Computer Fraud and Abuse Act. If the ISP is foreign, our military operators will probably need
approval from the National Command Authorities, but that discussion is beyond the scope of this article. Second, our operators have to find the target. To trace the hacker attack back to its source, they would normally need to contact some ISPs between themselves and the target. If an ISP does not cooperate, do they hack into the ISP and steal its log data? Obviously, this tactic is a bad idea. It's clearly wrong, it's a crime, and it would take even longer than using the legal process. Finally, suppose our smart military operators succeed in finding the hacker and erasing his hard drive. The hacker immediately reloads his hard drive from a CD-ROM and hacks again minutes later. It may be frustrating from a military viewpoint to work through the law enforcement process, but often this may be the only way to develop enough information to identify and stop the intruder.

Overview of Intelligence and Counterintelligence Rules

Foreign state threats naturally concern DOD even more than domestic threats because of a state's potential to concentrate resources. At the same time, intelligence operators must be able to gather and analyze data without treading on US citizens' rights. This area can become convoluted very quickly, so again, consult your lawyer. balances these concerns by complying with significant oversight rules that apply to the intelligence community and counterintelligence elements of the US Government.

The primary statute is the Foreign Intelligence Surveillance Act (Title 50, United States Code, Sections 1801-1829). It allows high-level administrative approvals for foreign surveillance but requires court orders for electronic surveillance in counterintelligence operations against US citizens suspected of espionage. It establishes significant procedural requirements similar to wiretap court orders under ECPA. In addition, the court must conclude there is probable cause that the target is an agent of a foreign power. Probable
cause can often be difficult to establish, especially early in a hacking case.

In addition, significant guidance on intelligence activities affecting U.S. citizens comes from Executive Order 12333, Dec 1981; DOD Directive 5240.1, Apr 1988; and Dec 1982. Because these rules greatly predate the Internet, their use of phrases like electronic surveillance and concealed monitoring merits cautious analysis. Finally, the intelligence community agencies each have regulations to guide their collection and dissemination actions. The key point is that the mission of the intelligence community is to gather and disseminate intelligence on foreign threats and leave domestic threats to law enforcement and counterintelligence. As a result, decision makers may not get one-stop shopping when trying to figure out where a hacker comes from. This area, too, can become convoluted very quickly. Again, consult your lawyer.

International Initiatives

What happens when we do find a foreign hacker? The unpleasant reality is that many countries do not even outlaw hacking. For instance, New Zealand, one of our close allies and a sophisticated country, is outlawing hacking only this year. Many countries that outlaw hacking do not make it an offense that allows extradition to the United States. Furthermore, US punishments may be so mild that extradition may not be … All of these factors make investigation and prosecution either difficult or impossible.

Two initiatives may improve this situation. First, the Group of 8 is negotiating a fast freeze agreement that would enable one country to have another order ISPs freeze data while law enforcement seeks evidence across borders. Second, the Council of Europe is negotiating an agreement that may require signatory nations to pass laws making certain computer conduct criminal, providing for extradition for certain offenses, and allowing cross-border access to evidence.

What Can You Do?

Now that you have seen this brief outline, what can you do? First, tell the intelligence community members what products you want. They want to produce useful intelligence, and they need real cases for analysis to see what can and cannot be done. Second, use the ECPA service provider exception to widely, but wisely, deploy intrusion detection systems and share databases. Third, commanders and network operators need to seek case status from their law enforcement and counterintelligence agents. This information will lead to security improvements. Finally, commanders and investigators should work closely with their lawyers. Make them write their opinions, and alert them they will be working in Information Operations cells. Lawyers need to start working now to come up to speed in this challenging area.

An old curse says, May you live in interesting times. These are interesting times for law as we enter the Information Age. New problems need new thinking and team effort, but the end result, national security, is worth the hard work.

1. The Group of 8 (G8) was established in October 1975 to facilitate economic cooperation among the developed countries (DCs) that participated in the Conference on International Economic Cooperation (CIEC), held in several sessions between December 1975 and June 1977. Membership includes Canada, France, Germany, Great Britain, Italy, Japan, Russia, and the United States.

Lt Col Charlie Williamson is currently the Staff Judge Advocate (SJA) for the Joint Task Force-Computer Network Defense. He previously served as the SJA of the 314th Airlift Wing, Little Rock AFB, Arkansas. He had previous JAG assignments at Castle AFB, California, and Minot AFB, North Dakota, along with an assignment as a flight test manager at Hill AFB, Utah. He received his juris doctor from the University of Utah College of Law and his bachelor of science in mechanical engineering from the University of Southern California.

