Information Assurance: Basic Awareness Training. 28 November 2005

Transcription

1 Information Assurance: Basic Awareness Training By 28 November 2005

2 1 Course Introduction Purpose: The purpose of this course is to provide all DOD personnel and Federal employees with a basic awareness of the need for information assurance (IA).? Average time: On average, this course will require approximately minutes to complete.? Learning Objectives: o Identify the purpose of the IA program o Identify 3 of the most prevalent IA threats? Copyright: This course was developed by Amer Technology Inc, copyright 2005, all rights reserved. Page 2 of 40

3 2 About The IA Program 2.1 Purpose of IA The purpose of the IA program is to protect and defend information and information systems by ensuring:? Confidentiality: people who don't have the appropriate clearance, access level and "need to know" do not access the information.? Integrity: information cannot be modified or destroyed.? Availability: information is readily available when needed Page 3 of 40

4 2.2 Requirements? All users of Federal/DOD computer systems are required to be trained in information systems security.? Requirements are specified in many directives, policies, and regulations, including: o Public Law , also known as the Computer Security Act of 1987 o Presidential Decision Directive 63, or PDD 63 o OMB Circular A-130 o DOD Directive Page 4 of 40

5 3 Threats and Vulnerabilities 3.1 Definitions? Vulnerability: a weakness in an information system, cryptographic system, or components that could be exploited.? Threat: a circumstance or event with the potential to cause harm to an information system in the form of destruction, disclosure, adverse modification of data, and/or denial of service. Threats can be further classified into: o Natural or human o Unintentional or intentional o Internal or external Page 5 of 40

6 3.2 Natural Threats A natural or environmental threat is just what it sounds like; its source is either from nature or a system's environment. Natural threats can include lightning, fires, hurricanes, tornadoes, or floods. Environmental threats can include poor building wiring or insufficient cooling for the systems. Page 6 of 40

7 3.3 Human Threats Human threats are threats caused through unintentional or intentional actions. Page 7 of 40

8 3.3.1 Unintentional Threats A human accident, bad habit, carelessness, or misinformation (e.g. accidentally spilling coffee or soda on your keyboard or computer). The unintentional threat occurs more than any other type. Page 8 of 40

9 3.3.2 Intentional Threats An intentional threat can be caused by an insider or outsider, for example: a spy, hacker, corporate raider, or a disgruntled employee.? The insider intentional threat is one of the most challenging security problems today.? Since insiders have working knowledge of and access to their organization's computer resources, the potential for damage is great.? The threat to the Department of Defense information systems is both internal and external.? Intentional threats can be further categorized as internal or external. Page 9 of 40

10 Internal Threats The internal threat is often associated with the disgruntled or greedy employee? An employee, contractor, or someone who has legitimate access to a computer system.? Most insiders misuse or exploit weaknesses in the system.? Others, due to lack of training and awareness, can cause grave damage. Page 10 of 40

11 External Threats The external threat is often associated with hackers or crackers.? We should dismiss the notion that today's hacker is a geeky 14 year old trying to crack one computer at a time as an indoor sport.? Today's hacker is far more advanced in computer skills.? Using hacking tools available on the Internet, this hacker is capable of running automated attack applications against thousands of host computers at a time to identify security weaknesses. Page 11 of 40

12 Social Engineering Social engineering is also considered an intentional threat. It is a term used among hackers for cracking techniques that rely on weakness in human nature rather than software. The goal is to trick people into revealing passwords and other information that compromise the security of your system. Example: Acting as a field service technician or fellow employee with an urgent access problem, the caller attempts to have employees reveal passwords or other sensitive information like operating systems, logon IDs, server names, or application names. Page 12 of 40

13 You can play a vital role in preventing social engineering. Take a moment to review these tips, and remember, ask your Information Systems Security Officer if you need additional guidance.? Social Engineering Prevention Tips? Never, give your password to anyone for any reason.? Verify the identity of all callers.? Don t give out information about other employees, including names and positions.? Never type things into the computer when someone tells you to unless you know exactly what the results of the commands are.? Don t give out the dial-in phone numbers to any computer system unless they are valid users.? Never answer questions from telephone surveys. Tell the caller that employees do not participate in telephone surveys from vendors.? Ask your Information Systems Security Officer (ISSO) for more guidance. Page 13 of 40

14 What should you do if you receive a call that you believe is from an unauthorized person?? If Caller ID is available, write the number down.? Take detailed notes of the conversation.? Immediately contact your ISSO or supervisor once the caller has hung up or after you have placed them on hold. Page 14 of 40

15 4 Internet Security 4.1 Cookies? A cookie is a text file that a web server stores on your hard drive when you visit a site, and retrieves whenever you revisit that site.? When you return to that site, the cookie 'recognizes' you, saving you the trouble of re-registering.? The most serious security problem with cookies has occurred when the cookie has "saved" unencrypted personal information, such as credit card numbers or social security numbers, in order to facilitate future business with that site.? Another problem with cookies is that the site potentially can track your activities on the web. You can set up your browser not to accept cookies. Page 15 of 40

