Network Penetration Control

General recovery from LAN server hardware/software failures, communications node failures, the loss of mission-critical LAN servers, or a major LAN cable cut is the responsibility of NRL RCD. The NRL IS Security Group will respond to two types of incidents: (1) an NRL network security breach and (2) notification through various sources that a network vulnerability has been identified.

Determination of Break-in Incident

Incidents are reported by the system administrator, the user, or one of various monitoring agencies. If the user has followed the computer security model provisions supplied by the IS Security Group on his/her system, the networked computer should be configured to display the time and location of the user's last login each time access is granted. Users should verify that the last session logged was really theirs. They should also get in the habit of reviewing the login history for irregularities. In UNIX this can be done with the command: last.

When files that do not belong are found in a directory, an incident exists. With UNIX, intruders like to hide files by naming them something that starts with a period (.), because such files are not listed when the standard ls command is given. Get in the habit of checking for these types of files.

Other incidents include network interfaces placed in promiscuous mode and unusual network connections. Indicators can include the presence of Ethernet sniffers, a Trojaned netstat, etc.
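The three indicators described above (the last-login record, hidden dotfiles, and interfaces in promiscuous mode) can each be turned into a quick administrator check. The script below is an added example written for this page, not part of the original NRL procedure. The login history, the ip link listing and the temporary home directory are constructed sample data; the trusted-host pattern nrl[.]navy[.]mil and the dotfile allow-list are assumptions chosen for the illustration.

```shell
#!/bin/sh
# Added example, not part of the original NRL procedure: three checks that put the
# indicators named above into commands an administrator can run. The login history,
# interface listing and directory contents below are constructed sample data; the
# comments show how to feed each function real output. Tools on a compromised host
# may themselves be replaced (the "Trojaned netstat" above), so run copies of awk,
# find and ip from trusted media when the host is suspect.

# --- 1. Login review: sessions whose source host is outside a trusted pattern ---
# Real use:  last | unexpected_logins 'nrl[.]navy[.]mil$'   (pattern is an assumption)
unexpected_logins() {
    awk -v allowed="$1" '
        $1 == "reboot" || $1 == "wtmp" || NF == 0 { next }   # boot records, trailer, blanks
        $2 == "console"                           { next }   # local console: no host field
        $3 !~ allowed                             { print $1, $3 }
    '
}

# --- 2. Hidden files: names beginning with "." that plain ls does not list ---
# Shell start-up files that legitimately begin with "." are excluded (illustrative
# allow-list); everything else, e.g. a ".rhosts" or a "..." directory, is printed.
# Real use:  hidden_files /home/alice
hidden_files() {
    find "$1" -name '.*' \
         ! -name '.profile' ! -name '.cshrc' ! -name '.login' ! -name '.bashrc' \
         -print | LC_ALL=C sort
}

# --- 3. Promiscuous interfaces: the PROMISC flag in `ip link show` output ---
# Real use:  ip link show | promisc_interfaces
promisc_interfaces() {
    awk '/^[0-9]+: .*PROMISC/ { sub(":", "", $2); print $2 }'
}

# Constructed sample data (not captured from any real host).
SAMPLE_LAST='alice    pts/0    ws12.nrl.navy.mil   Mon Mar  4 09:12   still logged in
alice    pts/1    ws12.nrl.navy.mil   Sun Mar  3 17:40 - 18:02  (00:22)
root     pts/2    203.0.113.77        Sun Mar  3 02:14 - 02:51  (00:37)
bob      console                      Fri Mar  1 08:00 - 16:30  (08:30)
reboot   system boot  3.2.0           Fri Mar  1 07:55

wtmp begins Fri Mar  1 07:55'

SAMPLE_IPLINK='1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
2: eth0: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP mode DEFAULT
    link/ether 02:00:00:00:00:01 brd ff:ff:ff:ff:ff:ff'

# Throwaway home directory with one legitimate dotfile and two suspicious entries.
make_sample_home() {
    d=$(mktemp -d)
    touch "$d/.profile" "$d/.rhosts" "$d/notes.txt"
    mkdir "$d/..."
    printf '%s\n' "$d"
}

demo() {
    echo "logins from untrusted hosts:"
    printf '%s\n' "$SAMPLE_LAST" | unexpected_logins 'nrl[.]navy[.]mil$'
    echo "interfaces in promiscuous mode:"
    printf '%s\n' "$SAMPLE_IPLINK" | promisc_interfaces
    home=$(make_sample_home)
    echo "hidden entries under $home:"
    hidden_files "$home"
    rm -rf "$home"
}

demo
```

Each function reads the output of the tool it inspects from standard input (or a directory path for hidden_files), so the same checks can be pointed at a real host by replacing the sample variables with the live commands shown in the comments.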

Formal Notification of Break-in to DDN

Any DDN user (person/department/agency) having knowledge of a suspected network security violation must contact the appropriate operations center/area communications operations center, MILNET Monitoring Center, NICE East, etc. to report the violation. If possible, reporting should be via secure means.

Secure and commercial telephone numbers to DISSA Operations Centers are:

WESTHEM/CONUS OC (STU-III)

DSN 312-746-1849
COM 202-692-5726

Recovering Essential Network Resources

The initial action following discovery of a network incident is containment. The system should be isolated immediately by the user, either by shutting down the network interface or by disconnecting it from the network. Following this action, either the user or the system administrator checks other systems for similar signs of intrusion, creates a complete system backup, and notifies both the NRL IS Security Group and NAVCIRT. The NRL IS Security Group will determine further action to be taken.

To eradicate the problem and recover the resource, the system administrator will remove the exploited vulnerability by installing patches identified by the ADP Security Group and running a program such as SPI, COPS, Tiger, Ice-Pick, etc. Use a trusted source to re-install damaged files, and retire the compromised system's name and IP address.

Follow-up should include an assessment of the factors that allowed the intrusion to occur, updating the security policy that addresses this type of incident, and additional education for users and administrators.