AFSPC REFRESHER TRAINING COVER SLIDE: Good morning . Welcome to this presentation on the AFSPC Annual Refresher Computer Security Education, Training, & Awareness Program (ETAP) for AFSPC personnel. My name is . I am the with the . This ETAP presentation is targeted towards annual refresher training of AFSPC personnel, and will require approximately 20 minutes for the slide presentation, followed by a 10 to 20 minute discussion period. At the conclusion of this presentation you will understand (remember) the how and the why of the security protection measures in place for your organization. If you feel that you do not understand any portion of this presentation, please do not leave here without discussing the issues with me today. As a headquarters command, AFSPC contains many diverse elements and components, with personnel and organizations spread around the world. This presentation will equip you to continue to operate closely with all AFSPC elements, and to communicate via data processing resources in the course of your job by refreshing your awareness of the AFSPC approach to computer security, and by presenting the AFSPC organization and infrastructure that supports the AFSPC approach to computer security. < NEXT SLIDE > SLIDE 2: AFSPC/SCX Organization of AFSPC. AFSPC/SCX has been tasked by AFSPC with implementing Air Force directives concerning computer security. AFSPC/SCX fulfills this obligation through two primary roles: a) by developing, promulgating, and maintaining directives - SI 33-200 AFSPC C4 SYSTEMS SECURITY PROGRAM SI 33-202 AFSPC COMPUTER SECURITY (COMPUSEC) PROGRAM SI 33-203 AFSPC TEMPEST PROGRAM SI 33-204 AFSPC EDUCATION, TRAINING AND AWARENESS PROGRAM (ETAP) SI 33-1 C4 SECURITY CHECKLIST; and SI 33-2 DEVELOPMENTAL C4 SYSTEMS SECURITY, and b) by providing staff support to technical and task-driven activities. Some of you may have even worked on the drafting and development of these directives. Each of these documents addresses another piece of the overall program, and should be read and digested fully by you to enable you to apply them in everything that you do here. If you have any questions concerning these documents, or would like to discuss how to apply them in your real-world of work, please ask me about them. If you want some time to think of the way to phrase your question, remember that there will be a question-and-answer session at the end of this program. < NEXT SLIDE > SLIDE 3: BASE C4 SYSTEM SECURITY OFFICE Given the geographic distribution of AFSPC elements, the responsibilities for systems security issues at the local level have been delegated to base-level and to unit level C4 System Security offices. The Base C4 System Security Office is your local link to obtain help, guidance, clarification or support in computer security issues. The Base C4 System Security Office representative at this base is , and the telephone number is . Their office is located in . I'm sure that all of you know your Base C4 Systems Security Office personnel. Can someone tell me who the Bas C4 Systems Security Office is made up of? < NEXT SLIDE > SLIDE 4: UNIT C4 SYSTEM SECURITY OFFICE Besides the Base C4 System Security Office, you have an even closer point-of-contact for computer security assistance, and for your other systems security concerns. That point-of-contact is your Unit C4 System Security Office, and is your closest link to obtain help, guidance, clarification or support in computer security issues. The Unit C4 System Security Office representative at this base is , and the telephone number is . The office is located in . < NEXT SLIDE > SLIDE 5: C4 SYSTEMS PERSONNEL C4 Systems Personnel are pretty easy to find, because that is quite probably what YOU are. If you are in this briefing, and are seeing this presentation, you are a user, a provider, or are a link in the AFSPC C4 chain at some level. We will now discuss YOUR role in addressing computer security issues. The END USER is the individual who is really doing the day-to-day work. Computer security within AFSPC rises and falls with the user. If you, as a user, decide to try to work around the system, or to try and "get away" with some practices which go against policy, you probably can succeed for a period of time. Does this help you? Can you get your job done faster if you go around security? If so, you should be passing this information up the chain. The level of computer security protection was established knowing that SOME level of performance degradation may result. But feedback on the acceptability of the degradation can only come from you - the user. Do not assume that "everyone" has seen what you have seen. Feedback from you can help the entire command, so communicate! < NEXT SLIDE > SLIDE 6: UNDERSTANDING THE AFSPC COMPUSEC PROGRAM The AFSPC/SCX organization has made a commitment to proactively educate, indoctrinate, and train you to assist you in becoming the computer security-aware individual that is vitally needed for the forces of the nineties and beyond. This section of the presentation discusses how the elements of AFSPC support this program through their assigned roles. As the user you are a key component of this process. The Air Force establishes high-level policy for all aspects of USAF, to include