Defense-Wide Information Assurance Program Cyber Threat to Critical Infrastructure Special Agent Jim...
-
Upload
abigail-hoover -
Category
Documents
-
view
228 -
download
1
Transcript of Defense-Wide Information Assurance Program Cyber Threat to Critical Infrastructure Special Agent Jim...
Defense-Wide Information Assurance Program
Cyber Threat to Critical Infrastructure
Special Agent Jim Christy (AFOSI)Law Enforcement & Counterintelligence Coordinator
Defense-Wide Information Assurance ProgramAssistant Secretary of Defense
Command, Control, Communications, and Intelligence (ASDC3I)
Defense-Wide Information Assurance Program
OverviewOverview- Crime Vs InfoWar- Crime Vs InfoWar- Legal Issues- Legal Issues- Senate Hearings- Senate Hearings- Senate InfoSec Survey- Senate InfoSec Survey- Y2K Crisis- Y2K Crisis- Cyber Intrusion Incident Response- Cyber Intrusion Incident Response
- Crime Vs InfoWar- Crime Vs InfoWar- Legal Issues- Legal Issues- Senate Hearings- Senate Hearings- Senate InfoSec Survey- Senate InfoSec Survey- Y2K Crisis- Y2K Crisis- Cyber Intrusion Incident Response- Cyber Intrusion Incident Response
Defense-Wide Information Assurance Program
DEPSECDEF
CIO Council
Director, Information AssuranceMr. Richard C. Schaeffer, Jr.
National Manager
Lt Gen Kenneth H. Minihan
NSD-42
SECDEF
DoD CIOMr. Arthur L. Money
DII Advisor
LTG David A. Kelley
DIAP Staff DirectorCAPT J. Katharine Burton, USN
Services JointStaff
DISA NSA Other DefenseAgencies
Senior DIAPSteering Group
Program Planning,Coordination,
and Integration
DIAP
Crime vs. InfoWar - The Legal IssuesCrime vs. InfoWar - The Legal Issues
- Who is Perpetrator?- Who is Perpetrator? - Criminal? Terrorist? State-Sponsored Terrorist? State?- Criminal? Terrorist? State-Sponsored Terrorist? State?
- Where is the Perpetrator?- Where is the Perpetrator? - US? International Waters/Airspace? Third Country? State - US? International Waters/Airspace? Third Country? State of Perpetrator?of Perpetrator?
- What is the Impact on the U.S.?- What is the Impact on the U.S.? Minor Disruption Damage to National SecurityMinor Disruption Damage to National Security
- Who Should Respond (Stop the Attack)?- Who Should Respond (Stop the Attack)? - LE? Host Country? U.S. Military? - LE? Host Country? U.S. Military?
- Who is Perpetrator?- Who is Perpetrator? - Criminal? Terrorist? State-Sponsored Terrorist? State?- Criminal? Terrorist? State-Sponsored Terrorist? State?
- Where is the Perpetrator?- Where is the Perpetrator? - US? International Waters/Airspace? Third Country? State - US? International Waters/Airspace? Third Country? State of Perpetrator?of Perpetrator?
- What is the Impact on the U.S.?- What is the Impact on the U.S.? Minor Disruption Damage to National SecurityMinor Disruption Damage to National Security
- Who Should Respond (Stop the Attack)?- Who Should Respond (Stop the Attack)? - LE? Host Country? U.S. Military? - LE? Host Country? U.S. Military?
Perpetrator
Location
U.S. Impact
Right to Respond
*Criminal *Terrorist * State Sponsored Terrorist *State
U.S International 3rd Party State Water/Air Country
Minor Economic Minor Economic Major Economic Major Economic Damage tocomms disruption comms disruption comms disruption comms disruption National with loss of life with loss of life Security
U.S. LawEnforcement
Host Countryor Flag State
Law EnforcementU.S. Military
Perpetrator
Location
U.S. Impact
Right to Respond
*Criminal *Terrorist * State Sponsored Terrorist *State
U.S International 3rd Party State Water/Air Country
Minor Economic Minor Economic Major Economic Major Economic Damage tocomms disruption comms disruption comms disruption comms disruption National with loss of life with loss of life Security
U.S. LawEnforcement
Host Countryor Flag State
Law EnforcementU.S. Military
U.S. Militaryif DOJ/FBI Cert
& Pres Exec Order
Perpetrator
Location
U.S. Impact
Right to Respond
*Criminal *Terrorist * State Sponsored Terrorist *State
U.S International 3rd Party State Water/Air Country
Minor Economic Minor Economic Major Economic Major Economic Damage tocomms disruption comms disruption comms disruption comms disruption National with loss of life with loss of life Security
U.S. LawEnforcement
Host Countryor Flag State
Law Enforcement
U.S. Militaryif DOJ/FBI Cert
& Pres Exec Order
Perpetrator
Location
U.S. Impact
Right to Respond
*Criminal *Terrorist * State Sponsored Terrorist *State
U.S International 3rd Party State Water/Air Country
Minor Economic Minor Economic Major Economic Major Economic Damage tocomms disruption comms disruption comms disruption comms disruption National with loss of life with loss of life Security
U.S. LawEnforcement
Host Countryor Flag State
Law Enforcement
U.S. MilitaryW/NCA
Permission
Host Countryor Flag State
Law Enforcement
Perpetrator
Location
U.S. Impact
Right to Respond
*Criminal *Terrorist * State Sponsored Terrorist *State
U.S International 3rd Party State Water/Air Country
Minor Economic Minor Economic Major Economic Major Economic Damage tocomms disruption comms disruption comms disruption comms disruption National with loss of life with loss of life Security
U.S. LawEnforcement
U.S. MilitaryW/NCA
Permission
Defense-Wide Information Assurance Program
FactsFacts- We Will Face Competent Adversary- We Will Face Competent Adversary - We Won’t Know the Perpetrator- We Won’t Know the Perpetrator - We Won’t Know the Location of - We Won’t Know the Location of the Perpetratorthe Perpetrator- Law Enforcement Will Always Have - Law Enforcement Will Always Have Primary Jurisdiction Until Perpetrator Primary Jurisdiction Until Perpetrator & Location are Determined& Location are Determined
Defense-Wide Information Assurance Program
Need to PrepareNeed to Prepare
- New Adversaries- New Adversaries - Virtual Organizations- Virtual Organizations - Non-Traditional Threats- Non-Traditional Threats
Defense-Wide Information Assurance Program
Number of Actual Incidents
InfoWar AttacksCyber Terrorism Attacks
Criminal Incidents
Defense-Wide Information Assurance Program
Resources & Expertise
Law Enforcement& Counterintelligence
DoD CERTS, CIA, DIA, J2, NSA
InfoWar Centers
Defense-Wide Information Assurance Program
Resources & Expertise
Law Enforcement& Counterintelligence
DoD CERTS, CIA, DIA, J2, NSA
InfoWar Centers
Defense-Wide Information Assurance Program
Assumptions- Intelligence Community Restricted in U.S.
