Information Assurance

Overview
- Information Assurance (IA) Metrics
- Tightening Our Defenses
- Audits
- IG Special Interest Item
- IA Manpower
- Training/Certification
- Information Assurance Awareness Month
- Worldwide Web Security
- Defense Research Engineering Network (DREN)
- Public Key Infrastructure (PKI)

Metrics
- Intrusions
- Advisory Compliance

Intrusion Summary
Unauthorized User or Root-level Access
- Intrusions 1997: Total 39
- Intrusions 1998: Total 61

Root Intrusions CY98 - 46 Total
- Advisory Noncompliance: 15
- Policy Noncompliance: 12
- Undetermined: 7
- New Vulnerability: 6
- Unpreventable: 6
Total intrusions due to noncompliance: 27

Advisory Noncompliance - 15 (by advisory)
- 98-21: 4
- 97-44: 3
- 98-01: 2
- 98-57: 2
- 98-46: 2
- 98-33: 1
- 97-42: 1

Policy Noncompliance - 12
- Poor Security: 4
- Default Password: 3
- Undeleted Account: 2
- Misconfiguration: 1
- Direct Root Login: 1
- Remote Login Enabled: 1

Unpreventable - 6
- Sniffed Passwords: 4
- Hacker Personalized Buffer Overflow: 2

AFOSI Computer Investigations - CY98
[Chart. Open: 21; Disproved or Administratively Closed: 5; 17; 22 cases resolved out of 43 total]

Hackers: Insiders vs Outsiders
From CY98 resolved cases, 22 total
- Insiders: 13
- Outsiders: 9
  - Foreign Citizens: 3
  - US Citizens: 6

Advisory Compliance Message Report Card - 1998
[Table. Columns: MAJCOM, 98-01, 98-02, 98-04, 98-05, 98-06, 98-07, 98-08, 98-09. Rows: AETC, AFMC, AFSPC, AFPC, AFPCA, AFRC, AFSOC, AMC, ANG, PACAF, USAFA, USAFE, 11th WG. Legend: Compliant; Responded with exceptions; Intrusion. Note: 98-03 retracted, replaced with 98-04.]

[Table. Rows: ACC, AETC, AFMC, AFSPC, AFPC, AFPCA, AFRC, AFSOC, AMC, ANG, PACAF, USAFA, USAFE, 11th WG. Legend: Compliant; Responded with exceptions; Compliance due 29 Jan; Compliance due 12 Feb.]

FOR OFFICIAL USE ONLY

Romania to Randolph: Root Level Access
- Detection Date: 24 Jan 99
- Location: Randolph AFB
- Unit: AFPC DPAP
- System's Purpose: AFPC Officer Assignments Web Page
- Degree of Access: Root Level
- How Access Was Gained: Web server was running the software product Front Page that allows web pages to be modified over the Internet
- Insider/Outsider: Outsider
- Mission Impact: Minimum - hacker replaced official web page info with hacker message; access was limited to information available to the public
- Known Vulnerability: Yes
- Corrective Action: System disconnected from the network and backed up for further analysis
- System Routed through AFNCC: No
- IAVA Issued: No
- ACM Issued: No
- AFCERT Advisory Issued: Yes - Advisory 97-60
- CITS BIP Installed: Yes
- AFOSI Investigation: No, but notified

Improving the Process
- Revised process for issuing compliance messages - 15 Feb
- Process to cover centrally managed systems - 15 Feb
- Verification
- On-line tracking mechanism developed
- Compliance
- Begin verification process using OLS tools - 1 Mar
- Route networks through NCCs
- MAJCOMs report data beginning 15 Feb
- Operational Reporting
  - AFMAN 10-206 OPREP-3 - 15 Feb 99
  - AFMAN 10-201 SORTS - Mar 99
  - 1st CSAF SORTS Report - 1 May 99

Audits
- Audits
  - 7 in progress (no new draft or final reports since last briefing)
  - 1 follow-on in progress
  - 1 final report with follow-up recommendation
  - 13 projected in next 18 months
- Findings
  - Vulnerabilities continue
  - Non-compliance with policies
  - Advisory Compliance Message process difficult for bases to follow
  - Difficult to determine if advisory applies to specific system
  - Poor readability of solution set

IG Special Interest Item on IA
- Look at compliance with policy, directives, procedures
- Direction from IGI - reframe/redo 5-10 objective questions
- Work into inspection cycle - Mar

