Defense-Wide Information Assurance Program Cyber Threat to Critical Infrastructure Special Agent Jim...

Defense-Wide Information Assurance Program

Cyber Threat to Critical Infrastructure

Special Agent Jim Christy (AFOSI)Law Enforcement & Counterintelligence Coordinator

Defense-Wide Information Assurance ProgramAssistant Secretary of Defense

Command, Control, Communications, and Intelligence (ASDC3I)


OverviewOverview- Crime Vs InfoWar- Crime Vs InfoWar- Legal Issues- Legal Issues- Senate Hearings- Senate Hearings- Senate InfoSec Survey- Senate InfoSec Survey- Y2K Crisis- Y2K Crisis- Cyber Intrusion Incident Response- Cyber Intrusion Incident Response

- Crime Vs InfoWar- Crime Vs InfoWar- Legal Issues- Legal Issues- Senate Hearings- Senate Hearings- Senate InfoSec Survey- Senate InfoSec Survey- Y2K Crisis- Y2K Crisis- Cyber Intrusion Incident Response- Cyber Intrusion Incident Response


DEPSECDEF

CIO Council

Director, Information AssuranceMr. Richard C. Schaeffer, Jr.

National Manager

Lt Gen Kenneth H. Minihan

NSD-42

SECDEF

DoD CIOMr. Arthur L. Money

DII Advisor

LTG David A. Kelley

DIAP Staff DirectorCAPT J. Katharine Burton, USN

Services JointStaff

DISA NSA Other DefenseAgencies

Senior DIAPSteering Group

Program Planning,Coordination,

and Integration

DIAP

Crime vs. InfoWar - The Legal IssuesCrime vs. InfoWar - The Legal Issues

- Who is Perpetrator?- Who is Perpetrator? - Criminal? Terrorist? State-Sponsored Terrorist? State?- Criminal? Terrorist? State-Sponsored Terrorist? State?

- Where is the Perpetrator?- Where is the Perpetrator? - US? International Waters/Airspace? Third Country? State - US? International Waters/Airspace? Third Country? State of Perpetrator?of Perpetrator?

- What is the Impact on the U.S.?- What is the Impact on the U.S.? Minor Disruption Damage to National SecurityMinor Disruption Damage to National Security

- Who Should Respond (Stop the Attack)?- Who Should Respond (Stop the Attack)? - LE? Host Country? U.S. Military? - LE? Host Country? U.S. Military?

- Who is Perpetrator?- Who is Perpetrator? - Criminal? Terrorist? State-Sponsored Terrorist? State?- Criminal? Terrorist? State-Sponsored Terrorist? State?

- Where is the Perpetrator?- Where is the Perpetrator? - US? International Waters/Airspace? Third Country? State - US? International Waters/Airspace? Third Country? State of Perpetrator?of Perpetrator?

- What is the Impact on the U.S.?- What is the Impact on the U.S.? Minor Disruption Damage to National SecurityMinor Disruption Damage to National Security

- Who Should Respond (Stop the Attack)?- Who Should Respond (Stop the Attack)? - LE? Host Country? U.S. Military? - LE? Host Country? U.S. Military?

Perpetrator

Location

U.S. Impact

Right to Respond

*Criminal *Terrorist * State Sponsored Terrorist *State

U.S International 3rd Party State Water/Air Country

Minor Economic Minor Economic Major Economic Major Economic Damage tocomms disruption comms disruption comms disruption comms disruption National with loss of life with loss of life Security

U.S. LawEnforcement

Host Countryor Flag State

Law EnforcementU.S. Military

Perpetrator

Location

U.S. Impact

Right to Respond




U.S. LawEnforcement


Law EnforcementU.S. Military

U.S. Militaryif DOJ/FBI Cert

& Pres Exec Order

Perpetrator

Location

U.S. Impact

Right to Respond




U.S. LawEnforcement


Law Enforcement

U.S. Militaryif DOJ/FBI Cert

& Pres Exec Order

Perpetrator

Location

U.S. Impact

Right to Respond




U.S. LawEnforcement


Law Enforcement

U.S. MilitaryW/NCA

Permission


Law Enforcement

Perpetrator

Location

U.S. Impact

Right to Respond




U.S. LawEnforcement

U.S. MilitaryW/NCA

Permission


FactsFacts- We Will Face Competent Adversary- We Will Face Competent Adversary - We Won’t Know the Perpetrator- We Won’t Know the Perpetrator - We Won’t Know the Location of - We Won’t Know the Location of the Perpetratorthe Perpetrator- Law Enforcement Will Always Have - Law Enforcement Will Always Have Primary Jurisdiction Until Perpetrator Primary Jurisdiction Until Perpetrator & Location are Determined& Location are Determined


