Information Security USER AWARENESS TRAINING 1999 by Bill Cleveland

Posted on 18-Dec-2015

TRANSCRIPT

Page 1: Information Security USER AWARENESS TRAINING 1999 by Bill Cleveland

Information Security

USER AWARENESS TRAINING

1999

by Bill Cleveland

Page 2:

INFORMATION SECURITY STAFF

USAID Information Systems Security Officer: Jim Craft <[email protected]> (202) 712-4559

Senior Security Consultants: Mike Fuksa <[email protected]> (202) 712-1096; Ante Penaso <[email protected]> (703) 465-7008

Security Training and Awareness Consultant: Bill Cleveland <[email protected]> (703) 465-7054

Page 3:

BRIEFING OBJECTIVES

AIS SECURITY
- Why is it important?
- What is Automated Information Security / Computer Security?
- Current Issues (Threats / Vulnerabilities / Countermeasures)
- Contingency Planning
- Conclusion
- Open Discussion

Page 4:

Information Security

Why is it important?

Page 5:

COMPUTER SECURITY

Definition - Measures required to protect against unauthorized (accidental or intentional) disclosure, modification or destruction of Automated Information Systems, networks and computer resources, or denial of service to process data.

Page 6:

NUMBER ONE

- We are a computerized society
- Nearly everything we do utilizes computers
- How much data do you maintain that isn't contained on a computer somewhere?
- All computers are vulnerable

Page 7:

NUMBER TWO

Much of what we compromise is done through unclassified open source publications, conventions, consortiums, patents, etc.

All this tied together provides a pretty complete paint-by-the-numbers picture.

Page 8:

IN THE PAST FEW COMPUTERS WERE AVAILABLE, AND ONLY SPECIALISTS COULD USE THEM

Page 9:

TODAY, COMPUTERS ARE COMMON EQUIPMENT, AND (ALMOST) ANYONE CAN USE THEM...

Page 10:

HEADLINE SECURITY STORIES

(Collage of newspaper clippings; only the fragments recoverable from the slide are kept below, each cut off where the clipping is.)

"Security Breaches Up Dramatically on Milnet" by Florence Gore - Army, Navy, Air Force and Defense Department ...

"Youths charged in computer plot" - CHICAGO - Two high school juniors from suburban Palatine have ...

"6,000 Computer Security Breaches Detailed in Agriculture Dept. Report" by Robert Pear, Washington Star Staff Writer - Agriculture Department procedures and data files containing large amounts of sensitive information, including the names of persons who received government checks, were breached to the ...

"Marines Faulted Over Care of Secrets" by Neil Roland, United Press International - Sensitive unclassified and classified material could go undetected, auditors found. Auditors did not say they had found instances of espionage. But the report said Marine Corps personnel sometimes granted civilian contractors access to classified documents even though the civilians needed security clearances. Maj Ron Stokes, a ...

"Peace Activist Found Guilty of Wrecking DoD Computer" by Eric Fredell, Special to GCN - Some computers just ask for a good whacking. In June at Vandenberg Air Force Base in California a peace activist was found destroying a computer. She gave it a right with a ...

Page 11:

Security becomes more and more work, as we all are learning.....

Page 12:

WHAT IS AIS SECURITY / COMPUTER SECURITY?

Page 13:

AIS Security

- Provides a reasonable level of protection against destruction or partial destruction of your computer systems that could result in partial or total denial of services to the system users.
- The protection of data and software from unauthorized access.

Page 14:

AIS SECURITY PERTAINS TO -

- Physical
- Personnel
- Hardware
- Software
- Communications
- Emanations
- Administrative / Operations
- Data / Information

Page 15:

PHYSICAL SECURITY

Physical security is that part of security concerned with physical measures designed to safeguard personnel, to prevent unauthorized access to equipment, installations, material, and documents, and theft. Physical security and AIS security go hand in hand.

Page 16:

AIS SECURITY IS COMPLEX

(Diagram: AIS SECURITY at the center, surrounded by INFOSEC, TEMPEST, COMSEC, ADMIN, PHYSICAL, HARDWARE, SOFTWARE and PERSONNEL.)

Page 17:

IS SYSTEM = HARDWARE + SOFTWARE / DATA + FACILITIES + PEOPLE

Page 18:

WHY INFORMATION SECURITY?

- Mission
- Cost
- Data / Software Dependence

Page 19:

WHY -

Two Reasons:
- It makes sense
- It's the law

Page 20:

COMPUTER SECURITY IS EVERYONE'S RESPONSIBILITY

Cooperation and support from all personnel throughout the activity is an essential key to a successful program!

(Figure labels: End User Supervisors, New Employees, End Users)

Page 21:

DATA CLASSIFICATIONS

- CLASSIFIED (CONFIDENTIAL, SECRET, TOP SECRET)
- SENSITIVE BUT UNCLASSIFIED (TECHNICAL, PROPRIETARY, PROGRAM SPECIFIC)
- UNCLASSIFIED

Page 22:

DATA CLASSIFICATION - CLASSIFIED

Confidential - Secret - Top Secret

To Access Classified Material -
- Appropriate Clearance Level
- Need-to-Know
- Access Approval

Special Handling and Storage Requirements
- Magnetic media may not be shredded, only burned or degaussed by an approved degausser (TS may only be destroyed)

Page 23:

CLASSIFIED PROCESSING

Unless your computer has been certified by NSA as meeting the Trusted Computer System Evaluation Criteria at class B2 (the level required for multilevel secure mode), as soon as you introduce classified data into your system, all data on all media and devices associated with the system is classified at the highest level of data contained on the system.

The system and all of its data (100%) remains classified at that level until the system has been sanitized (declassified) by use of approved methods.
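The two rules on this slide and the previous one (access needs clearance level and need-to-know; a system's label ratchets up to the highest data it has held until sanitized) are a small lattice model, written out here as an added example that is not part of the original briefing. Level names follow slide 21; the compartment tags ("NUCLEAR", "CRYPTO"), the system name and the media names are assumptions made for the example.

```python
# Added example, not from the slides: clearance + need-to-know access check
# (slide 22) and the "high water mark" rule for a system that has held
# classified data (slide 23). Compartment tags and names are assumptions.

from dataclasses import dataclass, field

# Hierarchical levels from slide 21, lowest to highest.
LEVELS = {"UNCLASSIFIED": 0, "CONFIDENTIAL": 1, "SECRET": 2, "TOP SECRET": 3}


@dataclass(frozen=True)
class Label:
    """A security label: a level plus the need-to-know compartments it requires."""
    level: str
    compartments: frozenset = frozenset()

    def dominates(self, other: "Label") -> bool:
        """True if this label is at least as high AND holds every compartment of
        the other (the lattice 'dominates' relation)."""
        return (LEVELS[self.level] >= LEVELS[other.level]
                and self.compartments >= other.compartments)


def may_read(clearance: Label, data: Label) -> bool:
    """Slide 22: appropriate clearance level AND need-to-know. A SECRET clearance
    without the compartment still cannot read SECRET/NUCLEAR data."""
    return clearance.dominates(data)


@dataclass
class System:
    """A computer whose label only ever ratchets upward as data is introduced."""
    name: str
    accredited_for: str = "UNCLASSIFIED"
    label: Label = field(default_factory=lambda: Label("UNCLASSIFIED"))
    media: list = field(default_factory=list)

    def processing_allowed(self, data: Label) -> bool:
        """Slide 60: a system may only process data up to its accredited level."""
        return LEVELS[self.accredited_for] >= LEVELS[data.level]

    def introduce(self, medium: str, data: Label) -> Label:
        """Slide 23: the system and every medium attached to it become classified
        at the highest level of any data the system has held."""
        self.media.append(medium)
        high = max(self.label.level, data.level, key=LEVELS.__getitem__)
        self.label = Label(high, self.label.compartments | data.compartments)
        return self.label

    def sanitize(self) -> Label:
        """Only an approved sanitization (declassification) brings the label down."""
        self.media.clear()
        self.label = Label("UNCLASSIFIED")
        return self.label


def demo() -> dict:
    """Walk one unclassified-accredited PC through contamination and clean-up."""
    pc = System("office-pc")
    secret_memo = Label("SECRET", frozenset({"NUCLEAR"}))
    steps = {"allowed_before": pc.processing_allowed(secret_memo)}   # False
    pc.introduce("floppy-1", Label("UNCLASSIFIED"))
    pc.introduce("memo.doc", secret_memo)   # the whole PC is now SECRET/NUCLEAR
    steps["label_after"] = pc.label
    # The floppy that held only unclassified data is now SECRET too: a user
    # cleared only to CONFIDENTIAL, or SECRET without the compartment, may not have it.
    steps["confidential_user_may_read"] = may_read(Label("CONFIDENTIAL"), pc.label)
    steps["secret_no_compartment_may_read"] = may_read(Label("SECRET"), pc.label)
    steps["cleared_user_may_read"] = may_read(
        Label("TOP SECRET", frozenset({"NUCLEAR", "CRYPTO"})), pc.label)
    steps["label_after_sanitize"] = pc.sanitize()
    return steps


if __name__ == "__main__":
    for step, result in demo().items():
        print(f"{step}: {result}")
```

The point the model makes concrete is that the unclassified floppy becomes SECRET the moment it shares a system with the memo, and nothing short of sanitizing the whole system brings the label down.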

Pages 24-30: (one slide built up a line at a time; shown here once in full)

DATA CLASSIFICATION - SENSITIVE BUT UNCLASSIFIED

Sensitive Unclassified includes:
- For Official Use Only (FOUO)
- Privacy Act Information
- Contract Information
- Technical Information
- Budget Information
- Financial / Payroll Information
- Proprietary Information

Pages 31-35: (one slide built up a line at a time; shown here once in full)

DATA CLASSIFICATION - SENSITIVE BUT UNCLASSIFIED (Cont.)

Requires Special Handling, Storage and Destruction
- If kept on desk, turn over or store in desk, file cabinet or notebook
- Destruction must be done in such a way as to prevent reconstruction.

(Cartoon caption: "OOPS, DROPSIES")

Page 36:

CURRENT ISSUES

THREATS / VULNERABILITIES / COUNTERMEASURES

Page 37:

THREATS

- An activity, deliberate or unintentional, with the potential for causing harm to an Automated Information System
- Manifestation of a threat results in degraded mission accomplishment
- Threat identification includes both known threats and reliably postulated threats. Lack of evidence does not rule out the existence of a threat

Page 38:

CATEGORIES OF THREATS

- NATURAL - Hurricane, Fire, Flood, Earthquake
- MAN-MADE - Intentional: Viruses, Espionage, Sharing Passwords, Inadequate Backups
- UNINTENTIONAL - Accidental: Power loss, Forgetting Password, Unattended Terminal Display, Food / Drinks

Page 39:

SOME AIS SECURITY THREATS

- Fire
- Flood / Water Damage
- Wind Damage
- Snow / Ice Storms
- Power Loss
- Unauthorized Access
- Espionage
- Food / Drinks

Page 40:

SOME AIS SECURITY THREATS (Cont.)

- Sabotage
- Unauthorized Software / Data Modification
- System / Application Programmer Errors
- Operator / User Errors and Omissions
- Communications Failure
- Fraud and Abuse

Page 41:

JAVA Issues

Denial of service

Page 42:

Hostile applet from the slide, corrected so that it does what the slide says: the slide wrote Thread.MAX_Priority (the constant is MAX_PRIORITY) and called run() instead of start(), which would only recurse on the calling thread rather than spawn new ones. The applet API is deprecated and modern browsers no longer run applets; the code is kept as a historical illustration of a denial of service.

    import java.applet.Applet;

    // Denial of service: every thread creates and starts another thread of
    // itself, at maximum priority, until the browser's JVM runs out of resources.
    public class InfiniteThreads extends Applet implements Runnable
    {
        Thread wasteResources = null;
        volatile boolean StopThreads = false;

        // The browser calls start() when the page containing the applet is shown.
        public void start ()
        {
            wasteResources = new Thread(this);
            wasteResources.setPriority(Thread.MAX_PRIORITY);
            wasteResources.start();
        }

        // Each thread loops, spawning yet another copy of itself.
        public void run ()
        {
            while (!StopThreads)
            {
                wasteResources = new Thread(this);
                wasteResources.setPriority(Thread.MAX_PRIORITY);
                wasteResources.start();
            }
        }

        // The browser calls stop() when the page is left; in practice the JVM is
        // exhausted long before any thread sees the flag.
        public void stop ()
        {
            StopThreads = true;
        }
    }

Page 43:

Web Spoofing

- Easy to do
- Spectacular effect
- Impossible to prevent
- Pre-warned is Pre-armed!!!!!

Page 44:

E-mail Spoofing

- Forge a false e-mail
- Easy to do
- Impossible to prevent
- Authenticate: sign internal messages
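What "authenticate, sign internal messages" buys you, as an added example that is not part of the briefing: a mail gateway that shares a key with the recipients (an assumption) computes an HMAC over the headers a forger would change plus the body, and a message with a changed From:, a swapped body, or no tag at all fails verification. The key, addresses and message text are constructed for the example.

```python
# Added example, not from the slides: signing internal e-mail with an HMAC so
# that spoofed or altered messages can be rejected. The gateway key, the
# header names and the messages below are constructed for this example.

import hashlib
import hmac

SIGNED_HEADERS = ("From", "To", "Date", "Subject")   # the fields a forger targets
SIG_HEADER = "X-Internal-Signature"                  # assumed header name


def canonical(headers: dict, body: str) -> bytes:
    """Bind the signed headers to the body in a fixed order and spelling, so the
    same message always produces the same bytes to authenticate."""
    lines = [f"{h.lower()}:{headers.get(h, '').strip()}" for h in SIGNED_HEADERS]
    return ("\n".join(lines) + "\n\n" + body).encode()


def sign(key: bytes, headers: dict, body: str) -> dict:
    """Return a copy of the headers with the HMAC-SHA256 tag attached."""
    tag = hmac.new(key, canonical(headers, body), hashlib.sha256).hexdigest()
    return {**headers, SIG_HEADER: tag}


def verify(key: bytes, headers: dict, body: str) -> bool:
    """True only if a tag is present and matches; the comparison is constant-time
    so an attacker cannot learn the tag byte by byte from timing."""
    tag = headers.get(SIG_HEADER)
    if tag is None:
        return False
    expected = hmac.new(key, canonical(headers, body), hashlib.sha256).hexdigest()
    return hmac.compare_digest(tag.encode(), expected.encode())


KEY = b"constructed-gateway-key-do-not-reuse"   # constructed; in practice from a key store
BODY = "Call the help desk; never e-mail your password."

# A genuine internal message, as the gateway would emit it.
GENUINE = sign(KEY, {"From": "isso@agency.example", "To": "staff@agency.example",
                     "Date": "Mon, 1 Mar 1999 09:00:00 -0500",
                     "Subject": "Password reset procedure"}, BODY)


def spoofed_from(genuine: dict, body: str) -> bool:
    """Attacker replays the genuine message but changes From: to impersonate."""
    forged = {**genuine, "From": "director@agency.example"}
    return verify(KEY, forged, body)


def spoofed_body(genuine: dict) -> bool:
    """Attacker keeps the real headers and tag but substitutes the body."""
    return verify(KEY, genuine, "Reply to this message with your password.")


def unsigned_forgery() -> bool:
    """A message that never passed through the gateway carries no tag at all."""
    forged = {"From": "director@agency.example", "To": "staff@agency.example",
              "Date": "Mon, 1 Mar 1999 09:05:00 -0500", "Subject": "Urgent"}
    return verify(KEY, forged, "Send me the payroll file.")


if __name__ == "__main__":
    print("genuine verifies:", verify(KEY, GENUINE, BODY))          # True
    print("spoofed From verifies:", spoofed_from(GENUINE, BODY))    # False
    print("altered body verifies:", spoofed_body(GENUINE))          # False
    print("unsigned forgery verifies:", unsigned_forgery())         # False
```

A shared-key MAC is enough for the slide's case, internal messages checked by the organization's own gateway. Between organizations, where the recipient must not hold the key that can create tags, the same canonical bytes would be signed with a public-key signature instead (S/MIME or PGP); the verification logic is otherwise identical.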

Page 45:

Social Engineering

- Easy to do
- Easy to prevent
- Don't share passwords

(Cartoon: "Userid: mreiter / password: mreiter" - "Share my System!" - "WRONG!")

Page 46:

COMPUTER VIOLATIONS, FRAUD, AND ABUSE

- 70 - 80% of annual loss related to computers is committed by employees
- 20% of the total computer-related loss is committed by disgruntled employees
- 60% of the total computer-related loss is caused through human errors or accidents

(Mock headlines: "FLASH - Disgruntled employee sabotages classified AIS systems"; "15 computers have been destroyed by negligence")

No one here would ever do that! Would they?

Page 47:

THREATS - IMPACTS ON COMPUTER RESOURCES

- Destruction
- Modification
- Disclosure
- Denial of Service

(Cartoon: "How will I ever get my work done now!!!!!!")

Page 48:

THREAT - VIRUS

- Virus - run antivirus programs on a regular basis.
- Do not use any outside floppies / disks on your system without running a virus scan first. Many viruses are introduced because virus scanning was not performed.
- No illegal duplication of S/W rule - this reduces the spread of viruses and avoids legal headaches.

Page 49:

VULNERABILITY

A vulnerability is a flaw or weakness that may be exploited by a threat agent to cause harm to an AIS system or network.

Page 50:

SOME VULNERABILITIES

- Open Building / Room Policy
- Disgruntled Employees
- Lack of Security Awareness
- Inadequate Supervision
- Software / Hardware

Page 51:

THREAT / VULNERABILITY

Data Alteration, Outside Access - This is why audit trails are so important. Check data processing against tasking and logged computer time for suspicious discrepancies.

In the case where laptops / portables are used by multiple users, keep a written log of who checked it out and when it was returned.

(Check-out log form: Toshiba Laptop, MINOR 109999; columns NAME and DATE)
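The check the slide describes, audit trail against tasking and logged time, as detection logic over a few constructed log lines. This is an added example and not part of the briefing; the log format, user names, tasking roster, working hours and internal network range are all assumptions made for it.

```python
# Added example, not from the slides: review an audit trail against the tasking
# roster and the hours people are logged as working. Log format, users,
# objects, hours and the internal network are constructed assumptions.

import ipaddress
import re
from datetime import datetime, time

LOG_RE = re.compile(
    r"^(?P<ts>\S+ \S+) host=(?P<host>\S+) user=(?P<user>\S+) "
    r"action=(?P<action>\S+) object=(?P<obj>\S+) src=(?P<src>\S+)$")

# Tasking: which datasets each user is assigned to work on (constructed).
TASKING = {"jdoe": {"PAYROLL-Q1"}, "mreiter": {"CONTRACT-77", "BUDGET-FY99"}}
WORK_HOURS = (time(7, 0), time(18, 0))               # logged duty hours (assumed)
INTERNAL_NET = ipaddress.ip_network("10.1.0.0/16")   # office LAN (assumed)

# Constructed audit log; the last line is deliberately malformed.
AUDIT_LOG = """\
1999-03-02 09:14:05 host=ws12 user=jdoe action=READ object=PAYROLL-Q1 src=10.1.4.22
1999-03-02 11:02:41 host=ws07 user=mreiter action=READ object=BUDGET-FY99 src=10.1.4.31
1999-03-02 12:30:00 host=ws07 user=mreiter action=READ object=PAYROLL-Q1 src=10.1.4.31
1999-03-02 23:47:19 host=ws12 user=jdoe action=MODIFY object=PAYROLL-Q1 src=10.1.4.22
1999-03-03 10:05:58 host=srv01 user=guest action=MODIFY object=CONTRACT-77 src=192.0.2.77
1999-03-03 10:06:10 host=srv01 bad line that does not parse
"""


def parse(line: str):
    """One audit record as a dict, or None if the line is not in the expected format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%d %H:%M:%S")
    return rec


def findings_for(rec: dict) -> list:
    """Discrepancies between one record and what the tasking says should happen."""
    found = []
    if rec["obj"] not in TASKING.get(rec["user"], set()):
        found.append("not-tasked")            # user has no assignment to this dataset
    if not (WORK_HOURS[0] <= rec["ts"].time() <= WORK_HOURS[1]):
        found.append("after-hours")           # activity outside logged working time
    if rec["action"] == "MODIFY" and ipaddress.ip_address(rec["src"]) not in INTERNAL_NET:
        found.append("external-modify")       # data alteration from outside the LAN
    return found


def review(log_text: str) -> dict:
    """Run every record through the checks; unparseable lines are counted, because
    gaps in an audit trail are themselves something to investigate."""
    report = {"events": 0, "unparsed": 0, "flagged": []}
    for line in log_text.splitlines():
        rec = parse(line)
        if rec is None:
            report["unparsed"] += 1
            continue
        report["events"] += 1
        found = findings_for(rec)
        if found:
            report["flagged"].append(
                (rec["ts"].isoformat(sep=" "), rec["user"], rec["obj"], found))
    return report


if __name__ == "__main__":
    result = review(AUDIT_LOG)
    print(f"{result['events']} events, {result['unparsed']} unparseable")
    for ts, user, obj, found in result["flagged"]:
        print(ts, user, obj, ", ".join(found))
```

Three of the five records are flagged: a read of payroll data by someone not tasked to it, a modification at 23:47, and a modification of contract data by an unknown account from outside the LAN. Each flag is a lead for the ISSO to follow, not proof of wrongdoing; the value is that none of them would surface without both the audit trail and something to compare it against.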

Page 52:

THREAT / VULNERABILITY RELATIONSHIP

Sabotage (Threat)

Possible Vulnerabilities
- Disgruntled Employee(s)
- Activists / Protesters
- Inadequate Building Access Control

(Cartoon: "Hey man, this base is great! Not too many guards, and the shoreline and many buildings are open. This place is easy!" - "Alert our protest group, we're on tonight.")

Page 53:

SAFEGUARDS / COUNTERMEASURES

Any action, device, procedure, technique or other measure that reduces the vulnerability of a system.

Examples:

Security Operating Procedures

Fire/Smoke Alarms

Intrusion Detection System

Firewall

Awareness Training

Page 54:

IN CONCLUSION

(Cartoon: a signed SECURITY BRIEFING acknowledgement reading "I, John Walker, have received my annual Security Briefing")

Page 55:

COMMON STATEMENTS #1

"Aw come on, it's only a Personal Computer"

Page 56:

It's-Only-a-Personal-Computer Facts

But It Still Requires Safeguarding

- Many have more capacity and capabilities than some of the mainframes in our inventory.
- The only small features are their physical size, the cost, and their security features.

Page 57:

COMMON STATEMENTS #2

"WE HAVE TO TRUST OUR PEOPLE..."

(Cartoon: "Hi, I downloaded those programs from my PC like you wanted. I'm at my car getting ready to drive over now. See you soon." - "I see a computer, tell me the password so I can check it for you")

Page 58:

WE HAVE TO TRUST OUR PEOPLE

We like to think we can - but always remember to check on and report suspicious activities.

- Be on the lookout for people who you do not recognize in your environment.
- If you see persons without badges, challenge them.
- If you hear someone talking about things they shouldn't be, let them know. If they continue, report it.

Page 59:

COMMON STATEMENT #3

"We Only Process Unclassified On Our PC's....."

Page 60:

WE ONLY PROCESS UNCLASSIFIED ON OUR PC's....

However, if it's private information, it is considered SENSITIVE BUT UNCLASSIFIED and must be treated as such.

If your system is accredited for Unclassified, that is all that you're allowed to process. You must be accredited for classified processing in order to use your computer for classified work.

(Cartoon: a "Software Trouble Report" form)

Page 61:

OPEN DISCUSSION

Page 62:

Yeah, it really got to him!

Page 63:

SECURITY POP QUIZ

Page 64:

WHAT'S WRONG HERE?

(Picture; no caption text recoverable)

Page 65:

WHAT’S THE PROBLEM HERE??

P3D4Oh$

Page 66:

PASSWORD DON'TS:

- DO NOT USE ANY PERSONAL NAMES, NICKNAMES, PLACES, BIRTHDAYS, ETC. FOR YOUR PASSWORD.
- DO NOT USE ANYTHING THAT CAN BE TRACED BACK TO YOU (E.G. AUTO LICENSE NUMBER, BANK ACCOUNT NUMBERS, ANNIVERSARY DATE).
- DO NOT USE ANYTHING THAT HAS TO DO WITH YOUR PROFESSION (E.G. JOB TITLE, DEGREE, ETC.).
- DO NOT USE THE SAME PASSWORD FOR ALL SYSTEMS.

PASSWORD DO'S:

- USE CHARACTERS WITH NUMBERS AND PUNCTUATION.
- INTERSPERSE CAPITALS WITH LOWER CASE (EX: Aih4B/3).
- DO USE, IF POSSIBLE, AT LEAST SEVEN CHARACTERS IN YOUR PASSWORD.
- DO CHANGE YOUR PASSWORD REGULARLY.

**REMEMBER - IF YOU SUSPECT YOUR PASSWORD HAS BEEN COMPROMISED - REPORT IT IMMEDIATELY TO A SYSTEM ADMINISTRATOR.
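The do's and don'ts above as a checker, run against the "mreiter / mreiter" case from slide 45 and the slide's own example Aih4B/3. This is an added example and not part of the briefing. The user profile (name, birthday, licence plate, job title) is constructed, and the "same password on another system" check assumes the hashes recorded for the user's other accounts are available for comparison.

```python
# Added example, not from the slides: check a candidate password against the
# rules on slide 66. PROFILE is a constructed user (the userid is the one shown
# on slide 45); OTHER_SYSTEM_HASHES stands in for the user's other accounts.

import hashlib
import string

MIN_LENGTH = 7   # slide: at least seven characters if possible


def personal_terms(profile: dict) -> set:
    """Lower-cased fragments (3+ characters) of the user's own details: names,
    birthday, licence plate, job title, userid. None may appear in the password."""
    terms = set()
    for value in profile.values():
        text = str(value).lower()
        terms.add(text)
        terms.update(text.replace("-", " ").replace("/", " ").split())
    return {t for t in terms if len(t) >= 3}


def check_password(password: str, profile: dict, used_elsewhere=frozenset()) -> list:
    """Return the rules the password breaks; an empty list means it is acceptable."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not (any(c.isupper() for c in password) and any(c.islower() for c in password)):
        problems.append("needs both capitals and lower case")
    if not any(c.isdigit() for c in password):
        problems.append("needs a number")
    if not any(c in string.punctuation for c in password):
        problems.append("needs punctuation")
    lowered = password.lower()
    for term in sorted(personal_terms(profile)):
        if term in lowered:
            problems.append(f"contains personal detail '{term}'")
    # "Do not use the same password for all systems": compare against the hashes
    # recorded for the user's other accounts. SHA-256 keeps the example short; a
    # real password store would use a slow, salted password hash instead.
    if hashlib.sha256(password.encode()).hexdigest() in used_elsewhere:
        problems.append("already used on another system")
    return problems


# Constructed user; the userid matches slide 45, everything else is invented.
PROFILE = {"userid": "mreiter", "name": "Mike Reiter", "birthday": "1962-04-17",
           "plate": "XYZ-123", "title": "Systems Analyst"}
# Stand-in for the hashes held by the user's other systems (constructed).
OTHER_SYSTEM_HASHES = frozenset({hashlib.sha256(b"Aih4B/3").hexdigest()})


if __name__ == "__main__":
    for candidate in ("mreiter", "Reiter1962!", "Aih4B/3"):
        print(candidate, "->", check_password(candidate, PROFILE) or "OK")
    print("Aih4B/3 reused ->", check_password("Aih4B/3", PROFILE, OTHER_SYSTEM_HASHES))
```

"Reiter1962!" satisfies every composition rule and still fails, because it is built from the user's surname and birth year; that is the case the don'ts are aimed at and the one a pure length-and-character-class check misses.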

Page 67:

WHAT'S WRONG HERE?

(Picture labels: "SODA", "SODA", and a badge reading "Visitor - Escort Req'd")

Page 68:

Protect Your Equipment

- You should always try to protect your equipment from situations that can cause damage, i.e. extreme heat, smoke, a leaky roof, etc.
- Do not drink or eat around your equipment. Many keyboards have had to be replaced due to drinks being spilled. (If a computer system is on your desk, please keep any food or drink away from it.)
- When working on classified, protect your screen from unauthorized viewing.
- Virus prevention: install and run an anti-virus program often. Do not use any "foreign" magnetic media without running a virus scan on it first.

Page 69:

WHAT'S WRONG HERE?

(Cartoon: "Check out the neat software I brought in. My friend gave it to me. He got it at work. He said it hasn't got a virus on it, so we don't need to scan it." - "COOL, LET'S RUN IT!")

Page 70:

Copyrighted, Licensed or Proprietary Information / Downloading Files:

When downloading files from the Internet for use in official business, there are legal considerations, as well as concerns such as the introduction of viruses, bugs or other ill effects.

- Registration cannot be required with the understanding that it may be used for commercial purposes. In particular, the Government may not be later identified as a user of the s/w or otherwise presented as endorsing the program.
- S/W download must not obligate the Government to provide anything in return. In the case of beta software, there cannot be any requirement for the Government to submit an evaluation report in return for the download.
- Registration cannot be required with any expectation that the Government may later be obligated to purchase a copy of the s/w.
- Finally, where registration carries terms for nondisclosure and use of the s/w, the downloader must take care not to breach any of its terms. (For example, in situations where a program is found to be beneficial, the s/w may not be simply duplicated and distributed to others if registration is required from each individual user. On the other hand, if a program is found not to be of use, the downloader must take appropriate steps to remove and/or destroy the s/w.)

Page 71:

Copyrighted, Licensed or Proprietary Information / Downloading Files: (CONTINUED)

- All users who download files for PC access should have a virus scan run prior to usage.
- Remember to run a virus scan on disks and floppies received from outside our Department. Many viruses have been passed from Department to Department because no one ran a virus scan. If you need assistance contact the ISSO, or Asst. ISSO.
- And don't forget that use of LANs to domains outside is for Official Business Only. This is a monitored service, and any misuse is subject to disciplinary action or loss of access.

Page 72:

F I N I T O - It's Over - Fertig

(Please go back to work now. No running please, single file, no pushing or shoving. Yes, you may hold hands with the one behind you. Don't try to be the first one out if it requires pushing someone else out of your way. Take nothing but the knowledge with you, leave nothing but empty seats. Thank you very much. That's all I can say, so have a nice day.)