U.S. Army Europe's Information Assurance Program

By COL Dennis Treece, Mr. Tom Ledoux and MAJ Kevin Maley

Dependence on automated information and the networks it moves around on means that networks must be secure from unauthorized manipulation and control. Making this happen is called information assurance (IA). At the same time, it is desirable to operate at or near peak efficiency. The computer network security regime described herein is designed to achieve an acceptable balance between data/network operations and data/network security within U.S. Army Europe (USAREUR). The fundamentals described are not, however, unique to USAREUR or even the military. They apply to all organizations, large or small, which create, store and move information on computer networks and want to do so with an acceptable degree of security.

Four fundamentals emerge as indispensable parts of any effective IA strategy: professional development; detection and reaction; permissions and configuration; and command and control.

Helping USAREUR put them in place and manage them is the Regional Computer Emergency Response Team - Europe (RCERT-Europe). This team of computer security experts is provided by the Army's Land Information Warfare Activity. They provide the technical support we need to devise, implement and oversee security discipline on USAREUR cyberterrain encompassing 38,000 PCs and laptops operating on some 1,500 local area networks, most connected to the Internet. These networks carry e-mail and data files on everything from base libraries to the maintenance of weapon systems.

IA Fundamental Number 1: Professional Development

Encourage A Viable Profession. Without a stable career field in the business of computer network system administration and computer network security, staffs will be in a perpetual spin cycle of train, work and rotate. A recognized military and civilian occupational specialty, known for its high level of technical skills and ethical standards, will help provide stability and professionalism. This profession should encompass network operations and network security since both require the same core skills.

The network operations people (system administrators) already know the tricks, so they make the best security staffs. Unless network security is their main task, however, it will always take a back seat to network operations since security slows things down and frustrates people. A dedicated security overwatch, performed by people who know the system administrator business inside and out, is the only effective solution. Optimally, these career paths would be interchangeable with people rotated through both.

Training. Without the proper training, achieving effective network operations and network security is problematic. Minimum standards that define acceptable competence in all computer related jobs must be published and rigorously enforced. Training programs that bring people up to these standards must be made available, and those who take this training must demonstrate that they have achieved these standards through performance testing, before they touch a computer. Class attendance is simply not enough. The end result is a licensed workforce capable of using and administering the networks both efficiently and securely.

In USAREUR we base the amount and type of training required on a person's individual access within the network. That is, the amount of damage one can do either through ignorance or malice. In our new program, now under development for fielding this fiscal year, all computer users are trained for a USAREUR computer operator's license, meaning they can be issued an e-mail and network account. This training will be done during initial in-processing in much the same way we conduct training for a USAREUR driver's license. The bottom line is, without a license, you don't drive one of our computers!

The curriculum consists of the DISA basic CD and USAREUR policies, including how to handle hoaxes and spamming. We also cover chain mail and the appropriate use of a government computer and the worldwide web. For the more advanced system administrator and system security staff training needs, we centrally fund and manage basic administration and security training to ensure minimum core competency before they assume their duties. In doing this, we have eliminated much of the distinction between the operations and the security side of running computer networks, choosing instead to train to the common denominator between these two separate but linked duties. Basic training not only establishes minimum technical competence, but also weeds out those who simply do not have the maturity or aptitude for this important work.

At all levels of training, those who fail to meet the minimum standards are retrained and retested until they pass the licensing exam. It is also possible to test out of training at any time, so people who have the requisite skills don't waste their time attending classes they don't need. Certificates of training from other commands which meet our standards are also acceptable. The bottom line is that licensing based on achievement of a minimum acceptable performance standard is required before getting access to a USAREUR computer or network. Special skill training above the basic level may be funded by any unit which chooses to pursue it, but only for those who are already licensed at the basic level. This will cut down on the number of expensive failures experienced in more advanced training courses. Without question, this is a major investment in money and time, but it is inescapable if you really want a secure network, and a natural consequence of our dependence on information technology.

Training Goes Hand In Hand With Public Awareness. USAREUR has a general awareness campaign to make IA issues known to the broadest base possible. This campaign includes local radio spots, half-page ads in Stars and Stripes, and newsworthy articles on computer network security in community newspapers.

IA Fundamental Number 2: Detection and Reaction

Detection. Since hackers can't always be kept out, there must be a way to alert the network and system administrators when under attack. USAREUR developed a sophisticated intrusion detection system (IDS) that has been coupled to a theater-wide alert system. We can detect hackers, spread the alarm and then take measures to keep hackers from using that vulnerability in the future.

The Perimeter Fence: WAN-Based Alarms. The IDS alarms at our Internet gateways serve as an early warning system to tell us our networks are at risk or under attack. Because the volume of traffic is so high at this level (monitoring 38,000 PCs on 1,500 LANs) our centralized monitoring of the network perimeter is focused on only the most common and/or destructive types of attacks.

Inside The Wire: LAN/Host-Based Alarms. Effective intrusion monitoring needs more than a perimeter defense. USAREUR has a complementary security apparatus closer to the information being protected. This gives us security in-depth throughout our network infrastructure, and is accomplished by placing additional IDS and security routers/firewalls further inside the network infrastructure at the critical LAN and server level. These alarms are monitored by RCERT-Europe, as well as by individual system administrators (SAs) and network managers, thereby making it easier to separate suspicious activity from legitimate system use. Additionally, IDS devices and software installed at the local level can be configured to look for more specific types of activity, thus increasing the likelihood that an event not detected at the perimeter would be noticed further inside the network infrastructure. Firewalls and security routers, also used for protection, will be addressed later.

Reaction. The first step is to decide what constitutes illegitimate behavior within computer networks. We adopted the DoD standard of seven reportable categories of security problems: unauthorized user, unauthorized root, attempts at unauthorized access, unauthorized probe, denial of service attack, poor security practice and malicious logic. RCERT-Europe reacts to these by immediately contacting the affected system administrators and security staff to begin verification and event analysis. Most alarm events turn out to be incidents, that is, attacks which failed to penetrate the systems involved for any number of reasons, such as being blocked at the router or being an NT attack aimed at a UNIX box. Intrusions concern us the most, since they involve an actual breach of system integrity: an unauthorized user or a successful denial of service attack. We work intrusion cases in conjunction with criminal investigators and counterintelligence agents, as well as with the commanders of the units involved and their automation staffs. The imperative is to stop the attack, then design a security solution that protects the network but still allows the unit to fully use it.

Rapid Notification and Response. Because a threat to any networked computer anywhere in DoD threatens DoD computer systems worldwide, such threats require rapid attention. To do this effectively, the USAREUR information assurance program manager and the deputy chief of staff for operations and plans, located in the emergency action center, developed a message alert procedure for IA emergencies. These alerts are given the same level of attention as attacks by terrorists or hostile aircraft. USAREUR defines an IA emergency as a security vulnerability that has the potential for either major damage to data or major degradation of automation services which would adversely affect the USAREUR warfighting mission. An IA emergency requires USAREUR and Army notification within four hours and immediate reporting to the command's leaders and appropriate staffs.
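The triage described in the two sections above, as an added illustration that is not RCERT-Europe's code: alert lines, signature names, platform table and host registry are all constructed for the example. It maps each alert to one of the seven DoD categories, separates incidents (blocked, or the wrong exploit for the target platform) from intrusions (a breach that actually succeeded), and computes the four-hour notification deadline.

```python
from datetime import datetime, timedelta

# The seven DoD reportable categories named in the article.
CATEGORIES = {
    "unauthorized_user", "unauthorized_root", "unauthorized_access_attempt",
    "unauthorized_probe", "denial_of_service", "poor_security_practice",
    "malicious_logic",
}

# Signature name -> (category, platform the exploit targets or None).
# Signature names are assumptions for the example, not real IDS rule names.
SIGNATURES = {
    "IIS_UNICODE_TRAVERSAL": ("unauthorized_access_attempt", "nt"),
    "SENDMAIL_ROOT_EXPLOIT": ("unauthorized_root", "unix"),
    "PORTSCAN": ("unauthorized_probe", None),
    "SYN_FLOOD": ("denial_of_service", None),
}

# Host registry (the system registration the article requires), constructed.
REGISTRY = {"10.0.1.5": "unix", "10.0.2.9": "nt"}

# Categories whose success means a breach of system integrity.
BREACH = {"unauthorized_user", "unauthorized_root", "denial_of_service"}

# Constructed alert lines: "<ISO time> <signature> <src> -> <dst> <outcome>".
ALERTS = [
    "2000-03-01T10:00:00 IIS_UNICODE_TRAVERSAL 192.0.2.7 -> 10.0.1.5 succeeded",
    "2000-03-01T10:05:00 SENDMAIL_ROOT_EXPLOIT 192.0.2.7 -> 10.0.1.5 succeeded",
    "2000-03-01T10:07:00 PORTSCAN 192.0.2.7 -> 10.0.2.9 blocked",
    "2000-03-01T10:09:00 SYN_FLOOD 192.0.2.8 -> 10.0.2.9 succeeded",
]


def parse_alert(line):
    """Split one constructed alert line into its fields."""
    ts, sig, src, _arrow, dst, outcome = line.split()
    return {"time": datetime.fromisoformat(ts), "sig": sig,
            "src": src, "dst": dst, "outcome": outcome}


def triage(alert):
    """Return (category, 'incident' or 'intrusion', reason)."""
    category, exploit_platform = SIGNATURES[alert["sig"]]
    assert category in CATEGORIES
    target_platform = REGISTRY.get(alert["dst"])
    # An NT exploit fired at a UNIX box cannot have worked: incident, not intrusion.
    if exploit_platform and target_platform and exploit_platform != target_platform:
        return category, "incident", "platform mismatch"
    if alert["outcome"] == "blocked":
        return category, "incident", "blocked at router"
    if category in BREACH and alert["outcome"] == "succeeded":
        return category, "intrusion", "breach of system integrity"
    return category, "incident", "no breach confirmed"


def notification_deadline(alert):
    """Four-hour USAREUR/Army notification clock for an IA emergency."""
    return alert["time"] + timedelta(hours=4)


def triage_all(lines):
    return [triage(parse_alert(line)) for line in lines]


if __name__ == "__main__":
    for line, result in zip(ALERTS, triage_all(ALERTS)):
        print(line.split()[1], "->", result)
```

The platform check is why the host registry matters: without knowing that 10.0.1.5 runs UNIX, the first alert would have to be worked as a possible intrusion rather than dismissed as noise.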

IA Fundamental Number 3: Permissions And Configuration

Managed Use of Computers and Networks. A frequently violated tenet of network security is the strict control of authorized users. In USAREUR, only those people who have a verified need for a user account should have one, and the verification cannot come from the user. In addition, we require user account lists to be scrubbed frequently for accuracy, making sure user accounts are deleted when people leave their jobs.

Control Of Authority Levels. Inseparable from authorized use is the level of authority granted to people within the computer system. USAREUR gives only the level of access needed, as validated by a supervisor, and commensurate with licensed skills. People are not given higher accesses without validated need or the proper training and license.
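An account review that enforces the three rules above (an independent roster, validation that does not come from the user, and access no higher than the license held), added here as an example and not USAREUR's own procedure; every name, roster entry and license level is constructed.

```python
from dataclasses import dataclass

# Ordering of training licenses; "security" and "sysadmin" share the core skills.
LICENSE_RANK = {"none": 0, "operator": 1, "sysadmin": 2, "security": 2}
# Minimum license each access level requires (assumed mapping).
ACCESS_REQUIRES = {"user": "operator", "admin": "sysadmin", "root": "sysadmin"}


@dataclass
class Account:
    user: str
    access: str          # "user", "admin" or "root"
    validated_by: str    # who verified the need; must be a supervisor, never the user


# Constructed: personnel roster (the independent source of truth),
# licenses earned through testing, and the set of supervisors.
ROSTER = {"smith": "active", "jones": "departed", "lee": "active", "nguyen": "active"}
LICENSES = {"smith": "operator", "lee": "sysadmin", "nguyen": "operator"}
SUPERVISORS = {"lee", "hall"}

ACCOUNTS = [
    Account("smith", "user", "lee"),
    Account("jones", "user", "hall"),      # left the job, account still exists
    Account("nguyen", "root", "nguyen"),   # self-validated and over-privileged
    Account("lee", "admin", "hall"),
    Account("ghost", "user", "hall"),      # nobody by that name on the roster
]


def review(accounts):
    """Return (user, action) findings; an empty list means the accounts are clean."""
    findings = []
    for a in accounts:
        if ROSTER.get(a.user) != "active":
            findings.append((a.user, "delete: not on active roster"))
            continue
        if a.validated_by == a.user or a.validated_by not in SUPERVISORS:
            findings.append((a.user, "suspend: need not validated by a supervisor"))
        needed = ACCESS_REQUIRES[a.access]
        held = LICENSES.get(a.user, "none")
        if LICENSE_RANK[held] < LICENSE_RANK[needed]:
            findings.append((a.user,
                             f"downgrade: {a.access} access requires {needed} license, holds {held}"))
    return findings


if __name__ == "__main__":
    for user, action in review(ACCOUNTS):
        print(user, action)
```

The roster is consulted first and on its own: an account that belongs to nobody currently employed is deleted regardless of who validated it or what license it carries.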

Strong Passwords. USAREUR policy requires passwords to be a minimum of eight alphanumeric characters. Passwords must be changed every six months on the unclassified side, every three months on the classified side, or upon compromise, whichever is sooner. The RCERT-Europe web site provides a link to a password generator to help system administrators generate legal passwords.
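A generator and checker for the policy just stated, added as an example rather than the RCERT-Europe tool: minimum length, a mix of letters and digits, and the change interval by classification side or on compromise. The interval table and the default length are assumptions.

```python
import secrets
import string
from datetime import date

MIN_LEN = 8
# Maximum password age in days per side, from the policy above.
MAX_AGE_DAYS = {"unclassified": 180, "classified": 90}


def is_legal(password):
    """At least MIN_LEN characters, containing both letters and digits."""
    return (len(password) >= MIN_LEN
            and any(c.isalpha() for c in password)
            and any(c.isdigit() for c in password))


def generate(length=12):
    """Draw from a CSPRNG and resample until the letter/digit mix holds."""
    alphabet = string.ascii_letters + string.digits
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if is_legal(candidate):
            return candidate


def change_due(last_changed, side, compromised=False, today=None):
    """True when the password must be changed: age limit reached or compromise reported."""
    if compromised:
        return True
    today = today or date.today()
    return (today - last_changed).days >= MAX_AGE_DAYS[side]


if __name__ == "__main__":
    pw = generate()
    print(pw, is_legal(pw))
    print(change_due(date(2000, 1, 1), "classified", today=date(2000, 6, 1)))
```

The `secrets` module, not `random`, is the right source for anything an attacker might try to predict. Note that the eight-character, six-month rule is the policy as this article states it; current guidance such as NIST SP 800-63B favors longer passphrases screened against known-breached lists and rotation on compromise rather than on a calendar.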

Software Configuration. RCERT-Europe has designed security configuration baselines for UNIX and Windows applications that must be applied to all clients, servers and routers on USAREUR networks. Standardization is a cornerstone of our software configuration program, but there is enough flexibility to provide tailored applications at each of our different and dispersed commands. We post our software configuration standards to the RCERT-Europe web site so all USAREUR system administrators and security staffs have access to them.
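A baseline check with per-command tailoring, added as an example of the standard-plus-exception model described above; it is not RCERT-Europe's baseline, and every setting name, command name and host snapshot is constructed.

```python
# Required settings per platform (constructed; not the real RCERT-Europe baselines).
BASELINE = {
    "nt": {"guest_account": "disabled", "null_sessions": "restricted", "telnet": "off"},
    "unix": {"rlogin": "off", "telnet": "off", "finger": "off", "root_remote_login": "off"},
}

# Tailored deviations a command is allowed: key -> (value, documented reason).
TAILORING = {
    "cmd_a": {"unix": {"telnet": ("on", "legacy terminal servers, documented exception")}},
}

# Constructed host snapshots as a scanner might collect them.
HOSTS = [
    {"name": "srv1", "platform": "unix", "command": "cmd_a",
     "settings": {"rlogin": "off", "telnet": "on", "finger": "on", "root_remote_login": "off"}},
    {"name": "ws7", "platform": "nt", "command": "cmd_b",
     "settings": {"null_sessions": "restricted", "telnet": "off"}},
]


def effective_baseline(platform, command):
    """Standard baseline with the command's approved exceptions applied on top."""
    required = dict(BASELINE[platform])
    for key, (value, _reason) in TAILORING.get(command, {}).get(platform, {}).items():
        required[key] = value
    return required


def drift(host):
    """Settings that differ from what this host must have: key -> (actual, required).
    A missing setting counts as drift, since 'not configured' is not 'configured securely'."""
    required = effective_baseline(host["platform"], host["command"])
    actual = host["settings"]
    return {k: (actual.get(k), v) for k, v in required.items() if actual.get(k) != v}


def report(hosts):
    return {h["name"]: drift(h) for h in hosts}


if __name__ == "__main__":
    for name, deviations in report(HOSTS).items():
        print(name, deviations or "compliant")
```

Exceptions are recorded with a reason so the flexibility the article describes stays auditable: srv1's telnet is allowed because its command documented why, while finger on the same host is still flagged.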

Firewalls and Security Routers. Too often, firewalls are seen as a universal solution for preventing unauthorized access to computer networks and systems. Guards and firewalls are not perfect security devices. All of them contain inherent vulnerabilities, some common to all and some unique to a particular product. Extreme caution must be exercised in their use, with emphasis on how they are set up and maintained.

While it is true that firewalls can prevent unauthorized network activity, they can also impede normal business, and they do not easily address the internal threat. The trick is to configure a firewall so it gives you an optimum balance of operations and security, recognizing that no one solution is a silver bullet for securing diverse LANs, servers and systems. USAREUR has found that it is often just as easy and certainly cheaper to add security at the network routers by denying access to particular rogue IP addresses or by denying certain services. These protections are tailored to allow traffic the client needs, while preventing connections that may constitute a risk.
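The router-level filtering just described, written out as an added example (not USAREUR's router configuration): an ordered rule list with first-match semantics and an implicit deny at the end, the way a router access list behaves. Addresses, ports and the rule set are constructed; the 192.0.2.0/24 "rogue" block is a documentation range.

```python
import ipaddress

# (action, source net, destination net, destination port or None for any, comment).
# First matching rule wins; anything unmatched is denied.
RULES = [
    ("deny",   "192.0.2.0/24", "any",         None, "rogue source block"),
    ("deny",   "any",          "any",         23,   "telnet not permitted"),
    ("deny",   "any",          "any",         111,  "sunrpc not permitted"),
    ("permit", "any",          "10.0.2.9/32", 25,   "mail to the exchange server"),
    ("permit", "any",          "10.0.0.0/16", 80,   "web"),
]


def _in_net(addr, net):
    return net == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(net)


def matches(rule, src, dst, port):
    _action, rsrc, rdst, rport, _comment = rule
    return _in_net(src, rsrc) and _in_net(dst, rdst) and (rport is None or rport == port)


def decide(src, dst, port):
    """Return (action, reason) for a connection attempt."""
    for rule in RULES:
        if matches(rule, src, dst, port):
            return rule[0], rule[4]
    return "deny", "implicit deny"


if __name__ == "__main__":
    for conn in [("192.0.2.5", "10.0.2.9", 25), ("198.51.100.3", "10.0.2.9", 25),
                 ("198.51.100.3", "10.0.1.5", 23), ("198.51.100.3", "10.0.1.5", 22)]:
        print(conn, "->", decide(*conn))
```

Ordering is the whole point: the rogue-source deny sits first so it wins even for services that are otherwise permitted, and the implicit deny at the bottom means a client must ask for each service it needs rather than inherit everything.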

Anti-Virus and Malicious Logic (ML). RCERT-Europe's web site has the latest versions of two popular commercial anti-virus software packages, which we get under DoD site license. Both vendors continuously update their products, but signature-based detection inevitably stays one step behind the authors and distributors of new malicious code, so it is essential that all systems run the latest versions of the anti-virus software.

Encryption. USAREUR is taking a hard look at greater use of medium and high assurance encryption technologies to give added protection to sensitive information. Encrypting data streams and hard drives adds a degree of security unavailable any other way, particularly on unclassified systems. The use of public key encryption technology to secure unclassified but sensitive e-mail is widely known and used.

Less common, but no less useful, is encrypting to media. The trick is to make use of this technology transparent to the user because if it's cumbersome, it won't be used. We see this as a particularly useful methodology in cases where there is concern that system administrators or others with elevated privileges could read private files, or where there is concern that other insiders might gain access to information the owners do not want them to see.

Potential customers for disk encryption are senior leaders, inspectors general, criminal investigators, medical doctors and staff, people who handle sensitive personnel actions, and finance officers and staff. It's unlikely anyone would want to encrypt everything they save to hard drives or floppy disk, but in cases when particularly sensitive matters are involved, encryption that only the author can undo is an attractive option.

Physical Security. Without physical security all the virtual security in the world can become irrelevant. This seems obvious but often gets overlooked during network design and installation, with expensive retrofit repercussions.

IA Fundamental Number 4: Command and Control

Command Support. Command support is the bedrock of any military program. Like corporate CEOs, our commanders determine the relative priorities of everything that requires scarce time, money and manpower. We work hard to make IA a strong competitor for these resources and USAREUR leaders are absolutely behind what we do.

Resourcing. Every organization has to make the decision on how much security it can afford. Clearly, the grades of the children in our dependent schools deserve to be free from manipulation, but at what cost? If it costs a million dollars to secure them, is it worth it? Perhaps we can adopt strong, dynamic passwords at no cost and accept any residual risk. On the other hand, for mission critical information, like deployment timetables or medical records, a million dollars may be a small price to pay for the protection they deserve. In all cases, we work closely with network managers and their leadership to make sure they have the security they need without overdoing it.

Money, of course, isn't the only critical resource. Staffing decisions also play a key role. USAREUR has found that manning documents need to provide for a dedicated system administrator and information systems security officer at all battalion or battalion equivalent organizations and, generally, on all staffs that are led by a Lieutenant Colonel or higher.

Customer Support. While it is the hacker alarm system that gets all the attention, the foundation of RCERT-Europe's success in preventing damage by hackers is built on customer support. For example, an alarm sounds indicating one of our systems is being attacked by an intruder through a vulnerability in the Windows NT operating system for MS Exchange e-mail servers. RCERT-Europe immediately notifies not only the SA of the server being attacked, but also every USAREUR MS Exchange administrator, telling them how to fix their systems. RCERT-Europe also provides defensive vulnerability scanning to find security weaknesses before hackers do and then, working by phone, e-mail or on site with the system administrators, applies the appropriate security patches and configures the network correctly.

System and Workforce Registration. When a fire alarm rings at the station house, fire fighters have to know whose house is on fire and what kind of house it is, in order to figure out where to go and how to fight the fire. The same goes for an effective IA defense. We require 100 percent workforce and system/network registration. This allows us to get the word out when there is a new software problem, virus alert or particular kind of attack under way. It also keeps us from wasting time in the NT community during UNIX events, or vice versa. We also accommodate the Army's centralized vulnerability alert process by requiring our network operations and security workforce to register with the Army list server at Ft. Belvoir. All registration is done via our RCERT-Europe web site.

Policies. Sometimes money and manpower are not the only solutions to problems, and in the IA business, there are many effective ways to use good policy. Policies and regulations set the security standards for our networks, outline training requirements, detail reporting procedures in the event of a security problem and require that people at all levels be held accountable for their actions.

Inspections. Effective, independent oversight is indispensable for real IA. The IA program manager provides USAREUR inspector general teams with an IA security expert in order to keep IA an up-front and visible part of the command's comprehensive inspection program.

Discipline. Two kinds of discipline are needed to make these programs work: self-discipline, and when that fails, discipline in some form of appropriate punishment. People who do not want to play by the rules jeopardize not only USAREUR's networks, but DoD's networks. This requires swift and appropriate action by commanders who take this seriously. Slowly, commanders are coming to realize that virtual damage in a computer network is no different from the actual damage an employee might do to a vehicle. Both situations must be investigated and dealt with in the same way.

Conclusion

Putting security features in a computer network is like putting hurdles on a running track. You have to make sure the hurdles are high enough to do the job, but not so high you cannot run anymore. Adding enough security to a computer network to give IA without measurably slowing traffic requires tailored solutions with each network user. It also requires an informed and supportive leadership and a well trained workforce. Getting there is not easy, fast or inexpensive, but failure to do this jeopardizes every network and every bit of data stored inside it. Bottom line: IA is an expensive but inescapable component of the Information Age.

About the Authors: COL Dennis Treece, Mr. Tom Ledoux and MAJ Kevin Maley