Published on

Published in: Technology, Business
  • Be the first to comment

  • Be the first to like this

No Downloads
Total views
On SlideShare
From Embeds
Number of Embeds
Embeds 0
No embeds

No notes for slide


  1. 1. New Technology New Threats “ Approved for Army release as a Training and Security Awareness product by CIO/G-6 quot; 1
  2. 2. New technology poses new threats to security! USB Pen USB Memory USB E-Pen Scanning Devices Drive Watch Audio Miniaturization Recorders Thumb Drive Video with USB Casio Watch Digital Media Devices connectivity Camera 2
  3. 3. Readily Available! Dimensions (inches) 1/8quot; x 1-7/16quot; x 1-11/16quot; Inexpensive Huge Storage Capacity 3
  4. 4. Small size - - - - Great impact! If each page were laid end to end, it or would extend 8000 thick books, or for 694 miles = 4,000,000 pages or or 1-7/16” Less than 1/8“ thick 1-11/16” 4
  5. 5. Getting yourself in the News! American investigators have paid thousands of dollars to buy back the stolen drives, according to shopkeepers outside the major military base here.. …. By Paul Watson, Los Angeles Times | April 15, 2006 A handful of of memory sticks are displayed by an Associated Press reporter at the bazaar outside the U.S. military base in Bagram. - (Shoaib Amin / AP) Just outside the main gate of the huge U.S. military base in Bagram, Afghanistan, shopkeepers at a bazaar peddle a range of goods, including computer drives with sensitive — even secret information — stolen from the base. About 2K Afghans are employed as office staff and laborers at the Bagram base 5
  6. 6. Thumb drives and media everywhere! …even in Bagram, Afghanistan 6
  7. 7. Magnetic Media Kills! - - New technology poses new threats One flash memory drive, sold for $40, holds the names, photos and phone numbers of people described as Afghan spies working for the military. Other thumb drives have been found to contain: …Social Security numbers listed next to the names of hundreds of Soldiers …names of senior Afghan ministers whom US intelligence agencies believe to be drug smugglers …list of 12 provincial officials the US reportedly wants removed from office One shopkeeper said, “They were all stolen from offices inside the base by the Afghans working there,” he said. “I get them all the time.” “Convenience Kills” 7 - GEN Schoomaker, CSA
  8. 8. Mark it and safeguard it! - - Basic document markings apply to all media 1. Computer disc must reflect the highest level of classification contained on the disc 2. Standard labels should be used for all levels of classification - if none available - - make your own. a. SF706 - Top Secret FOUO b. SF707 - Secret c. SF708 - Confidential d. SF709 - Classified AR 380-5 is e. SF710 - Unclassified clear, it is the users f. SF711 - Data Descriptor responsibility g. SF712 - Classified SCI to properly 3. No standard form (SF) and/or label(s) exist for control, handle, mark, and Compact Discs (CDs) transport information a. The SF labels prescribed for removable storage media may be used for the marking of classified CDs and their cases b. Classification must be conspicuously marked on the CD case Security Education, and the CD itself 4. Personal drives - - must be marked personal!! Training and Awareness - - Do It!! 8
  9. 9. Take Away’s What else do I need to know? Classify and label removable media IAW regulation and SOP USB drives and other removable, portable media devices are mostly self starting and may bypass systems security features when plugged in (Example: bypass scanning for viruses) No approved method of sanitizing, downgrading and declassifying these devices - - Destroy when no longer usable USB and other portable devices improve productivity and increase risk - - Know the risk Take action to reduce risk - mark it, safeguard it Report unauthorized use! Remember, the lives of your fellow Soldiers are in your hands! 9
  10. 10. Questions and Thoughts? 10
  11. 11. New Technology New Threats 11 “ Approved for Army release as a Training and Security Awareness product by CIO/G-6 quot;
  12. 12. Information Assurance Security Awareness Briefing After Slide Show starts, click your mouse or press the Page Down key on your keyboard to continue Note: THIS SLIDE SHOW WAS DONATED TO THE IA COMMUNITY BY: Strategic Planning & Information DISA Information Assurance Branch (SI22)
  13. 13. Overview • What is Information Assurance • General Security Guidance • Protecting Information • Reporting Violations • What can you do? 3
  14. 14. Are you the Problem or the Solution? 4
