how to manage a contamination incident defense security service carolyn shugart information...
TRANSCRIPT
![Page 1: How to Manage a Contamination Incident Defense Security Service Carolyn Shugart Information Technology Specialist Standards & Quality Branch](https://reader035.vdocuments.us/reader035/viewer/2022062407/56649c925503460f9494de78/html5/thumbnails/1.jpg)
How to Manage a Contamination Incident
Defense Security Service Carolyn Shugart
Information Technology SpecialistStandards & Quality Branch
![Page 2: How to Manage a Contamination Incident Defense Security Service Carolyn Shugart Information Technology Specialist Standards & Quality Branch](https://reader035.vdocuments.us/reader035/viewer/2022062407/56649c925503460f9494de78/html5/thumbnails/2.jpg)
Objectives
• Define a compromise• Define a contamination• Describe the causes of a contamination• Discuss preparing an ad hoc team• Review steps for conducting an
Administrative Inquiry• Review reporting requirements • Discuss cleanup considerations
![Page 3: How to Manage a Contamination Incident Defense Security Service Carolyn Shugart Information Technology Specialist Standards & Quality Branch](https://reader035.vdocuments.us/reader035/viewer/2022062407/56649c925503460f9494de78/html5/thumbnails/3.jpg)
What is a compromise?
• The disclosure of classified informationto an unauthorized person
SECRET
![Page 4: How to Manage a Contamination Incident Defense Security Service Carolyn Shugart Information Technology Specialist Standards & Quality Branch](https://reader035.vdocuments.us/reader035/viewer/2022062407/56649c925503460f9494de78/html5/thumbnails/4.jpg)
What is a contamination?
• When classified information is processed on a non-accredited IS
OOPS
![Page 5: How to Manage a Contamination Incident Defense Security Service Carolyn Shugart Information Technology Specialist Standards & Quality Branch](https://reader035.vdocuments.us/reader035/viewer/2022062407/56649c925503460f9494de78/html5/thumbnails/5.jpg)
How does this happen?
• Change in classificationlevel
• Unsecure transmission
• Accidental / intentional use of non-accredited equipment
![Page 6: How to Manage a Contamination Incident Defense Security Service Carolyn Shugart Information Technology Specialist Standards & Quality Branch](https://reader035.vdocuments.us/reader035/viewer/2022062407/56649c925503460f9494de78/html5/thumbnails/6.jpg)
How does this happen?
•Unaccredited System with internal hard drive•Cleared employee saves to floppy•A temporary file created on internal hard drive then automaticallydeleted.
(S) Sssssssssssssssssssss(S) Sssssssssssssssssssss(S) Sssssssss
Secret
![Page 7: How to Manage a Contamination Incident Defense Security Service Carolyn Shugart Information Technology Specialist Standards & Quality Branch](https://reader035.vdocuments.us/reader035/viewer/2022062407/56649c925503460f9494de78/html5/thumbnails/7.jpg)
How does this happen?
UnclasUnclasSecret
1. “Track Changes” are hidden 2. Unclassified Extractionwww.dss.mil/infoas/index.htm
(U) Uu uuuuu uu uuuu uu.
(S) Ssss s ssss. Ssss ssss.
![Page 8: How to Manage a Contamination Incident Defense Security Service Carolyn Shugart Information Technology Specialist Standards & Quality Branch](https://reader035.vdocuments.us/reader035/viewer/2022062407/56649c925503460f9494de78/html5/thumbnails/8.jpg)
How does this happen?
Secret
Compilation creates classified
(U) Uu uuuuu uu uuuu uu.
(U) Ssss s ssss. Ssss ssss.
![Page 9: How to Manage a Contamination Incident Defense Security Service Carolyn Shugart Information Technology Specialist Standards & Quality Branch](https://reader035.vdocuments.us/reader035/viewer/2022062407/56649c925503460f9494de78/html5/thumbnails/9.jpg)
How does this happen?
S S
S U
![Page 10: How to Manage a Contamination Incident Defense Security Service Carolyn Shugart Information Technology Specialist Standards & Quality Branch](https://reader035.vdocuments.us/reader035/viewer/2022062407/56649c925503460f9494de78/html5/thumbnails/10.jpg)
Attitudes can be a factor!Attitudes can be a factor!