- The Vast Majority of Attacks Will Involve U.S. Systems (Civilian/Non-Gov)
- Every Intrusion is a Crime- Over 95% DOD Information over PSN- Imperative to Trace Attacks Back to Source
Defense-Wide Information Assurance Program
Attack ProfileAttack Profile - Will Probably Look Like Multiple Unrelated - Will Probably Look Like Multiple Unrelated Incidents (All Criminal Incidents) InitiallyIncidents (All Criminal Incidents) Initially - Will Probably Attack Civilian Infrastructure, - Will Probably Attack Civilian Infrastructure, Not DOD - 20th Century Fox Project - Not DOD - 20th Century Fox Project - ““WorldWar3.com”WorldWar3.com” - Launched from US or Allied Country- Launched from US or Allied Country
Defense-Wide Information Assurance Program
Opposite of Nuclear AttackOpposite of Nuclear Attack
Defense-Wide Information Assurance Program
Opposite of Nuclear AttackOpposite of Nuclear Attack
Defense-Wide Information Assurance Program
Criminal Violations: - 18 USC 1029, Access Device Fraud
- 18 USC 1030, Computer Fraud Act
- 18 USC 2511, Interception & Disclosure of Wire, Oral or Electronic Communication
- 18 USC 2701, Stored Wire & Communication Access
Defense-Wide Information Assurance Program
Criminal Violations (cont’d):
- 18 USC 785 - Threats - 18 USC 1343 - Wire Fraud - 18 USC 1363 - Malicious Mischief - 18 USC 1462 - Import of Obscene Matter - 18 USC 1465 - Transport of Obscene Matter - 18 USC 2252 - Sexual Exploitation of Minors - 18 USC 2314 - Transport of Stolen Property
Defense-Wide Information Assurance Program
Criminal Violations (cont’d):
- 18 USC 2319 - Copyright Infringement - 18 USC 2320 - Trademark Goods - 18 USC 2510 thru 2521 - Wiretaps - 18 USC 2701 thru 2711 - Stored Electronic Comm - 18 USC 3121 - Pen Registers - 17 USC 506 - Copyright Infringement - 42 USC 2000aa - Privacy Protection
Defense-Wide Information Assurance Program
The Problem
“18th Century Law & 20th Century Technology”
Col. Bob GiovagnoniAFOSI, JA
1996
Defense-Wide Information Assurance Program
The First Problem
Speed Counts!
Defense-Wide Information Assurance Program
The Second Problem
The Legal Environment is
Geo-Centric
Defense-Wide Information Assurance Program
The Law- Criminal Law - Law Dealing with Crime &
Punishment
- Procedural Law - Legal Procedures Required
of a Law Enforcement
Official for the Commencement
of Legal Proceedings
Defense-Wide Information Assurance Program
Criminal Law
- What is a Crime
- What is Against the Law
i.e. Rape, Murder, Fraud, Computer Intrusions,
Narcotics Trafficking, etc..
Defense-Wide Information Assurance Program
Procedural Law
- How to Collect Evidence
- Wire Tap Court Orders
- Search Warrants
- Rights Advisements
Defense-Wide Information Assurance Program
Procedural Law
Balance Between
- Individual Rights of Privacy
- Public Safety
Defense-Wide Information Assurance Program
International Cooperation
- Each Country’s Legal Infrastructure
- Sovereignty
- Mutual Assistance Agreements
Defense-Wide Information Assurance Program
There’s a BIG Difference Between
What You CAN DO &
What You MAY DO
Your 3rd Grade Teacher was Right
Defense-Wide Information Assurance Program
CAN - To Be Able to
- To Have the Knowledge or Skill to
- To Know How to
- To Be Mentally Able to
MAY - Have Permission to
- Be Free to
- Be Achieved Within a Democratic Framework
Your 3rd Grade Teacher was Right
WEBSTER’S Ninth New Collegiate Dictionary
Defense-Wide Information Assurance Program
DoDDoDContractorContractor
F22 SPOF22 SPOWPAFBWPAFB ROME LabsROME Labs
GAFBGAFB
Naval Research LabsNaval Research Labs
Other CountriesOther CountriesCommercialCommercial SiteSite
AcademicAcademic SiteSite
Gov SiteGov Site
= DDN
= Internet= Internet
ExtremelyExtremelySlowSlow
Internet IncidentInternet IncidentInternet IncidentInternet Incident
Defense-Wide Information Assurance Program
Hackers Loop & Weave to Prevent Hackers Loop & Weave to Prevent Detection & IdentificationDetection & IdentificationHackers Loop & Weave to Prevent Hackers Loop & Weave to Prevent Detection & IdentificationDetection & Identification
AF Sys AF Sys Tampa, FLTampa, FL
GW UniversityGW University
NYNYTimesTimes
LatvianLatvianGov SysGov Sys
SUBJECTSUBJECT in NYCin NYC
Sandia LabsAction
Probe
Scan
Flood
Authenticate
Bypass
Spoof
Read
Copy
Steal
Modify
Delete
Target
Account
Process
Data
Component
Computer
Network
Internetwork
Incident
Event
UnauthorizedResult
IncreasedAccess
Disclosure ofInformation
Corruption ofInformation
Denial ofService
Theft ofResources
Objectives
Challenge,Status, Thrills
