DOCSLIB.ORG

AR 380 19 Information Systems Security

Total Page:16

File Type:pdf, Size:1020Kb

Download full-text PDF Read full-text

Load more

Army Regulation 380–19 Security Information Systems Security Headquarters Department of the Army Washington, DC 27 February 1998 UNCLASSIFIED SUMMARY of CHANGE AR 380–19 Information Systems Security This regulation-- o Requires the use of cost-effective information systems security (ISS) measures to respond to the specific threats and vulnerabilities associated with each information system (para 1-5a). o Emphasizes the requirement to address security in all stages of system development (para 1-5e). o Provides information systems security requirements for system administrators (para 1-6d). o Removed the position/title of terminal area security officer (TASO) to comply with national policies (para 1-6). o Replaces the acronyms US1, US2, CS1, CS2, and CS3 with Unclassified Nonsensitive, Sensitive But Unclassified, Confidential, Secret, Top Secret, and Sensitive Compartmented Information Subsystem to comply with national policies (para 2-2). o Removed paragraph 2-11, ’Location and construction of a Central Computer Complex,’ because the U.S. Army has very few central computer facilities under construction and should not be included in an ISS policy regulation. o Removed paragraph 2-12, ’Mainframe computer equipment room standards,’ because the U.S. Army has very few mainframe computers remaining and should not be included in an ISS policy regulation. o Addresses security requirements for laptop, notebook, and portable information systems (para 2-11). o Provides minimum standards for generating and using passwords to control access to information systems (para 2-14). o Introduces the Land Information Warfare Activity as the Army focal point for reporting system vulnerabilities (2-27). o Updates reporting requirements for automated information system (AIS) security incidents and technical vulnerabilities (para 2-27). o Introduces the concept of site-based accreditation for the Sensitive Compartmented Information (SCI) system and an alternative to accrediting collateral systems while taking into account their interconnectivity concerns and allows other related systems to be included in a site (para 3- 11). o Introduces a warning banner for the monitoring of the Army system (para 4-1m). o Reconstructs chapter 5, Risk Management, to meet the ISS environment currently facing ISS managers. o Introduces policy and guidance for use of Government-sponsored Internet accounts (app B). o Incorporates the National Security Agency’s Manual 130-1, annex S, as requested by the Department of the Army Inspector General, to address clearing, purging, declassifying , and destroying magnetic media (app F). o Provides an Army Management Control Process for administration of the Army Information System Security Program (app C). Headquarters *Army Regulation 380–19 Department of the Army Washington, DC 27 February 1998 Effective 27 March 1998 Security Information Systems Security and Department of Defense (DOD) guidance C o n t r o l , C o m m u n i c a t i o n s , a n d C o m p u t e r s . contained in DOD directives governing secu- The proponent has the authority to approve rity for information in an electronic form, exceptions to this regulation that have re- including DOD Directives 5200.28, 5200.5, ceived a legal review to ensure that the ex- and 5200.19 (when used in conjunction with ception is consistent with controlling law and AR 381–14). It also provides the Army’s im- regulation. The proponent may delegate the plementation of sections 1 through 8, Act of approval authority, in writing, to a division 8 January 1988, Public Law (PL) 100–235, c h i e f w i t h i n t h e p r o p o n e n t a g e n c y i n t h e U . S . S t a t u t e ( S t a t ) 1 0 1 , p p . 1 , 7 2 4 – 1 , 7 3 0 , grade of colonel or the civilian equivalent. cited as the Computer Security Act of 1987. This regulation designates ISS as the security A r m y m a n a g e m e n t c o n t r o l p r o c e s s . discipline that encompasses communications This regulation contains management control s e c u r i t y ( C O M S E C ) , c o m p u t e r s e c u r i t y p r o v i s i o n s a n d i d e n t i f i e s k e y m a n a g e m e n t (COMPUSEC). It defines the Army Informa- controls that must be evaluated. tion Systems Security Program (AISSP) and prescribes a structure for implementing that Supplementation. Major commands may H i s t o r y . T h i s i s a r e v i s i o n . B e c a u s e t h e p r o g r a m . T h i s r e g u l a t i o n p r o v i d e s s p e c i f i c supplement this regulation. Copies of all sup- publication has been extensively revised, the policy on accreditation of AIS and networks. plements must be forwarded to Director of changed parts have not been highlighted. It also provides minimum security standards Information Systems for Command, Control, Summary. This publication introduces the for transmitting classified and sensitive un- C o m m u n i c a t i o n s , a n d C o m p u t e r s concept of site-based accreditation, provides classified information. (SAIS–PAC), 107 Army Pentagon, Washing- new security policies for the use of laptop Applicability. This regulation applies to the t o n , D C 2 0 3 1 0 – 1 0 7 , f o r c o n c u r r e n c e a n d and small deployable computers and for the Active Army, the Army National Guard of legal review prior to implementation. use of the Internet and Homepages, and is- the U.S. (ARNGUS), and the United States sues minimum requirements for degaussing, Army Reserve (USAR). It applies to contrac- Suggested Improvements. Users are in- declassifying, and downgrading of informa- tors who operate Government-owned or con- vited to send comments and suggested im- tion and media. This regulation is an update t r a c t o r - o w n e d , A I S t h a t p r o c e s s o r s t o r e p r o v e m e n t s o n D A F o r m 2 0 2 8 to meet changing information system security Army information. Contractors who process (Recommended Changes to Publications and (ISS) policies and directives for all Army au- Sensitive But Unclassified (SBU) information Blank Forms) directly to Director of Informa- tomated information systems (AIS); it imple- o n c o n t r a c t o r - o w n e d A I S a r e g o v e r n e d b y tion Systems for Command, Control, Com- ment the transition to site-based accreditation this regulation if specified in the contractual m u n i c a t i o n s a n d C o m p u t e r s ( S A I S – P A C ) , (SBA) concepts and requirements for those requirements or if they connect to an installa- 1 0 7 A r m y P e n t a g o n , W a s h i n g t o n , D C Army intelligence systems subject to Defense tion AIS/network system. All of the above 20310–107. Intelligence Agency (DIA) or National Secu- must comply with sections 1 through 8, Act rity Agency (NSA) directives derived from of 8 January 1988, PL 100–235, 101 Stat 1, Distribution. Distribution of this publica- D i r e c t o r , C e n t r a l I n t e l l i g e n c e , D i r e c t i v e 724–1,730. During mobilization, deployment, tion is made in accordance with initial distri- (DCID) 1/16. This regulation implements the o r n a t i o n a l e m e r g e n c y , t h i s r e g u l a t i o n bution number (IDN) 095066, intended for ISS portion of the Command and Control remains in effect without change. command levels B, C, D, and E of the Active Protect (C2 Protect) component of the Ar- Proponent and exception authority. Ef- Army, Army National Guard of the U.S., and my’s Information Operations Program as de- fective 1 January 1997, the proponency of U.S. Army Reserve and Government contrac- fined in Field Manual (FM) 100–6 and AR this regulation has been transferred to the Di- tors. 525–20. This regulation implements national rector of Information Systems for Command, Contents (Listed by paragraph and page number) U.S. Army Information Systems Security Program • 1–6, page 4 Chapter 1 Chapter 2 Introduction, page 1 Computer Security, page 6 Purpose • 1–1, page 1 References • 1–2, page 1 Section I Explanation of abbreviations and terms • 1–3, page 1 General Policy, page 6 Responsibilities • 1–4, page 1 Overview • 2–1, page 6 Security-related requirements • 1–5, page 4 *This regulation supersedes AR 380–19, 1 August 1990.
Recommended publications
  • Getting to Grips with Unix and the Linux Family