Establishing trust in a highly distributed network centric computing environment is a fundamental issue today for the Department of
Defense and its Defense Information Infrastructure (DII). Widely known and documented vulnerabilities exist throughout the networks, and because of our increasing reliance on networks, these vulnerabilities have the capacity to severely degrade our operational readiness and therefore endanger national security. We must shift the current view that information assurance systems security concerns are secondary considerations to core readiness issues. Everyone, from the highest senior levels of management to the soldiers and office workers, must understand their responsibility as a stakeholder in the vitality and security of our information systems.
- Dr. John Hamre, Deputy Secretary of Defense

Helping Mitigate Network Security Risk to the Defense Information Infrastructure
Lieutenant Beth A. Evans, USN, DISA D333

The Department of Defense (DOD) Computer Emergency Response Team (CERT), a branch within the Defense Information Systems Agency (DISA), is responsible for providing information assurance procedures and guidance to the DOD community for protection of the Defense Information Infrastructure (DII). Accordingly, the Deputy Secretary of Defense instituted a notification process in 1998, known as the Information Assurance Vulnerability Alert process, and designated DISA as its manager. The IAVA process was created because DOD recognized the need for the Commanders-in-Chief (CINC), Services, and Agencies (C/S/A) to have a positive control mechanism to ensure that their system administrators received, acknowledged, and complied with vulnerability alert notifications and to ensure that corrective actions were taken against new and critical vulnerabilities.

IAVA is a Web-based process that incorporates identification and evaluation of new vulnerabilities, disseminates technical responses, and tracks compliance within the DOD community. As the IAVA process manager, DISA is responsible for disseminating the vulnerability notifications to points of contact and providing an automated means for the points of contact to report receipt of and compliance with the alerts.

Managing the IAVA

DOD CERT has created a three-tiered vulnerability hierarchy for notifications. The first-tier notification, an alert or IAVA, is disseminated when DOD CERT documents a new vulnerability that poses an immediate, potentially severe threat to DOD systems. The IAVA requires that C/S/As report both receipt of the alert, after disseminating it to subordinate organizations, and their compliance with the corrective action.

The second-tier notification, a bulletin or IAVB, addresses new vulnerabilities that do not pose an immediate threat to DOD systems but are significant enough that noncompliance with the corrective action could escalate the threat. Like the IAVA, the IAVB requires C/S/As to report receipt of the bulletin, but compliance reporting is not required; compliance requirements and decisions are made by the local commander. However, the IAVB must be disseminated down to the system administrator level within the organization.

The third-tier notification, the technical advisory, is generated when new vulnerabilities exist but are generally categorized as low risk. Potential escalation of these vulnerabilities is deemed unlikely, but the advisories are issued so that any risk of escalation in the future can be mitigated. Reporting is not required in response to a technical advisory.

The IAVA process allows waivers of the required compliance actions to be granted in response to a specific alert. Waivers are reviewed and granted by a C/S/A's Designated Approval Authority (DAA). The DAA must consider the risks involved to both the local network and the greater DII when granting a waiver.

Determining Notification Type

The CERT learns of new vulnerabilities through incidents reported to DOD and civilian CERTs, public Internet resources, and vendor notifications. On notification of a new vulnerability, DOD CERT assesses the threat that the vulnerability
poses to the DII using criteria such as the type of operating system and infrastructure affected by the exploit, the access gained by the exploit, the number of exploits reported, and the nature of the exploit's potential end result (denial of service, for example).

After the initial evaluation, a request for comments is sent to a coordination team consisting of the Joint Task Force-Computer Network Defense, Service CERTs, and joint system program managers. This team provides input in determining the type of notification to be generated.

After coordination, the notification is disseminated in a variety of ways. Record message traffic (Automatic Digital Network and Defense Message System) is sent releasing an IAVA or IAVB to the points of contact. The message is primarily for notification purposes, as well as assignment of reporting timelines. The message directs recipients to the CERT Web site for technical specifics and corrective action(s). An E-mail containing the technical information is also disseminated to all IAVA list serve addressees for the IAVA, IAVB, and technical advisories. List registration can be requested by sending an E-mail to cert@cert.mil. Dissemination is restricted to .mil and .gov domains.

The reporting of receipt, compliance, and waiver information is accomplished via the unclassified or classified IAVA Web site. Normal reporting timelines are 5 days for reporting receipt (IAVA and IAVB) and 30 days for reporting compliance. Significant progress is being made in the automation of receipt acknowledgement and compliance reporting, and as of October 1, 1999, have access to a greatly improved utility providing a more robust and effective automated mechanism to report their status information.

LT Beth A. Evans, USN, is the Technical Analysis Division Chief for the DOD Computer Emergency Response Team, Defense Information Systems Agency, Arlington, Va. She received her BS in Business Administration from the University of California, Berkeley, CA,
in December 1990. LT Evans is currently pursuing her MS in Information Systems from George Mason University, Fairfax, Va. She may be reached at evansb@ncr.disa.mil.

The following vulnerabilities were addressed in the alerts and bulletins disseminated by the end of July 1999:

Naval IO Wargame 1999 (NIOW 99)
Daniel R. Walters

On June 8-10, the Naval Information Operations Wargame 1999 (NIOW 99) attracted participants from the Fleet Commander in Chief (CINC), Numbered Fleet, Carrier Battle Group (CVBG), Amphibious Ready Group (ARG), and Marine Expeditionary Unit (MEU) staffs. Including observers, more than 85 participants from 29 joint and naval commands took part in the wargame.

