DCA Circular 310-P115-1

COMMUNICATIONS SECURITY

DDN Security Management Procedures for Host Administrators

VOLUME I

1. Purpose. This Circular is the first of two volumes describing security management procedures for the Defense Data Network (DDN). Volume I provides operational security guidance for the DDN and describes the Host Administrator's management responsibilities. It is based on a review of Government and industry documents on the DDN, local area networks, and computer security. Volume I establishes methods and procedures for detecting and reporting unauthorized activity. It describes the resources and tools available to the Host Administrator for investigating local incidents. Additionally, it discusses the procedures and tools needed for reporting network-related incidents to the DDN Network Security Officer (NSO). Volume II prescribes the policy for enforcing network operational security and describes the management responsibilities of the NSO. Volume II will receive limited distribution.

2. Applicability. This Circular applies to DCA Headquarters, DCA field activities, and Government and commercial activities using or managing the operation of the DDN.

3. Policy. DCA continually strives to improve its resources for providing a reasonable level of security for the DDN. These resources include the network access control system and its audit trail analysis capabilities for detecting unauthorized and illegal network activities. These detection and audit capabilities will be used to identify and prosecute unauthorized individuals who access or attempt to access databases or system software of host computers connected to the DDN. In addition, DCA has created the DDN Security Coordination Center (SCC) to gather information regarding DDN security problems and to disseminate problem definition, status, and resolution information under the direction of the NSO. These resources and tools alone are not sufficient.
Site personnel such as the Host Administrators need to assume an active role and assure their constituents and the DDN that they are providing a reasonable level of protection for the network and computing resources under their jurisdiction. Host Administrators are required to report suspicious activities to their network manager. Formal investigations of unauthorized or illegal activities occurring on the DDN must be coordinated with the DDN Network Security Officer. Individuals suspected of unauthorized access or use of host computers over the DDN will be subject to prosecution under Title 18 of the Federal Criminal Code.

4. Procedures. Chapters 4 and 5 describe the procedures for performing the security functions of the Host Administrator.

5. Responsibilities. Chapter 1 describes the responsibilities of the Host Administrator in performing the security functions.

6. Related Documents. The following documents are recommended reference materials to supplement this document.

a. DoD Directive 5200.28, Security Requirements for Automated Information Systems (AISs), dated 21 March 1988.

b. DCAI 630-230-19, Security Requirements for Automated Information Systems (draft), dated 18 October 1990.

c. Defense Data Network Subscriber Guide to Security Services 1986-1992 (includes the DDN Security Classification Guide at Appendix I).

d. Internet Site Security Policy Handbook (Internet Draft). This document can be obtained by contacting the Network Information Center (NIC), SRI International, 333 Ravenswood Ave., Menlo Park, CA 94025.

e. Computer Security Center (CSC-STD-002-85), Department of Defense Password Management Guideline, aka "The Green Book", dated 12 April 1985.

OPR: DODM
Distribution: B, J, Special

FOR THE DIRECTOR:

EDWARD J. HENDERSON, JR.
Colonel, USAF
Chief of Staff

CONTENTS

BASIC CIRCULAR                                        Paragraph

Purpose.................................................... 1
Applicability.............................................. 2
Policy..................................................... 3
Procedures................................................. 4
Responsibilities........................................... 5
Related Documents.......................................... 6
Illustrations
Glossary of Terms and Definitions

VOLUME I. DDN SECURITY MANAGEMENT PROCEDURES FOR HOST ADMINISTRATORS

Chapter                                               Paragraph

1. INTRODUCTION
   The DDN Security Resources.............................. 1
   Responsibilities of the Host Administrator.............. 2
   Responsibilities of Other Site Representatives.......... 3

2. THE DDN SECURITY PROBLEM
   General................................................. 1
   Attack Points........................................... 2
   Categories of Network Abusers........................... 3
   Common Penetration Techniques........................... 4
   Necessary Precautions................................... 5

3. NETWORK ACCESS SECURITY
   General................................................. 1
   TAC Access Control System (TACACS)...................... 2

4. OPERATIONAL SECURITY MANAGEMENT OF UNCLASSIFIED NETS
   General................................................. 1
   Access Vulnerability.................................... 2
   Risk Assessment......................................... 3
   Security Policies and Procedures........................ 4
   Education Program....................................... 5

5. OPERATIONAL SECURITY MANAGEMENT OF CLASSIFIED NETS
   General................................................. 1
   Limited Terminal Access Controls........................ 2
   Closed Community Characteristics........................ 3
   Security Awareness...................................... 4

6. DETECTION OF UNAUTHORIZED HOST ACCESS
   General................................................. 1
   Detection Training...................................... 2
   Logging Events.......................................... 3
   Peculiar Behavior....................................... 4
   Legal Recourse.......................................... 5
   Prosecution as a Deterrent.............................. 6
   Incident Reporting by Subscriber........................ 7
   Contacts................................................ 8
   What Information To Report.............................. 9
   Follow-up Information................................... 10

7.
TOOLS FOR INVESTIGATING INCIDENTS AT THE HOST LEVEL
   General................................................. 1
   Host System Logs........................................ 2
   Other Tools............................................. 3
   TACACS Reports.......................................... 4

8. SUMMARY
   Penetration Techniques.................................. 1
   Other Topics............................................ 2

ILLUSTRATIONS

Table
1  Vulnerability Analysis/Operations Management and Processing
2  Vulnerability Analysis/Communications
3  Vulnerability Analysis/Disasters
4  Vulnerability Analysis/Personnel
5  Vulnerability Analysis/Training
6  Vulnerability Analysis/People Errors and Omissions
7  Tabulation of Vulnerability Analysis/Self-Assessment Results

GLOSSARY OF TERMS AND DEFINITIONS

ADP      Automatic Data Processing.
CERT     Computer Emergency Response Team.
DCA      Defense Communications Agency.
DCS      Defense Communications System.
FBI      Federal Bureau of Investigation.
HOTLIST  A list of all TAC user identifications which have been stolen, have expired, or which otherwise have been compromised.
IPTO     Information Processing Techniques Office.
LAN      Local Area Network.
MILNET   Military Network.
NAURS    Network Auditing and Usage Reporting System.
NIC      Network Information Center.
NSO      Network Security Officer. Focal point for network-related operational security matters.
OSI      Office of Special Investigations.
SCC      DDN Security Coordination Center.
TAC      Terminal Access Controller. C/30 computer that connects end user terminals to the network and provides an interface to the DDN. In this document it also refers to a miniTAC, which serves the same function as a TAC.
TACACS   TAC Access Control System. A system that controls terminal access to the MILNET.
TACACS GUEST CARDS  A temporary TACACS card given to a user who does not have TACACS privileges but temporarily needs them. A guest TACACS card may also be given to an authorized new user who has not yet received a UID or password.
TAC CARD  A card authorizing the user TAC access to the MILNET.
TAC PORT  Point where an end user terminal or modem is connected to the TAC.
TASO     Terminal Area Security Officer. Responsible for enforcing all security requirements implemented by the NSO for remote terminal areas. Also responsible for ensuring that all countermeasures required to protect the remote areas are in place.
UID      User Identification.
WIN      WWMCCS Intercomputer Network.
WWMCCS   Worldwide Military Command and Control System.

CHAPTER 1. INTRODUCTION

1. The DDN Security Resources. This Circular is intended to provide Host Administrators with a set of security guidelines for operating on the Defense Data Network (DDN). It will assist you in maintaining the security of your local host computer site, as well as that of the overall DDN. It does not in any way supersede any current Service regulations or procedures governing the security of ADP facilities not related to the DDN. This Chapter defines your security responsibilities as a Host Administrator. You must have contact with certain offices to fulfill these responsibilities. The duties of these offices are discussed here to assist you in understanding their missions.

a. DDN NSO (Network Security Officer). The DDN NSO is the single point of contact for dealing with network-related operational security issues. The DDN NSO also implements applicable policies included in DCAI 630-230-19, Security Requirements for Automated Information Systems. The NSO recommends security policy affecting the DDN and is responsible for its general enforcement.
The NSO also works closely with Host Administrators to resolve network and related computer security problems and incidents affecting their sites.

b. Host Administrator. A Host Administrator is the person who has administrative responsibility for the policies, practices, and concerns of a host, or hosts, connected to the DDN, including responsibility for that host's DDN users. Specifically, the Host Administrator is responsible for the following activities:

(1) Assisting with network management by ensuring that network policies and procedures are observed by the users. Locally administering the TAC Access Control System (TACACS), ensuring that all of their host users have been authorized for DDN and TAC access and are registered in the NIC user registration database (WHOIS/NICNAME).

(2) Locally managing the network access control procedures and password system. Reporting network-related host break-ins and assisting with investigations as needed.

c. NSC (Node Site Coordinator). The NSC has physical control over hardware and software, and coordination responsibility for the DDN circuits and equipment located at the DDN node site.

d. NIC (Network Information Center). The NIC registers all users in the WHOIS/NICNAME database and operates the Network Auditing and Usage Reporting System (NAURS) computer system that produces the MILNET TACACS audit and incident reports. Call (800) 235-3155 for more information.

e. DDN SCC (Security Coordination Center). The SCC gathers information about DDN computer and network security incidents and works closely with the NSO to disseminate the information necessary to contain, control, and resolve these problems, mainly through the DDN Security Bulletins. The hotline number is (800) 235-3155.

f. CERT (Computer Emergency Response Team). The CERT gathers and distributes information about Internet security incidents. They work closely with the NSO and SCC on DDN-related security problems.
The hotline number is (412) 268-7090.

2. Responsibilities of the Host Administrator. Host Administrators have the overall responsibility to provide a reasonable level of protection to host sites from the possibility of network compromises. They must act as liaisons with the NSO, SCC, vendors, law enforcement bodies, and other appropriate agencies to resolve any outstanding security problems and prevent their future recurrence. They are responsible for the enforcement of DDN policy at their site. Because information acquisition and distribution is such a vital part of the responsibility of the Host Administrator, electronic mail is a basic tool supporting this function and should be used whenever possible. Not all Host Administrators have access to this valuable tool, but given its value, these sites are strongly encouraged to implement this capability.

3. Responsibilities of Other Site Representatives. There are several other levels of responsibility for the provision of security for the DDN. At the most basic level, the individual users should take the necessary precautions to minimize the chances that their accounts could be compromised. They bear the primary responsibility for the protection of their information. If users took this responsibility seriously and acted accordingly, the majority of computer incidents could not occur. System managers have the responsibility to maintain the resources and procedures that establish an environment for "safe" computing (e.g., implementing procedures for proper installation and testing of system software, adequate backups, and reasonable system monitoring). Vendors have the responsibility to notify their customers of problems with their software (especially problems which could compromise system security) and to distribute timely fixes.

CHAPTER 2. THE DDN SECURITY PROBLEM

1. General.

a.
A computer network is a telecommunications system primarily designed to allow a number of independent devices (i.e., host computers, workstations, terminals, or peripherals) to communicate with each other. Essentially, the DDN is a worldwide collection of computer networks. As the DDN expands its capabilities and resources, and as more constituents gain DDN access, the risk to the overall security of the information and data flowing in the network increases. Therefore, a major concern is that security problems will rise in response to this expansion. Additionally, the possibility of espionage activity also increases as the network gets larger.

b. On November 2, 1988, Robert Tappan Morris, Jr., drastically changed the attitude of network users and administrators regarding network and computer security problems. He unleashed his infamous Internet Worm, which afflicted over 6,000 MILNET and other Internet hosts. The incident caused a fair amount of panic because most of the sites were ill-prepared for intrusions on such a massive scale. It was only because of a miscalculation that the attack spread unrestrained and was noticed at all; as originally designed, Morris' Worm might have gone undetected at many sites. The main lesson to be learned from that incident is that everyone connected with the use of network and computing facilities must always take into account the vulnerability of network resources to compromise or attack.

2. Attack Points. The DDN security problem is defined as the accidental or intentional disclosure, destruction, or modification of information flowing through or accessed through the DDN. Potential points of attack include terminal-to-network interface connections, terminal-to-terminal interface connections, terminal-to-host interface connections, and the interfaces or circuits themselves.

3. Categories of Network Abusers. Identifying the security problem or threat is a key element in determining security risks.
Consider the fundamental characteristics of the threats to your assets before you worry about specific techniques (discussed in the following section). For example:

a. Unauthorized access by persons or programs, which amounts to the use of any network or computer resource without prior permission. Such unauthorized access may open the door to other security threats, including the use of your facility to access other sites on a network.

b. Disclosure or corruption of information. Depending on the sensitivity of the information, disclosure without modification may have the more damaging consequences, because the event can go unnoticed.

c. Denial of service, which prevents users from performing their work. An entire network may be made unusable by a rogue packet, by jamming, or by a disabled network component.

(The Morris Worm exhibited all three of these characteristics. If you have considered options to address these general characteristics, you may be well equipped to handle the variations of historic penetration strategies that may evolve in the future.)

4. Common Penetration Techniques. In evaluating the relationship between the security of your host computer and the DDN, you may wish to consider the following penetration techniques. These are methods that may be used to penetrate your computers; therefore, you must take precautions to prevent the success of these types of attacks. Several techniques exist to aid in gaining unauthorized access to computer system components. These techniques are closely associated with a system's vulnerabilities, so their successful application first requires identifying those vulnerabilities. By analyzing a system's protection mechanisms (or lack thereof), how they function, and their deficiencies, consideration can be given to how such mechanisms can be circumvented, nullified, or deceived.
Many of these techniques can be categorized by the types of activity they involve and the system vulnerabilities they exploit. A particular type of technique may be used to exploit more than one vulnerability, and a vulnerability may be exploited by more than one technique. Some techniques leave signatures (i.e., traces of their use); others do not. Such signatures, their detection, and their analysis are fundamental to threat monitoring and security auditing.

a. Browsing. An individual gains unauthorized access to a user's files by exploiting a weakness in the file access authorization mechanism of the operating system. "Browsing" requires knowledge of file names and the use of a program, and it characteristically includes the following operations:

(1) User's program A references a file not authorized for such use.

(2) The operating system does not check the activity and permits access.

(3) Program A gains access to the file, reads it, and formats it for printout, or deposits it into a local file under the penetrator's control.

Unauthorized system users (if they know all the file names in a system) can use this technique repeatedly to browse through all the files looking for classified or sensitive information. This is not generally possible, however, when files are protected by passwords.

b. Masquerading. Gaining unauthorized access to a system component by assuming the identity of another authorized user is called "masquerading". Success of this technique stems from a computer system having no means of establishing a user's identity other than through symbolic identifiers. The easiest method of masquerading is to obtain the password and other identifiers of an authorized user from some report or document that was carelessly left exposed. This situation is most likely to occur in installations that support remote terminals where no option exists to have such identifiers suppressed by the terminal during the SIGN-ON procedure.
Even when the terminal provides a suppression capability that overtypes such identifiers before or after they are printed, they can still possibly be discerned. A more sophisticated technique for gaining access to an authorized user's identifiers is to wiretap the terminal line and intercept the identifiers when they are transmitted in the clear over communication lines.

c. Scavenging. This penetration technique exploits the vulnerability of unerased residual data. Both primary and secondary storage media used for processing sensitive information may continue to retain that information after they have been released for reallocation to another use. The next user of that storage may then "scavenge" the information by reading the storage media before making any other use of it.

d. Unknown System-State Exploitation. This method takes advantage of certain conditions that occur after a partial or total system crash. For example, some user files may remain open without an "end-of-file" indication. When the system resumes operation, a user can then obtain unauthorized access to other files by reading past the point where that indication should have been.

e. Asynchronous Interrupt. This technique exploits system vulnerabilities arising from deficiencies in the interrupt management facilities of an operating system. If a processor suspends execution of a protection mechanism to process an interrupt and is then erroneously returned to a user program without completing the security check, the protection has been circumvented.

f. Spoofing. Spoofing exploits the inability of a system's remote terminal users to verify that, at any given time, they are actually communicating with the intended system rather than some masquerading system. This deception, also known as a "Mockingbird Attack," can be perpetrated by intercepting the terminal's communication lines and providing system-like responses to the user.
A variation of spoofing is the use of an application program to provide responses similar to the operating system's, so that the operator unknowingly provides the password to an application program and not to the operating system.

g. Trojan Horse. In this technique computer processing is covertly altered by either modifying existing program instructions or inserting new instructions. Once this has been accomplished, whenever the altered processes are used the perpetrator automatically benefits from unauthorized functions performed in addition to the routine output. This modification is usually done by hiding secret instructions in either the original source-code or the machine-code version of a lengthy program. An even harder to detect method would be to alter the operating system and utility programs so that they make only temporary changes in the target program as it is executing. The hardware version of the Trojan Horse technique is relatively rare. However, the replacement of valid microchips with slightly altered counterfeit chips is entirely possible and would be very hard to detect. In either the software or hardware Trojan Horse method, only someone with access to a program or the computer system could become a perpetrator.

h. Clandestine Machine Code Change. This technique is closely related to the Trojan Horse technique. This method allows system programmers to insert code into the system that creates trapdoors. At specific times, based on certain combinations, these trapdoors can be activated by a user from the user's program. Individuals who initially design the system, contract maintenance personnel who fix the system, or people who are able to gain access to the supervisory state also have this opportunity. The technique could be as simple as users stealing job card information on work that has already gone through the system. They then resubmit this information to the system on their own job card along with another program.
This particular job may have dealt with sensitive data, and therefore a security violation would have occurred.

5. Necessary Precautions. The aforementioned techniques are only a few of the ways that unauthorized access to or usage of your host computer system may be obtained. You must enforce proper access control on remote terminals to prevent unauthorized personnel from abusing unattended terminals used for input or data modification. You must also emphasize the physical protection of the terminal and the administration and control of password access and use. Terminal users must be instructed on the importance of protecting their user identification (UID)/password.

CHAPTER 3. NETWORK ACCESS SECURITY

1. General. Access control is the primary method of providing protection from unauthorized access into the DDN. There are two basic kinds of access control systems -- those that detect intrusion and those that stop an intruder from gaining access to the network. Both intrusion detection and network access control are functions of the TAC Access Control System (TACACS), which monitors terminal network access. The security of both the network and the connected hosts is greatly enhanced if the Host Administrator can provide local security systems which complement the TACACS. Possibilities include installing security systems which limit physical access to terminals connected to their hosts. Another weak link in the security chain is dial-up access and host-to-host connections (not under TACACS control). There is a great need to establish some manner of access control with auditing capabilities to cover these situations.

2. TAC Access Control System (TACACS). This section on TACACS is provided to inform you of the tracking capability that exists if your computer terminal is connected to a Terminal Access Controller (TAC). The information obtained by the TACACS will be quite useful in enforcing proper access control for those users entering the MILNET through TACs.
TACACS uses a login procedure to control access to MILNET. When a MILNET user attempts to open a connection to a host, the TAC prompts for the user's TAC user ID and access code. TACACS is automatically monitored; a variety of reports are available for use by the NSO.

a. User Registration. DCA's Data Network Operations Division establishes policy for the MILNET and administers the MILNET TAC access and control system through the Network Information Center (NIC). TACs are used on MILNET to provide controlled network access to most locations. The Host Administrator is responsible for registering all users of their hosts who have network access and who have been authorized for MILNET access through MILNET TACs. All of those users must be registered and given TAC access cards by the NIC. The access cards are valid for one year, at which time the TAC user must request a renewal from the Host Administrator. If a password is compromised, the UID/password can be invalidated (hotlisted).

b. Guest Accounts. A limited number of temporary guest cards are available for distribution by each Host Administrator on MILNET. These cards have a limited lifetime and are not for permanent use. They are for users without TACACS privileges who temporarily need network access, or for new users at startup time before they receive their own UID and password.

c. WHOIS/NICNAME Database. Every request to authorize a new TAC user or renew an existing TAC user must come from a MILNET Host Administrator. Information about authorized users is kept in the WHOIS/NICNAME database on a host at the NIC. Host Administrators can request information on authorized TAC users that are changed or deleted from the database. The WHOIS/NICNAME database can be accessed by anyone on the MILNET but can be changed only by operators at the NIC.

CHAPTER 4. OPERATIONAL SECURITY MANAGEMENT OF UNCLASSIFIED NETS

1. General.

a.
This Chapter provides operational guidance on security management of an unclassified network. Chapter 5 provides guidance for operating on a classified net. The potential exists for authorized and unauthorized users to conduct illegal activities on shared communications networks such as the DDN. Network abusers fall into three categories:

(1) A person sponsored and authorized on the DDN who engages in an unauthorized activity.

(2) A person accessing the network illegally.

(3) A person with access to a host system who need not log in through a TAC and engages in unauthorized activity.

b. While your individual databases may be unclassified, compiling large amounts of unclassified data may result in the creation of sensitive information. [SENSITIVE UNCLASSIFIED INFORMATION is defined as any information the loss, misuse, or unauthorized access to, or modification of which might adversely affect U.S. national interest, the conduct of DoD programs, or the privacy of DoD personnel (e.g., FOIA-exempt information and information whose distribution is limited by DoD Directive 5230.24).] Network security can only be as effective as the local Host Administrator/ADP system security officer's enforcement of strict access control procedures. Network security is a principal responsibility of Host Administrators.

c. You may wish to investigate additional authentication systems to protect local computing assets (e.g., smart cards, or Kerberos, developed at MIT, which is a collection of software used in a network to establish a user's claimed identity and to control access to a large number of interconnected workstations).

2. Access Vulnerability. Connection to the DDN will require a reevaluation of the risk assessment concerning the threat to and vulnerability of your host locations. Users accessing these hosts should be told what level of data security will be provided.
For example, do maintenance contracts exist with the system software vendors to fix defects that might otherwise compromise the resources? You should consider what level of sensitivity of data users should store on your systems. It would be unwise for users to store very sensitive information on a vulnerable system, whether the information is classified or not. It is also very important that your site does not seem to encourage penetration attempts through the use of a welcome banner as part of the host's login request response. The courts have given great leeway to intruder defendants who claimed that they were encouraged to browse by the banner. Additionally, your login challenge should not include information about the operating system; it helps a would-be abuser determine which penetration techniques would probably be most effective.

3. Risk Assessment. Risk assessment is a requirement of DCAI 630-230-19. A checklist providing guidelines for reevaluating the threat and vulnerability that result from connecting to the DDN has been included (see Tables 1-6, Vulnerability Analysis).

4. Security Policies and Procedures. This section covers many diverse aspects such as physical security and data security, authorizations, education, and training.

a. Physical Security. Physical security includes the facilities that house computers as well as remote computer terminals. Within security parameters established by the Host Administrator, work areas must be restricted with physical barriers, appropriate placement and storage of equipment and supplies, and universal wearing of identification badges, as applicable.

b. Authorization. Another crucial factor that must be considered in devising a security program is user authorization. Only people with a "need to know" and with a realization of proper precautions can be given access to sensitive or proprietary information or to ADP facilities.
The use of passwords and terminal access restrictions can provide extra security for highly sensitive information. Passwords can be used to reduce accidental or deliberate modification by authorized personnel by restricting access to their respective database files.

c. Data Security. Although it is not foolproof, the best known identification/authentication scheme is the use of passwords. The Host Administrator must assure that passwords are kept secret by their users. The Host Administrator must also assure that passwords are long enough to thwart exhaustive attack, that they are changed often, and that password files are adequately protected. (In the case of MILNET TAC users, the TACACS generates passwords with the proper attributes. The users are not given the option to create their own TAC passwords.) When creating passwords, the following restrictions should be observed. Failure to do so will result in passwords that could be found in a cracking dictionary, or otherwise easily discovered.

(1) Don't use words that can be found in a dictionary.

(2) Don't use traceable personal data.

(3) Don't allow users to create their own passwords.

(4) Change passwords frequently.

(5) Keep passwords private.

d. One-Time Passwords. [The following is excerpted from CSC-STD-002-85.] One-time passwords (i.e., those that are changed after each use) are useful when the password is not adequately protected from compromise during login (e.g., the communication line is suspected of being tapped). The difficult part of using one-time passwords is in the distribution of new passwords. If a one-time password is changed often because of frequent use, the distribution of new one-time passwords becomes a significant point of vulnerability. There are products on the market that generate such passwords through a cryptographic protocol between the destination host and a hand-held device the user can carry.

e. Failed Login Attempt Limits.
[The following is excerpted from CSC-STD-002-85.] In some instances, it may be desirable to count the number of unsuccessful login attempts for each user ID, and to base password expiration and user locking on the actual number of failed attempts. (Changing a password would reset the count for that user ID to zero.)

    f. Monitoring_Terminal_Use. The Host Administrator should also have some method of monitoring terminal use. A log-in sheet is a convenient way to provide an audit trail if the host has no automated access control and audit capability. This record should contain such information as login and logout times, purpose, project being worked on, project classification, and anything else deemed necessary by you as the Host Administrator. Additionally, the classification level at which the terminal may be used should be prominently displayed at the terminal location. You will need to work closely with the system manager to assure that host activities are monitored as well. This information will be extremely valuable in conjunction with TAC connections and will be the primary information for incidents where access originated from an external host and no network audit data is available.

    g. Terminal_Usage. You must also ensure that proper procedures are enforced when using computer terminals. The following points should be considered:

        (1) Automated login procedures that include the use of stored passwords should not be allowed.
        (2) Terminals logged onto the DDN network or to the host computer should not be left unattended.
        (3) Some form of access control for dial-up telephone connections, such as dial-back procedures, should be used. [Note: Dial-back is not acceptable on lines that may be subject to Call Forwarding.]
        (4) Unclassified sensitive information in printed form or in terminal display should be revealed on a "need to know" basis only.
        (5) Proper disposal of printed information (i.e., tearing, shredding, or otherwise obliterating such material) is mandatory.
        (6) Securing of terminals and access lines during non-business hours.
        (7) Securing of software programs and stored data during non-business hours.
        (8) Recording of equipment, custodians, serial numbers, and equipment locations to aid in identifying lost or stolen equipment.

    h. Electronic_Mail. Any electronic mail host administrator should have written procedures for users to follow in the event that any mail in the host is determined to be classified. The Host Administrator must be notified immediately to purge any backup files containing the classified mail, retrieve it from addressees and mail boxes, and remove it from the active data base. Such an event is an administrative security violation that must be reported to the offender's organization security officer immediately.

    i. Internal_Controls. Even the most sophisticated access control system is ineffective if an organization has weak internal controls. Case studies of commercial firms often describe abuses made by employees who have resigned from a company, but still have active user IDs and passwords. It is just as important for Military or DoD organizations to remove network access, as well as local host computer access, from anyone being transferred, retired, or otherwise leaving the organization. Changing (all of) the password(s) associated with a user's account(s) should be part of the local exit procedures. Every Host Administrator should have written procedures for retiring e-mail accounts. Consideration should also be given to establishing a procedure to reevaluate an individual's requirement to access the network when the person is transferred within the organization. It is the Host Administrator's responsibility to enact the following:

        (1) Procedures to remove an individual's access to the DDN upon that individual's departure.
        (2) If sponsoring a non-DOD organization's access to the DDN, procedures must be established to require a written agreement that the non-DOD organization will have an individual's access to the DDN removed upon that individual's departure.

    j. Encryption. Another method of securing data is encryption, a powerful method of protecting information transmitted between the host computer and remote terminals. It limits access to information stored in the computer's data base. An individual user not possessing the proper encryption key has little chance of gaining usable information from a computer protected in this manner.

5. Education_Program. Security training is a key element of a security program. Evaluating the risks within a DDN environment and implementing an active DDN security program requires properly trained personnel. An effective training program will provide both formal and informal instruction. Depending on the size and complexity of the ADP environment and the level of data being processed, the instruction will range from security awareness education for top-level management, to highly technical security training for DDN operations personnel. (See DCAI 630-230-19.)

    a. General_Information. Users of the host system should be provided with information regarding their computing and network environment and their responsibilities within that setting. Users should be made aware of the security problems associated with access to the systems via local and wide-area networks. They should be told how to properly manage their account and workstation. This includes explaining how to protect files stored on the system, and how to log out or lock the terminal/workstation. Policy on passwords must be emphasized. An especially important point that must be emphasized is that passwords are not to be shared.

    b. Specific_Topics. The training areas listed below must be taught at the appropriate administrative, management, and staff levels.
You must also implement testing plans to assure that personnel will know their responsibilities in emergency situations. Drills should be scheduled periodically to determine that the emergency procedures are adequate for the threat to be countered. The Host Administrator's security training program should include specifics in the following areas as applicable:

        (1) General security awareness.
        (2) User security.
        (3) Security administration.
        (4) Transition control and computer abuse.
        (5) Software security.
        (6) Telecommunications security.
        (7) Terminal/device security.
        (8) System design security.
        (9) Hardware security.
        (10) Physical security.
        (11) Personnel security.
        (12) Audit.
        (13) Data security.
        (14) Risk assessment.
        (15) Contingency/backup planning.
        (16) Disaster recovery.
        (17) Security accreditation.
        (18) Security test and evaluation (ST&E).
        (19) DDN security and contractor interface.
        (20) Common penetration techniques.

CHAPTER 5. OPERATIONAL SECURITY MANAGEMENT OF CLASSIFIED NETS

1. General. Unauthorized user activities obviously pose a greater threat to the classified nets. Since the classified communications nets are closed communities, classified hosts must maintain their own access control and audit system to detect and analyze problems. For specific details concerning security in the WIN Communications System (DSNET 1), refer to JCS Pub 6-03.7, Security_Policy_for_the_WWMCCS_Intercomputer_Network (Unclas), dated April 88. For specific details concerning security in the Sensitive Compartmented Information Network (DSNET 3), refer to the following documents: DIAM 50-3, Physical_Security_Standards_for_SCI_Facilities (FOUO); DIAM 50-4, Security_of_Compartmented_Computer_Operations (C), dated June 80; and DCID 1/16, Security_Policy_for_Uniform_Protection_of_Intelligence_Processed_in_Automated_Information_Systems_and_Networks (S), dated July 88.

2. Limited_Terminal_Access_Controls.
Terminal access controllers, when used on the classified subnetworks, are currently limited to controlling access into the network. The TACs do not collect and forward audit information of network activity to a central location for analysis, usage data collection, and processing as is done on the unclassified networks. The TAC Access Control System (TACACS), necessary for dial-in access, has not been implemented on the classified networks because there is no dial-in access. In the WIN Communications System, for example, TACs are not used; network access is controlled by the interconnected hosts. The WWMCCS Intercomputer Network (WIN) hosts also collect audit data of user activity at each host location.

3. Closed_Community_Characteristics. Most, if not all, of the guidance given in Chapter 4 is incorporated in creating a "closed" community. A major difference in access control of classified networks is that no dial-up access is allowed. Also, personnel having access to a facility will have, as a minimum, a system high clearance level for their site. There are multiple classification levels at some locations. The Host Administrator must take special precautions to ensure that the classification of passwords and the access authority of operating personnel are at or above the classification level of the operation being performed.

4. Security_Awareness. Because of the nature of classified systems and the greater threat that security infractions can cause, it is incumbent on the Host Administrator to assure that there exists sufficient exposure to security awareness and training. The listed training areas must be taught at the appropriate administrative, management, and staff levels. You must also implement testing plans to assure that personnel will know their responsibilities in emergency situations. The Host Administrator's security training program must include specifics in the following areas:

        (1) General security awareness.
        (2) User security.
        (3) Security administration.
        (4) Transition control and computer abuse.
        (5) Software security.
        (6) Telecommunication security.
        (7) Terminal/device security.
        (8) System design security.
        (9) Hardware security.
        (10) Physical security.
        (11) Personnel security.
        (12) Audit.
        (13) Data security.
        (14) Risk assessment.
        (15) Contingency/backup planning.
        (16) Disaster recovery.
        (17) Security accreditation.
        (18) Security test and evaluation (ST&E).
        (19) DDN security and contractor interface.
        (20) Most common penetration techniques.

CHAPTER 6. DETECTION OF UNAUTHORIZED HOST ACCESS

1. General. Because you, as the Host Administrator, are responsible for the security of the host computer, early detection of potential abuse will serve to prevent losses. Effective monitoring will also deter potential perpetrators from attempting to experiment with illegal schemes if the probability of detection is high. The following points provide guidance for the types of events you should look for to detect unauthorized activity:

    a. Unexplained use of disk space.
    b. Unknown files listed in the directory.
    c. Repeated failed attempts to access the host.
    d. Unusual log-in times.
    e. A file being accessed by someone who has no authorization to be in that file.
    f. Excessive time (hours) on line, or a pattern of unusually short access times (less than one minute).

2. Detection_Training. Detection of unauthorized activities at host locations is a responsibility shared by all personnel within the work place. The Host Administrator, however, may find it necessary to educate personnel on this point and delegate responsibilities. Apart from the measures taken to manage the security environment, Host Administrators must act with diligence regarding technical or quasi-technical areas affecting security.
For example, their responsibilities might include enforced cycling of password changes; compartmentalizing proprietary information away from the generally accessible system and limiting its accessibility to those with a bona fide "need-to-know"; monitoring access logs and maintaining audit trails to facilitate detection of unusual activity; and using security systems and services offered by their network systems and service providers.

3. Logging_Events. Illegal attempts to gain access into sensitive areas (i.e., trespassing or guessing at passwords in order to sign on or access files from remote terminals) should be logged and reviewed regularly. One effective means of detecting unauthorized activity is to display the last log-on time and date on the screen after the user has successfully logged onto the system. Statistics of access violations should be collected with regard to details of the particular terminals being abused and the files being accessed. The results should be reviewed by the NSO.

4. Peculiar_Behavior. If not typical of or appropriate for your organization, beware of unsupervised work, especially if a person regularly volunteers for overtime work and is allowed to stay on the premises unsupervised. Have two-man control procedures for sensitive information work. In addition, be advised that many computer crimes occur during holiday periods, or during times when host computers are experiencing low traffic. Pay particular attention to peculiar activities during these periods.

5. Legal_Recourse. Public Law 98-473, known as the "Counterfeit Access Device and Computer Fraud and Abuse Act of 1984," added Section 1030 to Title 18 United States Code on October 12, 1984. It was the first federal computer crime law that criminalized unauthorized access to classified national security information or information in certain financial records.
Additionally, it criminalized certain unauthorized accesses to computers operated on behalf of the Government.

6. Prosecution_as_a_Deterrent. When there is adequate evidence collected for conviction, the perpetrator should always be prosecuted. This action would serve as a serious warning to others contemplating making similar attempts and can be extremely effective as a deterrent. However, as recent world events have revealed, this really doesn't deter abuse adequately. Therefore, you must assure proper protection of your computer systems.

7. Incident_Reporting_by_Subscriber. The flow of security incident reporting should be from the end user to the Host Administrator, or other appropriate individual who determines if the problem is local or network related. If the problem is network related, the problem should be referred to the appropriate Network Manager/Security Officer. The Network Manager/Security Officer would contact the DDN NSO, if appropriate, for assistance in obtaining audit trail data from the NIC for MILNET. Depending on the seriousness of the incident, the DDN NSO would assure that the appropriate investigating agency was involved, and support requests for information for formal investigations.

8. Contacts. To correspond with the DDN NSO, use any one of the following methods of contact:

    a. Via network mail to: SCC@NIC.DDN.MIL or DCA-MMC@DCA-EMS.DCA.MIL
    b. Via U.S. mail to: HQ Defense Communications Agency, Code: DODM, Attn: DDN-NSO, Washington, DC 20305-2000
    c. Via commercial phone to: (800) 451-7413, or (800) 235-3155 for the SCC
    d. Via DSN/AUTOVON to: 312-222-2714/5726
    e. Via AUTODIN to: DCA WASHINGTON DC//DODM//
    f. Classified correspondence must be forwarded via AUTODIN or U.S. mail using procedures appropriate for its classification level.

9. What_Information_To_Report. Your incident reports must include certain minimal information to enable the DDN NSO to take action.
The DDN NSO requires a brief, unclassified description of the incident and the name, telephone number, and organization of the person reporting the incident. If the incident's occurrence is classified, the report and any classified discussions between the DDN NSO and officials at the affected organization must take place using secure modes of communication. The following is the minimum information necessary for an incident report:

    a. Date of report (Day-Month-Year, e.g., 01 Jan 87)
    b. Date and time period of incident(s) (Zulu time)
    c. Personal data of person reporting the incident:
        (1) Name
        (2) Telephone number
        (3) Organization
    d. Network involved (e.g., MILNET, DSNET 1, 2, or 3)
    e. Did unauthorized access come from the DDN, if known? (If not, refer reporting person to his/her Host Administrator.)
    f. Presumed classification of incident (i.e., Unclassified, Confidential, Secret, Top Secret, Top Secret/Sensitive Compartmented Information). [Note: Contact the DDN NSO should you have any questions concerning the level of classification of a particular incident.]
    g. Brief description of incident (Unclassified).

10. Follow-up_Information. Follow-up contact with Host Administrators might be required to obtain more detailed information that may not have been initially available. The DDN NSO would try to determine the following factors:

    a. Where the activity was initiated (i.e., at another host or specific TAC)
    b. What routines the intruder ran on the host system
    c. What files the intruder accessed on the host system
    d. What user identification log-in was used. For example, was there a password? Was the password the same as the log-in? Was the account password protected? Did the user change the password initially provided?

Security incidents that are discovered to be a local problem will be investigated at the Host Administrator level.

CHAPTER 7. TOOLS FOR INVESTIGATING INCIDENTS AT THE HOST LEVEL

1. General.
This Chapter will help you, the Host Administrator, with investigations of security incidents that are determined to be a local problem. The tools available for investigating network incidents are products of audit trail data collected in the TAC Access Control System (TACACS) for the unclassified networks and in the audit data collection systems of the individual hosts (if they exist) in both the classified and unclassified networks. The network traffic data collected by the network utilities at the community of interest monitoring centers is useful for network control and design purposes, but its use for network security investigative purposes is limited.

2. Host_System_Logs. The host system can provide a wealth of information that can complement the network data. Most operating systems automatically store numerous bits of information in log files. Examination of these log files on a regular basis is often the first line of defense in detecting unauthorized use of the system. Lists of currently logged in users and past login histories can be compared. Most users typically log in and out at roughly the same time each day. An account logged in outside the "normal" time for the account may be in use by an intruder. System logging facilities, such as the UNIX "syslog" utility, should be checked for unusual error messages from system software. For example, a large number of failed login attempts in a short period of time may indicate someone trying to guess passwords. Operating system commands which list currently executing processes can be used to detect users running programs they are not authorized to use, as well as to detect unauthorized programs which have been started by a cracker.

3. Other_Tools. The tools available for conducting an incident investigation on unclassified nets consist of the TACACS reports, provided to the DDN NSO, and the Host audit and log book, if used. Additionally, personnel may be interviewed to provide necessary insight.
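The log review described in paragraph 2 above, together with the per-user-ID failed-attempt count of Chapter 4, paragraph 4e (a password change resets the count) and the indicators of Chapter 6, paragraph 1 (repeated failed attempts, unusual log-in times, excessively long or unusually short sessions), as an added example. It is not part of this Circular or of any DDN software: the record format, the event names, the user IDs and origins in the sample records, the "normal hours" baseline, and every threshold are assumptions.

```python
"""Review of host login records for the indicators named in this Circular.
Added example, not part of DCAC 310-P115-1; the record format, accounts,
origins, normal-hours baseline and all thresholds below are assumptions."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records (not real data).  Assumed format, one event per
# line: "<UTC timestamp> <event> user=<user ID> src=<TAC or host of origin>".
SAMPLE_LOG = """\
1991-03-04T06:30:00Z LOGIN_OK user=ops src=console
1991-03-04T08:02:10Z LOGIN_OK user=jsmith src=tac-01
1991-03-04T17:01:44Z LOGOUT user=jsmith src=tac-01
1991-03-04T21:10:00Z LOGOUT user=ops src=console
1991-03-04T23:15:02Z LOGIN_FAIL user=ops src=host-x
1991-03-04T23:15:09Z LOGIN_FAIL user=ops src=host-x
1991-03-04T23:15:15Z LOGIN_FAIL user=ops src=host-x
1991-03-04T23:15:21Z LOGIN_FAIL user=ops src=host-x
1991-03-04T23:15:30Z LOGIN_FAIL user=ops src=host-x
1991-03-04T23:16:00Z LOGIN_OK user=ops src=host-x
1991-03-04T23:16:20Z LOGOUT user=ops src=host-x
1991-03-05T02:30:00Z LOGIN_OK user=jsmith src=host-y
1991-03-05T02:30:40Z LOGOUT user=jsmith src=host-y
1991-03-05T08:00:00Z LOGIN_FAIL user=jsmith src=tac-01
1991-03-05T08:00:10Z LOGIN_FAIL user=jsmith src=tac-01
1991-03-05T08:00:30Z LOGIN_OK user=jsmith src=tac-01
1991-03-05T08:00:45Z PASSWD_CHANGE user=jsmith src=tac-01
1991-03-05T08:05:00Z LOGOUT user=jsmith src=tac-01
1991-03-05T08:09:00Z LOGIN_FAIL user=jsmith src=tac-01
"""

# Assumed site thresholds.
LOCKOUT_LIMIT = 5                      # failed attempts per user ID before locking
BURST_COUNT = 3                        # this many failures from one origin ...
BURST_WINDOW = timedelta(seconds=60)   # ... within this window is a guessing burst
SHORT_SESSION = timedelta(minutes=1)   # "less than one minute" (Chapter 6, para 1f)
LONG_SESSION = timedelta(hours=12)     # assumed meaning of "excessive time (hours)"

# Assumed normal login hours per account, (start, end) in UTC, as would be
# derived from each account's past login history.
NORMAL_HOURS = {"jsmith": (8, 18), "ops": (6, 22)}


def parse_log(text):
    """Parse the assumed record format into event dicts, oldest first."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        stamp, event, user, src = line.split()
        events.append({
            "ts": datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ"),
            "event": event,
            "user": user.split("=", 1)[1],
            "src": src.split("=", 1)[1],
        })
    return sorted(events, key=lambda e: e["ts"])


def failed_login_review(events, limit=LOCKOUT_LIMIT):
    """Count failed attempts per user ID (a password change resets the count
    to zero), lock IDs that reach the limit, and report bursts of failures
    from one origin within a short period.  Returns (counts, locked, bursts)."""
    counts = defaultdict(int)
    locked = set()
    recent = defaultdict(list)     # (user, src) -> timestamps of recent failures
    bursts = []
    for e in events:
        if e["event"] == "PASSWD_CHANGE":
            counts[e["user"]] = 0
        elif e["event"] == "LOGIN_FAIL":
            counts[e["user"]] += 1
            if counts[e["user"]] >= limit:
                locked.add(e["user"])
            key = (e["user"], e["src"])
            window = [t for t in recent[key] if e["ts"] - t <= BURST_WINDOW]
            window.append(e["ts"])
            recent[key] = window
            if len(window) == BURST_COUNT:      # reported once per burst
                bursts.append((e["user"], e["src"], e["ts"]))
    return dict(counts), locked, bursts


def session_review(events, normal_hours=NORMAL_HOURS):
    """Pair each LOGIN_OK with the next LOGOUT for the same user ID and origin;
    flag logins outside the account's normal hours and sessions that are
    unusually short or unusually long."""
    open_sessions = {}
    findings = []
    for e in events:
        key = (e["user"], e["src"])
        if e["event"] == "LOGIN_OK":
            start, end = normal_hours.get(e["user"], (0, 24))
            if not start <= e["ts"].hour < end:
                findings.append(("off_hours_login", e["user"], e["src"], e["ts"]))
            open_sessions[key] = e["ts"]
        elif e["event"] == "LOGOUT" and key in open_sessions:
            length = e["ts"] - open_sessions.pop(key)
            if length < SHORT_SESSION:
                findings.append(("short_session", e["user"], e["src"], length))
            elif length > LONG_SESSION:
                findings.append(("long_session", e["user"], e["src"], length))
    return findings


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    counts, locked, bursts = failed_login_review(evs)
    print("failed-attempt counts:", counts, "locked:", sorted(locked))
    for user, src, when in bursts:
        print(f"guessing burst: {user} from {src} at {when:%Y-%m-%d %H:%MZ}")
    for kind, user, src, detail in session_review(evs):
        print(f"{kind}: {user} from {src} ({detail})")
```

On the sample records the review locks the "ops" ID after its fifth failure, reports the burst of failures from host-x, and flags the two off-hours logins that were each followed by a session shorter than one minute; the successful "ops" login immediately after the burst is the kind of event the Host Administrator would then look into by hand. A real host would feed this from its own login records rather than the constructed format used here.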
The tools available for conducting an investigation on classified nets include the Host audit, system logs, physical log book, and personnel as well. Additionally, the UID/password and the specific terminal will provide further useful information. No TACACS reports are available for the classified nets.

4. TACACS_Reports. TACACS incident reports are reviewed by the DDN NSO for unauthorized network activity. Other TACACS reports are available to the DDN NSO to help investigate illegal or unauthorized network activity. You, as the Host Administrator, can request investigative assistance from the DDN NSO to obtain TACACS audit data for MILNET. Assistance may also be requested by the Host Administrator to involve an investigating agency (e.g., FBI, OSI, NIS, MI, etc.).

CHAPTER 8. SUMMARY

1. Penetration_Techniques. This document has provided you, as Host Administrators, guidelines for securing your host computer locations. Security problems arise and espionage activity may increase as access to computers increases. Therefore, you must apply these instructions because you are ultimately responsible for the security of the DDN. This instruction has covered common penetration techniques you must guard against.

2. Other_Topics. The major items this document emphasizes are the following:

    a. Proper access control procedures
    b. Reevaluation of the risk assessment of your host site
    c. Security education training
    d. Detection of unauthorized or suspected unauthorized access
    e. Incident reporting
    f. Tools for local incident investigation
    g. Assistance from the DDN NSO for network incident investigations

TABLE 1: VULNERABILITY ANALYSIS

Operations Management and Processing
(Record a Response of Yes, No, or N/A against each item; a Comments column is provided for each item.)

     1. Has a systems security officer been appointed?
     2. Have procedures been developed defining who can access the computer facility, and how and when that access can occur?
     3. Have procedures been established to provide physical protection of local and remote terminal access equipment?
     4. Have procedures been established to provide physical protection of host computers?
     5. Is someone designated as a terminal area security officer?
     6. Have procedures been established to positively identify transactions occurring to and from remote locations?
     7. Have security procedures been established for the microcomputers which will communicate with the DDN?
     8. Have procedures been established for providing physical security over these microcomputers and the data processed by them?
     9. Have procedures been established to protect data within the custody of the microcomputer user?
    10. Have alternate means of processing been established in the event either the individual or the personal computer is lost?
    11. Is the security over the microcomputer environment regularly reviewed?
    12. Have the vendor installed passwords been changed?
    13. Does someone verify that all current passwords are different from a list of commonly used or vendor installed passwords?

TABLE 2: VULNERABILITY ANALYSIS

Communications
(Record a Response of Yes, No, or N/A against each item; a Comments column is provided for each item.)

     1. Is sensitive information transmitted over common carrier lines protected (e.g., through cryptography)?
     2. Can data being transmitted or processed be reconstructed in the event either main processing or remote processing loses integrity?
     3. Are processing actions restricted based on the point of origin or the individual making the request?
     4. Have procedures been established for providing host connection access control over remote terminals and on-site terminals?
     5. Is a log maintained of accesses to computer resources?
     6. Do non-employees have access to communications facilities (except where the system specifically is designed for those non-employees)?

TABLE 3: VULNERABILITY ANALYSIS

Disasters
(Record a Response of Yes, No, or N/A against each item; a Comments column is provided for each item.)

     1. Have the types of potential disasters been identified?
     2. Has equipment been provided to deal with minor disasters, such as fire and water damage?
     3. Have alternate processing arrangements been made in the event of a disaster?
     4. Have procedures been established to provide back-up equipment or automatic data processing (ADP) processing capabilities in event of loss of primary ADP resources?
     5. Have simulated disasters been conducted to ensure that disaster procedures work?
     6. Are critical programs and data retained in off-site storage locations?
     7. Have users been heavily involved in developing disaster plans for applications that affect their areas?

TABLE 4: VULNERABILITY ANALYSIS

Personnel
(Record a Response of Yes, No, or N/A against each item; a Comments column is provided for each item.)

     1. Are formal reports required for each reported instance of computer penetration?
     2. Are records maintained on the most common methods of computer penetration?
     3. Are records maintained on damage caused to computer equipment and facilities?
     4. Is one individual held accountable for each data processing resource?
     5. Does management understand threats posed by host connection to DDN?
     6. Is management evaluated on its ability to maintain a secure computer facility?
     7. Are the activities of any non-employees in the computer center monitored? Is an escort policy enforced?
     8. Are contractor personnel subject to the same security procedures as other non-employees?
     9. Are procedures installed to restrict personnel without a "need to know"?
    10. Have procedures been established to limit the damage, corruption, or destruction of data base information?
    11. Has a security incident report form been created?

TABLE 5: VULNERABILITY ANALYSIS

Training
(Record a Response of Yes, No, or N/A against each item; a Comments column is provided for each item.)

     1. Are employees instructed on how to deal with inquiries and requests originating from individuals without a "need to know"?
     2. Has an adequate training program been devised to ensure that employees are aware of the requirements to protect their equipment from unauthorized use or unauthorized purposes?
     3. Have personnel been advised on penalties of the Federal Computer Crime Law for unauthorized access to Government ADP systems?

TABLE 6: VULNERABILITY ANALYSIS

People Errors and Omissions
(Record a Response of Yes, No, or N/A against each item; a Comments column is provided for each item.)

     1. Are errors made by the computer department categorized by type and frequency, such as programming errors?
     2. Are records maintained on the frequency and type of errors incurred by users of data processing systems?
     3. Are users provided a summary of the frequency and types of user-caused errors identified by the application system?
     4. Are the losses associated with data processing errors quantified?
     5. Are records maintained on the frequency and type of problems occurring in operating systems?
     6. Are abnormal program terminations on computer software summarized by type and frequency so that appropriate action can be taken?
     7. Are personnel trained to recognize attempts to access their system by common penetration techniques?

TABLE 7: TABULATION OF VULNERABILITY ANALYSIS

Self-Assessment Results: How to Identify Vulnerabilities

Component                            | # of "No's" | Rank for Action | Comments
-------------------------------------+-------------+-----------------+----------
Operations Management and Processing |             |                 |
Communications                       |             |                 |
Disasters                            |             |                 |
Personnel                            |             |                 |
Training                             |             |                 |
People Errors and Omissions          |             |                 |