How to Manage a Contamination Incident Defense Security Service Carolyn Shugart Information Technology Specialist Standards & Quality Branch.

Slides:

Advertisements

Similar presentations

Practical Application of Computer Forensics Lisa Outlaw, CISA, CISSP, ITIL Certified.

Advertisements

Transaction Journaling

Managing a “Data Spill” Corrie Velez Technical Security Orlando, Florida March 14, 2012.

1 © Jetico, Inc. Oy Military-Standard Data Protection Software Customer Challenges with Classified Data Spills.

Data Security for Healthcare Facilities Debbie Abbott Health Information Consultant Resolutions (Int) Pty Ltd.

1 For System Administrators INFORMATION INFORMATION SYSTEM SECURITY INFORMATION INFORMATION SYSTEM SECURITY.

The Ultimate Backup Solution.

DATA SECURITY Social Security Numbers, Credit Card Numbers, Bank Account Numbers, Personal Health Information, Student and/or Staff Personal Information,

ITS Offsite Workshop 2002 PolyU IT Security Policy PolyU IT/Computer Systems Security Policy (SSP) By Ken Chung Senior Computing Officer Information Technology.

COMPUTER BACKUP A disaster will happen to you one day…an accidentally deleted file, a new program that caused problems or a virus that wreaked havoc, wiping.

 When you receive a new you will be shown a highlighted in yellow box where your can be found  To open your new just double click.

Guide to Operating System Security Chapter 2 Viruses, Worms, and Malicious Software.

Barracuda Networks Confidential1 Barracuda Backup Service Integrated Local & Offsite Data Backup.

Developing a Security Policy Chapter 2. Learning Objectives Understand why a security policy is an important part of a firewall implementation Determine.

Maintaining Windows Server 2008 File Services

Information Resources and Communications University of California, Office of the President System-Wide Strategies for Achieving IT Security at the University.

Fermi Computer Incident Response Team Computer Security Awareness Day March 8, 2005 Michael Diesburg.

Security The Kingsway School. Accidental Data Loss Data can be lost or damaged by: Hardware failure such as a failed disk drive Operator error e.g. accidental.

Section Ten: Security Violations and Deviations Note: All classified markings contained within this presentation are for training purposes only.

Guide to Computer Forensics and Investigations, Second Edition

Electronic Public Record What is it, and Where Can Agency Lawyers Find It?

1 Preparing a System Security Plan. 2 Overview Define a Security Plan Pitfalls to avoid Required Documents Contents of the SSP The profile Certification.

Section Seven: Information Systems Security Note: All classified markings contained within this presentation are for training purposes only.

Security in Practice Enterprise Security. Business Continuity Ability of an organization to maintain its operations and services in the face of a disruptive.

Copyright © 2006 by The McGraw-Hill Companies, Inc. All rights reserved. McGraw-Hill Technology Education Copyright © 2006 by The McGraw-Hill Companies,

HQ Expectations of DOE Site IRBs Reporting Unanticipated Problems and Review/Approval of Projects that Use Personally Identifiable Information Libby White.

COMPUTER CARE & MAINTENANCE. Protecting Your Computer From Damage Like any kind of equipment, your computer requires care and maintenance to run smoothly.

Section Five: Security Inspections and Reviews Note: All classified markings contained within this presentation are for training purposes only.

Module 7. Data Backups  Definitions: Protection vs. Backups vs. Archiving  Why plan for and execute data backups?  Considerations  Issues/Concerns.

Maintaining File Services. Shadow Copies of Shared Folders Automatically retains copies of files on a server from specific points in time Prevents administrators.

Software Writer:-Rashedul Hasan Editor:- Jasim Uddin.

Preventing Common Causes of loss. Common Causes of Loss of Data Accidental Erasure – close a file and don’t save it, – write over the original file when.

Computer Forensics Principles and Practices

Additional Security Tools Lesson 15. Skills Matrix.

MCTS Guide to Microsoft Windows Vista Chapter 4 Managing Disks.

Module 13: Computer Investigations Introduction Digital Evidence Preserving Evidence Analysis of Digital Evidence Writing Investigative Reports Proven.

Ali Pabrai, CISSP, CSCS ecfirst, chairman & ceo Preparing for a HIPAA Security Audit.

1J. M. Kizza - Ethical And Social Issues Module 13: Computer Investigations Introduction Introduction Digital Evidence Digital Evidence Preserving Evidence.

Information Asset Classification Community of Practicerev. 10/24/2007 Information Asset Classification What it means to employees.

Forensic Procedures 1. Assess the situation and understand what type of incident or crime is to be investigated. 2. Obtain senior management approval to.

Prepared By Prepared By : VINAY ALEXANDER ( विनय अलेक्सजेंड़र ) PGT(CS),KV JHAGRAKHAND.

Storage Devices A storage device is used to store instructions, data, and information when they are not being used in memory – Magnetic disks use magnetic.

 When you receive a new you will be shown a highlighted in yellow box where your can be found  To open your new just double click.

CIT 470: Advanced Network and System AdministrationSlide #1 CIT 470: Advanced Network and System Administration Disaster Recovery.

Sample only Order at Security Awareness Training A threat awareness briefing. A defensive security briefing. An overview of the.

Chapter 5 Processing Crime and Incident Scenes Guide to Computer Forensics and Investigations Fourth Edition.

SYS364 Database Design Continued. Database Design Definitions Initial ERD’s Normalization of data Final ERD’s Database Management Database Models File.

SECURITY BRIEFING A threat awareness briefing A defensive security briefing An overview of the security classification system Employee reporting obligations.