PoliticalGain
FinancialGain
Damage
Attack
Vulnerability
Design
Implementation
Configuration
Tool
PhysicalAttack
InformationExchange
UserCommandScript orProgram
AutonomousAgent
Toolkit
DistributedTool
Data Tap
Attackers
Hackers
Spies
Terrorists
CorporateRaiders
ProfessionalCriminals
Vandals
Voyeurs
Defense-Wide Information Assurance Program
U.S. SenateU.S. SenatePermanent Subcommittee Permanent Subcommittee
on Investigationson Investigations
ManhattanCyber
Project
ManhattanCyber
Project
Defense-Wide Information Assurance Program
Subcommittee HearingsSubcommittee Hearings
- Chaired by Senator Sam Nunn, GA- Chaired by Senator Sam Nunn, GA- Investigate the Threat to the National- Investigate the Threat to the National
Information Infrastructure from aInformation Infrastructure from a Cyberspace Attack (Jan-Aug 96)Cyberspace Attack (Jan-Aug 96)
Defense-Wide Information Assurance Program
Subcommittee Hearings - Cyberspace SecuritySubcommittee Hearings - Cyberspace Security
- Staff Interviewed > 200 - Staff Interviewed > 200 - U.S. & International- U.S. & International
- Government Leaders- Government Leaders- Computer Security Experts- Computer Security Experts- Law Enforcement Agencies- Law Enforcement Agencies- Private Sector- Private Sector
Defense-Wide Information Assurance Program
Subcommittee Hearings - Cyberspace SecuritySubcommittee Hearings - Cyberspace Security- Set of 4 Hearings - Set of 4 Hearings (22 May, 5 Jun, 25 Jun, 16 Jul 96)(22 May, 5 Jun, 25 Jun, 16 Jul 96)
- Witnesses- Witnesses- Dir CIA- Dir CIA- Dep Sec Def- Dep Sec Def- Dep Attorney General- Dep Attorney General- Senators Kyl & Leahy- Senators Kyl & Leahy- Computer Security Experts- Computer Security Experts- Subcommittee Staff- Subcommittee Staff
Defense-Wide Information Assurance Program
- Only Documented Computer- Only Documented Computer Espionage CaseEspionage Case- OSI & FBI- OSI & FBI- Five Hackers Levied by Soviet KGB- Five Hackers Levied by Soviet KGB - Drug & Financial Problems- Drug & Financial Problems- Best Seller - Best Seller “The Cuckoo’s Egg”“The Cuckoo’s Egg”
- Only Documented Computer- Only Documented Computer Espionage CaseEspionage Case- OSI & FBI- OSI & FBI- Five Hackers Levied by Soviet KGB- Five Hackers Levied by Soviet KGB - Drug & Financial Problems- Drug & Financial Problems- Best Seller - Best Seller “The Cuckoo’s Egg”“The Cuckoo’s Egg”
Hanover Hacker Case - 1986Hanover Hacker Case - 1986Hanover Hacker Case - 1986Hanover Hacker Case - 1986
Defense-Wide Information Assurance Program
Mar - May 1994Mar - May 1994Mar - May 1994Mar - May 1994Rome Air DevelopmentRome Air Development
CenterCenterRome Air DevelopmentRome Air Development
CenterCenterGriffiss AFB,Griffiss AFB,
New YorkNew YorkGriffiss AFB,Griffiss AFB,
New YorkNew York
Rome Labs Discovers Sniffers
Rome LabsRome LabsRome LabsRome Labs
Rome LabsRome LabsRome LabsRome Labs
AFCERT Deployed Teamsfrom Kelly AFB
Rome LabsRome Labs
AFOSI DeployedAgents from Andrews AFB,
Rome LabsRome Labs
Investigative Team Assessed Situation Briefed Commander
Rome LabsRome Labs
Attacks Traced to Internet Provider in New York
CommercialCommercialInternetInternetProviderProvider
Rome LabsRome Labs
Attacks Traced to Internet Provider in Seattle, WA
CommercialCommercialInternetInternetProviderProvider
CommercialCommercialInternetInternetProviderProvider
Rome LabsRome Labs
Internet Path Deadend-Attackers Using Phone Lines
CommercialCommercialInternetInternetProviderProvider
CommercialCommercialInternetInternetProviderProvider
Keystroke Monitoring@ Rome Labs
Rome LabsRome LabsCommercialCommercialInternetInternetProviderProvider
CommercialCommercialInternetInternetProviderProvider
Rome LabsRome Labs
Limited Context Monitoring@ NY Internet Provider
CommercialCommercialInternetInternetProviderProvider
CommercialCommercialInternetInternetProviderProvider
Rome LabsRome Labs
Limited Context Monitoring @ WA Internet Provider
CommercialCommercialInternetInternetProviderProvider
CommercialCommercialInternetInternetProviderProvider
Rome LabsRome Labs
Handles of Hackers wereKuji & Datastream
CommercialCommercialInternetInternetProviderProvider
CommercialCommercialInternetInternetProviderProvider
Rome LabsRome Labs
Agents RequestedHelp from Informants
CommercialCommercialInternetInternetProviderProvider
CommercialCommercialInternetInternetProviderProvider
Rome LabsRome LabsRome LabsRome Labs
UKUKUKUK
Informant Identifies Hacker from UK
CommercialCommercial
CommercialCommercial
Rome LabsRome Labs
UKUK
