Editors - CSIAC · 2018-05-22


Editors
Robert P. Thompson
Robert J. Lamb

Creative Director
Christina P. McNemar

Information Processing
Robert L. Weinhold

Information Collection
Alethia A. Tucker

Inquiry Services
Peggy O'Connor

Contributing Editor
Martha Elim

IAnewsletter is published quarterly by the Information Assurance Technology Analysis Center (IATAC). IATAC is a DoD sponsored Information Analysis Center, administratively managed by the Defense Technical Information Center (DTIC), Defense Information Systems Agency (DISA).

Inquiries about IATAC capabilities, products and services may be addressed to:

Robert P. Thompson
Director, IATAC
703.289.5454

We welcome your input! To submit your related articles, photos, notices, feature programs or ideas for future issues, please contact:

IATAC
ATTN: Christina P. McNemar
3190 Fairview Park Drive
Falls Church, VA 22042
Phone 703.289.5454
Fax 703.289.5467
STU-III 703.289.5462

E-mail: [email protected]

URL: http://iac.dtic.mil/iatac

Cover and newsletter designed by Christina P. McNemar

Distribution Statement A: Approved for public release; distribution is unlimited.

IAnewsletter

on the cover
The Hexagon—A U.S. Joint Forces Command Solution to Coalition Interoperability
Mr. Craig Vroom, Mr. Allan H. McClure ... 3

USEUCOM Information Assurance Conference
Mr. Kent Waller ... 5

ia initiatives
JTF-CND Intelligence Support
CDR Robert D. Gourley, USN ... 7

ZENITH STAR
MAJ Gerald Burton, USA; Mr. Richard Phares ... 10

Distributed Denial of Service Tools
1Lt Brian Dunphy, USAF ... 11

Air Force Materiel Command's Information Defense
Col Kevin J. Kirsch, USAF ... 13

Information Assurance—The Army Prepares for the Next Generation of Warfare
MAJ Robert Turk, USA; CPT Shawn Hollingsworth, USA ... 15

The Burning Zone—Containing Contagion in Cyberspace
COL John C. Deal, USA; MAJ Gerrie A. Gage, USA; Ms. Robin Schueneman ... 18

Computing on the Virtual Border—.mil meets .edu
LTC Eugene K. Ressler, USA; COL Clark K. Ray, USA ... 24

In Pursuit of the "Trustworthy" Enterprise
Mr. Sean P. O'Neil ... 27

in each issue
IATAC Chat, Mr. Robert P. Thompson ... 29
Products ... 32
IATAC Product Order Form ... 35
Calendar of Events ... Back Cover

IAnewsletter • Volume 3, Number 3 • http://iac.dtic.mil/IATAC


THE HEXAGON
A U.S. Joint Forces Command Solution to Coalition Interoperability

Mr. Craig Vroom
Mr. Allan H. McClure

"Successful completion of the CMHP project will require careful transition from risk avoidance to risk management in the way classified information is managed and safeguarded."
Admiral Harold Gehman, Commander in Chief, United States Joint Forces Command

Support to coalition operations in the future is an information assurance challenge today. Since 1994, little has changed in the methods and mechanisms we use to provide information to our allied partners. As each coalition operation (Haiti, Somalia, Bosnia, Kosovo) comes and goes, the lessons learned statements always cry for improved interoperability within the coalition. The requirements are well documented throughout the Department of Defense (DoD). Even Joint Vision 2010, the DoD road map for the future, states, "It is not enough to be joint when conducting future operations. We must find the most effective methods for integrating and improving interoperability with allied and coalition partners." True interoperability with our allied partners will come only after we have an information exchange system designed from the ground up for use by coalition forces.

Colonel Dennis Treece's article in the Spring 1999 IAnewsletter was right on target in describing the shortcomings and challenges of releasing and disseminating classified military information to our multinational partners in a coalition environment. As Colonel Treece says, the "really hard part, the 'Achilles heel' of coalition information sharing, is the mechanism by which any nation transfers information outside its own system." Because of valid security policy restrictions, we are not allowed to connect our Defense networks to multinational networks, thus creating the need for "sneaker nets"—literally, running the releasable information from the U.S. side, across an air gap, to the multinational side. Anyone who has experienced the pain of this method knows its difficulties and limitations. (In 1994, those of us in U.S. Atlantic Command had our turn when we provided information support to the 29 countries involved in Haiti peace operations.)

U.S. Joint Forces Command (USJFCOM, formerly U.S. Atlantic Command) is responsible within DoD for joint task force (JTF) interoperability. At Joint Forces Command, we have embarked on building a system for secure information exchange. It is called the Coalition Multilevel Security (MLS) Hexagon Prototype, or CMHP. The CMHP is composed of six functions that will allow us to exchange information with our allies in a secure, flexible manner.

Side 1 of the Hexagon (Figure 1 on page 4), Marking Standards, uses the classification and control marking standards adopted by the U.S. intelligence community. These standards were coordinated by the Controlled Access Program Coordinating Office (CAPCO) and continue to be fine-tuned by CAPCO as required.

Side 2 of the Hexagon is called Document Marking, which is designed to implement human-readable markings. Basically, this software enables the information originator to mark Microsoft Word, PowerPoint, and Excel documents in accordance with the CAPCO and Executive Order 12958 standards. The marking is a simple operation, done with the point and click of a mouse and made still easier by pull-down menus that provide choices for basic classification, caveats, and "release to" options for countries, coalitions, operations, organizations, and exercises. Once the document is marked, it is then transformed into a "computer-readable" label, side 3 of the Hexagon. A digital signature attaches the label to the document, which is then encrypted and sent to the "Coalition Server," an Oracle 8 relational database management system.

Hexagon's side 4, Personal Authentication, is the linchpin of CMHP. A personal token called a Hexcard allows us to identify the user and all of his or her security attributes. Much as an automated teller machine (ATM) card does, the Hexcard will store a user's fingerprint template and a credential set based on his or her clearance levels, citizenship, and need-to-know roles. Hexcards will be inserted into workstation smart-card readers to identify the user to the system.

Side 5 of the Hexagon is the hardware, including NT workstations, fingerprint scanners, and smart-card readers, required for the CMHP.

Hexagon's side 6 is Security Management. A special staff security officer must be assigned to coordinate system security requirements, issue Hexcards to CMHP participants, understand the information assurance requirements, and monitor the system for improper attempts to access data.

The Hexagon concept provides the flexibility required in coalition-supported joint task force operations by encrypting and protecting the object, rather than the network. This is the key difference between CMHP and other multilevel security (MLS) solutions. Using object protection, we can compare the attributes of an individual with the objects that reside in the server. If there is a match, the coalition participant can retrieve and decrypt the document.

The CMHP will be tested and demonstrated at the Joint Battle Center (JBC) in Suffolk, Virginia, in May 2000. The objective of the demonstration will be to bring existing technologies together to allow users with different clearance levels from different countries to use the same local area network and gain access only to information they are authorized to see. After the concept is demonstrated, the Joint Battle Center will provide an independent assessment of the system's military utility.

The ultimate goal of the Hexagon is to provide the joint task force commander a tool that increases the effectiveness of communications with allied or interagency forces.

Mr. Craig Vroom is the International Programs Branch Chief at U.S. Joint Forces Command, located in Norfolk, Virginia. He has an undergraduate degree in Computer Science from San Diego State University and is currently participating in DoD's Defense Leadership and Management Program (DLAMP). You may reach him via E-mail at [email protected].

Mr. Allan McClure is a Lead Engineer supporting the US Joint Forces Command Director for Intelligence. During the last seven years, he has helped in the implementation of Intelink and developed a collaborative architecture for the Non-Proliferation Center, a Director for Central Intelligence (DCI) controlled activity. He may be reached at [email protected].

Figure 1. Coalition MLS Hexagon Prototype

Figure 2. CMHP HexCard


USEUCOM Information Assurance Conference

Mr. Kent Waller

Brigadier General Charles E. Croom.

Brigadier General Charles E. Croom, director, United States European Command (USEUCOM)/J6, hosted USEUCOM's first Information Assurance Conference, 30 November–2 December 1999, at the Abrams Center in Garmisch-Partenkirchen, Germany. The conference had three purposes:

• To present pressing information assurance (IA) issues and review associated IA products

• To foster teamwork and synergy among key IA players in the theater

• To provide the latest IA informational updates for theater IA personnel.

Framework

The conference attracted a total of 162 people, representing Headquarters (HQ) USEUCOM, U.S. Army Europe (USAREUR), U.S. Air Forces Europe (USAFE), US Naval Forces Europe (USNAVEUR), Marine Forces Europe (MARFOREUR), Special Operations Command Europe (SOCEUR), the Defense Information Systems Agency (DISA), the National Security Agency (NSA), and other commands, such as U.S. Special Operations Command (USSOCOM), U.S. Pacific Command (USPACOM), and U.S. Central Command (USCENTCOM), as well as several other DoD agencies involved in USEUCOM IA.

By design, all levels of IA professionals, from enlisted to general officer grades, participated in the sessions. This arrangement ensured expression of various viewpoints at the forum and enabled individuals with hands-on working experience to interact directly with policy makers at the highest levels.

Each morning's general session started with a senior-level keynote address. The speakers were Brigadier General Gary Salisbury, DISA/D6; Mr. Richard Schaeffer, Office of the Secretary of Defense (OSD), Command, Control, Communications, and Intelligence (C3I); and Mr. Orville Lewis, NSA/DDI Chief of Staff. All addresses were followed by extended question-and-answer sessions that immediately indicated a very high level of interest in the rapidly developing IA field.

Immediately following the keynote addresses were general session presentations from theater-specific IA leaders. A total of six speakers (two per day) from USNAVEUR, HQ USEUCOM, USAREUR, USAFE, and the North Atlantic Treaty Organization (NATO) presented issues and fielded questions.

The afternoons were divided into three in-depth breakout tracks in the areas of operations, computer security (COMPUSEC), and communications security (COMSEC). These sessions were smaller in number of participants, more technical, and more discussion oriented than the general sessions.

Operations discussions focused primarily on lessons learned from Kosovo operations and plans for future support. COMPUSEC participants dealt with information assurance vulnerability alerts (IAVA) issues and discussed the technical details of dealing with theater-specific threats.

The COMSEC sessions, which were often filled to capacity, explored the areas of key management infrastructure, software test environment (STE) migration, Defense Message System (DMS) fielding, and Global Broadcast Service (GBS) fielding.

Selected special session presenters were invited to display products and services particularly associated with USEUCOM IA issues.

Theater Action Team

To ensure meaningful conference results, a Theater Action Team (TAT) was formed. Composed of key IA decision makers in the USEUCOM theater and chaired by Brigadier General Croom, the TAT met each evening to review and debate the many issues raised by the breakout tracks. After narrowing the number of issues, the team selected 20 action items; ranked each item's priority as high, medium, or low; and assigned each action to an office of primary responsibility (OPR) with a deadline for accomplishment.

The TAT results were extremely well received by all conference participants. As a result of its success, the conference has led to the development of a new European Information Assurance Steering Council composed of senior IA leaders and aimed at providing continuing, unified guidance to theater IA personnel.

Additional Information

All conference materials, including the TAT action items, attendee lists, and briefings, are available for download from the HQ USEUCOM SIPRNET Web site.

The office with primary responsibility for the conference was the HQ USEUCOM C3I Directorate's Defensive Information Warfare Division, directed by Col LaForrest Williams, U.S. Air Force (USAF). On behalf of Brigadier General Croom, this group extends appreciation to all the speakers who made the conference a success.

Mr. Kent Waller is an Information Assurance Program Manager for HQ United States European Command. He earned his B.S. in Engineering from the University of Oklahoma in 1986 and his Master of Public Administration from the University of Oklahoma in 1990. He may be reached at [email protected].


JTF-CND Intelligence Support

CDR Robert D. Gourley, USN

The Joint Task Force for Computer Network Defense (JTF-CND) is a new organization with a new mission: to direct the defense of all Department of Defense (DoD) computers and networks and the information that moves in them from any threat, foreign or domestic. Our intelligence (J2) role on this team resembles any other JTF-level intelligence effort. That mission is to provide the commander, the JTF-CND staff, and assigned components with all-source, fused, predictive intelligence on enemy locations, capabilities, and intentions. The JTF-CND J2 must understand the enemy in cyberspace, and must provide decision-makers with the actionable intelligence required to support defensive operations.

That task is easier said than done. Those who choose to attack or exploit our information systems operate with great anonymity in globally interconnected networks. Additionally, our adversaries are armed with software tools that strike at the speed of light, and use tactics that are hard to detect in the noise of the net.

Finding the enemy in cyberspace is also complicated by the nature of this new terrain. There are few useful charts by which to orient us and little agreement on what the concept of "cyberspace" means. Perhaps the most useful definition remains William Gibson's original explanation of the term: Cyberspace is "a consensual hallucination experienced daily by billions... [an] unthinkable complexity." Try visualizing enemy locations in that!

The adversary may be a terrorist attempting to attack Department of Defense (DoD) networks to draw attention to a cause or to slow our response to an act of physical terror. Threats also come from espionage agents seeking to acquire sensitive but unclassified information for use by a foreign state or criminal organization. We may soon face nation state adversaries in cyberspace who seek military advantage, possibly by attacking our combat support infrastructure or, in perhaps the most insidious attack, by attempting to manipulate the perceptions of senior DoD decision makers.

Although the computer network defense intelligence problem is complex and relatively new, developing JTF-CND intelligence tactics, techniques, and procedures (TTP) has been simple and straightforward. We have based most of our TTPs on the existing playbook for JTF intelligence support, the Joint Staff's Joint Doctrine for Intelligence Support to Operations (Joint Pub 2-0). Using intelligence doctrine as the bedrock for JTF-CND intelligence TTPs has already paid off. Following doctrine has increased the intelligence community focus on and support of the CND mission.

Joint Pub 2-0 also directly assisted in planning for the U.S. Space Command (SPACECOM) assumption of the DoD CND mission, which occurred 1 October 1999. Intelligence staffs at SPACECOM and JTF-CND quickly realized the importance of adhering to joint doctrine wherever possible. Using joint doctrine allowed us to clarify important aspects of the new relationship, including the most efficient means of handling intelligence collection and production requirements and appropriate division of labor between CINC and JTF intelligence personnel.

The central principle: Know the adversary. Perhaps Joint Pub 2-0's most critical contribution is a clear articulation of the general functions that must be conducted by a JTF J2. It also provides guidance on how these functions should be carried out. The following points show JTF-CND J2 application of these principles.

The fundamental responsibility of the JTF-CND J2 is to provide JTF-CND decision makers with the fullest possible understanding of the cyber threat. This understanding must include knowledge of the adversary's goals, objectives, strategy, intentions, capabilities, methods of operation, vulnerabilities, and sense of value and loss. To provide this understanding, the JTF-CND J2 and intelligence staff must develop and continuously refine an ability to think like the cyber threat.

Intelligence support is critical to operational success. JTF J2 staff must understand the adversary in order to support operations. Intelligence must be made actionable by tailoring it into a useful form and then getting it into the hands of the commander, the operations division (J3), and other JTF decision makers. Operations support also requires J2 assessment of J3 intentions from the adversary's perspective to determine probable adversary responses.

Intelligence support requires the integration of intelligence efforts at strategic, operational, and tactical levels. Strategic intelligence is used to formulate defensive strategies and operations at national and theater levels, making both SPACECOM and JTF-CND key consumers of intelligence produced on the cyber threat to our Nation. Operational intelligence is used by SPACECOM and JTF-CND to determine defensive objectives and to support the planning and conduct of CND operations. Tactical intelligence required for CND is a new discipline that is still in an initial stage. When fully developed, tactical intelligence procedures and processes will support rapid reaction to tactical threats by JTF-CND components.

Strategic, operational, and tactical intelligence must be employed in a way that reduces our chances of being deceived or surprised. Deception and surprise are inherent factors in cyberspace, however, and will probably always be concerns.

Intelligence sources are the means or systems used to observe, sense and record, or convey information. JTF-CND J2 staff must understand the strengths and weaknesses of all intelligence sources relevant to this mission area. The seven primary intelligence sources are imagery intelligence, human intelligence, signals intelligence, measurement and signature intelligence, open source intelligence, technical intelligence, and counterintelligence. Unity of effort is maintained by tasking these disciplines in accordance with joint doctrine. All results are fused to provide the best possible assessments. Integration also helps reduce deception and surprise.

Intelligence supports all aspects of JTF-CND operations. JTF-CND J2 will participate in planning from the outset of any operation. Early involvement in JTF-CND planning will allow the J2 to articulate intelligence collection and production requirements to the intelligence community and to formulate, at an early stage, intelligence guidance for JTF-CND components. It will also allow the J2 to provide intelligence at every stage of the decision-making process.

Providing understanding of the enemy to support counterintelligence and operational security measures. Concurrent with the JTF-CND planning and operating process, the J2 will provide the commander with an understanding of the adversary's command and control processes and adversary intelligence collection capabilities, so appropriate operational security and counterintelligence operations can be implemented.

Evaluating the effects of defensive operations. The JTF-CND J2 will assist the JTF commander and J3 in evaluating operational results and determining when objectives have been attained, so forces may be reoriented or operations terminated. Some defensive measures that may have to be taken on DoD networks to thwart a sophisticated adversary could affect millions of DoD computer users, making intelligence support for exit strategies of paramount importance.

Intelligence systems will be interoperable, usable, scalable, reliable, and user-friendly. Joint Pub 2-0 provides overarching guidance on establishment of a joint intelligence architecture for support to a JTF. Much of this architecture already exists in the military intelligence community infrastructure. CND intelligence architecture is based on the Joint Worldwide Intelligence Communications System (JWICS) and the Joint Deployable Intelligence Support System (JDISS). By tailoring JWICS and JDISS to the JTF-CND mission, JTF-CND joins a network linking the entire intelligence community.

New threat databases are being established to support this mission, and many new intelligence fusion, collaboration, and visualization tools are being developed to support CND intelligence analysts. As they are developed, strict adherence to joint doctrine and joint standards (where they exist) will help ensure interoperability and proper mission focus.

Intelligence TTPs must be understood by all players. A key reason for having joint doctrine is to know how the rest of the team will play. Intelligence TTPs spell these plays out in detail, describing agreed-upon ways that organizations interact. For example, JTF-CND components will follow joint doctrine in stating intelligence collection and production requirements to JTF-CND for further validation, prioritization, and tasking. When operations require, JTF-CND will issue statements of intelligence intentions to components, clarifying additional support procedures tailored to the particular mission. Component commanders will also provide feedback to the JTF on Service-related issues affecting the joint command, and will plan and develop implementing instructions for wartime intelligence support, including augmentation of joint forces.

Many aspects of this new mission area have yet to be covered by joint doctrine. That is to be expected in any modern military operation. But by starting with a foundation in joint doctrine, areas that have yet to be resolved are being discovered quickly and dialog is already underway to address them.

A Final Note

Operational units in the field or fleet who have a need for intelligence on cyberthreats can also rely on joint doctrine for intelligence. It is the basis for J2 procedures in every CINC area of responsibility, and is worth a good read by all uniformed professionals.

Commander Gourley is the Director of Intelligence, Joint Task Force-Computer Network Defense (J2, JTF-CND). He received a B.S. in Chemistry from Middle Tennessee State University in 1981, an M.S. in National Security Affairs from the Naval Postgraduate School in 1985, and an M.S. in Military Science from the Marine Corps University in 1996. He may be reached at [email protected].

Endnotes

Gibson, William. Neuromancer. Berkley Publishing Group, New York, NY, July 1984.

Joint Pub 2-0, Joint Doctrine for Intelligence Support to Operations. Pentagon, Washington, D.C., 5 May 1995.

Joint Pub 2-0, III-4.

Joint Pub 2-0, vii.

Joint Pub 2-0, xi.

Joint Pub 2-0, x.


ZENITH STAR

MAJ Gerald Burton, USA
Mr. Richard Phares

On 13 and 14 October 1999, IATAC conducted an exercise on information operations (IO) for computer network defense (CND) for the Joint Task Force for CND (JTF-CND). This tabletop exercise, Zenith Star 99-1, was designed to look both at a CND scenario similar to that used for Eligible Receiver 97-1, and at the interagency working-level coordination necessary to react to such a scenario. Zenith Star 99-1 also exercised the JTF-CND Tactics, Techniques, and Procedures (TTPs) and assessed progress made since the JTF-CND stand-up in December 1998. Although the exercise used the Eligible Receiver 97-1 scenario as a base, it did not replay that exercise completely. Instead, it focused primarily on CND-related events to determine how new DoD organizations and processes built since Eligible Receiver 97-1 affect the CND community's response to a similar crisis.

More than 55 participants attended the exercise, including players from U.S. Space Command (SPACECOM), the National Infrastructure Protection Center (NIPC), the National Security Agency (NSA), the Defense Intelligence Agency (DIA), the Central Intelligence Agency (CIA), the Assistant Secretary of Defense for Command, Control, Communications, and Intelligence (ASD C3I), the Joint Staff, and JTF-CND and its component commands. Several observers from U.S. Pacific Command (PACOM), U.S. Special Operations Command (SOCOM), U.S. Joint Forces Command (JFCOM), the National Communications System (NCS), and others also attended. Facilitators included personnel from both IATAC and JTF-CND.

Zenith Star 99-1's goal was to foster understanding of the process and products required in interagency coordination and the resulting impacts on the CND community's ability to perform its mission. The exercise achieved this goal by helping participants accomplish four specific objectives:

• Understanding the roles of new CND organizations in responding to a contingency similar to Eligible Receiver 97-1 in scope and complexity

• Understanding interagency coordination requirements

• Examining processes and procedures for JTF-CND coordination with other supporting agencies (e.g., NIPC, Intel)

• Understanding needs for improvement highlighted by several communities—intelligence, law enforcement and counterintelligence, and operations.

The exercise structure included information briefings and "hot washes." Zenith Star 99-1 emphasized team play, so information briefings were kept to the bare minimum required. The exercise clock began while participants received their "situation briefing"—exercise time and real time were one and the same. Participants were divided into functional teams as follows:

• Operations team (SPACECOM, JTF-CND and its components)

• Intelligence team (CIA, DIA, NSA)

• Law enforcement/counterintelligence team (Defense Criminal Investigative Organizations, NIPC)

• Other team (Joint Staff, Office of the Secretary of Defense [OSD])

Participants within teams were allowed to communicate freely with each other. Communications among teams, however, were strictly regulated. Participants used either real communications (the secure telephone units, third generation [STU-III] available in each team room, or face-to-face meetings arranged through the facilitators) or simulated communications (fax and E-mail). Additionally, the Control Cell brought participants together in a forum that allowed them to share information and work together on their responses.

Team play was driven by "Red Force" actions: teams received injects describing specif-

continued on page 14

Page 11: Editors - CSIAC · 2018-05-22 · to CMHP participants, under-s t and the information assur-ance requirements, and moni-tor the system for impro p e r attempts to access data. The

http://iac.dtic.mil/IATAC  IAnewsletter • Volume 3, Number 3

Distributed Denial of Service Tools
1Lt Brian Dunphy, USAF

It was a dark and stormy night… With nothing else to do, you search for “places that don’t rain” using your favorite Web search engine only to get an ominous “Error 404.” It is quite possible that the search engine’s Web site is under attack from hundreds of systems at once, just as Yahoo’s page was in mid-February for 3+ hours. Could such a coordinated attack occur in reality? Unfortunately, a single individual could, with relative ease and little chance of repercussion, stage such an attack using a new breed of tools referred to as Distributed Denial of Service (DDoS) tools.

Reality #1
The number of poorly configured systems connected to the Internet is rapidly increasing. This is partially the result of well-connected university dormitories and high-speed connections to the home (cable modems and DSL connections).

Reality #2
Based on the observed rate of network-wide probes and publicly available hacker tools, intruders are more interested in the number of compromised hosts than in specific targets.

The reality is that, using publicly available tools, a determined intruder can compromise 100+ systems Internet-wide in a matter of days. Sadly, the number of vulnerable systems riding the Internet has outpaced a typical intruder’s ability to do something useful with the compromised systems. Distributed intruder tools have matured in this environment and now enable an intruder to use a large number of compromised systems in a coordinated and collective manner. The first widely used example of distributed intruder tools is denial of service tools, though others are expected to follow shortly. With the current generation of tools and little effort, an intruder can flood a target with a massive amount of traffic from hosts around the world. These DDoS tools go by names such as Trin00, Tribe Flood Network (TFN) and Stacheldraht and are available for UNIX and Windows systems. It is believed that variants of these tools were used to successfully launch large-scale attacks against popular Web sites such as Yahoo, eBay, CNN and others. Many of the victims have been very well connected sites with over a gigabit per second of sustained bandwidth.

The current generation of DDoS tools requires an intruder to install a “daemon” on each of the compromised systems. At least one “master” system keeps track of the daemon systems and directs the attack. When prompted by an intruder, the master contacts each of the daemons and specifies the target and method of attack. From the victim’s perspective, they appear to be under attack from hundreds of systems from around the world all at once.

There are two primary computer network defense goals with relation to the recent distributed attacks:

1. Don’t be a participant in an attack.

The Internet community is already struggling with the scale of these attacks. Vulnerable DoD systems can be unwitting participants in a DDoS network, serving only to increase the scale and complexity.

The current set of DDoS tools is installed after a system has been compromised by an intruder; the tools themselves do not exploit any specific vulnerability. Based on past incidents, most DoD compromises are the direct result of unpatched vulnerabilities that DoD’s Information Assurance Vulnerability Alert (IAVA) process has documented (http://www.cert.mil/iava). Sites are encouraged to routinely check their systems for IAVA compliance. Sites are also advised to do the following:

• Periodically run DDoS scanning tools. Sites are encouraged to use either vendor or government developed tools to detect known instances of DDoS tools.

—The National Infrastructure Protection Center (NIPC) has produced a host-based scanning tool to detect known DDoS tools. The tool only runs on Solaris and Linux at the time of this article. The tool is available on the DoD-CERT’s homepage (http://www.cert.mil/resources/security_tools.htm).

—The current DoD contracted antivirus vendors, Symantec and McAfee, have developed signatures to detect the Windows variants of the DDoS tools.

• Sites are encouraged to pressure their vendors (antivirus, intrusion detection, etc.) to update their detection signatures if they have not already done so.

• Enable anti-spoofing rules at the enclave perimeter. Sites should configure their perimeter firewall and router to only allow out traffic with valid source IP addresses. Many of the tools spoof their source IP address to make the attack look like it is originating from somewhere else.

• Disable directed broadcast at the enclave perimeter. Sites should configure their router and firewall to disallow network traffic destined for their broadcast address.
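The last two recommendations are rules a perimeter device evaluates per packet. The following is an added example, not code from the article or from any DoD tool: it models the egress anti-spoofing rule (and its ingress mirror) and the directed-broadcast rule as a small filter and runs it over a constructed batch of packet records. The enclave prefixes, the Packet record and the sample traffic are assumptions made for illustration.

```python
"""Perimeter egress/ingress checks against DDoS participation (added example).

Not from the IAnewsletter article: it models the two router/firewall rules the
article recommends (drop outbound packets whose source is not one of the enclave's
own prefixes; drop packets addressed to an enclave broadcast address) and applies
them to constructed packet records. Prefixes and packets are assumptions.
"""
import ipaddress
from dataclasses import dataclass

# Assumed enclave address space (RFC 1918 space, purely for illustration).
ENCLAVE_PREFIXES = [ipaddress.ip_network("10.20.0.0/16"),
                    ipaddress.ip_network("192.168.100.0/24")]


@dataclass(frozen=True)
class Packet:
    direction: str   # "out" = leaving the enclave, "in" = arriving from the Internet
    src: str
    dst: str


def broadcast_addresses(prefixes):
    """Directed-broadcast targets: the broadcast address of every enclave prefix."""
    return {net.broadcast_address for net in prefixes}


def in_enclave(addr, prefixes):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in prefixes)


def classify(pkt, prefixes=ENCLAVE_PREFIXES):
    """Return (verdict, reason) for one packet under the two perimeter rules."""
    dst = ipaddress.ip_address(pkt.dst)
    # Rule 2 (both directions): never forward traffic to an enclave broadcast
    # address; this is what a broadcast amplifier ("smurf"-style) attack relies on.
    if dst in broadcast_addresses(prefixes):
        return "drop", "directed broadcast to %s" % pkt.dst
    if pkt.direction == "out":
        # Rule 1 (egress anti-spoofing): a packet leaving the enclave must carry one
        # of the enclave's own source addresses. A DDoS daemon inside can then only
        # flood as itself, which makes it easy to trace and shut down.
        if not in_enclave(pkt.src, prefixes):
            return "drop", "spoofed source %s leaving enclave" % pkt.src
    elif pkt.direction == "in":
        # Ingress mirror of rule 1: traffic arriving from the Internet that claims
        # an internal source address is spoofed by definition.
        if in_enclave(pkt.src, prefixes):
            return "drop", "internal source %s arriving from outside" % pkt.src
    return "permit", "ok"


def filter_packets(packets, prefixes=ENCLAVE_PREFIXES):
    """Apply classify() to a batch; returns a list of (packet, verdict, reason)."""
    return [(p,) + classify(p, prefixes) for p in packets]


# Constructed sample traffic (not captured data).
SAMPLE = [
    Packet("out", "10.20.5.7", "198.51.100.10"),       # normal outbound
    Packet("out", "203.0.113.9", "198.51.100.10"),     # daemon spoofing a foreign source
    Packet("in", "10.20.1.1", "10.20.5.7"),            # spoofed internal source from outside
    Packet("in", "198.51.100.10", "10.20.255.255"),    # directed broadcast (amplifier probe)
    Packet("in", "198.51.100.10", "10.20.5.7"),        # normal inbound reply
]

if __name__ == "__main__":
    for pkt, verdict, reason in filter_packets(SAMPLE):
        print(f"{verdict:6} {pkt.direction:3} {pkt.src:>15} -> {pkt.dst:<15} {reason}")
```

On a Cisco IOS perimeter router the same two rules are the interface commands `ip verify unicast reverse-path` (unicast RPF, which drops packets whose source is not reachable through the interface they arrived on) and `no ip directed-broadcast`; on a firewall they are an outbound rule permitting only the enclave's own source prefixes and an inbound deny for the broadcast addresses.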

2. Don’t be a victim of a DDoS attack.

While it has not happened to date, it is possible that DoD systems will (or could) be targeted in the future by such attacks.

From a potential victim’s perspective, the best advice is to be prepared to be a victim. The current denial of service attacks rely only on a site’s ability to receive network traffic through a finite network connection. These attacks take advantage of the large number of vulnerable systems connected to the Internet, so there is no simple “fix” for these attacks. Once a site has been targeted, there are a number of things that can be done to restore service in a timely manner. Systems owners are advised to be prepared in the following manner:

• Identify mission-essential systems that must be available to users from the Internet. If a denial of ser-


continued on page 34

Figure 1. Example DDoS network


Air Force Materiel Command’s Information Defense
Col Kevin J. Kirsch, USAF

Cyberterrorism, Internet attacks, malicious intrusions, and hacker activity are on the rise. Credit card data for thousands of people is offered for sale over the net.

Air Force systems and networks are targets. Protection of our systems and data is the new challenge, and Air Force Materiel Command (AFMC) is structuring itself to meet that challenge with a dedicated effort addressing all aspects of information assurance (IA).

Efforts to attack, sabotage, and corrupt government and industrial systems and data, sometimes in “sport” and sometimes as a conspiracy, have become a widespread problem plaguing everyone from the smallest businesses to the biggest government organizations. Network defenses and vigilance have been the two most common responses, but waiting for the next hacker is an insufficient approach to network protection. In AFMC we have taken a proactive approach to protecting our systems.

In an aggressive effort beginning in late 1998, AFMC developed and deployed a team of network security and operational experts under the banner of Operation Palisade. The team’s continuing mission is to seek out network security weaknesses before they can be exploited and to remove them through the implementation of secure network practices and technologies. The effort is focused on the single goal of protecting the mission-critical information contained on AFMC networks throughout the United States and the world. The challenge is particularly daunting because AFMC’s relationships with various research centers and contractors mean that our networks have a larger-than-expected number of potentially open components.

The primary foundation on which Operation Palisade builds is the full application of the Air Force’s Barrier Reef process. This proven methodology is designed to create boundary protection for all AFMC base intranet networks, protect those networks at their entry points to the Internet, provide specific network security training to base network managers, and increase AFMC network monitoring and auditing as soon as security weaknesses are identified. We feel that our Operation Palisade efforts, combined with the mandated actions laid out in applicable Air Force regulations and instructions, have positioned us not only to respond to problems, but to prepare our subordinate bases and organizations to position themselves proactively for the threats that surely lie just around the corner.

Are we where we want to be or need to be in our defensive posture? The answer is clearly “no.” We need to move beyond Barrier Reef and Operation Palisade. We need to address all the capabilities of the Air Force’s Defensive Counter-information (DCI) Operations program, including not only information assurance, but also operations security, electronic protection, counterintelligence, and other capabilities, as spelled out in Air Force Policy Directive 10-20. In the process of moving forward, AFMC has put the IA lead in charge of the overall command DCI program and given me the responsibility to coordinate all of the efforts in the realm of Defensive Information Operations.

By consolidating IA and DCI Operations leadership, we have put ourselves on a path for continuous improvement—and created a self-initiated challenge to succeed. There is much to do. AFMC is a target-rich environment for both the

recreational hacker and the industrial spy. On the other hand, our challenges are no different from those faced by industry, other Air Force Major Commands (MAJCOM), or our sister services.

We are proud to be part of the large team, working hard with the other MAJCOMs, the Services and in industry to stay one step ahead of the next incident. We feel we have a positive story to tell, but recognize that others do also. For every good idea we have, we seek multiple opportunities to gather the best practices of others and to explore, in the field or in the lab environment, the best use of current capabilities and information on products under development.

Colonel Kirsch is the Chief, Mission Support, Network Operations & Security Division, HQ Air Force Materiel Command, Wright-Patterson AFB, OH. He was commissioned as a 2nd Lieutenant following completion of the ROTC program and graduation from Duquesne University in Pittsburgh, PA. He has held a variety of base level and tactical positions to include four command positions, ranging from a detachment in Iceland to Installation Commander of RAF Croughton, England. In his current position he is responsible for assessment of the operational effectiveness and efficiency of information, security, applications and systems for customers throughout Air Force Materiel Command, and is the overall lead for the command Defensive Counter Information program.


ic events from the facilitators at predetermined times. The participants were expected to evaluate the events in real time and formulate a response. While this sounds relatively simple, the intent of Zenith Star 99-1 was to examine interagency coordination—thus the teams had to present a coordinated response to the Control Cell for a specific event. If the participants recommended an appropriate action within a reasonable amount of time, long duration events would be stopped prematurely by the Control Cell. Otherwise, events continued until terminated as determined by the scenario.

Coordination between teams was conducted using the communications available to the participants. All coordination activities, such as phone calls, simulated E-mails, and faxes, were recorded on templates provided to the participants. Facilitators were also present at any face-to-face meetings. Using the exercise scenario as ground truth, facilitators were therefore able to assess situational awareness within and across teams, and determine the overall state of the exercise at the end of each day. These assessments helped facilitators identify lessons learned and issues for future consideration.

Participants generally found the exercise to be beneficial. Zenith Star 99-1 showed that the CND community is making significant progress toward developing an effective CND process. Specifically, the ongoing efforts to increase CND coordination between operators, intelligence, and law enforcement are paying dividends. Continued planning initiatives and exercises will help to refine processes further, and prove valuable to the CND community as a whole.

The Zenith Star 99-1 After Action Report (AAR) is available on the JTF-CND SIPRNET Web site. Questions and comments are welcomed and encouraged.

Major Gerald Burton, USA, is a Defensive IO Planner in the JTF–CND J5/7 Section. He is an Information Operations Functional Area Officer, and holds an M.S. from Central Michigan University. He may be reached at [email protected].

Mr. Richard Phares is a member of the IATAC, and designs, develops, and executes Information Operations wargames for various clients. He holds an M.S. from the Naval Postgraduate School, Monterey, CA. He may be reached at [email protected].



Information Assurance: The Army Prepares for the Next Generation of Warfare
MAJ Robert Turk, USA
CPT Shawn Hollingsworth, USA

As the Army prepares to digitize the force, a new threat is developing—one that is unlike any the Army has seen before. Rather than spending billions of dollars on materiel, our enemies are now investing in information warfare (IW). Future conflicts are expected to be asymmetric, which means that IW forces will inflict substantial damage on large, computer-dependent adversaries.

In the Washington Times, the Chinese People’s Liberation Army (PLA) publicly announced its plans to conduct Internet warfare against the United States. The PLA is gearing up for wartime computer attacks on networks and the Internet that will affect everything from banking to our military’s communications structure.

In the past year, attempts to gain unauthorized access to the Army’s networks have greatly increased—from the Melissa virus to computer attacks against the Pentagon by an Israeli hacker and two teenagers from California. The Army is now placing as much attention on protecting communications networks as it spent in preparing for the rollover to the year 2000 (Y2K). The U.S. Army Signal Center, Fort Gordon, Georgia, has responsibility for the combat developments of tactical, strategic, and sustaining base communications systems and the security systems that protect them. The Signal Center represents the warfighter in the development of information assurance (IA) tactics, techniques, and procedures to protect our tactical networks from our enemies.

During a recent IA Industry Day Conference, Lieutenant General David Kelley, Director, Defense Information Systems Agency (DISA), stated that an “Information Pearl Harbor” is imminent. It is not a matter of whether such an attempt will be made, but when. The Signal Center is taking this new threat into consideration as the Army migrates to the Warfighter Information Network–Tactical (WIN–T), which will replace the Tri-Services Tactical Communications (TRI–TAC) and the Mobile Subscriber Equipment (MSE) switch systems.

WIN–T is the Army’s Force XXI command, control, communications, computers, intelligence, surveillance, and reconnaissance (C4ISR) tactical communications network, and it will integrate joint, multinational, commercial, and battlefield networks into an intranet that provides mobile, secure, survivable, and multimedia seamless connectivity between all elements within the battlespace from theater to battalion level. WIN-T’s backbone will support multiple security levels (MSL)—TOP SECRET/Sensitive Compartmented Information (TS/SCI), SECRET, and Sensitive but Unclassified (SBU)—and various modes of information, including voice, data, video, and imagery.

Network-based monitoring technology within the Defense Information Infrastructure (DII) is being mandated on a large scale across the DoD. WIN-T will include IA security features throughout the network that will employ the DoD’s defense-in-depth strategy to protect, detect, and respond to attacks on the military’s information systems. IA offers authentication (verification of the originator), nonrepudiation (incontestable proof of participation), availability (unimpeded access to authorized users), confidentiality (protection from unauthorized disclosure), and integrity (protection from information damage).

The layering of IA technology solutions is the fundamental principle of the defense-in-depth strategy, which includes three key areas of protection: external perimeter, internal network, and local computer hosts.

Protected electronic perimeters are needed for local enclaves because many end-user systems have little built-in protection against external access. These systems are difficult to administer well enough to provide an effective defense. Protected perimeters are like castle walls and gates, which enable professional administrators to control flow in and out. They also enable traffic through the gate to enter and leave at various levels during changing information conditions and allow specific services to be deactivated if they come under successful attack.

The external perimeter safeguards include firewalls, intrusion detection, inline encryptors, and where necessary, physical isolation. Internal network protection consists of a combination of security guards, firewalls, and/or router filtering devices to serve as barriers between echelons and/or functional communities. Host-based monitoring technologies can detect and eradicate malicious software (e.g., viruses); detect software changes; check configuration changes; and generate an audit, audit reduction, and audit report.

The defense-in-depth strategy will provide a robust and resilient infrastructure designed to limit, contain, and repair damage that results from attacks. The fundamental criteria of the defense-in-depth strategy are that no single attack can lead to the failure of a critical function and that no critical function or system is protected by a single protection mechanism. This strategy is a key element in the successful implementation of IA in the WIN-T network.

The illustration below depicts the WIN-T’s conceptual security architecture, which follows the layered protection strategy. Each layer will consist of a different configuration of IA tools designed to prevent a would-be intruder from gaining access to all systems by defeating one layer.

Figure 1. Layered Protection for a Secret High Backbone Supports Multiple Security Levels.

External Layer
The strongest layer of protection in the network is the first line of defense in the defense-in-depth architecture. The primary focus of the perimeter is protecting the inside from the outside, but enclave boundaries also provide some protection against malicious insiders (e.g., those who use the enclave to launch attacks). Protection measures include firewalls, filtering routers, replication servers, strong authentication, authentication servers, Internet Protocol (IP) security/virtual private networks (VPN), and measures to defend against back doors that circumvent firewalls, such as internal use of cellular phones or modems (e.g., sending data through voice private branch exchanges). The external layer and its suite of IA equipment will interface with external connections, such as the Secret IP Router Network (SIPRNET), SBU IP Router Network (NIPRNET), and Joint Worldwide Intelligence Communications System (JWICS).

Network Layer
This layer focuses on network-based monitoring (intrusion detection), thereby providing the capability to identify attacks and suspicious network activity. It captures and forwards event data to a predefined IA cell or the Regional Computer Emergency Response Team (RCERT).

User Level
Command and control (C2) protect tools will be employed on the individual host workstations. Host-based monitoring will reside on servers and end-user systems and will detect attacks against individual hosts. The detection capability of this type of monitoring is more fine-grained than network-based monitoring and can be the best line of defense in detecting malicious insiders. Local host protection software consists of Transmission Control Protocol (TCP) Wrappers for individual access control, a security profile inspector (SPI), Simple Watcher (SWATCH) for alerting when audit anomalies occur in the profile, and McAfee virus protection. This C2 package is the last line of defense against unauthorized use and entry.

Voice subscribers will be able to place and receive secure telephone calls to subscribers located on switched networks that incorporate National Security Agency (NSA) Type I-approved devices. WIN-T will provide selected users with a handheld device that will connect via terrestrial and available satellite means to the WIN-T infrastructure, and via airborne platforms to communicate within the area of operations, both in and around command posts/tactical operations centers (TOC). It will have a secure (NSA-approved) capability that provides voice, data, and video communications.

Another form of IA that will be available to the user is the Public Key Infrastructure (PKI). PKI refers to the framework and services that provide for the generation, production, distribution, control, and accounting of public key certificates. It provides critical support to security applications providing confidentiality, authentication of network transactions, data integrity, and nonrepudiation.

WIN-T is not designed to counter a specific threat. However, certain IA security components are designed to protect WIN-T from the IW threat. As part of this strategy, IA protects the Army’s C2 information network from attempts to penetrate the network to obtain, disrupt, or manipulate the resident information. It allows simultaneous access and processing protection for users at different security levels.

IA and the security features within the WIN-T network will continue to change after the network is fielded in 2005. Even as technology evolves and the threat changes, the Army must continue to protect its vital communications networks.

Major Robert Turk, USA, is the acting Branch Chief, Switching and Networks Branch, Materiel Requirements Division, Directorate of Combat Developments, United States Army Signal Center. He received his B.S. and M.S. in Computer Science from Alabama A. and M. University, Huntsville, Alabama and Towson University, Towson, Maryland. He may be reached at [email protected].

Captain Shawn Hollingsworth, USA, is the IA officer, Switching and Networks Branch, Materiel Requirements Division, Directorate of Combat Developments, United States Army Signal Center. He received his M.S. in Technology Management from Mercer University, Atlanta, Georgia. He may be reached at [email protected].


Containing Contagion in Cyberspace
COL John C. Deal, USA
MAJ Gerrie A. Gage, USA
Ms. Robin Schueneman

The recent “denial of service” attacks against America Online, Yahoo, and other ISP and content providers suggest that computer networks are vulnerable to widespread attack from a variety of adversaries. Complicating these issues are the global nature of such activities and the disparate nature of the kinds of attacks these services have to guard against.

Critical to this discussion is the fact that the dispersal of the toolkits available to hackers makes it all but certain that sniffing out, tracking down, and eliminating these threats will occupy the best network minds for some time to come.

As webmasters, systems administrators, and network security managers rethink the problem, they will, out of necessity, focus a large part of their effort on mitigating virus attacks—in all their forms.

The similarity between computer network systems and biological systems is uncanny. This comparison is common both within Information Technology publications and among users of computer network systems. Addressing computer networks as living systems from the standpoint of health makes one recognize the plethora of vulnerabilities that exist. One of the greatest threats to the health of an organization’s computer networks is computer viral infections or contagion. Containing these contagions and eradicating them before the health of a network is degraded requires understanding and real-time vigilance on the part of users, network administrators and software developers.

The Pathology of Computer Viruses

A computer virus is a program, or software code, designed to replicate and spread, generally with the victim being oblivious to its existence. The mere mention of “computer virus” sends computer novices and experts scrambling to download the latest update of Norton, McAfee, or IBM antivirus software. Their reaction is justified. Every large corporation and organization has experienced a virus infection—most experience them monthly. According to data from IBM’s High Integrity Computing Laboratory, corporations with 1,000 or more personal computers (PC) now experience a virus attack every 2 to 3 months—and that frequency will likely double in a year.[1] The number of virus attacks may seem unusually high if it is viewed independently. However, when Symantec Corporation (a supplier of DoD antiviral software) defines and categorizes 21,389 known viruses and McAfee (the other supplier of antiviral software to DoD) categorizes more than 40,000 viruses, the number of virus attacks is put in a new light. These viruses, usually benign or annoying, can slow performance, absorb resources, change screen displays and in the end, disrupt or deny service to such an extent that it affects organizations’ bottom line—profit or mission accomplishment.

Computer viruses come from a variety of sources and spread by attaching themselves to other programs (e.g., word processors or spreadsheet applications) or to the boot sector of a disk. When the infected file is activated or executed, or when the computer is started from an infected disk, the virus itself is also executed. Viruses can also lurk in computer memory, waiting to infect the next program that is activated, or the next disk that is accessed.

Dataquest’s 1991 study of major U.S. and Canadian computer users for the National Computer Security Association found that most users blame infected diskettes (87 percent) as the source of a virus. Forty-three percent of the diskettes responsible for introducing a virus into a corporate computing environment were brought from home. Nearly three-quarters (71 percent) of infections occurred in a networked environment, making rapid spread a serious risk. Seven percent of computer users said they had acquired their virus while downloading software from an electronic bulletin board service or Web site. Other sources of infected diskettes included demo disks, diagnostic disks used by service technicians, and shrink-wrapped software disks; these other sources contributed 6 percent of reported infections.[2] Although no new statistics are currently available, networking, enterprise computing, and inter-organizational communications are growing. Accompanying the growth in telecommuting and networking is an increase in infections.

Viruses are growing in complexity and variety. In 1986, there were just four known PC viruses. In today’s virus-rich environment, more than three viruses are created every day, for an average of 110 new viruses created in a typical month. There are several variations of viruses, but there are only three ways that a virus can access a system. “Computer Viruses: Past, Present and Future” describes these three methods as follows:

File Viruses
Most of the thousands of viruses known to exist are file viruses, including the Friday the 13th virus. These viruses infect files by attaching themselves to a file, generally an executable file—the .EXE and .COM files that execute applications and programs. The virus can insert its own code in any part of the file, provided it changes the host’s code somewhere along the way, misdirecting proper program execution so that it executes the virus code first, rather than the legitimate program. When the file is executed, the virus is executed first.

Boot Sector / Partition Table Viruses
Although there are only about 200 boot sector viruses, they make up 75 percent of all virus infections. Boot sector viruses include Stoned, the most common virus of all time, and Michelangelo, perhaps the most notorious. These viruses are so prevalent because they are difficult to detect. They do not change a file’s size or slow PC performance, so they are fairly invisible until their trigger event occurs. Events such as reformatting a hard disk or scanning a disk serve as a trigger. The boot sector virus infects floppy disks and hard disks by inserting itself into the boot sector of the disk, which contains code that is executed during the system boot-up process. Booting from an infected floppy allows the virus to jump to the computer’s hard disk. The virus executes first and gains control of the system boot program code even before the operating system (OS) is loaded. Because the virus executes before the OS is loaded, it is not OS-specific and can infect any PC operating system platform—MS-DOS, Windows, OS/2, PC-NFS, or Windows NT. The virus enters the random access memory (RAM) and infects every disk that is accessed until the computer is rebooted and the virus is removed from memory. Partition table viruses attack the hard disk partition table by moving it to a different sector


Trojan Horse

Like its classical namesake, the Trojan Horse virus typically masquerades as something desirable; e.g., a legitimate software program. The Trojan Horse generally does not replicate (although researchers have discovered replicating Trojan Horses). Rather, it waits until its trigger event and then displays a message or destroys files or disks. Alongside the Trojan Horse is the Trojan Mule, which fools authorized users into giving their LOGIN information, passwords, and user-IDs. Once a user types in the valid user-ID/password LOGIN information, the virus sends that information to the file implementers and displays a LOGIN error message. As the authorized user retypes the information, the virus has already exited, the real LOGIN program regains control, and the user never suspects that LOGIN information has been revealed. The difference between the Trojan Horse and Trojan Mule viruses is that the mule does not even try to perform a useful function (e.g., game, application) and it disappears from the system once it’s done its work, whereas the horse remains in the system until it is cleaned out.

File Overwriters

These viruses infect files by linking themselves to a program, keeping the original code intact and adding themselves to as many files as possible. Innocuous versions of file overwriters may not be intended to do anything more than replicate but, even then, they take up space and slow performance. And because file overwriters, like most other viruses, are often flawed, they can damage or destroy files inadvertently. The worst file overwriters remain hidden only until their trigger events. Then they can deliberately destroy files and disks.

continued on sidebar of page 20

continued on page 20


IAnewsletter • Volume 3, Number 3 http://iac.dtic.mil/IATAC

and replacing the original partition table with the virus’ own infectious code. These viruses spread from the partition table to the boot sector of floppy disks as floppy disks are accessed.
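The partition table attack described above leaves a detectable trace: the boot code in sector 0 no longer matches what was there when the disk was known good, and the in-place table is either empty or nonsensical. As an added example (not code from the newsletter), the following Python check parses a saved 512-byte master boot record, verifies the 0x55AA signature, sanity-checks the four partition entries at offset 446, and compares the boot code against a recorded hash; the sector images are constructed inline and the boot-code bytes are placeholders, not real boot code.

```python
import hashlib
import struct

# MBR layout: 446 bytes of boot code, four 16-byte partition entries, 2-byte signature.
SECTOR_SIZE = 512
PT_OFFSET = 446
PT_ENTRY_SIZE = 16
PT_ENTRY_FMT = "<B3xB3xII"   # status, CHS start (skipped), type, CHS end (skipped), LBA start, sector count
BOOT_SIGNATURE = b"\x55\xaa"


def parse_partition_table(sector):
    """Return the four MBR partition entries as dicts (empty entries included)."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("boot sector must be exactly 512 bytes")
    entries = []
    for i in range(4):
        status, ptype, lba_start, sectors = struct.unpack_from(
            PT_ENTRY_FMT, sector, PT_OFFSET + i * PT_ENTRY_SIZE)
        entries.append({"status": status, "type": ptype,
                        "lba_start": lba_start, "sectors": sectors})
    return entries


def boot_code_hash(sector):
    """SHA-256 of the boot code only, so a legitimate repartition does not alter it."""
    return hashlib.sha256(sector[:PT_OFFSET]).hexdigest()


def check_boot_sector(sector, baseline_hash, disk_sectors):
    """Return a list of findings; an empty list means the sector matches expectations."""
    findings = []
    if sector[510:512] != BOOT_SIGNATURE:
        findings.append("missing 0x55AA boot signature")
    if boot_code_hash(sector) != baseline_hash:
        findings.append("boot code differs from the recorded baseline")
    entries = parse_partition_table(sector)
    in_use = [e for e in entries if e["type"] != 0]
    if not in_use:
        findings.append("partition table is empty")
    if sum(1 for e in entries if e["status"] == 0x80) > 1:
        findings.append("more than one partition flagged bootable")
    for n, e in enumerate(in_use):
        if e["status"] not in (0x00, 0x80):
            findings.append("entry %d: invalid status byte 0x%02x" % (n, e["status"]))
        if e["lba_start"] + e["sectors"] > disk_sectors:
            findings.append("entry %d: extends past the end of the disk" % n)
    return findings


def make_sector(boot_code, entries):
    """Build a 512-byte MBR image from boot code bytes and (status, type, lba, count) tuples."""
    sec = bytearray(SECTOR_SIZE)
    sec[:len(boot_code)] = boot_code
    for i, (status, ptype, lba, count) in enumerate(entries):
        struct.pack_into(PT_ENTRY_FMT, sec, PT_OFFSET + i * PT_ENTRY_SIZE,
                         status, ptype, lba, count)
    sec[510:512] = BOOT_SIGNATURE
    return bytes(sec)


# Constructed samples (placeholder bytes, not real boot code or a real infection).
# A clean MBR: one bootable 16-bit FAT partition (type 0x06) starting at LBA 63.
CLEAN_BOOT_CODE = b"\xfa\x33\xc0\x8e\xd0" + b"\x90" * 32
CLEAN_SECTOR = make_sector(CLEAN_BOOT_CODE, [(0x80, 0x06, 63, 2_000_000)])
BASELINE_HASH = boot_code_hash(CLEAN_SECTOR)   # record this while the disk is known good
DISK_SECTORS = 4_000_000

# The same disk after the pattern the text describes: foreign code in the boot sector
# and the genuine partition table moved elsewhere, leaving the in-place table empty.
TAMPERED_SECTOR = make_sector(b"\xeb\x3c\x90" + b"\x00" * 32, [])


def demo():
    return {"clean": check_boot_sector(CLEAN_SECTOR, BASELINE_HASH, DISK_SECTORS),
            "tampered": check_boot_sector(TAMPERED_SECTOR, BASELINE_HASH, DISK_SECTORS)}


if __name__ == "__main__":
    for name, findings in demo().items():
        print(name, findings or ["ok"])
```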

Multipartite Viruses

These viruses combine the ugliest features of both file and boot sector/partition table viruses. They can infect any of these host software components. And while traditional boot sector viruses spread only from infected floppy boot disks, multipartite viruses can spread with the ease of a file virus—but they still insert an infection into a boot sector or partition table. This tendency makes them particularly difficult to eradicate. Tequila is an example of a multipartite virus.

Although there are only three ways to infect a system, there are hundreds of variations of viruses. The sidebars (pages 17 through 21) contain descriptions of virus variations taken from “Computer Viruses: Past, Present and Future,” “Demystifying Computer Viruses,” and “Computer Security Basics.” This list is not all-inclusive, but it describes some of the common variations to date.

Viruses affect computers and networks differently. The purpose of most viruses is to remain undetected, thereby allowing them to spread throughout the organization until they degrade performance or destroy data. Most viruses give no symptoms of their infection, thus driving the use of anti-virus tools. Anti-virus tools allow users to identify these quiet killers. However, many viruses are flawed and do provide some tip-offs to their infection. Here are some indications to watch for:[3]

• Changes in the length of programs

• Changes in the file date or time stamp

• Longer program load times

• Slower system operation

• Reduced memory or disk space

• Bad sectors on the floppy

• Unusual error messages

• Unusual screen activity

• Failed program execution

• Failed system boot-ups when booting or accidentally booting from the A: drive

• Unexpected writes to a drive.
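The first two indications in the list above (a changed program length and a changed date or time stamp) are exactly what a baseline-and-compare check catches, and a content hash catches the file virus that restores the timestamp after infecting. As an added example, not code from the newsletter, the following Python checker records size, whole-second modification time and SHA-256 for every executable under a directory and reports what changed; the directory contents, the list of executable suffixes and the three alterations are constructed for the demonstration.

```python
import hashlib
import os
import tempfile

# Constructed list of the file types a DOS-era file virus attaches to.
EXECUTABLE_SUFFIXES = (".exe", ".com", ".sys", ".ovl")


def file_record(path):
    """Size, whole-second modification time and SHA-256 of one file."""
    st = os.stat(path)
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return {"size": st.st_size, "mtime": int(st.st_mtime), "sha256": digest.hexdigest()}


def snapshot(root):
    """Baseline every executable under root, keyed by path relative to root."""
    records = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name.lower().endswith(EXECUTABLE_SUFFIXES):
                full = os.path.join(dirpath, name)
                records[os.path.relpath(full, root)] = file_record(full)
    return records


def compare(baseline, current):
    """Return sorted (path, finding) pairs for everything that changed since the baseline."""
    findings = []
    for path, old in baseline.items():
        new = current.get(path)
        if new is None:
            findings.append((path, "missing"))
            continue
        if new["size"] != old["size"]:
            findings.append((path, "length changed %d -> %d" % (old["size"], new["size"])))
        if new["mtime"] != old["mtime"]:
            findings.append((path, "timestamp changed"))
        if new["sha256"] != old["sha256"]:
            findings.append((path, "contents changed"))
    for path in current:
        if path not in baseline:
            findings.append((path, "new executable"))
    return sorted(findings)


def demo():
    """Constructed scenario: take a baseline, then alter the directory the way an infection would."""
    with tempfile.TemporaryDirectory() as root:
        for name in ("edit.com", "game.exe", "readme.txt"):
            with open(os.path.join(root, name), "wb") as fh:
                fh.write(b"\x90" * 1000)
        before = snapshot(root)

        # 1. game.exe grows by 1024 bytes, but its timestamp is put back afterwards,
        #    as a virus hiding its presence would do. Length and hash still give it away.
        game = os.path.join(root, "game.exe")
        original_mtime = os.stat(game).st_mtime
        with open(game, "ab") as fh:
            fh.write(b"\xcc" * 1024)
        os.utime(game, (original_mtime, original_mtime))

        # 2. edit.com keeps its content, but its timestamp has been moved a day back.
        edit = os.path.join(root, "edit.com")
        day_ago = os.stat(edit).st_mtime - 86400
        os.utime(edit, (day_ago, day_ago))

        # 3. A new .COM file appears beside the others.
        with open(os.path.join(root, "stub.com"), "wb") as fh:
            fh.write(b"\xc3")

        return compare(before, snapshot(root))


if __name__ == "__main__":
    for path, finding in demo():
        print("%-12s %s" % (path, finding))
```

readme.txt is deliberately outside the watched suffixes, so neither its presence nor changes to it appear in the report.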

This list of virus variations and symptoms is not all-inclusive. Additional information can be found at the following Web sites:[4]

• http://www.rootshell.com (exploits)

• http://www.insecure.org/sploits.html (exploits)

• http://ciac.llnl.gov/ciac/CIACVirusDatabase.html (virus information)

• http://www.snafu.de/~madokan/mvic/viruscont.html (virus creators)

• http://www.symantec.com/avcenter/index.html (virus information)

• http://vil.mcafee.com (virus information)

• http://www.virusbtn.com (virus information)

The viruses discussed above are only the most common variations of computer viruses and their symptoms. Computer viruses have cost companies worldwide nearly $2 billion since 1990, with those costs accelerating to $1.9 billion in 1994. This cost is directly related to virus cleanup, not loss of profit. Profit loss caused by


Polymorphic Viruses

More and more of today’s viruses are polymorphic in nature. The recently released Mutation Engine, which makes it easy for virus creators to transform simple viruses into polymorphic ones, ensures that polymorphic viruses will only proliferate over the next few years. Like the human AIDS virus, which mutates frequently to escape detection by the body’s defenses, the polymorphic computer virus mutates to escape detection by anti-virus software that compares it to an inventory of known viruses. Code within the virus includes an encryption routine to help the virus hide from detection, plus a decryption routine to restore the virus to its original state when it executes. Polymorphic viruses can infect any type of host software. Although polymorphic file viruses are most common, polymorphic boot sector viruses have already been discovered.

Stealth Viruses

These viruses are specially engineered to elude detection by traditional anti-virus tools. The stealth virus adds itself to a file or boot sector, but when the host software is examined, it appears normal and unchanged. The stealth virus performs this trickery by lurking in memory when it is executed. There, it monitors and intercepts the OS’s calls. When the OS seeks to open an infected file, the stealth virus races ahead, disinfects the file, and allows the OS to open it—all appears normal. When the OS closes the file, the virus reverses these actions, thereby re-infecting the file. Boot sector stealth viruses insert themselves in the system’s boot sector and relocate the legitimate boot sector code to another part of the disk. When the system is booted, they retrieve the legitimate code and pass it along to

continued on the sidebar of page 21

continued from the side bar of page 19



viruses is impossible to calculate. Organizations are combating the virus problem with anti-virus software. The cost of this software is expected to grow from $700 million in 1997 to $2.6 billion by 2001.[5]

So what can an organization do to prevent computer viral infections, and what is the best response in the event of an infection? These questions are best answered by analyzing a real event. This event is current and represents the best possible response to date by the Federal Government, DoD, and industry. As reported by SANS (System Administration, Networking, and Security) Institute, the response of these organizations was “impressive.”

Containing Contagion: A Case Study

History will remember several notable landings: the landing of the lunar module on June 20, 1969; the landing of ET the extraterrestrial in movie cinemas in 1982; the landing of Mark McGwire in record books with his 70th home run in September 1998; and the landing of Melissa in commercial, military, educational, and home PCs on March 26, 1999.

One might ask, “Who is Melissa?” The question is in fact, “What is Melissa?” Melissa is a virus, conceivably the fastest spreading virus PCs have seen since the infamous Morris Worm, which infected more than 6,000 computers in a matter of hours (ftp://coast.cs.purdue.edu/pub/doc/morris_worm/GAO-rpt.txt) in November 1988. By March 30, 1999, Melissa had successfully infected about 70,000 E-mails. It was the first virus to have prompted Federal law enforcement to

send out a warning about computer viruses; the Federal Bureau of Investigation (FBI) joined with the National Infrastructure Protection Center (NIPC) to issue a warning in anticipation of the tidal wave of E-mails that Melissa was expected to generate.

Melissa is a macro virus, which means that its infectious code is resident in a macro (a symbol, name, or key that represents a list of commands, actions, or keystrokes) contained in a Microsoft Word document (see right sidebar). In Melissa’s case, the macro has instructions to disable macro detection capabilities, read the first 50 names in a recipient’s Microsoft Outlook address book, and forward itself as an attachment to those individuals, or groups of individuals. When this forwarded E-mail message is received and opened, the macro begins again its cycle of E-mail generation, thus bogging down and potentially crashing mail servers through its exponential rate of infection. This type of attack is known as a denial of service.

While the shutdown of electronic mail servers is destructive enough, there is at least one other potentially hazardous result of this virus. Melissa is spread through a Microsoft Word document. However, this virus is constructed in such a way that it infects whatever document is open at the time the infected attachment is displayed, and that document is the one that is forwarded with the virus. Imagine this scenario: You are typing a classified document when you receive Melissa. When you open the attachment, i.e., the macro virus, it now places itself on


accomplish the boot. Under examination, the boot sector appears normal, but the boot sector is not in its normal location.

Macro Viruses

Macros are, in essence, mini-programs that take much of the legwork out of repetitive or template-oriented documents. For example, to minimize the work involved in typing the date in correspondence, a user could program a macro to insert the day, month, and year all at once when the letter “D” is typed. Macro viruses are carried in the types of data files that business computer users most often exchange: word processed documents and spreadsheets. Also, because these data files are often exchanged by E-mail, they sometimes bypass the checks that virus-aware organizations already have in place. Experts estimate that 40 percent of virus attacks are made this way. Macro viruses are created with the aid of the macro routines contained within all word processing and spreadsheet application software, such as Microsoft Word and Excel. They attach themselves to any document files that include the macro code, so that they can then be executed through the application software. The whole purpose of macro languages is to insert useful functions into documents, which are then executed as the documents are opened. This is what makes macro viruses easy to write. But one of the reasons they have become so prevalent is the success of Microsoft Office, which has 80 percent of the global market for integrated packages—a tempting target for macro virus writers.

Memory-Resident Viruses

The memory resident characteristic is the most common among viruses. When viruses load into memory via a host application, they remain in memory until the computer is turned off. At

continued on the sidebar of page 22

continued on page 22



your already opened Word document and forwards THAT document to the first 50 addressees in your address book.

Several aspects of this virus have helped its seemingly global proliferation. One of the most significant aspects is its use of a user’s own address book to forward the infectious E-mail. This means that an ordinary user, who would be suspicious of E-mail from an unknown source, receives the virus as if a friend, co-worker, family member, etc. sent it, thereby instilling a false sense of security. In addition, this virus is spread with the help of Microsoft Word and Microsoft Outlook, two programs that are resident in a vast majority of PCs today due to the overwhelming popularity of Microsoft Office.[6]

The DoD’s and Services’ Information Assurance processes helped ensure that Melissa’s impact on DoD and the Services was minimal. The Army began receiving the virus shortly before 5:00 p.m. on Friday, March 26, 1999. Half an hour later, the Army Computer Emergency Response Team (ACERT) began receiving notices from its Regional CERTs (RCERT), and by 6:00 a.m., the virus had spread throughout DoD systems worldwide.

Once users began receiving E-mail from known acquaintances but with an “out-of-character” attachment, they began contacting their local systems administrators who, in turn, alerted the ACERT at Ft. Belvoir, Virginia, and the technical support staff at Microsoft (which created the software the virus was designed to run on), and McAfee and Norton, two anti-virus companies. After the

virus was discovered, a restriction was placed on the size of E-mail attachments. A message was distributed to all E-mail users, instructing them to not open attachments or enable macros in Microsoft Word documents they received via E-mail unless they were sure of the document’s origin.

Working in concert with industry, Government officials were able to detect and attack the virus and implement fixes that were distributed to systems administrators and users in record time. RCERTs went to a heightened level of management and detection, and the Army Signal Command directed the information management officials at 18 major facilities to scan E-mail servers using an application received from Microsoft and delete E-mail traffic infected with the virus. Throughout the night, ACERT coordinated reports, orchestrated solutions to the virus with McAfee and Norton, and assisted system administrators with installing fixes. By Monday, March 29, 1999, the virus was contained and eradication was well on its way. This reaction established a process termed “Positive Control,” and the proactive efforts of all involved made this rapid containment happen, along with the close cooperation with the software industry.[7]

Disinfecting Melissa was actually a fairly simple process, even if labor intensive. Ordinarily, the fix would have merely involved retrieving the latest virus definitions from a reputable virus-scanning source, such as Norton or McAfee, and scanning client and server hard drives. The glitch in Melissa’s case was that these virus-scan-

this stage of their existence, viruses can easily replicate into boot sectors or subsequently launched applications.

Non-Memory-Resident Viruses

These viruses can infect the system only when the host application is running. When the host application is closed, the virus is closed down as well. Therefore, if applications are opened after a host application is closed, there is no danger of infecting the system with that specific virus at that time.

Companion Viruses

To understand this characteristic, it is helpful to have a basic understanding of the sequential order of how system files work. In launching an executable file, either the user manually issues a command or the interface executes a command. Most applications have a file-type (FT) extension of *.EXE. When invoking these commands, the user or the computer enters the name of the application without the extension. The computer executes other system files with the same name before executing the *.EXE application’s FT. A companion virus creates a name that matches the *.EXE file name but with a different extension (e.g., *.COM). The *.EXE still executes; however, the *.COM (infected file) launches first and infects the system. Most antiviral software packages can identify this characteristic.
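The check an antiviral package makes for this characteristic follows directly from the search order just described: look for a file that would be resolved ahead of a same-named .EXE. As an added example that is not part of the newsletter, the Python scanner below applies that order from the defender’s side, generalizing the .COM-before-.EXE case to the full .COM, .EXE, .BAT order COMMAND.COM uses for a bare command name (that full order is an assumption beyond what the text states), and reports each shadowed executable together with the size and relative age of the file that pre-empts it; the directory contents are constructed.

```python
import os
import tempfile

# Order in which COMMAND.COM resolves a bare command name: .COM first, then .EXE, then .BAT.
# The text above describes the .COM-before-.EXE part of this order.
SEARCH_ORDER = (".com", ".exe", ".bat")


def resolve_command(name, names_in_dir):
    """Return the file DOS would run for a bare command name in one directory, or None."""
    by_lower = {n.lower(): n for n in names_in_dir}
    for ext in SEARCH_ORDER:
        hit = by_lower.get(name.lower() + ext)
        if hit is not None:
            return hit
    return None


def find_shadowed(root):
    """Find executables pre-empted by a same-named file earlier in the search order.

    Each finding names the file that runs first, the file it shadows, the winner's size
    and whether the winner is newer than what it shadows: a small, recent .COM beside
    an older .EXE is the companion pattern described above.
    """
    findings = []
    for dirpath, _, files in os.walk(root):
        groups = {}
        for f in files:
            base, ext = os.path.splitext(f)
            if ext.lower() in SEARCH_ORDER:
                groups.setdefault(base.lower(), []).append(f)
        for base in sorted(groups):
            group = groups[base]
            if len(group) < 2:
                continue
            winner = resolve_command(base, group)
            w_stat = os.stat(os.path.join(dirpath, winner))
            for f in sorted(group):
                if f == winner:
                    continue
                s_stat = os.stat(os.path.join(dirpath, f))
                findings.append({
                    "dir": os.path.relpath(dirpath, root),
                    "runs_first": winner,
                    "shadowed": f,
                    "runs_first_size": w_stat.st_size,
                    "runs_first_newer": w_stat.st_mtime > s_stat.st_mtime,
                })
    return findings


def demo():
    """Constructed directory: one companion pair, one harmless .EXE/.BAT pair, two lone files."""
    base_time = 1_000_000_000
    with tempfile.TemporaryDirectory() as root:
        def put(name, size, mtime):
            path = os.path.join(root, name)
            with open(path, "wb") as fh:
                fh.write(b"\x90" * size)
            os.utime(path, (mtime, mtime))

        put("WORD.EXE", 5000, base_time)          # the legitimate program
        put("word.com", 300, base_time + 100)     # small, newer file that runs instead of it
        put("backup.exe", 2000, base_time)
        put("backup.bat", 50, base_time)          # .EXE legitimately wins over .BAT
        put("game.exe", 4000, base_time)
        put("edit.com", 800, base_time)
        return find_shadowed(root)


if __name__ == "__main__":
    for hit in demo():
        print("%s runs before %s (size %d, newer=%s)" % (
            hit["runs_first"], hit["shadowed"], hit["runs_first_size"], hit["runs_first_newer"]))
```

Run against a real PATH directory, every .EXE/.BAT pair also shows up, so the size and age fields are what separate a companion from an ordinary launcher script.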

Bomb

A bomb is a type of Trojan Horse that is used to release a virus, a worm, or some other system attack. It is either an independent program or a piece of code that has been planted by a system developer or a programmer. A bomb works by triggering some kind of unauthorized action when a particular date, time, or condition oc-

continued on the sidebar of page 23

continued from the side bar of page 21



ners were caught relatively off guard with this virus. Normally, anti-virus software companies know about new viruses long before they are released and, therefore, are able to release updated virus definitions to their clients before the danger arrives. For some reason, Melissa was kept under close wraps until its release on March 26. In the end, the damage caused by Melissa will be measured in the millions of dollars. But the lessons learned from this attack are being institutionalized. Contagion in cyberspace can be contained.

Colonel Deal is the Commander, U.S. Army Information Systems Engineering Command, Ft. Huachuca, Arizona. He earned an M.S. in Electrical Engineering from the Naval Post Graduate School and an M.A. in National Security Studies from the Naval War College, and an M.A. in International Relations from Salve Regina University.

Major Gage is the Operations Officer for the News Systems Training Office, Directorate of Combat Development, 306th MI BN, Ft. Huachuca, AZ. She has a B.S. in Biology from Florida Southern College, an M.S. in Material Acquisition Management from Florida Institute of Technology, an M.S. in Engineering Management from University of Missouri-Rolla, and an M.A. in Computer Information Resource Management from Webster University.

Robin Schueneman supports the Army’s Information Assurance Directorate of DISC4. She is the DISC4 lead to the Information Assurance Vulnerability Alert (IAVA) Compliance Verification Team (CVT). Ms. Schueneman earned a B.A. in Communications from UNC-Chapel Hill, North Carolina in 1994.

Endnotes

1. Symantec Corporation, Computer Viruses: Past, Present and Future, Anti-Virus Research Center, March 29, 1999.

2. Ibid.

3. Lowenthal, Overview of Computer Viruses, Information Paper, SAIS-IAS, March 1999.

4. Ibid.

5. Davy, Jo Ann, “Virus Protection,” Managing Office Technology, 1998.

6. Schwartz, John, “New Virus Snarls E-Mail Systems,” The Washington Post, p. E1 (March 30, 1999).

7. Singer, Jeremy, “Melissa blunted by response teams QUICK RESPONSE MAKES ARMY SYSTEMS VIRTUALLY IMMUNE TO E-MAIL VIRUS,” Inside the Army (April 5, 1999).

Bibliography

Corbitt, Terry, “Datafiles in Danger,” Accountancy, available online at: http://proquest.umi.com/pqdeb (January 1999).

Davy, Jo Ann, “Virus Protection,” Managing Office Technology, available online at: http://proquest.umi.com/pqweb (1998).

Jarvis, Kenneth, “Demystifying Computer Viruses,” Management Accounting, available online at: http://progquest.umi.com/pqdweb (April 1997).

Lowenthal, “Overview of Computer Viruses,” Information Paper, SAIS-IAS (March 1999).

Russell, Deborah & Gangemi, G.T., Ed., “Viruses and Other Wildlife,” Computer Security Basics (United States of America, O’Reilly and Associates, Inc., 1991) pp. 79-88.

SANS Newsbites, available online at: http://www.sans.com (March 1999) and http://securityportal.com

Schwartz, John, “New Virus Snarls E-Mail Systems,” The Washington Post, p. E1 (March 30, 1999).

Singer, Jeremy, “Melissa blunted by response teams QUICK RESPONSE MAKES ARMY SYSTEMS VIRTUALLY IMMUNE TO E-MAIL VIRUS,” Inside the Army (April 5, 1999).

Symantec Corporation, “Computer Viruses: Past, Present and Future,” Anti-Virus Research Center, available online at: http://www.symantec.com/avcenter/reference/corpst.html (March 29, 1999).

curs. There are two types of bombs: time and logic. A time bomb is set to go off on a particular date or after some period of time has elapsed. The Friday the 13th virus was a time bomb. A logic bomb is one that is set to go off when a particular event occurs. Software developers have been known to explode logic bombs at key moments after installation—if, for example, the customer fails to pay a bill or tries to make an illicit copy.

Spoof

This is a generic name for a program that tricks unsuspecting users into giving away privileges. Often, the spoof is perpetrated by a Trojan Horse mechanism in which an authorized user is tricked into inadvertently running an unauthorized program. The program then takes on the privileges of the user and may run amok.

Bacteria

These are programs that do nothing but make copies of themselves, but by doing so they will eventually use up all system resources (i.e., memory, disk space).

Rabbits

This is another name for rapidly reproducing programs.

Crabs

These programs attack the display of data on computer terminal screens.

Salami

Salami slices away (rather than hacking away) tiny pieces of data. For example, salami alters one or two numbers or a decimal point in a file, or it shaves a penny off a customer’s bank interest calculations and deposits the pennies in the intruder’s account.



The U.S. Military Academy (USMA) at West Point confronts a novel information age challenge—to balance the needs of a dynamic, technology-rich undergraduate experience for 4,000 cadets with the availability, security, and interoperability concerns for an enterprise local area network (LAN) operating within the Department of Defense (DoD) network infrastructure. Despite resource, technology, and culture challenges, this balancing act has been unusually successful over an evolution spanning the 10 years since the USMA network was created in 1989. Perhaps surprisingly, cadets’ education benefits from the moderate discipline imposed by operating the network in accordance with DoD requirements and professional best practices. Typical university data networks, by contrast, operate as mostly unfettered services in which almost “anything goes” with regard to hardware, software, protocols, and modes of use. Although this approach affords great individual freedom, its overall effect may be to reduce network usefulness. Recent trends in campus computing seem to be drawing the rest of academe closer to the computing model employed at West Point.

West Point occupies a rare crossroads of “.edu” and “.mil” domains. This is literal in the sense that many network hosts have names in each domain. Browsing www.usma.army.mil will take a virtual visitor to the same place as www.usma.edu and www.westpoint.edu. The Academy is first and foremost a primary commissioning source for Army officers. It is an Army post, and the post network is an Army information system. “Dot mil” naming and conformance to DoD/Department of the Army (DA) standards is expected and required. However, West Point is also a tier I, accredited academic institution with strong ties to the academic community for research and other professional exchanges. Military and civilian faculty members find that in some settings, an “.edu” address communicates the seriousness with which the USMA views its role in undergraduate teaching, learning, and research.

Attracting the best qualified of America’s high school graduating class each year is an essential aspect of the West Point program. Among bright, knowledgeable high school students, sophisticated technological infrastructure is high on the list of criteria for college choices. After admission, cadet families expect and deserve electronic mail (E-mail) and other electronic contact with their cadets. It follows that a principle of information assurance (IA) at West Point is to support technology programs and systems that meet the expectations of diverse clients outside the gate. Connecting with the American public is essential to fulfilling its institutional mission, so West Point can seldom afford to escape risk by reducing access.

The military/educational duality continues inside the gate. Inquiry is the soul of learning, and inquiry has increasingly come to involve innovative uses of technology. The computing environment at West Point must provide cadet students and faculty members the freedom to experiment with hardware and software and to exchange information worldwide with great convenience while still providing information assurance. Cadets purchase their own computers and software much as they do textbooks and other tools of the academic program, so they have a reasonable expectation of control over their computers’ configuration. On the other hand, the USMA network is a military facility where official business takes precedence. The Army reasonably expects to enforce usage policies and config-


Computing on the Virtual Border

.mil meets .edu

LTC Eugene K. Ressler, USA

COL Clark K. Ray, USA

Figure 1. Work at a Z-248, circa 1988.



uration management of network resources.

To be sure, universities and colleges share many of USMA’s challenges. Although few have a dual presence on the Internet, each campus has business to conduct in security and with high reliability while also providing academic freedom of inquiry. Educating students on acceptable use of technology facilities is a shared concern. Students everywhere stay on the leading edge of new information services. Downloadable software of all varieties, music in “MP3” (compressed) form, and electronic stock trading illustrate developments that have put college officials in catch-up mode, deciding what students can properly and legally do, determining their own legal and ethical institutional responsibilities, and figuring out how to enforce their policies.

USMA differs from its peer academic institutions in the way it confronts IA challenges. A key example is the USMA approach to student computing. Although cadets do own and pay for their computers, the configuration is standard, chosen through a “best value” competitive government solicitation, with software installed in advance. Although some disk space is reserved for cadets to configure however they choose, a precondition for physical connection to the USMA network is use of a government-installed, controlled, managed, and monitored operating environment. For example, all cadet computers must currently run Windows NT as their operating system when connected to the network, and except for selected individuals, users may not exercise full administrator privileges.

Acceptance of these limitations is a modest sacrifice for the services provided in return: Internet and intranet access; shared files, printers, and public bulletin boards; and standard directory and E-mail facilities. Configuration standards at West Point allow the organized planning and delivery of a wide spectrum of services, a range exceeding that at most schools. A current project will provide each cadet with a high reliability network home directory that is Web-accessible via Hypertext Transfer Protocol (HTTP). IA measures, such as antivirus software updates, operating system patches (often issued in response to Army Computer Emergency Response Team [ACERT] alerts), software upgrades, and necessary configuration changes are dispensed each time cadets log in to their network accounts. Army intrusion detectors alert USMA technicians to Internet attacks on cadet computers. Teams are usually able to clear or repair any damage before the cadet knows what has happened. The latest cadet computers include hardware features for central monitoring that have averted significant maintenance problems.

Technical support is another difference. Most American students come to college with a computer of their own choosing. To an uncomfortable degree, they must fend for themselves in solving software, hardware, and configuration problems. Some institutions are currently finding that students on stipend can fill some of this gap in technology support. West Point has made cadet Information Systems Officers (ISO) part of the Corps of Cadet chain of command for more than a decade. A small team of government technicians mentors ISOs in a range of system administration tasks considered to be “second echelon” support (forgotten passwords, installation of hardware drivers, and the like). This structure provides an exceptional developmental experience for the ISOs and an effective, zero-dollar (although not zero person-hour) source of support. Government and con-


Figure 2. Typical cadet work space today.

continued on page 26



tract personnel perform more sophisticated repairs. All cadets take a one-semester course in computing fundamentals in their first year. Additionally, each year as many as 20 percent of cadets select academic majors or sequences (minors) in disciplines directly related to information technologies, providing a level of expertise to classmates who share their living areas not found at many other institutions.

The ethical and moral aspects of cadet development programs are another essential part of IA at West Point. Inside the West Point firewall, designs to safeguard systems and data are able to assume that malicious intent on the part of users is a rare—and readily punishable—occurrence. Cadets are instructed to consider technology system abuses to be failings of personal conduct or ethics. In short, USMA’s students are asked and required to be part of the IA effort. West Point’s intranet security intends to “keep honest people honest” and to detect the occasional outlying bad behavior. On the other hand, most campus network designers frequently have no choice but to assume that many students will intentionally abuse institutional systems. The Athena project at the Massachusetts Institute of Technology (MIT) and the proliferation of virtual LANs and other elaborate security control mechanisms on campuses stand as examples.

The upshot of USMA’s methods is better education and training for cadets. On any given day, approximately 99.6 percent of cadet computers are available on the USMA network. At other institutions, the popularity of campus-wide student computer purchase programs is growing. These often include limited standard configuration efforts. However, few published data measure overall availability statistics. Whereas most campuses sport an eclectic array of standards, West Point cadet, faculty, and staff computers run identical E-mail, office suite, mathematics, and multimedia software, allowing faculty members to give instructions and assignments that incorporate configuration details. Technology support and security costs are reduced, so available dollars can be focused on improving capabilities rather than on security and middleware. Although cadets do not have complete freedom to connect devices and run disapproved software in the USMA network environment, cadets with bona fide educational needs to operate nonstandard configurations are able to do so in controlled circumstances under the guidance of a faculty mentor.

The lessons of ex p e r i e n c eare somewhat counterintuitive.The military and governmente n v i ronment of education atWest Point benefit its cadet stu-dents rather than detra c t i n gfrom their experience. A com-prehensive approach to IA forstudent computing is part ofthe solution, rather than aproblem to be solved. Ï

Lieutenant Colonel Eugene K. Ressler, Jr., is Professor of Computer Science and Associate Dean for Information and Educational Technology at the United States Military Academy (USMA) at West Point, New York. He has served as an Army engineer and computer scientist in various assignments. He graduated from the USMA in 1978 and received a master's degree in computer science from the University of California at Berkeley in 1984 and a Ph.D. in computer science from Cornell University in 1993. He may be reached at [email protected].

Colonel Clark K. Ray is the USMA Computer Science Program Director in the Department of Electrical Engineering and Computer Science and has previously served in Army engineering and automation assignments. He is a 1976 graduate of USMA and received his master's and Ph.D. degrees in computer and systems engineering from Rensselaer Polytechnic Institute. He may be reached at [email protected].


In Pursuit of the "Trustworthy" Enterprise

Mr. Sean P. O'Neil

Editor's Note: Inclusion of this product within the IAnewsletter does not constitute an endorsement by IATAC or DoD.

Today's consumers may be immediately concerned with protecting their Visa card numbers during on-line purchases, and until just a few weeks ago, government information technology (IT) managers were primarily obsessed with exterminating the year 2000 (Y2K) bug. However, individuals in both private and public sectors feel growing apprehension about security threats from the Internet.

Shared Concerns: Inside and Outside the Beltway

Citizens and government managers alike recognize not only the potential dangers posed by hackers, computer virus writers, Web saboteurs, and other Internet attackers, but also the need to increase the soundness of the overall Internet security infrastructure.

Just as businesses and consumers are beginning to tap the Internet's potential for electronic commerce (e-commerce) purposes, government agencies are leveraging the power of the Web to deliver enhanced services and information. However, with the efficiencies offered by the Internet come opportunities for disaster. As the world rushes into the Internet age, the opportunities for security breaches and cyber terrorism continue to escalate.

The Internet opens the e-commerce door to millions of users, while simultaneously exposing Web sites and placing at risk invaluable corporate data, mission-critical business applications, and consumers' confidential information. Web-enabling technologies also have the potential to compromise the integrity of government networks and crucial defense resources. The Internet may soon serve, in effect, to launch commercial hijackings and cyber terrorism directed against the U.S. national infrastructures.

A Real and Imminent Danger

According to the FBI, the average American corporation will experience a major electronic intrusion once every 2 years. On the government side, the General Accounting Office has warned that federal government systems such as tax collection, national defense, and air traffic control networks may face serious threats of severe disruption unless adequate defense measures are quickly put in place.

Fortunately, sophisticated tools are now available to protect e-commerce transactions, IT assets, and network resources. The most powerful of these e-commerce security tools are equally effective in sensitive government IT environments, where property and lives are at stake, not just dollars and credit ratings.

Computer Associates International, Inc., (CA) has developed such a tool. Its eTrust security solutions are used at government and commercial sites to safeguard information and maintain the integrity of vital enterprise resources. eTrust protects mission-critical IT resources and offers broad functionality, including risk assessment, attack detection, and consolidated administration of policy and audit trails. eTrust solutions can also be scaled to suit an environment of any size.

Government agencies and commercial entities deploy eTrust as either stand-alone products or as a comprehensive security suite. eTrust was designed to be used with CA's Unicenter TNG enterprise management solution, thus offering IT managers a consistent approach to building, deploying, and managing security as part of the larger IT administration and control task.

By supporting and exploiting security features of the OS/390, UNIX, and Windows NT operating systems and applications, eTrust's open, expandable architecture allows organizations to leverage their existing technology investments. Public key infrastructure (PKI), LDAP, and smart-card products are a few of the standards-based technologies used by Global 2000 customers and government clients in conjunction with CA's enterprise management and security products.

When the Firewalls Come Tumbling Down

Together with network intrusion detection systems, firewalls have traditionally provided first-level defense against external attacks. However, holes must be punched through firewalls to grant legitimate access to Web-enabled applications. Opening those paths provides an opportunity for hackers to exploit application or server vulnerabilities and breach security controls.

Equally disconcerting is the fact that moving to e-commerce and Internet-enabled environments has done nothing to eliminate traditional security threats. On the contrary, these developments have escalated vulnerabilities by increasing the number of people with access to specific internal services. For these reasons, conventional security devices are no longer effective by themselves. Simultaneously implementing several stand-alone security tools is also ineffective because it results in a patchwork solution that leaves weak spots unprotected.

Protecting Against Security Threats on All Fronts

Using eTrust, CA has partnered with government and commercial customers to provide a complete security solution tailored to specific requirements and organization goals, a solution that supports Internet use and also protects the infrastructure. Tight integration among eTrust offerings gives government agencies and business organizations enterprisewide security and also allows them to adopt eTrust solutions incrementally, since they work seamlessly with one another. Solutions include:

• eTrust Access Control, which provides policy-based control to determine who can access specific systems, what they can do with them, and when access is allowed
• eTrust Admin, which simplifies user and resource administration, reducing its complexity, expense, and susceptibility to error
• eTrust Audit, which collects enterprisewide security and system audit information
• eTrust Content Inspection, which safeguards systems connected to the Internet from malicious code attacks
• eTrust Directory, which ensures high performance and reliability of critical directory service applications
• eTrust Encryption, which seamlessly safeguards information against intrusion as it is transferred across a Transmission Control Protocol/Internet Protocol (TCP/IP) network
• eTrust OCSPro, which provides a scalable, distributed Online Certificate Status Protocol (OCSP) responder implementation, giving client applications the current status of a digital certificate from a trusted authority in real time
• eTrust Firewall, which controls Internet, intranet, and extranet access to mission-critical applications, excluding unauthorized users
• eTrust Intrusion Detection, which delivers advanced network protection and includes an integrated antivirus engine with automatic signature updates
• eTrust Policy Compliance, which enables organizations to protect against unauthorized usage or attacks by identifying potential weak points in security policies, automatically generating corrections, and constantly monitoring the network
• eTrust VPN, which delivers secure Internet communications and safeguards all virtual private network (VPN) uses.

CA also offers a Security Integrity Services (SIS) portfolio, which includes a complete range of consulting services for security assessment, policy development, product installation, support, implementation, and outsourcing. For further information on CA's eTrust products and services, see http://www.cai.com/solutions/enterprise/etrust.

Sean P. O'Neil is a freelance writer and President of Write Hand Communications, Inc. He holds an M.B.A. from Dowling College, as well as a B.A. in English from State University of New York at Albany. He may be reached at [email protected].

iatac chat

Third International Information Hiding Workshop

Mr. Robert P. Thompson, Director, IATAC

IATAC recently attended the Third International Information Hiding Workshop in Dresden, Germany. This workshop is the primary forum for scientists engaged in the field of Information Hiding techniques, including steganography and digital watermarking. The workshop focused on algorithms and techniques, rather than on systems and policy. The information presented at this workshop is intended to provide a comprehensive view of the current state-of-the-art in data embedding research.

Conference sessions were separated into steganography and watermarking tracks. The steganography track was divided into sessions on fundamentals, paradigms and examples, asymmetric steganography, engineering, and attacks. The watermarking track featured sessions on proofs of ownership, detection and decoding, watermarking techniques, protecting private and public watermarking information, new designs, robustness, and software and hardware protection.

The steganography sessions illustrated that steganography research is improving, and certain institutions are gaining expertise, along with more operational insight than is usually expected in academia. In general, steganography is designed to make it more difficult to detect embedded data. Researchers and developers are beginning to make more realistic assumptions about host data files; many are stating that the early assumption that the least significant bits of a host file are noise-like, and thus that Least Significant Bit (LSB) substitution goes unnoticed, appears to be false, and that the security of these techniques is questionable. Algorithm developers are paying more careful attention to where to hide data, focusing on areas with specific statistical properties rather than hiding data throughout the host file.

Figure 1. Watermarking System
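The LSB point above, as an added worked example (not code from any workshop paper or from IATAC): naive sequential LSB substitution measured against the pairs-of-values chi-square test of Westfeld and Pfitzmann. The cover is constructed, a flat list of 8-bit samples whose even codes are deliberately more frequent than odd ones; the payload is constructed random bytes; the threshold factor in `looks_embedded` is an illustrative assumption. Writing random bits into the LSB moves samples freely between the two members of each pair (2k, 2k+1), so their counts converge, and that convergence is precisely what the test scores. Because the embedding is sequential, a profile over growing prefixes also reveals where the message ends.

```python
"""Naive LSB substitution versus the pairs-of-values chi-square test.

Added example, not code from any workshop paper. The cover is a constructed
list of 8-bit samples whose even codes are deliberately more frequent than
odd ones, a tidy stand-in for the uneven pair statistics of real sensor data.
"""
import random


def make_cover(n_pixels, seed=1, odd_bias=0.2):
    """Constructed cover: bell-shaped histogram over the upper seven bits,
    LSB set with probability odd_bias, so within each pair (2k, 2k+1) the
    even value dominates."""
    rng = random.Random(seed)
    pixels = []
    for _ in range(n_pixels):
        k = min(127, max(0, int(rng.gauss(64, 20))))
        pixels.append(2 * k + (1 if rng.random() < odd_bias else 0))
    return pixels


def random_message(n_bytes, seed=2):
    """Constructed payload: uniformly random bytes, as an encrypted message would be."""
    rng = random.Random(seed)
    return bytes(rng.getrandbits(8) for _ in range(n_bytes))


def embed_lsb(pixels, message):
    """Overwrite the LSB of the first 8*len(message) samples, in order."""
    bits = [(byte >> (7 - i)) & 1 for byte in message for i in range(8)]
    if len(bits) > len(pixels):
        raise ValueError("message does not fit in cover")
    stego = list(pixels)
    for i, bit in enumerate(bits):
        stego[i] = (stego[i] & 0xFE) | bit
    return stego


def extract_lsb(pixels, n_bytes):
    """Read n_bytes back from the LSBs (sequential, unkeyed embedding)."""
    out = bytearray()
    for i in range(n_bytes):
        byte = 0
        for j in range(8):
            byte = (byte << 1) | (pixels[8 * i + j] & 1)
        out.append(byte)
    return bytes(out)


def pairs_of_values_chi2(pixels):
    """Chi-square over the 128 pairs (2k, 2k+1) against equal pair halves.

    Random LSBs make the counts of 2k and 2k+1 converge, so chi2 drops to
    about the number of occupied pairs (dof). A cover keeps its bias and
    scores far above dof. Returns (chi2, dof)."""
    counts = [0] * 256
    for p in pixels:
        counts[p] += 1
    chi2, dof = 0.0, 0
    for k in range(128):
        even, odd = counts[2 * k], counts[2 * k + 1]
        expected = (even + odd) / 2
        if expected == 0:
            continue
        chi2 += ((even - expected) ** 2 + (odd - expected) ** 2) / expected
        dof += 1
    return chi2, dof


def looks_embedded(pixels, factor=3.0):
    """Decision rule (factor is an assumed threshold): embedded if chi2 < factor*dof."""
    chi2, dof = pairs_of_values_chi2(pixels)
    return chi2 < factor * dof


def embedding_profile(pixels, step):
    """(prefix length, chi2/dof) over growing prefixes. With sequential
    embedding the ratio stays near 1 until the prefix runs past the end of
    the hidden message, leaking the message length as well as its presence."""
    profile = []
    for n in range(step, len(pixels) + 1, step):
        chi2, dof = pairs_of_values_chi2(pixels[:n])
        profile.append((n, chi2 / dof))
    return profile


if __name__ == "__main__":
    cover = make_cover(10_000)
    secret = random_message(200)              # 1,600 bits -> first 1,600 samples
    stego = embed_lsb(cover, secret)
    assert extract_lsb(stego, len(secret)) == secret
    chi2, dof = pairs_of_values_chi2(cover)
    print(f"cover: chi2/dof = {chi2 / dof:.1f}")
    for n, ratio in embedding_profile(stego, 800):
        print(f"first {n:5d} samples: chi2/dof = {ratio:.1f}")
```

Run it and compare the cover's chi2/dof against the stego prefixes: the ratio sits near 1 for the first 1,600 samples and then climbs as untouched cover enters the window. That statistical fingerprint is why the workshop's algorithm developers favor hiding data in regions with particular statistical properties rather than spraying it across the whole file.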

In the digital watermarking sessions, the IATAC state-of-the-art report on Data Embedding for Information Assurance concluded that advances in watermarking attacks were, in turn, forcing advances in watermarking techniques. Yet the research presented at the workshop largely ignored knowledge of common attack methods. Instead, the presentations described minor variations of existing techniques. There were several attempts to add theoretical rigor to watermarking techniques and protocols. While the mathematics presented were generally sound, the proofs made assumptions that had no strong basis in reality, and no attempt was made to prove that the assumptions were valid. Thus, it is hard to use the theoretical results to draw any conclusions about operational watermarking systems.

Ms. Elke Franz, from the Dresden University of Technology, presented a paper on "Steganography Secure Against Cover-Stego Attacks." The paper described techniques for avoiding steganography detection when the attacker has a copy of the overt host image (sometimes called the cover image). Ms. Franz proposed a steganography method that simulates the image scanning process. First, a scanner's statistics are modeled by repeatedly scanning the same image and observing the differences between the scanned image files, which yields a "noise" profile of the scanner. Ms. Franz described how an embedding algorithm had been designed to reproduce that scanner model. She claims that the embedding process will be indistinguishable from an image obtained from a specific scanner.

Ms. Franz then provided the workshop attendees significant insight into the steganography detection process. She observed that the details of a digitized image depend on the acquisition method. Common open-source steganography methods ignore this fact. She also observed that the details of the embedded data, such as the compression and encryption methods used and the type of overt host, could affect the ability to detect embedded data. Ms. Franz explained two methods that an attacker might use to manipulate overt host and embedded data. The first method is to establish a Web site that is an attractive and convenient source of overt host data files, except that the files are selected to be poor candidates for embedding data. The second method is to seed freeware or shareware compression and encryption programs on the Web. These programs would be designed to prepare embedded data in a way that makes it easier to detect.

For more information on the workshop and a summary of significant papers presented, contact IATAC at 703.289.5454 or via e-mail at [email protected].

Figure 2. Example of a Generic Steganography System


IAC Awareness Conference

May 16, 2000
Hope Hotel, Wright Patterson AFB, Dayton, OH

"Key Challenges" to Meet Joint Vision 2010

The theme of this conference is "Key Challenges" that need to be conquered to enable us to meet Joint Vision 2010. The meeting is open to all Department of Defense (DoD) and associated industry personnel. This meeting will promote IAC Awareness with an emphasis on the needs of the warfighter.

The objective of this conference is to explore the strategic direction and the resulting requirements of information technology and services necessary to support DoD. To that end, an aggressive agenda with senior-level participants will provide an opportunity to discuss and share valuable insights between the Research and Development and warfighter communities.

Those in attendance will include policy makers, DoD program managers, researchers, analysts, information providers, and information users. This conference will address the information needs of the warfighter, along with the current and future information technology initiatives to support those needs in the new millennium. The impact of changes in the policies, procedures, and technologies of information now and in the future, and the subsequent impact on DoD, will also be addressed.

DoD IACs will have exhibits in the display area highlighting their capabilities, products, and services.

Register electronically at http://iac.dtic.mil/surviac/announce

Additional information: Donna Egner, SURVIAC, 937.255.4840, e-mail: [email protected]


products

Defense in Depth Critical Review & Technology Assessment (CR/TA) Report

Attacks on DoD systems have expanded from simple wiretaps and viruses to session hijacks and trojan horses, and the types and sophistication of these attacks are constantly evolving. In response to these threats, the DoD response has also evolved. In recognition of the growing threat and complexity of this problem, DoD developed the defense in depth strategy to protect its networks and information systems.

This report describes the impact of evolving technology on the defense in depth strategy. The execution of the strategy requires a significant number of different security and networking technologies. This report focuses on examining the trends and giving an overview of the relevant technologies. It reviews the defense in depth strategy and discusses its implementation in the Defense Information Infrastructure (DII). Key elements of the strategy and its current implementation are discussed.

Vulnerability Analysis Tools Report 2nd Edition

This newly updated report provides an index of the vulnerability analysis tool descriptions contained in the IATAC Information Assurance Tools Database. It summarizes the pertinent information, providing users with a brief description of available tools and contact information. As a living document, this report will be updated periodically as additional information is entered into the Information Assurance Tools Database. Currently the IA Tools database contains descriptions of 38 tools that can be used to support vulnerability and risk assessment.

Data Mining CR/TA

This report provides an overview of data mining techniques, applications, and COTS data mining software products. Data mining is used to discover previously unknown and meaningful relationships by sifting through large amounts of stored data. Data mining has applications in marketing, information assurance, risk management, and fraud management. To help users select a product that best meets their objectives, data mining tool evaluation criteria are provided. A table summarizing the features of available products is also provided.

Intrusion Detection Tools Report 2nd Ed.

This newly updated report provides an index of intrusion detection tool descriptions contained in the IA Tools Database. Research for this report identified 46 intrusion detection tools currently employed and available.


Data Embedding for IA SOAR

Provides an assessment of the state-of-the-art in data embedding technology and its application to IA. It is particularly relevant to information "providers" concerned about intellectual property protection and access control; information "consumers" who are concerned about the security and validation of critical information; and law enforcement, military, and corporate organizations concerned about efforts to communicate covertly. The report has been specifically designed for readers who are not experts in data embedding. For more in-depth information, the bibliography provides an extensive list of authoritative sources from which the reader can obtain additional technical detail.

Computer Forensics—Tools and Methodology

This report provides a comparative analysis of currently available software tools used in computer forensic examinations. It provides a useful introduction to this specific area of science, and offers practical high-level guidance on how to respond to computer system intrusions. This report provides a useful analysis of specific products, including their respective capabilities, unique features, cost, and associated vendors.

Firewall Tools Report

This report provides users with a brief description of available firewall tools and contact information. Currently the IA tools database contains 46 firewall tools that are available in the commercial marketplace.

Malicious Code Detection SOAR

This report includes a taxonomy for malicious software, providing a better understanding of commercial malicious software. An overview of the state-of-the-art commercial products and initiatives, as well as future trends, is presented. The report presents observations and assertions to support the DoD as it grapples with this problem entering the 21st century. This report is classified and has a limited release.

Modeling & Simulation Technical Report

This report, released December 1997, describes the models, simulations and tools being used or developed by organizations within DoD.

Biometrics: Fingerprint Identification Systems

Focuses on fingerprint biometric systems used in the verification mode. Such systems, often used to control physical access to secure areas, also allow system administrators to control access to computer resources and applications. Information provided in this document is of value to anyone desiring to learn about biometric systems. The contents are primarily intended to assist individuals responsible for effectively integrating fingerprint identification products into their network environments to support the existing security policies of their respective organizations.

Order Form on Page 35


DoD Computer Crime Workshop
May 8–12
Colorado Springs, CO

Targeting 3 Key Functions
• Information Assurance Officer
• Installation Criminal Investigator
• Installation Staff Judge Advocate

www.TechnologyForums.com or call 877.448.3976

Sponsored by DIAP

vice attack occurs, connectivity may have to be restored selectively starting with critical systems.

• Define what is acceptable as an outage. Most of the observed attacks have only lasted 3–5 hours. A possible response may be to wait for the attack to subside on its own. Any useful response may take several hours to diagnose and execute.

• Be able to rule out normal network outages and configuration errors. Most outages that a site experiences are the result of normal hardware failures and configuration errors rather than the result of a malicious attack. It is essential that the true cause of an outage be identified so the proper fix-action plan can be applied.

• Be prepared to use a network sniffer/analyzer on the enclave's NIPRNET connection. If a site is under a network attack, information from these tools will be invaluable in taking prudent countermeasures. Remember, remotely controlled/accessed sniffers will likely be inaccessible as a result of the attack.

• Know who your upstream provider is. If a site is under an attack, blocking the attack must happen upstream of the target to be effective. Sites should contact either their appropriate Service CERTs or the DoD-CERT for support in the event of an attack.
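The last three points above, as an added worked example (not from the DoD-CERT article or its tool reports): a small triage script that reads tcpdump-style one-line summaries from a sniffer on the enclave's external connection and separates a distributed SYN flood from ordinary traffic and from an empty capture. Both captures in the block are constructed (RFC 5737 documentation addresses, fabricated timestamps), and the thresholds `syn_pps_limit` and `min_sources` are illustrative assumptions to be tuned against a site's own baseline. The source count is the figure that decides the response: once the SYNs arrive from hundreds of (probably spoofed) addresses, per-source blocking at the site is pointless and the filter has to go in upstream.

```python
"""Triage a sniffer capture during a suspected denial of service.

Added example; the input mimics tcpdump's one-line TCP summaries and both
captures are constructed with RFC 5737 documentation addresses.
"""
import random
import re
from collections import Counter

# One tcpdump-style line, e.g.
# 12:00:00.003333 IP 203.0.113.7.40123 > 198.51.100.10.80: Flags [S], length 0
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+) IP (?P<src>[\d.]+)\.(?P<sport>\d+) > "
    r"(?P<dst>[\d.]+)\.(?P<dport>\d+): Flags \[(?P<flags>[^\]]*)\]"
)


def parse(lines):
    """Return (seconds, src, dst, dport, flags) for each line that parses;
    ARP, ICMP and other non-TCP lines are skipped."""
    pkts = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        h, mi, s = m["ts"].split(":")
        pkts.append((int(h) * 3600 + int(mi) * 60 + float(s),
                     m["src"], m["dst"], int(m["dport"]), m["flags"]))
    return pkts


def triage(lines, syn_pps_limit=200, min_sources=50):
    """Summarize the busiest destination and decide whether it looks flooded.

    syn_pps_limit and min_sources are assumed thresholds; derive them from the
    site's normal traffic, not from this example."""
    pkts = parse(lines)
    if not pkts:
        return {"verdict": "nothing parsed: verify the tap and the link before "
                           "calling it an attack"}
    span = max(p[0] for p in pkts) - min(p[0] for p in pkts) or 1.0
    target, _ = Counter((p[2], p[3]) for p in pkts).most_common(1)[0]
    to_target = [p for p in pkts if (p[2], p[3]) == target]
    syn_only = sum(1 for p in to_target if p[4] == "S")
    stats = {
        "target": f"{target[0]}:{target[1]}",
        "pps": len(to_target) / span,
        "syn_pps": syn_only / span,
        "syn_ratio": syn_only / len(to_target),
        "sources": len({p[1] for p in to_target}),
    }
    if stats["syn_pps"] >= syn_pps_limit and stats["sources"] >= min_sources:
        stats["verdict"] = ("syn flood from many sources: filter upstream, "
                            "per-source blocking at the site will not help")
    else:
        stats["verdict"] = "no flood signature"
    return stats


def _tcpdump_line(seconds, src, sport, dst, dport, flags):
    return f"12:00:{seconds:09.6f} IP {src}.{sport} > {dst}.{dport}: Flags [{flags}], length 0"


def constructed_flood(n=600, seed=7):
    """Constructed capture: n SYNs in two seconds from random spoofed sources."""
    rng = random.Random(seed)
    return [_tcpdump_line(i * 2.0 / n,
                          f"{rng.choice(['203.0.113', '192.0.2'])}.{rng.randrange(1, 255)}",
                          rng.randrange(1024, 65536), "198.51.100.10", 80, "S")
            for i in range(n)]


def constructed_baseline():
    """Constructed capture: three ordinary flows over ten seconds."""
    flows = [("203.0.113.21", 51000), ("203.0.113.22", 51001), ("192.0.2.9", 51002)]
    lines = []
    for i in range(20):
        src, sport = flows[i % 3]
        flags = ["S", ".", "P.", "."][i % 4]
        lines.append(_tcpdump_line(i * 0.5, src, sport, "198.51.100.10", 80, flags))
    return lines


if __name__ == "__main__":
    for name, capture in (("flood", constructed_flood()), ("baseline", constructed_baseline())):
        print(name, triage(capture))
```

The empty-capture branch matters as much as the flood branch: an outage with no packets on the external link is far more often a dead circuit or a misconfiguration than an attack, which is the second bullet's point. When the verdict is a flood, the `target`, `syn_pps` and `sources` fields are what the upstream provider or Service CERT will ask for first.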

For more information

DoD-CERT has released both technical tool reports and situational awareness reports on the known Distributed Denial of Service tools on their homepage:
http://www.cert.mil/reports/tools/index.html
http://www.cert.mil/reports/sitaware/index.html

In addition, DoD-CERT and other security leaders from the industry attended a "Distributed-Systems Intruder Tools" workshop hosted by CERT/CC in November 1999. The results of the workshop may be obtained at http://www.cert.org/reports/dsit_workshop.html

For up-to-date security information, users can visit the DoD-CERT Web site at http://www.cert.mil. Users can also contact the DoD-CERT via the following methods:

Phone: 703.607.4700, 800.357.4231, DSN 327.4700
E-mail: [email protected]

1Lt Brian Dunphy, USAF, is on the Senior Technical Staff of the DoD Computer Emergency Response Team, Defense Information Systems Agency, Arlington, VA. He received his B.S. in Electrical and Computer Engineering from Carnegie Mellon University in May 1996. He may be reached at [email protected].

Distributed Denial of Service Tools (continued from page 12)


order form

IMPORTANT NOTE: All IATAC products are distributed through DTIC. If you are NOT a registered DTIC user, you must register PRIOR to ordering any IATAC products. TO REGISTER ON-LINE: http://www.dtic.mil/dtic/regprocess.html.

Name________________________________________________________DTIC User Code ________________________

Organization ______________________________________________________Ofc. Symbol ________________________

Address________________________________________ Phone _________________________________________

______________________________________________ E-mail _________________________________________

______________________________________________ Fax ___________________________________________

DoD Organization? [ ] YES [ ] NO   If NO, complete the LIMITED DISTRIBUTION section below.

LIMITED DISTRIBUTION

Technical Reports
[ ] Biometrics [ ] Computer Forensics [ ] Defense in Depth [ ] Data Mining [ ] IA Metrics [ ] Modeling & Simulation

IA Tools Reports
[ ] Firewalls [ ] Intrusion Detection (2nd Ed.) [ ] Vulnerability Analysis (2nd Ed.)

State-of-the-Art Reports
[ ] Data Embedding for Information Assurance [ ] Visualization
[ ] Malicious Code Detection ( [ ] TOP SECRET [ ] SECRET )

Security POC ____________________ Security Phone ____________________

UNLIMITED DISTRIBUTION

Newsletters (Limited number of back issues available)
[ ] Vol. 1, No. 1 [ ] Vol. 1, No. 2 [ ] Vol. 1, No. 3
[ ] Vol. 2, No. 1 [ ] Vol. 2, No. 2 (soft copy only) [ ] Vol. 2, No. 3 [ ] Vol. 2, No. 4
[ ] Vol. 3, No. 1 [ ] Vol. 3, No. 2 [ ] Vol. 3, No. 3

Please list the Government Program(s)/Project(s) that the product(s) will be used to support:_________________________

___________________________________________________________________________________________________

___________________________________________________________________________________________________

Once completed, fax to IATAC at 703.289.5467

In order for non-DoD organizations to obtain LIMITED DISTRIBUTION products, a formal written request must be sent to IAC Program Office, ATTN: Sherry Davis, 8725 John Kingman Road, Suite 0944, Ft. Belvoir, VA 22060-6218

Contract No. ____________________ (For contractors to obtain reports, the request must support a program and be verified with the COTR)

COTR ____________________ Phone ____________________


April 25–27   DISA Annual DII Conference, Arlington, VA. Call Ms. Linda Scofield, 703.607.6514, [email protected]

April 25–27   Fiesta Informacion 2000, San Antonio, TX. Call J. Spargo & Associates, 703.631.6200. COME SEE OUR BOOTH!

May 8–12   DoD Computer Crime Workshop, Colorado Springs, CO. Call 877.4IT.EXPO (877.448.3976), www.TechnologyForums.com

May 16   IAC Awareness and Business Meeting, Dayton, OH. Call Donna Egner, SURVIAC, 937.255.4840, e-mail: [email protected]. COME SEE OUR BOOTH!

June 6–9   2000 Annual USPACOM IA Conference, Ilikai Hotel, Honolulu, HI. Call Maj Veronica Baker, 808.477.1046, [email protected]

June 8   Information Assurance Technical Framework Forum, Gaithersburg, MD. Subject: PKI/KMI. Call Mr. John Niemczuk, 410.684.6246, http://www.iatf.net

July 20   Information Assurance Technical Framework Forum, Linthicum, MD. Subject: "Detect and Respond". Call Mr. John Niemczuk, 410.684.6246, http://www.iatf.net

Information Assurance Technology Analysis Center
3190 Fairview Park Drive
Falls Church, VA 22042