AFSPC. Where USAF addresses computer security, this occurs at the policy level. A direction is set; a commitment is made to achieve a particular level or state of readiness in computer security. INFORMATION RESOURCES MANAGEMENT has a wide range of responsibility for the Information Resources of AFSPC. You may have understood that already, given their organization's name. One aspect of their role is to serve as the "owners" of all AFSPC information assets. Files, media, etc., belong to their area. Over time, you will become familiar with the day-to-day implications of this organization for you, but unless you routinely share files or data, you may have only minimal interaction with them. The SECURITY & AUDIT organization provides the real heart of the AFSPC computer security program. SECURITY & AUDIT will provide you with your boot disk and media. SECURITY & AUDIT will establish your operational parameters for your use of AFSPC computing resources, by establishing levels of permissions and your need-to-know of information. < NEXT SLIDE > SLIDE 7: Computer Security (COMPUSEC) The previous slide addressed "UNDERSTANDING AFSPC COMPUSEC," meaning in the organization. This slide addresses COMPUSEC from the perspective of action words: what does AFSPC DO to achieve a level of computer security? AFSPC roles & responsibilities for computer security are defined in SI 33-200. The organization that AFSPC has put in place reflects the guidance in SI 33-200. The specific roles described by SI 33-200 include the DAA, AFSPC/SCX C4 Systems Security Office, Base C4 Systems Security Office, Unit C4 Systems Security Office, and the role of C4 Systems Personnel, as listed in the preceding pages/slides. SI 33-202 implements SI 33-200, and describes the AFSPC Computer Security (COMPUSEC) Program. The major components of the AFSPC COMPUSEC program address: a) approval to operate from the DAA, b) minimum security requirements & automated computer security features, and c) Security Test & Evaluation (ST&E) as a means to verify the effectiveness of the security features. The concept that each of you should leave with, is that YOU are part of the AFSPC COMPUSEC program. If someone is applying COMPUSEC policy in an insecure or at least inadequate manner, ask for clarification. Do not assume that "everybody can see that ..." < NEXT SLIDE > SLIDE 8: Personnel Security Personnel Security policy falls along some of the same lines as physical security policy. Badges indicate who is/is not authorized to be in an operational area, and under what conditions, such as ESCORT REQUIRED, etc. What do you do when you see someone with ESCORT REQUIRED badge on their own, alone, in your area? Oh? Personnel Security policy also addresses what information specific individuals have been authorized access to. Sharing of information with your colleagues may seem natural to you, because you are all working together. In actuality, some of your colleagues may have no need-to-know or authorization for the information you process. How can you tell? One means of differentiating between users is certainly the work assignment. Any of your colleagues who are working the same tasks you are working may be correctly deemed to have a valid need-to-know for the information that you are processing. Another colleague, wearing the same blue uniform, but working in a different section, probably does NOT have a need-to-know. Personnel Security policy requires all users to have an adequate security clearance PLUS a valid need-to-know for all information that they obtain access to. If you are unsure, ask. Sure, you may have locked your keyboard. But if intruders cart your entire computer away, they might use another keyboard or other means at their leisure to access your system. How could an intruder get into your area to cart off your computer? By tail-gating behind you, when you come in. By watching your fingers punch in the cipher-lock code. By asking to "just use the bathroom," or something like that. Do you challenge unfamiliar personnel, when you see them without the required area badge? NO, because it makes you feel like a "cop?" Did you know that part of your responsibilities include protecting USAF property by enforcing personnel security? If you don't challenge un-badged personnel, or personnel exceeding their authorizations, you are cooperating with them in whatever they are doing. Why I remember when . . . SLIDE 9: INFORMATION SECURITY (INFOSEC) Information Security addresses the protection that we afford to the actual information in terms of documents, data, files, etc. Issues such as determining the proper security classification of the information, determining who has/does not have a valid need-to-know for the information, etc., are Information Security issues. The determination of whether or not to grant access to information causes us to think about, "What protection does this information require?" Much of the information we deal with on a daily basis may seem trivial to us, or not requiring extraordinary protection. When we print, and the paper looks bad, do we throw the COMMUNICATIONS ROUTING TABLE into the recycling box? Into the wastebasket? Into classified waste? Users need to be aware that the determination of sensitivity or classification may