<?xml version='1.0' encoding='UTF-8'?><?xml-stylesheet href="http://www.blogger.com/styles/atom.css" type="text/css"?><feed xmlns='http://www.w3.org/2005/Atom' xmlns:openSearch='http://a9.com/-/spec/opensearchrss/1.0/' xmlns:georss='http://www.georss.org/georss'><id>tag:blogger.com,1999:blog-13567670</id><updated>2009-09-28T14:59:06.676-07:00</updated><title type='text'>Information Assurance: DITSCAP, DIACAP, ISP and SSAA Guidance</title><subtitle type='html'>Information Assurance: DITSCAP, DIACAP, SSAA, and ISP  Guidance from someone in the field.</subtitle><link rel='http://schemas.google.com/g/2005#feed' type='application/atom+xml' href='http://infoassure.blogspot.com/feeds/posts/default'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/13567670/posts/default'/><link rel='alternate' type='text/html' href='http://infoassure.blogspot.com/'/><link rel='hub' href='http://pubsubhubbub.appspot.com/'/><link rel='next' type='application/atom+xml' href='http://www.blogger.com/feeds/13567670/posts/default?start-index=26&amp;max-results=25'/><author><name>elamb</name><uri>http://www.blogger.com/profile/02957930840025847509</uri><email>noreply@blogger.com</email></author><generator version='7.00' uri='http://www.blogger.com'>Blogger</generator><openSearch:totalResults>29</openSearch:totalResults><openSearch:startIndex>1</openSearch:startIndex><openSearch:itemsPerPage>25</openSearch:itemsPerPage><entry><id>tag:blogger.com,1999:blog-13567670.post-115332745920199046</id><published>2006-07-19T09:28:00.000-07:00</published><updated>2006-07-20T06:18:10.756-07:00</updated><title type='text'>DIACAP is READY!!</title><content type='html'>&lt;div align="left"&gt;&lt;br /&gt;What is scary is that my blogs are on Google above some of the most informative pages about DIACAP.  For this reason, the government should have secured blogs and/or a forum (.mil/.gov only) to allow faster access to this kind of extremely important information.
C &amp; A, security engineering and IA officers get information much faster than the Gov't can publish.  A security forum or secure blogs would allow some email that we get on the latest news on IA issues to be posted immediately without fear of giving out unauthorized data over the Internet.  Just one man's opinion.&lt;/div&gt;&lt;br /&gt;&lt;strong&gt;DoD 8510.bb is signed and will supersede DoDI 5200.40 and DoDI 8510.1-M.   The DIACAP Knowledge Service site is up and ready to go:&lt;br /&gt;&lt;/strong&gt;&lt;br /&gt;&lt;a href="https://diacap.iaportal.navy.mil/" mce_href="https://diacap.iaportal.navy.mil/"&gt;https://diacap.iaportal.navy.mil&lt;/a&gt;. (.gov, .mil only)&lt;br /&gt;More information on the DIACAP - &lt;a href="http://www.sdissa.org/downloads/Revised_DIACAP_KS_eMASS_Brief" mce_href="http://www.sdissa.org/downloads/Revised_DIACAP_KS_eMASS_Brief%20ISSA_10-28-05.ppt"&gt;http://www.sdissa.org/downloads/Revised_DIACAP_KS_eMASS_Brief ISSA_10-28-05.ppt&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;What I don't get is how to get to eMASS.&lt;/strong&gt; &lt;br /&gt;&lt;br /&gt;Unless I have read wrong, the "Enterprise Mission Assurance Support System" (eMass)  is supposed to be the main feature for automating and streamlining the Certification and Accreditation process.  It seems that you have to get some sort of software to get access to eMass.  Not sure, I'm researching this while reading up on the new DIACAP documents. 
&lt;br /&gt;Here is some contact information on how to get on eMass - &lt;a href="https://diacap.iaportal.navy.mil/ks/links2/emass.aspx"&gt;https://diacap.iaportal.navy.mil/ks/links2/emass.aspx&lt;/a&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/13567670-115332745920199046?l=infoassure.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://infoassure.blogspot.com/feeds/115332745920199046/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='https://www.blogger.com/comment.g?blogID=13567670&amp;postID=115332745920199046&amp;isPopup=true' title='5 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/13567670/posts/default/115332745920199046'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/13567670/posts/default/115332745920199046'/><link rel='alternate' type='text/html' href='http://infoassure.blogspot.com/2006/07/diacap-is-ready.html' title='DIACAP is READY!!'/><author><name>elamb</name><uri>http://www.blogger.com/profile/02957930840025847509</uri><email>noreply@blogger.com</email><gd:extendedProperty xmlns:gd='http://schemas.google.com/g/2005' name='OpenSocialUserId' value='18313317199542542255'/></author><thr:total xmlns:thr='http://purl.org/syndication/thread/1.0'>5</thr:total></entry><entry><id>tag:blogger.com,1999:blog-13567670.post-114605936091924590</id><published>2006-04-26T06:47:00.000-07:00</published><updated>2006-04-26T07:06:58.893-07:00</updated><title type='text'>DIACAP Guide</title><content type='html'>&lt;strong&gt;This slide will tell you everything you need to know for now about the upcoming &lt;/strong&gt;&lt;br /&gt;&lt;strong&gt;DIACAP:&lt;/strong&gt;&lt;br /&gt;&lt;br /&gt;&lt;a 
href="http://www.sdissa.org/downloads/Revised_DIACAP_KS_eMASS_Brief"&gt;http://www.sdissa.org/downloads/Revised_DIACAP_KS_eMASS_Brief&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;According to rumors about the DIACAP, the document (8510.bb) is waiting to be signed. DoD 8510.bb will be the DIACAP Instruction guide. The DoD 8510.bb, Defense Information Assurance Certification and Accreditation Process will replace the 5200.40, DoD Information Technology Security Certification and Accreditation Process (DITSCAP) and 8510.1-M, Department of Defense Information Technology Security Certification and Accreditation Process (DITSCAP) Application Manual.&lt;br /&gt;&lt;br /&gt;READ MORE on the &lt;a href="http://www.elamb.org/hacked/diacap_guide.htm"&gt;DIACAP Guide&lt;/a&gt;.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/13567670-114605936091924590?l=infoassure.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='related' href='http://www.elamb.org/hacked/diacap_guide.htm' title='DIACAP Guide'/><link rel='replies' type='application/atom+xml' href='http://infoassure.blogspot.com/feeds/114605936091924590/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='https://www.blogger.com/comment.g?blogID=13567670&amp;postID=114605936091924590&amp;isPopup=true' title='1 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/13567670/posts/default/114605936091924590'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/13567670/posts/default/114605936091924590'/><link rel='alternate' type='text/html' href='http://infoassure.blogspot.com/2006/04/diacap-guide.html' title='DIACAP Guide'/><author><name>elamb</name><uri>http://www.blogger.com/profile/02957930840025847509</uri><email>noreply@blogger.com</email><gd:extendedProperty xmlns:gd='http://schemas.google.com/g/2005' name='OpenSocialUserId' 
value='18313317199542542255'/></author><thr:total xmlns:thr='http://purl.org/syndication/thread/1.0'>1</thr:total></entry><entry><id>tag:blogger.com,1999:blog-13567670.post-112785245192651730</id><published>2005-09-27T13:14:00.000-07:00</published><updated>2005-09-27T13:20:53.753-07:00</updated><title type='text'>e-Eye Retina Vulnerability Scanner replaces ISS</title><content type='html'>e-Eye Digital Security hit a home run in 2004 when they won the $6 million Defense Information System Agency’s I-ASSURE contract, which will allow their robust e-Eye Retina Vulnerability Scanner to be used on DOD systems worldwide.&lt;br /&gt;&lt;br /&gt;The Retina Vulnerability Scanner will be used to measure compliance with Department of Defense (DoD) Computer Emergency Response Team (CERT) Information Assurance Vulnerability Management Notices.&lt;br /&gt;&lt;br /&gt;The DOD used to use Internet System Security (ISS) vulnerability assessment tools exclusively for this task. However, on 30 September 2005 the ISS vulnerability tools will no longer be used by the Department of Defense.&lt;br /&gt;&lt;br /&gt;This comes at a time of the "cover up" CiscoGate controversy which involved ISS. In July 2005, Michael Lynn, a former research analyst with Internet Security Systems, resigned from the company just before releasing a major flaw in Cisco routers (many of which are on critical infrastructures).&lt;br /&gt;&lt;br /&gt;According to Lynn, Cisco and ISS allowed him to speak about the flaw at the Black Hat but suddenly changed their minds at the last minute, attempting to shut Lynn up with legal action. Cisco and ISS were trying to protect their shareholders at the cost of all the customers, organizations and nations that depend on the Cisco routers. From an ethical perspective, this was not a great way for an Internet System Security company to act.&lt;br /&gt;&lt;br /&gt;It will be interesting to see if e-Eye Digital will be more ethical than ISS as it comes to power. 
Something very evil tends to happen when large groups of people get together to gather large sums of money.&lt;br /&gt;&lt;br /&gt;As stated above, after Friday, 30 Sept 05, the ISS scanner will no longer be available. You should be able to download the new e-Eye Retina Network Security Scanner from one of the DISA pages:&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;ISS/Retina Vulnerability Scanners (DOD):&lt;br /&gt;&lt;/strong&gt;&lt;br /&gt;&lt;a href="https://powhatan.iiie.disa.mil/dodtools/sccvi/sccvi-registration.html"&gt;e-Eye Retina Network Security Scanner(SCCVI)&lt;/a&gt;&lt;br /&gt;&lt;a href="http://iase.disa.mil/stigs/iss/index.html"&gt;http://iase.disa.mil/stigs/iss/index.html&lt;/a&gt;&lt;br /&gt;&lt;a href="http://iase.disa.mil/stigs/iss/retina.html"&gt;http://iase.disa.mil/stigs/iss/retina.html&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;eEye Digital Security and DISA press release:&lt;/strong&gt;&lt;br /&gt;&lt;br /&gt;&lt;a href="http://www.eeye.com/html/company/press/PR20040623.html"&gt;http://www.eeye.com/html/company/press/PR20040623.html&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;Official Word from DISA&lt;br /&gt;&lt;br /&gt;Information Assurance Support Environment:&lt;br /&gt;&lt;/strong&gt;&lt;br /&gt;DISA IA Announcement: DISA will be converting from using Internet Security Scanner to the e-Eye Retina Network Security Scanner(SCCVI) effective 1 Aug 05 for all security reviews, compliance validations, certification efforts, etc. All open findings related to a penetration test conducted with the ISS tool will be archived (closed) as a Retina penetration test is conducted by DISA. The ISS findings are still valid open findings that need to be worked and closed by the site. 
However, sites are highly encouraged/recommended to perform a self-assessment using the Retina scanner, as soon as they receive the tool.&lt;br /&gt;&lt;br /&gt;Information, online training, and Retina software can be obtained from the http://iase.disa.mil website.&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;eEye Digital Security&lt;br /&gt;&lt;/strong&gt;&lt;br /&gt;&lt;a href="http://www.eeye.com/html/index.html"&gt;http://www.eeye.com/html/index.html&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;Retina Network Vulnerability Scanner:&lt;br /&gt;&lt;/strong&gt;&lt;br /&gt;&lt;a href="http://www.eeye.com/html/products/retina/index.html"&gt;http://www.eeye.com/html/products/retina/index.html&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;Resources&lt;br /&gt;&lt;br /&gt;&lt;a href="http://online.wsj.com/public/article/0,,SB112251394301198260-2zgDRmLtWgPF5vKgFn1qYJBjaG0_20050827,00.html?mod=blogs"&gt;ISS is Shady&lt;br /&gt;&lt;/a&gt;&lt;br /&gt;&lt;a href="http://www.eeye.com/html/company/press/PR20040623.html"&gt;e-Eye Press release&lt;br /&gt;&lt;/a&gt;&lt;br /&gt;&lt;a href="http://www.wired.com/news/technology/0,1282,68435,00.html?tw=wn_tophead_8"&gt;Inside CiscoGate&lt;br /&gt;&lt;/a&gt;&lt;br /&gt;&lt;a href="http://www.granick.com/blog/"&gt;Lynn’s Lawyer &lt;/a&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;a href="http://www.granick.com/blog/lynncomplaint.pdf"&gt;Cisco &amp;amp; ISS vs. 
Lynn &lt;/a&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/13567670-112785245192651730?l=infoassure.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='related' href='http://iase.disa.mil/stigs/iss/retina.html' title='e-Eye Retina Vulnerability Scanner replaces ISS'/><link rel='replies' type='application/atom+xml' href='http://infoassure.blogspot.com/feeds/112785245192651730/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='https://www.blogger.com/comment.g?blogID=13567670&amp;postID=112785245192651730&amp;isPopup=true' title='12 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/13567670/posts/default/112785245192651730'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/13567670/posts/default/112785245192651730'/><link rel='alternate' type='text/html' href='http://infoassure.blogspot.com/2005/09/e-eye-retina-vulnerability-scanner.html' title='e-Eye Retina Vulnerability Scanner replaces ISS'/><author><name>elamb</name><uri>http://www.blogger.com/profile/02957930840025847509</uri><email>noreply@blogger.com</email><gd:extendedProperty xmlns:gd='http://schemas.google.com/g/2005' name='OpenSocialUserId' value='18313317199542542255'/></author><thr:total xmlns:thr='http://purl.org/syndication/thread/1.0'>12</thr:total></entry><entry><id>tag:blogger.com,1999:blog-13567670.post-112724276975096052</id><published>2005-09-20T11:57:00.000-07:00</published><updated>2005-09-20T11:59:29.756-07:00</updated><title type='text'>First Step in Completing the SSAA</title><content type='html'>In my opinion understanding the system you are working on is the most important part of writing an System Security Authorization Agreement (SSAA).  
Once you have an understanding of the how the system works, why the system is necessary and what the current status of the system is it becomes much easier to put the pieces together.&lt;br /&gt;&lt;br /&gt;Although the SSAA is a very detailed document, much of the data in the document is filler information.  You are gathering information on the system or the system being created in order to put together a comprehensive account of security of the system.&lt;br /&gt;If you look at the outline below, you will see that much of the items require in the SSAA should already exist:&lt;br /&gt;&lt;br /&gt;1. MISSION DESCRIPTION AND SYSTEM IDENTIFICATION &lt;br /&gt;&lt;br /&gt;2. ENVIRONMENT DESCRIPTION&lt;br /&gt;&lt;br /&gt;3. SYSTEM ARCHITECTURAL DESCRIPTION&lt;br /&gt;&lt;br /&gt;4. ITSEC SYSTEM CLASS&lt;br /&gt;&lt;br /&gt;5. SYSTEM SECURITY REQUIREMENTS&lt;br /&gt;&lt;br /&gt;6. ORGANIZATIONS AND RESOURCES&lt;br /&gt;&lt;br /&gt;7. DITSCAP PLAN&lt;br /&gt;&lt;br /&gt;&lt;a href=" http://www.i-assure.com/services/ssaa_outline.htm"&gt;SSAA OUTLINE&lt;/a&gt; &lt;--- HERE&lt;br /&gt;&lt;br /&gt;The difficultly comes when you have very little information of resources (such as engineers who have worked on the system or old documentation).  That is when the SSAA gets tricky and each paragraph becomes like a mountain you must conquer. &lt;br /&gt;&lt;br /&gt;I’ve found that most of my challenges come from legacy systems that do not fit into the modern day security needs of the organization.  When this happens I don’t panic.  I’m simply assessing the system an reporting the facts.  
It is the Designated Approval Authority that must ultimately take the risk.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/13567670-112724276975096052?l=infoassure.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://infoassure.blogspot.com/feeds/112724276975096052/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='https://www.blogger.com/comment.g?blogID=13567670&amp;postID=112724276975096052&amp;isPopup=true' title='2 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/13567670/posts/default/112724276975096052'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/13567670/posts/default/112724276975096052'/><link rel='alternate' type='text/html' href='http://infoassure.blogspot.com/2005/09/first-step-in-completing-ssaa.html' title='First Step in Completing the SSAA'/><author><name>elamb</name><uri>http://www.blogger.com/profile/02957930840025847509</uri><email>noreply@blogger.com</email><gd:extendedProperty xmlns:gd='http://schemas.google.com/g/2005' name='OpenSocialUserId' value='18313317199542542255'/></author><thr:total xmlns:thr='http://purl.org/syndication/thread/1.0'>2</thr:total></entry><entry><id>tag:blogger.com,1999:blog-13567670.post-112715774898987483</id><published>2005-09-19T12:11:00.000-07:00</published><updated>2005-09-19T12:22:28.996-07:00</updated><title type='text'>Use Tags to Research ISPs, SSAAs or whatever</title><content type='html'>Del.icio.us &amp; and Technorati are great site you can use to research C4ISP/ISP, SSAA or whatever you want.  Since these sites are a whole new way to web lets start from the begining.&lt;br /&gt;&lt;br /&gt;There is a new branch of the Web growing like a well organized storm cloud. 