    Getting to Grips with Unix and the Linux Family

    Getting to grips with Unix and the Linux family David Chiappini, Giulio Pasqualetti, Tommaso Redaelli Torino, International Conference of Physics Students August 10, 2017 According to the booklet At this end of this session, you can expect: • To have an overview of the history of computer science • To understand the general functioning and similarities of Unix-like systems • To be able to distinguish the features of different Linux distributions • To be able to use basic Linux commands • To know how to build your own operating system • To hack the NSA • To produce the worst software bug EVER According to the booklet update At this end of this session, you can expect: • To have an overview of the history of computer science • To understand the general functioning and similarities of Unix-like systems • To be able to distinguish the features of different Linux distributions • To be able to use basic Linux commands • To know how to build your own operating system • To hack the NSA • To produce the worst software bug EVER A first data analysis with the shell, sed & awk an interactive workshop 1 at the beginning, there was UNIX... 2 ...then there was GNU 3 getting hands dirty common commands wait till you see piping 4 regular expressions 5 sed 6 awk 7 challenge time What's UNIX • Bell Labs was a really cool place to be in the 60s-70s • UNIX was a OS developed by Bell labs • they used C, which was also developed there • UNIX became the de facto standard on how to make an OS UNIX Philosophy • Write programs that do one thing and do it well.
  • NSA Security-Enhanced Linux (Selinux)