Need to PrepareNeed to Prepare

- New Adversaries- New Adversaries - Virtual Organizations- Virtual Organizations - Non-Traditional Threats- Non-Traditional Threats


Number of Actual Incidents

InfoWar AttacksCyber Terrorism Attacks

Criminal Incidents


Resources & Expertise

Law Enforcement& Counterintelligence

DoD CERTS, CIA, DIA, J2, NSA

InfoWar Centers


Assumptions- Intelligence Community Restricted in U.S.

- The Vast Majority of Attacks Will Involve U.S. Systems (Civilian/Non-Gov)

- Every Intrusion is a Crime- Over 95% DOD Information over PSN- Imperative to Trace Attacks Back to Source


Attack ProfileAttack Profile - Will Probably Look Like Multiple Unrelated - Will Probably Look Like Multiple Unrelated Incidents (All Criminal Incidents) InitiallyIncidents (All Criminal Incidents) Initially - Will Probably Attack Civilian Infrastructure, - Will Probably Attack Civilian Infrastructure, Not DOD - 20th Century Fox Project - Not DOD - 20th Century Fox Project - ““WorldWar3.com”WorldWar3.com” - Launched from US or Allied Country- Launched from US or Allied Country


Opposite of Nuclear AttackOpposite of Nuclear Attack


Criminal Violations: - 18 USC 1029, Access Device Fraud

- 18 USC 1030, Computer Fraud Act

- 18 USC 2511, Interception & Disclosure of Wire, Oral or Electronic Communication

- 18 USC 2701, Stored Wire & Communication Access


Criminal Violations (cont’d):

- 18 USC 785 - Threats - 18 USC 1343 - Wire Fraud - 18 USC 1363 - Malicious Mischief - 18 USC 1462 - Import of Obscene Matter - 18 USC 1465 - Transport of Obscene Matter - 18 USC 2252 - Sexual Exploitation of Minors - 18 USC 2314 - Transport of Stolen Property


Criminal Violations (cont’d):

- 18 USC 2319 - Copyright Infringement - 18 USC 2320 - Trademark Goods - 18 USC 2510 thru 2521 - Wiretaps - 18 USC 2701 thru 2711 - Stored Electronic Comm - 18 USC 3121 - Pen Registers - 17 USC 506 - Copyright Infringement - 42 USC 2000aa - Privacy Protection


The Problem

“18th Century Law & 20th Century Technology”

Col. Bob GiovagnoniAFOSI, JA

1996


The First Problem

Speed Counts!


The Second Problem

The Legal Environment is

Geo-Centric


The Law- Criminal Law - Law Dealing with Crime &

Punishment

- Procedural Law - Legal Procedures Required

of a Law Enforcement

Official for the Commencement

of Legal Proceedings


Criminal Law

- What is a Crime

- What is Against the Law

i.e. Rape, Murder, Fraud, Computer Intrusions,

Narcotics Trafficking, etc..


Procedural Law

- How to Collect Evidence

- Wire Tap Court Orders

- Search Warrants

- Rights Advisements


Procedural Law

Balance Between

- Individual Rights of Privacy

- Public Safety


International Cooperation

- Each Country’s Legal Infrastructure

- Sovereignty

- Mutual Assistance Agreements


There’s a BIG Difference Between

What You CAN DO &

What You MAY DO

Your 3rd Grade Teacher was Right


CAN - To Be Able to

- To Have the Knowledge or Skill to

- To Know How to

- To Be Mentally Able to

MAY - Have Permission to

- Be Free to

- Be Achieved Within a Democratic Framework

Your 3rd Grade Teacher was Right

WEBSTER’S Ninth New Collegiate Dictionary


DoDDoDContractorContractor

F22 SPOF22 SPOWPAFBWPAFB ROME LabsROME Labs

GAFBGAFB

Naval Research LabsNaval Research Labs

Other CountriesOther CountriesCommercialCommercial SiteSite

AcademicAcademic SiteSite

Gov SiteGov Site

= DDN

= Internet= Internet

ExtremelyExtremelySlowSlow

Internet IncidentInternet IncidentInternet IncidentInternet Incident


Hackers Loop & Weave to Prevent Hackers Loop & Weave to Prevent Detection & IdentificationDetection & IdentificationHackers Loop & Weave to Prevent Hackers Loop & Weave to Prevent Detection & IdentificationDetection & Identification