This recent trend on the Web can be used to strengthen your presence with major search engines and reach an active audience that is highly interested in your content.&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;Welcome to the world of "folksonomy" and "tagging."&lt;/strong&gt;&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;What is Folksonomy and Tagging? &lt;/strong&gt;&lt;br /&gt;&lt;br /&gt;Folksonomy is a combination of the words folks and taxonomy meaning "people classification management." This allows users some level of control over how the web is organized. One of the most popular tools of the folksonomy concept is tags. Tagging, in the context of this article, is the process of labeling a piece data with metadata.&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;Using Tagging &amp;amp; Folksonomy to Advertise &lt;/strong&gt;&lt;br /&gt;&lt;br /&gt;Three of the most effective sites currently using tags and/or folksonomy are: Del.icio.us, digg.com, and technorati. Each of these sites is a major player in the folksonomy world.&lt;br /&gt;&lt;br /&gt;Del.icio.us is a social bookmarking web application that is growing very fast in popularity. With a free account, del.icio.us users can submit and access all of their bookmarks from any computer with Internet access. By submitting and tagging your own web pages, you instantly give access to thousands of other users with interests in the same tags. Encouraging site visitors to submit your selected webpages to their own del.icio.us bookmark page is a very good way to get more exposure to del.icio.us users. Submitting to del.icio.us is instant and it creates meaningful relevant links important to the major search engines.&lt;br /&gt;&lt;br /&gt;Digg.com is mostly a technical news site. If you are familiar with the Web phenomenon Slashdot, then digg will remind you of that geek culture. The difference is that ALL of digg's content is created, submitted, and judged by its audience. 
If your page, blog or online article is good enough to be "dug" by digg users, you could receive literally hundreds of unique visitors immediately. Virtually any participation (comments, submissions, links in your profile) can get your site traffic from digg. The beauty of digg is that it is so popular that many submissions to digg can instantly dominate some keywords on search engines such as google.com.&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;Technorati.com&lt;/strong&gt; is a power house in the world of tagging. If you have a blog, Technorati should become one of your favorite search engines on the World Live Web. Many Technorati Tags are beginning to dominate the Web by having constantly updated, fresh blog content on highly focused subjects. The beauty of Technorati is that blog application such as blogware and others are completely integrated with it allowing blog categories to be instantly tagged and syndicated into the blog search engine. Any blog can be manually added as well to technorati's very open tagging system. Like digg, even if you only happen to get a trickle of traffic from technorati itself many times the link value alone will sky rocket the speed in which your site rank in the search engines.&lt;br /&gt;&lt;br /&gt;There are many other folksonomy sites that can help you with "tag syndication." With its encouragement to get users to submit their own RSS feeds as content, My Yahoo! is a great way to increase traffic and links. Web applications like TagCloud integrates RSS and tagging while wikipedia.org is method of allowing social webpage and content development. All these methods and many more have two great things in common 1) they are free (as of this writing) and 2) they give the power to reshape and categorize the Web to the people. 
If content is King then content management is the the kingdom.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/13567670-112715774898987483?l=infoassure.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://infoassure.blogspot.com/feeds/112715774898987483/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='https://www.blogger.com/comment.g?blogID=13567670&amp;postID=112715774898987483&amp;isPopup=true' title='2 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/13567670/posts/default/112715774898987483'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/13567670/posts/default/112715774898987483'/><link rel='alternate' type='text/html' href='http://infoassure.blogspot.com/2005/09/use-tags-to-research-isps-ssaas-or.html' title='Use Tags to Research ISPs, SSAAs or whatever'/><author><name>elamb</name><uri>http://www.blogger.com/profile/02957930840025847509</uri><email>noreply@blogger.com</email><gd:extendedProperty xmlns:gd='http://schemas.google.com/g/2005' name='OpenSocialUserId' value='18313317199542542255'/></author><thr:total xmlns:thr='http://purl.org/syndication/thread/1.0'>2</thr:total></entry><entry><id>tag:blogger.com,1999:blog-13567670.post-112709778348259312</id><published>2005-09-18T19:39:00.000-07:00</published><updated>2005-09-18T19:43:03.500-07:00</updated><title type='text'>Security Risks and Ways to Decrease Vulnerabilities in a 802.11b Wireless Environment</title><content type='html'>&lt;p style="font-weight: bold;"&gt;Introduction&lt;/p&gt; &lt;p&gt;This document explains topics relating to wireless networks. The main topics discussed include, what type of vulnerabilities exist today in 802.11 networks and ways that you can help prevent these vulnerabilities from happening. 
Wireless networks have not been around for many years. Federal Express has been using a type of wireless networks, common to the 802.11 networks used today, but the general public has recently just started to use wireless networking technology. Because of weak security that exists in wireless networks, companies such as Best Buy have decided to postpone the roll-out of wireless technology. The United States Government has done likewise and is suspending the use of wireless until a more universal, secure solution is available.&lt;/p&gt; &lt;p style="font-weight: bold;"&gt;Background&lt;/p&gt; &lt;p style="font-weight: bold;"&gt;What is Wireless?&lt;/p&gt; &lt;p&gt;Wireless LANs or Wi-Fi is a technology used to connect computers and devices together. Wireless LANs give persons more mobility and flexibility by allowing workers to stay connected to the Internet and to the network as they roam from one coverage area to another. This increases efficiency by allowing data to be entered and accessed on site.&lt;/p&gt; &lt;p&gt;Besides being very simple to install, WLANs are easy to understand and use. With few exceptions, everything to do with wired LANs applies to wireless LANs. They function like, and are commonly connected to, wired Ethernet networks.&lt;/p&gt; &lt;p&gt;The Wireless Ethernet Compatibility Alliance [WECA] is the industry organization that certifies 802.11 products that are deemed to meet a base standard of interoperability. The first family of products to be certified by WECA is that based on the 802.11b standard. This set of products is what we will be studying. Also more standards exist such as 802.11a and 802.11g.&lt;/p&gt; &lt;p&gt;The original 802.11 standard was published in 1999 and provides for data rates at up to 2 Mbps at 2.4 GHz, using either FHSS or DSSS. 
Since that time many task groups have been formed to create supplements and enhancements to the original 802.11 standard.&lt;/p&gt; &lt;p&gt;The 802.11b TG created a supplement to the original 802.11 standard, called 802.11b, which has become the industry standard for WLANs. It uses DSSS and provides data rates up to 11 Mbps at 2.4 Ghz. 802.11b will eventually be replaced by standards which have better QoS features, and better security.&lt;/p&gt; &lt;p style="font-weight: bold;"&gt;Network Topology&lt;/p&gt; &lt;p&gt;There are two main topologies in wireless networks which can be configured:&lt;/p&gt; &lt;p&gt;&lt;span style="font-weight: bold;"&gt;Peer-to-peer (ad hoc mode) – &lt;/span&gt;This configuration is identical to its wired counterpart, except without the wires. Two or more devices can talk to each other without an AP.&lt;/p&gt; &lt;p&gt;&lt;span style="font-weight: bold;"&gt;Client/Server (infrastructure networking) – &lt;/span&gt;This configuration is identical to its wired counterpart, except without the wires. This is the most common wireless network used today, and what most of the concepts in this paper apply to.&lt;/p&gt; &lt;p style="font-weight: bold;"&gt;Benefits of Wireless LANs&lt;/p&gt; &lt;ul&gt; &lt;li&gt;WLANs can be used to replace wired LANs, or as an extension of a wired infrastructure. It costs far less to deploy a wireless LAN than to deploy a wired one. A major cost of installing and modifying a wired network is the expense to run network and power cables, all in accordance with local building codes. 
Example of additional applications where the decision to deploy WLANs include:&lt;/li&gt;&lt;li&gt;Additions or moves of computers.&lt;/li&gt;&lt;li&gt;Installation of temporary networks&lt;/li&gt;&lt;li&gt;Installation of hard-to-wire locations&lt;/li&gt; &lt;/ul&gt; &lt;p&gt;Wireless LANs give you more mobility and flexibility by allowing you to stay connected to the Internet and to the network as you roam.&lt;/p&gt; &lt;p style="font-weight: bold;"&gt;Cons of Wireless LANs&lt;/p&gt; &lt;p&gt;Wireless LANs are a relatively new technology which has only been around since 1999. With any new technology, standards are always improving, but in the beginning are unreliable and insecure. Wired networks send traffic over a dedicated line that is physically private; WLANs send their traffic over shared space, airwaves. This introduces interference from other traffic and the need for additional security. Besides interference from other wireless LAN devices, the 2.4 GHz is also used by cordless phones and microwaves.&lt;/p&gt; &lt;p style="font-weight: bold;"&gt;Security Issues of WLANs&lt;/p&gt; &lt;ul&gt; &lt;li&gt;&lt;span style="font-weight: bold;"&gt;War-driving&lt;/span&gt;&lt;p&gt;&lt;br /&gt;War-driving is a process in which an individual uses a wireless device such as a laptop or PDA to drive around looking for wireless networks. Some people do this as a hobby and map out different wireless networks which they find. Other people, who can be considered hackers, will look for wireless networks and then break into the networks. If a wireless is not secure, it can be fairly easy to break into the network and obtain confidential information. Even with security, hackers can break the security and hack. 
One of the most prevalent tools used on PDAs and Microsoft windows devices is, Network Stumbler, which can be downloaded at &lt;a href="http://www.netstumbler.com./" target="_new"&gt;http://www.netstumbler.com.&lt;/a&gt; Equipped with the software and device, a person can map out wireless access points if a GPS unit is attached. Adding an antenna to the wireless card increases the capabilities of Wi-Fi. More information can be found at: &lt;a href="http://www.wardriving.info/" target="_new"&gt;http://www.wardriving.info&lt;/a&gt; and &lt;a href="http://www.wardriving.com/" target="_new"&gt;http://www.wardriving.com&lt;/a&gt; to name a few.&lt;/p&gt;&lt;/li&gt; &lt;/ul&gt;&lt;br /&gt;&lt;ul&gt; &lt;li&gt;&lt;span style="font-weight: bold;"&gt;War-chalking&lt;/span&gt;&lt;p&gt;War-chalking is a method of marking wireless networks by using chalk most commonly. War-driving is usually the method used to search for networks, and then the person will mark the network with chalk that gives information about the network. Some of the information would include, what the network name is, whether the network has security, and possibly the contact information of who owns the network. If your wireless network is War-chalked and you don't realize it, your network can be used and/or broken into faster, because of information shown about your network.&lt;/p&gt;&lt;/li&gt; &lt;/ul&gt; &lt;p style="font-weight: bold;"&gt;Eavesdropping &amp; Espionage&lt;/p&gt; &lt;p&gt;Because wireless communication is broadcast over radio waves, eavesdroppers who just listen over the airwaves can easily pick up unencrypted messages. These intruders put businesses at risk of exposing sensitive information to corporate espionage. 
Wireless LAN Security – What Hackers Know That You Don't www.airdefense.net Copyright 2002&lt;/p&gt; &lt;p style="font-weight: bold;"&gt;Internal Vulnerabilities&lt;/p&gt; &lt;p&gt;Within an organization network security can be compromised by ways such as, Rouge WLANs (or Rouge Aps), Insecure Network Configuration, and Accidental Associations to name a few.&lt;/p&gt; &lt;p&gt;&lt;span style="font-weight: bold;"&gt;Rouge Access Points – &lt;/span&gt;An employee of an organization might hook up an access point without the permission or even knowledge of IT. This is simple to do, all a person has to do is plug an Access point or wireless router into an existing live LAN jack and they are on the network. One statistic in 2001 by Gartner said that, “at least 20 percent of enterprises already have rouge access points.” Another type of attack would be if, someone from outside the organization, enters into the workplace and adds an Access Point by means of Social Engineering.&lt;/p&gt; &lt;p&gt;&lt;span style="font-weight: bold;"&gt;Insecure Network Configurations -&lt;/span&gt; Many companies think that if they are using a firewall or a technology such as VPN, they are automatically secure. This is not necessarily true because all security holes, big and small, can be exploited. Also if devices and technologies, such as VPNs, firewalls or routers, are mis-configured, the network can be compromised.&lt;/p&gt; &lt;p&gt;&lt;span style="font-weight: bold;"&gt;Accidental Associations –&lt;/span&gt; This can happen if a wireless network is setup using the same SSID as your network and within range of your wireless device. You may accidentally associate with their network without your knowledge. Connecting to another wireless LAN can divulge passwords or sensitive document to anyone on the neighboring network. 
Wireless LAN Security – What Hackers Know That You Don't www.airdefense.net Copyright 2002&lt;/p&gt; &lt;p&gt;&lt;span style="font-weight: bold;"&gt;Social Engineering –&lt;/span&gt; Social Engineering is one of the most effective and scariest types of attacks that can be done. This type of attack really scares me and can be done for many other purposes besides compromising security in wireless networks. A scenario: Someone dressed up as a support person from Cisco enters the workplace. The secretary sees his fake credentials and lets him get past the front desk. The impersonator walks from cubicle to cubicle, collecting user names and passwords as he goes. After finding a hidden corner, which seems to be lightly traveled, he plugs an insecure Access Point into the network. At the same time he configures the Access Point to not broadcast its SSID and modifies a few other settings to make it hard for the IT department to find this Rogue Access Point. He then leaves without ever being questioned by anyone because he looks like he fits in. Now all he has to do is be within 300 feet of the access point (more if he added an antenna), and he has access to all kinds of secure documents and data. This can be a devastating blow to any corporation and could eventually lead to bankruptcy if the secrets of the company were revealed to competitors.&lt;/p&gt; &lt;p&gt;Bruce Schneier came to my classroom and said the following about Social Engineering: “Someone is just trying to do their job, and be nice. Someone takes advantage of that by targeting this human nature. Social Engineering is unsolvable.”&lt;/p&gt; &lt;p style="font-weight: bold;"&gt;Securing Wireless Networks&lt;/p&gt; &lt;p&gt;According to Bruce Schneier and others such as Kevin Mitnick, you can never have a totally secure computing environment. What is often suggested is to try and control the damage which can be done if security is breached. 
One can try many different tools on the market which can help prevent security breaches.&lt;/p&gt; &lt;p&gt;&lt;span style="font-weight: bold;"&gt;WEP – &lt;/span&gt;WEP supports both 64 and 128-bit keys. Both are vulnerable, however, because the initialization vector is only 24 bits long in each case. Its RC4 algorithm, which is used securely in other implementations such as SSL, is quite vulnerable as used in WEP. &lt;a href="http://www.infosecuritymag.com/2002/jan/cover.shtml" target="_new"&gt;http://www.infosecuritymag.com/2002/jan/cover.shtml&lt;/a&gt; Wireless Insecurities By Dale Gardner. Different tools exist to break WEP keys, including AirSnort, which can be found at www.airsnort.net. Although WEP is not a secure solution, it can be used to help slow down an attacker if other means are not possible financially or otherwise.&lt;/p&gt; &lt;p&gt;&lt;span style="font-weight: bold;"&gt;VPN and IPSec -&lt;/span&gt; IPSec VPNs let companies connect remote offices or wireless connections using the public Internet rather than expensive leased lines or a managed data service. Encryption and authentication systems protect the data as it crosses the public network, so companies don't have to sacrifice data privacy and integrity for lower costs. A lot of VPNs exist on the market today. An important note about VPNs is that interoperability does not really exist: whatever you use for your server has to be the same brand as your clients most of the time. Some VPNs include:&lt;/p&gt; &lt;ul&gt; &lt;li&gt;Borderware&lt;/li&gt;&lt;li&gt;BroadConnex Networks&lt;/li&gt;&lt;li&gt;CheckPoint&lt;/li&gt;&lt;li&gt;Cisco&lt;/li&gt;&lt;li&gt;Computer Associates&lt;/li&gt; &lt;/ul&gt; &lt;p&gt;&lt;span style="font-weight: bold;"&gt;DMZ – &lt;/span&gt;Adding this to your network enables you to put your wireless network on an untrusted segment of your network.&lt;/p&gt; &lt;p&gt;&lt;span style="font-weight: bold;"&gt;Firewalls – &lt;/span&gt;Firewalls are all over the place. 
Firewalls range from hardware to software versions. Adding a firewall between the wireless network and wired network helps prevent hackers from accessing your wired network. This paper doesn't go into specifics about different firewalls and how to set them up, but there are many. Some of the firewalls include:&lt;/p&gt; &lt;ul&gt; &lt;li&gt;ZoneAlarm (an inexpensive software-based firewall) Zonelabs.com&lt;/li&gt;&lt;li&gt;Symantec has many different firewalls depending on what you require.&lt;/li&gt; &lt;/ul&gt; &lt;p&gt;&lt;span style="font-weight: bold;"&gt;PKI - Public-key infrastructure (PKI)&lt;/span&gt; is the combination of software, encryption technologies, and services that enables enterprises to protect the security of their communications and business transactions on the Internet. What is PKI? &lt;a href="http://verisign.netscape.com/security/pki/understanding.html" target="_new"&gt;http://verisign.netscape.com/security/pki/understanding.html&lt;/a&gt;&lt;/p&gt; &lt;p&gt;&lt;span style="font-weight: bold;"&gt;Site Surveys – &lt;/span&gt;Site Surveys involve using a software package and a wireless device to probe your network for Access Points and security risks.&lt;/p&gt; &lt;p style="font-weight: bold;"&gt;Proactive Approaches&lt;/p&gt; &lt;p&gt;Since wireless technology is insecure, companies or anyone else can take a proactive approach to try and identify hackers trying to gain access via wireless networks.&lt;/p&gt; &lt;p&gt;&lt;span style="font-weight: bold;"&gt;Honeypots – &lt;/span&gt;Honeypots are fake networks set up to try and lure in hackers. This enables administrators to find out more about what type of techniques hackers are using to gain access. One product is ManTrap, created by Symantec.&lt;/p&gt; &lt;p&gt;“ManTrap has the unique ability to detect both host- and network-based attacks, providing hybrid detection in a single solution. 
