UNCLASSIFIED 01 RR RR UUUU
DIA WASHINGTON DC//DSM-4//
AIG 7894
SECDEF WASHINGTON DC//C3I-T//
JOINT STAFF WASHINGTON DC//6JT/DIRM-SCD/
NSACSS FT GEORGE G MEADE MD//T03/T711/V531/V34//
DCA WASHINGTON DC//DIS/DODM//
HQ AFOSI BOLLING AFB DC//IVSC//
AFCSC KELLY AFB TX//SRPE//
HQ ESC KELLY AFB TX//INAR//
DA WASHINGTON DC//DAMI-AM/DAMI-CIC/SAIS-SS//
CDRINSCOM FORT BELVOIR VA//IAOPA-OP-I/IAOPA-OP-TO//
CDRUSAOPSGP FT GEORGE G MEADE MD//IAGPC-TSE//
CDR902ND MIGP FT GEORGE G MEADE MD//IAGPA-OP-I//
CDR730THMIBN MUNICH GE//IAGPE-SCM//
HQ AFISA BOLLING AFB DC//IND//
COMNAVINTCOM WASHINGTON DC//OOQ/OOJ//
CDRINSCOM WASHINGTON DC//22E3/22E1//
NAVINVSERVA MUNICH GE//60MK//
NAVINVSERV ERREG LONDON UK//60HQ//
MICHAEL R. HIGGINS (703) 284-0182, 5 AUG 91 (DEJ) ROBERT L. AYERS, CHIEF, DSM-4
NAVINVSERVRA LONDON UK//60LN//
AFOSI DET 7008 MUNICH GE//CC//
CMC WASHINGTON DC//INTX//
USCENTCOM MACDILL AFB FL//J2//
USCINCEUR VAHINGEN GE//ECJ2/ECJ2-P/EUCOM AIDES//
USCINCLANT NORFOLK VA//J2//
USCINCPAC HONOLULU HI//J21//
CINCSAC OFFUTT AFB NE//INYSCC//
USCINCSO QUARRY HEIGHTS PM//J2//
USCINCTRANS SCOTT AFB IL//J2//
USCINCFOR FT MCPHERSON GA//J2//
USSPACECOM PETERSON AFB CO//J2//

UNCLAS U-7,338/DSM-4

PASS TO SITE/FACILITY/COMMAND INFORMATION SYSTEM SECURITY OFFICER (ISSO) AND SITE/FACILITY/COMMAND INFORMATION RESOURCE MANAGER (IRM); COMM CEN MUNICH GE PASS TO NAVINVSERVA MUNICH GE

SUBJECT: AUTOMATED SYSTEM SECURITY INCIDENT SUPPORT TEAM (ASSIST)

1. THIS IS THE INITIAL ALERT ORDER FOR THE FORMATION OF THE DEFENSE INTELLIGENCE AGENCY'S (DIA) AUTOMATED SYSTEM SECURITY INCIDENT SUPPORT TEAM (ASSIST). THE DIA OFFICE OF SECURITY SERVICES IS CHARTERED WITH THE RESPONSIBILITY FOR THE SECURITY OF THE DEPARTMENT OF DEFENSE INTELLIGENCE INFORMATION SYSTEM (DODIIS) NETWORKS. THE RECENT REORGANIZATION WITH THE DIA/DSM OFFICE CREATED THE ASSIST.

2. THIS TEAM HAS BEEN CHARTERED TO PROVIDE TECHNICAL ASSISTANCE TO DODIIS SITES FACED WITH A COMPUTER SECURITY EVENT/INCIDENT. THE TEAM WAS CREATED TO:
A. HANDLE SIGNIFICANT COMPUTER SECURITY INCIDENTS AT DOD SITES.
B. ESTABLISH A CENTER FOR INCIDENT HANDLING.
C. ESTABLISH A CLEARINGHOUSE OF INFORMATION ON COMPUTER SECURITY INCIDENTS.
D. DEVELOP COOPERATIVE PROCEDURES WITH DOD AND OTHER USG AGENCIES IN THE HANDLING OF COMPUTER SECURITY INCIDENTS.
E. DEVELOP GUIDELINES FOR INCIDENT HANDLING.
F. PROVIDE THE DODIIS SITES WITH A SKILLED ANALYSIS CAPABILITY FOR HANDLING COMPUTER SECURITY INCIDENTS.

3. ASSIST SEEKS TO FOSTER A COOPERATIVE ATMOSPHERE AMONGST THE INFORMATION SYSTEMS SECURITY OFFICERS (ISSO). BY WORKING TOGETHER, DISSEMINATING INFORMATION REGARDING SYSTEMS VULNERABILITIES, AND RESPONDING, REAL TIME, TO NETWORK INCIDENTS, DODIIS SECURITY POSTURE WILL BE IMPROVED. AS THE FOCAL POINT OF THE DODIIS NETWORK OF AUTOMATED INFORMATION SYSTEMS, ASSIST WILL RAPIDLY SHARE INFORMATION OF CONCERN WITHIN THE COMMUNITY.

4. TO AID ASSIST IN SUPPORTING THE COMPUTER SECURITY COMMUNITY, THE TERM COMPUTER SECURITY "INCIDENT" MUST BE DEFINED. A COMPUTER SECURITY INCIDENT IS DEFINED AS AN EVENT THAT HAS ACTUAL OR POTENTIAL ADVERSE EFFECTS ON THE COMPUTER OR NETWORK OPERATIONS. EXAMPLES OF INCIDENTS OF INTEREST TO ASSIST INCLUDE VIRUSES, WORMS, TROJAN HORSES, UNAUTHORIZED FILE TRANSFERS AND MODIFICATIONS, HACKER ATTACKS, CRACKER ATTACKS, MASQUERADING, SCAVENGING, AND SPOOFING. INCIDENTS MAY BE MANIFEST IN ONE OF THE FOLLOWING SYMPTOMS:
A. SYSTEM CRASH.
B. NEW USER ACCOUNTS OR HIGH ACTIVITY ON A PREVIOUSLY INACTIVE ACCOUNT.
C. NEW FILES, USUALLY WITH NOVEL OR NON-STANDARD NAMES.
D. ACCOUNTING DISCREPANCIES.
E. CHANGES IN FILE LENGTHS OR DATES.
F. ATTEMPTS TO WRITE TO SYSTEM.
G. DATA MODIFICATION OR DELETION.
H. DENIAL OF SERVICE, USER OR SYSTEM ADMIN LOCK OUT.
I. UNEXPLAINED, POOR SYSTEM PERFORMANCE, I.E. INCREASED SYSTEM RESPONSE TIME.
J. ANOMALIES, FREQUENT "BEEPS" OR DISPLAYS ON THE MONITOR.
K. SUSPICIOUS PROBES, NUMEROUS UNSUCCESSFUL LOGIN ATTEMPTS.
L. SUSPICIOUS BROWSING OF USER FILES.
M. UNEXPLAINED PRIVILEGE CHANGES.

5. NONE OF THESE INDICATIONS IS PROOF THAT AN INCIDENT IS OCCURRING, NOR ARE ALL THESE INDICATIONS NORMALLY OBSERVED WHEN AN INCIDENT OCCURS. IF SOMEONE OBSERVES ANY OF THESE INDICATIONS, HOWEVER, IT IS IMPORTANT TO SUSPECT AN INCIDENT MIGHT BE OCCURRING. OTHER THAN IN A CASE OF A VIRUS, NO FORMULA EXISTS TO DETERMINE WITH ABSOLUTE CERTAINTY THAT AN INCIDENT IS OCCURRING. DO NOT LET THE LACK OF INFORMATION AVAILABLE DISCOURAGE YOU FROM CONTACTING ASSIST.

6. AT THE TIME THAT THE ISSO CALLS ASSIST AND REQUESTS SERVICE, THE FOLLOWING INFORMATION WILL BE REQUIRED REGARDING THE INCIDENT:
A. PERSON AND AGENCY MAKING THE REPORT.
B. TYPE OF INCIDENT.
C. DATE AND TIME OF DISCOVERY.
D. DATE AND TIME OF INCIDENT (IF DIFFERENT AND/OR KNOWN).
E. TYPE OF COMPUTER INVOLVED.
F. TYPE OF OPERATING SYSTEM INVOLVED.
G. TYPE OF NETWORK SOFTWARE INVOLVED.
H. TYPE OF COMMUNICATIONS INVOLVED.
I. NARRATIVE OF INDICATIONS OF THE INCIDENT.
J. NARRATIVE OF ACTIONS TAKEN TO DATE.
K. REQUESTED ACTIONS OF ASSIST, IF ANY.

7. THE SCOPE OF TECHNICAL SUPPORT AVAILABLE FROM ASSIST EXTENDS FROM TELEPHONIC CONSULTATION, DIAGNOSIS AND CORRECTIVE RECOMMENDATIONS TO ON-SITE TECHNICAL ASSISTANCE FOR INCIDENT RECOVERY OPERATIONS. ASSIST MEMBERS ARE AVAILABLE 24 HOURS A DAY, 7 DAYS A WEEK THROUGH THE FOLLOWING MEANS:
A. DURING REGULAR DUTY HOURS (EST): ASK FOR "ASSIST" COMMERCIAL (703) 284-0182/1276 OR DSN 251-0182/1276.
B. AFTER DUTY HOURS: ASK FOR THE "ASSIST DUTY OFFICER" COMMERCIAL (202) 373-8000 OR DSN 243-8000.
C. IN AN EMERGENCY 24 HOURS A DAY: COMMERCIAL PAGER (202) 896-6863.

8. THIS IS THE FIRST IN A SERIES OF MESSAGES WHICH WILL OUTLINE THE PROGRAM AND GUIDELINES FOR USING THE ASSIST IN COMPUTER SECURITY INCIDENT RESPONSE. A COMPLETE PROGRAM OVERVIEW WILL BE PRESENTED AT THE 1ST ANNUAL DODIIS COMPUTER SECURITY OFFICERS CONFERENCE TO BE HELD 2-6 DECEMBER 1990 IN COLORADO SPRINGS, CO.

9. ANY QUESTIONS, CONCERNS OR ISSUES CAN BE ADDRESSED BY THE ASSIST TEAM CHIEF, MR. MIKE HIGGINS, COMM (703) 284-0182, DSN 251-0182, UNSECURE FAX (703) 284-0722, DISTS 981-7338 OR DDN DIA-COMMO AT DDN-CONUS.DDN.MIL ATTN: MIKE HIGGINS.
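The symptom list in paragraph 4 and the caveat in paragraph 5 (indications are grounds for suspicion, not proof) map directly onto the kind of baseline-versus-current sweep an ISSO would run before calling ASSIST. The following Python script is an added example and is not part of the DIA message; it implements four of the listed indicators (B: new accounts or activity on a previously inactive account, C and E: new files and changed file lengths or dates, K: numerous unsuccessful login attempts, M: unexplained privilege changes) over constructed sample data. The log lines, account and group baselines, file inventory and the failed-login threshold of 5 are all assumptions made for the example, and the output is deliberately labelled as indications rather than a determination that an incident occurred.

```python
"""Added example: baseline-vs-current sweep for the ASSIST symptom list.
All data below is constructed for illustration; none of it is from a real system."""
import re
from collections import Counter

# Constructed sample auth log (syslog-like lines, not from any real host).
AUTH_LOG = """\
Aug 05 02:14:01 host1 login[211]: FAILED LOGIN for root from 10.0.0.7
Aug 05 02:14:03 host1 login[211]: FAILED LOGIN for root from 10.0.0.7
Aug 05 02:14:05 host1 login[211]: FAILED LOGIN for root from 10.0.0.7
Aug 05 02:14:08 host1 login[211]: FAILED LOGIN for root from 10.0.0.7
Aug 05 02:14:10 host1 login[211]: FAILED LOGIN for root from 10.0.0.7
Aug 05 02:14:12 host1 login[211]: FAILED LOGIN for root from 10.0.0.7
Aug 05 02:15:00 host1 login[215]: LOGIN for jsmith from 10.0.0.9
Aug 05 02:16:00 host1 login[216]: LOGIN for oldacct from 10.0.0.7
"""

# Constructed baselines (what the ISSO recorded earlier) and the current state.
BASELINE_ACCOUNTS = {"root", "daemon", "jsmith", "oldacct"}
CURRENT_ACCOUNTS = {"root", "daemon", "jsmith", "oldacct", "zz_tmp"}
INACTIVE_ACCOUNTS = {"oldacct"}  # accounts with no logins during the baseline period
BASELINE_FILES = {"/etc/passwd": (1024, "1991-08-01"), "/bin/login": (40960, "1990-11-02")}
CURRENT_FILES = {"/etc/passwd": (1061, "1991-08-05"), "/bin/login": (40960, "1990-11-02"),
                 "/tmp/.x": (512, "1991-08-05")}
BASELINE_GROUPS = {"wheel": ["root", "jsmith"]}
CURRENT_GROUPS = {"wheel": ["root", "jsmith", "zz_tmp"]}

FAILED_RE = re.compile(r"FAILED LOGIN for (\S+) from (\S+)")
LOGIN_RE = re.compile(r"LOGIN for (\S+) from (\S+)")


def failed_login_bursts(log_text, threshold=5):
    """Indicator K: numerous unsuccessful login attempts, counted per (user, source)."""
    counts = Counter()
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            counts[m.groups()] += 1
    return [(user, src, n) for (user, src), n in counts.items() if n >= threshold]


def account_anomalies(baseline, current, inactive, log_text):
    """Indicator B: accounts not in the baseline, and successful logins on
    accounts that were inactive during the baseline period."""
    new_accounts = sorted(set(current) - set(baseline))
    woke_up = []
    for line in log_text.splitlines():
        if "FAILED" in line:          # only successful logins count here
            continue
        m = LOGIN_RE.search(line)
        if m and m.group(1) in inactive and m.group(1) not in woke_up:
            woke_up.append(m.group(1))
    return new_accounts, woke_up


def file_changes(baseline, current):
    """Indicators C and E: new files, and files whose length or date changed."""
    findings = []
    for path, stat in current.items():
        if path not in baseline:
            findings.append((path, "new file"))
        elif baseline[path] != stat:
            findings.append((path, "length/date changed"))
    return findings


def privilege_changes(baseline_groups, current_groups):
    """Indicator M: members added to privileged groups since the baseline."""
    findings = []
    for group, members in current_groups.items():
        added = set(members) - set(baseline_groups.get(group, []))
        findings.extend((group, m) for m in sorted(added))
    return findings


def sweep():
    """Run every check and return the indications keyed by ASSIST symptom letter."""
    new_accounts, woke_up = account_anomalies(
        BASELINE_ACCOUNTS, CURRENT_ACCOUNTS, INACTIVE_ACCOUNTS, AUTH_LOG)
    return {
        "B": {"new_accounts": new_accounts, "inactive_now_active": woke_up},
        "C/E": file_changes(BASELINE_FILES, CURRENT_FILES),
        "K": failed_login_bursts(AUTH_LOG),
        "M": privilege_changes(BASELINE_GROUPS, CURRENT_GROUPS),
    }


def narrative(findings):
    """Format the findings as the 'narrative of indications' (paragraph 6, item I).
    Per paragraph 5 these are grounds for suspicion, not proof of an incident."""
    lines = ["INDICATIONS OBSERVED (NOT PROOF OF AN INCIDENT):"]
    for letter, items in findings.items():
        if items:
            lines.append(f"{letter}. {items}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(narrative(sweep()))
```

Each function compares a recorded baseline with the current state rather than matching signatures, which is why it surfaces the "novel or non-standard" file and the dormant account becoming active without knowing in advance what an attacker would name or use; the cost is that the baseline itself must be captured while the system is believed clean.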