AF Sys AF Sys Tampa, FLTampa, FL

GW UniversityGW University

NYNYTimesTimes

LatvianLatvianGov SysGov Sys

SUBJECTSUBJECT in NYCin NYC

Sandia LabsAction

Probe

Scan

Flood

Authenticate

Bypass

Spoof

Read

Copy

Steal

Modify

Delete

Target

Account

Process

Data

Component

Computer

Network

Internetwork

Incident

Event

UnauthorizedResult

IncreasedAccess

Disclosure ofInformation

Corruption ofInformation

Denial ofService

Theft ofResources

Objectives

Challenge,Status, Thrills

PoliticalGain

FinancialGain

Damage

Attack

Vulnerability

Design

Implementation

Configuration

Tool

PhysicalAttack

InformationExchange

UserCommandScript orProgram

AutonomousAgent

Toolkit

DistributedTool

Data Tap

Attackers

Hackers

Spies

Terrorists

CorporateRaiders

ProfessionalCriminals

Vandals

Voyeurs


U.S. SenateU.S. SenatePermanent Subcommittee Permanent Subcommittee

on Investigationson Investigations

ManhattanCyber

Project

ManhattanCyber

Project


Subcommittee HearingsSubcommittee Hearings

- Chaired by Senator Sam Nunn, GA- Chaired by Senator Sam Nunn, GA- Investigate the Threat to the National- Investigate the Threat to the National

Information Infrastructure from aInformation Infrastructure from a Cyberspace Attack (Jan-Aug 96)Cyberspace Attack (Jan-Aug 96)


Subcommittee Hearings - Cyberspace SecuritySubcommittee Hearings - Cyberspace Security

- Staff Interviewed > 200 - Staff Interviewed > 200 - U.S. & International- U.S. & International

- Government Leaders- Government Leaders- Computer Security Experts- Computer Security Experts- Law Enforcement Agencies- Law Enforcement Agencies- Private Sector- Private Sector


Subcommittee Hearings - Cyberspace SecuritySubcommittee Hearings - Cyberspace Security- Set of 4 Hearings - Set of 4 Hearings (22 May, 5 Jun, 25 Jun, 16 Jul 96)(22 May, 5 Jun, 25 Jun, 16 Jul 96)

- Witnesses- Witnesses- Dir CIA- Dir CIA- Dep Sec Def- Dep Sec Def- Dep Attorney General- Dep Attorney General- Senators Kyl & Leahy- Senators Kyl & Leahy- Computer Security Experts- Computer Security Experts- Subcommittee Staff- Subcommittee Staff


- Only Documented Computer- Only Documented Computer Espionage CaseEspionage Case- OSI & FBI- OSI & FBI- Five Hackers Levied by Soviet KGB- Five Hackers Levied by Soviet KGB - Drug & Financial Problems- Drug & Financial Problems- Best Seller - Best Seller “The Cuckoo’s Egg”“The Cuckoo’s Egg”

- Only Documented Computer- Only Documented Computer Espionage CaseEspionage Case- OSI & FBI- OSI & FBI- Five Hackers Levied by Soviet KGB- Five Hackers Levied by Soviet KGB - Drug & Financial Problems- Drug & Financial Problems- Best Seller - Best Seller “The Cuckoo’s Egg”“The Cuckoo’s Egg”

Hanover Hacker Case - 1986Hanover Hacker Case - 1986Hanover Hacker Case - 1986Hanover Hacker Case - 1986


Mar - May 1994Mar - May 1994Mar - May 1994Mar - May 1994Rome Air DevelopmentRome Air Development