No matter how an internal or external attacker tries to compromise the system, Symantec ManTrap's decoy sensors will deliver holistic detection and response and provide detailed information through its system of data collection modules.”&lt;/p&gt; &lt;p&gt;&lt;a href="http://enterprisesecurity.symantec.com/products/products.cfm?ProductID=157" target="_new"&gt;http://enterprisesecurity.symantec.com/products/products.cfm?ProductID=157&lt;/a&gt;&lt;/p&gt; &lt;p&gt;&lt;span style="font-weight: bold;"&gt;Intrusion Detection – &lt;/span&gt;Intrusion Detection is software that monitors traffic on the network. It sounds a warning if a hacker is trying to access the network. One such free product is Snort.&lt;/p&gt; &lt;p&gt;“Before we proceed, there are a few basic concepts you should understand about Snort. There are three main modes in which Snort can be configured: sniffer, packet logger, and network intrusion detection system. Sniffer mode simply reads the packets off of the network and displays them for you in a continuous stream on the console. Packet logger mode logs the packets to the disk. Network intrusion detection mode is the most complex and configurable configuration, allowing Snort to analyze network traffic for matches against a user defined rule set and perform several actions based upon what it sees.” &lt;a href="http://www.snort.org/docs/writing_rules/chap1.html#tth_chAp1" target="_new"&gt;http://www.snort.org/docs/writing_rules/chap1.html#tth_chAp1&lt;/a&gt;&lt;/p&gt; &lt;p&gt;&lt;span style="font-weight: bold;"&gt;Network Monitoring -&lt;/span&gt; Network Monitoring covers products such as Snort that monitor the flow of traffic over the network.&lt;/p&gt; &lt;p style="font-weight: bold;"&gt;Quick tips and tricks&lt;/p&gt; &lt;ul&gt; &lt;li&gt;When setting up wireless networks and access points, there are a few quick steps that can be taken to immediately improve security, even though they do not make the network secure. 
Some of these ways include:&lt;/li&gt;&lt;li&gt;Change your default SSID: each router or access point comes with a default SSID. Changing it makes it take longer for an attacker to know what type of device he is trying to hack.&lt;/li&gt;&lt;li&gt;Change the default password: generic default passwords are assigned to access points and routers. Sometimes the password is admin. Once this password is changed, the attacker cannot modify settings on your router as easily.&lt;/li&gt;&lt;li&gt;Disable broadcasting SSID: By default APs broadcast their SSIDs; if you shut off this setting it is harder for outsiders to find your AP.&lt;/li&gt;&lt;li&gt;Enable MAC filtering: WARNING: this can only work in smaller environments where a centralized access list does not need to be maintained. You can allow only specific wireless cards to access the AP by enabling only those MAC addresses.&lt;/li&gt;&lt;li&gt;Turn off shares: If security is important, scanning for shares and turning off the shares on the network can help. Also, encrypting sensitive data can prevent hackers from accessing the data.&lt;/li&gt;&lt;li&gt;Put your wireless access points in a hard-to-find and hard-to-reach spot.&lt;/li&gt;&lt;li&gt;Keep your drivers on all wireless equipment updated. 
This helps patch existing security vulnerabilities.&lt;/li&gt;&lt;li&gt;Read current press releases about emerging wireless news.&lt;/li&gt; &lt;/ul&gt; &lt;p style="font-weight: bold;"&gt;About The Author&lt;/p&gt; &lt;p&gt;Richard J Johnson&lt;/p&gt; &lt;p&gt;Network+ Certified&lt;/p&gt; &lt;p&gt;RJ Computer Consulting&lt;/p&gt; &lt;p&gt;&lt;a href="http://rjcomputerconsulting.com/" target="_new"&gt;http://rjcomputerconsulting.com&lt;/a&gt;&lt;/p&gt; &lt;p style="font-weight: bold;"&gt;Richard@johnsorichard.com&lt;/p&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/13567670-112709778348259312?l=infoassure.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://infoassure.blogspot.com/feeds/112709778348259312/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='https://www.blogger.com/comment.g?blogID=13567670&amp;postID=112709778348259312&amp;isPopup=true' title='1 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/13567670/posts/default/112709778348259312'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/13567670/posts/default/112709778348259312'/><link rel='alternate' type='text/html' href='http://infoassure.blogspot.com/2005/09/security-risks-and-ways-to-decrease.html' title='Security Risks and Ways to Decrease Vulnerabilities in a 802.11b Wireless Environment'/><author><name>elamb</name><uri>http://www.blogger.com/profile/02957930840025847509</uri><email>noreply@blogger.com</email><gd:extendedProperty xmlns:gd='http://schemas.google.com/g/2005' name='OpenSocialUserId' value='18313317199542542255'/></author><thr:total 
xmlns:thr='http://purl.org/syndication/thread/1.0'>1</thr:total></entry><entry><id>tag:blogger.com,1999:blog-13567670.post-112698938841879212</id><published>2005-09-17T13:34:00.000-07:00</published><updated>2005-09-17T13:36:28.430-07:00</updated><title type='text'>Hacking Threats and Protective Security</title><content type='html'>&lt;p&gt;Written by: Michael Hart&lt;br /&gt;&lt;br /&gt;&lt;/p&gt; &lt;p&gt;The 1998 Data Protection Act was not an extension to, but rather a replacement of, the 1984 legislation, retaining the existing provisions of the data protection system that legislation established. The Act was to come into force from 24 October 1998 but was delayed until 1st March 2000.&lt;/p&gt; &lt;p&gt;In addition to data, manual records were to be brought within the terms of the new data protection system, thus extending subject access rights to such records.&lt;/p&gt; &lt;p&gt;Due to the allowances made for existing institutions to be brought into compliance with the new legislation, manual data processing that began before 24 October 1998 was to comply with the new subject access accommodations of the Act until 2001.&lt;/p&gt; &lt;p&gt;Now, 4 years later, there are still unresolved issues such as the security threats presented by computerisation. These can be divided into 3 broad categories:&lt;/p&gt; &lt;p&gt;&lt;i&gt;Incompatible usage:&lt;/i&gt;&lt;br /&gt;Where the problem is caused by an incompatible combination of hardware and software designed to do two unconnected but useful things, which creates weak links between them that can be compromised into doing things which they should not be able to.&lt;/p&gt; &lt;p&gt;&lt;i&gt;Physical:&lt;/i&gt;&lt;br /&gt;Where the potential problem is caused by giving unauthorised persons physical access to the machine, which might allow a user to do things that they should not be able to.&lt;/p&gt; &lt;p&gt;&lt;i&gt;Software:&lt;/i&gt;&lt;br /&gt;Where the problem is caused by badly written items of "privileged" 
software which can be compromised into doing things which they should not be able to.&lt;/p&gt; &lt;p&gt;&lt;b&gt;Security philosophy:&lt;/b&gt;&lt;br /&gt;A system's security implementations (software, protected hardware, and compatible) can be rendered essentially worthless without appropriate administrative procedures for computer system use.&lt;/p&gt; &lt;p&gt;The following details the results of the threat analysis. If a computer system were set up to mimic the current running of the health practice, the following considerations should be understood:&lt;/p&gt; &lt;p&gt;&lt;i&gt;Assets To Be Protected:&lt;/i&gt;&lt;br /&gt;Due to the nature of the institution, stable arrangements would need to be made to protect the:&lt;/p&gt; &lt;p&gt;&lt;i&gt;Data:&lt;/i&gt; Programs and data held in primary (random access and read only memory) and secondary (magnetic) storage media.&lt;/p&gt; &lt;p&gt;&lt;i&gt;Hardware:&lt;/i&gt; Microprocessors, communications links, routers, and primary / secondary storage media.&lt;/p&gt; &lt;p&gt;&lt;b&gt;Security Threats:&lt;/b&gt;&lt;br /&gt;The following details the relevant security threats to the institution and the more common causes of security compromise.&lt;/p&gt; &lt;p&gt;&lt;i&gt;Disclosure:&lt;/i&gt;&lt;br /&gt;Due to both the sensitive nature of the information to be stored and processed and the more stringent requirements of the new data protection legislation, all reasonable precautions must be taken to insure against this threat.&lt;/p&gt; &lt;p&gt;&lt;b&gt;Attackers:&lt;/b&gt;&lt;br /&gt;Although the vast majority of unauthorized access is committed by hackers to learn more about the way computer systems work, cracker activities could have serious consequences that may jeopardize an organisation due to the subsequent violation of the seventh data protection principle, i.e. that personal data shall be surrounded by proper security.&lt;/p&gt; &lt;p&gt;&lt;i&gt;The staff:&lt;/i&gt;&lt;br /&gt;It is widely believed that 
unauthorized access comes from the outside; however, 80% of security compromises are committed by hackers and crackers internal to the organisation.&lt;/p&gt; &lt;p&gt;&lt;i&gt;Operators:&lt;/i&gt;&lt;br /&gt;The people responsible for the installation and configuration of a system are of critical risk to security, inasmuch as they may:&lt;/p&gt; &lt;p&gt;[1] Have unlimited access to the system and thus the data.&lt;/p&gt; &lt;p&gt;[2] Be able to bypass the system protection mechanisms.&lt;/p&gt; &lt;p&gt;[3] Commit their passwords for your system to a book, or loose notes.&lt;/p&gt; &lt;p&gt;[4] Tend to use common passwords on all systems they create, so that a breach on one system may extend to others.&lt;/p&gt; &lt;p&gt;&lt;b&gt;The data subject:&lt;/b&gt;&lt;br /&gt;The data subject invoking the right to access personal data creates a breach in security by definition. To comply with such a request the data must be ‘unlocked’ to provide access to it, thus creating additional risks to security, inasmuch as:&lt;/p&gt; &lt;p&gt;[1] If copies have to be made, this will normally be by clerical staff who would not normally have such rights themselves.&lt;/p&gt; &lt;p&gt;[2] The copies may go astray whilst being made available.&lt;/p&gt; &lt;p&gt;[3] Verification of the identity of the data subject becomes very important.&lt;/p&gt; &lt;p&gt;&lt;b&gt;Software:&lt;/b&gt;&lt;br /&gt;Many businesses have database applications that are typically designed to allow one to two staff to handle a greater work load. Therefore such software does not allow validation (confirming that data entries are sensible) of the details the staff enter.&lt;/p&gt; &lt;p&gt;This is a critical security risk as it allows basic acts of fraud to be committed, such as bogus data entry (entering additional unauthorised information).&lt;/p&gt; &lt;p&gt;&lt;b&gt;Importance Of Good Security:&lt;/b&gt;&lt;br /&gt;Data is valuable in terms of time and money spent on gathering and processing it. 
Poor or inadequate system protection mechanisms can lead to malicious computer system attacks (illegal penetration and use of computer equipment).&lt;/p&gt; &lt;p&gt;One or more devious, vandalising crackers may damage a computer system and / or data. Such damage could have serious consequences, other than those of the subsequent violation of the seventh data protection principle, that may jeopardize the organisation. For example:&lt;/p&gt; &lt;p&gt;&lt;i&gt;Loss of information:&lt;/i&gt; Which can cost money to recreate.&lt;/p&gt; &lt;p&gt;&lt;i&gt;False information:&lt;/i&gt; With possible legal action taken.&lt;/p&gt; &lt;p&gt;&lt;i&gt;Bad management:&lt;/i&gt; Due to incorrect information.&lt;/p&gt; &lt;p&gt;&lt;b&gt;Principles Of Computer Security:&lt;/b&gt;&lt;br /&gt;The publication and exploration of inefficiencies and bugs in security programs that exist in all complex computer programs (including operating systems), methods of entry and ease of access to such technical information have meant that a system is only as secure as the people who have access to it and that good system security cannot be guaranteed by the application of a device or operating system.&lt;/p&gt; &lt;p&gt;&lt;b&gt;Computerisation:&lt;/b&gt;&lt;br /&gt;Media reports that draw public attention to the security threats inherent in the nature of programmable technology and the safety of individuals' information have given rise to situations where institutions entrusted with sensitive information need to spend as much time and energy to gain public trust in such systems as they do in providing services.&lt;/p&gt; &lt;p&gt;Although this scenario does not yet apply to the health industry inasmuch as the public are not yet the end users of the system, such social impressions must be considered:&lt;/p&gt; &lt;p&gt;This leads us to the question: if life with computers is so wondrous, how do you leave it? 
Simply flip a switch and everything will shut down and you can explore the marvels of the outside world. Computers are only tools and, just like an electric screwdriver, computers can save time and effort without taking anything away from you. All you have to decide is when you want to use a computer and when you don't; you're still in complete control of your life.&lt;/p&gt; &lt;p&gt;&lt;b&gt;Principles Of Inference:&lt;/b&gt;&lt;br /&gt;One of the new concepts introduced by the data protection legislation is ‘inference’, and data is now regarded as itself sensitive if sensitive data can be inferred from it. For example, if an estate agent displays complete details about one terraced house, you can infer what the neighbouring house is like. In a medical practice, full patient details about three members of a family could probably allow you to construct the details of a fourth.&lt;/p&gt; &lt;p&gt;This must be linked to the proposition that, in the last 10 years or so, more information has been stored about individuals than in all of previous history, and, because of computerisation, all of that information is capable of being pulled together from the different organisations (banks, stores, state, etc.) which hold it.&lt;/p&gt; &lt;p&gt;&lt;b&gt;Right To Privacy:&lt;/b&gt;&lt;br /&gt;It can be seen that the statement ‘The processing of personal computerised data represents a threat to the individual’s right to privacy’ is well founded. 
Unfortunately, until now, there has been no statutory right in English law to personal privacy.&lt;/p&gt; &lt;p&gt;For this reason, a right to privacy of that information has been set into the data protection legislation, and it is only such legislation that prevents complete dossiers from being compiled on any given individual.&lt;/p&gt; &lt;p&gt;Health professionals are exempted from the need for prior approval before processing personal information, for example, as it is clear the health of the individual overrides the individual’s right to privacy, and the consent can be taken for granted.&lt;/p&gt; &lt;p&gt;This does not prevent health professionals from having the full burden of protecting that information from unauthorised access, specifically due to the higher obligations placed on them by the Hippocratic oath, which states that a member of the medical profession should respect the secrets which are confided to them, even after the patient has died.&lt;/p&gt; &lt;p&gt;However, as can be seen from the exemptions and exceptions, a difficult balance has to be achieved between the right to privacy and the needs of the individual (and/or the organisation).&lt;/p&gt; &lt;p&gt;In the case of any entity or practice, the data subject’s right to the protection of the data that relates to them creates a conflict of interests between them and the practice, inasmuch as the complex security system needed for this requires extra administration, and the navigation of a complex system every time data is needed may place extra stress on the staff, both things the management may wish to avoid.&lt;/p&gt; &lt;p&gt;© I am the website administrator of the Wandle industrial museum (&lt;a target="_new" href="http://www.wandle.org/"&gt;http://www.wandle.org&lt;/a&gt;). 
Established in 1983 by local people to ensure that the history of the valley was no longer neglected but enhanced awareness its heritage for the use and benefits of the community.&lt;/p&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/13567670-112698938841879212?l=infoassure.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://infoassure.blogspot.com/feeds/112698938841879212/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='https://www.blogger.com/comment.g?blogID=13567670&amp;postID=112698938841879212&amp;isPopup=true' title='2 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/13567670/posts/default/112698938841879212'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/13567670/posts/default/112698938841879212'/><link rel='alternate' type='text/html' href='http://infoassure.blogspot.com/2005/09/hacking-threats-and-protective.html' title='Hacking Threats and Protective Security'/><author><name>elamb</name><uri>http://www.blogger.com/profile/02957930840025847509</uri><email>noreply@blogger.com</email><gd:extendedProperty xmlns:gd='http://schemas.google.com/g/2005' name='OpenSocialUserId' value='18313317199542542255'/></author><thr:total xmlns:thr='http://purl.org/syndication/thread/1.0'>2</thr:total></entry><entry><id>tag:blogger.com,1999:blog-13567670.post-112689184110937118</id><published>2005-09-16T10:24:00.000-07:00</published><updated>2005-09-16T10:30:41.116-07:00</updated><title type='text'>Network Vulnerability Assessment Notes</title><content type='html'>&lt;p&gt;&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;&lt;u&gt;What is a Vulnerability?&lt;/u&gt;&lt;/strong&gt;&lt;br /&gt;Weakness in a system that allows the system to be maliciously exploited&lt;br /&gt;and used outside of the way it was designed to be used and/or open to&lt;br 
/&gt;a threat increasing the risk of operational corruption or disaster.&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;&lt;u&gt;What is a Threat?&lt;/u&gt;&lt;/strong&gt;&lt;br /&gt;A possible danger to your system: a person, a thing, or an event that might attack the system either accidentally or deliberately.&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;&lt;u&gt;What is a Risk?&lt;/u&gt;&lt;/strong&gt;&lt;br /&gt;The potential of a threat to exploit a vulnerability.&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;&lt;u&gt;Vulnerability Assessment&lt;/u&gt;&lt;br /&gt;&lt;/strong&gt;A Vulnerability Assessment consists of determining the amount of risk associated with a given vulnerability, and the system's compliance with security policies and practices.&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;&lt;u&gt;Vulnerability Assessment Tasks:&lt;/u&gt;&lt;/strong&gt;&lt;br /&gt;-Identify System Vulnerabilities&lt;br /&gt;-Evaluate and measure risk associated with vulnerabilities&lt;br /&gt;-Point out possible solutions (if any)&lt;/p&gt;&lt;p&gt;&lt;br /&gt;&lt;strong&gt;Penetration Test Vs. 
