REPORT DOCUMENTATION PAGE (OMB No. 0704-0188)
Report date: Fall 1999. Report type and dates covered: Newsletter, Vol. 3, No. 2.
Title and subtitle: IAnewsletter, The Newsletter for Information Assurance Technology Professionals.
Author: Information Assurance Technology Analysis Center (IATAC).
Performing organization: IATAC, Information Assurance Technology Analysis Center, 3190 Fairview Park Drive, Falls Church, VA 22042.
Sponsoring/monitoring agency: Defense Technical Information Center, DTIC-IA, 8725 John J. Kingman Rd., Suite 944, Ft. Belvoir, VA 22060.
Distribution/availability statement: Approved for public release; distribution is unlimited (distribution code A).
Abstract: IAnewsletter is published quarterly by the Information Assurance Technology Analysis Center (IATAC). IATAC is a sponsored Information Analysis Center administratively managed by the Defense Technical Information Center (DTIC), Defense Information Systems Agency (DISA). Featured in this issue: Defense in Depth, Y2K Computer Security Tips, Special Section on Component Commands.
Subject terms: Information Security, Information Assurance, Defense in Depth, Information Operations, Computer Security. Number of pages: 27.
Security classification of report, of this page and of abstract: UNCLASSIFIED. Limitation of abstract: None.

IAnewsletter, The Newsletter for Information Assurance Technology Professionals, Fall 1999, Vol. 3, No. 2. Special Section on the Component Commands.

Contents

On the cover: Information Assurance Through Defense in Depth, Lt Col (Select) Bradley K. Ashley, USAF, and Gary L. Jackson, page 3.

IA initiatives:
- Matrix Mission Planning (MMP) in Information Operations, CDR Mark L. Nold, USN
- ACERT, MAJ Glen Teasley, USA, and MAJ David Papas, USA
- AFIWC and AFCERT: Allies in the Information War, Capt Karl Grant, USAF, and 2nd Lt Becca Lege, USAF
- Marine Forces Computer Network Defense (MARFOR-CND), Major E. H. "Ted" Steinhauser, USMC (Retired)
- Navy Computer Network Defense
- Monitoring and Protecting the Global Network, MAJ Rod Laszlo, USA, and CW5 Bruce Gardner, USA, page 20
- Computer Security Tips for Y2K Preparation, Capt Elizabeth A. Siemers, USAF, page 22
- SHERLOCK: A Third Generation Log Analysis Tool, Keith J. Jones

In each issue:
- IATAC Chat: Leveraging the Technical Area Task (TAT) Program, Robert P. Thompson
- Products: IATAC Product Order Form
- Calendar of Events, back cover

Editors: Robert P. Thompson, Robert J. Lamb. Creative Director: Christina P. McNemar. Information Processing: Robert L. Weinhold. Information Collection: Alethia A. Tucker. Inquiry Services: Peggy O'Connor. Contributing Editor: Louise Price.

IAnewsletter is published quarterly by the Information Assurance Technology Analysis Center (IATAC). IATAC is a sponsored Information Analysis Center administratively managed by the Defense Technical Information Center (DTIC), Defense Information Systems Agency (DISA). Inquiries about IATAC capabilities, products and services may be addressed to Robert P. Thompson, Director, IATAC, 703 289 5454. We welcome your input. To submit your related articles, photos, notices, feature programs or ideas for future issues, please contact IATAC, ATTN: Christina P. McNemar, 3190 Fairview Park Drive, Falls Church, VA
22042. Phone: 703 289 5454. Fax: 703 289 5467 or 703 289 5462. E-mail: iatac@dtic.mil. URL: http://iac.dtic.mil/iatac. Cover and newsletter designed by Christina P. McNemar.

Information Assurance Through Defense in Depth
Lt Col (Select) Bradley K. Ashley, USAF, and Gary L. Jackson

Our armed forces increasingly rely on critical digital electronic information capabilities to plan and move essential data in planning, detecting, coordinating and executing operations. However, many of these systems have security weaknesses that can be exploited by powerful and sophisticated threats, which could result in unauthorized access, destruction, disclosure or modification of data, or denial of service. Such system vulnerabilities can jeopardize our most sensitive information capabilities. With deep, layered defenses we can reduce vulnerabilities and deter, defeat and recover from sustained, skillful and penetrating assaults.

Network Operations (NETOPS) provides the framework and procedures to manage the emerging Global Information Grid (GIG) of networked information capabilities. By integrating information assurance through Defense in Depth with Network Management and Information Dissemination Management (IDM), NETOPS is a key enabler for CINCs to achieve information superiority and accomplish their missions.

A good physical analogy, the fully developed medieval castle, offers two valuable principles for designing Defense in Depth for information systems: (1) formidable layered defenses, and (2) means to fight back actively. These castles were positioned to control the most significant terrain, serving to secure critical logistics bases and command and control centers for armed forces. Castles were built on strong foundations and often on high ground. They employed successive barriers, including water obstacles (moats), ditches, and successive rings of strong and high walls and towers. This defense structure allowed a relatively small force of well-supplied personnel, sentries and men-at-arms to fight back and prevail
against a much larger adversary. Just as a castle protected critical military resources in the Middle Ages, we must defend and protect our vital military information today.

The Defense in Depth approach employs and integrates the abilities of people, operations and technology to establish multilayer, multidimensional protection, like the defenses of a castle. The approach employs successive layers, using a variety of methods at multiple key locations, to prevent the potential breakdown of barriers and penetration to the innermost areas of the system. In a simple successive-barriers strategy the barriers might all use the same method, presenting an adversary who breaks down one barrier with another, and another, and another. But a simple strategy of redundancy will probably have little effect against different attack methods, because whatever defeated the first barrier defeats the copies behind it. To counter the variety of attack methods that may be used today, we must employ a comprehensive variety of security mechanisms that provide redundant protection. To block attempts to gain access and do harm at different locations in the protected environment, we must also deploy defenses at multiple locations. No critical sector or avenue of approach into the sensitive domain of the information system should be uncontested or unprotected.

Figure: The physical analogy for this strategy is the formidable layered defenses of the medieval castle.
Figure: Network Operations (NETOPS) Model.

People

People using technologies to conduct operations are the strategy's central element. People design, build, install, operate, authorize, assess, evaluate and maintain protection mechanisms. To gain and maintain the knowledge and expertise needed to perform these vital tasks, a comprehensive program of education, training, practical experience and awareness is needed. We must recruit, retain and wisely assign the
best talent available. We also need a highly reliable personnel security system of appropriate background investigations, security clearances, credentials and badges to ensure that only trustworthy persons have access. Finally, professionalization and certification are important tools in developing a validated and recognized cadre of experts and providing additional motivation for staff.

Operations

IA operations, the second element in the strategy, involves policy, procedures and execution. IA policy drives operations by establishing goals, courses of action and standards. It formally states the security requirements for information systems: what must be protected, how resources are used, and what must be done and not done. Policy also establishes standards that define uniform and common features and capabilities of security mechanisms, the rule or basis by which to measure the various dimensions of information assurance, and the desired or required level of attainment. Standard operating procedures (SOP) are then needed to ensure adequate implementation of the prescribed policies. The SOP should define system configuration, deployment, routine operations, and incident response and reporting.

Figure: Defined Information Operations Capabilities; Network Operations of the Global Information Grid; How NETOPS Fits with Information Operations.

Defined procedures for addressing incidents are particularly critical. After an intrusion is detected, incident information must be reported through established channels to appropriate authorities and specialized analysis and response centers. Incident response should then begin with immediate local emergency damage-limitation and survivability actions. These steps should all be stated in the SOP and implemented promptly. Regional and national experts might need to become involved when more sophisticated methods are necessary to confirm attacks, determine effects and track down perpetrators. Execution of these tasks may
be quite difficult when distributed, coordinated, low-visibility, network-based attacks occur across many systems over an extended period of time. Careful, effective and timely decisions must be made concerning appropriate additional responses, such as declaring a higher-level security situation or information operations condition (INFOCON), isolating affected systems, or pursuing legal, diplomatic, economic or military actions. Operations also includes improving situational awareness, conducting IO-related exercises, and performing vulnerability assessments to improve our security posture.

Technology

The technology element of Defense in Depth focuses on four major areas:
- Networks that link enclaves
- Enclave boundaries
- Local computing environments, or enclaves
- Supporting infrastructures

Technology to Defend Networks

Redundant and multiple data paths offer more than one available alternate physical medium or route for data transport. These measures serve to ensure continued transmission when intermediate enclaves or network components are degraded or inoperable. Enclaves should be able to disconnect from external networks in a crisis, filter traffic to prevent the use of risky message segments, and control throughput. Provisions against denial of service should be included in agreements for commercial services to avoid a single point of failure. In addition, automated tools for system monitoring and management should be employed on the network to collect and analyze observable phenomena and maintain knowledge of the status of systems. These tools should be able to detect disruption and degradation that can indicate security problems.

Technology to Defend the Enclave Boundary

Defense of the enclave boundary is geared toward ensuring that all outside systems that seek access meet the security criteria of the enclave. Boundary defenses protect inside data and services from outside dangers. They also protect systems within the enclave that
do not have their own self-defense capabilities. Some of the technologies to defend the enclave boundary are:
- Identification and authentication tools
- Personal Identification Numbers (PINs)
- Passwords
- Biometric mechanisms
- Firewalls
- Malicious code and virus detectors
- Intrusion detection and response tools
- Guards

Technology to Defend the Local Computing Environment

In defending the local computing environment, the IA challenge is to provide selected mechanisms, such as protected distribution systems, for protection. In addition, effective tools must be used to deepen the defense by protecting the end-systems and capabilities and their internal components and associated peripheral devices. Technologies used for this purpose include:
- Passwords, PINs, tokens and biometrics
- Digital signatures
- System monitoring and management tools
- Intrusion detection tools
- Malicious code and virus detectors
- Backup technologies
- Software with its own access control features

Supporting Infrastructures

All military organizations and operations, including IA, require a logistics structure to provide essential resources and support for maintenance, repair and other vital services. Many of these services are provided across garrison and deployed environments. IA Defense in Depth also requires specialized support from unique capabilities and from organized incident reporting and response.

The key-management function must be resourced and managed to meet or exceed all requirements without disclosure or theft of keys. We must continue to design and field equipment and associated software that are reliable, fast and secure. There must be a strong system to produce, distribute and manage public and private keys as well as digital certificates. Efforts are under way to improve the system by merging the current primary infrastructures for classified keys (Electronic Key Management System) and unclassified public keys
(DOD Public Key Infrastructure).

Detection, reporting and response infrastructures are essential in discerning whether an intrusion is a local, isolated event or part of a more widespread, sustained, dangerous attack. The outputs from local use of tools and intrusion detection and response actions must be delivered to organized capabilities in the chain of command, especially at the Military Department and Service, regional, and national (global) levels. Intrusion detection information must be forwarded to specialized structures with the ability to perform more sophisticated analysis and correlation of indications from a range of sources and agencies. DOD is now constructing and improving a global infrastructure to manage incident reporting and enable a coordinated, coherent response. Efficient operation of this infrastructure requires standardized reporting formats and procedures, automated support to transfer and analyze relevant data, and effective interfaces with other response capabilities.

The information assurance Defense in Depth approach will give us the ability to meet the tremendous IA challenges we face today and will face in the future. The complexity and power of electronic digital computing and telecommunications systems will increase, and our forces will continue to take full advantage of these capabilities in all types of operations. At the same time, however, adversaries will be able to acquire and use these technologies against our critical and mission-essential systems. Therefore we must maximize the contributions of certified experts, employ disciplined operations guided by policies and using sound, successful procedures, and field proven, reliable technological solutions. In these efforts the human factor is and will continue to be essential. It takes people to make and use technologies and to conduct IA operations. IA Defense in Depth depends on each of us. We must master new technologies, watch for new and changing
threats and vulnerabilities, and continue vigorous efforts to build a formidable IA Defense in Depth.

Lieutenant Colonel (Select) Bradley K. Ashley, U.S. Air Force, is the Senior Information Operations (IO) Policy and Doctrine Officer, Joint Staff C4 Systems Directorate (J-6), Washington, D.C. He is also the lead Joint Staff officer for Information Assurance (IA) policy and doctrine, IO education, training and awareness, and joint and CINC IO exercises, and a member of the IO Response Cell responding to real-world computer network attacks. He received his M.S. from the U.S. Naval School in 1990. He may be reached at ashley.bk@js.pentagon.mil.

Gary L. Jackson received his doctorate in Government from Georgetown University in 1985. He is a former staff Fellow in Political-Military Studies at the Center for Strategic and International Studies (CSIS) and a retired U.S. Army Military Intelligence officer. Doctor Jackson supports the Joint Staff J-6 (C4 Systems Directorate) as a senior systems engineer working in the field of information security. He may be reached at 703 676 4160.

Matrix Mission Planning (MMP) in Information Operations
CDR Mark L. Nold, USN

In 1995 I left the comfort and sanctuary of the Navy's EA-6B community at Whidbey Island, Washington, to assume the post of Fleet Electronic Warfare Officer of the U.S. Second Fleet in Norfolk, Virginia. On the way I attended a newly created course at the Armed Forces Staff College (AFSC) in Norfolk called Command and Control Warfare (C2W). Little did I know when I attended this course that within a month of my arrival at Second Fleet I would be up to my neck in what is now known as information operations (IO). My assignment as Fleet Electronic Warfare Officer was twofold. First, draft the first-ever C2W appendix to a large force exercise operations order (OPORD). Second, develop a fully integrated Joint Task Force (JTF) C2W strategy supporting the commander's intent and objectives. The first task was a snap. My training at AFSC provided me with the fundamentals I needed to breeze through the OPORD writing process. The C2W appendix was completed in record time. The
remaining task, however, was daunting to say the least. I was overwhelmed. AFSC taught me the goals of a C2W strategy but never showed me how to actually build one. Since I was the only trained C2W guy on the Second Fleet's staff, the task of executing C2W doctrine fell squarely on my shoulders.

It soon became readily apparent that the one thing an information operations planner needs most is information, and lots of it. I studied the objectives of both the Commander-in-Chief (CINC) and the JTF Commander to derive a clear understanding of the operations timeline and the implied and specified tasks of the subordinate commanders. Armed with this knowledge, I still could not tie all the information together. After a number of frustrating attempts I began to lay out JTF objectives and tasks in a matrix to visualize the sequence of events that would take place in the operation (Figure 1). Lightning struck. I realized that I could use this format to balance C2W capabilities with JTF objectives and tasks (Figure 2). I could now easily lay out a general C2W strategy that truly complemented JTF objectives and fully integrated C2W in support of the campaign.

Figure 1: Matrix of JTF Objectives and Tasks.

Our meager staff of three worked diligently to develop the general C2W strategy that we would present to the JTF commander (see Figure 3). The boss was impressed, and we embarked on the development of specific matrices (Figure 3) for each of the C2W capabilities in our arsenal: OPSEC, military deception, PSYOP, destruction and electronic warfare. The matrices provided us with detailed plans for each capability, which were along the same timeline as the general C2W strategy, allowing us to identify
showstoppers, specify required assets, and ensure that our strategy was sound and executable (Figure 4). In addition we created specific matrices for other capabilities that would be integral to the strategy: Special Operations Forces support, surveillance and C2 Protect (see Figure 2). Once the C2W/IO Cell was established aboard the flagship USS Mt. Whitney, the general and specific matrices were submitted for refinement and finalization of the strategy. The finished product allowed the cell to generate the C2W target set needed for facilitating the strategy and to begin lobbying component representatives to rank our targets high on the Joint Integrated Prioritized Target List (JIPTL).

We had done it. But we still had to see our plan through to execution. There were a thousand moving parts, each one critical to the plan. To manage this behemoth we pulled every event from the matrices and created a single execution checklist (Figure 5), which described each event in detail in terms of date, time, executing unit, target, linked or other dependent events, and objectives. The Current Operations branch of the cell (not a doctrinal entity) tracked the progress of this checklist. Current Operations then provided feedback to the cell, where the strategy was reassessed and modifications were developed based on its success or failure in particular events.

The exercise was a success from an IO point of view, and matrix planning was the key. The process has evolved since that first effort, but the approach pioneered in the initial attempt has been repeated successfully several times since its creation.

Figure 2: Balancing C2W Capabilities with JTF Objectives.
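To make the matrix-to-checklist step concrete, here is an added example (not from the article, and not the Second Fleet cell's own tooling) in Python. Capability-specific matrices are flattened onto one timeline to produce the execution checklist, and the showstopper check flags linked events that do not complete before the event that depends on them, required assets that are not available, events that support no stated JTF objective, and JTF objectives that no event supports. The objectives, events, units, targets and asset names are constructed for illustration.

```python
"""Matrix Mission Planning helper: flatten capability-specific matrices into an
execution checklist and flag showstoppers. Added example; the event data is
constructed for illustration and is not from the article."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    event_id: str
    capability: str         # OPSEC, military deception, PSYOP, destruction, EW, ...
    day: int                # offset from D-day
    hour: int               # 0-23
    unit: str               # executing unit
    target: str
    objectives: tuple       # JTF objectives this event supports
    depends_on: tuple = ()  # linked events that must complete before this one
    assets: tuple = ()      # assets required to execute

    @property
    def when(self):
        return (self.day, self.hour)


# Constructed JTF objectives and available assets.
JTF_OBJECTIVES = {
    "OBJ-1": "Degrade adversary integrated air defense",
    "OBJ-2": "Conceal JTF force disposition",
    "OBJ-3": "Protect JTF command and control networks",
}
AVAILABLE_ASSETS = {"EA-6B", "F/A-18", "SOF team"}

# Constructed capability-specific matrices (one row per planned event).
MATRICES = {
    "electronic warfare": [
        Event("EW-1", "electronic warfare", 0, 6, "VAQ det", "early warning radar",
              ("OBJ-1",), assets=("EA-6B",)),
    ],
    "destruction": [
        Event("DST-1", "destruction", 0, 5, "CVW strike", "SAM site",
              ("OBJ-1",), depends_on=("EW-1",), assets=("F/A-18",)),
    ],
    "military deception": [
        Event("DEC-1", "military deception", -1, 22, "Second Fleet",
              "adversary surveillance", ("OBJ-2",)),
    ],
    "PSYOP": [
        Event("PSY-1", "PSYOP", 0, 8, "PSYOP det", "coastal defense force",
              ("OBJ-1",), depends_on=("EW-1",), assets=("C-130",)),
    ],
    "OPSEC": [
        Event("OPS-1", "OPSEC", -2, 0, "all units", "own emissions", ("OBJ-4",)),
    ],
}


def build_checklist(matrices):
    """Pull every event from every matrix onto a single timeline."""
    events = [e for rows in matrices.values() for e in rows]
    return sorted(events, key=lambda e: (e.when, e.event_id))


def find_showstoppers(events, available_assets, jtf_objectives):
    """Return (event_id, reason) pairs for anything that makes the plan unexecutable."""
    by_id = {e.event_id: e for e in events}
    problems = []
    for e in events:
        for dep in e.depends_on:
            if dep not in by_id:
                problems.append((e.event_id, f"linked event {dep} is not in any matrix"))
            elif by_id[dep].when >= e.when:
                problems.append((e.event_id, f"linked event {dep} is not complete before this event"))
        for asset in e.assets:
            if asset not in available_assets:
                problems.append((e.event_id, f"required asset {asset} not available"))
        for obj in e.objectives:
            if obj not in jtf_objectives:
                problems.append((e.event_id, f"supports unknown objective {obj}"))
    supported = {obj for e in events for obj in e.objectives}
    for obj in jtf_objectives:
        if obj not in supported:
            problems.append(("plan", f"JTF objective {obj} has no supporting event"))
    return problems


def format_checklist(events):
    """One line per event in execution order, as a Current Operations branch would track it."""
    return [f"D{e.day:+d} {e.hour:02d}00 {e.event_id:6} {e.capability:20} {e.unit:12} -> "
            f"{e.target} (obj {', '.join(e.objectives)})" for e in events]


if __name__ == "__main__":
    checklist = build_checklist(MATRICES)
    print("\n".join(format_checklist(checklist)))
    for event_id, reason in find_showstoppers(checklist, AVAILABLE_ASSETS, JTF_OBJECTIVES):
        print(f"SHOWSTOPPER {event_id}: {reason}")
```

With the constructed data the strike (DST-1) is flagged because it is scheduled before the jamming it depends on, the leaflet drop is flagged for an asset the JTF does not hold, the OPSEC row supports an objective the commander never stated, and OBJ-3 has nothing in the plan supporting it; each of these is the kind of showstopper the article says the aligned timelines exposed.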
Figure 3: C2W Capability-Specific Matrices.

Matrix mission planning can work for you. It provides a sound mechanism that ensures that IO is fully integrated as it was intended: as a synergistic supporting strategy that optimizes capability in relation to need. As the IO arena expands, the need for an organized approach to IO strategy planning becomes more and more critical. MMP is a vehicle that can ensure future capabilities are integrated seamlessly and effectively in information operations. Matrix Mission Planning methods are now taught as part of the Armed Forces Staff College Joint Command and Control and Information Warfare School (JCIWS) curriculum.

Commander Nold received his B.S. in biology from Fort Hays State University in 1978 and was commissioned a Second Lieutenant in the U.S. Marine Corps. In 1989 he transferred to the U.S. Navy. Nold obtained his MBA in Business Administration (Quality Management) from City University in 1994 and assumed command of the Electronic Attack Weapons School in April of 1999. He may be reached at noldml@yahoo.com.

Figure 4: Executable Checklist.
Figure 5: Detailed Planning.

ACERT
MAJ Glen Teasley, USA, and MAJ David Papas, USA

As the Army expanded its efforts against hackers, the Army Computer Emergency Response Team (ACERT) expanded its protection of the Army's electronic highways using the latest in technology and the best in expertise. The ACERT is the Army's operational element for computer network defense. It conducts command and control protection operations in support of the U.S. Army to ensure the availability, integrity and confidentiality of the information and information systems used by commanders
worldwide. The ACERT is a division of the Land Information Warfare Activity (LIWA), located within the U.S. Army Intelligence and Security Command at Fort Belvoir, Virginia. The ACERT consists of three branches: the regional CERT (RCERT) branch, the coordination center branch, and the computer defense assistance branch (Figure 1).

Figure 1: ACERT Organizational Structure.

The RCERT branch manages the functional and operational support requirements of the four field RCERTs: RCERT Pacific at Fort Shafter, Hawaii; RCERT Europe in Mannheim, Germany; RCERT Continental United States (CONUS) at Fort Huachuca, Arizona; and RCERT Korea in Taegu, Korea. The RCERTs are co-located with Army Signal Command's (ASC) Theater Network and Systems Operation Centers (TNSOC). By leveraging both the ASC's network operational function and the RCERT's network security function, each area of responsibility receives enhanced network support and constant vigilance for network security. The close working relationship between the ACERT, the RCERTs and the TNSOCs ensures that the Army's ability to communicate worldwide is successful and accomplished in a secure manner.

The coordination center branch receives computer incident and intrusion reports, conducts analysis of vulnerabilities, provides technical assistance to network and system administrators and managers, analyzes new viruses and anti-virus software, and monitors network intrusion devices that support Criminal Investigation Command (better known as CID) investigations.

The computer defense assistance branch provides a tool for Army commanders and their staffs to use in assessing their network security. The program is designed as a "white hat" external assessment; the results are shared only with the unit assessed. Commanders use the information to improve their network security and lessen the vulnerabilities that may allow unauthorized access. Program objectives focus on ensuring the overall security
configuration of the networks and identifying potential points of unauthorized access into networks. Objectives also focus on validating vulnerabilities, assessing the depth and degree of a potential compromise, and recommending the methods, techniques and configuration modifications needed to secure the scanned networks.

In December 1998 the Army deputy chief of staff designated the ACERT as the Army force for the Joint Task Force-Computer Network Defense (JTF-CND). In this capacity the director of the LIWA serves as the commander of Army forces and ensures the security of all Army networks. On a daily basis the ACERT is fully engaged as a component of the team protecting Department of Defense (DOD) networks worldwide.

The ACERT, in its mission to protect Army networks, coordinates daily with organizations both internal and external to the Army. Coordination within the Army includes the offices of the deputy chief of staff for operations, the Office of the Director of Information Systems for Command, Control, Communications and Computers (ODISC4), the Deputy Chief of Staff for Intelligence, ASC and CID. The ACERT coordinates with the following organizations and agencies outside of the Army: Air Force CERT, Navy Computer Incident Response Team, the DOD CERT, Marine Corps Marine Intrusion Detection Analysis Section (MIDAS), Coast Guard CERT, Federal CERT, Carnegie Mellon University (CMU) CERT, and the Federal Bureau of Investigation's (FBI) National Infrastructure Protection Center. Coordination encompasses collaboration and technical efforts involving vulnerabilities and their recommended solutions.

Figure 2: Army Information Assurance Vulnerability Process (triggers: IAVA message, directed validation, reported incidents, vendor-identified and CERT-identified issues; acknowledgement and compliance are tracked in working days).
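As an added example of the assessment objectives just listed (this is not ACERT's own tooling or data), the Python sketch below takes constructed scan findings, network reachability and trust relationships for a small enclave, identifies Internet-facing entry points whose vulnerability was validated rather than merely reported by a scanner, walks outward from each entry point to estimate the depth of a potential compromise, and turns the paths it finds into configuration recommendations. Host names, services and relationships are constructed for illustration.

```python
"""White-hat external assessment sketch. Added example; the findings, hosts and
relationships below are constructed for illustration and are not ACERT data."""
from collections import deque

# Constructed scan findings: host -> [(service, exposed_to_internet, vulnerability_validated)]
FINDINGS = {
    "web1":   [("http", True, True), ("ssh", True, False)],
    "mail1":  [("smtp", True, False)],
    "app1":   [("rpc", False, True)],
    "db1":    [("sql", False, False)],
    "admin1": [("ssh", False, False)],
}
# Constructed network reachability: host -> hosts it can open connections to.
NETWORK = {
    "web1":   ["app1", "mail1"],
    "mail1":  ["app1"],
    "app1":   ["db1", "admin1"],
    "db1":    [],
    "admin1": ["web1", "mail1", "app1", "db1"],
}
# Constructed trust: host -> hosts that accept its credentials without a further
# exploit (shared service accounts, host-based trust).
TRUST = {"app1": ["db1"]}


def validated_vulns(findings, host):
    return [svc for svc, _exposed, vuln in findings[host] if vuln]


def entry_points(findings):
    """Potential points of unauthorized access: Internet-exposed services whose
    vulnerability the assessment validated."""
    return sorted(host for host, svcs in findings.items()
                  if any(exposed and vuln for _svc, exposed, vuln in svcs))


def compromise_depth(entry, findings, network, trust):
    """Breadth-first walk from an entry point. A hop succeeds if the next host
    trusts the current one, or is reachable and has a validated vulnerability.
    Returns host -> (hops from entry, how the host was reached)."""
    first = next(svc for svc, exposed, vuln in findings[entry] if exposed and vuln)
    reached = {entry: (0, f"exploit:{first}")}
    queue = deque([entry])
    while queue:
        cur = queue.popleft()
        hops = reached[cur][0] + 1
        for nxt in trust.get(cur, []):
            if nxt not in reached:
                reached[nxt] = (hops, f"trust from {cur}")
                queue.append(nxt)
        for nxt in network.get(cur, []):
            if nxt in reached:
                continue
            vulns = validated_vulns(findings, nxt)
            if vulns:
                reached[nxt] = (hops, f"exploit:{vulns[0]} from {cur}")
                queue.append(nxt)
    return reached


def assess(findings, network, trust):
    """Depth and degree of potential compromise from every validated entry point."""
    return {ep: compromise_depth(ep, findings, network, trust)
            for ep in entry_points(findings)}


def recommendations(report):
    """Configuration changes that cut the paths found, one per host or relationship."""
    recs = []
    for entry, reached in report.items():
        for host, (_hops, how) in reached.items():
            if how.startswith("exploit:"):
                svc = how[len("exploit:"):].split(" ")[0]
                rec = f"{host}: fix validated {svc} vulnerability"
                if host == entry:
                    rec += " or remove its Internet exposure"
            else:
                rec = f"{host}: remove or scope credential trust from {how[len('trust from '):]}"
            if rec not in recs:
                recs.append(rec)
    return recs


if __name__ == "__main__":
    report = assess(FINDINGS, NETWORK, TRUST)
    for entry, reached in report.items():
        print(f"entry point {entry}:")
        for host, (hops, how) in sorted(reached.items(), key=lambda kv: kv[1][0]):
            print(f"  {hops} hop(s) {host:7} via {how}")
    for rec in recommendations(report):
        print("recommend:", rec)
```

In the constructed enclave only web1 qualifies as an entry point (mail1 is exposed but its finding was not validated), the walk reaches app1 through its validated service and db1 through the credentials app1 holds, and admin1 stays out of reach because nothing validated and nothing trusted leads to it. The walk deliberately counts an exposed-but-unvalidated service as no entry, which is the distinction the program's "validating vulnerabilities" objective draws.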
Table: Contacting the ACERT and RCERTs (commercial, DSN, NIPRNET and SIPRNET e-mail contacts for the ACERT and RCERT Europe).

To capture the massive amounts of data required to maintain situational awareness, the ACERT has developed a database that stores data on all reported or identified incidents and intrusions to Army automated information systems. In addition, the JTF-CND and the service components have developed the Joint CERT Database. This database will allow the ACERT, the other service CERTs, the DOD CERT and the JTF-CND to share information and conduct analyses on incidents. In this way all DOD CND elements can share information and protect against identified possible threats.

A system administrator/operator who detects any automated information system security incident is required by regulation (AR 380-19) to immediately report it to the information systems security officer, who will notify the installation systems security manager. Concurrently, the system administrator/operator will notify the appropriate RCERT and request technical assistance. The RCERT verifies that an incident or intrusion has occurred and reports it to the ACERT. If an intrusion has occurred, the ACERT reports it to the DCSOPS Information Warfare Office (DAMO-ODI), ODISC4, DOD CERT and the Joint Task Force-Computer Network Defense. The ACERT also notifies both the Army Computer Crime Resident Agency and the Army Central Control Office, U.S. Army Intelligence and Security Command.

The ACERT monitors the Army's Information Assurance Vulnerability Alert (IAVA) process. The
IAVA process is a DOD-mandated process for disseminating information and required actions on serious vulnerabilities to, or attacks on, automated information systems. The ACERT publishes IAVA messages to disseminate information and required actions on new and critical vulnerabilities to automated information systems. IAVA messages are disseminated by a general service (GENSER) message to all Army major commands and by the ACERT list server to all subscribers. IAVA messages are directed by the DOD CERT, Army ODISC4 or the ACERT.

The IAVA process for the Army requires that information assurance officers at major commands report receipt of an IAVA message within 5 days, and report compliance with the required actions, or submit a waiver, within 30 days. This timeline can be accelerated based on the criticality of the vulnerabilities addressed (see Figure 2). The status of major commands' IAVA compliance is monitored in the Army by both the ODISC4 and the deputy chief of staff for operations, and in DOD by the JTF-CND and the deputy secretary of defense.

Two initiatives guide the ACERT into the future: a fully integrated incident database and predictive analysis. The predictive analysis process identifies potential attacks against Army networks. Predicting network attacks provides the commander a (continued on page 17)

AFIWC and AFCERT: Allies in the Information War
Capt Karl Grant, USAF, and 2nd Lt Becca Lege, USAF

With the constant threat of computer attack looming in today's expanding realm of information operations (IO), it is vital that we employ the most advanced tactics in computer network defense (CND). The expansion of global communication lines and the development of new technologies bring with them an increased vulnerability to exploitation. The Joint Task Force-Computer Network Defense (JTF-CND) allows us to better integrate resources and to erect a powerful defense barrier against our adversaries. The Air Force Information Warfare Center (AFIWC) has been designated as Commander, Air Forces
(COMAFFOR) for the JTF-CND. Among its responsibilities is coordination of joint defense against computer attacks on information systems. The AFIWC, co-located with the Air Intelligence Agency, is the Air Force information warfare (IW) center of excellence. It explores, applies and disseminates offensive and defensive information warfare capabilities for operations, acquisition and testing. The center provides IW services to the warfighter in contingencies and exercises through quantitative analysis, modeling and simulation, database and technical expertise in communication and computer security. The AFIWC's team of more than 1,000 military and civilian personnel is skilled in operations, engineering, operations research, intelligence, radar technology, communications and computer applications.

Within the AFIWC, the Air Force Computer Emergency Response Team (AFCERT), under the COMAFFOR, is the execution element for the JTF-CND. Established in 1992, the AFCERT is the oldest organization of its kind in the Department of Defense and is the focal point for information protection of Air Force networked command, control, communications and computer systems. The AFCERT's primary mission is to provide intrusion detection, vulnerability assessment and incident response operations 24 hours a day, 7 days a week (24x7).

Since its inception the AFCERT has grown and refined its intrusion detection techniques to counter the constantly changing threat to Air Force networks. The team's 94 military, civil service and contractor personnel monitor networks at more than 120 locations worldwide. The monitoring of these sites is an enormous undertaking. For example, an estimated 6 billion connections were screened in 1998. Of those connections, 68 were identified by the AFCERT as attempts to disrupt or exploit Air Force operations.

Photo: Captain Jay Schwitzgabel oversees Staff Sergeant Todd Michael's review of suspicious network connections.

To aid in screening connections, the AFCERT relies on a tool called Automated Security Incident Measurement (ASIM). ASIM looks for suspicious or malicious traffic crossing Air Force networks, providing both a real-time warning and detailed information about the activity. The warning and information enable commanders to know where any suspicious activity originates, whether critical information has been compromised or changed, and whether the system in question can be trusted.

On the preventive side, the AFCERT conducts vulnerability assessments on Air Force networks with a software tool set called On-line Survey (OLS). OLS looks for security holes in a network and can detect vulnerabilities that a hacker may use to gain access to an Air Force system. In addition, because OLS operations appear to users and system administrators as unauthorized activity, OLS is used to exercise the base's or unit's activity detection and reporting ability.

Incident response is one of the AFCERT's most important services. When a suspicious or malicious activity on a system meets a predetermined threshold, the AFCERT designates it as an incident, initiating a flurry of activity in a very short time. First, the chain of command is notified by the using organization with the help of the Incident Response Team and the Air Force Office of Special Investigations (AFOSI). Depending on the criticality of the affected computer system, a decision is made on whether to isolate the system and pull it off the network. If the computer system is not deemed mission critical, it may be left on line so that more information can be collected about the hacker. If any type of illegal activity is found, AFOSI gets involved. AFOSI has the option of initiating its own on-site monitoring and pursuing prosecution. The AFCERT provides technical assistance to AFOSI investigations as needed. If it is determined that the base does not have the resources to secure the system or return it to normal operations, the base commander may request AFCERT augmentation. The AFCERT's and its sister divisions' joint incident response teams stand ready to recover such systems and can deploy to any location with less than 2 hours' notice.

To perform intrusion detection, vulnerability assessment and incident response operations effectively, the AFCERT relies on several organizations. The Countermeasure and Computer Security Engineering Teams provide research and red-teaming support to Air Force organizations and can augment AFCERT operations during OLS assessments, incident responses and peak periods. The Threat Analysis branch provides intelligence inputs, and the 690th Intelligence Operations Squadron's Cyberwatch provides indications and warning data. The Air Force's Network Operations Center is the Air Force's execution element for blocking connections recommended by the AFCERT at the Air Force enterprise-wide routers. Network Operations and Security Centers (NOSCs) and Network Control Centers (NCCs) provide Major Command-level and base-level support, thereby channeling vital information to the AFCERT and ensuring that downward-directed tasks are completed. The continued success of the AFCERT is due in part to the outstanding assistance and support that these organizations provide.

As the Air Force component lead to the JTF-CND, the AFCERT reports intrusion detection and incident response information and coordinates Air Force support to meet CND directives. In addition, the AFCERT assists with policy and procedural development and implementation. The AFCERT and AFIWC have been involved in several CND initiatives to standardize reporting processes across the Unified Command, Commander-in-Chief and Agency spectrum. Among the many projects to which the AFCERT, its sister divisions and the AFIWC have contributed are the Joint Threat and the Joint CERT databases. These are two systems that will improve
the ability to correlate incoming information and co- ordinate an appropriate re- sponse to suspicious activity that crosses bound- aries The AFCERT its sister divisions and the AFIWC have represented Air Force inter- ests at numerous conferences and exercises and will continue to provide the support needed for the suc- cessful defense of Air Force and network systems The interface between the AFCERT and operational units is the Information Warfare Flight IWF at the Numbered Air Forces It is critical that the CINCs have the tools and the knowledge they need to make informed decisions for their units about CND One of IAnewsletter I Fall the roles of the IWF is to prom vide this support by integrat- ing 1W activities into the nor- mal campaign planning and execution process By giving AFFOR a single IW focal point the IWFs provide the structure to plan and execute IW for the warfighter In doing so they provide the reach-back capa bility to enable units to con- duct 24 7 operations real- time As Col Richard Stotts said in his address to the Armed Forces Commu- nications and Electronics As- sociation Symposium 'Ib op- erationalize Defensive Counter Information we must look at all the resources necessary to promote our information re- source as a weapon system if we are to achieve the greatest use and protection of our in- formation With the support and resources to the IWFs we can ensure that our units are well informed and prepared to handle any attack on their networks Information superiority is critical in today s defense of computer systems and networks Coordination of ef- fort in the JTF-CND and inte- gration of resources in all facets of IO enables us to fight aggressively and win the infor mation war Captain Grant received his BS in Computer Science from Embry Riddie University Prescott Arizona He sup- ports AFCERT Operations at the Air Force Information Warfare Center He may be reached at 210 977 3158 2nd Lieutenant Leg received her BS in physics from Loyola 
University, New Orleans, Louisiana. She may be reached at raiege@afiwc.aia.af.mil.

Marine Forces Computer Network Defense
Major E. H. "Ted" Steinhauser, USMC (Retired)

Any Marine will tell you that the Fleet Marine Force (FMF) is the place to be if you want to be a real Marine. Operational commitments, deployments, leadership in the face of adversity, all the activities you've read about happen out in the FMF. Unfortunately, a set of orders to report to a job inside the beltway (the highway surrounding the Washington, D.C. metropolitan area) is usually the first step toward a lifelong commitment as a desk jockey and sworn enemy of the nation's forests. You trade all the fun of being an FMF Marine for 2 hours a day in a Route 95 van pool that now dictates the exact number of hours you spend at work. The Marines with whom you sweated, struggled, and persevered in the streets of Pohang are now replaced by government service employees and contractors who really don't understand what's so enjoyable about pulling CAT 5 through the sands of SWA at 0200 while in MOPP 4.

But just within the past year, the establishment of the Joint Task Force Computer Network Defense along the sheltered suburban streets of Washington, D.C., helped bring back some of the operational feel of wearing a set of utilities at the crossroads of the Corps. The JTF-CND was the result of Presidential Decision Directive 63, Protection of the Nation's Critical Information Infrastructure, and events such as Eligible Receiver and Solar Sunrise. Under its charter, the JTF-CND is responsible for establishing a fully operational JTF capable of coordinating the defense of the Defense Information Infrastructure (DII). Each service was tasked with providing a component to the JTF in mutual support of the DII subordinate elements.

The Marine Forces Computer Network Defense (MARFOR-CND) is the Marine Corps component of a standing JTF. No set working hours, no predictable schedule; it even has a real enemy, which is not only perceived to be out there but also routinely probes the Listening Posts (LPs) and Observation Posts (OPs) to see if they're awake. A renewed sense of purpose has been instilled in the Marines working to support the connectivity for the Marine Corps Enterprise Network (MCEN).

The easiest part of bringing the MARFOR-CND on line was recognizing that it had an outstanding high ground from which to defend. Those of us in the information security business all know that to achieve anything resembling a secure network, we must view the system from the perspective of pessimistic vulnerability hunters who are unwilling to accept that today's working solution will stand up against tomorrow's emerging threat. The Marine Corps did it right, as they've always done. Nearly from its conception, the MCEN was engineered with security in mind. The big picture was thoroughly examined to ensure an understanding of why the system was brought into existence, and the system was built with the aim of providing global support to the deployed commander. By dismissing the complexity caused by geographical separation, the Marines employed the fundamental aspects of true enterprise network symmetry and, simply put, did what needed to be done. From the first scribbles of a few network engineers on restaurant napkins to conversations over a couple of beers, the plan to construct a global network that was sustained, maintained, administered, protected, and defended from a central location was put into place.

In conjunction with the truly expeditionary nature of the Marine Corps, the Marines want to expand their capability beyond the MCEN garrison network. In a continued effort to protect the Marine Corps' deployed information architectures, the Marines will be fielding deployed security interdiction devices (DSID) to the FMF communication battalions. The DSID is designed to provide a defense-in-depth, boundary-level architecture composed of best-of-breed commercial off-the-shelf (COTS) security technologies. This design will enable the next generation of Marines to carry with them to the field technology that allows a tactical computer network defense in depth.

The instrumental catalyst that makes the Marine Corps component unique among the JTF components is operations security (OPSEC). This article did not include many details about the way in which the Marine Forces Component achieved this success because we know that any information about the tools of information system security success is merely a new essential element of information (EEI) for our enemy to use against us. The Marines understand tactics well. Although the successes produced by the MARFOR-CND are unlikely to result in a new verse of the Marines' Hymn, the Marines have assumed this newest mission with as much seriousness and intensity as they have applied to any past battle.

Mr. Steinhauser has been actively engaged as the MARFOR-CND Plans Officer in the conception and establishment of the Marine Corps component of the Joint Task Force Computer Network Defense. He may be reached at steinhauserth@noc.usmc.mil.

ACERT article (continued)

...proactive means for selecting the best course of action for protecting networks. The ACERT analytical section's predictive analysis capability is integrated into a multi-faceted analytical architecture. This structure also includes vulnerability assessment analysis via the information operations vulnerability assessment division and Computer Defense Assistance Program, reverse engineering and technical analysis of hacker tools via the LIWA Laboratory, and threat analysis via the intelligence branch. As a key Army element responsible for ensuring information assurance, the ACERT, in its capacity as the [...], maintains a vigilant watch over the numerous risks to Army automated information systems and the Army's [...].

[The remainder of this paragraph and the opening of the author biography are illegible in the source; the biography mentions the Land Information Warfare Activity at Fort Belvoir.]
He holds B.S. degrees in computer science, software programming, and systems engineering from the University of [illegible] and is a graduate of the Army's Command [illegible] School.

Navy Computer Network Defense

The Navy Component Task Force Computer Network Defense (NCTF-CND) is a component of, and directly supports the CND mission of, the Joint Task Force Computer Network Defense (JTF-CND). NCTF-CND missions include:

- Determining when Navy systems are under computer network attack (CNA), assessing an attacker's impact on military operations and capabilities, and notifying the JTF-CND and the user community of the threat
- Coordinating and directing appropriate Navy actions to stop CNA, contain damage, restore functionality, and provide feedback to the user community
- Developing contingency plans, tactics, techniques, and procedures to defend Navy computer networks and supporting the CND planning of Fleet Commanders-in-Chief (CINCs)
- Assessing the effectiveness of defensive actions and maintaining a current assessment of operational impact on the Navy
- Coordinating as required with the Naval Computer and Telecommunications Command (NCTC), the Fleet Information Warfare Center (FIWC), the Naval Security Group, the Office of Naval Intelligence, the Naval Criminal Investigative Service (NCIS), and other agencies and private-sector partners to defend Navy networks
- Monitoring the status of Navy computer networks
- Monitoring Computer Incident Response Team (CIRT) alerts, warnings, and advisories and serving as a critical node in the indications and warnings (I&W) reporting cycle
- Participating in Navy exercises to conduct computer network defense training
- Assessing threats to Navy computer systems based on all-source fused intelligence from potential CNAs against Navy computers and networks
- Providing information to and receiving direction from the JTF-CND and providing liaison to Navy organizations as required
- Coordinating and directing appropriate actions to ensure that Navy pages resident on the World Wide Web are in compliance with prescribed DOD and Navy doctrine or policy
- Serving as the Navy's reporting agent for Information Assurance Vulnerability Alerts (IAVAs)

The NCTF-CND is comprised of 14 officers, enlisted persons, and civilians. It is co-located with the NCTC to provide a comprehensive view of Navy networks. This network operations view, in combination with the network security picture provided by FIWC, allows NCTF-CND to rapidly identify threats to computer networks.

In its first trial, NCTF-CND, working closely with the FIWC's Navy Computer Incident Response Team (NAVCIRT), was able to disseminate critical, timely information about the Melissa Virus, which contributed to the rapid containment of the virus on Navy networks. In comparison, many civilian networks were taken off-line for days or weeks to recover from the damage this virus did.

NCTF-CND's partnership with the NAVCIRT division of FIWC extends beyond this one incident. As the Navy's information operations center of excellence, FIWC conducts forensic analysis of computer intrusion incidents and provides technical assistance to commands to restore networks. NAVCIRT also conducts on-line surveys of networks to identify vulnerabilities to command leadership, users, and system administrators.

NCTF-CND has also been vested with several significant network security-related missions, including Information Operations Condition (INFOCON), Navy Web-page Risk Assessment (NWRAC), and IAVA and compliance reporting. As the manager of the INFOCON program, NCTF-CND, through the Chief of Naval Operations (CNO) N6, issues guidance Navy-wide on implementation of the program and makes Service-level INFOCON posture recommendations to CNO. NCTF-CND coordinated a Navy-wide INFOCON exercise, conducted from late November to early December 1999, to ensure that INFOCON level implementation and the associated operational impacts are well understood by all Navy commands.

NCTF-CND also has responsibility for assessing the operations security posture of publicly accessible Navy Web sites. In collaboration with FIWC and Commander, Naval Security Group, the Commander, Naval Reserve Security Group is developing a Web-based database and reporting mechanism that significantly improves Naval Reserve Security Group operators' ability to check web pages for compliance with established DOD and Navy instructions and their ability to expeditiously notify commands of their findings.

IAVAs alert network users to vulnerabilities in operating system and application software and direct corrective measures. NCTF-CND has assumed the IAVA mission and, with system development support from NCTC, is implementing a Web-based compliance tracking system that significantly improves the timeliness and quality of IAVA compliance.

At the vortex of Navy network operations, the NCTF-CND has coordinated with all Navy second-echelon commands on the performance of several data collection efforts in support of the Navy-Marine Corps intranet and the Assistant Secretary of Defense for Command, Control, Communications, and Intelligence Unclassified-but-Sensitive Internet Protocol Router Network Internet gateway survey. Early on, NCTF-CND recognized the need to create a tool to capture critical network and organizational information, marrying network Domain Name Service (DNS) server information and Internet Protocol addresses with organizational and chain-of-command information. The result is better and more timely dissemination of network defense information and direction Navy-wide and improved reporting timeliness of compliance with JTF and NCTF tasking and direction.

The preceding examples highlight the diverse missions. The first line of network defense is still the skill and operational awareness of network system administrators and users. A well-trained, well-informed cadre of system administrators and users, coupled with a system of rapidly disseminated advisories and direction, are key ingredients in the success of the computer network defense mission. As the JTF-CND and the Navy move forward together into the next millennium, NCTF-CND will play an increasing role in the development and implementation of strategies that ensure that Navy networks are available when needed in peace, crisis, and war, and the return to peace.

MAJ Rod Laszlo, USA, and CW5 Bruce Gardner, USA

The protection and defense of operational networks is the mission of the Global Network Operations and Security Center (GNOSC), which is part of the Defense Information Systems Agency (DISA) operations directorate. The GNOSC consists of five branches. The Field Security Operations branch, at Letterkenny Army Depot, provides security services to the Defense Megacenters and to the Commanders in Chief (CINCs). The Plans branch provides long-range strategic planning for the Defense Information Infrastructure (DII). The Support branch provides support for daily internal operations of the GNOSC. The Operations branch, located at DISA headquarters in Arlington, Virginia, is responsible for the day-to-day management of the DII. The remaining branch, the Department of Defense Computer Emergency Response Team (DOD-CERT), is the joint-level CERT for DOD.

Within the GNOSC, direct day-to-day monitoring and protection is the responsibility of the Operations branch. This branch, which is staffed 24 hours a day, 7 days a week, is responsible for managing by exception network faults or outages in all components of the DII, including the Unclassified-but-Sensitive Internet Protocol Router Network (NIPRNET), the Secret IP Router Network (SIPRNET), the Integrated Digital Network Exchange (IDNX), the Defense Red Switched Network (DRSN), commercial and military satellites, video teleconferencing, and applications such as the Global Command and Control System and the Defense Message System. These networks are managed through five subordinate Regional Network Operations and Security Centers (RNOSCs), which provide network management and control and CERT support by region, including the European, Pacific, Central Command, and United States
areas of responsibility. In the event of a crisis, the GNOSC can manage, coordinate, and direct the actions of the RNOSCs.

The GNOSC also is the component responsible for supporting the Joint Task Force Computer Network Defense (JTF-CND). In this role it collects and reports CND-related information from all organizations (CINCs, Services, and Agencies) and provides direct access to technical and engineering expertise throughout DISA. The JTF-CND is co-located with DISA, and the JTF-CND Watch Officer sits in the same command center where the GNOSC performs network management. This relationship allows the JTF-CND to obtain real-time information about the networks that it defends and permits the GNOSC, in coordination with the JTF-CND, to suggest appropriate responses to an attack against the networks.

The networks that the GNOSC manages and protects can be likened to a weapons system. They must be monitored, managed, and manipulated so that they can be protected. One key to such network protection is the correct identification of the causes of network incidents. Network faults, outages, and congestion can appear to result from computer network attacks but might also be due to a cable cut caused by a backhoe. Immediate analysis and deconfliction of events is essential for development of proper courses of action, including recovery and reconstitution. The co-location of the JTF-CND and the GNOSC facilitates such network defense.

The GNOSC Operations branch also includes a Computer Network Defense Assessment Team, a Worldwide Network Manager, and a Worldwide Satellite Manager. Each of these functions provides information to the Systems Control Officer (SCO), who ties all events together and is the customer's contact at the GNOSC. The SCO plays a crucial role in determining whether an event is a network or a security problem. To ensure quality of service for the customer, the GNOSC Operations branch addresses network performance issues and security. On the performance side, the Network and Satellite Managers monitor the global network picture and work closely with the RNOSCs to ensure that customers have a responsive and supportive network for a multitude of applications traversing the networks. On the security side, the Computer Network Defense Assessment Team, working closely with the customer, the JTF-CND, and the CERT, helps to assess and prioritize the customer's problem and refer it to the proper branch of the DOD-CERT.

The DOD-CERT, the fifth branch of the GNOSC, provides network defense services through sensor monitoring, correlation of intrusion incident data, anti-virus product support, and remediation of the effects of intrusive activity. It is the joint-level DOD-CERT for strategic technical coordination among all of the other Service and Agency CERTs and Computer Incident Response Teams, and is the focal point for all computer incident and event reporting. Thus it is the first place where a worldwide assessment of the status of CND throughout the DOD can be made. The DOD-CERT can correlate data from all Services and from the RNOSCs with data gathered directly by network sensor devices and then assemble a global picture of the defensive state of the network.

In closing, the synergy that results from the co-location of the JTF-CND and the GNOSC cannot be overestimated. It is critical to the ability to see the networks that are being defended and the ability to gauge the impact of an attack on a network by seeing its components. The synergy of the JTF-CND and the GNOSC is also critical to seeing how best to stop or contain an attack. But just as important are the relationships forged by working side by side every day, allowing the JTF-CND and the GNOSC to react as one in protecting the DII.

Major Laszlo is Deputy Operations Manager at the GNOSC. He received his B.S. in Geography from Portland State University in 1988. He is currently working toward completing his M.S. in Information Resource
Management from Central Michigan University. He may be reached at laszlor@ncr.disa.mil. Chief Warrant Officer Gardner is an information assurance officer at the GNOSC. He received his B.S. from Brown University and his MBA from the University of Utah. He is currently completing an M.S. in computer science from James Madison University. He may be reached at garderb@ncr.disa.mil.

[Photo: Military and civilian professionals in DISA's Global Network Operations and Security Center monitor the health and welfare of the Defense Information Infrastructure.]

Computer Security Tips for Y2K Preparation
Capt Elizabeth A. Siemers, USAF, DOD-CERT

With less than one month before the Year 2000 (Y2K) rollover, many DOD and non-DOD organizations have asked the DOD-CERT how to protect their computer systems from security threats during the Y2K rollover period. In response, the DOD-CERT has put together some tips and recommendations for administrators of computer systems.

The DOD-CERT and many computer security experts warn system administrators that they can expect the following types of problems during the Y2K rollover:

- Intruders may use the Y2K rollover period as a window of opportunity for intruding on DOD computer systems.
- Y2K problems may mimic a denial of service (DOS) attack.
- There may be an increase in network noise, probes, and scans.
- There may be an increase in malicious code infection (viruses, Trojan horses, and worms).
- Intruders may exploit system administrators' fears that a Y2K fix did not work or that Y2K testing was inadequate.

The following 10 recommendations address new variants of malicious activity occurring on the Internet today (denial of service and E-mail tunneling attacks) as well as attacks intending disruption during Y2K (logic bombs). These recommendations are geared toward countering the actions of malicious insiders and outsiders who may initiate incidents during the Y2K rollover.

Recommendations

1. Security Fixes. Implement all of the latest security fixes or patches, especially for mission-critical systems and servers that are likely targets. For information on current Information Assurance Vulnerability Alerts (IAVAs), see the IAVA Web site (URL illegible in the source).
2. Anti-virus Signatures. Update all virus and intrusion detection signatures. For current anti-virus products and signatures, see the DOD-CERT anti-virus page (URL illegible in the source). For current intrusion detection signatures, contact each product's vendor.
3. Anti-virus Software on E-Mail Servers. This is a good time to implement anti-virus scanning at E-mail gateways where it is not already in use.
4. Secure System Configuration. Verify the security of system configurations, paying particular attention to countering the vulnerabilities and exploit scripts described in advisories leading up to the Y2K rollover period. Ensure that all systems are backed up before the Y2K rollover. For additional computer security advisories, see www.cert.org and the CIAC Web site.
5. Verify Trust Relationships. Verify and confirm all remote access accounts, and delete all remote access accounts that cannot be positively verified.
6. Identify Mission-Critical Systems. Identify systems that will be needed by legitimate users during the holiday period and ensure that protection of these systems is properly prioritized.
7. Verify and Enforce Security Policy. Warn all users and administrators not to install any patches during the Y2K rollover period without confirmation from an authorized source that the patches are authentic. This effort is designed to counter an expected increase in hoaxes that warn of the urgent need to install Y2K or other patches or to update virus signatures.
8. Standardize Network and System Time. Synchronize time on all systems and networks from a trusted source, such as tick.usnogps.navy.mil or tock.usnogps.navy.mil, to ensure that incident reporting is not complicated by timing inconsistencies.
9. Minimize Network Traffic. Limit non-mission-critical network traffic (Web surfing) during the rollover period so that problem areas on the
networks can be more quickly identified.
10. Establish a Normal Baseline. Just before the Y2K rollover period, observe system performance metrics and establish baselines for ordinary activity. Use the baselines to gauge unusual levels of disk activity, central processing unit (CPU) use, or network traffic, thereby allowing earlier detection of viruses and denial of service attacks.

The DOD-CERT and all regional and Service CERTs will maintain 24-hour-a-day operations during the Y2K rollover period to support the field and will maintain heightened awareness concerning all computer security-related events that may occur during that time.

For up-to-date security information, users can visit the CERT Web site (URLs illegible in the source). Users can also contact the CERT via the following methods:

DSN: 327-4700
Commercial: 703-607-4700
Toll-free: 800-357-4231
Unclassified E-mail: cert@cert.mil
Classified E-mail: cert@cert.disa.smil.mil
DSN Fax: 327-4009
Commercial Fax: 703-607-4009

Captain Elizabeth A. Siemers, USAF, is the Chief of Plans and Standards for the Computer Emergency Response Team, Defense Information Systems Agency, Arlington, VA. She received her B.A. in history with a certificate in business administration from Indiana University in May 1995. Capt Siemers is now pursuing her M.S. in engineering management with a concentration in systems engineering from George Washington University in Washington, D.C. She may be reached at eas@cert.mil.

SHERLOCK: A Third-Generation Log Analysis Tool
Keith J. Jones

The typical computer network includes a variety of components, often including routers, firewalls, intrusion detection systems (IDS), network sniffers, clients, and servers. Each of these components is capable of producing network activity logs of various types. These logs are often in a proprietary format, adhering to no single standard. Depending on the level of auditing and the activities monitored, logs can range from a few hundred kilobytes to several gigabytes in size. Furthermore, log formats may differ among different versions of the same product. Modern security professionals and computer crimes investigators have only a few log analysis tools at their disposal, none ideally suited to the task. The crudest method correlates activity entries across many different log printouts. With this method, even a highly trained individual can perform only limited analyses when the log files are very large. First-generation search tools (grep, perl scripts, etc.) are a better approach for performing searches on large data sets but require considerable skill to use. The tools must be configured for each log format and search effort. This approach offers more efficiency, but skill and human error are still large factors.

Several vendors of network security products have created second-generation log analysis tools. These tools are capable of more sophisticated searches and limited correlation analysis but typically work only with the vendor's proprietary log devices. Such tools are unsuitable for heterogeneous networks because of their inability to analyze different log formats generated by other vendors' products.

A new third-generation tool produced by SyteX addresses some shortcomings of the earlier generation of products. This product, called SHERLOCK, can operate in heterogeneous network environments and import multiple types of log formats into standard databases. Sherlock has a platform-independent, Web-based interface and provides point-and-click generation of Structured Query Language (SQL) queries. It can be used by multiple investigators to query multiple network logs simultaneously.

Sherlock has features that facilitate both immediate and retrospective analysis of network activity. For instance, it captures log data directly from network devices, permitting immediate analysis of and response to potential intrusions. Administrators can thus detect a port scan and then block the offending source Internet Protocol address. In addition,
In addition, data are stored in read-only form to preserve intruders' footprints in system logs. Sherlock was designed as an advanced network security analytical tool, but it can be scaled to handle various types and sizes of log analysis efforts. Information on Sherlock may be obtained from the Sytex Information Warfare Center, or by phone at 410 312 9114.

Keith J. Jones holds the position of Software Development Team Leader at Sytex Inc. He currently works out of the Columbia, MD office with the rest of the technical operations team. Previously he completed two BS degrees, in computer engineering and electrical engineering, and an additional MS degree in electrical engineering. Keith can be reached at the following e-mail address: kjones@sso.sytexinc.com

Leveraging the Technical Area Task (TAT) Program
Robert P. Thompson, Director

One of the objectives of the Department of Defense (DOD) Information Analysis Center (IAC) Program is to maintain technical centers of excellence that can be called upon to facilitate use of existing scientific and technical information (STI) to meet DOD research, acquisition, operational and logistics requirements. As a DOD institution, IATAC provides the foundation through which data gathering, studies, analyses and other scientific and technical activities can be accomplished.

IAC operations are comprised of core functions and technical area task (TAT) activities. Core functions include basic services such as the collection of STI, inquiry support, database operations, current awareness activities (the IAnewsletter) and generation of technical reports. TATs fall within the scope of the IAC mission but are not funded as a part of the basic services. Typically technical and analytical in nature, TATs are more labor intensive and complex and may involve extensive gathering or creation of STI, analysis, and preparation and dissemination of the information.

IATAC services available via the TAT program support a broad spectrum of information assurance technical disciplines. These capabilities include policy and doctrine development, research and analyses, studies and reports, training and exercises, and conference and event planning. Technical disciplines (see figure below) include various aspects of information assurance and information operations, to include certification and accreditation, computer forensics, biometrics, infrastructure protection, malicious code, penetration testing, operations security, public key infrastructure and secure enterprise management, to name a few.

Figure: IATAC capabilities: Policy and Doctrine; Studies and Reports; Meetings and Conferences; Research and Analysis; Training and Exercises (http://iac.dtic.mil).

IATAC is providing TAT support to the plans and policy, research and development, acquisition and operational communities. The products generated via the TAT are developed in response to requirements delineated by the requesting activity. In addition, products are entered into the IATAC collection, thus contributing to the growth of the information assurance (IA) knowledge base. Other DOD organizations can access the STI developed through the TAT and leverage prior research and analyses to support their IA requirements. Releasability of TAT products is coordinated with the originating organization to ensure compliance with secondary distribution instructions. For more information on available products generated through the TAT program, contact IATAC at 703 289 5454 or iatac@dtic.mil.

Figure: IATAC areas of expertise: Certification and Accreditation; Computer Forensics; Data Embedding; Information Assurance Operations; Malicious Code Detection; Operations Security; Penetration Testing; Public Key Infrastructure; Security Test and Evaluation; Vulnerability Assessment.

Products

Data Mining
This report provides an overview of data mining techniques and applications for sifting through large amounts of stored data. Data mining has applications in marketing, information assurance, risk management and fraud management. To help users select a product that best meets their objectives, data mining tool evaluation criteria are provided. A table summarizing the features of available products is also provided.

Intrusion Detection Tools Report
This newly updated report provides an index of intrusion detection tool descriptions contained in the IA Tools Database. Research for this report identified 46 intrusion detection tools currently employed and available.

Data Embedding for IA
Provides an assessment of the state of the art in data embedding technology and its application to IA. It is particularly relevant to information providers concerned about intellectual property protection and access control; information consumers who are concerned about the security and validation of critical information; and law enforcement, military and corporate organizations concerned about efforts to communicate covertly. The report has been specifically designed for readers who are not experts in data embedding. For more in-depth information, the bibliography provides an extensive list of authoritative sources from which the reader can obtain additional technical detail.

Computer Forensics: Tools and Methodology
This report provides a comparative analysis of currently available software tools used in computer forensic examinations. It provides a useful introduction to this specific area of science and offers practical, high-level guidance on how to respond to computer system intrusions. It also provides a useful analysis of specific products, including their respective capabilities, unique features, cost and associated vendors.

Firewall Tools Report
This report provides users with a brief description of available firewall tools and contact information. Currently the IA Tools Database contains 46 firewall tools that are available in the commercial marketplace.

Malicious Code Detection (State-of-the-Art Report)
This report includes a taxonomy for malicious software, providing a better understanding of it. An overview of state-of-the-art commercial products and initiatives, as well as future trends, is presented. The report presents observations and assertions to support the DOD as it grapples with this problem entering the 21st century. This report is classified and has a limited release.

Modeling and Simulation Technical Report
This report, released December 1997, describes the models, simulations and tools being used or developed by organizations within DOD.

Biometrics: Fingerprint Identification Systems
Focuses on fingerprint biometric systems used in the verification mode. Such systems, often used to control physical access to secure areas, also allow system administrators to control access to computer resources and applications. Information provided in this document is of value to anyone desiring to learn about biometric systems. The contents are primarily intended to assist individuals responsible for effectively integrating fingerprint identification products into their network environments to support the existing security policies of their respective organizations.

Vulnerability Analysis Tools Report
This report summarizes pertinent information, providing users with a brief description of available tools and contact information. Currently the IA Tools Database contains descriptions of 35 tools that can be used to support vulnerability and risk assessment.

Product Order Form

IMPORTANT NOTE: All IATAC products are distributed through DTIC. If you are not a registered DTIC user, you must register PRIOR to ordering any IATAC products. Registration is available on-line.

Name / Organization / Ofc. Symbol / Address / Phone / E-mail / Fax
DoD Organization? YES / NO (if NO, complete the LIMITED DISTRIBUTION section below)

LIMITED DISTRIBUTION: In order for non-DoD organizations to obtain LIMITED DISTRIBUTION products, a formal written request must be sent to: IAC Program Office, ATTN: Sherry Davis, 8725 John Kingman Road, Suite 0944, Ft. Belvoir, VA 22060-6218. Contract No.: for contractors to obtain reports, the request must support a program and be verified with the COTR. COTR / COTR Phone

Technical Reports: Biometrics; Computer Forensics; Data Mining; Modeling and Simulation
IA Tools Reports: Firewalls; Intrusion Detection (2nd Ed.); Vulnerability Analysis
State-of-the-Art Reports: Data Embedding for Information Assurance; Malicious Code Detection (TOP SECRET; provide Security POC and Security Phone)

UNLIMITED DISTRIBUTION
Newsletters (limited number of back issues available): Vol. 1 No. 1; Vol. 1 No. 2; Vol. 1 No. 3; Vol. 2 No. 1; Vol. 2 No. 2 (soft copy only); Vol. 2 No. 3; Vol. 2 No. 4; Vol. 3 No. 1; Vol. 3 No. 2

Please list the Government program that the product(s) will be used to support. Once completed, fax to IATAC at 703 289 5467.

Calendar of Events

- IA Technical Framework Forum Meeting, Linthicum, MD. Call Mr. John Niemczuk, 410 684 6246.
- 4th Annual EA Workshop, Holiday Inn Hampton Hotel, Hampton, VA. Call Maureen Premo, 703 681 5789, or Tracy Grubar, 703 681 7933.
- AFCEA West 2000, San Diego Convention Center, San Diego, CA.
- SPACECOM 2000: Space Communications, Key to Information Operations, Colorado Springs, CO. Call Michael J. Varner, 719 590 1051.
- Federal Information Systems Security Education Association (FISSEA) Conference, Gaithersburg, MD. Come see our booth.
- Information Assurance Technical Framework Forum, Linthicum, MD. Call Mr. John Niemczuk, 410 684 6246.
- DoDIIS IA Training Forum, Bolling AFB, Washington, DC. Call Mr. Paul Woeppel, 210 977 3396, or Mr. John Venit, 202 231 5818.
- InfoSec World Conference and Expo, Orlando, FL. Call 508 879 7999.
- Fiesta Informacion 2000, San Antonio, TX. Call J. Spargo and Associates, 703 631 6200.
- 2000 Annual USPACOM IA Conference, Ilikai Hotel, Honolulu, HI. Call Maj. Veronica Baker, 808 477 1046, vlbaker0@hq.pacom.mil. Come see our booth.

Information Assurance Technology Analysis Center, 3190 Fairview Park Drive, Falls Church, VA 22042