Personnel from the Fleet Information Warfare Center (FIWC), together with technical staff from the Information Assurance Technology Analysis Center (IATAC), facilitated this seminar. The game was held at the Shifting Sands Conference Center located at the Fleet Combat Training Center Atlantic, Dam Neck, Virginia Beach, Virginia.

NIOW '99 goals were to examine operational and tactical information operations (IO) planning at the CVBG and level and to assess Naval IO Mission-Essential Tasks (NMETs). To achieve these goals, the wargame had four objectives:
- To educate participants and provide a professional forum to discuss and evaluate current and future naval IO issues
- To evaluate several IO-related issues resulting from the IO information warfare (IW) at Sea Conference held at FIWC in March 1999
- To identify and document IO Mission-Essential Tasks (METs) and doctrine issues arising from the game
- To generate and disseminate operational and tactical IW guidance to support IW staffs deployed and ashore, consistent with role as the Naval IW Center of Excellence

The wargame structure included informational briefings, team play, and hot washups. On June 8, a series of information and background briefings educated the players and prepared them for the game play. Following briefings on strategic and joint IO policy, naval IW, and FIWC IW initiatives, the players were separated into three teams: one representing a CVBG IW staff, a second representing an MEU IW staff, and the third representing the IW interests of both Numbered Fleet and Fleet CINC staffs. A fourth team of experienced IO personnel from joint and commands functioned as game play mentors, data collectors, and observers.

The principal portion of the wargame occurred on June 9-10 as the players participated in three moves. Each move began with in-depth briefings on the intelligence scenario, the current situation, and the operational or tactical IO mission the players were to plan. In Move 1, the players considered tactical IO planning for routine operations in a Southwest Asia scenario. Move 2 presented the players with operational and tactical IO planning for nonpermissive Noncombatant Evacuation Operation (NEO) operations in a crisis scenario, with the CVBG and acting as a joint task force. Finally, Move 3 involved the players in conducting an evaluation of IO-specific METs as a result of their planning efforts during Moves 1 and 2.

The moves all concluded with debriefings by each team to summarize the team's perspective on IO planning for the scenario, evaluate its capability to plan and execute IO at the operational and tactical levels of conflict, and offer feedback on Naval IO METs.

[Photo: USS Theodore Roosevelt (CVN 71) aircraft carrier. Navy photograph by Photographer's Mate 2nd Class George A. DelMoral.]

The hot wash focused on capturing lessons learned from the game. Participants reached consensus on a number of key points, some of which are summarized as follows:
- IO planning is a difficult process, and areas of responsibility for coordination and execution of IO are unclear, especially at the CVBG and level.
- IO planning for the CVBG and must start long before operations commence and must be integrated throughout the Inter-Deployment Training Cycle (IDTC).
- The need to integrate
IO in all operations is critical. Key to IO integration is development and implementation of significantly improved IO planning tools at the numbered fleet, CVBG, and level.
- Planning requirements and responsibilities for tactical IO planning and for a joint task force differ significantly.
- Current intelligence production requirements are not focused to support IO requirements.
- Naval personnel need more IO training and education than they now receive.

Analysis of participant feedback indicated that NIOW '99 was educational and productive, providing an outstanding forum for evaluating the naval IO planning process and METs. Most participants said that the game was an effective overview of naval IO planning and that they left with an increased appreciation and understanding of CVBG and IO coordination issues.

Because of the success of the first naval IO wargame, FIWC plans to conduct games on an annual basis to explore various aspects of naval IO.

All wargame material, including a list of game participants, all briefings, team debriefings, the wrap-up message, and post-wargame slide presentation, is available on the FIWC Secret Internet Protocol Router Network (SIPRNET) Web site: fiwc.navy.smil.mil. Questions and comments are welcomed and encouraged.

Daniel R. Walters is Technical Director, Fleet Information Warfare Center, Norfolk, VA. He also serves as Captain, US Navy Reserve, Crisis Response Planner for the Office of Secretary of Defense, Personnel and Readiness, Readiness and Training, Plans and Policy Division. He received his BS in Chemistry from Wilkes University in 1972 and graduated from the Naval War College in 1997. He may be reached at td@fiwc.navy.mil.