Vulnerability Assessment&lt;br /&gt;Penetration Test:&lt;/strong&gt;&lt;br /&gt;-Use hacker techniques to break into a system&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;Vulnerability Assessment:&lt;br /&gt;&lt;/strong&gt;-Risk evaluation&lt;br /&gt;-Repeatable methods to uncover all vulnerabilities&lt;br /&gt;-Analysis of security practices and implementation of security policies&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;&lt;u&gt;6 Steps to a Solid Assessment&lt;/u&gt;&lt;br /&gt;&lt;/strong&gt;&lt;span style="font-size:85%;"&gt;&lt;em&gt;from Peltier's Network Vulnerability Assessment trainer&lt;/em&gt;&lt;/span&gt;&lt;br /&gt;Step 1: Site Survey&lt;br /&gt;Step 2: Develop a Test Plan&lt;br /&gt;Step 3: Build the Toolkit&lt;br /&gt;Step 4: Conduct the Assessment&lt;br /&gt;Step 5: Analysis&lt;br /&gt;Step 6: Documentation&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;&lt;u&gt;Reference:&lt;/u&gt;&lt;/strong&gt;&lt;br /&gt;&lt;a href="http://peltech.com"&gt;Peltech.com&lt;/a&gt;&lt;/p&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/13567670-112689184110937118?l=infoassure.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://infoassure.blogspot.com/feeds/112689184110937118/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='https://www.blogger.com/comment.g?blogID=13567670&amp;postID=112689184110937118&amp;isPopup=true' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/13567670/posts/default/112689184110937118'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/13567670/posts/default/112689184110937118'/><link rel='alternate' type='text/html' href='http://infoassure.blogspot.com/2005/09/network-vulnerability-assessment-notes.html' title='Network Vulnerability Assessment 
Notes'/><author><name>elamb</name><uri>http://www.blogger.com/profile/02957930840025847509</uri><email>noreply@blogger.com</email><gd:extendedProperty xmlns:gd='http://schemas.google.com/g/2005' name='OpenSocialUserId' value='18313317199542542255'/></author><thr:total xmlns:thr='http://purl.org/syndication/thread/1.0'>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-13567670.post-112684205188417316</id><published>2005-09-15T20:29:00.000-07:00</published><updated>2005-09-15T20:40:51.890-07:00</updated><title type='text'>NR-KPP stands for Net Ready Key Performance Parameters</title><content type='html'>&lt;span style="font-weight: bold;"&gt;NR-KPP stands for Net Ready Key Performance Parameters.&lt;/span&gt;&lt;br /&gt;Net Ready is the ability to have immediate access to mission or business essential information.  Like the term Netcentric, Net Readiness is the full exploitation of the Internet and/or Intranet whether the organization's primary mission is business, volunteerism or warfare. &lt;br /&gt;&lt;br /&gt;So Net Ready Key Performance Parameters refers to evaluating the “net readiness” of a given information system or organization. &lt;br /&gt;&lt;br /&gt; &lt;span style="font-weight: bold;"&gt;Formal Definition: &lt;/span&gt;&lt;br /&gt;NR-KPP was developed to assess net-ready attributes required for both the technical exchange of information and the end-to-end operational effectiveness of that exchange. 
The NR-KPP replaces the Interoperability KPP, and incorporates net-centric concepts for achieving Information Technology (IT) and National Security System (NSS) interoperability and supportability.&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;What are the elements within the Net Ready Key Performance Parameters?&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;Net Centric Operations and Warfare Reference Model (NCOW RM) Compliance Statement&lt;br /&gt;&lt;br /&gt;Information Assurance (IA) Accreditation Compliance Statement&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;Your guide on creating the NR-KPP will be the CJCSI 6212, Interoperability and Supportability on National Security Systems:&lt;br /&gt;&lt;br /&gt;Net-Ready Key Performance Parameter. All Information Support Plans (ISP) for systems that exchange information with other systems will contain a Net-Ready KPP. For all ISPs with an associated approved JCIDS CDD or CPD capabilities document, the ISP can refer to the associated CDD/CPD. ISPs for CRDs, ORDs, non-ACAT and fielded systems will include the NR-KPP in the ISP.&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;The NR-KPP will consist of the following:&lt;/span&gt;&lt;br /&gt;a. AV-1, OV-2, OV-4, OV-5, OV-6C&lt;br /&gt;b. SV-4, SV-5, SV-6&lt;br /&gt;c. TV-1 generated from DISR online&lt;br /&gt;d. Applicable CRD crosswalk (See Table D-3)&lt;br /&gt;e. Initial LISI Profile (Interface Requirements Profile) See Enclosure K&lt;br /&gt;f. NR-KPP statement. (Table I-1)&lt;br /&gt;g. IA Statement of Compliance&lt;br /&gt;h. 
Key Interface Profile (KIP) Declaration (list of the KIPs that apply to the system)&lt;br /&gt;&lt;br /&gt;Key Interface Profiles (KIPs) Compliance Statement&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;Reference: &lt;/span&gt;&lt;br /&gt;CJCSI 6212, Interoperability and Supportability on National Security Systems&lt;br /&gt;http://www.teao.saic.com/cbrtraining/docs/CJCSI_6212_01.pdf&lt;br /&gt;&lt;br /&gt;Net Ready -&gt; http://del.icio.us/tag/%22net%2Bready%22&lt;br /&gt;More on NR-KPP -&gt; http://del.icio.us/tag/%22nr%2Bkpp%22&lt;br /&gt;&lt;br /&gt;http://del.icio.us/rss/tag/netcentric&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/13567670-112684205188417316?l=infoassure.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://infoassure.blogspot.com/feeds/112684205188417316/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='https://www.blogger.com/comment.g?blogID=13567670&amp;postID=112684205188417316&amp;isPopup=true' title='2 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/13567670/posts/default/112684205188417316'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/13567670/posts/default/112684205188417316'/><link rel='alternate' type='text/html' href='http://infoassure.blogspot.com/2005/09/nr-kpp-stands-for-net-ready-key.html' title='NR-KPP stands for Net Ready Key Performance Parameters'/><author><name>elamb</name><uri>http://www.blogger.com/profile/02957930840025847509</uri><email>noreply@blogger.com</email><gd:extendedProperty xmlns:gd='http://schemas.google.com/g/2005' name='OpenSocialUserId' value='18313317199542542255'/></author><thr:total 
xmlns:thr='http://purl.org/syndication/thread/1.0'>2</thr:total></entry><entry><id>tag:blogger.com,1999:blog-13567670.post-112670905366348882</id><published>2005-09-14T07:40:00.000-07:00</published><updated>2005-09-14T07:44:13.670-07:00</updated><title type='text'>Information System Security Engineering Professional (ISSEP) certification</title><content type='html'>I've been thinking of taking the Information System Security Engineering Professional (ISSEP) certification. Since the CISSP info is still fresh in my mind and much of the ISSEP are things I do or have to deal with daily it seems like a good idea.&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;What is the ISSEP?&lt;/strong&gt;&lt;br /&gt;The ISSEP was developed by the International Information System Security Certification Consortium (ISC)2 in conjunction with the National Security Agency/IAD. Whereas the CISSP is an all-encompassing general look at security, the ISSEP is a concentration on the system security engineering process. System security engineering has to do with ensuring that selected solutions meet the mission or business security needs. It is defined as "the art and science of discovering users security needs, and designing and making with economy and elegance information systems so that they can safely resist the forces they might be subjected to."&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;System Security Engineers tasks:&lt;/strong&gt;&lt;br /&gt;Discover Information Protection Needs&lt;br /&gt;Define System Security Requirements&lt;br /&gt;Design System Security Architectures&lt;br /&gt;Develop Detailed Security Design&lt;br /&gt;Implement System Security&lt;br /&gt;Assess Information Protection Effectiveness&lt;br /&gt;&lt;strong&gt;&lt;br /&gt;Instead of ten Domains the ISSEP has four:&lt;/strong&gt;&lt;br /&gt;System Security Engineering&lt;br /&gt;Certification and Accreditation&lt;br /&gt;Technical Management&lt;br /&gt;U.S. 
Government Information Assurance Regulations&lt;br /&gt;&lt;br /&gt;Most of the ISSEP's material comes from the Information Assurance Technical Framework (IATF).&lt;br /&gt;&lt;br /&gt;My co-worker recently took the test and he said it was more difficult than the CISSP. The CISSP is easily THE most difficult test I've ever done. Although, since most of the information comes from the IATF, I'm not sure how it could be more difficult.&lt;br /&gt;The CISSP is so broad that you could not possibly get all the information from a single source.&lt;br /&gt;&lt;br /&gt;&lt;a href="http://www.acsac.org/2003/case/thu-c-1530-Oren.pdf"&gt;http://www.acsac.org/2003/case/thu-c-1530-Oren.pdf&lt;/a&gt;&lt;br /&gt;&lt;a href="http://www.nsa.gov"&gt;www.nsa.gov&lt;/a&gt;&lt;br /&gt;&lt;a href="http://www.isc2.org"&gt;www.isc2.org&lt;/a&gt;</content><link rel='related' href='http://www.acsac.org/2003/case/thu-c-1530-Oren.pdf' title='Information System Security Engineering Professional (ISSEP) certification'/><link rel='replies' type='application/atom+xml' href='http://infoassure.blogspot.com/feeds/112670905366348882/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='https://www.blogger.com/comment.g?blogID=13567670&amp;postID=112670905366348882&amp;isPopup=true' title='2 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/13567670/posts/default/112670905366348882'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/13567670/posts/default/112670905366348882'/><link rel='alternate' type='text/html' href='http://infoassure.blogspot.com/2005/09/information-system-security.html' title='Information System Security Engineering Professional (ISSEP) 
certification'/><author><name>elamb</name><uri>http://www.blogger.com/profile/02957930840025847509</uri><email>noreply@blogger.com</email><gd:extendedProperty xmlns:gd='http://schemas.google.com/g/2005' name='OpenSocialUserId' value='18313317199542542255'/></author><thr:total xmlns:thr='http://purl.org/syndication/thread/1.0'>2</thr:total></entry><entry><id>tag:blogger.com,1999:blog-13567670.post-112654524592546049</id><published>2005-09-12T10:13:00.000-07:00</published><updated>2005-09-12T10:14:05.940-07:00</updated><title type='text'>Taking the CISSP: part 1</title><content type='html'>&lt;P&gt;I took the CISSP.&amp;nbsp; I really don't know what to say about it aside from&amp;nbsp;acknowledging that&amp;nbsp;it was extremely difficult.&amp;nbsp; Andrew Briney's article is the most accurate description of the &lt;A href="http://infosecuritymag.techtarget.com/2003/jun/certifiable.shtml"&gt;CISSP test&lt;/A&gt;.&amp;nbsp; Briney says, "It's a mystery wrapped in riddle inside an enigma." &lt;/P&gt;&lt;br /&gt;&lt;P&gt;His other very true point: &lt;/P&gt;&lt;br /&gt;&lt;P&gt;"&lt;STRONG&gt;The exam is best characterized as an 'inch deep and a mile wide.' 
Whether this makes it easy or difficult is a matter of perspective&lt;/STRONG&gt;."&lt;/P&gt;&lt;br /&gt;&lt;P&gt;For me the hardest part was the answers.&amp;nbsp; I feel like I've mastered the art of studying for&amp;nbsp;a test.&amp;nbsp; The fact that there is so much&amp;nbsp;knowledge crammed in&amp;nbsp;a 250 question test makes my study techniques watered down.&amp;nbsp;&amp;nbsp;It's very difficult to cover all 10 domains&amp;nbsp;effectively.&lt;/P&gt;&lt;br /&gt;&lt;P&gt;I'm not one of those bastards that can walk into a test cold (no studying, no worries),&amp;nbsp;finish&amp;nbsp;in half the average time and&amp;nbsp;pass.&amp;nbsp; If I don't study, I fail.&amp;nbsp; I've learned to live with this.&amp;nbsp; I know my weakness.&amp;nbsp; I just second guess myself too much on every answer.&amp;nbsp; I'm one of those guys&amp;nbsp;that does not believe that&amp;nbsp;everything is black and white&amp;nbsp;but&amp;nbsp;that everything is a&amp;nbsp;million shades of gray.&amp;nbsp; For me that is where the difficulty lies.&amp;nbsp; The CISSP wants you to choose the "best" answer.&amp;nbsp; So while many or even ALL of the answers might be true, there is only one &lt;STRONG&gt;BEST&lt;/STRONG&gt; answer.&amp;nbsp; But my best might not be your best.&lt;/P&gt;&lt;br /&gt;&lt;P&gt;I've taken many certifications.&amp;nbsp; They have become almost a hobby of mine.&amp;nbsp; In June, I took the Security+ hoping it would help prepare me for the CISSP.&amp;nbsp; First of all let me just say comparing the&amp;nbsp;CISSP and&amp;nbsp;the Security+&amp;nbsp;is like comparing Lennox Lewis' fighting style&amp;nbsp;to that of&amp;nbsp;some 12-year-old girl from&amp;nbsp;John C. Still Middle&amp;nbsp;School.&amp;nbsp; There is&amp;nbsp;NO freakin' comparison... 
NONE, do you hear me!&amp;nbsp; The preparation that I put into the Security+ is what helped me in my CISSP success.&amp;nbsp; That being said, there were about&amp;nbsp;6 very similar questions from the Security+ that were on the CISSP but the CISSP contains ALL of the domains of the Security+ on a &lt;STRONG&gt;comprehensive&lt;/STRONG&gt; level.&lt;/P&gt;&lt;br /&gt;&lt;P&gt;As I said, I've taken many certs.&amp;nbsp; And&amp;nbsp;I&amp;nbsp;DO&amp;nbsp;think that taking a test makes&amp;nbsp;him smart or more technically skilled than some l33t hacker that has been cracking databases since age 12, but I believe some certifications have great value to the IT and Security industry.&amp;nbsp;&amp;nbsp;Many say that any dependency on certification is what is&amp;nbsp;lowering the amount of&amp;nbsp;IT and security professionals with skills.&amp;nbsp;&amp;nbsp;While there may be truth to that,&amp;nbsp;I say it&amp;nbsp;is just another way for employers to gauge whether or not they are investing in a skilled employee.&amp;nbsp; Whether they choose the right candidate will ultimately be decided&amp;nbsp;(just like anyone&amp;nbsp;else)&amp;nbsp;by time.&lt;/P&gt;&lt;br /&gt;&lt;P&gt;NO certification I have taken comes within an Astronomical Unit of the CISSP.&amp;nbsp; Of course I'm not an MCSE or a CCNP (though I've tasted the fruits of both) so perhaps there is a match in its level of difficulty.&lt;/P&gt;&lt;br /&gt;&lt;P&gt;Having taken the test I don't feel I was fully prepared&amp;nbsp;even though I have legitimate experience in nearly all aspects of security, I read a book&amp;nbsp;and studied on and off for a year before taking the test.&amp;nbsp; I tell you, this test beat the shit out of me.&amp;nbsp; They give you 6 hours to complete the test and I finished in 5 1/2 hours.&amp;nbsp; When I was done, I was sure I'd failed.&amp;nbsp; I started trying to think of ways I'd pay the company&amp;nbsp;back since they would not pay for a failed certification.&amp;nbsp; 
I also started studying for the repeat.&amp;nbsp; I was pleasantly surprised when I got the&amp;nbsp;"congratulations" email.&lt;/P&gt;&lt;br /&gt;&lt;P&gt;Adequate study for me would have consisted of reading no less than&amp;nbsp;two "600 page" books and&amp;nbsp;going to a boot camp.&amp;nbsp; &lt;/P&gt;&lt;br /&gt;&lt;P&gt;This is the best online CISSP resource I have found: &lt;A href="http://www.cccure.org/"&gt;www.cccure.org&lt;/A&gt;.&lt;/P&gt;&lt;br /&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;br /&gt;&lt;P&gt;Special shout-outs go to the &lt;A href="http://issa-cos.org/"&gt;ISSA COS chapter&lt;/A&gt;&amp;nbsp;and Mr. Proeller, so long and thanks for all the bagels.. bad, bad joke...42.&lt;/P&gt;</content><link rel='replies' type='application/atom+xml' href='http://infoassure.blogspot.com/feeds/112654524592546049/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='https://www.blogger.com/comment.g?blogID=13567670&amp;postID=112654524592546049&amp;isPopup=true' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/13567670/posts/default/112654524592546049'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/13567670/posts/default/112654524592546049'/><link rel='alternate' type='text/html' href='http://infoassure.blogspot.com/2005/09/taking-cissp-part-1.html' title='Taking the CISSP: part 1'/><author><name>elamb</name><uri>http://www.blogger.com/profile/02957930840025847509</uri><email>noreply@blogger.com</email><gd:extendedProperty xmlns:gd='http://schemas.google.com/g/2005' name='OpenSocialUserId' value='18313317199542542255'/></author><thr:total 
xmlns:thr='http://purl.org/syndication/thread/1.0'>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-13567670.post-112650509618480210</id><published>2005-09-11T23:04:00.000-07:00</published><updated>2005-09-11T23:07:12.146-07:00</updated><title type='text'>Information Security Vs. Information Technology career fields</title><content type='html'>In my experience Information Security as a career field is far superior to Information Technology (IT).  I've done both for a number of years.  IT seems to get worse every year and Information Security seems to get better.&lt;br /&gt;&lt;br /&gt;Overall Information Security pays better, has less competition from competent professionals and usually doesn't have a lot of out-of-country competition.  There are exceptions such as highly specialized IT jobs and management positions.  When I refer to "IT" I'm speaking of basic network engineers and System Administrators, not WAN engineering CCIEs, or IT guys running their own business contracts or very specialized software coders that know assembly.  I used to be very excited about IT until I went into the private sector for about a year.&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;Why does Information Technology suck as a career field?&lt;/span&gt;&lt;br /&gt;Well it doesn't necessarily SUCK, but there are several reasons why I will more than likely never go back to vanilla-flavored IT: &lt;span style="font-weight: bold;"&gt;Too much work, Slave wages, competition&lt;/span&gt;.&lt;br /&gt;&lt;br /&gt;Let's start with too much work.  Many businesses that rely heavily on their servers, routers, databases and other information systems want their systems to be up 24/7, which requires on-call workers.  I used to be excited about getting the pager and/or corporate cellphone until I got called a few times at the crack of ASS on a weekend.  When a critical system goes down, the IT person's pager blows up.  
