IT Security
Julie Schmitz
James Mote
Jason Tice
Agenda
• Overview of basic IT security
• Human Resources Command-St. Louis
• Inside Financing
• Recommendations and Best Practices
• Closing and questions
IT Security Defined
• “Broadly speaking, security is keeping
anyone from doing things you do not
want them to do to, with, or from your
computers or any peripherals”
-William R. Cheswick
IT Security Overview
• Intruders - hackers and crackers
• Insiders – fraud case at Financing
• Criminals
• Online Scam artists
• Terrorists
IT Security Overview
• Hacker
– Person who enjoys exploring the details of
programmable systems and how to stretch
their capabilities
– Hackers tend to view themselves as very
knowledgeable computer programmers,
sometimes to the point of arrogance
– True hacker will look for weaknesses in a
system and publish it
Source: FBI Cyber Task Force
IT Security Overview
• Cracker
– One who breaks security on a target
computer system
– The term was coined by hackers around
1985 in defense against the journalistic
misuse of the term “hacker”
– Tend to never disclose their findings
Source: FBI Cyber Task Force
Hackers or Crackers?
How does a Hacker Affect You?
• Michael Buen and Onel de Guzman
– Both are suspected of writing the “I Love
You” virus
• David L. Smith
– Melissa virus author
– Released March 26, 1999
– Caused an estimated $80 million in
damages
Source: FBI Cyber Task Force
IT Security at your Office
• Social Engineering
• Denial of service attacks (DoS)
• E-mail bombs
• Password cracking
• Web spoofs
• Trojan, worm, virus attacks
• Antivirus tools
Source: FBI Cyber Task Force
Social Engineering
• A con game played by computer literate
criminals
• Works because people are the weakest
link in any security system
Source: FBI Cyber Task Force
Denial of Service
• Prevents users from using a computer service.
• A common form floods the target with bogus connection or
authentication requests, keeping the server so busy that
legitimate users are locked out
• Ping attacks
• DDoS attacks
– Uses multiple computers to coordinate DoS attacks
Source: FBI Cyber Task Force
Email Bombs
• A type of denial of service attack
• Email bombs involve sending enormous
amounts of email to a particular user, in
effect, shutting down the email system
• Many spammers fall victim to this type of
attack
• No need to manually send email;
downloadable programs will do it for you
Source: FBI Cyber Task Force
Password Cracking
• Involves repeatedly trying common
passwords against an account in order to
log into a computer system
• Freely available “cracking” programs
facilitate this process
Source: FBI Cyber Task Force
Web Spoofing
• “faking the origin”
• The attacker creates a false or shadow copy of
a reputable web site; all network traffic
between the victim’s browser and the shadow
page are sent through the attacker’s machine
• Allows the attacker to acquire information such
as passwords, credit card numbers, and
account numbers
Source: FBI Cyber Task Force
[Screenshots: what should have been displayed vs. what the spoofed site actually displayed]
Trojan, Worm, and Virus
• A Trojan program does not propagate itself from one
computer to another; it relies on the user to run it
• A Worm reproduces ITSELF over a network, with no
user action required
• A Virus attaches itself to other programs or files and
spreads when those are copied or opened (e.g., as an
e-mail attachment)
Source: FBI Cyber Task Force
Trojans
• Trojans are malicious files masquerading as
harmless software upgrades, programs, help
files, screen savers, pornography, etc.
• When the user opens file, the Trojan horse runs
in the background and can cause damage to
the computer system (hard drive damage, total
access, username and password)
Source: FBI Cyber Task Force
[Diagram: Trojan control]
Virus
• A program that replicates without being
asked to
• Copies itself to other computers or disks
• Huge threat to companies
Source: FBI Cyber Task Force
Antivirus Tools
• Any hardware or software designed to stop
viruses, eliminate viruses, and/or recover data
affected by viruses
• AV tools refer to software systems deployed at
the desktop or on the server to eliminate
viruses, worms, trojans, and some malicious
applets
• Should be used as part of a security policy
Source: FBI Cyber Task Force
After the Incident
• Identify means to avoid another attack
– Download latest patches
– Repair compromised systems
– Re-educate users
– Run anti-virus software
• Stay alert for signs the intruder is still in
your system
• Log traffic data
Source: FBI Cyber Task Force
Security Budget
The Facts on IT Security Budgets
• 62 percent of technology officers feel no
pressure to increase spending this year
• 40 percent of their budgets will go toward
preventing existing machinery from breaking
• Systems security tends to go unfixed until
proven broken
• A simple firewall has become the ultimate
security commodity
• Don’t use ROI to configure IT security budget
Source: FBI Cyber Task Force
Money Lost Due to Different Types of Attacks
[Bar chart: amount of loss reported per attack type]
• Denial of service: $26,064,050
• Theft of proprietary info: $11,460,000
• Insider Net abuse: $10,601,055
• Abuse of wireless networks: $10,159,250
• Financial fraud: $7,670,500
• Laptop theft: $6,734,500
• Unauthorized access: $4,278,205
• Telecom fraud: $3,997,500
• Misuse of public Web applications: $2,747,000
• Web site defacement: $958,100
• System penetration: $901,500
• Sabotage: $871,000
Source: Federal Bureau of Investigation / Computer Security Institute – http://www.gocsi.com - viewed
11/4/2004
I.T. SECURITY BRIEF
HUMAN RESOURCES COMMAND
ST. LOUIS
Human Resources Command
St. Louis Historical Timeline
•First established in 1944 at 4300 Goodfellow
•First known as the Demobilized Personnel Records
Branch after WWII
•In 1956, moved to its present location, 9700 Page
•In 1971, Reserve Components Personnel Center at
Ft. Benjamin Harrison merged with St. Louis
•In 1985, Army Reserve Personnel Center
(ARPERCEN) was formed.
•In 2003, organization was renamed to Human
Resources Command (HRC)
Source: https://www.2xcitizen.usar.army.mil/2xhome.asp - viewed 11/1/2004
Human Resources Command
(HRC) St. Louis Overview
• Supports or conducts the Human Resources Life
Cycle for over 1.5 million customers
• Workforce comprised of over 65% civilians, 30%
Active Guard-Reserve soldiers, 5% Active
Component soldiers
• Of the military workforce, most officers are Majors
(O-4) & most non-commissioned officers are
Sergeants First Class (E-7s)
• 65-acre facility located off Page Avenue
• Total of Nine Directorates
Source: https://www.2xcitizen.usar.army.mil/2xhome.asp - viewed 11/1/2004
Human Resources Command
(HRC) Mission Statement
•To provide the highest quality human resources life
cycle management in the functional areas of
structure, acquisition, distribution, development,
deployment, compensation, sustainment and
transition for all Army Reserve Soldiers, resulting in a
trained and ready force in support of the national
military strategy.
•To provide human resource services to our retired
reserve and veterans.
Source: https://www.2xcitizen.usar.army.mil/2xhome.asp - viewed 11/1/2004
Information Assurance Office
[Organization chart]
• Information Assurance Manager (Rank: Major)
– IANCO (Rank: MSG)
– Assistant IAM (Rank: CPT)
– Deputy IAM, Civilian (GS-13)
– Information Tech & Sec Specialist, Civilian (GS-12)
– Information Tech & Sec Specialist, Civilian (GS-11)
– Information Tech & Sec Specialist, Civilian (GS-11)
Source: Information Assurance Office, Human Resources Command, St. Louis
Information Assurance Manager Duties
• Major: Responsible for overall IT security
• Master Sergeant: Verifies security clearances; training; account requests
• Captain: Drafts and submits policy
• GS-13: Updates patches; ACERT compliance
• GS-12: System Security Authorization Agreement; Networthiness Certification
• GS-11: Investigates computer forensics; backup for updates and patches
• GS-11: Backup for computer forensics; training; account requests; verifies security clearances
Source: Information Assurance Office, Human Resources Command, St. Louis
Information Assurance Defined
• The protection of systems and information in
storage, processing, or transit from unauthorized
access or modification; denial of service to
unauthorized users; or the provision of service to
authorized users
• Also includes those measures necessary to detect,
document, and counter such threats
• This regulation designates IA as the security
discipline that encompasses COMSEC, INFOSEC,
and control of compromising emanations
Source: Army Regulation (AR) 25-2
Information Assurance Organization
[Organization chart]
• Chief Information Officer, U.S. Army Reserve Command, Atlanta, Georgia
– Information Assurance Officers, 11 Regional Support Commands
– Information Assurance Officer, Human Resources Command-St. Louis
Source: Information Assurance Office, Human Resources Command, St. Louis
In Order to Gain System Access
• All Military must have a Security
Clearance
• Some civilians must have Security
Clearance
• Other civilians must have at least a
National Agency Check (NAC)
• All employees must submit a request
for system access
Source: Information Assurance Office, Human Resources Command, St. Louis
Common End User Problems
• Pornography
• Running Businesses
• Use of unlicensed or unauthorized
software
• Sharing of logons/passwords
Source: Information Assurance Office, Human Resources Command, St. Louis
What Happens If You Get Locked Out?
• Go to your local Information Mgmt
personnel assigned to serve your
directorate
Source: Information Assurance Office, Human Resources Command, St. Louis
Main Concerns of IT Security
• Information Security Training
• Purchasing automation equipment
without authorization
• Computer left on 24/7
• Having a qualified Information
Assurance Manager that is strict
• Knowledge of the system
Source: Information Assurance Office, Human Resources Command, St. Louis, MO; Information Assurance
Officer, 63rd Regional Readiness Command, Los Alamitos, California
Anti-Virus Activity
[Chart: "Stopped at Gateway", number of events per month, Mar-04 through Sep-04, y-axis 0 to 50,000; peak of 45,000 in April]
[Chart: "Stopped at Desktop", number of events per month, Mar-04 through Sep-04, y-axis 0 to 50]
Source: Information Assurance Office, Human Resources Command, St. Louis
Probes and Scans Against Network
[Chart: number of attempts per month, Oct-03 through Sep-04, y-axis 0 to 50,000; 135,000 year to date]
Source: Information Assurance Office, Human Resources Command, St. Louis
Computer Security Model
• Bell-LaPadula Model
– Developed in the 1970s by David Bell and Leonard
LaPadula at MITRE for the U.S. Department of Defense
– Provides a framework for handling data of
different classifications: a subject may not read
above its clearance ("no read up") and may not
write below it ("no write down")
– Known as a "multilevel security" model
– One of the earliest and most famous
computer security models
Source: Information Assurance Office, Human Resources Command, St. Louis;
http://infoeng.ee.ic.ac.uk/~malikz/surprise2001/spc99e/article2 - viewed 11/6/2004
Information Unable to Obtain
• IT Security Budget
• Business Policy Procedures
• Outsource IT providers information
Source: Information Assurance Office, Human Resources Command, St. Louis
Security challenges at
Financing from the
CIO’s perspective
Financing Background Info
• Financing is one of the largest domestic
providers of inventory floor financing for
several different industrial channels.
• Recent focus to use IT to reduce business
costs by processing transactions online.
• IT operates 5 different customer facing
applications handling in excess of 4
billion dollars in transactions monthly.
Source: Interview and personal comments from Financing’s CIO – October 2004
Case Study Research Method
• Interviewed CIO to gain their different
perspectives on IT security and business.
• Interview lasted approximately 2 hours
and consisted of 15 questions.
• Subsequent discussion based on what
CIO said were issues of highest concern.
Source: Interview and personal comments from Financing’s CIO – October 2004
Most Pressing Security Concerns
1. Eliminating bad user practices
2. Measures to prevent security breaches
3. Ability to quickly recover from security
failures / breaches
4. Impact of compliance with SOX
regulations
Source: Interview and personal comments from Financing’s CIO – October 2004
Security Specifics
• No specific line item budget amount.
– Security costs are encompassed in other
budget items, such as system development
& testing, data center operations, etc.
• No dedicated resources focusing solely
on security.
– Security related activities fall under
responsibility of existing IT staff.
Source: Interview and personal comments from Financing’s CIO – October 2004
Security Challenges:
End User Security
“Security is a 50/50 proposition. A system
can be perfectly secure; however, if users
don’t properly use the provided security
features, then there might as well be no
security at all.”
-Anonymous
End User Security:
Typical Financing User
• Non-technology savvy office clerks and
book keepers.
• No on-site IT support to maintain
individual system security.
• Many dealers have Broadband access
without firewall protection.
• What is so risky about this?
Source: Interview and personal comments from Financing’s CIO – October 2004
End User Security:
Typical Financing User (2)
• Known problems with Spyware and
viruses.
• Account reps reported seeing multiple
users post their username and
password in plain view in their offices.
• Poor password selection by users is
consistently cited as one of the top
three IT security issues.
Source: Cupps, John; How To Identify and Contain Some of the Information Security Problems
Created By Unique Business Environments; http://www.sans.org/rr/whitepapers/casestudies/666.php;
viewed 11/3/2004
Password Survey
• Sit down if you
change your
password once a
week.
• Put your hand down
if your password has
both letters and
numbers in it.
Password Security Level: Strong
Password Survey
• Sit down if you
change your
password every
month.
• Put your hand down
if your password is
NOT a word in the
dictionary.
Password Security Level: Good
Password Survey
• Sit down if you
change your
password only a few
times each year.
• Put your hand down
if you use the SAME
password on multiple
systems.
Password Security Level: Weak
Password Survey
• Sit down if you
NEVER change your
password.
• Put your hand down
if your password is
simply part of your
name or username.
Password Security Level: Poor
Bad Habits are Hard To Break
• Use familiar words, names that can be easily
guessed.
• Use a password that is too short, therefore
fewer characters to guess / crack.
• Use the same password on multiple systems.
• Do not change password regularly.
• Share passwords with others.
• Post passwords somewhere around their
computer.
Need for Strong Passwords
"Today's computers are capable of trying
millions of word variations per second
and often can guess a good number of
passwords in less than a minute."
- Rob Lemos
Source: Lemos, Rob; Hackers can crack most in less than a minute;
http://news.com.com/Passwords+The+weakest+link/2009-1001_3-916719.html; viewed 10/27/2004
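The "Password Cracking" slide earlier and the Lemos quote above describe the same attack from two angles: a wordlist with common mutations, then exhaustive search of short strings. The script below is an added example for this page (not code from Financing, the FBI material, or Lemos) that runs both against unsalted SHA-256 hashes; the wordlist is constructed, and the hash choice is an assumption standing in for whatever a real attacker has stolen.

```python
"""Dictionary and brute-force guessing against password hashes (added example)."""
import hashlib
import itertools
import string


def sha256_hex(password: str) -> str:
    # Unsalted SHA-256 stands in for a stolen fast hash. The speed is the point:
    # a slow, salted hash (bcrypt, scrypt, Argon2) is what makes guessing expensive.
    return hashlib.sha256(password.encode()).hexdigest()


# Constructed wordlist; real attacks use lists of millions of leaked passwords.
WORDLIST = ["password", "welcome", "letmein", "summer", "finance", "stlouis"]


def mutations(word: str):
    """Habits users think are clever: capitalised word, trailing digits, a year."""
    for base in (word, word.capitalize()):
        yield base
        for n in range(100):
            yield f"{base}{n}"
        for year in range(1990, 2010):
            yield f"{base}{year}"


def dictionary_attack(target_hash: str, wordlist=WORDLIST):
    """Return (password, guesses) if a wordlist mutation matches, else (None, guesses)."""
    guesses = 0
    for word in wordlist:
        for candidate in mutations(word):
            guesses += 1
            if sha256_hex(candidate) == target_hash:
                return candidate, guesses
    return None, guesses


def brute_force(target_hash: str, alphabet: str = string.ascii_lowercase + string.digits,
                max_len: int = 3):
    """Exhaust every string of 1..max_len characters over alphabet."""
    guesses = 0
    for length in range(1, max_len + 1):
        for chars in itertools.product(alphabet, repeat=length):
            guesses += 1
            candidate = "".join(chars)
            if sha256_hex(candidate) == target_hash:
                return candidate, guesses
    return None, guesses


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of passwords of exactly this length over an alphabet of that size."""
    return alphabet_size ** length


def seconds_to_exhaust(alphabet_size: int, length: int, guesses_per_second: float) -> float:
    """Worst-case time to try every password of this length at the given rate."""
    return keyspace(alphabet_size, length) / guesses_per_second


if __name__ == "__main__":
    # A 3-character password like the ones three Financing applications accepted.
    print(brute_force(sha256_hex("a1b")))                  # found after < 48,000 guesses
    print(dictionary_attack(sha256_hex("Welcome7")))       # found: a mutated dictionary word
    print(dictionary_attack(sha256_hex("Zebra2004!")))     # (None, ...) not in the list
    # Rate is an assumption for illustration; GPU crackers exceed it for fast hashes.
    print(f"{seconds_to_exhaust(62, 8, 1e9) / 3600:.0f} hours for 8 mixed-case alphanumerics at 1e9/s")
```

The interesting comparison is between the two failure modes: the 3-character password falls to exhaustive search in under 48,000 hashes, while "Welcome7" has eight characters and a digit and still falls to the wordlist because it is a dictionary word plus a digit. Length and composition rules help against the first attack only; screening against common words helps against the second.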
Improving Passwords at Financing
• 8 Month project to consolidate and
enhance application passwords
• Start November 2003, End May 2004
• Completed as a Green Belt project for 2
business and 2 IT project managers
Source: Interview and personal comments from Financing’s CIO – October 2004
Before consolidation . . .
[Diagram: five separate application databases, each with its own password store]
• 3 applications only required a password with 3
characters.
• Only 1 application had users change their
password annually.
• Users could only reset their password by calling
the support center.
After consolidation . . .
Single Sign On
• 5 distinct applications now use a Single Sign
On process.
• All applications share 1 common
authentication source and logon process.
User Benefits
• Only have to remember 1 password for
all 5 applications.
• Once logged into one application, can
jump right into other application.
• Navigation of applications is now much
easier for users.
Source: Interview and personal comments from Financing’s CIO – October 2004
The Big Question ???
Did the project 'Do The Right Thing?'
- or -
Did the project 'Do The Thing Right?'
Was ‘The Right Thing’ . . .
• Enabling ‘Single Sign On’ was ‘the right thing to
do’ only when implemented in conjunction with
new password rules, recommended by IBM:
– Password must be between 8 and 12 characters
– Password must have at least 1 number in it.
– Password cannot contain elements of user’s name,
company, address, or email address.
– New Passwords must be different from prior 12
passwords.
– New passwords cannot contain more than 6
repeated characters from the last password.
– Passwords must be changed every 90 days.
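The rule set above is concrete enough to implement, and implementing it exposes the two rules that are ambiguous as written. The following is an added example for this page, not Financing's or IBM's code. Two readings are assumptions: "elements of the user's name, company, address, or email" is taken to mean any word of three or more characters drawn from those fields, and "more than 6 repeated characters from the last password" is taken to mean more than six characters in common, counted with multiplicity, between the old and new password. Note for today's reader: NIST SP 800-63B (2017) advises against forced 90-day rotation and composition rules in favor of longer passwords screened against breached-password lists, and the 12-character maximum is the rule most at odds with current guidance.

```python
"""Password policy checker for the six rules above (added example; readings of
rules 3 and 5 are assumptions stated in the comments)."""
import hashlib
import os
import re
from collections import Counter
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import List, Optional

HISTORY_DEPTH = 12            # rule 4
MAX_AGE = timedelta(days=90)  # rule 6
MAX_OVERLAP = 6               # rule 5
PBKDF2_ROUNDS = 50_000        # slow hash for the history store (assumed parameter)


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


@dataclass
class Account:
    username: str
    full_name: str
    company: str
    address: str
    email: str
    salt: bytes = field(default_factory=lambda: os.urandom(16))
    history: list = field(default_factory=list)      # hashes, most recent last
    last_changed: date = field(default_factory=date.today)

    def personal_tokens(self):
        """Rule 3, assumed reading: any word of 3+ characters from the name, company,
        address, username and the local part of the e-mail address."""
        text = " ".join([self.full_name, self.company, self.address,
                         self.username, self.email.split("@")[0]])
        return {t.lower() for t in re.split(r"[^A-Za-z0-9]+", text) if len(t) >= 3}


def shared_characters(a: str, b: str) -> int:
    """Rule 5, assumed reading: characters common to both strings, with multiplicity."""
    return sum((Counter(a) & Counter(b)).values())


def validate_new_password(account: Account, new: str,
                          previous: Optional[str] = None) -> List[str]:
    """Return the list of violated rules; an empty list means the password is acceptable.
    `previous` is the current password the user types when changing it (needed for rule 5)."""
    problems = []
    if not 8 <= len(new) <= 12:
        problems.append("length must be 8 to 12 characters")
    if not any(c.isdigit() for c in new):
        problems.append("must contain at least one digit")
    lowered = new.lower()
    hits = sorted(t for t in account.personal_tokens() if t in lowered)
    if hits:
        problems.append(f"contains personal information: {hits}")
    if hash_password(new, account.salt) in account.history[-HISTORY_DEPTH:]:
        problems.append(f"matches one of the last {HISTORY_DEPTH} passwords")
    if previous is not None and shared_characters(new, previous) > MAX_OVERLAP:
        problems.append(f"shares more than {MAX_OVERLAP} characters with the previous password")
    return problems


def password_expired(account: Account, today: Optional[date] = None) -> bool:
    """Rule 6: a password 90 or more days old must be changed."""
    today = today or date.today()
    return today - account.last_changed >= MAX_AGE


def change_password(account: Account, new: str, previous: Optional[str] = None,
                    today: Optional[date] = None) -> List[str]:
    """Validate and, if acceptable, record the change. Returns the problem list."""
    problems = validate_new_password(account, new, previous)
    if not problems:
        account.history.append(hash_password(new, account.salt))
        account.history = account.history[-HISTORY_DEPTH:]
        account.last_changed = today or date.today()
    return problems


if __name__ == "__main__":
    # Constructed account; the identity fields are invented.
    acct = Account("jsmith", "Jane Smith", "Financing", "9700 Page Avenue", "jsmith@example.com")
    for candidate in ["abc", "Trumpets", "Smith2004", "Trumpet77"]:
        print(candidate, "->", validate_new_password(acct, candidate) or "OK")
```

The history check compares salted PBKDF2 hashes rather than storing old passwords, and the overlap check needs the old password only because the user is typing it at that moment; neither the server nor the history store ever keeps it.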
Additional Benefit
• Enhanced applications to allow users to
reset their password online if they forgot
it.
– This eliminated nearly 200 calls per month
to the application support center.
Source: Interview and personal comments from Financing’s CIO – October 2004
Results of Project
• Application security improved through
enforcing strong password rules.
• Users initially complained about having to
remember a more complicated password;
however, these complaints were short lived
when users realized they only had to remember
a single password for all 5 applications.
• Call center costs reduced by eliminating calls
from users who had forgotten their password.
Source: Interview and personal comments from Financing’s CIO – October 2004
Further Enhancing Security
• IT Department publishes articles focusing
on security in monthly newsletter to
customers.
• Currently considering
modifying ‘Single Sign
On’ system to use
security key validation.
Source: Interview and personal comments from Financing’s CIO – October 2004
Security Challenges:
Preventing Breaches
• Technology Use to Enhance On-Line
Security
 All user application traffic is transported
using SSL encryption.
Source: Interview and personal comments from Financing’s CIO – October 2004
Encryption Explained
[Diagram: the browser and the server each hold a key; the plaintext fields (My Credit Card, My Address, My Phone Number) are encrypted into gibberish such as "Jdhd923k" before crossing the Internet and decrypted again on the server]
Safety of Encryption ???
True or False:
Encryption prevents all third parties from
intercepting transactions?
The Answer is False . . .
• In reality, a third party who intercepts the traffic
could determine the correct key and decode the
encrypted transactions, given enough time.
• The time and effort to find a 128-bit key by trial is so
large relative to available computing power that
encrypted data is considered secure: the cost of
cracking the encryption outweighs the potential gain.
• In practice an attacker goes after the endpoints
instead of the cipher: a Trojan on the user's PC or a
spoofed web site sees the data before it is encrypted.
IT Infrastructure & Security
• IT resources for applications are
geographically separated across country.
• Applications are run on multiple server
clusters.
– If a single server goes down, other servers in
the cluster can immediately take over the
load from the down server.
Source: Interview and personal comments from Financing’s CIO – October 2004
Application Monitoring
• Impossible to predict when a system breach or
system outage may occur.
• IT cannot react to a situation until it has
occurred.
• Staff needs to be informed as soon as possible
when an outage occurs to reduce downtime.
• Fast disaster reaction time is made possible
through 24 / 7 application monitoring.
Source: Interview and personal comments from Financing’s CIO – October 2004
Application Monitoring (2)
• All applications are monitored by a third
party software tool run from multiple
locations.
• Question: Why must the monitoring tool
be run from multiple locations?
Answer: To ensure that the application is still
being monitored even if one of the locations
crashes, and to tell a local connectivity problem
apart from an application problem.
Key Components of Monitoring
• Monitoring tool confirms that the application is
up and running and can be accessed by
customers. Simulates the same actions as if a
user connects to the application through their
own web browser.
• Since the monitoring tool is acting like a user, it is
often called a 'robot'.
• The monitoring tool accesses the application and
invokes the most frequently used traffic flows
and transactions performed by users.
• The response time for each traffic flow and
transaction is recorded.
Preventing System Outages
• Each robot reports transaction times to a
central database.
• A system alarm is sounded if any transaction
time slows beyond a predetermined limit.
• Slow transactions point to a possible system
problem that needs to be investigated further,
possibly caused by a Denial of Service attack,
or a hardware problem (broken disk, failed
memory/processor, etc).
Benefits of System Monitoring
• Reduce application downtime by proactively
responding to problems before they cause a
system outage.
• Allow for High – Availability Service Level
Agreements.
• Quickly determine if reported system outages
are caused by network connectivity problems
as opposed to application problems.
Source: Interview and personal comments from Financing’s CIO – October 2004
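The three monitoring slides above describe one pipeline: robots at several locations time the common traffic flows, report to a central store, and an alarm fires when a transaction exceeds its limit. The evaluation logic below is an added example for this page, not Financing's tool; the locations, flows, limits and heartbeat window are assumed, and the reports are constructed. It goes one step past the text by using the multi-location design to decide whether a slow flow is an application problem or a connectivity problem at one location, which is the benefit the last slide claims.

```python
"""Central evaluation of transaction-time reports from monitoring robots (added example)."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional


@dataclass(frozen=True)
class Report:
    location: str                # where the robot runs
    flow: str                    # traffic flow it exercised, e.g. "login"
    elapsed_ms: Optional[float]  # response time; None if the flow failed outright
    at: datetime


# Assumed per-flow limits and heartbeat window; the page names neither.
LIMITS_MS = {"login": 2000, "view_balance": 1500, "make_payment": 3000}
HEARTBEAT = timedelta(minutes=5)


def latest_reports(reports):
    """Newest report per (location, flow)."""
    latest = {}
    for r in reports:
        key = (r.location, r.flow)
        if key not in latest or r.at > latest[key].at:
            latest[key] = r
    return latest


def evaluate(reports, now, limits=LIMITS_MS, heartbeat=HEARTBEAT):
    """Return alarms as (kind, subject, detail) tuples.

    robot_silent : a location has not reported within the heartbeat window
    application  : most live locations see the flow slow or failing, so the
                   application itself is suspect
    network      : only a minority of locations see it, so suspect connectivity
                   from that location rather than the application
    """
    alarms = []
    latest = latest_reports(reports)
    last_seen = {}
    for r in reports:
        last_seen[r.location] = max(last_seen.get(r.location, r.at), r.at)
    live = set()
    for loc, seen in sorted(last_seen.items()):
        if now - seen > heartbeat:
            alarms.append(("robot_silent", loc, f"no report since {seen.isoformat()}"))
        else:
            live.add(loc)
    for flow, limit in limits.items():
        slow, ok = [], []
        for loc in sorted(live):
            r = latest.get((loc, flow))
            if r is None:
                continue
            (slow if r.elapsed_ms is None or r.elapsed_ms > limit else ok).append(loc)
        if not slow:
            continue
        if len(slow) > len(ok):
            alarms.append(("application", flow, f"slow or failing from {slow}"))
        else:
            for loc in slow:
                alarms.append(("network", loc, f"{flow} slow only from this location"))
    return alarms


NOW = datetime(2004, 10, 15, 9, 0)


def sample_reports():
    """Constructed reports: three live robots plus one that went quiet at 08:40."""
    t = NOW - timedelta(minutes=1)
    data = [
        ("StLouis", "login", 800), ("Atlanta", "login", 950), ("Denver", "login", 900),
        ("StLouis", "view_balance", 600), ("Atlanta", "view_balance", 650),
        ("Denver", "view_balance", 3100),
        ("StLouis", "make_payment", 4500), ("Atlanta", "make_payment", 5200),
        ("Denver", "make_payment", None),
    ]
    reports = [Report(loc, flow, ms, t) for loc, flow, ms in data]
    reports.append(Report("Seattle", "login", 700, NOW - timedelta(minutes=20)))
    return reports


if __name__ == "__main__":
    for alarm in evaluate(sample_reports(), NOW):
        print(*alarm)
```

With the constructed data the evaluator raises three alarms: the Seattle robot is silent (and its stale numbers are ignored), make_payment is slow from every live location (an application alarm, possibly the DoS or hardware failure the slide mentions), and view_balance is slow from Denver only (a network alarm for that location). The login flow raises nothing.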
Security Challenges:
Fraud Prevention
“Currently so much emphasis has been put
on protecting systems from unauthorized
access and attack, that many have not
considered or made provisions for
security and fraud issues created by valid
application users themselves.”
- Financing’s CIO, 10/2004
Primary Fraud Concerns
• Applications do not allow transfer of funds to
external accounts, minimizing risk of external
fraud.
• Higher probability of customers trying to
manipulate data stored in system to their
advantage.
• Must walk the fine line between respecting the
customer while not allowing the customer to
take advantage of the company.
Source: Interview and personal comments from Financing’s CIO – October 2004
Application Logging
• All applications log all user activity from Logon
to Logout.
• Also logged are: IP address of computer used
for access, hostname of system used for
access, browser type, operating system, etc.
• System transactions such as interest
calculations and online document requests are
also logged. This allows tracking of calculation
or processing errors in back-end systems.
Source: Interview and personal comments from Financing’s CIO – October 2004
Business Intelligence & Security
• Logs are stored by username in a
separate database.
• Current data center capacity allows for
live storage of more than 2 years of logs.
• The live database allows on-demand
searching of any user's activity, which
streamlines the investigation process and
reduces call center call time.
Source: Interview and personal comments from Financing’s CIO – October 2004
Sample Fraud cases from 2004
Case 1: Fraudulent Payments
Customer calls to report that their bank
account has been debited several
thousand dollars in excess. The caller
suspects someone has broken into the
payment system using their account.
Source: Interview and personal comments from Financing’s CIO – October 2004
Fraud Investigation Process
• User calls Support Center to report suspicious
problem.
• Call center pulls up all of user’s transactions in
suspect period.
• Call center and customer identify suspicious
sessions / transactions, by comparing the
system log with the customer’s records.
• If fraud is identified, evidence is sent to fraud
department for investigation.
Source: Interview and personal comments from Financing’s CIO – October 2004
Problems with Fraud Investigation
• Fraud department borrows resources
from processing department and IT (both
support and development) to track down
error and determine root cause.
• When fraud is identified, fraud
department determines what reparations
will be given.
• Fraud investigation has a very high cost.
Source: Interview and personal comments from Financing’s CIO – October 2004
Preventing Fraud via Logging
• Transaction activity database allows for
83% of fraud cases to be resolved in one
call to the support center.
• Nearly 65% of suspected fraud cases are
not fraudulent and are resolved in less
than 20 minutes.
• How does this benefit the company?
Source: Interview and personal comments from Financing’s CIO – October 2004
Benefits to Company
• Lower risk, attract additional investment.
• Significant cost savings through minimal
fraud investigation.
• Increased shareholder and customer
confidence.
• Maintain high company image in light of
recent corporate account scandals.
Source: Interview and personal comments from Financing’s CIO – October 2004
Sample Fraud cases from 2004
Case 1: Fraudulent Payments – What happened?
• While a dealer’s bookkeeper (caller) was on vacation in
Florida, the dealer owner received a call from their
account rep telling them about a special discount
program if they made several extra payments that
month.
• Consequently the dealership owner logged into the
payment system, using the bookkeeper's username
and password that were posted in plain view on a 'post-it' note on her monitor, and made several payments.
Source: Interview and personal comments from Financing’s CIO – October 2004
Sample Fraud cases from 2004
Case 1: Fraudulent Payments – Resolution:
• Matter was resolved in one 12 minute call to the call
center.
 Call center rep was able to locate the suspect
transactions, confirm where and when they were
made.
 The bookkeeper was able to figure out what
happened by asking other staff around their office
who had used her computer while she was away.
 No need to escalate case to fraud department for
further investigation.
Source: Interview and personal comments from Financing’s CIO – October 2004
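The "Fraud Investigation Process" slide and the Case 1 resolution above describe the same procedure: pull the user's sessions for the suspect period from the per-user activity log, reconcile the logged payments against the customer's own records, and show where and when the suspect ones were made. The code below is an added example for this page, not Financing's system; the log records are constructed to match Case 1, where the extra payments came from the bookkeeper's own PC, so a host or IP check alone finds nothing and the reconciliation is what isolates them.

```python
"""Pulling a user's sessions from the activity log and reconciling them against
the customer's records (added example; log data constructed to mirror Case 1)."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime


@dataclass(frozen=True)
class LogEntry:
    username: str
    session: str
    at: datetime
    ip: str
    hostname: str
    browser: str
    action: str            # "logon", "payment", "view_statement", "logout", ...
    amount: float = 0.0
    txn_id: str = ""


def sessions_for_user(log, username, start, end):
    """The user's entries with start <= time <= end, grouped by session id, in time order."""
    by_session = defaultdict(list)
    for e in sorted(log, key=lambda e: e.at):
        if e.username == username and start <= e.at <= end:
            by_session[e.session].append(e)
    return dict(by_session)


def unreconciled_payments(sessions, ledger_txn_ids):
    """Payments the system logged that the customer's own books do not show."""
    return [e for entries in sessions.values() for e in entries
            if e.action == "payment" and e.txn_id not in ledger_txn_ids]


def sessions_from_unknown_host(sessions, known_hosts):
    """Sessions from a (hostname, ip) pair the user has not used before. In Case 1
    this finds nothing: the owner used the bookkeeper's own PC and posted password."""
    return {sid: entries for sid, entries in sessions.items()
            if (entries[0].hostname, entries[0].ip) not in known_hosts}


def investigate(log, username, start, end, ledger_txn_ids, known_hosts):
    """What the call-center rep needs on one screen during the call."""
    sessions = sessions_for_user(log, username, start, end)
    suspect = unreconciled_payments(sessions, ledger_txn_ids)
    return {
        "sessions": len(sessions),
        "suspect_payments": [(e.txn_id, e.amount, e.at.isoformat(), e.hostname, e.ip)
                             for e in suspect],
        "suspect_total": sum(e.amount for e in suspect),
        "unknown_hosts": sorted(sessions_from_unknown_host(sessions, known_hosts)),
    }


def sample_log():
    """Constructed log for the bookkeeper account 'bkeeper'; her vacation is 9-13 Aug 2004."""
    pc = ("10.1.1.23", "DEALER-PC07", "IE 6.0 / Windows XP")

    def e(session, when, action, amount=0.0, txn=""):
        return LogEntry("bkeeper", session, datetime.fromisoformat(when), *pc, action, amount, txn)

    return [
        e("s1", "2004-08-02T09:02:00", "logon"),
        e("s1", "2004-08-02T09:05:00", "payment", 1200.0, "P-1001"),
        e("s1", "2004-08-02T09:07:00", "logout"),
        e("s2", "2004-08-10T14:21:00", "logon"),            # during the vacation week
        e("s2", "2004-08-10T14:23:00", "payment", 2500.0, "P-1007"),
        e("s2", "2004-08-10T14:24:00", "payment", 2500.0, "P-1008"),
        e("s2", "2004-08-10T14:26:00", "logout"),
        e("s3", "2004-08-16T08:45:00", "logon"),
        e("s3", "2004-08-16T08:46:00", "view_statement"),
        LogEntry("otheruser", "s9", datetime(2004, 8, 10, 14, 30), "10.2.2.5",
                 "OTHER-PC", "IE 6.0 / Windows XP", "logon"),   # unrelated account
    ]


if __name__ == "__main__":
    report = investigate(sample_log(), "bkeeper",
                         datetime(2004, 8, 1), datetime(2004, 8, 31),
                         ledger_txn_ids={"P-1001"},
                         known_hosts={("DEALER-PC07", "10.1.1.23")})
    for key, value in report.items():
        print(f"{key}: {value}")
```

The output shows two unreconciled payments of $2,500 on 10 August from DEALER-PC07, the bookkeeper's own machine, and an empty unknown-host list. That combination is exactly what let the bookkeeper conclude on the call that someone in her own office had used her computer, without escalating to the fraud department.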
Security Challenges:
Sarbanes-Oxley Act of 2002
Sarbanes-Oxley Act Defined:
• Federal legislation passed as a result of the
accounting scandals at Enron, WorldCom, etc.
• Requires formal documentation of the processes
and internal controls behind financial reporting.
• Process documentation must be audited
annually to ensure it remains current.
• Major changes to business processes may
require more auditing.
• Nicknamed SOX for short.
Initial SOX Challenges
• All five of Financing’s primary applications
were identified as exchanging securities and
would be audited for SOX compliance.
• Initial process documentation difficult to
complete due to lack of good product
documentation and staff changes.
• Technical IT staff struggled to produce quality
documentation that could be used for audit
purposes. Initially had to borrow resources
from business units to draft documents.
Source: Interview and personal comments from Financing’s CIO – October 2004
Compliance with SOX
• Pros:
– Avoid legal action
(SOX is a federal law)
– Prevent Corporate
fraud
– Ensure overall
economic stability
– Improve public and
shareholder image
• Cons:
– Additional auditing
tasks
– Increased workload
for existing resources
– Additional costs for
auditing
– Slower development
time
Maintaining SOX Compliance
• Ongoing auditing requires further assistance
from technical staff to verify system behavior.
• SOX auditing is performed by external vendors,
such as KPMG, to ensure compliance.
• Any change to an application requires review
of its SOX documentation and possible revision,
hence increasing the time required to make
enhancements.
Source: Interview and personal comments from Financing’s CIO – October 2004
SOX Costs
• Majority of SOX auditing costs have fallen within
IT budget, as only IT analysts have full
knowledge of business processes and how they
are being technically implemented, which is
necessary for full documentation.
• Costs for SOX auditing have been fully funded
while still decreasing IT’s annual budget
through shifting more development and support
to Financing’s offshore resources.
Source: Interview and personal comments from Financing’s CIO – October 2004
SOX Compliance:
Lessons Learned
• Project management must allow sufficient time to
allow for SOX documentation.
• Appoint a SOX owner for each application who is
responsible for ongoing audits of documentation for
that application.
• Encourage all team members to think proactively
about SOX compliance. SOX owners are encouraged to
include technical staff in their ongoing reviews to help
develop strong documentation skills.
• Edit SOX documentation in an on-going fashion.
Source: Interview and personal comments from Financing’s CIO – October 2004
Security Comparison
• Budget
– HRC: Information not available.
– Financing: No line item budget amount. Security tasks are encompassed in other budget items.
• Dedicated Security Resources
– HRC: Dedicated resources responsible for systems and user accounts.
– Financing: Staff from other IT functions also serve to fulfill security responsibilities.
• Security Testing
– HRC: Information not available.
– Financing: Penetration test is conducted by an external vendor annually.
Security Comparison (2)
• Risk Assessment
– HRC: Risk controlled through maintaining access levels on all users and data.
– Financing: Business responsible for identifying business areas at risk; IT responsible for technical areas of risk.
• Security Architecture
– HRC: Security practices based on well-known models, such as the Bell-LaPadula Model.
– Financing: Applications designed in house; hence, the architecture team defined a security framework based on risks.
• Review Process
– HRC: Annual audits are performed by security officers.
– Financing: Security provisions are reviewed on an on-going basis as part of maintaining SOX documentation.
Security Best Practice Recommendations
From HRC:
• Password policies
• Firewall in place to discourage illegal sites
• Ensure you have a procedure in place to ensure all
personnel you let on the network have been fully screened
• Virus protection
• Do audits
From Financing:
• Use a strong password and change it regularly
• Monitor / restrict Internet access on workstations
• Hire a third party expert to evaluate security of systems
• Keep complete logs / backups for recovery purposes
• Proactively seek new / better security provisions
Sources Utilized
• http://archive.ncsa.uiuc.edu
• http://www.itsecurity.com/dictionary.html
• https://www.2xcitizen.usar.army.mil/2xhome.asp
• http://www.acerts.net
• http://www.infragard.net
Sources Utilized
• “FrontLine-Tips and Techniques to Protect Your
Information”; June 2004
• United States Army Reserve Information
Assurance Office
• Human Resources Command-St. Louis
Information Assurance Office
• Army Regulation (AR) 25-2, 14 November 2003
• Army Regulation (AR) 25-1, 30 June 2004