  15. 15. What is Information Assurance? Information Assurance is: “ Information operations that protect and defend information and information systems by ensuring their availability, integrity, authentication, confidentiality, and non-repudiation…providing for restoration of information systems by incorporating protection, detection, and reaction capabilities.” as defined by the CNSSI 4009, “ National Information Systems Security Glossary,” dated May 2003 5
  16. 16. What is Information Assurance? • Making sure the computer and the information is there when we need it (Availability). • Making sure the information we use, transmit, process, or stored has not been corrupted or adversely manipulated (Integrity). • Making sure we know who is using our computers and accessing our data (Authentication). • Making sure the information is protected from disclosure (Confidentiality). • Making sure the information is ‘tagged’ so when we send it – we know it got there, and the recipient knows who sent it (Nonrepudiation). 6
  17. 17. So, Why Are You Here? • DOD policy requires annual information assurance awareness training • Need to emphasize important security tasks and acceptable user practices 7
  18. 18. Your Mission…Should you decide to accept it… • Recognize your computing responsibilities. • Accept responsibility for protecting government information. • Recognize the challenges and threats that can harm our National Security. 8
  19. 19. Do you know what “OK” means? When you click “OK” : • You acknowledge that the information system you use is for “Official Government Use Only.” • Your computer and all of its information are subject to inspection. • Your actions are subject to continuous audit. 9
  20. 20. General Workstation Security • Protect your identity (User Id) • Use Strong Passwords – Make passwords 8 characters or longer • use capital letters, numbers, and punctuation symbols – Change passwords often • Always Lock your PC while leaving it unattended – Press Control+ALT+Delete and click the “Lock Workstation” Button • Use your Common Access Card (CAC) to digitally sign and encrypt your sensitive emails – Take your CAC with you when you leave your work area You are responsible for the data on your system at all times! 10
  21. 21. Prudent Network Security and Internet Practices • Email and Internet Use – Do not open emails from individuals that you do not recognize • Report suspicious emails to the DISANet Help Desk and your security manager. – Incidental personal use is permitted. • DISANet prohibits the use of Email or the Internet for: • Chain letters • Private commercial activities • Accessing pornographic or gambling sites • Participating in online auction activity • Political Activity • Illegal fraudulent or malicious activities • Any use which reflects adversely on DISA or any other DOD element • Virus Protection – Avoid attaching media from unfamiliar computing environments. – Ensure your workstation runs a daily virus scan. “Trust, but Verify” 11
  22. 22. What is P2P and What is the Risk? • Peer-to-Peer file sharing is technology that allows users to typically share music/video files. • It is risky! It bypasses security or control mechanisms. • Opens DOD networks to attacks and intrusions! 12
  23. 23. What are the Dangers of P2P? • The default settings of P2P applications share all documents and media files on your machine. – This causes the potential for disclosure of sensitive information. • P2P applications create open doors that may be remotely exploited to compromise DOD systems. • P2P software puts excessive strain on the network resources. – This will overwhelm our infrastructure already operating at 90% capacity. • P2P file exchanges generally violate international copyright laws. 13
  24. 24. What should I do? Don’t Use it! • ASD (NII) Memo, Elimination of Unauthorized Peer-to- Peer File Sharing Applications Across DOD, 13 April 2004. • There are many legal and security issues, and there is no mission essential aspect to P2P applications. • DO NOT USE P2P software on government assets • Forbidden software includes (but is not limited to): Napster ARES IRC Chat Relay Kazaa Limewire BitTorrent Morpheus Gnutella 14
  25. 25. Got Wireless? • DOD Directive 8100.2, quot;Use of Commercial Wireless Devices, Services, and Technologies in the Department of Defense (DOD) Global Information Grid (GIG),quot; – This directive outlines the DOD wireless policy to ensure a secure use of wireless technology throughout the agency. 15