CenterCenterRome Air DevelopmentRome Air Development

CenterCenterGriffiss AFB,Griffiss AFB,

New YorkNew YorkGriffiss AFB,Griffiss AFB,

New YorkNew York

Rome Labs Discovers Sniffers

Rome LabsRome LabsRome LabsRome Labs


AFCERT Deployed Teamsfrom Kelly AFB

Rome LabsRome Labs

AFOSI DeployedAgents from Andrews AFB,

Rome LabsRome Labs

Investigative Team Assessed Situation Briefed Commander

Rome LabsRome Labs

Attacks Traced to Internet Provider in New York

CommercialCommercialInternetInternetProviderProvider

Rome LabsRome Labs

Attacks Traced to Internet Provider in Seattle, WA



Rome LabsRome Labs

Internet Path Deadend-Attackers Using Phone Lines



Keystroke Monitoring@ Rome Labs

Rome LabsRome LabsCommercialCommercialInternetInternetProviderProvider


Rome LabsRome Labs

Limited Context Monitoring@ NY Internet Provider



Rome LabsRome Labs

Limited Context Monitoring @ WA Internet Provider



Rome LabsRome Labs

Handles of Hackers wereKuji & Datastream



Rome LabsRome Labs

Agents RequestedHelp from Informants




UKUKUKUK

Informant Identifies Hacker from UK

CommercialCommercial


Rome LabsRome Labs

UKUK

Hacks .MIL Sites Because So Easy

Commercial

Commercial

Rome LabsRome Labs

UKUK

Agents Call CCU Scotland Yard. Pen Registers Up

Commercial

Commercial

Rome LabsRome Labs

UKUK

ColombiaColombia && ChileChile

Scotland Yard Sees, Phreaking thru South America

Commercial

Commercial

Rome LabsRome Labs

UKUK


Phreaking thru South America to New York

Commercial

Commercial

Rome LabsRome Labs

UKUK


Defrauds Internet Provider

Commercial

Commercial

Rome LabsRome Labs

UKUK


From NY Internet Provider Attacks Rome Labs

Commercial

Commercial

Rome LabsRome Labs

UKUK


Same Scenario for Seattle, WA Internet Provider

Commercial

Commercial

Rome LabsRome Labs

UKUK


Entered Rome from NYC or, Seattle, WA

Commercial

Commercial

Rome LabsRome Labs

UKUK


S. Korean . Korean Atomic ResearchAtomic ResearchInstInst



AF ContractorAF Contractor


JPL, NASAJPL, NASA

USBRUSBRUSBRUSBR

ArmyArmy

WPAFBWPAFB

LatviaLatvia

HQ NATOHQ NATO

GoddardGoddardSFCSFC

Followed Contracts

Rome LabsRome Labs

UKUK







JPL, NASAJPL, NASA

USBRUSBR

ArmyArmy

WPAFBWPAFB

LatviaLatvia

HQ NATOHQ NATO


Followed Contracts

Rome LabsRome Labs

UKUK







JPL, NASAJPL, NASA

USBRUSBR

ArmyArmy

WPAFBWPAFB

LatviaLatvia

HQ NATOHQ NATO


Thru S. America toSeattle to HQ NATO

Rome LabsRome Labs

UKUK







JPL, NASAJPL, NASA

USBRUSBR

ArmyArmy

WPAFBWPAFB

LatviaLatvia


HQ NATOHQ NATO

Thru S. America toSeattle to HQ NATO

Rome LabsRome Labs

UKUK







JPL, NASAJPL, NASA

USBRUSBR

ArmyArmy

WPAFBWPAFB

LatviaLatvia

HQ NATOHQ NATO


Through S. America toSeattle to HQ NATO

Rome LabsRome Labs

UKUK







JPL, NASAJPL, NASA

USBRUSBR

ArmyArmy

WPAFBWPAFB

LatviaLatvia

HQ NATOHQ NATO


Data From WPAFB

Rome LabsRome Labs

UKUK







JPL, NASAJPL, NASA

USBRUSBR

ArmyArmy

WPAFBWPAFB

LatviaLatvia

HQ NATOHQ NATO


Data From WPAFBGoing to Seattle

Rome LabsRome Labs

UKUK







JPL, NASAJPL, NASA

USBRUSBR

ArmyArmy

WPAFBWPAFB

LatviaLatvia

HQ NATOHQ NATO


Data From WPAFBGoing to Latvia?

