REPORT DOCUMENTATION PAGE (Form Approved, OMB No. 0704-0188)

1. AGENCY USE ONLY (Leave blank)
2. REPORT DATE: Spring 1999
3. REPORT TYPE AND DATES COVERED: Newsletter, Vol. 2, No. 4
4. TITLE AND SUBTITLE: IA Newsletter: The Newsletter for Information Assurance Technology Professionals
5. FUNDING NUMBERS:
6. AUTHOR(S): Information Assurance Technology Analysis Center
7. PERFORMING ORGANIZATION NAME AND ADDRESS: IATAC, Information Assurance Technology Analysis Center, 3190 Fairview Park Drive, Falls Church, VA 22042
8. PERFORMING ORGANIZATION REPORT NUMBER:
9. SPONSORING / MONITORING AGENCY NAME AND ADDRESS: Defense Technical Information Center, 8725 John J. Kingman Rd., Suite 944, Ft. Belvoir, VA 22060
10. SPONSORING / MONITORING AGENCY REPORT NUMBER:
11. SUPPLEMENTARY NOTES:
12a. DISTRIBUTION / AVAILABILITY STATEMENT: Approved for public release; distribution is unlimited.
12b. DISTRIBUTION CODE: A
13. ABSTRACT (Maximum 200 Words): IA Newsletter is published quarterly by the Information Assurance Technology Analysis Center (IATAC). IATAC is a sponsored Information Analysis Center, administratively managed by the Defense Technical Information Center (DTIC), Defense Information Systems Agency (DISA). Featured in the issue:
   Service, 5th Signal Command: Moving Sensitive U.S. Electrons Around in a Coalition Environment Without Spilling Any
   OASD: Information Assurance Red Teaming
   DISA CERT: Meeting the Melissa Virus Head On
   OSD/Joint Staff: Information Assurance: The Achilles' Heel of Joint Vision 2010
   Systems Command, HQ CECOM: I2WD's Role in Securing the Digitized Force
   Computer Crime Scene: Recommended Steps
   Perspective, U.S. Army Research Lab: Using Operations Security Methods to Protect Information Systems
   Industry, Miros Inc.: Face Recognition Technology: The Key to a More Secure Future
14. SUBJECT TERMS: Information Security, Virus, Operations Security, Information Assurance, Red Teaming, Melissa
15. NUMBER OF PAGES: 2 3
16. PRICE CODE:
17. SECURITY CLASSIFICATION OF REPORT: UNCLASSIFIED
18. SECURITY CLASSIFICATION OF THIS PAGE: UNCLASSIFIED
19. SECURITY CLASSIFICATION OF ABSTRACT: UNCLASSIFIED
20. LIMITATION OF ABSTRACT: None

IA Red Teaming / The Melissa Virus / IA JV 2010

Contents

Service: 5th Signal Command
   Moving Sensitive U.S. Electrons Around in a Coalition Environment Without Spilling Any
Information Assurance Red Teaming
DISA DOD CERT
   Meeting the Melissa Virus Head On
OSD/Joint Staff J6K
   Information Assurance: The Achilles' Heel of Joint Vision 2010
Systems Command: HQ CECOM
   I2WD's Role in Securing the Digitized Force
Computer Crime Scene: Recommended Steps
Perspective: U.S. Army Research Lab
   Using Operations Security Methods to Protect DOD Information Systems
Industry: Miros Inc.
   Face Recognition Technology: The Key to a More Secure Future
Public STINET Enhanced
Academia: JMU
   Internet-Based Information Security Master's Program to Start in August
Chat
Subscription Accounts & Technical Area Tasks
IATAC Reports Released, Order Form
Calendar of Events

IAnewsletter, No. 4

Editors: Robert P. Thompson, Robert J. Lamb
Creative Director: Christina P. McNemar
Graphic Artist: Ahnie Senft
Information Processing: Robert Weinhold
Information Collection: Alethia A. Tucker
Inquiry Services: Peggy O'Connor
Contributing Editor: Martha Elim

IAnewsletter is published quarterly by the Information Assurance
Technology Analysis Center (IATAC). IATAC is a sponsored Information Analysis Center, administratively managed by the Defense Technical Information Center, Defense Information Systems Agency (DISA).

Inquiries about capabilities, products, and services may be addressed to:
Robert P. Thompson, Director, (703) 289-5454

We welcome your input! To submit your related articles, photos, notices, feature programs, or ideas for future issues, please contact:
ATTN: Christina McNemar
3190 Fairview Park Drive
Falls Church, VA 22042
Phone: (703) 289-5454
Fax: (703) 289-5467, (703) 289-5462
E-mail: iatac@dtic.mil
URL:

Cover and newsletter design by Christina P. McNemar

Moving Sensitive U.S. Electrons Around in a Coalition Environment Without Spilling Any

As I was finishing this article, I had the opportunity to visit with my Hungarian counterparts at the North Atlantic Treaty Organization (NATO) Partnership for Peace Interoperability Exercise Combined Endeavor 99. What an eye-opener this was. As the United States mulls over how to deal safely with our constantly recurring Commander, Joint Task Force (CJTF) responsibilities within a largely U.S. context, our future partners are busy looking for truly multinational solutions. In my opinion, we should be moving faster in that direction ourselves. Because as a superpower we have traditionally taken on the lion's share of these efforts, we have understandably focused on U.S. solutions to the problems we face. Combined Endeavor has been the forum for what will eventually yield an explosion of data sharing among nations such as Albania, Estonia, and the former Yugoslav Republic of Macedonia, and with new and old NATO members. I believe we need to take its lessons to heart. This effort is still in its infancy, but clearly, to paraphrase an Estonian sergeant who spoke to me, the future success of the alliance will ride on a backbone of fiber-optic cable carrying command and control (C2) in the form of e-mail and in file transfers among all the participants.

This article lays out one officer's observations
and views on U.S. data sharing with our current and future coalition partners. Although our own budgets, military, and experience are larger than our partners', in this one respect the playing field is level. All nations have to find a way to balance national security concerns with any military coalition's needs to share information.

Colonel Dennis Treece, USA
5th Signal Command, U.S. Army Signal Command

It's a Security Thing, Not a Hospitality Thing

Pressure to make data sharing work comes from our seniors, who expect to succeed in their missions and likewise expect every asset at their disposal to support that success. Usually we can, but in the area of sharing classified and sensitive information with other nations, we bump into some pesky U.S. statutes and high-level Government policies. Not being precisely versed in these statutes, commanders and staff officers expect the comms or intel guys to get a waiver or something so our coalition partners can be fully integrated into the U.S. war room or operations center. In my experience, most commanders see this as an operational question: "Do we believe in our partnership or don't we?" and "If we do, then let's get the information out on the table so we can win this thing and go home."

My own opinion is that our seniors simply feel that it's a hospitality thing. It's just too socially awkward to tell that foreign counterpart he or she has to leave the room so we can discuss U.S. secrets. Americans, culturally and emotionally, simply find it hard to believe we would invite foreign nations to share the sting of battle without sharing everything else. I heard it expressed best one day by one of our generals: "We're an immigrant culture, and we assimilate others well. We're just pleased as punch when somebody comes to our house for supper, and we get out our best dishes to make them feel welcome." True. However, we can't set the table with fiber-optic connections to classified defense information as readily as we can set out the silverware and napkins.
That's because it boils down to a security thing, not a hospitality thing.