This sometimes means working long hours.  When you are on call, your free time is completely dependent on the status of the Information System.  FYI, the system hardly ever goes down when you're sitting at home thinking, "Damn, I'm bored! I wish I could fix the server."  It usually goes off when you're at your daughter's graduation or in the middle of your marriage about to say "I DO" or in mid-stroke when you're about to orgasm.&lt;br /&gt;&lt;br /&gt;Information Security specialists can also have a "digital leash."  But a major virus taking down an entire network is much more rare than a system crash or user error.. especially if you have Windows behind a good robust firewall.&lt;br /&gt;&lt;br /&gt;Slave wages.. o.k. that's an overstatement, but unless you are specialized, as stated above, you will be hard pressed to make over 55k in a basic IT job.  Now 55k is pretty good, but in security you can make as much as 100k (particularly in forensics).&lt;br /&gt;&lt;br /&gt;The low wages are directly related to the amazing amount of competition you will face as an IT guy.  Where I live there are a handful of military installations which crank out bright young service members who are willing to take the minimum that most companies will pay.  One of the biggest competitors may not even come from your country of origin.  In the U.S., global outsourcing has become an epidemic.  India is one of the biggest competitors for American IT jobs including help desk and software engineering.&lt;br /&gt;&lt;br /&gt;Information Security typically hires within the host country's borders.  Many even require a security clearance which greatly limits not only international competition, but local competition as well. &lt;br /&gt;&lt;br /&gt;The bottom line in Information Technology and Information Security is specialization.  
The more skilled you are at one particular trade, the more certifications, licenses and degrees you have focusing on one specialized skill that is in demand, the better. They may just be pieces of paper but consider them ammunition against the competition that wants YOUR job.  The specialization doesn't have to be in Security; it could be in Database Analysis or Network Management or some programming language.</content><link rel='replies' type='application/atom+xml' href='http://infoassure.blogspot.com/feeds/112650509618480210/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='https://www.blogger.com/comment.g?blogID=13567670&amp;postID=112650509618480210&amp;isPopup=true' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/13567670/posts/default/112650509618480210'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/13567670/posts/default/112650509618480210'/><link rel='alternate' type='text/html' href='http://infoassure.blogspot.com/2005/09/information-security-vs-information.html' title='Information Security Vs. 
Information Technology career fields'/><author><name>elamb</name><uri>http://www.blogger.com/profile/02957930840025847509</uri><email>noreply@blogger.com</email><gd:extendedProperty xmlns:gd='http://schemas.google.com/g/2005' name='OpenSocialUserId' value='18313317199542542255'/></author><thr:total xmlns:thr='http://purl.org/syndication/thread/1.0'>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-13567670.post-112623777366609334</id><published>2005-09-08T20:48:00.000-07:00</published><updated>2005-09-08T21:11:05.526-07:00</updated><title type='text'>ISP Architectural Views</title><content type='html'>&lt;pre&gt;&lt;br /&gt;One of the most important parts of an Information Support Plan&lt;br /&gt;(previously known as a C4ISP) is the Architectural Views.&lt;br /&gt;The &lt;a href="http://www.aitcnet.org/dodfw/"&gt;DoD Architectural Framework&lt;/a&gt; Document describes each view&lt;br /&gt;in painful, painful detail.  Since the C4ISP has been&lt;br /&gt;changed into the ISP, the DoD Architectural Framework is a&lt;br /&gt;bit outdated.  For example it doesn't mention "ISP" and&lt;br /&gt;also includes some old views that have been phased out such&lt;br /&gt;as OV-3 and SV-1.  The following gives my view on some of&lt;br /&gt;the views.&lt;br /&gt;&lt;br /&gt;In my limited experience creating views is a very iterative&lt;br /&gt;process, meaning you create a little, then you tweak and&lt;br /&gt;change them as you go.&lt;br /&gt;&lt;br /&gt;AV-1 Overview and Summary Information is a breeze if you&lt;br /&gt;have all the appropriate information readily available.&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;Operational Views (OV)&lt;/span&gt;&lt;br /&gt;These are fun for me because I feel like I understand&lt;br /&gt;them.  OV-1, High-level Operational Concept Graphic, is&lt;br /&gt;one that I've had the pleasure of not having to do. &lt;br /&gt;Merely starting it was a bit of a challenge.  It is&lt;br /&gt;intended to look pretty. 
I've seen it done effectively&lt;br /&gt;with MS Word and PowerPoint.&lt;br /&gt;&lt;br /&gt;OV-2 is Operational Node Connectivity.  As a network guy,&lt;br /&gt;this is my favorite.  I use Visio for this one with&lt;br /&gt;simple shapes representing the nodes or you can get&lt;br /&gt;fancy and use computer icons.  OV-4, Organizational&lt;br /&gt;Relationship Chart, is another fun, easy diagram that can&lt;br /&gt;be created with Visio or Word using simple shapes. &lt;br /&gt;OV-5 is the Activity Model.  Since it is so closely&lt;br /&gt;tied to SV-4, Functional Description, and SV-5,&lt;br /&gt;Operational Activity to System Function Traceability&lt;br /&gt;Matrix, it is very, very iterative and not one of my&lt;br /&gt;favorites. I complete these three one after another. &lt;br /&gt;Both SV-4 and OV-5 must be completed before you do SV-5&lt;br /&gt;since all the info in SV-5 comes from those two.&lt;br /&gt;OV-6c, Operational Event-Trace Description, requires a&lt;br /&gt;very good understanding of what happens to the data&lt;br /&gt;upon entering the system.  But once you have that&lt;br /&gt;nailed down it is fairly straightforward.  The logical&lt;br /&gt;data model, OV-7, can get a bit convoluted, I imagine. &lt;br /&gt;In it you are supposed to give a visual representation of&lt;br /&gt;the various domains.&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;System Views (SV)&lt;/span&gt;&lt;br /&gt;The SV's can get a little gray as some of the views can&lt;br /&gt;touch on things that involve your system but you have&lt;br /&gt;perhaps only heard of.  For example, if your system "A"&lt;br /&gt;connects with System "B" you may have to show that&lt;br /&gt;connection even though you don't know much of anything&lt;br /&gt;about System "B". I haven't seen SV-1 on the &lt;a href="http://www.teao.saic.com/cbrtraining/archpro01.asp"&gt;Teao Saic&lt;/a&gt;&lt;br /&gt;site so I assume it has been phased out. But it deals&lt;br /&gt;with Interfaces.  
SV-2, System Communication Description,&lt;br /&gt;is very much like the example of system "A" in relation&lt;br /&gt;to "B".  SV-2 shows how your system communicates/connects&lt;br /&gt;with other systems.  It's almost like a bird's-eye view of&lt;br /&gt;OV-2. SV-4, System Functionality Description, is, like I said&lt;br /&gt;in the OV section, closely related to OV-5 and SV-5.  So&lt;br /&gt;if one changes, they may all have to change.&lt;br /&gt;SV-5 is a large table that shows the direct relationship&lt;br /&gt;between Operational Activity and System Function.  It is a&lt;br /&gt;pain in the ass for the reason stated above. SV-6 can be a&lt;br /&gt;very complex table.  It is the System Data Exchange&lt;br /&gt;Matrix.. you'll note that anything with the word "matrix"&lt;br /&gt;in it sucks.  That is because one change on a separate&lt;br /&gt;view can cause changes in other views and almost always&lt;br /&gt;includes the matrices.&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;Technical View (TV)&lt;/span&gt;&lt;br /&gt;TV-1, Technical Standards, merely lists all the capabilities&lt;br /&gt;of the system and references each of the technical standards&lt;br /&gt;used.&lt;br /&gt;&lt;br /&gt;That is my opinion of the ISP views.  
I hope you find them as relatively painless&lt;br /&gt;as I did, and if not, this site will help you out ---&gt;&lt;br /&gt;&lt;a href="http://www.teao.saic.com/cbrtraining/archpro01.asp"&gt;http://www.teao.saic.com/cbrtraining/archpro01.asp&lt;/a&gt;&lt;br /&gt;&lt;/pre&gt;</content><link rel='related' href='http://www.teao.saic.com/cbrtraining/archpro01.asp' title='ISP Architectural Views'/><link rel='replies' type='application/atom+xml' href='http://infoassure.blogspot.com/feeds/112623777366609334/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='https://www.blogger.com/comment.g?blogID=13567670&amp;postID=112623777366609334&amp;isPopup=true' title='1 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/13567670/posts/default/112623777366609334'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/13567670/posts/default/112623777366609334'/><link rel='alternate' type='text/html' href='http://infoassure.blogspot.com/2005/09/isp-architectural-views.html' title='ISP Architectural Views'/><author><name>elamb</name><uri>http://www.blogger.com/profile/02957930840025847509</uri><email>noreply@blogger.com</email><gd:extendedProperty xmlns:gd='http://schemas.google.com/g/2005' name='OpenSocialUserId' value='18313317199542542255'/></author><thr:total xmlns:thr='http://purl.org/syndication/thread/1.0'>1</thr:total></entry><entry><id>tag:blogger.com,1999:blog-13567670.post-112474125118417643</id><published>2005-08-22T12:27:00.000-07:00</published><updated>2005-11-03T09:48:32.016-08:00</updated><title type='text'>More on System Security Engineering - AFI 31-207</title><content type='html'>&lt;a href="http://www.edwards.af.mil/pim/FTCePubs/obsoletepubs.htm"&gt;AFI 31-207, System 
Security Engineering was rescinded on 15 July 98&lt;/a&gt;. Guidelines for System Security Engineering can be found in Chapter 3 of the &lt;a href="http://152.229.169.35/pubs/info.asp?shorttitle=AFPAM63-1701"&gt;AFPAM 63-1701&lt;/a&gt;.&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;I haven't found a lot of information for what System Security Engineers actually do. Sometimes it seems like the field isn't quite nailed down since we do everything from penetration tests to business plans to acquisition system security.&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;Here is a formal description from chapter 3 of the AFPAM 63-1701&lt;/strong&gt; &lt;em&gt;(1701 is a combination of some of the information previously contained in AFI 31-701, Program Protection Planning, AFI 31-702, System Security Engineering, and AFI 31-703, Product Security)&lt;/em&gt;:&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;According to AFPAM 63-1701, the purpose of System Security Engineers (SSE) is to eliminate, reduce, or control, through engineering and design, any characteristics that could result in the deployment of systems with operational security deficiencies.&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;Here are some of the things I've had to do as a System Security Engineer:&lt;/strong&gt;&lt;br /&gt;&lt;br /&gt;- SYSTEM SECURITY AUTHORIZATION AGREEMENT (SSAA)&lt;br /&gt;- INFORMATION SUPPORT PLAN&lt;br /&gt;- Security documentation for Information System Security Officers&lt;br /&gt;- PROGRAM PROTECTION PLAN&lt;br /&gt;- CONSULT ON SECURITY ISSUES FOR SMC PM’S SYSTEM ENGINEERS&lt;br /&gt;- PROVIDE ON-SITE ISSO TRAINING&lt;br /&gt;- MAINTAIN TCNO DATABASE&lt;br /&gt;- Security Tests and Evaluation (ST&amp;amp;E - write the plan and implement it)&lt;br /&gt;- Certification Test and Evaluation (CT&amp;amp;E)&lt;br /&gt;- Vulnerability Assessments (network etc)&lt;br /&gt;- Physical Security Assessment&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;What kind of knowledge and skills does an SSE 
need?&lt;/strong&gt;&lt;br /&gt;&lt;br /&gt;Strong understanding of security, of course. I've noticed that only about 50% of the SSE's have degrees, but ALL have solid experience in the fields of physical security, information security, personnel security, and/or network/computer security. Prior military are often drawn to this field because service men are usually groomed for nearly every aspect of security and safety as a basic part of their job.&lt;br /&gt;&lt;br /&gt;Strong written and oral skills are needed as much as the understanding of security, as SSE's often make very detailed, documented assessments of multimillion dollar systems and facilities and do presentations for managers and executives.&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;What kind of degrees and certifications do SSE's have?&lt;/strong&gt;&lt;br /&gt;&lt;br /&gt;Computer degrees such as BS/IT, BS/EE, Computer Science, and Information System degrees are the norm. But with universities creating all these new Information Assurance/Security degrees, I imagine the bar will be raised in the next 5-6 years. Experience will always outweigh a degree.&lt;br /&gt;&lt;br /&gt;Without a degree and/or a lot of experience, an SSE can definitely get by on a Certified Information System Security Professional (CISSP) certification and some experience in a security related field. The ultimate certification for an SSE is an &lt;strong&gt;ISSEP&lt;/strong&gt;, &lt;a href="http://infoassure.blogspot.com/2005/09/information-system-security.html"&gt;Information System Security Engineering Professional Certification&lt;/a&gt; from ISC2. Although this is one of the most prestigious certifications that an SSE can achieve, there are other technical and security certs and licenses that could help enhance a resume. 
Security Resource manager training (for example) would be a great bullet to put on a resume although they do all physical security.&lt;br /&gt;&lt;br /&gt;The types of certs, degrees and background you need are really dependent on the type of job you are going for. CISSP is such an all-encompassing security certification (covering everything from circumstantial evidence to SSL) that as an SSE, you cannot go wrong with it.&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;Other things SSE's do:&lt;/strong&gt;&lt;br /&gt;&lt;strong&gt;&lt;/strong&gt;&lt;br /&gt;As mentioned above, I've been tasked to do an Information Support Plan (ISP) which is like a Business Continuity Plan. This is a management type document but since security, risk and vulnerability assessments have such an important role in the ISP, it is natural that an SSE be tasked to do one.&lt;br /&gt;&lt;br /&gt;I've also been tasked to do penetration testing which involves hacking a system to see what kind of security features are effectively implemented on a system.</content><link rel='replies' type='application/atom+xml' href='http://infoassure.blogspot.com/feeds/112474125118417643/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='https://www.blogger.com/comment.g?blogID=13567670&amp;postID=112474125118417643&amp;isPopup=true' title='4 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/13567670/posts/default/112474125118417643'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/13567670/posts/default/112474125118417643'/><link rel='alternate' type='text/html' href='http://infoassure.blogspot.com/2005/08/more-on-system-security-engineering.html' title='More on System Security Engineering - AFI 
31-207'/><author><name>elamb</name><uri>http://www.blogger.com/profile/02957930840025847509</uri><email>noreply@blogger.com</email><gd:extendedProperty xmlns:gd='http://schemas.google.com/g/2005' name='OpenSocialUserId' value='18313317199542542255'/></author><thr:total xmlns:thr='http://purl.org/syndication/thread/1.0'>4</thr:total></entry><entry><id>tag:blogger.com,1999:blog-13567670.post-112240851412179998</id><published>2005-07-26T12:42:00.000-07:00</published><updated>2005-10-26T07:51:08.480-07:00</updated><title type='text'>Security Tests and Evaluation (ST&amp;E)/Trusted Facility Manual (TFM) Templates</title><content type='html'>Air Mobility Command (AMC) has one of the best Security Testing and Evaluation Templates I've seen. I think they get them from DISA and make some alterations. Either way, great job guys:&lt;br /&gt;&lt;br /&gt;&lt;a href="https://www.amc.af.mil/amccg/index.cfm"&gt;https://www.amc.af.mil/amccg/index.cfm&lt;/a&gt; (&lt;em&gt;must have .mil access&lt;/em&gt;)&lt;br /&gt;&lt;br /&gt;On the left column under &lt;strong&gt;805 CSPTS&lt;/strong&gt; select "&lt;strong&gt;AMC Information Assurance&lt;/strong&gt;"&lt;br /&gt;&lt;br /&gt;Under &lt;strong&gt;Our Services&lt;/strong&gt; click "&lt;strong&gt;IA Support&lt;/strong&gt;"&lt;br /&gt;&lt;br /&gt;Operating system TFMs and ST&amp;amp;E will be under: "&lt;strong&gt;Trusted Facility Manual/ST&amp;amp; Plans"&lt;/strong&gt; Links&lt;br /&gt;&lt;br /&gt;Enjoy.</content><link rel='related' href='https://www.amc.af.mil/amccg/index.cfm' title='Security Tests and Evaluation (ST&amp;E)/Trusted Facility Manual (TFM) Templates'/><link rel='replies' type='application/atom+xml' href='http://infoassure.blogspot.com/feeds/112240851412179998/comments/default' title='Post Comments'/><link rel='replies' 
type='text/html' href='https://www.blogger.com/comment.g?blogID=13567670&amp;postID=112240851412179998&amp;isPopup=true' title='3 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/13567670/posts/default/112240851412179998'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/13567670/posts/default/112240851412179998'/><link rel='alternate' type='text/html' href='http://infoassure.blogspot.com/2005/07/security-tests-and-evaluation.html' title='Security Tests and Evaluation (ST&amp;E)/Trusted Facility Manual (TFM) Templates'/><author><name>elamb</name><uri>http://www.blogger.com/profile/02957930840025847509</uri><email>noreply@blogger.com</email><gd:extendedProperty xmlns:gd='http://schemas.google.com/g/2005' name='OpenSocialUserId' value='18313317199542542255'/></author><thr:total xmlns:thr='http://purl.org/syndication/thread/1.0'>3</thr:total></entry><entry><id>tag:blogger.com,1999:blog-13567670.post-112232232308133516</id><published>2005-07-25T12:40:00.000-07:00</published><updated>2005-09-08T14:13:02.973-07:00</updated><title type='text'>Information Support Program (ISP), formerly C4ISP</title><content type='html'>The Information Support Plan (ISP) evolved from the Command Control Communication Computer and Intelligence Support Plan (C4ISP). The C4ISP has evolved into the ISP as a result of the revision of the CJCS Instruction 3170.01 requirements documentation.&lt;br /&gt;&lt;br /&gt;It is intended to fill in the information needs of an acquisition program in support of the operational capabilities of the system. The ISP is a tool used to identify problems or shortcomings of a given system and resolve implementation issues.&lt;br /&gt;&lt;br /&gt;The ISP incorporates the System Security Authorization Agreement (SSAA). The SSAA and ISP really have much of the same information. Since the ISP requires the SSAA, the SSAA needs to be complete before the ISP can be accomplished. 