People not following the rules
Confusion Too busy to follow
the rules Indifference It can’t happen here It cost too much Everyone else does it
![Page 11: How to Manage a Contamination Incident Defense Security Service Carolyn Shugart Information Technology Specialist Standards & Quality Branch](https://reader035.vdocuments.us/reader035/viewer/2022062407/56649c925503460f9494de78/html5/thumbnails/11.jpg)
Before it happens, build an ad hoc team!
• No regular meetings • SysAdmins proficient
in each operating system
• SysAdmin proficient in email system
• Someone proficient in RAID drives
• Security RepRAID = Redundant Array of Independent Disks
![Page 12: How to Manage a Contamination Incident Defense Security Service Carolyn Shugart Information Technology Specialist Standards & Quality Branch](https://reader035.vdocuments.us/reader035/viewer/2022062407/56649c925503460f9494de78/html5/thumbnails/12.jpg)
Conducting an Administrative Inquiry!
• Investigate the loss, compromise, or suspected compromise of classified information
NISPOM Para 1-303
![Page 13: How to Manage a Contamination Incident Defense Security Service Carolyn Shugart Information Technology Specialist Standards & Quality Branch](https://reader035.vdocuments.us/reader035/viewer/2022062407/56649c925503460f9494de78/html5/thumbnails/13.jpg)
Conduct a preliminary inquiry!
• Conduct immediately
• Identify W5H, determine extent
• “Did a loss, compromiseor suspected compromiseoccur?”
What happened?
NISPOM Para 1-303a
![Page 14: How to Manage a Contamination Incident Defense Security Service Carolyn Shugart Information Technology Specialist Standards & Quality Branch](https://reader035.vdocuments.us/reader035/viewer/2022062407/56649c925503460f9494de78/html5/thumbnails/14.jpg)
Is there a loss, compromise, or suspected compromise?
• Loss: material can’t be located within a reasonable period of time
• Compromise: disclosure to unauthorized person(s)
• Suspected compromise: when disclosure can’t be reasonably precluded
![Page 15: How to Manage a Contamination Incident Defense Security Service Carolyn Shugart Information Technology Specialist Standards & Quality Branch](https://reader035.vdocuments.us/reader035/viewer/2022062407/56649c925503460f9494de78/html5/thumbnails/15.jpg)
Now what should be done?
• Assemble ad hoc team
• Physically isolate, protect all contaminated equipment
• Remove unauthorized people
![Page 16: How to Manage a Contamination Incident Defense Security Service Carolyn Shugart Information Technology Specialist Standards & Quality Branch](https://reader035.vdocuments.us/reader035/viewer/2022062407/56649c925503460f9494de78/html5/thumbnails/16.jpg)
What should be done? (cont.)
• Call your Defense Security Service (DSS) IS Rep and/or ISSP*
• Contact your customer, the data owner
• DO NOT DELETE DATA YET!
* Information Systems Security Professional
![Page 17: How to Manage a Contamination Incident Defense Security Service Carolyn Shugart Information Technology Specialist Standards & Quality Branch](https://reader035.vdocuments.us/reader035/viewer/2022062407/56649c925503460f9494de78/html5/thumbnails/17.jpg)
DO NOT DELETE THE FILE!!
“Would you take care of this for me!”
![Page 18: How to Manage a Contamination Incident Defense Security Service Carolyn Shugart Information Technology Specialist Standards & Quality Branch](https://reader035.vdocuments.us/reader035/viewer/2022062407/56649c925503460f9494de78/html5/thumbnails/18.jpg)
What will DSS do?
• Help you limit further systems from being contaminated.
• Work with you on sanitizing all infected systems.
![Page 19: How to Manage a Contamination Incident Defense Security Service Carolyn Shugart Information Technology Specialist Standards & Quality Branch](https://reader035.vdocuments.us/reader035/viewer/2022062407/56649c925503460f9494de78/html5/thumbnails/19.jpg)
What are important facts?
• What platforms and O/Ss are involved?• Are there any remote dial-ins• Are there any other network connections?• At what locations was the file or e-mail
received (e-mail servers) or placed?• Was the data encrypted? • Was the file deleted?• Is there RAID technology involved?
![Page 20: How to Manage a Contamination Incident Defense Security Service Carolyn Shugart Information Technology Specialist Standards & Quality Branch](https://reader035.vdocuments.us/reader035/viewer/2022062407/56649c925503460f9494de78/html5/thumbnails/20.jpg)
What about an email server?