Administrative Inquiries

Managing a “Data Spill”

COMPUTER SYSTEM TOOLS. SCANDISK MICROSOFT UTILITY PURCHASED FROM NORTON, WHICH IS NOW SYMANTEC; INCLUDED WITH MS-DOS 6.2 AND ON AS WELL AS ALL VERSIONS.

By: Julianna Leach.  PC Support Technician- They work on site and are responsible for in general maintenance.  PC Service Technician- Goes to customer.

Information Security Everyday Best Practices Lock your workstation when you walk away – Hit Ctrl + Alt + Delete Store your passwords securely and don’t.

How To Conduct An Administrative Inquiry (AI) Due To A Security Violation

Computer Forensics Tim Foley COSC 480 Nov. 17, 2006.

Information Management and the Departing Employee.

Welcome to the ICT Department Unit 3_5 Security Policies.

PROV NETWORK MEETING Linda Tolson, Corporate Records Manager 6 May, 2016.

Network and Server Basics. Learning Objectives After viewing this presentation, you will be able to: Understand the benefits of a client/server network.

WHAT ARE BACKUPS? Backups are the last line of defense against hardware failure, floods or fires the damage caused by a security breach or just accidental.

Backup and Disaster Dr Stuart Petch CeG IT/IS Manager

Blackboard Security System

Incident Reporting And Investigation Program

The Ultimate Backup Solution.

HQMC ISC BRIEF FEBRUARY 6, 2007

is not secure is not secure..

Incident Reporting And Investigation Program

HQ Expectations of DOE Site IRBs

Anatomy of a Common Cyber Attack

Presentation transcript:

How to Manage a Contamination Incident Defense Security Service Carolyn Shugart Information Technology Specialist Standards & Quality Branch

Objectives Define a compromise Define a contamination Describe the causes of a contamination Discuss preparing an ad hoc team Review steps for conducting an Administrative Inquiry Review reporting requirements Discuss cleanup considerations

What is a compromise? The disclosure of classified information to an unauthorized person SECRET

What is a contamination? When classified information is processed on a non-accredited IS OOPS

How does this happen? Change in classification level Unsecure transmission Accidental / intentional use of non-accredited equipment

How does this happen? Unaccredited System with internal hard drive Cleared employee saves to floppy A temporary file created on internal hard drive then automatically deleted. (S) Sssssssss ssssssssssss (S) Sssssssss ssssssssssss (S) Sssssssss Secret

How does this happen? Unclas Secret 1. “Track Changes” are hidden 2. Unclassified Extraction (U) Uu uuuuu uu uuuu uu. ( S) Ssss s ssss. Ssss ssss.

How does this happen? Secret Compilation creates classified (U) Uu uuuuu uu uuuu uu. ( U) Ssss s ssss. Ssss ssss.

How does this happen? S S S U

Attitudes can be a factor! u People not following the rules u Confusion u Too busy to follow the rules u Indifference u It can’t happen here u It cost too much  Everyone else does it

Before it happens, build an ad hoc team! No regular meetings SysAdmins proficient in each operating system SysAdmin proficient in system Someone proficient in RAID drives Security Rep RAID = Redundant Array of Independent Disks

Conducting an Administrative Inquiry! Investigate the loss, compromise, or suspected compromise of classified information NISPOM Para 1-303

Conduct a preliminary inquiry! Conduct immediately Identify W 5 H, determine extent “Did a loss, compromise or suspected compromise occur?” What happened? NISPOM Para 1-303a

Is there a loss, compromise, or suspected compromise? Loss: material can’t be located within a reasonable period of time Compromise: disclosure to unauthorized person(s) Suspected compromise: when disclosure can’t be reasonably precluded

Now what should be done? Assemble ad hoc team Physically isolate, protect all contaminated equipment Remove unauthorized people

What should be done? (cont.) Call your Defense Security Service (DSS) IS Rep and/or ISSP* Contact your customer, the data owner DO NOT DELETE DATA YET! * Information Systems Security Professional

DO NOT DELETE THE FILE!! “Would you take care of this for me!”

What will DSS do? Help you limit further systems from being contaminated. Work with you on sanitizing all infected systems.

What are important facts? What platforms and O/Ss are involved? Are there any remote dial-ins Are there any other network connections? At what locations was the file or received ( servers) or placed? Was the data encrypted? Was the file deleted? Is there RAID technology involved?

What about an server? What type of system is involved? Is System Administrator cleared? Ensure areas where deleted files are retained are addressed, e.g., MS Exchange’s deleted item recovery container). MS Exchange is discussed because of its widespread use. DSS does not endorse any products.

A B Forget any components? S

Follow through! Gather and review Audit Trails that are applicable –Paper –Electronic Interview all people known to be involved

And finally… Write and submit the final report (Paragraph 1-303c, NISPOM)

Follow available guidance! NISPOM AI Report Requirements (Paragraph 1-303) DSS Guidance for Conducting an AI Clearing and Sanitization Matrix

And don’t forget to Protect classified media Sanitize/clear the system components Write the report SECRET DSS

Norton Utilities “WipeInfo” ISTAC (Government Issued) Nuts & Bolts Novell’s “Data Shredder” (Novell Consulting) Sun’s “Purge” ( Part of the O/S) SGI “FX” (Part of the O/S) Unishred Pro - HP Unix and Linux Infraworks Products: Shredder and Sanitizer BCWipe Terminus Available software utilities: Note: This is a partial list of products that have enabled contamination cleanup in the past. DSS does not endorse any products.

Report suspenses! Initial - “promptly submit” (72 hours) Final - investigation is complete (15 days) NISPOM Para 1-303b,c

One last thing… Send details to government customer to include cleanup action Include hardware and operating system platforms Request they provide additional cleanup steps within 30 days

Summary What causes contaminations Possible cleanup considerations Reporting requirements NISPOM Para 8-103b,c