Hacks .MIL Sites Because So Easy
Commercial
Commercial
Rome LabsRome Labs
UKUK
Agents Call CCU Scotland Yard. Pen Registers Up
Commercial
Commercial
Rome LabsRome Labs
UKUK
ColombiaColombia && ChileChile
Scotland Yard Sees, Phreaking thru South America
Commercial
Commercial
Rome LabsRome Labs
UKUK
ColombiaColombia && ChileChile
Phreaking thru South America to New York
Commercial
Commercial
Rome LabsRome Labs
UKUK
ColombiaColombia && ChileChile
Defrauds Internet Provider
Commercial
Commercial
Rome LabsRome Labs
UKUK
ColombiaColombia && ChileChile
From NY Internet Provider Attacks Rome Labs
Commercial
Commercial
Rome LabsRome Labs
UKUK
ColombiaColombia && ChileChile
Same Scenario for Seattle, WA Internet Provider
Commercial
Commercial
Rome LabsRome Labs
UKUK
ColombiaColombia && ChileChile
Entered Rome from NYC or, Seattle, WA
Commercial
Commercial
Rome LabsRome Labs
UKUK
ColombiaColombia && ChileChile
S. Korean . Korean Atomic ResearchAtomic ResearchInstInst
CommercialCommercial
CommercialCommercial
AF ContractorAF Contractor
AF ContractorAF Contractor
JPL, NASAJPL, NASA
USBRUSBRUSBRUSBR
ArmyArmy
WPAFBWPAFB
LatviaLatvia
HQ NATOHQ NATO
GoddardGoddardSFCSFC
Followed Contracts
Rome LabsRome Labs
UKUK
ColombiaColombia && ChileChile
S. Korean . Korean Atomic ResearchAtomic ResearchInstInst
CommercialCommercial
CommercialCommercial
AF ContractorAF Contractor
AF ContractorAF Contractor
JPL, NASAJPL, NASA
USBRUSBR
ArmyArmy
WPAFBWPAFB
LatviaLatvia
HQ NATOHQ NATO
GoddardGoddardSFCSFC
Followed Contracts
Rome LabsRome Labs
UKUK
ColombiaColombia && ChileChile
S. Korean . Korean Atomic ResearchAtomic ResearchInstInst
CommercialCommercial
CommercialCommercial
AF ContractorAF Contractor
AF ContractorAF Contractor
JPL, NASAJPL, NASA
USBRUSBR
ArmyArmy
WPAFBWPAFB
LatviaLatvia
HQ NATOHQ NATO
GoddardGoddardSFCSFC
Followed Contracts
Rome LabsRome Labs
UKUK
ColombiaColombia && ChileChile
S. Korean . Korean Atomic ResearchAtomic ResearchInstInst
CommercialCommercial
CommercialCommercial
AF ContractorAF Contractor
AF ContractorAF Contractor
JPL, NASAJPL, NASA
USBRUSBR
ArmyArmy
WPAFBWPAFB
LatviaLatvia
HQ NATOHQ NATO
GoddardGoddardSFCSFC
Followed Contracts
Rome LabsRome Labs
UKUK
ColombiaColombia && ChileChile
S. Korean . Korean Atomic ResearchAtomic ResearchInstInst
CommercialCommercial
CommercialCommercial
AF ContractorAF Contractor
AF ContractorAF Contractor
JPL, NASAJPL, NASA
USBRUSBR
ArmyArmy
WPAFBWPAFB
LatviaLatvia
HQ NATOHQ NATO
GoddardGoddardSFCSFC
Followed Contracts
Rome LabsRome Labs
UKUK
ColombiaColombia && ChileChile
S. Korean . Korean Atomic ResearchAtomic ResearchInstInst
CommercialCommercial
CommercialCommercial
AF ContractorAF Contractor
AF ContractorAF Contractor
JPL, NASAJPL, NASA
USBRUSBR
ArmyArmy
WPAFBWPAFB
LatviaLatvia
HQ NATOHQ NATO
GoddardGoddardSFCSFC
Thru S. America toSeattle to HQ NATO
Rome LabsRome Labs
UKUK
ColombiaColombia && ChileChile
S. Korean . Korean Atomic ResearchAtomic ResearchInstInst
CommercialCommercial
CommercialCommercial
AF ContractorAF Contractor
AF ContractorAF Contractor
JPL, NASAJPL, NASA
USBRUSBR
ArmyArmy
WPAFBWPAFB
LatviaLatvia
GoddardGoddardSFCSFC
HQ NATOHQ NATO
Thru S. America toSeattle to HQ NATO
Rome LabsRome Labs
UKUK
ColombiaColombia && ChileChile
S. Korean . Korean Atomic ResearchAtomic ResearchInstInst
CommercialCommercial
CommercialCommercial
AF ContractorAF Contractor
AF ContractorAF Contractor
JPL, NASAJPL, NASA
USBRUSBR
ArmyArmy
WPAFBWPAFB
LatviaLatvia
HQ NATOHQ NATO
GoddardGoddardSFCSFC
Through S. America toSeattle to HQ NATO
Rome LabsRome Labs
UKUK
ColombiaColombia && ChileChile
S. Korean . Korean Atomic ResearchAtomic ResearchInstInst
CommercialCommercial
CommercialCommercial
AF ContractorAF Contractor
AF ContractorAF Contractor
JPL, NASAJPL, NASA
USBRUSBR
ArmyArmy
WPAFBWPAFB
LatviaLatvia
HQ NATOHQ NATO
GoddardGoddardSFCSFC
Data From WPAFB
Rome LabsRome Labs
UKUK
ColombiaColombia && ChileChile
S. Korean . Korean Atomic ResearchAtomic ResearchInstInst
CommercialCommercial
CommercialCommercial
AF ContractorAF Contractor
AF ContractorAF Contractor
JPL, NASAJPL, NASA
USBRUSBR
ArmyArmy
WPAFBWPAFB
LatviaLatvia
HQ NATOHQ NATO
GoddardGoddardSFCSFC
Data From WPAFBGoing to Seattle
Rome LabsRome Labs
UKUK
ColombiaColombia && ChileChile
S. Korean . Korean Atomic ResearchAtomic ResearchInstInst
CommercialCommercial
CommercialCommercial
AF ContractorAF Contractor
AF ContractorAF Contractor
JPL, NASAJPL, NASA
USBRUSBR
ArmyArmy
WPAFBWPAFB
LatviaLatvia
HQ NATOHQ NATO
GoddardGoddardSFCSFC
Data From WPAFBGoing to Latvia?