TITLE | COMPANY | URL
AAFID | Purdue University |
ACME | Intermidia |
AID | Brandenburg University |
ALVA | GE Corporate |
Alert Plus | Computer Security Products |
Argus | Carnegie Mellon University | argusn1 7 beta le
ARMD | George Mason University | http gmuedu jllin system
 | University of Illinois | jacques software arpmon html
ASAX | University of Namur | cri DOCS asax html
ASIM | US Air Force |
Black Ice | Network ICE | blackice
Bro | Lawrence Berkeley Laboratory |
Centrax | CyberSafe Corporation |
CMDS | ODS Networks Inc |
CyberCop | Network Associates |
Dragon | Network Security Wizards |
EMERALD | SRI International |
Flight Jacket | Anzen Computing |
Gabriel | Los Altos Technologies | http gabehtm
 | University of CA-Davis | grids welcomehtml
Hummer | University of Idaho | hummer
Ifstatus | IBM | http com davy software
INTOUCH INSA | Touch Technologies Inc |
IST | Internet Security Systems | iss net prod isb php3
ITA | AXENT Technologies Inc | axent com product smsbu
JiNao | | http anr mcnc org iNao html
KSM | RSA Security Inc | intrusion
NADIR | Los Alamos National Lab | gov 80 cic3
Net Stat | University of CA Santa Barbara | kemm netstat html
NetRanger | Cisco Systems Inc | cisco mkt security
NF | Network Flight Recorder Inc |
NID | Lawrence Livermore Lab | http ciac llnl gov cstc nid nid html
NIDES | SRI International |
NOCOL | Marquette University |
POLYCENTER | Compaq Computer Corp | http
PreCis | PRC Inc | indexhtm
RealSecure | Internet Security Systems |
SecureNet PRO | MimeStar Inc |
Session Wall-3 | Computer Associates | abirnet com sw3intro html
Snort | Stanford Telecommunications Inc | roesch
Stake Out | Harris Corporation |
Swatch | Stanford University | http atkins swatch
Tripwire | Tripwire Security Systems |
T sight | En Garde Systems Inc |
UNICORN | En Garde Systems Inc |
USTAT | University of CA Santa Barbara | http

Automated Intrusion Detection Environment
Brian T. Spink and Brad Jobe

Increased reliance on information systems requires maximum system integrity. Although absolute system integrity is not achievable, it is possible to warn commanders of attempted system attacks in real time. This warning has limited utility if it concerns only the local level. Effective defensive information operations (DIO) entails a comprehensive understanding of system operations on a global level. A critical DIO component is the ability to warn of suspicious activities across various command levels. The objective is to secure local networks, detect coordinated attacks at designated regional levels, and enhance the global picture of real-time threats to DOD-wide systems.

The Automated Intrusion Detection Environment (AIDE) is designed to address the challenge of determining whether the information grid is under attack. AIDE's goal is to reduce false positive reporting and create a tactical warning capability across the warfighters' information grid. To this end, AIDE will create a multitiered integration environment, incorporating stand-alone sensors and correlating sensor information at different command echelons. AIDE leverages existing commercial off-the-shelf (COTS) and government off-the-shelf (GOTS) technologies that include intrusion detection, enterprise management, object-oriented design, process visualization, and knowledge engineering.

[Figure 1. Architecture of the AIDE System]

AIDE Architecture

The AIDE architecture, shown in Figure 1, is composed of sensors, sensor interfaces, normalization, integration environment, data storage, and the communication topology.

An AIDE goal is to incorporate whatever sensors are in place at an installation rather than prescribing certain sensors. To determine the desired baseline of intrusion detection, network management, and firewall products, an AIDE team surveys installation sites. Once it identifies the sensors, the sensor interfaces to send data to the AIDE integration environment are developed.

Gensym's G2 intelligent enterprise management software creates the basic integration infrastructure. This
software applies real-time rule-based reasoning to network management data, activity sensor data, and intrusion detection information derived from distributed sources in real time.

Raw sensor data and correlated event information are stored in an Oracle database. Users from local, regional, and global sites can gain access to detailed data from the Web server installed on the system. This feature allows the system to push small amounts of information while allowing users at all levels to pull the supporting data they need to the appropriate level.

The communication topology requires secure hierarchical and lateral reporting. The overall AIDE concept calls for three-tier reporting: local control centers (LCC) report to regional computer emergency response teams, which report to a global network operations and security center (GNOSC). Figure 2 depicts the hierarchical reporting structure. Systems at each level can also report laterally, LCC to LCC or to. Each node in the system can be dynamically configured to send its alerts to any or all of the other nodes in the network. A node receives all alerts sent to it; that is, the configuration specifies only outbound constraints. This capability allows AIDE to be customized to conform to each site's reporting policy.

[Figure 2. Hierarchical Reporting Structure]

Improving Network-wide Detection

Network connectivity significantly improves the ability to detect network-wide coordinated attacks. Individual sites can detect local intrusions in isolation, but regional centers can correlate intrusions reported by multiple local sites. This function is actually the major purpose of an. When more than one local site reporting to the same reports intrusive behavior, the AIDE operator can immediately compare the behaviors and draw conclusions about the nature of the attack. This capability allows the to alert its other LCCs that an attack may be forthcoming and provide a
consolidated report to the GNOSC.

The GNOSC can serve the same function, correlating events at local sites that report to different. The GNOSC provides a single perspective on the state of the entire network covered by the AIDE system. It can alert sites to intrusions as they are happening so administrators can take immediate action to limit any damage and reduce the attack's effectiveness.