In our present "make it happen" environment, staffs are often indirectly pressured to do the wrong thing and hope for the best. In the coalition connectivity business, this approach eventually comes back to haunt us. To save everybody the headache and legal trouble associated with improperly transferring U.S. information to foreigners, we need to get two simple thoughts through everybody's head:

• You can't terminate U.S.-only classified information in a coalition office or space.
• You can't connect U.S. classified networks to U.S. unclassified networks.

Easy, at least in concept. The best approach is, from day 1, to establish a U.S. National Information Center (USNIC) as a separate entity from the coalition headquarters. USNIC will be the U.S. ops and intel hub. Don't make the common mistake of establishing a U.S. headquarters with coalition members inside. Start international and stay that way for the coalition headquarters. Sure, some pain comes from having to remote some of the ops and intel tools you like to have close at hand. But this is an acceptable cost of doing business and becomes less painful once you get used to it.

We were successful in Riyadh with a Coalition Coordination Center nestled in the midst of the U.S. ops and intel centers. This was a physically separate space, but near where the U.S. information was coming in and being processed. As the Counterintelligence Chief for U.S. Central Command, I handled foreign disclosure for the and while it was complex at first, we figured out a way to make disclosure happen, and it quickly became routine. Our procedure gave meaning to the coalition and preserved U.S. information integrity. To my personal knowledge, this approach has also been successful with the
Egyptians during Bright Star (Friendly Forces Coordination Center, or F2C2) and is now used every day in both Sarajevo and Tuzla, Bosnia-Herzegovina. Many nations who are part of the United Nations (UN)-sanctioned NATO operations in the Balkans have in fact established their own national information centers to handle their national information, submit their national reports, and deal with national administrative matters that naturally arise in the course of daily operations. It just makes good sense.

Information Sharing 101

First, the security guys must articulate what types of information can be shared and with what nations. The rules are complex and not for the information management (IM) guys to guess at. Every commander in chief (CINC) has a foreign disclosure shop in the J2 Directorate, and they publish matrices to facilitate these transfers from the U.S. joint task force (JTF) to the coalition. In the Balkans there are numerous groups, not a single coalition, and they have their own distribution schemes. The largest consumer base is NATO, which is easy to deal with because the United States has been a member since the beginning and we have well-established Rel guidelines. Some European nations like Russia, Sweden, and Finland, and a host of other national and multinational entities involved in the Balkans, don't belong to NATO and yet have missions in the region. Finding a common denominator for information sharing among them is challenging but not impossible.

The really hard part, the Achilles' heel of coalition information sharing, is the mechanism by which any nation transfers information outside its own system. Success requires clear policy on what can be shared, clear procedures, and a well-disciplined workforce that sticks to the rules. What follows are the methods I've seen work well and some of the pitfalls associated with the process.

First, make sure the material is needed by the coalition, is legally releasable, and is in a releasable format: national markings are removed and the information is clearly marked as releasable to the coalition. Once that's done, it's always a good idea to have a second person review the material before release. When I commanded the U.S. Army Europe (USAREUR) Echelon Above Corps Intelligence Center, then called the UCIRF, our standard was to have the major on the floor also review the material before actually making a transfer. In this business, two sets of eyes are definitely better than one, although admittedly this step adds to the time the whole procedure takes.

Second, drop the material onto a disk and air gap it via sneaker net from one network to another. Scan the disk for viruses and upload accordingly. Sounds easy, but the first time you try to download a moderately sized PowerPoint briefing and find it's too big for the 1.44 megabyte (Mb) floppy disk, you will go to your system administrator for a solution. Unless you thought ahead, you probably didn't include any robust zip drives in the deployment kit, so what do you do? First, of course, you should immediately order the zip drives necessary to make this method work. Having the zip drives not only facilitates the sneaker net but also enables you to make frequent backups that will help preserve your data in case you have to restore a network following a power surge or outage, enemy action, etc.

One of the common nightmares in the data transfer business is an information systems professional being hounded by staff officers under pressure to get the briefing onto the coalition network right now. When it's too big for the floppy, the standard (and illegal) solution is to make a direct serial port connection between the Secret Internet Protocol Router Network (SIPRNET) client and the N-Level (unclassified but sensitive) Internet Protocol Router Network (NIPRNET) client so you can transfer the file. Then, of course, another file is transferred, and another, and pretty soon this connection is seen as normal. Not good. The clear message
here is that every organization needs a large-capacity removable memory device. Our PX sells good ones in the 1 gigabyte (Gb) range for less than $200, easily within a unit's supply budget.

That was the bad news. The good news? There's light at the end of this tunnel. The way ahead is being forged today in the Balkans. An outstanding example of Yankee ingenuity can be found in Multinational Division North, where they have created a coalition wide area network at the coalition Secret level. This network makes information available to the Russians as well as the Swedes and the Americans and the Brits, etc. This arrangement also takes pressure off the United States to get some sort of automation onto the desktops of key coalition commanders and their staffs. The coalition network is not connected in any way with U.S. classified or unclassified networks, or with the NATO networks either. Only 2 months old at this writing, it appears to be working very well.

Additional good news is that NATO has made great strides in its CRONOS (SIPRNET-equivalent) network that runs at the NATO Secret level. From what I've observed, CRONOS e-mail is the clear C2 tool of choice for NATO, which greatly eases the burdens on the United States network to provide the multinational C2 computer network and try to do it legally. This network also solves the problem of having common classified equipment on everyone's desktop, at least within NATO. CRONOS runs the Microsoft Office Suite that everyone seems to be familiar with, and if the pipe is big enough, there's not much you can't send over this system. There is, of course, no connectivity between CRONOS and any U.S. network or with the coalition wide area network. Air gap works both ways, as long as the information is authorized for release in the direction you take it. The only problem to sort out here is getting approval for a CRONOS circuit and then laying it in: less than easy or quick at this point, but it will get better as the staffs on the national and
NATO sides get accustomed to taking these actions.

Way Ahead

Coalition data sharing can be successful without jeopardizing either the success of the coalition mission or our national security, but to make the process less painful, we need several things. If we've learned anything from military events since the Wall came down, it's that we don't fight much any more either single-service or single-nation. We've got to make combined joint planning a given in the data sharing and network building arena. So first, we need to educate our ops planners about what the coalition information infrastructure architecture looks like and how it drives the way the facilities are laid out. The clearer this connection is in the minds of the planners, the clearer it will be in the minds of our commanders and the less painful it will be to implement. When seen as a function of both security and improved efficiency, separate U.S. and coalition enclaves will be more readily acceptable to our commanders. They need this clear understanding and buy-in to avoid awkward moments in the operations center. If the center was built as a coalition facility, everyone stays in the room when all briefings are given, and the battle remains uninterrupted. There are no awkward moments when the non-U.S. personnel are asked to leave because U.S.-only information is to be shown. U.S. commanders and staff, of course, attend their separate U.S.-only ops/intel briefs at set times.