  26. 26. Does this Apply to Me? • This Policy Applies to all – DOD Personnel, Contractors, and visitors that have access to DOD Information. – All (government owned/used) commercial wireless devices, services and technologies including but not limited to: • Messaging Devices • Laptops with WiFi • Any other wireless device • Cellular or PCS Devices capable of storing, processing, • Audio/Video Recorders or transmitting information • Personal Data Assistants Exempted are: –The Detection Segment of a PED – Receive only pagers •The signal between a barcode – GPS Receivers reader and receiver – Hearing Aids, Pace makers, other •A TV remote and television implanted medical devices or – RF Identification Tags (both personal life support systems Active and Passive) 16
  27. 27. What are my Duties? Employee Owned Equipment Government Owned Equipment • Enable Wired Equivalent • Do not process Privacy (WEP) on all government information on laptops, PDAs and personally owned laptops, wireless access points. PDAs, or cell phones. • When computers are • Do not attempt to connect plugged into the personally owned wireless network, disable any devices to government wireless cards. networks. • Enable Encryption on all • Turn off camera phones wireless transmissions and PDAs with camera • Turn off wireless modules in classified devices in classified areas. areas. Never transmit CLASSIFIED data using a wireless device! 17
  28. 28. What is Information? • Information is: Any knowledge that can be communicated regardless of its physical form or characteristic. • Information is classified by the degree of damage which would be caused if the information was revealed. There are 3 levels of classification: – TOP SECRET - unauthorized disclosure could cause exceptionally grave damage to national security. – SECRET - unauthorized disclosure could cause serious damage to national security. – CONFIDENTIAL - unauthorized disclosure could cause damage to national security. • Sensitive Compartmented Information (SCI): • Requires more stringent security protection. 18 • Protects intelligence sources and methods.
  29. 29. What is Information? (Con’t) • “Controlled Unclassified Information” is the DOD term used to define sensitive information such as: – For Official Use Only (FOUO) – Contract Sensitive – Proprietary 19
  30. 30. Protection of Computerized Information • At Rest • In Transit • In Process 20
  31. 31. Information At Rest Information can be stored on: Backup Tapes CDs or Floppy Disks Printers with memory Printed Documents Fax Machines WEB Pages Computer Hard Drives Handheld Devices DOD treats all media as documents. 21
  32. 32. MARK STORAGE MEDIA Mark computer components and media with: is edium This m • SF 710 Unclassified T SECRE • SF 708 - Confidential NT RNM E • SF 707 - Secret GOVE HE US Y OF T 707 OPERT SF PR • SF 706 - Top Secret ed s ifi mi ss ediu AL a cl sm Thi is D TI FIE m T iu EN SI ed N S NM sm DE A T hi EN ER CL NM T V FI R N VE O U G GO S S N EU U ) TH (1-87 E 08 CO H7 OF 710 T F SF TY S F PER O This medium is classified O TY PR ER P RO P TOP SECRET PROPERTY OF THE US GOVERNMENT SF 706 22
  33. 33. The Fundamentals of Marking • Documents must be marked SECRET according to Classification Level or Information Sensitivity. OFFICE OF THE SECRETARY OF DEFENSE WASHNGTON ,DC • Markings must be conspicuous! date – Large/Bold lettering MEMORANDUM FOR DASD (I&S) SUBJECT: Classification Markings (U) – Use no abbreviations 1. (U) This is an example of a document that contains originally classified information. Standard markings are required for all documents as shown here. These markings include: • Classification/sensitivity of a. (U) Portion marking(s) for each section of a document to reflect the classification of the information. When using subsections such as shown here, individual markings are used. When subsections are not marked, the information is protected at the level of protection shown by the documents must “stand out” - overall section. either electronically or stamped b. (U) Overall markings must be CONSPICUOUS AND LARGE/BOLD. c. (U) A quot;Classified byquot; line that includes the name or personal identifier and Position Of the manually. originator. d. (S) A reason for classification MUST BE USED. • Mark top & bottom of each page. e. (U) A quot;Declassify onquot; line that indicates the following: – FOR OFFICIAL USE ONLY (FOUO) is (1) The date or event for declassification not to exceed 10 years. (2) The date that is 10 years from the date of the original decision. marked on the bottom of page only (3) An extension beyond the initial 10 years of classification. (4) An authorized and applicable exemption category( ies). – FOUO guidance please visit 2. (S) If this paragraph contained quot;Secretquot; information, the portion would be marked with the designation quot;Squot; in parentheses. If the paragraph contained quot;Confidentialquot; information, the portion would be marked with the designation quot;Cquot; in parentheses. • Paragraph, portion, and title Classified by : Emmett Paige, Jr . ASD(C31) markings may be abbreviated. Reason: 1.5 (a) and (d) * Declassify on: December 31, xxxx ** – (U) UNCLASSIFIED SECRET – (C) CONFIDENTIAL • Sample of paragraph marking23 – (S) SECRET – (TS) TOP SECRET
