TRANSCOM Computer Security Training - PowerPoint PPT Presentation

About This Presentation
Title: TRANSCOM Computer Security Training
Description: Computer Security Program drivers. Protecting DOE computer ... Screen savers and Password Protection. Use only software that has been tested and approved ... (PowerPoint PPT presentation)

Slides: 29
Provided by: UT9

Transcript and Presenter's Notes

1
TRANSCOM Computer Security Training
2
Training Facility Information
3
Computer Security Training Objectives
  • Computer Security Program drivers
  • Protecting DOE computer resources and data
  • Computer vulnerabilities and threats
  • Secure DOE User IDs and passwords
  • Social Engineering: the art of manipulation
  • Computer security incident reporting procedures

AWARENESS
4
Computer Security Program
  • What is the purpose of DOE's unclassified
    computer security program?
  • Uniform security requirements
  • Responsibilities
  • Policies and procedures
  • Site audits for compliance
  • Establish security plan requirements based on
    national security directives, executive orders,
    public law, and site policies

5
Computer Security Program Drivers
  • DOE Order 200.1
  • Public Law 100-235, Computer Security Act of 1987
  • OMB Circular A-130, Appendix III
  • DOE Order 205.1A, 205.2, 205.3 and 205.4
  • FIPS 199 Standards for Security Categorization of
    Federal Information and Information Systems

6
Protecting DOE Resources: What are Computer Resources?
  • Workstation/desktop
  • Laptop
  • Printer
  • Peripherals such as a scanner
  • Fax machine
  • Personal Digital Assistants with download
    capability
  • Cell Phones with download capability
  • Wireless/Infrared (Bluetooth technology)

7
Protecting DOE Resources: Foundations of Computer Security
Security objectives for Information Systems: C. I. A.
8
Foundations of Computer Security
Confidentiality
  • Keep information Private
  • Prevent Unauthorized Disclosure
  • Accomplish through
  • Passwords
  • Access Control
  • Encryption
  • APPLYING NEED TO KNOW

9
Foundations of Computer Security
Integrity
  • Information is complete and unaltered.
  • Changes performed by authorized personnel
    in a specified manner.
  • Examples
  • Falsifying Route Information
  • Falsifying Bill of Ladings
  • Falsifying Schedules

10
Foundations of Computer Security
Availability
  • INFORMATION IS AVAILABLE WHEN NEEDED
  • INFORMATION IS IN A USABLE FORMAT
  • EXAMPLE
  • Users ability to view shipment information when
    needed

11
Protecting DOE Resources: Loss of Data
  • Most data/information is lost or disclosed
    accidentally
  • Factors contributing to loss of data
  • lax management attitude
  • false sense of security
  • not understanding the value of information

12
Protecting Information
  • Potential TRANSCOM information targeted
  • Routes
  • Current Position
  • Bill of Lading Information

13
Protecting DOE Resources: Tools and Methods
  • Screen savers and Password Protection
  • Use only software that has been tested and
    approved
  • Flash drives
  • Passwords: two sets (1st authentication and
    application)
  • Virus check all software and media
  • Awareness of surroundings, computer, and of those
    with a need to know
  • Computer Security - AWARENESS

14
Computer Vulnerability Threats
  • Insiders
  • pose the greatest threat
  • have access and are familiar with the computer
    system
  • unintentionally destroy or alter information -
    carelessness or ignorance
  • Hacker
  • Individual who utilizes his/her technical ability
    to gain unauthorized access to cause mischievous
    or destructive activity
  • Disasters
  • from natural events
  • Anomalies
  • anything out of the ordinary

15
Secure DOE User IDs and Passwords: Password Program Drivers
  • Good business practice to use passwords.
  • DOE G 205.3-1 Password Guide
  • Establishes requirements for generating,
    protecting and using passwords

16
Protect Your Passwords
  • If someone else logs on using your password
  • Audit trail says it was you!!!!
  • Memorize your passwords! If you must write your
    password down
  • place in sealed envelope
  • store it in a locked drawer
  • Don't share or reveal passwords
  • Select strong/unique passwords
  • DOE: change password every 90 days

17
Protect Your Passwords (cont)
  • Avoid using personal information
  • DOB - license plate - home address
  • family member names or pet names
  • Do not choose words that
  • are found in the dictionary
  • consist of repeat characters
  • contain common abbreviations, words or numbers

18
Choosing a Password
  • Passwords contain at least eight non-blank
    characters
  • Passwords contain a combination of letters
    (preferably a mixture of upper and lowercase),
    numbers, and at least one special character
    within the first seven positions
  • Passwords contain a nonnumeric character in the
    first and last position
  • Passwords do not contain the user ID
  • Example: a 9 u V s 0 t

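The rules on the slide above, written out as a checker that an administrator could run against a proposed password before accepting it. This is an added example and not part of the original training deck or any DOE tool; the list of special characters is an assumption (the slide's own examples were lost in extraction), so `string.punctuation` stands in for it.

```python
"""Check a candidate password against the slide's rules (added example).

Rules implemented: at least eight non-blank characters; letters and digits
present; at least one special character within the first seven positions;
a non-numeric character in the first and last position; user ID not contained.
"""
import string

# Assumption: the slide's list of special characters did not survive
# extraction, so all ASCII punctuation is accepted here.
SPECIALS = set(string.punctuation)
MIN_LEN = 8          # "at least eight non-blank characters"
SPECIAL_WINDOW = 7   # special character must appear in positions 1..7


def check_password(password: str, user_id: str = "") -> list:
    """Return the list of rule violations; an empty list means the password passes."""
    problems = []
    nonblank = [c for c in password if not c.isspace()]
    if len(nonblank) < MIN_LEN:
        problems.append("fewer than eight non-blank characters")
    if not any(c.isalpha() for c in password):
        problems.append("no letters")
    if not any(c.isdigit() for c in password):
        problems.append("no digits")
    if not any(c in SPECIALS for c in password[:SPECIAL_WINDOW]):
        problems.append("no special character in the first seven positions")
    if not password or password[0].isdigit() or password[-1].isdigit():
        problems.append("first or last character is numeric")
    if user_id and user_id.lower() in password.lower():
        problems.append("contains the user ID")
    return problems


def has_mixed_case(password: str) -> bool:
    """The slide says mixed case is preferred, not required, so report it separately."""
    return any(c.isupper() for c in password) and any(c.islower() for c in password)


if __name__ == "__main__":
    # Constructed samples for a hypothetical user ID "jsmith".
    for candidate in ["aB3$defg", "jsmith!1x", "1abc$efg2", "12345678"]:
        issues = check_password(candidate, "jsmith")
        verdict = "OK" if not issues else "REJECT: " + "; ".join(issues)
        if not issues and not has_mixed_case(candidate):
            verdict += " (advice: mix upper and lower case)"
        print(f"{candidate!r}: {verdict}")
```
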
19
Social Engineering
The practice of exploiting what has long been
considered the 'weakest link' in the security
chain of an organization, the 'Human Factor':
the art and science of getting people to comply
with your wishes.

20
Social Engineering
  • HOW IS IT DONE?
  • Direct Request: calling someone up and asking
    for their system access passwords.
  • Important User: calling a person and acting as
    though they are a senior manager with a deadline
    who needs access to the system.
  • Helpless User: pretending to be a user who
    requires assistance to gain access to the
    organization's systems. Very simple and
    effective.
  • Technical Support Personnel: pretending to
    belong to an organization's technical support
    team.
  • Reverse Social Engineering (RSE): the attacker
    creates a problem and asks you to help solve it
    by providing information.
  • Sabotage: create a problem, or create the
    illusion of one (corrupt system)
  • Marketing: make sure the target has a way to
    contact him for assistance (email)


21
Social Engineering
  • Social Engineering techniques continued
  • E-mail: chain mail and virus hoaxes
  • Website: fictitious competitions or promotions
    which require a user to enter a contact
    email address and password.
  • Watch for over-the-shoulder observation and
    visitor behavior patterns
  • Dumpster diving

22
Social Engineering
Key traits for a target: You, Me
  • GETTING IN WITH THE BOSS!!! Get on the right
    side of somebody who could award you future
    benefits
  • AVOID GUILT, ACT MORALLY: the target's instinct
    to act morally in helping someone out, thus
    avoiding the feeling of guilt.
  • PERSONAL COMMUNICATION: results in the target
    voluntarily complying with the request without
    realizing the pressure being applied. Building
    relationships through previous dealings; small
    requests lead to BIG REQUESTS
  • ARE YOU CUSTOMER SERVICE ORIENTED? Today's #1
    measure of an employee's success in service
    oriented organizations.

23
Social Engineering
Countermeasures
  • Security Policy
  • A sound security policy will ensure a clear
    direction on what is expected of staff within an
    organization.
  • Good Security Architecture
  • Use of firewalls and firewall controls
  • Management Buy-In
  • Managers understand your role and understand what
    requires protection and why. Make sure protective
    measures are in place to protect against
    associated risks.

24
Social Engineering
Countermeasures
  • Education
  • Never give out any information without
    appropriate authorization, and report any
    suspicious behavior.
  • Limit Data Leakage
  • Reduce the amount of data available NEED TO
    KNOW
  • Incident Response Strategy
  • Know your organization's policies

AWARENESS
25
Incident Reporting
  • Incident - implies harm, or the attempt to harm
  • Some examples of an incident
  • Unauthorized use of another user's account or
    system privileges
  • Execution of malicious code
  • The details of an incident may become sensitive
    and even classified

26
Incident Reporting Procedure
  • Follow your organization's internal procedures
  • Contact Transcom Communication Center
  • (575) 234-7105


27
Summary
  • DOE's Computer Security Program is derived from
    DOE Orders, Notices, and Public Laws
  • TRANSCOM Users must exercise the need to know
    policy and be aware of the threats associated
    with the information processed within TRANSCOM
  • TRANSCOM requires all passwords meet DOE G
    205.3-1. Authorized users must take
    responsibility for protecting TRANSCOM passwords.
  • TRANSCOM Users must be aware of the incident
    reporting procedures within their own
    organizations as well as those required by DOE.

28
  • Questions?