(continued)

Information Assurance Red Teaming

Gary Guissanie
Infrastructure and Information Assurance

Two recent publications offer guidance on applying red teaming to test operational readiness. Red teaming responds to the need identified by the Defense-wide Information Assurance Program to use an effective process for routinely assessing the operational readiness of the Department's information systems and networks. As independent assessments, red team activities bring an impartial perspective to bear on information
assurance (IA) vulnerabilities that could be exploited by an adversary.

Many Department of Defense (DOD) organizations have embraced the concept of red teaming and taken steps to include related activities in their security assessments. Red team methodology has not been standardized across the Department, however. One organization may have a totally different understanding of the term than another. Consequently, it is difficult to measure Department readiness or have confidence in its ability to deter an adversary from exploiting vulnerabilities.

To address this need, the Office of the Assistant Secretary of Defense for Command, Control, Communications, and Intelligence tasked The MITRE Corporation to develop an IA red team methodology. The company met with various red team organizations to capture best practices and lessons learned, and the methodology developed resulted from a collaborative effort involving many red team organizations within the IA community.

The two recent publications document the methodology for designing, developing, assembling, and conducting red team activities. The first, Defense Information Assurance Red Team Methodology, emphasizes DoD needs. The second, Information Assurance Red Team Handbook, applies to users throughout the Government. By publicizing a well-defined, repeatable process that captures the insights and expertise of Government and industry red team specialists, seeks to ensure that all red team activities have a consistent purpose, a common structure, and meaningful and comparable results.

IA red team activities are not limited to computer network attacks. The DIAP defines them as "an independent and threat-based effort by an interdisciplinary, simulated opposing force which, after proper safeguards are established, uses both active and passive capabilities on a formal, time-bounded tasking to expose and exploit IA vulnerabilities of friendly forces as a means to improve the readiness of DOD Components." By
this definition, IA red team activities may employ physical measures, social engineering, operational security, and other resources to mount various types of attacks. Although red teams are essentially exploitative, they can adopt a wide range of approaches, from covert no-notice events to overt training, for example, and their scope can vary dramatically, from small-scale applications such as embedded system testing to DOD-wide operations.

Accordingly, the publication addresses the broad spectrum of attack types and intended operational impacts. The methodology presented accommodates both narrowly focused attacks and those that encompass the full IA spectrum, including physical, cal, and automated data processing attacks. The range of intended targets spans both limited-scope, single-function activities and broad-ranging operations that influence worldwide U.S. military operations. The methodology is designed with enough flexibility to accommodate limited-impact attacks, such as notional attacks, and

(continued on page 8)

Meeting the Melissa Virus Head On

Early Friday evening, March 26, 1999, the hotline at the Defense Information Systems Agency's (DISA) Department of Defense Computer Emergency Response Team (DOD CERT), formerly known as the ASSIST, received an unprecedented number of telephone calls from anxious customers, ranging from local units in the Washington, DC, area to system administrators in Asia. During the first half hour of the incident, DOD CERT, which is a component and the technical arm of the Joint Task Force-Computer Network Defense (JTF-CND) (IA Newsletter, Winter 98/99), received conflicting reports. Comments varied from "Oh my gosh, I've been hacked!" to "Don't know what is going on with my system, but it's running, help me!" After quickly sorting through available facts, DOD CERT personnel realized they were confronting the so-called Melissa virus. They took initial steps to stop the virus spread, inform DOD intrusion detection
and virus experts, and eradicate the virus as quickly as possible.

Captain Freddie R. Rosas, USAF
Chief, Computer Emergency Response Team Daily Operations

DOD CERT matured its understanding of the virus by communicating with the Computer Emergency Response Team Coordination Center at Carnegie Mellon and developing a detailed analysis of the virus' underlying Visual Basic application code. Information from the excellent collaboration among the service CERTs, Forum of Incident Response Support Team (FIRST) members around the world, and open source data collection led the DOD CERT to recognize that the virus was affecting the entire country, not just DOD. With this knowledge, the DOD CERT quickly took the following actions:

• Sent an initial alert to the Commanders in Chief (CINC), services, agencies, DISA Regional CERTs, and other appropriate DOD organizations about the virus through telephone calls and written messages.
• Coordinated actions and technical recommendations with the service and DISA Regional CERTs and the antivirus software vendors. Although DOD organizations initially differed in their grasp of the problem, they quickly developed a common comprehension.
• Collected information from open sources.
• Provided Melissa virus and antivirus software information on the DOD CERT Nonclassified Internet Protocol Router Network (NIPRNET) and Secret Internet Protocol Router Network (SIPRNET) Web sites, directed users to the sites, and continued to update this information throughout the weekend and the following week. By early Saturday morning, the four military service components also had virus information on their Web sites.
• Delivered 24-hour technical support throughout the weekend, answering numerous telephone calls, e-mails, and faxes.

[Cartoon: Used by artist permission. As first seen in Federal Computer]

Saturday afternoon EST,
after initial advisories and phone calls, the sent an official immediate AUTODIN message to its four military service components, including the service and other DOD organizations, to inform them about the widespread virus and direct them to take the appropriate actions to inform their employees and stop the virus. This step was essential to protect the Department from a communication denial of service.

DOD users eagerly sought the information. In fact, the number of hits to the DOD CERT Web sites at cert.mil (NIPRNET and SIPRNET) was 300 percent greater than the number generated by its typical vulnerability bulletin release. Customers not only sought information about the virus but also wanted to download the antivirus software signatures that eradicated the Melissa Macro virus permanently. The demand prompted the DOD CERT to reexamine the existing Web server configuration and ensure that it had enough system resources to handle the enormous number of information downloads during this crisis and others.

The Web sites were one of the most effective ways to disseminate timely information on events and countermeasures to such a large community. As a result of this incident, DOD CERT recognized that continuing to educate the Department about its information repositories, like the Web sites, is crucial to ensuring that DOD is prepared to face other computer incidents effectively.

The rapid containment of this virus resulted from three key factors:

• The Department's ability to rapidly blanket DOD with information on the virus through open lines of communication and data sharing
• Rapid response from the antivirus software vendors
• Proactive system administrators

Red Teaming (continued)

fully functional attacks on operational systems.

Both D-IART and the handbook outline the activities associated with the 4 phases of red teaming: preplanning, planning, attack, and postattack. In preplanning, the red team objectives are
determined in relation to the activity's goals. During planning, specific targets, attack mechanisms, and resources are selected, legal review is performed, and permissions are acquired. In the attack phase, the activity is conducted. During postattack, results are accumulated, analyzed, interpreted, and disseminated.

Both publications are available in hard copy and on a CD-ROM that provides a red team tutorial as well as the documents. D-IART is available to DOD and its contractors. The handbook is available to U.S. Government agencies and their contractors. To obtain a copy of either publication, contact the Information Assurance Technology Analysis Center (IATAC) at 703 289-5454 or via e-mail at iatac@dtic.mil.

