Editors: Robert P. Thompson, Robert J. Lamb
Creative Director: Christina P. McNemar
Information Processing: Robert L. Weinhold
Information Collection: Alethia A. Tucker
Inquiry Services: Peggy O’Connor
Contributing Editor: Martha Elim

IAnewsletter is published quarterly by the Information Assurance Technology Analysis Center (IATAC). IATAC is a DoD sponsored Information Analysis Center, administratively managed by the Defense Technical Information Center (DTIC), Defense Information Systems Agency (DISA).

Inquiries about IATAC capabilities, products and services may be addressed to:

Robert P. Thompson
Director, IATAC
703.289.5454

We welcome your input! To submit your related articles, photos, notices, feature programs or ideas for future issues, please contact:

IATAC
ATTN: Christina P. McNemar
3190 Fairview Park Drive
Falls Church, VA 22042
Phone 703.289.5454
Fax 703.289.5467
STU-III 703.289.5462

E-mail: [email protected]
URL: http://iac.dtic.mil/iatac

Cover and newsletter designed by Christina P. McNemar

Distribution Statement A: Approved for public release; distribution is unlimited.

IAnewsletter

on the cover
The Hexagon—A U.S. Joint Forces Command Solution to Coalition Interoperability, Mr. Craig Vroom, Mr. Allan H. McClure ... 3
USEUCOM Information Assurance Conference, Mr. Kent Waller ... 5

ia initiatives
JTF-CND Intelligence Support, CDR Robert D. Gourley, USN ... 7
ZENITH STAR, MAJ Gerald Burton, USA, Mr. Richard Phares ... 10
Distributed Denial of Service Tools, 1Lt Brian Dunphy, USAF ... 11
Air Force Materiel Command’s Information Defense, Col Kevin J. Kirsch, USAF ... 13
Information Assurance—The Army Prepares for the Next Generation of Warfare, MAJ Robert Turk, USA, CPT Shawn Hollingsworth, USA ... 15
The Burning Zone—Containing Contagion in Cyberspace, COL John C. Deal, USA, MAJ Gerrie A. Gage, USA, Ms. Robin Schueneman ... 18
Computing on the Virtual Border—.mil meets .edu, LTC Eugene K. Ressler, USA, COL Clark K. Ray, USA ... 24
In Pursuit of the “Trustworthy” Enterprise, Mr. Sean P. O’Neil ... 27

in each issue
IATAC Chat, Mr. Robert P. Thompson ... 29
Products ... 32
IATAC Product Order Form ... 35
Calendar of Events ... Back Cover

IAnewsletter • Volume 3, Number 3   http://iac.dtic.mil/IATAC


THE HEXAGON
A U.S. Joint Forces Command Solution to Coalition Interoperability

Mr. Craig Vroom
Mr. Allan H. McClure

“Successful completion of the CMHP project will require careful transition from risk avoidance to risk management in the way classified information is managed and safeguarded.”
Admiral Harold Gehman, Commander in Chief, United States Joint Forces Command

Support to coalition operations in the future is an information assurance challenge today. Since 1994, little has changed in the methods and mechanisms we use to provide information to our allied partners. As each coalition operation (Haiti, Somalia, Bosnia, Kosovo) comes and goes, the lessons learned statements always cry for improved interoperability within the coalition. The requirements are well documented throughout the Department of Defense (DoD). Even Joint Vision 2010, the DoD road map for the future, states, “It is not enough to be joint when conducting future operations. We must find the most effective methods for integrating and improving interoperability with allied and coalition partners.” True interoperability with our allied partners will come only after we have an information exchange system designed from the ground up for use by coalition forces.

Colonel Dennis Treece’s article in the Spring 1999 IAnewsletter was right on target in describing the shortcomings and challenges of releasing and disseminating classified military information to our multinational partners in a coalition environment. As Colonel Treece says, the “really hard part, the ‘Achilles heel’ of coalition information sharing, is the mechanism by which any nation transfers information outside its own system.” Because of valid security policy restrictions, we are not allowed to connect our Defense networks to multinational networks, thus creating the need for “sneaker nets”—literally, running the releasable information from the U.S. side, across an air gap, to the multinational side. Anyone who has experienced the pain of this method knows its difficulties and limitations. (In 1994, those of us in U.S. Atlantic Command had our turn when we provided information support to the 29 countries involved in Haiti peace operations.)

U.S. Joint Forces Command (USJFCOM, formerly U.S. Atlantic Command) is responsible within DoD for joint task force (JTF) interoperability. At Joint Forces Command, we have embarked on building a system for secure information exchange. It is called the Coalition Multilevel Security (MLS) Hexagon Prototype or CMHP. The CMHP is composed of six functions that will allow us to exchange information with our allies in a secure, flexible manner.

Side 1 of the Hexagon (Figure 1 on page 4), Marking Standards, uses the classification and control marking standards adopted by the U.S. intelligence community. These standards were coordinated by the Controlled Access Program Coordinating Office (CAPCO) and continue to be fine-tuned by CAPCO as required.

Side 2 of the Hexagon is called Document Marking, which is designed to implement human-readable markings. Basically, this software enables the information originator to mark Microsoft Word, PowerPoint, and Excel documents in accordance with the CAPCO and Executive Order 12958 standards. The marking is a simple operation, done with the point and click of a mouse and made still easier by pull-down menus that provide choices for basic classification, caveats, and “release to” options for countries, coalitions, operations, organizations, and exercises. Once the document is marked, it is then transformed into a “computer-readable” label, side 3 of the Hexagon. A digital signature attaches the label to the document, which is then encrypted and sent to the “Coalition Server,” an Oracle 8 relational database management system.

Hexagon’s side 4, Personal Authentication, is the linchpin of CMHP. A personal token called a Hexcard allows us to identify the user and all of his or her security attributes. Much as an automated teller machine (ATM) card does, the Hexcard will store a user’s fingerprint template and a credential set based on his or her clearance levels, citizenship, and need-to-know roles. Hexcards will be inserted into workstation smart-card readers to identify the user to the system.

Side 5 of the Hexagon is the hardware, including NT workstations, fingerprint scanners, and smart-card readers, required for the CMHP.

Hexagon’s side 6 is Security Management. A special staff security officer must be assigned to coordinate system security requirements, issue Hexcards to CMHP participants, understand the information assurance requirements, and monitor the system for improper attempts to access data.

The Hexagon concept provides the flexibility required in coalition-supported joint task force operations by encrypting and protecting the object, rather than the network. This is the key difference between CMHP and other multilevel security (MLS) solutions. Using object protection, we can compare the attributes of an individual with the objects that reside in the server. If there is a match, the coalition participant can retrieve and decrypt the document.
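The following is an added illustration, not CMHP code (the article shows none), of the attribute match described above: a computer-readable label (side 3) is compared with the credential set a Hexcard carries (side 4), and every denial is recorded for the security officer (side 6). The field names, the label layout, and the rule that an empty release-to list means U.S. only are assumptions, not the CAPCO format.

```python
"""Added example, not CMHP code: the Hexagon's object-protection check.
A label (classification, caveats, release-to countries, need-to-know roles)
is compared with a Hexcard credential set (clearance, citizenship, roles).
Every attribute must match before the document is released, and every
decision is recorded so the security officer can review improper attempts.
Field names, label layout and the U.S.-only default are assumptions."""
from dataclasses import dataclass

# Classification levels ordered low to high (assumed ordering).
LEVELS = {"UNCLASSIFIED": 0, "CONFIDENTIAL": 1, "SECRET": 2, "TOP SECRET": 3}


@dataclass(frozen=True)
class Label:
    classification: str
    caveats: frozenset = frozenset()       # e.g. {"NOFORN"}
    release_to: frozenset = frozenset()    # country codes; empty = U.S. only (assumed)
    need_to_know: frozenset = frozenset()  # roles the originator requires


@dataclass(frozen=True)
class Credentials:
    user: str
    clearance: str
    citizenship: str
    roles: frozenset = frozenset()         # need-to-know roles from the Hexcard


def decide(label: Label, creds: Credentials) -> tuple[bool, str]:
    """Return (granted, reason).  All checks must pass; the first failing
    check is named so the audit record explains the denial."""
    if label.classification not in LEVELS or creds.clearance not in LEVELS:
        return False, "unknown classification or clearance"
    if LEVELS[creds.clearance] < LEVELS[label.classification]:
        return False, "clearance below classification"
    if "NOFORN" in label.caveats and creds.citizenship != "USA":
        return False, "NOFORN caveat bars foreign nationals"
    allowed = label.release_to or frozenset({"USA"})
    if creds.citizenship not in allowed:
        return False, "citizenship not in release-to list"
    missing = label.need_to_know - creds.roles
    if missing:
        return False, "missing need-to-know role(s): " + ",".join(sorted(missing))
    return True, "all attributes match"


AUDIT: list[tuple[str, bool, str]] = []   # (user, granted, reason)


def request_document(label: Label, creds: Credentials) -> bool:
    """Side-4 identification has already happened; this is the object check."""
    granted, reason = decide(label, creds)
    AUDIT.append((creds.user, granted, reason))
    return granted


def denied_attempts() -> list[tuple[str, str]]:
    """What the side-6 security officer would monitor: who was refused and why."""
    return [(user, reason) for user, granted, reason in AUDIT if not granted]


# Constructed sample data: one coalition document, four requesters.
OPLAN = Label("SECRET", release_to=frozenset({"USA", "GBR", "CAN"}),
              need_to_know=frozenset({"JTF-OPS"}))
US_PLANNER = Credentials("smith", "SECRET", "USA", frozenset({"JTF-OPS"}))
UK_PLANNER = Credentials("jones", "TOP SECRET", "GBR", frozenset({"JTF-OPS"}))
FR_PLANNER = Credentials("dupont", "SECRET", "FRA", frozenset({"JTF-OPS"}))
US_CLERK = Credentials("lee", "CONFIDENTIAL", "USA", frozenset({"JTF-OPS"}))

if __name__ == "__main__":
    for who in (US_PLANNER, UK_PLANNER, FR_PLANNER, US_CLERK):
        print(who.user, request_document(OPLAN, who))
    print(denied_attempts())
```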

The CMHP will be tested and demonstrated at the Joint Battle Center (JBC) in Suffolk, Virginia, in May 2000. The objective of the demonstration will be to bring existing technologies together to allow users with different clearance levels from different countries to use the same local area network and gain access only to information they are authorized to see. After the concept is demonstrated, the Joint Battle Center will provide an independent assessment of the system’s military utility.

The ultimate goal of the Hexagon is to provide the joint task force commander a tool that increases the effectiveness of communications with allied or interagency forces.

Mr. Craig Vroom is the International Programs Branch Chief at U.S. Joint Forces Command, located in Norfolk, Virginia. He has an undergraduate degree in Computer Science from San Diego State University and is currently participating in DoD’s Defense Leadership and Management Program (DLAMP). You may reach him via E-mail at [email protected]

Mr. Allan McClure is a Lead Engineer supporting the US Joint Forces Command Director for Intelligence. During the last seven years, he has helped in the implementation of Intelink and developed a collaborative architecture for the Non-Proliferation Center, a Director for Central Intelligence (DCI) controlled activity. He may be reached at amcclure@mitre.org.

Figure 1. Coalition MLS Hexagon Prototype

Figure 2. CMHP HexCard


USEUCOM Information Assurance Conference

Mr. Kent Waller

Photo: Brigadier General Charles E. Croom.

Brigadier General Charles E. Croom, director, United States European Command (USEUCOM)/J6, hosted USEUCOM’s first Information Assurance Conference, 30 November–2 December 1999, at the Abrams Center in Garmisch-Partenkirchen, Germany. The conference had three purposes:

• To present pressing information assurance (IA) issues and review associated IA products

• To foster teamwork and synergy among key IA players in the theater

• To provide the latest IA informational updates for theater IA personnel.

Framework

The conference attracted a total of 162 people, representing Headquarters (HQ) USEUCOM, U.S. Army Europe (USAREUR), U.S. Air Forces Europe (USAFE), US Naval Forces Europe (USNAVEUR), Marine Forces Europe (MARFOREUR), Special Operations Command Europe (SOCEUR), the Defense Information Systems Agency (DISA), the National Security Agency (NSA), and other commands, such as U.S. Special Operations Command (USSOCOM), U.S. Pacific Command (USPACOM), and U.S. Central Command (USCENTCOM), as well as several other DoD agencies involved in USEUCOM IA.

By design, all levels of IA professionals, from enlisted to general officer grades, participated in the sessions. This arrangement ensured expression of various viewpoints at the forum and enabled individuals with hands-on working experience to interact directly with policy makers at the highest levels.

Each morning’s general session started with a senior-level keynote address. The speakers were Brigadier General Gary Salisbury, DISA/D6; Mr. Richard Schaeffer, Office of the Secretary of Defense (OSD), Command, Control, Communications, and Intelligence (C3I); and Mr. Orville Lewis, NSA/DDI Chief of Staff. All addresses were followed by extended question-and-answer sessions that immediately indicated a very high level of interest in the rapidly developing IA field.

Immediately following the keynote addresses were general session presentations from theater-specific IA leaders. A total of six speakers (two per day) from USNAVEUR, HQ USEUCOM, USAREUR, USAFE, and the North Atlantic Treaty Organization (NATO) presented issues and fielded questions.

The afternoons were divided into three in-depth breakout tracks in the areas of operations, computer security (COMPUSEC), and communications security (COMSEC). These sessions were smaller in number of participants, more technical, and more discussion oriented than the general sessions.

Operations discussions focused primarily on lessons learned from Kosovo operations and plans for future support. COMPUSEC participants dealt with information assurance vulnerability alerts (IAVA) issues and discussed the technical details of dealing with theater-specific threats.

The COMSEC sessions, which were often filled to capacity, explored the areas of key management infrastructure, software test environment (STE) migration, Defense Message System (DMS) fielding, and Global Broadcast Service (GBS) fielding.

Selected special session presenters were invited to display products and services particularly associated with USEUCOM IA issues.

Theater Action Team

To ensure meaningful conference results, a Theater Action Team (TAT) was formed. Composed of key IA decision makers in the USEUCOM theater and chaired by Brigadier General Croom, the TAT met each evening to review and debate the many issues raised by the breakout tracks. After narrowing the number of issues, the team selected 20 action items; ranked each item’s priority as high, medium, or low; and assigned each action to an office of primary responsibility (OPR) with a deadline for accomplishment.

The TAT results were extremely well received by all conference participants. As a result of its success, the conference has led to the development of a new European Information Assurance Steering Council composed of senior IA leaders and aimed at providing continuing, unified guidance to theater IA personnel.

Additional Information

All conference materials, including the TAT action items, attendee lists, and briefings, are available for download from the HQ USEUCOM SIPRNET Web site.

The office with primary responsibility for the conference was the HQ USEUCOM C3I Directorate’s Defensive Information Warfare Division, directed by Col LaForrest Williams, U.S. Air Force (USAF). On behalf of Brigadier General Croom, this group extends appreciation to all the speakers who made the conference a success.

Mr. Kent Waller is an Information Assurance Program Manager for HQ United States European Command. He earned his B.S. in Engineering from the University of Oklahoma in 1986 and his Master of Public Administration from the University of Oklahoma in 1990. He may be reached at wallerkl@eucom.mil.


JTF-CND Intelligence Support

CDR Robert D. Gourley, USN

The Joint Task Force for Computer Network Defense (JTF-CND) is a new organization with a new mission: to direct the defense of all Department of Defense (DoD) computers and networks and the information that moves in them from any threat, foreign or domestic. Our intelligence (J2) role on this team resembles any other JTF-level intelligence effort. That mission is to provide the commander, the JTF-CND staff, and assigned components with all-source, fused, predictive intelligence on enemy locations, capabilities, and intentions. The JTF-CND J2 must understand the enemy in cyberspace, and must provide decision-makers with the actionable intelligence required to support defensive operations.

That task is easier said than done. Those who choose to attack or exploit our information systems operate with great anonymity in globally interconnected networks. Additionally, our adversaries are armed with software tools that strike at the speed of light, and use tactics that are hard to detect in the noise of the net.

Finding the enemy in cyberspace is also complicated by the nature of this new terrain. There are few useful charts by which to orient us and little agreement on what the concept of “cyberspace” means. Perhaps the most useful definition remains William Gibson’s original explanation of the term: Cyberspace is “a consensual hallucination experienced daily by billions... [an] unthinkable complexity.” Try visualizing enemy locations in that!

The adversary may be a terrorist attempting to attack Department of Defense (DoD) networks to draw attention to a cause or to slow our response to an act of physical terror. Threats also come from espionage agents seeking to acquire sensitive but unclassified information for use by a foreign state or criminal organization. We may soon face nation state adversaries in cyberspace who seek military advantage, possibly by attacking our combat support infrastructure or, in perhaps the most insidious attack, by attempting to manipulate the perceptions of senior DoD decision makers.

Although the computer network defense intelligence problem is complex and relatively new, developing JTF-CND intelligence tactics, techniques, and procedures (TTP) has been simple and straightforward. We have based most of our TTPs on the existing playbook for JTF intelligence support, the Joint Staff’s Joint Doctrine for Intelligence Support to Operations (Joint Pub 2-0). Using intelligence doctrine as the bedrock for JTF-CND intelligence TTPs has already paid off. Following doctrine has increased the intelligence community focus on and support of the CND mission.


Joint Pub 2-0 also directly assisted in planning for the U.S. Space Command (SPACECOM) assumption of the DoD CND mission, which occurred 1 October 1999. Intelligence staffs at SPACECOM and JTF-CND quickly realized the importance of adhering to joint doctrine wherever possible. Using joint doctrine allowed us to clarify important aspects of the new relationship, including the most efficient means of handling intelligence collection and production requirements and appropriate division of labor between CINC and JTF intelligence personnel.

The central principle: Know the adversary. Perhaps Joint Pub 2-0’s most critical contribution is a clear articulation of the general functions that must be conducted by a JTF J2. It also provides guidance on how these functions should be carried out. The following points show JTF-CND J2 application of these principles.

The fundamental responsibility of the JTF-CND J2 is to provide JTF-CND decision makers with the fullest possible understanding of the cyber threat. This understanding must include knowledge of the adversary’s goals, objectives, strategy, intentions, capabilities, methods of operation, vulnerabilities, and sense of value and loss. To provide this understanding, the JTF-CND J2 and intelligence staff must develop and continuously refine an ability to think like the cyber threat.

Intelligence support is critical to operational success. JTF J2 staff must understand the adversary in order to support operations. Intelligence must be made actionable by tailoring it into a useful form and then getting it into the hands of the commander, the operations division (J3), and other JTF decision makers. Operations support also requires J2 assessment of J3 intentions from the adversary’s perspective to determine probable adversary responses.

Intelligence support requires the integration of intelligence efforts at strategic, operational, and tactical levels. Strategic intelligence is used to formulate defensive strategies and operations at national and theater levels, making both SPACECOM and JTF-CND key consumers of intelligence produced on the cyber threat to our Nation. Operational intelligence is used by SPACECOM and JTF-CND to determine defensive objectives and to support the planning and conduct of CND operations. Tactical intelligence required for CND is a new discipline that is still in an initial stage. When fully developed, tactical intelligence procedures and processes will support rapid reaction to tactical threats by JTF-CND components.

Strategic, operational, and tactical intelligence must be employed in a way that reduces our chances of being deceived or surprised. Deception and surprise are inherent factors in cyberspace, however, and will probably always be concerns.

Intelligence sources are the means or systems used to observe, sense and record, or convey information. JTF-CND J2 staff must understand the strengths and weaknesses of all intelligence sources relevant to this mission area. The seven primary intelligence sources are imagery intelligence, human intelligence, signals intelligence, measurement and signature intelligence, open source intelligence, technical intelligence, and counterintelligence. Unity of effort is maintained by tasking these disciplines in accordance with joint doctrine. All results are fused to provide the best possible assessments. Integration also helps reduce deception and surprise.

Intelligence supports all aspects of JTF-CND operations. JTF-CND J2 will participate in planning from the outset of any operation. Early involvement in JTF-CND planning will allow the J2 to articulate intelligence collection and production requirements to the intelligence community and to formulate, at an early stage, intelligence guidance for JTF-CND components. It will also allow the J2 to provide intelligence at every stage of the decision-making process.

Providing understanding of the enemy to support counterintelligence and operational security measures. Concurrent with the JTF-CND planning and operating process, the J2 will provide the commander with an understanding of the adversary’s command and control processes and adversary intelligence collection capabilities, so appropriate operational security and counterintelligence operations can be implemented.

Evaluating the effects of defensive operations. The JTF-CND J2 will assist the JTF commander and J3 in evaluating operational results and determining when objectives have been attained, so forces may be reoriented or operations terminated. Some defensive measures that may have to be taken on DoD networks to thwart a sophisticated adversary could affect millions of DoD computer users, making intelligence support for exit strategies of paramount importance.

Intelligence systems will be interoperable, usable, scalable, reliable, and user-friendly. Joint Pub 2-0 provides overarching guidance on establishment of a joint intelligence architecture for support to a JTF. Much of this architecture already exists in the military intelligence community infrastructure. CND intelligence architecture is based on the Joint Worldwide Intelligence Communications System (JWICS) and the Joint Deployable Intelligence Support System (JDISS). By tailoring JWICS and JDISS to the JTF-CND mission, JTF-CND joins a network linking the entire intelligence community.

New threat databases are being established to support this mission, and many new intelligence fusion, collaboration, and visualization tools are being developed to support CND intelligence analysts. As they are developed, strict adherence to joint doctrine and joint standards (where they exist) will help ensure interoperability and proper mission focus.

Intelligence TTPs must be understood by all players. A key reason for having joint doctrine is to know how the rest of the team will play. Intelligence TTPs spell these plays out in detail, describing agreed-upon ways that organizations interact. For example, JTF-CND components will follow joint doctrine in stating intelligence collection and production requirements to JTF-CND for further validation, prioritization, and tasking. When operations require, JTF-CND will issue statements of intelligence intentions to components, clarifying additional support procedures tailored to the particular mission. Component commanders will also provide feedback to the JTF on Service-related issues affecting the joint command, and will plan and develop implementing instructions for wartime intelligence support, including augmentation of joint forces.

Many aspects of this new mission area have yet to be covered by joint doctrine. That is to be expected in any modern military operation. But by starting with a foundation in joint doctrine, areas that have yet to be resolved are being discovered quickly and dialog is already underway to address them.

A Final Note

Operational units in the field or fleet who have a need for intelligence on cyberthreats can also rely on joint doctrine for intelligence. It is the basis for J2 procedures in every CINC area of responsibility, and is worth a good read by all uniformed professionals.

Commander Gourley is the Director of Intelligence, Joint Task Force-Computer Network Defense (J2, JTF-CND). He received a B.S. in Chemistry from Middle Tennessee State University in 1981, an M.S. in National Security Affairs from the Naval Postgraduate School in 1985, and an M.S. in Military Science from the Marine Corps University in 1996. He may be reached at gourleyr@jtfcnd.ia.mil.

Endnotes

Gibson, William. Neuromancer, Berkley Publishing Group, New York, NY, July 1984.

Joint Pub 2-0, Joint Doctrine for Intelligence Support to Operations, Pentagon, Washington, D.C., 5 May 1995.

Joint Pub 2-0, III-4.

Joint Pub 2-0, vii.

Joint Pub 2-0, xi.

Joint Pub 2-0, x.


ZENITH STAR

MAJ Gerald Burton, USA
Mr. Richard Phares

On 13 and 14 October 1999, IATAC conducted an exercise on information operations (IO) for computer network defense (CND) for the Joint Task Force for CND (JTF-CND). This tabletop exercise, Zenith Star 99-1, was designed to look both at a CND scenario similar to that used for Eligible Receiver 97-1, and at the interagency working-level coordination necessary to react to such a scenario. Zenith Star 99-1 also exercised the JTF-CND Tactics, Techniques, and Procedures (TTPs) and assessed progress made since the JTF-CND stand-up in December 1998. Although the exercise used the Eligible Receiver 97-1 scenario as a base, it did not replay that exercise completely. Instead, it focused primarily on CND-related events to determine how new DoD organizations and processes built since Eligible Receiver 97-1 affect the CND community’s response to a similar crisis.

More than 55 participants attended the exercise, including players from U.S. Space Command (SPACECOM), the National Infrastructure Protection Center (NIPC), the National Security Agency (NSA), the Defense Intelligence Agency (DIA), the Central Intelligence Agency (CIA), the Assistant Secretary of Defense for Command, Control, Communications, and Intelligence (ASD C3I), the Joint Staff, and JTF-CND and its component commands. Several observers from U.S. Pacific Command (PACOM), U.S. Special Operations Command (SOCOM), U.S. Joint Forces Command (JFCOM), the National Communications System (NCS), and others also attended. Facilitators included personnel from both IATAC and JTF-CND.

Zenith Star 99-1’s goal was to foster understanding of the process and products required in interagency coordination and the resulting impacts on the CND community’s ability to perform its mission. The exercise achieved this goal by helping participants accomplish four specific objectives:

• Understanding the roles of new CND organizations in responding to a contingency similar to Eligible Receiver 97-1 in scope and complexity

• Understanding interagency coordination requirements

• Examining processes and procedures for JTF-CND coordination with other supporting agencies (e.g., NIPC, Intel)

• Understanding needs for improvement highlighted by several communities—intelligence, law enforcement and counterintelligence, and operations.

The exercise structure included information briefings and “hot washes.” Zenith Star 99-1 emphasized team play, so information briefings were kept to the bare minimum required. The exercise clock began while participants received their “situation briefing”—exercise time and real time were one and the same. Participants were divided into functional teams as follows:

• Operations team (SPACECOM, JTF-CND and its components)

• Intelligence team (CIA, DIA, NSA)

• Law enforcement/counterintelligence team (Defense Criminal Investigative Organizations, NIPC)

• Other team (Joint Staff, Office of the Secretary of Defense [OSD])

Participants within teams were allowed to communicate freely with each other. Communications among teams, however, were strictly regulated. Participants used either real communications (the secure telephone units, third generation [STU-III] available in each team room or face-to-face meetings arranged through the facilitators) or simulated communications (fax and E-mail). Additionally, the Control Cell brought participants together in a forum that allowed them to share information, and work together on their responses.

Team play was driven by “Red Force” actions: teams received injects describing specif-

continued on page 14


    I t was a dark and stormynight…With nothing else todo, you search for “places thatdon’t rain” using your favoriteWeb search engine only to getan ominous “Error 404.” It isquite possible that the searchengine’s Web site is under at-tack from hundreds of systemsat once, just as Yahoo’s pagewas in mid-February for 3+hours. Could such a coordinat-ed attack occur in reality? Un-fortunately, a single individualcould, with relative ease andlittle chance of repercussion,stage such an attack using anew breed of tools referred toas Distributed Denial of Service(DDoS) tools.

    Reality #1The number of poorly con-

    figured systems connected tothe Internet is rapidly increas-ing. This is partially the resultof well-connected unive rs i t yd o r m i tories and high-speedconnections to the home,(cable-modems and DSL con-nections).

    Reality #2Based on the observed rate

    of network-wide probes andpublicly available hacker tools,intruders are more interestedin the number of compromisedhosts rather than specific tar-gets.

The reality is that, using publicly available tools, a determined intruder can compromise 100+ systems Internet-wide in a matter of days. Sadly, the number of vulnerable systems riding the Internet has outpaced a typical intruder’s ability to do something useful with the compromised systems. Distributed intruder tools have matured in this environment and now enable an intruder to use a large number of compromised systems in a coordinated and collective manner. The first widely used example of distributed intruder tools is denial of service tools, though others are expected to follow shortly. With the current generation of tools and little effort, an intruder can flood a target with a massive amount of traffic from hosts around the world. These DDoS tools are called names such as Trin00, Tribe Flood Network (TFN) and Stacheldraht and are available on UNIX and Windows systems. It is believed that variants of these tools were used to successfully launch large-scale attacks against such popular Web sites as Yahoo, E-bay, CNN and others. Many of the victims have been very well connected sites with over a gigabit per second of sustained bandwidth.

The current generation of DDoS tools requires an intruder to install a “daemon” on each of the compromised systems. At least one “master” system keeps track of the daemon systems and directs the attack. When prompted by an intruder, the master contacts each of the daemons and specifies the tar-

    11

    1Lt Brian Dunphy, USAF

    continued on page 12

Distributed Denial of Service Tools


get and method of attack. From the victim’s perspective, they appear to be under attack from hundreds of systems from around the world all at once.

There are two primary computer network defense goals with relation to the recent distributed attacks:

1. Don’t be a participant in an attack.

The Internet community is already struggling with the scale of these attacks. Vulnerable DoD systems can be unwitting participants in a DDoS network, serving only to increase the scale and complexity.

The current set of DDoS tools is installed after a system is compromised by an intruder and does not exploit any specific vulnerability. Based on past incidents, most DoD compromises are the direct result of unpatched vulnerabilities that DoD’s Information Assurance Vulnerability Alert (IAVA) Process has documented (http://www.cert.mil/iava). Sites are encouraged to routinely check their systems for IAVA compliance. Sites are also advised to do the following:

• Periodically run DDoS scanning tools. Sites are encouraged to use either vendor or government developed tools to detect known instances of DDoS tools.

—The National Infrastructure Protection Center (NIPC) has produced a host based scanning tool to detect known DDoS tools. The tool only runs on Solaris and Linux at the time of this article. The tool is available on the DoD-CERT’s homepage (http://www.cert.mil/resources/security_tools.htm).

—The current DoD contracted antivirus vendors, Symantec and McAfee, have developed signatures to detect the Windows variants of the DDoS tools.

• Sites are encouraged to pressure their vendors (antivirus, intrusion detection, etc.) to update their detection signatures if they have not already done so.

• Enable anti-spoofing rules at the enclave perimeter. Sites should configure their perimeter firewall and router to only allow out traffic with valid source IP addresses. Many of the tools spoof their source IP address to make the attack look like it is originating from somewhere else.

• Disable directed broadcast at the enclave perimeter. Sites should configure their router and firewall to disallow network traffic destined for their broadcast address.
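The two perimeter rules above (anti-spoofing on outbound traffic and blocking directed broadcast) expressed as a small policy checker, added here as an example that is not from the article or the DoD-CERT tools it mentions. The enclave prefixes and sample packets are constructed, and the checker goes one step beyond the text by also dropping inbound packets that claim an enclave source address.

```python
import ipaddress
from dataclasses import dataclass

# Constructed enclave address space (documentation ranges, not a real site).
ENCLAVE_PREFIXES = [
    ipaddress.ip_network("192.0.2.0/24"),
    ipaddress.ip_network("198.51.100.0/25"),
]


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    direction: str  # "out": leaving the enclave; "in": arriving from the Internet


def inside_enclave(address: str) -> bool:
    """True when the address falls inside one of the enclave's own prefixes."""
    addr = ipaddress.ip_address(address)
    return any(addr in net for net in ENCLAVE_PREFIXES)


def is_directed_broadcast(address: str) -> bool:
    """True when the address is the broadcast address of one of the enclave's subnets."""
    addr = ipaddress.ip_address(address)
    return any(addr == net.broadcast_address for net in ENCLAVE_PREFIXES)


def perimeter_decision(pkt: Packet) -> str:
    """Apply the perimeter rules in order and return the action with its reason."""
    if pkt.direction == "out" and not inside_enclave(pkt.src):
        # Anti-spoofing (egress): only traffic with a valid enclave source may leave,
        # so a compromised host inside cannot hide behind a forged address.
        return "drop: spoofed source leaving enclave"
    if pkt.direction == "in" and inside_enclave(pkt.src):
        # Ingress counterpart (beyond the text): the Internet side must never
        # present one of our own addresses as its source.
        return "drop: enclave source arriving from outside"
    if is_directed_broadcast(pkt.dst):
        # Directed broadcast: one packet would be answered by every host on the
        # subnet, which is how a site gets recruited into an amplification flood.
        return "drop: directed broadcast"
    return "permit"


def audit(packets):
    """Summarise decisions as {action: count}, the way a perimeter log review would."""
    summary = {}
    for pkt in packets:
        action = perimeter_decision(pkt)
        summary[action] = summary.get(action, 0) + 1
    return summary


# Constructed sample traffic.
SAMPLE = [
    Packet("192.0.2.10", "203.0.113.5", "out"),     # legitimate outbound
    Packet("10.9.8.7", "203.0.113.5", "out"),       # forged source; would feed a DDoS
    Packet("203.0.113.5", "192.0.2.10", "in"),      # legitimate inbound
    Packet("192.0.2.44", "192.0.2.10", "in"),       # our own address claimed from outside
    Packet("203.0.113.9", "198.51.100.127", "in"),  # broadcast address of 198.51.100.0/25
]

if __name__ == "__main__":
    for pkt in SAMPLE:
        print(f"{pkt.direction:>3} {pkt.src:>15} -> {pkt.dst:<15} {perimeter_decision(pkt)}")
    print(audit(SAMPLE))
```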

2. Don’t be a victim of a DDoS attack.

While it has not happened to date, it is possible that DoD systems will (or could) be targeted in the future by such attacks.

From a potential victim’s perspective, the best advice is to be prepared to be a victim. The current denial of service attacks only rely on a site’s ability to receive network traffic through a finite network connection. These attacks take advantage of the large number of vulnerable systems connected to the Internet, so there is no simple “fix” for these attacks. Once a site has been targeted, there are a number of things that can be done to restore service in a timely manner. Systems owners are advised to be prepared in the following manner:

• Identify mission-essential systems that must be available to users from the Internet. If a denial of ser-

    12

    continued on page 34

    Figure 1. Example DDoS network

    continued from page 11

13

Air Force systems and networks are targets. Protection of our systems and data is the new challenge, and Air Force Materiel Command (AFMC) is structuring itself to meet that challenge with a dedicated effort addressing all aspects of information assurance (IA).

Efforts to attack, sabotage, and corrupt government and industrial systems and data, sometimes in “sport” and sometimes as a conspiracy, have become a widespread problem plaguing everyone from the smallest businesses to the biggest government organizations. Network defenses and vigilance have been the two most common responses, but waiting for the next hacker is an insufficient approach to network protection. In AFMC we have taken a proactive approach to protecting our systems.

In an aggressive effort beginning in late 1998, AFMC developed and deployed a team of network security and operational experts under the banner of Operation Palisade. The team’s continuing mission is to seek out network security weaknesses before they can be exploited and to remove them through the implementation of security network practices and technologies. The effort is focused on the single goal of protecting the mission-critical information contained on AFMC networks throughout the United States and the world. The challenge is particularly daunting because AFMC’s relationships with various research centers and contractors mean that our networks have a larger-than-expected number of potentially open components.

The primary foundation on which Operation Palisade builds is the full application of the Air Force’s Barrier Reef process. This proven methodology is designed to create boundary protection for all AFMC base intranet networks, protect those networks at their entry points to the Internet, provide specific network security training to base network managers, and increase AFMC network monitoring and auditing as soon as security weaknesses are identified. We feel that our Operation Palisade efforts, combined with the mandated actions laid out in applicable Air Force regulations and instructions, have positioned us not only to respond to problems, but to prepare our subordinate bases and organizations to position themselves proactively for the threats that surely lie just around the corner.

Are we where we want to be or need to be in our defensive posture? The answer is clearly “no.” We need to move beyond Barrier Reef and Operation Palisade. We need to address all the capabilities of the Air Force’s Defensive Counter-information (DCI) Operations program, including not only information assurance, but also operations security, electronic protection, counterintelligence, and other capabilities, as spelled out in Air Force Policy Directive 10-20. In the process of moving forward, AFMC has put the IA lead in charge of the overall command DCI program and given me the responsibility to coordinate all of the efforts in the realm of Defensive Information Operations.

By consolidating IA and DCI Operations leadership, we have put ourselves on a path for continuous improvement—and created a self-initiated challenge to succeed. There is much to do. AFMC is a target-rich environment for both the

Air Force Materiel Command’s Information Defense

    Col Kevin J. Kirsch, USAF

Cyberterrorism, Internet attacks, malicious intrusions, and hacker activity are on the rise. Credit card data for thousands of people is offered for sale over the net.

    continued on page 14

recreational hacker and the industrial spy. On the other hand, our challenges are no different from those faced by industry, other Air Force Major Commands (MAJCOM), or our sister services.

We are proud to be part of the large team, working hard with the other MAJCOMs, the Services and in industry to stay one step ahead of the next incident. We feel we have a positive story to tell, but recognize that others do also. For every good idea we have, we seek multiple opportunities to gather the best practices of others and to explore, in the field or in the lab environment, the best use of current capabilities and information on products under development.

Colonel Kirsch is the Chief, Mission Support, Network Operations & Security Division, HQ Air Force Materiel Command, Wright-Patterson AFB, OH. He was commissioned as a 2nd Lieutenant following completion of the ROTC program and graduation from Duquesne University in Pittsburgh PA. He has held a variety of base level and tactical positions to include four command positions, ranging from a detachment in Iceland to Installation Commander of RAF Croughton, England. In his current position he is responsible for assessment of the operational effectiveness and efficiency of information, security, applications and systems for customers throughout Air Force Materiel Command, and is the overall lead for the command Defensive Counter Information program.

14

ic events from the facilitators at predetermined times. The participants were expected to evaluate the events in real time and formulate a response. While this sounds relatively simple, the intent of Zenith Star 99-1 was to examine interagency coordination—thus the teams had to present a coordinated response to the Control Cell for a specific event. If the participants recommended an appropriate action within a reasonable amount of time, long duration events would be stopped prematurely by the Control Cell. Otherwise, events continued until terminated as determined by the scenario.

Coordination between teams was conducted using the communications available to the participants. All coordination activities, such as phone calls, simulated E-mails, and faxes, were recorded on templates provided to the participants. Facilitators were also present at any face-to-face meetings. Using the exercise scenario as ground truth, facilitators were therefore able to assess situational awareness within and across teams, and determine the overall state of the exercise at the end of each day. These assessments helped facilitators identify lessons learned and issues for future consideration.

Participants generally found the exercise to be beneficial. Zenith Star 99-1 showed that the CND community is making significant progress toward developing an effective CND process. Specifically, the ongoing efforts to increase CND coordination between operators, intelligence, and law enforcement are paying dividends. Continued planning initiatives and exercises will help to refine processes further, and prove valuable to the CND community as a whole.

The Zenith Star 99-1 After Action Report (AAR) is available on the JTF-CND SIPRNET Web site. Questions and comments are welcomed and encouraged.

Major Gerald Burton, USA, is a Defensive IO Planner in the JTF–CND J5/7 Section. He is an Information Operations Functional Area Officer, and holds an M.S. from Central Michigan University. He may be reached at [email protected]

Mr. Richard Phares is a member of the IATAC, and designs, develops, and executes Information Operations wargames for various clients. He holds an M.S. from the Naval Postgraduate School, Monterey, CA. He may be reached at [email protected]

Zenith Star, continued from page 10

Air Force Materiel Command, continued from page 13


As the Army prepares to digitize the force, a new threat is developing—one that is unlike any the Army has seen before. Rather than spending billions of dollars on materiel, our enemies are now investing in information warfare (IW). Future conflicts are expected to be asymmetric, which means that IW forces will inflict substantial damage on large, computer-dependent adversaries.

In the Washington Times, the Chinese People’s Liberation Army (PLA) publicly announced its plans to conduct Internet warfare against the United States. The PLA is gearing up for wartime computer attacks on networks and the Internet that will affect everything from banking to our military’s communications structure.

In the past year, attempts to gain unauthorized access to the Army’s networks have greatly increased—from the Melissa virus to computer attacks against the Pentagon by an Israeli hacker and two teenagers from California. The Army is now placing as much attention on protecting communications networks as it spent in preparing for the rollover to the year 2000 (Y2K). The U.S. Army Signal Center, Fort Gordon, Georgia, has responsibility for the combat developments of tactical, strategic, and sustaining base communications systems and the security systems that protect them. The Signal Center represents the warfighter in the development of information assurance (IA) tactics, techniques, and procedures to protect our tactical networks from our enemies.

During a recent IA Industry Day Conference, Lieutenant General David Kelley, Director, Defense Information Systems Agency (DISA), stated that an “Information Pearl Harbor” is imminent. It is not a matter of whether such an attempt will be made, but when. The Signal Center is taking this new threat into consideration as the Army migrates to the Warfighter Information Network–Tactical (WIN–T), which will replace the Tri-Services Tactical Communications (TRI–TAC) and the Mobile Subscriber Equipment (MSE) switch systems.

WIN–T is the Army’s Force XXI command, control, communications, computers, intelligence, surveillance, and reconnaissance (C4ISR) tactical communications network, and it will integrate joint, multinational, commercial, and battlefield networks into an intranet that provides mobile, secure, survivable, and multimedia seamless connectivity between all elements within the battlespace from theater to battalion level. WIN-T’s backbone will support multiple security levels (MSL)—TOP SECRET/Special Compartmented Information (TS/SCI), SECRET, and Sensitive but Unclassified (SBU)—and various modes of information, including voice, data, video, and imagery.

Network-based monitoring technology within the Defense Information Infrastructure (DII) is being mandated on a large scale across the DoD. WIN-T will include IA security features throughout the network that will employ the DoD’s defense-in-depth strategy to protect, detect, and respond to attacks on the military’s information systems. IA offers authentication (verification of the originator), nonrepudiation (incontestable proof of participation), availability (unimpeded access to authorized users), confidentiality (protection from unauthorized disclosure), and integrity (protection from information damage).

The layering of IA technology solutions is the fundamental principle of the defense-in-depth strategy, which includes three key areas of protection: external perimeter, internal network, and local computer hosts.

Protected electronic perimeters are needed for local enclaves because many end-user systems have little built-in protection against external access. These systems are difficult to administer well enough to provide an effective defense. Protected perimeters are like castle walls and gates, which enable professional administra-

    15

MAJ Robert Turk, USA; CPT Shawn Hollingsworth, USA

    continued on page 16

Information Assurance: The Army Prepares for the Next Generation of Warfare


tors to control flow in and out. They also enable traffic through the gate to enter and leave at various levels during changing information conditions and allow specific services to be deactivated if they come under successful attack.

The external perimeter safeguards include firewalls, intrusion detection, inline encryptors, and where necessary, physical isolation. Internal network protection consists of a combination of security guards, firewalls, and/or router filtering devices to serve as barriers between echelons and/or functional communities. Host-based monitoring technologies can detect and eradicate malicious software (e.g., virus); detect software changes; check configuration changes; and generate an audit, audit reduction, and audit report.

The defense-in-depth strategy will provide a robust and resilient infrastructure designed to limit, contain, and repair damage that results from attacks. The fundamental criteria of the defense-in-depth strategy are that no single attack can lead to the failure of a critical function and that no critical function or system is protected by a single protection mechanism. This strategy is a key element in the successful implementation of IA in the WIN-T network.

The illustration below depicts the WIN-T’s conceptual security architecture, which follows the layered protection strategy. Each layer will consist of a different configuration of IA tools designed to prevent a would-be intruder from gaining

    16

    continued from page 15

Information Assurance: The Army Prepares for the Next Generation of Warfare

    Figure 1. Layered Protection for a Secret High Backbone Supports Multiple Security Levels.


access to all systems by defeating one layer.

External Layer

The strongest layer of protection in the network is the first line of defense in the defense-in-depth architecture. The primary focus of the perimeter is protecting the inside from the outside, but enclave boundaries also provide some protection against malicious insiders (e.g., those who use the enclave to launch attacks). Protection measures include firewalls, filtering routers, replication servers, strong authentication, authentication servers, Internet Protocol (IP) security/virtual private networks (VPN), and measures to defend against back doors that circumvent firewalls, such as internal use of cellular phones or modems (e.g., sending data through voice public branch exchanges). The external layer and its suite of IA equipment will interface with external connections, such as the Secret IP Router Network (SIPRNET), SBU IP Router Network (NIPRNET), and Joint Worldwide Intelligence Communications System (JWICS).

Network Layer

This layer focuses on network-based monitoring (intrusion detection), thereby providing the capability to identify attacks and suspicious network activity. It captures and forwards event data to a predefined IA cell or the Regional Computer Response Team (RCERT).

User Level

Command and control (C2) protect tools will be employed on the individual host workstations. Host-based monitoring will reside on servers and end-user systems and will detect attacks against individual hosts. The detect capability of this type of monitoring is more fine-grained than network-based monitoring and can be the best line of defense in detecting malicious insiders. Local host protection software consists of Transmission Control Protocol (TCP) Wrappers for individual access control, a security profile inspector (SPI), a Simple Watch (SWATCH) for alerting when audit anomalies occur in the profile, and McAfee virus protection. This C2 package is the last line of defense against unauthorized use and entry.

Voice subscribers will be able to place and receive secure telephone calls to subscribers located on switched networks that incorporate National Security Agency (NSA) Type I-approved devices. WIN-T will provide selected users with a handheld device that will connect via terrestrial and available satellite means to the WIN-T infrastructure, and via airborne platforms to communicate within the area of operations, both in and around command posts/tactical operations centers (TOC). It will have a secure (NSA-approved) capability that provides voice, data, and video communications.

Another form of IA that will be available to the user is the Public Key Infrastructure (PKI). PKI refers to the framework and services that provide for the generation, production, distribution, control, and accounting of public key certificates. It provides critical support to security applications providing confidentiality, authentication of network transactions, data integrity, and nonrepudiation.

WIN-T is not designed to counter a specific threat. However, certain security IA components are designed to protect WIN-T from the IW threat. As part of this strategy, IA protects the Army’s C2 information network from attempts to penetrate the network to obtain, disrupt, or manipulate the resident information. It allows simultaneous access and processing protection for users at different security levels.

IA and the security features within the WIN-T network will continue to change after the network is fielded in 2005. Even as technology evolves and the threat changes, the Army must continue to protect its vital communications networks.

Major Robert Turk, USA, is the acting Branch Chief, Switching and Networks Branch, Materiel Requirements Division, Directorate of Combat Developments, United States Army Signal Center. He received his B.S. and M.S. in Computer Science from Alabama A. and M. University, Huntsville, Alabama and Towson University, Towson, Maryland. He may be reached at [email protected]

Captain Shawn Hollingsworth, USA, is the IA officer, Switching and Networks Branch, Materiel Requirements Division, Directorate of Combat Developments, United States Army Signal Center. He received his M.S. in Technology Management from Mercer University, Atlanta, Georgia. He may be reached at [email protected]

    17

  • I A n ew s l e t t e r • Vo l u me 3 , Nu mb e r 3 h t t p : / / i a c . d t i c . m i l / I ATA C

The recent “denial of service” attacks against America Online, Yahoo, and other ISP and Content Providers suggest that computer networks are vulnerable to widespread attack from a variety of adversaries. Complicating these issues are the global nature of such activities and the disparate nature of the kinds of attacks these services have to guard against.

Critical to this discussion is the fact that the dispersal of the toolkits available to hackers makes it all but certain that sniffing out, tracking down, and eliminating these threats will occupy the best network minds for some time to come.

As webmasters, systems administrators, and network security managers rethink the problem, they will, out of necessity, focus a large part of their effort on mitigating virus attacks—in all their forms.

The similarity between computer network systems and biological systems is uncanny. This comparison is common both within Information Technology publications and among users of computer network systems. Addressing computer networks as living systems from the standpoint of health makes one recognize the plethora of vulnerabilities that exist. One of the greatest threats to the health of an organization’s computer networks is computer viral infections or contagion. Containing these contagions and eradicating them before the health of a network is degraded requires understanding and real-time vigilance on the part of users, network administrators and software developers.

The Pathology of Computer Viruses

A computer virus is a program, or software code, designed to replicate and spread, generally with the victim being oblivious to its existence. The mere mention of “computer virus” sends computer novices and experts scrambling to download the latest update of Norton, McAfee, or IBM antivirus software. Their reaction is justified. Every large corporation and organization has experienced a virus infection—most experience them monthly. According to data from IBM’s High Integrity Computing Laboratory, corporations with 1,000 or more personal computers (PC) now experience a virus attack every 2 to 3 months—and that frequency will likely double in a year.[1] The number of virus attacks may seem unusually high if it is viewed independently. However, when Symantec Corporation (a supplier of DoD antiviral software) defines and categorizes 21,389 known viruses and McAfee (the other supplier of antiviral software to DoD) categorizes more than 40,000 viruses—the number of virus attacks is put in a new light. These viruses, usually benign or annoying, can slow performance, absorb resources, change screen displays and in the end, disrupt or deny service to such an extent that it affects organizations’ bottom line—profit or mission accomplishment.

Computer viruses come from a variety of sources and spread by attaching themselves to other programs (e.g., word processors or spreadsheet applications) or to the boot sector of a disk. When the infected file is activated or executed, or when the computer is started from an infected disk, the virus itself is also executed. Viruses can also lurk in computer memory, waiting to infect the next program that is activated, or the next disk that is accessed.

Dataquest’s 1991 study of major U.S. and Canadian computer users for the National Computer Security Association found that most users blame infected diskettes (87 percent) as the source of a virus. Forty-three percent of the diskettes responsible for introducing a virus into a corporate computing environment were brought from home. Nearly three-quar-

    18

    Containing Contagion in Cyberspace

COL John C. Deal, USA; MAJ Gerrie A. Gage, USA

    Ms. Robin Schueneman


ters (71 percent) of infections occurred in a networked environment, making rapid spread a serious risk. Seven percent of computer users said they had acquired their virus while downloading software from an electronic bulletin board service or Web site. Other sources of infected diskettes included demo disks, diagnostic disks used by service technicians, and shrink-wrapped software disks; these other sources contributed 6 percent of reported infections.[2] Although no new statistics are currently available, networking, enterprise computing, and inter-organizational communications are growing. Accompanying the growth in telecommuting and networking is an increase in infections.

Viruses are growing in complexity and variety. In 1986, there were just four known PC viruses. In today’s virus rich environment, more than three viruses are created every day, for an average of 110 new viruses created in a typical month. There are several variations of viruses, but there are only three ways that a virus can access a system. “Computer Viruses: Past, Present and Future” describes these three methods as follows:

File Viruses

Most of the thousands of viruses known to exist are file viruses, including the Friday the 13th virus. These viruses infect files by attaching themselves to a file, generally an executable file—the .EXE and .COM files that execute applications and programs. The virus can insert its own code in any part of the file, provided it changes the host’s code somewhere along the way, misdirecting proper program execution so that it executes the virus code first, rather than the legitimate program. When the file is executed, the virus is executed first.

Boot Sector / Partition Table Viruses

Although there are only about 200 boot sector viruses, they make up 75 percent of all virus infections. Boot sector viruses include Stoned, the most common virus of all time, and Michelangelo, perhaps the most notorious. These viruses are so prevalent because they are difficult to detect. They do not change a file’s size or slow PC performance, so they are fairly invisible until their trigger event occurs. Events such as reformatting a hard disk or scanning a disk serve as a trigger. The boot sector virus infects floppy disks and hard disks by inserting itself into the boot sector of the disk, which contains code that is executed during the system boot-up process. Booting from an infected floppy allows the virus to jump to the computer’s hard disk. The virus executes first and gains control of the system boot program code even before the operating system (OS) is loaded. Because the virus executes before the OS is loaded, it is not OS-specific and can infect any PC operating system platform—MS-DOS, Windows, OS/2, PC-NFS, or Windows NT. The virus enters the random access memory (RAM) and infects every disk that is accessed until the computer is rebooted and the virus is removed from memory. Partition table viruses attack the hard disk partition table by moving it to a different sector

    19

    Trojan Horse

Like its classical namesake, the Trojan Horse virus typically masquerades as something desirable; e.g., a legitimate software program. The Trojan Horse generally does not replicate (although researchers have discovered replicating Trojan Horses). Rather, it waits until its trigger event and then displays a message or destroys files or disks. Alongside the Trojan Horse is the Trojan Mule, which fools authorized users into giving their LOGIN information, passwords, and user-IDs. Once a user types in the valid user-ID/password LOGIN information, the virus sends that information to the file implementers and displays a LOGIN error message. As the authorized user retypes the information, the virus has already exited, the real LOGIN program regains control, and the user never suspects that LOGIN information has been revealed. The difference between the Trojan Horse and Trojan Mule viruses is that the mule does not even try to perform a useful function (e.g., game, application) and it disappears from the system once it’s done its work, whereas the horse remains in the system until it is cleaned out.

File Overwriters

These viruses infect files by linking themselves to a program, keeping the original code intact and adding themselves to as many files as possible. Innocuous versions of file over-writers may not be intended to do anything more than replicate but, even then, they take up space and slow performance. And because file over-writers, like most other viruses, are often flawed, they can damage or destroy files inadvertently. The worst file over-writers remain hidden only until their trigger events. Then they can deliberately destroy files and disks.


IAnewsletter • Volume 3, Number 3 • http://iac.dtic.mil/IATAC

and replacing the original partition table with the virus' own infectious code. These viruses spread from the partition table to the boot sector of floppy disks as floppy disks are accessed.
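The two infection patterns just described (boot code replaced while the table stays intact, or the table moved away and overwritten) can both be caught by comparing a freshly read master boot record against a baseline taken from the clean disk. The following check is an added example written for this article, not code from the newsletter; the 512-byte sample sectors it builds are constructed, and the MBR layout it parses (boot code, four 16-byte partition entries at offset 0x1BE, 55AA signature) is the standard PC layout.

```python
"""Partition-table and boot-code check for a 512-byte master boot record.

Added example for this article; it is not code from the newsletter. A boot
sector virus replaces the boot code and leaves the partition table alone; a
partition table virus moves the table elsewhere and puts its own code where
the table was. Both show up when a freshly read MBR is compared with a
baseline taken from the clean disk. The sample MBRs below are constructed.
"""
import hashlib
import struct

MBR_SIZE = 512
TABLE_OFFSET = 0x1BE          # four 16-byte partition entries start here
ENTRY_SIZE = 16
SIGNATURE = b"\x55\xAA"       # last two bytes of a valid boot sector


def parse_mbr(sector):
    """Split an MBR into a digest of its boot code, its partitions and its signature."""
    if len(sector) != MBR_SIZE:
        raise ValueError("an MBR is exactly %d bytes" % MBR_SIZE)
    partitions = []
    for i in range(4):
        start = TABLE_OFFSET + i * ENTRY_SIZE
        # status, CHS start (skipped), type, CHS end (skipped), LBA start, sector count
        status, ptype, lba, count = struct.unpack("<B3xB3xII", sector[start:start + ENTRY_SIZE])
        partitions.append({"bootable": status == 0x80, "type": ptype,
                           "lba_start": lba, "sectors": count})
    return {
        "code_sha256": hashlib.sha256(sector[:TABLE_OFFSET]).hexdigest(),
        "partitions": partitions,
        "signature_ok": sector[MBR_SIZE - 2:] == SIGNATURE,
    }


def check_mbr(sector, baseline):
    """Compare a freshly read MBR with a parsed baseline; return a list of findings."""
    current = parse_mbr(sector)
    findings = []
    if not current["signature_ok"]:
        findings.append("boot signature 55AA missing")
    if current["code_sha256"] != baseline["code_sha256"]:
        findings.append("boot code changed")                      # boot sector virus pattern
    if current["partitions"] != baseline["partitions"]:
        if all(p["type"] == 0 for p in current["partitions"]):
            findings.append("partition table empty or relocated")  # partition table virus pattern
        else:
            findings.append("partition table changed")
    return findings


def build_sample_mbr(code, table):
    """Assemble a constructed MBR from boot code bytes and packed partition entries."""
    code = code.ljust(TABLE_OFFSET, b"\x00")[:TABLE_OFFSET]
    table = table.ljust(4 * ENTRY_SIZE, b"\x00")
    return code + table + SIGNATURE


# Constructed clean disk: a few boot-code bytes and one bootable FAT16 partition.
CLEAN_CODE = b"\xFA\x33\xC0\x8E\xD0\xBC\x00\x7C" + b"\x90" * 40
CLEAN_TABLE = struct.pack("<B3sB3sII", 0x80, b"\x01\x01\x00", 0x06, b"\xFE\xFF\xFF", 63, 2_000_000)
CLEAN_MBR = build_sample_mbr(CLEAN_CODE, CLEAN_TABLE)
BASELINE = parse_mbr(CLEAN_MBR)

# Constructed "after infection" sectors; the replacement bytes are arbitrary filler, not a virus.
BOOT_VIRUS_MBR = build_sample_mbr(b"\xEB\x3C" + b"\xCC" * 100, CLEAN_TABLE)   # code swapped, table intact
TABLE_VIRUS_MBR = build_sample_mbr(CLEAN_CODE, b"\x00" * 64)                   # table zeroed in place


def read_live_mbr(device):
    """Read the first sector of a raw device such as /dev/sda (needs privileges)."""
    with open(device, "rb") as disk:
        return disk.read(MBR_SIZE)


if __name__ == "__main__":
    for label, sector in (("clean", CLEAN_MBR), ("boot sector virus", BOOT_VIRUS_MBR),
                          ("partition table virus", TABLE_VIRUS_MBR)):
        print("%-22s %s" % (label, check_mbr(sector, BASELINE) or ["no change"]))
```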

Multipartite Viruses

These viruses combine the ugliest features of both file and boot sector/partition table viruses. They can infect any of these host software components. And while traditional boot sector viruses spread only from infected floppy boot disks, multi-partite viruses can spread with the ease of a file virus—but they still insert an infection into a boot sector or partition table. This tendency makes them particularly difficult to eradicate. Tequila is an example of a multi-partite virus.

Although there are only three ways to infect a system, there are hundreds of variations of viruses. The sidebars (pages 17 through 21) contain descriptions of virus variations taken from "Computer Viruses: Past, Present and Future," "Demystifying Computer Viruses," and "Computer Security Basics." This list is not all-inclusive, but it describes some of the common variations to date.

Viruses affect computers and networks differently. The purpose of most viruses is to remain undetected, thereby allowing them to spread throughout the organization until they degrade performance or destroy data. Most viruses give no symptoms of their infection, thus driving the use of anti-virus tools. Anti-virus tools allow users to identify these quiet killers. However, many viruses are flawed and do provide some tip-offs to their infection. Here are some indications to watch for:³

• Changes in the length of programs
• Changes in the file date or time stamp
• Longer program load times
• Slower system operation
• Reduced memory or disk space
• Bad sectors on the floppy
• Unusual error messages
• Unusual screen activity
• Failed program execution
• Failed system boot-ups when booting or accidentally booting from the A: drive
• Unexpected writes to a drive.
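The first two indications in the list (a program's length and its date/time stamp changing) are exactly what a record-and-compare integrity check looks for, and hashing the content also catches an over-writer that leaves both unchanged. The script below is an added example, not code from the newsletter; the program directory it baselines in demo() is constructed on the fly, and the set of program suffixes is an assumption.

```python
"""Record-and-compare check for the first symptoms in the list above.

Added example, not from the newsletter. It fingerprints every program file
under a directory (size, modification time, SHA-256), saves that baseline as
JSON, and on a later run reports programs whose length or date/time stamp
changed, plus ones whose content changed even though length and stamp did
not. The directory and files used by demo() are constructed on the fly.
"""
import hashlib
import json
import os
import tempfile
from pathlib import Path

PROGRAM_SUFFIXES = {".exe", ".com", ".sys", ".dll", ".ovl"}   # assumed set of program files


def fingerprint(path):
    """Size, whole-second modification time and SHA-256 of one file."""
    digest = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            digest.update(chunk)
    st = path.stat()
    return {"size": st.st_size, "mtime": int(st.st_mtime), "sha256": digest.hexdigest()}


def build_baseline(root):
    """Map each program file (relative path) under root to its fingerprint."""
    root = Path(root)
    return {str(p.relative_to(root)): fingerprint(p)
            for p in sorted(root.rglob("*"))
            if p.is_file() and p.suffix.lower() in PROGRAM_SUFFIXES}


def save_baseline(baseline, path):
    Path(path).write_text(json.dumps(baseline, indent=1, sort_keys=True))


def load_baseline(path):
    return json.loads(Path(path).read_text())


def compare(baseline, current):
    """Return (file, finding) pairs; an unchanged tree yields an empty list."""
    findings = []
    for name, old in baseline.items():
        new = current.get(name)
        if new is None:
            findings.append((name, "program file missing"))
            continue
        if new["size"] != old["size"]:
            findings.append((name, "length changed %d -> %d" % (old["size"], new["size"])))
        if new["mtime"] != old["mtime"]:
            findings.append((name, "date/time stamp changed"))
        if new["sha256"] != old["sha256"]:
            findings.append((name, "content changed"))
    for name in sorted(current.keys() - baseline.keys()):
        findings.append((name, "new program file"))
    return findings


def demo():
    """Constructed scenario: baseline a directory, then alter one program in it."""
    root = Path(tempfile.mkdtemp(prefix="iachk_"))
    game = root / "GAME.EXE"
    game.write_bytes(b"MZ" + b"\x00" * 100)            # stand-in for a 102-byte program
    (root / "README.TXT").write_text("not a program")   # ignored by the suffix filter
    os.utime(game, (922_400_000, 922_400_000))          # fixed stamp in late March 1999
    baseline_file = root / "baseline.json"
    save_baseline(build_baseline(root), baseline_file)

    with game.open("ab") as f:
        f.write(b"\x90" * 16)                           # 16 appended bytes: length and content change
    os.utime(game, (922_486_400, 922_486_400))          # and the stamp moves a day later
    return compare(load_baseline(baseline_file), build_baseline(root))


if __name__ == "__main__":
    for name, finding in demo():
        print("%-12s %s" % (name, finding))
```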

This list of virus variations and symptoms is not all-inclusive. Additional information can be found at the following Web sites:⁴

• http://www.rootshell.com (exploits)
• http://www.insecure.org/sploits.html (exploits)
• http://ciac.llnl.gov/ciac/CIACVirusDatabase.html (virus information)
• http://www.snafu.de/~madokan/mvic/viruscont.html (virus creators)
• http://www.symantec.com/avcenter/index.html (virus information)
• http://vil.mcafee.com (virus information)
• http://www.virusbtn.com (virus information)

The viruses discussed above are only the most common variations of computer viruses and their symptoms. Computer viruses have cost companies worldwide nearly $2 billion since 1990, with those costs accelerating to $1.9 billion in 1994. This cost is directly related to virus cleanup, not loss of profit. Profit loss caused by


    Polymorphic Viruses

More and more of today's viruses are polymorphic in nature. The recently released Mutation Engine, which makes it easy for virus creators to transform simple viruses into polymorphic ones, ensures that polymorphic viruses will only proliferate over the next few years. Like the human AIDS virus, which mutates frequently to escape detection by the body's defenses, the polymorphic computer virus mutates to escape detection by anti-virus software that compares it to an inventory of known viruses. Code within the virus includes an encryption routine to help the virus hide from detection, plus a decryption routine to restore the virus to its original state when it executes. Polymorphic viruses can infect any type of host software. Although polymorphic file viruses are most common, polymorphic boot sector viruses have already been discovered.

Stealth Viruses

These viruses are specially engineered to elude detection by traditional anti-virus tools. The stealth virus adds itself to a file or boot sector, but when the host software is examined, it appears normal and unchanged. The stealth virus performs this trickery by lurking in memory when it is executed. There, it monitors and intercepts the OS's calls. When the OS seeks to open an infected file, the stealth virus races ahead, disinfects the file, and allows the OS to open it—all appears normal. When the OS closes the file, the virus reverses these actions, thereby re-infecting the file. Boot sector stealth viruses insert themselves in the system's boot sector and relocate the legitimate boot sector code to another part of the disk. When the system is booted, they retrieve the legitimate code and pass it along to


viruses is impossible to calculate. Organizations are combating the virus problem with anti-virus software. The cost of this software is expected to grow from $700 million in 1997 to $2.6 billion by 2001.⁵

So what can an organization do to prevent computer viral infections, and what is the best response in the event of an infection? These questions are best answered by analyzing a real event. This event is current and represents the best possible response to date by the Federal Government, DoD, and industry. As reported by SANS (System Administration, Networking, and Security) Institute, the response of these organizations was "impressive."

Containing Contagion: A Case Study

History will remember several notable landings: the landing of the lunar module on June 20, 1969; the landing of ET the extraterrestrial in movie cinemas in 1982; the landing of Mark McGwire in record books with his 70th home run in September 1998; and the landing of Melissa in commercial, military, educational, and home PCs on March 26, 1999.

One might ask, "Who is Melissa?" The question is in fact, "What is Melissa?" Melissa is a virus, conceivably the fastest spreading virus PCs have seen since the infamous Morris Worm, which infected more than 6,000 computers in a matter of hours (ftp://coast.cs.purdue.edu/pub/doc/morris_worm/GAO-rpt.txt) in November 1988. By March 30, 1999, Melissa had successfully infected about 70,000 E-mails. It was the first virus to have prompted Federal law enforcement to send out a warning about computer viruses; the Federal Bureau of Investigation (FBI) joined with the National Infrastructure Protection Center (NIPC) to issue a warning in anticipation of the tidal wave of E-mails that Melissa was expected to generate.

Melissa is a macro virus, which means that its infectious code is resident in a macro (a symbol, name, or key that represents a list of commands, actions, or keystrokes) contained in a Microsoft Word document (see right side bar). In Melissa's case, the macro has instructions to disable macro detection capabilities, read the first 50 names in a recipient's Microsoft Outlook address book, and forward itself as an attachment to those individuals, or groups of individuals. When this forwarded E-mail message is received and opened, the macro begins again its cycle of E-mail generation, thus bogging down and potentially crashing mail servers through its exponential rate of infection. This type of attack is known as a denial of service.
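The fan-out just described, one sender pushing the same attachment to dozens of address-book entries within minutes, is visible in a mail server's delivery log long before any signature exists. The check below is an added example for this article, not code from the newsletter or from any of the organizations it names; the log line format, the thresholds and the sample lines are all constructed assumptions.

```python
"""Mail-log check for the fan-out a self-forwarding macro produces.

Added example, not from the article: one sender emitting the same subject and
attachment to dozens of recipients within minutes matches the behaviour the
text describes (forwarding to the first 50 address-book entries). The log
line format, the thresholds and the sample lines are assumptions constructed
for this example.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed one-delivery-per-line format; real MTA logs need their own pattern.
LOG_RE = re.compile(
    r'^(?P<ts>\S+) from=<(?P<sender>[^>]+)> to=<(?P<rcpt>[^>]+)> '
    r'subject="(?P<subject>[^"]*)" attach=(?P<attach>\S+)$')


def parse_line(line):
    """One delivery record per line; returns None for lines that do not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.fromisoformat(rec["ts"])
    return rec


def find_fan_out(lines, min_recipients=25, window=timedelta(minutes=5)):
    """Flag (sender, subject, attachment) triples delivered to at least
    min_recipients distinct addresses inside one sliding time window."""
    deliveries = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec:
            deliveries[(rec["sender"], rec["subject"], rec["attach"])].append((rec["ts"], rec["rcpt"]))
    alerts = []
    for (sender, subject, attach), items in deliveries.items():
        items.sort()
        start = 0
        for end in range(len(items)):
            while items[end][0] - items[start][0] > window:   # slide the window forward
                start += 1
            in_window = {rcpt for _, rcpt in items[start:end + 1]}
            if len(in_window) >= min_recipients:
                alerts.append({"sender": sender, "subject": subject, "attach": attach,
                               "recipients": len({rcpt for _, rcpt in items}),
                               "burst_start": items[start][0].isoformat(),
                               "burst_end": items[end][0].isoformat()})
                break                                          # one alert per triple is enough
    return alerts


def sample_log():
    """Constructed log: two normal messages, one junk line, and one user's burst to 50 contacts."""
    lines = [
        '1999-03-26T16:40:02 from=<bob@unit.example> to=<carol@unit.example> subject="lunch" attach=none',
        '1999-03-26T16:52:17 from=<carol@unit.example> to=<bob@unit.example> subject="re: lunch" attach=none',
        'this line is not a delivery record and is skipped',
    ]
    t0 = datetime(1999, 3, 26, 16, 58, 0)
    for i in range(50):
        ts = (t0 + timedelta(seconds=2 * i)).isoformat()
        lines.append('%s from=<alice@unit.example> to=<contact%02d@example.org> '
                     'subject="Quarterly report" attach=REPORT.DOC' % (ts, i))
    return lines


if __name__ == "__main__":
    for alert in find_fan_out(sample_log()):
        print("%(sender)s sent %(attach)s to %(recipients)d addresses between "
              "%(burst_start)s and %(burst_end)s" % alert)
```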

While the shutdown of electronic mail servers is destructive enough, there is at least one other potentially hazardous result of this virus. Melissa is spread through a Microsoft Word document. However, this virus is constructed in such a way that it infects whatever document is open at the time the infected attachment is displayed, and that document is the one that is forwarded with the virus. Imagine this scenario: You are typing a classified document when you receive Melissa. When you open the attachment, i.e., the macro virus, it now places itself on


accomplish the boot. Under examination, the boot sector appears normal, but the boot sector is not in its normal location.

Macro Viruses

Macros are, in essence, mini-programs that take much of the legwork out of repetitive or template-oriented documents. For example, to minimize the work involved in typing the date in correspondence, a user could program a macro to insert the day, month, and year all at once when the letter "D" is typed. Macro viruses are carried in the types of data files that business computer users most often exchange: word processed documents and spreadsheets. Also, because these data files are often exchanged by E-mail, they sometimes bypass the checks that virus-aware organizations already have in place. Experts estimate that 40 percent of virus attacks are made this way. Macro viruses are created with the aid of the macro routines contained within all word processing and spreadsheet application software, such as Microsoft Word and Excel. They attach themselves to any document files that include the macro code, so that they can then be executed through the application software. The whole purpose of macro languages is to insert useful functions into documents, which are then executed as the documents are opened. This is what makes macro viruses easy to write. But one of the reasons they have become so prevalent is the success of Microsoft Office, which has 80 percent of the global market for integrated packages—a tempting target for macro virus writers.

Memory-Resident Viruses

The memory resident characteristic is the most common among viruses. When viruses load into memory via a host application, they remain in memory until the computer is turned off. At


your already opened Word document and forwards THAT document to the first 50 addressees in your address book.

Several aspects of this virus have helped its seemingly global proliferation. One of the most significant aspects is its use of a user's own address book to forward the infectious E-mail. This means that an ordinary user, who would be suspicious of E-mail from an unknown source, receives the virus as if a friend, co-worker, family member, etc. sent it, thereby instilling a false sense of security. In addition, this virus is spread with the help of Microsoft Word and Microsoft Outlook, two programs that are resident in a vast majority of PCs today due to the overwhelming popularity of Microsoft Office.⁶

The DoD's and Services' Information Assurance processes helped ensure that Melissa's impact on DoD and the Services was minimal. The Army began receiving the virus shortly before 5:00 p.m. on Friday, March 26, 1999. Half an hour later, the Army Computer Emergency Response Team (ACERT) began receiving notices from its Regional CERTs (RCERT), and by 6:00 a.m., the virus had spread throughout DoD systems worldwide.

Once users began receiving E-mail from known acquaintances but with an "out-of-character" attachment, they began contacting their local systems administrators who, in turn, alerted the ACERT at Ft. Belvoir, Virginia, and the technical support staff at Microsoft (which created the software the virus was designed to run on), and McAfee and Norton, two anti-virus companies. After the virus was discovered, a restriction was placed on the size of E-mail attachments. A message was distributed to all E-mail users, instructing them to not open attachments or enable macros in Microsoft Word documents they received via E-mail unless they were sure of the document's origin.

Working in concert with industry, Government officials were able to detect and attack the virus and implement fixes that were distributed to systems administrators and users in record time. RCERTs went to a heightened level of management and detection, and the Army Signal Command directed the information management officials at 18 major facilities to scan E-mail servers using an application received from Microsoft and delete E-mail traffic infected with the virus. Throughout the night, ACERT coordinated reports, orchestrated solutions to the virus with McAfee and Norton, and assisted system administrators with installing fixes. By Monday, March 29, 1999, the virus was contained and eradication was well on its way. This reaction established a process termed "Positive Control," and the proactive efforts of all involved made this rapid containment happen, along with the close cooperation with the software industry.⁷

Disinfecting Melissa was actually a fairly simple process, even if labor intensive. Ordinarily, the fix would have merely involved retrieving the latest virus definitions from a reputable virus-scanning source, such as Norton or McAfee, and scanning client and server hard drives. The glitch in Melissa's case was that these virus-scan-

this stage of their existence, viruses can easily replicate into boot sectors or subsequently launched applications.

Non-Memory-Resident Viruses

These viruses can infect the system only when the host application is running. When the host application is closed, the virus is closed down as well. Therefore, if applications are opened after a host application is closed, there is no danger of infecting the system with that specific virus at that time.

Companion Viruses

To understand this characteristic, it is helpful to have a basic understanding of the sequential order of how system files work. In launching an executable file, either the user manually issues a command or the interface executes a command. Most applications have a file-type (FT) extension of *.EXE. When invoking these commands, the user or the computer enters the name of the application without the extension. The computer executes other system files with the same name before executing the *.EXE application's FT. A companion virus creates a name that matches the *.EXE file name but with a different extension (e.g., *.COM). The *.EXE still executes; however, the *.COM (infected file) launches first and infects the system. Most antiviral software packages can identify this characteristic.

Bomb

A bomb is a type of Trojan Horse that is used to release a virus, a worm, or some other system attack. It is either an independent program or a piece of code that has been planted by a system developer or a programmer. A bomb works by triggering some kind of unauthorized action when a particular date, time, or condition oc-


ners were caught relatively off guard with this virus. Normally, anti-virus software companies know about new viruses long before they are released and, therefore, are able to release updated virus definitions to their clients before the danger arrives. For some reason, Melissa was kept under close wraps until its release on March 26. In the end, the damage caused by Melissa will be measured in the millions of dollars. But the lessons learned from this attack are being institutionalized. Contagion in cyberspace can be contained.

Colonel Deal is the Commander, U.S. Army Information Systems Engineering Command, Ft. Huachuca, Arizona. He earned an M.S. in Electrical Engineering from the Naval Post Graduate School and an M.A. in National Security Studies from the Naval War College, and an M.A. in International Relations from Salve Regina University.

Major Gage is the Operations Officer for the News Systems Training Office, Directorate of Combat Development, 306th MI BN, Ft. Huachuca, AZ. She has a B.S. in Biology from Florida Southern College, an M.S. in Material Acquisition Management from Florida Institute of Technology, a M.S. in Engineering Management from University of Missouri-Rolla, and a M.A. in Computer Information Resource Management from Webster University.

Robin Schueneman supports the Army's Information Assurance Directorate of DISC4. She is the DISC4 lead to the Information Assurance Vulnerability Alert (IAVA) Compliance Verification Team (CVT). Ms. Schueneman earned a B.A. in Communications from UNC-Chapel Hill, North Carolina in 1994.

    Endnotes

1. Symantec Corporation, Computer Viruses: Past, Present and Future, Anti-Virus Research Center, March 29, 1999.

2. Ibid.

3. Lowenthal, Overview of Computer Viruses, Information Paper, SAIS-IAS, March 1999.

4. Ibid.

5. Davy, Jo Ann, "Virus Protection," Managing Office Technology, 1998.

6. Schwartz, John, "New Virus Snarls E-Mail Systems," The Washington Post, p. E1 (March 30, 1999).

7. Singer, Jeremy, "Melissa blunted by response teams QUICK RESPONSE MAKES ARMY SYSTEMS VIRTUALLY IMMUNE TO E-MAIL VIRUS," Inside the Army (April 5, 1999).

    Bibliography

Corbitt, Terry, "Datafiles in Danger," Accountancy, available online at: http://proquest.umi.com/pqdeb (January 1999).

Davy, Jo Ann, "Virus Protection," Managing Office Technology, available online at: http://proquest.umi.com/pqweb (1998).

Jarvis, Kenneth, "Demystifying Computer Viruses," Management Accounting, available online at: http://progquest.umi.com/pqdweb (April 1997).

Lowenthal, "Overview of Computer Viruses," Information Paper, SAIS-IAS (March 1999).

Russell, Deborah & Gangemi, G.T., Ed., "Viruses and Other Wildlife," Computer Security Basics (United States of America, O'Reilly and Associates, Inc., 1991) pp. 79-88.

SANS Newsbites, available online at: http://www.sans.com (March 1999) and http://securityportal.com

Schwartz, John, "New Virus Snarls E-Mail Systems," The Washington Post, p. E1 (March 30, 1999).

Singer, Jeremy, "Melissa blunted by response teams QUICK RESPONSE MAKES ARMY SYSTEMS VIRTUALLY IMMUNE TO E-MAIL VIRUS," Inside the Army (April 5, 1999).

Symantec Corporation, "Computer Viruses: Past, Present and Future," Anti-Virus Research Center, available online at: http://www.symantec.com/avcenter/reference/corpst.html (March 29, 1999).

curs. There are two types of bombs: time and logic. A time bomb is set to go off on a particular date or after some period of time has elapsed. The Friday the 13th virus was a time bomb. A logic bomb is one that is set to go off when a particular event occurs. Software developers have been known to explode logic bombs at key moments after installation—if, for example, the customer fails to pay a bill or tries to make an illicit copy.

Spoof

This is a generic name for a program that tricks unsuspecting users into giving away privileges. Often, the spoof is perpetrated by a Trojan Horse mechanism in which an authorized user is tricked into inadvertently running an unauthorized program. The program then takes on the privileges of the user and may run amok.

Bacteria

These are programs that do nothing but make copies of themselves, but by doing so they will eventually use up all system resources (i.e., memory, disk space).

Rabbits

This is another name for rapidly reproducing programs.

Crabs

These programs attack the display of data on computer terminal screens.

Salami

Salami slices away (rather than hacking away) tiny pieces of data. For example, salami alters one or two numbers or a decimal point in a file, or it shaves a penny off a customer's bank interest calculations and deposits the pennies in the intruder's account.

The U.S. Military Academy (USMA) at West Point confronts a novel information age challenge—to balance the needs of a dynamic, technology-rich undergraduate experience for 4,000 cadets with the availability, security, and interoperability concerns for an enterprise local area network (LAN) operating within the Department of Defense (DoD) network infrastructure. Despite

resource, technology, and culture challenges, this balancing act has been unusually successful over an evolution spanning the 10 years since the USMA network was created in 1989. Perhaps surprisingly, cadets' education benefits from the moderate discipline imposed by operating the network in accordance with DoD requirements and professional best practices. Typical university data networks, by contrast, operate as mostly unfettered services in which almost "anything goes" with regard to hardware, software, protocols, and modes of use. Although this approach affords great individual freedom, its overall effect may be to reduce network usefulness. Recent trends in campus computing seem to be drawing the rest of academe closer to the computing model employed at West Point.

West Point occupies a rare crossroads of ".edu" and ".mil" domains. This is literal in the sense that many network hosts have names in each domain. Browsing www.usma.army.mil will take a virtual visitor to the same place as www.usma.edu and www.westpoint.edu. The Academy is first and foremost a primary commissioning source for Army officers. It is an Army post, and the post network is an Army information system. "Dot mil" naming and conformance to DoD/Department of the Army (DA) standards is expected and required. However, West Point is also a tier I, accredited academic institution with strong ties to the academic community for research and other professional exchanges. Military and civilian faculty members find that in some settings, an ".edu" address communicates the seriousness with which the USMA views its role in undergraduate teaching, learning, and research.

Attracting the best qualified of America's high school graduating class each year is an essential aspect of the West Point program. Among bright, knowledgeable high school students, sophisticated technological infrastructure is high on the list of criteria for college choices. After admission, cadet families expect and deserve electronic mail (E-mail) and other electronic contact with their cadets. It follows that a principle of information assurance (IA) at West Point is to support technology programs and systems that meet the expectations of diverse clients outside the gate. Connecting with the American public is essential to fulfilling its institutional mission, so West Point can seldom afford to escape risk by reducing access.

    The military/educational du-ality continues inside the gate.Inq