    NSA Security-Enhanced Linux (Selinux)

    Integrating Flexible Support for Security Policies into the Linux Operating System http://www.nsa.gov/selinux Stephen D. Smalley [email protected] Information Assurance Research Group National Security Agency ■ Information Assurance Research Group ■ 1 Outline · Motivation and Background · What SELinux Provides · SELinux Status and Adoption · Ongoing and Future Development ■ Information Assurance Research Group ■ 2 Why Secure the Operating System? · Information attacks don't require a corrupt user. · Applications can be circumvented. · Must process in the clear. · Network is too far. · Hardware is too close. · End system security requires a secure OS. · Secure end-to-end transactions requires secure end systems. ■ Information Assurance Research Group ■ 3 Mandatory Access Control · A ªmissing linkº of security in current operating systems. · Defined by three major properties: ± Administratively-defined security policy. ± Control over all subjects (processes) and objects. ± Decisions based on all security-relevant information. ■ Information Assurance Research Group ■ 4 Discretionary Access Control · Existing access control mechanism of current OSes. · Limited to user identity / ownership. · Vulnerable to malicious or flawed software. · Subject to every user©s discretion (or whim). · Only distinguishes admin vs. non-admin for users. · Only supports coarse-grained privileges for programs. · Unbounded privilege escalation. ■ Information Assurance Research Group ■ 5 What can MAC offer? · Strong separation of security domains · System, application, and data integrity · Ability to limit program privileges · Processing pipeline guarantees · Authorization limits for legitimate users ■ Information Assurance Research Group ■ 6 MAC Implementation Issues · Must overcome limitations of traditional MAC ± More than just Multi-Level Security / BLP · Policy flexibility required ± One size does not fit all! · Maximize security transparency ± Compatibility for applications and existing usage.
  • An Access Control Model for Preventing Virtual Machine Escape Attack

    An Access Control Model for Preventing Virtual Machine Escape Attack

    future internet Article An Access Control Model for Preventing Virtual Machine Escape Attack Jiang Wu ,*, Zhou Lei, Shengbo Chen and Wenfeng Shen School of Computer Engineering and Science, Shanghai University, Shanghai 200444, China; [email protected] (Z.L.); [email protected] (S.C.); [email protected] (W.S.) * Correspondence: [email protected]; Tel: +86-185-0174-6348 Academic Editor: Luis Javier Garcia Villalba Received: 26 March 2017; Accepted: 23 May 2017; Published: 2 June 2017 Abstract: With the rapid development of Internet, the traditional computing environment is making a big migration to the cloud-computing environment. However, cloud computing introduces a set of new security problems. Aiming at the virtual machine (VM) escape attack, we study the traditional attack model and attack scenarios in the cloud-computing environment. In addition, we propose an access control model that can prevent virtual machine escape (PVME) by adapting the BLP (Bell-La Padula) model (an access control model developed by D. Bell and J. LaPadula). Finally, the PVME model has been implemented on full virtualization architecture. The experimental results show that the PVME module can effectively prevent virtual machine escape while only incurring 4% to 8% time overhead. Keywords: virtual security; virtual machine escape; access control; BLP model; PVME model 1. Introduction Cloud computing treats IT resources, data and applications as a service provided to the user through network, which is a change in the way of how data is modeled. Currently, the world’s leading IT companies have developed and published their own cloud strategies, such as Google, Amazon, and IBM.
  • Linking + Libraries