1. A Management Process for a Defense-wide Information Assurance Program (DIAP), November 15, 1997.

Capt Rosas was most recently the Chief, Daily Operations, Information Assurance Officer at the Defense Information System Agency (DISA) Department of Defense Computer Emergency Response Team (DOD CERT) in Arlington, Virginia. He received his B.S. in Computer Science from McMurry University in May 1995 and his M.S. in Systems Engineering from George Mason University in May 1999. He may be reached at frosasl 169@aol com

Gary Guissanie is a program analyst with the Infrastructure & Information Assurance Directorate. A retired Army Signal Corps officer, he received a B.S. in Physics from the Polytechnic Institute of Brooklyn in 1971, an M.S. in Systems Management from Univ. of So. Calif. in 1975, and attended the School of Information Warfare and Strategy at National Defense University in 1994-95. He may be reached at

Information Assurance: The Achilles' Heel of Joint Vision 2010

Major Bradley K. Ashley, USAF
Joint Staff, J6K, Information Assurance Division

Joint Vision 2010 (JV2010), published in July 1996 by the Chairman of the Joint Chiefs of Staff, identifies four operational concepts: dominant maneuver, precision engagement, full-dimensional engagement, and focused logistics. The linchpin of these operational concepts is information superiority: the capability to collect, process, and disseminate an uninterrupted flow of information while exploiting or denying an adversary's ability to do the same. Without information superiority, JV2010's new concepts become little more than the current operational concepts of maneuver, strike, protection, and logistics.

As such, information assurance (IA), information operations (IO) that protect and defend information and information systems by ensuring their availability, integrity, authentication, confidentiality, and non-repudiation, is critical to the success of the new operational concepts described in JV2010. However, the DOD cyberspace environment has demonstrated it has inherent vulnerabilities that require new thinking and defenses if JV 2010 is to succeed.

DOD Environment

The DOD infrastructure consists of more than 2.1 million computers, 10,000 local area networks, and 1,000 long-distance networks. More than 95 percent of DoD's systems use public communications networks available to the general public. These networks are classified as the global, national, and defense information infrastructures (GII, NII, and DII). Although these names imply independence, they all use an interconnected transport medium linked to public switches that route data between geographically separated systems. This multitude of automated systems allows DOD to command, control, protect, pay, supply, and inform the force. JV 2010 drives efforts to further interconnect these systems and migrate to a network-centric environment. Yet as DOD's dependence on increasingly interconnected information systems grows, so does DoD's vulnerability.

Protecting DOD Systems Is a Daily Battle

All that is required to attack DOD computers today is a home computer, access to the Internet, and a little ingenuity. Unlike the tools of conventional warfare, the tools of this trade require no long-term acquisition, training, and fielding process to mount an attack. As the typical PC has become more powerful and easier to use, so has the sophistication of the weapons that information adversaries have at their disposal. A comparatively low-technology adversary with minimal funding, training, staffing, and defense infrastructure is capable of employing these weapons on short notice from anywhere worldwide. In this cyberspace environment, securing one's information through IA is critical to successful military operations. The IA process ensures that:

• Authorized users have guaranteed access to appropriate friendly information systems (availability).
• Friendly information systems are protected from unauthorized change or tampering (integrity).
• Authorized users are verified (authentication).
• The information within the system is protected from unauthorized disclosure (confidentiality).
• Friendly information systems provide an undeniable record of proof of user participation and transactions (non-repudiation).

Any information system or process that lacks these IA components is vulnerable to adversary disruption or exploitation.

Joint Vision 2010: Only As Strong As Its Weakest Link

To test DOD planning and crisis action capabilities when faced with attacks on DOD information infrastructures, a no-notice Joint Staff Exercise, ELIGIBLE RECEIVER (ER), was held June 9-13, 1997. This exercise involved DOD, Joint Staff, the Services, USACOM, USPACOM, USSPACECOM, USSOCOM, USTRANSCOM, NSA, DISA, NSC, DIA, CIA, FBI, NRO, and the Departments of State, Justice, and Transportation.

Key observations of the exercise included:

• Poor informational/operational security practices contributed to DOD vulnerabilities.
• Attribution of attacks (determining who and why) is very difficult.
• DOD has little capability to detect or assess cyber attacks.
• Detection, reporting, and response processes are unresponsive to the speed of cyber attacks.

ER '97 demonstrated in a real-world exercise that DOD is not properly organized for detecting, reporting, and responding to IO attacks in a timely manner. A case
that recently underscored the findings of ER '97 was SOLAR SUNRISE.

Real-World Example: SOLAR SUNRISE

SOLAR SUNRISE was a series of DOD computer network attacks that occurred from 1 to 26 February 1998. The attack pattern was indicative of preparation for a follow-on attack on the DII. At least 11 attacks on Air Force, Navy, and Marine Corps computers worldwide followed the same profile. Attacks were widespread and appeared to be from sites such as Israel, the United Arab Emirates (UAE), France, Taiwan, and Germany. Furthermore, the attacks occurred when the United States was preparing for potential military action against Iraq in response to UN weapons inspection disputes and could have been aimed at disrupting deployments and operations.

In the end, the attackers turned out to be two teenagers from California and one teenager from Israel, not Iraq, terrorists, foreign intelligence services, nation states, or hackers for hire. Although the attacks did not cause any serious damage to DOD systems, they could have severely affected DOD during heightened tensions with Iraq. SOLAR SUNRISE reconfirmed the vulnerabilities of DOD computer networks and the need to make some changes in its approach to IA. As Dr. John J. Hamre, Deputy Secretary of Defense, said, this should serve as a serious wake-up call. If high-school teenagers can infiltrate DOD systems with ease, imagine the damage that could be done to U.S. security by skilled professionals or potential adversaries in future asymmetric conflicts.

Making a Viable Concept

In 1996, for the third consecutive year, the Defense Science Board (DSB) concluded that a need exists for extraordinary action to deal with the present and emerging challenges of defending against possible information attacks. Accordingly, the DSB recommended more than 50 actions designed to better prepare DOD for this new form of warfare.

Of the 13 major DSB recommendations, the author of this article believes five are essential to maintaining the
integrity of DOD systems and providing an appropriate environment for executing Joint Vision 2010:

- Designate an accountable IO focal point. The Secretary of Defense must have a single focal point charged with providing leadership of the complex activities and interrelationships that are involved in this new warfare area.
- Organize for IO-Defense (IO-D). Specific capabilities and organizations must provide or support the capabilities.
- Increase awareness. Senior-level government and industry leaders must be more aware of the vulnerabilities and implications.
- Staff for success. A cadre of high quality, trained professionals with recognized career paths is essential for defending present and future information systems.
- Provide the resources. DSB estimated achieving its 13 imperatives would cost approximately $3.1 billion over fiscal years 1997 through 2001.