originate in another location, but each user can raise a voice to say, "This needs to be protected!" Look at your data in this way. If you are working with labeled classified data, this level of assessment may be unnecessary. The labels reflect the assigned security classification of the data, or of SOME PART of the data. Reclassification, declassification or relabeling of the data must occur only in accordance with your specific operating instructions, as approved by the DAA. For questions see your Unit C4 System Security Office. < NEXT SLIDE > SLIDE 10: Understanding Minimum Requirements The procedures regarding minimum requirements address measures which are implemented as an operational component of the computer system. The computer system then constitutes a part of the overall security mechanism. Individual automated features which have been implemented in Class C2 computer systems, and in AFSPC computer systems include: user IDs, passwords, audit controls, audit data and analysis, file protection and access controls, as well as object reuse measures. These automated features are easily used, and introduce no significant complexity or delay into processing. Can you imagine manually logging your use of the system in hardcopy, rather than creating an automated audit record? Also, the audit trail doesn't forget, and it doesn't lie. The responsibility for instituting the controls is a system management issue, not a user issue. Cooperating & applying the appropriate controls is a user issue. < NEXT SLIDE > SLIDE 11: Understanding Minimum Requirements - Passwords Passwords represent your ticket, your authorization to use the AFSPC computer resources. That ticket not only grants entry, but it declares your "credit limit" by associating a level of access along with the password/user ID. SI 33-202, paragraph 3.2.2, discusses the use, administration, and control of the AFSPC password. Passwords must be changed when compromised, or suspicion arises that they may be compromised. The structure of the password is prescribed in SI 33-202, 3.2.2, and also in AFSSI 5013, Password Management. Consider your password with respect. If it were a credit card for which you have to give account, you would be pretty careful with what you did with it, who you told about it, and who you would let use it. Your password is just as precious, and just as valuable. < NEXT SLIDE > SLIDE 12: Understanding Minimum Requirements - Audit Audit, and automated audit trails, provide the Computer Security Officer (CSO) and Network Security Officer (NSO) with a mechanism to selectively audit (track, follow, observe) the use of the system, to identify unauthorized activity, and to evaluate the security posture of a computer system or network. The CSO and NSO are responsible to track the audit trail events selectively. This means that they do not have the time to read each of your keystrokes. They are not the "BIG BROTHER" of George Orwell's book 1984. In fact, if you accidentally delete some files, or if you commit some error, you may be very happy that an audit trail exists that could serve to help you rebuild your data. The actions that the audit trail can (potentially) record are selected by the CSO or NSO to collect sufficient information to observe and track problems, without unduly taxing system resources, or collecting too much information to ever properly administer. Captured audit events include: use of identification/authentication mechanisms in other words - logins introduction of objects into a user's address space reading a file, opening a file, etc. deletion of objects OK password changes, or lockout of a user ID because of an expired password this is important This has been a refresher into "everything you ever wanted to know about audit ..." < NEXT SLIDE > SLIDE 13: Understanding Minimum Requirements - File Protection & Control SI 33-202 says that Discretionary Access Control is the same concept as 33-202 uses for file protection & control. The meaning is that the system must define and control access between individual users and individual objects (such as files, programs, displays, and menus). Objects must always be protected from unauthorized access. < NEXT SLIDE > SLIDE 14: Understanding Minimum Requirements - Threats & Vulnerabilities Terminology for computer security is not just the "buzzwords," like HACKER, CRACKER, TROJAN HORSE, and others. Plain English is also included such as RISK, THREAT, VULNERABILITY. A THREAT is an adverse event that could affect your system(s) or your facility. A VULNERABILITY is the likelihood of damage resulting from the occurrence of the THREAT. A RISK is the combination of THREAT + VULNERABILITY. In an attempt to quantify just how dangerous a VULNERABILITY may be to a particular installation, THREATS are evaluated against two criteria: 1) Frequency, and 2) Extent of Damage. A THREAT which occurs only once per hundred years, such as a local flood, would be serious, but may be "accepted," that is, to be "discounted" as a viable THREAT, because it is so infrequent. However, the EXTENT OF DAMAGE of such a THREAT may cause it to be re-evaluated, as the damage from such a flood would be catastrophic. Striking a balance between the Frequency and the Extent of Damage makes up a Risk Assessment. An