Rome LabsRome Labs

UKUK







JPL, NASAJPL, NASA

USBRUSBR

ArmyArmy

WPAFBWPAFB

LatviaLatvia

HQ NATOHQ NATO


Data From WPAFBGoing to Latvia

Rome LabsRome Labs

UKUK







JPL, NASAJPL, NASA

USBRUSBR

ArmyArmy

WPAFBWPAFB

LatviaLatvia

HQ NATOHQ NATO


NASA Major Target

Rome LabsRome Labs

UKUK







JPL, NASAJPL, NASA

USBRUSBR

ArmyArmy

WPAFBWPAFB

LatviaLatvia

HQ NATOHQ NATO


NASA Major TargetGoddard SFC, MD

HQ NATOHQ NATO

Rome LabsRome Labs

UKUK







JPL, NASAJPL, NASA

USBRUSBR

ArmyArmy

WPAFBWPAFB

LatviaLatvia


NASA Major TargetGoddard SFC & JPL

Rome LabsRome Labs

UKUK







JPL, NASAJPL, NASA

USBRUSBR

ArmyArmy

WPAFBWPAFB

LatviaLatvia

HQ NATOHQ NATO


Scotland Yard IssuedSearch Warrant

Rome LabsRome Labs

UKUK







JPL, NASAJPL, NASA

USBRUSBR

ArmyArmy

WPAFBWPAFB

LatviaLatvia

HQ NATOHQ NATO


Waiting Until Onlineat Rome Labs

Rome LabsRome Labs

UKUK







JPL, NASAJPL, NASA

USBRUSBR

ArmyArmy

WPAFBWPAFB

LatviaLatvia

HQ NATOHQ NATO


Identify AdditionalDownstream Victim

Rome LabsRome Labs

UKUK







JPL, NASAJPL, NASA

USBRUSBR

ArmyArmy

WPAFBWPAFB

LatviaLatvia

HQ NATOHQ NATO


Had Access to Korean Atomic Research Institution Data

Rome LabsRome Labs

UKUK


KUJI from Wales

DATASTREAM from London






JPL, NASAJPL, NASA

USBRUSBR

ArmyArmy

WPAFBWPAFB

LatviaLatvia

HQ NATOHQ NATO


Rome LabsRome Labs

UKUK


Over 100 DownstreamVictims From Rome






JPL, NASAJPL, NASA

USBRUSBR

ArmyArmy

WPAFBWPAFB

LatviaLatvia

HQ NATOHQ NATO


- 2 Hackers- 2 Hackers- - 26 Days 26 Days of Attacksof Attacks- 20 Days of Monitoring- 20 Days of Monitoring- 7 Sniffers on Rome Systems- 7 Sniffers on Rome Systems- Over - Over 150 Intrusions 150 Intrusions at ROME Labs from 10at ROME Labs from 10 Different Points of OriginDifferent Points of Origin- Victims - Many & Varied- Victims - Many & Varied- Law Enforcement Agencies - Multiple- Law Enforcement Agencies - Multiple- At Least - At Least 8 Countries 8 Countries Used as ConduitUsed as Conduit

HackersHackersRome Labs Summary


Bad Actors in the Physical WorldBad Actors in the Physical WorldBad Actors in the Physical WorldBad Actors in the Physical World

Disaffected Loners Unabomber Oklahoma City

Subnational Threat Aum Shinrikyo World Trade Center

Rogue States Iraq North Korea


Promoting Our National Security In The Physical World

Promoting Our National Security In The Physical World

DoDCIADoDCIA

DoDDoD

FBIFBIFBILocalFBILocal

IntelligenceIntelligence

ForeignForeign

EnforcementEnforcement

DomesticDomestic


Promoting Our National Security In The Virtual World

Promoting Our National Security In The Virtual World

IntelligenceIntelligence

ForeignForeign

EnforcementEnforcement

DomesticDomestic

AB

Minimum Essential Pillars of Critical ElementsMinimum Essential Pillars of Critical Elements

NationalInformation Infrastructure

Mil

itar

y/G

ov S

ys

Pu

blic

Sw

itch

Net

s

Fin

anci

al S

ys

Hea

lth

Car

e S

ys

Uti

liti

es/P

ower

Tra

nsp

orta

tion

Sys


ActorHacker

Disgruntled/Co-opted InsiderCriminalsTerrorist

Commercial OrganizationsNation States

ActorHacker

Disgruntled/Co-opted InsiderCriminalsTerrorist

Commercial OrganizationsNation States

ObjectiveCyber-Joyrider

For a Variety of MotivesPersonal/Financial Gain

Advance CauseIndustrial Espionage

Espionage or EconomicAdvantage, InfoWar

ObjectiveCyber-Joyrider

For a Variety of MotivesPersonal/Financial Gain

Advance CauseIndustrial Espionage

Espionage or EconomicAdvantage, InfoWar

“Bad Actors”“Bad Actors”