The services, in efforts to defend their systems and processes against adversarial action, are fielding a wide variety of Intrusion Detection Systems (IDS), unilaterally setting detection features and reporting differently. The Army has developed a three-phased Network Security Improvement Program (NSIP) to implement the recommendations. The Air Force and Navy are developing their own plans in the absence of a single agency consolidating service efforts. However, these parochial efforts conducted along service-specific lines are not consistent with the JV 2010

The warfighter must rely on the timeliness, accuracy, and integrity of information to make effective decisions. Modern weapon systems are highly automated and execute mission functions based on information provided by a variety of sources. Automation is used in almost every operation, from controlling weapon system fire to providing medical attention. Command and control (C2) systems of the modern battlefield rely heavily on current automation products enabling collaborative activities among dispersed
forces, electronic mail for the transmission of data across echelons and out-of-theater, and telecommunication technologies developing the seamless interface between the foxhole and the high command. Any disruption of this battlefield information used by commanders in future engagements will provide new targets of opportunity for foreign attack.

Developers of systems interfacing to the digitized C2 environment must provide information assurance (IA) tools to meet the expected information warfare (IW) threat. The Army's Communication and Electronic Command's Intelligence and Information Warfare Directorate (I2WD) provides data analysis and testing to support system hardening for the future IW environment. The objectives are to not only identify command, control, communication, computers, and intelligence (C4I) network and host-based vulnerabilities but also work with the appropriate material developers to resolve problem areas.

I2WD is supporting the development of IA products for the tactical environment. Two efforts being executed in 1999 are the Command and Control Protection Advanced Technology Demonstration (ATD) and the supporting tactical security architecture development.

In the first effort, the Command and Control Protection ATD is a research and development (R&D) effort focused on the application of IA to the Tactical Internet. The Tactical Internet is the C2 system being used at brigade and below for transmission of C2 data, situation awareness, and voice. The Tactical Internet uses protocols similar to commercial telecommunication systems. I2WD is conducting information assessments of the Tactical Internet. Evaluations include analysis of the disruption of radio frequency (RF) data transmission and computer network vulnerability. The analysis has been executed in both laboratory and field tests, evaluating the IA state of the current network and performance of R&D IA tools.

In the second effort, I2WD is supporting the development of the
security architecture for division level C2 systems. These systems are integrated in a similar manner to conventional wide area network (WAN) architectures. The architecture relies heavily on the commercial marketplace for network components and security features. These systems have incorporated security into the design and have integrated IA tools as part of the configuration. I2WD will be responsible for stress testing system components. The stress test will evaluate the adequacy of the tools for the tactical environment and the operator interaction required. The 1999 effort is part of an ongoing process to evaluate the security of digitized C2 architecture.

I2WD supports these projects by using recently developed capabilities in computer network analysis and leveraging traditional signals collection and electronic warfare. The technologies have kept pace with the maturing telecommunications industry. I2WD collaborates with other outside agencies, which provide information regarding operational environments and applicable emerging technologies. I2WD's past experience and knowledge of the environment enable the execution of vulnerability analysis based on realistic IW environments. The results will alert material developers to any security risks associated with their systems and will provide a basis for corrective action.

Vincent Simpson, HQ CECOM

Vincent Simpson holds a master's degree in electrical engineering and is a branch chief at the Communication Electronics Command Intelligence and Information Warfare Directorate, located at Ft. Monmouth. His current focus area is performing telecommunication systems vulnerability assessments.

DESIGNATE AN EVIDENCE CUSTODIAN
One person should be in charge of all evidence recovered at this stage. This person will be responsible for the information's security and for documenting who recovered it, when, and where it was recovered. This person will maintain the chain-of-custody and will receive the evidence you have gathered and the documentation associated with your initial efforts after discovering the incident. This same person will be a point of contact for law enforcement officials.

BEGIN RECORDING COSTS NECESSARY TO RECOVER FROM THE INCIDENT
In criminal prosecutions, the value of your effort, as well as direct costs for restoring the system, may be admissible during the penalty phase of a trial. Loss is more than just loss of equipment and software. You should place appropriate value on information that may have been stolen, lost, or damaged; productive time lost on the system; costs of alternate systems necessary for day-to-day operations while the investigation is proceeding; etc.

MAKE BACKUPS, PRINT LOG FILES
This is the beginning of your evidence collection efforts within your compromised system. The best evidence will be an image of the system; if this is impractical, make a logical copy. Do not copy the backup or the log files onto the compromised system. The investigator will also need the most recent routine backup.

Keep track of everything you do. This will not only assist the investigator but may be crucial for the prosecutor during the trial. The general rule is: if you didn't record it, it didn't happen.

THEORIZE
The administrator and the team assembled know more about the system, such as:
- Your theory on how the intruder got in
- Attacks on the system in the past, both successful and unsuccessful
- Unusual patterns of activity on the system
- General system vulnerabilities

Using Operations Security Methods to Protect Information Systems

As the Department of Defense (DOD) increases its reliance on commercial off-the-shelf products and connections to public networks, there is a heightened need for safeguarding DOD information. Enemies who learn essential elements of friendly information (EEFI) about DOD systems may use this knowledge to further their economic, military, political, or strategic objectives. Ensuring the
integrity of these systems requires a comprehensive approach that incorporates Defensive-Information Warfare, Information Assurance (IA), and Operations Security (OPSEC). This article focuses on the ways OPSEC, a component of IW-D and IA, can prevent enemy EEFI collection.

Key EEFI data for information systems include:
- Individual system characteristics and services
- Network characteristics and services
- Susceptibilities of systems and networks to exploitation
- Vulnerabilities of systems and networks that guarantee a successful attack
- Personal information on system administrators, network managers, and individual users

Access to such information assists intruders in learning a great deal about individual systems or networks before perpetrating their attacks.

Chris McDonald, US Army Research Laboratory

Collectively, EEFI can be leveraged by intruders to readily identify the tools to use in exploiting system weaknesses. To grasp how easy it may be for attackers to compromise a system's integrity, consider the following scenario. By default, information systems out-of-the-box turn on all types of services, such as the mail application program SendMail, written by Eric Allman. Although a particular operating element may not require this service for completing its mission, certain computer manufacturers automatically include SendMail in their initial startup script for booting their systems. An inexperienced system administrator may fail to check which services are running and be completely unaware that SendMail has been installed. Enemies, meanwhile, may launch probes or port scans to determine what network services exist. Once these enemies learn SendMail is running, they can use numerous attack and exploitation scripts available in the public domain to interrogate SendMail. Consequently, the information system with SendMail is vulnerable to successful penetration even though neither the administrator nor any user has consciously done
anything wrong.

How OPSEC Protects EEFI

An effective OPSEC program includes regular reviews of DOD systems by informed reviewers who possess the technical knowledge to detect breaches in security. Such a program receives both managerial and technical emphasis to ensure reviews are effectively conducted. One OPSEC countermeasure, elimination of unnecessary services, would have prevented the scenario depicted above from occurring. Other OPSEC countermeasures are highlighted as follows.

Implement External Blocking at the System Level

Some operating systems lack any built-in monitoring or blocking features. For these systems, third-party solutions may or may not be available. However, one possible software solution for UNIX operating systems could be to install TCP_wrappers, written by Wietse Venema, which can monitor and block incoming requests for network services such as systat, finger, ftp, telnet, rlogin, rsh, exec, tftp, and talk. System administrators can configure wrapper programs to support access control for an individual system, service, or both. System administrators can also activate auditing to capture unsuccessful attempts to access wrapped services.