Brian Spink is an electronic engineer with the Air Force Research Laboratory in Rome, NY. He received his BS ECE from Clarkson University and his MS ECE from Syracuse University. He may be reached at

Brad Jobe is a senior program analyst for Litton PRC in Rome, NY. He received his B.S. from South Dakota State University and his MBA from Colorado State University. He may be reached at jobeb@ri.af.mil.

The Information Assurance Program Management Office at the Defense Information Systems Agency now offers the training and awareness CD-ROMs and videos listed in this article. Use form to order.

CyberProtect
An interactive computer network defensive exercise that looks and feels like a video game. It is intended to familiarize players with information security (INFOSEC) terminology, concepts, and policy. Players learn about defensive security tools and seek to deploy them judiciously on a simulated network. They face a spectrum of security threats and must make practical decisions about allocating resources in quarterly increments using risk analysis and risk management considerations. Play is divided into four sessions simulating a fiscal year. After each session, players receive feedback on how well they are doing. At the end of the last session, players are given a report summarizing their cumulative operational readiness rating. The report also details every attack by type, origin, and effectiveness of defensive tools.

System Administrator Incident Preparation and Response for Windows NT
An interactive multimedia training CD-ROM. It provides a virtual hands-on experience, taking the student through the steps necessary to configure networks to collect and protect event information that may be useful for investigating suspected unauthorized activity. The user learns what techniques are often used to commit computer crimes, what information to collect before an incident, how to prepare systems for possible incidents, how to implement policies, how to log and recognize unauthorized activity, and how to respond to suspected unauthorized activity. Other topics covered include policies and procedures to simplify a computer emergency investigation, audit strategy, audit implementation, recognition of unauthorized activity, and security incident notification and response strategies. A glossary of terms and links to service and agency computer emergency response teams are provided for reference. This CD-ROM is a product of the DOD Computer Investigations Training Program (DCITP).

Protect Your AIS: The Sequel
This U.S. Government video dramatizes related concerns in the workplace. The scenes demonstrate the need for password protection, virus prevention, data safeguards, user identification (ID) security, and controlled access to computer equipment. (30 minutes)

Dr. D. Stroye
This U.S. Government video discusses correct methods for magnetic media destruction while providing humorous examples of how not to destroy data safely. (8 minutes)

The Scarlet V
This U.S. Government video discusses the need to use virus-scanning software on a regular basis to prevent file infection. It comically depicts the life of an individual who inadvertently introduces a virus into a networked system. (8 minutes)

Safe Data: It's Your Job
This Department of Labor video is relevant to because it focuses on the need to safeguard sensitive but unclassified data such as medical records and personnel files. It discusses ways to secure data to prevent sensitive information from getting into the wrong hands and emphasizes the role of the end
user in computer and network security. It also offers tips for preventing data from being compromised by hackers and unauthorized users, such as good password management, virus protection, and physical security. (19 minutes)

Think Before You Respond
This NRO video deals with Internet security, stressing the need for viewers to be careful about the information they share. It encourages caution when discussing topics in live chat sessions or responding to requests for information. (3 minutes)

DOD INFOSEC Training and Awareness Products Order Form

INFOSEC Program Management Office, 5113 Leesburg Pike, Suite 110, Falls Church, VA 22041-3204, Attn: Product Distribution
Commercial: 703-681-7944 3476
DSN: 761
Fax: 703-581-1336
E-mail: DODIAETA@ncr.disa.mil
Homepage:

How did you hear about our products? World Wide Web / Word of Mouth / Conference / Class / Other (Specify)

Customer Information: Name, Title, Date, Command/Org/Agency, Dept/Mail Code, Phone, DSN, Address, Fax, City, State, Zip, E-Mail

NOTE: If you have ordered IPMO products before and your address has changed, mark here.

Mark appropriate organization: OSD / Joint Staff / CINC / Army / Navy / Marines / Air Force / Coast Guard / Defense Agency (name) / Non-Defense Agency (name) / Government Contractor (Agency contracting with) / Other

Products are unclassified and available at no cost. Videos may be reproduced for government use only without further permission.

Multimedia CD-ROMs
- Awareness v1.0, DOD or Federal (Select One)
- Operational Information Systems Security (OISS), Vols. 1 and 2, v1.2 (set of two)
- Fortezza Installers Course for Windows NT 4.0
- Introduction to the v1.1
- Information Age Technology v1.03
- for Auditors and Evaluators 04
- Designated Approving Authority (DAA) Basics v1
- CyberProtect v1 (New)
- System Administrator Incident Preparation and Response (SAIPR) for Windows NT v1.1, for System Administrators (New)

Videos
- Understanding PKI, DOD, 13 min
- Networks at Risk, NCS, 10 min
- Information Front Line IW, 10 min
- Bringing Down the House, 11 min
- Computer Security 101, DOJ, 11 min
- Computer Security - The Executive Role, DOJ, 9 min
- Safe Data: It's Your Job, DOL, 19 min
- Think Before You Respond, US Gov, 3 min
- Protect Your AIS, US Gov, 6 vignettes
- Protect Your AIS: The Sequel, US Gov, 30 min
- Dr. Stroye, US Gov, 8 min
- The Scarlet V, US Gov, 7 min
- Exploring MISSI, 10 min

Upcoming Products
- Information Operation Fundamentals - Winter 99 (Multimedia CD-ROM)

To register for the IA Newsletter visit (rev 23 Sept 99)

Thomas Hudson and Michael Maloney

SilentRunner is a network security tool kit recently released by Raytheon. It is a passive, multifunctional network discovery, visualization, and analysis (DVA) system that provides real-time auditing and monitoring. The analytical engine replicates network activity and provides a wide variety of two- and three-dimensional (2D, 3D) views to enhance users' understanding of complex networks.