    Linking + Libraries

    LinkingLinking ● Last stage in building a program PRE- COMPILATION ASSEMBLY LINKING PROCESSING ● Combining separate code into one executable ● Linking done by the Linker ● ld in Unix ● a.k.a. “link-editor” or “loader” ● Often transparent (gcc can do it all for you) 1 LinkingLinking involves...involves... ● Combining several object modules (the .o files corresponding to .c files) into one file ● Resolving external references to variables and functions ● Producing an executable file (if no errors) file1.c file1.o file2.c gcc file2.o Linker Executable fileN.c fileN.o Header files External references 2 LinkingLinking withwith ExternalExternal ReferencesReferences file1.c file2.c int count; #include <stdio.h> void display(void); Compiler extern int count; int main(void) void display(void) { file1.o file2.o { count = 10; with placeholders printf(“%d”,count); display(); } return 0; Linker } ● file1.o has placeholder for display() ● file2.o has placeholder for count ● object modules are relocatable ● addresses are relative offsets from top of file 3 LibrariesLibraries ● Definition: ● a file containing functions that can be referenced externally by a C program ● Purpose: ● easy access to functions used repeatedly ● promote code modularity and re-use ● reduce source and executable file size 4 LibrariesLibraries ● Static (Archive) ● libname.a on Unix; name.lib on DOS/Windows ● Only modules with referenced code linked when compiling ● unlike .o files ● Linker copies function from library into executable file ● Update to library requires recompiling program 5 LibrariesLibraries ● Dynamic (Shared Object or Dynamic Link Library) ● libname.so on Unix; name.dll on DOS/Windows ● Referenced code not copied into executable ● Loaded in memory at run time ● Smaller executable size ● Can update library without recompiling program ● Drawback: slightly slower program startup 6 LibrariesLibraries ● Linking a static library libpepsi.a /* crave source file */ … gcc ..
  • AR400 User Guide 2.7.1

    AR400 User Guide 2.7.1

    AR400 SERIES User Guide Software Release 2.7.1 AR410 AR440S AR441S AR450S AR400 Series Router User Guide for Software Release 2.7.1 Document Number C613-02021-00 REV F. Copyright © 2004 Allied Telesyn International Corp. 19800 North Creek Parkway, Suite 200, Bothell, WA 98011, USA. All rights reserved. No part of this publication may be reproduced without prior written permission from Allied Telesyn. Allied Telesyn International Corp. reserves the right to make changes in specifications and other information contained in this document without prior written notice. The information provided herein is subject to change without notice. In no event shall Allied Telesyn be liable for any incidental, special, indirect, or consequential damages whatsoever, including but not limited to lost profits, arising out of or related to this manual or the information contained herein, even if Allied Telesyn has been advised of, known, or should have known, the possibility of such damages. All trademarks are the property of their respective owner. Contents CHAPTER 1 Introduction Why Read this User Guide? ............................................................................... 7 Where To Find More Information ...................................................................... 8 The Documentation Set .............................................................................. 8 Technical support .............................................................................................. 9 Features of the Router .....................................................................................
  • The Linux Command Line

    The Linux Command Line

    The Linux Command Line Fifth Internet Edition William Shotts A LinuxCommand.org Book Copyright ©2008-2019, William E. Shotts, Jr. This work is licensed under the Creative Commons Attribution-Noncommercial-No De- rivative Works 3.0 United States License. To view a copy of this license, visit the link above or send a letter to Creative Commons, PO Box 1866, Mountain View, CA 94042. A version of this book is also available in printed form, published by No Starch Press. Copies may be purchased wherever fine books are sold. No Starch Press also offers elec- tronic formats for popular e-readers. They can be reached at: https://www.nostarch.com. Linux® is the registered trademark of Linus Torvalds. All other trademarks belong to their respective owners. This book is part of the LinuxCommand.org project, a site for Linux education and advo- cacy devoted to helping users of legacy operating systems migrate into the future. You may contact the LinuxCommand.org project at http://linuxcommand.org. Release History Version Date Description 19.01A January 28, 2019 Fifth Internet Edition (Corrected TOC) 19.01 January 17, 2019 Fifth Internet Edition. 17.10 October 19, 2017 Fourth Internet Edition. 16.07 July 28, 2016 Third Internet Edition. 13.07 July 6, 2013 Second Internet Edition. 09.12 December 14, 2009 First Internet Edition. Table of Contents Introduction....................................................................................................xvi Why Use the Command Line?......................................................................................xvi
  • Multilevel Security (MLS)

    Multilevel Security (MLS)