  34. 34. Marking Your IT Equipment DISA Form 205 “No Classified” CLASSIFIED Standard THIS MEDIUM IS CLASSIFIED Form 707 SECRET PROPERTY OF THE US GOVERNMENT Keep ALL labels in clearly identifiable locations. 24
  35. 35. Information in Transit Encrypt Email with CAC HELLO THE INTERNET IS ALWAYS WATCHING Decrypt Email with CAC Use your Common Access Card (CAC) to: • Digitally Sign Emails HELLO • Encrypt Emails • Decrypt Emails Sign and Encrypt ALL sensitive DOD information! 25
  36. 36. What’s a Spillage? • It is a form of System Contamination. • It is the Improper storage, transmission or processing of CLASSIFIED information on an UNCLASSIFIED system or via a communications path. – Most common occurrence is transmission via email. 26
  37. 37. Why is Spillage a ‘Hot Topic?’ • Can result in denial of service. • Handled incorrectly – can result in costly mistakes. • Agency numbers: – FY 2002: 27 – FY 2003: 21 – FY 2004: 25 (as of 2 Sep 04) • Resource intensive. – It takes 3 weeks to close a spillage. • Impacts the security of DOD missions. 27
  38. 38. Cost of Recovery: 1 Incident Time Spent Researching Compromise 16 hours $ 418.40 20 Mailboxes Involved; 15 minutes to Clear Each 5 hours $ 130.75 Scrub Operations (first server only) 7 hours $ 366.10 Additional Servers Scrubbed 6 hours $ 156.90* Daily Backups Lost 3 $1800.00** Additional Hours 19 hours $ 496.85*** TOTAL $3369.00 * Add .5 hours for each additional server ** Tapes cost $65-$85 each (estimate 8 tapes per day) ***Trouble Shooting/Additional Measures 28 Activities responsible for incidents will PAY for the cleanup!
  39. 39. Why is This Happening? • Users are not reading Email completely. • Electronic media is not being marked properly. • File names or subject headers do not reveal content sensitivity of information. • Rules for “data aggregation”/derivatively classifying are not well understood. • Individuals are unaware of classification guides/guidance. • Improper storage, transmission, processing of classified information. • All DISA personnel are PERSONALLY responsible for protecting sensitive and classified information. Bottom Line: THESE INCIDENTS MUST STOP! 29
  40. 40. Processing Classified Information • Workstation allowed to process classified information if: – In approved open storage area. – Contains removable hard disk in unsecured area. – Not connected to unclassified Local Area Network/Wide Area Network. • e.g., DISANet • Ensure access is controlled. – use approved passwords and change periodically. • Never transfer information from a classified to an unclassified system without authorization from the Chief Information Officer. • Never use personally owned computers to process classified information. 30
  41. 41. Connecting to a CLASSIFIED Network • Workstation must have a removable hard drive – This requirement can be waived if there is a proof of “Open Storage” • Monitors must face away from any opening – If this can not be accomplished, an approved privacy screen must be used • All doors and windows near CLASSIFIED assets must be covered • CLASSIFIED CPU’s should be at least 3 feet from UNCLASSIFIED CPU’s Keep CLASSIFIED information from other’s view! 31
  42. 42. NEVER Take CLASSIFIED Material Home • If you do, you could: – Be subjected to an espionage investigation. – Lose your access or security clearance. – Lose your job. – Be prosecuted pursuant to statute(s). CLASSI FIED 32
  43. 43. Safeguarding - When Not in Secure Storage • Keep CLASSIFIED material in your possession at all times until it is either passed to a trusted person or stored in an approved storage container. • You must be an approved courier when transporting CLASSIFIED material outside of your building. – Ensure material is double-wrapped before leaving building. • All documents must be properly marked and protected by cover sheets. • NEVER leave classified information unattended. • NEVER discuss classified information on non-secure telephones. • NEVER discuss, read, or work with classified information in public places.33
