Report

THE INSIDER THREAT TO U. S. GOVERNMENT INFORMATION SYSTEMS


and enter the data, at a cost of more than $40,000. The employee reportedly felt her attempts to report improper and illegal conduct by a computer contractor were not taken seriously enough. She subsequently filed an EEO complaint, alleging a hostile work environment and resigned her job. According to the FBI, the precision of the hacking indicated it was done by someone with inside knowledge.

III. VULNERABILITIES

3. General User Access

Whereas threat focuses on the intent and capabilities of insiders to do harm, a vulnerability is a characteristic or weakness of IS (e.g., system security procedures, hardware design, internal controls, etc.) that insiders can exploit. The examples in the previous section showed that the vulnerability most widely and easily exploited by an insider was the lack, or ineffectiveness, of controls and checks to prevent the insider from removing sensitive documents, computers or computer output media from their work areas. The vulnerability has increased over the past 10 years as organizations have relaxed exit checks and restrictions in response to an easing of Cold War tensions, declining resources, and increased employee use of portable and home computers.
UNCLASSIFIED NSTISSAM INFOSEC/1-99 UNCLASSIFIED

The vulnerability of an insider simply removing sensitive or classified information from work is further compounded by the ever-expanding access a typical employee has to information as a result of increased networking. The connectivity may even be greater than is generally known because configuration control of networks is often lacking. In general, most U.S. Government employees with legitimate access to government systems and networks can browse and download information from several systems and networks. Use of applications and graphics packages provides them with additional privileges such as read and write capabilities. Employees, depending on their job function, may have the ability to modify, manipulate, and delete data they have access to, or they may be able to download or upload information regardless of its sensitivity. Besides copying and physically removing information, an insider could also copy the information into an e-mail file and send it, undetectably by human review, to themselves or someone else over the Internet from their office.

4. Privileged Access

Access is greater for certain employees at various points in the life cycle of a U.S. Government system, and as a consequence, these employees have the ability to do more than just compromise information from the system. System programmers, for example, by virtue of their role in the design, production, testing, and evaluation of a system, can introduce malicious code, such as viruses, time bombs, or Trojan Horses, that could result in severe denial or disruption of service problems at predetermined times.

They could also put in backdoors for exfiltrating information. It should be noted that the incorporation of commercial vendors into the government arena will increase the risk.
U.S. Government systems are especially vulnerable to insiders who have authorized root access privileges, such as system administrators. An insider with system administrator privileges could make subtle and undetectable changes to files, data, and access permissions. They could also make more obvious, detectable changes such as denying user access or taking over control of the entire system/network. Specific denial of service attacks could include shutting down routers, closing access to ports to disable dial-in capability, deleting network files so connectivity cannot be established, and renaming the server so other machines do not recognize it.

5. Unauthorized Access

Much like an outside hacker, an insider with authorized access to some systems could execute various attacks to gain unauthorized access to other systems or deny service to users of these other systems. An insider could manipulate files that facilitate the provision of services on virtual/remote machines. Common attacks of this type are directed at hosts and network file servers that facilitate workstations sharing files and services across an enterprise network. Another attack of this type exploits weaknesses in protocols to spoof users or reroute traffic. Examples include spoofing Domain Name Servers to gain unauthorized remote login, and bombing, which uses Internet Control Message Protocol (ICMP) to knock a machine off the air. Other well known attacks include source routing to indicate a trusted host source and Transmission Control Protocol (TCP) sequence number guessing to gain access and hijack a legitimate connection. Bombing a router to knock it off the network, flooding the network with garbage packets, and flooding mail hubs with junk mail are just a few of the alternatives insiders have to deny service.

System administrators, operators, or programmers with software knowledge could exploit vulnerabilities in software that runs with system privileges.
Well known attacks involve sendmail and X-Windows server vulnerabilities. Recently, there has been a proliferation of alerts regarding operating system vulnerabilities. New vulnerabilities are discovered for various software and hardware platforms almost daily; vulnerabilities and patches are reported through the various computer emergency response alerts and bulletins. Privileged insiders are the primary recipients of these alerts and bulletins.

6. Insider-Facilitated Outside Access

To reduce their risk of detection, insiders could do nothing more than facilitate outside access or attack. Insiders could, for example, introduce viruses into systems by placing contaminated disks into the systems or downloading contaminated Internet attachments such as well known PostScript, Active-X, and MS Word macro viruses. They could provide an open door to the destructive outsider through the Internet or create a covert channel to signal private information outside the virtual private network.

The release of the Trojan, Back Orifice, in August 1998 has added a new dimension to the well-intentioned insider threat. Many computer users, believing they were helping their security personnel identify and eradicate this risk, downloaded programs purported to find and eliminate Back Orifice. The most widely known, BoSniffer, was actually a trojan in itself. Instead of eradicating Back Orifice, it ensured the program was loaded and set fully functional, allowing at-will access to systems by an attacker.

7. Dependency on Commercial Networks

The government operates numerous networks. These networks may start as private networks, go through leased or public networks and terminate as private networks (e.g., SECRET Internet Protocol Router Network (SIPRNET)). Approximately 90 percent of U.S. Government telecommunications services traverse public/commercial networks at some point, primarily the Internet and the Public Switched Telephone Network, but also cellular and satellite networks. Access is gained typically through service providers. The Federal Government has structured a number of network service contracts that procure network services for government use. These include the Federal Wireless service and FTS2000 and are provided by public network providers.
The Public Switched Network is vulnerable to information compromise, denial or disruption of service, and unauthorized modification of network databases/services. Other potential vulnerabilities include the use of switched versus dedicated lines, making availability a concern; the ability of an insider to cut a cable, thus denying, delaying, or interrupting service; and the possibility of a network administrator entering the wrong Internet Protocol address to reroute information to an adversary.

8. Physical Access

Lack of more stringent physical access controls affords the insider the opportunity to access facilities and highly sensitive, or classified areas within those facilities, such as computer rooms, network centers, and sensitive compartmented information facilities. Many users, especially system administrators and computer operators, have authorized physical access to computer rooms housing servers, modem pools, router boxes, and other equipment from which they could physically adjust settings, steal equipment with sensitive information or disable equipment. An insider familiar with the facility, in conjunction with loose controls and the use of social engineering techniques, might also be able to use this inside knowledge to gain physical access to areas outside of their approved level of access.
9. Data Aggregation

Data aggregation can be described as the collection and reassembly of pieces of information (or parts of several databases) to provide details that differ from the original purpose of the information or databases. Additionally, it may include the use of data contained in a database, but sorted differently than originally envisioned. The results obtained from recombining or recompiling data are not only different from the original intent, but are designed to satisfy the varying needs of the person or organization doing it. Insiders have a unique advantage in that they have access to the original data, often have the capability and knowledge to sort it differently to satisfy different purposes and/or can modify the original data. Insiders also have access to unclassified databases that are not accessible to the public. Providing this information to a requestor or modifying it could prove detrimental to the original owner of the data. Often it is possible to deduce classified information from these unclassified, but restricted or proprietary databases. The insider is often in a better position to access these databases or has the knowledge to manipulate them without being detected.

10. Homepages

With the proliferation of "net" homepages, another vulnerability becomes available to the insider. Whether dealing with Internet or intranet homepages, and whether these pages are official or personal in nature, a common tendency is for much of this information to spill over onto other sites. The lines between "official" information and "personal" information are often fuzzy, causing computer-savvy employees to post data that might be highly sensitive. A malicious insider (or even an innocent) could easily compile and deposit information that would give an adversary a distinct advantage in ascertaining friendly capabilities, strengths, and weaknesses.

For example, during recent Operations Security (OPSEC) surveys, concern was expressed over personal homepages that had been created by members of the U.S. military. Some personnel were putting unclassified work-related information on their personal homepage. Some sites contained data that directly pertained to missions (e.g., timing, locations) while others dealt with personalities and units involved.
Other homepages have been observed to contain information about the system they are on, the IP address, and names and phone numbers of associated personnel. Many homepages also contain hotlinks to other sites. While this is advantageous for the organization, it also provides information to anyone else reading the homepage. Who you are associated with and with whom you frequently do business or access information from can provide good insight into an organization and its operations. Homepages must be looked at in terms of "what are we giving away?" as well as "what do I need to put on it?" Even though much of the data might be accessible to an outsider, the insider holds an enviable position, commanding a wide-angle viewpoint of what information is available, as well as its significance to the organization. Considering that even adversaries do not have unlimited resources, anything that can focus the collection effort is extremely useful.

A related problem concerns unclassified message traffic sent organization-wide that details positions, names, phone numbers, e-mail addresses, server IP addresses, and a host of other information. While a few people need this complete listing, not everyone does. Messages of this type provide excellent database material and starting points for adversaries.

On 24 September 1998, Deputy Secretary of Defense John Hamre issued a memorandum ordering the following information be immediately removed from publicly available DoD World Wide Web (WWW) sites:

a. Plans or lessons learned that would reveal sensitive military operations, exercises, or vulnerabilities.

b. Any information that would reveal movements of military assets or the location of units, installations, or personnel where uncertainty regarding location is an element of the security of a military plan or program.

c. All personal information in the following categories about U.S. citizens, DoD employees and military personnel:
(1) Social Security Numbers
(2) Dates of Birth
(3) Home Addresses
(4) Telephone numbers, other than numbers of duty officers that are appropriately made available to the general public.
d. Names, location and any other identifying information about family members of DoD employees and military personnel.

The Assistant Secretary of Defense for Command, Control, Communications and Intelligence (ASD C3I) was to develop policy and procedural guidelines to address operational, public affairs, acquisition, technology, privacy, legal and security issues associated with the use of DoD WWW sites.

IV. PERSPECTIVE FROM NO-NOTICE EXERCISES

It should come as no surprise that the three most important considerations in IS security are: access, access, and access. Most access is granted to cleared personnel, who are then treated as trusted users. However, it is possible that an outsider can obtain access by breaking into a system and thus assume trusted user status. Once on the inside, with trusted user status, it is possible that a real outsider has access to the full range of system information regardless of need. This fact was demonstrated in a recent DoD exercise; an exercise that focused on the DoD's ability to deal with the cyber threat to the Defense Information Infrastructure (DII), and also the DoD's ability to cooperate with the rest of the U.S. Government to deal with threats to the National Information Infrastructure (NII).

When an information operations exercise takes place, two teams of security experts are generally sent out to test the system under investigation. The Red Team is a set of individuals whose task is to act as the adversary and use whatever tools they have available to them to attack the system under test. The Blue Team is a set of individuals whose task it is to use the security tools and procedures already in place to defend the system under test from the attack. The adversarial relationship created in this type of test serves to stress the system under test as it might be in real-world conditions and determine what weaknesses still exist in the system. During a recent exercise, the Red Team force postulated gaining access to a government-wide and government operated classified network. Although the Red Team had no privileges with respect to access, they were treated by the network as authorized insiders.
The government operated classified network is separated from the rest of the world by a security barrier. This barrier works well; however, if the barrier were to be breached by a hostile user, the privileges enjoyed by the intruder would be the same as those enjoyed by the authorized user. This postulated attack on the network demonstrated that there is little defense once a hostile information operations effort breaks the network security barrier. The network's defense, and its ability to authenticate access, is oriented outward toward the unclassified systems. The networked systems connected to the classified network are generally configured for global permissions. A break through any classified network user connection makes all connected organizations vulnerable because of the network's interconnected nature. This example from a recent exercise highlights the insider threat, since once inside, everyone is considered a trusted agent of the U.S. Government.

The security barriers protecting our classified networks are good and must remain strong, but customer requirements and the insider threat make an active defensive posture essential for both classified and unclassified systems. Tools, along the lines of intrusion detection, firewalls/secure mail guards, and strong identification and authentication should be enhanced and universally applied. While these tools traditionally have been focused outward, usually protecting against barrier penetration, they should also be applied within the enclave to protect internal nets and even individual host machines. The insider threat is real and is only complicated by the fact that an outsider can possibly attain insider status by gaining access.
V. COUNTERMEASURES TO THE INSIDER THREAT

11. Countermeasure Objectives

There are many available technical and procedural countermeasures that can help to deal with the insider threat. In order to decide which countermeasures are the most effective and how effective any countermeasure is, it is helpful to first define what the community would like these countermeasures to do. The following is a list of objectives, in decreasing order of effectiveness, that provide some insight into what the community needs to do to deal with the insider threat. These measures are specifically focused on the use (or abuse) of IS by insiders.

a. Define and enforce limits on the overt access to sensitive information and networks. That is, limit the range of authorized privileges (i.e., authorized access to information and information resources) of each individual to a set of privileges consistent with the duties and responsibilities of said individual. The intent is to try to minimize the damage that a malicious insider can cause if the insider decides to compromise information to which he or she has access.

b. Hold individuals accountable for their actions by providing reliable (non-refutable) records of the actions of individuals authorized access to sensitive data and networks. The premise here is that by keeping reliable logs of individual actions, individuals may be deterred from trying to access information unless they have a good rationale for accessing it.

c. Review the actions of individuals. That is, review the audit logs for actions or accesses that seem inappropriate. The reviews should be more extensive and frequent for individuals with higher privileges. It is often counter to our current culture to "check up on subordinates," because it implies lack of trust and confidence in these valuable employees. However, knowledge that such "audits" occur, even on an irregular basis, acts as a deterrent to unauthorized or inappropriate actions. These audits might be considered the electronic equivalent to the periodic background checks that are performed on individuals as part of personnel security measures.

d. Prevent covert access to sensitive information and networks by making the system security measures resistant to sophisticated attacks by insiders. Malicious insiders may, in certain cases, take the risky steps of trying to bypass an organization's security controls. To counter this, measures are needed to resist more sophisticated network attacks.

e. Detect covert access to sensitive information and networks. Since not all network attacks can be prevented, another objective is to try to detect such attacks by using intrusion detection methods to look for attack signatures or anomalies that indicate a network attack may be in progress or may have already occurred.

f. Quickly and efficiently perform damage assessments, localize damage, and recover in the event that the system security policy has been violated. At best, technical countermeasures can only provide a measure of protection against (and detection of) attacks by insiders. Hence, it is equally important to have plans in place to recover from such penetrations when and if they are detected. These plans need to be supported by technical mechanisms that provide the automated tools to assess damage and select recovery measures.

12. Technical Countermeasures

a. Access Control

Tools and technologies to provide access control services are available from many vendors. The following are some of the most important characteristics that need to be addressed in order to implement effective technical access control measures.

(1) Access control criteria. The individuals and organizations who control access to sensitive data and resources need to have clear policy that guides them in understanding what individuals and organizations should be permitted access to particular types of data and resources.

(2) Access control lists. Using the above criteria, the data owners need to define (based on individuals, rules, roles, etc.) and maintain on a recurring basis the lists of specific users who are authorized to access each type of data or resource. This typically requires a mechanism for labeling the sensitivity and access control ground rules for various types of data.

(3) Access control enforcement tools. Automated tools must be provided that allow organizations to enter and maintain these access control lists. The tools must also provide effective enforcement of these access control lists. For example, each time a user requests access to a particular file, object, database, etc., the access control tool must determine whether or not the request is authorized and then grant or deny the request accordingly.

b. Identification and Authentication (I&A)

To be effective, access control mechanisms must be able to ascertain the correct identity of each individual requesting access to data or resources. This generally involves two steps. First, obtaining the user's "claimed" identity. Second, forcing the user to authenticate his or her identity. Various I&A options are available from a large number of vendors. They vary significantly in the nature of the mechanisms and in their strength and assurance. The more effective mechanisms require two or three means of authentication (e.g., password, token, biometric) and are structured to authenticate the entire "session" vice just the initiation of a session. It's important to select an I&A mechanism that has an overall strength that is commensurate with the sensitivity of the data being protected or the action being taken.

c. Encryption

After a user requests data from a server (in a client-server model) and the access control measures have been applied, it is foolish to send the result (the data, file, etc.) unencrypted over the network. If the data is unencrypted, malicious insiders could use sniffers to monitor the traffic on the internal networks and access data intended for another user. Likewise, sensitive data sent from user to user (e.g., messages, files, etc.) needs to be protected from monitoring by insiders without a need-to-know. For these reasons, the ability to encrypt data (user to user, and in client-server applications) is an important security service. Application layer encryption is now available from multiple commercial vendors in support of the most popular computing applications. Equally important is encrypting sensitive files stored on hosts and servers. This prevents an insider who manages to access this data from gathering any useful intelligence. Both file and media encryptors (file encryptors encrypt designated files, media encryptors encrypt all files on a defined media) are available.

d. Operating system controls

The host and server operating systems play a lead role in enforcing the organization's security policy and access control rules. Hence, it is important to use operating systems that provide both flexibility and assurance in the implementation of access control mechanisms. Further, it's important that these operating systems be correctly configured and that they be regularly updated to accommodate security patches and upgrades offered by the operating system providers. The DoD's Common Operating Environment program is an initiative that addresses these issues through tight controls on operating system selection, configuration, and maintenance.
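The access control characteristics in paragraph 12.a (criteria, labeled data, access control lists, an enforcement point that grants or denies each request) and the I&A strength requirement in 12.b can be put together in a small decision point. The following is an added example written for this page; it is not the memorandum's own code and not any product's API. The sensitivity levels, compartments, roles, users and the "two factors above UNCLASSIFIED" rule are constructed for illustration. It also records every decision, which is what objective 11.b asks for.

```python
"""Access control decision point: sensitivity label, ACL and I&A strength.

Added example in the spirit of NSTISSAM INFOSEC/1-99 paragraphs 12.a and 12.b;
not the memorandum's own code. Levels, compartments, roles, users and the
factor-count mapping are constructed for illustration.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Tuple

# Sensitivity levels, least to most sensitive (assumed ordering).
LEVELS = {"UNCLASSIFIED": 0, "CONFIDENTIAL": 1, "SECRET": 2}


@dataclass(frozen=True)
class Label:
    """Sensitivity label on data: a level plus need-to-know compartments."""
    level: str
    compartments: FrozenSet[str] = frozenset()


@dataclass
class Resource:
    name: str
    label: Label
    acl: Dict[str, Tuple[str, ...]]   # role -> operations the data owner permits (12.a(2))


@dataclass(frozen=True)
class Session:
    user: str
    clearance: Label
    roles: FrozenSet[str]
    factors: int   # means of authentication used to establish this session (12.b)


# Reliable record of every decision, for the accountability objective (11.b).
AUDIT: List[Tuple[str, str, str, str]] = []


def dominates(clearance: Label, label: Label) -> bool:
    """Clearance is high enough and holds every compartment the data carries."""
    return (LEVELS[clearance.level] >= LEVELS[label.level]
            and label.compartments <= clearance.compartments)


def required_factors(label: Label) -> int:
    """I&A strength commensurate with sensitivity (assumed: two factors above UNCLASSIFIED)."""
    return 1 if LEVELS[label.level] == 0 else 2


def decide(session: Session, res: Resource, op: str) -> bool:
    """Grant only when label, ACL and authentication strength all permit; deny otherwise."""
    strong_enough = session.factors >= required_factors(res.label)
    cleared = dominates(session.clearance, res.label)
    permitted = any(op in res.acl.get(role, ()) for role in session.roles)
    granted = strong_enough and cleared and permitted
    AUDIT.append((session.user, res.name, op, "GRANT" if granted else "DENY"))
    return granted


# --- constructed sample policy and sessions -------------------------------
PAYROLL = Resource("payroll_db", Label("CONFIDENTIAL"),
                   {"hr_clerk": ("read",), "hr_manager": ("read", "write")})
OPS_PLAN = Resource("ops_plan", Label("SECRET", frozenset({"OPS"})),
                    {"planner": ("read", "write")})

CLERK = Session("jsmith", Label("SECRET", frozenset({"OPS"})), frozenset({"hr_clerk"}), factors=2)
ADMIN = Session("sysadmin", Label("SECRET"), frozenset({"hr_manager", "planner"}), factors=2)
CLERK_1FA = Session("jsmith", Label("SECRET", frozenset({"OPS"})), frozenset({"hr_clerk"}), factors=1)


def run_demo() -> Dict[str, bool]:
    """Exercise each check once; the key names why a request is granted or denied."""
    return {
        "clerk reads payroll (all checks pass)": decide(CLERK, PAYROLL, "read"),
        "clerk writes payroll (role lacks write)": decide(CLERK, PAYROLL, "write"),
        "clerk reads ops plan (no planner role)": decide(CLERK, OPS_PLAN, "read"),
        "admin reads ops plan (no OPS compartment)": decide(ADMIN, OPS_PLAN, "read"),
        "clerk, one factor, reads payroll (weak I&A)": decide(CLERK_1FA, PAYROLL, "read"),
    }


if __name__ == "__main__":
    for reason, granted in run_demo().items():
        print(f"{'GRANT' if granted else 'DENY':5} {reason}")
```

Each denial in the demo comes from a different check: the ACL refusing an operation the role was never given (least privilege), a clearance that lacks the compartment even though the role would allow it (need-to-know), and a session established with too few means of authentication for the data's sensitivity. Because the decision point denies unless all three agree, adding a role or raising a clearance in isolation never opens data by accident.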
e. System administration tools

One of the most effective countermeasures to the insider threat is to ensure that the individuals who administer the networks (especially the more sensitive networks) are specially selected and highly trained and skilled at ensuring that the organization's security policy is enforced on a 24-hour basis. They also need to be given the time and resources to accomplish this job in addition to their other duties. There are many new tools now available to help these administrators do their job. For example, network vulnerability scanners are available from multiple sources that will assess the configuration of a given network, will identify security deficiencies, and will recommend countermeasures. These tools can also monitor the implementation of password policies.

f. Event Logging and Audit Reduction Tools

To address Objective 3 (Sec. V., para. 11.c.), an organization needs reliable logs of security-relevant events that occur within an organization's information networks. Tools are available to create and maintain such logs both at the operating system level and in support of a number of common networking applications. However, the organization must decide what types of events are worth monitoring and during what times of day. In the event that suspicious activity is detected, the organization also needs to fine tune the event logging tools to record additional events of interest or to adjust the logging thresholds to get a finer picture of suspicious activity.

It is possible for an insider, after having accessed unauthorized data, to cover his or her tracks by modifying the event logs. For this reason, it is important that an integrity mechanism be applied to detect any modification of these logs. This may involve applying a digital signature to individual or combinations of logs with sequence numbers to ensure that the logs are complete.
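The integrity mechanism just described (authenticating each entry together with a sequence number, so that edits, deletions and truncation can all be detected) and the audit-reduction tools that paragraph 12.f goes on to describe are shown together below. This is an added example written for this page, not the memorandum's code. A keyed HMAC, with the key held by the audit system rather than the logged host, stands in for the digital signature the text describes; the log events and the review rules are constructed.

```python
"""Tamper-evident event log with sequence numbers, plus a first audit-reduction pass.

Added example for paragraph 12.f of NSTISSAM INFOSEC/1-99; not the memorandum's
own code. A keyed HMAC (key held by the audit system, not the logging host)
stands in for the digital signature the text describes. Events are constructed.
"""
import hashlib
import hmac
import json
from collections import Counter
from typing import Dict, List

AUDIT_KEY = b"constructed-audit-system-key"   # assumed: kept off the audited host
GENESIS = "0" * 64


def _tag(seq: int, prev: str, event: Dict) -> str:
    """Authenticate the entry together with its sequence number and its predecessor's tag."""
    msg = json.dumps({"seq": seq, "prev": prev, "event": event}, sort_keys=True).encode()
    return hmac.new(AUDIT_KEY, msg, hashlib.sha256).hexdigest()


def append(log: List[Dict], event: Dict) -> Dict:
    """Add an event as entry n+1, chained to entry n."""
    seq, prev = len(log) + 1, (log[-1]["tag"] if log else GENESIS)
    rec = {"seq": seq, "prev": prev, "event": event, "tag": _tag(seq, prev, event)}
    log.append(rec)
    return rec


def verify(log: List[Dict], expected_count: int) -> List[str]:
    """Report modified entries, gaps or reordering, and truncation.

    expected_count is the last sequence number the audit system recorded out of
    band; without it, dropping the newest entries would go unnoticed.
    """
    problems, prev = [], GENESIS
    for pos, rec in enumerate(log, start=1):
        if rec["seq"] != pos:
            problems.append(f"position {pos}: sequence number {rec['seq']} (gap or reorder)")
        if rec["prev"] != prev or not hmac.compare_digest(
                rec["tag"], _tag(rec["seq"], rec["prev"], rec["event"])):
            problems.append(f"seq {rec['seq']}: entry modified or chain broken")
        prev = rec["tag"]
    if len(log) != expected_count:
        problems.append(f"expected {expected_count} entries, found {len(log)} (truncated?)")
    return problems


def reduce_for_review(log: List[Dict], hours=(7, 19), deny_limit=3) -> List[str]:
    """Pull out the entries an auditor should look at first (assumed rules)."""
    flags, denials = [], Counter()
    for rec in log:
        ev = rec["event"]
        hour = int(ev["ts"][11:13])
        if ev["result"] == "DENY":
            denials[ev["user"]] += 1
        if not hours[0] <= hour < hours[1]:
            flags.append(f"seq {rec['seq']}: {ev['user']} {ev['action']} {ev['object']} outside working hours")
        if ev["object"] == "event_log":
            flags.append(f"seq {rec['seq']}: {ev['user']} touched the event log itself")
    flags += [f"{u}: {n} denied requests" for u, n in denials.items() if n >= deny_limit]
    return flags


# --- constructed events ------------------------------------------------------
EVENTS = [
    {"ts": "1999-03-02T09:05", "user": "jsmith", "action": "read", "object": "payroll_db", "result": "GRANT"},
    {"ts": "1999-03-02T09:07", "user": "jsmith", "action": "write", "object": "payroll_db", "result": "DENY"},
    {"ts": "1999-03-02T09:08", "user": "jsmith", "action": "write", "object": "payroll_db", "result": "DENY"},
    {"ts": "1999-03-02T09:09", "user": "jsmith", "action": "write", "object": "payroll_db", "result": "DENY"},
    {"ts": "1999-03-02T23:40", "user": "sysadmin", "action": "read", "object": "ops_plan", "result": "GRANT"},
    {"ts": "1999-03-02T23:42", "user": "sysadmin", "action": "delete", "object": "event_log", "result": "GRANT"},
]


def build_log() -> List[Dict]:
    log: List[Dict] = []
    for ev in EVENTS:
        append(log, ev)
    return log


def run_demo() -> Dict[str, List[str]]:
    """Verify the intact log, then three tampered copies, then run the review pass."""
    log = build_log()
    n = len(log)
    edited = json.loads(json.dumps(log))   # deep copy, then rewrite who acted in entry 5
    edited[4]["event"]["user"] = "jsmith"
    gapped = log[:2] + log[3:]             # entry 3 removed from the middle
    return {
        "intact": verify(log, n),
        "edited": verify(edited, n),
        "gapped": verify(gapped, n),
        "truncated": verify(log[:-1], n),
        "review": reduce_for_review(log),
    }
```

The three tampered copies show why the sequence number and the out-of-band count both matter: rewriting an entry breaks its tag, removing a middle entry breaks the chain and leaves a numbering gap, but silently dropping the newest entries is only caught because the verifier knows how many entries there should be. An attacker with the host's own key could re-tag everything, which is why the key belongs with the audit system rather than on the host being audited.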
Of equal, or perhaps greater importance, is the need for tools that analyze event logs and support the auditor in his/her search for suspicious activity. The tedious nature of such reviews, especially when the amount of recorded data can be enormous, often results in a cursory examination at best. However, more sophisticated tools are becoming available to automatically scan large amounts of data and to present suspicious events to the auditor in a more user friendly fashion.

g. Intrusion Detection Tools

Intrusion detection tools typically monitor transactions at the network layer. These tools monitor events based on source and destination addresses and protocol types and can look for "signatures" of known attack scenarios and anomalous behavioral patterns. The more sophisticated tools can respond fast enough to allow system administrators to react in real-time to potential intrusions and to shut down specific ports or entire systems in order to prevent damage from network based attacks.

h. Boundary Protection Mechanisms

The access control measures addressed earlier tended to focus on the hosts and servers within a Local Area Network (LAN). However, many LANs are interconnected not only within an organization's local enclave but across the wide area networks used to create intranets and extranets. While the use of virtual private networking technology can help to protect these environments from outsiders, they do nothing to counter insider threats. In fact, they may make the problem worse. This is because the interconnection provides individuals in remote locations with access to information in one's local system as if the distant user was an authorized local user. While this may be necessary in certain cases, it is also prudent to limit access to an organization's LAN to those who have a valid need for this access. The installation of boundary protection devices such as firewalls can help to protect local networks both by limiting access as well as by scanning content for potentially harmful mail bombs, viruses, trojan horses, etc.

Mapping of Technical Countermeasures to Objectives

The preceding paragraphs identified objectives and generic countermeasures. The following table provides some additional insight by showing which countermeasures tend to support each objective.

Mechanisms to Support Objectives: Technical Countermeasures to the Insider Objectives

Countermeasures (table columns): Access Control; I&A; Encryption; O.S. Controls; S.A. Tools; Event Logging; Intrusion Detection; Enclave Boundary Controls

Objectives (table rows): Enforce Access Limits; Accountability; Review Actions; Prevent Covert Access; Detect Covert Access; Recovery

Summary of Technical Countermeasures

Protecting against and detecting malicious behavior by insiders is one of the most difficult information assurance challenges. The good news is that there are in fact many technical countermeasures available to address this concern. These measures, if properly implemented and administered, can help to limit the damage that an insider can do and can provide a measure of deterrence for at least certain insiders. They can also support damage assessment and reconstitution activities needed to restore operations. Success in using these mechanisms depends heavily on a willingness to limit access on a need-to-know basis. This is somewhat counter to today's culture that tends to support a high degree of open sharing of information. However, organizations that have sensitive information, and that choose to control it carefully, will find that the use of the suggested measures can provide increased protection against the insider threat.

13. Procedural Countermeasures

Ultimately in carrying out governmental missions and in executing the associated responsibilities, we must rely on people to protect networked IS: system administrators, Information Systems Security Managers and Officers (ISSMs/ISSOs), program architects and managers, accreditors, and basic users, among others. It is neither practical nor feasible to rely totally on technology to enforce security; likewise, it is neither practical nor feasible to rely totally on procedures. To be most effective, technology and procedures must complement one another. Although on the surface procedural countermeasures are cheaper and appear easier to implement, the downside is that they are often difficult to enforce. The government does not have, and will not likely have, a security policy/procedure patrol to ensure that the written rules are not broken. A simple written mandate, for example, requiring users to change passwords every three months often goes unheeded; however, supplementing the written mandate with a technical denial of access to a system if the password isn't changed (after appropriate warning has been provided) is almost always more successful.

A number of commonly-invoked procedures used to protect "valuable" information/IS from outside attacks are described below. These same procedures and more should be considered when dealing with the "insider." Although these procedural countermeasures may be similar to some of the technical ones, the focus is different. ANNEX A identifies some of the policies in place that delineate personnel, security and/or administrative procedures.

a. Personnel Security Procedures

The national interest requires the protection of certain information (classified, sensitive, proprietary, etc.), the disclosure of which could cause irreparable damage to national security, economic damage or loss, and/or possibly the loss of human life. Requirements associated with deciding whether an individual should be allowed access or continued access to classified information often involve the following:

(1) Background investigations. These are conducted by investigative agencies, i.e., agencies authorized by law or regulation to conduct a counterintelligence investigation or investigation of persons who are proposed for access to classified information in order to ascertain whether such persons satisfy the criteria for obtaining and retaining access to such information. They include:
- the disclosure of relevant financial and travel records;
- the agreement to adhere to defined rules of personal conduct;
- the agreement to sign an approved nondisclosure agreement;
- the agreement to submit to an examination via a polygraph; and
- in many cases, U.S. Citizenship.

(2) Employee Responsibilities. Additionally, once hired and permitted access to classified and sensitive information, employees are required to: protect sensitive and classified information in their custody from unauthorized disclosure; report all contacts with persons who seek to obtain from them unauthorized access to classified information; report all violations of security regulations to the appropriate security officials; challenge when observing suspicious behavior; and comply with other, often more stringent, security requirements designated by their parent organizations.

(3) U.S. Department/Agency Responsibilities. The relationship between the employee allowed access to sensitive information and the U.S. Government department or agency for which that employee works is a symbiotic relationship. The employee must carry out the requirements delineated in the paragraph above; the Department or Agency, in turn, must ensure that there is an established program in place to educate employees about their individual responsibilities and to assist employees who have questions or concerns about issues such as financial matters, mental health, or substance abuse.

b. Procedures Relating To Users and "Super-Users" (e.g., System Administrators)

In addition to users on a system who should be allowed virtual access to a system based on criteria such as clearance, compartment, and/or need-to-know, a cadre of professionals (e.g., system administrators) have privileges that allow them root access to systems for which they are responsible. These privileges include the ability to: read all files; destroy applications or information; circumvent internal controls; set up and administer user accounts and authenticators; control access of individuals; troubleshoot IS monitoring functions; and (potentially) connect to other systems. System administrators have the ability, because of their position, to virtually control the operations of an IS. A DoD report from the Office of the Inspector General ("DoD Management of Information Assurance Efforts to Protect Automated Information Systems," dated September 25, 1997) alleges that "system administrators exceeding their roles and responsibilities were among the most common problems associated with insiders exploiting vulnerabilities." That same report showed that 87 percent of identified intruders in DoD systems were employees or others internal to the organization.
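One procedural control over the root-level privileges listed above is a periodic review of a register that maps every privileged account to a named, cleared individual. The script below is an added example written for this page, not the memorandum's code. The register entries, the duty names (taken from the privileges listed above), the 180-day review interval, and the rule that the person who administers accounts and authenticators should not also control the monitoring functions are all constructed or assumed for illustration. Its point is that a conflict of duties can be invisible per account and only appear once all of one individual's accounts are combined.

```python
"""Review of a register of root-privileged ("super-user") accounts.

Added example in the spirit of paragraph 13.b of NSTISSAM INFOSEC/1-99; it is
not the memorandum's own code. The register, the duty names, the review
interval and the duty-conflict rule are constructed or assumed for illustration.
"""
from collections import defaultdict
from datetime import date
from typing import Dict, List, Set

# Assumed rule: whoever administers accounts and authenticators should not also
# control the monitoring functions that would record misuse of that power.
CONFLICTS = [({"administer_accounts"}, {"troubleshoot_monitoring"})]

REGISTER: List[Dict] = [   # constructed register; duty names follow the privileges listed above
    {"account": "root@fileserver1", "holder": "A. Jones", "cleared": True,
     "duties": {"administer_accounts", "read_all_files"}, "last_review": date(1999, 1, 10)},
    {"account": "root@mailhub", "holder": "A. Jones", "cleared": True,
     "duties": {"troubleshoot_monitoring"}, "last_review": date(1999, 1, 10)},
    {"account": "root@router2", "holder": None, "cleared": False,
     "duties": {"circumvent_controls"}, "last_review": date(1998, 3, 1)},
    {"account": "root@db1", "holder": "B. Lee", "cleared": False,
     "duties": {"read_all_files"}, "last_review": date(1999, 2, 1)},
]


def review(register: List[Dict], today: date, max_age_days: int = 180) -> List[str]:
    """Return findings: untraceable or uncleared holders, stale reviews, and
    duty conflicts that only appear when an individual's accounts are combined."""
    findings: List[str] = []
    duties_by_holder: Dict[str, Set[str]] = defaultdict(set)
    for r in register:
        acct = r["account"]
        if not r["holder"]:
            findings.append(f"{acct}: not traceable to a named individual")
        elif not r["cleared"]:
            findings.append(f"{acct}: holder {r['holder']} lacks a current clearance")
        else:
            duties_by_holder[r["holder"]] |= r["duties"]
        age = (today - r["last_review"]).days
        if age > max_age_days:
            findings.append(f"{acct}: privileges last reviewed {age} days ago")
    # Separation-of-duties check across every account an individual holds.
    for holder, duties in duties_by_holder.items():
        for a, b in CONFLICTS:
            if a & duties and b & duties:
                findings.append(f"{holder}: holds conflicting duties "
                                f"{sorted(a & duties)} and {sorted(b & duties)} across accounts")
    return findings


def run_demo() -> List[str]:
    return review(REGISTER, today=date(1999, 3, 2))


if __name__ == "__main__":
    for finding in run_demo():
        print(finding)
```

In the constructed register each of A. Jones's two accounts looks acceptable on its own; only the combined view shows one person holding both account administration and control of monitoring. The unowned router account and the uncleared holder are the accountability failures the text's 87 percent figure argues for catching early, and the stale-review finding is what a recurring review interval is meant to surface.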
Procedures often prescribed to circumscribe virtual accessibility of users (including the super-user) into systems include:

A management control program - an outline of the organization's efforts to ensure (1) that management control systems are working effectively through the assignment of responsibilities at the policy level, (2) the issuance and implementation of guidance (e.g., established procedures for tracking those individuals with "super-user" or "root" privileges), (3) the implementation of risk assessments and management control reviews, (4) that there exist provisions for quality control, and (5) that reports are made available to senior management;

Separation of duties - a control process to ensure that a single individual cannot negate the security safeguards of a system;

Least privilege - the principle that requires each user in a system to be granted only the privileges needed for the performance of authorized tasks;

Accountability - the property that enables activities on a system to be traced to individuals who may be held responsible for their actions;

Audits (a means of achieving accountability) - security-related events that allow detection and after-the-fact investigation to trace events and violations to a particular individual; regular reviews and investigation of anomalies discovered in audit data; and retention and adequate protection of audit trails to prevent modification and/or destruction;

Authentication - positive identification sufficient for permitting certain rights or privileges; identification of users with validated "need-to-know";

Passwords - character strings used to authenticate users' identities; password management; and

Help Desk Capabilities - to assist users with questions or experiencing problems; and education, training, and awareness programs, including initial orientation, more advanced education and training commensurate with duties and responsibilities, and reinforcement activities. (NOTE: For many personnel with critical system responsibilities, e.g., system administrators, such responsibilities are often "other duties as assigned.")

c. Policies Relating to the Protection of Information Systems
country's vulnerability. IS, for the most part automated and interconnected, are dependent on critical infrastructures (e.g., telecommunications, energy, emergency services) which historically have been physically and logically separate. To address the protection required, PDD-63 includes as its goal eliminating any significant vulnerabilities to critical infrastructures, especially cyber-based IS, by the year 2003. Subject to nontraditional attacks that could cause significant harm to our military power and economy as well as disruption of vital services, critical infrastructures often fall under the purview of both the government and private sectors; thus, PDD-63 mandates that the government work in partnership with the private sector in planning for and protecting identity infrastructures. To reduce the potential increase in vulnerabilities within the Federal Government, PDD-63 mandates every U.S. department and agency accomplish the following:

• Designate its Chief Information Officer as the individual responsible for information assurance;
• Appoint a Chief Infrastructure Assurance Officer to be responsible for all of the other aspects of that department's/agency's critical infrastructures;
• Establish procedures to obtain validated vulnerability assessments on government computer and physical systems;
• Develop a plan for protecting its critical infrastructures.

Submitted to the National Coordinator for analysis of inter-governmental dependencies and mitigation of those dependencies, the plan is to be updated every two years.
Disruption in the flow of vital U.S. Government information, a critical vulnerability, is addressed by a recently-released Executive Order (E.O.) 13073 (February 1998) concerning Year 2000 conversions. In addition to establishing a Year 2000 Conversion Council, E.O. 13073 mandates that no critical Federal program experience disruption because of the Y2K problem. Another E.O., 12864 (September 1993), establishes within the Department of Commerce the United States Advisory Council on the National Information Infrastructure, the purpose of this council being to advise the Secretary of Commerce on matters related to the development of the NII, including national security and emergency preparations.

OMB Circular A-130, Appendix III, "Security of Federal Automated Resources" delineates requirements to all U.S. Government departments and agencies in the protection of Federal Government IS. Prescribed safeguards addressed in this Circular include:

• Ensuring information is protected commensurately with the potential risk and magnitude of harm;
• Limiting the collection of information to authorized individuals and allowing such collection only when necessary for the proper performance of agency functions;
• Limiting the sharing of information to authorized individuals;
• Training personnel in skills appropriate to their roles in the management of information;
• Providing for periodic review of information systems to determine: how the mission may have changed; whether the IS continues to fulfill ongoing and anticipated mission requirements; and the level of maintenance needed to ensure the IS meets the mission requirements cost effectively; and
• Ensuring that the official who administers a program supported by an IS is responsible and accountable for the management of that IS throughout its life cycle.

Although the OMB Circular provides a generic overview of requirements relating to protecting the U.S. Government's IS, the National Security Telecommunications and Information Systems Security Committee (NSTISSC) has promulgated numerous issuances (e.g., policies, instructions, advisory memoranda) that address in more focused detail particular security-related requirements. NSTISSC issuances, national in scope, have covered a broad range of issues, a subset of which include:

• Use of Cryptomaterial by Activities Operating in High Risk Environments;
• Education, Training, Awareness -- a series of documents for personnel with significant roles (e.g., Accreditors, System Administrators, Information Systems Security Officers);
• Certification and Accreditation of National Security Telecommunications and Information Systems;
• Electronic Keying;
• Government Contractor Telecommunications;
• Incident Response and Vulnerability Reporting for National Security Systems;
• Compromising Emanations;
• Communications Security Monitoring; and
• Doctrines for operating various INFOSEC equipment.

In its goal to maintain relevancy in concert with the rapid evolution of technology, the NSTISSC hosts an annual offsite that addresses key issues and initiatives and also sponsors national-level issue groups (e.g., Information Assurance; Education, Training, Awareness) to focus on areas of particular concern.

With the existing and newly-implemented policy protection initiatives, it should be pointed out that none explicitly relate to addressing the "insider threat" problem. Departments and agencies implement the policies and procedures mandated in national and departmental issuances and develop, as appropriate, their individual, application-specific security policies.

d. System Security Policies

A security policy is the set of laws, rules, and practices that regulate how an organization protects its IS and the data within them. Its development is based on national and departmental requirements factored into specific applications and environments. Often the baseline requirements center around the triad of critical information characteristics of confidentiality, integrity, and availability:

Confidentiality - the assurance that only selected users or groups (based on their responsibilities, privileges, and need-to-know) are allowed access to certain data;

Integrity - the assurance that data in the system is accurate and complete, and hasn't undergone unauthorized (accidental or malicious) modification or destruction; and

Availability - the assurance that the system works reliably, and the data in the system is accessible to authorized users when requested or needed.

If adhered to, the composite of procedural countermeasures mandated in the national and defense policy issuances, when incorporated into security policies, would help control or minimize the insider threat problem. Procedural requirements cited in such policies are often a subset of the following:

(1) Access controls
• Virtual access controls and tools, including the establishment of an access authorization process and account and password management; limitations on group accounts (lists of individuals that are part of a group); the delineation of tools available to the general user population (e.g., virus detection software) and those tools limited to certain authorized users (e.g., network analyzers); isolation of the operating system via partitions, domains, etc. to prevent introduction of malicious code;
• Physical access controls and tools, including the location of critically-sensitive components and material in controlled locations or facilities with physical security parameters in place to protect critical network nodes (e.g., communication circuits, termination points, entry points); alarms; intrusion detection within applications, operating systems, and at the network layer; procedures required for attended and unattended operations of IS; regular checks of the hardware;
(2) Accountability for classified and/or sensitive material and data (including marking and handling of the data) and documentation controls; secured distribution of sensitive account information (e.g., passwords);
(3) Configuration management limiting the number of authorized personnel (or approved, designated contractors) allowed to make system changes and documenting those changes;
(4) System connections and controlled interfaces (e.g., firewalls, guards) between interconnected systems;
(5) Maintenance procedures for local employees and contract employees (cleared and/or escorted and supervised by knowledgeable personnel), including the review of maintenance diagnostics before they are executed on the system;
(6) Reportable incidents, violations, compromises; suspected unapproved activities; suspected network attacks; and consequences for failing to comply with departmental rules;
(7) Procedures associated with magnetic media (e.g., shareware, personal software, virus checks, overwrites, purging, degaussing, storing, transporting, destruction); periodic inventories to account for sensitive material;
(8) Contingency procedures/continuity of operations/disaster recovery (these plans and procedures may entail storage of critical backup media offsite); and
(9) Legal issues relating to monitoring, work-related management searches; file transfers; workplace practices (e.g., the log-on banner); personal use of government software in support of nonwork activities, downloading, and the like.

Summary of Procedural Countermeasures

Numerous policies in place, at the national, defense, service, and agency levels, prescribe procedural countermeasures to protect valuable information in U.S. Government systems. Although most of these procedures have been mandated for years, many of them are not enforced and/or are not properly implemented. Moreover, the focus of the policies and mandated procedures has been directed toward preventing entry by outsiders into U.S. Government systems.

Equal, if not more, focus will need to be directed toward ensuring that insiders are prevented from doing harm to the Government's systems. DoD's IG Report, "DoD Management of Information Assurance Efforts to Protect Automated Information Systems," dated September 25, 1997, recommended including accountability for management control practices in the job descriptions, performance plans, and performance evaluations of personnel responsible for safeguarding DoD's IS. This recommendation is in concert with both the Government Performance and Results Act, which is intended to increase federal program effectiveness through strategic planning and performance-based management; and the Defense-wide Information Assurance Program (DIAP), one of the desired outcomes of this program being the establishment of performance measures based on effective, measurable criteria.
VI. RECOMMENDATIONS

Having taken a look at threats and vulnerabilities posed by the insider against Government IS, and the various countermeasures - both technical and procedural - that might be used to mitigate the risks associated with those insiders, the following recommendations are offered as immediate steps to improving this situation. As noted earlier, these recommendations are offered in priority order with some emphasis placed on ease of implementation and cost. The order is, however, subject to several considerations that might influence the final outcome. One discriminator would be the issue of deterring an existing insider versus that of deterring someone who might become an insider. Another would be the need to show a serious resolve in the short term, versus taking a longer term, strategic approach to this problem. The important point is that all are positive steps that would improve our posture with respect to the insider threat, and that minor adjustments in order are less significant.

14. Enforce Policies Already in Place

Many policies relating to personnel security, computer security, and IS security mandate security procedures to protect mission-critical information (e.g., classified, sensitive), the unauthorized disclosure of which could irreparably harm the United States' security and economy and could potentially result in the loss of privacy or in the premature loss of life. The management control program established by each government organization is required to ensure that there are effective procedures in place: the assignment of responsibilities; the issuance and implementation of guidance; the conduct of risk assessments and management control reviews; the provision for quality control; and reporting to senior management. An essential element of an effective security program is accountability. Those individuals responsible for an action must be held accountable when IS are not in compliance with prescribed security requirements and when known security vulnerabilities have not been corrected.

15. Enforce National and Organizational Policies that Mandate the Establishment of a Security Policy for All Systems

U.S. Government information technology has evolved from stand-alone mainframe computers to an intricate, seamless web of communication networks, computers, software, databases, security services, and other processes. Risk to one organization now represents risk to all and, from a lessons-learned perspective, we are cognizant of the internal and external threats to our systems. As more and more systems throughout the government are interconnected, it is incumbent on all U.S. Government departments and agencies to adhere to OMB Circular A-130, Appendix III, which requires security plans for all government systems. U.S. Government departments and agencies cannot assume that the insider threat problem is too difficult to solve and, thus, should not be tackled. System planners must consider controls (e.g., evaluation tools, contingency plans, manageable audits) to mitigate the growing number of insider problems.

16. Security Education, Training, and Awareness (ETA) Programs Should Be Mandatory for All Users and Employee Assistance Programs Must Be Enhanced

ETA programs must provide a rationale for the rules and regulations that are being enforced. This training must not only identify the punishment to the individual, but must also clearly identify the impact to others, the organization, and the nation that can result from failure to follow these rules and regulations. It is recommended that training take the OPSEC approach and provide instruction in identifying critical information and the need to protect it. When personnel understand the need for rules and regulations, they comply more readily. This training should be reinforced through warning banners, posters, daily reminders, publications, and through discussions in other training classes. Information developed from the psychological profile might be provided during training sessions. It is also recommended that the outcome of infractions that have been adjudicated be publicized throughout the organization (names and case files should not be identified) to reinforce the fact that not only is there a problem, but that it is being addressed. Employees who are identified as potential computer abusers must be provided with enhanced assistance in the areas of psychological problems, monetary problems, marital and family problems, etc.
17. Access Controls

Systems that process classified and sensitive information need to enforce mandatory and discretionary access control mechanisms to ensure that only users with the proper clearances and need-to-know are able to access this data. The need for access as well as access permissions should be reviewed periodically. Access control mechanisms need to be deployed not only at network boundaries (to control external access), but within the client-server computing environment (to limit insider access). The use of such mechanisms requires that appropriate data labels (or other mechanisms) be used to identify the access control ground rules - for individual files, messages, databases, etc. Until viable mandatory access control mechanisms become widely available, systems processing different levels of information must remain isolated and each enforce discretionary access control.

18. Strong Authentication

Access control mechanisms are critically dependent on the authentication mechanism used to validate the identity of the users requesting access. It is well known that reusable passwords (today's most prolific authentication mechanism) are highly vulnerable due to their unprotected nature and due to poor operational practices. A major initiative is needed to replace passwords with strong authentication mechanisms that require the use of tokens or biometrics (for user login) and cryptographic authentication (for network interactions). As an interim measure, the administration of password-based systems needs to be significantly strengthened both procedurally and with automated tools (such as network vulnerability scanners).
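As an added example (not part of NSTISSAM INFOSEC/1-99), the kind of label-based decision item 17 calls for: a mandatory check of the user's clearance and compartments (standing in for need-to-know) against the data label, applied before the object's discretionary ACL is consulted, so an ACL entry can never grant what the labels forbid. The Bell-LaPadula read-down/no-write-down rules, the level names, users, file and ACL are all assumptions made for illustration.

```python
"""Added example (not from NSTISSAM INFOSEC/1-99): mandatory access control on
data labels, evaluated before the object's discretionary ACL. Levels, users,
the file and its ACL are constructed for illustration."""
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, Set

# Hierarchical sensitivity levels; a higher number dominates a lower one.
LEVELS: Dict[str, int] = {"UNCLASSIFIED": 0, "CONFIDENTIAL": 1,
                          "SECRET": 2, "TOP SECRET": 3}


@dataclass(frozen=True)
class Label:
    level: str
    compartments: FrozenSet[str] = frozenset()

    def dominates(self, other: "Label") -> bool:
        """True when this label's level is at least the other's and it carries
        every compartment the other is marked with (the need-to-know test)."""
        return (LEVELS[self.level] >= LEVELS[other.level]
                and other.compartments <= self.compartments)


@dataclass(frozen=True)
class Subject:
    name: str
    clearance: Label


@dataclass
class Resource:
    name: str
    label: Label
    # DAC: owner-maintained ACL mapping user name -> permitted operations.
    acl: Dict[str, Set[str]] = field(default_factory=dict)


def decide(subject: Subject, res: Resource, op: str) -> str:
    """Return "ALLOW" or a "DENY: ..." reason. MAC is evaluated first. Reads
    follow read-down (clearance must dominate the label); writes follow
    no-write-down (the label must dominate the clearance), the Bell-LaPadula
    rules assumed here. Only then is the discretionary ACL consulted."""
    if op == "read":
        if not subject.clearance.dominates(res.label):
            return "DENY: clearance does not dominate data label"
    elif op == "write":
        if not res.label.dominates(subject.clearance):
            return "DENY: write would move data to a lower label"
    else:
        return "DENY: unknown operation"
    if op not in res.acl.get(subject.name, set()):
        return "DENY: not permitted by object ACL"
    return "ALLOW"


# Constructed sample: a SECRET file in compartment ALPHA with a three-user ACL.
OPS_PLAN = Resource("ops_plan.txt", Label("SECRET", frozenset({"ALPHA"})),
                    acl={"alice": {"read"}, "bob": {"read"},
                         "carol": {"read", "write"}})
ALICE = Subject("alice", Label("TOP SECRET", frozenset({"ALPHA", "BRAVO"})))
BOB = Subject("bob", Label("SECRET", frozenset()))     # cleared, no need-to-know
CAROL = Subject("carol", Label("SECRET", frozenset({"ALPHA"})))
DAVE = Subject("dave", Label("TOP SECRET", frozenset({"ALPHA"})))  # not on ACL

if __name__ == "__main__":
    for subj, op in ((ALICE, "read"), (BOB, "read"), (CAROL, "write"),
                     (ALICE, "write"), (DAVE, "read")):
        print(f"{subj.name:5} {op:5} -> {decide(subj, OPS_PLAN, op)}")
```

Bob is cleared to the file's level but lacks the compartment, and Dave dominates the label but is absent from the ACL; both are refused, which is the point of layering the two mechanisms.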
19. Establish Senior Focal Point for Security in AIS

Assign a senior individual in each government department or agency with responsibility to oversee department/agency monitoring of employee computer use (e.g., a Chief Information Officer (CIO) Security). This senior could also serve as the champion and mentor for system administrator professionalization and development and for workforce training in IS security.

20. Establish Personnel Security Vetting Procedures Commensurate with Individuals' Level of IS Access

Individuals with privileged, root, or super-user access should be given additional attention. It is particularly important to focus on developing a strong security partnership with system administrators, ensuring that these individuals receive the best security awareness training available. Career development programs and industry accepted certification or licensing should be initiated. For government elements that have authority to polygraph personnel, more frequent polygraphs are recommended for individuals with greater IS access. Polygraphs could be supplemented by the creation of a special access program, including a security file review, for individuals with privileged access. For government elements without polygraph authority, additional emphasis should be given to background investigations.

21. Select, Train, Motivate and Reward System Administrators

System administration is a critical function and point of vulnerability. As such, the government must be more selective in who it assigns to system administrator positions, how it screens and monitors people in these positions, and how it regards system administrators. Prospective or current system administrators should receive additional screening during background investigations and more frequent polygraphs.
Use of a "Psychological Profile" tool may be helpful in recruiting "trusted" individuals for system administrator positions. Once hired, they need a defined career path. They should be provided on-the-job training and individually tailored training plans to include ethics training. In an effort to keep skills current, they should be afforded every opportunity to attend technical and security related courses. They should not be assigned other job functions that may interfere with their system administrator duties. Finally, in order to motivate and retain valued system administrators, a special pay scale or rewards program (e.g., SA of the Quarter or SA of the Year) should be instituted.

22. File Encryption

Unprotected data stored on user workstations and data servers is vulnerable to a number of insider attacks. To counter this, organizations should be encouraged to widely deploy media or file encryptors that transparently encrypt sensitive data. Particular attention needs to be paid to the mechanisms that generate and store the key encryption keys used for this purpose to ensure that they are resistant to insider attacks. In addition, data recovery mechanisms need to be used to ensure that the encrypted data can be recovered (by appropriate authorities) in the event of a lost or damaged token or other failure condition.

23. Collect and Analyze Audit Data on Use of IS and Perform Audits

Scrutinize the online activities of individuals with root privilege and/or broad "need-to-know" access. This will be costly and labor intensive, but the real threat of audits can do much to deter the insider problem. Auditing can establish normal computer use profiles, and thereby enable the detection of abnormal patterns. The development of additional audit/profiling tools, such as an icon that would alert the user to ongoing monitoring, could assist this effort. Additionally, auditing the use of printers and other removable media would disclose the removal of large quantities of data.
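As an added example (not from the report), the audit profiling item 23 describes: per-user "normal use" baselines of printer and removable-media output computed from an audit trail, with days that depart sharply from a user's own history flagged and privileged users listed first for scrutiny. The log format, field names, threshold and every record are constructed for illustration.

```python
"""Added example (not from NSTISSAM INFOSEC/1-99): per-user baselines of printer
and removable-media output built from audit records, with days far above a
user's own history flagged. Log format and records are constructed."""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed audit trail: date, user, privilege flag, device class, units
# moved (pages for printers, megabytes for removable media).
AUDIT_LOG = """\
2025-01-06 alice root print 12
2025-01-07 alice root print 9
2025-01-08 alice root print 14
2025-01-09 alice root print 11
2025-01-10 alice root print 480
2025-01-06 bob user usb 20
2025-01-07 bob user usb 25
2025-01-08 bob user usb 18
2025-01-09 bob user usb 22
2025-01-10 bob user usb 28
2025-01-06 carol user usb 50
"""


def parse(log):
    """Parse the constructed log into (date, user, privileged, device, units)."""
    rows = []
    for line in log.splitlines():
        if not line.strip():
            continue
        date, user, priv, dev, units = line.split()
        rows.append((date, user, priv == "root", dev, int(units)))
    return rows


def daily_totals(rows):
    """Aggregate units per (user, device class) per day."""
    totals = defaultdict(lambda: defaultdict(int))
    for date, user, _priv, dev, units in rows:
        totals[(user, dev)][date] += units
    return totals


def anomalies(rows, k=3.0, min_days=3):
    """Flag a day when its volume exceeds the user's baseline, taken as mean +
    k * stdev of that user's other days on the same device class. Users with
    fewer than min_days of history have no baseline and are reported
    separately so they are reviewed rather than silently ignored."""
    privileged = {u for _d, u, p, _dev, _n in rows if p}
    flagged, no_baseline = [], []
    for (user, dev), per_day in daily_totals(rows).items():
        if len(per_day) < min_days:
            no_baseline.append((user, dev))
            continue
        for date, units in sorted(per_day.items()):
            others = [v for d, v in per_day.items() if d != date]
            base = mean(others) + k * pstdev(others)
            if units > base:
                flagged.append({"user": user, "device": dev, "date": date,
                                "units": units, "baseline": round(base, 1),
                                "privileged": user in privileged})
    # Root-privileged users sort first: the report says to scrutinize them most.
    flagged.sort(key=lambda f: (not f["privileged"], f["user"], f["date"]))
    return flagged, no_baseline


if __name__ == "__main__":
    hits, unknown = anomalies(parse(AUDIT_LOG))
    for h in hits:
        print(f"{h['user']:6} {h['device']:5} {h['date']} units={h['units']}"
              f" baseline={h['baseline']} privileged={h['privileged']}")
    for user, dev in unknown:
        print(f"{user:6} {dev:5} no baseline yet; review manually")
```

Alice's 480-page day stands out against her own dozen-page history even though Bob's removable-media use, larger in absolute terms, stays within his; the per-user baseline is what makes the "large quantities of data" signal usable.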
24. Deploy Intrusion Detection Tools for Use Within IS

Intrusion detection should also focus on the malicious and mischievous activity of the insider. It should be positioned at multiple levels within a system (e.g., local workstation, host levels). Traditionally, our intrusion detection systems have focused outward, protecting against an attack from the outside while ignoring the security aspects of monitoring for active attacks on the inside. Special attention should be given to detecting anomalous insider activity, activity associated with not only entry into and within a system, but also egress from the system.

25. Establish a Repository for the Sharing of Insider Attack Information

This should, as a minimum, include relating hacker activities, viruses, incidents, incident responses, reports concerning incidents, and lessons learned. Vulnerability and incident databases are being developed by the computer emergency response team community for hacker-related activity, but this is not focused on the insider problem. A similar capability to amass and share incident information related to the insider would raise the awareness level of the community to the threat posed by the insider and also educate the community as to the symptoms that would alert one to an insider attack.

26. Develop a Psychological Profile of an Insider to Assist in the Early Identification of Future Insider/Computer Abusers

This profile should provide managers, security specialists, and medical personnel a profile of the insider/computer abuser, thus enabling them to identify potential abusers before they cause serious damage. Employees should be instructed in reporting employee changes, both on the job and off the job, to their management chain. The profile should be developed based on known insider/abusers and should be automated, to the degree possible, to assist in the detection of profiled activities. Studies are underway to develop such a profile, and they should be continued. Once developed, this profile will assist in the development of questions for security investigations and will also provide additional material for security education, awareness, and training.
27. Stop the Practice of Publishing Sensitive Data on Unclassified Databases, Web Sites, etc.

Data that is being released into unclassified databases or web sites must be reviewed for sensitivity prior to release. Existing programs specify the method for releasing data to the public. Placing information in unclassified databases and on web pages is literally the same as publicly releasing the data. This data must be reviewed in the aggregate; that is, a determination must be made as to whether this "unclassified" data when combined with the other "unclassified" data being released or already publicly available will reveal critical information or provide a road map to attacking the system. Internal unclassified databases must be provided strong access controls to restrict "pull technology" by those without a justified need-to-know. In addition, the intranet and other internal Agency and Community networks offer opportunities for knowledgeable personnel to glean and aggregate information of value within closed communities. What is now required of corporate information officers within their spheres of responsibility is the requirement to review the balance between making information fully and readily available (unless precluded by defined restrictions) and security. Some semblance of editorial control over content and determination of "need-to-know" should be taken into consideration.

28. Increase Security Associated with Physical Access

Physical security and physical access controls must be enhanced. State-of-the-art technology, such as biometrics, must be implemented - we must move beyond the days of "flashing a badge" or personal recognition. Personnel with a clearance, but not the need-to-know, must be escorted and their activities controlled within sensitive areas. Security must be evenly applied to all ranks and grades with no one being exempted by virtue of higher rank or position. Enhanced sensory devices should be developed to detect physical intrusion. Sensitive areas must be swept - even in the continental U.S. Sweeping should not be conducted on a predictable schedule. It should be done randomly.
29. Conduct Independent Vulnerability Assessments

Independent vulnerability assessments -- from the broad system level assessments to penetration testing to red teaming -- are a good way to periodically check the security health of IS. These assessments need to encompass all aspects of insider threats and vulnerabilities. Checking the organization's progress in im
