
Information Assurance (IA) is defined by the techniques and methods we use to protect and defend automated
information and information systems through risk management in order to provide reasonable levels of
availability, integrity, authentication, confidentiality, and non-repudiation.

The AIAP is described in AR 25-2, para. 1-4a.

The Army Information Assurance Program (AIAP) is a unified approach to protect unclassified, sensitive, or classified
information stored, processed, accessed, or transmitted by Army ISs, and is established to consolidate and focus
Army efforts in securing that information, including its associated systems and resources, to increase the level of trust
of this information and the originating source. The AIAP will secure Army ISs through IA requirements, and does not
extend access privileges to Special Access Programs (SAPs), classified, or compartmentalized data; neither does it
circumvent need-to-know requirements of the data or information transmitted.

The AIAP is designed to achieve the most effective and economical policy possible for all ISs using the risk
management approach for implementing security safeguards. To attain an acceptable level of risk, a combination of
staff and field actions is necessary to:

@ Develop local policy and guidance
@ Identify threats
@ Identify problems and resource requirements
@ Adequately plan for identified resource requirements

An operationally focused IA program requires the implementation of innovative approaches. Through the use of IA
best business practices (BBPs) the best ideas, concepts, and methodologies acquired from industry and Army
resources will be used to define specific standards, measures, practices, or procedures necessary to meet rapidly
changing technology (or IA requirements) in support of Army policy requirements. IA BBPs allow rapid transitional
implementation of IA initiatives to integrate technological or procedural changes as required by policy. BBPs are
located at https://informationassurance.us.army.mil.

The elements of the Defense in Depth (DiD) strategy focus on three areas: people, operations, and defense of the
environment (the latter of which encompasses the computing environment, networks, the enclave boundaries, and
supporting infrastructure).

The AIAP is not a stand-alone program, as it incorporates related functions from other standards and policies such as
operations security (OPSEC), communications security (COMSEC), transmission security (TRANSEC), information
security (INFOSEC), and physical security.

@ Respond to the Army's widespread use of Information Systems
@ Respond to increases in risk
@ Reduce security risks to acceptable levels
@ Comply with applicable laws and regulations (AR 25-2, Appendix A)
@ Implement a unified approach to protecting information
@ Consolidate and focus Army efforts
@ Assure operational continuity
@ Achieve the most effective and economical policy possible for all Information Systems

The AIAP applies to ISs, including but not limited to computers, processors, devices, or environments (operating in a
prototype, test bed, stand-alone, integrated, embedded, or networked configuration) that store, process, access, or
transmit data, including unclassified, sensitive (formerly known as sensitive but unclassified (SBU)), and classified
data, with or without handling codes and caveats. ISs used for telecommuting or similar initiatives; contractor-owned
or -operated ISs; ISs obtained with non-appropriated funds; automated tactical systems (ATSs); automated weapons
systems (AWSs); distributed computing environments (DCEs); and systems processing intelligence information are
required to adhere to the provisions of AR 25-2.

Managers of federal information systems are responsible for maintaining a practical level of familiarity and
compliance with appropriate legal requirements. It is important to note that laws and regulations do not customarily
provide detailed instructions for protecting computer-related assets. Instead, they specify broad, nonspecific solutions
for integrating information assurance activities into your automated information systems.

It is DoD policy that all national security information shall be classified, declassified, and safeguarded in accordance
with national-level policy issuances.

Declassification of information shall receive equal attention with classification to ensure that information remains
classified only as long as required by national security considerations.

The volume of classified national security information shall be reduced to the minimum necessary to meet operational
requirements.

An active security education and training program shall be established and maintained to ensure that DoD military
and civilian personnel who require access to classified national security information in the conduct of official business
are familiar with their responsibilities for protecting such information from unauthorized disclosure.

This directive applies to the Office of the Secretary of Defense, the Military Departments, the Chairman of the Joint
Chiefs of Staff, the Combatant Commands, Inspector General of the Department of Defense, the Defense Agencies,
the DoD Field Activities, and all other organizational entities within the Department of Defense.

It is DoD policy that the objective of the personnel security program is that military, civilian, and contractor personnel
assigned to and retained in sensitive positions, in which they could potentially damage national security, are and
remain reliable and trustworthy, and there is no reasonable basis for doubting their allegiance to the United States.

No person shall be deemed to be eligible for access to classified information unless such access is clearly consistent
with the interests of national security. Eligibility for access shall not be granted merely by reason of the following:

@ Federal service or contracting
@ Licensee
@ Certificate holder
@ Grantee status
@ Right of privilege
@ A result of any particular title, rank, position, or affiliation

This directive applies to the Office of the Secretary of Defense, the Military Departments, the Chairman of the Joint
Chiefs of Staff, the Combatant Commands, Inspector General of the Department of Defense, the Defense Agencies,
the DoD Field Activities, and all other organizational entities within the Department of Defense.

It also applies to all DoD civilian personnel, members of the Armed Forces, contractor personnel, and other personnel
affiliated with the Department of Defense.

It is DoD policy that known or suspected instances of unauthorized public disclosure of classified information shall be
reported promptly and investigated to decide:

@ The nature and circumstances of the disclosure
@ The extent of damage to national security
@ The corrective and disciplinary action to be taken

This directive applies to the Office of the Secretary of Defense, the Military Departments, the Chairman of the Joint
Chiefs of Staff, the Combatant Commands, Inspector General of the Department of Defense, the Defense Agencies,
the DoD Field Activities, and all other organizational entities within the Department of Defense.

This directive shall be made applicable to DoD contractors through appropriate contract clauses.


This directive establishes policy and assigns responsibilities for the security and policy review and clearance of
official DoD information proposed for official public release by the Department of Defense and its employees.

Any official DoD information intended for public release that pertains to military matters, national security issues, or
subjects of significant concern to the Department of Defense shall be reviewed for clearance by appropriate security
review and public affairs offices prior to release.

This directive applies to the Office of the Secretary of Defense, the Military Departments, the Chairman of the Joint
Chiefs of Staff, the Combatant Commands, Inspector General of the Department of Defense, the Defense Agencies,
the DoD Field Activities, and all other organizational entities within the Department of Defense.

This directive also applies to all DoD employees.


Establishes policy and assigns responsibility for GIG configuration management, architecture, and the relationships
with the Intelligence Community (IC) and defense intelligence components.

The GIG shall support all DoD missions with information technology for national security systems, joint operations,
joint task force, and/or combined task force commands that offers the most effective, efficient, and assured
information handling capabilities available, consistent with national military strategy, operational requirements, and
best-value enterprise-level business practices.

This directive applies to the Office of the Secretary of Defense, the Military Departments, the Chairman of the Joint
Chiefs of Staff, the Combatant Commands, Inspector General of the Department of Defense, the Defense Agencies,
the DoD Field Activities, and all other organizational entities within the Department of Defense.

This directive also applies to information technology and its operation by the DoD intelligence agencies, the service
intelligence elements and the other intelligence activities engaged in direct support of defense missions.

This directive establishes policy and assigns responsibilities for the use of commercial wireless devices, services, and
technologies in the DoD Global Information Grid (GIG).

Directs the development and use of a Knowledge Management (KM) process to promote the sharing of wireless
technology capabilities, vulnerabilities, and vulnerability mitigation strategies throughout the Department of Defense.

Promotes joint interoperability using open standards throughout the Department of Defense of commercial wireless
service, devices, and technological implementations.

This directive applies to the Office of the Secretary of Defense, the Military Departments, the Chairman of the Joint
Chiefs of Staff, the Combatant Commands, Inspector General of the Department of Defense, the Defense Agencies,
the DoD Field Activities, and all other organizational entities within the Department of Defense.

This directive also applies to all DoD personnel, contractors, and visitors that enter DoD facilities or that have access
to DoD information. It applies to all commercial wireless devices, services, and technologies, including voice and data
capabilities, that operate either as part of the DoD GIG or as part of DoD non-GIG stand-alone information
technology systems.

This includes:

@ Commercial wireless networks
@ Portable Electronic Devices (PED) such as laptop computers with wireless capabilities
@ Cellular/Personal Communication System (PCS) devices
@ Audio/Video recording devices
@ Scanning devices
@ Remote sensors
@ Messaging devices
@ Personal Digital Assistants (PDA)
@ Any other commercial wireless devices capable of storing, processing, or transmitting information

These directives establish policy and assign responsibilities to achieve Department of Defense (DoD) Information
Assurance through a defense-in-depth approach that integrates the capabilities of personnel, operations, and
technology, and supports the evolution to network-centric warfare.

They implement policy, assign responsibilities, and prescribe procedures for applying integrated, layered protection of
the DoD information systems and networks. They provide end-to-end protection of DoD information and defend DoD
information systems and computer networks from unauthorized or malicious activity.

They also provide Information Assurance (IA) situational awareness and Command and Control (C2), improve IA
processes through integration and create an empowered IA workforce.

The documents that make up this series are as follows:

@ DoD Directive 8500.1E - Information Assurance (IA)
@ DoD Directive 8500.2 - Information Assurance (IA) Implementation
@ DoD Instruction 8510.01 - DoD Information Assurance Certification and Accreditation Process (DIACAP)
@ DoD Instruction 5200.01 - DoD Information Security Program and Protection of Sensitive Compartmented
Information (SCI)
@ DoD Instruction 8520.2 - Public Key Infrastructure (PKI) and Public Key (PK) Enabling
@ DoD Directive 8521.01E - Department of Defense Biometrics
@ DoD Instruction 8523.01 - Communications Security (COMSEC)
@ DoD Directive O-8530.1 - Computer Network Defense (CND)
@ DoD Directive 8530.1-M - Department of Defense Computer Network Defense (CND) Service Provider
Certification and Accreditation Process
@ DoD Instruction O-8530.2 - Support to Computer Network Defense (CND)
@ DoD Directive 8551.1 - Ports, Protocols, and Service Management (PPSM)
@ DoD Instruction 8552.01 - Use of Mobile Code Technologies in DoD Information Systems
@ DoD Instruction 8560.01 - Communications Security (COMSEC) Monitoring and Information Assurance (IA)
Readiness Testing
@ DoD Directive 8570.1 - Information Assurance Training, Certification, and Workforce Management
@ DoD Instruction 8580.1 - Information Assurance (IA) in the Defense Acquisition System
@ DoD Directive 8581.1 - Information Assurance (IA) Policy for Space Systems Used by the Department of
Defense


All DoD-owned or -controlled information systems that receive, process, store, display or transmit DoD information,
regardless of mission assurance category, classification or sensitivity, including but not limited to the following:

@ DoD information systems that support special environments including Special Access Programs (SAP) and
Special Access Requirements (SAR), as supplemented by the special needs of the program
@ Platform IT interconnections including weapons systems, sensors, medical technologies and utility
distribution systems to external networks
@ Information systems under contract to the Department of Defense
@ Outsourced information-based processes such as those supporting e-Business or e-Commerce processes
@ Information systems of Non-appropriated Fund Instrumentalities
@ Stand-alone information systems
@ Mobile computing devices such as laptops, handhelds, and personal digital assistants operating in wired or
wireless mode, and other information technologies as may be developed

DoD has defined three mission assurance categories:

@ MAC I: High Integrity, High Availability, for DoD information systems handling information that is determined
to be vital to the operational readiness or mission effectiveness of deployed and contingency forces in terms
of both content and timeliness
@ MAC II: High Integrity, Medium Availability, for DoD information systems handling information that is
important to the support of deployed and contingency forces
@ MAC III: Basic Integrity, Basic Availability, for DoD information systems handling information that is
necessary for the conduct of day-to-day business, but does not materially affect support to deployed or
contingency forces in the short term

A mission assurance category is always paired with an independent level of confidentiality.

DoD has also defined three levels of confidentiality:

@ High Confidentiality for systems processing classified information
@ Medium Confidentiality for systems processing sensitive information as defined in DoD Directive 8500.1
@ Basic Confidentiality for systems processing public information as defined in DoD Directive 8500.1

This directive applies to the following:


The Office of the Secretary of Defense, the Military Departments, the Chairman of the Joint Chiefs of Staff, the
Combatant Commands, the Inspector General of the Department of Defense, the Defense Agencies, the DoD Field
Activities, and all other organizational entities within the Department of Defense.


Implements policy, assigns responsibilities, and prescribes procedures for applying integrated, layered protection for
DoD information systems and networks.

The following enclosures discuss the implementation of this program:

Enclosure 3 ± Information Assurance (IA) Program Implementation

The Department of Defense has a crucial responsibility to protect and defend its information and supporting
information technology. Information is shared across a Global Information Grid (GIG) that is inherently
vulnerable to exploitation and denial of service. Other issues discussed in this enclosure are:

@ The Defense IA Program: Focused on the establishment and promulgation of IA standards, the
development, analysis, and exchange of IA management information; and the coordination of
issues and decisions that have community of Defense-wide impact.
@ Elements of a DoD Component Program: Adequate security of information and supporting IT
assets is a fundamental management responsibility. Each component shall implement and maintain
a program to adequately secure its information and IT assets.
@ Elements of a DoD Information System IA Program: The foundation level of the DoD IA
management structure is composed of IA programs at the individual information system.

Enclosure 4 ± Baseline Information Assurance Levels

This establishes a baseline level of information assurance for all DoD information systems through the
assignment of specific IA controls to each system. Assignments are made according to the Mission
Assurance Category (MAC) and confidentiality level.

This enclosure has five (5) attachments that describe the implementation of the MAC and confidentiality,
integrity, and availability levels.

This directive applies to the Office of the Secretary of Defense, the Military Departments, the Chairman of the Joint
Chiefs of Staff, the Combatant Commands, Inspector General of the Department of Defense, the Defense Agencies,
the DoD Field Activities, and all other organizational entities within the Department of Defense.


Cancels DoD Instruction (DoDI) 5200.40; DoD 8510.1-M; and ASD(NII)/DoD CIO memorandum, "Interim Department
of Defense (DoD) Information Assurance (IA) Certification and Accreditation (C&A) Process Guidance".

Establishes or continues the following positions, panels, and working groups to implement the DIACAP: the Senior
Information Assurance Officer (SIAO), the Principal Accrediting Authority (PAA), the Defense Information Systems
Network (DISN)/Global Information Grid (GIG) Flag Panel, the IA Senior Leadership (IASL), the Defense (previously
DISN) IA Security Accreditation Working Group (DSAWG), and the DIACAP Technical Advisory Group (TAG).
Establishes a C&A process to manage the implementation of IA capabilities and services and provide visibility of
accreditation decisions regarding the operation of DoD ISs, including core enterprise services- and Web services-
based software systems and applications.

Prescribes the DIACAP to satisfy the requirements of Reference (a) and requires the Department of Defense to meet
or exceed the standards required by the Office of Management and Budget (OMB) and the Secretary of Commerce,
pursuant to Reference (a) and section 11331 of title 40, United States Code.

This Instruction applies to the following:

@ Office of the Secretary of Defense (OSD), the Military Departments, the Office of the Chairman of the Joint
Chiefs of Staff, the Combatant Commands, the Office of the Inspector General (IG) of the Department of
Defense, the Defense Agencies, the DoD Field Activities, and all other organizational entities within the
Department of Defense (hereafter referred to collectively as the "DoD Components").
@ DoD-owned ISs and DoD-controlled ISs operated by a contractor or other entity on behalf of the Department
of Defense that receive, process, store, display, or transmit DoD information, regardless of classification or
sensitivity, consistent with DoD Directive 8500.01E, "Information Assurance (IA)".
@ Nothing in this Instruction shall alter or supersede the existing authorities and policies of the Director of
National Intelligence regarding the protection of Sensitive Compartmented Information (SCI) and special
access programs for intelligence as directed by Executive Order 12333 (Reference (i)) and other laws and
regulations. The application of the provisions and procedures of this Instruction to SCI or other intelligence
ISs is encouraged where they may complement or discuss areas not otherwise specifically addressed.


This directive establishes the Computer Network Defense (CND) policy, definition, and responsibilities necessary to
provide the essential structure and support to the Commander in Chief, U. S. Space Command (USCINCSPACE) for
CND within the Department of Defense information systems and computer networks.

To implement this program, DoD Directive 8530.1-M, Department of Defense Computer Network Defense (CND)
Service Provider Certification and Accreditation Process Program Manual, is also required.


This instruction implements policy, assigns responsibilities, and prescribes procedures necessary to provide the
essential structure and support to the U.S. Space Command (USCINCSPACE) for Computer Network Defense
(CND) within the Department of Defense information systems and computer networks.

This directive applies to the Office of the Secretary of Defense, the Military Departments, the Chairman of the Joint
Chiefs of Staff, the Combatant Commands, Inspector General of the Department of Defense, the Defense Agencies,
the DoD Field Activities, and all other organizational entities within the Department of Defense.

The following are key enclosures in this instruction:

@ Computer Network Defense (CND) Concept: Provides a general overview of the DoD
operational capability in Computer Network Defense and its relationship to national initiatives by identifying
existing and proposed processes, activities and organizations, and describing CND, the strategic
environment, and the CND operational hierarchy.
@ Computer Network Defense (CND) Services: CND services are a standard, certified,
continuously measured suite of services that are organized along the Protect, Monitor, Analyze and Detect,
and Respond paradigm.
@ Computer Network Defense (CND) Support Functions: CND support functions assist in
managing special services and capabilities under development within the CND community. The support
functions aid in the administration, program management, and oversight of CND capabilities on a Defense-
wide basis.


This instruction implements policy on using ports, protocols, and services in DoD information systems in a manner
that supports the evolution to net-centric operations.

This directive applies to the following:

@ Office of the Secretary of Defense, the Military Departments, the Chairman of the Joint Chiefs of Staff, the
Combatant Commands, Inspector General of the Department of Defense, the Defense Agencies, the DoD
Field Activities, and all other organizational entities within the Department of Defense.
@ All existing, new, and planned DoD information systems with ports, protocols, and services that are visible to
DoD managed network components.


This directive provides guidance and procedures for the training, certification, and workforce management of the DoD
Information Assurance workforce. It also provides information and guidance on reporting metrics.

To implement this directive, you will need DoD Directive 8570.1-M, Information Assurance Workforce Improvement
Program. It provides guidance and procedures for the training, certification, and management of the DoD workforce
conducting Information Assurance functions in assigned duty positions. This manual has the following nine (9)
chapters:

@ General Information
@ IA Workforce Structure Overview
@ IA Workforce Technical Category
@ IA Workforce Management Category
@ Designated Approving Authority (DAA) Requirements
@ Authorized User Minimum IA Orientation and Awareness Requirements
@ IA Workforce Identification, Tracking, and Assignment
@ IA Workforce Management Reporting and Metrics
@ IA Workforce Implementation Requirements

This directive applies to the following:

@ Office of the Secretary of Defense, the Military Departments, the Chairman of the Joint Chiefs of Staff, the
Combatant Commands, Inspector General of the Department of Defense, the Defense Agencies, the DoD
Field Activities, and all other organizational entities within the Department of Defense.
@ Contracts for personnel providing IA functional services for DoD information systems via appropriate
Defense Federal Acquisition Regulation Supplement (DFARS) clauses.


This instruction implements policy, assigns responsibilities, and prescribes procedures necessary to integrate
information assurance (IA) into the Defense Acquisition System.

Describes required and recommended levels of IA activities relative to the acquisition of systems and services.

Describes the essential elements of an acquisition IA strategy, its applicability, and prescribes an acquisition IA
strategy submission and review process.

This directive applies to the following:

@ Office of the Secretary of Defense, the Military Departments, the Chairman of the Joint Chiefs of Staff, the
Combatant Commands, Inspector General of the Department of Defense, the Defense Agencies, the DoD
Field Activities, and all other organizational entities within the Department of Defense.
@ All acquisitions of automated information systems (AIS), outsourced information technology (IT)-based
processes, and platforms or weapon systems with IT interconnections to the Global Information Grid
(GIG).


This directive implements the requirements by establishing Information Assurance (IA) policy and assigning IA
responsibilities for all DoD space systems and supplements IA policy and requirements contained in DoD Directive
8500.2.

This Directive applies to:

@ The Office of the Secretary of Defense, the Military Departments, the Chairman of the Joint Chiefs of Staff,
the Combatant Commands, the Office of the Inspector General of the Department of Defense, the Defense
Agencies, the DoD Field Activities, and all other organizational entities in the Department of Defense.
@ All types of DoD-owned or controlled space systems, and the components thereof, that collect, generate,
process, store, display, transmit, or receive national security or DoD sensitive information (e.g., launch
vehicles, satellites, payloads, launch and test ranges, satellite and network operation centers, and user
equipment).
@ Commercial (domestic and foreign), U.S. civil, or foreign government-owned (i.e., those not owned or
controlled by the Department of Defense) space systems, components, or services used by the Department
of Defense to collect, generate, process, store, display, transmit, or receive national security or DoD
sensitive information.
@ Interfaces between space systems covered by this Directive and external systems when it is determined that
the architecture of the space system does not provide for adequate protection against potential threats from
interconnected, external systems.


This memorandum reiterates current policy and provides additional guidance on the acquisition, use, and
development of OSS within DoD.

OSS refers to software that is copyrighted and distributed under a license that provides everyone the right to use,
modify, and redistribute the source code of software. Certain restrictive open source licenses allow users to copy,
modify, and distribute software provided that modified versions are subject to the same license terms and conditions
as the original code.

DoD components acquiring, using, or developing OSS must ensure that the OSS complies with the same DoD
policies that govern Commercial off the Shelf (COTS) and Government off the Shelf (GOTS) software.

DoD components are directed to ensure that all PII not explicitly cleared for public release is protected according to
Confidentiality Level Sensitive, as established in DoD Directive 8500.2. Additionally, all DoD information and data
owners shall conduct risk assessments of compilations of PII and identify those needing more stringent protection for
remote access or mobile computing. The attachment provides detailed implementation guidance.

This policy applies to:

The Office of the Secretary of Defense (OSD), the Military Departments, the Chairman of the Joint Chiefs of Staff
(CJCS), the Combatant Commands, the Inspector General of the Department of Defense, the Defense Agencies, the
DoD Field Activities, and all other organizational entities within the Department of Defense.

All DoD-owned or controlled information systems that receive, process, store, display or transmit DoD information,
throughout the entire system life cycle (SLC) and regardless of classification or sensitivity.


The Office of Management and Budget and DoD issued policy on privacy and data collection activities at Government
web sites. That policy prohibits the use of web technology to collect identifying information to build profiles on
individuals, and prohibits the use of persistent cookies unless certain conditions are met, including obtaining the
personal approval of the head of the agency.

Examples of the information-gathering technology are:

@ Persistent cookies
@ Third-party cookies
@ Web bugs

Policy requires the display of a privacy notice at principal web sites and locations where substantial personal
information is collected from visitors. A privacy notice should inform visitors that the web site is public information and
uses software programs to monitor for prohibited activities. In addition, the privacy statement should provide a point
of contact for the web site.



STIGs and NSA guides are the configuration standards for DoD IA and IA-enabled devices and systems. They are
currently being implemented throughout the government and by numerous entities as a security baseline for their
systems.

STIGs are checklists of settings and option selections that minimize the security risks associated with each
computer hardware and software product likely to become widely used within the Federal Government. The most
up-to-date STIGs can be found on the DISA website.

NSA guides cover proprietary and open source hardware and software. NSA's work to enhance the security of
software is motivated by one simple consideration: to use its resources as efficiently as possible to give customers
the best possible security options in the most widely employed products. These guides can be found on the NSA
website.

 


In January 1996, the United States, United Kingdom, Germany, France, Canada, and the Netherlands released a
jointly developed evaluation standard for a multinational marketplace. This standard is known as the Common Criteria
for Information Technology Security Evaluation (CCITSE) now referred to as the Common Criteria (CC).

The Common Criteria is an international set of standards developed to provide a level of standardization for
Information Technology, thus providing a unified baseline. It is used to find requirements for security features that
match specific risk assessments and that have ratings for those specific features. It is also used to publish security
requirements so that vendors can design products that meet those standards.

@ CCITSE is a multinational effort to write a successor to the Trusted Computer System Evaluation Criteria
(TCSEC) and Information Technology Security Evaluation Criteria (ITSEC) that combines the best aspects
of both.
@ TCSEC is a collection of criteria that was previously used to grade or rate the security offered by a computer
system product and was known as the Orange Book of the DoD Rainbow Series.
@ ITSEC is a European-developed set of criteria. Its aim is to demonstrate conformance of a product or system,
referred to as a Target of Evaluation (TOE), against its security target.

More information on the Common Criteria can be found by going to the National Institute of Standards and
Technology (NIST) or DISA website at http://www.nist.gov or http://www.disa.mil.

HIPAA

These standards require measures to be taken to secure health information while in the custody of entities covered
by HIPAA as well as in transit between covered entities and from covered entities to others.

All health care providers must ensure that the confidentiality, integrity, and availability of the electronic protected
health information they collect, maintain, use, or transmit is protected.


Essentially, this means that unless you have the permission of either party involved in a communication in any form,
or you are a law enforcement officer with the express permission of an authorized court (this means a court order or
search warrant), you are not permitted to intercept any communication regardless of how it was transmitted.

On the basis of its own investigations and of published studies, the Congress makes the following findings:

@ Wire communications are normally conducted through the use of facilities which form part of an interstate
network. The same facilities are used for interstate and intrastate communications. There has been
extensive wiretapping carried on without legal sanctions, and without the consent of any of the parties to the
conversation. Electronic, mechanical, and other intercepting devices are being used to overhear oral
conversations made in private, without the consent of any of the parties to such communications. The
contents of these communications and evidence derived therefrom are being used by public and private
parties as evidence in court and administrative proceedings and by persons whose activities affect interstate
commerce. The possession, manufacture, distribution, advertising, and use of these devices are facilitated
by interstate commerce.

@ In order to protect effectively the privacy of wire and oral communications, to protect the integrity of court
and administrative proceedings, and to prevent the obstruction of interstate commerce, it is necessary for
Congress to define on a uniform basis the circumstances and conditions under which the interception of wire
and oral communications may be authorized, to prohibit any unauthorized interception of such
communications, and the use of the contents thereof in evidence in courts and administrative proceedings.

@ Organized criminals make extensive use of wire and oral communications in their criminal activities. The
interception of such communications to obtain evidence of the commission of crimes or to prevent their
commission is an indispensable aid to law enforcement and the administration of justice.

@ To safeguard the privacy of innocent persons, the interception of wire or oral communications where none of
the parties to the communication has consented to the interception should be allowed only when authorized
by a court of competent jurisdiction and should remain under the control and supervision of the authorizing
court. Interception of wire and oral communications should further be limited to certain major types of
offenses and specific categories of crime with assurances that the interception is justified and that the
information obtained thereby will not be misused.


The original act was very narrow in defining what a computer crime was. The act covered only:

@ Classified defense or foreign relations information
@ Records of financial institutions or credit reporting agencies
@ Government computers

Unauthorized access, or access in excess of authorization, became a felony for classified information and a
misdemeanor for financial information; it also became a misdemeanor to access a government computer with or
without authorization should the government's use of the computer be affected.


The act states that the security and privacy of federal computer systems are in the public interest. It gives NIST the
computer security mission, including the development of standards. The act requires that each U.S. federal agency
provide its employees with training in computer security awareness and practice and set up a security plan for each
of its systems.

The Privacy Act

The Privacy Act means that it is illegal for any U.S. Government agency to release information that it has acquired
about you:

@ Without your express consent
@ Unless it is required directly for their job and will not be disclosed publicly
@ Unless requested officially by a court of the jurisdiction

USA PATRIOT Act

The purpose of the USA PATRIOT Act is to deter and punish terrorist acts in the United States and around the world,
to enhance law enforcement investigatory tools, and other purposes. It is made up of the following titles:

@ Title I - Enhancing Domestic Security Against Terrorism
@ Title II - Enhanced Surveillance Procedures
@ Title III - International Money Laundering Abatement and Anti-Terrorist Financing Act of 2001
@ Title IV - Protecting the Border
@ Title V - Removing Obstacles to Investigating Terrorism
@ Title VI - Providing For Victims of Terrorism, Public Safety Officers, and Their Families
@ Title VII - Increased Information Sharing for Critical Infrastructure Protection
@ Title VIII - Strengthening the Criminal Laws Against Terrorism
@ Title IX - Improved Intelligence
@ Title X - Miscellaneous


Army Regulations

Army regulations, like all Department of Defense regulations, are implemented in a hierarchical fashion. Each
regulation builds upon and supports the higher-level regulation. All Army regulations are constructed so as not to
conflict with higher-level Department of Defense regulations. As an Information Assurance Security Officer, there is a
slew of pertinent Army regulations, directives, manuals, and BBPs to reference and enforce. You will be a
representative of the requirements contained within those regulations. Within this lesson you will be introduced to the
main regulations, but it is your responsibility to become knowledgeable about the content of those regulations as they
pertain to your job.

AR 25-1

AR 25-1 establishes Army policies for information technologies, policies to manage information and knowledge, and
policies to assign responsibilities for carrying out those policies. It applies to the United States Army, the United
States Army Reserve, and the Army National Guard. Within those components, this regulation applies to information
technologies in support of Command and Control (C2) and business systems. It may also apply, when noted, to
intelligence systems and National Security Systems that apply to the Army. It does not, however, directly apply to
operational support for intelligence or Electronic Warfare (EW) systems. Those areas of concentration have their own
regulations (Intelligence Community Directives).

AR 25-1 defines Information Technology as any system, subsystem, or equipment used in the automatic acquisition,
storage, control, interchange, transmission, display, or manipulation of information. It includes computing devices and
their software, firmware, and hardware, as well as any support services and their related resources.

The ultimate goal of Army knowledge management is to produce a net-centric, knowledge-based force in support of
the Global Information Grid (GIG). The infrastructure will be managed in an enterprise fashion and will be enhanced
with centralized, information-sharing, collaborating resources such as Army Knowledge Online (AKO).

AR 25-1 specifically creates the roles of Army Chief Information Officer (CIO/G6) and Army Network Enterprise
Technology Command / 9th Signal Command (NETCOM/9SC) and then goes on to delineate their responsibilities.
The CIO/G6 is the primary advisor to the Secretary of the Army regarding Information Technology matters. AR 25-1
also defines roles and responsibilities for the Under Secretary of the Army and the various Assistants to the Secretary
of the Army. Responsibilities for RCIOs (Regional Chief Information Officers) and DOIMs (Directors of Information
Management) can be located in this regulation.

AR 25-1 reinforces the requirement, initially set at the Department of Defense level, for an Information Assurance
program. AR 25-1 establishes key IA roles and then directs the creation of AR 25-2, which is the Army Information
Assurance Program. AR 25-1 points Information Assurance Security Officers to AR 25-2 for a litany of IASO
responsibilities. We will cover those responsibilities shortly.

AR 25-1 requires all information systems to go through a formal certification and accreditation process called DIACAP
(DoD Information Assurance Certification and Accreditation Process). NETCOM is tasked with the responsibility of
verifying that systems are in DIACAP compliance. Furthermore, AR 25-1 requires information systems to be purchased
from the Army's IA APL (Approved Products List) located at the https://informationassurance.us.army.mil website.
System Administrators are to use the Army Gold Standards (AGM) for security configurations. Any alterations must
be approved by the Designated Accrediting Authority (DAA) and then documented accordingly.

AR 25-1, as well as other DoD and Army regulations, is concerned with inappropriate use of Army communication
technologies. As an IASO it is your duty to become familiar with these regulations and their specific communication
prohibitions. Army communication systems will not be used to promote particular candidates for public elections,
promote personal financial gain opportunities, or promote unlawful activities. Email systems will not be used to
transmit chain letters, spam, or hoaxes. Email systems will not be used for broadcasts to large groups of email users
(entire organizations); instead, transmissions are to be limited to the relevant audience. Large files are not to be
distributed to groups of accounts via email but should instead be centrally managed with a service such as AKO.

Security incidents will be handled with the utmost timeliness. Whenever an incident occurs, whether successful or
unsuccessful, it will be reported to the chain of command and the next highest IA level. All incidents will be
investigated to determine their cause, and a solution to prevent recurrence will be applied.

AR 25-2

AR 25-2 is the Army's Information Assurance Program. This regulation holds important information about the entire
gamut of Information Assurance as well as specific roles assigned to the IASO. AR 25-2 mandates Defense-in-Depth
to protect resources and borrows security axioms from COMSEC, INFOSEC, TRANSEC, and physical security. It is
your duty as an IASO to uphold these regulations. Failure to do so can make your actions, or lack of action, subject
to the UCMJ (military) or prosecution in US District Court (civilian).

The Information Assurance Program Manager (IAPM) develops, maintains, and manages the formal IA security
program. The IAPM defines the IA personnel structure and assigns the Information Assurance Network Manager
(IANM), Information Assurance Network Officer (IANO), and the Information Assurance Security Officers (IASO).

The IASO is ultimately assigned by the commander or manager of an activity. The IASO can be assigned to one
Information System or to multiple ISs. They must obtain and maintain the appropriate IA certification(s). The
Department of Defense regulations will often refer to the IASO as the IAO.

IASOs must enforce the IA policy, IA guidance, and training requirements derived from the Army and DoD regulations.
The IASO must also ensure all users meet regulation requirements prior to granting user access to information
systems. Users are to receive annual IA awareness training to support their access.

The IASO is tasked with reviewing system logs and judging the ramifications that system changes have on the
security posture. They must make sure their systems are certified, accredited, and reaccredited when the time
comes. All software must be properly licensed and verified. Any security violations and incidents will be reported to
the applicable RCERT.

System and Network Administrators will fulfill the duties of IASO when an IASO is not available. Any personnel acting
as an IASO must, once appointed, complete the IASO course within 6 months. The administrator must be both IA
certified and certified for the Information System on which they will be working (computing environment). They will
also sign a Privileged-level Access Agreement (PAA) and a Non-Disclosure Agreement (NDA).

Administrators will perform vulnerability assessments, maintain antivirus definitions, and ensure proper patch
management of their Information System. Any system changes due to patch management will be reported to the
IAM/IASO. The administrator will also implement and test data backups for that Information System.
Administrators will review user accounts for legitimacy, neutralizing any default accounts or guest accounts.
Departing users will have their user accounts removed before the user leaves the organization and if inactive
accounts are no longer required after 45 days then they will be terminated. Any user accounts involved in knowingly
harming Army Information Systems are to be suspended.

The administrator will have two separate accounts: one for privileged-level administrative access and the other a
general-use, non-privileged account for routine procedures. The terms to be met by general users apply to
administrators as well. The administrator must comply with the command's Acceptable Use Policy (AUP) and sign the
AUP before initially accessing their account. They also must remember to log off their accounts at the end of the day
and enable password-protected screen locks that activate within 15 minutes of last activity. Both accounts belonging
to the System Administrator must show signs of activity within 45 days or be subject to termination.
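The account rules in the two paragraphs above (default and guest accounts neutralized, departed users removed, 45-day inactivity, a separate non-privileged account for each administrator, signed AUP) as an added periodic-review check; this is example code, not from AR 25-2, and the account names, the review date, and the set of default account names are constructed assumptions.

```python
"""Added example, not from AR 25-2: a periodic account review applying the
rules above to a constructed account list. Names, dates and the set of
default account names are assumptions made for this example."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

INACTIVITY_LIMIT_DAYS = 45
# Names treated as default/guest accounts; an assumption for this example.
DEFAULT_ACCOUNT_NAMES = {"guest", "administrator", "root"}


@dataclass
class Account:
    name: str
    owner: str                  # responsible person, or "" for built-in accounts
    privileged: bool
    enabled: bool
    last_logon: Optional[date]  # None means the account has never been used
    departed: bool = False      # owner has left the organization
    aup_signed: bool = True     # Acceptable Use Policy on file


def review_accounts(accounts, today):
    """Return (account, finding) pairs for every rule an enabled account breaks.
    A never-used enabled account is treated as inactive (assumption)."""
    findings = []
    owner_roles = {}
    for a in accounts:
        if a.owner:
            owner_roles.setdefault(a.owner, set()).add(a.privileged)
        if not a.enabled:
            continue                      # disabled accounts need no action
        if a.name.lower() in DEFAULT_ACCOUNT_NAMES:
            findings.append((a.name, "default or guest account still enabled; disable it"))
        if a.departed:
            findings.append((a.name, "owner has departed; remove the account"))
        idle_days = (today - a.last_logon).days if a.last_logon else None
        if idle_days is None or idle_days > INACTIVITY_LIMIT_DAYS:
            findings.append((a.name, f"no activity within {INACTIVITY_LIMIT_DAYS} days; terminate"))
        if not a.aup_signed:
            findings.append((a.name, "AUP not signed; access must not be granted"))
    # Administrators need a privileged account and a separate non-privileged one.
    for owner, roles in owner_roles.items():
        if roles == {True}:
            findings.append((owner, "administrator lacks a separate general-use account"))
    return findings


# Constructed sample: the review date and the accounts below are made up.
TODAY = date(2010, 6, 1)
SAMPLE_ACCOUNTS = [
    Account("guest", "", False, True, None),
    Account("jdoe", "J. Doe", False, True, TODAY - timedelta(days=3)),
    Account("jdoe.adm", "J. Doe", True, True, TODAY - timedelta(days=10)),
    Account("asmith.adm", "A. Smith", True, True, TODAY - timedelta(days=50)),
    Account("bjones", "B. Jones", False, True, TODAY - timedelta(days=1), departed=True),
    Account("cwhite", "C. White", False, False, None),   # disabled: nothing to report
]


def sample_findings():
    """Run the review over the constructed sample."""
    return review_accounts(SAMPLE_ACCOUNTS, TODAY)


if __name__ == "__main__":
    for account, finding in sample_findings():
        print(f"{account}: {finding}")
```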

Though the default lockout threshold (i.e. the password-enabled screen saver) should activate within 15 minutes of
system inactivity, there are situations in which the lockout may impede mission readiness. These occurrences are
rare, but the System Owner (SO) may override the lockout threshold so that activation occurs later, as long as the
system is not unattended during the extended period, additional safeguards are implemented to reduce the risks, and
there is minimal risk to overall system readiness (i.e. the network and its connected devices). The lockout feature may
never be disabled, however. Exceptions will never be granted for convenience or ease of use. Examples where the
lockout may be extended past 15 minutes are standalone systems for audience presentations, or medical systems
that aid triage units.

Any system that supports account lockouts will have a threshold set to 3 attempts. The system must not indicate
whether the identity challenge or the authentication challenge was incorrectly provided. IA personnel will verify the
reason for the lockout and the user's identity before unlocking the account within 72 hours. The reason will be
documented and maintained for 1 year by the administrator. Automatic unlocking may only be approved by the DAA.

Network Access Controls (NAC) will be implemented when systems attempt remote access. The systems will meet
security configuration requirements such as Information Assurance Vulnerability Management (IAVM) that includes
system patches, certification and accreditation standards, and host-based safeguards (i.e. updated antivirus and a
firewall) before being granted access to network resources. The log-in credentials will be encrypted as they traverse
trusted and untrusted networks. Each user will annually read and sign security and end-user agreements as a
condition for continued access.

System Administrators will maintain audit logs for all systems for no less than 90 days. An audit trail should be
detailed enough to reconstruct events so that the cause of a system compromise can be determined. Centralized,
enterprise audit servers will be utilized to ingest audit logs from client machines in order to minimize exposure. Audit
logs will be reviewed at least weekly. Centralized audit server logs will be maintained for a minimum of 1 year. Retain
classified and sensitive Information System audit files for 1 year (5 years for SCI systems, depending on storage
capability).

The Administrator can remove any file, email, or attachment that interferes with the operation of an Information
System without the consent of the originator or recipient. The System Administrator or Network Administrator must
notify the sender and receiver of the removal. The Administrator is not allowed to access individual information or
data files unless authorized to do so under explicit scenarios. An administrator may access a file if conducting a
search on behalf of management. The search must be sensible and pertinent to the occasion. For example, the
administrator is not allowed to access the user's email account when merely searching for a Word document that
would be stored in the user's personal folder. The administrator may also access user files when conducting an
authorized administrative search. Lastly, user files may be accessed in support of an authorized investigation.

Information Assurance Vulnerability Alert (IAVA) is a process within the C2 system that provides for sensing valid
information about events and the environment, reporting information, assessing the situation and associated
alternatives for action, deciding on an appropriate course of action, and issuing messages directing corrective action.
Additionally, IA protects those information and information-based systems essential to the minimum operations of the
Army. They include, but are not limited to, telecommunications, weapons systems, transportation, personnel, budget,
BASOPS, and force protection. (See also AR 25-2 for more policy on information assurance.)

IA components will be designed to protect information from the wide-ranging threats to the Army's critical information
infrastructures, to include the basic facilities, equipment, and installations needed for the function of a system,
network, or integrated network that will support the National Security of the United States and the continuity of
Government.

IA seeks to maintain effective C2 of friendly forces by protecting critical information infrastructures from unauthorized
users, detecting attempts to obtain or alter information, and reacting to unauthorized attempts to obtain access to or
change information. These measures focus on the integrity, confidentiality, availability, authentication, verification,
protection, and nonrepudiation of the infrastructures and the information contained within. Per DODD 8500.1, IA-
enabling technologies such as Public Key Infrastructure (PKI) and biometrics will be used to protect information.

AR 380-5

AR 380-5 is the Army's Information Security Program. It addresses the techniques to safeguard, classify, declassify,
and destroy information. From authentication techniques to device hardening, this regulation is essential for IA
physical security.

Whenever data is written to a storage medium and then later deleted, the data isn't truly erased. Data remanence is
the pattern of ones and zeroes that is still left on the storage device after the user has "deleted" the file. Through
software or sensitive forensic equipment, the old data can be recovered and reconstructed, ultimately leading to
unauthorized disclosure of information.

Removing data remanence from storage media, such as hard disks, floppy disks, and magnetic tapes, can be
conducted in two distinct ways: clearing and purging. Simply reformatting a hard drive will not do. The media is
cleared by writing a series of randomized ones and zeroes over the previous ones and zeroes. This is sometimes
referred to as zeroization. Clearing is appropriate for object reuse within the same security compartment (for
example, reusing a hard disk at the same security level within the same facility).

However, if we want to use the storage media for a different security level then we need to be more aggressive at
removing data remanence. Purging is defined as the unequivocal erasing of data from the storage device in such a
way so that the data may never be recovered. Storage media that maintains the data as magnetic bits, such as tapes
and hard disks, will employ degaussing. Degaussing is the act of running a strong magnetic disturbance through the
magnetic field of the storage device, effectively resetting the magnetic field to its original, unintelligible shipping state.
It is important to purge the storage media before declassification occurs. Some magnetic tapes are impervious to
degaussing so it may be best to just destroy the tapes when they are no longer needed.

The varied techniques in destroying information are well documented in AR 380-5 but the destruction of choice is to
incinerate the medium that holds the data. Whether the medium is paper, microfiche, or equipment such as hard
drives, simply incinerate it. No other single destruction method has been found to be as effective, versatile, and
secure, as incineration.

AR 380-53

AR 380-53 is the Army¶s Information Systems Security Monitoring regulation. It stipulates the minimal training
required to participate in Information Systems Security Monitoring and specifies who can conduct Information
Systems Security Monitoring.

AR 380-53 mandates that sending classified information over non-secure communication channels is prohibited and
that users must be made aware of this mandate. A Warning Banner will be presented to users before they are
authenticated, stating that their communications are subject to monitoring. Acceptance of the Warning Banner
notification implies the user's consent to monitoring at any time. An example Warning Banner message is provided in
AR 380-53, but the required Warning Banner message is dictated in AR 25-2 paragraph 4-5(m).

Appendix B of this regulation covers the Computer Defense Assistance Program (CDAP) and describes ACERT's
role in this program. CDAP is primarily concerned with mitigating threats to Information Operations. The primary
goals of those threats would be the compromise of information, the corruption of data, and the disruption of
operations. A diagram depicting the CDAP process is provided within the Appendix.

Annex A pertains to penetration testing. It regulates the conduct of the penetration test by specifying when testing can
be conducted and what will be tested.

Best Business Practices (BBPs)

As stated in the Army Information Assurance Program Best Business Practices document: The BBPs will be
evolutionary documents that will define approaches and methods the Army will employ to address changes and
implement Information Technology (IT) policy or requirements. The Army has a goal to maintain an operationally and
technically efficient Army Information Assurance Program (AIAP), focused on the most effective and innovative
methods of implementing IT.

The purpose and goal of developing Army Best Business Practices (BBPs) is to establish the following:

@ To provide foundational directives and guidance in securing and enhancing the trust and trusted
relationships of Army information, systems, and networks through application of information assurance
initiatives and technology.
@ To provide implementing directives and guidance for Army regulations and policy.
@ To provide centralized accountability and repository of IA or IT published doctrine.
@ To provide administrative, operational, and technical systems security requirements.
@ To establish and enhance baseline information assurance levels of the AEI.
@ To define and mandate methods to implement the Defense in Depth (DiD) Strategy.
@ To promote the use of efficient best practices and cost-effective, computer-based security features and
assurances.
@ To implement the concepts of mission assurance category, levels of confidentiality, and levels of robustness
of information.
@ To implement Army Regulation AR 25-2 (Information Assurance); DoD Directive 8500.1 (Information
Assurance); DoD Instructions 8500.2 (Information Assurance Implementation) and 5200.40 (DoD
Information Assurance Security Certification and Accreditation Process (DIASCAP)); and CJCSM 6510.01
(Information Assurance and Computer Network Defense) and other DoD or service guidance to align Army
IA goals and objectives to support the DoD Information Management Strategic Plan.
@ To assist Designated Approving Authorities (DAAs) in meeting the system accreditation policies and IA
requirements before fielding or accepting systems or networks.
@ To assist Commanders in the implementation of a Configuration Management Process.
@ To assist in the development of Continuity of Operations Plans (COOP).
@ To establish and implement specific policy, measures, and practices.
@ To meet changing technology or IA requirements.
@ To provide the foundation for the Networthiness Certification Program.

Current BBPs, listed by number, title, and date published (with the date of the latest update where one has been
issued):

08-CO-M-0001 IT Contingency Plans and Testing 11 Apr 08

03-DC-O-0001 Information Assurance Tools 11 Mar 05
06-DC-M-0002 Certification and Accreditation (C&A) 21 Nov 06
06-DC-M-0003 C&A DAA 21 Nov 06
06-DC-M-0004 C&A Certification Authority (CA) 21 Nov 06
06-DC-M-0005 C&A Agent of the CA 21 Nov 06
07-DC-M-0006 Installation Level DAA 06 Jun 07
07-DC-M-0007 Connection Approval Process (CAP) 23 Jan 09
07-DC-M-0008 Terms of Connectivity to ISP/ICAN 12 Oct 07
07-DC-M-0009 IA Strategies 23 Oct 07
08-DC-M-0010 C&A Standalone IS and CRN 10 Oct 08
09-DC-M-001 Army SAP C&A Guidance 28 Apr 09

07-EB-O-0001 Cross Domain Solutions 19 Mar 07
08-EB-O-0003 Enclave Firewall 18 Jan 08
08-EB-O-0004 Network Data Switch 08 Aug 08
08-EB-O-0005 Network Router 03 Sep 08
08-EB-T-0002 Web Applications and SQL Injection 16 Jan 08

04-EC-M-0003 Web Filtering 1 May 04
05-EC-M-0005 Deployment Planning for Information Systems 1 Sep 05
09-EC-M-0003 Wireless Security Standards 22 June 04 02 Jan 09
03-EC-O-0001 Acquiring SIPRNET Connectivity 7 Dec 05
04-EC-O-0004 Network Assessment Scanning 7 July 04 11 Aug 06
06-EC-O-0007 "Road Warrior" Laptop Security 17 Feb 06 18 Mar 09
06-EC-O-0008 Data at Rest (DAR) Protection 12 Oct 06
07-EC-O-0009 DAR for Apple FileVault on Mac OS X 23 Feb 07
03-EC-T-0002 Data Transfer Across Security Domains 15 Oct 03 23 May 06

04-IA-O-0001 Army Password Standards 15 Dec 04 01 May 08
09-IA-O-0002 Digitally Signing Email 20 Apr 09

03-PE-O-0002 Reuse of Army Computer Hard Drives 23 Jan 04 02 Jun 09

04-PR-M-0001 Family Member Support 1 May 04
05-PR-M-0002 Information Assurance Training 28 Feb 06 30 Nov 09
06-PR-M-0003 Privileged Level Access Agreement AUP 03 Nov 06

03-VI-O-0001 Classified Spillage on Information Systems 20 Apr 07
06-VI-M-0009 Network Incident Classification 22 Sep 06

The BBPs can be obtained by going to https://informationassurance.us.army.mil. Check this site on a periodic basis
for new and updated BBPs. The following sections provide brief overviews of several BBPs.


  
Information Assurance Training (BBP 05-PR-M-0002)

The IA workforce focuses on the operation and management of IA capabilities for Department of Defense (DoD)
systems and networks. IA ensures that adequate security measures and established IA policies and procedures are
applied to all Information Systems (IS) and networks. The IA workforce includes all privileged users, specialty
positions, and IA managers who perform any of the functions described in DoD 8570.01-M, Change 1, Chapters 3-5
and 10-11, regardless of occupational specialty, or whether the duty is performed full-time or part-time as an
additional/embedded duty (DoD 8570.01-M par C1.4.4.4). All civilian new hires appointed to IA positions must be
certified within 6 months. All existing contracts must be modified to specify certification requirements NLT 31 Dec
2010. New contracts must state that contractor personnel agree, as a "condition of employment", to obtain the
appropriate baseline certification upon contract award. DoD 8570.01-M, Change 1, paragraph C2.1.7 states: The
IA workforce training and certification program establishes a baseline of validated (tested) knowledge that is relevant,
recognized, and accepted across the Department of Defense.

The IA training audience includes military, civilian, foreign national, and contractor personnel in Deployed and
Generating Forces organizations. In addition to being able to demonstrate the required level of technical, specialty,
and/or management skills and experience, it is DoD policy (DoDD 8570.1-M, Change 1) that "the IA workforce
knowledge and skills be verified through standard certification testing." Consequently, Army IA personnel must attain
and maintain Information Technology (IT)/IA certifications appropriate for their technical, specialty, and/or
management positions. In some cases, this will include passing one or more certification exams. The IASO will
complete, at a minimum, the requirements set forth for a DoD Level 1 manager within 6 months of assuming the IA
position. Those requirements are:

@ Completing the online IASO course (https://ia.signal.army.mil/IASO/default.asp)
@ Completing the online Security+ Army e-Learning Program. This course is waived for personnel who already
hold a Security+ certification or higher.
@ Obtaining one of the DoD 8570.01-M Management Level 1 certifications. As of this writing the list of
certifications includes Security+, GISF, or GSLC. The type of baseline certification will be determined by the
IASO's supervisor during the performance evaluation process.


Army Password Standards (BBP 04-IA-O-0001)

Passwords or PINs are used for a variety of purposes. Some of the more common uses include user level accounts,
web accounts, email accounts, screen saver protection, voicemail password, and local router logins.

The most common password vulnerabilities are:

@ Accounts have weak, default, publicly known, or nonexistent passwords.
@ Users fail to protect their passwords.
@ Users fail to choose strong passwords.
@ The operating systems create administrative accounts with weak, non-existent, or publicly known passwords.
@ Password hashing algorithms are known, and often these hashes are stored such that they are visible to
anyone or easily exploited through automated means.
@ Insufficient or non-existent password verification and assessment policies.
@ Insufficient or non-existent account verification and assessment procedures.

Army password requirements:

@ All system-level accounts and privileged-level accounts using passwords will be a minimum of 15 characters
long and changed every 60 days
@ All user-level accounts using passwords will be at least 14 characters long and changed every 60 days
@ All passwords will be strong passwords containing the following characteristics:
  @ at least two numbers
  @ at least two special characters
  @ at least two upper-case characters
  @ at least two lower-case characters
@ The password history will be set to 10
@ The password Observation Window account lockout setting will be set to no more than 60 minutes, with a
lockout duration set to 0 and the number of attempts set to 3. A system administrator is to unlock the
account when needed.
@ Disable "Remember Password" features built into applications.
@ SA/NMs will test accounts utilizing passwords for password weakness at least quarterly by using a
password cracker

Army Smart Card (i.e. Common Access Card) requirements:

@ PINs will be 6-8 digits long
@ PINs have no requirement to be changed on a regular basis
@ The cardholder will be limited to 3 chances to type the PIN correctly
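The password, PIN, and lockout requirements above, together with the AR 25-2 lockout rules covered earlier (3 attempts, no indication of which challenge failed, identity verified before a manual unlock, reason retained), as an added policy checker; this is example code, not from the BBP, and the SHA-256 digest used for the password history is an illustration only, not the storage format a real system would use.

```python
"""Added example, not from the Army Password Standards BBP: checks a password,
a CAC PIN and a three-attempt lockout against the requirements listed above.
Password history is compared by SHA-256 digest purely for illustration; a real
system stores salted, slow password hashes."""
import hashlib
import string
from collections import deque

USER_MIN_LEN = 14             # user-level accounts
PRIVILEGED_MIN_LEN = 15       # system-level and privileged-level accounts
HISTORY_DEPTH = 10            # password history set to 10
MAX_ATTEMPTS = 3              # failed attempts before lockout
OBSERVATION_WINDOW = 60 * 60  # attempts counted within a 60-minute window (seconds)
SPECIALS = set(string.punctuation)


def digest(secret: str) -> str:
    """Illustrative digest used only to keep the password history."""
    return hashlib.sha256(secret.encode()).hexdigest()


def password_violations(password, privileged=False, history=()):
    """Return the rules a candidate password breaks; an empty list means compliant.
    `history` holds digests of the account's previous passwords."""
    min_len = PRIVILEGED_MIN_LEN if privileged else USER_MIN_LEN
    problems = []
    if len(password) < min_len:
        problems.append(f"shorter than {min_len} characters")
    counts = {
        "numbers": sum(c.isdigit() for c in password),
        "special characters": sum(c in SPECIALS for c in password),
        "upper-case characters": sum(c.isupper() for c in password),
        "lower-case characters": sum(c.islower() for c in password),
    }
    for kind, n in counts.items():
        if n < 2:
            problems.append(f"fewer than two {kind}")
    if digest(password) in list(history)[-HISTORY_DEPTH:]:
        problems.append(f"reused within the last {HISTORY_DEPTH} passwords")
    return problems


def pin_violations(pin):
    """Common Access Card PIN rule: 6 to 8 digits, no periodic change required."""
    problems = []
    if not pin.isdigit():
        problems.append("PIN must contain digits only")
    if not 6 <= len(pin) <= 8:
        problems.append("PIN must be 6-8 digits long")
    return problems


class LockoutTracker:
    """Counts failed logons per account inside the observation window. After the
    third failure the account is locked with duration 0, meaning no automatic
    unlock: an administrator unlocks it after verifying the user's identity."""

    def __init__(self):
        self._failures = {}
        self._locked = set()
        self.unlock_log = []   # (account, reason) records, retained for one year

    def record_failure(self, account, now):
        """Register a failed attempt at time `now` (seconds); True if the account is locked."""
        if account in self._locked:
            return True
        attempts = self._failures.setdefault(account, deque())
        attempts.append(now)
        while attempts and now - attempts[0] > OBSERVATION_WINDOW:
            attempts.popleft()       # drop attempts that fell outside the window
        if len(attempts) >= MAX_ATTEMPTS:
            self._locked.add(account)
            attempts.clear()
            return True
        return False

    def is_locked(self, account):
        return account in self._locked

    def unlock(self, account, reason, identity_verified):
        """Manual unlock; refused unless IA personnel verified the user's identity."""
        if not identity_verified:
            raise PermissionError("verify the user's identity before unlocking")
        self._locked.discard(account)
        self.unlock_log.append((account, reason))


def logon_message(success):
    """Uniform failure text: never reveal whether the identity or the password was wrong."""
    return "Logon successful" if success else "Logon failed"
```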

Wireless Security Standards (BBP 09-EC-M-0003)

This document establishes best practice standards for the deployment and use of local wireless network technologies
for the Department of the Army. It intends to protect Army resources and data from security threats, improve incident
response for wireless issues, and mitigate interference among wireless technologies. Wireless network devices offer
a simple, convenient, and inexpensive solution to extend local area network (LAN) accessibility by reducing the
requirements for physical infrastructure. Wireless networking removes the encumbrance of wired connections on
portable devices, and can also give laptop and handheld users the ability to travel beyond traditional network
boundaries (e.g. between buildings) without losing network connectivity. This flexibility, however, introduces several
unique vulnerabilities in addition to the inherent risks associated with any wired network.

Since wireless signals are radio transmissions, they can be intercepted by suitable radio receivers or intentionally
jammed by other devices, sometimes even by devices operating outside the intended service area. If data
transmissions are not encrypted or are inadequately encrypted, the intercepted data can be read and understood in a
matter of seconds. Any data transmission sent through the wireless network is at risk, including orders to execute,
research correspondence, usernames and passwords, financial data, and other sensitive information. Because
wireless transmissions circumvent traditional perimeter firewalls, the existing protections established to prevent
unauthorized access are ineffective against them. Advances in wireless signaling technology may increase transmission
distances, which further exacerbates the problem of unauthorized reception by increasing the standoff distance from
which adversaries can receive the signal.

Advances in wireless signaling technology have allowed for increased transmission distances. As a result, our
adversaries can receive and exploit transmissions from greater standoff distances. Without the use of encryption and
authentication protocols, transmitted data can be read and deciphered by unintended recipients in a matter of
seconds.

Exposure of sensitive data is not the only concern for the Army. If improperly implemented, a wireless network gives
an unauthenticated or unauthorized user an internal Army IP address with all the benefits offered to any
authenticated user. Using one of these trusted IP addresses, attacks could be launched against the Army or any
outside network accessible through the Army's infrastructure. Web sites devoted to open access points throughout
the country are expanding and are likely to include open access points (“hot spots”) within the Army. Since wireless
network devices operate using radio signals, their proliferation in the Army can lead to Radio Frequency Interference
(RFI) among these and other radio devices using the same frequency bands. This Best Business Practice (BBP)
serves as the foundation for a comprehensive risk mitigation strategy, enhanced by published security standards and,
where applicable, a more granular IA-specific standard.

The following requirements should not be construed as a complete listing of wireless requirements. Consult the
Wireless BBP for the complete listing.

@ MAC address filtering will be conducted on the WLAN
@ SSID broadcasting will be disabled and the default SSID changed
@ Factory default settings will not be observed (BBP requirements will be enforced)
@ Multifactor authentication and mutual authentication will be practiced utilizing 802.1x access control, EAP,
and FIPS 140-2 compliant end-to-end encryption
@ WPA2 Enterprise will be the WLAN security baseline
@ Wireless Personal Area Networks are also covered by this BBP and will require encryption

Specific wireless standards and protocols prohibited on Army networks are:

@ WEP (Wired Equivalent Privacy)
@ WPA version 1
@ Bluetooth wireless headsets
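The WLAN requirements above as a policy-as-code audit, with a weak access point configuration beside a compliant one. This is an added example, not Army code and not the Wireless BBP itself; the setting names (security_mode, dot1x, eap_mutual_auth, fips_140_2_encryption, mac_filtering, factory_defaults) and both sample access point records are constructed for illustration.

```python
"""Policy-as-code audit of WLAN access point settings against the wireless
requirements listed above. Added example, not Army code; the setting names and
the two sample configurations are constructed for illustration."""

# Modes the page prohibits outright, plus "open" (no encryption at all).
PROHIBITED_MODES = {"open", "WEP", "WPA"}  # "WPA" here means WPA version 1
BASELINE_MODE = "WPA2-Enterprise"
# Constructed sample of vendor default SSIDs; a real audit uses the site's own list.
DEFAULT_SSIDS = {"linksys", "default", "NETGEAR", "dlink", "tsunami"}


def audit_wlan(ap):
    """Return the list of findings for one access point (empty list = compliant)."""
    findings = []
    mode = ap.get("security_mode", "open")
    if mode in PROHIBITED_MODES:
        findings.append(f"security mode {mode} is prohibited; baseline is {BASELINE_MODE}")
    elif mode != BASELINE_MODE:
        findings.append(f"security mode {mode} is below the {BASELINE_MODE} baseline")
    else:
        # WPA2 Enterprise is only as strong as the 802.1x/EAP and cipher settings behind it.
        if not ap.get("dot1x"):
            findings.append("802.1x access control is not enabled")
        if not ap.get("eap_mutual_auth"):
            findings.append("EAP method does not provide mutual authentication")
        if not ap.get("fips_140_2_encryption"):
            findings.append("end-to-end encryption is not FIPS 140-2 compliant")
    if ap.get("ssid_broadcast", True):
        findings.append("SSID broadcasting is enabled")
    if ap.get("ssid") in DEFAULT_SSIDS:
        findings.append("default SSID has not been changed")
    if not ap.get("mac_filtering"):
        findings.append("MAC address filtering is not enabled")
    if ap.get("factory_defaults"):
        findings.append("factory default settings are still in place")
    return findings


# Constructed sample: an AP still running with its out-of-the-box settings.
WEAK_AP = {
    "name": "bldg-12-ap1", "ssid": "linksys", "security_mode": "WEP",
    "ssid_broadcast": True, "mac_filtering": False, "factory_defaults": True,
}

# Constructed sample: an AP configured to the baseline in the list above.
HARDENED_AP = {
    "name": "bldg-12-ap2", "ssid": "B12-OPS", "security_mode": "WPA2-Enterprise",
    "dot1x": True, "eap_mutual_auth": True, "fips_140_2_encryption": True,
    "ssid_broadcast": False, "mac_filtering": True, "factory_defaults": False,
}


def audit_site(aps):
    """Map each AP name to its findings; the empty lists are the compliant ones."""
    return {ap["name"]: audit_wlan(ap) for ap in aps}


if __name__ == "__main__":
    for name, findings in audit_site([WEAK_AP, HARDENED_AP]).items():
        print(name, "->", findings or "compliant")
```

Note that a WPA2 Enterprise mode string on its own passes nothing: the 802.1x, mutual-authentication and FIPS 140-2 checks are what separate a compliant deployment from one that merely selected the right menu option.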

Digital Signature BBP

This BBP covers the scenarios in which an email must be digitally signed. A digital signature provides three
cryptographic services: integrity, authentication, and non-repudiation. When an email is digitally signed, the recipient
has assurance that the email content was not changed in transit (integrity) and assurance of who originated the
email (authentication and non-repudiation). A digitally signed email does not by itself provide confidentiality: the
body travels in the clear unless it is also encrypted.

Specifically, emails must be digitally signed when:

@ the email is for official business
@ the email contains embedded hyperlinks
@ the sender wishes to attach a v-card
@ the email contains sensitive information
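The three services named above, and the confidentiality the BBP says is missing, demonstrated end to end as an added example that is not part of this BBP. To stay standard-library only it uses textbook RSA over a SHA-256 digest with fixed Mersenne primes; that keypair is an assumption for illustration, and real signed email (S/MIME with the CAC certificate) uses padded RSA or ECDSA with X.509 certificates, never this construction.

```python
"""What a digital signature does (and does not) provide, as an added example
that is not part of this BBP. Textbook RSA over a SHA-256 digest with fixed
Mersenne primes, for illustration only; real S/MIME uses padded RSA or ECDSA
with X.509 certificates."""
import hashlib


class Keypair:
    """Textbook RSA keypair from two primes; only the public part leaves the owner."""

    def __init__(self, p, q, e=65537):
        self.n = p * q
        self.e = e
        self.d = pow(e, -1, (p - 1) * (q - 1))  # private exponent (Python 3.8+)

    def public(self):
        return (self.n, self.e)


def digest(message):
    """SHA-256 of the message as an integer; it must be smaller than the modulus."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big")


def sign(message, key):
    """Signer raises the digest to the private exponent: only the key owner can."""
    return pow(digest(message), key.d, key.n)


def verify(message, signature, public_key):
    """Anyone holding the public key checks the signature against a fresh digest."""
    n, e = public_key
    return pow(signature, e, n) == digest(message)


# Fixed toy keys (assumed for the demo): 2**521-1, 2**607-1, 2**1279-1 and
# 2**2203-1 are Mersenne primes, so each modulus is a genuine RSA modulus.
SENDER = Keypair(2**521 - 1, 2**607 - 1)
IMPOSTER = Keypair(2**1279 - 1, 2**2203 - 1)


def demo():
    """Exercise the three services the BBP names and the one it warns is missing."""
    body = b"From: jdoe@example.mil\nSubject: Official business\n\nApprove order 42."
    signature = sign(body, SENDER)
    return {
        # integrity: the signature still matches the unmodified body
        "untouched_verifies": verify(body, signature, SENDER.public()),
        # integrity: a single changed character breaks verification
        "tampered_verifies": verify(body.replace(b"42", b"43"), signature, SENDER.public()),
        # authentication / non-repudiation: another key cannot forge the sender's signature
        "imposter_verifies": verify(body, sign(body, IMPOSTER), SENDER.public()),
        # no confidentiality: the signed body is still readable in the clear
        "body_readable": b"Approve order 42." in body,
    }


if __name__ == "__main__":
    for service, result in demo().items():
        print(f"{service}: {result}")
```

The last entry is the one the BBP cautions about: signing binds the body to the sender, but the body itself is sent as plaintext, so sensitive content still needs encryption on top of the signature.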

Laptop Security BBP

Physical security of computing devices is crucial in protecting the information contained within the device. This BBP
provides bare minimum requirements for protecting mobile computing devices such as laptops.

Implementation of host-based security mechanisms will aid in securing remote access into the trusted network
and prevent unauthorized access, while allowing trusted access to authorized individuals. Part of the host-based
security needs to be an effective host-based firewall that complies with Common Criteria Evaluation Assurance
Level 4 as a minimum. DAAs/SAs shall provide laptop users with a cable lock that affixes to the Universal Security
Slot (USS) so that physical theft of the computing device can be mitigated. Multifactor authentication must be
enforced for the laptop by using technologies such as smart cards (Common Access Card).

Users shall remove and secure removable PC cards and peripheral devices when not needed, to prevent their theft
and to mitigate undesirable heat levels within the computing device. Users shall secure the laptop at all times when
not in use and, while it is under their control, keep the laptop within sight at all times.

This BBP also provides guidance on securing the operating system(s), drawing on other Army documentation.
Please consult the BBP for additional information.

HDD Reuse BBP

This BBP provides instructions for the reuse of HDDs that handled U.S. Army information.
This process will be used when:

@ the drives will be re-purposed to a different environment than the one in which they were previously used
(i.e. new users without a need-to-know for the original data) or to process data at a different classification or
sensitivity level
@ the drives have reached the end of their scheduled lifecycle
@ the drives have failed

Security Awareness, Training, and Certification
People are a crucial factor in ensuring the security of computer systems and valuable information resources. Human
actions account for a far greater degree of computer-related loss than all other sources combined. Of such losses,
the actions of an organization's insiders normally cause far more harm than the actions of outsiders.

The major causes of loss due to an organization's own employees are: errors and omissions, fraud, and actions by
disgruntled employees. One principal purpose of security awareness, training, and education is to reduce errors and
omissions. However, it can also reduce fraud and unauthorized activity by disgruntled employees by increasing
employees' knowledge of their accountability and the penalties associated with such actions.

In this lesson we will examine three documents that seek to address these problems. AR 25-2, para 4-3 specifically
addresses the issue of security awareness training by requiring IASOs to provide system-specific and annual IA
awareness training and by defining the themes of the training. Certification and training requirements are established
by a combination of 8570.01-M, which identifies and categorizes IA workforce positions, and by the IA BBP, which
defines the training and certification requirements for those positions.


 
 


A good place to start is the References and Web Resources page. Your unit's procedures and policy publications are
another good source. Your unit's IS accreditation documents and contingency plans also contain a wealth of
material, and this course itself provides much useful information.


  
AR 25-2: IA Awareness Training

AR 25-2 directs that all personnel associated with an IS undergo annual information assurance awareness training.
This training is required for managers, designers, developers, maintainers, operators, and users.

Appropriate awareness for management officials might stress management's pivotal role in establishing
organizational attitudes toward security. Appropriate awareness for other groups, such as system programmers or
information analysts, should address the need for security as it relates to their job. In today's systems environment,
almost everyone in an organization may have access to system resources and therefore may have the potential to
cause harm.

Awareness is used to reinforce the fact that security supports the mission of the organization by protecting valuable
resources. If employees view security as just bothersome rules and procedures, they are more likely to ignore them.
In addition, they may not make needed suggestions about improving security nor recognize and report security
threats and vulnerabilities.

Awareness is also used to remind people of basic security practices, such as logging off a computer system or
locking doors.

A security awareness program can use many teaching methods, including video tapes, newsletters, posters, bulletin
boards, flyers, demonstrations, briefings, short reminder notices at logon, talks, or lectures. Even electronic mail
messages with tips and reminders have a noticeable impact. Today, some units are using web pages to make their
users more aware about security.

An IASO may have other mission critical duties, making it difficult to conduct formal training. Although formal training
is always best, it may not always be possible or practical to use this method. When traditional means cannot be used,
use the other methods mentioned. One technique is to develop a training/policy guide that users can read (and sign).
All these methods can be used by the IASO and other managers to change employees' attitudes and meet the
regulatory training requirements.

Awareness is often incorporated into basic security training. Effective security awareness programs need to be
designed with the recognition that people tend to practice a tuning out process (also known as acclimation). For
example, after a while, a security poster, no matter how well designed, will be ignored; it will, in effect, simply blend
into the environment. For this reason, awareness techniques should be creative and frequently changed.

The initial security awareness briefing can consist of training material governing IA in general but must be tailored to
the system the employees will be managing or using. According to AR 25-2, para 4-3a (8a), this briefing must include
the following:

@ Threats, vulnerabilities, and risks associated with the system

To control the risks of operating an information system, managers and users need to know the vulnerabilities of the
system and the threats that may exploit them. Knowledge of the threat environment allows the system managers to
implement the most cost-effective security measures.

Under this portion of the initial briefing, specific information regarding measures to reduce the threat from malicious
software must be provided, including prohibitions on loading unauthorized software, the need for frequent backups,
and the requirement to report abnormal program behavior immediately.

A good place to obtain material for training on the threats, vulnerabilities, and risks associated with your IS is the
risk assessment and risk management review.

@ Information security objectives

What is it that needs to be protected? Information security objectives should be based on system functional or
mission requirements, and should clearly state the security actions required of users to support the
overall mission.

@ Responsibilities and accountability

Generally, the overall goal of an IA training program is to sustain an appropriate level of protection for computer
resources by increasing employee awareness of their computer security responsibilities and the ways to fulfill them.
Both the dissemination and the enforcement of policy are critical issues that are implemented and strengthened
through training programs. Employees cannot be expected to demonstrate accountability and to follow policies and
procedures of which they are unaware. In addition, enforcing penalties may be difficult if users can claim ignorance
when caught doing something wrong.

Training employees is also necessary to show that a standard of due care has been taken in protecting information.
Simply issuing policy, with no follow-up to implement that policy, does not suffice.

Many organizations use acknowledgment statements which state that employees have read and understand
computer security requirements.

@ Information accessibility, handling, and storage

This includes accessibility, handling, and storage considerations. It is important to realize that computer security
policies are often extensions of an organization's information security policies for handling information in other forms
(e.g., paper documents). In addition to the automation security SOP in the accreditation documentation, a sound
basis for training computer information security is your unit's published information security policies and procedures.

@ Physical and environmental considerations necessary to protect the system

Cover physical access controls that restrict the entry and exit of personnel (and often equipment and media) to and
from an area, such as an office building, suite, data center, or room containing a LAN server. Physical security training
should include controlled areas and screening measures at each of the entry points. In addition, staff members who
work in a restricted area should be trained to challenge people they do not recognize, and on the extent to which
strangers are to be challenged.

Training users to care for environmental security is crucial. Training should address care of electrical equipment used
to connect elements of the system, the electric power service, the air conditioning and heating plant, telephone and
data lines, backup media and source documents, and any other elements required for the system's operation.

Building fires are a particularly important security threat because of the potential for complete destruction of hardware
and data, the risk to human life, and the pervasiveness of the damage. Train about smoke and corrosive gases,
ignition sources, fuel sources, fire detection, extinguishment, individual responsibilities and exit routes, etc.

@ System data and access controls

This includes what users (or user groups) can or cannot do with system resources. Also cover password security,
access control lists, and user "need-to-know".

@ Emergency and disaster plans

Train users on the organizational emergency and disaster plans: their objectives, their content, and the actions
required of the users.

@ Authorized system configuration

This includes authorized system configuration and associated configuration management requirements. This topic
deals with software that is authorized to be executed or loaded on computer systems as well as the management of
hardware and peripherals. If change is not managed, system security can be adversely affected over a period of time.
Remind users of their obligations to protect unit-owned and licensed software from damage and loss, as well as from
unauthorized use and duplication. Users should be reminded that personal software cannot be used without first
having it checked and approved according to regulations and your unit's policies.

@ Incident reporting

This includes the reporting of incidents, intrusions, malicious logic, viruses, and abnormal program or system
responses to the servicing RCERT.

@ Refresher training

In accordance with AR 25-2, para 4-3b, individuals responsible for managing ISs are required to have refresher
training every 18 to 24 months.

There are many methods that can be used for periodic and follow-up training. They can be as sophisticated as
computer-based training or as simple as memorandums and electronic mail messages. Periodic training may include
various combinations of the following:

ß Self-paced or formal instruction
ß Security education bulletins
ß Security posters
ß Training films and tapes
ß Computer-aided instruction
ß DoD sponsored IA workshops

@ Training records

Since various laws, directives, and regulations require information assurance training, it is good practice to maintain
records of training, such as rosters and correspondence, for inspection purposes. The IAM, managers, and
commanders also have a responsibility to ensure that IA training is conducted and may inspect the documentation.


  
DoD 8570.01-M

DoD 8570.01-M is a manual which implements DoD Directive 8570.1. This manual “provides guidance for the
identification and categorization of positions and certification of personnel conducting Information Assurance (IA)
functions within the DoD workforce supporting the DoD Global Information Grid (GIG) per DoD Instruction 8500.2” [1].
@ IA Workforce Categories, Specialties, and Levels

Those performing IA duties, whether they are DoD employees (civilian or military) or supporting contractors, must
satisfy both preparatory and sustaining DoD IA training and certification requirements. In addition, a “Privileged
Access Agreement” must be completed by any personnel with privileged access.

Categories and specialties within the IA workforce are identified. IA workforce categories include IA Technical (IAT)
and IA Management (IAM). IA workforce specialties include Computer Network Defense Service Providers (CND-SPs)
and IA System Architects and Engineers (IASAEs). These categories and specialties are further subdivided into
levels based upon functional skill requirements and/or specific system environment focus. Each DoD IA position must
be correlated with a category or specialty and level. Functions within a position may span multiple levels. In such
cases, certification requirements are based upon the highest level function.

Specific training and certification requirements have been established for each category, specialty, and skill level.
Individuals in IA positions who do not meet the certification requirements must be reassigned to other duties
unless a waiver is granted.

@ IA Technical (IAT) Category

The technical category (IAT) is comprised of levels I, II, and III, which are cumulative in nature. For example, an IAT
Level II position requires mastery of the functions of the preceding level (IAT Level I).

Certification levels are based upon the IA functions of the position. New hires must achieve the appropriate IA
certification within 6 months of being assigned IA functions. Personnel already performing IA functions have
up to 4 years from the effective date of the 8570.01-M (19-Dec-2005) to comply with the certification requirements.
IAT Level I certification is mandatory before authorization will be given for unsupervised privileged access.

Detailed information on the IAT Level I, II, and III position requirements and functions can be found in DoD 8570.01-M.

@ IA Management (IAM) Category

The management category (IAM) is comprised of levels I, II, and III. Unlike the technical category, these levels are not
necessarily cumulative.

As with the IAT category, certification levels are based upon the IA functions of the position. Management category
personnel must achieve the appropriate level of IA certification for their level. Furthermore, any IAM position that also
performs IAT functions must obtain the appropriate technical level certification.

Detailed information on the IAM Level I, II, and III position requirements and functions can be found in DoD 8570.01-M.

@ IA Awareness Training

Before access will be granted to DoD IT system(s), all individuals are required to receive and complete initial IA
awareness training. These users are also required to complete annual IA awareness training to retain access.

According to DoD 8570.01-M, the following themes must be conveyed, at a minimum, in the initial and annual
awareness program:

@ “Critical reliance on information and IS resources.
@ Commitment to protect information and IS resources to include personal identifiable information.
@ Threats, vulnerabilities, and related risks associated with IS.
@ Consequences for inadequate protection of the organization’s IS resources.
@ The essential role of the DoD employee.”

According to DoD 8570.01-M, user orientation and awareness programs shall address, but are not limited to:

@ The importance of IA to the organization and to the authorized user.
@ Relevant laws, policies, and procedures, and how they affect the authorized user (e.g., copyright, ethics, and
standards of conduct).
@ Examples of external threats such as script kiddies, crackers, hackers, protesters, or agents in the employ of
terrorist groups or foreign countries.
@ Examples of internal threats such as malicious or incompetent authorized users, users in the employ of
terrorist groups or foreign countries, disgruntled employees or Service members, hackers, crackers, and
self-inflicted intentional or unintentional damage.
@ The potential elevated sensitivity level of aggregated unclassified information.
@ Authorized user risk from social engineering.
@ Common methods to protect critical system information and procedures.
@ Principles of shared risk in networked systems (i.e., how a risk assumed by one person is imposed on the
entire network) and changes in the physical environment (e.g., water, fire, and dust/dirt).
@ Risks associated with remote access (e.g., telecommuting, during deployment, or on temporary duty).
@ Legal requirements regarding privacy issues, such as email status (see DoD Directive 1000.25) and the
need to protect systems containing payroll, medical and personnel records.
@ Knowledge of malicious code (e.g., logic bomb, Trojan horse, malicious mobile code, viruses, and worms)
including how they attack, how they damage an IS, how they may be introduced inadvertently or
intentionally, and how users can mitigate their impact.
@ The impact of distributed denial of service attacks and what users can do to mitigate them.
@ How to prevent self-inflicted damage to system information security through disciplined application of IA
procedures such as proper logon, use of passwords, preventing spillage of classified information, e-mail
security, etc.
@ Embedded software and hardware vulnerabilities, how the Department of Defense corrects them (e.g., IAVA
process), and the impact on the authorized user.
@ Prohibited or unauthorized activity on DoD systems (e.g., peer-to-peer file sharing, gambling, personal use,
and gain issues).
@ Requirements and procedures for reporting spillage, unauthorized or suspicious activity, and local IA office
point of contact information.
@ Categories of information classification and differences between handling information on the Non-Classified
Internet Protocol Router Network (NIPRNet) or the SECRET Internet Protocol Router Network (SIPRNet).
@ Software issues including license restrictions on DoD systems, encryption, and media sanitation
requirements and procedures.
@ Definition of Information Operations Condition (INFOCON) and its impact on authorized users.
@ Sources of additional information and training.
@ Requirements and procedures for transferring data to/from a non-DoD network.
@ Requirements and procedures for protection of Data at Rest.


  
IA Training and Certification BBP

The Information Assurance Training and Certification BBP lists the training and certification requirements for the IA
workforce technical, specialty, and management levels defined in DoD 8570.01-M. As it is DoDD
8570.1 policy that “the IA workforce knowledge and skills be verified through standard certification testing,” Army IA
personnel will attain and maintain Information Technology (IT)/IA certifications appropriate to their
position. For many, this will require passing one or more certification exams. These personnel are required to
complete the requisite training to maintain their certificate or complete 40-60 hours of sustainment training annually,
whichever is greater. Furthermore, there is a 6 month certification requirement for all new hires.

The following tables summarize the DoD approved baseline certificates (Table 1), the training and certification
requirements for non-certified personnel (IAM & IAT) (Table 2), the training and certification requirements for certified
personnel (IAM & IAT) (Table 3), the training and certification requirements for non-certified personnel (CNDSP &
IASAE) (Table 4), and the training and certification requirements for certified personnel (CNDSP & IASAE) (Table 5).
In-depth information detailing the approved baseline certificates and the training and certification requirements can be
found in the IA BBP.
Table 1. DoD approved baseline certifications

IAT Level I: A+, Network+, SSCP
IAT Level II: GSEC, SCNP, Security+, SSCP
IAT Level III: CISA, CISSP (or Associate), GCIH, GSE, SCNA

IAM Level I: CAP, GISF, GSLC, Security+
IAM Level II: CAP, GSLC, CISM, CISSP (or Associate)
IAM Level III: CAP, CISM, CISSP (or Associate)

IASAE I: CISSP (or Associate)
IASAE II: CISSP (or Associate)
IASAE III: CISSP-ISSAP, CISSP-ISSEP

CND-SP Analyst: CEH, GCIA
CND-SP Infrastructure Support: CEH, SSCP
CND-SP Incident Responder: CEH, CSIH, GCIH
CND-SP Auditor: CEH, CISA, GSNA
CND-SP Manager: CISM, CISSP-ISSMP

Table 2. Training and certification requirements for non-certified personnel (IAM and IAT)

Columns: IAM Level I, IAM Level II, IAM Level III, IAT Level I, IAT Level II, IAT Level III.

Training requirement 1 (all six levels): IASO online course
Training requirement 2: IAM Level I: Security Plus (Army e-Learning Program); IAM Level II and III: CISSP (Army
e-Learning Program); IAT Level I, II and III: IA Technical Level I (Army e-Learning Program)
Training requirement 3: IAM Level I: IA Technical Level I (Army e-Learning Program); IAT Level I: CompTIA Network+
2005 for the Network+ cert, or CompTIA A+ 220 601 IT Essentials and 602, 603, or 604 series for the A+ cert (Army
e-Learning Program); IAT Level II: Security Plus (Army e-Learning Program); IAT Level III: CISSP (Army e-Learning
Program)
Training requirement 4: IAT Level II: Security+ Level II Schoolhouse Course
Training requirement 5: IAT Level I, II and III: On-the-Job Training skills practical evaluation
CNSS 4011 certificate: two of the six levels
Certification requirement (all six levels): obtain the appropriate certification for this level (for IAT Level I, for
privileged access)
Privileged access: IAT Level I: Yes, with valid certification; IAT Level II and III: Yes

Table 3. Training and certification requirements for certified personnel (IAM and IAT)

Columns: IAM Level I, IAM Level II, IAM Level III, IAT Level I, IAT Level II, IAT Level III.

Training requirement 1 (all six levels): IASO online course
Training requirement 2: IAM Level I and IAT Level I, II and III: IA Technical Level I (Army e-Learning Program)
Training requirement 3: IAT Level I, II and III: On-the-Job Training skills practical evaluation
Certification requirement (all six levels): maintain the certification you hold IAW the standards of the certifying body
Privileged access: IAT Level I: Yes, with valid certification; IAT Level II and III: Yes

Table 4. Training and certification requirements for non-certified personnel (CND-SP and IASAE)

Columns: CND-SP, IASAE.

Training requirement 1 (both): IASO online course
Training requirement 2: CND-SP: GIAC Technical Modules or GIAC Systems and Network Auditor (Army e-Learning
Program); IASAE: CISSP (Army e-Learning Program)
Training requirement 3 (one column): CISSP (Army e-Learning Program)
Training requirement 4: On-the-Job Training skills practical evaluation (except for CNDSPM)
CNSS 4011 certificate: one column
Certification requirement (both): obtain the appropriate certification(s) for this level
Privileged access (both): Yes, if working in a Technical level position

Table 5. Training and certification requirements for certified personnel (CND-SP and IASAE)

Columns: CND-SP, IASAE.

Training requirement 1 (both): IASO online course
Training requirement 3 (one column): On-the-Job Training skills practical evaluation
Certification requirement (both): maintain the certification you hold IAW the standards of the certifying body
Privileged access: CND-SP: Yes; IASAE: Yes, if working in a Technical level position

Network Threats


A network threat is any event that could adversely affect an automated network, network facility, or network
operations. Threats are a potential violation of security.

Network threats must be formally evaluated to consider their potential and impact upon network operations.

@ In order to properly assess a threat, one must understand the threat and its ramifications; will it corrupt data,
will it send information back to the threat agent, or will it deny legitimate users access to a specific service?
@ Defensive measures include: anti-virus software, anti-spyware, intrusion detection systems (IDS), firewalls,
user education, and properly updating operating systems as well as applications.

Objectives of network threats include:

@ Information leakage: information leakage occurs when a supposedly secure system reveals some type of
information to unauthorized parties. For example, when a user sends encrypted information to several
locations, someone sniffing that traffic may not be able to read the information but may be able to
determine the intended recipients.

@ Integrity violation: systems and applications are designed to work in a specified manner. If a hacker can
cause the system or application to do something other than what was intended, then integrity is violated.

@ Denial of Service (DoS): preventing a system from providing resources or services to the intended
authorized clients.

@ Virus: a computer program that copies itself into other programs or files with the intent to cause harm to
the system.

@ Illegitimate use: using a system or its resources to conduct attacks.

Common Network Threat Methods

Masquerading, forging or spoofing
In order to gain an illegitimate advantage, such as bypassing an access control list (ACL) or
maliciously redirecting network traffic, a person or application may masquerade as another. This is done by
falsifying data. Common types of these attacks include IP spoofing, e-mail spoofing, website spoofing, and
MAC spoofing.

Playback or replay
A form of network attack in which a valid transmission, often including authentication data, is fraudulently
replayed by an attacker in the hope of authenticating to a system with the legitimate user's
credentials.
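A receiver-side defence against the replay attack just described, as an added example not taken from the course. The message format, the constructed shared key and the 30-second freshness window are assumptions for illustration; the point it shows is that an authentication tag alone does not stop a captured message from being accepted a second time.

```python
"""Replay-resistant message authentication for a request/response service, as an
added example that is not part of the course text. Message format, constructed
shared key and the 30-second freshness window are assumptions for illustration."""
import hashlib
import hmac
import os
import time

SHARED_KEY = b"constructed-demo-key-do-not-deploy"  # constructed sample key
FRESHNESS_WINDOW = 30  # seconds either side of the receiver's clock


def build_message(payload, key=SHARED_KEY, now=None, nonce=None):
    """Sender: timestamp | nonce | payload | HMAC over everything before the tag."""
    ts = int(time.time() if now is None else now)
    nonce_hex = (nonce if nonce is not None else os.urandom(8)).hex()
    header = f"{ts}|{nonce_hex}|".encode() + payload
    tag = hmac.new(key, header, hashlib.sha256).hexdigest().encode()
    return header + b"|" + tag


class ReplayGuard:
    """Receiver: the HMAC proves a key holder built the message, the timestamp
    bounds how old it may be, and the nonce cache rejects a second copy inside
    that window. With the tag alone a captured logon replays successfully."""

    def __init__(self, key=SHARED_KEY, window=FRESHNESS_WINDOW):
        self.key = key
        self.window = window
        self._seen = {}  # nonce -> message timestamp, pruned once outside the window

    def accept(self, message, now=None):
        """Return (accepted, reason); only accepted messages are acted on."""
        now = time.time() if now is None else now
        try:
            header, tag = message.rsplit(b"|", 1)
            ts_bytes, nonce, payload = header.split(b"|", 2)
            ts = int(ts_bytes)
        except ValueError:
            return False, "malformed"
        expected = hmac.new(self.key, header, hashlib.sha256).hexdigest().encode()
        if not hmac.compare_digest(tag, expected):  # verify before trusting any field
            return False, "bad tag"
        if abs(now - ts) > self.window:
            return False, "stale timestamp"
        # drop nonces that can no longer be replayed, so the cache stays bounded
        self._seen = {n: t for n, t in self._seen.items() if abs(now - t) <= self.window}
        if nonce in self._seen:
            return False, "replayed nonce"
        self._seen[nonce] = ts
        return True, "ok"


if __name__ == "__main__":
    guard = ReplayGuard()
    captured = build_message(b"LOGIN alice", now=1000, nonce=b"\x01" * 8)
    print(guard.accept(captured, now=1005))  # (True, 'ok')
    print(guard.accept(captured, now=1010))  # (False, 'replayed nonce')
    print(guard.accept(captured, now=2000))  # (False, 'stale timestamp')
```

The second call is the replay: the tag is still valid and the timestamp is still fresh, so only the nonce cache stops it. A receiver that checks the timestamp but keeps no state accepts every replay for the whole window, which is why the window should be as short as clock skew allows.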

Bypassing security controls
Normal security controls range from basic user authentication to complex firewalls on the network. Identification
can be faked and a firewall may be bypassed. Backdoors, Trojan horses, and even rootkits are often used to
bypass security controls.

Authorization violations or misuse of authority
Insiders are a major area of concern to network security. According to the 2008 Computer Crime & Security
Survey, “insider abuse of networks was the second-most frequently occurring (incident), at 44 percent.”

Eavesdropping
Eavesdropping can occur on a network, over a telephone, or even within a social gathering. An unauthorized sniffer
running on a network can eavesdrop and gather data. Telephone bugs have been used for years to
eavesdrop on conversations. People have gained valuable information by listening to conversations at social
gatherings.

Network Attacks
The main intent of many network attacks is to cause a Denial of Service (DoS). Common DoS attacks
include: SYN floods, ICMP floods, smurf attacks, teardrop attacks, and the land attack.

Traffic analysis / network scanning
“Traffic analysis is the process of intercepting and examining messages in order to deduce information from
patterns in communication. It can be performed even when the messages are encrypted and cannot be
decrypted. In general, the greater the number of messages observed, or even intercepted and stored, the
more can be inferred from the traffic.”

War dialing
War dialing is a specialized technique that uses a modem to detect potential access points into a network,
usually a computer or fax machine, by calling a predetermined list of phone numbers. The war dialer calls
each number and notes any that are answered by a modem or fax machine. These modems and fax machines
give the hacker a possible way of bypassing the firewall in an attempt to access the network.

War driving
War driving is the process of searching for wireless local area networks by driving through an area with a
portable computer or similar device. By conducting war driving, a user may be able to gain unauthorized
access to a network. The reasons for gaining this access range from the malicious, such as using the network
as a platform for launching attacks, to simply gaining access to the internet free of charge.

Malware (aka Malicious code)
"Malware is short for malicious software and is typically used as a catch-all term to refer to any software
designed to cause damage to a single computer, server, or computer network, whether it's a virus, spyware,
et al." As such, malware can take many different forms: viruses, worms, rootkits, trojan-horses, spyware,
and certain types of adware. Generally malware is designed to corrupt, alter, destroy, or distribute information,
or to cause disruption of the network or system.

Backdoors
A backdoor is a means or method to covertly bypass normal authentication in order to establish remote
access to a system. A backdoor can be a specialized program, such as Back Orifice, or the unauthorized
modification of a legitimate program. A recent example is the Sony rootkit backdoor in late 2005, which
installed itself on a Windows system when a Sony music CD was played.

Media scavenging
Media scavenging describes the process of trying to obtain or in some cases recover sensitive information
from floppy disks, thumb-drives, CD-Roms, hard drives or tapes that have often been erased or discarded.
All too often these "erased" or "destroyed" types of media still contain data that can be beneficial to
unauthorized personnel.

Dumpster diving
Dumpster diving is the process of sifting through trash to obtain information. Sources of information include:
old passwords, system architecture, network diagrams, employee lists containing name and numbers, and
discarded manuals.

Social engineering
Social engineering is another method used to gain unauthorized access to a network. Social engineering
exploits people into revealing sensitive information or to carry out specific actions. Social engineering can be
a very effective tool as it relies upon human weaknesses and frailties. Humans are prime targets for
information gathering, so much so that humans are commonly referred to as the weakest link in computer
security. Kevin Mitnick, one of the most infamous of all hackers, routinely relied upon this method.

Phishing
"Phishing is the criminally fraudulent process of attempting to acquire sensitive information such as
usernames, passwords and credit card details by masquerading as a trustworthy entity in an electronic
communication." Two common email messages are: "We suspect an unauthorized transaction on your
account. To ensure that your account is not compromised, please click the link below and confirm your
identity." "During our regular verification of accounts, we couldn't verify your information. Please click here to
update and verify your information."

Pharming
Pharming is an attack that redirects traffic from one website to another, usually owned by a hacker. This can
be done either by changing the hosts file on the target system or by changing the entries in DNS (DNS
Attack). Antivirus and spyware detection software cannot detect or protect against pharming.

Pre-hacking Phases

There are several phases or steps that an attacker will follow to accomplish their objectives. This portion of the
module will examine the first three phases, known as the pre-hacking phases. These phases are foot-printing,
scanning and enumeration.

Foot-printing

Foot-printing, also referred to as reconnaissance, is the phase where the attacker will create a profile of the target by
gathering specific information about the target. Much of this information is often in the public domain and can be
found by a simple search of the internet. A company's own web page can be a great source of information: employee
names, E-mail addresses, and information on technologies in use at the company. Other information may be learned
from social engineering attacks. At this point, the attacker does not access the system. The following are a few
examples of the types of information the attacker is seeking:

@ Employee names
@ Phone numbers
@ IP address ranges
@ DNS servers
@ Mail servers
@ Information concerning the software and hardware used by the company
@ Domain names
@ The availability and type of remote access

Scanning

Scanning is the second pre-hacking phase, which may also be known as probing. The attacker now begins to probe
the perimeter of the target for potential weaknesses. The attacker is trying to determine which systems are live, what
services or applications the target is providing, machine names, and software version numbers. This information will
then be compared against known vulnerabilities for future exploitation. Tools used during this phase include Ping
Sweeps, Port Scans and Automated Discovery Tools.

Ping Sweeps - A ping sweep, also known as an ICMP query, is a technique of sending ping (ICMP ECHO request)
packets to a specific IP address range to map live hosts. A live host will return a reply (ICMP ECHO reply) to the
ping sweeper, which then uses the replies to create a map of the network.


Port Scans - The purpose of port scanning is to scan for open TCP and UDP ports. By determining which ports are
open, the attacker can identify which services are running. Any service or open port may provide the attacker an entry
point. Furthermore, port scanning can help determine the specific type of operating system on the target computer.
Listed below are a few ports and their corresponding services:

@ Port 21 = File Transfer Protocol (FTP) service
@ Port 23 = Telnet service
@ Port 25 = Simple Mail Transfer Protocol (SMTP) service
@ Port 80 = Hyper Text Transfer Protocol (HTTP) service
@ Port 443 = Hyper Text Transfer Protocol Secure (HTTPS) service
@ Ports 135, 137-139, 445 = NetBIOS ports used by the Microsoft operating system

Automated Discovery Tools - Automated discovery tools are utilized to determine the type of operating system on
the target system. As there are many differences in the IP stack implementations across vendors, the attacker is able
to use these differences to determine the target's operating system.
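As an added example (not part of the course material), the following Python code looks at the scanning phase from the defender's side: it reads constructed firewall log lines and flags a source that probes many distinct ports on one host (a port scan) or sends ICMP echo requests to many hosts (a ping sweep). The log format, addresses and thresholds are assumptions made for this example.

```python
import re
from collections import defaultdict
from dataclasses import dataclass

# Assumed firewall log format (constructed for this example, not a real vendor format):
#   "<date> <time> <ALLOW|DENY> src=<ip> dst=<ip> proto=<TCP|UDP|ICMP> [dport=<n>] [type=<n>]"
LOG_RE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<action>ALLOW|DENY) src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+) "
    r"proto=(?P<proto>TCP|UDP|ICMP)(?: dport=(?P<dport>\d+))?(?: type=(?P<itype>\d+))?$"
)


@dataclass(frozen=True)
class Finding:
    kind: str    # "port_scan" or "ping_sweep"
    src: str     # the scanning source address
    detail: str  # human-readable evidence


def parse_log(lines):
    """Return one dict per well-formed line; malformed lines are skipped."""
    events = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if m:
            events.append(m.groupdict())
    return events


def detect_scans(lines, port_threshold=5, sweep_threshold=4):
    """Flag port scans (many distinct ports on one src->dst pair) and ping
    sweeps (ICMP echo requests, type 8, from one src to many hosts)."""
    ports_by_pair = defaultdict(set)        # (src, dst) -> {dport, ...}
    echo_targets_by_src = defaultdict(set)  # src -> {dst, ...}
    for ev in parse_log(lines):
        if ev["proto"] in ("TCP", "UDP") and ev["dport"] is not None:
            ports_by_pair[(ev["src"], ev["dst"])].add(int(ev["dport"]))
        elif ev["proto"] == "ICMP" and ev["itype"] == "8":
            echo_targets_by_src[ev["src"]].add(ev["dst"])

    findings = []
    for (src, dst), ports in sorted(ports_by_pair.items()):
        if len(ports) >= port_threshold:
            findings.append(Finding("port_scan", src,
                                    f"{len(ports)} distinct ports on {dst}: {sorted(ports)}"))
    for src, hosts in sorted(echo_targets_by_src.items()):
        if len(hosts) >= sweep_threshold:
            findings.append(Finding("ping_sweep", src,
                                    f"ICMP echo requests to {len(hosts)} hosts: {sorted(hosts)}"))
    return findings


# Constructed sample: 10.0.0.5 pings four hosts, then probes the well-known
# ports listed above on 10.0.1.7; 10.0.0.9 is an ordinary web client.
SAMPLE_LOG = [
    "2009-03-02 10:15:01 ALLOW src=10.0.0.5 dst=10.0.1.1 proto=ICMP type=8",
    "2009-03-02 10:15:01 ALLOW src=10.0.0.5 dst=10.0.1.2 proto=ICMP type=8",
    "2009-03-02 10:15:02 ALLOW src=10.0.0.5 dst=10.0.1.3 proto=ICMP type=8",
    "2009-03-02 10:15:02 ALLOW src=10.0.0.5 dst=10.0.1.7 proto=ICMP type=8",
    "2009-03-02 10:15:02 ALLOW src=10.0.1.7 dst=10.0.0.5 proto=ICMP type=0",  # echo reply, ignored
    "2009-03-02 10:15:10 DENY src=10.0.0.5 dst=10.0.1.7 proto=TCP dport=21",
    "2009-03-02 10:15:10 DENY src=10.0.0.5 dst=10.0.1.7 proto=TCP dport=23",
    "2009-03-02 10:15:10 DENY src=10.0.0.5 dst=10.0.1.7 proto=TCP dport=25",
    "2009-03-02 10:15:11 ALLOW src=10.0.0.5 dst=10.0.1.7 proto=TCP dport=80",
    "2009-03-02 10:15:11 ALLOW src=10.0.0.5 dst=10.0.1.7 proto=TCP dport=443",
    "2009-03-02 10:15:11 DENY src=10.0.0.5 dst=10.0.1.7 proto=TCP dport=445",
    "2009-03-02 10:16:00 ALLOW src=10.0.0.9 dst=10.0.1.7 proto=TCP dport=80",
    "2009-03-02 10:16:01 ALLOW src=10.0.0.9 dst=10.0.1.7 proto=TCP dport=443",
    "this line is malformed and is skipped",
]

if __name__ == "__main__":
    for f in detect_scans(SAMPLE_LOG):
        print(f"{f.kind:10} from {f.src}: {f.detail}")
```

Thresholds that are too low will flag ordinary clients that talk to several services on one server, so tune them against a baseline of normal traffic.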

Enumeration

Enumeration is the first pre-hacking phase that carries real risk for the attacker, because active connections are
now being made to the target system as the attacker gains a toehold into the system. Information gathered by
enumeration can be grouped as:

@ Network Resources and Shares
@ Users and Groups
@ Applications and Banners

Threat

Before diving into what Malware is, it is important to have a basic understanding of a threat. As defined by AR 25-2, a
threat is the capabilities, intentions, and attack methods of adversaries to exploit, damage, or alter information or an
information system. In other words, a threat is the potential to cause harm. While a hurricane is an example of an
environment-based threat, software viruses or software worms would be computer-based threats.

Threat Agent

While a threat is merely the potential to cause harm to a system, a threat agent is the specific entity used to cause
the harm. A threat agent is what exploits a vulnerability in a system, operation, or facility. While an example of a
threat would be a worm, an example of a threat agent would be the Code Red worm, which was designed to disrupt
White House web services.

Vulnerabilities

An operating system can be described as a collection of programs that concurrently provide services to one or more
end users. Those programs may not be completely bug-free. The flaws in a computing system are vulnerabilities that
can be exploited by attackers.

One of the ways we can help protect our systems is to keep the systems thoroughly patched through hotfixes and
service packs. Effective patch management is sort of like the spackling for the cracks in our defensive walls. There
exists a history of threat agents successfully exploiting unpatched systems simply because the system administrators
failed to practice due diligence and due care. A vendor's patch was available for the system and the system
administrator failed to apply the patch. They failed to perform their duties as system administrators. This type of
dereliction of duty has occurred within the government, in hospitals, in the banking industry, and most of all, within the
home.

Sometimes a flaw exists in a system and the vendor does not know of the flaw so a patch is unavailable. An attacker
may have discovered the flaw and, without notifying the vendor, exploits the vulnerability. This is referred to as a
Zero-Day attack. This is one of the many reasons why network firewalls and Intrusion Detection Systems are so
important.

Malware

Malware is an acronym that stands for MALicious softWARE and it comes in many forms. Generally speaking,
Malware is software code or snippets of code that is designed with malice in mind and usually performs undesirable
actions on a host system. Though Malware is often referred to in a broad sense, there are subcategories within
Malware such as Spyware, Adware, and Phishing.

Goals of Malware

One of the primary goals of Malware is to achieve stealth. Malware will likely be delivered to a host machine in
masked fashion and it will be designed to remain camouflaged during its stay. The Malware could be completely
hidden as may be the case with a Rootkit, or it could be masked well enough to deceive an inadequately trained user.
Usually third party software, such as anti-virus software, is needed to reveal the existence of Malware.

Another common goal of Malware is platform independence. Malware authors would like to see their work
infect indiscriminately by attacking all possible operating system platforms. The Malware author would determine
what is common amongst the targets of interest and devise code that exploits their commonality. For instance, all
major operating systems have at least one program that handles email (SMTP) or web (HTTP) traffic. Thus, email
attachments are quite commonly infected in today's computing world. Sometimes spyware is unknowingly installed as
a web browser toolbar by Social Engineering the user into believing that it will aid in web searches. Of course, the
embedded spyware may provide additional search results, but in the background it is capturing every key pressed on
the keyboard and every website to which you navigate.

Yet another primary goal of Malware is achieving maximum propagation. Not only does Malware intend to infect large
quantities and as many types of platforms as it possibly can, but it also wants to exhaust the possible ways it can get
from one platform to the remaining computing world. Malware will try to propagate by email, network folder shares,
third party file sharing programs (especially mp3 file sharing programs), chat programs, Internet Relay Chat (IRC),
and installation processes, to name just a few. Simply said, Malware isn't just limited to email attachments.

The last major goal of Malware is to survive. As a community, Malware can disperse to as many targets as possible
to continue its lineage. Yet, as one specific entity, it can copy itself numerous times and in numerous locations within
a system. It knows how to clone.

Viruses

The most notorious form of Malware is the virus; it seems to gain the most headlines due to its damaging payload.
Viruses are actively aggressive in nature; they attack a file within the computer system and inject their payload into
the host. The infected host file is then turned into a malicious file.

There are three basic types of viruses: "boot-sector", "file-infector", and the "macro-virus". A boot-sector virus resides
in the boot sector of the storage medium (i.e. hard disk, flash media, or floppy disk) and is run each time the storage
device is instantiated. A file-infector virus is code that attacks and takes over a file, such as an executable. This may
or may not keep the original host file from performing its intended services, depending upon where the malicious code
was written. A macro-virus is malicious code embedded in a macro-enabled file, such as a Microsoft Word or Microsoft
Excel document, that uses a scripting engine like VBScript or JavaScript.

In the early 1980's a virus would commonly arrive within a program's installation disk such as the installation disk for
a computer game. The virus would place itself in the boot sector of the boot disk so that every time the computer was
booted the virus would be loaded into memory. The boot disk's boot sector is an area not fully revealed to the end
user even with modern operating systems. This boot area is thus a hiding place for malware.

Today, a virus is more likely to arrive via an email attachment (but is in no way limited to just email). An unsuspecting
user would instantiate the virus by opening the email attachment. Usually the very first action the virus takes is to
replicate itself. Soon after copying itself it would attack its intended target, inject its programmed payload, and
continue with any other actions the virus would be programmed to do (like delete files). These actions would occur
unknowingly to the user (or at least until it was too late). A virus might set the infected file's attributes to "hidden" or to
"system". Most Windows NT platforms have default folder view settings that do not show files to the user that are
labeled as a system file or are marked as hidden. The virus would thus be hidden from the end user. Some viruses
are even programmed to shut down anti-virus services. These are all actions designed to establish covertness,
maintain covertness, and avoid extinction. Ironically, the same security concepts that we employ as security officers
are often employed by malware authors.

File-infector viruses will inject themselves into the target by using one of three techniques. The first technique is to
overwrite the target's code with its own code. In the Microsoft Windows world this is commonly done to executable
files such as a file that ends with ".exe" or ".com". Another technique is to prepend the malicious snippet of code at
the beginning of a file. This can be a bit tricky because of the potential to damage the file's header area that contains
important variables and file structure. Damaging this area could cause system errors and error messages to be
displayed to the end user thus disclosing system abnormality to the end user. The last technique is to append the
malicious snippet of code to the end of the file. This would preserve the vital file header, allow the file to perform its
functions, and transfer control to the malicious code within the infected file.

A macro virus is the most common form of virus today. The macro virus would use a scripting language such as
Visual Basic Script ("vbscript") embedded inside a Microsoft Office document to perform the viral work. An example of
a macro virus would be the Melissa virus that targeted Microsoft Office 97 and Microsoft Office 2000 Word
documents and arrived as an email attachment. The email would have a subject line of "important message from".
When a user opened the attachment, the virus immediately copied itself, searched for the first 50 email addresses it
could find, and then emailed itself to those 50 contacts. Not only did the Melissa virus attempt to survive by copying
its code to a local file and dispersing itself to 50 other targets through email, but it would also lower the Microsoft
Office security settings so that it would be easier to compromise the computer system in the future. When all those
tasks were completed it would attack the host file "Normal.dot", the default template for Microsoft Word, and inject its
code. Every time the user opened any Microsoft Word document they ran the virus.

Another form of Malware is a worm. A worm is stand-alone software that does not require a host file to propagate. It
doesn't even require human interaction; the computer merely needs to be turned on with its services running. While a
virus is actively aggressive, a worm is passively aggressive. While a virus is primarily programmed to destroy
resources, a worm is primarily designed to saturate system resources, such as processor bandwidth, network
throughput, available memory, or hard drive space. While a virus attacks at the file-level, the worm attacks at the
system-level, usually by exploiting a buffer overflow in the software (poorly written software code). You will
sometimes hear a worm referred to as a mass-mailing worm because some worms have the ability to email
themselves (they have their own SMTP engine). Some notable worms are Love Bug, Code Red, Nimda, Blaster, and
Sasser. The extreme majority of these worms simply exploited poorly written operating system code and did not
require human interaction to cause harm. The end user did not need to be logged onto the computer; simply having
the computer energized was sufficient.
It is unwise for a worm author to have the victimized system crash because this would impede the ability of the worm
to saturate the system or control the system enough so that it may find other systems to attack. Ultimately what the
worm author desires is a Denial of Service. The victimized system is running but is unable to process work on behalf
of legitimate users. The victimized system might be a website that no longer responds in a timely fashion.

Many worms use speed algorithms so that they can spread across the internet quicker or they take advantage of
protocols designed to deliver traffic quickly. Nimda and the 2004 MyDoom variants used speed to saturate the
internet. Nimda achieved peak propagation within 22 minutes and MyDoom, at its zenith, propagated so efficiently
that it was determined that for every 5 emails being sent throughout the world at least one contained MyDoom as an
attachment. Also, it is more advantageous for worms to operate over UDP than TCP because of TCP's time-
consuming three-way handshake. UDP offers a fire-and-forget capability that is attractive to worm authors. TCP, on
the other hand, requires some administrative overhead by synchronizing the sequence numbers within the packets.
TCP would slow up the Malware propagation.

Trojan Horses

Another subcategory of Malware is the Trojan Horse. The term can be traced back to ancient Greece, when the
Greeks offered a large wooden horse to the well fortified Trojans of Troy. During the night while the Trojan soldiers
slept, Greek soldiers climbed out of the wooden horse and opened the Trojan gate to let the Greek army inside the
walls. Thus, a Trojan Horse is a program that appears to be legitimate but clandestinely has malicious intent.

Trojan Horses usually require user interaction to be installed on a user's system. The installation process is
predominantly conjoined with Social Engineering in which the end user is enticed to install the Malware onto the
system. The Trojan Horse may have a benign nomenclature (but malignant payload) or may present itself as an
interesting screen saver to be downloaded from a website (but turns out to be a keystroke logger that keeps track of
every pressed key on the keyboard). A Trojan Horse is usually used as an aid to other types of malware (such as
backdoors), necessitates Social Engineering to entice the user to act, and appears to be a legitimate program.

Backdoors

A backdoor is software that bypasses the established authentication process to allow access to a system. It became
popularized by the movie "Wargames" starring Matthew Broderick in which a software engineer had purposely
programmed a backdoor into a government super system in case the programmer ever needed an alternate method
of obtaining access to the system.

As in the movie, real-world programmers do write backdoors into their code to bypass normal authentication
channels. This offers programmers easier, swifter access to their code for debugging and code creation. However,
due to looming deadlines, laziness, or a lack of attention to detail, the backdoors don't always get removed.

Backdoors can be purposely built by computer crackers to gain access to your computer and often are used in
conjunction with Trojan Horses. Backdoors can be built by legitimate companies for legitimate purposes such as
remote system administration. A handful of synonyms exist for the term "backdoor", such as RATs (Remote Access
Trojans), trapdoors, maintenance hooks, or illicit servers. To elaborate on the term's definition, let's say the United
States Army has a policy in place that requires everyone to use a Smart Card (CAC) to log onto a system (this
establishes the traditional authentication process). However, an administrator installed a service that allows them to
log onto the computer remotely without using a Smart Card. The administrator has put in place a means to bypass
the traditional authentication process, thus violating the organizational security policy.

Rootkits

The rootkit's origin story begins with the UNIX operating system. The most powerful user account on a UNIX
machine is called "root" and is analogous to the Windows administrator account. The goal of a rootkit is to gain the
same kind of control that can be accessed by the root account. Rootkits are software components designed to gain
access to root privileges (administrator access) and maintain that access. A rootkit could be one program, but more
often it is multiple programs working together; hence the second part of the term, "kit". One or more of the programs
are designed to subvert the security features of the operating system, other programs will manipulate the system logs
so the attacker can hide their work, and other programs assist the attacker so that if the system gets rebooted the
controlling Malware will still run.
The ultimate target is the system kernel so that complete access to the system can be achieved. The system kernel is
part of the Trusted Computing Base and once this part of the operating system is compromised, the attacker can act
at will. With an installed rootkit, an attacker not only has complete control of the system but has the necessary
capabilities to hide their Malware from the operating system and security specialists alike. It is not uncommon to see
Social Engineering, Trojan Horses, Backdoors, and rootkits all working together to compromise a system.

Antivirus

Antivirus software is a common countermeasure to neutralize the Malware threats mentioned thus far. Antivirus
software is primarily signature-based, meaning it is a reactive program and not a proactive program. A threat agent
must be created first, then a signature of the threat agent can be created. The threat agent would have a fingerprint
(or key behavioral pattern) and the fingerprint would be the basis of the signature.

Generally, an antivirus engine works by comparing what is happening in a system to a predefined list of specific
actions. If the action being observed correlates to the key behavioral pattern of the Melissa Virus, then it flags the
offending program as the Melissa Virus. If somehow the Melissa Virus were able to change its own behavior only
slightly, then the antivirus would not flag it as Malware. This is how Malware authors are able to get around antivirus
engines; they change the behavior of the Malware. It is extremely important to keep your antivirus updated.

Some antivirus engines will also use some limited form of heuristics, a method of looking for general system
abnormalities. For example, if a program attempted to alter a sensitive portion of the system then the antivirus
program would quarantine the offending program. If a program tries to write to the boot sector the antivirus may stop
the action because it believes it is some kind of boot sector virus; or if a program tried to modify the system registry
the antivirus engine would alert the user. Also, some antivirus engines will have integrity checking built into them.
They will have a hash or checksum of a file and if the file has been altered in some unauthorized way, it will retrieve
a cached version to replace the altered file.

Changing the signature of the Malware is key to defeating signature-based systems. Malware authors have come up
with some simple, yet clever, ways to mask the identity of their Malware.

One way is to create generations of the Malware such as the case of MyDoom. The original MyDoom performed a
Distributed Denial of Service attack on the SCO website but later, slight variants were created that changed the
behavior of MyDoom so that it attacked other websites as well. The change in behavior made the antivirus ineffective
in identifying the Malware. While the antivirus engine successfully identified MyDoom.A it did not recognize
MyDoom.B or MyDoom.C. Antivirus companies had to stay diligent and come up with new signatures for the modified
Malware. Administrators who failed to keep the antivirus signatures updated were compromised.

Another way for Malware authors to bypass antivirus is by practicing metamorphic or polymorphic coding practices.
Metamorphic means the code is programmed to change, thus changing the functionality of the malware. Sometimes
a virus or a worm is labeled as being a metamorphic virus, meaning that the virus behaves one way for about a week
but the next week it behaves entirely differently. Polymorphic means, once again, the code changes but the
functionality stays the same. In other words, a polymorphic virus would behave one way, then its code changes the
next week but continues to behave just as before.

An alarming trend by the malware authors is to encrypt the malware. Encryption provides a means to scramble the
signature each time the malware is propagated. Though it can be more difficult for the malware author to manage the
distribution of the malware, it is a highly effective way to neutralize safeguards that are based upon signatures. This
behavior was evidenced in the Conficker worm and proved to be difficult to eradicate.
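The contrast drawn above between signature matching and integrity checking, and the point that even a small change to the Malware's bytes defeats a fixed signature, can be shown with a small Python example. This is added illustration, not code from the course or from any antivirus product; the signatures, file names and file contents are constructed toy values held in memory.

```python
import hashlib

# Toy byte-pattern signatures standing in for a vendor's signature database.
# Constructed for this example; these are not real malware signatures.
SIGNATURES = {
    "Toy.Macro.A": b"MACRO-PAYLOAD-V1",
    "Toy.Worm.B": b"WORM-SPREAD-V1",
}


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def signature_scan(files: dict, signatures: dict = SIGNATURES) -> dict:
    """Reactive check: map each file name to the signature names found in it.
    A variant whose bytes differ from the pattern, even slightly, is missed."""
    hits = {}
    for name, data in files.items():
        matched = sorted(sig for sig, pattern in signatures.items() if pattern in data)
        if matched:
            hits[name] = matched
    return hits


def build_baseline(files: dict) -> dict:
    """Record a hash of every known-good file (the integrity baseline)."""
    return {name: sha256_hex(data) for name, data in files.items()}


def integrity_check(baseline: dict, files: dict) -> dict:
    """Compare the current files with the baseline; no signature is needed."""
    altered = sorted(n for n in baseline if n in files and sha256_hex(files[n]) != baseline[n])
    missing = sorted(n for n in baseline if n not in files)
    added = sorted(n for n in files if n not in baseline)
    return {"altered": altered, "missing": missing, "added": added}


def restore_altered(files: dict, cache: dict, report: dict) -> dict:
    """Replace altered files from cached known-good copies, as the text describes."""
    repaired = dict(files)
    for name in report["altered"]:
        if name in cache:
            repaired[name] = cache[name]
    return repaired


# Constructed "file system": a clean Word template plus a clean executable.
CLEAN_FILES = {
    "Normal.dot": b"template header|macros: none|",
    "editor.exe": b"MZ header|program code|",
}
BASELINE = build_baseline(CLEAN_FILES)

# Two later states of the same files: one where a known pattern was appended to
# the template (caught by the signature), one where a variant differing by a
# single byte was appended (missed by the signature, caught by the baseline).
INFECTED_KNOWN = {**CLEAN_FILES, "Normal.dot": CLEAN_FILES["Normal.dot"] + b"MACRO-PAYLOAD-V1"}
INFECTED_VARIANT = {**CLEAN_FILES, "Normal.dot": CLEAN_FILES["Normal.dot"] + b"MACRO-PAYLOAD-V2",
                    "dropper.tmp": b"unexpected new file"}

if __name__ == "__main__":
    print("signature hits, known   :", signature_scan(INFECTED_KNOWN))
    print("signature hits, variant :", signature_scan(INFECTED_VARIANT))
    report = integrity_check(BASELINE, INFECTED_VARIANT)
    print("integrity report        :", report)
    repaired = restore_altered(INFECTED_VARIANT, CLEAN_FILES, report)
    print("after restore           :", integrity_check(BASELINE, repaired))
```

The baseline only helps if it was taken from a known-good state and is stored where the Malware cannot rewrite it, which is why the text pairs integrity checking with keeping signatures current rather than relying on either alone.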

One last term to take note of is Multipartite Malware. Today's Malware more often displays characteristics that borrow
from the virus definition, and also the worm definition, and perhaps some other category. Just like modern warfare
weapons, Multipartite Malware has multiple capabilities. Perhaps it attacks at the file-level and injects its payload like
a virus, but it also opens up a networking port like a backdoor to bypass the system's authentication process.

In practicing a Defense in Depth philosophy it may prove beneficial to deploy two competing Antivirus engines within
the overall Information System. Not one single antivirus program will recognize all possible Malware all the time.
Installing two or more antivirus engines on the same computer is not a good idea so install them on different systems
with different roles. For example, one particular Antivirus product could be installed on the clients and an alternative
Antivirus product could be deployed on the server (for instance the email server). With two different antivirus engines
on the network one antivirus engine will scan for Malware as email reaches the server, the other antivirus engine will
scan for malware when it reaches the client.

Spyware

A subcategory of Malware is Spyware (SPY softWARE). Spyware is an independent executable program that covertly
gathers information about a user and reports that information to a third party. Spyware has the ability to monitor key
strokes, web-surfing habits, retrieve credit card information, change web browser settings, and capture screen
snapshots of the user's display. Examples of Spyware are Bargain Buddy and Gator software. Spyware has been a
tool to support identity theft. Spyware can be installed through Social Engineering practices (trickery), Trojan Horses,
or simply by a lazy end user who fails to read the End User Licensing Agreement that states the software is going to
record everything you do for the rest of your life ("..click OK to accept").

As of this typing, spyware software has been in decline but is still a viable threat and should not be ignored. Besides
the potential disclosure of sensitive information, spyware can also exhaust network throughput, memory, and
processor bandwidth causing an overall reduction in system availability to the authorized end user.

Adware

Usually working in conjunction with Spyware is Adware (ADvertising softWARE). Adware is any software application
that requires the displaying of advertisements for the application to run properly. Some Internet Service Providers
offer free or cheap internet service in exchange for displaying advertisement banners on the user's web browser.
Some shareware and freeware email programs are offered to users in exchange for the right to display
advertisements while the program is open. The problem with adware is it becomes a distraction to the end user and
exhausts system resources like network bandwidth and memory.

Antispyware

Antispyware is the countermeasure to neutralize Spyware and Adware. A popular Antispyware product is Windows
Defender by Microsoft. Most major Antivirus providers are bundling Antispyware technology, Antivirus technology,
and Personal Firewall technology and labeling it a protection suite.

Phishing

Phishing is the act of impersonating a legitimate organization in an attempt to scam a user out of their identity
credentials. This is most commonly done by sending bogus emails that entice a user to give up their bank account
information, email address (to confirm that the user's email address truly exists), or simply to retrieve usernames and
passwords.

Phishing relies heavily on Social Engineering. Online banking customers have been victims of Phishing scams that
used emails to scam user credentials. The email would state something to the effect of the user's account had been
suspended due to abnormal account behavior. There would be a place to type in your bank account number, PIN, or
email address to unlock the account. In reality the account had never been suspended, but by typing personal
information the criminals are able to access the victim's account. Sadly, a life's savings that took decades to
accumulate would disappear at the speed of light.

Summary

The effects of Malware often result in decreased system performance, unexplained system errors, unusual system
behavior, or unauthorized access (to name just a few). While patch management, Antivirus software, and
Antispyware software can be effective tools to neutralize the threats, a strong, continued commitment to training
end-users will help mitigate Malware, Spyware, and Phishing attempts by reducing the effects of Social Engineering
attacks.

Physical Security

As an Information Assurance Security Officer, AR 380-5 and AR 25-2 are sources that will provide us with physical
security guidance. Additionally, Department of Defense 5200.01 is mandatory reading which explains information
security requirements. However, for more detailed information regarding building requirements, construction
materials, etc., AR 190-13 and AR 190-16 provide detailed physical security information. These regulations are going
to be outside of the scope of the Information Assurance Security Officer training, but they are regulations that should
be reviewed when you get the chance.

Physical security is the anchor that supports information security. Without sound physical security there could be no
information security. Information security seeks information confidentiality, information integrity, and information
availability. This is sometimes referred to as the CIA triad.

Information confidentiality seeks to reveal the meaning of data only to those persons who are authorized. The
opposite of information confidentiality is disclosure. The goal of information integrity is to verify the trustworthiness of
the information, checking for unauthorized modifications. The opposite of information integrity would be tampering.
Information availability seeks to ensure resources are made available to authorized users on a timely basis. The
opposite of information availability would be disruption.

Classified information must be protected at all times, either by storing the materials in an approved security container,
keeping them within a secure facility, or maintaining positive control of the materials in person. Everyone who has been
granted access to classified information is responsible for protecting those materials. An End-of-Day Security Check
must be conducted to verify that all safes, storage areas, and devices have been secured. This activity is to be
documented on Standard Form 701.

Access Control

Server rooms should have access control devices in place to maintain positive control of the room. Access controls
can come in many forms, but they all have the goal of authentication. Authentication is the means of proving a person
is who they claim to be. Authentication is based on one or more of the following factors:

1. Something you know
2. Something you have
3. Something you are

  
Something You Know

Authentication based on secret knowledge could be in the form of a password, a PIN, or a cipher-lock combination,
just to name a few. When entering the secret into the system it is important to be leery of people looking over your
shoulder (shoulder surfing). To harden cipher-lock systems, install a covering over the keypad so that hand and
finger movements are masked from casual viewers. Additionally, electronic cipher locks can be placed away from the
door and at customizable heights to help reduce the chances of shoulder surfing. Remember to regularly clean the
cipher-lock keys and keep them free of grease, dirt, or other markings so that wear does not reveal the keys used in
the combination.

When using cipher locked, automatic doors, be leery of piggybacking in which unauthorized personnel enter a
sensitive room by following you through the entrance before the door closes. As an added layer of security, personnel
who are already inside a controlled room have the responsibility of ensuring that unauthorized personnel never gain
entry. If you are ever in doubt about a person, ask to see their credentials.

Combinations to cipher locks and safes should be set so that they have no personal meaning to the persons involved.
For example, the combination should not be set to anyone's birthday. The combination will be changed whenever the
lock is initially put into service, whenever someone no longer has the need to know, and whenever the lock is taken
out of service. When not in service, combination locks will be set to 10-20-30 and built-in combination locks (to safes
or vaults) shall be set to 50-25-50.

  
Something You Have

Authentication based on what a person has could be in the form of a smart token such as a magnetically striped card
or an RFID card. The Common Access Card (CAC) is a smart card that supports authentication based on something
a person has (additionally it supports multifactor authentication because it requires you to know a PIN as well). A key
to a padlock is one of the simplest examples of authentication based upon something a person has.

An example of how a simple key system can be administered is as follows. A finite number of keys are created and
each key is tracked. A list of users who have been granted permission to use a specific key is maintained. In an effort
to add another layer of defense, all keys could be secured in a lock box with two people designated as custodians.
When a server room key is needed, a lock box custodian verifies the user's credentials, opens the box, and retrieves
the appropriate key. Furthermore, the event could be noted in an official log. This type of system is based on
something the user has (the key). The key gives the user access to the equipment room or the server room.

When the padlock is unlocked, it is a good idea to lock the padlock to the hasp and keep the key on your person
while the room is in an open condition. This prevents unauthorized personnel from gaining access by spoofing
(reproducing) the key after obtaining the original padlock or the original key.

Something You Are

Authentication based on the person is biometrics. Examples of biometrics are iris scans, retinal scans, handprints,
hand geometry, and facial scans. We will go over a few of the biometric systems available on the market, but our
review will not be exhaustive.

A biometric system is best used in conjunction with another authentication system to form a multifactor authentication
system. Some of the more complex and expensive access control systems implemented in today¶s computing
environments employ some form of biometric system. A unique characteristic of a person is used for the
authentication. The sample cannot be mistaken for someone else; it must have an unambiguous 1:1 relationship.
Also, the biometric sample should be something difficult to reproduce (spoof) so that no one else is able to
impersonate you.

Ideally, the biometric sample would be something unlikely to change. Another sample taken five years later would still
effectively identify the same person. Lastly, the biometric system needs to be non-invasive to the end user. The end
user must be willing to accept the biometric system; it must be appropriate for the situation and operate without harm
to the end user.

Biometric information is a privacy concern. Although normally the biometric data in itself is unclassified, it still needs
to be protected as Personally Identifiable Information (PII). A plethora of federal regulations exist that require proper
safeguarding of an individual¶s biometric information. An intruder would be highly interested in the database that
stores biometric samples.

Hand Geometry

Hand Geometry devices record a digital sample of the entire hand. It records how long the hand and fingers are as
well as how wide. The device is usually large and expensive, making it difficult to transport (imagine a USB-enabled
hand reader you had to lug through the airport). Hand Geometry mechanisms are often relegated to stationary
devices making them ideal for server rooms, data centers, data vaults, and the like. This type of device is
inappropriate for environments that mandate the wearing of gloves.

Fingerprints

These devices record a sample of the unique ridges or swirls that can be found on the thumb, fingers, or throughout
the hand. Today's Common Access Cards are assigned to us through the sampling of a thumbprint. Also, most major
U.S. airports have lockers that require a fingerprint before they can be used. A problem with fingerprints is that they
can be reproduced. For example, as you take a drink from a glass a fingerprint is left behind. That fingerprint can be
lifted from the glass using something as simple as gummy worm candy. The fingerprint device would then authenticate
the intruder as authorized personnel, granting them the same access that has been granted to you. Worse yet, you
cannot easily change a compromised fingerprint.

This type of biometric, as well as the aforementioned Hand Geometry biometric, is inappropriate for environments
where gloves are required. For example, if the environment would be susceptible to CBR (Chemical, Biological,
Radiological) attacks an end user would have to wear a protective suit and protective gloves. Removing the gloves
would expose the end user to harmful contaminants. If the end user had ever lost appendages then they would not be
able to authenticate.


Iris and Retina Scans

Iris scans and retina scans focus on the eyeball. Iris scans sample the unique colored part of the eye surrounding the
pupil; they focus less on the colors than on the flake pattern. The retina biometric scans the unique organization of
blood vessels at the back of the eye. Both are considered to be highly reliable biometric systems.

Some end users may have difficulty with these biometrics because their eyes have become sensitive to light. There
may also be health reasons why the two biometric systems are deemed unacceptable. As an example, if the device
requires the end user to place their eye in extreme proximity to the sensor and the person before them has Pink Eye,
this would be an unacceptable health risk.

Facial Profiling

Facial profiling is a digitized sample of the entire face including bone structure, chin shape, and forehead size. The
equipment for this process, like hand profiling mechanisms, can be cumbersome to transport and extremely
expensive. The setup makes it unlikely it can be plugged into a USB port on a laptop next to a mouse. Damage to
the face after a profile has been taken, even slight alterations like stitched cuts or band-aids, can make authentication
difficult.

Voiceprints

Voiceprints are digitized samples of your voice speaking predetermined words or phrases. The sample would capture
parameters such as pitch, tone, and cadence. A very high sampling rate of your voice (much greater than 48 kHz) is
required because it is fairly easy for an intruder to record someone's voice. A higher sampling rate provides a more
granular sample than an intruder could obtain by recording your voice over a telephone line (POTS).

Besides the ease of spoofing, there are still other issues with voiceprint technology. If a person is under stress their
pitch may alter enough to prevent authentication. A person could also lose their voice due to sickness or disease.

Biometric Accuracy

Though biometrics can provide highly detailed digital samples, the accuracy can actually be a problem. Engineers
who design biometric devices force a skew tolerance to be built into the system. This margin of error is necessary
because, as is the case of hand or face profiling, they need to account for the possibility of accidents such as cutting
a hand with a knife or a shaving cut.

When employing biometric devices, it is best to couple the technique with another authenticating technique such as a
PIN or CAC in a multiple-factor approach. The defense-in-depth ensures that if the fingerprint is lifted from a glass,
the PIN is still needed to establish authentication.
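The tolerance trade-off described above, as an added example that is not part of the course text: a toy hand-geometry matcher over constructed five-finger measurements. Loosening the tolerance stops rejecting a legitimately bandaged hand but starts accepting a similar-sized impostor, which is exactly why the PIN second factor matters. All templates, samples, PINs and the salt are constructed values, and the matcher (plain Euclidean distance) is an assumption, not any vendor's algorithm.

```python
"""Tolerance in a biometric matcher: the false-accept / false-reject trade-off.

Added example, not part of the original course text. Everything here is
constructed: hand-geometry style templates (five finger lengths in mm),
a Euclidean-distance matcher with a tunable tolerance, and a PIN as the
second factor of a multifactor check.
"""
import hashlib
import hmac
from math import dist

# Constructed enrolment templates (finger lengths in mm); not real measurements.
TEMPLATES = {
    "alice": (72.0, 80.5, 88.0, 82.0, 66.0),
    "bob":   (70.0, 79.0, 86.5, 80.5, 64.5),
}

# Constructed presentations: (claimed user, measured sample).
GENUINE = [
    ("alice", (72.2, 80.4, 88.1, 82.0, 65.9)),   # normal re-measurement noise
    ("alice", (72.0, 80.5, 90.0, 82.0, 66.0)),   # bandaged middle finger, +2 mm
    ("bob",   (70.1, 79.0, 86.4, 80.6, 64.5)),
    ("bob",   (69.5, 79.5, 86.5, 80.0, 64.0)),
]
IMPOSTOR = [
    ("alice", TEMPLATES["bob"]),                  # bob's hand presented as alice
    ("bob",   TEMPLATES["alice"]),
    ("alice", (74.0, 82.0, 90.5, 84.0, 68.0)),    # clearly larger hand
    ("bob",   (69.0, 78.0, 85.0, 79.5, 63.0)),    # similar-sized stranger
]


def matches(sample, template, tolerance):
    """Accept when the measured sample lies within `tolerance` mm of the template."""
    return dist(sample, template) <= tolerance


def error_rates(genuine, impostor, tolerance):
    """Return (false_accept_rate, false_reject_rate) for one tolerance setting."""
    false_rejects = sum(not matches(s, TEMPLATES[u], tolerance) for u, s in genuine)
    false_accepts = sum(matches(s, TEMPLATES[u], tolerance) for u, s in impostor)
    return false_accepts / len(impostor), false_rejects / len(genuine)


# Second factor: PINs stored as salted PBKDF2 hashes, never in the clear.
PIN_SALT = b"constructed-demo-salt"   # constructed; use a random per-user salt in practice


def pin_hash(pin):
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), PIN_SALT, 100_000)


PIN_STORE = {"alice": pin_hash("4831"), "bob": pin_hash("9027")}   # constructed PINs


def authenticate(user, sample, pin, tolerance):
    """Multifactor decision: biometric match AND correct PIN; both are always evaluated."""
    bio_ok = matches(sample, TEMPLATES[user], tolerance)
    pin_ok = hmac.compare_digest(pin_hash(pin), PIN_STORE[user])
    return bio_ok and pin_ok


if __name__ == "__main__":
    for tol in (1.5, 3.0, 4.0):
        far, frr = error_rates(GENUINE, IMPOSTOR, tol)
        print(f"tolerance {tol:.1f} mm: FAR={far:.2f} FRR={frr:.2f}")
    # A loose tolerance lets bob's hand pass as alice, but the PIN still stops him.
    print(authenticate("alice", TEMPLATES["bob"], "9027", 4.0))
```

Run stand-alone, the block shows FAR and FRR moving in opposite directions as the tolerance changes: at 1.5 mm the bandaged hand is rejected and no impostor passes, at 3.0 mm the bandaged hand is accepted but so is the similar-sized stranger, and at 4.0 mm bob's hand is accepted as alice. Real devices use vendor-specific feature extraction and scoring, but the shape of the result is the same, and no single tolerance makes both error rates zero, which is the argument for the PIN.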

 
Server Room

The United States government can invest millions of dollars into finding more secure ways to deliver computing bits
across a medium. A military post can spend hundreds of thousands of dollars on the best firewalls. However, if the
enemy has the ability to physically retrieve the equipment that stores and forwards the bits, then the effectiveness of
all those invested dollars is nullified. If the enemy acquires the data storage device then the game is over. You lose,
they win.

A Defense in Depth approach is the mainstay to any security posture and this is especially true when it comes to the
data center or server room. The Defense in Depth approach stretches the enemy's start and completion time, making
it more difficult to compromise a system by adding varied and overlapping safeguards in a linear fashion. By adding
layers of defense, not only does overall system security become hardened, but more obstacles are presented to the
enemy; what may have worked against one safeguard won't work against the next safeguard.

Machines acting as computer servers, DNS platforms, Domain Controllers, Key Distribution Centers, Certificate
Authorities, or any other crucial service-delivering platform should be placed inside a secure room, away from general
pedestrian traffic, and protected with Defense-in-Depth safeguards. Furthermore, cabling that leaves a physically
secure room should be secured as much as possible and periodically be checked for tampering (splicing attacks).

The server room should consist of walls that offer significant resistance and, if intrusion does occur, are capable of
providing evidence of intrusion. Too often, data center walls consist of sheets of plaster board (i.e., SheetRock).
Plaster board does not offer enough resistance to keep determined intruders at bay because they can easily push
through the wall with simple force. Furthermore, after the intruders have obtained the storage devices, they merely
need to replace the damaged plaster board to help cover up the break-in. An equipment room such as a data center
should use materials such as hard wood, metal, or cement.

The walls need to reach all the way to the floor and all the way to the ceiling so that no one can climb over or under
the wall. Be aware of utility ducting that ingresses or egresses the room. Do not construct the room with duct work
that a small human being could crawl through. Typically, duct work of less than 96 square inches is acceptable.

While it would be best for a server room not to have any windows, if windows are installed, cover the windows with
steel meshing. Make sure shrubs outside the window can't be used to elevate an intruder into the window. Ultimately,
the windows should provide the same level of security as the surrounding walls.

Server room doors should be designed to open towards the inside of the room so that the door hinges aren't exposed
while the door is in the closed position. If the hinges were accessible from the outside, an intruder could merely
remove the pins to release the hinge plates and thus remove the "locked" door. A determination to use either fail-safe
or fail-secure doors must be made. A fail-safe door unlocks automatically if there is a loss of power; this is the desired
behavior if there is a fire and personnel work within the data center. A fail-secure door is appropriate for a room
devoid of personnel, so that if power is lost the door remains locked.

Setting up a security guard station that observes the server room provides another layer of defense, especially if the
above conditions cannot be met due to a lack of materials. Ensure that security guards are supplied with materials to
properly log pertinent events of interest. Establish a guard rotation to help ensure attentiveness. The security guards
should take positive efforts to ensure only cleared personnel are entering the sensitive room. Piggybacking, an
unauthorized person entering a sensitive room by quickly following an authorized person, must be prevented.

If security guards are not used to protect the facility, an Automated Entry Control System (AECS) can be
implemented. Each individual entering the room must be positively identified by utilizing either:

1. Active Token (such as an RFID card) or a Passive Token (such as a magnetically striped card)
2. Biometrics (such as retinal scans)

To optimize the reliability of the authentication process, biometrics should be implemented with Personal Identification
Numbers (PINs). The PIN must be at least 4 digits long and randomized so that it does not have significance to any
individual. For example, the PIN cannot be based upon someone's birth date. The PIN must be changed whenever a
compromise is suspected or realized. It must also be changed whenever an individual no longer requires access (i.e.,
they have transferred to another command). The keypad must be installed in a manner that prevents shoulder surfing.
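The PIN rules above (at least four digits, randomly generated, not derived from the holder's birth date) expressed as an added policy check; this is example code, not part of the course text or of any fielded AECS. It adds two assumed rules of its own, rejecting a single repeated digit and straight runs such as 1234, and the list of date formats it screens against is also an assumption. The birth date is constructed.

```python
"""PIN policy checks for an Automated Entry Control System keypad.

Added example, not part of the original course text or any Army system.
Encodes the stated rules (at least 4 digits, randomly generated, not derived
from the holder's birth date) plus two assumed rules: no single repeated
digit and no straight ascending/descending run.
"""
import secrets
from datetime import date

# Assumption: date renderings an observer might try when guessing a date-based PIN.
DATE_FORMATS = ("%m%d", "%d%m", "%Y", "%y%m%d", "%m%d%y", "%d%m%y",
                "%m%d%Y", "%d%m%Y", "%Y%m%d")

EXAMPLE_DOB = date(1985, 3, 12)   # constructed birth date for the demo


def date_digit_strings(birth_date):
    """All digit strings derivable from a date under DATE_FORMATS."""
    return {birth_date.strftime(fmt) for fmt in DATE_FORMATS}


def is_run(pin):
    """True for 1234-style or 9876-style straight runs (assumed rule)."""
    steps = {int(b) - int(a) for a, b in zip(pin, pin[1:])}
    return steps in ({1}, {-1})


def pin_is_acceptable(pin, birth_date=None, min_length=4):
    """Apply the policy; `birth_date` is the holder's DOB when it is known."""
    if not pin.isdigit() or len(pin) < min_length:
        return False
    if len(set(pin)) == 1 or is_run(pin):          # assumed rules
        return False
    if birth_date is not None:
        # Reject a PIN that appears anywhere inside any rendering of the date.
        if any(pin in s for s in date_digit_strings(birth_date)):
            return False
    return True


def generate_pin(birth_date=None, length=4):
    """Draw PINs from the OS CSPRNG until one satisfies the policy."""
    while True:
        pin = "".join(secrets.choice("0123456789") for _ in range(length))
        if pin_is_acceptable(pin, birth_date, length):
            return pin


if __name__ == "__main__":
    for candidate in ("0312", "1985", "1111", "4321", "7391"):
        print(candidate, "acceptable" if pin_is_acceptable(candidate, EXAMPLE_DOB) else "rejected")
    print("generated:", generate_pin(EXAMPLE_DOB))
```

The rotation rules in the paragraph (change on suspected compromise, change when the holder leaves) are procedural and are not modelled here; the point of the check is that the policy is enforced at issue time rather than left to the holder's memory.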

  
Computer Chassis

Computers themselves require varying degrees of physical security to be applied. Laptops and desktops should be
tethered with a security cable extending from them to some immovable object, such as a bolted down equipment
rack. This makes it difficult for an intruder to grab and run with the box.

The computer chassis should have a sliding locking mechanism at the back of the computer with eye loops that slide
together so that it can be locked with a padlock. The padlock prevents the chassis shell from being opened and
mitigates risk to the motherboard. This added layer of defense introduces an undesirable delay to the intruder. The
key to the padlock should be kept in a separate and secure location with the necessary access controls. Remember, if
the intruder can get physical access to the data storage then it is only a matter of time before they get to the data.

Peripheral Devices

After the server has been configured it may no longer be necessary to keep certain devices attached to it. The mouse,
keyboard, and monitor can be removed to make it more difficult for an intruder to access the computer via the local
terminal. If local access is required the devices can be plugged back into the server. Additionally, disable or remove
any other unnecessary devices such as the floppy drive, optical drives, or USB interfaces. These interfaces could be
used by an intruder to reboot the machine into an alternate operating system. The alternate operating system could
then be used to attack the defenses of the installed operating system while it is not running and retrieve sensitive
information.

Visually inspect the machine and ensure there aren't any other unnecessary devices installed on the system. For
instance, an unnecessary PCI or serial modem could be used to open a port to the outside world and completely
bypass the network perimeter security of a firewall or proxy server. Remove the modem and, if possible, disable the
adapter port via the BIOS. A malicious USB device could be used to copy key data from the hard drive at a
remarkably fast rate or to launch a malicious executable file. If the USB adapter ports aren't required then disable
them via the system BIOS. If the laptop communicates with the network over a cable then disable any wireless
adapters through the BIOS settings. All of these devices can be re-enabled when the need arises.

BIOS

When working inside the BIOS, make sure a BIOS password is established to limit who has access to the BIOS
settings. Also make sure the hard drive is the very first boot device in the boot list; it would be preferable to make it
the only bootable item. Having the floppy disk or CD-ROM as the first boot device exposes the system to being
rebooted into an alternate operating system such as Linux. To further harden the system against this threat, enable the
motherboard's Trusted Platform Module (TPM) to encrypt the volume stored on the hard drive (provided that the
motherboard AND the operating system can handle this feature). The TPM is a motherboard IC chip that stores
encryption keys. Various vendor products, such as Microsoft's BitLocker, support this capability. It would be wise to
back up the encryption keys.

 

Storage Media

Make sure all external hard drives have a security cable tethered to them to prevent the intruder from performing a
grab-and-go tactic. External hard drives that are in constant use can be more difficult to keep secure than internal
hard drives. External hard drives that are used on an ad hoc basis should be locked up in a secure safe when not in
use.

Storage media containing sensitive or classified data will be clearly identified with physical markings, electronic
labeling, or by designation. If the device holds varying degrees of classified information, then the device will be
marked to reflect the highest level of classification held by the information. The marking not only makes personnel
aware of the due care required to protect the information, but also serves as a source of guidance for appropriately
downgrading the device if the need arises.

Prohibit storage of portable Information Systems, Personal Electronic Devices (PEDs), and other storage media
containing classified information in personal residences. Exceptions will follow the guidance prescribed in
DOD 5200.1 and AR 380-5.

Storage devices marked for destruction must continue to be protected to the degree appropriate for the information
that has been stored on them (even if the devices are no longer in use). Storage devices that are at the end of their
life cycle (no longer desired) will be purged if the device held unclassified data. However, whenever it is more
cost-effective, or whenever security concerns arise about the unclassified storage devices, complete destruction is
preferable to purging. If the storage devices held classified material, such as COMSEC material or SCI material,
then the storage devices will be destroyed; purging is not an option. The devices will be incinerated, preferably in a
pyrolytic furnace, in accordance with AR 380-5.

Backups

A backup plan should be developed to support the COOP (Continuity of Operations Plan). Data backups support data
redundancy, which ultimately supports information availability. Backups should be made on a routine basis
depending upon the sensitivity and timeliness of the information. A determination should be made between the
various backup modes, such as Full Backup, Incremental Backup, Differential Backup, Copy, and Shadow Copy.
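How the backup modes named above differ in what they capture and in what a restore must read back, as an added example that is not part of the course text. The file set and the per-day change sets are constructed; Copy and Shadow Copy are not modelled.

```python
"""Which files each backup mode captures, and how long the restore chain gets.

Added example, not part of the original course text. The file set and daily
change sets are constructed. A full backup captures everything; a differential
captures everything changed since the last FULL backup; an incremental captures
everything changed since the last backup of ANY kind.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Backup:
    kind: str           # "full", "differential" or "incremental"
    day: int
    files: frozenset    # file names captured by this backup


# Constructed data set: four files, and the files modified on each day.
ALL_FILES = {"a", "b", "c", "d"}
CHANGES = {1: {"a"}, 2: {"b"}, 3: {"a", "c"}}


def changed_since(changes, after_day, up_to_day):
    """Union of files modified on days in the interval (after_day, up_to_day]."""
    out = set()
    for day, files in changes.items():
        if after_day < day <= up_to_day:
            out |= files
    return frozenset(out)


def take_backup(kind, day, all_files, changes, history):
    """Append a Backup of `kind` for `day` to `history` and return it."""
    if kind == "full":
        files = frozenset(all_files)
    else:
        fulls = [b.day for b in history if b.kind == "full"]
        if not fulls:
            raise ValueError("a full backup must exist before differential/incremental runs")
        if kind == "differential":
            since = max(fulls)                     # since the last full
        elif kind == "incremental":
            since = max(b.day for b in history)    # since the last backup of any kind
        else:
            raise ValueError(f"unknown backup kind: {kind}")
        files = changed_since(changes, since, day)
    backup = Backup(kind, day, files)
    history.append(backup)
    return backup


def restore_chain(history, day):
    """Backups that must be read, in order, to rebuild the state as of `day`."""
    upto = [b for b in history if b.day <= day]
    last_full = max((b for b in upto if b.kind == "full"), key=lambda b: b.day)
    after = [b for b in upto if b.day > last_full.day]
    diffs = [b for b in after if b.kind == "differential"]
    if diffs:
        # Only the newest differential is needed; incrementals taken after it still apply.
        newest = max(diffs, key=lambda b: b.day)
        later_incs = [b for b in after if b.kind == "incremental" and b.day > newest.day]
        return [last_full, newest] + later_incs
    return [last_full] + after


def simulate(kind):
    """Full backup on day 0, then `kind` backups on days 1-3; return the history."""
    history = []
    take_backup("full", 0, ALL_FILES, CHANGES, history)
    for day in (1, 2, 3):
        take_backup(kind, day, ALL_FILES, CHANGES, history)
    return history


if __name__ == "__main__":
    for kind in ("incremental", "differential"):
        hist = simulate(kind)
        print(kind, [sorted(b.files) for b in hist[1:]],
              "restore reads", len(restore_chain(hist, 3)), "backups")
```

The incremental strategy writes the least per run but a day-3 restore has to read the full plus every incremental since; the differential strategy writes more each day but a restore only ever needs the full plus the newest differential. The right choice depends on how much media and time the backup window allows versus how fast the COOP requires recovery.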

If a password is used in conjunction with the backup, do not store the password with the backup, but keep them in
separate locations. Store the media in a distant and secure location, such as another military post. If your data center
is housed in one building and your backups are stored in the adjacent building, a powerful enough explosive device
could be used to take out both buildings thus hampering information availability recovery. Keep in mind that the
storage facility storing the backup media must meet the minimum security requirements of the data's security
classification on the backup media.

Emergency Power

Emergency power devices such as generators and Uninterruptible Power Supplies (UPS) should be implemented to
ensure there isn't a loss in service. A UPS should provide enough power so that administrators can safely power
down the servers without a loss of data. Generators should have enough fuel reserves on hand to support the
mission.

Physical security should be applied to generators and the UPS. The generator should be placed within a barbed wire
fence and the UPS should be secured inside the equipment room.

Environmental Controls


Computing devices are highly susceptible to extreme environmental variables such as heat and humidity. Care
should be exercised to bring both risks within tolerance.

A room with too much humidity can cause corrosion of components or cause water to bead on them, leading to
system failure. On the other hand, if a room lacks sufficient humidity then the equipment is more susceptible to ESD
(Electrostatic Discharge). This danger is familiar as the unpleasant zap that is transferred between personnel and
equipment.

Computing devices are also at risk from increases in heat. An increase in room temperature causes an even greater
increase in system temperature because it becomes more difficult for the system to dissipate heat. As the internal
temperature rises, an IC chip's performance degrades until it finally reaches a point of catastrophic failure. A data
center or other primary service room should have its own dedicated air conditioning that does not compete with air
conditioning destined for office spaces.

At the extreme end of the heat range, fire is a risk to personnel and equipment. Computing devices often require
voltages that can pose a danger to human life, and using water to put out an electrical fire can cause electrocution;
for this reason it is not advisable to use water on electrical fires. Chemical powders can cause the fire to smolder and
then reignite. Maintain a CO2 fire extinguisher within the computing room. A portable CO2 bottle should be mounted
so that it is immediately visible when entering the room.

Summary

When implementing a lattice of security safeguards it should not be forgotten that safety is of extreme importance,
whether safety to personnel or safety to equipment. The human side of this statement is obvious. However, to further
illustrate this point, consider that we might encase a server machine completely in cement. This tactic may harden the
security of the box by drastically eliminating intrusive physical access, but it also drastically reduces the machine's
ability to vent internally generated heat that would be detrimental to system availability. Prudence should be
exercised to balance the safety of the equipment and the security of the equipment.

To create a bastion host you must begin hardening the system by removing unnecessary devices and unnecessary
services. Any extraneous elements can be used by an intruder to subvert the system. As long as extraneous devices
and services are left in place, additional safeguards are needed to protect those elements as well. Pruning irrelevant
elements from a system is an important factor in assuring system trustworthiness.

Biometric systems are best utilized in a multi-factor environment, not as a standalone authentication system. There
are credible reasons why end users may not be able to interact with the biometric system, whether it is due to loss of
limb, health reasons, or danger posed to the end user. A survey of the prospective environment should be conducted
and a biometric system appropriate for the environment should be chosen.

According to AR 25-2, a Security Awareness Program must be implemented and security awareness training
conducted at least once a year. The Security Awareness Program must include physical security information as well
as information security information. Information security is anchored to physical security; you cannot have information
security without physical security.

Composite Risk Management (CRM)

FM 5-19 (supersedes FM 100-14)

Composite risk management (CRM) is the Army's primary decision making process for identifying hazards and
controlling risks across the full spectrum of Army missions, functions, operations, and activities.

Step 1: Identify Hazards

Use mission, enemy, terrain and weather, troops and support available, time available and civil considerations
(METT-TC) factors to serve as a guide for identifying hazards. METT-TC factors are institutionalized in the Army. FM
5-19 section 1-6 describes the role of METT-TC in hazard identification.

Use other available resources such as personal experience, experts, policies and other supporting documentation,
test and analysis, etc. Section 1-4 identifies other resources and tools which might be useful in identifying hazards.

Step 2: Assess Hazards

Risk analysis involves estimating or determining the loss potential that exists as the result of threats and vulnerabilities
causing some form of impact on the system. Methodologies can be formal or informal, detailed or simplified, high or
low level, quantitative (computationally based) or qualitative (based on descriptions or rankings), or a combination of
these. No single method is best for all users and all environments. How the boundary, scope, and methodology are
defined will have major consequences in terms of the:

@ Total amount of effort spent on risk management
@ Type and usefulness of the assessment's results

The boundary and scope should be selected in a way that will produce an outcome that is clear, specific, and useful
to the system and environment under scrutiny.

Managers would naturally use mathematical tools and statistical analysis techniques to determine the overall risk of
operating a particular IS or network. This would seem to be a logical methodology to employ. However, experience
shows that these methods are, at best, only marginally successful. Don't use these techniques except when their
value has been established. In many cases, you will be better off using qualitative or subjective techniques.

@ Probability: frequently, likely, occasional, seldom or unlikely
@ Severity: catastrophic, critical, marginal or negligible
@ Risk Level: extremely high, high, moderate or low

Extremely high risk:

Loss of ability to accomplish the mission if hazards occur during the mission.

High risk:

Significant degradation of mission capabilities in terms of the required mission standard, inability to accomplish all
parts of the mission, or inability to complete the mission to standard if hazards occur during the mission.

Moderate risk:

Expected degraded mission capabilities in terms of the required mission standard and will result in reduced mission
capability if hazards occur during mission.

Low risk:

Expected losses have little or no impact on accomplishing the mission.

Step 3: Develop Controls and Make Risk Decisions

Controls are developed and applied. The hazard is reassessed to determine any residual risk. Risk decisions are
always based on the residual risk.


Risk avoidance:

Risk avoidance involves the selection and implementation of security controls to reduce risk to a level acceptable to
management within applicable constraints. Although there is flexibility in how a risk assessment is conducted, the
sequence of identifying boundaries, analyzing input, and producing an output is quite natural. The process of risk
avoidance has greater flexibility and the sequence will differ more depending on organizational culture and the
purpose of the risk management activity. For example, it may be immediately apparent to a manager that closing and
locking the door to a particular room that contains local area network equipment is a needed control, while posting a
guard at the door would be too expensive and not user-friendly. This choice is the most costly and should not be
considered since it requires the implementation of exorbitant countermeasures to nullify the risk and to protect
information.

Total risk acceptance:

While providing the least costly alternative at the onset, this choice may cost significantly more in the long run. Failure
to implement security safeguards on an IS leaves its vulnerabilities open to exploitation by the local threats. In an
operational combat environment, however, this level of risk may be acceptable to the combat commander in the
short-term.

Risk reduction and residual risk acceptance:

This is the best choice. It supports applying cost effective security measures to IS operations. The amount of risk that
remains after the selection of a safeguard or countermeasure is known as residual risk.

Step 4: Implement Controls

Leaders and staffs ensure that controls are integrated into SOPs, written and verbal orders, mission briefings, and
staff estimates. The critical check for this step is to ensure that controls are converted into clear and simple execution
orders.

Various forms of user awareness, training and education are needed for the controls to be successful.

Step 5: Supervise and Evaluate

Ensure that risk controls are implemented and enforced to standard.

@ Are individuals properly trained?
@ Is there monitoring to ensure controls stay in place?
@ Are individuals utilizing the controls correctly?

Supervision and oversight provide commanders and leaders with the situational awareness necessary to anticipate,
identify, and assess any new hazards and to develop or modify controls as necessary.

Ensure the adequacy of selected control measures in supporting the objectives and desired outcomes.

@ Identify any hazards that were not identified as part of the initial assessment, or identify new hazards that
evolved during the operation or activity
@ Assess effectiveness in supporting operational goals and objectives
@ Assess the implementation, execution, and communication of the controls
@ Ensure compliance with the guiding principles of CRM

CRM Documentation

The Army standard CRM worksheet (DA Form 7566, Composite Risk Management Worksheet) or an electronic
version will be used to document the CRM process.

Examples of CRM worksheets and documentation can be found throughout the FM 5-19.

Risk Management Process

AR 25-2, p. 7-1

1. Absolute confidence in the information accessed or available in the Army enterprise is unachievable; as
such, the Army and DOD will approach increasing that level of trust through the implementation of a risk
management process. With technological advances and capabilities, training, and IA-focused processes to
reduce identifiable threats, the level of trust of information and ISs is significantly increased. Establish a risk
management process containing the following phases as a minimum for all ISs. The process outlined in this
chapter is based, in principle, on the risk management doctrine as defined by FM 5-19.

(1) Identify threats such as those posed by default designs or configurations, architecture deficiencies,
insider access, and foreign or nation-state interests, ownership and capabilities.

(2) Assess threats to determine risks.

a. What information is accessible?
b. What information will be stored electronically and secured (for example, self-generated, prototype,
research and development, electronic forms and documents, calendars, operational logs)?
c. What will be the stored format of the information and the naming or identification mechanism?
d. Who has authorization to access and share the information?
e. What is the potential adverse effect of loss, access, or manipulation of the data?
f. What are the OPSEC issues of data availability?
g. What are the data owner's requirements and length of required storage or access?
h. What legacy operating systems or applications are required for stored information? What hardware is
required to access and read the storage media?
i. What are the backup and disaster recovery plans?
j. What is the plan to migrate legacy data to current application capabilities?

(3) Develop controls and make risk management decisions. How do you protect the information, access, and
infrastructure?

(4) Implement controls, countermeasures, or solutions. Choose the correct IA tools, controls and
countermeasures to defend against adversarial attacks on IS and networks.

(5) Implement a capability to monitor for compliance and success.

(6) Supervise, evaluate, review, and refine as necessary.

b. Commanders, directors, combat developers, and materiel developers will integrate the risk management
process in the planning, coordination, and development of ISs.
c. Reevaluate and reissue any risk analyses and mitigation plans if there is a successful compromise of an
IS or device.
d. Telecommunications systems that do not include the features normally associated with an IS and that
handle classified or sensitive information will be implemented and operated in conformance with the risk
management process.


  
Army Computer Emergency Response Team (ACERT)

The ACERT-CNO conducts and synchronizes operations across the Computer Network Operations spectrum in
support of the U.S. Army to ensure the availability, integrity, and confidentiality of the information and information
systems used by commanders worldwide. The ACERT Website provides the following links with information
regarding risk assessment and management:

Support Services

Mission Support Teams (MSTs) and the Computer Defense Assistance Program (CDAP) provide support and
services such as the following.

MST functional areas:

@ Computer Network Defense (CND)
@ Computer Network Defense - Response Actions (CND-RA)

CDAP missions:

@ Network Damage Assessments (NDA)
@ Penetration Testing (PT)

Computer Network Operations support to Information Operations (IO), including:

@ Computer Network Operations (CNO) Planning
@ Computer Network Operations (CNO) Synchronization
@ Strategic Reconnaissance
@ Technical Support
@ Technical Analysis and Development
@ Threat Analysis

Vulnerability Assessment

ACERT has a team that provides vulnerability assessment services for unclassified and classified Army Automated
Information Systems (AIS).
Tools

Various Army Information Assurance (IA) tools:

@ The current Army Approved Products List
@ Vulnerability assessment and monitoring tools

 
Policy

Links to policy documents, regulations, instructions, and memoranda are provided.

Risk Management Links

@ The Army's Composite Risk Management Web Site
@ Risk Management Guide for Information Technology Systems (NIST SP 800-30)



Security Planning

Security planning follows four steps:

1. Determine an appropriate type of security plan
2. Design your security to meet those requirements
3. Test your security design against the requirements
4. Monitor your security requirements for change and retooling

The purpose of the security plan is to provide an overview of the security requirements of the system and describe
the controls in place or planned for meeting those requirements. The system security plan also delineates
responsibilities and expected behavior of all individuals who access the system. The security plan should be viewed
as documentation of the structured process of planning adequate, cost-effective security protection for a system. It
should reflect input from various managers with responsibilities concerning the system, including information owners,
system operators, system administrators, and information assurance security officers.



Applicability

Security plans are used to evaluate systems under the following conditions:

@ various life-cycle stages
@ systems under evolutionary development
@ single-purpose or legacy systems

Security plans are living documents that require periodic reviews, modifications, and milestone or completion dates
for planned controls.

Procedures should be in place outlining who reviews the plans and follows up on planned controls.
Once completed, a security plan will contain technical information about the system, its security requirements, and
the controls implemented to provide protection against risks and vulnerabilities.

 

 


Characteristics of the Security Process

Army mission requirements are diverse, so security plans must be flexible. The security process should be:

@ Tailorable: The security process is applicable to any system regardless of the system's status in its life cycle
or a shift in program strategy.
@ Scalable: The security process is applicable to systems differing in security requirements, size, complexity,
connectivity, and data policies.
@ Uniform: The security process is uniformly applicable to any system and minimizes personal opinion
and subjectivity.
@ Consistent: The security process provides the participants with a consistent view of the system's compliance
with its security requirements.
@ Realistic: The security process facilitates the identification of security requirements and solutions that are
achievable (available, affordable, and within the context of the development approach, IA strategies, and
mission needs).
@ Repeatable: The security process provides corresponding results when applied or reapplied to similar ISs.
@ Accreditable: The security process results in and maintains an accreditation for the target system.
@ Adaptable: The security process allows for the incorporation of lessons learned, as well as changes in
security policy and technology, in a manner that meets the time schedule of the mission.
@ Responsive: The security process accommodates the timely responses essential for supporting emergent
Military Department (MILDEP) and national operational requirements and priorities.

System Boundaries

Define what constitutes a system:

@ Direct management control
@ Coordinated function or mission objective
@ Coordinated operating characteristics and security needs
@ Coordinated general operating environment
Hints:

@ Have at least one system administrator assigned in writing as the system administrator for that system.
@ It is easier to design security if the system is identified by function.
@ If your system boundaries go beyond your location, plan security for that which you control and coordinate
security separately on that which you cannot control. Treat system components that are external to you as
external systems. Coordinate their security with personnel in direct contact with them.

System Environment

Environmental factors that raise a system's security needs include:

@ Connected to the Internet
@ Located in a harsh or overseas environment
@ Software rapidly implemented
@ Software resides on an open network, accessed by the public or with overseas access
@ Application is processed at a facility outside of the organization's control
@ Dial-up access exists

These are just some of the items that make up the environment that determines your security needs. Risk is found
within our environment. If we control our environment, we control our risk.

Risk Formula

Risk = Cost x Vulnerabilities x Threats

In the formula, Cost is the value of your data. If your data is worthless, your risk is zero. Vulnerabilities are the
holes in your system, procedures, or software. If you have no vulnerabilities, your risk is zero. Threats are the
dangers in your environment. If there are no threats to your data, your risk is zero. Because the factors multiply,
reducing any one of them reduces the risk.
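The formula and the residual-risk idea from the CRM discussion above are easier to reason about with numbers laid out. The following Python is an added example, not Army code, and the 1-5 scoring scale is an assumption (AR 25-2 and FM 5-19 define no scale here). It scores a few constructed assets, shows that a zero in any factor zeroes the risk, computes residual risk after safeguards are applied, and ranks candidate safeguards by risk reduction per unit price, which is what "cost-effective security measures" means in practice. Asset names, control names and prices are constructed.

```python
"""Risk = Cost x Vulnerabilities x Threats, with residual risk after safeguards.

Added example, not Army code. Scores are an assumed 1-5 scale; the page
defines no scale. Asset names, control names and prices are constructed.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Asset:
    name: str
    cost: int           # value of the data to the mission (0 = worthless)
    vulnerability: int  # holes in the system, procedures or software (0 = none)
    threat: int         # dangers present in the environment (0 = none)


@dataclass
class Control:
    name: str
    price: float               # what it costs to field the safeguard
    vuln_reduction: int = 0    # vulnerability points the safeguard closes
    threat_reduction: int = 0  # threat points it removes (e.g. by isolating the system)


def risk(asset: Asset) -> int:
    """The page's formula: a zero in any factor makes the risk zero."""
    return asset.cost * asset.vulnerability * asset.threat


def residual_risk(asset: Asset, controls: List[Control]) -> int:
    """Risk that remains after the selected safeguards are applied (never below zero)."""
    v = max(0, asset.vulnerability - sum(c.vuln_reduction for c in controls))
    t = max(0, asset.threat - sum(c.threat_reduction for c in controls))
    return asset.cost * v * t


def most_cost_effective(asset: Asset,
                        candidates: List[Control]) -> Tuple[Optional[Control], float]:
    """The single safeguard buying the most risk reduction per unit price.

    Returns (control, reduction_per_price), or (None, 0.0) if nothing helps."""
    base = risk(asset)
    best: Optional[Control] = None
    best_ratio = 0.0
    for c in candidates:
        if c.price <= 0:
            continue
        ratio = (base - residual_risk(asset, [c])) / c.price
        if ratio > best_ratio:
            best, best_ratio = c, ratio
    return best, best_ratio


def rank_by_risk(assets: List[Asset]) -> List[Tuple[str, int]]:
    """Assets ordered by raw risk, highest first, to drive the risk decision."""
    return sorted(((a.name, risk(a)) for a in assets), key=lambda pair: -pair[1])


# Constructed sample register (illustrative, not from the regulation).
ASSETS = [
    Asset("ops orders file share", cost=5, vulnerability=4, threat=3),
    Asset("public web page", cost=1, vulnerability=4, threat=5),
    Asset("scratch test data", cost=0, vulnerability=5, threat=5),  # worthless => zero risk
]
CONTROLS = [
    Control("patch and harden the file server", price=2.0, vuln_reduction=3),
    Control("move the share behind the VPN", price=10.0, threat_reduction=2),
]

if __name__ == "__main__":
    for name, r in rank_by_risk(ASSETS):
        print(f"{name:<25} risk={r}")
    best, ratio = most_cost_effective(ASSETS[0], CONTROLS)
    print(f"best first safeguard: {best.name} ({ratio:.1f} risk points per unit price)")
    print("residual risk after both safeguards:", residual_risk(ASSETS[0], CONTROLS))
```

The ranking says where to spend first; the residual figure is what the commander or DAA is actually accepting when the safeguards are approved, so it belongs on the CRM worksheet next to the initial risk.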

 
  

System Interconnection and Information Sharing

All interconnections should be covered by a memorandum of understanding (MOU), memorandum of agreement
(MOA), or letter of instruction (LOI). An agreement needs to be in place between the parties in which each party's
security requirements are spelled out.

The security plan needs to address the concerns and rules of behavior of the interconnected systems that must be
considered in protecting the system.

Things to consider:

@ Does the external organization own or control the interconnected system?
@ What types of connections are used (TCP/IP, dial-up, SNA, etc.)?
@ Where does one system's security responsibility stop and another's start?

Risk Assessment

Refer to the Risk Management section above.


 


Security Controls

Security is something you can control. It is up to you to decide upon the level of risk that you will accept. We control
security through proper planning and by setting up various control features to minimize our risk. There are
management controls, operational controls, and technical controls. Here is a brief explanation of those control areas:

Management Controls

Risk Management: The total process of identifying, measuring, controlling, and minimizing or reducing the security
risk incurred by an IS to a level commensurate with the value of the assets protected. Risk is generally defined as
the coexistence of a threat and a point of vulnerability.


 
Review of Security Controls: IAW OMB Circular A-130, security controls must be reviewed at least every three years.
Reviews can be done internally or externally. System security may degrade over time as the technology changes, the
system evolves, or people and procedures change. Periodic reviews provide assurance that management, operational,
personnel, and technical controls are functioning effectively and providing adequate levels of protection.

Life Cycle: Security planning can be done at any point in the life cycle of a system. The recommended
approach is to draw up the security plan at the beginning of the system life cycle. The plan needs to address the
phasing in and out of new and old components and/or systems as changes in technology, mission, and
acquisition dictate.


  
Authorize Processing (Certification and Accreditation): C&A provides a form of quality control. The DIACAP (DODI
8510.01) provides the format for this process. It is no coincidence that it revolves around the same three-year cycle
required by OMB Circular A-130. It is also referred to as "authorizing processing". By authorizing processing in a
system, a manager accepts the risk associated with it. This forces managers and technical staff to find the best fit for
security, given technical constraints, operational constraints, and mission requirements. Below are the minimum
security controls that must be in place prior to authorizing a system for processing.

@ Technical and/or security evaluation complete
@ Risk assessment conducted
@ Rules of behavior established and signed by users
@ Contingency plan developed and tested
@ Security plan developed, updated, and reviewed
@ System meets all applicable federal laws, regulations, policies, guidelines, and standards
@ In-place and planned security safeguards appear to be adequate and appropriate for the system
@ In-place safeguards are operating as intended


System Security Plan: The security plan, if properly created, maintained, and disseminated, provides the foundation
for a risk-based approach. The security plan contains information about all three control areas.

Operational Controls

Personnel Security: The greatest harm/disruption to a system comes from the actions of individuals, both intentional
and unintentional. Individuals should be assigned the least amount of privilege required to function. Critical functions
should be divided among different individuals. Develop a process for requesting, establishing, issuing, and closing
user accounts.

 
Physical and Environmental Protection: Physical security should address access controls to the area containing
system hardware and data, wiring closets and the wiring path, electrical power, backup media, and any other elements
required by the system to operate.


Production, Input/Output Controls: Production input/output controls are the procedures for handling help desk needs,
theft of printed data, authorized deliveries and pick-ups, audit trail integrity, Privacy Act concerns, media storage,
electronic sanitizing, and destruction of sensitive hardcopy media.

Contingency Planning: Contingency planning allows for recovery of data and/or systems regardless of the cause of
disruption.

Hardware and System Software Maintenance Controls: Controls should be in place to monitor and prohibit the
unauthorized installation of hardware components or software. A software configuration policy or configuration
management procedures should be in effect.

Data Integrity/Validation Controls: Data integrity tools are used to protect data from accidental or malicious alteration
or destruction and to provide assurance to the user that the information meets expectations about its quality and has
not been altered.

Documentation: Documentation explains how hardware and software are to be used and formalizes the security and
operational procedures specific to the system.


Security Awareness and Training: Training is a mandatory requirement set forth in the Computer Security Act. Training
is required prior to system access and on a periodic basis for continued access.

Incident Response Capability: Procedures must be in place that provide for an incident response capability.
The incident reporting chain should be known to all users.

Technical Controls

Identification and Authentication: Identification and authentication is a technical measure that prevents unauthorized
people or processes from entering an IT system. Access control is often based on least privilege.

   
Logical Access Controls: Logical access controls are the system-based mechanisms used to specify who or what
is to have access to a specific system resource and the type of access that is permitted.

Audit Trails: Audit trails maintain a record of system activity by system or application processes and by user activity.
Audit trails can provide a means to help accomplish several security-related objectives, including individual
accountability, reconstruction of events, intrusion detection, and problem identification.


Security Plan Checklist

The security plan should address all conceivable security issues. At a minimum, a good security plan will include:

@ An established organization-wide security management structure
@ A risk management and mitigation plan
@ An incident response capability
@ A certification and accreditation policy
@ An anti-virus infrastructure in place and operational at all organization facilities
@ Security training and awareness programs established and available to all personnel
@ Roles and relationships, clearly defined and established
@ An understanding on the importance of protecting mission critical information assets
@ Integration of security into the planning process
@ Funding issues
@ Descriptions of security guidance issued in the past year

References

NIST Special Publication 800-53 (Aug 2009), Recommended Security Controls for Federal Information Systems and
Organizations

NIST Special Publication 800-53A (Jul 2008), Guide for Assessing the Security Controls in Federal Information
Systems

NIST Special Publication 800-18 (Feb 2006), Guide for Developing Security Plans for Federal Information Systems

NIST stands for National Institute of Standards and Technology.

Incident Response

The incident response portion of computer security has become an important piece of information technology (IT)
preparedness. Network and computer security threats grow more numerous and diverse and have become more
damaging and disruptive. New types of security-related incidents emerge frequently. Doing proper risk assessments
and managing and mitigating those risks can lower the number of incidents, but not all incidents can be prevented.
An incident response capability is therefore necessary for rapidly detecting incidents, minimizing loss and destruction,
mitigating the weaknesses that were exploited, and restoring computing services.

Preventing problems is normally less costly and more effective than reacting to them after they occur. Thus, incident
prevention is an important complement to an incident response capability. If security controls are insufficient, high
volumes of incidents may occur, overwhelming the resources and capacity for response. This would result in delayed
or incomplete recovery and possibly more extensive damage and longer periods of service and data unavailability.
Incident handling can be performed more effectively if organizations complement their incident response capability
with adequate resources to actively maintain the security of networks, systems, and applications, freeing the incident
response team to focus on handling serious incidents.

Incident response is a 24x7 undertaking and can be very complex. Proper incident response requires substantial
planning and resources. Constant vigilance and continual monitoring of threats through intrusion detection systems
(IDS) and other mechanisms are essential. Establishing clear and concise procedures for assessing the current and
potential mission impact of incidents is critical, as is effectively collecting, analyzing, and reporting data. Establishing
relationships and lines of communication with other incident response teams, law enforcement, and legal personnel
is also important. The Army's Computer Emergency Response Team (ACERT) has established procedures to follow once a
unit has identified that an incident has occurred.

Signs of an incident fall into one of two categories: indications and precursors. A precursor is a sign that an incident
may occur in the future. An indication is a sign that an incident may have occurred or may be occurring now. Too
many types of indications exist to exhaustively list them, but some examples are listed below:

@ The network intrusion detection sensor alerts when a buffer overflow attempt occurs against an FTP server.
@ The antivirus software alerts when it detects that a host is infected with a worm.
@ The Web server crashes.
@ Users complain of slow access to hosts on the Internet.
@ The system administrator sees a filename with unusual characters.
@ The user calls the help desk to report a threatening e-mail message.
@ The host records an auditing configuration change in its log.
@ The application logs multiple failed login attempts from an unfamiliar remote system.
@ The e-mail administrator sees a large number of bounced e-mails with suspicious content.
@ The network administrator notices an unusual deviation from typical network traffic flows.

One should not think of incident detection as being strictly reactive. In some cases, the organization can detect
activities that are likely to precede an incident. For example, a network IDS sensor may record unusual port scan
activity targeted at a group of hosts, which occurs shortly before a DoS attack is launched against one of the same
hosts. The intrusion detection alerts regarding the scanning activity serve as a precursor of the subsequent DoS
incident. Other examples of precursors are as follows:

@ Web server log entries that show the usage of a Web vulnerability scanner
@ An announcement of a new exploit that targets a vulnerability of the organization¶s mail server
@ Information stating that the Unit will receive a cyber attack

Not every attack can be detected through precursors. Some attacks have no precursors, whereas other attacks
generate precursors that the organization fails to detect. If precursors are detected, the organization may have an
opportunity to prevent the incident by altering its security posture through automated or manual means to save a
target from attack. In the most serious cases, the organization may decide to act as if an incident is already occurring,
so that the risk is mitigated quickly. At a minimum, the organization can monitor certain activity more closely,
perhaps connection attempts to a particular host or a certain type of network traffic.
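Two items from the lists above, the indication "multiple failed login attempts from an unfamiliar remote system" and the precursor "unusual port scan activity targeted at a group of hosts", written as detection logic that runs over log lines. This is an added example, not ACERT code: the sshd-style authentication lines and the one-line IDS alerts are constructed, their formats are assumptions, and the thresholds are illustrative.

```python
"""Two of the signs above as detection logic: a failed-login burst from an
unfamiliar host (indication) and a port scan of a protected host group (precursor).

Added example, not ACERT code. The sample lines are constructed and the two
formats (an sshd-style auth line, a one-line IDS alert) are assumptions;
addresses are RFC 5737 documentation ranges.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, Iterable, List, Set

AUTH_RE = re.compile(
    r"^(?P<ts>\S+) \S+ sshd\[\d+\]: Failed password for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>[\d.]+)")
IDS_RE = re.compile(r"^(?P<ts>\S+) ids: (?P<src>[\d.]+) -> (?P<dst>[\d.]+):(?P<port>\d+) SYN$")

# Constructed sample input.
SAMPLE_AUTH: List[str] = [
    f"2024-03-01T08:{m:02d}:00 gw1 sshd[4411]: Failed password for invalid user admin "
    f"from 203.0.113.7 port 5{m}12 ssh2"
    for m in (1, 2, 2, 3, 4, 5)          # six failures in four minutes from one outsider
] + [
    "2024-03-01T08:10:00 gw1 sshd[4411]: Failed password for jsmith from 10.0.0.5 port 50122 ssh2",
    "2024-03-01T09:30:00 gw1 sshd[4411]: Failed password for root from 198.51.100.9 port 50200 ssh2",
    "2024-03-01T09:31:00 gw1 sshd[4411]: Accepted password for jsmith from 10.0.0.5 port 50123 ssh2",
]
SAMPLE_IDS: List[str] = [
    f"2024-03-01T07:50:{s:02d} ids: 192.0.2.77 -> 10.0.0.20:{port} SYN"
    for s, port in enumerate(range(20, 36))   # 16 distinct ports probed on one host
] + [
    "2024-03-01T07:51:00 ids: 192.0.2.77 -> 10.0.0.21:22 SYN",
    "2024-03-01T07:51:01 ids: 192.0.2.77 -> 10.0.0.21:80 SYN",
    "2024-03-01T07:55:00 ids: 198.51.100.9 -> 10.0.0.20:443 SYN",   # one port: not a scan
]


def failed_login_bursts(lines: Iterable[str], known_hosts: Set[str],
                        threshold: int = 5,
                        window: timedelta = timedelta(minutes=10)) -> Dict[str, int]:
    """Indication: at least `threshold` failed logins from one unfamiliar source
    inside any sliding `window`. Returns source -> highest count seen in a window."""
    failures: Dict[str, List[datetime]] = defaultdict(list)
    for line in lines:
        m = AUTH_RE.match(line)
        if m and m["ip"] not in known_hosts:
            failures[m["ip"]].append(datetime.fromisoformat(m["ts"]))
    hits: Dict[str, int] = {}
    for ip, times in failures.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > window:    # slide the window's left edge forward
                start += 1
            count = end - start + 1
            if count >= threshold:
                hits[ip] = max(hits.get(ip, 0), count)
    return hits


def port_scans(lines: Iterable[str], protected_hosts: Set[str],
               min_ports: int = 10) -> Dict[str, Set[str]]:
    """Precursor: one source touching many distinct ports on hosts in the protected
    group. Returns source -> set of scanned hosts."""
    probes: Dict[str, Dict[str, Set[int]]] = defaultdict(lambda: defaultdict(set))
    for line in lines:
        m = IDS_RE.match(line)
        if m and m["dst"] in protected_hosts:
            probes[m["src"]][m["dst"]].add(int(m["port"]))
    scans: Dict[str, Set[str]] = {}
    for src, by_host in probes.items():
        scanned = {dst for dst, ports in by_host.items() if len(ports) >= min_ports}
        if scanned:
            scans[src] = scanned
    return scans


if __name__ == "__main__":
    print("failed-login bursts:", failed_login_bursts(SAMPLE_AUTH, known_hosts={"10.0.0.5"}))
    print("port scans:", port_scans(SAMPLE_IDS, protected_hosts={"10.0.0.20", "10.0.0.21"}))
```

The allowlist of known hosts is what separates "unfamiliar" from routine mistyped passwords, so keep it short and reviewed. Treat a scan hit as the precursor it is: raise monitoring on the probed hosts and check their exposed services now, rather than waiting for the DoS or exploit attempt that may follow.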

Establishing an incident response capability should include the following actions:

@ Creating an incident response policy that incorporates ACERT procedures
@ Developing procedures for performing incident handling and reporting, based on the incident response
policy
@ Setting guidelines for communicating with outside parties regarding incidents
@ Identifying key personnel
@ Training the incident response team

Organizing an effective computer security incident response capability involves several major decisions and actions.
One of the first considerations should be to create an organization-specific definition of the term "incident" so that the
scope of the term is clear. Incident response policy and procedure creation is an important part of establishing a
team, so that incident response is performed effectively, efficiently, and consistently. The policies and procedures
should reflect the team's interactions with other teams within the organization as well as with outside parties, such as
the ACERT, law enforcement, and other incident response organizations.

The ACERT has established certain procedures to follow if you think you have a compromised computer.

DO

@ Disconnect the system from the network.
@ If the system is an IRIX or Sun Solaris system, leave the network cable plugged into the machine and plug
the distant end of the network cable into a hub which is not connected to anything else. Only when no hub
is available unplug the network cable from the machine.
@ Contact your supporting RCERT or the ACERT immediately. Additionally, the RNOSC/TNOSC should be
notified.
@ Restrict physical access to the system until additional guidance is provided by your supporting RCERT, the
ACERT, or CID.
@ When the RCERT, ACERT, or CID asks for the log collector, the network cable must be reconnected to the
network before the log collector is run, to ensure that the most information available is collected.

DO NOT

@ Continue to look for more evidence without being instructed to do so by CID.
@ Turn the system off or reboot the computer.
@ Allow anyone access to the system in any way until told to do so by your supporting RCERT, the ACERT, or
CID.
@ Finger or attempt to contact the source directly.
@ Alter or change anything on the suspect system.
@ Connect to the system over the network.
Procedures if your computer is infected with a virus:

DO

@ Disconnect the system from the network.
@ Contact your supporting RCERT immediately. Additionally, the RNOSC/TNOSC should be notified.
@ Provide any information about the virus, Trojan, or worm that your antivirus detected to your supporting
RCERT or the ACERT.

DO NOT

@ Continue to look for more evidence without being instructed to do so.
@ Turn the system off or reboot the computer.
@ Try to clean or repair the infected system or files.
@ Move the infected system or data to another system or network.
@ Connect to the system over the network.
@ Attempt to back up any of the files on the computer.

Incident Report Format

UNIT INFORMATION

TARGET INFORMATION

SOURCE INFORMATION

Continuity of Operations (COOP)

For federal agencies, continuity of operations planning is nothing new. Signed in 1988, Executive Order 12656 called
for each agency to ensure it could continue to provide services during an emergency, but the order did not specify how
to execute a COOP plan. Presidential Decision Directive 67, issued in 1998, lent more specificity to COOP. It stated that
agencies should plan for all types of hazards, from floods and fires to terrorist attacks. Agencies should have
alternate facilities that could be operational within 12 hours of a disaster, and the COOP should be sustainable for 30
days.


Army Continuity of Operations Program Regulation

This regulation details Army Continuity Program policy in accordance with Department of Defense guidance (DODD
3020.26), ensures continuity of mission-essential functions under all circumstances, establishes the requirement for
annual continuity exercises, and requires centralized coordination of alternate headquarters and emergency
relocation facilities.

Contingency Planning Process

Contingency planning follows a simple seven-step formula:

1. Develop the contingency planning policy statement
2. Conduct the business impact analysis (BIA)
3. Identify preventive controls
4. Develop recovery strategies
5. Develop an IT contingency plan
6. Plan testing, training, and exercises
7. Plan maintenance

Contingency Strategies

There are plenty of strategies to draw from when putting together a COOP. Below are a few examples of
contingency strategies, grouped by platform type.

Desktop and Portable Systems

@ Document system and application configurations
@ Standardize hardware, software, and peripherals
@ Provide guidance on backing up data
@ Ensure interoperability among components
@ Coordinate with security policies and controls
@ Back up data and store offsite
@ Back up applications and store offsite
@ Use alternate hard drives
@ Image disks
@ Implement redundancy in critical system components
@ Use uninterruptible power supplies


 


Servers

@ Document system and application configurations
@ Standardize hardware, software, and peripherals
@ Ensure interoperability among components
@ Coordinate with security policies and controls
@ Back up data and store offsite
@ Back up applications and store offsite
@ Implement fault tolerance in critical system components
@ Replicate data
@ Implement redundancy in critical system components
@ Use uninterruptible power supplies

Web Sites

@ Document the web site
@ Code, program, and document the web site properly
@ Coordinate with security policies and controls
@ Consider contingencies of the supporting infrastructure
@ Implement load balancing
@ Coordinate with incident response procedures

Local Area Networks

@ Document the LAN
@ Coordinate with vendors
@ Coordinate with security policies and controls
@ Identify single points of failure
@ Implement redundancy in critical components
@ Monitor the LAN
@ Integrate remote access and wireless local area network technology

There are many things that a COOP could contain. Your COOP is your answer to disaster. When writing your COOP,
you briefly describe the procedures (contingency plan) that would be followed to ensure the application/system
continues to be processed or to operate if the supporting IT systems were unavailable, and you provide the detailed
plans as an attachment.

There are plenty of things to consider when putting your COOP together, including the following:

@ Are tested contingency plans in place to permit continuity of mission-critical functions in the event of a
catastrophic event?
@ Are tested disaster recovery plans in place for all supporting IT systems and networks?
@ Are formal written emergency operating procedures posted or located to facilitate their use in emergency
situations?
@ How often are contingency, disaster, and emergency plans tested? You should always test your disaster
recovery and contingency plans regularly.
@ Are all employees trained in their roles and responsibilities relative to the emergency, disaster, and
contingency plans?
@ Any agreements for backup processing (e.g., hot site contract with a commercial service provider).
@ Documented backup procedures including frequency (daily, weekly, monthly) and scope (full backup,
incremental backup, and differential backup).
@ Location of stored backups (off-site or on-site).
@ Generations of backups kept.
@ Coverage of backup procedures, e.g., what is being backed up.

Part of planning for continuity of operations is deciding where to base your system recovery efforts. Depending
on the criticality of your mission, you may want to establish a backup location to operate from in the event that
disaster happens. Backup sites are often referred to as hot, warm, or cold sites.

@ Hot site: A site ready to be operational within a short period of time. Hot sites need to be tested frequently
to ensure the switchover runs smoothly and quickly. Very expensive, but offers the greatest insurance of
continuing operations.
@ Warm site: Similar to a hot site but without all the duplicate servers or computers that would be needed to
facilitate an immediate switchover. Normally this is a facility which offers network connectivity but requires
the original equipment or duplicate equipment to be brought to it. This is the most widely used form but is
hard to test and may not be immediately available following a disaster.
@ Cold site: An empty facility with some basic features such as wiring and some environmental protection, but
no equipment. This is the least expensive option but offers the least advantage when disaster strikes.

Alternate Site Selection Criteria

Site            Cost       Hardware Equipment   Telecommunications   Setup Time   Location
Cold Site       Low        None                 None                 Long         Fixed
Warm Site       Medium     Partial              Partial/Full         Medium       Fixed
Hot Site        Med/High   Full                 Full                 Short        Fixed
Mobile Site     High       Dependent            Dependent            Dependent    Not Fixed
Mirrored Site   High       Full                 Full                 None         Fixed

DIACAP

The DoD Information Assurance Certification and Accreditation Process (DIACAP) is a process that supports and
complements the net-centric, Global Information Grid (GIG)-based environment. The DIACAP establishes a standard
process for:

@ Identifying, implementing, and validating standardized IA Controls
@ Authorizing the operation of DoD information systems
@ Managing an IA posture across the DoD information system life cycle

The core activities of the DIACAP are consistent with:

@ DoDD 8500.01E
@ DoDI 8500.2
@ DoDD 8100.1
@ DoDI 8510.01
@ Federal Information Security Management Act (FISMA) of 2002

DIACAP Key Characteristics

@ Dynamic process (you will always be reviewing and updating your documentation, attending DIACAP
workshops, and making modifications as the process changes and grows)
@ IA posture reviewed not less than annually
@ DoD enterprise C&A decision structure
@ DIACAP Scorecard -- conveys compliance with assigned IA Controls and the IS C&A decision status
@ IA controls may be augmented at the DoD Component level and IS level
@ Implements baseline (enterprise) level IA Controls based on the IS Mission Assurance Category (MAC) and
Confidentiality Level (CL)

ß Mission Assurance Category (MAC): Applicable to DoD information systems, the mission
assurance category reflects the importance of information relative to the achievement of DoD goals
and objectives, particularly the warfighters' combat mission. Mission assurance categories are
primarily used to determine the requirements for availability and integrity. The Department of
Defense has three defined mission assurance categories.

ß Confidentiality Level (CL): Applicable to DoD information systems, the confidentiality level is
primarily used to establish acceptable access factors, such as requirements for individual security
clearances or background investigations, access approvals, and need-to-share determinations;
interconnection controls and approvals; and acceptable methods by which users may access the
system (e.g., intranet, Internet, wireless). DoDI 8500.2 defines three confidentiality levels:
classified, sensitive, and public.

DIACAP Resources

@ The DIACAP Knowledge Service (DODI 8510.bb, encl. 5)
ß A Web-based, DoD PK-enabled DIACAP knowledge resource that provides current GIG IA
Certification and Accreditation guidelines
ß A library of tools, diagrams, process maps, documents, etc., to support and aid in execution of the
DIACAP
ß A collaboration workspace for the DIACAP user community to develop, share, and post lessons
learned and best practices
ß A source for IA news and events and other IA-related information resources

        


 
   

     
 



@ The eMASS (Enterprise Mission Assurance Support Service) provides automation and management of the
DoD IA Program, while integrating other IA services.
ß An OASD(NII) Research and Development Initiative
ß An Integrated System for Select Core IA Program Management Processes
ß Designed to Support the DoD 8500-series Policy Framework
ß Planned to Support DCID 6/3 (Intelligence Community) and NIST SP 800-37/53 (Civil) in Future
Versions
ß Being reviewed during the pilots as the candidate for the DoD Core Enterprise Service for IA
Program Management
ß An IATAC endeavor: government owned, not proprietary

eMASS Features

ß Automation
1. Creates a C&A package for management of each registered system
2. Eliminates need for users to manually track down controls or related documentation
3. Notification, workflow, and workload status features enable users to track detailed, current
status of each registered system

ß Accountability
1. DoD PKI and auditing features enable tracking of each transaction
2. Roles-based access control enhances system security
3. Tracks all registered enterprise systems and provides current, detailed status of each

ß Extensibility
1. Scalable to any enterprise, regardless of size and mission

ß Flexibility
1. Designed to support multiple IA requirements types
2. Roles and Permissions can be customized to fit each enterprise's structure

eMASS Services

ß Certification and Accreditation Service


1. C&A package creation tool
2. System Registration with Component IA Program
3. IA control set selection (baseline and supplemental)
4. Validation Test implementation
5. Set and manage recurring events
6. Create and manage artifacts
7. Track and manage validation/revalidation

ß Controls Administration Service


1. View, add, delete, or modify control sets, subject areas, and controls
2. Write validation procedures and attach implementation guidance

ß Reports
1. Generate reports on C&A process, controls, users, and system status
2. Flexibility allows users to generate reports on specific information types
3. Eliminates need for large volumes of hardcopy documents (e.g., DITSCAP SSAA)
ß System Administration
1. eMASS System management/maintenance console for users with Administrator privileges

Definitions and Acronyms (8510.bb Interim DoD C&A Guidance, July 6, 2006, Encl. 2)

Purpose

@ Establishes the DoD information assurance (IA) certification and accreditation (C&A) process for authorizing
the operation of DoD information systems consistent with the Federal Information Security Management Act
(FISMA), DoD Directive (DoDD) 8500.1, and DoD Directive 8100.1.

@ Supports net-centricity through an effective and dynamic IA C&A process.

@ Provides visibility and control of the implementation of IA capabilities and services, the C&A process, and
accreditation decisions authorizing the operation of DoD information systems, to include Core Enterprise
Services (CES) and web services-enabled software systems and applications.

Applicability

The Office of the Secretary of Defense (OSD), the Military Departments, the Chairman of the Joint Chiefs of Staff
(CJCS), the Combatant Commands, the Inspector General of the Department of Defense, the Defense Agencies, the
DoD Field Activities, and all other organizational entities within the Department of Defense (hereafter referred to
collectively as the DoD Component(s)).

All DoD-owned or controlled information systems that receive, process, store, display or transmit DoD information,
throughout the entire System Life Cycle (SLC) and regardless of classification or sensitivity, including but not limited
to:

@ DoD information systems that support special environments, e.g., Special Access Requirements (SAR), as
supplemented by the special needs of the program.
@ Information systems under contract to the Department of Defense.
@ Information systems of Non-appropriated Fund Instrumentalities.
@ Stand-alone information systems.
@ Mobile computing devices such as laptops, handhelds, and personal digital assistants operating in either
wired or wireless mode, and other information technologies as may be developed.
@ DoD information systems that are Prototypes or Advanced Concept Technology Demonstrations (ACTDs).

Date: July 06, 2006.

DIACAP Team
The officials responsible for implementing the DIACAP for a DoD information system. At a minimum the DIACAP
Team includes the DAA, the CA, the SIAO, the DoD information system PM or SM, the DoD information system IAM,
IAO, and a User Representative.

Designated Accrediting Authority (DAA): Official with the authority to formally assume responsibility for operating a
system at an acceptable level of risk. This term is synonymous with Designated Approving Authority and Delegated
Accrediting Authority.

Certifying Authority (CA): The senior official having the authority and responsibility for the certification of
information systems governed by a DoD Component IA Program.

Senior Information Assurance Officer (SIAO): Official responsible for directing an organization's information
assurance program on behalf of the organization's CIO.

Program Manager (PM) or System Manager (SM): Official responsible for the early and seamless integration of information
assurance into and throughout the system life cycle of an assigned DoD information system.

Information Assurance Manager (IAM): The individual responsible for the information assurance program of a DoD
information system or organization. While the term IAM is favored within the Department of Defense, it may be used
interchangeably with the title Information Systems Security Manager (ISSM).

Information Assurance Officer (IAO): An individual responsible to the IAM for ensuring that the appropriate
operational IA posture is maintained for a DoD information system or organization.

User Representative: Individual or organization that represents the user community in the DIACAP.

Roles and Responsibilities

The DAA, in addition to the responsibilities established in DoDI 8500.2, shall:

@ Comply with GIG MA PAA(s) direction.

@ Ensure each DoD information system complies with applicable DoD baseline IA Controls in order to
interconnect with the GIG.

@ Ensure assigned systems have appropriate data management and sharing policies according to DoDI
8500.2 and implement security requirements for classified and controlled unclassified information, including
establishing security classification guides according to DoD Regulation 5200.1-R.

@ Ensure that appropriate access policies are established for all information being produced by the assigned
information systems, and that the established roles and privileges are consistent with defined enterprise
roles and privileges.

@ Authorize or deny testing or operation of assigned DoD information systems.




 
The Program Manager or System Manager (PM or SM) for DoD information systems shall:

@ Ensure that each assigned DoD information system has a designated Information Assurance Manager (IAM)
with the support, authority and resources to satisfy the responsibilities established in DoDI 8500.2 and
Interim DIACAP

@ Implement the DIACAP for assigned DoD information systems.

@ Plan and budget for IA Controls implementation, validation and sustainment throughout the system life cycle,
to include timely and effective configuration and vulnerability management.

@ Ensure that Information System Security Engineering (ISSE) is employed to develop or modify the IA
component of the system architecture in compliance with the IA component of the GIG Architecture and to
make maximum use of enterprise IA capabilities and services.

@ Identify and implement software quality controls and validation methods for assigned DoD information
system programs that develop or integrate software.

@ Enforce accreditation decisions for hosted or interconnected DoD information systems.

@ Develop, track, and resolve the DIACAP Implementation Plan for assigned DoD information systems.

The User Representative shall:

@ Represent the operational interests of the user community in the DIACAP.

@ Support the IA Controls assignment and validation process to ensure user community needs are met.

@ Work with information owners and Communities of Interest to ensure that data management and sharing
policies and any required security classification guidelines are developed.


  
The IAM, in addition to the responsibilities established in DoDI 8500.2, shall:

@ Support the PM or SM in implementing the DIACAP.


@ Advise and inform the governing DoD Component IA Program on DoD information C&A status and issues.

@ Comply with information and process requirements of the governing DoD Component IA Program.

@ Provide direction to the Information Assurance Officer (IAO) according to DoDI 8500.2.

@ Coordinate with the organization Security Manager to ensure issues affecting the organization's overall
security are addressed appropriately.

DIACAP Training
The Defense Information Systems Agency (DISA) is responsible for the DoD-wide DIACAP training program. While
the DIACAP Knowledge Service is a primary source of information and implementation guidance for the community,
DISA is providing a training program for IA professionals that is expected to cover the DIACAP and associated
functions. This training will focus on the understanding and execution of the DIACAP, including the Knowledge
Service, while also providing insight into the use of eMASS. This will include role based training on the concepts of
the instruction, the required activities of each role, and how to use the DIACAP activities in conjunction with the tools
provided by DoD. As with other training programs, DoD Components will identify those individuals requiring training
and will work with DISA to ensure personnel receive the training required for their position.





IA Certification and Accreditation overview (encl. 3) describes the DoD processes for identifying, implementing,
validating, certifying, and managing IA capabilities and services, expressed as IA Controls, and authorizing the
operation of DoD information systems in accordance with statutory, Federal and DoD requirements. It also describes
the processes for configuration management of DoD IA Controls and supporting implementation materials. Within the
Department of Defense, IA C&A is comprised of activities and roles that are distributed across all levels of the DoD
organization and GIG governance structures, and across all stages of the life cycle of both the IA Component of the
GIG and individual information systems.

Assignment is made according to Mission Assurance Category and Confidentiality Level:

@ Mission Assurance Category I (MAC I): Systems handling information that is determined to be vital to the
operational readiness or mission effectiveness of deployed and contingency forces in terms of both content
and timeliness. The consequences of loss of integrity or availability of a MAC I system are unacceptable and
could include the immediate and sustained loss of mission effectiveness. MAC I systems require the most
stringent protection measures. MAC I systems require high integrity and high availability.

@ Mission Assurance Category II (MAC II): Systems handling information that is important to the support of
deployed and contingency forces. The consequences of loss of integrity are unacceptable. Loss of
availability is difficult to deal with and can only be tolerated for a short time. The consequences could include
delay or degradation in providing important support services or commodities that may seriously impact
mission effectiveness or operational readiness. MAC II systems require additional safeguards beyond best
practices to ensure assurance. MAC II systems require high integrity and medium availability.

@ Mission Assurance Category III (MAC III): Systems handling information that is necessary for the conduct
of day-to-day business, but does not materially affect support to deployed or contingency forces in the short
term. The consequences of loss of integrity or availability can be tolerated or overcome without significant
impacts on mission effectiveness or operational readiness. The consequences could include the delay or
degradation of services or commodities enabling routine activities. MAC III systems require protective
measures, techniques or procedures generally commensurate with commercial best practices. MAC III
systems require basic integrity and availability.

Confidentiality levels are determined by whether the system processes classified, sensitive, or public information.

Mission assurance categories and confidentiality levels are independent.

The nine combinations of Mission Assurance Category and Confidentiality Level establish nine baseline IA levels that
may coexist within the GIG.

Mission Assurance Category and Confidentiality Level    Baseline IA Controls (DoDI 8500.2)

MAC I, Classified      Encl. 4, Attachments A1 and A4
MAC I, Sensitive       Encl. 4, Attachments A1 and A5
MAC I, Public          Encl. 4, Attachments A1 and A6
MAC II, Classified     Encl. 4, Attachments A2 and A4
MAC II, Sensitive      Encl. 4, Attachments A2 and A5
MAC II, Public         Encl. 4, Attachments A2 and A6
MAC III, Classified    Encl. 4, Attachments A3 and A4
MAC III, Sensitive     Encl. 4, Attachments A3 and A5
MAC III, Public        Encl. 4, Attachments A3 and A6

(Attachments A1 through A3 carry the MAC I, II and III control sets; A4 through A6 carry the classified, sensitive and
public control sets. Each system draws one attachment from each group.)

DIACAP Activities

1. Initiate and Plan IA C&A: This activity includes registering the system with the governing DoD Component
IA Program, assigning IA Controls, assembling the DIACAP Team, and initiating the information system's
DIACAP Implementation Plan.

A. Indicate DIACAP Package workflow (register system; assemble team)


B. Assign IA controls and other requirements
C. Conduct Analysis of system life cycle status and configuration (i.e initiate DIACAP implementation
plan)
D. DIACAP Implementation Plan concurrence

2. Implement and Validate Assigned IA Controls: This activity includes all tasks related to the execution of
the DIACAP Implementation Plan. Each assigned IA Control is implemented according to the applicable
implementation and validation requirements and expected results described in the DIACAP Knowledge
Service. IA Controls may be individually validated as they are completed, or they may be validated by sub-
entity of the DoD information system, Subject Area, or other organizing scheme established by the DIACAP
Team; therefore, implementation and validation activities may be occurring in parallel. Validation includes all
tasks related to the execution of the Validation Procedures that are associated with assigned IA Controls.
Validation Procedures are maintained through the DIACAP CCM and published in the DIACAP Knowledge
Service. Each Validation Procedure describes requisite preparatory steps and conditions, actual validation
steps, expected results, and criteria and protocols for recording actual results, and may include associated
supporting background material, sample results, or links to automated testing tools. Actual results are
recorded according to the criteria and protocols specified in the Validation Procedure and are made a
permanent part of the comprehensive DIACAP package, along with any artifacts produced during the
validation, e.g., output from automated test tools or screen shots that depict aspects of system configuration.
The status of actual results for all assigned Validation Procedures is compiled into a DIACAP Scorecard,
further discussed and illustrated in Enclosure 4 of this Instruction.
A. Validate IA Controls
B. Analyze and compare actual results against expected results in the validation activities
C. Plan of Action & milestones (POA&M)
D. Compile Validation Results
E. Compile and PM Review comprehensive DIACAP package

3. Make Certification Determination and Accreditation Decision: The certification determination is based
on the validation actual results. It considers Impact Codes associated with IA Controls in a non-compliant
status, associated Severity Codes, expected exposure time (i.e., the projected life of the system release or
configuration minus the time to correct or mitigate the IA security weakness), and cost to correct or mitigate
(e.g., dollars, functionality reductions). The accreditation decision always applies to an operationally ready
instance of a DoD information system and is a balance of mission or business need, protection of personal
privacy, protection of the information being processed, and protection of the information environment, and
thus, by extension, protection of other missions or business functions reliant upon the shared information
environment.

A. Perform initial certification review


B. Make certification recommendations
C. Make accreditation decision
a. Revise DIACAP implementation (if needed)
b. Conduct live testing within specified timeframe (if needed)
c. Execute POA&M (if needed)
d. ATO (Authorization To Operate)

4. Maintain Authorization to Operate and Conduct Reviews: Continued authorization to operate is
contingent upon the sustainment of an acceptable IA posture. The DoD information system IAM has primary
responsibility for maintaining situational awareness and initiating actions to improve or restore IA posture.

A. Maintain situation awareness, monitors security related events, evaluate and recommend IA
controls
B. Annual reviews
C. Re-accreditation (every 3 years)

5. Decommission: When a DoD information system is removed from
operation, a number of IA-related events are required relative to the disposition of DIACAP registration
information and system-related data or objects in GIG supporting IA infrastructures and core enterprise
services such as key management, identity management, service management, privilege management,
policy management, and discovery. Requirements and procedures change over time as the GIG EIE
changes and these changes are maintained through the DIACAP CCM and published in the DIACAP
Knowledge Service.

A. Decision to retire system


B. Retire system


Wireless Networking

Wireless local area networks (WLANs) have rapidly grown in popularity during the past decade. Many electronic
devices now ship with an embedded wireless card that utilizes the 802.11 wireless protocol. This allows laptops,
netbooks, PDAs, personal computers, servers, and many other devices to communicate with each other wirelessly, at
speeds traditionally only supported by hard-wired equipment. The 802.11a/b/g/n suite of protocols offers data rates
ranging from 11 to 300 Mb/s in the unlicensed 2.4 GHz and 5 GHz frequency bands. The key stipulation with engineering
and deploying wireless LANs is determining the coverage area (which may be limited to a few hundred feet indoors,
or less depending on the type of building construction you are attempting to transmit wireless signals through) and
implementing methods to deal with the increased exposure to packet interception and injection. These conditions are
aggravated by the need to provide adequate wireless coverage, requiring engineers to amplify and sometimes
"blanket" the wireless coverage area.

Wireless Security

Most computer networks utilize copper or fiber optic hard-wired cable for transmitting data between workstations,
servers, switches, and routers. Although this method of transmission medium is reliable and fast, many organizations
seek an alternative means to provide more flexibility to clients that require the freedom a wireless solution can
provide, such as the ability for a technician to carry a small PDA with them that links back into the helpdesk system.
The challenge with securing a wireless network is protecting data packets broadcast into the air, traveling several
hundred, and potentially several thousand, feet. An adversary sitting outside in the parking lot or in the building next
door (or way down the street, with the help of a high-gain antenna) can both intercept and inject traffic flowing
between your wireless equipment. This exposure to attack requires you to implement a more aggressive
security posture towards securing your wireless network than you would towards securing a wired network.
Inadequate planning and inappropriate use of wireless networks within the Army can needlessly expose network
systems to attack. Here are a few common wireless deployment MISTAKES to avoid:

@ Failure to use authorized wireless equipment, as listed on the Army's IA Tools list (found at:
https://www.acert.1stiocmd.army.mil )
@ Failure to perform firmware updates and patch management activities on wireless equipment
@ Failure to configure and periodically change wireless equipment passwords as determined by AR 25-2
@ Failure to configure adequate authentication AND encryption (per Army and DOD Policy)
@ Failure to physically secure the access point (and access point controllers)
@ Allowing users to bring in devices from home and setup their own personal (ad-hoc) unauthorized
workstations and networks
@ Failure to monitor the wireless network, or configure monitoring, to identify rogue access points and other
wireless clients

Wireless Policy and Guidance

As an IASO you will be responsible for enforcing IA policies and occasionally you may be required to help create
policy. You are highly encouraged to thoroughly review and stay current on the following:
DoDD 8100.2, Use of Commercial Wireless Devices, Services, and Technologies in the Department of Defense (DoD)
Global Information Grid (GIG)

Note: This directive does NOT apply to:

@ IS or SCIFs, as DCID would apply to these facilities


@ Receive-only pagers, GPS receivers, hearing aids (and other medical implanted devices)
@ The detection sensor of a PED, Barcode System, or RFID
Purpose and Scope:

@ Establishes policy and responsibility for commercial wireless devices and promotes joint interoperability
using open standards across the GIG
@ Directs and promotes the sharing of wireless technologies and vulnerability mitigation strategies
@ Identifies compliance requirements (8500.1) for all wireless devices and services
@ Details FIPS encryption requirements
@ Defines conditions for transmitting classified data per DAA approval
@ Lists wireless monitoring (sensing) and auditing requirements
@ Provides guidance on roles and responsibilities

DoD Wireless STIG

@ Provides direction on DOD Wireless Policy


@ Details operational compliance requirements
@ Network Device Configuration
@ Client Configuration
@ Classified WLANs
@ Bluetooth
@ WiMax
@ RFID
@ Free Space Optic
@ Wireless VoIP
@ Wireless Keyboards and Mice
@ PDA and Smartphone Compliance

DoD Wireless STIG (technology details)

@ Details 802.11 WLAN Technologies


@ SSID Configuration
@ MAC Address Filtering
@ WEP, WPA, & WPA2
@ DOD WLAN Security Boundary Implementation Requirements
@ WLAN Requirements (Classified and Unclassified)
@ Bluetooth WPAN
@ Wireless Mice and Keyboards
@ VoIP WLAN Systems
@ RFID Technologies
@ EAP-TLS (EAP transport layer security)
@ Details Wireless PED Technologies
@ 1st, 2nd, 3rd Generation Cell Technologies
@ SMS & Cell Phone Security
@ Wireless Two-Way (Paging and Email)
@ PDA Technologies (Palm, Windows Mobile, Symbian, Java, & Linux)
@ Device File Encryption & Tethering
@ Secure Mobile PEDs & Compliance Requirements

AR 25-2, wireless and PED requirements

@ Defines areas where PEDs may be utilized


@ Defines identification and authentication requirements
@ Specifies PED security awareness training
@ Requires PEDs and Wireless LANs to meet the same C&A requirements as wired LANs
@ Specifies requirements for testing, analysis, and risk assessments


Army IA Best Business Practice (BBP), Wireless Security
@ Addresses 802.11 and 802.16 wireless technologies


@ Discusses vulnerabilities and exposures driven by the use of wireless technologies
@ Details Approval to Connect, Mitigation Plan, and Assessment requirements
@ Specifies WLAN security requirements
@ Provides component configuration requirements
@ Lists prohibited standards and protocols (e.g. Bluetooth Wireless Headsets)
@ Specifies training requirements


Intrusion Detection Systems (IDS) and Intrusion Prevention Systems (IPS)

An intrusion detection system watches for attacks and reports them; an intrusion prevention system also acts to stop
them. Legacy intrusion identification devices were typically passive, detection-only systems. They would read in a
combination of static and dynamic signatures and record or alert on any activity that matched a signature. The
drawback with detection-only systems is that they simply record the criminal hacking activity, failing to actually
prevent the attack. Many organizations felt it was essential to not only detect, but stop or prevent the attack from
succeeding. This need forced many IDS vendors to evolve the capability of their software to support intrusion
prevention. An intrusion identification system can be classified as a prevention system when it actively stops or
thwarts a data packet or software application from delivering its payload for execution.

Host-based vs. Network-based

A host or host-based intrusion detection/prevention system is only concerned with monitoring the activities that are
occurring on "it", the local host. Antivirus is a good example of host-based IDS/IPS software. Your Antivirus only
scans the local memory and physical drives for different types of malware. It is not concerned with the status of
malware on other disparate systems. A network-based system is only concerned with the data that is flowing by on
the network, e.g. Ethernet traffic. Assuming most malware can be detected in memory, on the hard drive, or while
being transmitted over the network, host and network intrusion detection systems work together to identify malware
as it exists in a mixture of environments.

False Positives and False Negatives

A false positive is categorized as an event in which the IDS/IPS has positively identified an attack (by the criterion
specified in the signature), but the attack turns out to be false or a benign event. We categorize it as being a positive,
in that the IDS/IPS is doing its job, per the signature that was fed into it, but the events that led up to the alert and the
circumstances surrounding the event lead us to believe this really was not a legitimate attack. As a result, this activity
may require us to tweak or correct the IDS/IPS signature to prevent future alarms from triggering on this benign
activity.

A false negative is categorized as an event in which the IDS/IPS has failed (hence the negative) to identify an actual
attack (based on the criterion specified in the attack signatures). There are a number of reasons why the IDS/IPS
may have failed to alert us to a legitimate attack. One reason may be due to the sensor being configured incorrectly
and thus failing to properly identify internal and external traffic. Another reason may simply be that the IDS/IPS
signature was not fully tested prior to being implemented. Subsequently, another common reason for the IDS/IPS
failing to alert during a legitimate attack may be due to the attacker's use of encryption to hide the content of the
attack signature from the IDS/IPS analysis engine.
Pass-by vs. Pass-through Deployment

There is an ongoing debate over which deployment scenario (pass-by or pass-through) is more effective and efficient.
One is not necessarily better or more effective than the other. It typically depends on your network architecture and
the ratio of homogeneity to heterogeneity in your network protocols, along with the expected line speed (processing
power) of the detection/prevention device.

A pass-by solution is sometimes called an IDS/IPS "on a stick", see figure 13.1 below.

A copy of the packets flowing from the private network to the public network will be passed into the IDS/IPS. This is
where the solution gets its "on a stick" designation. In this pass-by monitoring configuration, the traffic is not really
flowing through the IDS/IPS, but a copy of the traffic is sent to the IDS/IPS while the original packet travels to the
Public Network. If the IDS/IPS identifies an anomaly with the packet, the IDS/IPS can either log/record the activity or
inject a TCP reset back through the Core Switch and tear down the connection between the Client and the Public
Network. Because the original packet has already been delivered by the time the reset arrives, a pass-by sensor can
only cut off what follows; an attack that completes within the packets already seen is not stopped.

A pass-through solution (see Figure 13.2 below) is deployed inline with the flow of network traffic from the Client to
the Public Network. This is often accomplished by creating a Layer2 bridge between the Firewall and the Core
Switch, or by configuring a Layer3 forwarding service to route packets from the Private Network to the Public
Network. If the IDS/IPS identifies an anomaly with the packet, the IDS/IPS can log/record the event and pass the
packet on, or terminate/drop the packet on the spot, preventing the attack from being successful.
 
Application Protocol-based Intrusion Detection Systems (APIDS)

Application Protocol-based Intrusion Detection Systems are commonly placed between a front-end and back-end
system to monitor the remote procedure methods or operand calls to the back-end system. A good example would be
an APIDS connected in series between a public web server and its back-end SQL database. The APIDS will monitor
for inappropriate SQL requests and drop packets that violate acceptable operation events. In a similar scenario the
APIDS may also be deployed as a host-based IDS/IPS on the public web server itself or may be installed on the
back-end SQL database.
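The following Python sketch is an added example, not part of this course material or of any DoD or vendor product. It shows the kind of check an APIDS sitting between a web front end and its SQL back end performs: each statement is reduced to a shape with its literals removed, compared against an allow list of shapes learned from the application's legitimate queries (behavior-based), and also run against a few knowledge-based rules for stacked queries, comment truncation, UNION and tautologies. The allow list, the rule set and the sample statements are all constructed for the example; a fielded product would tokenize SQL properly rather than use regular expressions.

```python
import re

# --- Shape normalisation -------------------------------------------------
# Collapse string and numeric literals to '?' so that statements which differ
# only in their parameters ("WHERE id = 17" vs "WHERE id = 4242") share a shape.
_STRING = re.compile(r"'(?:[^']|'')*'")      # single-quoted SQL string, '' escapes a quote
_NUMBER = re.compile(r"\b\d+(?:\.\d+)?\b")
_WS = re.compile(r"\s+")

def shape(sql):
    s = _STRING.sub("?", sql)      # strings first, so digits inside them never count
    s = _NUMBER.sub("?", s)
    return _WS.sub(" ", s).strip().lower()

# --- Knowledge-based rules -----------------------------------------------
# Applied to the shape, not the raw text, so a legitimate literal such as
# 'two--way radios' cannot trip the comment rule.
RULES = {
    "stacked-query": re.compile(r";\s*\S"),                 # a second statement after ';'
    "comment":       re.compile(r"--|/\*"),                 # truncates the rest of the query
    "union-select":  re.compile(r"\bunion\b.*\bselect\b"),  # pulls rows from another table
    "tautology":     re.compile(r"\bor\b\s*\?\s*=\s*\?"),   # OR '1'='1' after normalisation
}

# --- Behavior-based allow list -------------------------------------------
# Constructed: shapes the front-end application is known to issue. In practice
# these are learned by recording traffic during a clean baseline period.
ALLOWED_SHAPES = {shape(q) for q in [
    "SELECT id, name, email FROM users WHERE id = 17",
    "SELECT name, price FROM products WHERE category = 'radios' ORDER BY price",
    "UPDATE users SET last_login = '2009-03-02 10:00:00' WHERE id = 17",
]}

def inspect(sql):
    """Return ('ALLOW', []) or ('DROP', [reasons]) for one statement."""
    s = shape(sql)
    reasons = [name for name, rx in RULES.items() if rx.search(s)]
    if s not in ALLOWED_SHAPES:
        reasons.append("unknown-shape")
    return ("DROP" if reasons else "ALLOW", reasons)

if __name__ == "__main__":
    # Constructed traffic: two legitimate requests followed by three injection attempts
    for stmt in [
        "SELECT id, name, email FROM users WHERE id = 4242",
        "SELECT name, price FROM products WHERE category = 'two--way radios' ORDER BY price",
        "SELECT id, name, email FROM users WHERE id = 1 OR '1'='1'",
        "SELECT id, name, email FROM users WHERE id = 1; DROP TABLE users",
        "SELECT name, price FROM products WHERE category = 'x' UNION SELECT email, password FROM users",
    ]:
        print(inspect(stmt), stmt)
```

The two halves cover each other's gaps: the shape allow list drops an injection even when no rule recognises it (any injected clause changes the shape), and the rules explain why a statement was dropped so the analyst can tell an attack from a newly deployed, not-yet-baselined query.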

Knowledge-based vs. Behavior-based

A knowledge-based IDS/IPS system works on the premise that it already has all of the signatures (prior knowledge)
necessary to identify and respond to an attack. Analyzing and learning from prior attacks allows an IDS/IPS signature
(or rule) writer to identify key (sometimes repetitive) attributes of an attack and effectively recognize the recreation of
these elements. Once an attack is discovered by the industry, it is dissected to extract the common pattern or string
that will then be used to write a signature (commonly built with a regex expression) for future detection or prevention.

A behavior-based IDS/IPS system relies on the statistical accumulation of normal (expected) behavior of a program
or network packet. Alarms are configured to trigger, based on a percentage of variation from the acceptable baseline
(which may take some time to establish). Along with variations in normal activity the anomaly system may also alert
on trivial events, providing they appear peculiar. The existence of a friendly AppleTalk or IPX packet may trigger an
alert for simply being unusual.

Although there is no distinct and clear separation between knowledge-based and behavior-based systems, many
modern IDS/IPS devices are evolving into hybrid, best-of-breed solutions containing the beneficial attributes of both
signature and anomaly systems. Many vendors focus their efforts towards a particular capability, allowing the device
to be categorized as either a signature-based or an anomaly-based engine. Often the separate categories of host,
network, signature, and anomaly can be acquired through COTS systems as separate software/hardware packages
with various capabilities and add-ons. See table 13.1 below for signature and anomaly examples for host-based and
network-based systems.

Category   Signature (Knowledge-Based) Example                         Anomaly (Behavior-Based) Example

Host       Antivirus/antimalware engine using a DAT file to scan       Enumerating the web server's W3C-compliant log file for
           files/folders and memory locations for known attack         acceptable URI queries and stem values to establish a
           signatures                                                  baseline, and then periodically scanning the log file
                                                                       for stems and queries that differ from the baseline

Network    A Snort intrusion detection system configured to read in    Using an Ntop or Xangati device to collect flow data
           rule (signature) files and scan network traffic for         via NetFlow, sFlow, or SNMP to allow for visual
           Apache Web application attacks                              charting of traffic and protocol anomalies

Table 13.1
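The following Python sketch is an added example, not part of this course material or of any product. It runs both halves of the host row of table 13.1 over constructed W3C extended log lines (IIS field names): two signature rules matched against the decoded request, and a URI-stem baseline learned from a clean day of traffic. The four live records are chosen to reproduce the false positive and false negative described earlier in this section, once for each engine. The log lines and the two deliberately narrow rules are constructed.

```python
import re
from urllib.parse import unquote_plus

# Knowledge-based side: two signatures written the way a hurried rule author
# might write them, so the example can show where they over- and under-match.
SIGNATURES = {
    "dir-traversal": re.compile(r"\.\./"),                   # forward slash only
    "sqli-union":    re.compile(r"\bunion\s+select\b", re.I),
}

def parse_w3c(lines):
    """Yield one dict per record from W3C extended log lines (IIS style).
    '#Fields:' names the columns; other '#' directives and blank lines are skipped."""
    fields = None
    for line in lines:
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line.strip() and not line.startswith("#"):
            yield dict(zip(fields, line.split()))

def request_target(rec):
    """Stem plus query, decoded so the rules see what the web server saw."""
    query = "" if rec["cs-uri-query"] == "-" else "?" + rec["cs-uri-query"]
    return unquote_plus(rec["cs-uri-stem"] + query)

def signature_hits(rec):
    target = request_target(rec)
    return [name for name, rx in SIGNATURES.items() if rx.search(target)]

class StemBaseline:
    """Behavior-based side: URI stems observed during a clean learning period.
    Anything outside that set is reported as an anomaly, legitimate or not."""
    def __init__(self, training_records):
        self.known = {r["cs-uri-stem"].lower() for r in training_records}

    def is_anomalous(self, rec):
        return rec["cs-uri-stem"].lower() not in self.known

def analyze(training_lines, live_lines):
    baseline = StemBaseline(parse_w3c(training_lines))
    return [
        {"target": request_target(rec),
         "signature": signature_hits(rec),
         "anomaly": baseline.is_anomalous(rec)}
        for rec in parse_w3c(live_lines)
    ]

# Constructed logs. Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
TRAINING_LOG = """\
#Software: Microsoft Internet Information Services 6.0
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2009-03-02 10:00:01 10.1.1.5 GET /default.aspx - 200
2009-03-02 10:00:04 10.1.1.5 GET /search.aspx q=leave+form 200
2009-03-02 10:00:09 10.1.1.9 GET /kb/article.aspx id=42 200
2009-03-02 10:00:11 10.1.1.9 GET /images/logo.gif - 200
""".splitlines()

LIVE_LOG = """\
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2009-03-03 08:12:01 10.1.1.5 GET /search.aspx q=leave+form 200
2009-03-03 08:12:07 10.1.1.7 GET /search.aspx q=union+select+committee+minutes 200
2009-03-03 08:12:15 192.0.2.44 GET /scripts/..%5c..%5cwinnt/system32/cmd.exe /c+dir 404
2009-03-03 08:12:20 10.1.1.5 GET /about/team.aspx - 200
""".splitlines()

if __name__ == "__main__":
    for r in analyze(TRAINING_LOG, LIVE_LOG):
        print(f"{r['target']:55} sig={r['signature']} anomaly={r['anomaly']}")
```

Reading the four live records in order: the first is clean for both engines. The second is the signature engine's false positive, a search for "union select committee minutes" that contains exactly the text the rule looks for. The third is the signature engine's false negative, a traversal written with backslashes that the forward-slash rule never matches, but the stem baseline flags it because that path was never seen during learning. The fourth is a newly deployed page, the anomaly engine's own false positive; the stem baseline has to be re-learned after every release or that page will keep alerting.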

IDS/IPS Components
An IDS/IPS system can commonly be broken up into three separate components.

Component                                           Examples

Network/Host sensor (or engine)                     Snort Engine, Symantec 11 Engine
Logging Facility                                    Windows Eventlog, Syslog, SQL Server, Proprietary Eventlog
Console/Monitor/Configuration/Management Interface  Proprietary or Web-based interface. Typically ties into the
                                                    logging facility and sensor (for updates and configuration)
                                                    via CGI binaries such as Perl, PHP, Cobra, ASP.NET, etc.

Network TAPs



A network TAP (Test Access Point) can be found in a variety of flavors. Active, passive, aggregating,
non-aggregating: these are just some of the core options available. The monitoring requirements of the security
analyst will play a key role in choosing the best solution for the environment. The following table outlines common
TAP features:

TAP Feature         Description

Active              An active TAP allows the IDS/IPS system to inject frames back into the network,
                    allowing for active termination of the attack.
Passive             A passive TAP limits an IDS/IPS system to capture and monitor functions only. This
                    operates as an Rx (receive-only) interface, preventing the IDS/IPS system from
                    transmitting back into the network being monitored.
Aggregating         An aggregated (teamed, or bonded) TAP combines both the Tx and Rx traffic into one
                    channel, allowing the IDS/IPS sensor to monitor bidirectional traffic on one interface.
Non-aggregating     A non-aggregating TAP separates the Tx and Rx streams for separate analysis, or to be
                    recombined by the sensing/monitoring device.
Soft (or softTAP)   A soft TAP commonly refers to a dual-homed system that bridges the inbound and
                    outbound interfaces, allowing the IDS/IPS system to then monitor one of the bridged
                    interfaces.
Most TAPs combine two of the above TAP features for a specific purpose, e.g. an Active TAP that auto aggregates
the Tx and Rx channels to provide bi-directional monitoring for a pass-by IPS system; or a Passive TAP with non-
aggregating features used to capture separate Tx and Rx data being fed to a network analyzer device for
troubleshooting circuit problems. Modern IDS/IPS systems typically utilize pass-through bridging to act as a Soft-TAP,
or contain an integrated Active Aggregating hardware TAP that allows the device to monitor bidirectional traffic flow
and reset or drop connections when necessary.

Honeypots and Decoy Systems

A honeypot is a system or service developed and deployed with the intention of recording, logging, and learning from criminal attempts to compromise it. Here are some common honeypot configurations:

@ Configure a server/system as you would a production system, fully patch it, enable as much logging and
auditing as possible, and then monitor it for criminal hacking activity.
@ Load up a default operating system (unpatched), enable as much logging and auditing as possible, then
monitor it very closely for criminal hacking activity.
@ Utilize a program or script designed to emulate a production server. Typically, all connection attempts, to
include the payload sent from the attacker, will be logged for later analysis.

The depth by which you wish to trick, lure, or deceive your adversary determines the categorization of your
honeypot/deception system. Devices that modestly project banners and log the connection attempts of intruders are
referred to as decoy systems. A device that goes that extra mile to emulate the real operating system, or IS the real
operating system, would be categorized as a full deception system, or more generally, a honeypot.
There are very few instances where honeypots are authorized for deployment on Army information systems. This
type of activity commonly requires the participation of counterintelligence and specialized mission needs to assess
the attack posture of the enemy.

Meta IDS/IPS

A Meta IDS/IPS is a label used to describe an IDS/IPS architecture that uses a centralized log collection system to collect and correlate data from numerous event sources (IDSs, IPSs, switches, routers, firewalls, Active Directory servers, antivirus management servers, etc.). A common collection system will utilize a SQL database, a syslog server, an sFlow/NetFlow collector, and an SNMP collector, and may also perform text/XML-based extraction and collection.

The ability to collect from numerous sources allows the Meta IDS to more accurately perform trend analysis and event correlation between similar and disparate networks across the enterprise. Although most small and medium-sized businesses will not likely justify the cost of a Meta IDS/IPS system, larger enterprise networks can substantiate the expenditure for these more sophisticated intrusion identification systems.

Firewalls

"A firewall is a chokepoint device that has a set of rules specifying what traffic it will allow or deny passing through it. A firewall typically picks up where the border router leaves off and makes a much more thorough pass at filtering traffic. Firewalls come in several different types, including static packet filters, stateful firewalls, and proxies. You might use a static packet filter such as a Cisco router to block easily identifiable "noise" on the Internet, a stateful firewall such as a Check Point FireWall-1 to control allowed services, or a proxy firewall such as Secure Computing's Sidewinder to control content. Although firewalls aren't perfect, they do block what we tell them to block and allow what we tell them to allow."1
Why Firewalls Are Needed

Attacks on a network are orchestrated for various reasons. The attacker may want to steal proprietary information: passwords, social security numbers, credit card information, or technological secrets. The purpose of other attacks may be to delete data or make it inaccessible through some type of Denial of Service (DoS) attack. A third reason may be annoyance, to make a point, or to make your organization look foolish. According to the 2006 CSI/FBI Computer Crime and Security Study, 52% of respondents to the study reported unauthorized use of their computer systems. While this number includes some incidents that would not normally be associated with firewalls, it should nonetheless be a call to action to all administrators for a greater emphasis on network security.

Default Deny

How should the firewall process traffic when it is first installed on the network? One approach is to permit all traffic except that which is specifically denied (default permit). While this approach causes less disruption to existing services, it does so at a high cost: the security of our network. The approach favored by security professionals is often referred to as the "closed fist" approach (default deny). Using this approach, all traffic is denied except that which is specifically permitted. This approach errs on the side of security at the cost of network functionality; therefore, any new service that requires access through the firewall must be specifically permitted by the firewall administrator.


â 
 

The operating system (OS) upon which a software firewall resides must be hardened. Hardening an OS includes ensuring that it is fully patched, that any unnecessary services are disabled, and that it is properly configured according to best practices.
An appliance firewall is no different. Every appliance, whether switch, router, or firewall, has its own operating system. This OS must be patched and properly configured.

Filter Ingress and Egress Traffic

Network traffic flows both into (ingress) and out of (egress) our network. A firewall should be configured to examine both inbound and outbound traffic. By examining inbound packets for malicious activity and/or code, the firewall protects our internal network from outside threats, such as espionage and worms. By filtering outbound traffic, our firewall can prevent our network from being a launching platform for attacks upon other networks, prevent compromised data from being sent outside our network, and limit the effect of malware.


All Traffic Must Pass Through the Firewall

In order for a firewall to effectively control traffic flow, all traffic must be made to flow through the firewall. Any traffic
that bypasses the firewall has therefore bypassed our security, effectively creating a backdoor. This places our entire
network at risk. An example of this would be a user installing an unauthorized modem on their workstation to bypass
the network filtering policies, thus creating an unprotected entry point into our network.

Administration, Policy, and Users

Installing a firewall on your network is no guarantee of security. Many factors affect the effectiveness of a firewall: the firewall administrator, the firewall policies, and the security training of users. Poor management of the firewall or inadequate policies will negate the effectiveness of any firewall. A user sharing their password, however inadvertently, also negates our firewall.
Firewall Implementations

There are numerous possibilities for implementing a firewall:

Single Firewall

One way is to simply install the firewall between the private (protected) network and the unprotected network. In this case the firewall has two ports or network cards, an inside NIC (network interface card) and an outside NIC. The inside interface is connected to the network we wish to protect, while the outside interface is connected to the unprotected (untrustworthy) network.

Firewall with a DMZ

This approach provides additional security by creating a DMZ. In this design a DMZ is an area located in front of (outside) the firewall, between the border router and the firewall. A DMZ allows computers sitting in the DMZ to act as agents or proxies on behalf of computers located in the more protected internal LAN. These proxies broker requests onto the Internet on behalf of the computers sitting behind the firewall. The DMZ is also a good location to place publicly accessible services such as a web server, DNS (Domain Name System), or a mail relay agent. Notice that the DMZ is not entirely open, but is usually protected by a border router. The function of the border router is to provide the first line of defense for the DMZ and the internal network. The border router can provide a relatively fast method to filter traffic based upon such things as source and destination address, source and destination ports, protocols, and message types. The border router can eliminate significant amounts of "noise" traffic before it reaches the firewall, easing the burden on the firewall. This router then provides another layer to our layered security and is the first line of defense for inbound traffic, or the last area of our control for outbound traffic.

Firewall with a Screened Subnet

This approach utilizes a firewall with three network cards, often referred to as triple-homed, to effectively create an isolated network behind the protection of our firewall. The screened subnet typically hosts public services, such as web, mail, and DNS, similar to the aforementioned DMZ. These public hosts are offered more security than in a basic DMZ, because the firewall itself now filters the traffic reaching them, while still providing for the segregation of the two networks.

Multiple Firewalls

Another popular implementation is to install multiple firewalls inline. This approach allows for incremental layers of security as the network traffic passes deeper into our infrastructure, allowing us to set differing levels of security for different networks. As traffic proceeds into the more secure areas, it must pass more stringent filtering and be examined multiple times. Dual inline firewalls provide a useful means to separate networks while providing defense in depth. If one firewall is circumvented, the attacker must now attempt to circumvent another firewall. To make this even more effective, differing firewall products are often used, so that one vendor's flaw does not open both. This security does come with a price, however: the cost of purchasing and administering multiple firewalls, plus network latency.

Firewall Benefits

A properly implemented firewall provides many benefits, including a chokepoint for network traffic, user authentication, auditing and logging, and a central point of management. One of the greatest benefits of a firewall is of course enhanced security. With a single point of entry into a network, a chokepoint, we now have a central point of management from which to apply security policies to all traffic entering or exiting our network. Depending upon the type of firewall installed we may be able to simply block unwanted traffic, control services, or even control content. Firewalls also serve to hide our internal network from outsiders.

A firewall can also be configured to require user authentication. Users may be required to authenticate to use particular services or resources. Not only will services and resources be protected, but this also provides the ability to track users' activities.
Auditing and logging can also be enabled on the firewall to track authorized and unauthorized access attempts. Logs are also very important for tracking trends and statistics used for making policy decisions that impact network access and utilization, not to mention documentation for possible prosecution.

Firewall Costs

The benefits of adding a firewall far outweigh the costs, but these costs should be understood. An effective firewall implementation requires that all traffic pass through the firewall, and with all traffic passing through this single point a traffic bottleneck may develop. Not only does funneling the traffic create a bottleneck, but the filtering done by the firewall adds its own latency. As a firewall becomes more complex, from a simple access list examining a packet's header to an application layer firewall examining the payload or content of a packet, the latency increases proportionally. It is not only the type of firewall that determines latency, but also the access lists and policies assigned to it. As access lists grow longer and more complex, or the number of policies grows and they become more complex, the latency added to network traffic increases.

Applying a majority of our security policies in a single location or on a single device creates the potential for a single point of failure, whether that failure is in the firewall itself (for example, if it crashes) or in ineffective policies. A firewall that can no longer monitor traffic, such as one that has been disabled by a DoS attack, should by default stop all network traffic; that is, it should fail closed. In this example the DoS has not only brought down the firewall but has also brought down the network. Inadequate policies can also create a single point of failure in that our network has been opened up to attack through a single point. If the policies applied to the firewall are ineffective, we have little or no control over the traffic passing through the firewall. This may also create a false sense of security.

Implementing a firewall will no doubt cause some level of user frustration and may increase management responsibility. Services and applications that worked seamlessly may now not function at all. The administrator must have a detailed understanding of the network to make the proper configuration changes to allow specific types of traffic to pass. When new services are added, additional configuration may be required to set up and manage them. Proxy firewalls will also add to management responsibilities, as new proxies may need to be set up for the new services. Depending on the firewall type used, client-side applications may also need to be installed and managed.

Firewall Limitations

A firewall is not a panacea. It is one layer of the defense in depth strategy used to protect computer networks. It does
not negate the need for antivirus, antispyware, IDS/IPS, or regular security audits. A properly configured firewall will
work in tandem with these other technologies to provide multiple layers of security.

A firewall does not protect against inside attacks. A firewall only filters traffic that passes through it; therefore, traffic that stays inside our network is not subject to the firewall's policies. An insider attack is just as dangerous, if not more so, than an attack originating from the outside. IDS, IPS, and auditing are effective means to minimize the risk of insider attacks.

Firewalls can be bypassed. Poorly trained users may inadvertently bypass security by sharing passwords or failing to physically secure their devices. More malicious users may bypass the firewall in an attempt to circumvent the network policies. Backdoors embedded in software are also potential avenues to circumvent a firewall. Security awareness training is the best defense against poorly trained users. Physical checks, penetration testing, and regular reviews of audit logs can be effective tools for fighting the malicious user and for locating backdoors.

Finally, a firewall is only as good as the administrator and the policies he or she applies. Administrators make
mistakes; poorly trained administrators make more mistakes. A firewall administrator must continually train and
educate themselves about their specific firewall and networks. Also, they must be diligent about updating and
patching the firewall.
How Firewalls Work

To answer the question of how firewalls protect our network, we will segregate the types of firewalls into three groups;
static packet filtering, stateful packet inspection, and application gateways/proxies.

Static Packet Filtering


A static packet filtering firewall is the simplest method of filtering traffic. With this type of firewall, the packet header is
compared to rules or filters configured on the firewall. Then based upon these rules, the packet is either permitted or
denied. Each packet is examined individually without regard to other packets in the communications session.
Decisions are based upon the source and destination addresses, source and destination port numbers, and the
protocol. A router could be used as a static packet filtering firewall. Generally, these types of firewalls work at the
network or transport layers.

Static packet filtering firewalls have their own advantages and disadvantages. Advantages include their speed, low
cost, and that they require no additional client configuration. Disadvantages include complex access control lists,
allowing direct connections, only allowing all or nothing filtering, and providing no means for user authentication.

Stateful Packet Inspection

Stateful packet inspection improves upon the static packet filtering method described above. The improvement comes from the firewall's ability to keep track of network sessions. It determines whether a packet should be permitted or denied based upon the policies or rules and the state of the session. This firewall does not examine packets individually, but in conjunction with prior packets. In order to do this, packet information is stored in a dynamic state table. Subsequent packets are then evaluated against the information stored in this table. It attempts to determine whether the packets are behaving as expected. For example, it knows that for application X, A should be followed by B, then C, and so on. If packet C arrives without there ever having been an A or B, packet C is rejected. Because it tracks expected protocol sequences in this way, this type of firewall is said to be application aware.

This type of firewall also has the advantages of speed, relative low cost, requires little or no additional client
configuration and that it maintains a connection state. Disadvantages are similar to static packet filtering; complex
access control lists, allowing direct connections, only allowing all or nothing filtering, and providing no means for user
authentication.
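To make the difference between the two methods concrete, the following added example (written for this page, not code from the original document) simulates a static filter and a stateful filter behind the same "closed fist" default-deny policy. The addresses, rules and packets are constructed; real products track far more state than this sketch. The point it shows is the standing inbound hole a static filter needs merely to let replies back in, the "allowing direct connections" disadvantage named above, and how an outsider sourcing from port 80 walks straight through that hole while the stateful filter, finding no session in its table, drops the probe.

```python
"""Static packet filter versus stateful inspection, under a default-deny policy.

Added example for this page, not code from the original document. The
addresses, rules and packets are constructed for illustration; real
products track far more state (sequence numbers, timeouts, UDP pseudo-
sessions) than this sketch does.
"""
import ipaddress
from collections import namedtuple

Rule = namedtuple("Rule", "direction proto src sport dst dport action")
Packet = namedtuple("Packet", "direction proto src sport dst dport flags")

ANY = ipaddress.ip_network("0.0.0.0/0")
INSIDE = ipaddress.ip_network("10.0.0.0/8")          # constructed protected network


def rule_matches(rule, pkt):
    """Header-only comparison; None in a rule's port field means 'any port'."""
    return (rule.direction == pkt.direction
            and rule.proto == pkt.proto
            and ipaddress.ip_address(pkt.src) in rule.src
            and ipaddress.ip_address(pkt.dst) in rule.dst
            and (rule.sport is None or rule.sport == pkt.sport)
            and (rule.dport is None or rule.dport == pkt.dport))


class StaticFilter:
    """Every packet is judged on its own header. Closed fist: no match, no pass."""

    def __init__(self, rules):
        self.rules = list(rules)

    def decide(self, pkt):
        for rule in self.rules:
            if rule_matches(rule, pkt):
                return rule.action
        return "deny"


class StatefulFilter:
    """Rules are consulted only when a session starts; later packets are
    accepted only if the state table already knows the session."""

    def __init__(self, rules):
        self.rules = list(rules)
        self.state = set()

    @staticmethod
    def session_key(pkt):
        # Both directions of one session map to the same unordered endpoint pair.
        return frozenset([(pkt.src, pkt.sport), (pkt.dst, pkt.dport)])

    def decide(self, pkt):
        key = self.session_key(pkt)
        if key in self.state:
            if pkt.flags & {"FIN", "RST"}:
                self.state.discard(key)          # session teardown
            return "permit"
        if pkt.proto == "tcp" and pkt.flags != {"SYN"}:
            return "deny"                        # mid-session packet, no session: drop
        for rule in self.rules:
            if rule_matches(rule, pkt):
                if rule.action == "permit":
                    self.state.add(key)
                return rule.action
        return "deny"


def run_scenario():
    """Inside host browses out; the reply comes back; an outsider probes port 445."""
    egress_web = Rule("out", "tcp", INSIDE, None, ANY, 80, "permit")
    # A static filter cannot recognise replies, so it needs a standing inbound
    # hole: anything from source port 80 to any inside port. That hole is the
    # "allowing direct connections" disadvantage the text describes.
    static_reply_hole = Rule("in", "tcp", ANY, 80, INSIDE, None, "permit")

    static = StaticFilter([egress_web, static_reply_hole])
    stateful = StatefulFilter([egress_web])

    packets = [
        Packet("out", "tcp", "10.0.0.5", 51000, "203.0.113.10", 80, frozenset({"SYN"})),
        Packet("in", "tcp", "203.0.113.10", 80, "10.0.0.5", 51000, frozenset({"SYN", "ACK"})),
        Packet("in", "tcp", "203.0.113.10", 80, "10.0.0.5", 445, frozenset({"SYN"})),
    ]
    return {name: [fw.decide(p) for p in packets]
            for name, fw in (("static", static), ("stateful", stateful))}


if __name__ == "__main__":
    for name, verdicts in run_scenario().items():
        print(f"{name:<9} SYN out: {verdicts[0]:<7} reply in: {verdicts[1]:<7} "
              f"probe to 445: {verdicts[2]}")
```

Both filters permit the outbound SYN and the SYN/ACK reply; only the static filter also permits the unsolicited SYN to port 445, because its reply rule has to be written in terms of headers it sees one packet at a time. Narrowing that rule to destination ports above 1023, or to the ACK flag, reduces the hole but does not close it; only a state table does.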

Application Gateways/Proxies

This type of firewall operates at the highest level of the OSI model; the application layer. An application based firewall
will allow for the filtering of content. It can be configured to permit or deny specific applications or specific features
within an application. It examines the payload of a packet to perform content analysis and decision making, providing
a level of granularity that is not found in the other types of firewalls. A second compelling feature is that application
gateways/proxies do not allow direct connections. A client that is trying to communicate outside of our network will
communicate with the firewall, the firewall will then, on behalf of the client, contact the server outside our network.
The server will then respond to the firewall, which then communicates with the client. The server and client will never
have direct communications between one another. The proxy is just that, an agent acting on behalf of the client. For
these two reasons, operating at the application layer and its ability as a proxy, this type of firewall is considered to be
the most intelligent and most secure and therefore is the most expensive. Application gateway/proxies also provide
the ability to require user authentication.

Disadvantages include the substantial cost, client side configurations, configuration of new applications, and network
performance. Because this type of firewall is acting as a proxy, new services will require that a new proxy be setup on
the firewall and that clients be configured to communicate with that new proxy. Network performance may also be
degraded due to the complexity involved and depth at which the firewall examines each packet.

Virtual Private Networks (VPNs)
A VPN (virtual private network) is a low-cost solution that provides fast, secure, and reliable communications for mobile users and geographically dispersed networks by utilizing the public communications infrastructure. Simply put, a VPN is a method to provide private communications over public networks. Before the advent of VPNs, this type of private communication was accomplished by leasing dedicated lines to maintain a wide area network (WAN). While a leased-line WAN has many advantages, including reliability, performance, and security, it is also very expensive to maintain.

Privacy is provided because "a VPN is an encrypted tunnel between two endpoints. VPN tunnels are created using a tunneling protocol such as L2TP and secured using a protocol such as IPsec."3 A properly configured VPN allows secure site-to-site communications as well as secure communications for telecommuters. Even though a malicious hacker may be able to capture our traffic from the public communications lines, the data will be incomprehensible without the proper decryption key. A VPN can provide us with confidentiality, integrity, and authentication.

   

Firewall Summary

Firewalls play a critical role in any defense in depth strategy. By providing a single access point into and out of our network, a firewall is able to filter all traffic traversing that single point. A firewall provides the first and/or last opportunity to screen traffic before it enters or exits our network.

A firewall may be a single appliance or host, a group of appliances or a group of hosts. The firewall may filter by
looking deep into the contents of a packet or by merely examining the header. The firewall may have negligible
impact on network performance or it may have a significant impact. Whatever type of firewall is used, however it is
installed on the network, it is critical that it be administered by a security professional who truly understands not only
the firewall, but his or her entire network.

A firewall is neither a panacea nor a fire and forget device. It is a critical layer of the security infrastructure that must
be constantly administered, monitored, maintained, updated, and secured. It must be used in conjunction with other
devices such as an IDS/IPS, NAT, VPNs, and antivirus to provide the most effective security environment.

Encryption

Encryption is the process of obscuring information to make it unreadable without special knowledge. While encryption
has been used to protect communications for centuries, only organizations and individuals with an extraordinary need
for secrecy had made use of it. In the mid-1970s, strong encryption emerged from the sole preserve of secretive
government agencies into the public domain, and is now employed in protecting widely-used systems, such as
Internet e-commerce, mobile phone networks and bank automatic teller machines.

A cipher is an algorithm for performing encryption (and the reverse, decryption). The original information is known as
plaintext and the encrypted form as ciphertext. The ciphertext message contains all the information of the plaintext
message, but is not in a format readable by a human or computer without the proper mechanism to decrypt it; it
should resemble random gibberish to those not intended to read it.

The operation of a cipher usually depends on a piece of auxiliary information, called a key. The encrypting procedure
is varied depending on the key, which changes the detailed operation of the algorithm. A key must be selected before
using a cipher to encrypt a message. Without the same key, it should be difficult, if not impossible, to decrypt the
resulting ciphertext into readable plaintext.

Algorithms are the procedures that determine how data is encrypted with a key. There are several different types. DES is an example of a symmetric encryption algorithm; MD5 is a hash algorithm rather than an encryption algorithm; and PGP is a program that combines several algorithms rather than an algorithm itself. Randomness, of the keys and of the ciphertext they produce, is important. There are usually two ways to attack an encrypted message. One is the systematic trial of each possible key (a brute-force search). The other is to find a weakness in the algorithm itself and skip the lengthy calculations.

There are three different types of ciphers. Here are a couple of examples of simple ones:
@ Substitution cipher: replace bits or bytes (here, letters) with other values
  Example - Caesar cipher, shift up 3
  The enemy is nigh = Wkh hqhpb lv qljk

@ Transposition cipher: rearrange the order of the bits or bytes without changing them
  Example - transposition, rotate three characters (the first three letters move to the end, keeping the word lengths)
  The enemy is nigh = ene myisn ig hthe

@ Substitution and transposition combined (the basis of modern algorithms)
  Example - rotate three characters, then shift up 3
  The enemy is nigh = hqh pblvq lj kwkh
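The three examples above, implemented as an added example written for this page (not code from the original document). It reproduces the page's own outputs for "The enemy is nigh", adds the decryption direction, and ends with the "systematic trial of each key" attack mentioned earlier, which against a 26-key substitution takes no time at all. Nothing here is a real cipher; the functions are teaching toys.

```python
"""Substitution, transposition, and their product, on the page's own example.

Added example for this page, not code from the original document. The
ciphers are teaching toys; the brute-force search at the end is the
"systematic trial of each key" the text mentions.
"""

ALPHABET_SIZE = 26


def caesar(text, shift):
    """Substitution: shift every letter by `shift` places, keeping case
    and leaving spaces and punctuation in place."""
    out = []
    for ch in text:
        if ch.isalpha():
            base = ord("A") if ch.isupper() else ord("a")
            out.append(chr((ord(ch) - base + shift) % ALPHABET_SIZE + base))
        else:
            out.append(ch)
    return "".join(out)


def rotate_letters(text, n):
    """Transposition: rotate the letters n places (the first n move to the end)
    and lay them back into the original word pattern, in lower case, exactly
    as the page's worked example does."""
    letters = [c for c in text.lower() if c.isalpha()]
    if not letters:
        return text
    n %= len(letters)
    letters = letters[n:] + letters[:n]
    it = iter(letters)
    return "".join(next(it) if c.isalpha() else c for c in text)


def product_cipher(text, rotate_by, shift):
    """Transposition followed by substitution: the combination modern
    algorithms build on (in many rounds, with a real key schedule)."""
    return caesar(rotate_letters(text, rotate_by), shift)


def product_decipher(ciphertext, rotate_by, shift):
    """Undo the two steps in reverse order."""
    return rotate_letters(caesar(ciphertext, -shift), -rotate_by)


def brute_force_caesar(ciphertext, crib):
    """Try all 26 keys and return those whose plaintext contains the crib.
    Twenty-six candidates is why a substitution alone is no protection."""
    return [k for k in range(ALPHABET_SIZE)
            if crib.lower() in caesar(ciphertext, -k).lower()]


if __name__ == "__main__":
    msg = "The enemy is nigh"
    print(caesar(msg, 3))                                       # Wkh hqhpb lv qljk
    print(rotate_letters(msg, 3))                               # ene myisn ig hthe
    print(product_cipher(msg, 3, 3))                            # hqh pblvq lj kwkh
    print(product_decipher(product_cipher(msg, 3, 3), 3, 3))    # the enemy is nigh
    print(brute_force_caesar(caesar(msg, 3), "enemy"))          # [3]
```

The crib-based search recovers the key because the word pattern survives a substitution; that leakage, not the key size, is what makes these toys breakable, and it is what the transposition step and the many rounds of a modern cipher are designed to destroy.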

Key Length

@ The difference in key lengths is significant
  m 40 bits = 2^40 = 1,099,511,627,776 possible keys
  m 128 bits = 2^128 = 340,282,366,920,938,463,463,374,607,431,768,211,456 possible keys (about 3.4 x 10^38)
@ A 128-bit key is therefore 2^88, or about
  m 309,000,000,000,000,000,000,000,000 (3.09 x 10^26) times harder to crack by exhaustive search than a 40-bit key
@ For comparison, if a 40-bit key of a given algorithm can be broken
  m by exhaustive search in 5 seconds,
  m then a 128-bit key of the same algorithm will take about 49,068,526,417,640,960,921 (4.9 x 10^19) years
@ Imagine key lengths of 192, 256, 512, or 1024 bits
@ Key length only counts when the algorithm has no shortcut: a long key on a weak algorithm buys nothing

Security Services Provided by Cryptography

@ Confidentiality - encryption
@ Integrity - hash, ICV
@ Authentication - verifying the sender
@ Non-repudiation - checking a digital signature

Types of Cryptographic Mechanisms

@ Conventional encryption (also called secret key or symmetric encryption)
@ Public key cryptography (also called asymmetric)
@ Hash/MAC integrity mechanisms

There are multiple ways to implement each of these.

Secret Key (Symmetric) Encryption

@ Encryption and decryption processes share the same key
@ This key must be protected against compromise
@ Secret key encryption provides confidentiality and a basic authentication service (only a holder of the key could have produced a ciphertext that decrypts sensibly)
@ Standard secret key encryption does not provide a non-repudiation service (and only weak authentication, since every key holder can produce the same ciphertext)
@ Uses a comparatively simple mathematical algorithm to encrypt
@ Both sender and receiver have the same key
@ Block ciphers
  m Message broken into fixed-length blocks
  m Each block encrypted with the same key
@ Stream ciphers
  m Message encrypted bit-by-bit
  m Continuous keystream generated from the initial key
@ Advantages
  m Faster, with smaller key lengths for the same strength
  m The algorithms are straightforward and, when well designed and used with an adequate key length, cannot practically be broken
@ Disadvantages
  m No true means of authenticating the sender (any key holder could have sent the message)
  m Breaking or leaking one key compromises every party that shares it

Public Key (Asymmetric) Cryptography

@ Keys come as a pair, one private and one public; a certificate binds the public key to its owner's identity
@ Digital signatures
  m Normally use a public key algorithm
  m Usually sign (encrypt with the private key) a hash value of the message rather than the message itself
@ Encryption process uses the recipient's public key
  m This key does not have to be protected against disclosure (though its authenticity must be assured, which is what the certificate is for)
@ Decryption process uses the private key
  m This key must be protected against compromise
@ An algorithm where data encrypted with a public key can only be decrypted by the matching private key. The reverse is also true: what is encrypted with a private key can only be decrypted with the matching public key.
@ Decryption uses the private key of the recipient.
@ Authentication (signature verification) uses the public key of the sender.
@ "Known recipient" public key encryption provides confidentiality, but does not provide authentication (anyone can send a message that only one person can read)
@ "Known sender" public key encryption provides limited authentication, but no confidentiality (one person can send a message that anyone can read)
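The relationships in the list above (public key encrypts, private key decrypts; private key signs a hash, public key verifies it) can be exercised with textbook RSA. The following is an added example written for this page, not code from the original document and not the DoD PKI's implementation. The primes are constructed, the moduli are toys of roughly 50 to 60 bits that a laptop factors in seconds, there is no padding, and the only purpose is to show the known-recipient and known-sender properties the list describes; real keys are 2048 bits or more and come from a library, never from code like this.

```python
"""Public key cryptography with a textbook RSA toy: known-recipient
encryption and known-sender signatures over a hash.

Added example for this page, not code from the original document. The
primes are constructed for illustration and the moduli are tiny by real
standards; there is no padding, so treat every function here as a
teaching device only.
"""
import hashlib

PUBLIC_EXPONENT = 65537


def make_keypair(p, q, e=PUBLIC_EXPONENT):
    """Return ((e, n), (d, n)) with d the inverse of e modulo (p-1)(q-1)."""
    n = p * q
    phi = (p - 1) * (q - 1)
    d = pow(e, -1, phi)           # modular inverse (Python 3.8+)
    return (e, n), (d, n)


def encrypt_to(public_key, m):
    """Known recipient: anyone can do this; only the private key undoes it."""
    e, n = public_key
    if not 0 <= m < n:
        raise ValueError("message must be an integer smaller than the modulus")
    return pow(m, e, n)


def decrypt_with(private_key, c):
    d, n = private_key
    return pow(c, d, n)


def hash_to_int(message, n):
    """SHA-256 of the message, reduced into the signature domain."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % n


def sign(private_key, message):
    """Known sender: 'encrypt' the hash with the private key."""
    d, n = private_key
    return pow(hash_to_int(message, n), d, n)


def verify(public_key, message, signature):
    """Anyone holding the signer's public key checks (1) that the signature was
    made with the matching private key and (2) that the message is unaltered."""
    e, n = public_key
    return pow(signature, e, n) == hash_to_int(message, n)


def demo():
    alice_pub, alice_priv = make_keypair(1000000007, 998244353)   # constructed primes
    bob_pub, bob_priv = make_keypair(2147483647, 1000003)         # constructed primes

    # Confidentiality: Alice wraps a symmetric session key for Bob, as a PKI-based
    # mail client would, rather than encrypting the bulk message with RSA.
    session_key = 0x5EC7E7
    wrapped = encrypt_to(bob_pub, session_key)

    # Authentication and integrity: Alice signs; Bob verifies with her public key.
    message = b"MOVE CONVOY TO GRID 12345 AT 0600"
    signature = sign(alice_priv, message)

    return {
        "bob_recovers_key": decrypt_with(bob_priv, wrapped) == session_key,
        "signature_verifies": verify(alice_pub, message, signature),
        "altered_message_fails": verify(alice_pub, b"MOVE CONVOY TO GRID 54321 AT 0600", signature),
        "wrong_public_key_fails": verify(bob_pub, message, signature),
    }


if __name__ == "__main__":
    for check, result in demo().items():
        print(f"{check:<24} {result}")
```

Note what the demo does not show: nothing stops an impostor from calling encrypt_to with Bob's public key, which is the "known recipient" limitation, and nothing in verify tells Bob whose public key alice_pub really is, which is the gap a certificate fills.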


Integrity Check Value (ICV)

@ Often loosely called a "hash"; when computed with a shared key it is a message authentication code (MAC)
@ A checksum capable of detecting modification of a data set
@ Sender and recipient use an identical key to compute the ICV
@ The key is known only to them
@ The information bits and the ICV are sent to the recipient
@ If the ICV computed by the recipient matches the ICV received, the message is accepted; the comparison itself should not leak timing information
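The exchange above, as an added example written for this page (not code from the original document). It uses HMAC-SHA256 as the keyed ICV, with a constructed key and message, and places it beside a bare hash to show why the shared key matters: without the key, anyone who alters the message can simply recompute the checksum, so an unkeyed hash detects accidents but not attackers.

```python
"""Integrity check value with a shared key (HMAC) versus an unkeyed hash.

Added example for this page, not code from the original document. The
key and message are constructed for illustration; the key would normally
come from a key exchange or be provisioned out of band, never sent with
the message.
"""
import hashlib
import hmac

ICV_LEN = hashlib.sha256().digest_size      # 32 bytes


def compute_icv(key, message):
    """Keyed ICV: HMAC-SHA256 over the message."""
    return hmac.new(key, message, hashlib.sha256).digest()


def seal(key, message):
    """Sender: the information bits followed by the ICV."""
    return message + compute_icv(key, message)


def open_sealed(key, frame):
    """Recipient: recompute the ICV and accept only on a constant-time match.
    Returns the message, or None if the frame was altered or the key differs."""
    if len(frame) < ICV_LEN:
        return None
    message, received = frame[:-ICV_LEN], frame[-ICV_LEN:]
    if hmac.compare_digest(received, compute_icv(key, message)):
        return message
    return None


def seal_unkeyed(message):
    """What a bare hash gives you: anyone can recompute it."""
    return message + hashlib.sha256(message).digest()


def open_unkeyed(frame):
    if len(frame) < ICV_LEN:
        return None
    message, received = frame[:-ICV_LEN], frame[-ICV_LEN:]
    expected = hashlib.sha256(message).digest()
    return message if hmac.compare_digest(received, expected) else None


def demo():
    key = bytes(range(32))                    # constructed shared secret
    message = b"MOVE CONVOY TO GRID 12345 AT 0600"
    frame = seal(key, message)

    flipped = bytearray(frame)
    flipped[19] ^= 0x01                       # one bit in the data, not in the ICV

    # An attacker without the key rewrites the message and its unkeyed "checksum".
    forged = seal_unkeyed(b"MOVE CONVOY TO GRID 54321 AT 0600")

    return {
        "genuine_accepted": open_sealed(key, frame) == message,
        "bit_flip_rejected": open_sealed(key, bytes(flipped)) is None,
        "wrong_key_rejected": open_sealed(bytes(range(1, 33)), frame) is None,
        "unkeyed_forgery_accepted": open_unkeyed(forged) is not None,
    }


if __name__ == "__main__":
    for check, result in demo().items():
        print(f"{check:<26} {result}")
```

hmac.compare_digest is used for both comparisons because a byte-by-byte == on the tag stops at the first mismatch and leaks, through timing, how many leading bytes an attacker has guessed correctly.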

  
Common Access Card (CAC)

The Department is implementing smart card technology as a Department-wide Common Access Card (CAC). The CAC will be the standard identification card for active duty military personnel, Selected Reserve, DoD civilian employees, and eligible contractor personnel. The CAC will also be the principal card used to enable physical access to buildings and controlled spaces and logical access to the Department's computer networks and systems. The CAC platform will contain the mandatory identification, physical and logical access capabilities and may also contain Department-wide and/or Component-specific applications such as manifesting, deployment readiness, food service, and medical/dental readiness.

Who Receives the CAC

Approximately 4 million active duty military members, Selected Reserve, DoD civilians, and eligible contractors will
receive the CAC. The CAC issuance began in October 2000. The CAC most people possess currently has 32K of
memory. The 64K cards replace them over time.


CAC Functions

The CAC will be the Uniformed Services Identification Card and will carry the same benefits and privileges as its predecessor identification cards. In addition, the CAC will provide functionality for accessing buildings and secure spaces (flash passing, magnetic stripe access gates), and the CAC will contain the card recipient's private key used for secure authentication to computer systems and networks. CAC issuance will be performed using an integrated Local Registration Authority (LRA) - Real-Time Automated Personnel Identification System (RAPIDS) workstation. Existing RAPIDS workstations will be supplemented with LRA functionality. All workstations will be fully fielded by 2002.

Benefits of the CAC

The CAC brings to the daily operations of DoD, the Components, and the Military Services a technology with proven financial and non-financial benefits. The CAC, as the hardware token for the DoD Public Key Infrastructure, will play a key role in the information assurance defense-in-depth strategy for unclassified and sensitive but unclassified data. CAC recipients will gain appropriate access to computer systems and perform secure transactions over networks.

  
 


CAC Certificates

@ The CAC contains 3 types of certificates:
  m Identity
  m Digital signature
  m Encryption
@ Using the public and private keys allows the user to send messages that are:
  m Confidential
  m Non-repudiated
  m Authenticated
  m Integrity checked


 used for identifying you and gaining access to closed (PKEnabled) websites for authentication.
AKO now allows you to login to the site with your CAC and PIN versus having to input your login and password.

Digital signature certificate - as we just covered, a digital signature refers to a transformation of a message using an asymmetric cryptosystem such that a person who has the initial message and the signer's public key can accurately determine: (1) whether the transformation was created using the private key that corresponds to the signer's public key; and (2) whether the initial message has been altered since the transformation was made.

Encryption certificate - used for encrypting a message. Encryption, you will remember, is the process of transforming data into an unintelligible form in such a way that the original data either cannot be obtained (one-way encryption) or cannot be obtained without using the inverse decryption process.
CAC Applications

@ Mandatory applications for the CAC are identification, logical access and authentication using the CAC as
the hardware token for the DoD-wide Public Key Infrastructure (PKI), and physical access.
@ Department-wide applications currently under development and/or evaluation include food service, financial
(stored value, ATM, electronic purse), and Joint exercises.
@ Component-specific applications currently under development and/or evaluation include stored value,
medical and dental readiness, student visibility, armory and property accountability, training, rifle range, and
deployment readiness.

Public and Private Keys

To make PKI work, each individual has a unique public and private key assigned to them. Public and Private keys are
used for encryption and digital signature.

@ The PKI keys are generated as a pair at the time that the CAC is issued to an individual.
@ The private key is inserted and maintained on the Integrated Circuit Chip of the CAC.
@ The private key is protected by the owner and is used to sign messages to other users and decrypt
messages from other users.
@ The public key is distributed freely and openly and used to verify signatures from other users and encrypt
messages to other users.
@ Public keys are maintained in a directory and passed to others in signed messages.


Private Key

@ Protected by owner
@ Used to sign messages
@ Used to decrypt messages
@ Kept in physical possession of owner

Public Key

@ Distributed freely and openly


@ Used to verify signatures
@ Used to encrypt messages
@ Stored in user's Contacts folder
@ Available over the internet
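As an added example, not from the course, the key roles just listed and the two questions the digital signature definition poses, worked in Go with the standard library (RSA-PSS for signing, RSA-OAEP for encryption); the people named and the sample message are constructed.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// KeyPair holds the two keys described above: the private key stays with
// its owner (sign, decrypt); the public key is distributed (verify, encrypt).
type KeyPair struct {
	Private *rsa.PrivateKey
	Public  *rsa.PublicKey
}

// GenerateKeyPair creates a fresh pair, as the issuer does when a CAC is issued.
func GenerateKeyPair() (*KeyPair, error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	return &KeyPair{Private: priv, Public: &priv.PublicKey}, nil
}

// Sign produces the "transformation" of a message: a SHA-256 digest of the
// message signed with the private key (RSA-PSS).
func Sign(priv *rsa.PrivateKey, msg []byte) ([]byte, error) {
	digest := sha256.Sum256(msg)
	return rsa.SignPSS(rand.Reader, priv, crypto.SHA256, digest[:], nil)
}

// Verify answers both questions from the definition: was the signature made
// with the private key matching pub, and is msg unchanged since signing?
// Either a wrong key or an altered message makes it return false.
func Verify(pub *rsa.PublicKey, msg, sig []byte) bool {
	digest := sha256.Sum256(msg)
	return rsa.VerifyPSS(pub, crypto.SHA256, digest[:], sig, nil) == nil
}

// Encrypt seals a message to the holder of pub (RSA-OAEP); only the matching
// private key can open it.
func Encrypt(pub *rsa.PublicKey, msg []byte) ([]byte, error) {
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, msg, nil)
}

// Decrypt opens a message sealed to priv's public key; a wrong key errors.
func Decrypt(priv *rsa.PrivateKey, ct []byte) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, ct, nil)
}

func main() {
	alice, _ := GenerateKeyPair()   // constructed: the signer
	mallory, _ := GenerateKeyPair() // constructed: someone else's pair
	msg := []byte("constructed sample: approve purchase order 1234")

	sig, _ := Sign(alice.Private, msg)
	fmt.Println("genuine message, Alice's public key:", Verify(alice.Public, msg, sig))
	fmt.Println("altered message:", Verify(alice.Public, []byte("approve 9999"), sig))
	fmt.Println("Mallory's public key:", Verify(mallory.Public, msg, sig))

	ct, _ := Encrypt(alice.Public, msg)
	pt, _ := Decrypt(alice.Private, ct)
	fmt.Println("opened with Alice's private key:", string(pt) == string(msg))
	_, err := Decrypt(mallory.Private, ct)
	fmt.Println("opened with Mallory's private key:", err == nil)
}
```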

The DoD is required to implement a single, integrated Public Key Infrastructure that is designed to provide a set of
security services. These services enable business processes to better operate in an un-trusted network environment.
This doesn't make unsecured processes secured. It just adds another layer of security.


@ Protect private key from disclosure
ß Anyone could use your digital signature or assume your digital identity
ß Ensure no one gets access to or uses your password or private key
@ Report loss or compromise of private key/CAC
@ Remember your PIN!
ß If you forget your PIN, currently only the ID issuance facility can reset it

1. Thou Shalt Not Use A Computer To Harm Other People.
2. Thou Shalt Not Interfere With Other People's Computer Work.
3. Thou Shalt Not Snoop Around In Other People's Computer Files.
4. Thou Shalt Not Use A Computer To Steal.
5. Thou Shalt Not Use A Computer To Bear False Witness.
6. Thou Shalt Not Copy Or Use Proprietary Software For Which You Have Not Paid.
7. Thou Shalt Not Use Other People's Computer Resources Without Authorization Or Proper Compensation.
8. Thou Shalt Not Appropriate Other People's Intellectual Output.
9. Thou Shalt Think About The Social Consequences Of The Program You Are Writing Or The System You
Are Designing.
10. Thou Shalt Always Use A Computer In Ways That Insure Consideration And Respect For Your Fellow
Humans.


Computer crime can be defined as fraud, embezzlement, unauthorized access, and other "white collar"
crimes committed with the aid of or directly involving a computer system and/or network. Computer crime is
any illegal act which involves a computer system, whether the computer system is an object of crime, a tool
used to commit a crime, or a storage device containing evidence related to a crime. Computer crime can
involve criminal activities such as theft, fraud, forgery, and mischief. These activities are subject to criminal
sanctions. There are many potentially new misuses or abuses that may or may not be criminal as well.
Computer-related crime is one of law enforcement's greatest challenges.

Computer crimes can be committed by insiders or outsiders. Insiders (i.e., authorized users of a system) are
responsible for the majority of fraud. In the commercial world, ninety percent of Chief Information Officers
view employees "who do not need to know" information as threats to the computer systems. The U.S.
Department of Justice's Computer Crime Unit has stated that "insiders constitute the greatest threat to
computer systems." Since insiders are both familiar with and have access to the victim computer system
(including what resources it controls and its flaws), they are in a better position to commit crimes - and they
are "authorized" users. Another threat is former employees. They have knowledge of an organization's
operations. This fact alone makes it imperative to terminate a prior employee's access promptly.

Mr. Don B. Parker, a researcher on computer crime and security for SRI International at Menlo Park,
California, says that computer crime is any intentional act associated in any way with computers where a
victim suffered, or could have suffered, a loss and a perpetrator made, or could have made, a gain. He
identified four forms of computer abuse, distinguished in each case by the role played by the computer. Thus
the computer might:

ß Serve as the victim of crime.
ß Constitute the environment within which a crime is committed.
ß Provide the means by which a crime is committed.
ß Symbolically be used to intimidate, deceive, or defraud victims.

The U.S. Justice Department has stated that computer crime is any illegal act for which knowledge of
computer technology is essential for its perpetration, investigation, or prosecution, and according to that the
offenses that could constitute computer crime are:

ß This deals primarily with unauthorized access to a telephone system.

ß Today, this is taken to mean the Internet. Many major commercial and private networks exist in the
U.S.

ß This means manipulating or altering a network's intended function.

ß The accumulation of vast amounts of electronic information about individuals by governments,
credit bureaus, and private companies, combined with the ability of computers to monitor, process,
and aggregate large amounts of information about individuals have created a threat to individual
privacy. The possibility that all of this information and technology may be able to be linked together
has arisen as a specter of the modern information age. This is often referred to as "Big Brother." To
guard against such intrusion, Congress has enacted legislation, over the years, such as the Privacy
Act of 1974 and the Computer Matching and Privacy Protection Act of 1988, which defines the
boundaries of the legitimate uses of personal information collected by the government.

The threat to personal privacy arises from many sources. In several cases federal and state
employees have sold personal information to private investigators or other "information brokers."
One such case was uncovered in 1992 when the Justice Department announced the arrest of over
two dozen individuals engaged in buying and selling information from Social Security
Administration (SSA) computer files. During the investigation, auditors learned that SSA employees
had unrestricted access to over 130 million employment records. Another investigation found that 5
percent of the employees in one region of the IRS had browsed through tax records of friends,
relatives, and celebrities. Some of the employees used the information to create fraudulent tax
refunds, but many were acting simply out of curiosity.

As more of these cases come to light, many individuals are becoming increasingly concerned about
threats to their personal privacy. While the magnitude and cost to society of the personal privacy
threat are difficult to gauge, it is apparent that information technology is becoming powerful enough
to warrant fears of both government and corporate "Big Brothers." Increased awareness of the
problem is needed.

ß Industrial Espionage
Industrial espionage is the act of gathering proprietary data from private companies or the
government for the purpose of aiding other company/companies. Industrial espionage can be
perpetrated either by companies seeking to improve their competitive advantage or by
governments seeking to aid their domestic industries. Foreign industrial espionage carried out by a
government is often referred to as economic espionage. Since information is processed and stored
on computer systems, computer security can help protect against such threats; it can do little,
however, to reduce the threat of authorized employees selling that information.

Within the area of economic espionage, the Central Intelligence Agency has stated that the main
objective is obtaining information related to technology, but that information on U.S. Government
policy deliberations concerning foreign affairs and information on commodities, interest rates, and
other economic factors is also a target. The Federal Bureau of Investigation concurs that
technology-related information is the main target, but also lists corporate proprietary information,
such as negotiating positions and other contracting data, as a target.


ß Hackers or crackers break into computers without authorization. They can include both
outsiders and insiders. Much of the rise of hacker activity is often attributed to increases in
connectivity in both government and industry.

ß Making illegal copies of copyrighted software is a problem primarily associated with PCs and LANs,
but can apply to any type of computer system. See Software piracy for additional information.

ß See Industrial Espionage, above.

ß This can be interpreted as actions that cause damage, mischief, or sabotage. The motivation for
vandalism can range from altruism to revenge.

ß Computer Fraud
Computer systems can be exploited for both fraud and theft by "automating" traditional methods of
fraud and by using new methods. For example, individuals may use a computer to skim small
amounts of money from a large number of financial accounts, assuming that small discrepancies
may not be investigated. Financial systems are not the only ones at risk. Systems that control
access to any resource are targets (e.g., time and attendance systems, inventory systems, school
grading systems, and long-distance telephone systems).

ß Forging a document, such as a magnetic card, to gain entry, privileges, services, goods, or
information.
ß This refers to damaging or altering a computer's files.

ß See Computer Fraud, above.

ß When national defense, foreign relations, atomic energy, or other restricted information is stolen or
compromised.
ß When the offense involves:
ß U.S. government department or agency computer.
ß Banks or other types of financial institutions.
ß Interstate or foreign communications.
ß People or computers in other states or countries.

Computer Fraud and Abuse Act of 1986 (18 U.S. Code 1030, Public Law 99-474)

This act was passed in 1986 mainly to combat what is now commonly known as "hacking". Any federal
agency and/or the Secret Service is authorized to investigate any offenses under this act. The list below is
what is considered illegal under this act.

1. Knowingly access without authorization (or in excess of authorization) any computer system and in
doing so obtain restricted or classified government information.

2. Knowingly access without authorization (or in excess of authorization) any computer system, and in
doing so obtain financial information held by a financial institution, credit information held by a
consumer reporting agency, or credit card information held by the issuer of credit cards.

3. Intentionally and without authorization access any computer of a department or agency of the
United States if the computer is exclusively for use, or if not exclusively for use, in a way that
affects the government's use of the computer.

4. Knowingly, and with intent to defraud, traffic in any password or similar information through which a
computer can be accessed without authorization if such trafficking affects interstate or foreign
commerce or such computer is used by the government of the United States.
Electronic Communications Privacy Act (ECPA) of 1986, Public Law 99-508

Begun as an "anti-wiretapping" act, the ECPA was meant to combat the eavesdropping problems presented
by such events as the Watergate scandal in the early 1970s. Its mandate was to protect U.S. citizens from
government eavesdropping on telephone discussions without the consent of those being monitored. The
ECPA required a warrant from a federal judge before conversations could be intercepted. In late 1986,
Congress sought to increase the scope of the anti-wiretapping laws to cover the increasingly wider range
of electronic communication. As a result, Congress passed the ECPA. The law was modified to deal with all
forms of digital communications, including transmissions of text and digitized images, as well as
telephone communications.

@ The ECPA prohibits unauthorized eavesdropping by all persons, businesses, and the government.

@ The ECPA prohibits unauthorized access to messages in storage on computer systems and the
unauthorized interception of messages in transmission.

ß This Act prohibits interception and disclosure of communications. It is unlawful to intercept
or use any wire, oral, or electronic communication.
ß PL 99-508 prohibits the manufacture, distribution, possession, and advertising of
intercepting devices.

ß Whenever any wire or oral communication has been intercepted, no part of the contents of
the communication and no evidence derived from it can be used as evidence in any trial,
hearing, or other legal proceeding.

@ A Federal judge may grant an order authorizing the interception of wire or oral communications by
the FBI or a Federal agency having responsibility for the investigation of an offense.

@ According to the ECPA, a provider of wire or electronic communication service can intercept,
disclose, or use that communication if
ß It is necessary to render the service.
ß It is necessary for the protection of the service provider's property or rights.

@ A provider of wire communication service cannot utilize service observing or random monitoring
except for mechanical or service quality control checks.
@ It is lawful to record the fact that a wire or electronic communication was initiated or completed to
protect from fraudulent, unlawful or abusive use of the service. This is meant to protect:

ß A provider furnishing service toward the completion of the wire or electronic communication.

ß Unauthorized use of or access to a computer.
ß Destruction, modification, or alteration of data or computer programs.

Computer Security Act of 1987

A central computer security program must address compliance with national policies and requirements, as
well as requirements of DOD directives, Army regulations, and organization-specific requirements. National
requirements include those prescribed under the Computer Security Act of 1987.

Congress declared that improving the security and privacy of sensitive information in Federal computer
systems is in the public interest and created a means for establishing minimum acceptable security practices
for those systems without limiting the scope of security measures already planned or in use.

ß Cost-effective security.
The Computer Security Act assigned to the National Bureau of Standards responsibility for
developing standards and guidelines for federal computer systems, including responsibility for
developing standards and guidelines needed to assure the cost-effective security of federal
computer systems.

ß Privacy of sensitive information.
This act also assigned to the National Bureau of Standards responsibility for developing standards
for the privacy of sensitive information in federal computer systems and drawing on the technical
advice and assistance (including work products) of the National Security Agency where
appropriate.

The law requires the development of standards and guidelines for federal computer systems needed to
assure the cost-effective security and privacy of sensitive information in federal computer systems.

The Computer Security Act provides for the establishment of security plans by all operators of federal
computer systems that contain sensitive information. It also requires mandatory periodic training for all
persons involved in management, use, or operation of federal computer systems that contain sensitive
information.
The Computer Security Act states that "each federal agency shall provide for the mandatory periodic training
in computer security awareness and accepted computer practices of all employees who are involved with
the management, use, or operation of each Federal computer system within or under the supervision of that
agency."

Privacy Act of 1974

The Privacy Act of 1974, 5 U.S.C. § 552a (1994 & Supp. IV 1998) became effective on September 27, 1975.
The historical context of the Privacy Act is important to an understanding of its remedial purposes: In 1974,
Congress was concerned with curbing the illegal surveillance and investigation of individuals by federal
agencies that had been exposed during the Watergate scandal; it was also concerned with potential abuses
presented by the government's increasing use of computers to store and retrieve personal data by means of a
universal identifier, such as an individual's social security number.

The Act focuses on four basic policy objectives:

1. To restrict disclosure of personally identifiable records maintained by agencies.

2. To grant individuals increased rights of access to agency records maintained on them.

3. To grant individuals the right to seek amendment of agency records maintained on themselves
upon a showing that the records are not accurate, relevant, timely or complete.

4. To establish a code of "fair information practices" that requires agencies to comply with statutory
norms for collection, maintenance, and dissemination of records.

OMB Circular A-130, Management of Federal Information Resources

The federal government is the largest single producer, collector, consumer, and disseminator of information
in the United States. Federal agencies, state and local governments, and the public are dependent on
government information resources. Other entities dependent on this information are local government
agencies, educational, and other not-for-profit institutions, and for-profit organizations. Hence, the OMB
views government information systems as a valuable national resource. It provides the public with knowledge
of the government, society, and economy - past, present, and future. It is a means to ensure the
accountability of government, to manage the government's operations, and to maintain the healthy
performance of the economy and is itself a commodity in the marketplace.

The OMB also recognized that the free flow of information between the government and the public is
essential to a democratic society. At the same time, it is also essential that the government minimize the
federal paperwork burden on the public, minimize the cost of its information activities, and maximize the
usefulness of government information.

Because the public disclosure of government information is essential to the operation of a democracy, the
management of federal information resources should protect the public's right of access to government
information.

A central security program should provide two quite distinct types of benefits:

@ increased efficiency and economy of security throughout the organization
@ the ability to provide centralized enforcement and oversight

Both of these benefits are in keeping with the purpose of the Paperwork Reduction Act as implemented in
OMB Circular A-130.

OMB Circular A-130 Requires:

@ information security plans

@ computer security plans

@ awareness training

@ contingency planning

@ formal emergency response capabilities

@ protection of Privacy Act information

@ cooperation between federal, state, and local government

Intellectual Property
In law, intellectual property (IP) is an umbrella term for various legal entitlements which attach to certain
types of information, ideas, or other intangibles in their expressed form. The holder of this legal entitlement
is generally entitled to exercise various exclusive rights in relation to the subject matter of the IP. The term
intellectual property reflects the idea that this subject matter is the product of the mind or the intellect, and
that IP rights may be protected at law in the same way as any other form of property. However, the use of the
term and the concepts it is said to embody are the subject of some controversy (see below).

Intellectual property laws vary from jurisdiction to jurisdiction, such that the acquisition, registration or
enforcement of IP rights must be pursued or obtained separately in each territory of interest. However, these
laws are becoming increasingly harmonised through the effects of international treaties such as the 1994
World Trade Organization (WTO) Agreement on Trade-Related Aspects of Intellectual Property Rights
(TRIPs), while other treaties may facilitate registration in more than one jurisdiction at a time. Certain forms
of IP rights do not require registration in order to be enforced. Intellectual property laws confer a bundle of
exclusive rights in relation to the particular form or manner in which ideas or information are expressed or
manifested, and not in relation to the ideas or concepts themselves (see idea-expression divide). It is therefore
important to note that the term "intellectual property" denotes the specific legal rights which authors,
inventors and other IP holders may hold and exercise, and not the intellectual work itself.

Intellectual property laws are designed to protect different forms of intangible subject matter, although in
some cases there is a degree of overlap.

Copyright

Copyright may subsist in creative and artistic works (e.g. books, movies, music, paintings, photographs, and
software) and give a copyright holder the exclusive right to control reproduction or adaptation of such works
for a certain period of time.


A patent may be granted for a new, useful, and non-obvious invention, and gives the patent holder an
exclusive right to commercially exploit the invention for a certain period of time (typically 20 years from the
filing date of a patent application).

Trademark

A trademark is a distinctive sign which is used to distinguish the productsor services of different businesses.

Trade Secret

A trade secret (or "confidential information") is secret, non-public information concerning the commercial
practices or proprietary knowledge of a business, public disclosure of which may sometimes be illegal.

Patents, trademarks, and designs rights are sometimes collectively known as industrial property, as they are
typically created and used for industrial or commercial purposes.

Software Piracy

The unauthorized copying of software. Most retail programs are licensed for use at just one computer site or
for use by only one user at any time. By buying the software, you become a licensed user rather than an
owner (see EULA). You are allowed to make copies of the program for backup purposes, but it is against the
law to give copies to friends and colleagues.

Software piracy is all but impossible to stop, although software companies are launching more and more
lawsuits against major infractors. Originally, software companies tried to stop software piracy by
copy-protecting their software. This strategy failed, however, because it was inconvenient for users and was not
100 percent foolproof. Most software now requires some sort of registration, which may discourage would-be
pirates, but doesn't really stop software piracy.

An entirely different approach to software piracy, called shareware, acknowledges the futility of trying to stop
people from copying software and instead relies on people's honesty. Shareware publishers encourage users
to give copies of programs to friends and colleagues but ask everyone who uses a program regularly to pay a
registration fee to the program's author directly.

Commercial programs that are made available to the public illegally are often called .

This course has presented the steps necessary to establish and maintain a good security program for automated
information systems. The subject matter and concepts described in the course can be applied to any Army unit.
Illustrations and examples of these concepts have been discussed and examined.

For context, federal, Department of Defense, and Army-level policies were referenced. Detailed operational policies
and procedures for computer systems were discussed and related to these high-level policies. Effects on Army unit
assets and threats were identified, and a detailed survey of safeguards, vulnerabilities, and risk mitigation actions
was presented. The safeguards included a variety of techniques, and were used to illustrate issues of assurance,
compliance, and security program oversight.

As illustrated, effective computer security requires clear direction from upper management. Upper management must
assign security responsibilities to organizational elements and individuals. It must formulate or elaborate the security
policies that become the foundation for the organization's security program. These policies must be based on an
understanding of the organization's mission priorities and the resources necessary to fulfill them. They must also be
based on a pragmatic assessment of the threats against these resources and operations.

A good security program relies on an integrated, cost-effective collection of physical, procedural, and automated
controls. Cost-effectiveness requires targeting these controls at the threats that pose the highest risks while accepting
other residual risks. The difficulty of applying controls properly and consistently over time has been the downfall of
many security programs. Major security vulnerabilities arise from a lack of assurance or compliance. Hence, periodic
compliance audits, examinations of the effectiveness of controls, and reassessments of threats are essential to the
success of any organization's security program.