Operationally, SilentRunner maps topology and displays network data for analysis. It shows network activity and links information concerning each terminal. It also shows both physical and virtual relationships: who contacts whom, communication paths, and traffic flow and density. SilentRunner can play back recorded data sequences for detailed network analysis and can integrate other types of data to provide a complete picture of the activity under investigation. For example, SilentRunner may receive external sensor data inputs and present the inputs in a common view with the network data. External sensor data such as physical security logs, private branch exchange (PBX) logs, and intrusion detection probe data have successfully been assimilated, displayed, and analyzed. SilentRunner can be used for post-intrusion analysis, complementing administrative network security efforts. As described below, the DVA modules use both data and meta-data to perform context analysis on reconstructed information.

SilentRunner's software tool kit has four patent applications pending. The system is composed of six discrete software modules and is available in two versions: laptop computer and enhanced workstation. The software modules are the collector module (CM), knowledge base (KB) data parsing, analytical engine (AE), display, man-machine interface (MMI), and external sensor (ES). The enhanced workstation provides more analytical capability than the deployable laptop and includes 3D display visualization, recorded data playback, and context analysis.

[Figure 1. SilentRunner network view shown in 2-D]

CM is the application's front end. It contains a family of autonomous, passive local-area-network (LAN) monitoring data acquisition tools. Additional tools for wide-area-network (WAN), computer code, and network heuristics are under development. The CM LAN tool collects data, presents 2D displays, and stores the formatted data for the subsequent modules. This very robust module updates the 2D displays and databases in real time while providing packet decoding for up to 2,500 simultaneously active terminals without interfering with the host network (Figure 1). SilentRunner dynamically graphs the network topology, reconstructs sessions for seven standard protocols, and identifies and labels unknown packets. It incorporates operator-definable Boolean queries for alerts and displays network activity levels statistically for individual protocols and terminals on the network.

The KB data parsing module uses a family of algorithms to transform the data stored in CM into formatted categories that the analytical engine modules require. The module currently consists of eight independent selectable functions, with each function having many selectable sub-functions. Major parsing modules are parse, E-mail, join, Web tool, graphics, summing, file tool, and column. Parse formats traffic data into 15 selectable options. For example, parse can sort data by domain, host, Internet Protocol (IP) address, MAC address, and other fields. The join, Web tool, graphics, summing, file tool, and column parsing
modules have similar sorting capabilities.

AE is the dynamic graphic module that accepts data from the KB data-parsing module and presents an array of relational data sets in a 2D display. The module's basic function is to render large (hundreds of megabytes) data files into visual representations that convey meaningful information about the data. This module consists of two distinct sub-modules that run on different platforms. On the laptop, AE operates in a Microsoft Windows NT environment, whereas the enhanced workstation is a Unix platform. Compared with the laptop, the enhanced workstation has a higher central processing unit (CPU) speed, giving it greater analytical power and additional analytical features such as network traffic playback, context analysis of text and graphics.

The 3D display module acquires data from the enhanced AE or KB data parsing modules. The analyst specifies a third axis for display purposes. This module can capture and display in 3D a variety of complex relational data sets that would be obscured by traditional 2D display methods. The module can display a large number of nodes (up to 10,000) simultaneously. The node diagrams are produced by using node implode and explode techniques. The imploded diagram maintains full functionality with respect to every node in the original diagram. Animation of the nodal diagram, a unique feature, permits different types of network traffic to be shown as colored icons as the traffic moves between nodes while the operator rotates the entire node diagram to any position.

MMI and ES are the last two modules in the SilentRunner architecture. The MMI software provides the operator with a user-friendly interface. This module also controls equipment configuration, data collection, data storage, visualization, and analysis. ES integrates external data for DVA purposes.

SilentRunner should complete the National Security Agency (NSA) Security Proof of Concept Keystone (SPOCK) verification by mid-November 1999. SPOCK
verification is conducted by an NSA-sponsored consortium of government system integrators and commercial information security (INFOSEC) solution developers that meet regularly to discuss emerging solutions and enabling technologies. When unique tools like SilentRunner are introduced, the consortium forms a team to verify vendor claims. The final SPOCK report on SilentRunner should be published before year-end. The Raytheon Linthicum office is responsible for developing and sustaining SilentRunner.