External Blocking at the Individual Router, Gateway, or Firewall Level

As stated, no assurance exists that a system will have the built-in capability to block and monitor services. There is also no guarantee individual system administrators, even if technically competent, will install a program such as TCP_wrappers correctly. As such, this countermeasure, which in the simplest implementation might be a packet-filtering CISCO router, can block exterior access to potentially vulnerable services through an Access Control List (ACL). A more sophisticated implementation might involve a bastion-host firewall with proxy services and detailed audit mechanisms to record both successful and unsuccessful connections. The countermeasure can ensure uniform application of an organization's access control policies because all information
systems behind the blocking point are subject to the identical ACL and cannot avoid this filtering control.

Establish Comprehensive Approach to Password Protection

With the availability of password cracking or guessing programs, previous countermeasures that emphasized difficult-to-guess passwords based on composition and length are no longer effective. Today the following password protection countermeasures should be enforced:

- Protect all reusable passwords in transmission. Reusable passwords remain the DoD's primary authentication mechanism. Users who connect remotely via a network from one system to another are subject to sniffing of their password or having their transmission intercepted. To prevent this either through hardware, software, or both should be used.
- Adopt one-time passwords in a software implementation. Programs such as One Password in Everything (OPIE) and S/Key provide this protection.
- Use smartcard, token-based, or biometric authentication hardware. These devices have matured to the point where they are attractive options. No longer should these devices be considered high-tech, high-cost items. Integration of such technologies into an overall OPSEC program is advisable. Such hardware is extremely reliable for identifying and authenticating individuals for access to information systems. Unlike the conventional password, smartcards and biometric devices such as retinal scanners, hand geometry readers, and voice analyzers present robust defenses against attack.
- Limit the number of incorrect password attempts allowed and maintain an audit record of all attempts. The strength of password-guessing programs such as Crack demonstrates the absolute necessity for restricting access to files and ensuring strong cryptography of files. Limiting incorrect attempts delays specific types of attacks. Meanwhile, an audit record highlights potential attacks and indicates where an authorized user is having a problem in
establishing a legitimate connection. This countermeasure helps administrators deny EEFI to an enemy and, depending on the sophistication of the record, may assist in obtaining EEFI on the attacker (network address).

A comprehensive plan must exist for the protection, trash collection, and final destruction of any material that addresses key elements of an organization, including removable and nonremovable media arriving at property disposal. This plan should include policy that enforces the need-to-know principle and addresses responsibilities and procedures associated with disposing of hardware and software.

Electronic mail (email) provides ample EEFI collection opportunities with a low risk of detection. The address of senders may be spoofed, and even if the address is not spoofed, the sender's intent for soliciting information may be suspect. An aggressive education program should:

- Alert users to the risks of e-mail collection
- Provide policy and training on specific actions to take should an email request EEFI
- Ensure consistent e-mail account naming policies and procedures are used
- Offer on-line user friendly procedures to determine correct e-mail addresses

Establish Written Policy for Creating Web Sites

The World Wide Web is the easiest, most lucrative source of collection for an enemy. Many Web sites appear overnight in response to managerial direction to immediately establish a site, creating challenges for applying consistent OPSEC controls.

Reasonable written policy should exist on the approval, establishment, purpose, registration, and security testing of all Web servers, including realistic written policy on the review of all information before its release on a Web server. Specific countermeasures for limiting EEFI compromises via the Web include:

- Activate audit records on the Web server. Written proof that certain addresses have visited the site,
viewed specific information, and perhaps downloaded material provides essential information for detecting suspect behavior. Such records also may justify the cost associated with creating and maintaining the site by proving the site is actively visited. For a Web site that has imposed restrictions, such as access control lists, password authentication, and token-based authentication, or one that uses for all or certain connections, an audit record indicates activity that violates such controls. This information, along with records from a site's router, gateway, or firewall platforms, provides system administrators a valuable overview of Web site activities.
- Enforce continuous programs to identify rogue or unauthorized servers. Periodically scanning one's networks to identify servers for which no official authorization exists is advisable. If someone has violated written policies regarding the establishment of a Web site, then an active and an effective program must exist to identify violators.
- Implement access control lists at the router, gateway, or firewall level. System administrators can limit all incoming Web server connections to specific network addresses of approved Web sites. Administrators may limit these connections at the router, gateway, or firewall level. Thus, even if an unauthorized site appears within the network, administrators may be able to deny outside connections. By establishing a policy that determines Web services must run on specific ports, typically ports 80, 443 for secure Web connections, and 8080, this blocking can be applied.

Enemies have both the motivation and the sophisticated technologies to exploit information systems, which are appealing targets given their wide distribution and diversity. In combination with IW-D and IA, however, the OPSEC countermeasures described in this article can help deter EEFI collection, thereby protecting systems.

Chris McDonald is with the US Army Research Laboratory Survivability
Lethality Analysis Directorate, White Sands Missile Range, NM. He is a Certified Information Systems Security Professional (CISSP) and a member of ACM, CSI, ICSA, and ISSA. He may be reached at mil

Joint Vision (continued)

sophisticated network-centric environment must appoint an IO integrator for all the services to ensure synergy is achieved, redundant parallel efforts are eliminated, and suboptimization is detected; otherwise, efficiencies will not be realized and risks accepted by one will be shared by all. DOD must act now to make IA a top priority and protect the security of its future. It needs more trained personnel on DOD response teams, a quick detect-report-response capability, and additional automated intrusion detection capabilities. This can only be accomplished by increasing training, budgeting for success, aggressively fixing our known vulnerabilities, and improving detect-report-respond processes.

Major Ashley is the Senior Information Operations (IO) Policy & Doctrine Officer, Joint Staff J6K. He is the lead joint staff officer for IA policy and doctrine, IO education, training, awareness, Joint and CINC IO exercises. Major Ashley may be reached at ashleybk@js.pentagon.mil.

Face Recognition

Administrators and security personnel have followed trends and deployed, with varying degrees of success, tools such as closed circuit television cameras, firewalls, and virus protection software. Although these tools have proven somewhat effective, they have not solved the issue of user authentication. In the past, corporate information security has consisted of passwords, personal identification number (PIN), or tokens to protect networks and desktops. In many places, passwords are considered the only barrier between a hacker and privileged, proprietary, and networked information. Unfortunately, passwords can either be so easy that a hacker can guess them or so difficult that they are burdensome. Tokens can be forgotten, lost, or stolen.
People often keep their cards at their desks or accidentally leave them behind at the terminal, where anyone can take them. With internal and external security on the rise, many corporations are seeking a solution that does not involve cards, PINs, or passwords.

Up until now, there has not been a secure yet convenient mechanism with which to identify users and verify their access to restricted information. With the advent of biometric solutions, face recognition has proven to be an effective, user-friendly system.

Face recognition may be the most consumer-accepted method in existence. It is one of the few biometrics that does not require expensive additional hardware. By far the easiest and most intuitive technology to use, it is simply as easy as having your picture taken. The growth of videoconferencing has propagated the use of inexpensive video cameras. A growing percentage of corporations have already attached the cameras to their users' personal computers. These corporations are ordering only video-equipped monitors. In addition, because many firms have a video bias and/or database of employee photos, face recognition technology is an obvious choice in many different business settings and applications.