Rome LabsRome Labs
UKUK
ColombiaColombia && ChileChile
S. Korean . Korean Atomic ResearchAtomic ResearchInstInst
CommercialCommercial
CommercialCommercial
AF ContractorAF Contractor
AF ContractorAF Contractor
JPL, NASAJPL, NASA
USBRUSBR
ArmyArmy
WPAFBWPAFB
LatviaLatvia
HQ NATOHQ NATO
GoddardGoddardSFCSFC
Data From WPAFBGoing to Latvia
Rome LabsRome Labs
UKUK
ColombiaColombia && ChileChile
S. Korean . Korean Atomic ResearchAtomic ResearchInstInst
CommercialCommercial
CommercialCommercial
AF ContractorAF Contractor
AF ContractorAF Contractor
JPL, NASAJPL, NASA
USBRUSBR
ArmyArmy
WPAFBWPAFB
LatviaLatvia
HQ NATOHQ NATO
GoddardGoddardSFCSFC
NASA Major Target
Rome LabsRome Labs
UKUK
ColombiaColombia && ChileChile
S. Korean . Korean Atomic ResearchAtomic ResearchInstInst
CommercialCommercial
CommercialCommercial
AF ContractorAF Contractor
AF ContractorAF Contractor
JPL, NASAJPL, NASA
USBRUSBR
ArmyArmy
WPAFBWPAFB
LatviaLatvia
HQ NATOHQ NATO
GoddardGoddardSFCSFC
NASA Major Target
Rome LabsRome Labs
UKUK
ColombiaColombia && ChileChile
S. Korean . Korean Atomic ResearchAtomic ResearchInstInst
CommercialCommercial
CommercialCommercial
AF ContractorAF Contractor
AF ContractorAF Contractor
JPL, NASAJPL, NASA
USBRUSBR
ArmyArmy
WPAFBWPAFB
LatviaLatvia
HQ NATOHQ NATO
GoddardGoddardSFCSFC
NASA Major Target
Rome LabsRome Labs
UKUK
ColombiaColombia && ChileChile
S. Korean . Korean Atomic ResearchAtomic ResearchInstInst
CommercialCommercial
CommercialCommercial
AF ContractorAF Contractor
AF ContractorAF Contractor
JPL, NASAJPL, NASA
USBRUSBR
ArmyArmy
WPAFBWPAFB
LatviaLatvia
HQ NATOHQ NATO
GoddardGoddardSFCSFC
NASA Major TargetGoddard SFC, MD
HQ NATOHQ NATO
Rome LabsRome Labs
UKUK
ColombiaColombia && ChileChile
S. Korean . Korean Atomic ResearchAtomic ResearchInstInst
CommercialCommercial
CommercialCommercial
AF ContractorAF Contractor
AF ContractorAF Contractor
JPL, NASAJPL, NASA
USBRUSBR
ArmyArmy
WPAFBWPAFB
LatviaLatvia
GoddardGoddardSFCSFC
NASA Major TargetGoddard SFC & JPL
Rome LabsRome Labs
UKUK
ColombiaColombia && ChileChile
S. Korean . Korean Atomic ResearchAtomic ResearchInstInst
CommercialCommercial
CommercialCommercial
AF ContractorAF Contractor
AF ContractorAF Contractor
JPL, NASAJPL, NASA
USBRUSBR
ArmyArmy
WPAFBWPAFB
LatviaLatvia
HQ NATOHQ NATO
GoddardGoddardSFCSFC
Scotland Yard IssuedSearch Warrant
Rome LabsRome Labs
UKUK
ColombiaColombia && ChileChile
S. Korean . Korean Atomic ResearchAtomic ResearchInstInst
CommercialCommercial
CommercialCommercial
AF ContractorAF Contractor
AF ContractorAF Contractor
JPL, NASAJPL, NASA
USBRUSBR
ArmyArmy
WPAFBWPAFB
LatviaLatvia
HQ NATOHQ NATO
GoddardGoddardSFCSFC
Scotland Yard IssuedSearch Warrant
Rome LabsRome Labs
UKUK
ColombiaColombia && ChileChile
S. Korean . Korean Atomic ResearchAtomic ResearchInstInst
CommercialCommercial
CommercialCommercial
AF ContractorAF Contractor
AF ContractorAF Contractor
JPL, NASAJPL, NASA
USBRUSBR
ArmyArmy
WPAFBWPAFB
LatviaLatvia
HQ NATOHQ NATO
GoddardGoddardSFCSFC
Waiting Until Onlineat Rome Labs
Rome LabsRome Labs
UKUK
ColombiaColombia && ChileChile
S. Korean . Korean Atomic ResearchAtomic ResearchInstInst
CommercialCommercial
CommercialCommercial
AF ContractorAF Contractor
AF ContractorAF Contractor
JPL, NASAJPL, NASA
USBRUSBR
ArmyArmy
WPAFBWPAFB
LatviaLatvia
HQ NATOHQ NATO
GoddardGoddardSFCSFC
Identify AdditionalDownstream Victim
Rome LabsRome Labs
UKUK
ColombiaColombia && ChileChile
S. Korean . Korean Atomic ResearchAtomic ResearchInstInst
CommercialCommercial
CommercialCommercial
AF ContractorAF Contractor
AF ContractorAF Contractor
JPL, NASAJPL, NASA
USBRUSBR
ArmyArmy
WPAFBWPAFB
LatviaLatvia
HQ NATOHQ NATO
GoddardGoddardSFCSFC
Had Access to Korean Atomic Research Institution Data
Rome LabsRome Labs
UKUK
ColombiaColombia && ChileChile
KUJI from Wales
DATASTREAM from London
S. Korean . Korean Atomic ResearchAtomic ResearchInstInst
CommercialCommercial
CommercialCommercial
AF ContractorAF Contractor
AF ContractorAF Contractor
JPL, NASAJPL, NASA
USBRUSBR
ArmyArmy
WPAFBWPAFB
LatviaLatvia
HQ NATOHQ NATO
GoddardGoddardSFCSFC
Rome LabsRome Labs
UKUK
ColombiaColombia && ChileChile
Over 100 DownstreamVictims From Rome
S. Korean . Korean Atomic ResearchAtomic ResearchInstInst
CommercialCommercial
CommercialCommercial
AF ContractorAF Contractor
AF ContractorAF Contractor
JPL, NASAJPL, NASA
USBRUSBR
ArmyArmy
WPAFBWPAFB
LatviaLatvia
HQ NATOHQ NATO
GoddardGoddardSFCSFC
- 2 Hackers- 2 Hackers- - 26 Days 26 Days of Attacksof Attacks- 20 Days of Monitoring- 20 Days of Monitoring- 7 Sniffers on Rome Systems- 7 Sniffers on Rome Systems- Over - Over 150 Intrusions 150 Intrusions at ROME Labs from 10at ROME Labs from 10 Different Points of OriginDifferent Points of Origin- Victims - Many & Varied- Victims - Many & Varied- Law Enforcement Agencies - Multiple- Law Enforcement Agencies - Multiple- At Least - At Least 8 Countries 8 Countries Used as ConduitUsed as Conduit