IA Manpower
- NCC manpower standard last applied in Dec 96
- 1500 additional authorizations awarded: 500 in FY99, 250 each year FY00-FY03
- Will request XP review IA manpower in Network Control Centers and IA offices

Training/Certification
- Users - IA training/certification using IA CBT
- System administrators/maintainers - training/certification using IA CBT, skill-level CBTs, classroom instruction
- mandate - J6K requesting suspense change

Category / Current / Requested
- Classified system users: current 31 Jan 99, requested 31 Mar 99
- Classified system administrators/maintainers (Level 1 only): current 31 Jan 99, requested 31 Dec 99
- Unclassified system users; Unclassified system administrators/maintainers (Level 1 only): current 31 Dec 00, requested 31 Dec 00

3rd Annual IA Awareness Month - Feb 99
- CSAF message
- NOTAM
- AF Web site hosted by AFCA
- AFISC articles
Theme: A Risk Accepted by One is a Risk Imposed on All
Activities
- Train users, network professionals
- Scrub publicly accessible web sites
- Verify compliance
  - Passwords
  - Virus scans
  - Patches installed

IA Awareness Month: SAM Activities
- SAM Town Meetings
  - AFOSI Forensics Lab - 2 Feb
  - Office of Criminal Investigation Computer Crimes Division - 4 Feb
  - AFOSI Hacker Tracking - 26 Feb
- Computer Security booth in Pentagon, 1-5 Feb (2nd floor, corridor 9-10)
- Web site: AFIAAM

Web Security: Tasks from DEPSECDEF Memo
Columns: Task, OPR, Date Due
- 1. Scrub web sites - OPR: Services
- 2. Formulate policy - OPR: OSD
- 3. Perform security review - OPR: Services
- 4. Develop training program - OPR: OSD/Services
- 5. Plan to use Reserves to conduct assessments - OPR: OSD/Services

Task 3: Security Review
- Task: Ensure comprehensive multi-disciplinary security assessment is conducted for AF web sites through
- Due date: 23 Mar 99
- Status: Part of IA Awareness Month; complete review required NLT 23 Mar 99 per draft AF memo

Task 4: Training Program
- Task: Develop training program to address information security on web; AFISC lead; OPS, INTEL, information security, legal, PA, FOIA, privacy act
- Due date: 23 Mar 99
- Status:
  - Workgroup Managers - initial training
  - Web server administrators, workgroup managers - in-depth training
  - Developing comprehensive training plan to include PA, AQ communities

Task 5: Reserve Component
- Task: Explore Reserve Component role in web site assessments
- Due date: 23 Mar 99
- Status:
  - AF Reserve Affairs concurred with OSD Joint Web Risk Assessment Cell CONOPs - will provide 2 bodies
  - USAF CONOPs in review
  - Establish Reserve presence at MAJCOM NOSCs

Web Security: Way Ahead
- Team with OSD
- Clarify: sensitive information, aggregation, OPSEC concerns
- Identify automated tool set
- Develop training plan
- Team with AFRC
- Develop CONOPS
- Establish IA mission
- Update to DEPSECDEF 3 Feb 99

[Comic strip: On the Fastrack, Bill Holbrook]

Defense Research Engineering Network (DREN)
- Under cognizance of Director of Defense Research and Engineering
- Purpose - link scientists and engineers to high-performance computing centers and each other
- Provides WAN services at bandwidths commensurate with user requirements
- Currently 63 sites, 14 AF sites

[Network diagram. Labels: Internet; Backbone Router; NIPRNET; ATM Switch; Major Unit Level Router; DREN; contractor, edu sites; OC-3; AFMC HQ; BIP; External Router; ABW; Boundary Protection; MSRC; A-Ring; B-Ring; X-Ring; AFIT; ASC; AFRL. Legend: ABW - Air Base Wing; AFIT - AF Institute of Technology; AFRL - AF Research Lab; ASC - Aeronautical Systems Center; MSRC - Major Shared Resource Center.]

DREN Solution
- Problem: sites connected to the DREN were vulnerable to attack
- AFCA teamed with WPAFB to develop solution
  - Initial 90% solution completed by 23 Dec 98
  - Place remaining backdoor connections through NCC by 30 Apr 99
- Solution sent to remaining AF sites by 30 Jan 99
- Costs: for WPAFB, AMC funded; for remaining 13 AF sites, unfunded

[Network diagram. Labels: MSRC; DREN; NIPRNET; Profiler; Router; ASIM; SSH; Switch; Web, DNS, Mail; Backbone Router.]

