ML20097F502

Controlling Computer Threats. Threat Awareness
ML20097F502
Person / Time
Issue date: 01/31/1996
From:
NRC OFFICE OF INFORMATION RESOURCES MANAGEMENT (IRM)
To:
References
NUREG-BR-0190, NUREG-BR-190, NUDOCS 9602160085
Download: ML20097F502 (39)


Text


U.S. Nuclear Regulatory Commission 4


Introduction

This document presents U.S. Nuclear Regulatory Commission (NRC) employees with scenarios of various threats to the local area network (LAN) and microcomputer workstations. Risk assessments and other NRC activities have yielded information on possible environmental threats and system vulnerabilities. The resulting threat scenarios contained in this booklet represent basic threats that could happen at NRC if proper policies and procedures are not followed, or if proper controls are not used correctly.

A threat can be any person, object, or event that could cause damage to a system. Threats can be malicious, such as the intentional modification of sensitive information, or can be accidental, such as an error in a calculation or the accidental deletion of a file. Threats can also be acts of nature, such as flood, wind, or lightning.

One of the overriding vulnerabilities in any system is the lack of user awareness regarding the types and consequences of threats. Although users may understand the need for maintaining confidentiality and integrity of information, they may not be familiar enough with the technology to recognize what can happen to compromise the information they are trying to protect.

The NRC recognizes the importance of ensuring that users identify and understand the various threats that could result in serious damage to the systems, programs, and information they need to fulfill the NRC mission. The threat scenarios presented herein will enable them to recognize areas of vulnerability within their own computer environments.

The conclusions drawn from these threat scenarios are as follows:

Although the possibility of outsiders gaining access to these systems does pose a risk, the risk that insiders could do damage is higher.

The risk from insiders is higher because the physical controls at the various NRC sites restrict outsiders from entering the sites.

The insider threat may not result from malicious intent, but more likely from errors in the use of security controls. These errors would most likely be caused in part by a lack of understanding of these controls. Eliminating errors in the use of security controls has become critical since most users are connected to the LAN.

Unauthorized access is caused by poor password choice

An intruder gained physical access to the LAN by using a microcomputer that did not have an access control mechanism (e.g., power-on password or access control software) and was connected to the LAN. The intruder was familiar with the names of certain employees who use this system. The intruder tried each name as a username and each birth date as a password. The intruder gained access to the LAN through a user account in which the user had chosen his birth date as a password.

Helpful Hint: NRC's LAN software requires users to change their passwords periodically. It does not, however, prevent users from using personal data for passwords. Therefore, users should avoid using easily guessed personal data for passwords.
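The gap this hint describes (password changes are enforced, personal data is not screened) can be closed with a check at password-change time. The following is an added example, not NRC's LAN software or code from the booklet; the function names, the user record fields and the sample user are hypothetical and constructed for illustration.

```python
import re
from datetime import date

# Two substitution tables because "1" and "!" can stand in for "i" or "l".
# A password mixing both readings in one word is not covered by this sketch.
SUBSTITUTIONS = [
    str.maketrans("013457@$!", "oieastasi"),
    str.maketrans("013457@$!", "oleastasl"),
]


def letter_forms(password):
    """Letter-only readings of the password with common substitutions undone."""
    lowered = password.lower()
    return {re.sub(r"[^a-z]", "", lowered.translate(t)) for t in SUBSTITUTIONS}


def date_variants(d):
    """Digit strings a birth date commonly becomes when typed as a password."""
    y4, y2 = f"{d.year:04d}", f"{d.year % 100:02d}"
    mm, dd = f"{d.month:02d}", f"{d.day:02d}"
    variants = {y4}  # the bare four-digit birth year is also rejected
    for yy in (y4, y2):
        variants |= {mm + dd + yy, dd + mm + yy, yy + mm + dd}
    return variants


def personal_data_findings(password, user):
    """Return the reasons a candidate password is tied to the user's own data."""
    findings = []
    forms = letter_forms(password)
    for field in ("username", "first_name", "last_name"):
        token = re.sub(r"[^a-z]", "", user[field].lower())
        if len(token) < 3:
            continue  # very short tokens would match almost anything
        # Check the name forwards and reversed in every letter-only reading.
        if any(token in f or token[::-1] in f for f in forms):
            findings.append(f"contains {field}")
    # Separators such as "/" or "-" are dropped so 07/04/1961 is still caught.
    digits = re.sub(r"\D", "", password)
    if any(v in digits for v in date_variants(user["birth_date"])):
        findings.append("contains birth date")
    return findings


# Constructed sample record; a real check would read the directory entry.
SAMPLE_USER = {
    "username": "jsmith",
    "first_name": "Jordan",
    "last_name": "Smith",
    "birth_date": date(1961, 7, 4),
}

if __name__ == "__main__":
    for candidate in ("07041961", "Sm1th!2024", "nadroJ-61", "copper-Lantern-82"):
        print(candidate, personal_data_findings(candidate, SAMPLE_USER) or "accepted")
```

An empty list means the candidate passed this screen only; length and dictionary checks are separate controls.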


An unauthorized and undetected modification is made to a report

The manager was collaborating with other managers on a report. The report was to be released the next day. The managers were using the file-sharing feature of the LAN operating system and appreciated its benefits. However, none of them attended the recommended training classes and did not understand how the access control mechanism of the LAN worked. Each manager could access the file containing the report because it was stored on a shared network drive that all users of the server could access. Unfortunately, one of the staff members realized this and modified the report just before it was printed in final form and sent to higher management. The changes the staff member made were not complimentary to the managers.

Helpful Hint: Users of NRC's LANs can store files on network drives set up for individual, group, and server-wide use. However, the user is responsible for placing files on the appropriate drive(s).


Electronic mail message is unauthorized

Most LAN users do not realize that electronic mail messages cannot always be trusted as genuine. A message that one manager received from another manager relayed a rumor of an impending major reorganization in which management positions might be eliminated. The manager who received the message fretted about this information but did not discuss it with the sender for one week. When the manager did discuss it with the sender, he learned that the sender did not know about the rumor and had never sent the message.

Helpful Hint: Before leaving your workstation, always log off, lock the keyboard, or use the Windows or other screen saver with a built-in password feature to prevent other people from waking up your screen to ensure that someone doesn't use your unattended workstation to "spoof" (make unauthorized use of your system to mislead a recipient) another user or send messages in your name.

[Illustration: Local Area Network]

Processing capability is lost as a result of lack of application software backups

A working group purchased a new database package that allowed them to simultaneously create, modify, and access the information of the working group. The working group installed the database package in their shared directory on the LAN. The database software enabled the working group to make noticeable improvements in their productivity. When a new hire followed the instructions to access the database, he made an error and accidentally destroyed the database software. The user who had installed the database recently left the organization and took all her software with her. She mistakenly took the database software. No other member of the working group had made a backup copy of the software.

Helpful Hint: User organizations should remember to make and retain copies of software they acquire and support as well as data files.


Intruders posing as LAN administrators lead users to compromise authentication information

A LAN user received a telephone call from someone claiming to be a LAN administrator. The administrator explained that there were problems with the authentication mechanism of the user's server and requested that the user change her password to SPOOF. The user was asked to log into the server using the new password so that the administrator could monitor the login session of the user from an outside port. The user did not realize that what the administrator was explaining was rather farfetched. The administrator asked the user to continue using the new password for a few days so that the administrator could continue diagnostic work. The server audit logs later revealed that sensitive files were accessed from the user's account during times the user was not in the office.

Helpful Hint: NRC LAN administrators do not need to ask users to change their passwords. Any such request should be immediately reported to the Office of Information Resources Management (IRM) Customer Support Center and NRC Computer Security.


Account sharing leads to unauthorized use

Two staff members were temporarily working on the same project and collaborating on a report. Each staff member was supposed to incorporate data from his or her primary areas of responsibility. One of these staff members was able to access, using his user account, more of the information needed to finish the report. The other staff member could not access this information, even temporarily, because of her other duties. To hasten the completion of the report, each staff member allowed the other to use his or her account. This agreement allowed both staff members to access all the information necessary to complete the report. However, one of the staff members was a curious system user and began to look at other files accessible from this user account. The curious system user also began to execute programs available to the other user. One of the programs that the curious user ran caused an update to be made of a file. Unfortunately, necessary backups were not done on the file in its previous state, and important information was lost.

Helpful Hint: Accounts should never be shared, even temporarily. Any problems that result are the sole responsibility of the account owner.


Unauthorized use results from unattended workstation

The audit log of a particular system showed that a specific user accessed a sensitive file at 12:30 p.m. on a Monday. At the noted time, the user was attending the retirement luncheon of a colleague. However, the audit log did not show that the user logged off the system to leave the area to attend the luncheon. An intruder used the unattended workstation and account to access the file. The user of the account was held responsible for the compromise of the file. The system also had to be reviewed to discover any other compromises that may have resulted from the intruder's access.

Helpful Hint: Before leaving your workstation, always log off, lock the keyboard, or use the Windows or other screen saver with a built-in password feature to prevent other people from waking up your screen to ensure that someone doesn't use your unattended workstation in an unauthorized manner.
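Both this scenario and the earlier one about the caller posing as a LAN administrator were uncovered the same way: the audit log showed sensitive files opened from an account while its owner was elsewhere. The following added example (not code from the booklet or from any NRC system) correlates audit events with known absences and separates a session left open from a fresh login during the absence. The log format, the absence records and the `/sensitive/` path prefix are hypothetical, constructed for illustration.

```python
from datetime import datetime

# Constructed sample data in a hypothetical "time user event target" format.
AUDIT_LOG = """\
1996-01-08T08:55 lhall LOGIN ws-114
1996-01-08T12:30 lhall OPEN /sensitive/budget.doc
1996-01-08T13:40 lhall LOGOUT ws-114
1996-01-09T09:02 mreed LOGIN ws-201
1996-01-09T09:10 mreed OPEN /shared/minutes.doc
1996-01-09T17:01 mreed LOGOUT ws-201
1996-01-10T19:45 mreed LOGIN port-7
1996-01-10T19:47 mreed OPEN /sensitive/contract.doc
1996-01-10T19:58 mreed LOGOUT port-7
"""

# (user, start, end): hypothetical records from a leave or meeting calendar.
ABSENCES = [
    ("lhall", "1996-01-08T12:00", "1996-01-08T13:30"),
    ("mreed", "1996-01-10T17:00", "1996-01-11T08:00"),
]
SENSITIVE_PREFIX = "/sensitive/"


def parse(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M")


def find_suspect_access(log_text, absences, prefix=SENSITIVE_PREFIX):
    """Flag sensitive-file opens that fall inside the account owner's absence."""
    windows = {}
    for user, start, end in absences:
        windows.setdefault(user, []).append((parse(start), parse(end)))

    session_start = {}  # user -> login time of the currently open session
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, user, event, target = line.split(maxsplit=3)
        when = parse(ts)
        if event == "LOGIN":
            session_start[user] = when
        elif event == "LOGOUT":
            session_start.pop(user, None)
        elif event == "OPEN" and target.startswith(prefix):
            for start, end in windows.get(user, []):
                if not (start <= when <= end):
                    continue
                login = session_start.get(user)
                if login is None:
                    kind = "no session on record"
                elif login < start:
                    # Owner logged in, then left without logging off.
                    kind = "session left open"
                else:
                    # Someone authenticated as the owner while they were away.
                    kind = "login during absence"
                findings.append((ts, user, target, kind))
                break
    return findings


if __name__ == "__main__":
    for finding in find_suspect_access(AUDIT_LOG, ABSENCES):
        print(*finding, sep="  ")
```

A "session left open" finding points at workstation locking; a "login during absence" finding points at a disclosed or guessed password and calls for a password reset and a wider review of the account.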


Passwords are captured by spoofing the login sequence

One morning, each user of a particular system failed on his or her first attempt to log in. None of the users mentioned the failure to anyone else because failing a login occasionally is not unusual. The users did not realize that they were not using the legitimate login program executed by the operating system. Instead, the first (false) login screen was from a trojan horse program that merely prompted the user for username and password, recorded this information when typed by the user, issued a failed login attempt error message, and then allowed the legitimate login program to run, displaying the second (true) login screen.

Helpful Hint: Report suspicious or peculiar system behavior to the IRM Customer Support Center.


An individual gains access posing as an authorized support person

Most of the office space in NRC buildings consists of open workstations, with the NRC employees separated by office partitions. A staff member in one of these areas had been using a word processing program to write a sensitive report. The staff member was to be out of the office for the next 3 days at a training workshop. While the staff member was away, an individual claiming to be an NRC microcomputer support person was questioned by NRC personnel working near the staff member who was away. However, the stranger convinced the other staff members that he was supposed to take the microcomputer out of the office for maintenance and would have it returned when the staff member finished his training. The other NRC employees allowed the microcomputer to be removed. The individual was never seen again, the computer was found in an empty office located in another building, and the information contained in the sensitive report was made public.

Helpful Hint: All NRC microcomputer support personnel have contractor badges and will display them upon request. When a technician reports to perform maintenance at a Headquarters location, he or she should present an IRM Customer Support Center ticket or similar request-for-service document. Most repairs to NRC microcomputers are made at the location of the computer and do not require the removal of the computer. Any variance should be reported to the IRM Customer Support Center. Also remember that files containing sensitive data should be kept on removable storage media (e.g., microdiskettes) which can be properly secured.


Information is compromised because of lack of file protection

A manager wrote the performance evaluations of staff members using the word processing software on a microcomputer. The manager had no protection on the microcomputer. A staff member who was installing an upgrade to the manager's microcomputer viewed the evaluations and informed the other staff members about what he learned concerning each of them.

Helpful Hint: Sensitive information such as performance evaluations should be protected by storing the data off line on diskettes or other removable storage media, using the password and file-locking functions of the word processing software, or encrypting the information.

[Illustration: User Microcomputer Workstation]

Compromise results from viewing monitor screens and paper output

An NRC manager was nominating one of her staff members for an award. She gave the application forms and justification memorandum to her secretary to integrate into a final package. While the secretary was editing the award application information on her microcomputer, another staff member entered the work area. While they were conversing, he glanced at the secretary's microcomputer monitor screen. The information on the screen was clearly visible because the screen was directly in the field of vision of anyone standing in the reception area of the secretary's office. The staff member noticed the award application, became upset about the nomination, and informed other staff members, who were also unhappy with the decision. The manager did not want this information relayed to the staff in such a manner. This situation could have been avoided if the secretary's monitor screen had not been visible from the high-traffic area.

Helpful Hint: Managers should work with the Office of Administration to ensure that sensitive information displayed on workstation screens is not readily visible to a passerby.


Unauthorized modification is made because of a lack of file protection

An NRC program reviewer prepared a report showing that an NRC program was not effective. The report was stored on the microcomputer of the program reviewer. The manager of that program thought that the report did not accurately reflect the results of the program and did not indicate possible positive outcomes. The program manager entered the office of the reviewer, opened the computer file containing the report, and changed the report to include more favorable comments about the program. The program reviewer printed a final copy of the report and, not noticing the changes made by the program manager, sent it to the appropriate people within NRC.

Helpful Hint: Sensitive information should be well protected by the information owner, or the person responsible for it. Options for protecting sensitive information include the physical protection of the machine (e.g., use of login passwords), physical protection of the disk or diskette used to store the information, use of the password and file-locking function of the word processing software, or use of encryption or other appropriate means.


Functionality and data are lost because of a lack of contingency plans and proper backups

A fire in an NRC building caused damage to only one floor of the building. However, every floor sustained either smoke or water damage. NRC employees were allowed to enter the building during the initial cleanup process to get any time-critical documents or information. Unfortunately for most employees, the smoke and water damage made the microcomputers throughout the building unusable. This disaster greatly limited processing capability and forced employees to rely heavily on backups to reconstruct data and applications. Users who understood the importance of backups continued to work on microcomputers away from the site using backup copies of applications and data. Those who did not create backup copies, whether by lack of understanding or by conscious choice, could not quickly resume necessary and perhaps critical application processing.

Helpful Hint: Microcomputer users are responsible for backing up their own data and applications stored on their workstations and need to perform these backups at routine intervals. As a safety measure, it is useful to test that backup copies are actually usable. Documentation and backup media (e.g., disks, tapes) should be stored in a locked desk, file cabinet, or safe at an offsite location.
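The hint's advice to test that backup copies are actually usable can be automated: record a digest of every file when the backup is taken, then re-read the backup media later and compare. The following is an added example, not a tool from the booklet or from NRC; the function names and the sample files written by `demo()` are hypothetical and constructed for illustration.

```python
import hashlib
import shutil
import tempfile
from pathlib import Path


def sha256_file(path, chunk=65536):
    """Digest a file in chunks so large application files are not loaded whole."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_manifest(root):
    """Map each file's path (relative to root) to its SHA-256 at backup time."""
    root = Path(root)
    return {
        p.relative_to(root).as_posix(): sha256_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def verify_backup(manifest, backup_root):
    """Re-read the backup copy and sort every file into ok, missing or corrupt."""
    backup_root = Path(backup_root)
    report = {"ok": [], "missing": [], "corrupt": []}
    for rel, digest in sorted(manifest.items()):
        copy = backup_root / rel
        if not copy.is_file():
            report["missing"].append(rel)
        elif sha256_file(copy) != digest:
            report["corrupt"].append(rel)
        else:
            report["ok"].append(rel)
    return report


def demo():
    """Back up a constructed workstation tree, damage the copy, verify it."""
    with tempfile.TemporaryDirectory() as tmp:
        work, backup = Path(tmp, "workstation"), Path(tmp, "backup")
        (work / "reports").mkdir(parents=True)
        (work / "reports" / "stats.txt").write_text("quarterly figures\n")
        (work / "app.cfg").write_text("db=shared\n")
        (work / "install.bin").write_bytes(bytes(range(256)) * 16)

        manifest = build_manifest(work)   # taken at backup time
        shutil.copytree(work, backup)     # the backup itself

        # Simulate damaged media: one file lost, one byte flipped in another.
        (backup / "app.cfg").unlink()
        data = bytearray((backup / "install.bin").read_bytes())
        data[100] ^= 0xFF
        (backup / "install.bin").write_bytes(bytes(data))

        return verify_backup(manifest, backup)


if __name__ == "__main__":
    for status, files in demo().items():
        print(f"{status}: {files}")
```

Keep the manifest with the offsite documentation, separate from the media it describes, so damage to one does not hide damage to the other.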


Microcomputer functionality is lost because of damage from spilled liquids

An NRC employee was very proud of his horticultural achievements. He frequently brought various kinds of plants into his office and displayed them on his desk and bookshelves. His coworkers appreciated the plants, since they added to the office decor. However, the coworkers were not so understanding on the day he overwatered a plant sitting on the bookshelf above his microcomputer stand. The resultant serious water damage to his microcomputer forced the project group to use scarce funds to replace it.

Helpful Hint: Practice good housekeeping at all times, including not drinking or eating around your microcomputer. Most often, the damage that results from food and spilled liquid is inoperable keyboards and monitors. Users should realize that any such damage that results from food or spilled liquids is their responsibility.


Data and processing capability are lost because of a virus

A working group was collaborating on a statistical report. One working group member decided to work on the report at home. He took home a diskette containing a copy of the report and the statistical software needed to work on the report. He executed the statistical software on his microcomputer at home and worked on the report. Earlier in the day, the working group member's son loaded and executed some games obtained from a friend. One of the games contained a virus. The working group member's home microcomputer became infected. The working group member brought the statistical software back to work along with the report. The statistical software package carried the virus. He executed the statistical software on his microcomputer at work, infecting this microcomputer with the virus.

Helpful Hint: Never bring unauthorized or personal software to work. Beware of borrowed or unsolicited software. Check all diskettes obtained from either internal or external sources for viruses before using them on your workstation. Check computers used off site for virus infection before use. Virus-scanning software is available on the network. If you suspect your system may be infected, call the IRM Customer Support Center.


System services are not resumed because of lack of contingency and disaster recovery plans

A fire occurred in a building containing systems that process time-sensitive applications. Although the fire did not occur on the floors containing the computer systems, it rendered the building not structurally sound enough for employees to access the systems. Contingency plans and disaster recovery plans were implemented to ensure that the time-sensitive applications were running. Group XYZ information owners, system administrators, and users who had practiced drills using the contingency plans and disaster recovery plans returned their systems to operation in an acceptable period of time. However, group ABC information owners, system administrators, and users had never practiced drills in the use of the contingency plans and disaster recovery plans. They discovered the problems with their plans while trying to execute them. These employees did not get their time-critical applications running in an acceptable period of time. Some users even stated that they were not aware of their system's contingency plans and disaster recovery plans.

Helpful Hint: Develop and test contingency and disaster recovery plans.

[Illustration: All Environments]

U.S. Nuclear Regulatory Commission, Office of Information Resources Management, January 1996. NUREG/BR-0190