Hearings, 16 July 96Hearings, 16 July 96- Witnesses- Witnesses - Jamie Gorelick & Dr John White - Jamie Gorelick & Dr John White - Announced the President Signed Exec Order 13010- Announced the President Signed Exec Order 13010 to formulate Protection of Critical Infrastructuresto formulate Protection of Critical Infrastructures From Terrorism & Cyber AttacksFrom Terrorism & Cyber Attacks - Created- Created - Commission- Commission - Infrastructure Protection Task Force (IPTF)- Infrastructure Protection Task Force (IPTF)

Hearings, 16 July 96Hearings, 16 July 96- Witnesses- Witnesses - Jamie Gorelick & Dr John White - Jamie Gorelick & Dr John White - Announced the President Signed Exec Order 13010- Announced the President Signed Exec Order 13010 to formulate Protection of Critical Infrastructuresto formulate Protection of Critical Infrastructures From Terrorism & Cyber AttacksFrom Terrorism & Cyber Attacks - Created- Created - Commission- Commission - Infrastructure Protection Task Force (IPTF)- Infrastructure Protection Task Force (IPTF)

Information Systems Security Survey

Conducted by WarRoom Research, LLCJul-Oct 96

U.S. Senate PermanentU.S. Senate PermanentSubcommittee on InvestigationsSubcommittee on Investigations

U.S. Senate PermanentU.S. Senate PermanentSubcommittee on InvestigationsSubcommittee on Investigations


Information Security SurveyInformation Security Survey

- Collaborated with WarRoom Research- Collaborated with WarRoom Research - Conduct Information Systems Security- Conduct Information Systems Security Survey with Private SectorSurvey with Private Sector - Snapshot of InfoSec - Snapshot of InfoSec - Target Fortune 1000 Companies- Target Fortune 1000 Companies

- Anonymous Survey Results- Anonymous Survey Results



- Surveys Sent, 18 Jul 96- Surveys Sent, 18 Jul 96 - 500 Sent- 500 Sent - Completed Surveys Received, 18 Oct 96- Completed Surveys Received, 18 Oct 96 - 205 Qualified Responses (236)- 205 Qualified Responses (236)



- Categories- Categories - General Information- General Information - Policy- Policy - Intrusions- Intrusions - Damage & Reporting- Damage & Reporting - Financial Institutions Only- Financial Institutions Only



- General Information- General Information - Positions in Organization- Positions in Organization - Security Responsibilities- Security Responsibilities - Type of Industry- Type of Industry - All Infrastructures Represented- All Infrastructures Represented



- Policy- Policy - 83% Did Have Written Policy- 83% Did Have Written Policy - 67% Did Have Logon Warning Banners- 67% Did Have Logon Warning Banners



- Intrusions- Intrusions - 94% Consider Outside Security Firm- 94% Consider Outside Security Firm - 27% No Capability to Detect- 27% No Capability to Detect



- Intrusions- Intrusions - 58% Detected Attempts from Outside- 58% Detected Attempts from Outside - 30% Don’t Know- 30% Don’t Know


Information Security Survey Information Security Survey - Damage & Reporting- Damage & Reporting - Cost for Each Intrusion- Cost for Each Intrusion - By Insiders- By Insiders

- By Outsiders- By Outsiders


Damage by InsidersDamage by Insiders Unknown - Unknown - 12.7%12.7% - 26 - 26 $0 -$0 - 0.0% 0.0% - 0- 0 $1-1000 - $1-1000 - 0.0% 0.0% - 0- 0 $1,001-5,000 - $1,001-5,000 - 1.5%1.5% - 3 - 3 $5,001-10,000 - $5,001-10,000 - 5.4%5.4% - 11 - 11 $10,001-50,000 - $10,001-50,000 - 11.2%11.2% - 23 - 23 $50,001-200,000 - $50,001-200,000 - 22.4%22.4% - 46 - 46 $200,001-500,000 - $200,001-500,000 - 20.0%20.0% - 41 - 41 $500,001-1,000,000 - $500,001-1,000,000 - 11.2%11.2% - 23 - 23 Over $1,000,000 - Over $1,000,000 - 15.6% 15.6% - 32 - 32