EVENT that occurs only once every hundred years may be ignorable, but only if we look at how far into the hundred years we are. To counter the THREAT of flooding, a new building may be required to reduce the VULNERABILITY to the THREAT. The possibility of the THREAT (flooding) cannot be reduced, but the potential exposure to damage (VULNERABILITY) can certainly be reduced. A THREAT may also be something that would occur much more frequently, such as an ANNUAL blizzard. The VULNERABILITY may become an inability for personnel to get into the facility to accomplish their work. Here the frequency of an ANNUAL event is great. What is the VULNERABILITY? What does it cost? What do countermeasures provide? A frequent event, with a low cost may be "accepted" or "discounted" as a viable threat, because the organization can work around the problem. But how do we know the severity? How do we know whether we can work around the problem? This can be determined by the Risk Assessment process. Moving a computer with the cables attached can result in damage to the computer, and unhealthy consequences to the mover. This may be trivial, or this may be non-trivial. We make decisions at this level without even thinking about them. PCs are portable. They can be moved, and they can be stolen. Have you ever come into work in the morning and found your computer on? Things moved around at your desk? A possible virus on your computer? The sanctity of the workplace, even for a military organization, is threatened today. < NEXT SLIDE > SLIDE 15: Understanding Minimum Requirements - Output Marked By Classification The primary consideration of any security program of whatever stripe lies in protecting classified information from unauthorized access or manipulation. On a computer system, the markings indicating the classification may be applied to ALL data in a particular system; this is called Dedicated Mode Operations. Or the classification may be applied at varying levels; this is called Multilevel Operations. To simply say "multilevel" or "dedicated" is an easy matter; to construct a system to operate at all times and under all conditions so that it complies with these "labels" is a different matter. Because AFSPC has so many different systems and approaches, be aware that you as the user are responsible for always knowing the classification level of all data that you process on a computer. You are responsible for knowing the level that your session (the period of activity on a computer) is at. You are responsible for knowing and for following the direction and guidance for your particular computer system for labeling data, for classification levels which are and are not allowed on the systems. Without your assistance, labeling and classification will become confused and ineffective quickly. < NEXT SLIDE > SLIDE 16: Understanding Minimum Requirements - Report Computer Abuse Computer abuse is NOT where the computer abuses YOU. Computer abuse for our purposes is defined as the user applying the computer resource in a manner which contradicts the DAA approval to operate for the system, which goes against published policy for the system, and which is patently inappropriate. Examples include printing classified data from an unclassified machine because it is the fastest machine in the office. Also, disabling or disregarding security procedures for the sake of expediency; such as going to lunch without logging out or shutting down the computer, where unauthorized personnel could easily obtain access to your system and data in your absence. PROGRAM MANAGERS & FUNCTIONAL MANAGERS are tasked with getting the job done. Part of the criteria used to evaluate these managers is their track record of security violations or problems. A MANAGER who urges you to "go around" a security feature in the name of expediency is wrong. A MANAGER who winks at you going around a protective feature is also wrong. If you are faced with a time-critical task, and you need relief from some feature, discuss that with your MANAGER. Ask for advice on how to do your job. Have a solution ready to be suggested, though, because you know it best, as the END USER. For example, if your system requires a lengthy, complicated LOGIN procedure, and you just want to leave the system up when you go to lunch, so you won't have to go through that LOGIN process, what do you suggest in place of shutting down the system? Will that be effective in preventing unauthorized access to your system? ASK FIRST! Do not decide on your own to "accept the risk," because "I'm only going out for a sandwich." < NEXT SLIDE > SLIDE 17: This has been an AFSPC Production THIS CONCLUDES THE PRESENTATION PORTION OF THIS SESSION. WE WILL NOW OPEN THE SESSION TO A DISCUSSION PERIOD. PLEASE REMAIN IN YOUR SEATS, AS YOU ARE NOT DISMISSED. (** Open Discussion Session **) Closing Comments Thank you for your attendance at this presentation on the AFSPC Computer Security Education, Training, & Awareness Program (ETAP). My name is . I am the with the . I can be reached at . If you feel that you do not understand any portion of this presentation, please do not leave here without discussing the issues with me today. Thank you. You are now dismissed. <***** LAST SLIDE *****> AFSPC REFRESHER TRAINING Page 6