HackersHackersRome Labs Summary
Defense-Wide Information Assurance Program
Bad Actors in the Physical WorldBad Actors in the Physical WorldBad Actors in the Physical WorldBad Actors in the Physical World
Disaffected Loners Unabomber Oklahoma City
Subnational Threat Aum Shinrikyo World Trade Center
Rogue States Iraq North Korea
Defense-Wide Information Assurance Program
Promoting Our National Security In The Physical World
Promoting Our National Security In The Physical World
DoDCIADoDCIA
DoDDoD
FBIFBIFBILocalFBILocal
IntelligenceIntelligence
ForeignForeign
EnforcementEnforcement
DomesticDomestic
Defense-Wide Information Assurance Program
Promoting Our National Security In The Virtual World
Promoting Our National Security In The Virtual World
IntelligenceIntelligence
ForeignForeign
EnforcementEnforcement
DomesticDomestic
AB
Minimum Essential Pillars of Critical ElementsMinimum Essential Pillars of Critical Elements
NationalInformation Infrastructure
Mil
itar
y/G
ov S
ys
Pu
blic
Sw
itch
Net
s
Fin
anci
al S
ys
Hea
lth
Car
e S
ys
Uti
liti
es/P
ower
Tra
nsp
orta
tion
Sys
Defense-Wide Information Assurance Program
ActorHacker
Disgruntled/Co-opted InsiderCriminalsTerrorist
Commercial OrganizationsNation States
ActorHacker
Disgruntled/Co-opted InsiderCriminalsTerrorist
Commercial OrganizationsNation States
ObjectiveCyber-Joyrider
For a Variety of MotivesPersonal/Financial Gain
Advance CauseIndustrial Espionage
Espionage or EconomicAdvantage, InfoWar
ObjectiveCyber-Joyrider
For a Variety of MotivesPersonal/Financial Gain
Advance CauseIndustrial Espionage
Espionage or EconomicAdvantage, InfoWar
“Bad Actors”“Bad Actors”
Defense-Wide Information Assurance Program
Hearings, 16 July 96Hearings, 16 July 96- Witnesses- Witnesses - Jamie Gorelick & Dr John White - Jamie Gorelick & Dr John White - Announced the President Signed Exec Order 13010- Announced the President Signed Exec Order 13010 to formulate Protection of Critical Infrastructuresto formulate Protection of Critical Infrastructures From Terrorism & Cyber AttacksFrom Terrorism & Cyber Attacks - Created- Created - Commission- Commission - Infrastructure Protection Task Force (IPTF)- Infrastructure Protection Task Force (IPTF)
Hearings, 16 July 96Hearings, 16 July 96- Witnesses- Witnesses - Jamie Gorelick & Dr John White - Jamie Gorelick & Dr John White - Announced the President Signed Exec Order 13010- Announced the President Signed Exec Order 13010 to formulate Protection of Critical Infrastructuresto formulate Protection of Critical Infrastructures From Terrorism & Cyber AttacksFrom Terrorism & Cyber Attacks - Created- Created - Commission- Commission - Infrastructure Protection Task Force (IPTF)- Infrastructure Protection Task Force (IPTF)
Information Systems Security Survey
Conducted by WarRoom Research, LLCJul-Oct 96
U.S. Senate PermanentU.S. Senate PermanentSubcommittee on InvestigationsSubcommittee on Investigations
U.S. Senate PermanentU.S. Senate PermanentSubcommittee on InvestigationsSubcommittee on Investigations
Defense-Wide Information Assurance Program
Information Security SurveyInformation Security Survey
- Collaborated with WarRoom Research- Collaborated with WarRoom Research - Conduct Information Systems Security- Conduct Information Systems Security Survey with Private SectorSurvey with Private Sector - Snapshot of InfoSec - Snapshot of InfoSec - Target Fortune 1000 Companies- Target Fortune 1000 Companies
- Anonymous Survey Results- Anonymous Survey Results
Defense-Wide Information Assurance Program
Information Security SurveyInformation Security Survey
- Surveys Sent, 18 Jul 96- Surveys Sent, 18 Jul 96 - 500 Sent- 500 Sent - Completed Surveys Received, 18 Oct 96- Completed Surveys Received, 18 Oct 96 - 205 Qualified Responses (236)- 205 Qualified Responses (236)
Defense-Wide Information Assurance Program
Information Security SurveyInformation Security Survey
- Categories- Categories - General Information- General Information - Policy- Policy - Intrusions- Intrusions - Damage & Reporting- Damage & Reporting - Financial Institutions Only- Financial Institutions Only
Defense-Wide Information Assurance Program
Information Security SurveyInformation Security Survey
- General Information- General Information - Positions in Organization- Positions in Organization - Security Responsibilities- Security Responsibilities - Type of Industry- Type of Industry - All Infrastructures Represented- All Infrastructures Represented
Defense-Wide Information Assurance Program