  44. 44. Security Containers • Store and protect classified information in GSA- approved safes. • Memorize combinations: they are classified and cannot be written down or carried on your person. • SF 700, “Security Container Information” records emergency contact information of all individuals having access to safe. 34
  45. 45. Destruction • Dispose all classified paper, diskettes, and other classified waste in “burn bags.” • Cross-cut shredding also authorized method of destruction – must be on NSA list of approved shredders. • TS requires destruction certificates. • Send Hard Drives to NSA: Attn: CMC – degaussing Suite 36875 9800 Savage Rd. Ft George Meade, MD 20755 35
  46. 46. Reporting Computer Security Incidents Security Incident • An attempt to exploit a national security system; may involve fraud, waste, or abuse; compromise of information; loss or damage of property or information; or denial of service. – Security incidents include: • penetration of computer systems • exploitation of vulnerabilities • introduction of computer viruses or other forms of malicious code. If an incident occurs: • Gather all pertinent information. – time, details, person(s) involved, actions taken, etc. • Report it to the computer help desk. • Site administrators should notify NetDefense [DOD-CERT]. • If a violation of law is evident or suspected, the incident must also be reported to both security and law enforcement organizations for appropriate action. Report ALL Suspicious Activity!! 36
  47. 47. Reporting Suspicious Activities • Report suspicious persons or circumstances immediately to your supervisor, Facility Security Manager or the Security Division (MPS6). • Be alert for: – surveillance attempts. – suspicious persons or activities. – individuals using unauthorized recording devices. 37
  48. 48. Let’s Review 38
  49. 49. To Improve our Security Program • Be a strong link in the security chain! • Keep passwords safe! Adhere to password standards. • Separate government work from personal activities. • Working from home? Scan your removable media for viruses when you come back to the office (if you are using your home computer). Keep your government work on government-provided media – don’t leave it on your home hard drive. • Watch what you upload and download from the INTERNET or where you ‘travel’ on the WEB...your computer activity is subject to monitoring. • Adhere to DISA email standards. 39
  50. 50. To Improve our Security Program (cont.) • Separate classified from unclassified information. Use classification guidance when regrading classified information. Label your diskettes! • Keep track of your removable media. Store them when not in use. • Watch your file transmissions! Make sure the files you transfer or the email you send is appropriate for the sensitivity of that network! • Turn on your screensavers and activate password protection. Keep your files and access to the network safe! • Report anomalies. Requests for information from unknown sources (foreign countries), destroyed, infected or corrupted files, missing computer hardware, etc. Report this to your Information Assurance Manager and to the Help Desk. • Traveling with a government computer? Keep track of it! 40
  51. 51. Conclusion • Strictly follow DOD and DISA security guidance. If you don’t know - ask! • Contact your Security Manager, Information Assurance Manager (IAM), or the Security Division (MP6) for assistance. • Pay Attention to Detail. • Be Alert. • Be Aware! Security is your responsibility! 41
  52. 52. We’re Almost Done! 42
  53. 53. Do you want credit? I certify that I have read and understand the material presented in this slideshow. I acknowledge that I am responsible for knowing and following the information presented in this guide. Upon completion of viewing this slideshow click on quot;SUBMITquot; and complete the form, this will certify that you have read and understood the material contained in this slideshow. If a POP-UP box appears informing you that quot;This form is being submitted using e-mail. Submitting this form will reveal our e-mail address to the recipient, and will send the form data without encrypting if for privacy. You may continue or cancel this submission.quot; Click OK. Another box will appear quot;A program is trying to automatically send e-mail on your behalf. Do you want ot allow this?, If this is unexpected, it may be a virus and you should choose quot;NOquot;. quot; Click quot;YESquot;, if you click quot;NOquot; you will not get credit for completing this required briefing. 43 Press the Esc key on your keyboard to exit Slideshow. SUBMIT
  54. 54. End, IA