16 4.2 Mobile Code? Mobile code, such as ActiveX and Java, are scripting languages used for Internet applications. o Mobile code embedded in a web page can recognize and respond to user events such as mouse clicks, form input, and page navigation as well as play audio clips. However, mobile code does introduce some security risk. o It can cause hostile programs to be automatically run on your computer without your knowledge, simply because you visited a Web page. o The downloaded program could try to access or damage the data on your machine, or insert a virus.? To protect information systems from the threat of malicious or improper use of mobile code, organizations must assess and control the risks imposed by the technology. o The DOD has developed policy guidance for use of mobile code in DOD information systems. o The guidance categorizes mobile code technologies and restricts their application within DOD based on their potential to cause damage if used maliciously. Page 16 of 40

17 ? Mobile Code Categories: o Category 1 mobile code technologies: Can pose a severe threat to operations Have known security vulnerabilities with few or no countermeasures May be used in DoD information systems only when the mobile code is signed with a DoDapproved PKI code signing certificate and the mobile code is obtained from a trusted source Examples are: ActiveX, Windows Scripting Host, UNIX Shell Scripts, DOS Batch Scripts o Category 2 mobile code technologies: Can pose a moderate threat to information systems May have known security vulnerabilities but also have known countermeasures May be used in DoD information systems if the mobile code is obtained from a trusted source over an assured channel Examples are: Java applets, Visual Basic, LotusScript, PerfectScript, PostScript Page 17 of 40

18 o Category 3 mobile code technologies: Pose a limited risk to information systems Have history of known vulnerabilities but also support security safeguards May be used in DoD information systems Examples are: Javascript, VBScript, PDF, Shockwave/Flash Page 18 of 40

19 ? As a user, you can limit your exposure to mobile code by setting your web browser to warn you prior to accepting cookies, Java and Javascript. o ActiveX security relies entirely on your judgement. ActiveX programs come with digital signatures from the author of the program. o Once your browser has verified the signature, it tells you who signed the program and asks whether or not to run it. o Depending on the trust-worthiness of the source you can either accept the program and let it run on your machine or reject it completely. o Additional actions you can take to lower your risk: For Active X controls, think carefully before accepting a digitally signed program. How trustworthy is the signer? Use up-to-date browser versions and install the security patches offered by the browser vendor Never surf the Internet on a computer that contains sensitive information like personnel, financial or medical records. Page 19 of 40

20 4.3 Distributed Denial of Service Attacks? Another threat in Internet security is the Distributed Denial of Service, or DDoS, attack.? These attacks involve bombarding a web server with huge amounts of data from many different machines and locations in an effort to bring the server down and deny its availability.? The attacks can be launched from systems across the Internet unified in their efforts, or by compromised systems that are controlled by servers which can hide the true origin of the attack. Page 20 of 40

21 4.4 Malicious Code? What is Malicious Code? o Malicious Code is software or firmware capable of performing an unauthorized function on an information system. o It is designed with a malicious intent to deny, destroy, modify or impede systems configuration, programs, data files, or routines. o Malicious Code comes in several forms to include viruses, Trojan horses, Bombs, and Worms. Page 21 of 40

22 ? The Macro Virus o The most common type of viruse today is the macro virus. o A macro virus affects programs used to create documents and spreadsheets, such as Microsoft Word and Excel. o Once infected, every document opened or created with these programs is corrupted, meaning that data could be lost or altered. o Since they infect such commonly used applications, macro viruses can spread quickly. o It is important to remember that viruses work only if you execute them! Page 22 of 40

23 ? How Does it Spread? o Sharing files through the use of diskettes and attachments or downloading files from the Internet are the most common forms of spreading Malicious Code. o It is your responsibility to scan all outside files using current anti-virus software. o Your system may contain a virus even if it appears to be virus free. o Viruses can remain hidden and may show up months later to infect your system. o For this reason, it is essential that you scan your system daily using current anti-virus software. Page 23 of 40

24 4.5 Attachments? It is important that you use caution when opening attachments.? Attachments may contain malicious code that could corrupt files, erase your hard drive, or even allow a hacker to gain access to your computer.? Be especially wary of attachments that end in.exe,.com,.vbs,.bat, or.shs.? Don't assume that an attachment is safe because a friend or coworker sent it.? A good rule of thumb is to save the attachment to your hard drive and scan it with current anti-virus software before opening it. Page 24 of 40

25 4.6 Actions/Responses: If you discover that a virus has infected your system, follow these basic steps.? Remain calm.? Call your help desk for assistance.? Don't the infected file to anyone. Page 25 of 40

26 4.7 Hoaxes? Internet hoaxes are messages written with one purpose; to be sent to everyone you know.? There are many different types of hoaxes. Some of them warn of new viruses, promote moneymaking schemes, or ask for the user to forward the message to all their friends in the name of a fictitious cause. These hoaxes only serve to slow down Internet and service for computer users by clogging networks.? If you receive an message that asks you to forward it to all your friends and coworkers, take the time to check the facts.? For hoax information, visit the U.S. Department of Energy's Computer Incident Advisory Committee site at Page 26 of 40

