3.0 Network Penetration Control

Copyright(c), 1996 - Management Analytics and Others - All Rights Reserved


3.1 Background on Network Incidences

General recovery from LAN server hardware/software failures, communications node failures, the loss of mission-critical LAN servers, or a major LAN cable cut is the responsibility of NRL RCD. The NRL IS Security Group will respond to two types of incidents: (1) an NRL network security breach and (2) notification through various sources that a network vulnerability has been identified. Virus and denial of service attacks are covered in a different part of this plan.

3.2 Determination of Break-in (Security Breach) Incident

Incidents are reported by the system administrator, the user, or one of various monitoring agencies.

If the user has followed the computer security model provisions supplied by the IS Security Group on his/her system, the networked computer should be configured to display the time and location of the user's last login each time the user is granted access. Users should verify that the last session logged was really theirs. They should also get in the habit of reviewing the login history for irregularities. In UNIX this can be done with the command: last.

When files that don't belong are identified in a directory, an incident exists. With UNIX, intruders like to hide files by giving them names that start with a period (.) because such files are not listed by the standard ls command. Get in the habit of checking for these types of files.

Other incidents include interfaces placed in promiscuous mode and unusual (or unauthorized) network connections. Indicators can include the presence of Ethernet sniffers, a Trojaned netstat, etc.
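The three checks above (reviewing last, looking for dot-prefixed files, and spotting a promiscuous interface) can be scripted. The following is an added example in POSIX sh, not part of the NRL plan; the "last" lines, the directory tree used in testing, and the allowlist of known hosts are constructed sample data, and the sysfs flag check assumes a Linux system.

```shell
#!/bin/sh
# Added example, not part of the NRL plan: three small POSIX sh checks that
# correspond to the indicators in 3.2 (hidden dot-files, promiscuous
# interfaces, login history). The "last" lines and the allowlist below are
# constructed sample data, not real NRL hosts.

# 1. Hidden files. "ls" without -a omits names beginning with ".", so walk the
#    tree with find and print every such name (except "." and ".."), sorted.
find_hidden_files() {
    find "$1" -name '.*' ! -name '.' ! -name '..' -print | sort
}

# 2. Promiscuous interfaces. Linux exposes each interface's flag word in
#    /sys/class/net/<if>/flags; bit 0x100 is IFF_PROMISC. The predicate takes
#    the hex word as an argument so it can be exercised without a real NIC.
is_promisc_flags() {
    [ $(( $1 & 0x100 )) -ne 0 ]
}

# Print the name of every interface currently in promiscuous mode (Linux only).
list_promisc_ifaces() {
    for f in /sys/class/net/*/flags; do
        [ -r "$f" ] || continue
        if is_promisc_flags "$(cat "$f")"; then
            basename "$(dirname "$f")"
        fi
    done
}

# 3. Login review. Reads "last"-style lines on stdin (user, tty, source host,
#    then the timestamp) and prints user/tty/host for every entry whose source
#    host is not in the space-separated allowlist passed as $1. Pseudo-entries
#    such as "reboot" and the trailing "wtmp begins" line are skipped.
flag_unexpected_logins() {
    allow=" $1 "
    while read -r user tty host rest; do
        case "$user" in ''|reboot|wtmp) continue ;; esac
        case "$allow" in
            *" $host "*) ;;
            *) printf '%s %s %s\n' "$user" "$tty" "$host" ;;
        esac
    done
}

# Constructed sample of "last" output; 203.0.113.9 is a documentation address
# standing in for an unknown external host.
SAMPLE_LAST='alice    pts/0    10.0.0.5       Mon Jan  8 09:12   still logged in
alice    pts/1    203.0.113.9    Sun Jan  7 02:41 - 02:58  (00:17)
bob      pts/2    10.0.0.7       Sat Jan  6 17:03 - 18:20  (01:17)
reboot   system boot  4.4.0        Sat Jan  6 08:00
wtmp begins Sat Jan  6 08:00:00'
KNOWN_HOSTS='10.0.0.5 10.0.0.7'

# Demonstration on the sample. On a live system pipe the real command in:
#   last | flag_unexpected_logins "$KNOWN_HOSTS"
printf '%s\n' "$SAMPLE_LAST" | flag_unexpected_logins "$KNOWN_HOSTS"
list_promisc_ifaces
```

The allowlist approach is deliberately simple: a login from a host the user does not recognise is exactly the "irregularity" the text asks users to look for, and the same pattern extends to unexpected ttys or times of day.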

3.2.1 Initial Incident Reporting Procedures (unauthorized access)

If a user discovers an unauthorized access (on-site or off-site), or suspects one has happened, he/she should contact the system administrator immediately! Contact the system administrator either with a personal visit or a phone call. Sending email to the system administrator runs the risk of alerting the unauthorized user that he/she has been found, since the unauthorized user may intercept the mail message. The system administrator will contact the IS ADP Security Group.

The following platform specification documents should be supplied by the user:

1. Specific security models
2. Specific testing procedures
3. Specific investigation procedures

3.2.2 Formal Notification of Break-in to DDN

Any DDN user (person/department/agency) having knowledge of a suspected network security violation must contact the appropriate operations center/area communications operations center, MILNET Monitoring Center, NICE East, etc. to report the violation. If possible, reporting should be via secure means.

Secure and commercial telephone numbers to DISSA Operations Centers are:

WESTHEM/CONUS OC (STU-III)

DSN 312-746-1849
COM 202-692-5726

3.3 Recovering Essential Network Resources

The initial action following discovery of a network incident is containment. The system should be isolated immediately by the user, either by shutting down the network interface or by disconnecting the system from the network. Following this action, either the user or the system administrator checks other systems for similar signs of intrusion, creates a complete system backup, and notifies both the NRL IS Security Group and NAVCIRT. The NRL IS Security Group will determine further action to be taken.

Each user is individually responsible and should back up files regularly. A user may wish to back up data every day, or at the very least every week. Backups should be made either to tape or to the local network archives. Many users choose to keep the backup tape in a separate physical location from the computer; if an incident happens, the tape won't fall prey to the same incident. The system administrator should back up system and user files regularly.

To eradicate the problem and recover the resource, the system administrator will remove the exploited vulnerability by installing patches identified by the IS Security Group and running a program such as SPI, COPS, Tiger, or Ice-Pick. Re-install damaged files from a trusted source and retire the compromised system's name and IP address.

Follow-up should include an assessment of the factors that allowed the intrusion to occur, updating the security policy that addresses this kind of incident, and additional education for users and administrators.

3.3.1 On-Site and Co-op Hacking

Two primary problems confront the system administrator: the disgruntled or unconcerned employee and the outside cracker. A disgruntled employee can set up an internal bypass for later use or can use cracking programs from inside the network. In addition, with more networks interconnected, the chances increase that a legitimate user from one sub-network can find an open path to another sub-network and from there into still other networks where he has no legal authorization.

On-site hacking, particularly from summer Co-op students, is considered a serious violation of NRL security requirements for unauthorized access to Government sensitive information. Upon confirmed detection of an on-site hacking attempt, the NRL IS Security Group will immediately contact the Co-op's sponsor or the NRL employee's supervisor. Action against the Co-op or employee will be in accordance with NRL HRO Inst. 12540.1.

3.4 Network Activity Monitoring

While Public Law 99-474 applies to those who knowingly access a computer without authorization, or to those who exceed their authorization, there are also numerous site/organization specific legal issues in accessing sensitive non-classified information which may include private information. Most Government agencies (as does NRL) have complete control over their network and include a monitoring notice such as that shown below which appears every time a user logs onto their net.

Use of this or any other DoD interest computer system constitutes a consent to monitoring at all times.

This is a DoD interest computer system. All DoD interest computer systems and related equipment are intended for the communication, transmission, processing, and storage of official U.S. Government or authorized information only. All DoD interest computer systems are subject to monitoring at all times to ensure proper functioning of equipment and systems including security devices and systems, to prevent unauthorized use and violations of statutes and security regulations, to deter criminal activity, and for other similar purposes. Any user of a DoD interest computer system should be aware that any information placed in this system is subject to monitoring and is not subject to any expectation of privacy.

If monitoring of this or any DoD interest computer system reveals possible evidence of violation of criminal statutes, this evidence and any other related information, including identification information about the user, may be provided to law enforcement officials. If monitoring of this or any other DoD interest computer system reveals violations of security regulations or unauthorized use, employees who violate security regulations or make unauthorized use of DoD interest computer systems are subject to appropriate disciplinary action.

3.4.1 Response to Privacy Violation Complaints

Upon receipt of a user privacy violation complaint regarding personal mail, the following Memorandum for Record will be issued by the NRL IS Security Office. This memorandum will be sent to the individual involved with a copy to the appropriate Branch Head.

1. All Government computer resources are to be utilized for Official Use, and are not authorized for personal use. As an employee of the Naval Research Laboratory, you are/were an agent representing the United States Government. As such, your access to computer systems here was for Official Use Only. As part of your official duties, you had electronic mail boxes to communicate with various entities, both internal and external to NRL, for official, not personal, business.

2. Therefore, there is no violation of personal mail, or invasion of privacy. If, however, the mail boxes are being used for personal reasons, this does constitute a violation of the law, and parties who utilize Government resources for personal reasons are subject to administrative actions.