Information Assurance -Last update 11 Aug 2002

 

Congressional Security Acts

 

GAO: US cyber security efforts are uncoordinated. A congressional report released on 22 July identifies no fewer than 50 different federal organizations sharing responsibility for protecting critical infrastructures from cyber attack, and warns that they are in desperate need of a consistent strategy to tie them together. The General Accounting Office found that, despite the tangle of bureaucracy thrown at the problem, critical networks remain vulnerable to cyber attack, and that relationships among organizations performing similar critical infrastructure protection activities were ill-defined and inconsistent. The report urged the White House to better define the key federal agencies' cyber security roles in its upcoming National Strategy to Secure Cyberspace, due for release in September. (Security Focus, 22 Jul)

 

Cyber Security Research and Development Act

Cyber Security Research and Development Act - Authorizes appropriations, to the National Science Foundation (NSF) and to the Secretary of Commerce for the National Institute of Standards and Technology (NIST), to establish new programs and to increase funding for certain current programs for computer and network security research and development and research fellowships. Requires the NSF Director to award grants for computer and network security through the following: (1) basic research in innovative approaches to the structure of their hardware and software; (2) multidisciplinary research centers, through institutions of higher education (IHEs) or their consortia which may partner with government laboratories or for-profit institutions; (3) undergraduate and master's degree programs, as well as education-related grants under the Scientific and Advanced Technology Act of 1992; (4) graduate traineeships; and (5) graduate research fellowships. Amends the National Science Foundation Act of 1950 to include among NSF functions leading in supporting research and education activities to improve networked information systems' security. Amends the National Institute of Standards and Technology Act to require the NIST Director to establish a program of assistance to IHEs that enter into partnerships with for-profit entities to support research to improve the security of computer systems. Requires NIST to carry out specified types of intramural computer security research. Requires the NIST Director to arrange with the National Research Council of the National Academy of Sciences to study and report to Congress on critical infrastructure weaknesses.

 

Government Information Security Reform Act (GISRA) 2000

Federal Information Security Management Act (FISMA) 2002

- Makes GISRA permanent; agencies must follow NIST policy without exception

Online InfoSec Books

Firewalls Complete

http://secinf.net/info/fw/complete/

 

Handbook of Applied Cryptography

http://www.cacr.math.uwaterloo.ca/hac/

 

Information Security Publications

 

http://www.washingtonpost.com/wp-dyn/technology/techpolicy/security/

National Journal

 

Information Assurance News, Information Assurance Support Element

 

National Infrastructure Protection Center - Cybernotes

 

FedCirc- Bits and Bytes

 

Daily CyberCrime and Security Report

http://www.newsfactor.com/perl/story/19151.html

 

Infoworld-Security

 

Information Week – Security Tech Center

 

Network Magazine – Security Tutorials

 

Network World

http://www.nwfusion.com/topics/security.html

http://www.nwfusion.com/supp/security2002/

 

Computerworld-Security Knowledge Center

 

Computerworld-Security Special Report

 

Information Assurance Technology Analysis Center (IATAC)

Publishes IANewsletter. Good Reading on Government IA initiatives.

 

Intelligence Enterprise-Privacy and Security

 http://www.intelligententerprise.com/info_centers/privacy/

Information Security Magazine

 

Security Business Quarterly

Published by @stake, only online distribution, excellent publication

 

Security Focus, San Mateo, California

Arthur Wong, Chief Executive Officer

Oliver Friedrichs, Director of Engineering

Security Focus DeepSight Threat Management System, collects and correlates data from more than 14,000 network intrusion-detection, firewall and router devices located on thousands of university, corporate and government networks in 150 countries. Formerly called Attack Registry and Intelligence Service, it tracked its one-billionth security incident after 18 months in operation. SecurityFocus sold to Symantec in July 2002.

 

TechUpdate- Security

http://techupdate.zdnet.com/techupdate/filters/mrc/0,14175,6020424,00.html

 

The Encyclopedia of Computer Security

http://www.itsecurity.com/defaultie5.htm

 

Information Assurance Advisory Council

http://www.iaac.org.uk/

 

Network Security Library

http://secinf.net/policye/html

 

Federal Government Information Security

 

 

Central Intelligence Agency

DCID 6/3

Information Security requirements for the Intelligence Community. Signed by CIA Director April 1999.

 

The National Colloquium for Information Systems Security Education (NCISSE) was created during 1997 to provide a forum for leading figures in government, industry and academia to work in partnership to define current and emerging requirements for information systems security education. The goal of the Colloquium is to influence and encourage the development of information security curricula, especially at the graduate and undergraduate levels. The Colloquium history and charter may be found at http://www.ncisse.org. Chairmanship of the Colloquium rotates annually among government, academia and industry. Check the website for information on the annual conference. An important outcome of the Colloquium is the sharing of knowledge and resources through Colloquium web sites, which currently contain course materials on Ethics in Computing (http://www.infosec.jmu.edu/computerethics), Risk Management, and Malicious Logic.

Appendix III to OMB Circular No. A-130 - Security of Federal Automated Information

http://www.osec.doc.gov/cio/oipr/newaiii.htm

 

Federal Agency Security Practices

http://csrc.nist.gov/fasp/

 

NIST Computer Security Handbook

http://csrc.nist.gov/nistpubs

 

Common Criteria

http://niap.nist.gov/cc-scheme

 

International Common Criteria

www.commoncriteria.org

 

FIPS 140-1 and 140-2 Specifications & Current Validation Modules

http://csrc.nist.gov/cryptval/

 

NIAP Validated Products List (VPL)

http://niap.nist.gov/cc-scheme/ValidatedProducts.html

http://niap.nist.gov/cc-scheme/PPRegistry.html

 

Information Assurance Technical Framework

NSA/NIST US Government recommended Protection Profiles

www.iatf.net

 

FedCIRC

http://www.fedcirc.gov/index.html

 

The U.S. Department of Energy- Computer Incident Advisory Capability

http://www.ciac.org/ciac/

 

Department of Defense

 

The Government Information Security Reform Act requires action. The new draft DoD Information Assurance Directive and Instruction, referred to as DoDD 8500.aa and DoDI 8500.bb, are the capstone documents for building an Information Assurance Program that is documented and measurable. The widely accepted Defense in Depth approach has established a methodology for addressing network and information security concerns. Using these guidelines and requirements, coupled with currently available information, we can design a framework that will support any organization and tailor it to fit our individual business needs.

 

DoD Information Technology Security Certification and Accreditation Process (DITSCAP). Prescribes all the steps required to assess, assign, implement, and audit the information security environment. The DITSCAP umbrella methodology includes everything from risk assessment and management issues to complete certification and accreditation of all systems and the network.

 

Special Information Operations (SIO)

(DOD) Information operations that by their sensitive nature and due to their potential effect or impact, security requirements, or risk to the national security of the United States, require a special review and approval process. Also called SIO. See also information; information operations; operation.


Directorate for C4 systems-Joint Staff experts on C4

http://www.dtic.mil/jcs/core/j6.html

A 535-page PDF document that outlines DoD-wide Information Assurance policy.

 

Joint publication 3-13 Rev1 - Joint Doctrine for Information Operations

Joint publication 3-13.1 Rev1 - Joint Doctrine for Command and Control Warfare (C2W)

Department of Defense Annual Reports

http://www.defenselink.mil/execsec/index.html

Rumsfeld said the military now has six operational goals:

o Protect the U.S. homeland and defeat weapons of mass destruction and their means of delivery.

o Project and sustain power in distant anti-access and area-denial environments.

o Deny enemy sanctuary by developing capabilities for persistent surveillance, tracking and rapid engagement.

o Leverage information technologies and innovative network- centric concepts to link joint forces.

o Protect information systems from attack.

o Maintain unhindered access to space and protect U.S. Space capabilities from enemy attack.

 

Department of Defense

John Stenbit, CIO

www.c3i.osd.mil

 

DoD Information Assurance Office

www.c3i.osd.mil/org/sio/ia/diap

 

DoD Information Assurance Scholarship Program

http://www.c3i.osd.mil/iasp/

 

DoD Information Assurance Support Environment

http://iase.disa.mil/

http://mattche.iiie.disa.mil

 

DoD Computer Emergency Response Team

http://www.cert.mil/

 

DoD Computer Forensics Laboratory

AFOSI is the executive agent for DoD for the DoD Computer Forensics Laboratory. Publishes excellent newsletter on computer forensics

www.dcfl.gov

 

DoD Information Operations

 

23rd Information Operations Squadron

Gregory J. Rattray is a Lieutenant Colonel in the US Air Force. He is currently commander of the 23rd Information Operations Squadron, responsible for information warfare tactics development. He has served on the Headquarters Air Force and Headquarters Strategic Air Command staffs and as Assistant Professor of Political Science at the USAF Academy. Bruce Berkowitz's review of LTC Rattray's book on information warfare: http://www.nap.edu/issues/18.2/br_berkowitz.html

 

Paper on Information Operations to Air Force 2025

http://www.au.af.mil/au/2025/volume3/chap02/v3c2-1.htm#Contents

 

Critical Infrastructure Protection in the United States, Ralf Bendrath, FoG:IS Research Group (Forschungsgruppe), Berlin

http://www.isn.ethz.ch/crn/extended/workshop_zh/ppt/Bendrath/index.htm 

 

INFORMATION OPERATIONS "IO in a Peace Enforcement Environment"

http://call.army.mil/products/newsltrs/99-2/99-2toc.htm

 

Joint Task Force-Computer Network Operations

http://www.spacecom.mil/jtf-cno.htm

The Joint Task Force-Computer Network Operations (JTF-CNO) is the Commander-in-Chief, United States Space Command’s (USCINCSPACE) operational component for Computer Network Operations (CNO), and supports USCINCSPACE in the integration of Computer Network Defense and Computer Network Attack capabilities into the operations of US military forces. Computer Network Operations are comprised of two specific yet complementary mission areas: Computer Network Defense (CND) and Computer Network Attack (CNA). The CND mission is to defend DOD computer networks and systems from any unauthorized event whether it be a probe, scan, virus incident, or intrusion. The CNA mission is to coordinate, support and conduct, at the direction of the National Command Authority (NCA), computer network attack operations in support of regional and national objectives.

 

The Task Force headquarters, located in the metropolitan Washington, DC area, is collocated with the Defense Information Systems Agency’s Global Network Operations and Security Center (GNOSC) and the Department of Defense Computer Emergency Response Team (DoD-CERT). 

 

The JTF-CNO components are the Land Information Warfare Activity (LIWA), Marine Forces-Computer Network Defense (MARFOR-CND), Navy Component Task Force-Computer Network Defense (NCTF-CND), Air Force Forces-Computer Network Operations (AFFOR-CNO) and DISA’s DOD Computer Emergency Response Team (DOD CERT).

http://www.iwar.org.uk/cip/resources/ia-hearing-2001-05/01-05-17bryan.htm

 

DoD Cert

http://www.cert.mil/

 

Information Security Associations

 

Internet Engineering Task Force

Jeff Schiller, Security Area Director

SAAG-IETF Security Area Advisory Group

http://web.mit.edu/network/ietf/sa/

 

IETF Security Tutorial

http://jis.mit.edu/sectutorial

 

Internet Engineering Task Force

www.ietf.org

 

Internet Mail Consortium

www.imc.org

 

The Internet Security Conference Newsletter

http://www.tisc2002.com/insight.html

 

National Association of State Chief Information Officers

NASCIO has issued a report on IT security titled "Public-Sector Information Security: A Call to Action for Public-Sector CIOs." It was written for NASCIO by Don Heiman, former Chief Information Technology Officer for the State of Kansas, as part of a grant from the PricewaterhouseCoopers Endowment for the Business of Government (http://endowment.pwcglobal.com). The report comes out of the November 2001 forum for CIOs held in Washington, DC. Presentations and supporting materials from that forum are available on the NASCIO site.

https://www.nascio.org/

 

CIO University

www.ciouniversity.cio.gov

 

CIO Council

www.cio.gov

 

Information Technology Association of America (ITAA)

Shannon Kellogg, VP of Information Security Programs

 

Institute of Internal Auditors, Altamonte Springs, FL

Charles Le Grand, Director of Technology Practices

 

ISC2, Framingham, MA

James Wade, President (Also CSO for Federal Reserve System)

www.isc2.org

 

SANS (SysAdmin, Audit, Network, Security)

Alan Paller, Director of Research

Top Twenty Most Critical Internet Security Vulnerabilities, compiled jointly by SANS and the NIPC.

www.sans.org/top20.htm

 

DShield

SANS, a Bethesda, Md., nonprofit educational group for security professionals, is also planning to enlarge its early-warning system called DShield (www.dshield.org), which publishes a Top Ten list of attacking IP addresses online, free of charge, as a public service. DShield could get much bigger soon. Check Point Software Technologies Ltd., the world's dominant firewall maker, plans to provide a feature in its August FireWall-1/VPN-1 product upgrade that will allow customers to block traffic from IP addresses SANS lists as attackers. Customers may also choose to automatically and anonymously submit firewall logs to SANS. Check Point has 100,000 customers and its software sits at 250,000 network gateways worldwide. The Check Point partnership with SANS isn't exclusive and doesn't involve money, according to Asheem Chandna, vice president of business development at Check Point.
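The DShield model described above boils down to three steps: collect firewall deny logs from many sites, rank the source addresses that generate the most events against the most targets, and publish the top of that ranking as a blocklist that a gateway can consume. The Python below is an added illustration of that pipeline and is not DShield's, SANS's or Check Point's code. It parses constructed netfilter-style syslog lines (an assumed format; real submissions use DShield's own format), ranks sources with a minimum-event threshold and an exclusion set for addresses you never want to block, and strips local destination addresses before the log is shared, the anonymization step a submitter would want. The thresholds and the sample addresses are assumptions.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample firewall log (netfilter/iptables syslog style, assumed format).
# Addresses are from the documentation ranges; this is not real submitted data.
SAMPLE_LOG = """\
Aug 10 01:02:03 gw kernel: IN=eth0 OUT= SRC=203.0.113.5 DST=198.51.100.10 PROTO=TCP SPT=4021 DPT=80
Aug 10 01:02:04 gw kernel: IN=eth0 OUT= SRC=203.0.113.5 DST=198.51.100.11 PROTO=TCP SPT=4022 DPT=80
Aug 10 01:02:05 gw kernel: IN=eth0 OUT= SRC=203.0.113.5 DST=198.51.100.12 PROTO=TCP SPT=4023 DPT=80
Aug 10 01:02:06 gw kernel: IN=eth0 OUT= SRC=192.0.2.77 DST=198.51.100.10 PROTO=TCP SPT=51000 DPT=22
Aug 10 01:02:07 gw kernel: IN=eth0 OUT= SRC=192.0.2.77 DST=198.51.100.10 PROTO=TCP SPT=51001 DPT=22
Aug 10 01:02:08 gw kernel: IN=eth0 OUT= SRC=198.51.100.250 DST=198.51.100.10 PROTO=UDP SPT=53 DPT=1025
Aug 10 01:02:09 gw kernel: IN=eth0 OUT= SRC=203.0.113.5 DST=198.51.100.13 PROTO=TCP SPT=4024 DPT=1433
"""

# Only the fields the ranking needs; SPT is optional because ICMP lines lack it.
LINE_RE = re.compile(
    r"SRC=(?P<src>[\d.]+) DST=(?P<dst>[\d.]+) PROTO=(?P<proto>\w+)(?: SPT=\d+)? DPT=(?P<dpt>\d+)"
)


def parse_log(text):
    """Yield (src, dst, dport) tuples from log lines; lines that do not match are skipped."""
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            yield m.group("src"), m.group("dst"), int(m.group("dpt"))


def anonymize(records, local_net):
    """Replace destination addresses inside local_net with a placeholder before sharing.

    A submitted log should reveal which sources are scanning, not which internal
    hosts exist; the source addresses are left intact because they are the point.
    """
    net = ipaddress.ip_network(local_net)
    out = []
    for src, dst, dport in records:
        if ipaddress.ip_address(dst) in net:
            dst = "LOCAL"
        out.append((src, dst, dport))
    return out


def rank_sources(records, min_events=2, exclude=frozenset()):
    """Rank source addresses by event count, then by number of distinct targets.

    Returns a list of (src, events, distinct_targets, distinct_ports). Sources
    with fewer than min_events events, or listed in exclude (your own addresses,
    upstream DNS, monitoring probes), never appear, so they can never be blocked.
    """
    events = defaultdict(int)
    targets = defaultdict(set)
    ports = defaultdict(set)
    for src, dst, dport in records:
        events[src] += 1
        targets[src].add(dst)
        ports[src].add(dport)
    ranked = [
        (src, n, len(targets[src]), len(ports[src]))
        for src, n in events.items()
        if n >= min_events and src not in exclude
    ]
    # Most events first, then most targets, then address for a stable order.
    ranked.sort(key=lambda r: (-r[1], -r[2], r[0]))
    return ranked


def blocklist(ranked, top_n=10):
    """Return the top-N source addresses, the form a firewall feed would consume."""
    return [r[0] for r in ranked[:top_n]]


if __name__ == "__main__":
    recs = list(parse_log(SAMPLE_LOG))
    shared = anonymize(recs, "198.51.100.0/24")
    for src, n, tgts, prts in rank_sources(shared):
        print(f"{src:16} events={n} targets={tgts} ports={prts}")
    print("blocklist:", blocklist(rank_sources(shared)))
```

Note that the exclusion set matters more than the threshold: in the sample, 198.51.100.250 answering on UDP 53 looks like a single stray packet, but an operator who resolves through that address would still want it excluded explicitly rather than trusting the threshold, since a burst of legitimate replies would otherwise land it on the blocklist.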

 

ACM Special Interest Group on Security, Audit and Control (ACM SIGSAC)

http://www.acm.org/sigsac/

 

IEEE Computer Society Technical Committee on Security and Privacy

http://www.ieee-security.org/

 

The International Association for Cryptologic Research (IACR)

www.iacr.org

 

Computer Security Institute (CSI)

www.gocsi.org

Publishes the annual "Computer Crime and Security Survey" jointly with the FBI.

CMP Media LLC publishes Network Magazine and also owns CSI.

 

Internet Security Alliance

Dave McCurdy, Executive Director

www.isalliance.org

The alliance is the joint effort of Carnegie Mellon University's Software Engineering Institute, the institute's CERT Coordination Center and the Electronics Industries Alliance.

 

Research & Consulting Organizations

 

Braxton 

Was Deloitte Consulting (closely held, $3.5 billion revenue, 15,000 employees)

Doug McCracken, CEO

Will officially separate from Big Five parent Deloitte Touche Tohmatsu

 

Accenture

Was Andersen Consulting (public company)

 

Monday

IBM recently announced it will acquire Monday for $3.5 billion. Monday was PwC Consulting, which had been planning to separate itself from PricewaterhouseCoopers and go public in late 2002.

 

Interpact Inc

Winn Schwartau, President

http://www.interpactinc.com/home.html

Great links from Interpact

http://www.interpactinc.com/infosec.html

 

White Wolf Consulting

http://www.whitewolfconsulting.com

 

Counterpane Internet Security

www.counterpane.com

 

@stake

www.atstake.com

The @stake Sleuth Kit (TASK) is an open source forensic toolkit for a complete analysis of Microsoft and UNIX file systems.
http://www.atstake.com/research/tools/task/

 

www.robertgraham.com

 

ICSA Labs, division of TruSecure Corporation

http://www.icsalabs.com/index.shtml

 

Information Systems for Security Professionals

http://infosyssec.com

 

Packet Storm

www.packetstorm.decepticons.org

Good infosec links.

 

Black Hat Briefings & Training, July 29 - August 1, Las Vegas, the world's premier technical security event! 8 tracks, 12 training sessions, Richard Clarke keynote, 1500 delegates from 30 nations, with a near cult following of both CSOs and "underground" security experts. 
http://www.blackhat.com

 

Security Writers organization

www.securitywriters.org

 

Latin American consulting firm

www.ussrback.com

 

Checksum

www.checksum.org

Good link farm on Info sec topics

 

Security Knowledge Base

http://www.security.ittoolbox.com/

 

Defense Advanced Research Project Agency (DARPA)

www.darpa.mil

 

Mitretek Systems (non-profit research organization serving the Federal Government)

Developed Starlight and Spire, visual analysis tools, for the Intelligence Community

Center for Information Systems

Craig Janus, VP

www.mitre.org

Mitre Intrusion Detection Technology Program

www.mitre.org/research/cyber/security/index.html

The Edge-Information Assurance Issue

www.mitre.org/pubs/edge/february_01/

Mitre Infosec website

www.mitre.org/work/infosec/shtml

CVE

www.mitre.org/pubs/showcase/cve-01/

 

National Research Council

June 25, 2002 report on electrical grid vulnerabilities, commissioned by the National Academies

 

ANSER (federally funded research organization)

Ruth David, President

 

Information Security Assessment Training & Rating Program

www.iatrp.com

 

Aberdeen Group

www.aberdeen.com

Eric Hemmendinger, Research Director in the Information Security Group

 

Robert Francis Group

Chad Robinson, Senior Research Analyst

www.rfgonline.com

 

The Theory Group

www.thetheory.com

 

Gibson Research

Steven Gibson, President

www.grc.com

 

Solutionary, Managed Security Service Provider (MSSP)

http://www.solutionary.com/

 

Foundstone

http://www.foundstone.com/

 

Stroz and Associates

http://www.strozassociates.com/

 

Attrition.org

www.attrition.org/security/denial

Computer security website; hosts the Denial of Service Database 2.0

 

Information Week Annual Global Information Security Survey

Fielded by PricewaterhouseCoopers

www.information.week.com/TC/networking/security

 

Computer Economics

Michael Erbschloe, VP Research and author of Information Warfare: How to Survive Cyberattacks

 

H2K2 Slides [MS PowerPoint, 2.6 MB]
http://www.iwar.org.uk/hope/h2k2strategic_thought.ppt


Wanja Eric Naef
Webmaster & Principal Researcher
IWS - The Information Warfare Site
http://www.iwar.org.uk

www.nitzbergsecurityassociates.com

 

Information Security Recruiting Firms

 

Tatum CIO Partners LLP

http://www.tatumcio.com/index.htm

 

Presidential Information Security Directives

 

National Strategy for Homeland Security

Information sharing and data mining are important components of the plan.

http://www.whitehouse.gov/homeland/book/

National Plan for Protecting Cyberspace.  On 26 July the Bush administration unveiled the nation's first homeland and cybersecurity strategy, which calls for an unprecedented partnership between federal, state and local governments and the private sector to battle terrorism. The National Plan for Protecting Cyberspace builds upon work started by the Clinton administration to enlist the help of the private sector, which owns and operates the bulk of the nation's critical infrastructure. The new plan calls for the use of a wide array of information technologies to help battle terrorism at home, including the establishment of "smart borders" through the use of IT-enabled sensors and monitoring equipment. It also calls for: port authorities to make use of IT to secure shipping containers entering US ports; biometric authentication systems to secure buildings, airports and other critical infrastructure facilities; the deployment of "red teams" to test the security of critical systems, network and facilities; and an overhaul of IT systems to support better information sharing among federal law enforcement and intelligence agencies.  

 

National Security Directive (NSD)-42 (5 JUL 90)
National Policy for the Security of National Security Telecommunications and Information Systems.

 

Executive Order 13010, Critical Infrastructure Protection, creating the PCCIP

July 15, 1996

 

President’s Commission on Critical Infrastructure Protection (PCCIP)

July 1996 - October 1997. Chairman: General Robert T. (Tom) Marsh, USAF (Ret.)

Remains the definitive public policy review of the business, economic and defense implications of cyber-security risks, vulnerabilities and threats. Report summary: Critical Foundations - Thinking Differently.

http://www.pccip.gov/summary.html

Presidential Decision Directive PDD-63 (22 MAY 98)

http://www.fas.org/irp/offdocs/pdd-63.htm

Plan of action on the findings of the President’s Commission on Critical Infrastructure Protection (PCCIP) of Oct 97. Requires Vulnerability Awareness and Education Programs within both the Government and private sector to sensitize people regarding the importance of security and train them to security standards, particularly regarding cyber systems.

 

President's Critical Infrastructure Protection Board (PCIPB)

www.whitehouse.gov/pcipb

Chairman, Richard Clarke

Vice Chairman, Howard Schmidt

The CNSS reports fully and regularly on its activities to the PCIPB.

 

National Security Telecommunications & Information Systems Security Policy 11 (NSTISSP 11)

- Requires evaluated (Common Criteria) products for national security systems from 1 July 2002

- The House version of the 2003 Defense Authorization Bill requires DoD to buy certified products

 

NSA Information Assurance Directorate (IAD)

Michael Jacobs, Director

www.nsa.gov/isso

 

IAD Sponsored events

http://www.iaevents.com/

 

Executive Order 13231 - Critical Infrastructure Protection in the Information Age, 16 OCT 2001

http://www.ciao.gov/News/EOonCriticalInfrastrutureProtection101601.html

http://www.whitehouse.gov/news/releases/2001/10/20011016-12.html

Created the President’s Critical Infrastructure Protection Board (PCIPB)

Information Sharing and Analysis Centers (ISACs) to pool information about cyber threats. Only a handful of ISACs exist so far, in banking, telecommunications, electric power, emergency law enforcement and information technology.

 

IT-ISAC

www.itisac.org

 

Financial services (FS-ISAC), Mr. Stanley (Stash) R. Jarocki, Chairman

NIPC and Financial Services ISAC agree to share security information. In an effort to enhance the security and readiness of the country's financial services industries to deal with potential terrorist threats, Mr. Stanley (Stash) R. Jarocki, Chairman, Financial Services Information Sharing and Analysis Center, LLC (FS/ISAC) signed an agreement with Ronald L. Dick, NIPC Director. The partnership between the FS/ISAC and the NIPC will allow vital security-related information to move more effectively between the multi-agency NIPC, based at FBI headquarters in Washington, DC, and financial services associations. 

www.fsisac.com

 

Chemical Sector Cyber Security Information Sharing Forum

David Kepler, CIO, Dow Chemical Corporation

 

Water supply, and telecommunications (NCC-ISAC)

           

North American Electric Reliability Council (NERC), the ISAC for the electric power sector, has established an Indications, Analysis and Warning (IAW) program

 

The proposal for an interstate information sharing and analysis center (ISAC) for cybersecurity, put forward by the National Association of State Chief Information Officers (NASCIO), stems from Presidential Decision Directive 63 issued by President Clinton in 1998. This may be the same initiative as the Cyber Security Information Sharing Network.

 

 

Critical Infrastructure Assurance Office (CIAO), created by PDD-63

National Infrastructure Protection Center (NIPC), created by PDD-63

Established February 1998 as the national cyber warning center, under the Department of Justice and housed within the Federal Bureau of Investigation (FBI). All 56 FBI field offices have an InfraGard chapter. The NIPC has developed the InfraGard initiative into the largest government/private sector joint partnership for infrastructure protection in the world, taking it from its humble roots of a few dozen members in two states to a current membership of over 4,400 partners. InfraGard shares information with private sector infrastructure owners and operators about cyber intrusions and other critical infrastructure vulnerabilities. This service is provided free of charge.

 

NIPC offers "Seven Simple Computer  Security Tips"

http://www.nipc.gov/warnings/computertips.htm

 

US Space Command (SPACECOM) Joint Task Force/Computer Network Operations (JTF/CNO)

 

National Security Presidential Directive (NSPD 1)

Currently working on EO to implement (NSPD 1)

 

NCIX

www.ncix.gov

 

Committee on National  Security Systems (CNSS) formerly NSTISSC

John Stenbit, Chairman, Assistant Secretary of Defense for Command, Control, Communications and Intelligence. CNSS is the new name for National Security Telecommunications & Information Systems Security Committee (NSTISSC)

www.nstissc.gov

 

Under Executive Order (E.O.) 13231 of October 16, 2001, Critical Infrastructure Protection in the Information Age, the President redesignated the National Security Telecommunications and Information Systems Security Committee (NSTISSC) as the Committee on National Security Systems (CNSS). The Department of Defense continues to chair the committee under the authorities established by NSD-42. As a standing committee of the President's Critical Infrastructure Protection Board, the CNSS reports fully and regularly on its activities to the Board.

 

The EO directs the protection of information systems for critical infrastructure, including emergency preparedness communications, and the physical assets that support such systems. The Secretary of Defense and the Director of Central Intelligence are responsible for developing and overseeing the implementation of government-wide policies, principles, standards, and guidelines for the security of systems with national security information.

 

The CNSS provides a forum for the discussion of policy issues, sets national policy, and promulgates direction, operational procedures, and guidance for the security of national security systems through the CNSS Issuance System. National security systems are those that contain classified information, or whose function, operation or use:

       a. involves intelligence activities;

       b. involves cryptographic activities related to national security;

       c. involves command and control of military forces;

       d. involves equipment that is an integral part of a weapon or weapons system(s); or

       e. is critical to the direct fulfillment of military or intelligence missions (not including routine administrative and business applications).

 

National Information Assurance Partnership

Ron Ross, Director

Partnership between NIST and NSA to implement Common Criteria

Developing "Protection Profiles" for each technology area: Basic, Extended and Advanced

Trusted Computer System Evaluation Criteria (TCSEC), the "Orange Book"

http://niap.nist.gov

 

Security Proof of Concept Keystone Program (SPOCK Program)

http://coact.com/spock.html

SPOCK is a joint government-industry consortium sponsored by NSA to demonstrate security features of commercial and government products that can support dependable security architectures. This activity provides a forum for government users and security technology providers to share information on security requirements, emerging technologies, and new product developments. Integrators and product developers are afforded opportunities to share new solutions, identify government developed technology available for commercial use, and prototype COTS products in government sponsored test beds.

John H. McIver, Jr
NSA SPOCK Program Manager
410-854-6318
jhmcive@missi.ncsc.mil

 

Larry McGinness
COACT, Inc. SPOCK Support
301-498-0150
lbm@coact.com

 

ICAT Metabase Common Vulnerabilities and Exposures Database

http://icat.nist.gov/icat.cfm

ICAT is a searchable vulnerability index available at http://icat.nist.gov and maintained by the Computer Security Division at the National Institute of Standards and Technology. ICAT enables one to search, at a fine granularity (e.g. by software, version number, and other attributes), a set of vulnerabilities standardized and verified by the members of the computer security community involved with the CVE vulnerability naming standard (http://cve.mitre.org). Once a vulnerability is isolated, ICAT provides a snapshot of the vulnerability and links to the appropriate entries in public vulnerability databases. These public databases then provide ICAT users with detailed vulnerability and patch information. ICAT is a fine-grained search engine that allows one to search and access the contents of some of the best public vulnerability databases on the web. ICAT can help system administrators, researchers, and security officers to stay abreast of the ever-changing world of vulnerabilities.

 

National Computer Security Center

http://csrc.nist.gov/nissc

 

National Security Council

www.whitehouse.gov/nsc

 

Stay Safe Online

www.staysafeonline.info

 

Defense Information Systems Agency (DISA)

www.disa.mil

 

US Air Force Information Security

 

Air Force Office of Special Investigations Computer Crime Investigations and Information Operations

http://www.dtic.mil/afosi

 

US Navy Information Security

https://infosec.navy.mil/

 

US Army Information Security

Vermont National Guard

RESERVE COMPONENT IO SUPPORT

The multi-component concept of operations for the LIWA includes reserve component support to expand the LIWA's capability to support Army total IO requirements across the entire operational spectrum especially defensive IO emphasizing information infrastructure protection. Both the Army National Guard (through the IO Project Office) and the Army Reserve (through the Reserve IO Coordination Center - RIOCC) are organized and trained to provide a structure to complement and reinforce the LIWA's IO operational capabilities. Both reserve components provide direct IO support to operational and tactical commanders to achieve full spectrum dominance, expanding the Army's capability to perform IO across the operational continuum. Additionally, ARNG IO organizations also support Homeland Defense and state applications of defensive IO in the form of computer emergency response and vulnerability assessment. Another purpose of the integrated multi-component support strategy is to contribute to the readiness of the entire Army by providing an IO capability using the soldier's civilian acquired skills. 

Reserve Information Warfare Enhancement Center (RIOCC)

www.vimare.com/RIOCC.html

 

Defense chief outlines challenges of information age warfare

http://www.govexec.com/dailyfed/0802/081602td1.htm

Army Strategic Readiness System - replaces the USR   https://akocomm.us.army.mil/srs/ 

AR 520-20, Information Warfare/Command and Control Warfare Policy, established LIWA to support and integrate IO in Army operations.

 

AR 380-19, Information Systems Security

http://www.gordon.army.mil/sit/ar380-19.doc

 

AR 380-5, US Army Information Security Program

 

AR 380-53, Penetration testing and security testing attempting to circumvent security features

 

FM 3-13 (Formerly FM 100-6), US Army Information Operations

Scheduled to be published in 3rd Qtr 2002. FM 3-13 is the Army's overarching publication for information operations (IO) and builds on the foundation laid in Chapter 11, "Information Superiority," of FM 3-0.

 

AR 381-14 (S), TEMPEST and communications security

 

Information Operations in the US Army Reserve

http://www.usarc.army.mil/news/IOPromo.htm

 

US Army Land Information Warfare Activity (LIWA)

8825 Beulah Street, Fort Belvoir, VA 22060-5246

https://www.liwa.belvoir.army.mil/

Great links from LIWA

https://www.liwa.belvoir.army.mil/io_websites.html

Army's Computer Response Team assumes electronic border protection duties

by Master Sgt. Joan Fischer

FORT BELVOIR, Va. (ARNEWS, May 12, 1997) -- Information dominance took a giant leap into the future in March when the U.S. Army Intelligence and Security Command opened the Army Computer Emergency Response Team Coordination Center at Fort Belvoir, Va. Its mission is to re-write the books on how the Army handles the newest threat in the field manuals -- computer hackers. The team, also known as ACERT/CC, is the newest division formed under the two-year old Land Information Warfare Activity led by Col. Halbert F. Stevens. It's chartered with the responsibility to detect, track and report computer attacks against Army computer networks.

 

LIWA received the tasker in February 1996 to form the response team. A year later, under the guidance of INSCOM Commander Brig. Gen. John D. Thomas Jr., the command was ready to take on command and control protect (C2 protect) operations in support of the Army. "It's an element whose time has come," said Lt. Gen. (Ret.) Paul E. Menoher Jr., former deputy chief of staff for intelligence. "C2 protection of information assurance is absolutely critical."

Future plans include regional computer emergency response teams, called RCERTs, which will be located around the world. One regional team is already operational in Europe. ACERT/CC is currently operational Monday through Friday, 12-hours a day. Eventually, it will be operational 24-hours a day.

 

ACERT/CC is a joint venture among the information operations triad of the Army's deputy chiefs of staff for Operations and Intelligence, and the Joint Chief of Staff's director for Command, Control, Communications and Computers (DISC4).

The ACERT/CC role is two-fold: help the Army identify computer systems vulnerabilities, and prevent hackers from accessing those same systems by exploiting those vulnerabilities. Set up to operate under the INSCOM umbrella, ACERT/CC receives missions from DA DCSOPS and assistance requests from any Army command. According to Lt. Col. Bob Vrtis, LIWA's chief of information assurance, ACERT/CC prioritizes the incoming requests for assistance; however, the Army's deputy chief of staff for operations can direct their priorities.

 

A hacker demonstration was conducted as part of the ribbon-cutting ceremony. An ACERT/CC computer security expert conducted the demonstration, saying that you have to "think like a hacker and try to break into a system."

For example, if an Army organization requests the team's assistance in checking out its vulnerabilities, a team member can sit at a computer terminal and attempt to break in from a remote site -- much like a real-world hacker. The goal is to get access to the "target" and gain system administrator's privileges, then erase all electronic record of the contact. In the case of a malicious hacker, the goal might be to alter files, delete information, or replace an Internet web site. While the team can diagnose such vulnerabilities long-range, Vrtis said you lose a lot by this process. "What you miss is the hands-on approach of providing personal attention and training to the systems administrator," he said. ACERT/CC sends out forward support teams to various sites on request. ACERT/CC is also the first line of defense in tracking down computer hackers, whether teenage hackers trying out their skills on military targets, or people attempting espionage. ACERT/CC's main thrust is to deter outside intrusion into the Army's systems. "Deter is the key piece and focus of what ACERT/CC is all about," said Stevens.

Whatever else it is, ACERT/CC is not a police activity. Stevens said ACERT/CC's role is to determine if there is a hacker, then use the established notification process to report and coordinate responses, such as in the case of any other potential crime.

 

Barbara Schalestock, ACERT/CC chief, said that, depending upon the incident, it could be reported to Criminal Investigation Command or other appropriate Army activity. She has been involved in writing those reporting procedures while forming ACERT/CC's nucleus. Schalestock visited other agencies, including the Navy and Air Force, both of which had previously formed emergency response teams to address computer security issues. She was able to draw from the other services' experiences, along with DISA, to focus the ACERT/CC mission. She said the groundwork is established for getting operational procedures in place and formalized. The ACERT/CC staffing is another on-going challenge. ACERT/CC is currently staffed with a mix of contractors, Department of the Army civilians and military. Stevens said that resources are being reallocated from existing entities within the Department of Defense, which will enable the ACERT/CC to grow to its target strength of about 20 people.

 

Educating the rest of the Army about a new system or organization is part of the evolution process. Plans call for a web site on the Army homepage featuring information about ACERT/CC services. Vrtis said they intend to be proactive on notifying their "customers" about vulnerabilities by forming a service database and e-mail notices to consumers. The team will also provide LAN managers with the software tools they need to combat attacks. Rapidly changing capabilities further blur areas of responsibilities among the various agencies in a joint environment. ACERT/CC provides valuable support to the operational side of the military. Stevens said ACERT/CC's primary focus is to support the land component commander. In these days of joint missions, he added that it is difficult to draw the line for areas of responsibilities. "It depends on who gets tasked with the mission," said Stevens. "If the Army gets the lead, then (they will) coordinate with the other players."

Many decisions are yet to be made. Meanwhile, Vrtis and Schalestock are charged with forging ahead -- drawing a road map to the future. "We play it by ear," Schalestock simply said. "There's no (predetermined) path to take."

(Editor's note: To contact the Army Computer Emergency Response Team Coordination Center, call 1-888-203-6332 toll free from the United States or DSN 312-235-1113 from overseas military phones. For more information, call INSCOM Public Affairs Office at COML (703) 806-5326. Fischer is with the INSCOM Public Affairs Office, Fort Belvoir, Va.)

Information Warfare Associates (private firm)

www.ewa.com

 

US Army Research Laboratory – History of Computing, ENIAC supported US Army operations

http://ftp.arl.army.mil/~mike/comphist/

 

Theater Network Operations and Security Center

http://www.ansoc.army.mil/

CONUS-TNOSC is a part of the United States Army Signal Command which is located at Ft. Huachuca, Arizona. CONUS-TNOSC consists of dedicated teams providing system, network and database management support to U.S. Army customers in support of the Army Power Projection missions on a worldwide basis.

 

The Office of the Director of Information Systems for Command, Control, Communications and Computers (DISC4) http://www.army.mil/disc4/ is now Office of the Chief Information Officer/G-6 (CIO/G-6)
http://www.army.mil/ciog6/

 

Army Information Assurance

https://informationassurance.us.army.mil/

The Information Assurance Directorate is responsible for developing and overseeing the Army's Information Systems Security Program (ISSP) which is the overarching program for securing the Army's portion of the Defense Information Infrastructure. The Army's Chief Information Officer/G-6 is responsible for implementing protective measures, developing plans, policies and procedures, developing and monitoring training, and validating requirements to protect SECRET and below command, control, communications, and computer capabilities. The Information Assurance Directorate develops and directs the implementation of the ISSP for product procurement, the Network Security Improvement Program (NSIP) Plan for the Army sustaining base, and the Force XXI Protection Plan for the tactical force.

 

DoD Information Assurance Directorate

www.nsa.gov/isso

 

Information Assurance Technology Analysis Center

Good infosec links on resource page.

http://iac.dtic.mil/iatac

 

Information Assurance Technical Framework Forum

www.iatf.net

 

National Information Assurance Partnership

http://niap.nist.gov

 

Systems Security Engineering - Capability Maturity Model

http://www.sse-cmm.org/

 

Information Assurance Support Element

http://mattche.iiie.disa.mil/

 

Army Computer Emergency Response Team

http://www.acert.belvoir.army.mil/

 

Orange Book DoDD 5200.28

http://www.acert.belvoir.army.mil/regulations/dod5200

 

Automated System Security Incident Response Team

http://www.assist.mil/

 

CERT Security Improvement Modules

http://www.cert.org/security-improvement

 

Computer Incident Advisory Capability

http://ciac.llnl.gov/

 

DOE Information Security (DOE-IS)

http://doe-is.llnl.gov/

 

Director of Information Management (DOIM)

http://doim.army.mil

 

INFOSEC Program Management Office

http://www.disa.mil/infosec

 

U.S. Army Regional Computer Emergency Response Team Europe (RCERT-E)

http://www.iwsc.5sigcmd.army.mil/

 

Site Security Guidance

 

Site Security Handbook

http://www.net.ohio-state.edu/hypertext/rfc1244/toc.html

This handbook is a guide to setting computer security policies and procedures for sites that have systems on the Internet. This guide lists issues and factors that a site must consider when setting their own policies. It makes some recommendations and gives discussions of relevant areas. This guide is only a framework for setting security policies and procedures. In order to have an effective set of policies and procedures, a site will have to make many decisions, gain agreement, and then communicate and implement the policies.

 

Security & Encryption

http://www.yahoo.com/Computers_and_Internet/Security_and_Encryption

 

List of homepages of leading cryptographers including Ross Anderson, University of Cambridge and Dorothy Denning, Georgetown University

http://www.swcp.com/~mccurley/cryptographers/cryptographers.html

 

Jan Camenisch http://www.zurich.ibm.com/~jca/  

List of cryptographers http://www.zurich.ibm.com/~jca/cryptographers/

 

SIRENE: SIcherheit in REchnerNEtzen / Security in Computer Networks

http://www.semper.org/sirene/index.html

 

Zurich Information Security Center

http://www.zisc.ethz.ch/

 

Joint Interoperability Test Command (JITC) (Part of DISA) JITC is located at the Naval Surface Warfare Center (NSWC) Indian Head, Md.

 

Security Technical Implementation Guide (STIG)

Security Technical Implementation Guides (STIGs) are DISA's configuration standards for hardening DoD information systems. Products that have been validated against the relevant STIG can be selected by government agencies to help secure their IT infrastructure.

 

Federal Energy Regulation Commission (FERC)

 

Office of Science & Technology Policy (OSTP)

 

House Science Committee

Sherwood Boehlert (R-NY), Chairman

 

Senate Commerce Subcommittee on Science, Technology and Space

Ron Wyden, Chairman

 

UNIRAS is a member of the Forum of Incident Response and Security Teams (FIRST) and has contacts with other international Incident Response Teams (IRTs) in order to foster cooperation and coordination in incident prevention, to prompt rapid reaction to incidents, and to promote information sharing amongst its members and the community at large.

 

UNIRAS (UK Govt CERT) Briefing Notice 187/02, dated 20.06.02, 11:30

UNIRAS is part of NISCC (National Infrastructure Security Co-ordination Centre). UNIRAS material is also available from its website at www.uniras.gov.uk, and information about NISCC is available from www.niscc.gov.uk.

 

Upcoming Information Security and Assurance events:

 

http://iac.dtic.mil/iatac/news_events/training_2002_main.htm
http://call.army.mil/Io/liwa/20may02.htm

 

 

University Information Security Centers and Research Institutes

 

The Federal Cyber Service program offers scholarships to study information assurance in exchange for two years of government service. The University of Tulsa, Carnegie Mellon University, the Naval Postgraduate School, Iowa State University, the University of Idaho, and Purdue University currently participate and have programs for both graduate and undergraduate students. The first group of 66 students is finishing the first year of the program.

 

National Colloquium for Information Systems Security Education

www.ncisse.org

 

NSA Centers of Academic Excellence in Information Assurance Education

http://www.nsa.gov/isso/programs/coeiae/index.htm

 

National INFOSEC Education and Training Program

http://www.nsa.gov/isso/programs/nietp/index.htm

 

DOD Information Assurance Scholarship Program

http://www.c3i.osd.mil/iasp/

 

National Security Telecommunications and Information Systems Security Committee:

http://www.nstissc.gov

 

James Madison University

Center for Research in Information Systems Security Education (CRISSE)

www.infosec.jmu.edu/ncisse/conference99

Manages the NCISSE as chairmanship changes each year amongst academic, industry and government.

 

US Army Signal Center, School of Information Technology

http://www.gordon.army.mil/sit/

http://atzhssweb.gordon.army.mil/otdweb/information/contents.asp

 

Dartmouth

Institute for Security Technology Studies

Michael Vatis, Director

www.ists.dartmouth.edu

 

Dartmouth

The Institute for Information Infrastructure Protection

http://www.thei3p.org/index.jsp

Great Links from I3P

http://www.thei3p.org/ecommunities/links.jsp

 

Dartmouth

Investigative Research into Infrastructure Assurance (IRIA) group

http://www.ists.dartmouth.edu/IRIA/courses/index.htm

 

Georgetown University

Institute for Information Assurance

Dorothy Denning, Director

http://www.cosc.georgetown.edu/~denning/

 

Carnegie Mellon University, Software Engineering Institute

Computer Emergency Response Team (CERT) Coordination Center

www.cert.org

 

Naval War College, Newport, RI

Knowledge Management Team

2001 Global War Games – eliminated stove-piped chains of command

 

Johns Hopkins University

Information Security Institute

www.jhuisi.jhu.edu

 

KSU Center for Info Security Education & Awareness

http://infosec.kennesaw.edu

http://infosec.kennesaw.edu/link2.html

 

Southeast Crime Institute

http://cybercrime.kennesaw.edu

 

University of New Haven

Forensic Computer Investigation Program

http://unhca.com/index.html

 

University of Washington

Dave Dittrich, Senior Research Engineer

http://staff.washington.edu/dittrich/misc/ddos

Largest collection of links relating to DDOS attacks on the Internet

 

Purdue University

Center for Education and Research in Information Assurance and Security

Gene Spafford, Director

http://www.cerias.purdue.edu/homes/spaf/index.html

www.cerias.purdue.edu

 

United States Military Academy

Information Technology and Operations Center

http://www.itoc.usma.edu/

 

Norwich University

Mich Kabay, Associate Professor of Information Assurance

www.norwich.edu

 

University of Maryland, Baltimore County

Center for Information Security and Assurance

www.cisa.umbc.edu

 

National Defense University

Security and Information Assurance

www.nduknowledge.net

 

Carnegie Mellon University

Center for Computer and Communications Security (C3S)

http://www.ece.cmu.edu/c3s/index.html

 

University of California-Davis, Department of Computer Science

Computer Security Laboratory

http://seclab.cs.ucdavis.edu

 

George Mason University

Laboratory for Information Security Technology

www.list.gmu.edu

 

George Mason University

Center for Secure Information Systems

www.isse.gmu.edu/~csis

 

Idaho State University

Information Security Resources

http://security.isu.edu

 

University of Cambridge Computer Laboratory

Ross Anderson, author of Security Engineering

http://www.cl.cam.ac.uk/users/rja14/

 

University of Cambridge

Computer Security Group, Computer Laboratory

http://www.cl.cam.ac.uk/Research/Security/index.html

 

University of Wisconsin-Milwaukee

The Center for Cryptography, Computer and Network Security (CCCNS)

http://www.cccns.uwm.edu/

 

London School of Economics

Computer Security Research Center

http://csrc.lse.ac.uk

 

Queensland University of Technology

Information Security Research Centre

http://www.fit.qut.edu.au/DataComms/Research/ISRC/ISRC.html

 

University Information Security Courses

 

http://www.iwar.org.uk/comsec/resources/security-lecture/index.html

Recommended Textbooks for course:

Computer Security, Dieter Gollmann, J. Wiley & Sons.

Network Security Essentials, William Stallings, Prentice Hall

Secrets and Lies, Bruce Schneier, J. Wiley and Sons.

Security Engineering, Ross Anderson. J. Wiley & Sons. ISBN 0 471 38922 6

 

James Madison University

MS in Computer Science with concentration in Information Security

http://www.infosec.jmu.edu/program/html/program.htm

 

University of Miami

Michael Froomkin, Professor of Law, e-commerce and cyberspace law expert

http://personal.law.miami.edu/~froomkin/

 

University of Tulsa

Police, students combat cybercrime. In an unusual arrangement, Tulsa, OK police are teaming up with students at the University of Tulsa to help investigate and stop cybercrime. Under the agreement, computer science students will work with the Tulsa police to help them investigate child pornography, fraud and forgery, identity theft and other crimes committed via computers, said Detective Scott Wanzer of the Cyber Crimes Unit. The student interns gain real-world experience by learning what a forensic investigator does, and the officers gain expertise in new software tools, research and techniques. President Bush wants people to help protect the nation against cyberattacks, but there is not enough money or people to go around, said Sujeet Shenoi, computer science professor at the University of Tulsa.

University of Auckland

Peter Gutmann

http://www.cs.auckland.ac.nz/~pgut001/

 

Cornell University

 

University of Tennessee

Tom Dunigan Security Page

http://www.epm.ornl.gov/~dunigan/security.html

 

Georgetown University

Dorothy Denning website

http://www.cosc.georgetown.edu/~denning/

 

MIT

Ron Rivest

http://theory.lcs.mit.edu/~rivest/

http://theory.lcs.mit.edu/~rivest/crypto-security.html

 

University of California, Berkeley

David Wagner, Assistant Professor, specializes in information security

http://www.cs.berkeley.edu/~daw/

Capitol College

www.capitol-college.edu

MS in Network Security

 

Key Government and Corporate CIO and CSO

 

Intelligence Community

John Dahms, CIO for Intelligence Community

 

General Services Administration (GSA) 

Sallie McDonald, assistant commissioner for the office of information assurance and critical infrastructure protection

Analyzes data from agencies' intrusion-detection systems, firewalls and security-incident logs. Intends to develop early warning system in cooperation with the CERT Coordination Center, a federally funded research group in Pittsburgh operated by Carnegie Mellon University.

 

Department of Commerce-Office of the CIO

Tom Pyke, CIO

http://www.osec.doc.gov/cio/

 

Department of Defense

John Stenbit, Assistant Secretary of Defense for Command, Control, Communications and Intelligence (C3I)

 

Federal Bureau of Investigation (FBI)

Darwin John, CIO

Was CIO for the Mormon church

 

Office of Management & Budget

Mark Forman, CIO

 

Office of Homeland Security

Steven Cooper, CIO and Senior Director for Information Integration

 

General Accounting Office

Robert Dacey, Director of Information Security

 

National Security Agency

Daniel Wolf, Information Assurance Director

 

US Army

LTG Robert W. Noonan Jr., the Army G-2

MG. Steven W. Boutelle, Director of Information Operations, Networks and Space, CIO/G-6

 

US Air Force

John Gilligan, CIO

 

US Navy

Alex Bennet, Deputy CIO for Enterprise Integration

 

Federal Emergency Management Agency (FEMA)

Ron Miller, CIO 

Steven Schmidt, Chief Security Officer

 

NASA, Washington, DC

Lee Holcomb, CIO

 

Federal Reserve System

James Wade, Chief Security Officer

 

Harris Corporation

Bill Wall, Chief Security Engineer

 

Staples

Paul Gaffney, CIO

 

VISA, Tampa, FL

John Shaughnessy, Sr VP of Risk Management

Cardholder Information Security Program

http://usa.visa.com/business/merchants/cisp_how_to_comply.html

Oracle

Mary Ann Davidson, Chief Security Officer

 

Information Security Vendors

 

Hewlett Packard

http://www.hp.com/security/

 

Zone Labs

www.zonelabs.com

Personal firewall downloaded from the Internet

 

Bindview Corporation

www.bindview.com

World leader in host-based vulnerability assessment

Scott Blake, VP for Information Security

 

Microsoft

www.microsoft.com/security

 

Bindview RAZOR Team

http://razor.bindview.com

Scott Blake,  Head of Bindview RAZOR team

 

DDoS detection vendors. Deployed at the ISP level; expert systems compare current network traffic against a baseline of normal activity and flag deviations.

Arbor Networks

www.arbor.com

Peakflow

 

Asta Networks

www.astanetworks.com

Vantage System

 

Captus Networks

www.captus.com

 

Mazu Networks

www.mazunetworks.com

Traffic Master
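The baseline-versus-current comparison that the vendors above (Arbor, Asta, Captus, Mazu) build their products on, reduced to its core as an added example. This is not code from any of those products; it assumes traffic has already been summarised into packets per 10-second interval for one destination, that the first twelve intervals are clean enough to learn from, and the sample counts are constructed.

```python
"""Baseline-vs-current traffic anomaly detection (added example, not vendor code).

Assumptions (not from the page): traffic is summarised as packets per
10-second interval for a single destination; the first WARMUP intervals are
taken as 'normal'. SAMPLE_COUNTS is constructed for illustration.
"""
from statistics import mean, pstdev

WARMUP = 12          # intervals used to build the baseline
K_SIGMA = 3.0        # alert if current > baseline + K_SIGMA * stdev ...
MIN_DELTA = 50       # ... and exceeds the baseline by at least this many packets

# Constructed sample: 12 quiet intervals, two more quiet ones, a flood-like
# burst across three intervals, then a return to normal.
SAMPLE_COUNTS = [118, 125, 130, 121, 119, 127, 133, 124, 120, 128, 126, 122,
                 131, 129, 2400, 3100, 2950, 127, 124]


def build_baseline(counts, warmup=WARMUP):
    """Return (mean, stdev) of the warm-up window."""
    window = counts[:warmup]
    return mean(window), pstdev(window)


def detect_anomalies(counts, warmup=WARMUP, k=K_SIGMA, min_delta=MIN_DELTA):
    """Flag intervals whose count deviates from the learned baseline.

    Returns a list of (interval_index, count, ratio_to_baseline). The baseline
    is frozen after the warm-up window; flagged intervals are deliberately NOT
    fed back into it, so a sustained flood cannot 'train' the detector into
    accepting itself as the new normal. MIN_DELTA keeps a very quiet baseline
    (tiny stdev) from alerting on a handful of extra packets.
    """
    if len(counts) <= warmup:
        raise ValueError("not enough intervals to build a baseline")
    base_mean, base_std = build_baseline(counts, warmup)
    threshold = base_mean + max(k * base_std, min_delta)
    alerts = []
    for idx in range(warmup, len(counts)):
        count = counts[idx]
        if count > threshold:
            alerts.append((idx, count, round(count / base_mean, 1)))
    return alerts


if __name__ == "__main__":
    for idx, count, ratio in detect_anomalies(SAMPLE_COUNTS):
        print(f"interval {idx}: {count} pkts, {ratio}x baseline")
```

A production detector would keep one baseline per destination (and per protocol, since a SYN flood and a UDP flood look different), age the baseline slowly during quiet periods, and compare more than one feature (packets, bytes, unique sources); the frozen-baseline and minimum-delta rules are the two details most often got wrong in home-grown versions.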

 

Vigilinx, Parsippany, NJ

Bruce Murphy, Chief Executive Officer   Parsippany, NJ

Attack intelligence services based on information gleaned from underground hacker sites and chat rooms and other public sources. Competes with SecurityFocus and SANS Institute for deep threat warning systems.

 

Veritas Software Corporation

350 Ellis Street

Mountain View, CA 94043

Backup solutions

www.veritas.com

 

Silent Runner

10700 Parkridge Blvd, #400

Reston, VA 20191

800-842-2366

John Suit, CTO

www.silentrunner.com

 

McAfee Security

McAfee VirusScan ASaP is backed by AVERT (Anti-Virus Emergency Response Team). A large block of McAfee stock is owned by Network Associates.

www.mcafeesecurity.com

 

IBM

http://www-3.ibm.com/security/index.shtml

 

Advanced Control Systems, Inc. is an expert developer and supplier of information management systems, including SCADA, distribution  management, energy     management and substation automation systems. Established in 1975, the company has commissioned more than 500 systems worldwide. The company is based in Norcross, Georgia, with offices in Texas and California, and agents throughout the world.

www.acsatlanta.com

 

Secure Network Operations

Security-services firm better known as SnoSoft. HP threatened it with legal action for disclosing a serious flaw in the Tru64 Unix operating system, which HP acquired with Compaq.

 

eEye Digital Security

Makes Retina and other security products. Has a CHO, chief hacking officer.

 

VMWare

Allows multiple operating systems to run simultaneously

Foundstone

www.foundstone.com

Authors of the Hacking Exposed book; firm dedicated to penetration testing.

 

Hacking Groups

 

Hacktivismo

Oxblood Ruffin, Founder

Hacktivismo is a group of international hackers, human rights workers, artists and others who seek to further the goals of human rights through technology. They operate under the aegis of the CULT OF THE DEAD COW (cDc). Hacktivismo is committed to developing technologies in support of the highest standards of human rights. For more information, please visit www.hacktivismo.com

 

Cult of the Dead Cow

Based in Lubbock, Texas, the CULT OF THE DEAD COW (cDc) is the most influential hacking group in the world. The cDc alumni read like a Who's Who of hacking and include a former Presidential advisor on Internet security, among others. The group is further distinguished by publishing the longest running e-zine on the Internet [est. 1984], stretching the limits of the First Amendment, and fighting anyone or any government that aspires to limit free speech.

http://cultdeadcow.com/

 

2600 Magazine and www.h2k2.net

The three-day conference known as H2K2 -- short for Hackers 2002 -- was organized by the publishers of 2600, a magazine sold in suburban bookstores that celebrates the culture of computer hacking. To preserve anonymity and draw the largest crowd, no names are taken at registration.

www.h2k2.net

 

Information Security Tools

Great paper on Penetration Testing-as Published on SANS

www.vimare.com/PenetrationStudies.html

 

Top 50 security tools list by Fyodor, author of nmap

http://www.insecure.org/tools.html

http://www.insecure.org/links.html

 

Navy Surface Warfare Center Dahlgren Lab – Information Assurance Office

Government, Vendor and Blackhat hacker links

http://www.nswc.navy.mil/ISSEC/link.html

 

Security tool by @stake

http://www.atstake.com/research/tools/index.html

 

FedCirc Security Tools

www.vimare.com/Fedcirctools.htm

 

CERT Coordination Center list of Tools

 

DoD CERT On-line

http://www.cert.mil/resources/security_tools.htm

 

www.zdnet.com

 

www.netstumbler.com

Wireless access point discovery tool; the site also hosts maps of access points found by its users.

   

Trinux
http://trinux.sourceforge.net

Trinux is a command-line based Linux distribution that boots from a floppy disk and installs itself into a RAM drive. It brings together a comprehensive set of command-line security tools built around a Linux kernel.
Extra modules can be downloaded from the Trinux website at each boot and installed into RAM for the current session. An ideal solution if you need to move around to multiple offices, prefer a command-line interface over a GUI, want everything configured for you, or need to run on a low-specification computer.

Red Hat 7.2 (Enigma) Linux
http://www.redhat.com

Red Hat is installed from CD or DVD and is very easy to install for the Linux novice: a guided GUI setup program will have you up and running with a KDE or GNOME X Window interface very quickly. If you are a Linux novice, this is a good distribution to choose; it contains lots of built-in help, and help forums are available on the Internet. Most security tools are available pre-compiled for Red Hat, so you won't have to get your hands dirty recompiling Unix source code and libraries. You will need a Linux platform to install some of the Linux-based security tools.

 

Steganography

http://steganography.tripod.com/stego/software.html

 

Camera/Shy, a browser-based steganography application from Hacktivismo. It allows users to trade banned content across the Internet. Camera/Shy is the debut release from Hacktivismo, a special operations group sponsored by the CULT OF THE DEAD COW. Camera/Shy will be released open source under the GNU General Public License. Camera/Shy's "one touch" encryption process delivers banned content across the Internet in seconds. It uses LSB steganography and 256-bit AES encryption, hiding content in plain view inside ordinary GIF images. Camera/Shy is the only steganographic tool that automatically scans for and delivers decrypted content straight from the Web. It is a standalone, Internet Explorer-based browser that leaves no trace on the user's system. As a safety feature Camera/Shy also includes security switches for protection against malicious HTML.

· Automatic invisible cache and history clearing built in; your browsing experience is invisible

· Automatic scanning of Web pages for stegged and encrypted gif files

· One click Web page encoding into gif functionality

· One click parsing of hidden content functionality

· All content scanned and parsed is done from the local cache; no double grabbing of content

· Automatic Rijndael encryption of all steganographic content

· Least Significant Bit pixel insertion steganography

· Relative links that would be broken are made into static links in the Web site encrypting process

· High and moderate security browsing settings that include:

    · Optionally killing all active scripting including DHTML behaviors

    · Optionally killing all Java and ActiveX

    · Optionally disabling client pull in cases where you want to ensure the content comes from the server or local cache you are browsing

· Standalone executable file, no installer

· GIF to and from BMP and JPEG to and from BMP utilities built in for easy gif content selection
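The "least significant bit pixel insertion" that Camera/Shy's feature list refers to, as an added example; this is not Camera/Shy's code. To keep it runnable without an image library the cover "image" is a constructed list of 8-bit grayscale pixel values rather than a real GIF (a real tool works on the decoded pixels or palette indices of the file), and the payload encryption Camera/Shy layers on top is left out so the bit-level mechanics are visible.

```python
"""LSB pixel-insertion steganography (added example; not Camera/Shy code).

Hides a byte string in the least significant bit of successive pixel values
and recovers it again. A 4-byte length header is embedded first so the
extractor knows where the payload ends. COVER is a constructed 16x16
grayscale gradient, not a real image file.
"""
import struct

HEADER = struct.Struct(">I")   # 4-byte big-endian payload length


def _bits(data):
    """Yield the bits of a byte string, most significant bit first."""
    for byte in data:
        for shift in range(7, -1, -1):
            yield (byte >> shift) & 1


def capacity_bytes(pixels):
    """Payload bytes that fit after the header: one bit per pixel."""
    return len(pixels) // 8 - HEADER.size


def embed(pixels, payload):
    """Return a copy of pixels carrying HEADER + payload in the LSBs."""
    if len(payload) > capacity_bytes(pixels):
        raise ValueError("payload too large for cover image")
    framed = HEADER.pack(len(payload)) + payload
    out = list(pixels)
    for i, bit in enumerate(_bits(framed)):
        out[i] = (out[i] & 0xFE) | bit      # touch only the lowest bit
    return out


def extract(pixels):
    """Read the LSBs back and return the payload (header stripped)."""
    def read_bytes(count, pixel_offset):
        value = bytearray()
        for b in range(count):
            byte = 0
            for k in range(8):
                byte = (byte << 1) | (pixels[pixel_offset + b * 8 + k] & 1)
            value.append(byte)
        return bytes(value)

    (length,) = HEADER.unpack(read_bytes(HEADER.size, 0))
    if length > capacity_bytes(pixels):
        raise ValueError("no valid payload header in image")
    return read_bytes(length, HEADER.size * 8)


def max_pixel_change(before, after):
    """Largest per-pixel difference; LSB insertion changes each by at most 1."""
    return max(abs(a - b) for a, b in zip(before, after))


# Constructed cover: 256 pixels of a smooth gradient (room for 28 payload bytes).
COVER = [(x * 7 + y * 3) & 0xFF for y in range(16) for x in range(16)]

if __name__ == "__main__":
    stego = embed(COVER, b"meet at 0300")
    print(extract(stego))                  # b'meet at 0300'
    print(max_pixel_change(COVER, stego))  # 1
```

Two practitioner notes follow from the code: capacity is one bit per pixel (an eighth of the pixel count, minus the header), and the cover is modified by at most one level per pixel, which is why the change is invisible to the eye but still detectable statistically; the plain length header here is also exactly the kind of fixed structure a steganalysis tool looks for, which is one reason a real tool encrypts the payload before embedding it.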

 

Zombie Installation Tools

 

Trinoo

Stacheldraht

 

Encryption Algorithms and Tools

PGP

http://www.pgpi.org/products/pgp/versions/freeware/

 

RSA

http://www.muppetlabs.com/~breadbox/txt/rsa.html

DES

DES is a block cipher: it operates on a single chunk of data at a time, encrypting 64 bits (8 bytes) of plaintext to produce 64 bits of ciphertext. The key length is 56 bits, usually expressed as an 8-character (64-bit) string with the extra bit in each byte used as a parity check. The DES algorithm has 19 distinct stages: an initial permutation, 16 rounds, a swap of the two 32-bit halves, and a final permutation.

 

DES Cipher Feedback Mode

Stream cipher: treats the plaintext as a continuous stream of information. The ciphertext produced depends on the entire history of the stream. Both sender and receiver operate their DES chips in encryption mode.
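The two properties just stated for DES in cipher feedback mode (a block cipher used as a stream cipher, and both parties running the block function only in the encryption direction), shown as an added example. The block function is a stand-in keyed PRF built from SHA-256 rather than DES, deliberately: it is not even invertible, which makes it concrete that CFB never calls a decrypt routine. KEY and IV are constructed test values, not from the page.

```python
"""Cipher feedback (CFB) mode over a forward-only block function (added example).

The block function is a stand-in keyed PRF built from SHA-256, NOT DES.
KEY and IV are constructed values.
"""
import hashlib

BLOCK = 8                       # 64-bit block, as with DES
KEY = b"sixteen byte key"       # constructed; a real DES key would be 8 bytes
IV = bytes(range(BLOCK))        # constructed; must be unique per message


def block_encrypt(key, block):
    """Stand-in for E_k(): a keyed pseudo-random function on one 8-byte block."""
    assert len(block) == BLOCK
    return hashlib.sha256(key + block).digest()[:BLOCK]


def cfb_encrypt(key, iv, plaintext):
    """Full-block CFB: C_i = P_i XOR E_k(C_{i-1}), with C_0 = IV.

    Each keystream block is derived from the previous *ciphertext* block, so
    every output byte depends on the whole history of the stream. A short
    final segment is handled by truncating the keystream (no padding needed).
    """
    assert len(iv) == BLOCK
    out = bytearray()
    feedback = iv
    for i in range(0, len(plaintext), BLOCK):
        chunk = plaintext[i:i + BLOCK]
        keystream = block_encrypt(key, feedback)
        cipher_chunk = bytes(p ^ k for p, k in zip(chunk, keystream))
        out += cipher_chunk
        feedback = cipher_chunk
    return bytes(out)


def cfb_decrypt(key, iv, ciphertext):
    """P_i = C_i XOR E_k(C_{i-1}): the same forward block function again."""
    assert len(iv) == BLOCK
    out = bytearray()
    feedback = iv
    for i in range(0, len(ciphertext), BLOCK):
        chunk = ciphertext[i:i + BLOCK]
        keystream = block_encrypt(key, feedback)
        out += bytes(c ^ k for c, k in zip(chunk, keystream))
        feedback = chunk
    return bytes(out)


def corrupted_blocks(key, iv, plaintext, flip_byte):
    """Flip one ciphertext byte and report which plaintext blocks decrypt wrongly.

    CFB self-synchronises: the damaged block and the one after it are garbled,
    and everything later recovers because feedback is taken from ciphertext.
    """
    ct = bytearray(cfb_encrypt(key, iv, plaintext))
    ct[flip_byte] ^= 0x01
    pt = cfb_decrypt(key, iv, bytes(ct))
    return [i // BLOCK for i in range(0, len(plaintext), BLOCK)
            if pt[i:i + BLOCK] != plaintext[i:i + BLOCK]]


if __name__ == "__main__":
    msg = b"stream of 21 bytes!!!"
    ct = cfb_encrypt(KEY, IV, msg)
    print(len(ct), cfb_decrypt(KEY, IV, ct))               # 21 b'stream of 21 bytes!!!'
    print(corrupted_blocks(KEY, IV, bytes(range(40)), 10))  # [1, 2]
```

The ciphertext is exactly as long as the plaintext (no padding, which is the stream-cipher property), and the error-propagation check shows the cost of feeding ciphertext back: one flipped bit garbles the current block and the whole of the next one, then the stream resynchronises. The IV must never repeat under the same key, since the first keystream block is E_k(IV) and two messages sharing it leak the XOR of their first blocks.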

 

 

Triple DES

Three 56-bit DES keys are used as input to an array of three DES chips (or software blocks). The pattern used for the encryption step is encrypt-decrypt-encrypt (EDE), with a decrypt-encrypt-decrypt (DED) pattern used to reverse the process.

 

IDEA

Block cipher using secret-key symmetric encryption: a 128-bit key operates on 64-bit plaintext blocks. The same algorithm is used for both encryption and decryption. Consists of 8 rounds followed by a final output transformation.

 

RC2

64-bit block cipher with a variable-length key

 

RC4

Uses a variable-length key; operates as a stream cipher

 

RC5

Fully parameterized system: block size, key length and the number of rounds can all be changed. The basic algorithm is a block cipher; a stream version can also be defined.

  

Virus Hoaxes

 

Rob Rosenberger's Virus Myths website is always an outstanding source of information.

George Smith  70743.1711@compuserve.com is Editor-at-Large for VMYTHS and founder of the Crypt Newsletter. He has written extensively on viruses, the genesis of techno-legends and the impact of both on society. His work has appeared in publications as diverse as the Wall Street Journal, the Village Voice and the National Academy of Science's Issues in Science & Technology, among others.

 

A-Z list of computer virus hoaxes

http://Vmyths.com/hoax.cfm

How to spot a hoax computer virus alert

http://Vmyths.com/resource.cfm?id=19&page=1

Reduce virus hoaxes inside your company

http://Vmyths.com/resource.cfm?id=20&page=1

www.Vmyths.com

 

 

Alternatives to Bugtraq:

Full Disclosure
http://lists.netsys.com/mailman/listinfo/full-disclosure

Vulnwatch
http://www.vulnwatch.org/subscribe.html

Detecting and Removing Malicious Code - Security Focus
http://online.securityfocus.com/infocus/1610

Firewalls

 

Windows ICF (Internet Connection Firewall)

http://online.securityfocus.com/infocus/1620

 

 

 

Worms and Viruses

 

Melissa March 1999

http://www.fcw.com/fcw/articles/1999/FCW_041299_294.asp

 

ILOVEYOU April 2000

http://www.fcw.com/fcw/articles/2000/0501/web-love2-05-04-00.asp

 

 

Code Red - July 2001 - Port scanning is a level of noise that many sites must endure. The tools are readily available and interest runs high among so-called "script kiddies" who run the tools for reasons ranging from curiosity to malice. In July 2001, however, scanning reached a new level. The Code Red worm quickly traversed the Internet, infecting hundreds of thousands of systems. The worm scanned random IP addresses for port 80. On locating a server, it tried to exploit the .IDA buffer overflow weakness of Microsoft’s IIS web servers. Upon successful exploitation, the worm started 100 threads on the victim server, looking for additional victims. The infection mushroomed quickly as administrators scrambled to apply the Microsoft fix, which had been announced almost a month before the worm appeared. U.S. officials also believe it is possible that a foreign government helped create the Code Red worm, which took control of 314,000 servers in July 2001 and directed them to attack White House computers.
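The worm's scanning leaves a recognisable trace in web server logs. As an added example (not from the page or any source it cites), this Python flags requests for the .ida extension whose query string is abnormally long, the shape of an overflow attempt against the Index Server ISAPI extension, and counts how many distinct sources made them. The log lines are constructed in Common Log Format; adjust the regular expression for W3C-style IIS logs.

```python
import re
from collections import Counter

# Common Log Format: host ident user [time] "request" status bytes
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3}) \S+$'
)

# Constructed sample log lines (not a real capture). The worm probes are modelled as
# requests for an .ida resource carrying a query string of hundreds of filler bytes.
_FILLER = "N" * 240
SAMPLE_LOG = "\n".join([
    '203.0.113.5 - - [19/Jul/2001:10:00:01 +0000] "GET /index.html HTTP/1.0" 200 1024',
    '203.0.113.5 - - [19/Jul/2001:10:00:02 +0000] "GET /search.ida?q=report HTTP/1.0" 200 512',
    f'198.51.100.23 - - [19/Jul/2001:10:01:13 +0000] "GET /default.ida?{_FILLER} HTTP/1.0" 200 -',
    f'198.51.100.77 - - [19/Jul/2001:10:01:14 +0000] "GET /default.ida?{_FILLER} HTTP/1.0" 200 -',
    f'192.0.2.9 - - [19/Jul/2001:10:01:15 +0000] "GET /default.ida?{_FILLER} HTTP/1.0" 404 -',
])


def is_ida_overflow_attempt(target: str, max_query: int = 200) -> bool:
    """True for a request to the Index Server ISAPI extension (.ida, and .idq which the
    same extension serves) whose query string is far longer than any real search."""
    path, _, query = target.partition("?")
    return path.lower().endswith((".ida", ".idq")) and len(query) > max_query


def scan_log(text: str, max_query: int = 200):
    """Return (hits, sources): matching (ip, timestamp, status) rows and a Counter of
    source IPs. Many distinct sources requesting the same oversized .ida URL is the
    worm's scanning signature. The status code alone does not tell you whether the
    overflow succeeded, so treat every hit as a host to check for the patch."""
    hits, sources = [], Counter()
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m is None:
            continue  # unparseable line: skip rather than guess
        if is_ida_overflow_attempt(m["target"], max_query):
            hits.append((m["ip"], m["ts"], m["status"]))
            sources[m["ip"]] += 1
    return hits, sources
```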

 

Nimda debuted 17 Sept 2002.

 

Network Mapping and Port Scanning

 

Nmap ("Network Mapper") is an open source utility for network exploration or security auditing. It was designed to rapidly scan large networks, although it works fine against single hosts. Nmap uses raw IP packets in novel ways to determine what hosts are available on the network, what services (ports) they are offering, what operating system (and OS version) they are running, what type of packet filters/firewalls are in use, and dozens of other characteristics. Nmap runs on most types of computers, and both console and graphical versions are available. Nmap is free software, available with full source code under the terms of the GNU GPL.

http://www.insecure.org/nmap/index.html

 

Xprobe

Like Nmap, it discovers the remote operating system. Doesn't work through firewalls.

 

WinPcap 2.3

Supports remote or local installation, can be installed from a command prompt, and can be installed without access to the Windows GUI.

 

VNC (Virtual Network Computing)

Like PC Anywhere, very insecure.

 

Nlog runs on Linux and logs information into a database; freeware, lightweight.

 

Cybercop

Internet Scanner

 

Superscan 
http://www.foundstone.com/knowledge/proddesc/superscan.html 

A reasonable Windows port scanner. It will only perform TCP port scans (which are regarded as somewhat “loud”), whereas other tools like Nmap also give you better UDP port scans and allow for stealth scans. It can be a quick tool to run up if you want to scan something internally and do not have to worry about being in stealth mode.

Network Supervisor by 3Com 

A very powerful SNMP-based network-management tool used to map out IP-connected devices in a graphical, easy-to-use format. Advantages of Network Supervisor:
Shareware: available at 3com.com. To extend use beyond 60 days, you may register online for a permanent license key.
http://www.3com.com/

Scalability: Network Supervisor can support over 2000 IP-connected network devices.
User friendly: NS comes with a nice graphical interface that lets testers easily view what is going on in the network in question. It presents a network map either grouped by IP subnet or as a flat Layer 2 view of the entire network. Users may specify which subnet to look for, and it can discover boundaries in a network on various ports. (1)

 

Distributed Port Scanning

 

phpDistributedPortScanner

http://www.digitaloffense.net:8000/phpDistributedPortScanner/

 

Dscan, based on a client/server architecture

http://www.packetstorm-security.com/distributed

 

SIDEN

http://siden.sourceforge.net

LanGuard Network Scanner 
http://www.gfi.com/languard/

A fairly good port scanner for Windows and free!

 

SNMP Ping 
mailto:snmptool@sans.org

SNMP is always a major vulnerability and is easily left configured by accident on most network devices. This tool allows you to scan subnets very quickly and determine which devices have SNMP switched on and which SNMP traps are available.

Strobe: a port scanner. It sequentially attempts connections to TCP ports.

Wardialing

 

The Hacker’s Choice (THC)

THC-Scan 2.0 supports sequential or randomized dialing, dialing through a network out-dial, modem carrier and repeat dial-tone detection, and rudimentary detection avoidance capabilities. Written by van Hauser.

http://inferno.tusculum.edu/thc

 

Toneloc: a wardialer. It looks for modems.

 

Security Vulnerability Assessment

 

Security Administrator Tool for Analyzing Networks (SATAN)

One of the first widely distributed automated vulnerability scanners, introduced in 1995.

 

Nessus Project, Renaud Deraison, Director

Nessus is a complete security scanner and vulnerability database for Linux. It is free and gives you free updates to the knowledge base on a regular basis. It allows you to configure scans against network devices and pick and choose what style of scan or attack you would like to perform. Nessus also utilizes other great penetration tools like Nmap, giving you full reports on your environment and links to potential security fixes or workarounds. You can do anything from simple port scanning to IIS or operating system denial-of-service scans. This is a must-have tool for every pen test kit! Free, open source, general purpose, full-featured scanner for identifying vulnerabilities on remote systems. www.nessus.org

 

Tcpdump
http://www.tcpdump.org

Another network analyzer, for both Linux and Windows. It is a command-line tool, but it is very quick at writing captured packets out to a file for later examination if you are in a hurry to capture some network data.

Whisker is a full-featured vulnerability scanning tool focusing on web server CGI scripts.

Written by Rain Forest Puppy. www.wiretrip.net/rfp

Downloadable from: http://sourceforge.net/projects/whisker/

 

VLAD the Scanner

http://razor.bindview.com/

Scans for vulnerabilities on SANS top twenty list

 

Airsnort

Encryption Key Recovery for Wireless Applications

http://airsnort.shmoo.com/

 

ICAT Vulnerability Database

http://icat.nist.gov

 

Mitre

Common Vulnerabilities and Exposures (CVE): standardized naming of vulnerabilities.

http://cve.mitre.org

 

Wild list

Standardized list of viruses and worms

www.wildlist.org

 

VGrep (Virus Bulletin)

Malicious code database from Virus Bulletin

www.virusbtn.com/Vgrep/

 

Network Sniffers

 

Ethereal 
http://www.ethereal.com

A good network protocol analyzer for both Linux and Windows. Running your network card in promiscuous mode, it lets you sniff and capture the data that flies past your workstation, so you can examine packets and see what data is being transmitted across your network. A very good tool!

Ettercap 
http://ettercap.sourceforge.net

Another network sniffer for Linux, which also works over a switched network (where most network sniffers cannot) and is very good at what it does.

Sniffit by Brecht Claerhout

http://reptile.rug.ac.be/~coder/sniffit/sniffit.html

 

Snort, by Martin Roesch

http://www.snort.org

 

Airsnort

Encryption Key Recovery for Wireless Applications

http://airsnort.shmoo.com/

 

Solaris (ships with the snoop tool)

 

Tcpdump (ships with some variants of unix and linux)

 

To protect against sniffers, IP address authentication should be disabled or replaced. In UNIX the “r-commands” (rlogin, rsh, rexec and rcp) are notoriously subject to IP spoofing attacks. Use secure shell (ssh), which uses strong cryptography to replace the weak authentication of the r-commands. Switched networks also isolate traffic.

 

Active Sniffing

 

Dsniff injects traffic into a network, including MAC address flooding, spurious ARP traffic, fake DNS responses, and person-in-the-middle attacks against SSL.

http://www.monkey.org/~dugsong/dsniff/

  

Session Hijacking

 

Hunt, by Kra

A fully functional session hijacking tool; it allows an attacker to monitor and steal sessions, insert single commands, and even give the session back to the user.

http://www.cri.cz/kra/index.html

 

Denial of Service Attacks

Countless denial-of-service attacks are in widespread use today.

http://packetstorm.securify.com/exploits/DoS

Network-based denial-of-service attacks fall into two categories: malformed packet attacks and packet floods.

Malformed packet attacks include the teardrop attack, which exploits an IP fragmentation handling vulnerability. Other attacks of this kind are WinNuke, Land, LaTierra, NewTear, Bonk, Boink, etc.

 

Packet floods include the well-known SYN flood, which takes advantage of TCP’s three-way handshake: by sending only spoofed SYN packets and never responding to the SYN-ACKs, an attacker can exhaust a server’s ability to maintain state for all the initiated sessions. Directed broadcast attacks, sometimes called smurf attacks after the first tool to exploit this technique, use a third-party network as an amplifier for the packet flood. The attacker locates a network on the Internet that will respond to a broadcast ICMP message (essentially a ping to the network’s broadcast address); all machines on it respond to the ping. By spoofing the source of the ICMP request, the attacker can have that network send its responses to the victim.

 

Distributed denial-of-service attacks use tools such as Trin00, Tribe Flood Network 2000 (TFN2K) and Stacheldraht. First, the attacker usually uses a remote buffer overflow attack to exploit vulnerable systems on the Internet. Simple daemon processes, called zombies, are installed on those machines. They can perform SYN, UDP and ICMP flooding, smurf and malformed packet attacks.

 

Relay Attacks

 

Netcat is an incredibly flexible tool written for UNIX by Hobbit and ported to Windows NT by Weld Pond. The current version for Unix was released in 1996 by Hobbit; the Windows version was released by Chris Wysopal in 1998. Both Hobbit and Chris are part of @stake, Inc. Netcat has been dubbed the network Swiss Army knife. It is a simple Unix utility which reads and writes data across network connections using the TCP or UDP protocol. It is designed to be a reliable "back-end" tool that can be used directly or easily driven by other programs and scripts. At the same time, it is a feature-rich network debugging and exploration tool, since it can create almost any kind of connection you would need and has several interesting built-in capabilities. Netcat is now part of the Red Hat Power Tools collection and comes standard on SuSE Linux, Debian Linux, NetBSD and OpenBSD distributions.

http://www.atstake.com/research/tools/index.html

 

Redir

http://oh.verio.com/~sammy/hacks

 

 

Protecting against DDOS Attacks

Defense Tactics against DOS Attacks-FedCIRC

 http://www.fedcirc.gov/docs/DDOS-defense.PDF

Remote Intrusion Detector (RID)

Downloadable from: www.theorygroup.com/Software/RID/

Can detect the Trin00 DDOS attack client, the Tribal Flood Network DDOS attack client and the Stacheldraht DDOS attack client.

 

Zombie Zapper

http://razor.bindview.com/tools/ZombieZapper_form.shtml

Works against the Trin00, TFN, Stacheldraht, Trinoo for Windows and Shaft DDOS attack programs.

 

CERT Coordination Center

Distributed-Systems Intrusion Tools Workshop

www.cert.org/reports/dsit_workshop-final.html

Provides DDOS protection guidelines

 

Open Channel Foundation

Distributes software from academia; Spitfire is an intrusion detection system from Mitre.org.

www.openchannelsoftware.org/projects/spitfire

 

 

Stack-based buffer overflows

 

Password cracking tools

 

John-the-Ripper, by Solar Designer, focuses on cracking UNIX passwords

http://www.openwall.com/john/

 

L0phtCrack (LC3), used to crack Windows NT passwords

http://www.atstake.com/research/lc/index.html

 

Backdoors

 

Netcat - see the full description under Relay Attacks above.

http://www.atstake.com/research/tools/index.html

NOBO

Nobo detects Back Orifice

 

Back Orifice - Windows Remote Administration Tool or Hacker's Delight?
Back Orifice is the brainchild of the well-known "Cult of the Dead Cow", an underground computer group noted for its hacker antics. Though promoted as a "network administration tool", Back Orifice (commonly known as BO) poses a considerable threat to computer users when in the wrong hands. BO is a Windows-based application that can be stealthily transmitted to unknowing users through email attachments, shareware, legitimate applications or any number of different vehicles. It operates on UDP port 31337. The program has two distinct components:
Defensive options to protect against hostile use of Back Orifice.

There are several methods of detecting and protecting against hostile use of Back Orifice. Existing BO detection tools such as "NOBO" vary in effectiveness and can only detect Back Orifice if the configuration is known or if Back Orifice is operating in the default configuration (using port 31337). Network Associates (McAfee) Anti-Virus and Norton Anti-Virus detect BO, provided the most current version of the virus signature file is on your workstation. Detecting and eliminating BO are two different matters. In order for BO to do its work, it must be executed, and evidence of this will be found in the system registry. Run "Regedit" from the Start menu and find the registry key:

"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices".

This key tells the operating system which applications will be executed at start-up. Inspect the contents of this key for suspicious entries. BO normally installs itself using the filename " .exe" (space.exe) but may be configured as any filename. If you see a suspicious entry in this key that cannot be identified, it may indicate the presence of BO. Do not delete this entry until you can verify it. Another indication of BO's presence is the existence of the file "windll.dll". This file only supports a few of the BO capabilities; deleting it DOES NOT disable BO. Once you have identified the BO server application file, you may delete it and the corresponding registry key.

In addition to the above methods, the resident "NetStat" tool will show any data connections to remote hosts. Pay particular attention to UDP transmissions to remote hosts. To run NetStat, type "netstat -a 5 > filename.log". This will monitor your connections and record the output to filename.log, updating every 5 seconds. Review the log for any suspicious UDP connections to remote hosts with which you are unfamiliar.

In addition to the above information, the CERT® Coordination Center has researched Back Orifice and compiled a vulnerability note addressing the issue.
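A small parser for the netstat snapshots that the procedure above writes to filename.log, as an added example (not from the page): it lists the UDP listeners and flags the default port 31337 named above as well as any UDP port missing from a per-host baseline, since, as the page notes, default-port checks miss a BO server that has been reconfigured. The netstat lines and the baseline port set are constructed for the example.

```python
# Constructed "netstat -a" output in the Windows layout (not a real capture); the
# procedure above appends a snapshot like this to filename.log every 5 seconds.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    192.0.2.50:1044        198.51.100.8:80        ESTABLISHED
  UDP    0.0.0.0:137            *:*
  UDP    0.0.0.0:31337          *:*
  UDP    192.0.2.50:500         *:*
"""

BO_DEFAULT_UDP_PORT = 31337  # default port from the description above

# Assumed baseline for this host: UDP ports a clean build is known to listen on.
# Building this per host is what lets you catch a BO server moved off its default port.
BASELINE_UDP_PORTS = {137, 138, 500}


def parse_netstat(text: str) -> list:
    """Parse Windows netstat rows into dicts. Header lines and repeated rows are
    skipped, so several 5-second snapshots in one log parse into one unique list."""
    rows, seen = [], set()
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[0] not in ("TCP", "UDP"):
            continue
        proto, local, foreign = parts[0], parts[1], parts[2]
        state = parts[3] if len(parts) > 3 else ""
        host, _, port = local.rpartition(":")
        key = (proto, host, int(port), foreign, state)
        if key in seen:
            continue
        seen.add(key)
        rows.append({"proto": proto, "local_host": host, "local_port": int(port),
                     "foreign": foreign, "state": state})
    return rows


def suspicious_udp_listeners(rows: list, baseline: set = BASELINE_UDP_PORTS) -> list:
    """Return (port, reason) for UDP listeners worth investigating. Windows netstat
    shows UDP sockets as local listeners only ("*:*" foreign address), so the port is
    the evidence; confirm with the RunServices registry check before deleting anything."""
    findings = []
    for r in rows:
        if r["proto"] != "UDP":
            continue
        if r["local_port"] == BO_DEFAULT_UDP_PORT:
            findings.append((r["local_port"], "default Back Orifice UDP port"))
        elif r["local_port"] not in baseline:
            findings.append((r["local_port"], "UDP listener not in host baseline"))
    return findings
```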

Trojan Horse and Rootkits

 

BackOrifice2000

www.bo2k.com

 

A whole variety of UNIX Rootkits

Knark, by Creed, is a kernel-level rootkit

http://packetstorm.securify.com/UNIX/penetration/rootkits

NT Rootkits

www.rootkit.com

 

Plasmoid, Solaris kernel level rootkit

http://www.infowar.co.uk/thc/slkm-1.0.html

 

To protect against Rootkits

www.tripwire.com

 

Access Control – Studies and Research

 

Role Based Access Control

 

High Integrity Software Systems Assurance

http://hissa.nist.gov

 

Security Assertion Markup Language (SAML)

An emerging XML-based standard for exchanging authentication and authorization information. Supported by Baltimore Technologies, Crosslogix, Sun, IBM's Tivoli Systems and others in a SAML interoperability demonstration. The biggest shot in the arm, however, will come from the Liberty Alliance, a group of vendors and corporate users who have spent the past six months creating a single sign-on specification. The group will release its work, and announce it is supporting SAML and adding nearly 20 new members.

  

Platforms

 

Windows 2000

MCP TechMentor Summit on Security and Windows Security Challenge. July 2002

- The most important thing I learned is that Windows 2000, contrary to much of what you read, can be made very, very secure. We had more than 40,000 attacks, from all over the world, on the network that our experts locked down. Not a single attack was successful at penetrating to our internal network. Keep in mind that we used standard security checklists and the Microsoft Security Operations Guide to harden our network; no third-party products were used, and no exotic configurations were put in place. These are things each of you can do; you don't have to be a security expert to use the methods our team used. Of course, no network connected to the Internet can be made totally hack-proof. But I think the Windows Security Challenge proved that you can keep most of the bad guys out -- even in a Windows world.

 

-- Keith Ward, editor

mailto:keith.ward@mcpmag.com

 

Careers in Information Technology Security

 

MCP TechMentor Summit on Security and Windows Security Challenge. July 2002

Security is far from a glamorous field. At our panel discussion on IT security careers, Kirk Bailey, chief security officer for the city of Seattle, painted a portrait of a job that has very long hours, ever-increasing liability risk and little praise. Those of you thinking about going into IT security because it's "hot" had better rethink your position. Unless you love the field, you'll probably find that the drawbacks outweigh the rewards.

 

Breaking into Information Security-Information Security Magazine

http://www.infosecuritymag.com/articles/may01/features_career_advice.shtml

 

Information Security Certifications

 

Certified Information Systems Security Professional (CISSP)

www.isc2.org

 

www.giac.org

Global Information Assurance Certification

 

CIW Security Exam

 

British Institute for Standards

BS7799 Lead Auditor

 

Information Technology Certifications

 

IBM Object Oriented exam.
http://certcities.com/editorial/exams/story.asp?EditorialsID=61

 

MCSE

http://www.microsoft.com/traincert/offers/win2000.asp

 

CIO Resources

 

CIO Security Worksheet

http://www2.cio.com/research/surveys/securityindex.cfm

  

Other links:

 

http://www.securitywriters.org/library/texts/firewall/pro/what_is_firewall.pdf

http://www.securitywriters.org/library/texts/firewall/pro/what_is_firewall.php

Vicomsoft Resource Knowledge Base - http://www.vicomsoft.com/knowledge/reference/
RFC 1631 - The IP Network Address Translator (NAT)
InterHack.net’s Firewalls FAQ - http://www.interhack.net/pubs/fwfaq/
PhoneBoy’s FireWall-1 FAQ - http://www.phoneboy.com/
DeathStar’s Firewall Security website - http://www.deathstar.ch/security/fw1/
SecurityPortal.com’s Enterprise Firewall documentation - http://securityportal.com/firewalls/enterprise/
Check Point FireWall-1/VPN-1 - http://www.checkpoint.com/products/firewall-1/

Security News related Sites

http://www.Incidents.org
http://www.theregister.co.uk  
http://www.silicon.com
http://www.security-protocols.com/index.php

New Vulnerabilities

http://bugtraq.inet-one.com/
http://www.cert.org/nav/index_red.html  
http://www.microsoft.com/security
http://www.ciac.org/ciac/bulletinsByType/bul_vendor_list.html

Advisories

http://www.cisco.com/warp/public/707/advisory.html
http://nsa2.www.conxion.com/  

Firewall information (seeing the wood from the trees)

http://www.robertgraham.com/pubs/firewall-seen.html  
http://www.snort.org  

Hacking  

http://www.webstore.fr/webabonnes/tahiti/nt.htm  
http://www.cavebear.com/CaveBear/Ethernet/vendor.html

TCP Ports  

http://www.chebucto.ns.ca/~rakerman/port-table.html  
http://www.iana.org/assignments/port-numbers
http://www.tsmservices.com/masq/
http://www.ec11.dial.pipex.com/port-num.shtml  
http://www.stengel.net/tcpports.htm

Securing

Microsoft Internet Information Server 4 Checklist
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/itsolutions/security/tools/iischk.asp

Securing Microsoft Internet Information Server 5 Checklist
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/itsolutions/security/tools/iis5chk.asp

Securing Microsoft Windows NT4 Domain Controller Checklist
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/itsolutions/security/tools/dccklst.asp

Securing Microsoft Windows NT4 Member Server Checklist
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/itsolutions/security/tools/mbrsrvcl.asp

Securing NT4 C2 Configuration Checklist
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/tools/c2config.asp

 

 

Software Tools of the Trade:

Provided below are some free defense utilities or tools of the trade for penetration testing.

Bastille – A collection of tools and scripts for "hardening" Red Hat Linux distributions once they are out of the box, best done before they are put into production. They aid new system administrators in making Red Hat more secure. Bastille Linux project – http://www.bastille-linux.org/

Crack – Crack is one of the original and still widely used password crackers for UNIX based systems. Used by white hats and black hats alike. Alec Muffett, Developer – http://www.users.dircon.co.uk/~crypto/download/c50-faq.html

Ipmasquerade – This is a Linux network address translation (NAT) function that is incorporated into most Linux distributions. Often Ipmasquerade is combined with Ipchains to form rule-based, routing and network access points. Information – http://ipmasq.cjb.net/

Linux FreeS/WAN – These services allow you to build secure tunnels and VPNs via an IPSec/IKE implementation. Linux FreeS/WAN Project – http://www.freeswan.org/download.html

Nessus – This security scanner is intended to update and improve on SATAN. It is one of the many vulnerability-based scanners. The "Nessus" Project – http://www.nessus.org/download.html

NMAP Portscanner – This network port scanning tool can be utilized to scan networks for open ports and even OS identification. "fyodor" – http://www.insecure.org/nmap/

SAINT – This vulnerability-based security scanner also has an available "WebSAINT" version. World Wide Digital Security Inc. – http://wwdsilx.wwdsi.com/saint/

Shadow – Intrusion detection system based on TCPdump, developed in part by the US Navy. Naval Surface Warfare Center – http://www.nswc.navy.mil/ISSEC/CID/

Squid – This is a full-featured Web proxy cache that supports Internet Caching Protocol (ICP) and SSL. Duane Wessels, project coordinator – http://squid.nlanr.net

Sudo – "Superuser do" allows controlled access to root. This Unix based utility can be used to log superuser use and to restrict access to users or groups. Todd C. Miller, project coordinator – http://www.courtesan.com/sudo/

Tripwire – This commercial version of freeware Intrusion Detection System remains open source and holds some free capabilities. Tripwire Inc. http://www.tripwire.com/downloads/

Penetration Testing Tool Sites:

www.cotse.com - the computer professionals reference: http://wetelephant.cotse.com/tools/

Tips for NT Administrators in the area of Penetration Testing, Hacking, and Intrusion Detection: http://www.is-it-true.org/pt/#GlossP

DRDOS

Denying Network Service

By DEBORAH RADCLIFF,  JULY 15, 2002

 

At least once each month, Terra Lycos SA's high-profile Internet media products, such as Lycos Mail, Tripod and Angelfire, come under a denial-of-service (DOS) attack. As host to more than 300 distinct Web sites and 40.3 million users, the international hosting and Internet media company makes an obvious target, explains Tim Wright, chief technology officer and CIO at Terra Lycos' U.S. headquarters in Waltham, Mass.

 

The attacks aren't the traffic-clogging distributed denial-of-service (DDOS) attacks that used remote-controlled servers to flood Amazon, Yahoo, eBay and others with debilitating levels of traffic in early 2000.

 

Oldie but Baddie

 

The DOS attacks Wright sees are much older than that. They're called syn flood, a type of attack that has been around as long as TCP. Syn floods fake the initial connection synchronization (syn) requests. The target responds with an acknowledgement (ack), for which it will receive no response. The target server holds the session open for a given length of time and then times out. A high-volume succession of these fake sessions prevents the machine from opening legitimate connections.

 

There's really no protection against syn floods, because they take advantage of the inherent purpose of routing protocols - to route TCP session connection requests. "The worst kind of attacks are where the protocol says it's normal," Wright explains.

 

Now, syn floods are getting a whole lot nastier. A new form of syn, called a distributed reflection denial-of-service (DRDOS) attack, knocked Laguna Hills, Calif.-based Gibson Research Corp. (GRC) off the Web for four hours in January. A DRDOS attack is the inverse of a syn flood, says Steve Gibson, president of GRC. Gibson coined the term for the new attack method after his experience in January. That's when attackers sprayed GRC.com's IP across core Internet routers and connected TCP devices, making them believe that GRC.com was trying to initiate a connection. Being the obedient devices that they are, they responded en masse to GRC.com with their ack replies. GRC.com's server, knowing that it didn't initiate the TCP session requests, simply dropped the acks. Thinking their ack requests were lost in cyberspace, the devices tried again - up to four times - magnifying the attack.

 

Gibson says he's aware of many companies that have come under such DRDOS attacks. "Web hosting sites and other major sites are the biggest targets," he says. "You upset some script kiddie - they especially don't like spammers - and they'll punish somebody." Filtering doesn't help because it slows all traffic, say Wright and Gibson. In a DRDOS attack, the ack packets come from everywhere, so there's no way to filter. The only way to deal with such an attack is to take the target machine off the Web and wait it out, or ask your Internet service provider to "null route" (drop incoming syn or ack packets to the affected machine), Gibson explains. That way, the attackers can't block traffic to other machines on that network segment. But then, he adds, "the attacker's still won. They've shut your site down."
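The SYN flood, smurf and reflected-SYN-ACK attacks described in the Denial of Service section above and in this article all arrive as replies, or half-finished exchanges, that the victim never asked for, which is what a defender can key on. As an added example (not from the page or the article), this Python tracks handshake state and unsolicited replies over a constructed packet list and reports which local host is being flooded by which technique; the Packet record, the thresholds and the 192.0.2.0/24 "local" prefix are this example's own.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    """One observed packet. For TCP, kind is the flag set: "S", "SA" or "A";
    for ICMP it is "echo-req" or "echo-rep" and both ports are 0."""
    src: str
    dst: str
    proto: str
    sport: int
    dport: int
    kind: str


def analyze(packets, local_prefix, syn_threshold=50, reflect_threshold=20, smurf_threshold=20):
    """Return (finding, local_victim, count) tuples for the three flood patterns. Each is
    traffic the victim never solicited: SYNs that never complete the handshake, SYN-ACKs
    for connections we never opened, echo replies to pings we never sent."""
    def local(ip):
        return ip.startswith(local_prefix)

    our_syns, our_pings = set(), set()  # (local, remote, remote_port) / (local, remote)
    half_open = defaultdict(set)        # server -> {(client, client_port)} awaiting the ACK
    stray_synack = defaultdict(set)     # host -> {reflector}
    stray_echo = defaultdict(set)       # host -> {amplifier-network host}
    for p in packets:
        outbound = local(p.src) and not local(p.dst)
        inbound = local(p.dst) and not local(p.src)
        if p.proto == "tcp":
            if outbound and p.kind == "S":
                our_syns.add((p.src, p.dst, p.dport))
            elif inbound and p.kind == "S":
                half_open[p.dst].add((p.src, p.sport))
            elif inbound and p.kind == "A":
                half_open[p.dst].discard((p.src, p.sport))  # handshake completed
            elif inbound and p.kind == "SA" and (p.dst, p.src, p.sport) not in our_syns:
                stray_synack[p.dst].add(p.src)
        elif p.proto == "icmp":
            if outbound and p.kind == "echo-req":
                our_pings.add((p.src, p.dst))
            elif inbound and p.kind == "echo-rep" and (p.dst, p.src) not in our_pings:
                stray_echo[p.dst].add(p.src)
    findings = []
    for victim, pending in half_open.items():
        if len(pending) >= syn_threshold:
            findings.append(("syn_flood", victim, len(pending)))
    for victim, reflectors in stray_synack.items():
        if len(reflectors) >= reflect_threshold:
            findings.append(("reflected_syn_ack", victim, len(reflectors)))
    for victim, amplifiers in stray_echo.items():
        if len(amplifiers) >= smurf_threshold:
            findings.append(("smurf_echo_reply", victim, len(amplifiers)))
    return findings


def sample_traffic():
    """Constructed packet list (not a capture): two legitimate exchanges and three attacks."""
    pk = [
        # a client completes the handshake with our web server: not half-open afterwards
        Packet("198.51.100.7", "192.0.2.10", "tcp", 40000, 80, "S"),
        Packet("198.51.100.7", "192.0.2.10", "tcp", 40000, 80, "A"),
        # we open a connection and receive the SYN-ACK we asked for
        Packet("192.0.2.20", "198.51.100.9", "tcp", 50000, 443, "S"),
        Packet("198.51.100.9", "192.0.2.20", "tcp", 443, 50000, "SA"),
    ]
    # SYN flood: 60 spoofed sources, none of which ever sends the third-step ACK
    pk += [Packet(f"203.0.113.{i + 1}", "192.0.2.10", "tcp", 1024 + i, 80, "S") for i in range(60)]
    # reflection (DRDOS): 25 third-party servers answer SYNs forged in 192.0.2.20's name
    pk += [Packet(f"198.51.100.{100 + i}", "192.0.2.20", "tcp", 80, 4000 + i, "SA") for i in range(25)]
    # smurf: 30 hosts on an amplifier network answer a broadcast ping forged in 192.0.2.30's name
    pk += [Packet(f"203.0.113.{200 + i}", "192.0.2.30", "icmp", 0, 0, "echo-rep") for i in range(30)]
    return pk
```

The legitimate exchanges produce no findings, which is the property to preserve when tuning the thresholds for a real link.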

 

SCADA and DCS

 

Embedded Control Systems and Security

There's a whole lot of embedded control systems in our society, controlling things as diverse as vending machines and automobiles and power plants, and they've been designed with not a whole lot of security. Actually, mostly they've been designed with no security. And that's not a good thing.

These are distributed control systems (DCS), or supervisory control and data acquisition (SCADA) systems.  The simplest ones just carry measurement data.  More complicated ones throw railway switches, open and close circuit breakers, and adjust valve flow in lots of different pipelines.  The most complicated ones control devices and systems at an even higher level.

For the most part, these systems have been obscure and isolated -- this is why their designers never bothered with security -- but more and more they're being connected to the Internet.  And the fear is that now they can be taken over by hackers, criminals, or (gasp!) terrorists.

This has been true for decades now, but the War on (Some) Terrorism has brought this into the news. Many are worried that some terrorist with a laptop in Peshawar can open the floodgates of a dam in the United States, or shut down the American power grid. It's a frightening prospect.

And certainly the threats are real.  These systems can be successfully attacked.  And given the sheer complexity of some of the systems being controlled, catastrophic failures are certainly possible.

But I think they're unlikely.  First, as insecure as the systems are, it's hard to hack in and do maximum damage.  It's probably easy to hack in and stumble around until something breaks, but that's not nearly as spectacular.  For once, obscurity is working in our favor; the simple facts that the commands are arcane and obscure, the effects of individual changes are not obvious, and there are no readily available manuals, makes the system more secure.

Second, low-tech terrorism is much more reliable, and much more effective, than high-tech.  While these threats are real, I rate them as lower than explosives or lunatics with automatic weapons.  Sure, opening sewage floodgates into the river will make headlines, but bombing one of the three water tunnels into Manhattan will do much more damage.

The real threat here is the remote attacker.  I think the likely scenario is that some terrorist-wannabe -- not a real terrorist but someone who reads about terrorism in the press and is sympathetic -- in some random country will try to attack infrastructures this way.  They'll break in, and they'll do some random damage.  It won't be spectacular, but it will be successful.

The solution is twofold.  One, keep critical DCS and SCADA systems off the Internet.  Two, fix the protocols to add security.  And three, don't panic about the threats; the risk isn't that great.

Point: We're at risk.
http://www.washingtonpost.com/wp-dyn/articles/A50765-2002Jun26.html

http://news.bbc.co.uk/hi/english/sci/tech/newsid_2070000/2070706.stm

http://www.cnn.com/2002/US/06/27/alqaeda.cyber.threat/index.html

http://www.nipc.gov/publications/infobulletins/2002/ib02-001.htm


Counterpoint: No, we're not.
http://www.sfgate.com/cgi-bin/article.cgi?file=/chronicle/archive/2002/06/3


An actual attack:
http://www.theregister.co.uk/content/4/22579.html

Tools, Tools, and TOOLS!!
Firas Shaheen
November 22, 2001

Have you ever said to yourself, "There are just so many tools, and it’s hard to keep track of all of them and know what each one does?" Well, I do all the time; that’s why I decided to write this quick reference on popular tools (it’s impossible to cover all tools, but I will try to cover as much as possible), with a brief explanation of how they work and where to get them. I am going to cover tools for both Linux and Windows platforms; those tools will consist of IDSes, firewalls, exploits, scanners, reconnaissance, password crackers, auditing, etc. But before I start I would like to talk in general about a successful attack and some of the tools involved. Why? Because:

"IN ORDER TO BEAT AN ATTACKER, YOU’VE GOT TO THINK LIKE A HACKER."

Successful attacks consist of:

  1. Network Reconnaissance: "When thieves decide to rob a bank, they don’t just walk in and start demanding money (not the smart ones, anyway). Instead, they take great pains in gathering information about the bank - the armored car routes and delivery times, the video cameras, and the number of tellers, escape exits, and anything else that will help in a successful misadventure. Hacking Exposed - Second Edition." The same requirement applies to successful attackers. Network recon is like having a blueprint of the network you’re planning to attack, thus making your job easier and safer in terms of getting caught. How does network recon work? By finding out valuable information about the target network (Domain Names, IP Blocks, IDSes, Services running, Firewalls, Platforms supported, Protocols used, DMZ, and the infrastructure of the network). How do I find all this information? Use the reference at the end for the tools required and how to use them.
  2. Gaining Access: Gaining access can be achieved by simple methods, i.e. running an exploit against the target server, or advance methods, i.e. session or TCP hijack. Recall Mr. Kevin Mitnick’s attack against Tsutomu Shimomura’s system, "The attack used two techniques: SYN flooding and TCP hijacking. The SYN flood kept one system from being able to transmit. While it was in a mute state, the attacker assumed its apparent identity, and hijacked the TCP connection. Mitnick detected a trust relationship between two computers and exploited that relationship. Network Intrusion Detection, an Analyst’s Handbook - Second Edition." Access can also be achieved by many other ways, Ex. password cracking, sniffing, physical access to a machine, default accounts, social engineering, etc. Which method shall I use? It depends on the environment, nature of the attack, and the info gathered from your network recon. What are the tools and techniques required for the attack? Use the reference at the end for the tools required and how to use them.
  3. Covering you Tracks: So you got in!! And you have a blueprint of the network, now what? "Usually after committing a crime, the next step would be to alter the seen as if it never happened." This is done by:
    1. Eliminating traces: Fingerprints, video surveillance, missing items. From a security professional perspective, this could mean: Editing and clearing security logs, compromising the Syslog server, replacing system files by nested similar files. Tools like rootkits do that for you.
    2. Disguise: You’re in a place were everyone is a doctor and you don’t want to be detected, what would you do? Get dressed like a doctor. The same applies when talking about network security, but instead of getting dressed like a doctor, we create legitimate accounts on the compromised server and use those for our disguise.
    3. Backdoors: What was the scope of your attack in the first place, was it a one-hit-finish? "Break-in, get the prize, then leave" or was it a continues attack? "Setup a sniffer on the compromised system, then check on the collected goodies now and then. It could be credit card numbers on an e-commerce site or password hashes on an NT based network waiting to be cracked by L0pht Crack." If that was the case then setting up a backdoor is a must, because you wouldn’t want to set off sensors by using the same exploit over and over. A backdoor could be a Trojan Virus (SubSeven, NetBus), or in step "b." the creation of legitimate accounts.

Now that we have seen the steps a successful attack consists of, we will demonstrate each step with a simple example of some of the tools needed:

Technique                Tools              Platform   Download
Network Reconnaissance   Nmap 2.54BETA30    Linux      http://www.insecure.org/nmap/nmap_download.html
                         Hping2             Linux      http://www.hping.org/download.html

1- Finding machines that are up on the network

"Obvious answer: send an ICMP echo-request (ping) packet to each IP address and wait for a reply to determine which hosts are up. But many hosts filter out ping requests or replies! Example:

amy~> ping microsoft.com

PING microsoft.com (207.46.230.219) from 208.184.74.98 : 56(84) bytes of data.

--- microsoft.com ping statistics ---

8 packets transmitted, 0 packets received, 100% packet loss

Solution: "TCP" ping (nmap -sP). By default, Nmap sends a TCP ACK (acknowledgement) packet to port 80 in parallel with an ICMP ping request. If a RST packet (or a ping reply) comes back, we know the host exists.

In some cases you may want to probe machines with a TCP SYN packet instead of an ACK. This is done with -PS. This option uses SYN (connection request) packets instead of ACK packets for root users. Hosts that are up should respond with a RST (or, rarely, a SYN|ACK). http://www.insecure.org/nmap/OSDEM_Presentation/ "

2- Determining the ports that are open

"Open TCP ports can be determined by a SYN scan. This is the preferred general-purpose TCP scan type, also known as half-open scanning. Give Nmap the -sS argument to perform this kind of scan. Don't forget UDP scanning! (Nmap option: -sU). Other scan types: FIN, XMAS, and NULL scans (-sF, -sX, -sN). More details on the mechanics of these scans are available in the Nmap man page ( http://www.insecure.org/nmap/nmap_manpage.html )

Advanced scan type: ACK scan (-sA) for probing firewalls/filtering systems.

Advanced scan type: IP Protocol scan -sO. Nmap usually focuses on TCP, UDP, and ICMP, but there is a whole World of other protocols available for advanced attacks and information gathering. The Protocol Scan cycles through the 8-bit protocol field sending raw IP headers without any data. An ICMP Protocol Unreachable error means the target does not accept packets for the given protocol.

For example, here is a SYN scan:

#nmap -sS target.example.com/24

This command will launch a stealth SYN scan against each machine that is up out of the 255 machines on the class 'C' where target.example.com resides. http://www.insecure.org/nmap/OSDEM_Presentation/ "
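The half-open scan described above leaves a recognisable trace on the defended side: a burst of bare SYN packets from one source to many ports on one host, none of which completes a handshake. As an added example that is not part of the original article, the script below parses firewall log lines and flags such bursts. It assumes the netfilter/iptables LOG target format (key=value fields followed by bare TCP flag names), and the addresses, thresholds and log lines are constructed for the demonstration.

```python
"""Flag SYN-scan-like activity in netfilter LOG lines (added example).

Assumptions, not taken from the article: the firewall logs packets with the
iptables LOG target (key=value fields plus bare TCP flag names), and a source
that sends bare SYNs to more than PORT_THRESHOLD distinct ports on one host
inside WINDOW seconds is treated as a half-open scan.  The sample log lines
below are constructed.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

PORT_THRESHOLD = 5   # distinct destination ports per (src, dst) pair
WINDOW = 10          # seconds

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ kernel: (?P<rest>.*)$")
KV_RE = re.compile(r"(\w+)=(\S*)")
EPOCH = datetime(1900, 1, 1)   # strptime without a year lands in 1900


def parse_line(line):
    """Return {src, dst, dport, flags, t} for a TCP LOG line, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rest = m.group("rest")
    fields = dict(KV_RE.findall(rest))
    if fields.get("PROTO") != "TCP" or "DPT" not in fields:
        return None
    stamp = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S")
    return {
        "src": fields["SRC"],
        "dst": fields["DST"],
        "dport": int(fields["DPT"]),
        # Tokens without '=' are the TCP flag names the LOG target prints.
        "flags": {tok for tok in rest.split() if "=" not in tok},
        "t": (stamp - EPOCH).total_seconds(),
    }


def detect_scans(log_text, port_threshold=PORT_THRESHOLD, window=WINDOW):
    """Map (src, dst) -> peak distinct ports in any window, for pairs over the threshold."""
    probes = defaultdict(list)
    for line in log_text.splitlines():
        ev = parse_line(line)
        # Only bare SYNs count: the half-open scan never completes the handshake.
        if ev is None or "SYN" not in ev["flags"] or "ACK" in ev["flags"]:
            continue
        probes[(ev["src"], ev["dst"])].append((ev["t"], ev["dport"]))

    alerts = {}
    for pair, events in probes.items():
        events.sort()
        recent = deque()
        for t, port in events:
            recent.append((t, port))
            while t - recent[0][0] > window:       # slide the window forward
                recent.popleft()
            distinct = len({p for _, p in recent})
            if distinct > port_threshold:
                alerts[pair] = max(alerts.get(pair, 0), distinct)
    return alerts


# Constructed sample: 11.12.13.50 walks eight ports on 11.12.13.14 in eight
# seconds; 11.12.13.60 is an ordinary web client; one UDP line is ignored.
SAMPLE_LOG = "\n".join(
    [f"Nov 22 10:00:0{i} gw kernel: IN=eth0 OUT= SRC=11.12.13.50 DST=11.12.13.14 "
     f"LEN=44 TTL=52 PROTO=TCP SPT=4000{i} DPT={port} WINDOW=1024 SYN URGP=0"
     for i, port in enumerate([21, 22, 23, 25, 53, 80, 110, 139])]
    + [
        "Nov 22 10:00:05 gw kernel: IN=eth0 OUT= SRC=11.12.13.60 DST=11.12.13.14 "
        "LEN=60 TTL=64 PROTO=TCP SPT=51234 DPT=80 WINDOW=5840 SYN URGP=0",
        "Nov 22 10:00:05 gw kernel: IN=eth0 OUT= SRC=11.12.13.60 DST=11.12.13.14 "
        "LEN=52 TTL=64 PROTO=TCP SPT=51234 DPT=80 WINDOW=5840 ACK URGP=0",
        "Nov 22 10:00:09 gw kernel: IN=eth0 OUT= SRC=11.12.13.60 DST=11.12.13.14 "
        "LEN=60 TTL=64 PROTO=TCP SPT=51235 DPT=80 WINDOW=5840 SYN URGP=0",
        "Nov 22 10:00:09 gw kernel: IN=eth0 OUT= SRC=11.12.13.60 DST=11.12.13.14 "
        "LEN=78 TTL=64 PROTO=UDP SPT=33000 DPT=53 LEN=58",
    ]
)

if __name__ == "__main__":
    for (src, dst), ports in detect_scans(SAMPLE_LOG).items():
        print(f"possible SYN scan: {src} -> {dst}, {ports} distinct ports")
```

Because a connect scan also opens with a SYN, the same rule catches nmap -sT; the FIN, XMAS and NULL scans (-sF, -sX, -sN) send no SYN at all and need a separate rule keyed on those flag combinations.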

3- Determining network architecture

hping2 --traceroute -t 1 -2 --baseport 53 --keep -V -p 5023 gw.target.com

This means: do a traceroute, starting with ttl=1, using UDP packets with a source port of 53 (DNS) and a destination port of 5023, against gw.target.com. -V just turns on verbosity. The traceroute will give us an idea of what the network structure looks like (firewalls, routers, etc.).

Finding out what OS is running is an important step in gathering information (network recon), and one of the ways to find out this information is by issuing the command:

nmap -O targethost.com

Nmap (with -O) can usually determine the OS in use via a technique known as TCP/IP fingerprinting.

Also, if the target host is running a web server you can telnet to it on port 80 and get the server version, e.g. IIS 5.0, which tells you the host is running a version of NT.

# telnet target.com 80

>GET /blah HTTP/1.1

HTTP/1.1 400 Bad Request

Server: Microsoft-IIS/5.0

....

....

A lot of services give out valuable information like in our previous example, web servers, others like DNS servers with zone transfer enabled can give a great deal of information.

# nslookup

>server 11.12.13.2 (we specify a domain server)

>set type=any (will list all domains and hosts)

>ls -d target.com. >> ./Zonetransfer.out

Zonetransfer.out will have a list of all the hosts under the name target.com. Tools like axfr will do the whole job (DNS zone transfers) for you.

ARIN "American Registry for Internet Numbers"

#whois "target.com."@whois.arin.net

(Would give you address blocks e.g. 11.12.13.0-11.12.13.255)

#whois 11.12.13.0@whois.arin.net

(Would give you the ISP and the backbone address block of the domain)

Technique        Tools         Platform   Download
Gaining Access   Legion        Windows    http://www.rhino9.com
                 L0phtCrack    Windows    http://www.l0pth.com

1- Finding shares on the target network

Example: After doing a network recon you find out that the target network xyz.com:

The next step is to use Legion 2.1 to scan for open shares. In the IP range we enter 11.12.13.0 – 11.12.13.255. Legion will first check those IP ranges to see whether or not the hosts are up and support NetBIOS, then it will scan those hosts that are up for open shares and will display the results in the format of IP address plus the directory shared. "You will be surprised to see how many people share their whole C: drive with full access permissions (Read, Write, and Delete)". We found out that the IP address 11.12.13.14 has the C: drive shared with FULL ACCESS; now we map it to our local drive, then we browse to:

C:\Documents and Settings\All Users\Start Menu\Programs and we place a preconfigured password sniffer so that it starts up the next time the system reboots.

2- Collecting the goodies

After we have collected the sniffed hashes and user accounts, it is time to crack them; for that purpose we use the best cracking tool for Windows, L0phtCrack. After successfully cracking a password we then use it to log onto the DC, thus acting as a legitimate user.

Technique              Tools   Platform   Download
Covering your Tracks   Wipe    Linux      ftp://ftp.technotronic.com/unix/log-tools/wipe-1.00.tgz
                       Zap     Linux      ftp://ftp.technotronic.com/unix/log-tools/zap.c

Wipe: Removes log entries from UTMP, WTMP, LASTLOG and ACCT entries. It will compile on virtually anything and wipe the logs CORRECTLY for that variant of UNIX system.

Zap: Will fill the wtmp and utmp entries corresponding to the entered username with zeros. It also zeros out the last login data for the specific user; fingering that user will show 'Never Logged In'.

 

"The Utmp log records, among other things: the username, device name, time, and origin in a binary format. Programs like who, users, and finger read the utmp file and display its contents.

Wtmp can be found in /var/log, and is the same as utmp in terms of file type and format. It records the username, device, event time, and connection origin as a binary file. The major difference in file content lies in the fact that wtmp keeps a history of all logins, logouts, and system events, unlike Utmp which acts like a snapshot. GSEC – UNIX Auditing"
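Because wtmp is an append-only binary history, the tools listed above leave recognisable holes in it: Zap leaves all-zero records or logins with a blank user and zero timestamp, and Wipe removes login records outright, so logouts remain with no matching login. As an added defender's example that is not part of the original article, the script below parses wtmp records and reports those traces. It assumes the 384-byte glibc struct utmp layout used on x86_64 Linux; the sample file is constructed with struct.pack so the script runs offline.

```python
"""Audit wtmp records for the traces log-cleaners leave behind (added example).

Assumptions, not taken from the article: records use the 384-byte glibc
`struct utmp` layout of x86_64 Linux (the format of /var/run/utmp and
/var/log/wtmp), and the sample file below is constructed with struct.pack.
wtmp is an append-only history, so all-zero records, logins with blank users
or zero timestamps, and logouts with no matching login are worth a look.
utmp legitimately reuses zeroed slots, so apply the zero check to wtmp only.
"""
import struct

# struct utmp on x86_64 glibc: type, pad, pid, line[32], id[4], user[32],
# host[256], exit status (2 shorts), session, tv_sec, tv_usec, addr_v6[4], pad[20]
UTMP_FMT = "<h2xi32s4s32s256shhiii4i20x"
UTMP_SIZE = struct.calcsize(UTMP_FMT)          # 384 bytes

INIT_PROCESS, LOGIN_PROCESS, USER_PROCESS, DEAD_PROCESS = 5, 6, 7, 8
OPENS_LINE = {INIT_PROCESS, LOGIN_PROCESS, USER_PROCESS}


def cstr(raw):
    """Decode a NUL-padded fixed-width C string."""
    return raw.split(b"\0", 1)[0].decode("ascii", "replace")


def parse_records(data):
    """Split a wtmp image into dicts, one per 384-byte record."""
    recs = []
    for off in range(0, len(data) - len(data) % UTMP_SIZE, UTMP_SIZE):
        chunk = data[off:off + UTMP_SIZE]
        f = struct.unpack(UTMP_FMT, chunk)
        recs.append({
            "index": off // UTMP_SIZE,
            "type": f[0],
            "pid": f[1],
            "line": cstr(f[2]),
            "user": cstr(f[4]),
            "host": cstr(f[5]),
            "time": f[9],                        # ut_tv.tv_sec
            "zeroed": chunk == b"\0" * UTMP_SIZE,
        })
    return recs


def audit(recs):
    """Return (record index, reason) for records that look tampered with."""
    findings = []
    open_lines = set()           # ttys/ptys with a live login or getty record
    for r in recs:
        if r["zeroed"]:
            findings.append((r["index"], "all-zero record (zapped entry)"))
            continue
        if r["type"] in OPENS_LINE:
            if r["type"] == USER_PROCESS and (not r["user"] or r["time"] == 0):
                findings.append((r["index"], "login with blank user or zero timestamp"))
            open_lines.add(r["line"])
        elif r["type"] == DEAD_PROCESS:
            # A logout for a line that never logged in: the login record was wiped.
            if r["line"] not in open_lines:
                findings.append((r["index"], f"logout on {r['line']} with no matching login"))
            open_lines.discard(r["line"])
    return findings


def make_record(ut_type, pid, line, user, host, tv_sec):
    """Pack one constructed record (helper for the sample data below)."""
    return struct.pack(UTMP_FMT, ut_type, pid, line.encode(), b"",
                       user.encode(), host.encode(), 0, 0, 0, tv_sec, 0,
                       0, 0, 0, 0)


T0 = 1006473600   # constructed epoch time, late November 2001
SAMPLE_WTMP = b"".join([
    make_record(USER_PROCESS, 1001, "pts/0", "alice", "11.12.13.60", T0),
    make_record(USER_PROCESS, 1002, "pts/1", "bob", "11.12.13.61", T0 + 60),
    b"\0" * UTMP_SIZE,                                           # a zapped login
    make_record(DEAD_PROCESS, 1002, "pts/1", "", "", T0 + 300),  # bob's logout
    make_record(DEAD_PROCESS, 1003, "pts/2", "", "", T0 + 400),  # its login was wiped
    make_record(USER_PROCESS, 1004, "pts/3", "", "", 0),         # blanked login
])

if __name__ == "__main__":
    for index, reason in audit(parse_records(SAMPLE_WTMP)):
        print(f"record {index}: {reason}")
```

On a live system, feed the script the bytes of /var/log/wtmp (or compare its output with utmpdump, the util-linux tool that prints the same records). Since the cleaners also edit the file these checks read, keeping a copy of wtmp on a remote syslog or log host is what makes the comparison trustworthy.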

Okay, so we looked at how attacks are done and we mentioned "some" of the tools used and when they’re used. It's time to look at other tools; though we couldn’t possibly mention all of them here, I left some links for more tools in the references part.

The main purpose of this write-up was to give you a sense of how and when tools are used. From an attacker's point of view tools can be separated into 3 categories: Reconnaissance, Gaining Access, and Covering Tracks. From a security professional's point of view, tools can be separated into: defense-in-depth tools (HIDS/NIDS, firewalls, antivirus, honeypots, etc.) and security assessment tools (scanners, password crackers, exploits, anti-reconnaissance tools, etc.).

Argus
Argus is a generic IP network transaction auditing tool. Argus runs as an application-level daemon, promiscuously reading network datagrams from a specified interface, and generates network traffic status records for the network activity that it encounters.
Download:
ftp://ftp.andrew.cmu.edu/pub/argus/

Asax
Asax. An Advanced Security audit trail Analysis on uniX.
Download:
ftp://ftp.cerias.purdue.edu/pub/tools/unix/sysutils/asax

Asmodeus Port Scanner (WebTrends)
Asmodeus network security scanner for Windows NT.
Download:
http://www.webtrends.com/products/wsa/

COPS version 1.04
The Computer Oracle and Password System (COPS) package from Purdue University. Examines a system for a number of known weaknesses and alerts the system administrator to them; in some cases it can automatically correct these problems.
Download:
ftp://ftp.jaring.my/pub/cert/tools/cops/

Fremont
Fremont is a research prototype for discovering key network characteristics, such as hosts, gateways, and topology. It runs on SunOS, and has been tested on both Sun3 and Sun4 hardware, on SunOS 4.1.1. The ARPwatch and RIPwatch Explorer Modules use Sun's Network Interface Tap. This directory contains information, the latest version and patches.
Download:
ftp://ftp.cerias.purdue.edu/pub/tools/unix/netutils/fremont

HPing
A network analysis tool, HPing enables you to send packets with non-traditional IP stack parameters and gather information from the incoming packets generated in response to them; this information isn't displayed by regular applications since much of it is for debugging and internal network functionality.
Download:
http://www.kyuzz.org/antirez/oldhping.html

Internet Security Scanner (ISS) (Evaluation copy)
ISS versions 1.21 and 1.3. This is a program by Christopher Klaus. A multi-level security scanner that checks a UNIX system for a number of known security holes such as problems with sendmail, improperly configured NFS file sharing, etc.
Download:
ftp://ftp.iss.net/pub/iss/

NESSUS Alpha 2 -fix 4
Nessus is a free, open-source and easy-to-use security auditing tool for Linux, BSD and some other systems. It is multithreaded and plugin-based, and has a nice X11 interface.
Download:
http://www.nessus.org

Nss
nss is a Perl script that scans either individual remote hosts or entire subnets of hosts for various simple network security problems. The majority of the tests can be performed by any non-privileged user on a typical Unix machine.
Download:
http://www.ja.net/CERT/Software/nss/

SAINT
SAINT is the Security Administrator's Integrated Network Tool. In its simplest mode, it gathers as much information about remote hosts and networks as possible by examining such network services as finger, NFS, NIS, ftp and tftp, rexd, statd, and other services. The information gathered includes the presence of various network information services as well as potential security flaws -- usually in the form of incorrectly setup or configured network services, well-known bugs in system or network utilities, or poor or ignorant policy decisions. It can then either report on this data or use a simple rule-based system to investigate any potential security problems.
Download:
http://wwdsilx.wwdsi.com/saint/

SARA 2.0.5
"Security Auditor's Research Assistant"-security audit tool, GPL license.
Download:
http://home.arc.com/sara/index.html

SATAN version 1.1.1
SATAN, the System Administrator Tool for Analyzing Networks, is a network security analyzer designed by Dan Farmer and Wietse Venema. SATAN scans systems connected to the network noting the existence of well known, often exploited vulnerabilities. For each type of problem found, SATAN offers a tutorial that explains the problem and what can be done.
Download:
http://www.fish.com/satan/

Tiger version 2.2.3 and 2.2.4
Tiger (from Texas A & M University) is a set of scripts that scan a Unix system looking for security problems, in the same fashion as COPS.
Download:
ftp://net.tamu.edu.pub/security/TAMU/

WebTrends Security Analyzer (Evaluation pack)
WebTrends Security Analyzer helps you discover and fix the latest known security vulnerabilities on your Internet, intranet and extranet. Systems are analyzed on demand or at scheduled intervals, allowing prioritization and comparative reports to be generated with recommended fixes that resolve possible exploitations.
Download:
http://www.webtrends.com/products/wsa/

References:

Network Reconnaissance Techniques,
URL: http://www.insecure.org/nmap/OSDEM_Presentation/

Fyodor. "Nmap network security scanner man page",
URL: http://www.insecure.org/nmap/nmap_manpage.html

Fobic. "Examining Advanced Remote OS Detection Methods/Concepts using Perl", Feb 03, 2001,
URL: http://www.packetnexus.com/kb/greyarts/docs/981766898:16776.html

CERT® Summary CS-2001-02,
URL: http://www.cert.org/summaries/CS-2001-02.html

NT Security Pointers and Resources,
URL: http://www.lanw.com/training/tisc/securityurls.htm

Rhino9 Products,
URL: http://packetstorm.decepticons.org/groups/rhino9/

Automated DNS Zone Transfer Resolution,
URL: http://www.isi.edu/~govindan/cs558f97/labs/dnszone.html

More Tools:
http://www.hackingexposed.com/tools/tools.html (Both Linux and Windows)
http://www.linux.org/apps/all/Networking/Security_/_Admin.html (Linux)
http://www.nmrc.org/files/snt/ (Windows)
http://netsecurity.about.com/cs/hackertools/ (Windows)

Bibliography:

"Hacking Exposed: Network Security Secrets and Solutions – Second Edition" McGraw Hill Professional Publishing, 2001.

"Network Intrusion Detection: An Analyst’s Handbook – Second Edition" New Riders Publishing, 2001.

 

 

Key Players in U.S. Government's Cybersecurity Efforts

Compiled by Brian Krebs
washingtonpost.com Staff Writer
Wednesday, June 26, 2002; 5:34 PM

 

The Bush Administration:

Richard Clarke: President Bush's cybersecurity adviser has sought to make computer security a national security issue, taking his case to the private sector companies that now operate the majority of the nation's most vital computer systems.

John Tritak: Director of the Commerce Department's Critical Infrastructure Assurance Office (www.ciao.gov). The Bush administration wants to fold CIAO into its planned Homeland Security Department, where it will be responsible for ensuring information sharing among the various intelligence departments slated for inclusion in the proposed cabinet level agency.

Ron Dick: Serves as director of the National Infrastructure Protection Center (www.nipc.gov), an arm of the FBI responsible for coordinating communication on computer security concerns between the federal government and the private sector. The NIPC is also targeted for inclusion in the Bush administration's proposed Department of Homeland Security.

U.S. Congress:

Sen. Robert Bennett (R-Utah): Introduced the Critical Infrastructure Information Security Act of 2001, a bill that would encourage businesses to share data about cyber attacks and vulnerabilities with the federal government by exempting the information from Freedom of Information Act requests. The proposal also would give companies limited antitrust protections for sharing such information within individual business sectors.

Reps. Tom Davis (R-Va.) and James Moran (D-Va.): Co-sponsors of a similar antitrust and FOIA exemption bill in the House.

Rep. Lamar Smith (R-Texas): Sponsor of the "Cyber Security Enhancement Act," which requires the U.S. Sentencing Commission to consider a number of new aspects of online crime in coming up with sentencing recommendations in criminal cases.

Sen. Ron Wyden (D-Ore.): Author of the "Cyber Security Research and Development Act," legislation that would earmark $970 million in funding over five years for government agencies to research ways to improve U.S. computer and network security. The bill awaits action by the full Senate.

Rep. Sherwood Boehlert (R-NY): Author of a similar bill, the "Cyber Security Research and Development Act." The bill, which passed the House earlier this year, contains slightly less funding than the Senate version.

Rep. Stephen Horn (R-Calif.): Chairman of the House Government Reform subcommittee that hands out annual computer security report cards to each executive branch agency. The average grade last year was a "D-minus," prompting the White House Office of Management and Budget to promise that it will slash funding for key programs at agencies that do not make computer security a higher priority.

Private Sector:

Harris Miller: President of the Information Technology Association of America (www.itaa.org).

Alan Paller: Director of research for the SANS Institute, a computer security training organization that has worked with the federal government on a variety of cybersecurity issues (www.sans.org).

Timeline: The U.S. Government and Cybersecurity

Compiled by David McGuire
washingtonpost.com Staff Writer
Wednesday, June 26, 2002; 5:31 PM

 

The federal government got its defining wakeup call about the nation's reliance on information technology systems and the vulnerabilities facing those systems in the years and months leading up to Jan. 1, 2000. Experts warned that the dreaded "Y2K Bug" would bring down networks and critical systems around the world.

In the process of trying to determine what public and private systems were susceptible to Y2K failures, Congress and the White House learned of a host of unrelated vulnerabilities. While the millennial date change eventually passed without major incident, administrative and legislative efforts in that area provided much of the framework for the federal government's existing cybersecurity apparatus.

July 1996: Rep. Stephen Horn (R-Calif.) publishes his first quarterly Year 2000 readiness "report card," giving many agencies failing grades. Following the millennial date rollover, Horn issues similar report cards grading agencies on their cybersecurity readiness. In both cases, the grades, particularly the poor ones, spark greater scrutiny of federal information technology officials.

February 1998: President Clinton appoints former Deputy Budget Director John Koskinen to chair his Year 2000 Conversion Council. The council centralizes executive branch efforts to ready government agencies for the date rollover. The council also becomes a template for later executive branch efforts to centralize oversight of cybersecurity threats.

April 1998: Realizing that Y2K threats touch systems across many sectors and as such might come under the jurisdiction of several different congressional bodies, U.S. Senate leaders empanel a special committee on Y2K readiness. Chaired by Utah Republican Robert Bennett, the committee keeps close tabs on businesses and government efforts to ready their systems for the date rollover. Although the committee is set to disband a few months after the date change, Bennett pushes to morph the panel into a permanent cybersecurity body following the date change. While the committee does disband, its efforts lay the groundwork for many later congressional cybersecurity efforts.

May 1998: President Clinton appoints Richard Clarke National Coordinator for Critical Infrastructure Protection Security and Counterterrorism. Clarke is charged with overseeing policies and programs relating to electronic security. Clarke repeatedly warns that the United States could face an "electronic Pearl Harbor" if it fails to beef up its cyber-defenses.

July 1999: President Clinton signs the Year 2000 Readiness and Responsibility Act, which limits the legal liability of companies that make good faith efforts to fix their systems in advance of the date rollover. The law says companies being sued for technological failures may raise a Y2K defense if they can prove they took adequate steps to prepare their systems for the switch.

February 2000: A spate of crippling distributed denial of service (DDOS) attacks brings down several of the world's largest and most popular e-commerce sites, costing the companies millions in lost revenue. The attacks trigger a string of congressional hearings and legislative proposals aimed at closing security holes and intensifying the hunt for cyber vandals.

October 2001: President Bush establishes a federal critical infrastructure protection board, naming Clinton appointee Richard Clarke his special adviser for cyberspace security. The board is charged with making sure that state and local governments and non-governmental organizations are doing their respective parts to maintain effective warning systems and share information they receive about threats and attacks. As special adviser, Clarke occupies a loftier position in the Bush White House than he did under Clinton.

November 2001: The U.S. General Services Administration announces that it will draw on more than 150 written recommendations from telecommunications companies as it ponders its next move toward the possible creation of a government-wide Intranet called "GovNet." Final plans for GovNet have not yet been announced.

February 2002: President Bush proposes an additional $4 billion in security spending in his 2003 budget request. Much of that funding is earmarked for electronic security measures.

 

Related Documents and Resources On The Web
Compiled by The Washington Post and washingtonpost.com
Wednesday, June 26, 2002; 5:48 PM

National Infrastructure Protection Center (www.nipc.gov)
Terrorist Interest in Water Supply and SCADA Systems (Information Bulletin 02-001, 30 January 2002)

InfraGard (www.infragard.net)
InfraGard is a partnership between the FBI and private industry to protect IT systems in critical infrastructure. The organization issued a response to Sept. 11, warning members to take new precautions.

The White House
President George W. Bush last October issued executive order 13231 on critical infrastructure protection

General Accounting Office
Congress' investigative arm issued a report on Sept. 26, 2001, detailing problems with government's infrastructure protection. (Report is in PDF format.)

Miscellaneous Resources

www.robertgraham.com offers a page describing the methods of "black hat" hackers and some of the tools they use.

www.nationalatlas.gov features a dataset of the country's largest dams.

Advanced Control Systems is a leading vendor of digital control systems for electrical utilities.

The National Petroleum Council issued a timely report last June, Securing Oil and Natural Gas Infrastructures (see Ch. 2, report is in PDF format).

Agency raises the bar on tech security
Non-profit works to plug holes -- for free

By Byron Acohido 

USA TODAY SEATTLE -- Virginia Tech's Randy Marchany used to think the network of 24,000 computers he manages for the state's largest university was adequately protected against cyberattacks. But that was before he got his hands on new software distributed free by an organization called the Center for Internet Security. The software quickly found vulnerabilities in Virginia Tech's network. The center also gave Marchany a simple program to find and close common security holes, improving the network's security threefold. ''It raised the bar much higher,'' Marchany says. As society relies on the Internet and computer networks more, the security of those networks is increasingly being breached -- threatening the future of electronic commerce and even national security. Software makers say they're pushing to improve security -- but that's only part of the fix, experts say. Getting companies and institutions to be smarter about using software is the other part. And the little-known Center for Internet Security has arrived with a potential silver bullet that promises to go a long way toward making that happen. Its aim: give all computer users a set of ''best practice'' guidelines to secure their software -- and give them the software tools to do it. That simple practice would close many of the security holes in the operating systems that drive the Internet, center officials say. One lawmaker has proposed all federal agencies adopt such best practices. And companies and institutions are giving the center's work high marks. ''The user community is driving this thing, and the reason that's happening is because users don't have their dollars tied up in selling a product,'' says Fred Kerby, information systems manager at the Naval Surface Warfare Center, which helped draft the guidelines. Attacks rising The security situation is dire. 
Microsoft, IBM, Sun Microsystems and other software makers have left their operating systems vulnerable while pumping out feature-rich systems configured to shift more commerce onto the Web. But that approach, while enriching the software makers and spurring the global economy, also opened myriad security holes. The number of known security holes rose 124to 2,437 last year. Computer attacks shot up 160to more than 52,000, says the Computer Emergency Response Team. Last year alone, the devastating Code Red virus and its more invasive cousin, the Nimda worm, struck hundreds of thousands of computers, together causing more than $3 billion in damages. The problem only looks to get worse. Research firm IDC predicts that by 2005 companies and organizations will spend $14 billion fending off cyberintruders, up from $5 billion in 2000. Last fall, President Bush named Richard Clarke his cyberterrorism czar to address the threat of cyberattacks. And Microsoft Chairman Bill Gates recently declared security the software giant's No. 1 priority -- ordering 8,000 programmers to spend a month concentrating on it. Yet no one expects software makers alone to solve the problem. Computer users can do much to deflect cyberattacks. That's where the center comes in. A non-profit entity, it was conceived in 2000 by some of the USA's best computer-security minds: Alan Paller, research director at the Sans Institute computer-security think tank; Frank Reeder, then a privacy expert on the White House staff; and Jeffrey Hunker, then the National Security Council's senior director for critical infrastructure. The three organized a meeting of 20 banking, manufacturing, government and security officials at Washington, D.C.'s exclusive Cosmos Club, haunt of the intellectual elite. The discussion turned to how difficult it had become to keep track of security holes and patches proliferating across networks. 
Working for the common good

The group decided it was time to put aside competitive fears and form a consensus-making body to establish a set of minimum security standards. ''The circumstances called for an honest effort to do the right thing and be good corporate citizens,'' recalls Reeder, the center's chairman. The center has moved quickly to empower computer users by:

* Issuing benchmarks. The center's 170 members, which include financial institutions, government agencies, technology companies and professional groups, hashed out ''best practices benchmarks'' for configuring operating systems. The benchmarks are a response to software makers' habit of configuring software with every possible feature turned on, so that every computer, for instance, can handle e-mail, host Web pages, play video files and connect with wireless devices. But often a company uses one computer to do just one thing, say host a Web page. If that computer's operating system stays set up to handle e-mail and everything else, each unused service is one more door for attackers to break through. The benchmarks, drawn up and tested by center volunteers, outline steps for disabling unused features and keeping up to date on installing security patches. ''They've got bulletproof methodology,'' says Charles LeGrand, technologies practice director for the Institute of Internal Auditors, a professional association of 75,000 corporate auditors.

* Keeping it simple. The center also makes available a tool designed to walk a technician through simple steps to bring an operating system into compliance with its benchmarks. A tool to check Sun Microsystems' Solaris operating system, for instance, requires a technician to make decisions about 64 items. Though set up a bit differently, a tool to tighten down Microsoft's Windows 2000 operating system presents a similar set of choices. ''The center is making it possible for normal people who aren't big experts to understand what they can do today to protect their computer systems,'' co-founder Paller says.

* Keeping score. The center's tools also provide a security rating on a 1 to 10 scale, so that tech managers can better quantify how secure their systems are. When Virginia Tech first ran the Solaris tool on its Sun servers, it scored 3.67. Its Windows 2000 servers fared even worse, scoring just 1.6. By applying the benchmarks, Marchany raised the Solaris rating to 8.17 and Windows to 5.5. ''Right now, the only way to demonstrate you're making progress is to say you didn't get broken into last week,'' says John Stewart, chief security officer at Digital Island, a Web-hosting company. ''This gives you a numerical technique by which to demonstrate progress, and that's typically what a CEO wants to see.''

Getting the word out

Benchmarks for Sun Microsystems' Solaris and Microsoft's Windows 2000 operating systems were finished last summer and fall, respectively. About 20,000 copies of each have been downloaded from the center's Web site, www.cisecurity.org. Recently, a Webcast to unveil benchmarks for Cisco Systems routers, which direct traffic across the Internet, drew more than 7,000 listeners. And work is underway on the Linux, Hewlett-Packard and IBM operating systems. The center's Web site is packed with testimonials from tech managers, including those from Hallmark Cards, Caterpillar, PricewaterhouseCoopers and the Royal Canadian Mounted Police. Ron Baklarz, chief information security officer at the American Red Cross, recently stumbled across the Windows 2000 benchmarks and became a big believer. ''It was easy to install and run. And it gives you some real valid information,'' Baklarz says. Baklarz has already e-mailed several colleagues about the benchmarks and plans to begin demonstrating the Windows tool to the technicians who tend the Red Cross' 10,000 computers. ''This just makes my job easier,'' he says. ''When I show them what the tool uncovers, they'll be more apt to tie things down and secure them.''

The center's progress also has caught the attention of Sen. John Edwards, D-N.C., who has proposed legislation, the Cybersecurity Preparedness Act of 2002, mandating the use of ''best practices'' by all federal agencies. If the bill becomes law, the center's benchmarks likely would be used by the government. A companion bill would provide grants for research into more sophisticated tools. A Senate committee is reviewing the bills.

For the public good

The center's rising visibility hasn't escaped the software makers. ''It's a complementary initiative,'' says Steve Lipner, Microsoft director of security assurance. ''We basically support anything that helps our customers focus on security issues.'' But neither Microsoft nor Sun has plans to embrace the benchmarks. ''The driver of a decision like that would be what our customers want,'' says Sun spokesman Russ Castronovo, noting that Sun, too, provides security tools. Until the center got rolling, there were no established standards for network security. Companies and organizations did things their way, ignorant of insights discovered by others. Reeder likens the situation to the practice of medicine in the 19th century. ''You had an awful lot of well-intentioned people doing different things, some of it good, some of it bad,'' he says. ''But who knew washing your hands between patients was such a good thing? What we're doing here is on the level of wash your hands between patients, along with providing a level of detail that tells people what to do.'' Much work remains to be done in refining the benchmarks, Reeder says. So far, the center's crack software engineers seem willing to pour volunteer hours into the task, driven by self-interest and an eagerness to contribute to a greater good.

Security experts realize hackers roam the Net in search of open computers from which to mount ''denial-of-service'' attacks that can shut down any system touching the Net. ''It's no longer good enough to clean up your own systems and build up big fences,'' says Hal Pomeranz of Deer Run Associates, the security consultant who oversaw work on the Solaris benchmarks. ''It's up to me to help everybody do the same, because if I don't, their systems are going to be used to attack me.''
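The "disable unused features" step the benchmarks prescribe, reduced to a runnable illustration. This is an added example, not the center's tool or its checks: it parses a constructed Solaris-era inetd.conf, compares the enabled services with what a single-purpose host (here a Web server) actually needs, comments out the rest, and reports a 0-10 score before and after. The role table and the score (the share of enabled services the role requires, scaled to 10) are this example's own simplifications, not the center's 64-item checklist or its rating formula.

```python
"""Role-based network service audit, in the spirit of a configuration benchmark.
Input is constructed; the role table and scoring are illustrative only."""

# Constructed sample in Solaris-era /etc/inetd.conf layout:
# <service> <socket> <proto> <flags> <user> <server> <args>; '#' disables a line.
SAMPLE_INETD_CONF = """\
# Internet services, one per line
ftp     stream  tcp  nowait  root    /usr/sbin/in.ftpd     in.ftpd
telnet  stream  tcp  nowait  root    /usr/sbin/in.telnetd  in.telnetd
#shell  stream  tcp  nowait  root    /usr/sbin/in.rshd     in.rshd
finger  stream  tcp  nowait  nobody  /usr/sbin/in.fingerd  in.fingerd
smtp    stream  tcp  nowait  root    /usr/lib/sendmail     sendmail -bs
www     stream  tcp  nowait  nobody  /opt/httpd/bin/httpd  httpd
"""

# Illustrative role table (an assumption of this example): the services a
# single-purpose host is allowed to keep listening.
ROLE_REQUIRED = {
    "web":  {"www"},
    "mail": {"smtp"},
    "ftp":  {"ftp"},
}


def parse_inetd(text):
    """Return the set of service names enabled in inetd.conf-style text.
    Blank lines and lines starting with '#' are disabled and ignored."""
    enabled = set()
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        enabled.add(line.split()[0])
    return enabled


def audit(enabled, role):
    """Compare enabled services with what the role needs.
    Returns (sorted list of services to disable, score on a 0-10 scale).
    The score is simply the fraction of enabled services the role requires."""
    required = ROLE_REQUIRED[role]
    to_disable = sorted(enabled - required)
    if not enabled:
        return to_disable, 10.0
    kept = len(enabled) - len(to_disable)
    return to_disable, round(10.0 * kept / len(enabled), 2)


def harden(text, to_disable):
    """Comment out the inetd.conf lines for the given services, as the
    'disable unused features' step would, and leave every other line alone."""
    out = []
    for raw in text.splitlines():
        fields = raw.split()
        if fields and not raw.lstrip().startswith("#") and fields[0] in to_disable:
            out.append("#" + raw)
        else:
            out.append(raw)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    before = parse_inetd(SAMPLE_INETD_CONF)
    unwanted, score_before = audit(before, "web")
    print("enabled before:", sorted(before), "score", score_before)
    print("disable:", unwanted)
    fixed = harden(SAMPLE_INETD_CONF, unwanted)
    after = parse_inetd(fixed)
    print("enabled after:", sorted(after), "score", audit(after, "web")[1])
```

On the sample, the Web-server role starts at 2.0 with ftp, telnet, finger and smtp listening, and reaches 10.0 once only www remains; real benchmarks also cover patch level, file permissions and logging, none of which this toy score reflects.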

New Method Said to Solve Key Problem in Math 

August 8, 2002 

By SARA ROBINSON 

Three Indian computer scientists have solved a longstanding mathematics problem by devising a way for a computer to tell quickly and definitively whether a number is prime - that is, whether it is evenly divisible only by itself and 1. Prime numbers play a crucial role in cryptography, so devising fast ways to identify them is important. Current computer recipes, or algorithms, are fast, but have a small chance of giving either a wrong answer or no answer at all. The new algorithm - by Manindra Agrawal, Neeraj Kayal and Nitin Saxena of the Indian Institute of Technology in Kanpur - guarantees a correct and timely answer.

Though their paper has not been published yet, they have distributed it to leading mathematicians, who expressed excitement at the finding. "This was one of the big unsolved problems in theoretical computer science and computational number theory," said Shafi Goldwasser, a professor of computer science at the Massachusetts Institute of Technology and the Weizmann Institute of Science in Israel. "It's the best result I've heard in over 10 years."

The new algorithm has no immediate applications, since existing ones are faster and their error probability can be made so small that it is practically zero. Still, for mathematicians and computer scientists, the new algorithm represents a great achievement because, they said, it simply and elegantly solves a problem that has challenged many of the best minds in the field for decades. Asked why he had the courage to work on a problem that had stymied so many, Dr. Agrawal replied in an e-mail message: "Ours was a completely new and unexplored approach. Consequently, it gave us hope that we might succeed." The paper is now posted on the computer science department Web page at the Indian Institute of Technology (www.cse.iitk.ac.in).

Methods of determining whether a number is prime have captivated mathematicians since ancient times because understanding prime numbers is the key to solving many important mathematical problems. More recently, attention has focused on tests that run efficiently on a computer, because such tests are part of the underlying mathematics of several widely used systems for encrypting data on computers. So-called primality testing plays a crucial role in the widely used RSA algorithm, whose security relies on the difficulty of finding a number's prime factors. RSA is used to secure transactions over the Internet.

On Sunday, the researchers e-mailed a draft of the paper on the result to dozens of expert mathematicians and computer scientists. Dr. Carl Pomerance, a mathematician at Bell Labs, said he received the paper on Monday morning and determined it was correct. After discussing the draft with colleagues over lunch, Dr. Pomerance arranged an impromptu seminar on the result that afternoon. That he could prepare and give a seminar on the paper so quickly was "a measure of how wonderfully elegant this algorithm is," Dr. Pomerance said. "This algorithm is beautiful."

  http://www.nytimes.com/2002/08/08/science/08MATH.html?ex=1029991744&ei=1&en=6f1b8044c9576205
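The "fast but possibly wrong" algorithms the article contrasts with the new deterministic result, as an added example that is not from the paper or the article. The Fermat test is fooled by every base coprime to a Carmichael number such as 561 = 3 * 11 * 17; the Miller-Rabin strong test is fooled by at most a quarter of the bases for any odd composite, which is why running it k times with random bases drives the false-"prime" probability below 4^-k and why RSA key generation relies on it. The new Agrawal-Kayal-Saxena algorithm itself is not implemented here; `random_prime` is this example's own sketch of how a key generator picks candidate primes.

```python
"""Fermat and Miller-Rabin primality tests with their failure modes made visible.
Added example; the deterministic AKS algorithm is not implemented here."""
import random


def fermat_probable_prime(n, a):
    """One round of the Fermat test: a^(n-1) == 1 (mod n).
    Carmichael numbers such as 561 pass this for every base coprime to them."""
    return pow(a, n - 1, n) == 1


def decompose(n):
    """Write n - 1 = 2^s * d with d odd; returns (s, d)."""
    d, s = n - 1, 0
    while d % 2 == 0:
        d //= 2
        s += 1
    return s, d


def strong_probable_prime(n, a):
    """One Miller-Rabin round with base a, for odd n > 2.  Returns False when a
    is a witness that n is composite.  A composite passes for at most 1/4 of the
    bases 1..n-1, so k independent rounds lie with probability at most 4**-k."""
    s, d = decompose(n)
    x = pow(a, d, n)
    if x in (1, n - 1):
        return True
    for _ in range(s - 1):
        x = x * x % n
        if x == n - 1:
            return True
    return False


def is_probable_prime(n, rounds=40, rng=random):
    """Miller-Rabin with random bases, after trial division by small primes."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % p == 0:
            return n == p
    return all(strong_probable_prime(n, rng.randrange(2, n - 1))
               for _ in range(rounds))


def liar_counts(n):
    """For an odd composite n, count the bases 1..n-1 that fool each test."""
    fermat = sum(1 for a in range(1, n) if fermat_probable_prime(n, a))
    strong = sum(1 for a in range(1, n) if strong_probable_prime(n, a))
    return fermat, strong


def trial_division_is_prime(n):
    """Slow but deterministic reference, for checking small results."""
    if n < 2:
        return False
    i = 2
    while i * i <= n:
        if n % i == 0:
            return False
        i += 1
    return True


def random_prime(bits, seed=None):
    """Pick a random prime of exactly `bits` bits, the way an RSA key generator
    must do twice per key (sketch; the seed parameter exists for reproducibility).
    Forcing the top bit fixes the size and forcing the low bit skips even numbers."""
    rng = random.Random(seed)
    while True:
        cand = rng.getrandbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(cand, rng=rng):
            return cand


if __name__ == "__main__":
    print("Fermat, base 2, n=561:", fermat_probable_prime(561, 2))
    print("Miller-Rabin, base 2, n=561:", strong_probable_prime(561, 2))
    print("liars for 561 (fermat, strong):", liar_counts(561))
    print("32-bit prime:", random_prime(32, seed=7))
```

For 561 the Fermat test is fooled by all 320 bases coprime to it while base 2 alone convicts it under Miller-Rabin; the strong liar count stays under the (n-1)/4 bound, which is the whole reason the probabilistic test is trusted in practice even though, unlike the new algorithm, it never proves anything.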