The ISP then draws much of its information from the SSAA.&lt;br /&gt;&lt;br /&gt;There are scores of very wordy documents that can be used to assist you in the completion of the ISP.&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;Resources for the ISP:&lt;/strong&gt;&lt;br /&gt;&lt;ul&gt;&lt;li&gt;DoD Instruction 4630.8, Enclosure 4 provides the ISP format &lt;/li&gt;&lt;li&gt;National Security Space Acquisition Policy, Number 03-01, requires submission of an ISP.&lt;/li&gt;&lt;li&gt;DoD Instruction 5000.2, Enclosure 3, Regulatory Information Requirements&lt;/li&gt;&lt;li&gt;CJCS Instruction 6212.01 implementing guidance regarding the ISP format &lt;/li&gt;&lt;/ul&gt;&lt;br /&gt;&lt;strong&gt;SAIC has one of the best sites on the ISP:&lt;/strong&gt;&lt;br /&gt;&lt;a href="http://www.teao.saic.com/cbrtraining/default.asp"&gt;http://www.teao.saic.com/cbrtraining/default.asp&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;Other resources (requires aggregator):&lt;br /&gt;&lt;a href="http://del.icio.us/rss/tag/c4isp"&gt;http://del.icio.us/rss/tag/c4isp&lt;/a&gt;</content><link rel='related' href='http://www.teao.saic.com/cbrtraining/archpro04.asp' title='Information Support Program (ISP), formerly C4ISP'/><link rel='replies' type='application/atom+xml' href='http://infoassure.blogspot.com/feeds/112232232308133516/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='https://www.blogger.com/comment.g?blogID=13567670&amp;postID=112232232308133516&amp;isPopup=true' title='3 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/13567670/posts/default/112232232308133516'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/13567670/posts/default/112232232308133516'/><link rel='alternate' type='text/html' 
href='http://infoassure.blogspot.com/2005/07/information-support-program-isp.html' title='Information Support Program (ISP), formerly C4ISP'/><author><name>elamb</name><uri>http://www.blogger.com/profile/02957930840025847509</uri><email>noreply@blogger.com</email><gd:extendedProperty xmlns:gd='http://schemas.google.com/g/2005' name='OpenSocialUserId' value='18313317199542542255'/></author><thr:total xmlns:thr='http://purl.org/syndication/thread/1.0'>3</thr:total></entry><entry><id>tag:blogger.com,1999:blog-13567670.post-112204391077148510</id><published>2005-07-22T06:53:00.000-07:00</published><updated>2005-08-04T19:46:59.703-07:00</updated><title type='text'>DITSCAP vs DIACAP</title><content type='html'>The DIACAP will include Netcentricity, GIG and FISMA concepts. Implementations such as online status of system information assurance and annual reviews will be done in hopes of keeping information assurance visible and current.&lt;br /&gt;&lt;br /&gt;&lt;p&gt; &lt;/p&gt;&lt;br /&gt;&lt;div class="Section1"&gt;&lt;br /&gt;&lt;table class="MsoTableGrid" style="border: medium none ; border-collapse: collapse;" border="1" cellpadding="0" cellspacing="0"&gt;&lt;br /&gt;  &lt;tbody&gt;&lt;br /&gt;    &lt;tr&gt;&lt;br /&gt;      &lt;td style="border: 1pt solid windowtext; padding: 0in 5.4pt; background: rgb(153, 153, 153) none repeat scroll 0% 50%; -moz-background-clip: initial; -moz-background-origin: initial; -moz-background-inline-policy: initial; width: 2.05in;" width="197"&gt;&lt;br /&gt;        &lt;p class="MsoNormal" style="text-align: center;" align="center"&gt;DITSCAP&lt;/p&gt;&lt;br /&gt;      &lt;/td&gt;&lt;br /&gt;      &lt;td style="border-style: solid solid solid none; border-color: windowtext windowtext windowtext -moz-use-text-color; border-width: 1pt 1pt 1pt medium; padding: 0in 5.4pt; background: rgb(153, 153, 153) none repeat scroll 0% 50%; -moz-background-clip: initial; -moz-background-origin: initial; -moz-background-inline-policy: initial; width: 
2.05in;" width="197"&gt;&lt;br /&gt;        &lt;p class="MsoNormal" style="text-align: center;" align="center"&gt;DIACAP&lt;/p&gt;&lt;br /&gt;      &lt;/td&gt;&lt;br /&gt;      &lt;td style="border-style: solid solid solid none; border-color: windowtext windowtext windowtext -moz-use-text-color; border-width: 1pt 1pt 1pt medium; padding: 0in 5.4pt; background: rgb(153, 153, 153) none repeat scroll 0% 50%; -moz-background-clip: initial; -moz-background-origin: initial; -moz-background-inline-policy: initial; width: 2.05in;" width="197"&gt;&lt;br /&gt;        &lt;p class="MsoNormal" style="text-align: center;" align="center"&gt;TARGET&lt;/p&gt;&lt;br /&gt;      &lt;/td&gt;&lt;br /&gt;    &lt;/tr&gt;&lt;br /&gt;    &lt;tr&gt;&lt;br /&gt;      &lt;td style="border-style: none solid solid; border-color: -moz-use-text-color windowtext windowtext; border-width: medium 1pt 1pt; padding: 0in 5.4pt; width: 2.05in;" valign="top" width="197"&gt;&lt;br /&gt;        &lt;p class="MsoNormal"&gt;System-Unique Requirements and Metric (Risk Assessment)&lt;/p&gt;&lt;br /&gt;      &lt;/td&gt;&lt;br /&gt;      &lt;td style="border-style: none solid solid none; border-color: -moz-use-text-color windowtext windowtext -moz-use-text-color; border-width: medium 1pt 1pt medium; padding: 0in 5.4pt; width: 2.05in;" valign="top" width="197"&gt;&lt;br /&gt;        &lt;p class="MsoNormal"&gt;Baseline DOD Controls, Standards, Tests Metrics&lt;/p&gt;&lt;br /&gt;      &lt;/td&gt;&lt;br /&gt;      &lt;td style="border-style: none solid solid none; border-color: -moz-use-text-color windowtext windowtext -moz-use-text-color; border-width: medium 1pt 1pt medium; padding: 0in 5.4pt; width: 2.05in;" valign="top" width="197"&gt;&lt;br /&gt;        &lt;p class="MsoNormal"&gt;Mature knowledge-base Integrates DoD, Component,&lt;br /&gt;          Mission Area, Domain, and COI IA Control &amp; Standards&lt;/p&gt;&lt;br /&gt;      &lt;/td&gt;&lt;br /&gt;    &lt;/tr&gt;&lt;br /&gt;    &lt;tr&gt;&lt;br /&gt;      
&lt;td style="border-style: none solid solid; border-color: -moz-use-text-color windowtext windowtext; border-width: medium 1pt 1pt; padding: 0in 5.4pt; width: 2.05in;" valign="top" width="197"&gt;&lt;br /&gt;        &lt;p class="MsoNormal"&gt;System-Unique IA Architecture&lt;/p&gt;&lt;br /&gt;      &lt;/td&gt;&lt;br /&gt;      &lt;td style="border-style: none solid solid none; border-color: -moz-use-text-color windowtext windowtext -moz-use-text-color; border-width: medium 1pt 1pt medium; padding: 0in 5.4pt; width: 2.05in;" valign="top" width="197"&gt;&lt;br /&gt;        &lt;p class="MsoNormal"&gt;Emerging GIG and DoD Component&lt;/p&gt;&lt;br /&gt;      &lt;/td&gt;&lt;br /&gt;      &lt;td style="border-style: none solid solid none; border-color: -moz-use-text-color windowtext windowtext -moz-use-text-color; border-width: medium 1pt 1pt medium; padding: 0in 5.4pt; width: 2.05in;" valign="top" width="197"&gt;&lt;br /&gt;        &lt;p class="MsoNormal"&gt;Robust Plug-and-Play Enterprise IA Services&lt;/p&gt;&lt;br /&gt;      &lt;/td&gt;&lt;br /&gt;    &lt;/tr&gt;&lt;br /&gt;    &lt;tr&gt;&lt;br /&gt;      &lt;td style="border-style: none solid solid; border-color: -moz-use-text-color windowtext windowtext; border-width: medium 1pt 1pt; padding: 0in 5.4pt; width: 2.05in;" valign="top" width="197"&gt;&lt;br /&gt;        &lt;p class="MsoNormal"&gt;Information is Seldom Current&lt;/p&gt;&lt;br /&gt;      &lt;/td&gt;&lt;br /&gt;      &lt;td style="border-style: none solid solid none; border-color: -moz-use-text-color windowtext windowtext -moz-use-text-color; border-width: medium 1pt 1pt medium; padding: 0in 5.4pt; width: 2.05in;" valign="top" width="197"&gt;&lt;br /&gt;        &lt;p class="MsoNormal"&gt;Review NLT Annual&lt;/p&gt;&lt;br /&gt;        &lt;p class="MsoNormal"&gt;&lt;/p&gt;&lt;br /&gt;        &lt;p class="MsoNormal"&gt;Status driven Online Repository&lt;/p&gt;&lt;br /&gt;      &lt;/td&gt;&lt;br /&gt;      &lt;td style="border-style: none solid solid none; 
border-color: -moz-use-text-color windowtext windowtext -moz-use-text-color; border-width: medium 1pt 1pt medium; padding: 0in 5.4pt; width: 2.05in;" valign="top" width="197"&gt;&lt;br /&gt;        &lt;p class="MsoNormal"&gt;Automated Certification of IA posture&lt;/p&gt;&lt;br /&gt;      &lt;/td&gt;&lt;br /&gt;    &lt;/tr&gt;&lt;br /&gt;    &lt;tr&gt;&lt;br /&gt;      &lt;td style="border-style: none solid solid; border-color: -moz-use-text-color windowtext windowtext; border-width: medium 1pt 1pt; padding: 0in 5.4pt; width: 2.05in;" valign="top" width="197"&gt;&lt;br /&gt;        &lt;p class="MsoNormal"&gt;No Information on Many Systems&lt;/p&gt;&lt;br /&gt;      &lt;/td&gt;&lt;br /&gt;      &lt;td style="border-style: none solid solid none; border-color: -moz-use-text-color windowtext windowtext -moz-use-text-color; border-width: medium 1pt 1pt medium; padding: 0in 5.4pt; width: 2.05in;" valign="top" width="197"&gt;&lt;br /&gt;        &lt;p class="MsoNormal"&gt;Expanded System Boundaries = Greater Coverage&lt;/p&gt;&lt;br /&gt;        &lt;p class="MsoNormal"&gt;&lt;/p&gt;&lt;br /&gt;        &lt;p class="MsoNormal"&gt;Status driven Online Repository&lt;/p&gt;&lt;br /&gt;      &lt;/td&gt;&lt;br /&gt;      &lt;td style="border-style: none solid solid none; border-color: -moz-use-text-color windowtext windowtext -moz-use-text-color; border-width: medium 1pt 1pt medium; padding: 0in 5.4pt; width: 2.05in;" valign="top" width="197"&gt;&lt;br /&gt;        &lt;p class="MsoNormal"&gt;IA Posture Visible&lt;/p&gt;&lt;br /&gt;      &lt;/td&gt;&lt;br /&gt;    &lt;/tr&gt;&lt;br /&gt;    &lt;tr&gt;&lt;br /&gt;      &lt;td style="border-style: none solid solid; border-color: -moz-use-text-color windowtext windowtext; border-width: medium 1pt 1pt; padding: 0in 5.4pt; width: 6.15in;" colspan="3" valign="top" width="590"&gt;&lt;br /&gt;        &lt;p class="MsoNormal" style="text-align: center;" align="center"&gt;OVERALL&lt;/p&gt;&lt;br /&gt;      &lt;/td&gt;&lt;br /&gt;    
&lt;/tr&gt;&lt;br /&gt;    &lt;tr&gt;&lt;br /&gt;      &lt;td style="border-style: none solid solid; border-color: -moz-use-text-color windowtext windowtext; border-width: medium 1pt 1pt; padding: 0in 5.4pt; width: 2.05in;" valign="top" width="197"&gt;&lt;br /&gt;        &lt;p class="MsoNormal"&gt;Slow&lt;/p&gt;&lt;br /&gt;      &lt;/td&gt;&lt;br /&gt;      &lt;td style="border-style: none solid solid none; border-color: -moz-use-text-color windowtext windowtext -moz-use-text-color; border-width: medium 1pt 1pt medium; padding: 0in 5.4pt; width: 2.05in;" valign="top" width="197"&gt;&lt;br /&gt;        &lt;p class="MsoNormal"&gt;Integrates FISMA&lt;/p&gt;&lt;br /&gt;      &lt;/td&gt;&lt;br /&gt;      &lt;td style="border-style: none solid solid none; border-color: -moz-use-text-color windowtext windowtext -moz-use-text-color; border-width: medium 1pt 1pt medium; padding: 0in 5.4pt; width: 2.05in;" valign="top" width="197"&gt;&lt;br /&gt;        &lt;p class="MsoNormal"&gt;&lt;/p&gt;&lt;br /&gt;      &lt;/td&gt;&lt;br /&gt;    &lt;/tr&gt;&lt;br /&gt;    &lt;tr&gt;&lt;br /&gt;      &lt;td style="border-style: none solid solid; border-color: -moz-use-text-color windowtext windowtext; border-width: medium 1pt 1pt; padding: 0in 5.4pt; width: 2.05in;" valign="top" width="197"&gt;&lt;br /&gt;        &lt;p class="MsoNormal"&gt;Difficult to Share&lt;/p&gt;&lt;br /&gt;      &lt;/td&gt;&lt;br /&gt;      &lt;td style="border-style: none solid solid none; border-color: -moz-use-text-color windowtext windowtext -moz-use-text-color; border-width: medium 1pt 1pt medium; padding: 0in 5.4pt; width: 2.05in;" valign="top" width="197"&gt;&lt;br /&gt;        &lt;p class="MsoNormal"&gt;Integrates Netcentricity&lt;/p&gt;&lt;br /&gt;      &lt;/td&gt;&lt;br /&gt;      &lt;td style="border-style: none solid solid none; border-color: -moz-use-text-color windowtext windowtext -moz-use-text-color; border-width: medium 1pt 1pt medium; padding: 0in 5.4pt; width: 2.05in;" valign="top" 
width="197"&gt;&lt;br /&gt;        &lt;p class="MsoNormal"&gt;&lt;/p&gt;&lt;br /&gt;      &lt;/td&gt;&lt;br /&gt;    &lt;/tr&gt;&lt;br /&gt;  &lt;/tbody&gt;&lt;br /&gt;&lt;/table&gt;&lt;br /&gt;&lt;p class="MsoNormal"&gt;&lt;/p&gt;&lt;br /&gt;&lt;/div&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/13567670-112204391077148510?l=infoassure.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://infoassure.blogspot.com/feeds/112204391077148510/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='https://www.blogger.com/comment.g?blogID=13567670&amp;postID=112204391077148510&amp;isPopup=true' title='1 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/13567670/posts/default/112204391077148510'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/13567670/posts/default/112204391077148510'/><link rel='alternate' type='text/html' href='http://infoassure.blogspot.com/2005/07/ditscap-vs-diacap.html' title='DITSCAP vs DIACAP'/><author><name>elamb</name><uri>http://www.blogger.com/profile/02957930840025847509</uri><email>noreply@blogger.com</email><gd:extendedProperty xmlns:gd='http://schemas.google.com/g/2005' name='OpenSocialUserId' value='18313317199542542255'/></author><thr:total xmlns:thr='http://purl.org/syndication/thread/1.0'>1</thr:total></entry><entry><id>tag:blogger.com,1999:blog-13567670.post-112189156948470982</id><published>2005-07-20T13:01:00.000-07:00</published><updated>2005-07-20T13:33:30.646-07:00</updated><title type='text'>DIACAP Rumors</title><content type='html'>&lt;strong&gt;DIACAP Rumor Mill:&lt;/strong&gt;&lt;br /&gt;From what I hear DIACAP is going through an Inspector General Process to ensure compliance with FISMA among other things. 