• What type of email system is involved?• Is System Administrator cleared?• Ensure areas where deleted files are
retained are addressed, e.g., MS Exchange’s deleted item recovery container).
MS Exchange is discussed because of its widespread use. DSS does not endorse any products.
![Page 21: How to Manage a Contamination Incident Defense Security Service Carolyn Shugart Information Technology Specialist Standards & Quality Branch](https://reader035.vdocuments.us/reader035/viewer/2022062407/56649c925503460f9494de78/html5/thumbnails/21.jpg)
A B
Forget any components?
S
![Page 22: How to Manage a Contamination Incident Defense Security Service Carolyn Shugart Information Technology Specialist Standards & Quality Branch](https://reader035.vdocuments.us/reader035/viewer/2022062407/56649c925503460f9494de78/html5/thumbnails/22.jpg)
Follow through!
• Gather and review Audit Trails that are applicable– Paper– Electronic
• Interview all people known to be involved
![Page 23: How to Manage a Contamination Incident Defense Security Service Carolyn Shugart Information Technology Specialist Standards & Quality Branch](https://reader035.vdocuments.us/reader035/viewer/2022062407/56649c925503460f9494de78/html5/thumbnails/23.jpg)
And finally…
• Write and submit the final report (Paragraph 1-303c, NISPOM)
![Page 24: How to Manage a Contamination Incident Defense Security Service Carolyn Shugart Information Technology Specialist Standards & Quality Branch](https://reader035.vdocuments.us/reader035/viewer/2022062407/56649c925503460f9494de78/html5/thumbnails/24.jpg)
Follow available guidance!
• NISPOM AI Report Requirements (Paragraph 1-303)
• DSS Guidance for Conducting an AI
• Clearing and Sanitization Matrix
![Page 25: How to Manage a Contamination Incident Defense Security Service Carolyn Shugart Information Technology Specialist Standards & Quality Branch](https://reader035.vdocuments.us/reader035/viewer/2022062407/56649c925503460f9494de78/html5/thumbnails/25.jpg)
And don’t forget to
• Protect classified media• Sanitize/clear the system components• Write the report
SECRET
SECRET
SECRET DSS
![Page 26: How to Manage a Contamination Incident Defense Security Service Carolyn Shugart Information Technology Specialist Standards & Quality Branch](https://reader035.vdocuments.us/reader035/viewer/2022062407/56649c925503460f9494de78/html5/thumbnails/26.jpg)
• Norton Utilities “WipeInfo” • ISTAC (Government Issued)• Nuts & Bolts • Novell’s “Data Shredder” (Novell Consulting) • Sun’s “Purge” ( Part of the O/S)• SGI “FX” (Part of the O/S)• Unishred Pro - HP Unix and Linux• Infraworks Products: Shredder and Sanitizer• BCWipe • Terminus
Available software utilities:
Note: This is a partial list of products that have enabled contamination cleanup in the
past. DSS does not endorse any products.
![Page 27: How to Manage a Contamination Incident Defense Security Service Carolyn Shugart Information Technology Specialist Standards & Quality Branch](https://reader035.vdocuments.us/reader035/viewer/2022062407/56649c925503460f9494de78/html5/thumbnails/27.jpg)
Report suspenses!
• Initial - “promptly submit” (72 hours)
• Final - investigation is complete (15 days)
NISPOM Para 1-303b,c
![Page 28: How to Manage a Contamination Incident Defense Security Service Carolyn Shugart Information Technology Specialist Standards & Quality Branch](https://reader035.vdocuments.us/reader035/viewer/2022062407/56649c925503460f9494de78/html5/thumbnails/28.jpg)
One last thing…
• Send details to government customer to include cleanup action
• Include hardware and operating system platforms
• Request they provide additional cleanup steps within 30 days
![Page 29: How to Manage a Contamination Incident Defense Security Service Carolyn Shugart Information Technology Specialist Standards & Quality Branch](https://reader035.vdocuments.us/reader035/viewer/2022062407/56649c925503460f9494de78/html5/thumbnails/29.jpg)
Summary
• What causes contaminations• Possible cleanup considerations
• Reporting requirements
NISPOM Para 8-103b,c