Tom Hudson is the Director of Integrated Information Systems with Raytheon Systems Company. A retired Army Intelligence Officer, he received a Masters in Computer Science and Civil Engineering from West Virginia University. He was the Deputy Director of the Army Land Information Warfare Activity (LIWA), 1994-98. He may be reached at thudson @re ro com.

Mike Maloney is the inventor and lead program manager for this project at Raytheon Systems Company. Prior to joining Raytheon, Mike was a Technical Director at the National Security Agency (NSA). While at NSA, he was involved in the design and development of all types of collection and processing systems. In 1978 he received his MS in Engineering from George Washington University, and he has a B.S. in Electronic Engineering from the University of Detroit. He may be reached at m5m@hrb.com.

[Figure 4. SilentRunner network DVA tool]

Mr. Robert P. Thompson, Director, IATAC

The IATAC Steering Committee recently convened to review ongoing activities and provide technical guidance and direction for future IATAC operations. In addition, the steering committee also provides a forum to discuss critical issues, facilitate the exchange of ideas, and build upon the expanding knowledge base for information assurance and defensive information operations. Committee members represent the broad Information Assurance community, to include operations, policy, research and development, and soon to include acquisition elements. As a result of the meeting, IATAC has undertaken several new initiatives to enhance operations and respond to emerging warfighter needs. These initiatives include the following:

Information Assurance (IA) Newsletter
IATAC will transition to electronic distribution of the IA Newsletter. Hard copies of the newsletter will be available upon request and at conferences and symposia.

Collection Activities: Insider Threat
IATAC has increased its collection activities on the insider threat. Collection activities focus on the technology aspect of the insider threat and not necessarily on social engineering or the human element. Specifically, what tools, technologies, or research and development activities are available that can be applied to respond to the insider threat problem?

IA Tools Reports
The scope of the IA Tools Reports (Intrusion Detection, Vulnerability Analysis, Firewalls) will change from its current format of providing descriptions of tools to an improved format that focuses on the evaluation of individual tools. IATAC will provide short descriptions of the tool, reference evaluations conducted by other entities and possibly commercial reviews, and provide an assessment of state of the art for that particular technology.

Technical Network Visualization
Warfighters are inundated with massive amounts of data related to network monitoring and intrusion detection. This data must be fused and cross-referenced with intelligence data as well as technical intrusion data. To address this data fusion problem, IATAC will conduct a survey and develop a state-of-the-art report (SOAR) on visualization technologies and its application to information operations and information assurance.

Technical Report: Defense in Depth
Security architecture associated with Defense-In-Depth requires further definition. IATAC will develop a technical report that focuses on
emerging technologies that support a Defense-In-Depth strategy at User, System Administrator, Enclave, and Network levels.

Technical Report: What is Good Enough Security?
IATAC will develop a report that examines information assurance metrics and security architectures that answer the question, how do you know your security is any good?

For more information on IATAC initiatives, contact Bob Thompson at 703 289 5454 or via e-mail at iatac@dtic.mil.

USSOUTHCOM (continued from page 4)

ture. The system will initially be bilateral between the United States and participating nations (PNs) but can later be expanded to multilateral if all participants agree. Like all the COM information-sharing networks, SCIES is intended primarily to expedite event coordination, promote data sharing between United States and participating nations, encourage bilateral and multilateral data sharing, increase the effectiveness of US support to participating nations' operations, and, most importantly, promote regional cooperation. These networks provide a cost-effective approach to achieving these objectives through the use of information technology to share information and disseminate it to participating nations.

IATAC readers may access AMNET (Americas' Net) at its cyberspace americasnet. The following identifier and password will allow readers access:

user name: iatacguest
password: 67Pm3Rp8

Lt Col Pettigrew is the Chief, Information Assurance Division, Directorate of Command, Control, Communications, Computers and Intelligence (C4I), USSOUTHCOM. He received his BS from King College in Bristol, TN, and his in 1987 from the University of Arizona, Tucson. Lt Col Pettigrew may be reached at pettigij@reddeiasamericas.net.

IAnewsletter
The IAnewsletter will be available for electronic distribution in pdf format beginning with the Fall 1999 issue. Please take a moment and either E-mail iatac@dtic.mil or fax 703 289 5467 your format preference for receiving future issues of the newsletter, including the following information: Full Name, Mailing Address, E-mail Address. I would like to receive: Electronic / Hard copy.

Intrusion Detection Tools Report
This newly updated report provides an index of intrusion detection tool descriptions contained in the IA Tools Database. Research for this report identified 47 intrusion detection tools currently employed and available.

Data Embedding for Information Assurance SOAR
Provides an assessment of the state-of-the-art in data embedding technology and its application to information assurance. It is particularly relevant to information providers concerned about intellectual property protection and access control, information consumers who are concerned about the security and validation of critical information, and law enforcement, military, and corporate organizations concerned about efforts to communicate covertly. The report has been specifically designed for readers who are not experts in data embedding. For those desiring more in-depth information, the bibliography provides an extensive list of authoritative sources from which the reader can obtain additional technical detail.