Keith Angell, COO, Miros Inc.

Face recognition technology has become increasingly user-friendly. One such product is TrueFace by Miros Inc. With TrueFace, a person simply sits down at a desktop or laptop and the software tracks the person's face and stores those images into a database. Then, when the same person attempts to access information stored on the desktop or laptop, the software will first locate the person's face in any background and then verify or identify that person from a database of faces. These products are increasingly intuitive, allowing fast, simple access to corporate networks, Intranets, Extranets, the World Wide Web, or buildings, and still possess the core technology to photograph anyone attempting to access onto the desktop or network.

Especially
fitting for the financial transactions, government security, health care, and electronic commerce (e-commerce) markets, face recognition software enables these industries to conduct business efficiently and securely.

Face recognition technology applications include the following:

- Intranet, extranet, and internet access, where verification is used to ensure safe transactions online
- Physical security into buildings and restricted areas, where passwords or cards do not provide enough high-level security or are too costly
- Medical records management, where the usage of gloves prohibits other security systems
- Corporate network data, human resource records, and financial information security, which allows not only sensitive corporate information to be protected from hackers but also the capability of auditing who is accessing what information
- E-commerce, where transactions warrant feelings of confidence and privacy on the customer's part

In check cashing environments, face recognition has been successful in reducing fraud. One such company, Mr. Payroll, has conducted more than $250 million in self-service, 24-hour check cashing transactions using face recognition technology. This technology further enabled them to successfully stop three check cashing fraud rings.

Face recognition technology is easily integrated into existing environments without user resistance because it does not require people to act, stand, or look different from their usual appearance. This hygienic, nonintrusive tool requires no special expertise to operate. Face recognition technology will enable not only corporate environments to feel safe knowing their information and surroundings are secure but also individuals to feel more comfortable conducting business in today's technology-centric society.

Keith Angell directs a diverse range of Miros
activities, including finance, engineering, production, customer support, sales, and marketing. He holds an M.B.A. in Finance from Louisiana State University and a B.S. in Engineering from Duke University. Mr. Angell has authored and co-authored more than 40 publications and has presented at more than 50 technical conferences. He may be reached at kangell@miros.com.

Coalition Environment (continued)

every day. Coalition counterparts likewise find time during the day to attend their own separate national meetings. Daily battle quickly accommodates these separate national and coalition events.

Second, we need to plan resources for the extra spaces, wiring, and automation equipment that coalition operations require. Three separate networks require three sets of all the pieces and parts and people to make that happen. Get used to it. There is no acceptable way to merge them in the short term anyway, if ever. Fact of life in the business of moving electrons: if you can do business through it, you can do malicious business through it. Further, if you can do authorized business through it, you can make unintentional mistakes through it. Air gapping is likely to be with us for a long time.

Lastly, we need to have standing operating procedures (SOPs) that describe in detail all the how-to's, and we need to exercise them often so everybody gets up to speed and stays there. The better we get at doing this right the first time, the better we will be at avoiding the emergency solutions that get us all in trouble.

COL Treece is the G2 of 5th Signal Command in Mannheim, Germany, and the IA Program Manager for US Army Europe. He has had multiple assignments in coalition operations, including 7 years assigned to NATO at SHAPE, Belgium, and at AFSOUTH in Naples, Italy. He has worked with Balkans coalition information sharing issues on and off for a total of 6 years. He has worked at the CINC, the Service component, and the national policy level on classification and disclosure issues. treeced@hq.5sigcmd.army.mil

Public STINET, which provides free access to citations to unclassified, unlimited documents entered into technical reports collection since 1985, has been enhanced with the Fulcrum SearchServer(TM) search engine and a new look and feel. The result is improved ease of use, greater search capabilities, numerous new features, and improved communications between DTIC and our customers.

The new look and feel provides a site map and a find it feature, which make STINET easier to navigate and find information. There are numerous additional searchable databases on STINET from other DTIC and Federal collections. Read on to discover some of the new search capabilities and features.

New Search Capabilities

- Quick Search: An all fields Quick Search of the unclassified, unlimited technical reports collection can be conducted from the main STINET page. The Quick Search can also be used for a multi-database search on the Scientific and Technical Documents page. Such databases as the Descriptive Summaries (RDDS), the How To Get It, DODISS, the DTIC Thesaurus, and the Technical Reports Collection can be searched simultaneously. The maximum number of citations returned with this search is 25 per database searched.
- Fielded Search: Searching by specific field(s) narrows search results. Two fielded search options are available. The Simple Fielded Search allows you to search by several key fields. The Advanced Fielded Search allows you to search from selected fields in the database.
- Proximity Searching: Provides a method of locating citations in which the words entered appear within a defined distance of each other.
- Report Date Searching: Search for citations to documents by a specific date or date range.
- Stop Words: There are no stop words with this new search engine. All words may be used in a search.
- Custom Search Results: Customize your search results by selecting the fields that you want displayed.
- Enhanced Help: Help Topics and Help icons are available throughout STINET to help you
find your way around.
- Online Troubleshooting: An Online Troubleshooting capability has been incorporated to enhance communications between STINET staff members and our customers. This service functions as a web-based electronic bulletin board with capabilities for posting customers' questions and DTIC responses.
- Shopping Cart: Select multiple items from STINET search results and send one consolidated order. NOTE: Only DTIC registered users may order documents directly from DTIC.

STINET staff continues to listen to our customers' needs. If you have any suggestions, problems, or comments, please submit them via the web using the following Comment Form: p report html

If you want to contact a STINET representative directly, call Ms. June Doezema at 703 427-8047 or Ms. Pat Tillery at 703 767- 427-8267. Email stinet@dtic.mil or bcporder@dtic.mil.

Internet-Based Information Security Master's Program

James Madison University has announced an entirely Internet-based master's program in computer science with concentration in information security. Classes begin August 28, 1999. In March 1999, NSA recognized James Madison University's contributions to information security education by designating JMU as a Center of Excellence in Information Assurance Education.

The program began in January 1997 and has drawn students from industry and business, the Department of Defense, the MILDEPs, the Federal Reserve Board, the Federal Bureau of Investigation, and the National Security Agency, as well as other agencies.

According to director Allan Berg, the program is designed for working professionals and requires no physical time in a classroom. Once every 7 weeks, students take a proctored exam at an individually arranged location. Students abroad may sit for exams at US military installations around the world. Enrolled students log into the virtual classroom for Streaming Audio over PowerPoint presentations from the course professor, retrieve and complete assignments, and conduct
discussions with the professor and fellow students, all in the virtual classroom.

The program is taught asynchronously, meaning the professor and students do not have to be on-line at the same time. Berg says, "Time zones and distance have no relevance in being able to take the program. If you have a good ISP, you can reach us from anywhere."

Prior to the groups (cohorts) that start this August, students were required to spend the first and last Saturday of every course in the classroom. The first cohort of students that started January 1997 finished the program in March 1999; a NSA cohort that began the program in June 1997 will finish in August 1999. The two cohorts that started August 1998 will finish September 2000. The five cohorts that start this August will consist of three open cohorts and two federally funded closed cohorts and will complete the program in November 2001.

