DIRECTORATE OF INFORMATION MANAGEMENT
STANDING OPERATING PROCEDURE

SECURITY
TECHNICAL CONTAMINATION, TECHNICAL VULNERABILITY AND INTRUSION NOTIFICATIONS

SOP NO. 380-07
16 Dec 92

1. PURPOSE: This procedure establishes policies and instructions to address notification procedures applicable to information system resources which may be subject to technical contaminations, to technical vulnerabilities and to intrusions/attempted intrusions.

2. SCOPE: This procedure is applicable to contractor, civilian and military personnel assigned/attached to or in support of the Directorate of Information Management (DOIM).

3. OBJECTIVE: This procedure implements the requirements of AR 380-19 and other applicable directives. Information systems security has three objectives: (1) data confidentiality; (2) data integrity; and (3) system availability. Contaminations, technical vulnerabilities, and deliberate intrusions into DOIM systems threaten these objectives.

4. DEFINITIONS:

   a. "Contamination" is any software introduced into an information system that intentionally or unintentionally causes a disruption to normal operations through the destruction or modification of data, or through the denial of service. Examples of such software may include bacteria, logic bomb, trapdoor, trojan horse, virus, and worm programs.

   b. "Flaw" is an error of commission, omission, or oversight in a system that allows protection mechanisms to be bypassed.

   c. "Information systems security" refers to all those disciplines applied to protect telecommunications systems and automated information systems, and the information those systems process and store.

   d. "Information System Security Officer" is the individual responsible for monitoring compliance with the set of safeguards identified in an accreditation document approved by the designated approval authority.

   e. "Intrusion" is any unauthorized access into an individual host, a network, or a stand-alone personal computer. Access includes both electronic and physical entry.

   f. "Technical vulnerability" is any hardware, firmware, communication, or software flaw that leaves a computer processing system open for potential exploitation, either externally or internally, thereby resulting in risk for the owner, user, or manager of the system (reference NCSC-TG-004, 21 Oct 88, subject: Glossary of Computer Security Terms).

5. RESPONSIBILITIES:

   a. The DOIM will ensure sufficient personnel resources are available to provide the technical expertise required to address the threats of contaminations, of technical vulnerabilities, and of intrusions.

   b. The DPI Information System Security Officer (ISSO) will:

      (1) Maintain this SOP and manage the technical implementation of its instructions.

      (2) Maintain a technical threat database on contaminations, on technical vulnerabilities, and on intrusion attack methodologies.

      (3) Stockpile available public domain and commercial software programs for the detection and eradication of computer viruses for both the MS-DOS and MACINTOSH environments.

      (4) Provide security education training to alert individuals to the threats of contaminations, technical vulnerabilities, and intrusions; to ensure users are aware of defensive strategies which they may take to control and to minimize such threats; and to advise users of reporting requirements under Federal statute and Army directives.

   c. Individuals are responsible for reporting contaminations, technical vulnerabilities, and intrusions/attempted intrusions immediately upon their detection to the DPI ISSO.

6. PROCEDURES:

   a. The DOIM will maintain the technical expertise to control and to minimize such threats, and will provide educational and technical support to White Sands users under its Information Mission Area (IMA) responsibilities.

   b. All information on technical vulnerabilities will be classified at least CONFIDENTIAL.
   Therefore, individuals who report such information must use secure transmission facilities and must ensure that recipients of such information have the necessary security clearance and need-to-know. If DOIM employees do not have access to a Secure Telephone Unit (STU-III), they will notify the DPI ISSO in person of the technical vulnerability information.

   c. Upon the detection of a contamination, of a technical vulnerability, or of an intrusion/attempted intrusion, individuals will contact the DPI ISSO for the initial investigation and for the formal reporting of the incident. Individuals will not delay reporting an incident because their management chain-of-command is unavailable.

   d. The identification of a contamination, technical vulnerability, or an intrusion/attempted intrusion is a difficult task. The following procedures will be used at a minimum to assist in the task of identification.

      (1) Technical Contamination

         (a) For personal computers, the DPI ISSO will run at least two viral scanning software programs on the possibly contaminated system. In the event the programs detect a computer virus or trojan horse, the DPI ISSO will provide the necessary disinfectant programs and provide technical assistance to eliminate the contamination. In the event the programs do not detect a known computer virus or trojan horse, the DPI ISSO will determine if the system displays any symptoms normally associated with a computer virus or other type of malicious software. A list of symptoms is at enclosure 1.

         (b) For other systems, the DPI ISSO will attempt to identify whether any symptoms are present based upon a baseline of normal system operation. Where appropriate, the DPI ISSO will look for specific contaminations already identified for mainframes, such as the WANK WORM for Digital Equipment Corporation (DEC) VAX VMS systems. If a known contamination can be identified, the DPI ISSO will provide the approved "fix", when available.

         (c) If the DPI ISSO, in conjunction with the best efforts of DOIM personnel and other local experts, is unable to identify the contamination regardless of the type of system, the DPI ISSO will contact the appropriate emergency response team under the Forum of Incident Response and Security Teams (FIRST).

      (2) Technical Vulnerability

         (a) The DPI ISSO will maintain an inventory of known technical vulnerabilities and provide such information to individuals on a need-to-know basis.

         (b) Examples of "technical vulnerabilities" include the use of software commands which unexpectedly disable protection features or which provide greater access privileges than required; the failure of hardware to separate individual processes or to protect security relevant protective mechanisms from unauthorized access or modification; or a communications channel which allows two cooperating processes to transfer information in a manner that violates the overall system's security policy.

         (c) The DPI ISSO will contact the appropriate emergency response team for assistance in the event in-house personnel resources are insufficient to fully describe, fix, or reduce the impact of the vulnerability.

      (3) Intrusion/Attempted Intrusion

         (a) Audit trail records are an essential element of detecting intrusion/attempted intrusion attacks. System administrators and individual data processing activity ISSOs will review available records on a daily basis, and will report all "suspicious" activity to the DPI ISSO.

         (b) "Suspicious" activity includes incorrect logons; dual logons; successful and unsuccessful connections from hosts which do not normally establish connections to DOIM systems; error messages which indicate that non-privileged users have attempted to execute or obtain privileges; error messages indicating that privileged users have experienced problems; and appropriate symptoms identified at enclosure 1.
         These do not constitute a complete list of all activity which may suggest that an intrusion/attempted intrusion has occurred, but the examples do provide a starting point for evaluation.

         (c) For those systems which lack audit trail capabilities, announced and unannounced reviews are the minimum criteria which system administrators and ISSOs will use to detect and to discourage intrusions. Those reviews will utilize the symptoms at enclosure 1 as a baseline, and will include whatever additional standards individual administrators and ISSOs determine are appropriate.

         (d) The DPI ISSO will distribute specific threat data and signature information on known attackers and their methodology to respective system administrators on a need-to-know basis.

   e. The DPI ISSO will investigate the validity of all contamination, technical vulnerability, and intrusion/attempted intrusion reports.

   f. The DPI ISSO will notify the individuals/organizations identified at enclosure 2 immediately upon the confirmation of any report. The method of notification will be appropriate to the sensitivity of the information to be transmitted. For example, any information on technical vulnerabilities is at a minimum CONFIDENTIAL national defense information.

   g. The DPI ISSO will coordinate technical recovery actions and will submit interim (if necessary) and final reports on all incidents. Reports will contain at a minimum the information specified at enclosure 3.

   h. The DOIM will distribute anti-viral scanning programs to all elements at White Sands for which site licensing exists. As of the date of this SOP, two programs are available for the MS-DOS environment and one program is available for the MACINTOSH environment. Distribution will be by the DOIM's Information Center and by the DPI ISSO. Individuals may contact either source for the software and any updates.

7. REFERENCES:

   a. AR 380-19, Information Systems Security, 1 Aug 90

   b. AMC Supplement 1 to AR 380-19, Information Systems Security, 4 Jan 91

8. PROPONENT: Computer Operations Division, Mission Systems Branch, Scientific and Engineering Operations Section (IM-CM-S).

3 Encls
1. Symptoms of Contamination
2. Notification List
3. Notification Formats
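The daily audit-trail review in paragraph 6.d.(3) names the activity an administrator must flag (incorrect logons, dual logons, connections from hosts outside the normal baseline, privilege attempts by non-privileged users, and errors experienced by privileged users) but not how to apply those criteria to a record set. The script below is an added example, not part of the SOP, that applies them to a constructed log; the key=value record format, the host baseline, the account names and the PRIV event type are all assumptions.

```python
# Added example (not part of SOP 380-07): a daily audit-trail review that flags
# the "suspicious" activity listed in para 6.d.(3)(b). Record format, host
# baseline, account names and the PRIV event type are constructed.
from collections import defaultdict

KNOWN_HOSTS = {"wsmr-pc3", "wsmr-pc7", "wsmr-pc9", "console"}  # constructed baseline
PRIVILEGED_USERS = {"root", "system"}                          # constructed

# Constructed sample records in a simple key=value format, not a real audit log.
SAMPLE_LOG = """\
1992-12-16 08:01:12 event=LOGIN user=jones src=wsmr-pc7 result=SUCCESS
1992-12-16 08:02:40 event=LOGIN user=smith src=wsmr-pc3 result=FAILURE
1992-12-16 08:03:05 event=LOGIN user=smith src=wsmr-pc3 result=SUCCESS
1992-12-16 08:15:22 event=LOGIN user=jones src=ext-host-77 result=SUCCESS
1992-12-16 08:20:00 event=PRIV user=clerk src=wsmr-pc9 result=DENIED
1992-12-16 08:25:31 event=PRIV user=root src=console result=ERROR
1992-12-16 08:30:00 event=LOGOUT user=jones src=wsmr-pc7 result=SUCCESS
"""

def parse_record(line):
    """Split one record into a dict of fields (timestamp kept under 'ts')."""
    date, time, *pairs = line.split()
    fields = dict(p.split("=", 1) for p in pairs)
    fields["ts"] = f"{date} {time}"
    return fields

def review_audit_trail(log_text, known_hosts=KNOWN_HOSTS):
    """Return (category, record) pairs for each SOP-listed suspicious event."""
    findings = []
    active = defaultdict(set)  # user -> source hosts with a session still open
    for line in filter(None, log_text.splitlines()):
        r = parse_record(line)
        user, src, event, result = r["user"], r["src"], r["event"], r["result"]
        if src not in known_hosts:  # any connection from outside the baseline
            findings.append(("unknown host", line))
        if event == "LOGIN":
            if result != "SUCCESS":
                findings.append(("incorrect logon", line))
            else:
                if active[user]:  # same user already has an open session
                    findings.append(("dual logon", line))
                active[user].add(src)
        elif event == "LOGOUT":
            active[user].discard(src)
        elif event == "PRIV":  # attempt to execute or obtain privileges
            if user in PRIVILEGED_USERS and result == "ERROR":
                findings.append(("privileged user error", line))
            elif user not in PRIVILEGED_USERS and result != "SUCCESS":
                findings.append(("privilege attempt", line))
    return findings
```

Each finding still needs the human evaluation the SOP calls for before it is reported to the DPI ISSO; the script only narrows the daily review to the records worth a second look.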