27 5 Roles and Responsibilities 5.1 Ethics and Computer Misuse? Here are 8 common sense rules to compute by when using a government machine: o Don't use a computer to harm other people. o Don't interfere with other people's computer work. o Don't snoop in other people's files. o Don't use a computer to steal. o Don't use or copy software that you have not purchased. o Don't steal other people's intellectual property. o Don't use a computer to pose as another person. o Don't use other people's computer resources without approval.? Keep in mind that your rights to privacy are limited when using government computer resources. o When you log on to a government system, you give your consent to monitoring. o Everything you do can be monitored. Page 27 of 40

28 ? Some examples of computer misuse are: o viewing or downloading pornography o gambling on the Internet o conducting private commercial business activities or profit-making ventures o loading personal software o making configuration changes. Page 28 of 40

29 5.2 Passwords? The system authenticates the user through his password and determines his right to use the system.? Here are some key points to keep in mind when creating passwords: o Memorize your password. o Don't write down or share passwords. o Choose a password that is easy to remember, hard to guess, and at least six characters in length, mixing letters, numbers, and special characters. o Don't use personal information like the names or birthdays of family members, pets, or the name of your favorite sports team. o Avoid using words or phrases that can be found in a dictionary. o Change your password on a regular basis.? Remember, it is your responsibility to ensure that all activity done under your user ID constitutes appropriate use of DOD information systems resources. Page 29 of 40

30 5.3 Files, Backups, and Storage? It is essential that you back up all important computer files on a regular basis.? These backups will minimize the loss of data if your hard drive crashes or is infected by a virus. o Keep a set of your backup files off-site. o Label the backups to reflect the sensitivity level of the information they contain. o Prevent erasures by keeping diskettes away from magnetic sources such as radios and telephones. o Store in areas such as metal cabinets for greater protection from fire and water damage. Page 30 of 40

31 6 Technology Specific Vulnerabilities 6.1 Introduction? You must also protect information stored or transmitted on devices other than your computer.? These include fax machines, cell phones, laptops, and palm pilots.? You need to be as vigilant about security on these devices as you are with your computer at work. Page 31 of 40

32 6.2 FAX? Be careful with information transmitted over a fax machine.? Make sure that the recipient will be there to pick up the fax immediately if you are sending sensitive information. Page 32 of 40

33 6.3 Cell Phone? Remember that cell phones are nothing more than glorified transmitters.? Anyone with the right equipment could potentially listen to your conversation.? Use a landline for more privacy, and never discuss sensitive information on an unsecure phone. Page 33 of 40

34 6.4 Laptop? The convenience of laptops also makes them vulnerable to theft or security breaches.? Password protect the logon to your laptop.? Be careful what you display on your screen, especially in close quarters such as airplanes.? Be aware of your laptop when traveling to prevent theft. Page 34 of 40

35 6.5 PDA (Personal Digital Assistant)? PDAs, such as PalmPilots or Pocket PCs, pose a security threat for a number of reasons.? Their small size and low cost make them easy to obtain and difficult to control.? They have tremendous connectivity and storage capabilities, and are extremely popular.? It can be very easy for a person to setup a PDA to download information from your computer. Page 35 of 40

36 7 Data Classification 7.1 Introduction? Proper protection of our information is critical to information systems security.? The Department of Defense has three broad categories of information.? DOD categorizes information as Unclassified, For Official Use Only (FOUO) or Sensitive, and Classified. Page 36 of 40

37 7.2 Unclassified? All DOD information, individually or in aggregation, could, given the right set of conditions and circumstances, provide an adversary an insight into our capabilities and intentions and/or impact upon the safety of DOD personnel and, thus, warrants some level of protection.? As a minimum, all DOD unclassified information must be reviewed before it is released in any form outside the U.S. Government.? This type of information still requires security protection. Page 37 of 40

38 7.3 FOUO/Sensitive? FOUO and Sensitive unclassified information can include, but is not limited to, personnel, medical, operational and Privacy Act information.? Don't leave files or media containing sensitive unclassified information where an unauthorized person can see or obtain it.? When not being used, sensitive unclassified information must be stored in a locked drawer or more secure container.? Dispose of it properly. It is a good habit to shred it or put it into a burn bag. Page 38 of 40

39 7.4 Classified? Classified information includes Confidential, Secret, and Top Secret.? Information may be originally classified only by the Secretary of Defense, the Secretaries of the Military Departments, and other officials who have been specifically delegated this authority in writing.? The original classification authority determines which level of classification is to be applied.? If there is significant doubt about the appropriate level of classification, the information shall be classified at the lowest level.? Classified information must be used in an area approved and cleared for that classification level.? When not in use, the classified information must be stored in a GSA-approved vault or container.? Data Classification Summary Page 39 of 40

40 8 Course Summary? Information is a critical asset to the Department of Defense.? It is your responsibility to protect DOD's sensitive and classified information that has been entrusted to you.? Remember, absolutely NO classified information is allowed on an unclassified system.? Please contact your information systems security officer for more information about classification or handling of information. Page 40 of 40