Policy. In order to protect DoD computer systems, a virus management program is required. Antivirus software and HBSS will be installed on all IS. N6 Department personnel will oversee and maintain working anti-virus software with the capability of pushing the latest virus definitions to domain workstations. In addition, TTGL uses HBSS, which is configured to perform regularly scheduled scans of the LAN. External devices (e.g., floppy drives, authorized USB devices, CDs, etc.) will be scanned when they are accessed or introduced to the computer system.
Note: Anti-virus software availability. Service members and authorized civilians can get free antivirus software for home use through a program sponsored by the Navy's Information Assurance Web site. The anti-virus software can only be downloaded by users with a CAC and reader. The INFOSEC web site at https://infosec.navy.mil has complete instructions that guide users to select the most appropriate software package. Anti-virus software is available for nearly all versions of both Windows and Apple operating systems.
CHAPTER NINE
INFORMATION OPERATIONS CONDITION (INFOCON) IMPLEMENTATION PLAN
Purpose. To establish policy for TTGL to set Information Operations Condition (INFOCON) procedures. This instruction recommends actions to uniformly heighten or reduce the information posture to thwart computer network attacks and mitigate any possible damage to the TTGL information infrastructure.
Background. The INFOCON strategy has shifted from a threat-based, reactive system to a readiness-based, proactive approach. This represents a significant change in how commanders at all levels ensure the security and operational readiness of their information networks. The Commander, Joint Task Force-Global Network Operations (CJTF-GNO) will recommend changes in DoD INFOCON levels to Commander, US Strategic Command. If a change in INFOCON level is decided, it will be disseminated to naval activities by NCDOC.
Scope. The INFOCON presents a coordinated and structured approach to defend against attacks on Department of Defense (DOD) networks. While all communications systems are vulnerable to some degree, factors such as low-cost, readily available technology and increased reliance on systems, connectivity, and interoperability make Computer Network Attack (CNA) an attractive option for adversaries. CNA is defined as operations to disrupt, deny, degrade, or destroy information resident in computers and computer networks.
INFOCON levels, as described in reference (c):
- INFOCON 5 - Characterized as routine Network Operations (NETOPS); normal readiness of IS and networks.
- INFOCON 4 - Increases NETOPS readiness in preparation for operations or exercises, with limited impact to the end user.
- INFOCON 3 - Describes when a risk has been identified. Security review of important systems is a priority, and the Computer Network Defense (CND) system's alertness is increased. All unclassified dial-up connections are disconnected.
- INFOCON 2 - Describes when an attack has taken place but the CND system is not at its highest alertness. Non-essential networks may be taken offline, and alternate methods of communication may be implemented.
- INFOCON 1 - Describes when attacks are taking place and the CND system is at maximum alertness. Any compromised systems are isolated from the rest of the network.
Action. TTGL shall maintain the latest INFOCON message and take all actions as required. The IAM shall include INFOCON compliance status in reporting and report any change to INFOCON to the CO immediately.
CHAPTER TEN
SYSTEM BACKUPS
Server Maintenance and Backup. N6 will direct server backups according to the TTGL schedule and as operational requirements permit.
Backups shall commence daily, at the end of normal working hours, with a target completion time of 0600. The following apply to performing system backups:
- Incremental backups will be conducted Monday through Thursday.
- Full backups will be conducted on Friday.
- A set of full backups will be housed at Distributed Training Center Atlantic (DTCL).
- The set of full backups conducted on the last Friday of each month will be swapped with the off-site set at DTCL.
- In any case where a system locks up, services fail to respond or system failure is evident, the SYSADMIN will conduct a reboot to restore services and notify the IAM/IAO.
- If the system permits, an all-hands service advisory will be released.
- All backups shall be conducted IAW the applicable SOP.
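The schedule above can be encoded so that an operator or a job scheduler can ask, for any calendar day, what kind of backup is due, whether that night's full set is the one swapped with the DTCL off-site set, and whether a run met the 0600 target. This is an added Python example, not part of the TTGL instruction; it assumes nothing is scheduled on weekends and that normal working hours end at 1700, neither of which the instruction states.

```python
from datetime import date, datetime, time, timedelta
import calendar

# Added example, not part of the TTGL instruction. It encodes the Chapter Ten
# backup schedule: incremental Monday-Thursday, full on Friday, and the full
# set from the last Friday of each month rotated off-site to DTCL.
# Assumptions (not stated on the page): nothing is scheduled on weekends,
# and "end of normal working hours" is taken as 1700.

WINDOW_START = time(17, 0)      # assumed start of the nightly backup window
TARGET_COMPLETION = time(6, 0)  # stated target: 0600 the following morning


def _as_date(day) -> date:
    """Accept a date or an ISO string such as '2012-03-30'."""
    return day if isinstance(day, date) else date.fromisoformat(day)


def last_friday(year: int, month: int) -> date:
    """Date of the last Friday in the month (the DTCL swap day)."""
    last_day = date(year, month, calendar.monthrange(year, month)[1])
    # weekday(): Monday=0 ... Friday=4; step back to the nearest Friday
    return last_day - timedelta(days=(last_day.weekday() - 4) % 7)


def backup_plan(day) -> dict:
    """Backup required on a calendar day: kind, off-site rotation and window."""
    day = _as_date(day)
    weekday = day.weekday()
    if weekday <= 3:                  # Monday..Thursday
        kind = "incremental"
    elif weekday == 4:                # Friday
        kind = "full"
    else:                             # weekend: nothing scheduled (assumption)
        return {"kind": None, "offsite_rotation": False,
                "window_start": None, "deadline": None}
    rotate = kind == "full" and day == last_friday(day.year, day.month)
    return {
        "kind": kind,
        "offsite_rotation": rotate,
        "window_start": datetime.combine(day, WINDOW_START),
        "deadline": datetime.combine(day + timedelta(days=1), TARGET_COMPLETION),
    }


def met_target(day, finished) -> bool:
    """True if a run for `day` finished by the 0600 target (ISO strings accepted)."""
    if isinstance(finished, str):
        finished = datetime.fromisoformat(finished)
    deadline = backup_plan(day)["deadline"]
    return deadline is not None and finished <= deadline


def rotation_days(year: int) -> list:
    """All twelve DTCL swap days in a year, as ISO strings."""
    return [last_friday(year, m).isoformat() for m in range(1, 13)]


if __name__ == "__main__":
    for d in ("2012-03-26", "2012-03-23", "2012-03-30", "2012-03-31"):
        p = backup_plan(d)
        print(d, p["kind"], "-> swap with DTCL set" if p["offsite_rotation"] else "")
```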
CHAPTER ELEVEN
INFORMATION ASSURANCE VULNERABILITY MANAGEMENT
1100. Background. Information Systems (IS), through technological advances and practical application, are inherently vulnerable. This reinforces the requirement to continuously improve the confidentiality, integrity, and availability of systems and data. The DoN's primary method of reducing vulnerabilities is the practice of scanning for vulnerabilities, downloading security patches to correct them, and scanning for proper implementation of those patches. Periodically, Program Managers will release security patches in the form of Information Assurance Vulnerability Alerts (IAVA), Information Assurance Vulnerability Bulletins (IAVB), Computer Tasking Orders (CTO), and Fleet Advisory Messages (FAM).
1101. Policy. TTGL shall conduct vulnerability scans of all IS monthly IAW CTO 09-08 and 11-16a. All security patches shall be loaded and applied using one of two methods:
- Pushed to the server or workstation using Group Policy Objects (GPO) in conjunction with Windows Server Update Services (WSUS).
- Manually, as required.
Due to the critical nature of these patches to network security, patches shall be loaded and applied as often as possible, but no less than monthly.
To reduce the impact of patch installation on the servers, all security patch installations will be scheduled and briefed to the IAM and N6.
CHAPTER TWELVE
POLICY ON CONTROL AND ACCOUNTABILITY OF LAPTOP/NOTEBOOK COMPUTERS
1101. Purpose. Per reference (a), to establish procedures for the control and accountability of command laptop and notebook computers and associated peripheral and ancillary equipment.
1102. Background. The increased number of portable computers offers unique security risks beyond those associated with non-portable systems. Accordingly, special countermeasures designed to reduce the risk of compromising classified material or introducing malicious software into command laptop and notebook computers must be established.
1103. Action.
Command Laptops. The following procedures are established to maintain accountability and preserve the security integrity of command laptop and notebook computers and magnetic media. These requirements are consistent with current security policy.
a. Per reference (a), all laptop and notebook computers must be accredited to process data. The National Computer Security Act of 1987 (Public Law 100-235) specifically requires that a system security plan be submitted on all computer systems used to process classified, or unclassified sensitive data. Accordingly, all laptop and notebook computers must be nominated for security accreditation prior to their use.
c. Laptops and notebook computers shall be controlled as minor property items and as such must be returned to the command before personnel rotate to their next duty station.
d. Laptops and notebooks may be removed from the command only with the specific approval of the IAM and under the following conditions:
(1) There is a justifiable, official need to do so.
(2) The computer’s hard drive, associated data storage devices and media are clearly marked for unclassified processing only.
e. At no time will personal portable computer systems be connected online to another microcomputer, computer or communications circuit. Government-issued laptops may be connected to an external connection via a secure Virtual Private Network (VPN). VPN access is to be approved by the local IA authority on a case-by-case basis. The only other external connection permitted is to an approved printer for printing material. Modems, both internal and external, are not authorized unless specifically requested in the accreditation and approved by the IAM.
f. Current policy specifically states that “software used or developed outside of a government approved facility on either a personal or government-owned computer system will not be introduced into any command system.” Reference (p) defines software to be “any information recorded on magnetic media to include data files, source code and executable code.”
g. Software license and copyright laws shall be strictly applied to all laptop and notebook computers and unlicensed software will not be used. Public domain software or shareware that has not been provided, purchased or distributed through official channels shall not be permitted on any command system. All laptop and notebook computers shall be reviewed for extraneous software when returned to the command. Software present on a system that is not specifically outlined in accreditation documents shall be removed.
h. Physical control and loss prevention of command portable computer systems rests solely with the individual issued the equipment. Instances of damage, loss, theft or misuse must be outlined in a written report to the IAM. This report should contain a narrative overview of all circumstances surrounding the incident and shall include any supporting documentation that may be useful in a subsequent investigation.
i. Individuals assuming custody of a laptop or notebook computer must read and sign Exhibit 4. This acknowledgement cannot be delegated.
Visitor Computers. The following procedures are established to maintain accountability and preserve the security integrity of the command network infrastructure. Exhibit 5 must be read and signed before a laptop will be allowed to be brought onboard TTGL. These requirements are consistent with current security policy.
a. Non-TTGL laptops will not be connected to any command ISs, nor will they connect by wireless means to any external internet service provider (ISP) or Wi-Fi hotspot while onboard TTGL.
b. TTGL staff will disable wireless and/or Bluetooth devices via BIOS settings; these will not be re-enabled while onboard TTGL.
c. No work related data is authorized to pass between command ISs and personal laptops.
d. No personal magnetic media will be introduced into TTGL Network assets.
Appendix A
GLOSSARY OF TERMS
Access - The ability and the means to approach, communicate with (input to or receive output from), or otherwise make use of any material or component in IS.
Accreditation - A policy decision by the responsible Officer in Charge (DAA) resulting in a formal declaration that appropriate security countermeasures have been properly implemented for the IS activity, so that the activity is operating at an acceptable level of risk.
Asset - Any software, data, hardware, administrative, physical communications or personnel resource within IS of an activity.
Audit - To conduct an independent review and examination of system records and activities in order to test for adequacy of system controls, to ensure compliance with established policy and operational procedures, and to recommend any indicated changes in controls, policy or procedures.
Audit Trail - A chronological record of system activities which is sufficient to enable the reconstruction, review and examination of the sequence of events leading towards a particular final result.
Authentication - Supports verifying the identity of an individual or entity and the authority to access specific categories of information.
Availability - Supports timely, reliable access to data and IS for authorized users, and precludes denial of service or access.
Central Computer Facility - One or more computers with their peripheral and storage units, central processing units and communications equipment in a single controlled area.
Compromise - An unauthorized disclosure or loss of sensitive defense data.
Compromising Emanations - Unintentional data-related or intelligence-bearing signals which, if intercepted and analyzed, disclose the classified information transmitted, received, handled or otherwise processed by any information processing equipment.
Confidentiality - Supports the protection of both sensitive and classified information from unauthorized disclosure.
Configuration Management - The use of procedures appropriate for controlling changes to a system's hardware and software structure for the purpose of ensuring that such changes will not lead to decreased data security.
Countermeasure - Any action, device, procedure, technique or other measure that reduces the vulnerability of an IS system or activity to the realization of a threat.
Data Integrity - The state that exists when computerized data is the same as that in the source documents and has not been exposed to accidental or intentional modification, disclosure or destruction.
Data Security - The protection of data from unauthorized (accidental or intentional) modification, destruction or disclosure.
Dedicated Mode - The system processes or stores one type of data, and all persons with access to the computer or any attached terminal or peripheral are cleared for that type of data.
Dedicated Security Mode - IS processing a particular category and type of classified material. The central computer facility and all of its connected peripheral devices and remote terminals are exclusively used and controlled by specific users or group of users having a security clearance and need-to-know.
Designated Approving Authority (DAA) - An official assigned responsibility to accredit IS elements, activities and networks under the official's jurisdiction.
Hardware Security - Computer equipment features or devices used in IS to preclude unauthorized, accidental or intentional modification, disclosure or destruction of IS resources.
IS Assets - All IS equipment, personnel, software, supplies, facilities and data/information used to support an automated process or function.
Information Assurance - Information operations that protect and defend information and IS by ensuring their availability, integrity, authentication, confidentiality and non-repudiation. This includes providing for restoration of information systems by incorporating protection, detection and reaction capabilities.
Integrity - Supports protection of information against unauthorized modification or destruction.
IS Security - Measures required to protect against unauthorized (accidental or intentional) disclosure, modification or destruction of IS and data, and denial of service to process data.
Information System - An assembly of computer equipment, facilities, personnel, software and procedures configured for the purpose of classifying, sorting, calculating, computing, summarizing, storing and retrieving data and information with a minimum of human intervention.
Non-Repudiation - Provides assurance to the sender of data with proof of delivery and to the recipient of the sender's identity, so that neither can later deny having processed the data.
Password - A protected word or string of characters that identifies or authenticates a user for access to a specific resource such as dataset, file or record.
Personnel Security - The procedures established to ensure that each individual has a background which indicates a level of assurance of trustworthiness which is commensurate with the value of IS resources which the individual will be able to access.
Risk Assessment - An analysis of system assets and vulnerabilities to establish an expected loss from certain events based on estimated probabilities of the occurrence of those events.
Software - Any information recorded on magnetic or optical media to include data files, source code, object code and executable images.
Tempest - An unclassified short name referring to investigations and studies of compromising emanations.
Threat - Any circumstance or event with the potential to cause harm to the IS system or activity in the form of destruction, disclosure, and modification of data, or denial of service.
User - A person or organization receiving products or services produced by an IS either by access to the system or by other means.
Vulnerability - A weakness in the physical layout, organization, procedures, personnel, management, administration, hardware or software that may be exploited to cause harm to the IS or activity.
Exhibit 1 - NETWORK/SYSTEM INTRUSION CHECKLIST
Date: _________ Technician: ___________________

IA Network Intrusion Procedures | Yes | No | NA
1. Consult your command IA policy for precise procedures: | | |
   a. If command IA procedures and policy guidance do not adequately address a network intrusion or are not available: | | |
      (1) Contact your chain of command immediately. | ___ | __ | __
      (2) Determine if legal counsel is required. | ___ | __ | __
      (3) Notify NAVIOCOM/NCDOC for advice and assistance. | ___ | __ | __
   b. Document all actions preceding, during, and after the intrusion. | ___ | __ | __
2. Regain control of the network (containment) | | |
   a. Disconnect intruded systems from the network. | ___ | __ | __
   b. Image backup the network where the intrusion occurred. | ___ | __ | __
3. Analyze the intrusion (eradication) | | |
   a. Look for modifications made to system software and configuration files. | ___ | __ | __
   b. Look for modifications to data on the network. | ___ | __ | __
   c. Look for tools and data left behind by the intruder. | ___ | __ | __
   d. Review all log, accounting records, and audit files. | ___ | __ | __
   e. Look for signs of a network sniffer. | ___ | __ | __
   f. Check other systems on the network for signs of intrusion. | ___ | __ | __
   g. Check remote systems and networks for signs of intrusion. | ___ | __ | __
4. Contact NAVIOCOM/NCDOC (report) | | |
   a. Prepare incident report (per OPNAVINST 2201.2 or DODIIS). | ___ | __ | __
   b. Notify NAVIOCOM/NCDOC. | ___ | __ | __
5. Recover from the intrusion (recovery) | | |
   a. Install a clean version of the operating system. | ___ | __ | __
   b. Disable unnecessary services. | ___ | __ | __
   c. Install all vendor-recommended patches, service packs, and hot fixes. | ___ | __ | __
   d. Consult all NAVCERT advisories, summaries, and IAVAs for security vulnerabilities and directed countermeasures. | ___ | __ | __
   e. Change all passwords. | ___ | __ | __
   f. Restore data and application files from backup. CAUTION: Be extremely careful when restoring data and application files from image backups. An intruder may have left behind Trojan horse or trap door software. | ___ | __ | __
6. Take steps to improve the security of your network (refine) | | |
   a. Review security profiles to ensure they are consistent with established guidance and vendor recommendations. | ___ | __ | __
   b. Review and enhance auditing, logging and accounting to ensure all essential events are being audited. | ___ | __ | __
   c. Install intrusion detection software. | ___ | __ | __
   d. Adjust network firewall policies to mitigate the exploited vulnerability (make recommendations to the NOC). | ___ | __ | __
7. Review/update command IA policy and procedures (reflect) | ___ | __ | __
   a. Review and, if necessary, modify the command IA policy and procedures to reflect actions required to respond to network intrusion incidents. | ___ | __ | __
   b. Document any lessons learned. | ___ | __ | __
   c. Calculate the cost of the incident. | ___ | __ | __
      (1) Mission disruption. | ___ | __ | __
      (2) Resource (money and equipment) requirements. | ___ | __ | __
      (3) Man-hours expended investigating and resolving the intrusion. | ___ | __ | __
   d. Incorporate any changes as required. | ___ | __ | __
8. Conduct a security and vulnerability analysis of the network. | ___ | __ | __
   a. Analyze network configuration for exploitable | ___ | __ | __
      (1) Verify all required security patches are installed. | ___ | __ | __
      (2) Verify that the exploited vulnerability has been eliminated. | ___ | __ | __
      (3) Validate all NAVCERT-recommended countermeasures are installed. | ___ | __ | __
      (4) Recertify that only required network services are running. | ___ | __ | __
   b. Perform a security and vulnerability analysis of the operating system. | ___ | __ | __
9. Conduct follow-up "Just-In-Time" training. | ___ | __ | __
   a. Conduct system administrator technical training. | ___ | __ | __
   b. Conduct user awareness training. | ___ | __ | __
   c. Conduct management awareness training. | ___ | __ | __
10. Provide follow-up reports and feedback to NAVIOCOM/NCDOC. | ___ | __ | __

11. List actions taken/recommendations provided:
Date Completed: ___________ N6/IAM Review: __________________
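Checklist steps 3a and 3c (modified system software or configuration files, and tools left behind) are answered most reliably by comparing the intruded system against a hash baseline recorded before the incident. The following Python routine is an added example, not part of Exhibit 1 or any TTGL tool; the directory tree, file names and tampering it works on are constructed inside the script, and `snapshot`, `compare` and `demo` are names chosen here.

```python
import hashlib
import json
import tempfile
from pathlib import Path

# Added example, not part of the TTGL instruction or Exhibit 1. It supports
# checklist steps 3a and 3c with a hash baseline: record the SHA-256 of every
# file under a tree before an incident, then diff a later snapshot against it.
# The baseline is only trustworthy if it predates the intrusion and is kept off
# the monitored system (read-only or offline media), and the post-incident
# snapshot should be taken from trusted boot media, since a compromised
# operating system can lie about its own files.


def hash_file(path: Path, chunk: int = 65536) -> str:
    """SHA-256 of a file, read in chunks so large binaries do not load into memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def snapshot(root: Path) -> dict:
    """Map each regular file (relative POSIX path) to its SHA-256 and size."""
    result = {}
    for p in sorted(root.rglob("*")):
        if p.is_file() and not p.is_symlink():
            rel = p.relative_to(root).as_posix()
            result[rel] = {"sha256": hash_file(p), "size": p.stat().st_size}
    return result


def save_baseline(snap: dict, dest: Path) -> None:
    dest.write_text(json.dumps(snap, indent=1, sort_keys=True))


def load_baseline(src: Path) -> dict:
    return json.loads(src.read_text())


def compare(baseline: dict, current: dict) -> dict:
    """Classify files as modified (3a), added (3c: tools left behind) or removed."""
    modified = sorted(k for k in baseline if k in current
                      and baseline[k]["sha256"] != current[k]["sha256"])
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    return {"modified": modified, "added": added, "removed": removed}


def demo() -> dict:
    """Build a constructed tree, baseline it, tamper with it, and report the diff."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "system"
        (root / "etc").mkdir(parents=True)
        (root / "bin").mkdir()
        (root / "etc" / "hosts").write_text("127.0.0.1 localhost\n")
        (root / "etc" / "services.conf").write_text("telnet=disabled\n")
        (root / "bin" / "login").write_bytes(b"\x7fELF original login binary")
        baseline_file = Path(tmp) / "baseline.json"   # kept outside the tree
        save_baseline(snapshot(root), baseline_file)

        # Constructed tampering of the kind steps 3a and 3c look for:
        (root / "etc" / "services.conf").write_text("telnet=enabled\n")  # config edited
        (root / "bin" / "login").write_bytes(b"\x7fELF replaced login")   # binary replaced
        (root / "bin" / ".hidden_tool").write_bytes(b"left behind")       # new file
        (root / "etc" / "hosts").unlink()                                 # file removed

        return compare(load_baseline(baseline_file), snapshot(root))


if __name__ == "__main__":
    for category, files in demo().items():
        print(f"{category}: {files}")
```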
Exhibit 2 - INTRUSION INCIDENT REPORT MESSAGE FORMAT
FM TACTRAGRULANT DAM NECK VA//IAM//
TO NAVCYBERDEFOPSCOM NORFOLK VA//NCDOC//
INFO CINCLANTFLT NORFOLK VA
CNO WASHINGTON DC//N6/N64//
COMSURFFLTTRANLANT NORFOLK VA
(APPROPRIATE CLASSIFICATION) //N02201//
MSGID/GENADMIN/TTGL DAM NECK VA//
SUBJ/POSSIBLE COMPUTER INTRUSION INCIDENT//
REF/A/DOC/OPNAVINST 2201.2//
AMPN/REF A IS NAVY AND MARINE CORPS COMPUTER NETWORK INCIDENT/RESPONSE INSTRUCTION.
RMKS/
1. Incident date:
2. Physical location of the system attacked:
3. How was the attack identified:
4. How was access obtained:
5. Vulnerability exploited:
6. Actions attempted during session:
7. Highest classification of information involved:
8. Evaluation of attack success:
9. Damage or effects resulting from attack:
10. Hardware configuration:
11. Operating system:
12. Security software installed:
13. Origination point of incident:
14. Indication of additional activity:
15. IP address:
16. Names used:
17. Mission of system attacked (e.g., administration, command and control, message handling):
18. Point of contact (e.g., name, phone number, addresses):
19. Additional information:
Exhibit 3 - Incident Procedures Involving Electronic Media
Reference A: COMPUTER TASKING ORDER 2008-08
The following actions should be taken if there is an incident regarding electronic media. Electronic media are media that use electronic or electromechanical energy for the end user to access the content. This is in contrast to static media (mainly print media), which today are most often created electronically but do not require electronics to be accessed by the end user in printed form. The primary electronic media sources familiar to the general public are video recordings, audio recordings, multimedia presentations, slide presentations, CD-ROM and online content. Most new media are digital media; however, electronic media may be in either analog or digital format. This Exhibit focuses primarily on removable media such as USB devices, removable hard drives, and CDs.
Incident on any TTGL computer system or network regarding electronic media:
- Inform the IAM or IAO.
- Contact the Computer Network Defense Service Provider/Navy Cyber Defense Operations Command (CNDSP/NCDOC), the Navy's computer incident response team. CNDSP/NCDOC personnel can provide technical assistance and reporting guidance in response to computer security incidents. They do not have legal expertise and cannot offer legal advice or opinions. NCIS agents are available at the CNDSP if necessary.
- The System Administrator will conduct a full virus scan of the network.
- Determine whether the network has been infected with a virus or a spillage has occurred. If either has occurred, inform NCDOC, which will begin incident handling procedures immediately.
- Notify other interested elements within your command. In addition to notifying the CO and legal counsel, you may also need to notify others who may be directly affected.
- Document all of the steps you take in system or data recovery. The importance of documenting every step taken in recovery cannot be overstated.
- Regain control of the network (containment), as in Exhibit 1, step 2.
- Incident Reporting. The preferred method is via the NCDOC webpage.
Contact the NCDOC
Mailing address:
Commanding Officer
Network Computer Defense Operations Center
2555 Amphibious Drive
Norfolk, VA 23521-3225
Phone: Comm: (757) 417-4024, DSN (312) 537-4024
NCDOC Hotline: 1-888-NAVCDOC or 1-888-628-2362
Unclas fax: (757) 417-4031
Class fax: (757) 417-4064
STU/STE (312) 537-7592/ (757) 417-7952
NIPRNET: https://www.ncdoc.navy.mil
E-mail: ncdoc@ncdoc.navy.mil
SIPRNET: http://www.ncdoc.navy.smil.mil/forms.php
E-mail: cndwo@ncdoc.navy.smil.mil
Exhibit 4 - TTGL Laptop Computer and Portable Electronic Devices Loan Procedures and Authorization
The following command Laptop Computer and Portable Electronic Devices Procedures are a supplement to the TACTRAGRULANT Network Policy Instruction. These procedures apply to the use of all laptop computers and electronic devices owned by TTGL and used on or off command property. Military and Civilian members are expected to follow these procedures when using any laptop computers or other electronic devices owned by TTGL.
All laptop computers, electronic devices and accessories owned by TTGL are district property provided to TTGL staff for a period of time as deemed appropriate by the requirements of use and N6 department.
TTGL allows staff to use laptop computers and electronic devices on or off command property. Command laptop computers and electronic devices are to be used as a productivity tool for command-related business, curriculum enhancement, research, and communications. Staff will exercise appropriate professional judgment and common sense when using the command’s laptop computers, electronic devices and accessories.
Staff must comply with and agree to the following conditions prior to being approved for the use of TTGL laptops, electronic devices and accessories:
- Prior to being issued one of the TTGL laptop computers, electronic devices or accessories, staff must sign the Staff Laptop Computer and Electronic Devices Acceptance Use Form (below) and agree to all outlined procedures.
- Staff must NOT attempt to install software or hardware, or change the system configuration, including network settings, on any equipment assigned to the staff member without prior consultation with an N6 computer specialist or the IAM/IAO.
- Staff are expected to prevent damage to and theft of all TTGL electronic equipment assigned to them.
- Staff must provide access to any electronic equipment and/or accessories they have been assigned upon N6's request.