The program emphasizes information technologies, administrative operations, and laws and regulations. Studies address information confidentiality and protection, risk management, data and system integrity and authenticity, network security, among other topics. Classes focus on the understanding, use, and management of information security concepts, principles, methods, and practices, while appreciating the differences in procedures used by organizations ranging from industry to DOD and agencies to private businesses.

Students spend 18 months and earn 30 credits to complete the Master of Science in Computer Science with a concentration in Information Security. More time may be necessary for students who need to take prerequisite courses to develop or refresh the skills necessary to complete the program.

The program is aimed at students with an undergraduate degree who have majored in computer science or gained technical experience with information systems. Entrants take classes in a required sequence, taking 7
weeks to complete each of the nine core courses and the capstone project.

Additional program information appears on the web site. Director Allan Berg's telephone number is 540-568-8773 and his e-mail address is bergaX@jmu.edu. Application information can be obtained by calling 540-568-8772.

IATAC Subscription and Technical Area Tasks

Subscription accounts and the Technical Area Task (TAT) program provide organizations with an opportunity to obtain value-added technical support that exceeds those services provided through basic information analysis center (IAC) operations. These activities fall within the scope of the IATAC mission but are tailored to meet the specific needs of the requesting activities. Funding to establish a Subscription Account and/or TAT is provided by the sponsoring activity.

Subscription accounts permit Government and Non-Government activities to establish deposit accounts that may be drawn upon to obtain a number of IATAC services. These services include technical inquiry assistance; attendance at IATAC-sponsored conferences, meetings, symposia, workshops, educational and training activities; and other IATAC products for which fees may be charged. Subscription accounts may be used to support inquiries processed on a cost recovery basis, typically those inquiries requiring between 8-80 hours to complete. These inquiries are categorized as Extended User Inquiry, Search and Summary, and Review and Analysis. The Subscription Account establishes a formal relationship between IATAC and the sponsoring activity. The benefit of a Subscription Account is that it provides users with a technical repository and resource to draw upon in response to emerging information assurance requirements.

Robert P. Thompson, Director, IATAC

Technical Area Tasks (TATs) facilitate the development of scientific and technical information (STI), as well as the extension and expansion thereof, to provide data acquisition, studies, analyses, and research and
development to support DOD information assurance requirements. TATs are analytical and technical in nature, and the actual scope and level of effort may vary depending upon the requirements of the sponsoring activity. IATAC TAT areas of expertise address the broad spectrum of information assurance activities. Furthermore, IATAC TATs contribute to the growth of the information assurance (IA) knowledge-base and promote awareness and use of IA resources by applying the results of previous IA investment to current problems. As a result, TATs contribute to increased efficiencies and effectiveness of current DOD scientific, technical, and operational activities.

For more information on subscription accounts and the TAT program, contact IATAC at 703-289-5454 or via email at iatac@dtic.mil.

Data Embedding for Information Assurance

Provides an assessment of the state-of-the-art in data embedding technology and its application to information assurance. It is particularly relevant to information providers concerned about intellectual property protection and access control; information consumers who are concerned about the security and validation of critical information; and law enforcement, military, and corporate organizations concerned about efforts to communicate covertly. The report has been specifically designed for readers who are not experts in data embedding. For those desiring more in-depth information, the bibliography provides an extensive list of authoritative sources from which the reader can obtain additional technical detail.

Computer Forensics - Tools and Methodology

The primary focus of this report is a comparative analysis of currently available software tools that are used in computer forensic examinations. For readers who are unfamiliar with computer forensics, this report provides a useful introduction to this specific area of science and offers practical high-level guidance on how to respond to computer system intrusions. For all readers, however, this report provides a useful analysis of specific products, including their respective capabilities, unique features, cost, and associated vendors.

Identification Systems

Focuses on fingerprint biometric systems used in the verification mode. Such systems, often used to control physical access to secure areas, also allow system administrators access control to computer resources and applications. As a result, fingerprint identification systems have become a viable solution for security policy enforcement. Information provided in this document is of value to anyone desiring to learn about biometric systems. The contents are primarily intended to assist those individuals who are responsible for effectively integrating fingerprint identification products into their network environments to support the existing security policies of their respective organizations.

IMPORTANT NOTE: All IATAC Products are distributed through DTIC. If you are NOT a registered DTIC user, you must do so PRIOR to ordering any IATAC products.
TO REGISTER ON-LINE:

Name:
Organization:
Ofc. Symbol:
Address:
Phone:
E-mail:
Fax:
Organization: [ ] YES [ ] NO
If NO, complete LIMITED DISTRIBUTION section below.

LIMITED DISTRIBUTION
In order for organizations to obtain LIMITED DISTRIBUTION products, a formal written request must be sent to: IAC Program Office, ATTN: Sherry Davis, 8725 John Kingman Road, Suite 0944, Ft. Belvoir, VA 22060-6218.
Contract No.:
For contractors to obtain reports, request must support a program and be verified with COTR.
COTR:
Phone:
Technical Reports: [ ] Biometrics [ ] Computer Forensics [ ] Modeling Simulation
IA Tools Report: [ ] Anti-Virus Tools [ ] Firewalls [ ] Intrusion Detection [ ] Vulnerability Analysis
State-of-the-Art Reports: [ ] Data Embedding for Information Assurance [ ] Malicious Code Detection SOAR [ ] TOP SECRET [ ]
Security POC:
Security Phone:

UNLIMITED DISTRIBUTION
Newsletters (limited number of back issues available):
[ ] Vol. 1, No. 1 [ ] Vol. 1, No. 2 [ ] Vol. 1, No. 3 [ ] Vol. 2, No. 1
[ ] Vol. 2, No. 2 [ ] Vol. 2, No. 3 [ ] Vol. 2, No. 4
Please list the Government that the product(s) will be used to support:
Once completed, fax to IATAC at 703-289-5467.

Spring 1999, Vol. 2, No. 4

Symposium & Exposition: Securing the Future Through Technology. Ft. Bragg, NC. Sponsored by AFCEA North Carolina Chapter. Call 910-483-2221.

Space 0 Conference. Peterson AFB, CO. 703-549-1600.

14th Annual Mid-Atlantic Intelligence Symposium. Johns Hopkins Applied Physics Lab, Laurel, MD. Call Ed Kesselman, CSC, 410-691-4077.

Information Systems Security Expo (ISSE '99). Arlington, VA. Call J. Spargo & Associates, 703-631-6200.

TechNet Europe '99. Renaissance London Heathrow Hotel.

MILCOM 1999: Into the Next Millennium - Evolution of Data Into Knowledge. Atlantic City, NJ.

TechNet Asia Pacific '99. Honolulu, HI. Call J. Spargo & Associates, 703-631-6200.

AFCEA West 2000. San Diego Convention Center, San Diego, CA.

Fiesta Informacion 2999. San Antonio, TX. Call J. Spargo & Associates, 703-631-6200.

Information Assurance Technology Analysis Center
3190 Fairview Park Drive
Falls Church, VA 22042