Damage by InsidersDamage by Insiders Unknown - Unknown - 12.7%12.7% - 26 - 26 $0 -$0 - 0.0% 0.0% - 0- 0 $1-1000 - $1-1000 - 0.0% 0.0% - 0- 0 $1,001-5,000 - $1,001-5,000 - 1.5%1.5% - 3 - 3 $5,001-10,000 - $5,001-10,000 - 5.4%5.4% - 11 - 11 $10,001-50,000 - $10,001-50,000 - 11.2%11.2% - 23 - 23 $50,001-200,000 - $50,001-200,000 - 22.4%22.4% - 46 - 46 $200,001-500,000 - $200,001-500,000 - 20.0%20.0% - 41 - 41 $500,001-1,000,000 - $500,001-1,000,000 - 11.2%11.2% - 23 - 23 Over $1,000,000 - Over $1,000,000 - 15.6% 15.6% - 32 - 32

205 Incidents


Damage by OutsidersDamage by Outsiders Unknown - Unknown - 21.0%21.0% - 43 - 43 $0 -$0 - 0.0% 0.0% - 0- 0 $1-1000 - $1-1000 - 0.0% 0.0% - 0- 0 $1,001-5,000 - $1,001-5,000 - 0.0%0.0% - 0 - 0 $5,001-10,000 - $5,001-10,000 - 4.4%4.4% - 9 - 9 $10,001-50,000 - $10,001-50,000 - 8.3%8.3% - 17 - 17 $50,001-200,000 - $50,001-200,000 - 14.6%14.6% - 30 - 30 $200,001-500,000 - $200,001-500,000 - 19.0%19.0% - 39 - 39 $500,001-1,000,000 - $500,001-1,000,000 - 15.1%15.1% - 31 - 31 Over $1,000,000 - Over $1,000,000 - 17.6% 17.6% - 36 - 36

206 Incidents



- Intrusions Referred to Law Enforcement- Intrusions Referred to Law Enforcement

Out of 411 Incidents

Only 4 ???Only 4 ???


Information Security SurveyInformation Security Survey Reasons Not Referred to Law EnforcementReasons Not Referred to Law Enforcement 14.3%14.3% - Didn’t Want LE in Their System - Didn’t Want LE in Their System 14.3%14.3% - Lose Productivity - Lose Productivity 12.1%12.1% - LE have Access to Sensitive Data - LE have Access to Sensitive Data 20.9%20.9% - Crime Would Become Public - Crime Would Become Public 19.8%19.8% - Loss of Client Confidence - Loss of Client Confidence 8.8%8.8% - Loss of Competitive Status - Loss of Competitive Status 9.8%9.8% - Other - Other



Circumstances - Willing to Report to LECircumstances - Willing to Report to LE 6.8%6.8% - Anytime Detected - Anytime Detected 30.2%30.2% - If Could Report Anonymously - If Could Report Anonymously 21.7%21.7% - Only If Everyone Else Reported - Only If Everyone Else Reported 37.4%37.4% - Only If Mandatory by Law - Only If Mandatory by Law 3.9%3.9% - Other - Other



Financial Institutions OnlyFinancial Institutions Only - Avg. EFTs per Day?- Avg. EFTs per Day? - What % Misrouted?- What % Misrouted? - What % Misrouted Recovered?- What % Misrouted Recovered? - Annual Loss from Unreconciled EFTs?- Annual Loss from Unreconciled EFTs? - What % EFTs Lost to Criminal Activity?- What % EFTs Lost to Criminal Activity? - Have You Reported Losses to FINCEN?- Have You Reported Losses to FINCEN?



Financial Institutions OnlyFinancial Institutions Only

NO Financial InstitutionNO Financial InstitutionAnswered Any of These Answered Any of These Questions ?????????Questions ?????????


Year 2000 CrisisAKA: Y2K a Snow Ski ??


Just a Software Problem?- It’s the Hardware Too!

- 286, 386, 486 Processors - An Estimated 200 Million RISC & 86 Microprocessors Shipped in 1995, Over Half in Embedded Systems (and Weapon Systems) - 93% of All Chips Prior to 1997 - Not Compliant - 50% of All Chips Sold in 1997 - Not Compliant


Where is this Hardware?- What Could be Effected? - Gas Pumps - Elevators - VCRs - Cell Phones - Microwave Ovens - Cameras - Pagers - Radios - Pace Makers - Store Cash Registers - Brake Systems - Body Wires - Ignition Systems - HVAC - Entry Control Systems - Weapon Systems


DoD Cyber Incident Response

Goal:

Situational Awareness


Critical Process

DETECTION REPORTING ANALYSISCOA

RESPONSEALERT/

DISSEMINATION

EVENT

CentralReportingFacility

IncidentCertified

CentralDecisionAuthority

Determination

Inputsto

EventDetected

24x7 C/S/Aorganization

4 hours

Tweak Sensors


DIO Organizations and Activities Study35 Organizations Assessed

• Joint Task Force - Computer Network Defense

• US Space Command• National Infrastructure

Protection Center

• Air Force Information Warfare Center

• Land Information Warfare Activity

• Naval Information Warfare Activity

• Fleet Information Warfare Center

• Information Operations Technology Center

• Air Force Network Operations Center

• Army Network Systems Operations Center

• Naval Computer and Telecommunications Command

• Global Network Operations Security Center

• Air Force Computer Emergency Response Team

• Army Computer Emergency Response Team

• Navy Computer Incident Response Team

• Defense Logistics Agency CERT• National Security Agency

(XGroup)• DoD CERT• Carnegie Mellon University

CERT/CC

• Joint Staff - J2• Defense Intelligence

Agency• Air Intelligence Agency

• Air Force Office of Special Investigations

• US Army Criminal Investigation Directorate

• US Army Military Intelligence• Naval Criminal Investigation

Service• Defense Criminal Investigative

Service• DoD Computer Forensics Lab

• Joint Command and Control Warfare Center

• Joint Spectrum Center• Defense Advanced Research

Projects Agency• Joint C4ISR Battle Center• Army Research Lab

• National Aeronautics and Space Administration

• Joint Warfare Analysis Center

Protection CERTs Network Operations Support

IW LE/CI Intelligence Other


Preliminary Mapping of CERT Support toJTF-CND

SERVICECERT

ROSC/RISC

CINC CERT

JTF-CND

SYSTEMMGT

CENTER

AIR FORCE BASE

BASE CONTROLCENTER

ASIM(128)

AFCERTMAJCOM

NOSC

CYBERW ATCH

THREATDATABASE

CARNEGIEMELLON

NATIONALINFRASTRUCTURE

PROTECTIONCENTER

DII AIR FORCE

ARMY BASE

BASE CONTROLCENTER

REAL SECURE(146)

ARMY

NAVY BASE

BASE CONTROLCENTER

NAVY

NETRANGER(12)

NAVCIRT

INFORMATIONASSURANCE

VULNERABILITY ALERT(IAVA)

NIPRNET/SIPRNETNEW S GROUPS & W EB

PAGES

Facility NIPRNET_______________

System Adm in.Function

J6/J39

REGIONALNOSCLOCAL LE/CI

LE/CI

LE/CI

JOINTINTRUSIONDETECTION

(64)

NCIS

OSI/CID

REGIONALCERT/NOSC

ACERT

OTHERSERVICE

CERTS

GLOBALOPERATIONS& SECURITY

CENTER

OSI DET

LOCAL OSI DET

Inform ation Flow DirectionInform ation Flow Bi-DirectionalInform ation CoordinationDIO CentersLaw Enforcem entBase Control CentersIntrusion Detection System sOther DOD OrganizationsNon-DOD Organizations

Figure 5


DoD FusionCenter

NCA

CJCS

DoD CERTs

NIPC

IC

PEACE ------------------- CRISIS ------------------ WAR

DoD LE/CI

CINCsUSSPACECOM

INFOCON

NORMAL

INFOCON

ALPHA

INFOCON INFOCON

BRAVOBRAVO

INFOCON

CHARLIE

INFOCON

DELTA

JTFCND


DefCon 7DefCon 7

- Annual International Hacker Convention- Annual International Hacker Convention- Here in Las Vegas Every July- Here in Las Vegas Every July- Grown to Over 2500- Grown to Over 2500

- “Bad Guys”- “Bad Guys”- “Good Guys”- “Good Guys”

- Share New Tools & Techniques- Share New Tools & Techniques

Stay Close to Your Friends & Closer to Your EnemiesStay Close to Your Friends & Closer to Your Enemies

Special Agent Jim ChristyLaw Enforcement & Counterintelligence Coordinator

Defense-Wide Information Assurance ProgramAssistant Secretary of Defense

Command, Control, Communications, and Intelligence (ASDC3I/DIAP)

Voice: 703-602-9982, DSN 332-9982 Pager: 800-915-1245 Email: [email protected]

Defense-Wide Information Assurance Program Cyber Threat to Critical Infrastructure Special Agent Jim...

Documents

Transcript of Defense-Wide Information Assurance Program Cyber Threat to Critical Infrastructure Special Agent Jim...