I've also heard from a fellow ISSA member that it is supposed to be officially released around 30 July.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/13567670-112189156948470982?l=infoassure.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://infoassure.blogspot.com/feeds/112189156948470982/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='https://www.blogger.com/comment.g?blogID=13567670&amp;postID=112189156948470982&amp;isPopup=true' title='1 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/13567670/posts/default/112189156948470982'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/13567670/posts/default/112189156948470982'/><link rel='alternate' type='text/html' href='http://infoassure.blogspot.com/2005/07/diacap-rumors.html' title='DIACAP Rumors'/><author><name>elamb</name><uri>http://www.blogger.com/profile/02957930840025847509</uri><email>noreply@blogger.com</email><gd:extendedProperty xmlns:gd='http://schemas.google.com/g/2005' name='OpenSocialUserId' value='18313317199542542255'/></author><thr:total xmlns:thr='http://purl.org/syndication/thread/1.0'>1</thr:total></entry><entry><id>tag:blogger.com,1999:blog-13567670.post-112015130712197071</id><published>2005-06-30T10:08:00.000-07:00</published><updated>2005-06-30T10:08:27.126-07:00</updated><title type='text'>Common Criteria, the Rainbow Series and Windows 2k</title><content type='html'>A breakdown of the Common Criteria, its connection with the "Orange Book" in the rainbow series and Microsoft.  
Super Security Geek stuff.&lt;br/&gt;&lt;br/&gt;&lt;a href="http://elamb.blogharbor.com/blog/_archives/2005/5/25/885878.html"&gt;read more&lt;/a&gt;&amp;nbsp;|&amp;nbsp;&lt;a href="http://digg.com/security/Common_Criteria,_the_Rainbow_Series_and_Windows_2k"&gt;digg story&lt;/a&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/13567670-112015130712197071?l=infoassure.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://infoassure.blogspot.com/feeds/112015130712197071/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='https://www.blogger.com/comment.g?blogID=13567670&amp;postID=112015130712197071&amp;isPopup=true' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/13567670/posts/default/112015130712197071'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/13567670/posts/default/112015130712197071'/><link rel='alternate' type='text/html' href='http://infoassure.blogspot.com/2005/06/common-criteria-rainbow-series-and.html' title='Common Criteria, the Rainbow Series and Windows 2k'/><author><name>elamb</name><uri>http://www.blogger.com/profile/02957930840025847509</uri><email>noreply@blogger.com</email><gd:extendedProperty xmlns:gd='http://schemas.google.com/g/2005' name='OpenSocialUserId' value='18313317199542542255'/></author><thr:total xmlns:thr='http://purl.org/syndication/thread/1.0'>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-13567670.post-112015086023317406</id><published>2005-06-30T10:01:00.000-07:00</published><updated>2005-06-30T10:05:02.570-07:00</updated><title type='text'>General Cartwright on Netcentric</title><content type='html'>Commander from Stratcom talks about using his blog for netcentric collaboration. 
This is a good example of what netcentric is.&lt;br /&gt;&lt;br /&gt;“The metric is what the person has to contribute, not the person’s rank, age, or level of experience. If they have the answer, I want the answer. When I post a question on my blog, I expect the person with the answer to post back. I do not expect the person with the answer to run it through you, your OIC, the branch chief, the exec, the Division Chief and then get the garbled answer back before he or she posts it for me. The Napoleonic Code and Netcentric Collaboration cannot exist in the same space and time. It’s YOUR job to make sure I get my answers and then if they get it wrong or they could have got it righter, then you guide them toward a better way…but do not get in their way.”&lt;br /&gt;-- Gen. James Cartwright, USMC, talking about this Blog&lt;br /&gt;&lt;br /&gt;&lt;a href="http://www.sgtstryker.com/index.php/archives/its-good-to-know-leadership-gets-it/"&gt;read more&lt;/a&gt;  &lt;a href="http://digg.com/links/Marine_Corp_Blogs?"&gt;digg story&lt;/a&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/13567670-112015086023317406?l=infoassure.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='related' href='http://www.sgtstryker.com/index.php/archives/its-good-to-know-leadership-gets-it/' title='General Cartwright on Netcentric'/><link rel='replies' type='application/atom+xml' href='http://infoassure.blogspot.com/feeds/112015086023317406/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='https://www.blogger.com/comment.g?blogID=13567670&amp;postID=112015086023317406&amp;isPopup=true' title='1 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/13567670/posts/default/112015086023317406'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/13567670/posts/default/112015086023317406'/><link rel='alternate' 
type='text/html' href='http://infoassure.blogspot.com/2005/06/general-cartwright-on-netcentric_30.html' title='General Cartwright on Netcentric'/><author><name>elamb</name><uri>http://www.blogger.com/profile/02957930840025847509</uri><email>noreply@blogger.com</email><gd:extendedProperty xmlns:gd='http://schemas.google.com/g/2005' name='OpenSocialUserId' value='18313317199542542255'/></author><thr:total xmlns:thr='http://purl.org/syndication/thread/1.0'>1</thr:total></entry><entry><id>tag:blogger.com,1999:blog-13567670.post-111967587452566686</id><published>2005-06-24T21:53:00.000-07:00</published><updated>2005-06-24T22:04:34.536-07:00</updated><title type='text'>SSAA vs. ISP</title><content type='html'>I've done a few System Security Authorization Agreements (SSAAs) but I admit I'm doing Information Support Plans, ISPs (formerly C4ISPs) for the first time. &lt;br /&gt;&lt;br /&gt;I used to think that the SSAA was a little bit too much information.  Over time I've learned that it makes total sense.  It forces the designers to answer important questions.  Many times the questions it answers aren't important until much later (such as life cycle issues).  &lt;br /&gt;&lt;br /&gt;The ISP puts the SSAA to shame in its sheer volume of information that needs to be gathered.  
This is because it includes the netcentric aspects of the system, the actual schedule and money involved, acquisitions issues and a bunch of other things that I, as a security guy, don't care about.&lt;br /&gt;&lt;br /&gt;The ISP is a bird's-eye view of the target system where the SSAA is a microscope into all levels of security over the life of the system from cradle to the grave.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/13567670-111967587452566686?l=infoassure.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://infoassure.blogspot.com/feeds/111967587452566686/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='https://www.blogger.com/comment.g?blogID=13567670&amp;postID=111967587452566686&amp;isPopup=true' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/13567670/posts/default/111967587452566686'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/13567670/posts/default/111967587452566686'/><link rel='alternate' type='text/html' href='http://infoassure.blogspot.com/2005/06/ssaa-vs-isp.html' title='SSAA vs. 
ISP'/><author><name>elamb</name><uri>http://www.blogger.com/profile/02957930840025847509</uri><email>noreply@blogger.com</email><gd:extendedProperty xmlns:gd='http://schemas.google.com/g/2005' name='OpenSocialUserId' value='18313317199542542255'/></author><thr:total xmlns:thr='http://purl.org/syndication/thread/1.0'>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-13567670.post-111936473997194205</id><published>2005-06-21T06:50:00.000-07:00</published><updated>2005-06-21T07:48:12.266-07:00</updated><title type='text'>DIACAP Policy</title><content type='html'>&lt;b&gt;This is an overview of the DIACAP's final draft, paraphrased.&lt;/b&gt;&lt;br /&gt;&lt;br /&gt;The DIACAP includes the same things that the DITSCAP has with two major differences:  netcentric environments and GIG standards.  With these two (and MANY other changes) it seems that this evolution of the DITSCAP has to take place.  So many major levels of Information Assurance in the DoD and abroad have changed that DITSCAP will have to embrace them to stay relevant.&lt;br /&gt;&lt;br /&gt;The DIACAP policies will come from DoD Directive 8500.1/.2.&lt;br /&gt;&lt;br /&gt;The DIACAP supports Information Systems transitioning to netcentric environments and GIG Standards by:&lt;br /&gt;&lt;br /&gt;&lt;ol&gt;&lt;li&gt;Ensuring uniformity of approach&lt;/li&gt;&lt;li&gt;Managing and disseminating Information Assurance Design, implementation, validation, sustainment and approach&lt;/li&gt;&lt;li&gt;Being able to handle differing systems&lt;/li&gt;&lt;li&gt;Facilitating a dynamic environment&lt;/li&gt;&lt;/ol&gt;Information Assurance will be implemented with Information Assurance Controls as defined by DoDI 8500.2 and maintained through a DoD-wide configuration management process that considers the GIG architecture and risk assessments conducted at the DoD component level in accordance with FISMA.&lt;br /&gt;&lt;br /&gt;The DIACAP will support the ongoing validation to maintain the Information Assurance 
posture of an Information System. DoD component IA Programs are the primary method of supporting the DoD Information Assurance Program.&lt;br /&gt;&lt;br /&gt;Status of all systems in the DIACAP program will be available to all who have authorized access.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/13567670-111936473997194205?l=infoassure.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://infoassure.blogspot.com/feeds/111936473997194205/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='https://www.blogger.com/comment.g?blogID=13567670&amp;postID=111936473997194205&amp;isPopup=true' title='3 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/13567670/posts/default/111936473997194205'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/13567670/posts/default/111936473997194205'/><link rel='alternate' type='text/html' href='http://infoassure.blogspot.com/2005/06/diacap-policy.html' title='DIACAP Policy'/><author><name>elamb</name><uri>http://www.blogger.com/profile/02957930840025847509</uri><email>noreply@blogger.com</email><gd:extendedProperty xmlns:gd='http://schemas.google.com/g/2005' name='OpenSocialUserId' value='18313317199542542255'/></author><thr:total xmlns:thr='http://purl.org/syndication/thread/1.0'>3</thr:total></entry><entry><id>tag:blogger.com,1999:blog-13567670.post-111930653189891488</id><published>2005-06-20T15:22:00.000-07:00</published><updated>2005-06-20T15:29:16.806-07:00</updated><title type='text'>What the hell is Netcentricity?</title><content type='html'>"The power of digital networks to distribute information instantly and without borders. 
Characterized by global connectivity, real-time collaboration and rapid and continuous information exchange, netcentricity is a ubiquitous force reshaping every facet of our markets, organizational cultures, and personal lives at the dawn of the twenty-first century. " -&lt;strong&gt;Netcentricity Labs&lt;/strong&gt;&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;Great links for more about Netcentricity:&lt;/strong&gt;&lt;br /&gt;&lt;a href="http://www.rhsmith.umd.edu/netcentricity/"&gt;Netcentric Supply Chain Labs&lt;/a&gt;&lt;br /&gt;&lt;a href="http://www.dod.mil/nii/NCW/"&gt;Network Centric Happiness&lt;/a&gt;&lt;br /&gt;&lt;a href="http://www.defenselink.mil/nii/doc/"&gt;Network Centric Fun&lt;/a&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/13567670-111930653189891488?l=infoassure.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://infoassure.blogspot.com/feeds/111930653189891488/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='https://www.blogger.com/comment.g?blogID=13567670&amp;postID=111930653189891488&amp;isPopup=true' title='2 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/13567670/posts/default/111930653189891488'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/13567670/posts/default/111930653189891488'/><link rel='alternate' type='text/html' href='http://infoassure.blogspot.com/2005/06/what-hell-is-netcentricity.html' title='What the hell is Netcentricity?'/><author><name>elamb</name><uri>http://www.blogger.com/profile/02957930840025847509</uri><email>noreply@blogger.com</email><gd:extendedProperty xmlns:gd='http://schemas.google.com/g/2005' name='OpenSocialUserId' value='18313317199542542255'/></author><thr:total 
xmlns:thr='http://purl.org/syndication/thread/1.0'>2</thr:total></entry><entry><id>tag:blogger.com,1999:blog-13567670.post-111930612637745859</id><published>2005-06-20T14:47:00.000-07:00</published><updated>2006-04-15T05:10:37.376-07:00</updated><title type='text'>SUBJECT: DoD Information Assurance Certification and Accreditation Process (DIACAP)</title><content type='html'>The Department of Defense Information Assurance Certification and Accreditation Process (DIACAP) is replacing the DoD Information Technology Security Certification and Accreditation Process (&lt;a href="http://www.orangesec.com/ditscap_summary.html"&gt;DITSCAP&lt;/a&gt;). More on DITSCAP can be found at the &lt;a href="http://iase.disa.mil/ditscap/ditsarticle.pdf"&gt;DOD's IASE &lt;/a&gt;website.&lt;br /&gt;&lt;br /&gt;&lt;a href="http://www.elamb.org/hacked/diacap.htm"&gt;&lt;strong&gt;What is DIACAP?&lt;/strong&gt;&lt;/a&gt;&lt;br /&gt;The DIACAP is the DoD process for identifying, implementing, and validating information assurance controls, for authorizing the operation of DoD information systems, and for managing information assurance posture across DoD information systems consistent with the Federal Information Security Management Act (&lt;a href="http://www.google.com/search?hl=en&amp;lr=&amp;amp;oi=defmore&amp;q=define:FISMA"&gt;FISMA&lt;/a&gt;).&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;What is so special about the DIACAP?&lt;/strong&gt;&lt;br /&gt;It will replace DoDI 5200.40 and DoD 8510.1-M&lt;br /&gt;Guide for compliance with the &lt;a href="http://www.google.com/search?hl=en&amp;amp;amp;amp;amp;lr=&amp;amp;q=define%3AGlobal+information+grid"&gt;Global Information Grid&lt;/a&gt;&lt;br /&gt;Supports &lt;a href="http://infoassure.blogspot.com/2005/06/what-hell-is-netcentricity.html"&gt;Netcentricity&lt;/a&gt;.&lt;br /&gt;&lt;br /&gt;Follow this link to my interpretation of the &lt;a href="http://infoassure.blogspot.com/2005/06/diacap-policy.html"&gt;DIACAP Policy&lt;/a&gt;.&lt;br 
/&gt;&lt;br /&gt;What will we have to do differently with the DIACAP. (soon)&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/13567670-111930612637745859?l=infoassure.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://infoassure.blogspot.com/feeds/111930612637745859/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='https://www.blogger.com/comment.g?blogID=13567670&amp;postID=111930612637745859&amp;isPopup=true' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/13567670/posts/default/111930612637745859'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/13567670/posts/default/111930612637745859'/><link rel='alternate' type='text/html' href='http://infoassure.blogspot.com/2005/06/subject-dod-information-assurance.html' title='SUBJECT: DoD Information Assurance Certification and Accreditation Process (DIACAP)'/><author><name>elamb</name><uri>http://www.blogger.com/profile/02957930840025847509</uri><email>noreply@blogger.com</email><gd:extendedProperty xmlns:gd='http://schemas.google.com/g/2005' name='OpenSocialUserId' value='18313317199542542255'/></author><thr:total xmlns:thr='http://purl.org/syndication/thread/1.0'>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-13567670.post-111924323171769454</id><published>2005-06-19T21:51:00.000-07:00</published><updated>2005-06-19T21:53:51.733-07:00</updated><title type='text'>Computer Security</title><content type='html'>&lt;p&gt;By: &lt;span class="copyright"&gt;&lt;a href="http://ezinearticles.com/?expert=Mario_Ramis"&gt;Mario Ramis&lt;/a&gt;&lt;/span&gt;&lt;/p&gt; &lt;p&gt;What is computer security?&lt;br /&gt;Computer security is the process of preventing and detecting unauthorized use of your computer. 
Prevention measures help you to stop unauthorized users (also known as "intruders") from accessing any part of your computer system. Detection helps you to determine whether or not someone attempted to break into your system, if they were successful, and what they may have done.&lt;/p&gt; &lt;p&gt;Why should I care about computer security?&lt;br /&gt;We use computers for everything from banking and investing to shopping and communicating with others through email or chat programs. Although you may not consider your communications "top secret," you probably do not want strangers reading your email, using your computer to attack other systems, sending forged email from your computer, or examining personal information stored on your computer (such as financial statements).&lt;/p&gt; &lt;p&gt;Who would want to break into my computer at home?&lt;br /&gt;Intruders (also referred to as hackers, attackers, or crackers) may not care about your identity. Often they want to gain control of your computer so they can use it to launch attacks on other computer systems.&lt;/p&gt; &lt;p&gt;Having control of your computer gives them the ability to hide their true location as they launch attacks, often against high-profile computer systems such as government or financial systems. Even if you have a computer connected to the Internet only to play the latest games or to send email to friends and family, your computer may be a target.&lt;/p&gt; &lt;p&gt;Intruders may be able to watch all your actions on the computer, or cause damage to your computer by reformatting your hard drive or changing your data.&lt;/p&gt; &lt;p&gt;How easy is it to break into my computer?&lt;br /&gt;Unfortunately, intruders are always discovering new vulnerabilities (informally called "holes") to exploit in computer software. 
The complexity of software makes it increasingly difficult to thoroughly test the security of computer systems.&lt;/p&gt; &lt;p&gt;When holes are discovered, computer vendors will usually develop patches to address the problem(s). However, it is up to you, the user, to obtain and install the patches, or correctly configure the software to operate more securely. Most of the incident reports of computer break-ins received at the CERT/CC could have been prevented if system administrators and users kept their computers up-to-date with patches and security fixes.&lt;/p&gt; &lt;p&gt;Also, some software applications have default settings that allow other users to access your computer unless you change the settings to be more secure. Examples include chat programs that let outsiders execute commands on your computer or web browsers that could allow someone to place harmful programs on your computer that run when you click on them.&lt;/p&gt; &lt;p&gt;Technology&lt;br /&gt;This section provides a basic introduction to the technologies that underlie the Internet. It was written with the novice end-user in mind and is not intended to be a comprehensive survey of all Internet-based technologies. Subsections provide a short overview of each topic. This section is a basic primer on the relevant technologies. For those who desire a deeper understanding of the concepts covered here, we include links to additional information.&lt;/p&gt; &lt;p&gt;What does broadband mean?&lt;br /&gt;"Broadband" is the general term used to refer to high-speed network connections. In this context, Internet connections via cable modem and Digital Subscriber Line (DSL) are frequently referred to as broadband Internet connections. "Bandwidth" is the term used to describe the relative speed of a network connection -- for example, most current dial-up modems can support a bandwidth of 56 kbps (thousand bits per second). 