    Multilevel Security (MLS) Database Security and Auditing Multilevel Security (MLS) Definition and need for MLS – Security Classification – Secrecy-Based Mandatory Policies: Bell- LaPadula Model – Integrity-based Mandatory Policies: The Biba Model – Limitation of Mandatory Policies Hybrid Policies – The Chinese Wall Policy Definition and need for MLS Multilevel security involves a database in which the data stored has an associated classification and consequently constraints for their access MLS allows users with different classification levels to get different views from the same data MLS cannot allow downward leaking, meaning that a user with a lower classification views data stored with a higher classification Definition and need for MLS Usually multilevel systems are with the federal government Some private systems also have multilevel security needs MLS relation is split into several single-level relations, A recovery algorithm reconstructs the MLS relation from the decomposed single-level relations At times MLS updates cannot be completed because it would result in leakage or destruction of secret information Definition and need for MLS In relational model, relations are tables and relations consist of tuples (rows) and attributes (columns) Example: Consider the relation SOD(Starship, Objective, Destination) Starship Objective Destination Enterprise Exploration Talos Voyager Spying Mars Definition and need for MLS The relation in the example has no classification associated with it in a relational model The same example in MLS with
  • Multilevel Adaptive Security System

    Multilevel Adaptive Security System

    Copyright Warning & Restrictions The copyright law of the United States (Title 17, United States Code) governs the making of photocopies or other reproductions of copyrighted material. Under certain conditions specified in the law, libraries and archives are authorized to furnish a photocopy or other reproduction. One of these specified conditions is that the photocopy or reproduction is not to be “used for any purpose other than private study, scholarship, or research.” If a, user makes a request for, or later uses, a photocopy or reproduction for purposes in excess of “fair use” that user may be liable for copyright infringement, This institution reserves the right to refuse to accept a copying order if, in its judgment, fulfillment of the order would involve violation of copyright law. Please Note: The author retains the copyright while the New Jersey Institute of Technology reserves the right to distribute this thesis or dissertation Printing note: If you do not wish to print this page, then select “Pages from: first page # to: last page #” on the print dialog screen The Van Houten library has removed some of the personal information and all signatures from the approval page and biographical sketches of theses and dissertations in order to protect the identity of NJIT graduates and faculty. ABSTRACT MULTILEVEL ADAPTIVE SECURITY SYSTEM by Hongwei Li Recent trends show increased demand for content-rich media such as images, videos and text in ad-hoc communication. Since such content often tends to be private, sensitive, or paid for, there exists a requirement for securing such information over resource constrained ad hoc networks.
  • Looking Back: Addendum

    Looking Back: Addendum

    Looking Back: Addendum David Elliott Bell Abstract business environment produced by Steve Walker’s Com- puter Security Initiative.3 The picture of computer and network security painted in What we needed then and what we need now are “self- my 2005 ACSAC paper was bleak. I learned at the con- less acts of security” that lead to strong, secure commercial ference that the situation is even bleaker than it seemed. products.4 Market-driven self-interest does not result in al- We connect our most sensitive networks to less-secure net- truistic product decisions. Commercial and government ac- works using low-security products, creating high-value tar- quisitions with tight deadlines are the wrong place to ex- gets that are extremely vulnerable to sophisticated attack or pect broad-reaching initiatives for the common good. Gov- subversion. Only systems of the highest security are suffi- ernment must champion selfless acts of security separately cient to thwart such attacks and subversions. The environ- from acquisitions. ment for commercial security products can be made healthy again. 3 NSA Has the Mission In 1981, the Computer Security Evaluation Center was 1 Introduction established at the National Security Agency (NSA). It was charged with publishing technical standards for evaluating In the preparation of a recent ACSAC paper [1], I con- trusted computer systems, with evaluating commercial and firmed my opinion that computer and network security is in GOTS products, and with maintaining an Evaluated Prod- sad shape. I also made the editorial decision to soft-pedal ucts List (EPL) of products successfully evaluated. NSA criticism of my alma mater, the National Security Agency.
  • BASIC UNIX COMMANDS FILES and DIRECTORIES All Information Is Stored in files