Information Security SurveyInformation Security Survey
- Policy- Policy - 83% Did Have Written Policy- 83% Did Have Written Policy - 67% Did Have Logon Warning Banners- 67% Did Have Logon Warning Banners
Defense-Wide Information Assurance Program
Information Security SurveyInformation Security Survey
- Intrusions- Intrusions - 94% Consider Outside Security Firm- 94% Consider Outside Security Firm - 27% No Capability to Detect- 27% No Capability to Detect
Defense-Wide Information Assurance Program
Information Security SurveyInformation Security Survey
- Intrusions- Intrusions - 58% Detected Attempts from Outside- 58% Detected Attempts from Outside - 30% Don’t Know- 30% Don’t Know
Defense-Wide Information Assurance Program
Information Security Survey Information Security Survey - Damage & Reporting- Damage & Reporting - Cost for Each Intrusion- Cost for Each Intrusion - By Insiders- By Insiders
- By Outsiders- By Outsiders
Defense-Wide Information Assurance Program
Damage by InsidersDamage by Insiders Unknown - Unknown - 12.7%12.7% - 26 - 26 $0 -$0 - 0.0% 0.0% - 0- 0 $1-1000 - $1-1000 - 0.0% 0.0% - 0- 0 $1,001-5,000 - $1,001-5,000 - 1.5%1.5% - 3 - 3 $5,001-10,000 - $5,001-10,000 - 5.4%5.4% - 11 - 11 $10,001-50,000 - $10,001-50,000 - 11.2%11.2% - 23 - 23 $50,001-200,000 - $50,001-200,000 - 22.4%22.4% - 46 - 46 $200,001-500,000 - $200,001-500,000 - 20.0%20.0% - 41 - 41 $500,001-1,000,000 - $500,001-1,000,000 - 11.2%11.2% - 23 - 23 Over $1,000,000 - Over $1,000,000 - 15.6% 15.6% - 32 - 32
Damage by InsidersDamage by Insiders Unknown - Unknown - 12.7%12.7% - 26 - 26 $0 -$0 - 0.0% 0.0% - 0- 0 $1-1000 - $1-1000 - 0.0% 0.0% - 0- 0 $1,001-5,000 - $1,001-5,000 - 1.5%1.5% - 3 - 3 $5,001-10,000 - $5,001-10,000 - 5.4%5.4% - 11 - 11 $10,001-50,000 - $10,001-50,000 - 11.2%11.2% - 23 - 23 $50,001-200,000 - $50,001-200,000 - 22.4%22.4% - 46 - 46 $200,001-500,000 - $200,001-500,000 - 20.0%20.0% - 41 - 41 $500,001-1,000,000 - $500,001-1,000,000 - 11.2%11.2% - 23 - 23 Over $1,000,000 - Over $1,000,000 - 15.6% 15.6% - 32 - 32
205 Incidents
Defense-Wide Information Assurance Program
Damage by OutsidersDamage by Outsiders Unknown - Unknown - 21.0%21.0% - 43 - 43 $0 -$0 - 0.0% 0.0% - 0- 0 $1-1000 - $1-1000 - 0.0% 0.0% - 0- 0 $1,001-5,000 - $1,001-5,000 - 0.0%0.0% - 0 - 0 $5,001-10,000 - $5,001-10,000 - 4.4%4.4% - 9 - 9 $10,001-50,000 - $10,001-50,000 - 8.3%8.3% - 17 - 17 $50,001-200,000 - $50,001-200,000 - 14.6%14.6% - 30 - 30 $200,001-500,000 - $200,001-500,000 - 19.0%19.0% - 39 - 39 $500,001-1,000,000 - $500,001-1,000,000 - 15.1%15.1% - 31 - 31 Over $1,000,000 - Over $1,000,000 - 17.6% 17.6% - 36 - 36
206 Incidents
Defense-Wide Information Assurance Program
Information Security SurveyInformation Security Survey
- Intrusions Referred to Law Enforcement- Intrusions Referred to Law Enforcement
Out of 411 Incidents
Only 4 ???Only 4 ???
Defense-Wide Information Assurance Program
Information Security SurveyInformation Security Survey Reasons Not Referred to Law EnforcementReasons Not Referred to Law Enforcement 14.3%14.3% - Didn’t Want LE in Their System - Didn’t Want LE in Their System 14.3%14.3% - Lose Productivity - Lose Productivity 12.1%12.1% - LE have Access to Sensitive Data - LE have Access to Sensitive Data 20.9%20.9% - Crime Would Become Public - Crime Would Become Public 19.8%19.8% - Loss of Client Confidence - Loss of Client Confidence 8.8%8.8% - Loss of Competitive Status - Loss of Competitive Status 9.8%9.8% - Other - Other
Defense-Wide Information Assurance Program
Information Security SurveyInformation Security Survey
Circumstances - Willing to Report to LECircumstances - Willing to Report to LE 6.8%6.8% - Anytime Detected - Anytime Detected 30.2%30.2% - If Could Report Anonymously - If Could Report Anonymously 21.7%21.7% - Only If Everyone Else Reported - Only If Everyone Else Reported 37.4%37.4% - Only If Mandatory by Law - Only If Mandatory by Law 3.9%3.9% - Other - Other
Defense-Wide Information Assurance Program
Information Security SurveyInformation Security Survey
Financial Institutions OnlyFinancial Institutions Only - Avg. EFTs per Day?- Avg. EFTs per Day? - What % Misrouted?- What % Misrouted? - What % Misrouted Recovered?- What % Misrouted Recovered? - Annual Loss from Unreconciled EFTs?- Annual Loss from Unreconciled EFTs? - What % EFTs Lost to Criminal Activity?- What % EFTs Lost to Criminal Activity? - Have You Reported Losses to FINCEN?- Have You Reported Losses to FINCEN?
Defense-Wide Information Assurance Program
Information Security SurveyInformation Security Survey
Financial Institutions OnlyFinancial Institutions Only
NO Financial InstitutionNO Financial InstitutionAnswered Any of These Answered Any of These Questions ?????????Questions ?????????
