REPORT DOCUMENTATION PAGE Public reporting burden for this collection of information is estimated to average 1 hour per response including the time for reviewing instructions searching existing data sources gathering and maintaining the data needed and completing and reviewing this collection of information Send comments regarding this burden estimate or any other aspect of this collection of information including suggestions for reducing this burden to Washington Headquarters Services Directorate for information Operations and Reports 1215 Jefferson Davis Highway Suite 1204 Arlington VA 22024302 and to the Office of Management and Budget Paperwork Reduction Project 0704-0188 Washington DC 20503 1 AGENCY USE ONLY Leave blank 2 REPORT DATE 3 REPORT TYPE AND DATES COVERED Fall 2000 Newsletter Vol 3 No 4 4 TITLE AND SUBTITLE 5 FUNDING NUMBERS IA Newsletter The Newsletter for Information Assurance Technology Professionals 6 Information Assurance Technology Analysis Center 7 PERFORMING ORGANIZATION AND 8 PERFORMING ORGANIZATION REPORT NUMBER IATAC Information Assurance Technology Analysis Center 3190 Fairview Park Drive Falls Church VA 22042 9 SPONSORING I MONITORING AGENCY AND 10 SPONSORING I MONITORING AGENCY REPORT NUMBER Defense Technical Information Center DTIC-IA 8725 John J Kingman Rd Suite 944 Ft Belvoir VA 22060 11 SUPPLEMENTARY NOTES 12a DISTRIBUTION I AVAILABILITY STATEMENT 12b DISTRIBUTION CODE Approved for public release distribution is unlimited A 13 ABSTRACT Maximum 200 Words IA Newsletter is published quarterly by the Information Assurance Technology Analysis Center IATAC IATAC is a sponsored Information Analysis Center administratively managed by the Defense Technical Information Center DTIC Defense Information Systems Agency DISA Featured in the issue USPACOM Theater Network Operations Ensuring Information Superiority for the 21St Century A Retrospective on Computer Network Defense Where There's Smoke There's Firem Keys to the Kingdom Law Enforcement 
Counterintelligence Support to CND 14 SUBJECT TERMS 15 NUMBER OF PAGES Information Security Information Assurance Global Information 39 Grid PKI 15- PRICE CODE 17 SECURITY CLASSIFICATION I 13 SECURITY CLASSIFICATION 19 SECURITY CLASSIFICATION 20 LIMITATION OF ABSTRACT OF REPORT OF THIS PAGE OF ABSTRACT UNCLASSIFIED UNCLASSIFIED UNCLASSIFIED None rm Ti 4 mm owl-Lil i 20001027 076 Network p ati n5 1 also inside - A Retrospective on Computer Network Defense Where There's Smoke There's - Keys to the Kingdom - Law Enforcement Counterintel- ligence Support to CND REPORT DOCUMENTATION PAGE Public reporting burden for this collection of information is estimated to average 1 hour per response including the time for reviewing inStructions searching existing data sources gathering and maintaining the data needed and completing and reviewing this collection of information Send comments regarding this burden estimate or any other aspect of this collection of information including suggestions for reducing this burden to Washington Headquarters Services Directorate for Information Operations and Reports 1215 Jefferson Davis Highway Suite 1204 Arlington VA 22202-4302 and to the Office of Management and Budget Paperwork Reduction Project 0704-0188 Washington DC 20503 1 AGENCY USE ONLY Leave blank 2 REPORT DATE 3 REPORT TYPE AND DATES COVERED Fall 2000 Newsletter Vol 3 No 4 4 TITLE AND SUBTITLE 5 FUNDING NUMBERS IA Newsletter The Newsletter for Information Assurance Technology Professionals 6 AUTHORIS Information Assurance Technology Analysis Center 7 PERFORMING ORGANIZATION AND 8 PERFORMING ORGANIZATION REPORT NUMBER IATAC Information Assurance Technology Analysis Center 3190 Fairview Park Drive Falls Church VA 22042 9 SPONSORING I MONITORING AGENCY AND 10 SPONSORING I MONITORING AGENCY REPORT NUMBER Defense Technical Information Center 8725 John J Kingman Rd Suite 944 Ft Belvoir VA 22060 11 SUPPLEMENTARY NOTES 123 DISTRIBUTION STATEMENT 12b DISTRIBUTION CODE Approved for public 
release distribution is unlimited A 13 ABSTRACT Maximum 200 Words IA Newsletter is published quarterly by the Information Assurance Technology Analysis Center IATAC IATAC is a sponsored Information Analysis Center administratively managed by the Defense Technical Information Center DTIC Defense Information Systems Agency DISA Featured in the issue USPACOM Theater Network Operations Ensuring Information Superiority for the 21St Century A Retrospective on Computer Network Defense Where There's Smoke There's Fire Keys to the Kingdom Law Enforcement Counterintelligence Support to CND 14 SUBJECT TERMS 15 NUMBER OF PAGES Information Security Information Assurance Global Information 39 Grid 16 PRICE CODE 17 SECURITY CLASSIFICATION 18 SECURITY CLASSIFICATION 19 SECURITY CLASSIFICATION 20 LIMITATION OF ABSTRACT OF REPORT OF THIS PAGE OF ABSTRACT UNCLASSIFIED UNCLASSIFIED UNCLASSIFIED None on the cover USPACOM Theater Network Operations Brigadier General P James D Bryan USA Ia Initiatives A Retrospective on Computer NetworkDefense Major General John Campbell USAF 70 US Special Operations Command Builds New NOSC Major John J Jordan USA Where There's Smoke There's Brian Bottesini Brenda Angerhofer Keys to the Kingdom Captain Robert West USN Law Enforcement and Counterintelligonce Support to CND Special Agent Michael R Dorsey Information Assurance Training at the us Army's Computer Science School Major Mark V Hoyt USA 25 That's NOT My Final Ms Victoria Alkema 26 v Marine Corps Active Computer Network Defense The Changing face of Warfare - - Major Ted Steinhauser USMC Ret Captain Carl Wright USMC Mobile Code Is It Worth the Risk Maj Boyles USAER DISA Home Products Promote IA Worldwide Edward Smith in each is IATAC Chat 3 3 7 IATAC Product Order form 39 Calendar of Events Back Cover tAnewsletter - Volume 3 Number 4 newsletter Editors Robert P Thompson Robert J Lamb Creative Director Christina P McNemar Information Processing Robert F Scruggs Information Collection Page Y Eastman 
Inquiry Services Peggy O'Connor Contributing Editor Ellen Loeb lAnewsletter is published quarterly by the Information Assurance Technology Analysis Center IATAC IATAC is a sponsored Information Analysis Center administrative- ly managed by the Defense Technical Information Center DTIC Defense Information Systems Agency Inquiries about IATAC capabilities products and services may be addressed to Robert P Thompson Director IATAC 703 289 5454 We welcome your input To submit your related articles photos notices feature programs or ideas for future issues please contact IATAC ATTN Christina P McNemar 3190 Fairview Park Drive Falls Church VA 22042 Phone 703 289 5454 Fax 703 289 5467 703 289 5462 E-mail iatac@dtic mil URL Cover and newsletter designed by Christina P McNemar Distribution Statement A Approved for public release distribution is unlimited http lliac dtic milliatac Ensuring Information Superi- ority for the 21 Century We are not smart enough to predict the future so we have to get better at reacting to it more quickly General Electric adage Information superiority en- ables the realization of Joint Vision 2010 concepts by trans forming the traditional battle- field functions of move strike protect and sustain into the op erational concepts of dominant maneuver precision engage- ment full-dimensional protec tion and focused logistics These emerging operational concepts are presumed to take advantage of particular ad vances in sensor-to-shooter link- ages and general advances in computing and information transport The resulting con struct gives us a glimpse of net- work centric warfare a concept that asserts that in the future the primary means of generating and sustaining combat power will be a seamless joint network of sensor information and en gagement grids that links sen sors command and control C2 centers and shooters This seamless global information grid GIG will implement network- centric warfare concepts of speed of command self syn- chronization and 
massed ef fects It is also a critical precur- sor to a knowledge centric force in which context and content co ordination enhance C2 to enable decentralized decision making Iliac dtic milliatac and opera- tions The movement from a plat form-centric to a network-cen- tric warfighting environment however will increase the num- ber of users nodes and links significantly increasing demand on computers and data net works This explosion of command control communications com puters and intelligence C41 re quirements will increase the de- mand and criticality of network troubleshooting network man- agement dynamic bandwidth management information and network protection and spec trum management These func- tions will move from their tradi- tional low visibility support role to a critical high-visibility warfighting capability In short the network will become a weapon system and should have a command relationship com- mensurate with that of normal operational forces 2 1 5 Century War- ghting Environment Whereas warfare in past con flicts was often a sequence of semirindependently unfolding events that could be planned for at a deliberate pace future con ict will be conducted at an un- precedented pace with great flu- idity The 21$t century war- fighting environment will re quire a new mentality for mas IAnewsletter tering the command of a vast array of forces operating at these greater speeds over larger spaces The campaign of the fu- ture will consist of a seamless web of interdependent actions conducted in parallel rather than a sequence of independent actions This new technology- driven approach to warfare will require new processes and orga nizations The enhanced mili- tary capabilities of speed range unprecedented accuracy lethal ity and strategic mobility ex- pressed in Joint Vision 2010 are predicated on United States achievement of information su- periority However the rapid ad vances in computer processing and information transportation technologies that are the 
foun- dation of information superiori- ty are creating new vulnerabili- ties and challenges for the US military Foremost among these challenges is the need to man - Volume 3 Number 4 Brigadier General P James D Bryan USA Commander JTF-CND and Vice Director DISA Mr Patrick Gonnan age the explosion of information and proliferation of networks while protecting both the infor- mation and the networks that carry it The increased emphasis on achieving information superiori- ty is causing a proliferation of complex webs of interdepen dent links and an explosion in the number of computers and data voice and video networks supporting the warfighter The movement toward split-based operations in which many warfighting functions are per formed in the rear in support of more agile forward based forces is blurring the lines between joint task force JTF forces net works and base post camp and station command control communications and computer C4 systems Moreover this greater dispersion and increased connectivity will demand an un- precedented amount of band width both wired and wireless to support joint and coalition military operations The complexity of the future warfighter's network demands will be compounded by the po tential fragility of the global net worked environment ELIGIBLE RECEIVER the first large-scale exercise to test our ability to re spond to an attack on our infor mation infrastructure demon- strated that hostile forces could penetrate the national infra- structure and networks and could affect DoD s ability to perform certain missions These findings were validated in 1998 by Solar Sunrise a series of at- tacks targeting DOD network do- main name servers Both BLE RECEIVER and Solar Sunrise clearly demonstrated that in the current interconnect ed environment everyone in resides in a shared risk en- IAnewsletter - Volume vironment In a networked world an event anywhere even- tually reaches everywhere through ripple effects The demands of the future warfighting 
environment and the explosion in both number of users and level of connectivity are leading to the following trends Greater Complexity The sheer number of systems nested within systems makes it difficult to readily isolate and understand events detere mine cause and effect and select appropriate courses of action 0 Greater Interdependency w Information ows and net works that previously were relatively isolated along orga- nizational lines have become interdependent because of the demand for fully integrat- ed joint operations and the drive toward C41 interoper ability - High Tempo Improved in- formation processing systems and networking capabilities have significantly decreased decision time and increased the operations tempo forcing the Joint Force Commander to rapidly sense decide and respond to his environment with minimal delays Timely and assured information delivery is no longer a luxury but a critical warfighting necessity providing a com- petitive edge in warfare - Decreased Predictability - Increased global-level com- plexity and interdependence and rapid rates of technologi cal change make it difficult to prepare and plan for unfore seen events through tradition al organizations and proce dures The competitive advantage will now go to 3 Number 4 those who can quickly and accurately anticipate and respond to rapidly unfolding events The 215 century warfighting environment demands new ca pabilities to improve the agility speed and accuracy of the oper ational forces Achieving inforv mation superiority is at the core of these capabilities and provid- ing assured delivery and pro- tected information is critical to obtaining information superiori- ty Commander's Challenge failure in one part of the infrastructure affects the deli- cate and complex balance of the entire interconnected system Unfortunately the number of these types of events seems to be increasing at the same rate as our reliance on information technology Mr Arthur L Money Assistant Secretary of 
Defense for Command Control Communications and Intelligence C31 Operational Challenge The emerging network cen- tric warfighting environment and the advent of knowledge centric decision making has caused the Defense Information Infrastructure DII to evolve into a complex web of informa- tion processing and transport systems which are monitored and controlled by different orga- nizations from geographically dispersed locations Under these circumstances it is very difficult for combatant commanders like the Commander in Chief US Pacific Command PAC to maintain cognizance over the various critical infor- mation systems and networks that support operations in their http Iliac dtic milliatac theaters Unfortunately the number and complexity of the networks that can provide infor mation to a theater are rapidly outstripping our ability to man- age those networks protect them against intrusions and at tacks and effectively manage available bandwidth Currently the Commander in Chief CINC has only limited ability to View the status and performance of the theater in formation grid and has no fusion and analysis ability to deter- mine potential joint operational impacts of network outages and attacks no dynamic ability to determine action alternatives and no established C2 structure for prioritizing and executing a theater-wide response to net- work failures and attacks Desired Operational Capabilities Joint Vision 2010 defines in formation superiority as the ca pability to collect process and disseminate an uninterrupted flow of information while ex ploiting or denying an adver- sary's ability to do the same Achievement of information su periority is based on meeting three primary challenges Bat- tlespace awareness J2 infor- mation operations J3 and in formation transport and processing J6 Information transport and processing ITP also comprises four desired op- erational capabilities DOC as surance capacity interoperabil- ity and information management - Assurance DOC 
Defending against informa tion threats and providing the warfighter with high quality information services when needed to meet the dynami http Iliac dtic milliatac cally changing demands of the future - Capacity DOC ITP-Z Providing the warfighter with a flexible adaptive network to transmit and receive the right volume of information at the right time and the right place - Interoperability DOC 3 Providing universal trans- action services that allow the warfighter to exchange and understand information unimpeded by differences in connectivity or language on a real-time basis regardless of location Information Management DOC Managing an assured real-time scalable information flow throughout the infrastructure A key to meeting these chal- lenges is the global information grid described in more detail below However the current stovepiped environment which is characterized by scores of sep arately managed noninteroper- able networks with varying lev els of network management configuration management and information protection makes it difficult to visualize manage and protect this grid with any degree of effectiveness or effi ciency Moreover management of most of the networks that compose the GIG is conducted as an administrative rather than an operational function with uncertain chains of command Most of the associated technolo gies and procedures re ect a Service centric rather than a joint network-centric warfight ing perspective NETOPS Background In order for the US to exert to the maximum extent possible the power of our military forces in future operations all military IAnewsletter entities and functions must be part of a common integrated in formation in astrudure Defense Science Board 1998 Summer Study Task Force on Joint Operations Superiority in the let Century Global Information Grid The DII together with its sup- porting policies plans and pro- grams was conceived in the early 19903 to align basic infor- mation processing and transport services with DoD's 
functional area applications and common applications The alignment was intended to improve the ability to execute joint military opera tions and the efficiency of key underlying mission support tasks However achievement of information superiority and other operational tenets of Joint Vision 2010 requires a new as- sured network centric and knowledge centric paradigm that treats information as a criti- cal warfighting resource The need for an affordable interop erable protected information grid is emphasized in the 1996 Information Technology Man- agement Reform Act ITMRD also known as Clinger-Cohen the 1997 Quadrennial Defense Review QDR and Presidential Decision Directive 63 PDD Critical Infrastructure Protec tion CIP The GIG is an C31 initia- tive aimed at improving security and interoperability while re ducing costs by moving from an infrastructure DII to an enter prise GIG approach to achieve information superiority The GIG is envisioned as a globally interconnected end to end set of information capabilities asso ciated processes organizations and personnel for collecting processing storing disseminat Volume 3 Number 4 ing and managing information on demand to warfighters poli- cy makers and support person- nel The GIG includes all owned and leased communications and computing systems and ser- vices software including appli cations data security services and other services necessary to achieve information superiority It provides capabilities from all Ihe Watch Officer in the Pacific Command Iheater C4ISR Coordination Center T during the Y2K rollover operating locations including bases posts camps stations fa- cilities mobile platforms and deployed sites The GIG initiative is divided into three thrust areas re sourcing the enterprise aligning the technology base and enter prise operations Enterprise op- erations are composed of com- puting and communications networks computing and in teroperability and enterprise management network manage ment information 
dissemina tion management and informa- tion assurance Guidance and policy memorandums have been created for each of the three thrust areas Network Operations Network operations OPS is a Joint Chiefs of Staff JCS C4 initiative to institutionalize networks as a warfighting resource under IAnewsletter - Volume CINC combatant command au- thority At its heart is an organi- zational procedural and tech- nological construct for ensuring information superiority and en- abling speed of command for the warfighter NETOPS will link widely dispersed network opera tions centers through a com mand and organizational rela- tionship establish joint tactics techniques and procedures to ensure a joint procedural con struct and establish a technical framework to create a common network picture for the Joint Force Commander Functional- ly NETOPS is a theater wide ap- proach to providing assured net work access assured infor mation and network protection and assured information deliv ery at the strategic operational and tactical levels through a co- evolution of doctrine processes and technology The goals of 6 NETOPS are as follows - Establish C4I network man agement and network defense as ongoing military operations - Provide the unified CINCS with network situational awareness - Implement control and man agement capabilities that achieve end to-end distrib- uted control while providing a common view and joint use of network management infor- mation - Implement positive control over and security of net- works through a network operations hierarchy - Provide the unified CINCs with authoritative direction over network resources in coordination with Defense Information Systems Agency DISA and the Service Components of the Unified 3 Number 4 Command as a function of the GIG Theater Network Operations is the C31 and pilot program established to develop the organizational procedural and technological construct for implementing NETOPS across the US Pacific Command PACOM area of operations The 
implementation of NETOPS at USPACOM is already providing lessons concerning the pro- posed constructs it will also as- sist in determining resource im- plications for managing the operational environment in this manner with an to applying similar concepts and lessons across DOD A primary goal of USPACOM NETOPS is to opera tionalize and professionalize the network by using a tiered com- mand relationship within the combatant commander's The ater Information Grid TIG NETOPS Functional Elements Network operations is defined as the ability to monitor coordi nate manage and control the GIG through a three-tiered com mand hierarchy It comprises three mission areas telecom munications network manage- ment TNM for assured net work availability information assurance IA for assured in- formation protection and infor mation dissemination manage- ment IDM for assured information delivery to the right person at the right place at the right time This comprehensive ability will manifest itself in an organizational procedural and technological framework that al lows the CINC J6 to effectively execute CINC priorities while fulfilling tasks identified to sus- tain the GIG http Iliac dtic milliatac Telecommunications Network Management T NM TNM includes the range of transmission systems wired and wireless that carry voice data and video throughout the theater It includes switched net- works Internet Protocol IP based data networks video tele- conferencing VTC networks satellite communications SAT- COM networks wireless net- works and intelligence commu- nity networks that support intelligence surveillance and reconnaissance functions The major components of TNM are network management SATCOM management and frequency spectrum management - Network management corn- prises all measures necessary to ensure the effective and efficient operation of net worked systems The goal of network management is to provide the services and applications of a networked system with the desired level of 
quality and to guarantee availability and a rapid exi ble deployment of networked resources Network manage- ment comprises the functions of fault configuration accounting performance and security FCAPS manage- ment SATCOM management is the day to day management of all apportioned and nonappor tioned SATCOM resources including appropriate support when disruption of service occurs - Frequency spectrum manage ment ensures that the CINC and subordinate commanders have cognizance over all spec trum management decisions that affect the area of opera- tions Spectrum planning and management involve the effi cient employment of the elec- tromagnetic spectrum including acquisition alloca- tion assignment protection and utilization of radio fre- quency resources This includes cognizance over the automated distribution of management products such as the Joint Standard Operating Instructions JSOI This function is per formed by all military Services sub unified com- mands and JTFs Planning at the installation level at over seas locations frequently includes host nation coordina tion information Assurance IA IA capabilities help ensure the availability integrity identi- fication authentication confi dentiality and nonrepudiation of friendly information and in formation systems while deny ing the adversary access to the same information and systems These capabilities reside throughout the TIG As a subset of Defensive Information Oper ations DIO IA includes pro- viding for restoration of infor mation systems by incorporating protection detec tion and response capabilities Protection capabilities include communications security COMSEC computer security COMPUSEC and information security INFOSEC devices such as network guards and fire- wall systems that are used by all transport and service providers in the theater Detection in- cludes the ability to sense ab normalities in the network through use of intrusion detec- tion systems Timely attack de- tection is key to initiating net 
IAnewsletter work restoration and response capabilities Response incorpo rates restoration as well as other information operations re sponse processes Capability restoration relies on established mechanisms for prioritized restoration of the minimum es sential networks information Dissemination Management IDM IDM provides the right infor mation at the right place at the right time in accordance with the commander's policies and optimizing use of information infrastructure resources It is a subset of information manage- ment that addresses awareness of access to and delivery of in formation IDM involves the safeguarding compilation cata loging storage distribution and retrieval of data manages infor mation flow to users and en- ables execution of the comman der's information policy IDM divides information into two types planning and sur- vival Planning information is used to determine future action and is generally not time sensi- tive It is used by planners and decision makers throughout the battlespace and is normally stored in databases Web pages or files Survival information is extremely time sensitive and re quires immediate action such as attacking the enemy avoid ing attack and preventing fratri- cide Survival information is normally forwarded over tacti- cal networks and datalinks to tactical commanders and indi vidual weapon systems NETOPS prescribes a tiered organizational task structure corresponding to the levels of war established in the Universal Joint Task List UJTL National Volume 3 Number 4 Theater Operational and Tacti cal This approach provides a network C2 structure that corre- sponds to existing C2 structures for operational forces in the the- ater However the following core capabilities should exist at each level a C2 capability that can respond to and report net- work outages and attacks the ability to operate and manage the information transport infra- structure the ability to operate and manage information ow and the ability to operate and 
manage information and net- work defense systems NETOPS Implementation Ynfonnation is like eggs the fresher the better General George S Patton The central problem is not collecting and transmitting in- formation but it for the decision maker v Richard Burt former Ambassador to West Germany and former Assistant Secretary of State for Europe Approach USPACOM NETOPS imple mentation is based on a spiral phased development approach with three planning horizons near term mid-term and far- term Near-term planning focus es on achieving essential opera tional capabilities the ability to perform today's mis- sion to support the CINC and JTF commanders Tasks in this planning phase are stop gap measures to obtain situational awareness over the theater in- formation grid and to imple ment a command relationship over subordinate network oper ations centers Mid term plan- ning focuses on achieving the desired operational capabilities described in Joint Vision 2010 IAnewsletter - Volume Information Transport and Pro- cessing This phase employs a' network centric approach to bring together the disparate technologies and capabilities in a coordinated manner Far-term planning aims to achieve Revo- lution in Military Affairs RMA related capabilities and focuses on current Defense Advanced Research Projects Agency DARPA technology and planned process reengineering to create an enterprise wide net work operations and security ca pability The goal is a knowl edge centric capability that will allow the CINC to command the TIG Implementation of PACOM Theater Network Operations links near-term essential opera tional needs to far-term future operational capabilities in each of the NETOPS functional areas telecommunications network management information as surance and information dis semination management Near-Term Goals and Objectives The near term O to 18 months goal is to make net work IA and information appli- cation status visible to the CINC The principal focus in this phase is to 
create a network common operational picture NETCOP that provides end-to end visibili- ty of mission-critical networks and information systems The near term phase focuses on in corporating existing organiza- tions and procedures into a coor dinated theater-wide capability The near term relies heavily on leveraging existing technologies either already in place or pro grammed for fielding to provide an essential operational capabili- ty within an 18 month planning horizon Near term objectives are as follows- 3 Number 4 Create a common view of the- ater-wide network IA and application Global Command and Control System status through a NETCOP Observe - Implement the ability to quickly understand potential operational impacts of net- work outages degradations and attacks through a TIG mission-critical database Orient - Develop course of-action techniques to aid in the deci- sion-making process Decide - Institute a C2 mechanism to coordinate theaterwwide re- sponse to network outages degradations and attacks Act Mid-Term Goals and Objectives Mid term 0 to 36 month goals are to implement the de sired operational capabilities es tablished by Joint Vision 2010 defend against information as surance IA threats provide the warfighter with a exible adapt able network for transmitting and receiving the right volume of information at the right time and the right place and manage an assured real time scalable information ow throughout the infrastructure IDM The aim is to create a network centric infrastructure that uses interoperable network and information management and protection tools and em- ploys standard processes to en- able near real time collaboration and response capabilities Mid- term objectives are as follows - 0 Create an integrated view of network IA and C2 applica- tion status through the inte- grated NETCOP I-NETCOP Observe ills 35mm Network tenured intentional lethality heighten iriiurmstigm Putters lite - Link the TIC mission critical systems database to COP 
Orient - Develop semi automated course-of action decision sup- port tools to decrease decision time and increase decision accuracy Decide - Implement a virtual collabo ration capability linking geo- graphically dispersed network managers to decrease imple- mentation time Act Far-Term Goals and Objectives Far-term 0 to 60 month goals are to implement future opera- tional capabilities that enable knowledge-centric enterprise in formation management and pro tection capability across the the- ater This capability includes seamless and interoperable net work IA and information visi- bility using standardized tools and enterprise level processes The ability to command the the- ater information grid is predicat- ed on the ability to merge plan ning and survival information management through an enter- prise-wide network and informa- tion management system Far- term objectives are as follows- - Create an integrated view of network IA application and operational GCCS status that Iliac dtic milliatac is scalable and accessible across the theater at all eche- lons Observe and Orient - Integrate automated course of action decision-support tools and virtual collaboration sys tems to support a near-real- time analysis and collabora- tion capability Decide and Act Conclusion 341 successfully adapting sys- tems have something in com- mon they transform apparent noise into meaning faster than apparent noise comes at them Stephan Haeckel Director of Strategic Studies IBM Advanced Business Institute The ability to implement a joint communications grid with adequate capacity resilience and network management capa bilities to support the opera- tional concepts of Joint Vision 2010 is key to achieving informa- tion superiority As recent oper ations in the Middle East Desert Fox Europe Kosovo and the Pacific have demonstrated the lack of real-time visibility and control of networks manual and latent network management ca pabilities and a fragmented IA architecture have emerged as 
significant operational challenges to support of the warfighter. NETOPS is an attempt to provide organizational, procedural, and technological solutions to these challenges in order to achieve information superiority. The basic goal of NETOPS is to improve overall performance through more timely reporting and responses to network attacks and failures, enhanced situational awareness of network and IA status, and improved decision making. These collective improvements should increase the effectiveness, efficiency, and robustness of the GIG. NETOPS will ensure greater coordination, management, and control capabilities that will allow end-to-end distributed control while providing a common view and joint use of theater information processing and transport assets.

Brigadier General (P) James D. Bryan is the Commander, JTF-CND, and Vice Director for DISA. He was most recently Director for Command, Control, Communications, and Computer Systems, USPACOM, Camp H. M. Smith, Hawaii. He graduated from Jacksonville State University with a BS in Education and was commissioned as a Second Lieutenant in the Regular Army. He earned his Master of Adult Education degree from North Carolina State University and was inducted into the Phi Kappa Phi National Academic Honor Society.

Patrick German is a Program Manager for the Pacific Network Operations initiative at Camp H. M. Smith, Hawaii. He graduated with a BA from the University of Maryland and an MA from the George Washington University. He may be reached at

Endnote

1. Statement before the Senate Armed Services Committee, Subcommittee on Emerging Threats and Capabilities, "Information Warfare and Critical Infrastructure Protection."

A Retrospective on Computer Network Defense

Major General John Campbell, USAF, Central Intelligence Agency

I recently relinquished command of the Joint Task Force-Computer Network Defense (JTF-CND) to Brigadier General (P) James D. Bryan, US Army. Dave's dual assignment as CJTF-CND and Vice Director for the
Defense Information Systems Agency (DISA) follows his most recent assignment as the J6 for US Pacific Command (PACOM). With his communications background and recent experience in a command with one of the most active information assurance (IA) programs in the Department of Defense (DOD), Dave is exactly the right person to take command of the JTF-CND. As I leave, I thought it would be useful to share some of my observations about where we've been, where we are, and where we need to go to continue to strengthen DoD's cyber defenses.

We have made some real progress in the past 2 years. To use a tired metaphor, the glass is definitely more than half full, but the empty part represents a significant challenge. Although I am convinced that the real threat we must prepare for remains the organized, structured, well-resourced, state-sponsored attacker, it is clear that the danger from the individual hacker is increasing and represents a real concern for the security of DOD networks. We are increasingly seeing sophisticated tools and techniques that can not only cause significant damage in their own right but also cause us to adopt defensive measures that amount to self-inflicted denial of increasingly critical network services.

I would like to take a moment to look back at some key events that have shaped DoD's approach to this mission area and at some of the significant decisions resulting from those events. For good or bad, we have made progress in CND primarily when events have demonstrated that a serious threat exists. But even in these cases, progress has not come easily. Determined leadership by a few key individuals, most of all former Deputy Secretary of Defense (DEPSECDEF) John Hamre, has helped us overcome organizational inertia and institutional bias, which have slowed development of an effective DoD-wide defensive structure.

Watershed Events

Although our cyber vulnerabilities had been recognized before, exercise ELIGIBLE RECEIVER 97 (ER97) in June 1997 clearly demonstrated our
lack of preparation for a coordinated cyber and physical attack on our critical military and civil infrastructures. The timing of ER97 resulted in incorporation of many of its observations into the October 1997 Report of the President's Commission on Critical Infrastructure Protection (PCCIP). This report recognized the growing vulnerabilities of the nation's critical infrastructures, including telecommunications, banking, transportation, and government services. The PCCIP report also influenced the development of Presidential Decision Directive 63 (PDD-63) in May 1998, which set goals for securing the national infrastructure, established a national structure to manage challenges, recommended a national center to warn of and respond to attacks, required the Government to serve as the model, and sought voluntary private-sector participation in critical infrastructure protection.

The observations of ER97 and the PCCIP were reinforced in February 1998 when a series of cyber intrusions called Solar Sunrise generated significant concern about the security of DoD's networks. Although these intrusions were eventually traced to teenage hackers in northern California, Solar Sunrise clearly demonstrated the reality of what previous exercises and studies had predicted. Most important, Solar Sunrise clearly demonstrated that we had not answered the basic question: Who's in charge of the defense of DOD networks and systems?

Several significant decisions resulted from these events. In the interagency arena, the foundation was laid for the formation of the National Infrastructure Protection Center (NIPC). NIPC is sponsored by the Department of Justice (DOJ) and the Federal Bureau of Investigation and includes representatives of DOD and other departments of the Federal Government. Although the NIPC has received some criticism for its law-enforcement-centric approach, DOJ deserves credit for stepping up to the plate and sponsoring this badly needed capability. On
the DOD side, staffing originating with the ER97 observations and reinforced by the Solar Sunrise activities culminated in December 1998 in a recommendation by the Chairman of the Joint Chiefs of Staff (CJCS), approved by the Secretary of Defense (SECDEF), to establish the JTF-CND. The SECDEF charter, signed December 4, 1998, tasked the JTF-CND with coordinating and directing the defense of DOD computer systems and computer networks. The JTF opened its doors in December 1998 and achieved full operational capability in June 1999. While the JTF is physically located at DISA headquarters and DISA provides significant logistical and technical support, DISA is not in the JTF chain of command.

It is important to recognize that the JTF-CND was designed originally as a gap-filler organization, that is, to quickly field a defensive capability pending thorough staffing, via the Unified Command Plan (UCP) process, of the proper long-term responsibility for CND. As most know, UCP99 assigned the CND mission, effective October 1999, to the US Space Command (USSPACECOM). Several organizational constructs were considered in building the USSPACECOM CND implementation plan. The Commander in Chief, US Space Command (CINCSPACE), eventually decided to retain the JTF-CND as his operational command for CND while building a long-term, robust CND capability at Colorado Springs to perform strategic planning, analysis, and resource functions.

It is worth noting that the JTF headquarters has relatively little organic capability, with only 24 authorized positions. We perform our mission by leveraging the capabilities of our components: the DISA Global Network Operations and Security Center (GNOSC), the DOD Computer Emergency Response Team (CERT), and our four service components. The components provide the real capability for reporting, analysis, and execution of remedial actions. Additionally, the augmentation provided to our intelligence and law enforcement sections has significantly improved our capabilities. Recognizing
the significant activity under way at USSPACECOM headquarters, I would like to briefly discuss the progress of the JTF-CND and offer some observations about the state of the CND mission.

Successes

JTF-CND provided DOD with a focal point for dealing with cyber threats and answered the "Who's in charge?" question. During the Melissa virus incident in March 1999, the JTF-CND, in cooperation with the DOD CERT, was able to quickly assess the threat, develop a defensive strategy, and direct appropriate defensive actions. Where damage to the private sector totaled in the hundreds of millions of dollars, DOD experienced relatively little effect and no operational impact. After assumption of command of the CND mission by USSPACECOM, two other events demonstrated the value of centralized responsibility and authority: the February 2000 distributed denial of service (DDOS) attack, which by most estimates slowed the Internet by 20 percent and shut down a number of the most popular Internet sites, including Yahoo and eBay among others, and the May 2000 Loveletter worm, estimated to have cost billions worldwide. These attacks vividly demonstrate the increasing ability of an individual hacker to cause significant damage to the worldwide cyber infrastructure. In the case of the DDOS event, DOD was not directly targeted, but the organization we have developed allowed us to maintain situational awareness of the attack's progress and to ensure that we understood the status of DOD systems. In the case of Loveletter, although we were initially caught off guard by the speed of the developing attack, we were able to provide CINCSPACE with an assessment of the situation and to direct proper remedial actions to minimize damage to DOD. In this case, as in the Melissa incident, DOD suffered no operational impact, although significant numbers of users suffered self-inflicted denial of service because of initial actions, including disabling E-mail services and disconnecting from the Internet.

The Melissa, DDOS, and
Loveletter incidents clearly demonstrate the increasing threat that individual hackers represent to DoD's business processes and even its command and control systems. In consideration of this threat environment, I would like to offer some thoughts on the current state of CND and where we need to improve.

CND Is a Partnership

Effective CND must be a partnership between network operations, law enforcement, and intelligence. Before 1998, these communities operated independently, with little strategic perspective or coordination. The formation of the JTF-CND provided a nexus for cooperation and an operational focus, and assignment of mission responsibility to CINCSPACE further emphasized the importance of our networks as weapons systems. The intelligence and law enforcement communities have invested significant resources in the CND mission, and the command, control, communications, and computer (C4) community is emphasizing the network operations (NETOPS) concept, which gives regional warfighters greater visibility and control over their networks. We need to make sure this partnership remains balanced; too much emphasis on one area will come at the expense of others. Within the JTF-CND we have a law enforcement/counterintelligence center, which is staffed full-time by representatives of the service and defense law enforcement organizations. We also maintain a robust intelligence section with liaison officers from the Defense Intelligence Agency and the National Security Agency who can tap the resources of the intelligence community. These resources and capabilities, combined with the NETOPS expertise of DISA's Global Network Operations and Security Center and the DOD CERT, give us an effective CND team.

Senior Leadership Emphasis Is Critical

Effective CND is hard work. It requires people and effort and competes with other activities. In this process, the NETOPS/intelligence/law enforcement team will properly respond to the priorities
established by senior leadership. I am encouraged by the emphasis that the senior uniformed and civilian leadership of the department, from the CJCS and service chiefs through the senior communicators to field commanders, are placing on such things as Information Assurance Vulnerability Alert (IAVA) compliance and the Information Operations Condition (INFOCON) process. As an example, the Air Force now treats network incidents like aircraft accidents, with a formal investigation and a report to the responsible commander. This process recognizes the critical nature of our information systems by treating them like other weapons systems and providing commanders with the same degree of visibility and control.

The Role of Law Enforcement and Counterintelligence

Law enforcement and counterintelligence have critical roles in DoD's computer network defense. Because the law assumes that an intruder into DOD systems is a U.S. citizen and is entitled to the rights provided by U.S. law and the Constitution, almost every cyber incident is initially investigated as a law enforcement problem. Although this does not prevent DOD from taking aggressive action to protect its networks and systems, it does limit the role of intelligence agencies and requires investigative actions to be conducted in accordance with the laws protecting individual rights. This makes a close relationship with the law enforcement community very important to the nation's overall CND effort. Recognizing this need, DoD's Defense Criminal Investigative Organizations (Air Force Office of Special Investigations (AFOSI), National Crime Intelligence Service (NCIS), Defense Criminal Investigative Service (DCIS), and US Army Criminal Investigation Department (USACID)) and US Army Military Intelligence volunteered to provide a team of law enforcement officers and counterintelligence officers to staff a law enforcement/counterintelligence center at JTF-CND headquarters. With the exception of one rotating officer who acts as a liaison to
the CJTF, the law enforcement/counterintelligence team members report individually to, and receive direction from, their service command structures and maintain the confidentiality required by their investigative processes. The Law Enforcement/Counterintelligence Center allows us to coordinate overall activity, maintain awareness of the progress of investigations, and coordinate activities across multiple services and agencies. The law enforcement expertise that these officers provide also gives us a much closer relationship with NIPC than we would otherwise have had. The law enforcement/counterintelligence relationship is one of the real success stories of the past year.

The Threat Environment

The most recent DDOS and virus incidents are a good news/bad news story. The bad news is that these incidents happen and they are incredibly fast and destructive. The good news is that we have a process for responding to such incidents and that our response is improving. Despite the good news, we need to take several steps to better position ourselves for responding to fast-spreading viruses and other attacks.

- Early Warning. We need an early warning network designed to detect and report events like viruses that are likely to "follow the sun," or spread westward with the workday. One way to do this is to use the Y2K model, with DOD organizations in the western Pacific and Europe acting as the early warning sensors. This early warning capability will provide us with a few hours of preparation time before the start of the business day in the continental United States.
- Rapid Notification. We need a way of rapidly notifying DOD organizations of significant cyber events, just as we do for other time-sensitive events. A quick reaction teleconference system is probably the answer, and in fact USSPACECOM is developing such a process. In addition, if we are to be prepared for serious virus events, we must also be prepared for some false alarms.
- Involving the Private Sector.
We need to involve the private sector in the early warning process. Just as DOD has worldwide organizations that can serve as early warning sensors, so do many private-sector organizations with global operations.
- Virus Protection. We need standard virus protection measures that we can invoke in response to viruses. One thing we should not do is preemptively disconnect E-mail systems or sever access to the Sensitive but Unclassified Internet Protocol Router Network (NIPRNET). Because more and more of our administrative and support systems depend on E-mail connectivity, disconnecting from these systems amounts to a self-inflicted denial of service, which should be used only in extremes. We need more applications that are more virus resistant and better awareness of the virus threat. A few software improvements, such as controlling mass E-mailings, would go a long way toward preventing the spread of viruses.

Private-Sector Information Sharing

Government and the private sector need the ability to share information about ongoing attacks, system status, and defensive and remedial actions, for several reasons. First, we need to work together to enable early detection of viruses and worms, where a quick reaction is critical to damage limitation. Second, we need to exchange information in order to assess the scope and intent of a cyber attack. ER97 demonstrated the interrelated nature of the infrastructures of DOD and the private sector. We need to be able to rapidly understand the big picture spanning both the federal and the private sectors. Third, DOD shares common systems and common vulnerabilities with the private sector, including an increasing reliance on Web-based communications and commercial software systems. Finally, we in DOD must be able to pool resources with the private sector to develop defenses when a cyber event occurs. The Information Sharing and Analysis Center (ISAC) concept laid out in the national PCCIP plan is a start; today we have
ISACs for banking and finance and for telecommunications, and we are developing close bilateral relationships with them. But ISACs are needed for all the critical infrastructure sectors, with an aggressive information-sharing process through the NIPC. Some new legal protection, like that provided for the Year 2000 (Y2K) rollover, may be required for the participating ISAC members. There is legislation pending that would provide this.

CND versus CNA

As we allocate scarce resources between computer network attack (CNA) and CND, we need to ensure we tackle the basics first. While CNA holds out great long-term possibilities, we need to get the CND piece right first. My reason for this viewpoint is twofold. First, while we can pick the time and place for execution of CNA, we have to protect our networks across the Defense Information Infrastructure (DII) all the time. Second, the consequences of failure are greater for CND than for CNA. Today CNA is a marginal, albeit growing, capability, and the failure to execute it well, or at all, will not be a deciding factor in the next conflict. However, our ability to mobilize, deploy, and employ our combat forces depends on the computer networks of the DII. Command and control, logistics, transportation, medical, personnel, and general administrative and support systems depend on the connectivity provided by the DII networks. Failure to defend them carries the risk that we will not be able to get our forces to the fight, employ them once they are engaged, or support them in the field.

That said, CND and CNA are inextricably related, and to do either well requires an appreciation of the other. Therefore, I believe it is important to maintain a close relationship between these areas. First, the techniques we use as offensive tools may someday be used against us, so offense and defense must be coordinated. We can do a better job of defense if the defenders understand offensive tools and techniques. In addition, we eventually will need
to expand our defensive capabilities to include active defense or counteroffensive tools capable of taking the fight back to the attacker. Today, legal and policy restrictions limit our ability to use even the limited technical capabilities we possess, but eventually, as those capabilities improve, we will need a commensurate operational command and control structure and an appropriate legal and policy environment.

Policy and Regulatory Requirements

The legal and policy environment in which we operate is complex and constantly evolving. Lt Col Charlie Williamson, my Staff Judge Advocate, recently published an article in the IAnewsletter (Volume 3, Number 1) that provides a good overview of this sensitive area. Some imperatives are immediately obvious. First, we need international agreements for expeditious pursuit of those who have violated the law. Second, we need authorities to allow law enforcement agencies to rapidly conduct electronic surveillance of those involved in cyber attacks. We also need legislation to encourage information sharing between the Federal Government and the private sector, in particular to protect proprietary information and shield sensitive information from Freedom of Information Act (FOIA) requests. Finally, in DOD we need to work with the policy and legal process to secure a more active electronic defense, including appropriate rules of engagement. We have been actively involved in discussions with DOJ since ER97, and several legislative initiatives are on the Hill today, so we are making progress, but slowly.

Common Operational Picture (COP)

As we operationalize and normalize CND, we will have an increasing need to provide the warfighter with a real-time picture of the electronic battlespace so that he or she can understand and visualize the status of networks and quickly develop and execute courses of action to defend them. We have called this effort the information assurance common operational picture (IA COP) and,
more modestly, the IA situational awareness tool. Under DISA direction, we will be ready to incorporate some initial situational awareness tools into the Global Command and Control System next year. This is a small step; much work and considerable resources must be expended to develop an IA COP for the warfighter of the future.

Information Operations Condition (INFOCON)

The Joint Staff instituted the INFOCON process last year. This is clearly a step in the right direction. INFOCON gives us a means of reacting defensively under attack, or proactively, to set a DOD-wide defense condition when the indications and warning process indicates a developing threat. We have exercised INFOCON a few times and found that while the basic process is sound, there is considerable room for improvement in several areas. First, we need to flesh out the measures to provide more specificity. Second, we need to develop more specific criteria for entering and exiting each INFOCON level. Finally, we need to understand the cost and mission impact of more advanced INFOCON levels. We cannot afford to routinely implement a self-imposed denial of service as a defensive measure. USSPACECOM has taken on the challenge of improving the INFOCON process and held a DOD-wide conference in June to address these issues. INFOCON is the right tool; we just need to improve and exercise it.

An issue related to INFOCON is the vulnerability of the NIPRNET and the Secret Internet Protocol Router Network (SIPRNET) to intrusions from the Internet. I have frequently heard suggestions that DOD should disconnect from the Internet, either permanently or as a defensive measure in the event of an attack. It has become apparent, however, that many of our mission-critical SIPRNET and NIPRNET systems, for example the Global Transportation Network, receive information from the Internet. There are also technical questions, since some DOD traffic in fact flows through the Internet. We need
to improve our understanding of the dependencies and technical network factors and develop some basis for decision making in this area. We then need to test the disconnection process before we adopt this as a defensive tool. DISA is currently conducting a study to answer some of these technical questions.

System Administration and Configuration Control

The IAVA process was developed in 1998 at the direction of the DEPSECDEF when it became apparent that we had no way of rapidly implementing time-critical system patches across DOD and providing control of compliance. Today the IAVA process, run by DISA, provides a way of achieving these ends. Unfortunately, the process has still not completely penetrated DOD. An analysis of 1999 root-level intrusions in DOD shows that 94 percent of the intrusions could have been prevented if accepted security practices had been followed and existing IAVAs had been implemented. In other words, although we are better off than we were a year ago, we must do better. Making the needed improvements will require command emphasis, since IAVA compliance competes with other mission-critical activities for the time of our system administrators. There have been promising developments in this area. In June, CINCSPACE assumed responsibility for the IAVA program. In addition, CJCS recently directed commanders at all echelons to emphasize IAVA compliance.

Conclusion

I remember all too clearly sitting in the DEPSECDEF's conference room in February 1998 during the Solar Sunrise discussion and being asked the basic question I asked earlier in this article: Who's in charge? We have come a long way since then. We have someone in charge, CINCSPACE, and the beginnings of a proper defensive force. In October, USSPACECOM will assume the CNA mission and begin developing a robust offensive force to complement our defensive capability. The future is truly exciting. We just need to keep our eye on the ball and ensure that we properly support this developing mission
area. I wish all of you in the IA mission the very best of luck.

Maj Gen John Campbell was commissioned through the Air Force Reserve Officer Training Corps in 1969 at the University of Kentucky. He is a command pilot with more than 3,600 flying hours and has commanded a fighter squadron, a fighter group, and two fighter wings. He was the first Director of Information Operations on the Joint Staff and was assigned as the Commander of JTF-CND and Vice Director, DISA, in November 1998. On 9 June 2000 he assumed duty as the Associate Director of Central Intelligence for Military Support in the Central Intelligence Agency.

Major John J. Jordan, USA, U.S. Special Operations Command

Recognizing that advances in computer and security technology require nearly simultaneous advances in the monitoring capability of the new technology, the U.S. Special Operations Command (USSOCOM) recently rebuilt its Network Management Office into a Network Operations and Security Center. The NOSC, as it is called, monitors local area networks, wide area networks, and network security. What separates the USSOCOM NOSC from other NOSCs in the Department of Defense (DOD) is the fact that it monitors networks at all classification levels. USSOCOM is the first command in DOD to combine intelligence systems and common user systems under one organization. This ground-breaking combination has given users in all communities true one-stop shopping for their computer and communications needs and has enabled DOD to achieve dramatic savings in money and manpower.

Before their unification under the NOSC, two entire computer staffs ran USSOCOM systems. This meant two sets of systems administration contracts, two hardware maintenance contracts, two processes for configuration management, and two processes for information assurance. By combining these efforts, USSOCOM was able to develop one systems administration and systems engineering contract and one server hardware contract
and to combine both configuration management and information assurance process es to satisfy all users This con solidation allowed immediate savings of $1 3 million in con- tract support costs and reduced the size of the staff for running the systems by over 30 persons While joining two staffs that had been separate forever was not without its growing pains the final product has been a smaller staff with no decrease in customer service The security section of the USSOCOM NOSC was devel- oped in response to DoD's in creased emphasis on security issues USSOCOM is extremely serious about the security not only of its forces but also of the information its forces require to carry out USSOCOM mis sions In the information assur- ance arena USSOCOM is pro ceeding with its defense in depth program on all of its 3 Number 4 networks The NOSC is a focal point of this effort USSOCOM's strategy for security is to de- fend the outside of these sys tems as well as the inside To defend the outside of US- three networks the command uses a variety of monitoring hardware and soft ware designed to greatly reduce unauthorized users' ability to gain access to system resources Firewalls access control lists monitors and sensors placed in strategic network locations pro vide much of USSOCOM's de fense against outside attack The NOSC provides a single 24 hour watch cell for monitoring this defense strategy USSOCOM also realizes that attacks on and unauthorized access to computer systems can be caused by people on the inside To help prevent insider damage to its systems USSO- COM uses a combination of training and security proce dures For example password cracking is one of the easiest renamed on pt-ige 2i http lliac dtic milliatac Where There's Smoke There s Fire hen we were young many of us dreamed of becoming doctors firefighters at least in a metaphorical sense This is especially true in the in- formation technology IT world where technology changes every day and IT man- agers routinely 
Brian Bottesini, NAVEUR, and Brenda Angerhofer, NAVEUR

...face new challenges and fires to put out. Just keeping the network up and running involves putting out daily brush fires to prevent a conflagration. In the world of information assurance (IA), we have seen a continuing battle between the defenders of our networks and those who intend harm. IA professionals must constantly defend networks from viruses, intrusions, probes, and other harmful activities, whether these are caused by malicious arsonists or just someone playing with matches. Effective IA fire prevention and fire fighting involve identifying the threats, applying effective countermeasures, and understanding and accepting the remaining risk to our systems.

No computer network is completely fireproof. In fact, some say that the only truly safe computer is the stand-alone computer locked in a closet, an arrangement that offers exceptional security but little utility. IA professionals must carefully weigh the needs of their operations against the need for smart security mechanisms. One of the most common IA mechanisms in use today is the firewall. A firewall is a system designed to prevent unauthorized access to or from a private network. Although the firewall is an excellent security defense mechanism, by itself it is a Maginot Line defense. To be effective, the firewall must be part of a much broader IA architecture that includes several layers of security, including antivirus applications, intrusion detection systems, content filtering, physical and personnel security, and other elements. The U.S. Navy's and Marine Corps' defense-in-depth strategy defines such an overall security architecture with multiple layers of assurance mechanisms.

The Fire Code

To protect against actual fires, the United States has instituted a standard fire code that specifies requirements for smoke detectors, sprinkler systems, and so on. Why shouldn't we have a similar standard for the firewalls defending our networks in cyberspace? Such a code would address what services are allowed and what are not, how firewalls should be configured when they are connected to the NIPRNET (Sensitive but Unclassified Internet Protocol Router Network) and the SIPRNET (Secret Internet Protocol Router Network), and other critical issues.

We know that a chain is only as strong as its weakest link. Similarly, multiple interconnected networks and firewalls can offer sound protection only if all the firewalls prohibit risky services. Recent events in the news have illustrated the vulnerability of unprotected computers to unauthorized intrusions. Because there was no firewall standard or policy, the U.S. Navy Fleet Commanders in Chief (CINC) implemented a standard fleet firewall policy for all fleet network operations centers, pier-side firewalls, and selected shore activities (see ...navy.mil). This policy seeks to standardize the outer layer of computer network defense and is integral to the Navy's and Marine Corps' defense-in-depth network security strategy.

Hot, Hot, Hot

The great American poet Robert Frost said, "Before I built a wall I'd ask to know what I was walling in or walling out." In the IA context, these words can be viewed as a caution against the mindless pursuit of security at the expense of operational needs. Too often, however, IA professionals are required to support an application that relies on inherently risky services. Several examples have surfaced recently in which a fully developed software application has shown up on the doorstep of a command awaiting installation. These programs of record are often designed with maximum accessibility in mind and minimum to no security controls. To work properly, these applications require lots of big holes in the firewall. This requirement puts the local Information Systems Security Manager and Designated Approval Authority (DAA) in a difficult position. The local command needs to run the application to do its job, but implementing the application as-is introduces risk to the entire command's information networks behind the firewall. Before such risky programs are implemented, the following questions should be considered: What is the value of opening those holes in the firewall? What is the risk to the rest of the network? Is there a possible compromise?

Fire Prevention, Anyone?

How can we ensure that everyone is considering the necessary trade-offs between user friendliness, accessibility, and security? This assessment is critical and must take place at the very start of any development effort. As the saying goes, "It's a heck of a lot easier to design security into an application than it is to add security later on." Although occasionally it may be possible to paste on a little security late in the project, all too often doing so is very costly and cumbersome. Thus, information systems must address IA requirements and policies early in development and before fielding into operational networks.

Recently, more than 20 programs of record were identified that conflicted with the current Fleet firewall policy. Is the policy too restrictive? Are the programs of record poorly designed? Although the answers to these questions are still being debated, one thing is clear: there have been known attacks on information networks when certain services, such as RPC and ActiveX, were permitted to pass unchecked through a firewall. To mitigate the risks of incorporating these programs into our information networks, we must work closely with the programs' program managers. These program managers must provide the DAA with sufficient documentation to enable him or her to make an informed decision about implementing the new application on the local network. Documentation such as an accreditation package, system security authorization agreement, risk assessment, and transition plan will all help in delineating the proposed architecture and assessing the risks.
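The two points made above, that interconnected firewalls protect only if every one of them prohibits the risky services, and that a program of record's requested holes need a DAA decision, can be checked mechanically. The following is an added example, not code from the article or from the Fleet firewall policy it describes: it audits a set of firewall rule sets against a constructed list of prohibited inbound services and sorts a program's requested holes into what the standard permits and what conflicts with it. The policy table, the firewall names, the rule sets and the request are all constructed assumptions; RPC is the only service the article itself names (ActiveX travels inside HTTP content and is a content-filtering matter rather than a port rule).

```python
"""Fleet-style firewall policy audit (added example; constructed data).

The policy table, rule sets and program request below are constructed for
illustration; the port numbers are standard assignments, the grouping of
services into a 'prohibited' list is an assumption.
"""
from dataclasses import dataclass
from typing import Optional

# Constructed policy: inbound services a fleet-style firewall standard would
# prohibit. RPC is named in the article; the other entries are assumptions.
PROHIBITED_INBOUND = {
    ("tcp", 111): "sunrpc portmapper",
    ("udp", 111): "sunrpc portmapper",
    ("tcp", 135): "MS RPC endpoint mapper",
    ("tcp", 139): "NetBIOS session",
    ("tcp", 445): "SMB",
    ("tcp", 23): "telnet (cleartext logins)",
}


@dataclass(frozen=True)
class Rule:
    """One inbound rule; proto 'any' and port None act as wildcards."""
    action: str              # "allow" or "deny"
    proto: str               # "tcp", "udp" or "any"
    port: Optional[int]      # None means any port
    src: str = "any"         # source network the rule applies to

    def covers(self, proto: str, port: int) -> bool:
        return self.proto in ("any", proto) and self.port in (None, port)


def first_match(rules, proto, port):
    """First-match semantics: the first rule covering the flow decides it."""
    for rule in rules:
        if rule.covers(proto, port):
            return rule
    return None


def has_default_deny(rules) -> bool:
    """True when the last rule is a catch-all deny."""
    if not rules:
        return False
    last = rules[-1]
    return last.action == "deny" and last.proto == "any" and last.port is None


def audit_firewall(rules, policy=PROHIBITED_INBOUND):
    """Return findings for one firewall; an empty list means compliant."""
    findings = []
    for (proto, port), name in policy.items():
        match = first_match(rules, proto, port)
        if match is None:
            findings.append(f"{proto}/{port} ({name}): no rule, so it falls through open")
        elif match.action == "allow":
            findings.append(f"{proto}/{port} ({name}): explicitly allowed from {match.src}")
    if not has_default_deny(rules):
        findings.append("no catch-all deny as the final rule")
    return findings


def audit_fleet(firewalls: dict) -> dict:
    """Audit every firewall; the weakest link is any entry with findings."""
    return {name: audit_firewall(rules) for name, rules in firewalls.items()}


def review_program_request(requested, policy=PROHIBITED_INBOUND):
    """Sort a program of record's requested inbound holes ('tcp/135' etc.)
    into those the standard permits and those that need a DAA risk decision."""
    compliant, conflicts = [], []
    for item in requested:
        proto, port = item.split("/")
        key = (proto, int(port))
        if key in policy:
            conflicts.append(f"{item} ({policy[key]})")
        else:
            compliant.append(item)
    return {"compliant": compliant, "conflicts": conflicts}


# Constructed rule sets for two hypothetical fleet firewalls.
FLEET = {
    "pier-side-1": [
        Rule("allow", "tcp", 443),
        Rule("allow", "tcp", 25, src="10.0.0.0/8"),
        Rule("deny", "any", None),
    ],
    "noc-2": [
        Rule("allow", "tcp", 443),
        Rule("allow", "tcp", 135),   # RPC hole opened for a program of record
        Rule("deny", "tcp", 23),
    ],
}

if __name__ == "__main__":
    for name, findings in audit_fleet(FLEET).items():
        print(name, "compliant" if not findings else "")
        for finding in findings:
            print("  -", finding)
    print(review_program_request(["tcp/443", "tcp/135", "udp/111"]))
```

The audit treats the absence of a rule as a finding in its own right: a firewall without a final catch-all deny silently passes every service nobody thought to list, which is the "weakest link" the article warns about.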
In addition, the local site may require system security engineering before the program of record is integrated into the existing site configuration. Another approach could involve the use of virtual private networks implemented in parallel with existing firewalls, thereby allowing flexibility without compromising security.

As this discussion has shown, there are few easy answers for the IA professional today. As Quintus Horatius Flaccus said about 2000 years ago in his Epistles, "It is your concern when your neighbor's wall is on fire." Thus, for the foreseeable future, IA fire fighting and prevention will require much painstaking work and constant vigilance. In other words, we cannot just ride on the back of the fire engine.

Brian Bottesini is an Information Assurance Adviser to U.S. Naval Forces Europe. He may be reached at http://iac.dtic.mil/iatac.

Keys to the Kingdom

Captain Robert West, USN, Deputy Commander, JTF-CND

Not so long ago, the Department of Defense (DoD) was at the forefront of information technology (IT) development. In fact, the Advanced Research Projects Agency Network (ARPANET), which later spawned that unruly child, the Internet, had its roots in DoD's rich history. When ARPANET was under development, DoD was leading the IT revolution; however, that is no longer the case. Today, newly emerging information technologies are a part of every viable business enterprise, and new technologies affect the lives of all Americans in ways that were unimaginable only a few years ago. The amazing growth in IT over the past several decades, coupled with DoD's constantly shrinking budgets, has relegated DoD to the role of an IT consumer. It is simply a fact that we no longer enjoy the technical superiority we once had. As a result of this decline and our increasing dependence on sophisticated high-tech networks for support of operations, we have become increasingly vulnerable to outside influence. For example, DoD, like the rest of the world, has become utterly dependent on the Internet. Whether supporting on-line contract bidding and
execution, ensuring robust logistics support worldwide, or maintaining deployed troops with E-mail connectivity to family members back home, the Internet has become vital to how we conduct operations. With these new dependencies has come an increasing awareness of major information and computer security issues. Let's face it: a system whose primary design feature is the ability for any computer in the world to rapidly and efficiently share information and processes with any other computer on the planet must have inherent security vulnerabilities. And that is the case with the Internet today.

As a major IT consumer, DoD invests heavily in information assurance (IA). The department has instituted a layered, in-depth strategy and is spending millions of dollars each year on sophisticated intrusion detection devices, high-assurance firewalls, symmetric and asymmetric strong authentication, and any other technologies that show promise. Additionally, DoD has instituted a department-wide Information Assurance Vulnerability Alert (IAVA) program to patch existing technical vulnerabilities. Since the program's implementation in June 1998, 26 IAVAs have been published. These alerts have addressed a wide range of technical security issues for DoD networks. As a result of this program and other elements in our in-depth strategy, we should be close to achieving a reasonable level of security on our networks.

So why is it that outsiders continue to penetrate DoD networks on a routine basis? A recent statistic developed by the Joint Task Force for Computer Network Defense (JTF-CND) indicates that more than 90 percent of all successful intrusions into the Sensitive but Unclassified Internet Protocol Router Network (NIPRNET) in 1999 were accomplished by exploiting known vulnerabilities.
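The statistic above, that most successful intrusions exploited vulnerabilities that were already known, is at bottom a patch-compliance problem: the alert was published, the fix existed, and the question is which hosts never applied it. The following added example, which is not the IAVA program's own tooling and not code from the article, checks a constructed host inventory against constructed IAVA-style advisories and reports every host with an outstanding fix. The advisory identifiers IAVA-EXAMPLE-00n, the package names, the version numbers and the hostnames are all placeholders, not real alerts.

```python
"""IAVA-style patch compliance check (added example; constructed data).

Compares each host's installed package versions against a list of
advisories and reports where the published fix has not been applied. The
advisory identifiers, packages, versions and host inventory are constructed
placeholders, not real IAVA numbers.
"""
import re


def version_key(version: str) -> tuple:
    """Crude numeric version ordering: '8.2.2p5' -> (8, 2, 2, 5).
    Adequate for the sample data; real packaging schemes need their own rules."""
    return tuple(int(n) for n in re.findall(r"\d+", version))


# Constructed advisories: identifier, affected package, first fixed version.
ADVISORIES = [
    {"id": "IAVA-EXAMPLE-001", "package": "sendmail", "fixed": "8.9.3"},
    {"id": "IAVA-EXAMPLE-002", "package": "bind", "fixed": "8.2.2p5"},
    {"id": "IAVA-EXAMPLE-003", "package": "wu-ftpd", "fixed": "2.6.0"},
]

# Constructed inventory: hostname -> {package: installed version}.
INVENTORY = {
    "mailhost": {"sendmail": "8.9.3", "bind": "8.2.2p5"},
    "dnshost": {"bind": "8.2.1", "wu-ftpd": "2.6.0"},
    "ftphost": {"sendmail": "8.8.8", "wu-ftpd": "2.5.0"},
}


def check_host(packages: dict, advisories=ADVISORIES) -> list:
    """Return one finding per advisory the host has not applied.
    A package that is not installed is not affected by its advisory."""
    findings = []
    for adv in advisories:
        installed = packages.get(adv["package"])
        if installed is None:
            continue
        if version_key(installed) < version_key(adv["fixed"]):
            findings.append({
                "iava": adv["id"],
                "package": adv["package"],
                "installed": installed,
                "required": adv["fixed"],
            })
    return findings


def compliance_report(inventory=INVENTORY, advisories=ADVISORIES) -> dict:
    """Findings per host plus the fraction of hosts with nothing outstanding."""
    per_host = {host: check_host(pkgs, advisories) for host, pkgs in inventory.items()}
    clean = sum(1 for findings in per_host.values() if not findings)
    return {"hosts": per_host, "compliant_fraction": clean / len(inventory)}


if __name__ == "__main__":
    report = compliance_report()
    for host, findings in report["hosts"].items():
        for f in findings:
            print(f"{host}: {f['iava']} outstanding, {f['package']} "
                  f"{f['installed']} < {f['required']}")
    print(f"fully compliant hosts: {report['compliant_fraction']:.0%}")
```

The report is host-centred on purpose: the article's point is that the alerts themselves were adequate, so the useful output is the list of locations where "the patch had not been installed", which is what a commander or DAA can act on.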
In each case, state-of-the-art security devices were already in place and the exploited vulnerability had been identified and addressed with an IAVA. In fact, implementation of the existing IAVA would have prevented the unauthorized access, if only the patch had been installed at that location. The good news is that DoD's strategy is in fact identifying most technical security vulnerabilities. The bad news is that those responsible for implementing IAVA patches have not consistently done so.

Today, this security problem is compounded by the fact that almost all unauthorized accesses are prolonged by the intruder's use of additional exploitation techniques after he or she first gains access to an account. Whether the intruder gains initial access by exploiting an unpatched vulnerability, by gaining physical access to a protected location and stealing the necessary account data, by sniffing passwords on-line, or by scanning for never-activated accounts with still-active default passwords, the result is the same. The unauthorized individual achieves user status in the system and from there generally has no trouble gaining system administrator or root privileges. Tools for gaining such privileges are readily available on the Internet today. Unfortunately, current intrusion detection capabilities have a difficult time distinguishing between authorized users and unauthorized users masquerading as legitimate.

The experience of the JTF-CND in the past year supports this perception. With very few exceptions, initial incident detection has come not from automated devices but rather from system administrators who have detected unusual account activity at their site through detailed system log analysis or other means. Only after an initial report has been forwarded have we been able to tune the intrusion detection devices to help fill in the details about the nature of the abnormal activity and to assess whether there has been a coordinated or systematic effort directed against computers across DoD.
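The detailed log analysis by system administrators that the passage above credits with most initial detections can be partly codified. The following is an added example, not the JTF-CND's or any site's tooling and not code from the article: it scans constructed sshd and su log lines for three of the patterns the text describes, a never-activated account being used for the first time, a login from outside an account's usual networks, and escalation to root by an account that is not an administrator. The account lists, networks, hostnames and log lines are constructed; the message formats are typical of sshd and su but field layouts vary by platform, so the regular expressions are assumptions.

```python
"""Log-based detection of unusual account activity (added example; constructed data).

Flags three patterns from the article: first use of a never-activated account,
a login from outside an account's usual networks, and su to root by a
non-administrator. Baseline data and log lines are constructed; the sshd/su
message formats are typical but assumed.
"""
import ipaddress
import re

# Constructed baseline: usual source networks per active account.
USUAL_NETWORKS = {
    "jsmith": [ipaddress.ip_network("10.1.4.0/24")],
    "sysadm": [ipaddress.ip_network("10.1.0.0/16")],
}
# Constructed: accounts created with default passwords and never activated.
NEVER_ACTIVATED = {"guest", "install"}
# Constructed: accounts authorized to become root.
ADMIN_ACCOUNTS = {"sysadm"}

# Assumed message layouts; adjust to the platform's actual syslog format.
SSH_LOGIN = re.compile(r"sshd\[\d+\]: Accepted \w+ for (\S+) from (\S+)")
SU_ROOT = re.compile(r"su: 'su root' succeeded for (\S+)")


def detect(lines, usual=USUAL_NETWORKS, never=NEVER_ACTIVATED, admins=ADMIN_ACCOUNTS):
    """Return (rule, account, detail) alerts in log order."""
    alerts = []
    for line in lines:
        m = SSH_LOGIN.search(line)
        if m:
            account, src = m.group(1), ipaddress.ip_address(m.group(2))
            if account in never:
                alerts.append(("never-activated-account", account,
                               f"first use of a dormant account from {src}"))
            elif account not in usual:
                alerts.append(("unknown-account", account,
                               f"login by an account with no baseline from {src}"))
            elif not any(src in net for net in usual[account]):
                alerts.append(("unusual-source", account,
                               f"login from {src}, outside usual networks"))
            continue
        m = SU_ROOT.search(line)
        if m and m.group(1) not in admins:
            alerts.append(("privilege-escalation", m.group(1),
                           "su to root by a non-administrator account"))
    return alerts


# Constructed sample authentication log (documentation address ranges).
SAMPLE_LOG = """\
Oct 12 02:14:07 host1 sshd[412]: Accepted password for guest from 192.0.2.44 port 5123 ssh2
Oct 12 02:14:35 host1 su: 'su root' succeeded for guest on /dev/pts/3
Oct 12 09:03:11 host1 sshd[433]: Accepted password for jsmith from 10.1.4.22 port 40122 ssh2
Oct 12 10:00:00 host1 su: 'su root' succeeded for sysadm on /dev/pts/1
Oct 12 23:41:52 host1 sshd[519]: Accepted password for jsmith from 198.51.100.9 port 3344 ssh2
Oct 12 23:42:10 host1 sshd[520]: Failed password for root from 198.51.100.9 port 3345 ssh2
""".splitlines()

if __name__ == "__main__":
    for rule, account, detail in detect(SAMPLE_LOG):
        print(f"[{rule}] {account}: {detail}")
```

The value of this kind of review is that it asks a question the intrusion detection devices mentioned above cannot: not whether a packet looks hostile, but whether this account, from this place, at this time, is consistent with what the administrator knows about the site. The baseline is what makes a masquerading login visible.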
Although we should certainly continue to pursue technical solutions to security concerns, it should be abundantly clear that technical devices alone are inadequate for addressing DoD's ever-increasing security issues. It is time for DoD to shift its corporate focus a bit and begin addressing the most pressing security issue of all: our people. Our system administrators are the ones granting network access in the first place, in the form of user privileges. For this reason, they are the ones best positioned to distinguish between legitimate and illegitimate access. System administrators also are the ones charged with installing patches when new vulnerabilities are discovered. In short, they own the keys to the kingdom. It is time we recognize just how important this group has become to the success of any operation.

What we need now is a top-down, DoD-wide network security policy that brings consistency to system administrator training and certification. Operational commanders at all levels must make network security a top priority. At a minimum, all system administrators should have background checks, SECRET or higher clearances, and direct access to a classified environment for incident reporting and coordinated response measures. Additionally, system administrators should receive initial and refresher security awareness training and formal training on IAVA compliance and incident reporting procedures.

We can spend every red cent the Congress appropriates on better technology, and we are going to be no more secure than we are today unless, I repeat, unless we start spending significant amounts of money on those who are entrusted with maintaining our operational networks in a high state of readiness. After all, our system administrators are the operators of all of this great technology, and they are our front-line defenders as well. Before we grant that much responsibility to any one group of individuals, it only makes sense that those individuals be put through the scrutiny of a background check and that granting of complete access to the inner workings of our networks be coupled with appropriate training and certification. To do otherwise is to ensure that future adversaries will also have access to the keys to our kingdom when it is most imperative for them not to.

Captain Robert West, USN, is the Deputy Commander, Joint Task Force Computer Network Defense. As such, he is responsible for coordinating and directing the defense of DoD computer systems and computer networks. CAPT West earned a BE in Electrical Engineering from Vanderbilt University, an MS in Political Science from Auburn University, and a JD in General Law from Catholic University of America. He may be reached at http://iac.dtic.mil/iatac.

Law Enforcement and Counterintelligence Support to CND

Special Agent Michael R. Dorsey, DCIO CND Law Enforcement/Counterintelligence Center

Advances in the personal computing industry, the emphasis on information technology, and in particular the exponential growth of the Internet have dramatically changed the focus, attention, and efforts of law enforcement and counterintelligence (CI) organizations within the United States. In the past 5 years, the U.S. law enforcement (LE) community has struggled to keep pace with dramatic changes in this field, since computers are involved in virtually all aspects of criminal investigations. Whether a computer is used as an instrument of a criminal act, is the target of a criminal act, or retains critical evidence of a criminal act, investigators increasingly encounter computers and information technology in their work. Similarly, the U.S. CI community has found that computers are often at the heart of elaborate espionage cases or are the target of foreign intelligence exploitation through the Internet. Information technology professionals and senior policy experts have publicly warned of the catastrophic consequences that computer network attacks (CNA) could have in the near future. The sheer numbers and complexity of computer network intrusions, probes, and mapping and the proliferation of viruses and
worms have caused considerable alarm in public and private sectors. The most recent round of distributed denial of service attacks on a number of well-known e-commerce sites had a direct impact on the value of high-technology stocks and shook the confidence of many e-commerce customers. For these reasons, among others, law enforcement and counterintelligence support must be considered an essential layer in any defense-in-depth strategy designed to provide a computer network defense (CND). The law enforcement and counterintelligence communities are critical in the efforts to assign attribution to network intrusions and are the only authorities capable of conducting a detailed forensics analysis of systems to reconstruct evidence of a criminal act.

Law enforcement and counterintelligence have learned a number of valuable lessons in the wake of significant computer network intrusions such as the Cuckoo's Egg, Ardita, and Solar Sunrise. Each of these computer intrusion incidents clearly identified weaknesses in law enforcement authorities' processes and ability to respond quickly to CNA. More important, these intrusions have highlighted the wide split between information systems security personnel, who clearly need information to protect their networks from further degradation, and the LE community, which traditionally has held investigative information within its own close circles, drawing a solid blue line across which active investigative information does not pass. As a result of these sometimes competing security objectives, senior policy makers have often referred to computer network intrusion incidents as a matter of "national security versus law enforcement." By its very nature, this dichotomy seems to dictate a win-lose scenario. This view has not been of benefit to either the information systems security community or the LE community. Moreover, within the Department of Defense (DoD), this dichotomy has had an injurious effect on the network operations community, which is charged with ensuring the continuous flow of information over networks to support military operations. The business operations community, too, has been torn between the needs of its information security personnel and the needs of law enforcement when network intrusions occur. In both cases, critical operational decisions must be made based on the sharing of information among traditionally distinct groups that in the past have resisted collaboration and kept information within their own circles.

However, this win-lose relationship between national security and law enforcement is now being turned into a win-win philosophy through the establishment of several joint interagency organizations and a willingness to include the LE and CI personnel as a part of the defense-in-depth strategy of information systems security. After the resolution of the Solar Sunrise intrusions into DoD networks in 1998, President Clinton signed Presidential Decision Directive 63, establishing the National Infrastructure Protection Center (NIPC). Both this directive and the NIPC were established to formulate a strategy to protect our national information infrastructure (NII) from deliberate attacks. There was a clear recognition that a central information clearinghouse composed of multiple organizations from the law enforcement, intelligence, and technical security communities was essential to the protection of the national infrastructure. The development of the NIPC included agencies such as the FBI, the U.S. Secret Service, the Postal Inspection Service, NASA, the Defense Criminal Investigative Organizations (DCIO), the State Department, the CIA, the National Security Agency, the Air Force Intelligence Agency, and various technical security representatives. Additionally, partnerships were developed with the public utilities critical to the NII. It was envisioned that the NIPC would be able to gather information from the public and private sectors and provide ample warning of threats, analyze trends, and collaborate to fight the criminal hackers and foreign intelligence organizations exploiting our information networks. This goal necessitated a change in the traditional thinking of separate, insular organizations that were not accustomed to collaborating with each other, let alone to sharing sensitive information about ongoing events. It has required a degree of trust and the building of partnerships which has never before been attempted. While much work remains in this process, considerable progress has occurred, and as a result, significant accomplishments have been realized.

[Figure: NIPC organization chart; the panel labels recoverable from the scan include Analysis and Warning and Field Teaming Support]

At about the same time that the NIPC was being developed, a similar process was occurring within DoD. The Office of the Secretary of Defense established the Joint Task Force for Computer Network Defense (JTF-CND) to protect the Defense Information Infrastructure (DII). The concept of the JTF-CND was to provide a single organization within DoD that would develop a common operational picture and situational awareness of computer network attacks against the DII. To accomplish this task, a small cadre of military and civilian personnel with varied professional backgrounds was assembled under one command and co-located with the Defense Information Systems Agency (DISA). The JTF-CND provides joint operational command and control of the military services' computer network defense (CND) organizations. As a component of the Commander in Chief, U.S. Space Command, the JTF-CND works closely with each of its military service components, regional commanders in chief (CINC), and defense agencies. In addition to the military operations and systems security personnel that make up the JTF-CND, the DCIOs have formed a joint law enforcement and counterintelligence center co-located with the JTF-CND to provide LE and CI support to CND.

Again, the emerging threats of network attacks and exploitation have resulted in the formation of nontraditional organizational partnerships and necessitated the sharing of information across organizational boundaries to meet and defeat these threats. Within the JTF-CND, co-location of diverse expertise and responsibilities from the information security, military operations, LE, and intelligence organizations has resulted in close collaboration concerning the information needed to protect our information infrastructures. However, if this collaboration is to be successful, there must be recognition of the organizational responsibilities and the benefits that the organizational element brings to the problem set. This is especially true for the LE and CI communities. The win-lose perspective of national security versus law enforcement significantly hampered coordination and cooperation among traditional military operators, information system security professionals, law enforcement, and counterintelligence organizations. This reluctance to share information on ongoing investigations stems from a concern that the target of the investigation or the adversary could be alerted to the investigation and destroy evidence or alter his or her activity to avoid arrest and prevent a successful prosecution. Law enforcement professionals in the computer intrusion environment will have to fight against this understandable reluctance if we are to succeed in our pursuit and assist in the protection of the national information infrastructure. In addition, technical security professionals and the operations communities of government and business must recognize the benefits and advantages that LE and CI organizations bring to defending computer networks.

During the initial stages of a network intrusion, the systems administrator has the opportunity to gather or capture valuable information from intrusion detection systems or systems logs that will later benefit technical analysis and aid a law enforcement investigation and subsequent forensics analysis of the attacked system. The systems administrator should conduct all actions possible and permissible to him or her under the Electronic Communications Privacy Act (ECPA). ECPA permits network owners to conduct certain activities to protect and defend the health and welfare of their networks. However, network owners and administrators should also recognize that most intrusions are also violations of Federal law. This recognition allows network owners and administrators to avail themselves of the greater authorities and powers granted to law enforcement organizations. LE organizations will typically respond to reports of system intrusions by using criminal investigative authorities. In the event of an attack, the network owner must decide whether to immediately shut down the affected system or network or to allow continued monitoring of the intrusion activity by law enforcement. Continued monitoring of the intrusion activity may present an opportunity to trace the hacker's route and glean valuable intelligence about the tools and techniques being exploited by the hacker. The investigative tools used by law enforcement include official requests for information, criminal subpoena, court orders for records, search warrants, and undercover operations. Additionally, Federal law enforcement maintains close partnerships with counterpart agencies all over the world and will frequently request the assistance of foreign counterparts if an intrusion activity appears to pass through or originate from other countries.

This does not mean, however, that a law enforcement investigation is not a matter of national security. Particularly where DoD systems and networks are the victim of root-level intrusions, the DCIOs (Air Force Office of Special Investigations (AFOSI), Naval Criminal Investigative Service (NCIS), Defense Criminal Investigative Service (DCIS), U.S. Army Criminal Investigation Department (USACID), and U.S. Army Military Intelligence) approach all such activity as a matter of national security because of the potential impact on U.S. military operations and the sensitivity of the information contained in DoD networks.

SOCOM NOSC (continued from page 16)

...ways for unauthorized users to gain access to computer systems, USSOCOM launched a program to ensure that its users' passwords are properly configured to reduce the risk of unauthorized access. In addition, all users are required to receive computer security training before gaining access to any USSOCOM system. USSOCOM then runs periodic programs to attempt to crack users' passwords. If a password is cracked, the user must go through a prescribed process to regain access to USSOCOM systems. The NOSC provides USSOCOM an organization to monitor its … and provide its customers better and more secure service, making it easier for forces to carry out their diverse missions.

The author is chief of the … branch for USSOCOM. As such, he is responsible for the operations and maintenance of intelligence, collateral, and unclassified computer systems. He received his BS in mathematics with a computer concentration from the University of Notre Dame and an MS in Computer Science from the University of Dayton. He may be reached at …socom.mil.

Law Enforcement and Counterintelligence Support to CND (continued)

However, current laws and policies require that we first use the investigative tools and authorities of a criminal investigation before we use the authorities of the Foreign Intelligence Surveillance Act (FISA) or conduct a counterintelligence investigation. The primary purpose of this requirement is to ensure that our national intelligence agencies, including
counterintelligence, do not unlawfully collect sensitive information about U.S. persons as defined in Executive Order 12333. For this process to work effectively, law enforcement and counterintelligence organizations must be able to provide technically relevant information to the systems security and operations community during an investigation. At the same time, system owners and information security personnel must respect the need of LE and CI organizations to withhold some specific information about the investigation, such as the identity of the suspects, confidential source-related information, and information that was derived from a grand jury subpoena or an electronic intercept order. Each component involved in an intrusion incident must recognize the interests of the other components and work in collaboration with them to resolve the incident. The information security community must recognize that the law enforcement investigative process is methodical and somewhat slow by nature, to ensure the liberties that we enjoy in our democracy. System owners and operators must recognize the value of deterring further network intrusions through successful investigations and prosecutions of criminal hackers. Where foreign governments, intelligence services, or terrorist organizations are found to be responsible for intrusions and exploitation of networks, CI operations designed to gather information and manipulate the adversary's perceptions may be the most effective method of defending the national information infrastructure.

Our national information infrastructure will continue to be a viable target of criminals, intelligence operatives, terrorists, and nation-sponsored information warfare for the foreseeable future. The DII presents an attractive target for each of these groups for a variety of reasons. To successfully defend the DII, we need to maintain a robust team of technical security professionals, military operators, intelligence officers, and law enforcement and counterintelligence investigators. This team will continue to develop the process by which it shares information across organizational boundaries to protect and defend the DII and will aggressively pursue those who attempt to illegally penetrate the infrastructure. Law enforcement and counterintelligence support to CND is a matter of force protection and is critical to forming a common operational picture of the threats affecting the security of our military operations.

Supervisory Special Agent Michael R. Dorsey recently completed his duties as the Chief of the DCIO CND Law Enforcement Center. He may be reached at his current assignment at MDorsey@ncis.navy.mil.

Information Assurance Training at the U.S. Army's Computer Science School

Major Mark V. Hoyt, USA, Fort Gordon

Because of the increasing number of information warfare attacks directed against the Department of Defense (DoD), the U.S. Army has issued several directives concerning security training for system administrators (SA) and network managers (NM). The directives, originating from the Army's Director of Information Systems for Command, Control, Communications, and Computers (DISC4), require that all Army military, government, and civilian SAs and NMs be trained in information systems security depending on their experience and skill levels. One DISC4 directive states that all Army SAs and NMs will be trained and Phase 1 Information Assurance (IA) certified. All Army SAs and NMs with 3 or more years of experience will be trained to the Phase 2 level and Phase 2 IA certified. The deadline for Phase 1 and Phase 2 IA certification is December 2000.

The U.S. Army's Computer Science School (CSS) at Fort Gordon is conducting computer SA and NM level security training to meet Phase 1 and Phase 2 IA certification requirements. The primary goal of this security training is to increase the ability of Army SAs, NMs, and Information System Security Officers (ISSO) to protect friendly
information systems by preserving the confidentiality, integrity, and availability of the systems and the information they contain.

The CSS offers a free Web-based ISSO course requiring approximately 20 to 40 hours to complete. The course, including the test and certificate generation, is completely Web based and is considered equivalent to Phase 1 IA certification by DISC4. Approximately 2,000 persons have taken the ISSO course and passed the ISSO Web-based examination. The course is located on the Web at gordon.army.mil/css/courses.htm.

The CSS also conducts the majority of Phase 2 IA certification training for the U.S. Army. Phase 2 security certification consists of two 1-week courses, usually conducted in sequence.

Training Deadlines

Classification                   Phase 1 Certified by   Phase 2 Certified by
Level 1, Classified System       31 Jan 1999            Not Required
Level 1, Unclassified System     31 Dec 2000            Not Required
Level 2/3, Classified System     31 Jan 1999            31 Dec 2000
Level 2/3, Unclassified System   31 Dec 2000            31 Dec 2000

The first week of Phase 2 security certification is called the System Administrator's Security (SAS) course. This course focuses on securing the information system platform. The first 4 hours of the course are spent primarily on reviewing Army regulations, public law, and access control measures. After the first half day, the course focuses on securing the information system's platform by securing the operating system that runs the system. During the SAS course, 15 hours are spent on hands-on training in securing Windows NT platforms. The final 14 hours of the course are spent on hands-on training in securing UNIX platforms using Solaris 2.6.

The second week of Phase 2 security certification is called the Network Manager's Security (NMS) course. This course focuses on network security. The first day provides background information on the Army's Computer Emergency Response Team, the Network Security Improvement Program, a briefing by a counterintelligence agent, and an overview of common network and information system threats. The second day focuses first on … and then on how to secure a Web server; an Internet Information Server is used for the hands-on training. The third day focuses on the use of routers to secure networks, with hands-on training conducted on CISCO routers. The fourth day of the ... (continued on page 34)

That's NOT My Final Answer: Your PKI Help Desk Solution and the Answers You Need

Ms. Victoria Alkema, DISA Defense Enterprise Computing Center Detachment

The Public Key Infrastructure (PKI) program is a DoD-wide team effort. The PKI Program Management Office (PMO) leads the effort and is supported by the engineers who design and implement the changes. You, our customers, are critical to implementing the PKI technology, and the Help Desk stands ready to assist you.

What can I expect?

When you initiate a call to the PKI Help Desk, there is no need to apologize for not understanding the problem or having to contact us. We are quick to dispel these thoughts, for that is contrary to our purpose, which is to assist all personnel in obtaining their PKI certificates. Your PKI Help Desk is located at Defense Enterprise Computing Center (DECC) Detachment Chambersburg and stands ready to assist you.

Because of the vastness of potential issues, the Help Desk is limited to assisting in obtaining End User, Local Registration Authority, Registration Authority, and Server Certificates and will troubleshoot connectivity issues. When you successfully obtain the certificate, the actual implementation and usage will be based on vendor-specific guidance. The Help Desk is not unequivocally responsible for that assistance but does maintain a knowledge base of some of the more popular lessons learned from others' implementations. That information can be easily recalled from our knowledge base and, if available, offered to further your investigation. The
PKI Help Desk is staffed by technicians ready to assist 24x7 and may be reached by phone at 1-800-582-4764, commercial 717-267-5690, DSN 570, or by E-mail at chamb.disa.mil. When you call, a technician will listen to your situation, ask a few questions, and open a trouble ticket. Should you choose to E-mail the Help Desk, please include your telephone number, IP address, 10-character unique identification number (if known), and a detailed description of the problem. Also include the most convenient time to contact you, and we will attempt to comply. This trouble ticket is important, for it allows the technician to record details of your technical problem, our information updates, and final resolution. If the technician is unable to find an existing instance of your problem, you are likely to be connected to a senior technician at that time. The original technician will remain on the line to hear the problem resolution process and obtain the solution. Most often the situation can be resolved over the phone, but occasionally it requires more in-depth analysis and assistance. However, the resolution will rarely take more than a day. Whatever the case, the ticket remains open until you are satisfied and concur with closure; otherwise, the ticket returns to the senior technician to continue the work.

Am I the only one?

The PKI Help Desk staff have been performing these specific services for over two years and have compiled a vast knowledge base of customer-related issues. The questions cover a wide spectrum, from novice users to system engineers. The PKI hierarchy is that the end user will contact the Local Registration Authority (LRA), the LRA would contact his Registration Authority (RA), and ultimately the RA will contact the Help Desk. Since there are less than one hundred RAs and about four hundred LRAs, following the defined hierarchy can better assist the potential 3.2 million end users. We realize that is not always possible and will respond to all calls accordingly. If you do not know who your LRA or RA is, please contact us and we can assist you.

[Figure: Class 3 PKI Pilot Architecture]

Each CINC/Service/Agency is assigned an official point of contact (POC) for PKI technical representation. The POC list is maintained by the PKI PMO and is provided to our Help Desk. The Help Desk utilizes a technical representative when an issue arises unique to a CINC, Service, or Agency. These representatives are actively participating in the PKI technical groups, representing your interests, and are critical to the Help Desk and you. If the Help Desk cannot arrive at a resolution, the subject is referred to the PKI PMO, who is a constant source of guidance. The Help Desk offers you the additional benefit of other partners' information during research. As desktop software evolves, we are continually reviewing other knowledge bases, FAQs, and help sites, readily advising callers of information. The PKI PMO is continually posting changes to the PKI Web site, http://iase.disa.mil. This is truly a network of knowledge, and we are pleased to assist you in finding the answer.

When a situation requires the information be widely disseminated to the DoD PKI users, an E-mail broadcast message is generated from our Help Desk. This is always in compliance with the PKI PMO policy of advising of changes, updating status, and/or giving guidance. The PKI PMO and the Help Desk work closely in preparing announcements and responding to customer-reported difficulties.

The trouble ticket information you supply is read by the PKI PMO weekly. This information is analyzed by the PKI PMO and engineers and may determine a program change or identify a training weakness. Contacting the PKI Help Desk should never be viewed as a weakness but as a contributory strength to the entire PKI team effort. We appreciate you, our customers, and look forward
to your call.

Victoria Alkema is the Defense Information Systems Agency PKI Project Lead, located at Defense Enterprise Computing Center Detachment in Chambersburg. She is continually in touch with PKI program management office training coordinators and System Engineers to facilitate smooth operations and resolve customer-reported outages. A trained team of PKI colleagues and team members make this PKI Help Desk successful.

Marine Corps Active Computer Network Defense: The Changing Face of Warfare
Captain Carl Wright, USMC, and Major Ted Steinhauser, USMC (Ret.)

"… weakness, whether that lies in the military, political, or domestic realm. For example, in future conflicts data lines of communication may be just as important as sea lines of communication, and our adversaries, whether they are third world nations, transnational actors, or crime syndicates, will attack them."
General Krulak, 31st Commandant of the Marine Corps

Today's enthusiastic and unparalleled consumption of information technology by corporate America and government has created superior enterprise-scale business process capabilities. However, in the rush to exploit the advances in information technology, an evolutionary vulnerability has developed in connection to the interdependencies these systems rely on to function in the global arena. From both the corporate and the DOD perspectives, the enterprise approach to defending the venture capability has become the predominant weapon in the system security arsenal. This article will briefly explore the Active Computer Network Defense (ACND) model in relation to the Marine Corps' success in defending both garrison and deployed tactical environments.

Overview

Significant progress has been made in defining and articulating the effects of information warfare, or cyberwar, on the global information grid (GIG). The majority of these studies concern the information revolution, the changing face of warfare, and DoD's need to develop security procedures that ensure that information is available to commanders when required. Today's cyber defense efforts indicate that although organizations are striving to enhance their security posture through the use of boundary-level security devices (firewalls), their focus remains myopically on protecting the front door, or forward edge of the battle area. Cyber-centric maneuver warfare implies that the adversary will not attempt to effect change or impact via direct frontal assaults on information technology assets, but is far more likely to conduct guerilla-type information warfare, penetrating soft targets while ensuring that the defender's limited security resources are engaged elsewhere. The implication is that the adversary will obtain access to targeted systems by means of well-orchestrated electronic envelopment and distraction drills, eventually achieving penetration regardless of defensive security initiatives. Therefore, enclave compartmentalization, distributed defense-in-depth mechanisms, real-time system battle damage assessments, and immediate recovery techniques will become the critical success factor in the new cyber defense model.

Active Computer Network Defense (ACND) Model

ACND is predicated on the original defense-in-depth model, which is widely used throughout the DOD and the Federal Government. The ACND model capitalizes on the multilayered defensive strategy of defense in depth by incorporating enterprise business processes, strong standardization, and configuration control down to the lowest possible point in the organizational information technology infrastructure. The more centralized this control, the more formidable the defense posture the organization responsible for computer network defense (CND) can foster. The ACND model helps answer the "how" of developing, deploying, and sustaining a secure homogeneous enterprise network in a heterogeneous network environment. It is important to understand that ACND does not focus solely on specific security technologies, but is more concerned with enterprise business processes and how they integrate with security technology to address the cyber-centric warfare threat.

In order to fully understand the Corps' ACND posture, a brief overview of their enterprise network, the Marine cyber battlefield, is necessary. From its inception, the Marine Corps Enterprise Network (MCEN) was built on a foundation of securable technologies enabling centralized control, sustainment, protection, and, most importantly, the defense of the Corps Information Infrastructure. The MCEN ACND process focuses on creating centralized, cross-functional information technology support structures resident with the Marine Corps Information Technology Network Operations Center. By means of 24x7 monitoring of all MCEN access points (see figure below), security-related data and logs are securely transmitted to the centralized data repository for detailed analysis by highly trained Marines supported by government civilians and contractor personnel. Depending on the situation, corrective action may be directed by the Commander, CND, after the situation is assessed by the MARFOR-CND staff, at which time the defensive response may be enacted at the lowest point in the infrastructure, the user's desktop. In concert with the technological ability to direct defensive response across the enterprise, the ACND response process provides real-time defense to MCEN users no matter where they are or what time of day an incident occurs.

Figure: Marine Corps Active Computer Network Defense Architecture

Deployed Security Interdiction Device (DSID)

Technology plays an instrumental part of the Corps' ACND methodology. From its initial use in protecting and defending the MCEN environment, the Marine Corps has expanded the ACND model to the Fleet Marine Force (FMF) for use in the deployed tactical environment. The Deployed Security Interdiction Device (DSID) is an integrated package of best-of-breed commercial off-the-shelf technology, similar to that of the garrison perspective, that directly supports the Marine Corps ACND process. DSID gives the deployed tactical commander the same boundary-level security architecture that Marine Corps forces enjoy in the MCEN garrison environment. Its primary function is to provide a layered defense of the boundary-level point-of-presence tactical network. The DSID package integrates routers, advanced access control lists, firewalls, network intrusion detection systems (IDS), host-level IDS, virtual private network technology, and vulnerability assessment software to provide a comprehensive enterprise network security system. Currently DSID is an organic asset of the Marine Expeditionary Force Communication Battalion. In the deployed tactical environment, the DSID infrastructure resides between the Defense Information Systems Agency's Strategic Tactical Entry Point (STEP) and the deployed unit's network architecture in the states. DSID provides the deployed commander with the utility of joint information systems, in which a deployed unit reaches back to leverage information stores normally resident within the garrison environment. More important, DSID provides this capability to the commander in a robust, secure manner.

In conclusion, the Marine Corps enterprise ACND approach to integrating technology and security core competencies has laid the foundation for the first deployed tactical CND system business process within …. The Marine Corps ACND approach ensures the integrity, availability, and confidentiality of the deployed commander's information regardless of the commander's location, foreign or domestic.

Captain Wright and Mr. Steinhauser have been actively engaged in the defense of the MCEN since the conception and establishment of the Marine Corps' component of the …. Captain Wright may be reached at @noc.usmc.mil and Mr.
Steinhauser may be reached at steinhauserth@noc.usmc.mil.

Is It Worth the Risk?
Major Boyles, USAFR, CERT

Imagine you are logged onto an NT workstation as a user in the Domain Admin group. You are doing research on mobile code, and your research takes you to a site off the beaten path. Without your knowledge, the registry self-administered maintenance (SAM) file from your workstation is E-mailed to an account at one of the popular free E-mail providers. Several weeks later, your network experiences serious problems. The network administrator tracks those problems to a remote access to your network by someone using your account. OOPS!

Or perhaps, while you are surfing the Web, a script called hack.bat is deposited in your Startup menu. The next time you log on to your system, the hack.bat script runs and changes the password for every user on your network and the networks of all trusting domains, including the password of the domain administrator. In addition, every NT system on the network has a strategic file removed, preventing each system from booting up after a shutdown. Finally, every NT system on the network is remotely shut down, including yours. OOPS!

Malicious mobile code can do this. Should you be worried? Yes. You put your system and your network at risk every time you open an E-mail (attachment or not) and every time you browse the Web.

Warning Signs

One of the first demonstrations of our vulnerability to mobile code occurred in January 1997, when three German hackers showed a television audience how a Web page (click-bait) could use an ActiveX control to generate a clandestine electronic transfer of funds using Quicken. In 1998, users of Microsoft's Hotmail and QUALCOMM Inc.'s Eudora were presented with a Trojan horse logon screen generated by a JavaScript embedded in their E-mail. When the users filled out the logon screen, the account information and the Internet Protocol (IP) addresses were E-mailed to the author of the hack. The recent Guninski Exploit demonstrated how accessing a Web page or opening a hypertext markup language (HTML) formatted E-mail could allow a malicious mobile code to take control of a user's workstation. This exploit used the "object for constructing type libraries for scriptlets" ActiveX control. The computer security company Finjan now offers a live demonstration of a harmless Trojan horse called Bill Vote Attack, which demonstrates how mobile code can be used to create a new folder on the Windows desktop filled with files copied from the hard drive.

What is Mobile Code?

Mobile code is any executable or interpreted program, script, or application that is introduced to a local system from a remote location and executed without the user's consent. This broad definition includes the viruses that were once commonplace on floppy disk in the days of stand-alone computers, and encompasses viruses, application macros (MS Word, MS Excel, etc.), files executed by applications such as Adobe Acrobat files, and some code executed by Web browsers or E-mail applications. Mobile code is sometimes referred to as applets or downloadable code.

Mobile code is not in itself bad. In fact, it is a cornerstone of client/server computing. It enables our applications and allows us to create dynamic programs even if we are not skilled programmers. It jazzes up our Web pages and E-mail with sound, video, and animation; allows on-line chatting; automates workflow; and enables Web sites to automatically update software such as Windows NT, MS Explorer, and antivirus applications. Mobile code is becoming a requirement for enterprise networking, e-commerce, and data sharing. The problem is security, and protecting our computer systems and networks from people with malicious intent. Macro viruses such as Melissa are now considered the most widespread malicious mobile code on the Internet.

For the sake of this discussion, let us refine our definition of mobile code to code that is
transmitted by a network. If I receive an E-mail message with an executable file (say, a game) attached, I have the choice of executing that program or not. This is not mobile code according to our definition. Although the code moved from somewhere in cyberspace to my workstation, I made the choice of executing it, knowingly assuming the risk that the game might contain malicious content. If, on the other hand, I open up an E-mail and inadvertently execute a code written in JavaScript, I have experienced mobile code. Where did this mystery code come from? What did it do? With the Web-enabled E-mail applications available today, previewing E-mail may be all it takes to give away protected information or to crash a workstation or a network. For example, the proof-of-concept worm BubbleBoy is activated simply by viewing an affected E-mail in the Preview pane of Microsoft Outlook or Outlook Express. This worm, when activated, performs a mass E-mail à la Melissa, then updates the user's registry. BubbleBoy is written in Visual Basic Script and uses Microsoft's ActiveX control mobile code.

There are many types of Web-related mobile code. Examples are Microsoft's ActiveX, …, and Visual Basic for Applications (VBA); Sun Microsystems' Java Applets and JavaScript; and a whole slew of plug-ins. Scripted mobile code such as JavaScript, …, LotusScript, and VBA arrives in the form of text that must be interpreted at run time. It is possible to discern the scripted text's potential for harm by viewing a Web page or an E-mail source or macro. For brevity's sake, in our consideration of the compiled class of mobile code we will limit our discussion to the most popular forms, Java and ActiveX. Java runs in most Web browsers, including Netscape's Communicator and Microsoft's Internet Explorer. It is compiled into an intermediate, architecturally neutral format called byte code. This byte code must be executed within a Java Virtual Machine (JVM) in order to run. A JVM is included in most Web browsers. Currently ActiveX is exclusive to Explorer, although it will run with a plug-in on Communicator. This code, known as a control, has been compiled into binary specific to 32-bit Windows and is essentially the same as the Dynamic Link Library (DLL) files that are common to all Windows-based workstations. ActiveX is the most powerful of the mobile codes and therefore presents the greatest risks. It is native Windows and can do anything Windows can do, depending on the permissions of the user: read, write, copy, and delete files; run applications; connect to network resources; send E-mail.

How Mobile Code Works

When you browse a Web page with ActiveX code embedded in it, you are trusting the Web page to do the right thing and not take advantage of you. When you connect to the Web page, code is downloaded from the Web server onto your computer's local environment and executed on your workstation with your privileges and local system resources. This allows you to interact with the Web site, enabling you to fill out information and send it back to the Web server for processing, submit forms, open spreadsheets, execute database queries, and perform other productivity-related functions. The mobile code running on your local workstation can determine information about you (who you are, your permissions, your group membership) and grant you access to data and information without your needing to log in or authenticate. This is most valuable in an intranet environment, where applications are Web enabled and run on the server, but is also valuable for Internet use. Mobile code saves you from having to download and install applications on your local workstation. It also allows applications to manage your file system, create directories and files, update your registry, and prepare your environment for whatever. In addition, mobile code will jazz up your Web experience by creating dynamic images and dialog. Much of what mobile code does can be
accomplished by server-side applications with the use of Java servlets, SQL, CGI, gif89a, and many other helpful tools. However, a downside is that server-only Web pages are resource intensive and require users to log in and authenticate. Without authentication, all users are treated the same by the server and are considered anonymous, with vastly reduced privileges. Scripting was developed because plain HTML wasn't enough. … and JavaScript are not nearly as powerful as ActiveX but still put systems at risk. Java Applets present the least threat because they employ a security wrapper called a Sandbox.

Guarding Against Malicious Mobile Code

The risk from mobile code can be mitigated by proper management. What this entails depends on the type of code. ActiveX has an all-or-nothing approach to security based on digital signatures contained in the ActiveX controls. Your browser can be configured to allow downloading of ActiveX controls from trusted sources only, based on these digital signatures. Nontrusted sources will then cause your browser to prompt you if you want to run an ActiveX control. All ActiveX controls run with the same privileges regardless of their source. In my experience, only a small percentage of Web sites (1 to 2 percent) actually have ActiveX applications, and choosing not to run ActiveX in most cases prevents only a single action from occurring. Therefore, the Web page will continue to function if ActiveX does not run. The area in which ActiveX mobile code is taking off is Web-enabled applications such as MS Access running on a server. Even then, preloading ActiveX will prevent it from becoming mobile and being downloaded to your system. A good security practice is to disable ActiveX in your mail and to require your browser to prompt you each time it is requested. Then you can decide in each case whether to assume the risk. In the future, expect Department of Defense (DOD) sites to restrict ActiveX at the firewall and to enforce a policy on the browser of no ActiveX. This practice will still allow you to use ActiveX plug-ins and to have ActiveX associated with installed applications through DLLs, just not mobile code.

JavaScript and … are more popular than ActiveX. It is estimated that more than 80 percent of Web sites contain either JavaScript or …. These active scripts still represent some risk to your private information and to system and network integrity. Unlike ActiveX, these scripts do not have associated digital signatures. However, you can restrict Active Scripting on most Web browsers, although doing so may severely affect Web access, and many Web sites may not perform properly if Active Scripting is disabled.

Java, or Java Applets, were designed from the ground up with security in mind. Java uses what Sun refers to as a Sandbox. Each applet is wrapped by a set of rules that prevents it from accessing system resources. Java Applets therefore may not interact with file systems. There are only 10 system variables that Java Applets can retrieve. These variables are needed for the Java Applets to perform their job. This still represents an all-or-nothing approach to security, because no distinctions are made based on the level of trust associated with the source of each applet. The biggest risk is associated with Java's complexity and known security breakdowns. Java Applets have been around for a long time. They have reached a mature level and should be considered safe. Unfortunately, the very things that make Java Applets safe limit their usefulness for enterprise computing.

On the Horizon

Sun is extending Java's security to include more ActiveX-like capabilities and is incorporating a digital signature as well. This updated version is referred to as the Java 2 security model. Its major improvement over ActiveX security is the assignment of different permission levels based on local security policy and trust levels assigned to each applet's source. These improvements will
make Java Applets more competitive with ActiveX, but incorporate many of the same security risks. Not one to give up the lead, Microsoft is making noises about extending the security model for ActiveX as well.

Other mobile code that puts your systems at risk includes MacroMedia's ShockWave, RealNetworks' RealPlayer, Sun's Save-Tel, and other plug-ins that you add to your browser. When you connect to a Web page that contains code requiring one of these plug-ins to function properly, the code will be downloaded to your local workstation and activate the associated plug-in. If you have not installed the particular plug-in, your browser will generate an error message. These plug-ins don't offer the same flexibility as ActiveX but nonetheless pose some risk. What is even riskier is the plethora of new plug-ins that are anticipated in the near future as more and more companies try to market to the Internet. And hold onto your hats: just around the corner is the mobile agent, mobile code that can jump from one system to another. This prospect will be reserved for a future discussion.

It is likely that over the next 18 months … will be required to replace all mobile-code-enabled Web pages on its vast network of over 2,500 primary Web sites with server-only Web pages. This will be a tremendous undertaking, but will result in a mobile-code-free environment. Achieving this will set the stage for the next step: forcibly restricting access to mobile code on all networks.

In the meantime, an ever-growing number of security products on the market provide some level of protection from malicious mobile code. Some of these products are Finjan's Enterprise Desktop Security (SurfinGate and SurfinShield), Trend Micro's Interscan WebProtect and Web VirusWall, and Computer Associates' Unicenter TNG, SafeGate (Security 7), SafeAgent (Security 7), and SessionWall.

For now, what can and should be done? The following list contains some reasonable precautions:

- Lock down your browser. Include only those plug-ins that are required for your job. Entertainment should stay at home.
- Set your browser to a high security setting. Prompt for ActiveX and Active Scripting. Refuse to accept the first time around. If you find you need to run the mobile code, think carefully before you try it.
- Never surf as a privileged user (Domain Admin, Account Operator, etc.).
- Use a sanitized machine. Never surf from a server or system containing important data.
- Back up your hard drive often.
- If prompted to open or save a file, always save executables and run a virus scan on the file before and after execution. Be careful: compressed files may defeat a virus scan.
- Don't assume that a negative scan means you are safe. Virus software will not detect new viruses, Trojan horses, or unique malicious code.
- Network administrators should consider ways of restricting mobile code at the firewall.
- System administrators should consider (1) using third-party software that evaluates mobile code for privileged access or malicious intent and (2) preloading ActiveX code needed to support known Web-based applications.
- Developers should adopt server-only solutions using development software such as Cold Fusion.
- Security administrators should issue policies and guidelines on the use of mobile code.
- Users should receive training concerning the risk associated with mobile code and how to manage the settings in their browser software to mitigate these risks.

So, is mobile code worth the risk? Yes. But only if you fully understand what those risks are and take appropriate measures to protect your data, your workstation, and your network.
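The browser and mail settings the article recommends (prompt for ActiveX and Active Scripting, disable ActiveX in mail, keep only job-required plug-ins, treat applets as sandboxed) can be written down as a policy that a mail gateway or a desktop check applies to each piece of mobile code it finds in a page. The following is an added example, not code from the newsletter or from any product it names: a small Node.js script that locates the kinds of mobile code the article distinguishes (script, ActiveX control, Java applet, plug-in content) in an HTML page or HTML-formatted message and records the decision the policy would make for a browser and for a mail reader. The sample HTML, the hostnames, the CLSID values and the trusted-source list are constructed placeholders.

```javascript
'use strict';

// Added example (not from the newsletter or any product it names): find the
// kinds of mobile code the article distinguishes in HTML and apply a policy
// modelled on its precautions. All hostnames, CLSIDs and policy entries are
// constructed placeholders.

// Constructed sample: an HTML-formatted message embedding several kinds of
// mobile code (inline script, remote script, two ActiveX controls, one Java
// applet, one browser plug-in object).
const SAMPLE_HTML = `
<html><body>
<p>Quarterly report; see the embedded chart.</p>
<script type="text/javascript">document.title = "report";</script>
<script src="http://cdn.example-partner.test/menu.js"></script>
<object classid="clsid:00000000-0000-0000-0000-000000000000"
        codebase="http://downloads.example-partner.test/report.cab"></object>
<object classid="clsid:11111111-1111-1111-1111-111111111111"
        codebase="http://www.example-unknown.test/screensaver.cab"></object>
<applet code="Chart.class" codebase="http://intranet.example.test/applets/"></applet>
<embed src="http://ads.example-unknown.test/banner.swf"
       type="application/x-shockwave-flash"></embed>
</body></html>`;

// Policy modelled on the article: run ActiveX only from sources whose signed
// controls the organisation has vetted (assumed list), prompt for other
// ActiveX and for Active Scripting, block ActiveX in mail, and allow only
// plug-in types required for the job.
const POLICY = {
  trustedActiveXHosts: ['downloads.example-partner.test'],
  requiredPluginTypes: [],            // entertainment stays at home
};

// Tags that carry mobile code. A regex suffices for this illustration; a real
// filter needs an HTML parser because quoting and encoding tricks defeat this.
const TAG_RE = /<(script|object|applet|embed)\b([^>]*)>/gi;

function attr(attrs, name) {
  const m = new RegExp('\\b' + name + '\\s*=\\s*"([^"]*)"', 'i').exec(attrs);
  return m ? m[1] : null;
}

function hostOf(url) {
  if (!url) return null;
  try { return new URL(url).hostname; } catch (e) { return null; }
}

// Map one tag to the mobile-code class the article discusses.
function classify(tag, attrs) {
  const src = attr(attrs, 'src');
  const codebase = attr(attrs, 'codebase');
  switch (tag.toLowerCase()) {
    case 'script':
      return { kind: 'script', host: hostOf(src), source: src || 'inline' };
    case 'object':
      // A clsid: identifier marks a binary ActiveX control (native code).
      if (/^clsid:/i.test(attr(attrs, 'classid') || '')) {
        return { kind: 'activex', host: hostOf(codebase), source: codebase || 'unknown' };
      }
      return { kind: 'plugin', host: hostOf(codebase), source: codebase || 'unknown', type: attr(attrs, 'type') };
    case 'applet':
      return { kind: 'applet', host: hostOf(codebase), source: codebase || 'inline' };
    case 'embed':
      return { kind: 'plugin', host: hostOf(src), source: src || 'unknown', type: attr(attrs, 'type') };
    default:
      return null;
  }
}

function findMobileCode(html) {
  const items = [];
  for (const m of html.matchAll(TAG_RE)) {
    const item = classify(m[1], m[2]);
    if (item) items.push(item);
  }
  return items;
}

// context is 'browser' or 'mail'; decisions are run, prompt, sandbox or block.
function decide(item, context, policy) {
  switch (item.kind) {
    case 'activex':
      if (context === 'mail') return 'block';              // ActiveX disabled in mail
      return policy.trustedActiveXHosts.includes(item.host) ? 'run' : 'prompt';
    case 'script':
      return context === 'mail' ? 'block' : 'prompt';      // prompt for Active Scripting
    case 'applet':
      return 'sandbox';                                    // JVM sandbox, no file access
    case 'plugin':
      return policy.requiredPluginTypes.includes(item.type) ? 'run' : 'block';
    default:
      return 'block';
  }
}

function scan(html, context, policy = POLICY) {
  return findMobileCode(html).map(item => ({ ...item, decision: decide(item, context, policy) }));
}

// Stand-alone use: print the decisions for both contexts.
if (typeof require !== 'undefined' && require.main === module) {
  for (const ctx of ['browser', 'mail']) {
    console.log('--- ' + ctx + ' ---');
    for (const r of scan(SAMPLE_HTML, ctx)) {
      console.log(r.decision.padEnd(8), r.kind.padEnd(8), r.source);
    }
  }
}
```

Run it with node and compare the two contexts: in the browser the vetted ActiveX source runs, the unknown one and both scripts prompt, the applet stays in its sandbox, and the Flash content is blocked because no plug-in type is on the required list; in mail every ActiveX control and script is blocked outright. The tag matching is deliberately simple and a determined page author can evade it, which is why the article's stronger measures (preloading the controls known applications need and moving to server-only pages) matter more than detection alone.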
IA Training (continued from page 25)

course focuses on firewalls, with hands-on training on the Raptor Eagle firewall. The final day includes an introduction to intrusion detection systems (IDS), with hands-on training on the RealSecure IDS. The primary aim of the router, firewall, and IDS training is to give the SAs and NMs hands-on training with these network security tools so that students know the tools' capabilities, although not necessarily how to use a specific tool or application.

The main goal of the SAs and the NMs courses is to educate and train SAs and NMs in how to secure their information system platforms and networks. A secondary goal is to give students additional resources and reference material to help them secure their information systems at their duty stations. To support this secondary goal, in addition to the 2 weeks of training, each student is given handouts including an NT security checklist and a UNIX security checklist, along with a CD that includes all class material and additional references and sources. The CSS has trained more than 1,000 personnel to the Phase 2 IA security certification level.

All three of the courses described above are continually changing because of the rapid changes occurring in operating systems, security tools, and regulations. The CSS remains committed to providing these courses, keeping them up to date, and helping SAs and NMs win the IA battle.

Major … Hoyt may be reached at ….

DISA IPMO Products Promote Information Assurance Worldwide
Edward Smith

The Defense Information Systems Agency (DISA) Information Assurance Program Management Office (IPMO) produces award-winning interactive CD-ROMs and videos for use by information assurance (IA) professionals throughout the Department of Defense (DOD) and the Federal Government. With titles like Operational Information Systems Security (OISS), CyberProtect, and Federal INFOSEC Awareness, these CD-ROMs seek to enhance computer security awareness across all levels of every government agency at no cost to the user. More than 175,000 of these products have been disseminated since July 1997.

Several IPMO products have been nominated for industry awards. CyberProtect was a big winner, taking two of NewMedia magazine's 1999 Gold Invision Awards (Best Overall Design and Technical Training) and the 1999 Cinema in Industry (CINDY) Competition Silver Award. CyberProtect also received a favorable review in Federal Computer Week in December 1999.

DISA and other defense organizations use a combination of OISS, INFOSEC Awareness, and CyberProtect in the Level 1 certification of their system administrators. In fact, these products have been so successful in reaching and educating the end user that several Federal agencies have tailored IPMO CD-ROMs for use in their organizations.

Figure: CyberProtect

New products are in the works, including Secret and Below Interoperability (SABI) and UNIX Security for System Administrators. These new courses will be Web delivered, cutting down on distribution costs and giving users
instant Internet access to the information and to product updates.

Finally, the IPMO has developed an on-line automated product order form that will allow paperless receipt and distribution of products. To order, the user simply fills out the form at our Web site and submits the order electronically to our shipping department. In most cases the order will be sent out within a few hours. Best of all, the user can track the progress of the shipment using his or her order number or E-mail address. To order CD-ROMs and videos at no charge, or to obtain a complete list of product descriptions, visit our new Web site at ProductOrder.html or use the order form on the next page.

DOD INFOSEC Training and Awareness Products Order Form

INFOSEC Program Management Office, 5113 Leesburg Pike, Suite 110, Falls Church, VA 22041-3204, Attn: Product Distribution. Commercial …, DSN 761-…, Fax 703-581-1386, E-mail DODIAETA@ncr.disa.mil.

How did you hear about our products? [ ] World Wide Web [ ] Word of Mouth [ ] Homepage [ ] Conference [ ] Class [ ] Other (specify)

Customer Information: Name, Title, Date, Command/Org/Agency/Dept, Mail Code, Phone, DSN, Address, Fax, City, State, Zip, E-Mail. NOTE: If you have ordered IPMO products before and your address has changed, mark here [ ].

Mark appropriate organization: [ ] OSD [ ] Joint Staff [ ] CINC (specify) [ ] Army [ ] Navy [ ] Marines [ ] Air Force [ ] Coast Guard [ ] Defense Agency (name) [ ] Non-Defense Agency (name) [ ] Government Contractor (agency contracting with) [ ] Other

Products are unclassified and available at no cost. Videos may be reproduced for government use only without further permission.

Multimedia CD-ROMs (select one or more):
- Federal INFOSEC Awareness, v1.0
- Operational Information Systems Security (OISS) Vols. 1 and 2, v1-2 (set of two)
- Fortezza Installers Course for Windows NT 4.0, v1
- Introduction to the DITSCAP
- Information Age Technology
- IA for Auditors and Evaluators
- Designated Approving Authority (DAA) Basics, v1
- CyberProtect, v1 (New)
- System Administrator Incident Preparation and Response (SAIPR) for Windows NT, for System Administrators (New)

Videos:
- Understanding PKI (DOD, 13 min)
- Networks at Risk (NCS, 10 min)
- Information: Front Line IW (IC, 10 min)
- Bringing Down the House (11 min)
- Computer Security 101 (DOJ, 11 min)
- Computer Security: The Executive Role (DOJ, 9 min)
- Safe Data: It's Your Job (DOL, 19 min)
- Think Before You Respond (US Gov, 3 min)
- Protect Your AIS (US Gov, 6 vignettes)
- Protect Your AIS: The Sequel (US Gov, 30 min)
- Dr. Stroye (US Gov, 8 min)
- The Scarlet … (US Gov, 7 min)
- Exploring … (10 min)

Upcoming Products: Information Operation Fundamentals (Winter 99, Multimedia CD-ROM)

Leveraging the Institution
Mr. Robert P. Thompson, Director, IATAC

- What kind of documents do you collect?
- How do I find out about inquiries you've processed?
- What scientific and technical information (STI) has been developed through the TAT program?

These questions have been generated by our users as they seek answers to their Information Assurance (IA) requirements. To support our users' demand for additional IA information, IATAC has introduced two new products to promote current awareness of IATAC products and services: the Collection Acquisitions CD-ROM and the Quarterly Bulletin.

IATAC is chartered to collect IA-related STI. Our collection activities are focused on an established set of resources from the research and development, policy, acquisition, and operational communities that have traditionally produced IA-related STI. In an effort to transfer that knowledge to the IA community, IATAC has generated a CD-ROM of new acquisitions to the IA collection. Produced on a bi-annual basis, the initial Collection Acquisitions CD-ROM includes:

- Joint Vision 2020
- Kosovo After-Action Report
- Information Assurance: Legal, Regulatory, Policy and Organizational Considerations (Joint Staff)
- Defense in Depth Brochure
- Defending America's Cyberspace: National Plan for Information Systems …, and …
To obtain a copy of the IA Collection Acquisitions ROM simply complete the IATAC order form page 39download and complete the product form on the IATAC home page Information Analysis Cen- ters IACs are structured such that other organizations can leverage the results of pre- 3 Number 4 viously acquired STI resulting from the inquiry process and the technical area task TAT program The STI developed in response to technical inquiries are entered into the acquisition holdings for further access and use by other organizations with similar technical questions In addition the products devel- oped through the TAT program are entered into the acquisition holdings and can be leveraged by other DOD users to address their IA requirements Sec ondary distribution of TAT products are processed in ac- cordance with distribution statements To further dissemi- nate information developed through the inquiry and TAT programs IATAC is producing the Quarterly Bulletin that pro vides a summary of inquiries and identifies new STI devel oped through the TAT program Contact IATAC via Email at iatac@dtic mil to be added to the distribution list for the Quarterly Bulletin The IATAC Collection Acquiw sition and the Quar- terly Bulletin are a result of continuing examina tion of ways to better support the IA Community and our continuing resolve to Sup- port the Warfighter Hiac dtic milliatac WM-ev Visualization Technologies State of the Art SOAR Report his report provides a syn- opsis of the information visualization industry the in dustry's associated technolo- gies and visualization method ologies It is written for a broad audience principally for those unfamiliar with this technolo- gy new to the industry or seeking visualization capabili- ties for the first time This re port is written for system users Visualization is by nature user centric Visualization tech- nologies for example allow users to interact with informa tion systems Therefore users must first understand what vi sualization is 
what its capabili ties and restrictions are and what ideas factor into its use This SOAR should help read ers decide whether visualiza- tion is appropriate to their needs determine what types of visualization technologies are available and relevant and for mulate possible strategies for implementing a visualization solution To order this report and our other products com plete the form on page 39 EA Metrios RITA This report establishes the fundamentals of metrics devel opment methodology and met- rics program establishment It answers the following ques- tions - What are IA metrics http lliac dtic milliatac - Why do organizations need them - How can they be used - What is the process for devel oping IA metrics - What are some of the IA met rics already and what are their weaknesses - What is the future direction for IA metrics This report is intended to further facilitate the IA metrics discussion within the IA com munity assist organizations in developing IA metrics and pro vide guidance to organizations about how to establish their IA metrics programs It provides examples of specific metrics that can be derived using the proposed methodology The re- port also describes several on going metrics development collection and application ef- forts A database of metrics col lected from multiple sources is available from IATAC IAnewsIetter Defense in Depth CRITA This report describes the im pact of evolving technology on the defense in depth strategy The execution of the strategy requires a sig nificant num ber of different security and networking technologies This report fo- cuses on exam- ining the trends and giv- ing an over View of the rel evant technologies It reviews the strategy and discusses its implementation in the Defense Information Infrastructure DII Key elements of the strategy and current imple- mentation of the strategy are discussed Volume 3 Number 4 38 Data Mining CRITA This report provides an overview of data mining tech niques applications and COTS 
data mining software products Data mining is used to discover previously unknown and mean- ingful relationships by sifting through large amounts of stored data Data mining has applica- tions in marketing information assurance risk management and fraud management To help users select a product that best meets their objectives data min ing tool evaluation criteria are provided A table summarizing the features of available prod- ucts is also provided Data Embedding for IA SCAR Provides an assessment of the state of the art in data embed- ding technology and its applica- tion to IA It is particularly rele- vant to information providers concerned about intellectual property protection and access control information con sumers who are concerned lAnewsletter - Volume about the security and validation of critical information and law enforcement military and cor- porate organizations concerned about efforts to communicate covertly The report has been specifically designed for readers who are not experts in data em bedding For more in depth in- formation the bibliography pro vides an extensive list of authoritative sources from which the reader can obtain ad- ditional technical detail Computer Foren- sics Tools and Methodology This report provides a com parative analysis of currently available software tools used in computer forensic examina- tions It provides a useful intro- duction to this speci c area of science and offers practical high-level guidance on how to respond to computer system in- trusions This report provides a useful analysis of specific prod ucts including their respective capabilities unique features cost and associated vendors Malicious Code Detection SCAR This report includes is a tax- onomy for malicious software providing a better understand ing of commercial malicious software An overview of the state of-the art commercial prod- ucts and initiatives as well as fu ture trends is presented The re port presents observations and assertions to support the 
as it grapples with this problem en- tering the let century This re port is classi ed and has a limit ed release 3 Number 4 right as at mummy Masada-int Rum Biometrics Finger print Identi cation Systems Focuses on fingerprint bio metric systems used in the veri- fication mode Such systems often used to control physical ac cess to secure areas also allow system administrators access control to computer resources and applications Information provided in this document is of value to anyone desiring to learn about biometric systems The contents are primarily intended to assist individuals responsible for effectively integrating finger print identification products into their network environments to support the existing security policies of their respective orga nizations Order Form on Page 39 Iliac dtic milliatac - Li LP IMPORTANT NOTE All IATAC Products are distributed through DTIC If you are NOT a registered DTIC user you must do so PRIOR to ordering any IATAC products TO REGISTER ON- LINE dtic mil dtic re rocess html Name DTIC User Code Organization Ofc Symbol Address Phone E-mail Fax Organization CI YES CI NO If NO complete LIMZTED section below LIMITED In order for organizations to obtain LIMITED DISTRIBUTION products a formal written request must be sent to IAC Program Of ce ATTN Sherry Davis 8725 John Kingman Road Suite 0944 Ft Belvoir VA 22060-6218 Contract No For contractors to obtain reports request must support a program be veri ed with COTR COTR Phone IA Collection Acquisitions CD- ROM LII June 2000 Critical Review and Technolo Assessment Reports Biometrics Computer Forensics CI Defense' In Depth Data Mining CI IA Metrics Modeling Simulation IA Tools Report Firewalls Intrusion Detection 2nd Ed Vulnerability Analysis 2nd Ed State- of-the-Art Reports SOARs CI Data Embedding for Information Assurance CI Visualization Technologies Malicious Code Detection TOP SECRET Ci Security POC Security Phone UNLIMITED DISTRIBUTION Newsletters Limited number of back issues 
available Ci Vol 1 No 1 CI Vol 1 No 2 CI Vol 1 No 3 Vol 2 No 1 Vol 2 No 2 soft copy only Vol 2 No 3 Vol 2 No 4 El Vol 3 No 1 CI Vol 3 No 2 Ci Vol 3 No 3 CI Vol 3 No 4 Please list the Government that the product s will be used to support Once completed fax to IATAC at 703 289 5461 IAnewsletter Volume 3 Number 4 3% http Iliac dt ic milliatac September 1344 25 28 27 -28 Geteber 3w5 calendar J j i If Biometric Consortium 2000 Conference Gaithersburg MD affairs confpage 000913 htm e-Gov 2000 Alexandria VA Second Annual Commonwealth of Virginia information Technology Symposium Lexington VA Held at the Virginia Military Institute information User's Conference San Antonio TX POC Kari Garcia 210 977 2870 DSN 969 Information Assurance Technology Analysis Center 3190 Fairview Park Drive Falls Church VA 22042 November 8 9 12 13 The Hacker Phenomenon Toots and Penetration Techniques Atlanta GA Do Security Managers Conference Williamsburg VA Fhircl information Survivability Workshop Boston MA Sponsored by Computer Society and the US State Department Army IA Industry Days 2000 Hilton Hotel City VA at Reagan National Airport POC Mr Zadil Ansari 703 604 6865 DSN 664 Users Forum Las Vegas NV