If the user has followed the computer security model provisions
supplied by the IS Security Group on his/her system, the
networked computer should be configured to print out the time
and location of the user's last login each time the user is
granted access. Users should verify that the last session logged
was really theirs. They should also get in the habit of reviewing
the login history for irregularities. In UNIX this can be done
with the command "last".
When files or directories are identified that don't belong, an
incident exists. In UNIX, intruders like to hide files by
naming them something that starts with a period (.) because such
files are not listed when the standard ls command is given. Get
in the habit of checking for these types of files.
Other incidents include network interfaces in promiscuous mode
and unusual (or unauthorized) network connections. These can
indicate the presence of Ethernet sniffers, a Trojaned netstat,
etc.
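As an added example (not part of the NRL document), a POSIX shell script that performs the three checks described above on constructed sample data; the user names, host names, addresses and paths in it are constructed, and on a real host the functions would be fed the output of last(1), a directory path, and ip-link(8) instead.

```shell
# Added example, not from the NRL document: the login-history, dot-file and
# promiscuous-interface checks as shell functions over constructed data.
# Run the real last/find/ip binaries from trusted media; a trojaned one lies.

# Constructed sample of `last` output; the 02:47 login from 203.0.113.9
# is the irregularity a user should notice.
LAST_SAMPLE='jsmith   pts/1   wks17.nrl.example   Mon Jun  3 08:12   still logged in
jsmith   pts/2   203.0.113.9         Sun Jun  2 02:47 - 02:55  (00:08)
root     tty1                        Fri May 31 09:00 - 17:10  (08:10)
reboot   system boot  4.19.0         Fri May 31 08:58   still running

wtmp begins Fri May 31 08:58:00 2019'

# 1. Session rows whose origin host does not match the expected-origin regex.
#    Console logins (no origin, so field 3 is a weekday) are skipped.
unexpected_logins() {   # $1 = regex of expected origins; reads `last` text on stdin
  awk -v ok="$1" '
    NF == 0 || $1 == "reboot" || $1 == "wtmp" { next }
    $3 ~ /^[A-Z][a-z][a-z]$/                  { next }
    $3 !~ ok                                  { print $1, $2, $3 }'
}

# 2. Everything under a path component starting with "." (what plain ls hides).
hidden_files() {   # $1 = directory to audit
  find "$1" -path '*/.*' | sort
}

# Constructed tree: a visible report plus a dot-named directory with a file in it.
demo_hidden() {
  d=$(mktemp -d)
  touch "$d/report.txt"
  mkdir "$d/.tmp-cache" && touch "$d/.tmp-cache/out.log"
  hidden_files "$d" | sed "s|^$d/||"
  rm -rf "$d"
}

# 3. Interfaces flagged PROMISC in `ip link` output (one "N: name: <FLAGS> ..."
#    line per interface; ifconfig shows the same PROMISC flag in its own layout).
promisc_ifaces() {   # reads `ip link` text on stdin
  awk '/^[0-9]+: [^ ]+: <[^>]*PROMISC/ { sub(":$", "", $2); print $2 }'
}

# Constructed `ip link` output with eth0 in promiscuous mode.
IP_LINK_SAMPLE='1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN
2: eth0: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP'

printf '%s\n' "$LAST_SAMPLE" | unexpected_logins 'nrl[.]example$'
demo_hidden
printf '%s\n' "$IP_LINK_SAMPLE" | promisc_ifaces
```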
The following platform specification documents should be supplied
by the user:
Secure and commercial telephone numbers to DISSA Operations
Centers are:
WESTHEM/CONUS OC (STU-III)
Each user is individually responsible and should back up files
regularly. A user may wish to back up data every day, or at the
very least every week. Backups should be done either to tape or
to the local network archives. Many users choose to keep the
backup tape in a separate physical location from the computer,
so that if an incident happens, the tape won't fall prey to the
same incident. The system administrator should back up system and
user files regularly.
To eradicate the problem and recover the resource, the system
administrator will remove the exploited vulnerability by
installing patches identified by the IS Security Group, and
running a program such as SPI, COPS, Tiger, Ice-Pick, etc. Use a
trusted source to re-install damaged files, and retire the host
name and IP address.
Follow-up should include an assessment of the factors that
allowed the intrusion to occur, updating the security policy
that addresses this incident, and additional education for users
and administrators.
On-site hacking, particularly by summer Co-op students, is
considered a serious violation of NRL security requirements, as
it constitutes unauthorized access to Government sensitive
information. Upon confirmed detection of an on-site hacking
attempt, the NRL IS Security Group will immediately contact the
Co-op's sponsor or the NRL employee's supervisor. Action against
the Co-op or employee will be in accordance with NRL HRO Inst.
12540.1.
This is a DoD interest computer system. All DoD interest
computer systems and related equipment are intended for the
communication, transmission, processing, and storage of official
U.S. Government or authorized information only. All DoD interest
computer systems are subject to monitoring at all times to ensure
proper functioning of equipment and systems including security
devices and systems, to prevent unauthorized use and violations
of statutes and security regulations, to deter criminal activity,
and for other similar purposes. Any user of a DoD interest
computer system should be aware that any information placed in
this system is subject to monitoring and is not subject to any
expectation of privacy.
3.2.1 Initial Incident Reporting Procedures (unauthorized access)
If a user discovers an unauthorized access (on-site or off-site),
or suspects one has happened, he/she should contact the system
administrator immediately! Contact the system administrator
either with a personal visit or a phone call. Sending email to
the system administrator runs the risk that the unauthorized
user intercepts the mail message and learns that he/she has been
found. The system administrator will contact the IS ADP Security
Group.
3.2.2 Formal Notification of Break-in to DDN
Any DDN user (person/department/agency) having knowledge of a
suspected network security violation must contact the appropriate
operations center/area communications operations center, MILNET
Monitoring Center, NICE East, etc. to report the violation. If
possible, reporting should be via secure means.
3.3 Recovering Essential Network Resources
The initial action following discovery of a network incident is
containment. The system should be isolated immediately by the
user, either by shutting down the network interface or by
physical disconnection. Following this action, either the user or
the system administrator checks other systems for similar
intrusion signs, creates a complete system backup, and notifies
both the NRL IS Security Group and NAVCIRT. The NRL IS Security
Group will determine further action to be taken.
3.3.1 On-Site and Co-op Hacking
Two primary problems confront the system administrator: the
disgruntled or unconcerned employee and the outside cracker. A
disgruntled employee can set up an internal bypass for later use
or can use cracking programs from inside the network. In
addition, with more networks interconnected, the chances increase
that a legitimate user from one sub-network can find an open path
to another sub-network and from there into still other networks
where he has no legal authorization.
3.4 Network Activity Monitoring
While Public Law 99-474 applies to those who knowingly access a
computer without authorization, or to those who exceed their
authorization, there are also numerous site/organization specific
legal issues in accessing sensitive non-classified information,
which may include private information. Most Government agencies
(as does NRL) have complete control over their network and
display a monitoring notice, such as the DoD interest computer
system notice reproduced above, every time a user logs onto their
net.
3.4.1 Response to Privacy Violation Complaints
Upon receipt of a user privacy violation complaint regarding
personal mail, the following Memorandum for Record will be issued
by the NRL IS Security Office. This memorandum will be sent to
the individual involved, with a copy to the appropriate Branch
Head.