1 / 29

How to Manage a Contamination Incident

How to Manage a Contamination Incident. Defense Security Service Carolyn Shugart Information Technology Specialist Standards & Quality Branch. Objectives. Define a compromise Define a contamination Describe the causes of a contamination Discuss preparing an ad hoc team

rmarsha
Download Presentation

How to Manage a Contamination Incident

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. How to Manage a Contamination Incident Defense Security Service Carolyn Shugart Information Technology Specialist Standards & Quality Branch

  2. Objectives • Define a compromise • Define a contamination • Describe the causes of a contamination • Discuss preparing an ad hoc team • Review steps for conducting an Administrative Inquiry • Review reporting requirements • Discuss cleanup considerations

  3. What is a compromise? • The disclosure of classified informationto an unauthorized person SECRET

  4. What is a contamination? When classified information is processed on a non-accredited IS OOPS

  5. How does this happen? • Change in classificationlevel • Unsecure transmission • Accidental / intentional use of non-accredited equipment

  6. (S) Sssssssss ssssssssssss (S) Sssssssss ssssssssssss (S) Sssssssss Secret How does this happen? • Unaccredited System with internal hard drive • Cleared employee saves to floppy • A temporary file created • on internal hard drive • then automatically • deleted.

  7. How does this happen? (S) Ssss s ssss. Ssss ssss. Unclas Secret (U) Uu uuuuu uu uuuu uu. 1. “Track Changes” are hidden 2. Unclassified Extraction www.dss.mil/infoas/index.htm

  8. How does this happen? (U) Ssss s ssss. Ssss ssss. Secret (U) Uu uuuuu uu uuuu uu. Compilation creates classified

  9. S S How does this happen? S U

  10. Attitudes can be a factor! • People not following the rules • Confusion • Too busy to follow the rules • Indifference • It can’t happen here • It cost too much • Everyone else does it

  11. Before it happens, build an ad hoc team! • No regular meetings • SysAdmins proficient in each operating system • SysAdmin proficient in email system • Someone proficient in RAID drives • Security Rep RAID = Redundant Array of Independent Disks

  12. Conducting an Administrative Inquiry! • Investigate the loss, compromise, or suspected compromise of classified information NISPOM Para 1-303

  13. Conduct a preliminary inquiry! • Conduct immediately • Identify W5H, determine extent • “Did a loss, compromiseor suspected compromiseoccur?” What happened? NISPOM Para 1-303a

  14. Is there a loss, compromise, or suspected compromise? • Loss: material can’t be located within a reasonable period of time • Compromise: disclosure to unauthorized person(s) • Suspected compromise: when disclosure can’t be reasonably precluded

  15. Now what should be done? • Assemble ad hoc team • Physically isolate, protect all contaminated equipment • Remove unauthorized people

  16. What should be done? (cont.) • Call your Defense Security Service (DSS) IS Rep and/or ISSP* • Contact your customer, the data owner • DO NOT DELETE DATA YET! * Information Systems Security Professional

  17. DO NOT DELETE THE FILE!! “Would you take care of this for me!”

  18. What will DSS do? • Help you limit further systems from being contaminated. • Work with you on sanitizing all infected systems.

  19. What are important facts? • What platforms and O/Ss are involved? • Are there any remote dial-ins • Are there any other network connections? • At what locations was the file or e-mail received (e-mail servers) or placed? • Was the data encrypted? • Was the file deleted? • Is there RAID technology involved?

  20. What about an email server? • What type of email system is involved? • Is System Administrator cleared? • Ensure areas where deleted files are retained are addressed, e.g., MS Exchange’s deleted item recovery container). MS Exchange is discussed because of its widespread use. DSS does not endorse any products.

  21. S Forget any components? A B

  22. Follow through! • Gather and review Audit Trails that are applicable • Paper • Electronic • Interview all people known to be involved

  23. And finally… • Write and submit the final report (Paragraph 1-303c, NISPOM)

  24. Follow available guidance! • NISPOM AI Report Requirements (Paragraph 1-303) • DSS Guidance for Conducting an AI • Clearing and Sanitization Matrix

  25. SECRET DSS SECRET SECRET And don’t forget to • Protect classified media • Sanitize/clear the system components • Write the report

  26. Available software utilities: • Norton Utilities “WipeInfo” • ISTAC (Government Issued) • Nuts & Bolts • Novell’s “Data Shredder” (Novell Consulting) • Sun’s “Purge” ( Part of the O/S) • SGI “FX” (Part of the O/S) • Unishred Pro - HP Unix and Linux • Infraworks Products: Shredder and Sanitizer • BCWipe • Terminus Note: This is a partial list of products that have enabled contamination cleanup in the past. DSS does not endorse any products.

  27. Report suspenses! • Initial - “promptly submit” (72 hours) • Final - investigation is complete (15 days) NISPOM Para 1-303b,c

  28. One last thing… • Send details to government customer to include cleanup action • Include hardware and operating system platforms • Request they provide additional cleanup steps within 30 days

  29. Summary • What causes contaminations • Possible cleanup considerations • Reporting requirements NISPOM Para 8-103b,c

More Related