IA Newsletter, Vol. 2, No. 3, Winter 98/99
The Newsletter for Information Assurance Technology Professionals

Report documentation: Report date: Winter 98/99. Report type: Newsletter, Vol. 2, No. 3. Performing organization: Information Assurance Technology Analysis Center (IATAC), 3190 Fairview Park Drive, Falls Church, VA 22042. Sponsoring/monitoring agency: Defense Technical Information Center, 8725 John J. Kingman Rd., Suite 944, Ft. Belvoir, VA 22060. Distribution/availability statement: Approved for public release; distribution is unlimited. Subject terms: Information Security, Information Assurance, Information Warfare. Security classification of report, of this page, and of abstract: Unclassified. Limitation of abstract: None.

Abstract: IA Newsletter is published quarterly by the Information Assurance Technology Analysis Center (IATAC). IATAC is a DOD-sponsored Information Analysis Center administratively managed by the Defense Technical Information Center (DTIC), Defense Information Systems Agency (DISA). This issue continues the focus on current information assurance initiatives underway within academia and industry. In addition, an overview of the current collection of anti-virus tools is provided. Also featured in the issue: CINC, USACOM; Service, U.S. Army; Systems Command, NAWCAD; Perspective, Sandia National Labs; Academia, Purdue University; Industry, Harris Corporation.

Editor: Robert Thompson
Creative Director: Robert Weinhold
Information Collection: Alethia A. Tucker
Inquiry Services: Kim Heanue

Inquiries about IATAC capabilities, products, and services may be addressed to Robert Thompson, Director, IATAC, 703 289 5455.

We welcome your input. To submit your related articles, photos, notices, feature programs, or ideas for future issues, please contact IATAC, ATTN: Christina McNemar, 3190 Fairview Park Drive, Falls Church, VA 22042. Phone: 703 289 5454. Fax: 703 289 5462. STU-III: 703 289 5467. E-mail: iatac@dtic.mil.

Contents
- Joint Task Force for Computer Network Defense
- CINC, USACOM: Information Assurance Certification Program, by Captain Roderick Johnson
- Service, DISC4: Information Systems Security: The New Arms Race for the Information Age, by Mr. Phillip Loranger, COL Michael Brown, and COL John Deal
- Systems Command, NAWCAD: Risk-Based Decision Making, by Gary Lohman, Ph.D.
- Government R&D Labs, Sandia National Labs: Sandia Researches the Next Generation of Security Engineering Tools, by Rick Craft
- Academia, Purdue University: Educating the Next Generation of Computer Security Specialists, by Sofie [...]
- Industry, Harris Corporation: Exactly How Secure is Your Computer?, by William Wall
- INFOSEC Training & Awareness Products
- IA Tools Summary
- Providing New IA Support to the Warfighter
- Order Form
- Anti-Virus Tools: What's New
- Anti-Virus Tools Report Now Available to Registered DTIC Users
- Calendar

About the Cover: The JTF-CND is collocated with the Global Operations and Security Center (GOSC) in Washington, DC.

Joint Task Force for Computer Network Defense
Lieutenant Colonel Robert J. Lamb, DISA

Information superiority, the ability to collect and process an uninterrupted flow of information while denying the enemy the ability to do the same, is not a new concept for the Department of Defense (DOD). The increased use of and dependence on computer technology to access and protect this information, however, is making the task of maintaining information security far more complex than before.

The DOD, like other public and private sector communities, is a computer-dependent organization. The Defense Information Infrastructure (DII) and the DOD computer networks that control and operate within it are becoming increasingly vulnerable to electronic attacks. This information superhighway is becoming a cyber battlefield where the protection afforded by previous traditional geographical boundaries is diminished, and a threat to one DOD computer system is potentially a threat to all DOD computer systems.

Recognizing this threat, the DOD created the Joint Task Force-Computer Network Defense (JTF-CND), the first DOD organization of its kind, to be the department's focal point for the defense of its computer systems and networks. Following an extensive review of the proposed location, mission, and organization, it was decided to locate the JTF-CND in Washington, DC, with the Defense Information Systems Agency (DISA) as its
supporting agency. This would allow the JTF-CND to be collocated with DISA's Global Operations and Security Center (GOSC) and to leverage DISA's existing global presence with the unified commands, its established liaisons with the law enforcement community, and its network operational view, intrusion analysis, and core technical capabilities.

The JTF-CND is under the command of Air Force Maj. Gen. John H. Campbell (pictured above). Defense Secretary William Cohen assigned the JTF-CND the following mission: subject to the authority, direction, and control of the SECDEF, JTF-CND will, in conjunction with the unified commands, Services, and agencies, be responsible for coordinating and directing the defense of DOD computer systems and computer networks. This mission includes the coordination of DOD defensive actions with non-DOD government agencies and appropriate private organizations.

With the JTF-CND's location, command, and mission in place, the Director, Joint Staff (DJS) directed that a working group be formed, composed of representatives from the military services, Joint Staff, Defense agencies, and unified commands. These experts were asked to further refine the mission; help determine mission organizational functions, command relationships, budget, and manpower authorizations; and lastly develop the concept of operations (CONOP) for the JTF-CND.

In August the working group began meeting daily to build the JTF-CND. The group agreed to several key assumptions:
- DISA would support the JTF-CND and provide administrative, resource management, logistical, and public affairs support. The JTF-CND would not be a deployable asset.
- The JTF-CND would depend on intelligence community support.
- Initial operational capability (IOC) was established for 30 December 1998, requiring at least 10 personnel, and would need to fulfill 7 of the 11 mission organizational functions.
- Full operational capability (FOC) would need to be achieved no later than 6 months after IOC.

The working group's first task was to further develop the 11 mission organizational functions. Those functions included key responsibilities such as determining whether the DII was under a strategic attack, determining the impact an attack could have on military operations, coordinating and directing actions to stop, contain, and restore DoD's critical networks, and assessing the effectiveness of computer network attack restoration actions.

Figure 1. JTF-CND Organization (organization chart: Commander, Staff Judge Advocate, and staff directorates).

Given the assumptions, mission organizational functions, and large area of responsibility (AOR), the working group then determined the organization's personnel structure (see Figure 1). The group decided that the JTF-CND would have 24 people, which included traditional staff components. The small number of personnel assigned to the JTF-CND dictated that some of the traditional staff elements be combined and that DISA employees provide administrative, resource management, logistical, and public affairs support. It was determined that the JTF-CND would also have its own Staff Judge Advocate to remain current with the laws affecting information operations, intelligence oversight, and counter-intelligence, including domestic and international laws affecting information defense options.

The working group's greatest challenge was defining how the JTF-CND would actually conduct its mission to coordinate and direct the computer network defense of the DII. There were several issues to consider. First, the JTF-CND had a unique DOD mission that did not correlate well to the traditional JTF structure. For example, the JTF-CND reported to the Secretary of Defense, not a commander-in-chief (CINC), and was analogous to a supporting command. Second, the AOR crossed traditional unified command and military service and agency geographical boundaries. The JTF-CND, although responsible for CND throughout the DII, would not direct a CINC how to defend that CINC's networks within his or her AOR. Third, the identification of forces (Service components) was unknown. That particular challenge extended to the Services, as each grappled with selecting a force that could blend a network operation with intrusion analysis and network defense. All were available, but not within the same command structure.

With these challenges identified, how will the JTF-CND execute its mission? First, the JTF-CND will leverage existing capabilities through a host of agencies and organizations, particularly the DISA GOSC and its standing relationships within the CND community. The GOSC's intrusion detection and analysis through its Automated System Security Incident Support Team (ASSIST) will serve as the immediate technical arm of the JTF-CND. The JTF-CND and the GOSC sharing the same location will ensure a close working relationship and provide for the further leveraging of all technical capabilities throughout DISA. The J3 (Director of Operations) will coordinate with the National Military Command Center (NMCC) and the operation centers in the unified commands to ensure CND efforts are coordinated with ongoing military operations and that planning and course of action development are conducted with a detailed view of existing operations and plans. Similarly, the Director for Plans and Exercises will reach out to the commander-in-chief information operations cells and the National Coordinating Center for Telecommunications of the National Communications System. The J2 (Director for Intelligence) will pull existing intelligence products throughout the intelligence community, including those available from the National Security Agency, the Defense Intelligence Agency, the military services, and the National Infrastructure Protection Center (NIPC).

Operating on a 24-hours, 7-days-a-week basis, the JTF-CND will fuse the operational, intelligence, and technical view of computer networks riding the DII. In turn, the JTF-CND will develop and promulgate cohesive and coordinated CND solutions to mitigate and defeat computer network attacks on the DII. The speed of attacks, the boundless nature of cyberspace, and the challenges of identifying the enemy demand that the JTF-CND work in near real-time to accomplish its mission.

Although many questions still must be answered and new procedures established, the DOD is committed to defending its computer networks and gaining and maintaining information superiority. And today the JTF-CND can help lead this crucial fight.

Lieutenant Colonel Lamb received his BS in General Engineering from West Point and an MS from the University of South Carolina. He is currently the Defense Information Systems Agency liaison to the Joint Task Force for Computer Network Defense.

USACOM Information Assurance Certification Program
CPT Roderick Johnson, USACOM

At U.S. Atlantic Command (USACOM) Headquarters, the Information Assurance (IA) Branch, established in November 1997, is responsible for ensuring the availability, integrity, confidentiality, non-repudiation, and authentication of collateral automated information systems (AIS) and the information within those systems in support of command, control, communications, and computers. As the number of Department of Defense (DOD) systems interconnected through local and wide area networks increases, so do the opportunities for concerted attacks against USACOM AIS assets. To protect command systems and the data they contain from being exploited, the IA Branch has developed training programs, invested in intrusion detection tools, developed security policies, and created an IA Certification Program. For a truly effective security program, all these aspects of protecting computer systems must be consistently used throughout USACOM. Additionally, the cooperation of all command personnel is required to
protect the integrity of shared data. To highlight one of the ways the IA Branch is maintaining USACOM's AIS security posture, this article focuses on the IA Certification Program.

HOW THE IA CERTIFICATION PROGRAM WORKS
The IA Certification Program is mandatory for all assigned users and system administrators (SA) and is divided into the following three courses:
- New Users: addresses the local area network operating environment, e-mail transmissions, and various application software programs, along with physical and system security.
- Security Refresher: includes current security information along with information gathered from various computer security updates.
- System Administrators: follows an intense training track involving computer-based training (CBT) modules and a skill-level checklist.
The following paragraphs overview each course.

NEW USERS COURSE
New users are required to view the Information Security (INFOSEC) Awareness CBT compact disc (CD). The INFOSEC CBT CD is distributed by the Defense Information Systems Agency (DISA) and contains information on public law, information security, malicious logic, and external threat methodologies and techniques, along with the individual's role and responsibility in protecting information available through computer systems. For the New Users course, USACOM has incorporated the information contained in the INFOSEC CBT CD with an instructor-led class, certification testing, and the requirement for all new users to sign a letter acknowledging their roles and responsibilities for protecting the security of the systems to which they have been granted access. Before new users are issued a certification certificate, they must complete each part of the New Users course.

SECURITY REFRESHER COURSE
Users who commit serious security violations (sharing passwords, misclassifying documents) are required to retake the certification test required of all new users (described in the course above) and to attend the Security Refresher Course. Their network accounts are locked until they successfully complete the process for recertification.

SYSTEMS ADMINISTRATORS COURSE
Various military exercises have revealed the need to ensure consistent, verifiable skill sets for individuals who function as systems administrators in the system security arena. USACOM developed procedures for SA certification based on Interim Guidance. For the Systems Administrators course, SAs are required to complete Operational Information System Security CBT Volumes I and II in addition to the DOD INFOSEC CBT. The additional CBTs address several topics, including legal and regulatory issues, security incidents, trusted systems, workstation security, network security, risk management, and auditing. Additionally, SAs, along with their supervisors, are required to complete a Job Qualification Requirements (JQR) checklist, which identifies the SA's skill level in performing necessary tasks on the USACOM systems. The checklist, in conjunction with the CBTs and the SA-signed letter of acknowledgement, is a key factor of USACOM's SA certification process.

USACOM's Certification Program is only the first step of many to bring security to the forefront in our information-dependent environment. All must understand that it takes a coordinated effort by all to protect our information networks.

Captain Johnson received his BS in Computer Science from North Carolina State. He is currently the Communications and Computer Systems Information Officer in the Information Assurance Branch.

Information Systems Security: The New Arms Race for the Information Age
Mr. Phillip Loranger, COL Michael Brown, COL John C. Deal, DISC4

When Almon B. Strowger was an undertaker in Kansas City in 1889, he discovered a local telephone operator was compromising his funeral business. Apparently, each time prospective customers called the local telephone operator to inquire about available undertakers, the operator, who happened to be the girlfriend of Strowger's local competition in the undertaking business across town, would direct them to her friend. In response, Strowger decided to create an automatic switchboard that would eliminate all operator intervention; that is, he set out to remove human access to the control of the switch mechanism. Not only did the first Strowger Switch go into commercial operation in the United Kingdom in 1892, but also many remain in operation today. [1]

The key point behind Strowger's invention, to deny human access to the control of the information system, remains a critical aspect in protecting modern data networks from being compromised by hackers. Unfortunately, protecting today's data network architecture, in which control pathways are mixed with communications pathways and global systems are increasingly interconnected via the Internet, is a far more complicated task than isolating one circuit switch as Strowger did. Modern data networks are based on information packets that are exchanged between the elements that compose the network. These various commands originate from both client terminals and server terminals, including packet data switches, and instruct the network when to set up a connection, tear down a connection, transfer a file, allow remote interaction, etc. The vulnerability this open architecture creates is that a hacker need only compromise one of these commands to gain access to an information source connected to a network. When this exploitation has occurred, the entire network becomes vulnerable to further attacks.

Now consider that about 3 million computers and 20 million users compose the Internet. Daily, an increasing number of business and financial processes and services are automated. These new networks are continually placed on the World Wide Web. The current metric is that this global network of networks is doubling every 8 months. The high degree of interoperability of this burgeoning network is achieved via an established and mandated set of protocols specified by the Internet Architecture Board. The enforcement mechanism applied is simple: if you bring your network to the Internet, it either complies with these protocols or it doesn't connect.

This ever-increasing reliance on data networks by the corporate world, small businesses, and governmental agencies is creating an environment where organizations' data networks are becoming increasingly interconnected. This exponential growth in interconnects in turn creates more available pathways for hackers to exploit. Thus, the dilemma facing the corporate world, small business, and government is how to balance the openness of today's networks with security. These opposing concepts have created an environment in which hackers are continually developing new ways to exploit data networks while network administrators are scrambling to develop additional ways to protect these same networks. The result is a new arms race for weapons that will either penetrate or protect networks. The irony of conducting such a race in today's new information age is that in many cases the Web itself, with more than 30,000 sites devoted to how to exploit data networks, offers would-be hackers a wealth of easy-to-access information on attacking computer systems.

HOW HACKERS OPERATE
Hackers begin their attack by first conducting a reconnaissance of their target networks using common hacking tools such as:
- WHOIS: gathers information from the InterNIC
- DNSLOOKUP: identifies associated network systems
- FINGER: identifies users and accounts
- NetScan: provides a suite of information gathering tools
- WhatsUp: provides a network mapping and monitoring utility
- Strobe: provides an automated port scanning tool
Each of these tools is easily obtained at no cost via the various hacker Web sites. The only exception is NetScan, which costs about $30. Yet hackers can always use another tool to bypass the need for proper
registration and avoid paying this fee.

After conducting their reconnaissance, hackers then exploit the network they've chosen to attack by compromising common protocols that are built into the target network itself (File Transfer Protocol (FTP), Remote Shell (RSH), and Trivial File Transfer Protocol (TFTP)) in an attempt to capture the password file. The located password file is then cracked using a software tool such as John the Ripper, the latest password-cracking software on the market. At this point the hacker achieves root access and super user privileges and creates a backdoor account into the network so the hacker can reenter the network at any time without detection. Finally, the hacker covers his tracks by eliminating all traces that he has manipulated the system, except for the presence of the innocuous backdoor. [2]

WHAT NETWORK ADMINISTRATORS CAN DO TO PROTECT THEIR NETWORKS
Without question, the best defense against hackers exploiting known vulnerabilities in a network is for network administrators to exercise good password management. But what readily available defensive tools do network administrators have at their disposal to ensure this? Consider the following security techniques:
- To limit access, servers can contain lists of authorized users and their passwords, so that to connect to the server a client must enter an authorized UserID and password.
- To ensure UserIDs and passwords are not sniffed by hackers during the login process, Secure Socket Layer (SSL) can be employed. Most network and Web servers support connections over SSL, which encrypts the session from the user's Web client to the Web server. This occurs before any user login or data transfer process begins. It protects the login process and the data transferred to and from the Web server. Unfortunately, the encryption algorithms used are not robust enough for classified material and can be broken by off-line processing in as little as 3 days using machines that cost as little as 250K.
- To limit access to all registered hosts and workstations in a specific Internet domain, most Web server software has a configuration option that implements Reverse DNS Lookup. When any Internet client connects to an Internet server, the connection process provides the server the IP address and hostname of the Internet client. Reverse DNS Lookup takes the provided IP address and queries the domain name server to get the hostname. If the DNS lookup process is successful, it indicates that the client is a domain member (a member of ARMY.MIL) and the IP address and hostname match, a crude form of identification and authentication of the Internet client. Only if the Reverse DNS Lookup is successful is the client allowed to access the Web server application on the Internet server.
- To further restrict access, a list of authorized IP networks or individual IP host addresses can be created. This list of allowed and denied addresses can be entered at the Web server. For UNIX machines, a TCP Wrapper or a hosts.deny list can be used. For NT Servers running Microsoft Web Server, this technique is managed through the Web software.
- To authenticate users to Web servers, user-level X.509 certificates can be used in place of UserID/passwords. These certificates provide a more scalable solution than creating individual accounts on each Web server.
- To limit who (by UserID) can access a file, many operating systems allow files to have assigned Access Control Lists (ACL). If a user login is used, ACLs can further restrict access to areas on the Web server to authorized users.
- To further limit who sees what on a Microsoft Web server, Microsoft offers Active Server Pages (ASP), which allows each Microsoft Web page to be dynamically created depending on who is signed on. Because this tool is for Microsoft products only, it should be used with caution and not considered a standard means to protect Web access.
- For Windows NT servers, user access can further be restricted to specific hours and days of the week. If this tool is enabled, specific UserIDs can access the Web server only during specific time periods.

In addition to these techniques, network administrators can build far more elaborate network security architectures. For example, Intrusion Detection Software (IDS) systems will constantly screen all Internet Protocol (IP) traffic for unauthorized entries. To achieve this, IDS scans data traffic for profiles within data packets that indicate hacker activity. These packages are normally installed on a workstation connected to a device known as a security router, which routes all IP traffic to the IDS. The IDS system is installed where the private network connects to the public Internet. Firewalls, which are designed to deny entry by unauthorized users, can also be installed at network entry points or in front of a server with company-sensitive information. Other evolving capabilities include public key infrastructure (PKI), which uses public and private keys for all data transactions over the Internet or within an Intranet, and virtual private networks (VPN), which literally create a private network within a public network.

Overall, defensive measures can be divided into three parts: prevention, detection, and response (or reaction). Prevention consists of procedural fixes such as passwords, user certification, and firewalls, as well as both physical and personal security measures. For example, awareness training among a company's workforce can be highly effective in building defenses against breaches of security. Detection of intrusion can be achieved either by constantly reviewing systems logs for unauthorized activity or by installing IDS systems that can be connected to alarm and alert notification systems. Finally, responses consist of timely activities such as:
- Changing all password files
- Requiring all users to re-authenticate
- Rerouting data traffic
- Tightening IP filters and firewalls
- Enforcing certificate revocation
- Taking the system down and rebooting it
- Disconnecting a network completely from all external networks
This last response, the most extreme measure of all, works for external attacks but not internal attacks. Tracking an insider is both easy and challenging: easy because the attacker is contained and can be traced, and challenging because this attacker usually possesses inside information; he or she knows the network and all its faults and traps.

THE CATCH-22 IN DEFENDING NETWORKS FROM HACKER ATTACKS
Ultimately, the same sophisticated technologies available to network administrators are also available to hackers. Consequently, as defensive measures are enhanced, so are the tools of the hacker trade. The recently released Back Orifice by the Cult of the Dead Cow, for example, represents a significant threat to existing defensive capabilities. This tool was revealed at a hacker convention called DEFCON 6.0 from August 1 to 2, 1998. The convention is an annual gathering of about 2,500 active anarchists and hackers from around the United States and is organized by personnel of several information technology vendors, most headquartered in the Washington, DC area. The significance of this tool is that the product works effectively against all Microsoft operating systems, with a version expected soon to work against Unix operating systems. It is designed to be used by people of little technical capability and can be sent to a system as a software upgrade to any Microsoft operating system. It is only 123 kilobytes in size and can be totally configured to include name and port of operation, and appended to any application on the system. When it is attached, the infected system acts as a client to the program and full operation of the system belongs to the sending server. The only systems that cannot be affected are those that never connect to the Internet. [3]

(Article continued.)

Sidebar (statistics accompanying the article):
- Forty-three percent of organizations that experienced a security breach said it cost them more than $5 million. (AXENT SWAT Team)
- Companies will spend $6.3 [...] this year and nearly $13 billion [...]. (Information Security News; Dataquest)
- [...] than 600,000 sites devoted to [...].
- About 25 percent of all attacks are denial of service. One of the most popular hacker attacks remains denial of service initiatives that disrupt phone banking, e-commerce, and other key infrastructure services but do not actually steal any electronic data.
- One of the easiest ways to gain access to information is to get a job: 44 percent of computer security breaches are from unauthorized employee access to information.
- The threat from outside the company has skyrocketed: 54 percent of companies report that their Internet connection is a frequent point of hacker attacks.
- Sixty-four percent of companies reported security breaches between March 1997 and February 1998. Seventy-two percent of these reported computer breaches caused financial losses or damages. (Computer Security Institute)
- The number of Internet users rose more than 150 percent last year, with more than 130 million users already online. (IDC Research) In addition, the number of remote access users will grow from more than 15 million in 1997 to more than 54 million users by the year 2002. (Gartner Group)
- More than 250,000 laptop computers were reported stolen in 1996, representing a 27 percent increase from 1995 and a loss of more than $800 million in hardware and software assets. (Safeware Insurance)
- Arrests for computer crimes skyrocketed 950 percent, from four in fiscal 1996 to 42 in fiscal 1997. Convictions increased 88 percent, from 15 to 30. (FBI reports)

INFOSEC Training & Awareness Products

Operational Information Systems Security (OISS), Vol. 1
This interactive CD-ROM provides the user with an introduction to OISS, including its definition, evolution, and legal and regulatory issues associated with OISS. Topics covered include threats to information systems security, examples of security violations, incident
indicators and reporting procedures, trusted systems, and the certification and accreditation of systems. The roles and responsibilities of the ISSO, ISSM, SISSM and SDSO are discussed. In addition, users may perform exercises at the end of each module to test their comprehension. A glossary of terms and points of contact within the INFOSEC community are provided for reference. This product is based upon the NSA course ND225, Operational Information Systems Security. 1998 EMMA Award nominee.

Operational Information Systems Security (OISS), Vol. 2. This interactive CD-ROM continues with OISS, including workstation, network and storage media security, as well as malicious activity, risk management and auditing. Topics covered include workstation and operating system basics; network basics, including vulnerabilities, examples of violations, and security services, devices and types; handling of storage media security; malicious code, including the spread, detection and prevention of malicious code, with an emphasis on viruses; fundamentals of risk management; and auditing goals. In addition, users may perform exercises at the end of each module to test their comprehension; these can be linked to your Web site for testing purposes. A glossary of terms and points of contact within the INFOSEC community are provided for reference. This product is based upon the NSA course ND225, Operational Information Systems Security.

DOD INFOWAR Basics. This interactive CD-ROM defines Defensive Information Warfare and details its evolution. Basic principles of INFOWAR are discussed, as well as user roles and responsibilities. Points of contact within the Information Assurance community are provided.

DOD INFOSEC Awareness. This interactive CD-ROM explains the need for information systems security and cites recent examples of security violations. The user will learn the definition of INFOSEC, public laws relevant to INFOSEC, and government policies pertaining to INFOSEC. Other topics covered include external threats to information security, the evolution of INFOSEC, user roles and responsibilities, and malicious logic. A glossary of terms and a directory of where to find help within the INFOSEC community are provided for reference.

Federal INFOSEC Awareness. This interactive CD-ROM explains the need for information systems security and cites recent examples of security violations. This product is intended for a Federal, non-DOD audience. The user will learn the definition of INFOSEC, public laws relevant to INFOSEC, and government policies pertaining to INFOSEC. Other topics covered include external threats to information security, the evolution of INFOSEC, user roles and responsibilities, and malicious logic. A glossary of terms and points of contact within the Federal INFOSEC community are provided for reference. 1998 New Media Invision Award nominee.

Introduction to the Defense Information Technology Security Certification & Accreditation Process (DITSCAP). This interactive CD-ROM provides the user with an overview of the DITSCAP, including its definition, the evolution of information systems security, and roles and responsibilities. Modules 2 through 5 cover Definition, Verification, Validation and Post-Accreditation. All modules include an overview of the topics covered, a description of process activities, and individual, team and group roles and responsibilities.

Information Age Technology. This interactive CD-ROM includes an overview of basic information technology infrastructures such as the Defense Information Infrastructure (DII), National Information Infrastructure (NII), Global Information Infrastructure (GII) and Intelligence Information Infrastructure. Topics covered include considerations in information transportation such as speed, throughput, security, cost and distance. Various types of media for sending messages across the information infrastructure are also discussed. One module highlights the hardware and resources
used to support the information infrastructures, with an emphasis on communication devices used to access, process and transmit in- (continued on page 20)

Gary E. Lohmann, Naval Air Warfare Center, Aircraft Division

Do you feel secure in your decisions? There are many descriptive and prescriptive theories for risk-based decision making. The kernel of these theories is a drive towards security, as measured by reasonable assurances in conjunction with acceptable risks. Such security is a relative feeling or perception of comfort that differs among people and situations, thus giving rise to fundamentally different decision-making styles. Specifically, some decision makers take greater risks while other decision makers seek greater assurances. Good decision makers tend to be skilled at both assessing risks and managing assurances. Based on this understanding of decision-making styles, the term security can be readily defined as follows: Security is a level of confidence based on both the assurance that a system can perform as required and the risk-related certainty that a system will perform as required, given the inherent, dynamic threat environment in which the system exists. In short, security is the intersection of "can" and "will," as depicted by the Venn diagram in Figure 1.

Figure 1. Security as the intersection of Assurance (can) and Certainty (will).

Accurate information is essential for making good decisions. Decisions are in essence conclusions drawn from information derived from the decision-making processes. Data feeding into the decision processes derive from the business operations, specifically from the information-in-operations, as well as the intelligence and counterintelligence processes. Inherent in business operations information, for example, are the notions of quality and configuration control information, along with both internal and external competitive forces and trends. Consequently, decisions resulting from such information tend to be directive in nature,
feeding back into the business operations through the established business processes of the particular business or organization.

The evolution of technology and the drive of competitive forces in the 20th century, however, have drastically transformed business processes, operations and organizational structures across industrialized societies. These factors have propelled business systems along an evolutionary path of automation, federation and now integration. Integration goes beyond connecting automated processes, systems and businesses across common infrastructures: it dictates that these components share common information across the common infrastructures to create effective value chains in product development. In this environment, information dominance and infrastructure superiority are essential foundations for conducting integrated business operations.

Well-integrated information operations (IO) provide the functional information link within business operations between the input and output of the decision process. Figure 2 depicts this information perspective of the decision process: information assurance (IA), information warfare (IW) and information-in-operations form the three functional groups under the IO umbrella within business operations. Further division of these functional groups depends on the specifics of a particular organization's business operations as defined through the business value chain supporting the product development cycle. Applying this to the Department of Defense would entail a detailed analysis of the coupled life-cycle acquisition, support and crisis response processes across CINCs, Services and Agencies, as applied to products such as humanitarian aid, peace-keeping or peace-making, and is thus outside the scope of this article.

The net effect of this development on today's decision-making process is an increased reliance on closely coupled long- and short-term decisions in maintaining an active business stability in an
information-rich, highly changeable environment. This is in direct contrast to traditional business stability achieved by the inertia of hierarchical organizational structures, redundant processes, etc. Active stability equates to rapid and deliberate decision making based on the near-real-time coupling of information to and from the business operations. The fundamental decision process has thus not changed, but our active reliance on the process has dramatically increased within the information age, and this has fueled the interest in risk-based decision-making methods.

STEADY STATE

For every situation, some minimum acceptable security exists, based on some measure of assurance and some measure of certainty (risk). Figure 3 relates this concept to a heuristic minimum of acceptable security. As the figure of merit indicates, the ideal decision case is one of perfect assurance and perfect certainty; the realistic decision cases, however, tend to be within the acceptable certainty (risk) and reasonable assurance ranges. The figure of merit applies the Venn-diagram definition of security (Figure 1) as the product of assurance and certainty. Assuming these are normalized quantities defined on the interval [0, 1], certainty can be interpreted as the relative absence of risk, or simply 1 − Risk. Consequently we obtain a rather elegant algebraic expression for security:

    Security = Assurance × Certainty = Assurance × (1 − Risk) = Assurance − Assurance × Risk

That is, security is defined by the assurance less that portion of assurance sacrificed through risk. Zero risk, which corresponds to a threat-free environment, implies that our security is defined simply by assurance, our confidence that the system can perform. Conversely, total risk of unity (i.e. Risk = 1) would completely sacrifice the assurance and yield zero security, as one would expect.

Short-term or tactical decisions are generally made in direct response to a perceived threat. The acceptable risk, given a threat scenario, with respect to the minimum acceptable security in light of defined assurance can thus be characterized as follows. The degree of risk can be characterized through a simple figure of merit, illustrated in Figure 4, based on the product of impact and vulnerability:

    Risk = Impact × Vulnerability

As the heuristic maximum risk acceptance curve in Figure 4 suggests, high impact coupled with low vulnerability, or high vulnerability coupled with low impact, are both of lesser concern than a moderate impact combined with a moderate vulnerability. Because human nature tends to lead us to focus on extremes, either in terms of impact or vulnerability, we usually ignore the more common moderate-moderate situations in between. Not only can these in-between situations be more disconcerting, but their underlying causal relations can result in domino effects within the middle region that further enhance the expected concavity of the risk acceptance curve in the figure of merit. As the additional Venn diagram in Figure 4 indicates, vulnerability itself can be viewed as a compound quantity obtained from assessing potential system weaknesses weighted by the estimated probability or frequency of exploitation, based on an underlying understanding of threat. Vulnerability can thus be interpreted as a weighted measure of likelihood. Impact, however, relates to the potential result of sacrificed assurances. Consequently, defining security at any point in time relies on assessing "have" and "sacrificed" assurances relative to required assurances. Two key sets of metrics, required assurances and applicable threats, emerge as central to making tactical decisions based on the time-slice perspective of security.

Required assurances and applicable threats are both related to the mission and vision of the respective organization. Consistently successful decision makers usually have a firm grasp of their vision in terms of goals and the critical success factors that determine how well the goals are being achieved. The point of
identifying required assurances is to define the set of criteria representing both the necessary and sufficient assurances relative to the critical success factors. In this way we focus on correctness rather than completeness. Necessary assurances for business operations include functionality, reliability, survivability, maintainability, affordability, etc. Sufficiency of each of these assurances can be ensured by mapping the defined criteria to the assurance services of confidentiality, integrity, availability, accountability, etc. Based on an assurance matrix of the required criteria, assurances can be parameterized and weighted. An assessment at any point in time relative to this matrix yields the "have" and "sacrificed" assurances with respect to the required assurances. In terms of the previously derived definition of security, this yields a relation of the following form.

Required assurances and applicable threats are closely related and must in practice be developed and assessed concurrently. Threat scenarios must be developed based on motives, methods and opportunities consistent with the required assurances, but also from the perspective of the threat agent. For tactical decisions made in response to a threat, it is the probabilistic likelihood that is crucial to the decision maker, thus yielding the following tactical decision-making figure of merit.

Antivirus Tools (see What's New on page 22 for summary and ordering information)

    Product                                   Company
    Quick Heal                                Cat Computer Services
    Command Antivirus                         Command Software Systems, Inc.
    InoculateIT                               Computer Associates
    VFind Security Toolkit                    Cybersoft
    Wave Anti-Virus                           Cybersoft
    F-Secure Anti-Virus                       Data Fellows
    Adinf                                     Dialogue Science
    Dr Web                                    Dialogue Science
    EMD Armor                                 EMD Enterprises
    ESafe Protect Enterprise                  Esafe Technologies
    ESafe Protect Gateway                     Esafe Technologies
    (product name not legible)                ESET
    AVG Anti-Virus System                     Grisoft
    IRIS Antivirus Plus                       IRIS Antivirus
    Antiviral Toolkit Pro                     Kaspersky Labs
    VirusBuster                               Leprechaun Software
    Virus ALERT PC                            Look Software
    ScanMaster for Server                     Netpro
    ScanMaster for NT                         Netpro
    Dr Solomon's Anti-Virus Toolkit           Network Associates, Inc.
    McAfee VirusScan                          Network Associates, Inc.
    NetShield NT                              Network Associates, Inc.
    Invircible                                NetZ Computing
    ResQProf                                  NetZ Computing
    Norman Virus Control                      Norman Data Defense Systems
    ThunderBYTE                               Norman Data Defense Systems
    DisQuick Diskettes                        OverByte Corporation
    Panda Antivirus                           Panda Software
    Protector Plus                            (not legible; "for Windows 95/98, NetWare and NT")
    DiskNet                                   Reflex Magnetics
    MIMEsweeper                               Content Technologies, Inc.
    VirusNet LAN                              Safetynet
    VirusNet PC                               Safetynet
    AVAST                                     Securenet
    System Boot Areas Anti-Virus / Crash Recovery   (not legible)
    Sophos Sweep                              Sophos Software
    Integrity Master                          Stiller Research
    Antigen 5 for Lotus Notes                 Sybari
    Antigen 5 for Microsoft Exchange          Sybari
    Norton Anti-Virus                         Symantec Corporation
    InDefense                                 Tegam International
    OfficeScan                                Trend Micro
    ServerProtect                             Trend Micro
    VET Anti-Virus                            VET Anti-Virus Software Pty Ltd

TIME-INTEGRATED DECISION MODEL

The deliberate decision process guarantees a decision made by a defined decision authority, as opposed to a decision reached by committee. The deliberate decision process has always been an important asset of the military, based on the concept that it is riskier not to make a decision (and allow the decision to be made for you) than to risk making a wrong decision. The timely availability of information, combined with the ability to interpret the information in terms of required assurances and probable risks, are the keys to making consistent tactical decisions using the steady-state decision model. Furthermore, seldom does the outcome of a situation depend on a single decision. Consistency may not guarantee that every decision will be correct, but it will guarantee the likelihood of the expected outcome, leveraged across the individual decisions of a common strategy. The time-slice or instantaneous notions of assurance and
risk are important for individual tactical decisions, but the time-integrated perspective becomes essential for strategic decisions. Decisions are discrete in nature. If we consider the security resulting from a typical decision as a function of time, we note that security, due to inherent uncertainty, starts out comparatively low but increases to a level at which point in time the real benefits from the decision can be harvested. Due to an inherently changing environment (decreasing assurance with increasing risk), security will tend to decrease after some point in time without re-evaluation and correction of required assurances with respect to new and evolving threats. This re-evaluation and correction of required assurances forms an important basis for strategic or long-term decisions. Strategically, it is important to make the long-term decisions before the major decrease in security occurs, so as to allow a transition without a significant decrease in security prior to some sunset point. In this way the tactical decisions become intimately coupled with the strategic decisions within the overall framework of the organization's vision and the evolution of an inherent threat environment. Figure 5 shows this strategic perspective by considering such long-term decisions as investments. In terms of assurances, the required, "have" and "sacrificed" factors are all time-dependent. Similarly, threats and subsequently vulnerabilities can also be expected to evolve over time. Finally, note that the initial reinvestment security in Figure 5 is higher than the initial investment security, so that the algebraic sum of the ongoing investment security and the reinvestment security at every point in time stays within the minimum acceptable security level. Too early or too late reinvestment results in insecurity, similar to late transitions and sunsets. The overall investment strategy must be in line with acceptable minimum security and consistent with the
overarching vision.

TAKE HOME

It is generally held that people both fear and dislike change. Yet good decision makers are able to embrace change and harness its potential to their advantage. Effective and consistent decision making depends on a systemic method for interpreting assurance and risk in such a way as to leverage tactical decisions within a strategic framework. Well-planned strategic decisions in conjunction with properly leveraged tactical decisions are the key to smooth sailing through risky waters. In the end, decision making is neither as precise as a science nor as subjective as an art form, but it is a statistically predictable skill that anyone can, in principle, master.

Gary Lohmann is ...

Sandia Researches the Next Generation of Security Engineering Tools

Security engineering as it is practiced today is largely a manual process. Although software tools do exist to automate some portion of the security-engineering life cycle, none yet support the full spectrum of activities that can be performed when securing a system. In general these tools are based on an oversimplified view of the system, assume that known vulnerabilities are the only avenues of attack open to an adversary, and tend to apply safeguards in a prescriptive fashion that fails to account for both the unique aspects of the system at hand and the hidden costs associated with selecting specific safeguards. Although these tools are useful as far as they go, they are also dangerous if trusted blindly. Because security engineering is a manual process, it is also time-consuming and expensive. Further, it can be an error-prone process, because the quality of the process' results is often directly related to the expertise of the analyst securing the system. At the core of these problems is the reality that security engineering is still more art than science.

For these reasons, in 1996 Sandia National Laboratories began to investigate the development of an open framework that would integrate
all the activities associated with the engineering of secure systems. As it was conceived, this framework would support the analysis and safeguarding of multi-technology systems, not just information systems, and would allow a broad range of security engineering tools to be used in a mix-and-match fashion.

After studying many of the methodologies used both inside and outside the information security community, the research team formulated an approach to security engineering that unified various security engineering methods by means of an explicit system model. In this approach the system is modeled as a collection of cooperating components. These components can represent tangible items such as computers, people or buildings, or abstract entities such as mission-level functions or software processes. In building the model, the analyst documents how the various components in the system being assessed influence one another and how each component reacts under various influences. Component vulnerabilities are treated as extensions to the component's behavior. Threat agents and safeguards are treated as additional system components that send, receive or block flows in the system. Attacks are defined as the series of component interactions that connect initiating events with undesired outcomes within components or flows between components. Given the system model, analyses consist of selecting a point in the system model to investigate and then slicing out of the system model those parts of the model that affect the selected point, either directly or indirectly, or those parts that are affected by the selected point. The research team showed that such analysis can be done automatically with the help of software tools and can be used to support several flow-based analysis techniques, such as fault-tree analysis or failure modes and effects analysis.

Rick Craft, Sandia National Laboratories

To assess the feasibility of this security-engineering approach, the
research team produced a prototype tool kit in 1998, based in part on the Rational Rose CASE tool. This work is continuing in the context of a source code assessment tool being developed at Sandia. By the end of FY99 the research team expects to deliver a first version of the source code assessment tool kit, which will include the ability to model the software system's context (the external, non-software devices with which the software interacts) and to assess the system and its context as a whole. The final version of this tool kit is expected to be ready by the end of FY01.

Although Sandia's research has pointed the way to the next generation of security engineering tools, the research has also highlighted several problems for which the security community currently has no good answers. Any organizations wishing to discuss the results of this research or the problems identified can contact the author at 505-844-8873 or rlcraft@sandia.gov.

Rick Craft is a senior member of the technical staff at Sandia National Laboratories, where he has worked since ... He holds an MS in electrical engineering and has spent the majority of his career in system analysis and software engineering. Since 1992 he has worked as a security ... in the Information Systems Security ... and as part of Sandia's Design Assurance Red Team activity.

The Next Generation of Computer Security Specialists
by Sofie ..., Purdue University

The public perception of computer security is shaped by sensationalism such as computer virus scares and stories of teenagers breaking into sensitive military systems, Professor Eugene Spafford, Director of the Center for Education and Research in Information Assurance and Security (CERIAS) at Purdue University, Indiana, states, but information and computing security is far more complex than that and involves disciplines including sociology, criminology, political science, ethics, management and economics. That's why CERIAS (pronounced "serious") takes a multidisciplinary approach to information protection. With nearly 20 faculty members from eight Purdue departments and the aim to work with researchers in industry, government and other academic institutions worldwide, CERIAS is devoted to tackling areas of information security and assurance from various perspectives, including:

- Computer and network security
- Communications security
- Public policy regarding information security
- Information management and policy development
- Social, legal and ethical aspects of information use and abuse
- Economics of information assurance
- Electronic commerce security
- Risk management for computing systems and networks
- Awareness and training methods for INFOSEC professionals
- Computer crime investigation and response
- Information warfare issues

The center, which was founded in May 1998, leverages the resources of Purdue's Computer Operations, Audit and Security Technology (COAST) laboratory. Spafford established the COAST laboratory in 1992 to meet the growing need for research and education in the information security arena. Since then the COAST laboratory has designed and developed many widely used tools and education materials in computer security, operating systems and software engineering. Government agencies, businesses and academic institutions worldwide have hailed these products as models for their usefulness. Today COAST works as a partner with the newly established center. Because of its association with CERIAS, COAST is now one of the largest academic computer research groups in the world. Additionally, many of the CS-specific laboratory efforts of COAST have become CERIAS efforts, providing these existing efforts with access to a greater resource base than before. Information security is the combination of computer security and communications security; unfortunately, little educational infrastructure exists for training people to deal with these issues, and none take a
broad view of the problems involved, states Spafford. In addition to its inclusion of COAST resources and faculty, CERIAS, through its center status, can leverage resources and staff from any department or school. According to Spafford, "No other place in the world is taking the big picture that we do."

CERIAS, given its broad resources and the established reputation of COAST, has already attracted professors and students from 13 countries. In addition, 40 percent of the students are female. The diversity of the faculty and students in CERIAS is reflected in its numerous ongoing COAST research topics, which span from intrusion detection, firewall and software evaluation, authentication and security archives to vulnerabilities database and testing. The following paragraphs describe some of these efforts.

DEVELOPING A DIFFERENT APPROACH TO INTRUSION DETECTION

Intrusion detection (ID) is a field within computer security that has grown rapidly during the last few years. The AAFID (Autonomous Agents for Intrusion Detection) project focuses on improving ID methods. Traditional intrusion detection systems collect data from one or more hosts and process the data on a central machine to detect anomalous behavior. This approach, however, prevents scaling of the IDS to a large number of machines because of the storage and processing limitations of the host that performs the analysis. The AAFID architecture uses many independent entities called autonomous agents, which work simultaneously to perform distributed ID. Each agent monitors certain aspects of a system and reports anomalous behavior or occurrences of specific events. For example, one agent may search for incorrect permissions on system files, another agent may search for improper configurations of an FTP server, and yet another may search for attempts to perform attacks by corrupting the ARP (Address Resolution Protocol) cache of the machine. The results the agents produce are collected on a per-machine level, permitting
the correlation of events reported by different agents that may be caused by the same attack. Furthermore, reports produced by each machine are aggregated at a higher, per-network level, allowing the system to detect attacks involving multiple machines. The AAFID group consists of 10 graduate and undergraduate students within the COAST laboratory. They released a prototype implementation that can be found at the AAFID project web page (.../projects/autonomous-...).

(Screenshot: the AAFID monitor console, showing agent messages and status.)

Tripwire

One of COAST's better known projects is Tripwire; it was primarily a project of Gene Kim and Professor Spafford. The product is now the most widely deployed intrusion detection security tool worldwide. Tripwire is an integrity monitor tool for Linux and Unix systems. It uses message digest algorithms to detect tampering with file contents, as might be caused by an intruder or a virus. In December 1997 Visual Computing Corporation obtained an exclusive license from Purdue University to develop and market new versions of the product. For more information visit ...curity.com.

Underfire

Underfire is an ongoing project started in 1997. The Underfire team consists of seven COAST students. The purpose of the team's efforts is to gain direct experience in installing, evaluating, configuring and using different firewall systems, to investigate new technologies for network perimeter defenses, including next-generation networks such as ATM, and to investigate the integration of host- and network-based security mechanisms with network perimeter defenses. The Underfire team's goal is to create an architecture for automated firewall testing. The final product will be an engine that will test a firewall without human interaction. This will be achieved with a modular system composed of an engine, a packet sniffer and
scripted attacks. The engine will execute the attacks and use the packet sniffer (or other networking protocols) to test the success or failure of each attack. Finally, a report may be generated automatically that will explain the weak points of the firewall based on the attack data. The Underfire team, having finished its design and initial implementation of the engine, is scripting known attacks. The automatic report generator will need to be completed in the future. Until now Underfire has taken only protocol-level attacks into account; a future step will be to extend testing to the application level, such as RPC and X11. For more information see ...

Achieving Next Generation Authentication

Using biometric devices and tokens such as smart cards and iButtons, several research and application development projects are being conducted in the COAST laboratory to develop ways to authenticate users to systems. The first method is to standardize a common programming interface utilizing a PC/SC-compliant smart card resource manager, written in ... and libraries based on the Public Key Cryptography Standards (PKCS) and PKCS-15 specifications. The resource manager allows secure remote authentication by using secure channels to communicate between multiple resource managers. The resource manager will be used to develop many applications, including secure login (ssh, xlock, ftp, telnet, etc.), using pluggable authentication modules (PAM) along with smart card security. Additionally, students are in...

Providing New IA Support to the Warfighter
by Robert P. Thompson, Director, IATAC

To support emerging warfighter Information Assurance (IA) needs, IATAC has initiated efforts to create two technical reports supporting critical information assurance technologies: a state-of-the-art report (SOAR) on Data Embedding for Information Assurance, and a critical review and technology assessment report on Computer Forensics Tools and Methodology. Each report aims to provide the warfighter with a broader understanding of its subject matter,
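The component-and-flow system model described in the Sandia article earlier on this page (components; directed flows between them; vulnerabilities as extensions of a component's behaviour; threat agents and safeguards as further components that send, receive or block flows; attacks as chains of interactions from an initiating event to an undesired outcome; and analysis by slicing the model around a chosen point) can be made concrete in a few dozen lines. What follows is an added illustration written for this edition, not Sandia's tool kit or code from the article. The toy network, the vulnerability labels and the rule that a hop compromises its destination only when the destination has a vulnerability reachable over that flow's label are all assumptions made for the example.

```python
"""Toy component/flow security model (added illustration, not Sandia's tool kit).

Assumptions made for this example:
- A flow is a labelled, directed edge (src -> dst, label), e.g. ("attacker", "web", "http").
- A component's vulnerabilities map an inbound flow label to a vulnerability name;
  an adversary who controls an inbound flow with that label gains control of the
  component (the vulnerability extends the component's behaviour).
- A safeguard is a component that blocks specific flows.
"""
from collections import defaultdict, deque


class SystemModel:
    def __init__(self):
        self.kinds = {}                  # component name -> "component" | "threat_agent" | "safeguard"
        self.flows = defaultdict(dict)   # src -> {dst: set(labels)}
        self.vulns = defaultdict(dict)   # component -> {inbound label: vulnerability name}
        self.blocked = set()             # flows (src, dst, label) blocked by safeguards

    def add_component(self, name, kind="component", vulns=None):
        self.kinds[name] = kind
        if vulns:
            self.vulns[name].update(vulns)

    def add_flow(self, src, dst, label):
        self.flows[src].setdefault(dst, set()).add(label)

    def add_safeguard(self, name, blocks):
        """A safeguard is itself a component; `blocks` is a set of (src, dst, label)."""
        self.kinds[name] = "safeguard"
        self.blocked.update(blocks)

    def _out(self, node):
        return [(dst, lbl) for dst, lb in self.flows.get(node, {}).items() for lbl in sorted(lb)]

    def _in(self, node):
        return [(src, lbl) for src, dsts in self.flows.items()
                for dst, lb in dsts.items() if dst == node for lbl in sorted(lb)]

    def slice(self, point, direction="backward"):
        """Components that affect `point` (backward) or are affected by it (forward),
        directly or indirectly, following every flow regardless of vulnerabilities."""
        step = self._in if direction == "backward" else self._out
        seen, queue = set(), deque([point])
        while queue:
            for nxt, _ in step(queue.popleft()):
                if nxt not in seen and nxt != point:
                    seen.add(nxt)
                    queue.append(nxt)
        return seen

    def attack_paths(self, agent, target):
        """Every simple chain of interactions from threat agent `agent` that ends with
        control of `target`.  A hop (src -> dst, label) succeeds only if the flow is
        not blocked and dst has a vulnerability reachable over `label`."""
        found = []

        def walk(node, visited, path):
            for dst, lbl in self._out(node):
                if dst in visited or (node, dst, lbl) in self.blocked:
                    continue
                vuln = self.vulns.get(dst, {}).get(lbl)
                if vuln is None:          # the interaction does not compromise dst
                    continue
                hop = (node, dst, lbl, vuln)
                if dst == target:
                    found.append(path + [hop])
                else:
                    walk(dst, visited | {dst}, path + [hop])

        walk(agent, {agent}, [])
        return found


def build_example():
    """Constructed toy system: an Internet attacker, a DMZ web server, a database,
    a user workstation and the file store holding the mission data."""
    m = SystemModel()
    m.add_component("attacker", kind="threat_agent")
    m.add_component("web", vulns={"http": "CGI input-handling flaw"})
    m.add_component("db", vulns={"sql": "over-privileged application account"})
    m.add_component("workstation", vulns={"smtp": "macro-enabled mail attachment"})
    m.add_component("filestore", vulns={"nfs": "world-exportable share",
                                        "smb": "guest write access"})
    for src, dst, lbl in [("attacker", "web", "http"), ("attacker", "workstation", "smtp"),
                          ("web", "db", "sql"), ("db", "filestore", "nfs"),
                          ("workstation", "filestore", "smb")]:
        m.add_flow(src, dst, lbl)
    return m


def describe(paths):
    """Render each attack path as 'component[label: vulnerability] -> ...'."""
    return [" -> ".join(f"{h[1]}[{h[2]}: {h[3]}]" for h in p) for p in paths]


if __name__ == "__main__":
    model = build_example()
    print("affects filestore:", sorted(model.slice("filestore")))
    print("affected by web:", sorted(model.slice("web", "forward")))
    for line in describe(model.attack_paths("attacker", "filestore")):
        print("attack:", line)
    # Add a safeguard (a mail gateway blocking the attacker's SMTP flow) and re-analyse.
    model.add_safeguard("mail_gateway", {("attacker", "workstation", "smtp")})
    print("after safeguard:", describe(model.attack_paths("attacker", "filestore")))
```

The backward slice of the file store is exactly the set of components whose compromise could reach it, which is the input an analyst would feed into a fault tree; the attack-path enumeration shows why the article treats safeguards as components rather than as a property of the asset: adding the mail gateway removes one path without touching any other component's model, and patching a vulnerability (deleting its label from the component) is the other edit that prunes paths.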
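The integrity-monitoring idea behind Tripwire, described in the CERIAS article earlier on this page (record a baseline of message digests for the files you care about, then detect tampering by recomputing and comparing), as an added example written for this edition, not Tripwire's own code. It snapshots a directory into a baseline of size, permission bits and a SHA-256 digest per file (the choice of SHA-256 and of those three attributes is this example's, not the article's), simulates an intruder's changes on constructed sample files in a temporary directory, and reports which files were added or removed and which attributes changed.

```python
"""Tripwire-style file integrity check (added illustration, not Tripwire's code).

Assumptions: the baseline records size, permission bits and a SHA-256 digest per
regular file; the sample files are constructed in a temporary directory."""
import hashlib
import os
import stat
import tempfile

ATTRS = ("size", "mode", "sha256")


def file_record(path):
    """Attributes whose change we want to notice for one regular file."""
    st = os.lstat(path)
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return {"size": st.st_size, "mode": stat.S_IMODE(st.st_mode), "sha256": h.hexdigest()}


def snapshot(root):
    """Baseline: relative path -> record, for every regular file under root."""
    records = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            if os.path.isfile(full) and not os.path.islink(full):
                rel = os.path.relpath(full, root).replace(os.sep, "/")
                records[rel] = file_record(full)
    return records


def compare(baseline, current):
    """Added and removed files, plus, for surviving files, which attributes differ."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    changed = {}
    for path in sorted(set(baseline) & set(current)):
        diffs = [a for a in ATTRS if baseline[path][a] != current[path][a]]
        if diffs:
            changed[path] = diffs
    return {"added": added, "removed": removed, "changed": changed}


def _write(root, rel, data, mode=0o644):
    full = os.path.join(root, rel)
    os.makedirs(os.path.dirname(full), exist_ok=True)
    with open(full, "wb") as f:
        f.write(data)
    os.chmod(full, mode)


def demo():
    """Constructed scenario: take a baseline, then simulate an intrusion and re-check."""
    with tempfile.TemporaryDirectory() as root:
        _write(root, "bin/login", b"original login binary\n")
        _write(root, "etc/passwd", b"root:x:0:0:root:/root:/bin/sh\n")
        _write(root, "etc/hosts", b"127.0.0.1 localhost\n")
        baseline = snapshot(root)

        # Simulated tampering: a trojaned binary of identical size (only the digest
        # reveals it), a permission change, a deleted file and a dropped tool.
        _write(root, "bin/login", b"trojaned login binary\n")
        os.chmod(os.path.join(root, "etc/passwd"), 0o666)
        os.remove(os.path.join(root, "etc/hosts"))
        _write(root, "bin/.rootkit", b"#!/bin/sh\nexec /bin/sh\n", mode=0o755)

        return compare(baseline, snapshot(root))


if __name__ == "__main__":
    report = demo()
    for path in report["added"]:
        print("ADDED  ", path)
    for path in report["removed"]:
        print("REMOVED", path)
    for path, diffs in report["changed"].items():
        print("CHANGED", path, ",".join(diffs))
```

The trojaned binary is deliberately the same length as the original so that size alone would miss it; only the digest comparison catches it. In a real deployment the baseline (and the checker itself) must live on read-only or offline media, since an intruder who can rewrite the baseline can hide any change.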
enabling the warfighter to apply that knowledge when executing his or her IA roles and responsibilities. The following paragraphs briefly describe each report.

DATA EMBEDDING FOR INFORMATION ASSURANCE

This SOAR introduces data embedding, assesses the state-of-the-art technologies in various data embedding applications, and examines the IA applications of data embedding technologies. The introduction to data embedding reviews relevant terminology, offers a historical perspective of steganography and digital watermarking, and describes in detail the types and uses of data embedding. A state-of-the-art assessment is provided for the following applications: steganography and covert communications, information protection, intellectual property protection, and defenses and attacks. The report examines IA applications of data embedding, such as technologies and applications that may pose a specific threat, those that have an offensive application, and those that may be used for defensive measures.

COMPUTER FORENSICS TOOLS AND METHODOLOGY

This report introduces computer forensics, protocols and procedures, and forensic tools. The introduction to computer forensics examines legal requirements and reviews traditional computer crimes (crimes of commerce, violence) and new crimes (telecommunications fraud, computer intrusion). Protocols and Procedures details the computer forensic process, including acquisition issues, examination variants, and examination output utilization. Commercial-off-the-shelf (COTS) and government-off-the-shelf (GOTS) forensic tools are assessed regarding their ability to support evidence preservation and collection activities. The report also identifies analysis tools that support data recovery, pattern and string matching, and file and file type identification. The SOAR on Data Embedding for Information Assurance and the report on Computer Forensics Tools and Methodology are scheduled for release in March 1999. For more
information on available technical reports, contact IATAC at 703-902-3177 or via e-mail at iatac@dtic.mil.

... Is Your Windows NT ...
by William Wall, Harris Corporation

A new security tool available from Harris Corporation's Electronic Systems Sector (Harris) may help users detect, analyze and correct known security vulnerabilities associated with the Microsoft Windows NT operating system. The Security Test and Analysis Tool (STAT) uses a database of more than 350 NT vulnerabilities that have been verified and tested in Harris software laboratories to identify existing vulnerabilities in a user's NT network. With STAT, users can assess vulnerabilities in a single computer, multiple computers or an entire domain. Additionally, via an annual subscription service available from Harris, users can electronically update the STAT database as new security vulnerabilities are identified, patches are released and enhancements to the functionality of the tool are made.

How STAT works

STAT automatically installs itself on a server or workstation and queries the network to determine which domains and hosts are present. Users then choose whether to operate STAT across single or multiple domains. STAT then identifies nodes by name, address and operating system. After the domain has been identified, the program can assess either individual hosts or the entire domain for security vulnerabilities. The default configuration tests for all vulnerabilities currently available in the STAT database; however, configuration files allow users to select specific vulnerabilities that they would either like to test or ignore for a particular assessment.

When the test is complete and vulnerabilities have been detected, an analysis detailing the security vulnerabilities is provided. The analysis includes the name of the identified vulnerability and its description and risk level. The analysis also offers a solution to correct the vulnerability and links to related web sites and Microsoft Knowledge Base articles. Fixes can be implemented manually or by an auto-fix feature. After a fix is implemented for a particular vulnerability, users can immediately retest that vulnerability to ensure the fix was successful. STAT also lets users compare previous and current assessments to identify any changes that may have occurred. Following the analysis, a report of the domain and host status can either be printed or exported and saved as a text file that can be viewed with any text viewer. Users can format the reports to include selected hosts or entire domains. Users can also customize these reports to create a view of the network's status that is appropriate for executives, supervisors or technicians.

For more information, visit our website at ...line.com for a product overview. This web site also features a security article of the week, frequently asked questions, and links to other computer security sites.

William Wall is a senior computer security engineer at Harris. He received his BS in Physics from ... and his ... from the Air Force Institute of Technology. He is a retired Air Force ... and has been a security analyst for the Air Force ... and NASA.

The New Arms Race (continued from page 8)

Next year another DEFCON convention will be held, and still more new weapons will be released. Although the outcome of our information-age arms race is yet to be determined, vigilant and relentless application of the defensive measures described in this article will go a long way toward thwarting malicious attacks. Continued research and development of new technologies such as VPN and PKE also promise significant protection in the near future. In the end, however, all these modern technologies are still based on denial of human access to the control pathways of a computer network, once again reinforcing how Strowger's concept from 100 years ago remains our best defense today.

ENDNOTES

1. Freeman, Roger L., Telecommunication System Engineering, 3rd Ed., John Wiley & Sons, Inc., 1996, p. 101.
2. Meinel, Carolyn P., "How Hackers Break In... and How They Are Caught," Scientific American, October 1998, pp. 98-105. This edition provides a number of excellent articles on network security, including new defensive tools being implemented and in development; see pages 98-117.
3. Interview with Mr. Phil Loranger, GS-14, Chief, C2 Protect Division, Office of the Director of Information Systems for Command, Control, Communications and Computers, Headquarters, Department of the Army, 10 Army Pentagon, Washington, DC 20310-0107, 30 November 1998. Mr. Loranger was a government participant at DEFCON 6.0.

Mr. Loranger is the Army DISC4 Command and Control Protect division chief for the development of the Army's Command and Control Protection program. He received his B.S. in Business Administration and Management from the University of Maryland and a Master of Technology with a concentration in Information Security from Eastern Michigan University. Colonel Mike Brown is the Director of the Information Assurance Office of the Director of Information Systems for Command, Control, Communications and Computers (DISC4). Colonel John Deal is the Executive Officer for the Director of Information Systems for Command, Control, Communications and Computers (DISC4).

Information Age Technology (continued): ...formation across telecommunications systems. Another module discusses transportation modes for information flow via local area networks (LANs), metropolitan area networks (MANs) and wide area networks (WANs). Finally, a module on information flow discusses tools for managing network resources. Examples and real-life analogies are given throughout the presentation. The Resources section contains several web sites to learn more about topics discussed in this CD-ROM.

Information Assurance (IA) for Auditors & Evaluators. This interactive CD-ROM begins by identifying, categorizing and detailing examples of computer crime. Topics of IA covered include threats, countermeasures, confidentiality, integrity and
availability risk and risk management and the of net worked systems Laws and directives related to IA are also discussed Overviews of certification 8 accredi- tation and the DITSCAP are encap- sulated in one module Additionally there is a module on reiiability risk data testing general controls appli- cation controls access controls re- porting on evidence and key steps in assessing reliability Finally there is an in-depth interactive practical exercise that allows the user to as- sess reliability risk examine system controls and determine the degree of data testing required The user will use information presented in a fictional animated film to follow the audit trail of a rogue's missile pur- chases using techniques learned in this CD-ROM A glossary and re- sources section is included in this product FORTEZZA Instaliers Course for in- dows NT This interactive CD- ROM is designed to pro- gigging 5 vide installers with a basic level of instruc- tion needed to install card readers card drivers and FORTEZZA enabled applIcatIons on PCs running WindoWs NT Topics covered include concepts of PC card technology including PC card hosts and sockets mechanical electrical aspects and software and PC card use and compatibility The installa- tion of PC card readers and drivers is also covered The user will learn about FORTEZZA installers con- cepts security algorithms security services and certifi- cates as well as FORTEZZA applica- tions such as MS ArmorMall and Secret Agent The final lesson is a diagnostics and troubleshooting session that allows the user to prac- tice problem resolution Networks at Risk A lO minute video produced by NCS that deais with hackers net- work intrusion and computer secu rity in the workplace Topics cov ered inciucie the selling of electron ic information prevention of net work intrusions password protec- tion and the importance of auditing network security Protect Your AIS A 15-minute video containing six iNFOSEC-related dramatizations of security 
concerns in the workplace These sketches demonstrate the need for password protection virus prevention user ID security and controlled access to computer equipment The Information Fr ontline A 30-minute video on Defensive Information Warfare aware ness that demonstrates how infor mation is easy to exchange but diffi cult to protect the types of WV threats that exist and the vuinera- of information systems Also describes inteliigence agencies that perform functions Bringing Down the House A 30 minute video describing various hacker intrusions and how they relate to information Warfare The main portion of the video cov- ers how hackers use the informa ten- r gik w Computer Security TOT DOJ John Walsh of America's Most Wanted hosts this 11 minute video about safeguarding computer infor- mation Three aspects of computer security are disci _issed sensitive in- formation what kind of informa tion needs to be protected risk management reasons why com- puter security is in'iportant and ac- countabii ity assuming ty for protecting ones sconiputei Computer Security The Executive Role This 9 minute video stresses the need to protect information terns at ali ievels of government The user should be aware that the Office of Management and Budget OMB has classified ali federal in- formation as sensitive To this end steps to secure workspaces and protect data are deiineated Topics covered include the Computer Se- curity Act of 1987 types of threats to information tems and risk management Understanding PKI DOD This 13-minute video introduces the concept of Public Key infra- structure PKI and how it can be used to ensure the security and pri- vacy of cyber based transactions Topics covered include examples of how PKI works why it is necessary to protect the Defense information Infrastructure DH and Nationai information infrastructure N I I and how it ensures the confidential- ity integrity nonrepudiation and authentication of electronic mes- sages through digital signatures 
Exploring MISSI

This 10-minute video describes a framework for systems security across the Defense Information Infrastructure (DII) and the National Information Infrastructure (NII). Steps that have been taken to ensure the integrity and safety of information are discussed.

DOD INFOSEC Training and Awareness Products Form
[Order form; most field contents are illegible in this scan. Recoverable items: mailing information (Name, Title, Date, Address, City, State, Zip, E-mail); "How did you hear about new products?"; product check boxes for the CD-ROMs and videos listed above; "Add me to Mailing List", "Remove me from Mailing List", "Address Change". Products are unclassified and available at no cost.]

Vulnerability Analysis Tools Report

This report provides an index of vulnerability analysis tool descriptions contained in the IA Tools database. It summarizes pertinent information, providing users with a brief description of available tools and contact information. It currently contains descriptions of 35 tools that can be used to support vulnerability and risk assessment.

Modeling & Simulation Technical Report

This report describes the models, simulations and tools being used or developed by selected organizations that are chartered with the IA mission. Data collection efforts focused on the current definitions of Information Operations, Information Warfare and IA as described in Directive S-3600.1, Information Operations, and Chairman Joint Chiefs of Staff Instruction 6510.1A, Defensive Information Warfare Policy. In addition, the definitions prescribed by DMSO for model and simulation were used to determine what entities should be included in this IA models, simulations and tools report.

Intrusion Detection Report

This report provides an index of intrusion detection tool descriptions contained in the IATAC IA Tools Database. Information was obtained via open source methods, including direct interface with various agencies, organizations and vendors. Research for this report identified 43 intrusion detection tools currently employed and available.

Other Products

IA Anti-Virus Tools Report now available to registered DTIC users. The report provides an index of anti-virus tools that are contained in the IATAC IA Tools database. Each entry provides an overview of the product as well as contact information. Research for this report entailed reviewing various journals and open source data. A total of 60 tools were identified and are currently available in the commercial marketplace. The products listed have all been tested on various platforms, to include DOS, Windows, Windows 95, Windows 98, Windows NT Workstation, Windows NT Server, OS/2 Warp and Netware. For instructions on obtaining a copy of the report, refer to the IATAC Product Order Form opposite on page 21.

COMING IN MARCH
Data Embedding for Information Assurance
Computer Forensics Tools and Methodology

Malicious Code Detection State-of-the-Art Report (SOAR)

This SOAR includes a taxonomy for malicious software to provide the audience with a better understanding of commercial malicious software. An overview of the current state-of-the-art commercial products and initiatives, as well as future trends, is presented. The same is then done for the current state-of-the-art in regards to DOD. Lastly, the report presents observations and assertions to support the DOD as it grapples with this problem entering the 21st century. This report is classified and has a limited release.

IATAC Product Order Form

IMPORTANT NOTE: All products are distributed through the Defense Technical Information Center (DTIC). If you are NOT a registered DTIC user, you must register before ordering any products. To register with DTIC go to [URL illegible].

Name / Organization / Ofc. Symbol / Address / Phone / E-mail / Fax
Organization: YES / NO (If NO, complete LIMITED section below)

LIMITED DISTRIBUTION (QTY / PRICE EA / EXTD PRICE)
In order for NON-DOD organizations to obtain LIMITED DISTRIBUTION products, a formal written request must be sent to: IAC Program Office, ATTN: Sherry Davis, 8725 John Kingman Road, Suite 0944, Ft. Belvoir, VA 22060-6218. Contract No.: For contractors to obtain reports, the request must support a program & be verified with the COTR. COTR: / COTR Phone:
[ ] Modeling & Simulation Technical Report: No Cost
[ ] IA Tools Report: Firewalls: No Cost
[ ] IA Tools Report: Intrusion Detection: No Cost
[ ] IA Tools Report: Vulnerability Analysis: No Cost
[ ] Malicious Code Detection SOAR (TOP SECRET / SECRET): No Cost. Security POC: / Security Phone:

UNLIMITED DISTRIBUTION (QTY / PRICE EA / EXTD PRICE)
[ ] Newsletters (limited number of back issues available): Vol 1 No 1, Vol 1 No 2, Vol 1 No 3, Vol 2 No 1, Vol 2 No 2, Vol 2 No 3: No Cost
ORDER TOTAL:
Please list the Government [...] that the product(s) will be used to support. Once completed, fax to IATAC at 703 902-3425.

Calendar of Events

[Dates and event name illegible], San Diego, CA: Features in-depth courses taught by SANS faculty; call 301 951-0102.

Southeast Command, Control, Communications, Computers, Intelligence Conference and Exposition, Tampa, FL: Sponsored by the AFCEA Tampa-St. Petersburg Chapter; call J. Spargo & Associates, Inc., 703 631-6200, www.jspargo.com/events.htm.

Fourth Warfighter Information Assurance Symposium, Kossiakoff Center, Johns Hopkins University, Laurel, MD: Sponsored by the National Security Agency Information Systems Security Organization; call 410 850-7156, warfighter@mcneiltechmd.com.

[Dates illegible] InfoSec World Open Systems Security '99 and Annual Conference, Orlando, FL: Topics include intrusion detection, single sign on, smart card security and hacker tools and trends.

Association of Old Crows (AOC) '99, San Antonio, TX: Sponsored by the Billy Mitchell Chapter, AOC, and cosponsored by the AFCEA Alamo Chapter; call 210 732-7697.

8th International Conference on System Administration, Networking and Security, Baltimore, MD: Covers networking security and intrusion detection; 703 289-5467.

We've moved: Information Assurance Technology Analysis Center, 3190 Fairview Park Drive, Falls Church, VA 22042. Phone 703 289-5454, Fax 703 289-5452.