Defense-Wide Information Assurance Program
Year 2000 CrisisAKA: Y2K a Snow Ski ??
Defense-Wide Information Assurance Program
Just a Software Problem?- It’s the Hardware Too!
- 286, 386, 486 Processors - An Estimated 200 Million RISC & 86 Microprocessors Shipped in 1995, Over Half in Embedded Systems (and Weapon Systems) - 93% of All Chips Prior to 1997 - Not Compliant - 50% of All Chips Sold in 1997 - Not Compliant
Defense-Wide Information Assurance Program
Where is this Hardware?- What Could be Effected? - Gas Pumps - Elevators - VCRs - Cell Phones - Microwave Ovens - Cameras - Pagers - Radios - Pace Makers - Store Cash Registers - Brake Systems - Body Wires - Ignition Systems - HVAC - Entry Control Systems - Weapon Systems
Defense-Wide Information Assurance Program
DoD Cyber Incident Response
Goal:
Situational Awareness
Defense-Wide Information Assurance Program
Critical Process
DETECTION REPORTING ANALYSISCOA
RESPONSEALERT/
DISSEMINATION
EVENT
CentralReportingFacility
IncidentCertified
CentralDecisionAuthority
Determination
Inputsto
EventDetected
24x7 C/S/Aorganization
4 hours
Tweak Sensors
Defense-Wide Information Assurance Program
DIO Organizations and Activities Study35 Organizations Assessed
• Joint Task Force - Computer Network Defense
• US Space Command• National Infrastructure
Protection Center
• Air Force Information Warfare Center
• Land Information Warfare Activity
• Naval Information Warfare Activity
• Fleet Information Warfare Center
• Information Operations Technology Center
• Air Force Network Operations Center
• Army Network Systems Operations Center
• Naval Computer and Telecommunications Command
• Global Network Operations Security Center
• Air Force Computer Emergency Response Team
• Army Computer Emergency Response Team
• Navy Computer Incident Response Team
• Defense Logistics Agency CERT• National Security Agency
(XGroup)• DoD CERT• Carnegie Mellon University
CERT/CC
• Joint Staff - J2• Defense Intelligence
Agency• Air Intelligence Agency
• Air Force Office of Special Investigations
• US Army Criminal Investigation Directorate
• US Army Military Intelligence• Naval Criminal Investigation
Service• Defense Criminal Investigative
Service• DoD Computer Forensics Lab
• Joint Command and Control Warfare Center
• Joint Spectrum Center• Defense Advanced Research
Projects Agency• Joint C4ISR Battle Center• Army Research Lab
• National Aeronautics and Space Administration
• Joint Warfare Analysis Center
Protection CERTs Network Operations Support
IW LE/CI Intelligence Other
Defense-Wide Information Assurance Program
Preliminary Mapping of CERT Support toJTF-CND
SERVICECERT
ROSC/RISC
CINC CERT
JTF-CND
SYSTEMMGT
CENTER
AIR FORCE BASE
BASE CONTROLCENTER
ASIM(128)
AFCERTMAJCOM
NOSC
CYBERW ATCH
THREATDATABASE
CARNEGIEMELLON
NATIONALINFRASTRUCTURE
PROTECTIONCENTER
DII AIR FORCE
ARMY BASE
BASE CONTROLCENTER
REAL SECURE(146)
ARMY
NAVY BASE
BASE CONTROLCENTER
NAVY
NETRANGER(12)
NAVCIRT
INFORMATIONASSURANCE
VULNERABILITY ALERT(IAVA)
NIPRNET/SIPRNETNEW S GROUPS & W EB
PAGES
Facility NIPRNET_______________
System Adm in.Function
J6/J39
REGIONALNOSCLOCAL LE/CI
LE/CI
LE/CI
JOINTINTRUSIONDETECTION
(64)
NCIS
OSI/CID
REGIONALCERT/NOSC
ACERT
OTHERSERVICE
CERTS
GLOBALOPERATIONS& SECURITY
CENTER
OSI DET
LOCAL OSI DET
Inform ation Flow DirectionInform ation Flow Bi-DirectionalInform ation CoordinationDIO CentersLaw Enforcem entBase Control CentersIntrusion Detection System sOther DOD OrganizationsNon-DOD Organizations
Figure 5
Defense-Wide Information Assurance Program
DoD FusionCenter
NCA
CJCS
DoD CERTs
NIPC
IC
PEACE ------------------- CRISIS ------------------ WAR
DoD LE/CI
CINCsUSSPACECOM
INFOCON
NORMAL
INFOCON
ALPHA
INFOCON INFOCON
BRAVOBRAVO
INFOCON
CHARLIE
INFOCON
DELTA
JTFCND
Defense-Wide Information Assurance Program
DoD FusionCenter
NCA
CJCS
DoD CERTs
NIPC
IC
PEACE ------------------- CRISIS ------------------ WAR
DoD LE/CI
CINCsUSSPACECOM
INFOCON
NORMAL
INFOCON
ALPHA
INFOCON INFOCON
BRAVOBRAVO
INFOCON
CHARLIE
INFOCON
DELTA
JTFCND
Defense-Wide Information Assurance Program
DefCon 7DefCon 7
- Annual International Hacker Convention- Annual International Hacker Convention- Here in Las Vegas Every July- Here in Las Vegas Every July- Grown to Over 2500- Grown to Over 2500
- “Bad Guys”- “Bad Guys”- “Good Guys”- “Good Guys”
- Share New Tools & Techniques- Share New Tools & Techniques
Stay Close to Your Friends & Closer to Your EnemiesStay Close to Your Friends & Closer to Your Enemies
Special Agent Jim ChristyLaw Enforcement & Counterintelligence Coordinator
Defense-Wide Information Assurance ProgramAssistant Secretary of Defense
Command, Control, Communications, and Intelligence (ASDC3I/DIAP)
Voice: 703-602-9982, DSN 332-9982 Pager: 800-915-1245 Email: [email protected]