Public Key Infrastructure (PKI)
- PKI underpins DEPSECDEF mandate to move to electronic commerce and paperless contracting
- PKI ensures:
  - Sender is the originator
  - Receiver is the intended recipient
  - Information is not intercepted
  - Data integrity is not compromised

What We've Done
- Established PKI as Air Force standard
  - Uses industry standard certificates for Web and application and digital signatures
  - Easy to migrate existing programs (assignment system) utilizing other brands
- Participation in pilot programs
  - High assurance PKI via Fortezza for DMS
  - Teamed with business managers (electronic commerce) to incorporate digital signatures

PKI Funding - 2000 POM
PE 33112 Base Information Infrastructure
- 3080: 5.0, 14.0, 5.0, 4.4, 4.5, 4.6; Total 37.5
- 3400: 11.0, 16.1, 32.4, 17.4, 17.7, 18.0; Total 112.6
3080
- Registration, certificate, directory servers
- Local registration workstations
- Smart card tokens and peripheral upgrade for active duty, civilian, guard and reserve personnel
- Registration support personnel for all bases
- Legacy software integration
- Support help desk

PKI Program Schedule
[Timeline chart. Axis: 00, 01, 04, 05]
- Field Registration Components: Mar-Dec 00; Mar 04-Mar 05
- Field Smart Cards and Readers: Jun 01 - Sep 05
- Train Local Registration Authority Personnel: Jul 99 - Sep 05
- Provide PKI Help Desk Personnel: Jan 00 - Sep 05
- Ad Hoc Register: Jan 99 - Jun 01
- Register all USAF thru Local Registration Authority: Mar 00 - Sep 03

Backups

Root Intrusions: Vulnerabilities Exploited
Advisory Noncompliance
- Domain Name Server (DNS) Buffer Overflow (98-21, 98-24): 4
- Internet Message Access Protocol (IMAP) (97-44): 3
- Initial Sun Remote Procedure Call (SUNRPC) Probe (97-42): 1
- Netbus (98-57): 2
- Status Daemon (STATD) Buffer Overflow (98-01): 2
- ToolTalk (98-46): 2
- Unix File System (UFS) Restore (98-33): 1
Policy Noncompliance
- Internet Information Server (IIS) Web Misconfiguration: 1
- Default Password: 3
- Poor Security: 4
- Undeleted Account: 2
- Direct Root Login: 1
- Remote Login Enabled: 1

Root Intrusions: Vulnerabilities Exploited
New Vulnerability
- Domain Name Server (DNS) Buffer Overflow (98-21, 98-24): 1
- Netbus (98-57): 3
- Mount Daemon (LINUX) (99-01): 1
- X11 XConsole Buffer Overflow: 1
Unpreventable
- Sniffed Passwords: 4
- Hacker Personalized Buffer Overflow: 2

Advisory Compliance Messages (ACM) - 1998
[Table. ACMs: 98-01, 98-02, 98-04, 98-05, 98-06, 98-07, 98-08, 98-09. Subjects: Remote Buffer Overflow; Malicious Code; Server Software; Multi-purpose Internet Mail Extension Clients; Stack Overflow in Tooltalk; CISCO Internetworking Operation System (IOS) Vulnerability; Silicon Graphics Inc (SGI) Buffer Overflow; Internet Message Access Protocol (IMAP), Post Office Protocol (POP).]

Advisory Compliance Messages (ACM) - 1999
- ACM 99-01 - 29 Jan - Remotely Exploitable Buffer Overflow Vulnerability in MOUNTD
- ACM 99-02 - 12 Feb - Trojanized Version of TCP Wrappers

[Flow diagram. Labels: AFCERT Advisory; DISA IAVA released; Compliance Message Sent by AFCERT; DISA Reporting 30 days; Comm Sq CCs; Wing CCs; Wing Command Posts; Wing and MAJCOM IP Offices; AFRC Comm Flt CCs; ANG Wing SPTG CCs; NAF CC/SCs; MAJCOM SCs; MAJCOM SC.]

This document is from the holdings of The National Security Archive, Suite 701, Gelman Library, The George Washington University, 2130 H Street NW, Washington, D.C. 20037. Phone 202 994-7000, Fax 202 994-7005, nsarchiv@gwu.edu