Computer Forensics: Tools and Methodology
The primary focus of this report is a comparative analysis of currently available software tools that are used in computer forensic examinations. For readers who are unfamiliar with computer forensics, this report provides a useful introduction to this specific area of science and offers practical high-level guidance on how to respond to computer system intrusions. For all readers, however, this report provides a useful analysis of specific products, including their respective capabilities, unique features, cost, and associated vendors.

Firewall Tools Report
This report provides users with a brief description of available firewall tools and contact information. Currently the IA tools database contains 46 firewall tools
that are available in the commercial marketplace.

Malicious Code Detection SOAR
This report includes a taxonomy for malicious software, providing a better understanding of commercial malicious software. An overview of the state-of-the-art commercial products and initiatives, as well as future trends, is presented. The report presents observations and assertions to support the DOD as it grapples with this problem entering the 21st century. This report is classified and has a limited release.

Modeling and Simulation Technical Report
This report, released December 1997, describes the models, simulations, and tools being used or developed by organizations within DOD. Data collection efforts focused on the definitions of Information Operations, Information Warfare, and IA as described in Directives S-3600.1 and 6510.1, as well as the definitions prescribed by DMSO for model and simulation.

Biometrics: Fingerprint Identification Systems
Focuses on fingerprint biometric systems used in the verification mode. Such systems, often used to control physical access to secure areas, also allow system administrators access control to computer resources and applications. Information provided in this document is of value to anyone desiring to learn about biometric systems. The contents are primarily intended to assist those individuals who are responsible for effectively integrating fingerprint identification products into their network environments to support the existing security policies of their respective organizations.

Analysis Tools Report
This report summarizes pertinent information, providing users with a brief description of available tools and contact information. Currently the IA Tools database contains descriptions of 35 tools that can be used to support vulnerability and risk assessment.

Order Form

IMPORTANT NOTE: All IATAC Products are distributed through DTIC. If you are NOT a registered DTIC user, you must do so
PRIOR to ordering any IATAC products. TO REGISTER

Name, Organization, Ofc. Symbol, Address, Phone, E-mail, Fax
Organization: YES / NO (If NO, complete LIMITED DISTRIBUTION section below)

LIMITED DISTRIBUTION
In order for organizations to obtain LIMITED DISTRIBUTION products, a formal written request must be sent to IAC Program Office, ATTN: Sherry Davis, 8725 John Kingman Road, Suite 0944, Ft. Belvoir, VA 22060-6218.
Contract No.
For contractors to obtain reports, request must support a program and be verified with COTR.
COTR, Phone
Technical Reports: Biometrics / Computer Forensics / Modeling Simulation
IA Tools Report: Firewalls / Intrusion Detection / Vulnerability Analysis
State-of-the-Art Reports: Data Embedding for Information Assurance / Malicious Code Detection (TOP SECRET)
Security POC, Security Phone

UNLIMITED DISTRIBUTION
Newsletters (limited number of back issues available): Vol. 1 No. 1 / Vol. 1 No. 2 / Vol. 1 No. 3 / Vol. 2 No. 1 / Vol. 2 No. 2 (soft copy only) / Vol. 2 No. 3 / Vol. 2 No. 4 / Vol. 3 No. 1

Please list the Government that the product(s) will be used to support.
Once completed, fax to IATAC at 703 289 5467.

Calendar

October 31-November 3

Information Systems Security Expo (ISSE '99), Arlington, VA. Call J. Spargo Associates, 703 631 6200.

TechNet Europe 99, Renaissance London Heathrow Hotel.

ShadowCon, NSWC Dahlgren, VA. Call 877 921 0612.

MILCOM 1999: Into the Next Millennium - Evolution of Data Into Knowledge, Atlantic City, NJ.

Fort Lewis/DISC4 Information Assurance Workshop Accreditation Program, Tacoma, WA. Call 877 921 0612.

25th Annual Computer Security Conference & Exposition, Washington, DC, Marriott Wardman Park.

TechNet Asia Pacific 99, Honolulu, HI. Call J. Spargo Associates, 703 631 6200.

December 1-2, 8-9; February 8-10, 9-11

Space & Missile Systems Center Information Assurance Technology Forum, San Pedro, CA. Call 877 921 0612.

The Colorado Springs Military Information Assurance Technology Forum, Colorado Springs, CO. Dec 8th - Schriever AFB; Dec 9th - Peterson AFB. Call 877 921 0612.

DISA 4th Annual IA Workshop, Holiday Inn Hampton Hotel, Hampton, VA.

AFCEA West 2000, San Diego Convention Center, San Diego, CA.

SPACECOM 2000: Space Communications, Key to Information Operations, Colorado Springs, CO. Call Michael J. Varner, 719 590 1051.

InfoSec World Conf & Expo, Orlando, FL. Call 508 879 7999.

Fiesta Informacion 2000, San Antonio, TX. Call J. Spargo Associates, 703 631 6200.

Information Assurance Technology Analysis Center, 3190 Fairview Park Drive, Falls Church, VA 22042