There is no set bandwidth threshold required for a connection to be referred to as "broadband", but it is typical for connections in excess of 1 Megabit per second (Mbps) to be so named.&lt;/p&gt; &lt;p&gt;What is cable modem access?&lt;br /&gt;A cable modem allows a single computer (or network of computers) to connect to the Internet via the cable TV network. The cable modem usually has an Ethernet LAN (Local Area Network) connection to the computer, and is capable of speeds in excess of 5 Mbps.&lt;/p&gt; &lt;p&gt;Typical speeds tend to be lower than the maximum, however, since cable providers turn entire neighborhoods into LANs which share the same bandwidth. Because of this "shared-medium" topology, cable modem users may experience somewhat slower network access during periods of peak demand, and may be more susceptible to risks such as packet sniffing and unprotected Windows shares than users with other types of connectivity. (See the "Computer security risks to home users" section of this document.)&lt;/p&gt; &lt;p&gt;What is DSL access?&lt;br /&gt;Digital Subscriber Line (DSL) Internet connectivity, unlike cable modem-based service, provides the user with dedicated bandwidth. However, the maximum bandwidth available to DSL users is usually lower than the maximum cable modem rate because of differences in their respective network technologies. Also, the "dedicated bandwidth" is only dedicated between your home and the DSL provider's central office -- the providers offer little or no guarantee of bandwidth all the way across the Internet.&lt;/p&gt; &lt;p&gt;DSL access is not as susceptible to packet sniffing as cable modem access, but many of the other security risks we'll cover apply to both DSL and cable modem access. (See the "Computer security risks to home users" section of this document.)&lt;/p&gt; &lt;p&gt;How are broadband services different from traditional dial-up services?&lt;br /&gt;
Traditional dial-up Internet services are sometimes referred to as "dial-on-demand" services. That is, your computer only connects to the Internet when it has something to send, such as email or a request to load a web page. Once there is no more data to be sent, or after a certain amount of idle time, the computer disconnects the call. Also, in most cases each call connects to a pool of modems at the ISP, and since the modem IP addresses are dynamically assigned, your computer is usually assigned a different IP address on each call. As a result, it is more difficult (not impossible, just difficult) for an attacker to take advantage of vulnerable network services to take control of your computer.&lt;/p&gt; &lt;p&gt;Broadband services are referred to as "always-on" services because there is no call setup when your computer has something to send. The computer is always on the network, ready to send or receive data through its network interface card (NIC). Since the connection is always up, your computer’s IP address will change less frequently (if at all), thus making it more of a fixed target for attack.&lt;/p&gt; &lt;p&gt;What’s more, many broadband service providers use well-known IP addresses for home users. 
So while an attacker may not be able to single out your specific computer as belonging to you, they may at least be able to know that your service provider’s broadband customers are within a certain address range, thereby making your computer a more likely target than it might have been otherwise.&lt;/p&gt; &lt;p&gt;The table below shows a brief comparison of traditional dial-up and broadband services.&lt;/p&gt; &lt;table&gt;&lt;tr&gt;&lt;th&gt;&lt;/th&gt;&lt;th&gt;Dial-up&lt;/th&gt;&lt;th&gt;Broadband&lt;/th&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;Connection type&lt;/td&gt;&lt;td&gt;Dial on demand&lt;/td&gt;&lt;td&gt;Always on&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;IP address&lt;/td&gt;&lt;td&gt;Changes on each call&lt;/td&gt;&lt;td&gt;Static or infrequently changing&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;Relative connection speed&lt;/td&gt;&lt;td&gt;Low&lt;/td&gt;&lt;td&gt;High&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;Remote control potential&lt;/td&gt;&lt;td&gt;Computer must be dialed in to control remotely&lt;/td&gt;&lt;td&gt;Computer is always connected, so remote control can occur anytime&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;ISP-provided security&lt;/td&gt;&lt;td&gt;Little or none&lt;/td&gt;&lt;td&gt;Little or none&lt;/td&gt;&lt;/tr&gt;&lt;/table&gt; &lt;p&gt;Table 1: Comparison of Dial-up and Broadband Services&lt;/p&gt; &lt;p&gt;How is broadband access different from the network I use at work?&lt;br /&gt;Corporate and government networks are typically protected by many layers of security, ranging from network firewalls to encryption. In addition, they usually have support staff who maintain the security and availability of these network connections.&lt;/p&gt; &lt;p&gt;Although your ISP is responsible for maintaining the services they provide to you, you probably won’t have dedicated staff on hand to manage and operate your home network. You are ultimately responsible for your own computers. As a result, it is up to you to take reasonable precautions to secure your computers from accidental or intentional misuse.&lt;/p&gt; &lt;p&gt;What is a protocol?&lt;br /&gt;A protocol is a well-defined specification that allows computers to communicate across a network. In a way, protocols define the "grammar" that computers can use to "talk" to each other.&lt;/p&gt; &lt;p&gt;What is IP?&lt;br /&gt;IP stands for "Internet Protocol". 
It can be thought of as the common language of computers on the Internet. There are a number of detailed descriptions of IP given elsewhere, so we won't cover it in detail in this document. However, it is important to know a few things about IP in order to understand how to secure your computer. Here we’ll cover IP addresses, static vs. dynamic addressing, NAT, and TCP and UDP Ports.&lt;/p&gt; &lt;p&gt;An overview of TCP/IP can be found in the TCP/IP Frequently Asked Questions (FAQ) at&lt;/p&gt; &lt;p&gt;http://www.faqs.org/faqs/internet/tcp-ip/tcp-ip-faq/part1/  and&lt;/p&gt; &lt;p&gt;http://www.faqs.org/faqs/internet/tcp-ip/tcp-ip-faq/part2/&lt;/p&gt; &lt;p&gt;What is an IP address?&lt;br /&gt;IP addresses are analogous to telephone numbers – when you want to call someone on the telephone, you must first know their telephone number. Similarly, when a computer on the Internet needs to send data to another computer, it must first know its IP address. IP addresses are typically shown as four numbers separated by decimal points, or “dots”. For example, 10.24.254.3 and 192.168.62.231 are IP addresses.&lt;/p&gt; &lt;p&gt;If you need to make a telephone call but you only know the person’s name, you can look them up in the telephone directory (or call directory services) to get their telephone number. On the Internet, that directory is called the Domain Name System, or DNS for short. If you know the name of a server, say www.cert.org, and you type this into your web browser, your computer will then go ask its DNS server what the numeric IP address is that is associated with that name.&lt;/p&gt; &lt;p&gt;Every computer on the Internet has an IP address associated with it that uniquely identifies it. 
However, that address may change over time, especially if the computer is&lt;/p&gt; &lt;p&gt;dialing into an Internet Service Provider (ISP)&lt;br /&gt;connected behind a network firewall&lt;br /&gt;connected to a broadband service using dynamic IP addressing.&lt;/p&gt; &lt;p&gt;What are static and dynamic addressing?&lt;br /&gt;Static IP addressing occurs when an ISP permanently assigns one or more IP addresses for each user. These addresses do not change over time. However, if a static address is assigned but not in use, it is effectively wasted. Since ISPs have a limited number of addresses allocated to them, they sometimes need to make more efficient use of their addresses.&lt;/p&gt; &lt;p&gt;Dynamic IP addressing allows the ISP to efficiently utilize their address space. Using dynamic IP addressing, the IP addresses of individual user computers may change over time. If a dynamic address is not in use, it can be automatically reassigned to another computer as needed.&lt;/p&gt; &lt;p&gt;What is NAT?&lt;br /&gt;Network Address Translation (NAT) provides a way to hide the IP addresses of a private network from the Internet while still allowing computers on that network to access the Internet. NAT can be used in many different ways, but one method frequently used by home users is called "masquerading".&lt;/p&gt; &lt;p&gt;Using NAT masquerading, one or more devices on a LAN can be made to appear as a single IP address to the outside Internet. This allows for multiple computers in a home network to use a single cable modem or DSL connection without requiring the ISP to provide more than one IP address to the user. Using this method, the ISP-assigned IP address can be either static or dynamic. Most network firewalls support NAT masquerading.&lt;/p&gt; &lt;p&gt;What are TCP and UDP Ports?&lt;br /&gt;TCP (Transmission Control Protocol) and UDP (User Datagram Protocol) are both protocols that use IP. 
Whereas IP allows two computers to talk to each other across the Internet, TCP and UDP allow individual applications (also known as "services") on those computers to talk to each other.&lt;/p&gt; &lt;p&gt;In the same way that a telephone number or physical mail box might be associated with more than one person, a computer might have multiple applications (e.g. email, file services, web services) running on the same IP address. Ports allow a computer to differentiate services such as email data from web data. A port is simply a number associated with each application that uniquely identifies that service on that computer. Both TCP and UDP use ports to identify services. Some common port numbers are 80 for web (HTTP), 25 for email (SMTP), and 53 for Domain Name System (DNS).&lt;/p&gt; &lt;p&gt;What is a firewall?&lt;br /&gt;The Firewalls FAQ (http://www.faqs.org/faqs/firewalls-faq/) defines a firewall as "a system or group of systems that enforces an access control policy between two networks." In the context of home networks, a firewall typically takes one of two forms:&lt;/p&gt; &lt;p&gt;Software firewall - specialized software running on an individual computer, or&lt;/p&gt; &lt;p&gt;Network firewall - a dedicated device designed to protect one or more computers.&lt;/p&gt; &lt;p&gt;Both types of firewall allow the user to define access policies for inbound connections to the computers they are protecting. Many also provide the ability to control what services (ports) the protected computers are able to access on the Internet (outbound access). 
Most firewalls intended for home use come with pre-configured security policies from which the user chooses, and some allow the user to customize these policies for their specific needs.&lt;/p&gt; &lt;p&gt;More information on firewalls can be found in the Additional resources section of this document.&lt;/p&gt; &lt;p&gt;What does antivirus software do?&lt;br /&gt;There are a variety of antivirus software packages that operate in many different ways, depending on how the vendor chose to implement their software. What they have in common, though, is that they all look for patterns in the files or memory of your computer that indicate the possible presence of a known virus. Antivirus packages know what to look for through the use of virus profiles (sometimes called "signatures") provided by the vendor.&lt;/p&gt; &lt;p&gt;New viruses are discovered daily. The effectiveness of antivirus software is dependent on having the latest virus profiles installed on your computer so that it can look for recently discovered viruses. It is important to keep these profiles up to date.&lt;/p&gt; &lt;p&gt;More information about viruses and antivirus software can be found on the CERT Computer Virus Resource page&lt;/p&gt; &lt;p&gt;http://www.cert.org/other_sources/viruses.html&lt;/p&gt; &lt;p&gt;Computer security risks to home users&lt;/p&gt; &lt;p&gt;What is at risk?&lt;br /&gt;Information security is concerned with three main areas:&lt;/p&gt; &lt;p&gt;Confidentiality -- information should be available only to those who rightfully have access to it&lt;/p&gt; &lt;p&gt;Integrity -- information should be modified only by those who are authorized to do so&lt;/p&gt; &lt;p&gt;Availability -- information should be accessible to those who need it when they need it&lt;/p&gt; &lt;p&gt;These concepts apply to home Internet users just as much as they would to any corporate or government network. You probably wouldn't let a stranger look through your important documents. 
In the same way, you may want to keep the tasks you perform on your computer confidential, whether it's tracking your investments or sending email messages to family and friends. Also, you should have some assurance that the information you enter into your computer remains intact and is available when you need it.&lt;/p&gt; &lt;p&gt;Some security risks arise from the possibility of intentional misuse of your computer by intruders via the Internet. Others are risks that you would face even if you weren't connected to the Internet (e.g. hard disk failures, theft, power outages). The bad news is that you probably cannot plan for every possible risk. The good news is that you can take some simple steps to reduce the chance that you'll be affected by the most common threats -- and some of those steps help with both the intentional and accidental risks you're likely to face.&lt;/p&gt; &lt;p&gt;Before we get to what you can do to protect your computer or home network, let’s take a closer look at some of these risks.&lt;/p&gt; &lt;p&gt;Intentional misuse of your computer&lt;br /&gt;The most common methods used by intruders to gain control of home computers are briefly described below. More detailed information is available by reviewing the URLs listed in the References section below.&lt;/p&gt; &lt;p&gt;Trojan horse programs&lt;br /&gt;Back door and remote administration programs&lt;br /&gt;Denial of service&lt;br /&gt;Being an intermediary for another attack&lt;br /&gt;Unprotected Windows shares&lt;br /&gt;Mobile code (Java, JavaScript, and ActiveX)&lt;br /&gt;Cross-site scripting&lt;br /&gt;Email spoofing&lt;br /&gt;Email-borne viruses&lt;br /&gt;Hidden file extensions&lt;br /&gt;Chat clients&lt;br /&gt;Packet sniffing&lt;/p&gt; &lt;p&gt;Trojan horse programs&lt;br /&gt;Trojan horse programs are a common way for intruders to trick you (sometimes referred to as "social engineering") into installing "back door" programs. 
These can allow intruders easy access to your computer without your knowledge, change your system configurations, or infect your computer with a computer virus. More information about Trojan horses can be found in the following document.&lt;/p&gt; &lt;p&gt;http://www.cert.org/advisories/CA-1999-02.html&lt;/p&gt; &lt;p&gt;Back door and remote administration programs&lt;br /&gt;On Windows computers, three tools commonly used by intruders to gain remote access to your computer are BackOrifice, Netbus, and SubSeven. These back door or remote administration programs, once installed, allow other people to access and control your computer. We recommend that you review the CERT vulnerability note about Back Orifice. This document describes how it works, how to detect it, and how to protect your computers from it:&lt;/p&gt; &lt;p&gt;http://www.cert.org/vul_notes/VN-98.07.backorifice.html&lt;/p&gt; &lt;p&gt;Denial of service&lt;br /&gt;Another form of attack is called a denial-of-service (DoS) attack. This type of attack causes your computer to crash or to become so busy processing data that you are unable to use it. In most cases, the latest patches will prevent the attack. The following documents describe denial-of-service attacks in greater detail.&lt;/p&gt; &lt;p&gt;http://www.cert.org/advisories/CA-2000-01.html&lt;br /&gt;http://www.cert.org/archive/pdf/DoS_trends.pdf&lt;/p&gt; &lt;p&gt;It is important to note that in addition to being the target of a DoS attack, it is possible for your computer to be used as a participant in a denial-of-service attack on another system.&lt;/p&gt; &lt;p&gt;Being an intermediary for another attack&lt;br /&gt;Intruders will frequently use compromised computers as launching pads for attacking other systems. An example of this is how distributed denial-of-service (DDoS) tools are used. The intruders install an "agent" (frequently through a Trojan horse program) that runs on the compromised computer awaiting further instructions. 
Then, when a number of agents are running on different computers, a single "handler" can instruct all of them to launch a denial-of-service attack on another system. Thus, the end target of the attack is not your own computer, but someone else’s -- your computer is just a convenient tool in a larger attack.&lt;/p&gt; &lt;p&gt;Unprotected Windows shares&lt;br /&gt;Unprotected Windows networking shares can be exploited by intruders in an automated way to place tools on large numbers of Windows-based computers attached to the Internet. Because site security on the Internet is interdependent, a compromised computer not only creates problems for the computer's owner, but it is also a threat to other sites on the Internet. The greater immediate risk to the Internet community is the potentially large number of computers attached to the Internet with unprotected Windows networking shares combined with distributed attack tools such as those described in http://www.cert.org/incident_notes/IN-2000-01.html&lt;/p&gt; &lt;p&gt;Another threat includes malicious and destructive code, such as viruses or worms, which leverage unprotected Windows networking shares to propagate. 
One such example is the 911 worm described in http://www.cert.org/incident_notes/IN-2000-03.html&lt;/p&gt; &lt;p&gt;There is great potential for the emergence of other intruder tools that leverage unprotected Windows networking shares on a widespread basis.&lt;/p&gt; &lt;p&gt;For complete article please visit: &lt;a target="_new" href="http://ramis.aspfreeserver.com/Home_Network_Security.asp"&gt;http://ramis.aspfreeserver.com/Home_Network_Security.asp&lt;/a&gt;&lt;/p&gt;</content><link rel='replies' type='application/atom+xml' href='http://infoassure.blogspot.com/feeds/111924323171769454/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='https://www.blogger.com/comment.g?blogID=13567670&amp;postID=111924323171769454&amp;isPopup=true' title='7 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/13567670/posts/default/111924323171769454'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/13567670/posts/default/111924323171769454'/><link rel='alternate' type='text/html' href='http://infoassure.blogspot.com/2005/06/computer-security.html' title='Computer Security'/><author><name>elamb</name><uri>http://www.blogger.com/profile/02957930840025847509</uri><email>noreply@blogger.com</email><gd:extendedProperty xmlns:gd='http://schemas.google.com/g/2005' name='OpenSocialUserId' value='18313317199542542255'/></author><thr:total xmlns:thr='http://purl.org/syndication/thread/1.0'>7</thr:total></entry></feed>