    BASIC UNIX COMMANDS FILES and DIRECTORIES All Information Is Stored in files

    BASIC UNIX COMMANDS FILES AND DIRECTORIES All information is stored in files. File names and COMMANDS commands are case sensitive. Case matters. Files Commands are what you type at the prompt. Com- are contained in directories. You start out in your mands have arguments on which they operate. For own home directory, and your prompt usually tells example, in rm temp, the command is rm and the ar- its name. At any given time, one of these directories gument is temp; this command removes the file called is your working directory, the one you are in. temp. Here I put arguments in UPPER CASE. Thus, You can refer to files in your working directory by words such as FILE are taken to stand for some other just their names. You can refer to a file that is in a word, such as temp. In the following list, I use [ ] for subdirectory by giving a subdirectory name, a slash, optional arguments that are not typicaly used. and the file name, e.g., Mail/baron. You can refer to Commands have options that are controlled with any file on the computer by giving its full name, start- switches, which are usually letters following a single ing with a slash, such as /home7/b/baron/mbox. dash. Usually you can write several letters after one dash. For example ls -l lists files in a long format, If the file is a program, typing its name will run it. with more information. ls -a lists all the files, in- (That is what commands do.) If the program is some- cluding those that begin with ., which are usually thing you have just written and is in the director you files used by various programs.
  • Zypper Cheat Sheet Or Type M an Zypper on a Terminal

    Zypper Cheat Sheet Or Type M an Zypper on a Terminal

    More Information: Page 1 Zypper Cheat Sheet https://en.opensuse.org/SDB:Zypper_usage or type m an zypper on a terminal For Zypper version 1.0.9 Package Management Source Packages and Build Dependencies Basic Help Selecting Packages zypper source-install or zypper si Examples: zypper #list the available global options and commands By capability name: zypper si zypper zypper help [command] #Print help for a specific command zypper in 'perl(Log::Log4perl)' Install only the source package zypper shell or zypper sh #Open a zypper shell session zypper in qt zypper in -D zypper By capability name and/or architecture and/or version Install only the build dependencies zypper in 'zypper<0.12.10' Repository Management zypper in -d zypper zypper in zypper.i586=0.12.11 Listing Defined Repositories By exact package name (--name) Updating Packages zypper in -n ftp zypper repos or zypper lr By exact package name and repository (implies --name) zypper update or zypper up Examples: zypper in factory:zypper Examples: zypper lr -u #include repo URI on the table By package name using wildcards zypper up #update all installed packages zypper lr -P #include repo priority and sort by it zypper in yast*ftp* with newer version as far as possible By specifying a .rpm file to install zypper up libzypp zypper #update libzypp Refreshing Repositories zypper in skype-2.0.0.72-suse.i586.rpm and zypper zypper refresh or zypper ref zypper in sqlite3 #update sqlite3 or install Installing Packages Examples: if not yet installed zypper ref packman main #specify repos to be
  • APPENDIX a Aegis and Unix Commands

    APPENDIX a Aegis and Unix Commands

    APPENDIX A Aegis and Unix Commands FUNCTION AEGIS BSD4.2 SYSS ACCESS CONTROL AND SECURITY change file protection modes edacl chmod chmod change group edacl chgrp chgrp change owner edacl chown chown change password chpass passwd passwd print user + group ids pst, lusr groups id +names set file-creation mode mask edacl, umask umask umask show current permissions acl -all Is -I Is -I DIRECTORY CONTROL create a directory crd mkdir mkdir compare two directories cmt diff dircmp delete a directory (empty) dlt rmdir rmdir delete a directory (not empty) dlt rm -r rm -r list contents of a directory ld Is -I Is -I move up one directory wd \ cd .. cd .. or wd .. move up two directories wd \\ cd . ./ .. cd . ./ .. print working directory wd pwd pwd set to network root wd II cd II cd II set working directory wd cd cd set working directory home wd- cd cd show naming directory nd printenv echo $HOME $HOME FILE CONTROL change format of text file chpat newform compare two files emf cmp cmp concatenate a file catf cat cat copy a file cpf cp cp Using and Administering an Apollo Network 265 copy std input to std output tee tee tee + files create a (symbolic) link crl In -s In -s delete a file dlf rm rm maintain an archive a ref ar ar move a file mvf mv mv dump a file dmpf od od print checksum and block- salvol -a sum sum -count of file rename a file chn mv mv search a file for a pattern fpat grep grep search or reject lines cmsrf comm comm common to 2 sorted files translate characters tic tr tr SHELL SCRIPT TOOLS condition evaluation tools existf test test